diff --git a/hieradata/common.eyaml b/hieradata/common.eyaml index bf97631..a0d629d 100644 --- a/hieradata/common.eyaml +++ b/hieradata/common.eyaml @@ -5,3 +5,4 @@ profiles::consul::client::secret_id_salt: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCC profiles::consul::token::node_editor::secret_id: ENC[PKCS7,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] profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,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] profiles::consul::server::acl_tokens_default: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAh4Ag95xgkIZHL0gP9OLnZauih0dB1/2l9Jzw8mP3OiIv7fw23otHYONlS3Emtj7oxW8MKcZGKDCzwCT6T2p+V5wx1n15wr2J+FmL24VbclJwrMPQ4AdgP359B9h21uoyo7Zdy7RuuvLfkU1fWXbs3SeWbi2HJs1Ed1/oI1jzr3OgwMbVtbyzd1VuAXeZ9bHQG3IA8z+w/k5m61th0HTyHjw7eldQulbohDuwv545z9axHEoHKCRT2a3ZwBufV2ST6Dm3g9GERzXE9Adp9DQC5adqM74wfsujOMLK2QFJSSIOj2uCs1CpEnrNrQ8zjP3fudM2z3l7KdSHZazEamCSxTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBY/Tn9tzEKYc5dxnzP2rP7gDBWKgVP3lf2T4Q0WPQt3ns0E6RUSO6OtBegb/5qDyohY2nsDeJTnMKOYzYt/J1PhnY=] +profiles::consul::server::acl_tokens_replication: ENC[PKCS7,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] diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 6baf98e..b909823 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -87,9 +87,21 @@ lookup_options: profiles::consul::client::node_rules: merge: strategy: deep + profiles::consul::prepared_query::rules: + merge: + strategy: deep profiles::puppet::server::dns_alt_names: merge: strategy: deep + profiles::base::hosts::additional_hosts: + merge: + strategy: deep + postgresql_config_entries: + merge: + strategy: deep + profiles::yum::global::repos: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' diff --git a/hieradata/country/au/region/drw1/infra/storage/consul.eyaml b/hieradata/country/au/region/drw1/infra/storage/consul.eyaml index 948b16f..33b5046 100644 
--- a/hieradata/country/au/region/drw1/infra/storage/consul.eyaml +++ b/hieradata/country/au/region/drw1/infra/storage/consul.eyaml @@ -1,4 +1,4 @@ --- profiles::consul::server::gossip_key: ENC[PKCS7,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] -profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,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] -profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] +#profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,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] +#profiles::consul::server::acl_tokens_default: ENC[PKCS7,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] diff --git a/hieradata/country/au/region/drw1/infra/storage/consul.yaml b/hieradata/country/au/region/drw1/infra/storage/consul.yaml index 11b6a2f..b44e321 100644 --- a/hieradata/country/au/region/drw1/infra/storage/consul.yaml +++ b/hieradata/country/au/region/drw1/infra/storage/consul.yaml @@ -1,4 +1,7 @@ --- profiles::consul::server::bootstrap_count: 3 profiles::consul::server::raft_multiplier: 10 -profiles::consul::server::primary_datacenter: 'au-drw1' +profiles::consul::server::primary_datacenter: 'au-syd1' +profiles::consul::server::join_remote_regions: true +profiles::consul::server::remote_regions: + - syd1 diff --git a/hieradata/country/au/region/syd1/infra/sql/galera.yaml b/hieradata/country/au/region/syd1/infra/sql/galera.yaml new file mode 100644 index 0000000..9c4119c --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/sql/galera.yaml @@ -0,0 +1,4 @@ +--- +profiles::sql::galera_member::cluster_name: au-syd1 +profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net +profiles::sql::galera_member::innodb_buffer_pool_size: 256M diff --git a/hieradata/country/au/region/syd1/infra/storage/consul.yaml b/hieradata/country/au/region/syd1/infra/storage/consul.yaml index 4bd8c14..52a084f 100644 
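Review bot: The two token lines are commented out rather than deleted, so the superseded encrypted blobs stay in the live file and remain decryptable by anyone holding the eyaml private key; git history already preserves them, so drop both `#profiles::consul::server::acl_tokens_*` lines outright. If those tokens were ever bootstrapped into the drw1 cluster they should also be revoked in Consul now that drw1 is being re-pointed at au-syd1 — a management token that only survives in history is still a valid credential until it is deleted server-side. Leaving them commented out also invites someone to "just uncomment" them later and re-split the ACL system.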
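Review bot: WAN federation only works if both datacenters share the same serf gossip encryption key, and the drw1 hierarchy carries its own `profiles::consul::server::gossip_key` in consul.eyaml, so confirm it is identical to syd1's or the remote join will be rejected at the gossip layer. It would also help to record the new topology in this file, e.g. `# au-drw1 is now an ACL secondary of au-syd1 (presumably tokens/policies replicate from the primary)`, since `primary_datacenter` alone does not make that visible to the next reader. Whether server-to-server RPC across the WAN is TLS-verified is not visible in this hunk and should be checked in the consul server profile.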
--- a/hieradata/country/au/region/syd1/infra/storage/consul.yaml +++ b/hieradata/country/au/region/syd1/infra/storage/consul.yaml @@ -2,3 +2,6 @@ profiles::consul::server::bootstrap_count: 3 profiles::consul::server::raft_multiplier: 10 profiles::consul::server::primary_datacenter: 'au-syd1' +profiles::consul::server::join_remote_regions: true +profiles::consul::server::remote_regions: + - drw1 diff --git a/hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml new file mode 100644 index 0000000..f7ad64b --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml @@ -0,0 +1,2 @@ +--- +profiles::cobbler::params::is_cobbler_master: true diff --git a/hieradata/os/AlmaLinux/AlmaLinux8.yaml b/hieradata/os/AlmaLinux/AlmaLinux8.yaml index e0b4a27..7861fca 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux8.yaml +++ b/hieradata/os/AlmaLinux/AlmaLinux8.yaml @@ -1,11 +1,2 @@ # hieradata/os/AlmaLinux/AlmaLinux8.yaml --- -profiles::yum::global::managed_repos: - - 'base' - - 'appstream' - - 'epel' - - 'powertools' - - 'highavailability' - - 'puppet7' - - 'yum.postgresql.org' - - 'unkin' diff --git a/hieradata/os/AlmaLinux/AlmaLinux9.yaml b/hieradata/os/AlmaLinux/AlmaLinux9.yaml index c6e95cc..03c8c55 100644 --- a/hieradata/os/AlmaLinux/AlmaLinux9.yaml +++ b/hieradata/os/AlmaLinux/AlmaLinux9.yaml @@ -1,8 +1,2 @@ # hieradata/os/AlmaLinux/AlmaLinux9.yaml --- -profiles::yum::global::managed_repos: - - 'base' - - 'appstream' - - 'epel' - - 'puppet7' - - 'yum.postgresql.org' diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index e1e5192..c383966 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml 
@@ -1,9 +1,5 @@ # hieradata/os/almalinux/all_releases.yaml --- -profiles::yum::base::baseurl: https://repos.main.unkin.net/almalinux -profiles::yum::epel::baseurl: https://repos.main.unkin.net/epel -profiles::yum::unkin::baseurl: https://repos.main.unkin.net/unkin -profiles::yum::ovirt::baseurl: https://repos.main.unkin.net/centos profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false 
@@ -12,5 +8,55 @@ profiles::puppet::agent::puppet_version: '7.26.0' profiles::packages::install: - lzo - xz + - policycoreutils lm-sensors::package: lm_sensors + +profiles::yum::global::repos: + baseos: + name: baseos + descr: baseos repository + target: /etc/yum.repos.d/baseos.repo + baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os + gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + extras: + name: extras + descr: extras repository + target: /etc/yum.repos.d/extras.repo + baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os + gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + appstream: + name: appstream + descr: appstream repository + target: /etc/yum.repos.d/appstream.repo + baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os + gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + powertools: + name: powertools + descr: powertools repository + target: /etc/yum.repos.d/powertools.repo + baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os + gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + highavailability: + name: highavailability + descr: highavailability repository + target: /etc/yum.repos.d/highavailability.repo + baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os + gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} + epel: + name: epel + descr: epel repository + target: /etc/yum.repos.d/epel.repo + baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture} + gpgkey: 
http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major} + puppet: + name: puppet + descr: puppet repository + target: /etc/yum.repos.d/puppet.repo + baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture} + gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406 + unkin: + name: unkin + descr: unkin repository + target: /etc/yum.repos.d/unkin.repo + baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os diff --git a/hieradata/roles/infra/cobbler/server.eyaml b/hieradata/roles/infra/cobbler/server.eyaml index 9f6f432..6ccffe3 100644 --- a/hieradata/roles/infra/cobbler/server.eyaml +++ b/hieradata/roles/infra/cobbler/server.eyaml @@ -1,2 +1,2 @@ --- -profiles::cobbler::server::default_password_crypted: ENC[PKCS7,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] +profiles::cobbler::params::default_password_crypted: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/cobbler/server.yaml b/hieradata/roles/infra/cobbler/server.yaml index 4aaea83..6709152 100644 --- a/hieradata/roles/infra/cobbler/server.yaml +++ b/hieradata/roles/infra/cobbler/server.yaml @@ -14,4 +14,8 @@ profiles::packages::install: profiles::pki::vault::alt_names: - cobbler.main.unkin.net -profiles::cobbler::server::service_cname: 'cobbler.main.unkin.net' +profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net' +profiles::selinux::setenforce::mode: permissive + +hiera_classes: + - profiles::selinux::setenforce diff --git a/hieradata/country/au/region/drw1/infra/dhcp/server.yaml b/hieradata/roles/infra/dhcp/server.yaml similarity index 83% rename from hieradata/country/au/region/drw1/infra/dhcp/server.yaml rename to hieradata/roles/infra/dhcp/server.yaml index ca98e40..a186d6c 100644 --- a/hieradata/country/au/region/drw1/infra/dhcp/server.yaml +++ b/hieradata/roles/infra/dhcp/server.yaml 
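Review bot: The `gpgkey` URLs for baseos, extras, appstream, powertools, highavailability and epel are plain `http://edgecache.query.consul/...` while the matching `baseurl` lines are `https://`, which lets an on-path attacker substitute the signing key on first import and thereby defeat the package signature check the key exists for; change each to `gpgkey: https://edgecache.query.consul/...`, which the edgecache profile already serves. The `unkin` repo has no `gpgkey` at all, so unless the profile disables gpgcheck for it installs will fail, and if it does disable it those packages are installed unverified — either way the intent should be stated in a comment next to that entry. Note that edgecache itself fetches upstream content over plain HTTP, so client-side GPG verification is the only integrity control on this path.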
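Review bot: `profiles::selinux::setenforce::mode: permissive` turns off SELinux enforcement for the whole provisioning server, not just for cobbler, and the same commit adds a `profiles::cobbler::selinux` class that suggests a targeted policy is intended. If permissive is only a stepping stone while that policy is finished, say so and give the exit condition, e.g. `# TEMPORARY: permissive until profiles::cobbler::selinux covers the cobblerd/httpd/tftp denials; revert to enforcing`; otherwise the denials should be fixed in policy and the PXE server kept enforcing, since it hands out boot images to every new host.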
@@ -16,10 +16,10 @@ profiles::dhcp::server::pools: - '198.18.15.200 198.18.15.220' gateway: 198.18.15.254 nameservers: - - 198.18.17.7 - - 198.18.17.8 + - 198.18.13.12 + - 198.18.13.13 domain_name: main.unkin.net - pxeserver: 198.18.17.48 + pxeserver: 198.18.13.27 syd1-test: network: 198.18.16.0 mask: 255.255.255.0 @@ -27,10 +27,10 @@ profiles::dhcp::server::pools: - '198.18.16.200 198.18.16.220' gateway: 198.18.16.254 nameservers: - - 198.18.17.7 - - 198.18.17.8 + - 198.18.13.12 + - 198.18.13.13 domain_name: main.unkin.net - pxeserver: 198.18.17.48 + pxeserver: 198.18.13.27 syd1-prod1: network: 198.18.13.0 mask: 255.255.255.0 @@ -38,10 +38,10 @@ profiles::dhcp::server::pools: - '198.18.13.200 198.18.13.220' gateway: 198.18.13.254 nameservers: - - 198.18.17.7 - - 198.18.17.8 + - 198.18.13.12 + - 198.18.13.13 domain_name: main.unkin.net - pxeserver: 198.18.17.48 + pxeserver: 198.18.13.27 syd1-prod2: network: 198.18.14.0 mask: 255.255.255.0 @@ -49,10 +49,10 @@ profiles::dhcp::server::pools: - '198.18.14.200 198.18.14.220' gateway: 198.18.14.254 nameservers: - - 198.18.17.7 - - 198.18.17.8 + - 198.18.13.12 + - 198.18.13.13 domain_name: main.unkin.net - pxeserver: 198.18.17.48 + pxeserver: 198.18.13.27 drw1-prod: network: 198.18.17.0 mask: 255.255.255.0 @@ -63,7 +63,7 @@ profiles::dhcp::server::pools: - 198.18.17.7 - 198.18.17.8 domain_name: main.unkin.net - pxeserver: 198.18.17.48 + pxeserver: 198.18.13.27 # UFI 64-bit profiles::dhcp::server::classes: diff --git a/hieradata/roles/infra/ovirt/engine.yaml b/hieradata/roles/infra/ovirt/engine.yaml index 44c4baa..b2a934d 100644 --- a/hieradata/roles/infra/ovirt/engine.yaml +++ b/hieradata/roles/infra/ovirt/engine.yaml 
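Review bot: The `pxeserver` value `198.18.13.27` is now repeated in all five pools including drw1-prod, whose `nameservers` remain the drw1 resolvers, so drw1 hosts will PXE/TFTP boot from a server in the other region over the inter-site link; PXE and TFTP carry no authentication, so the integrity of the drw1 provisioning path now rests on that link, which should be confirmed as intended. The single literal repeated five times is also a drift risk now that the file is role-wide rather than per-region; a single hiera key (e.g. `profiles::dhcp::server::pxeserver`) referenced from each pool with `%{lookup(...)}` would make the next cobbler move a one-line change.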
@@ -1,10 +1,50 @@ --- -profiles::yum::global::managed_repos: - - 'virt-advanced-virtualization' - - 'storage-ceph-pacific' - - 'cloud-openstack-xena' - - 'messaging-rabbitmq-38' - - 'nfv-openvswitch-2' - - 'opstools-collectd-5' - - 'storage-gluster-10' - - 'virt-ovirt-45' +profiles::yum::global::repos: + centos_8_advanced_virtualization: + name: 'virt-advanced-virtualization' + descr: 'CentOS Advanced Virtualization' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization' + centos_8_ceph_pacific: + name: 'storage-ceph-pacific' + descr: 'CentOS Ceph Pacific' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage' + centos_8_rabbitmq_38: + name: 'messaging-rabbitmq-38' + descr: 'CentOS RabbitMQ 38' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging' + centos_8_nfv_openvswitch: + name: 'nfv-openvswitch-2' + descr: 'CentOS NFV OpenvSwitch' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV' + centos_8_openstack_xena: + name: 'cloud-openstack-xena' + descr: 'CentOS OpenStack Xena' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud' + centos_8_opstools: + name: 'opstools-collectd-5' + descr: 'CentOS OpsTools - collectd' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5 + gpgkey: 
'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools' + centos_8_ovirt45: + name: 'virt-ovirt-45' + descr: 'CentOS oVirt 4.5' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization' + centos_8_stream_gluster10: + name: 'storage-gluster-10' + descr: 'CentOS oVirt 4.5 - Glusterfs 10' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage' diff --git a/hieradata/roles/infra/ovirt/node.yaml b/hieradata/roles/infra/ovirt/node.yaml index 847efc6..762c1aa 100644 --- a/hieradata/roles/infra/ovirt/node.yaml +++ b/hieradata/roles/infra/ovirt/node.yaml 
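Review bot: All eight baseurls point at `centos/8-stream/...` SIG repos; CentOS Stream 8 reached end of life in May 2024 and its content was withdrawn from the main mirror network, so these paths are likely frozen or missing on `gsl-syd.mm.fcix.net` and the engine will receive no further oVirt/Ceph/OpenStack security fixes — confirm the mirror still carries them (the `RPM-GPG-KEY-puppet-20250406` key added in this commit suggests the change postdates the EOL). If the repos are intentionally pinned, record that, e.g. `# CentOS Stream 8 is EOL (2024-05); these SIG repos receive no updates`. The gpgkey URLs here are https from centos.org, which is the right choice.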
@@ -1,17 +1,58 @@ --- profiles::firewall::firewalld::ensure_package: 'installed' profiles::firewall::firewalld::ensure_service: 'running' -profiles::yum::global::managed_repos: - - 'virt-advanced-virtualization' - - 'storage-ceph-pacific' - - 'cloud-openstack-xena' - - 'messaging-rabbitmq-38' - - 'nfv-openvswitch-2' - - 'opstools-collectd-5' - - 'storage-gluster-10' - - 'virt-ovirt-45' sudo::purge_ignore: - '50_vdsm' - '50_vdsm_hook_ovirt_provider_ovn_hook' - '60_ovirt-ha' + +profiles::yum::global::repos: + centos_8_advanced_virtualization: + name: 'virt-advanced-virtualization' + descr: 'CentOS Advanced Virtualization' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization' + centos_8_ceph_pacific: + name: 'storage-ceph-pacific' + descr: 'CentOS Ceph Pacific' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage' + centos_8_rabbitmq_38: + name: 'messaging-rabbitmq-38' + descr: 'CentOS RabbitMQ 38' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging' + centos_8_nfv_openvswitch: + name: 'nfv-openvswitch-2' + descr: 'CentOS NFV OpenvSwitch' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV' + centos_8_openstack_xena: + name: 'cloud-openstack-xena' + descr: 'CentOS OpenStack Xena' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud' + centos_8_opstools: + name: 
'opstools-collectd-5' + descr: 'CentOS OpsTools - collectd' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools' + centos_8_ovirt45: + name: 'virt-ovirt-45' + descr: 'CentOS oVirt 4.5' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization' + centos_8_stream_gluster10: + name: 'storage-gluster-10' + descr: 'CentOS oVirt 4.5 - Glusterfs 10' + target: /etc/yum.repos.d/ovirt.repo + baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10 + gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage' diff --git a/hieradata/roles/infra/puppetdb/sql.yaml b/hieradata/roles/infra/puppetdb/sql.yaml new file mode 100644 index 0000000..0d6409a --- /dev/null +++ b/hieradata/roles/infra/puppetdb/sql.yaml @@ -0,0 +1,4 @@ +--- +postgresql_config_entries: + max_connections: 300 + shared_buffers: '256MB' diff --git a/hieradata/roles/infra/sql/galera.yaml b/hieradata/roles/infra/sql/galera.yaml index f6965e6..084072a 100644 --- a/hieradata/roles/infra/sql/galera.yaml +++ b/hieradata/roles/infra/sql/galera.yaml 
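Review bot: The 50-line `profiles::yum::global::repos` map here is a byte-for-byte copy of the one added to engine.yaml in the same commit, and the new deep-merge `lookup_options` entry for that key makes the duplication unnecessary; moving the block to a hiera level shared by both ovirt roles would leave one place to fix when a baseurl or gpgkey changes. Two copies of repo definitions are a classic way for one host class to quietly fall behind on updates. The role-specific `sudo::purge_ignore` entries belong here and should stay.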
@@ -1,11 +1,27 @@ --- -profiles::sql::galera_member::cluster_name: galera01 -profiles::sql::galera_member::galera_master: prodinf01n29.main.unkin.net profiles::sql::galera_member::configure_firewall: false profiles::sql::galera_member::wsrep_sst_method: rsync profiles::sql::galera_member::galera_members_lookup: true profiles::sql::galera_member::galera_members_role: roles::infra::sql::galera profiles::sql::galera_member::datadir: /data/mariadb -profiles::sql::galera_member::innodb_buffer_pool_size: 256M profiles::sql::galera_member::innodb_file_per_table: 1 profiles::sql::galera_member::package_name: mariadb-galera-server + +consul::services: + mariadb: + service_name: "mariadb-%{facts.environment}" + tags: + - 'database' + - 'mariadb' + address: "%{facts.networking.ip}" + port: 3306 + checks: + - id: 'mariadb_tcp_check' + name: 'MariaDB TCP Check' + tcp: "%{facts.networking.ip}:3306" + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: "mariadb-%{facts.environment}" + disposition: write diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index 723f60c..036e177 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -18,6 +18,7 @@ profiles::consul::server::acl: tokens: initial_management: "%{alias('profiles::consul::server::acl_tokens_initial_management')}" default: "%{alias('profiles::consul::server::acl_tokens_default')}" + replication: "%{alias('profiles::consul::server::acl_tokens_replication')}" # additional altnames profiles::pki::vault::alt_names: 
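Review bot: The Consul check for `mariadb-%{facts.environment}` is a bare TCP connect on 3306, which a Galera node passes while it is a donor, desynced or in a non-Primary partition, so clients resolving the service by DNS can be sent to a node that rejects or lags writes. A script check that inspects `wsrep_local_state_comment`/`wsrep_cluster_status` (or a clustercheck-style HTTP endpoint, if the profile ships one) should gate the service, with the TCP check kept only as a fast fail. The `node_rules` write grant scoped to the single service name is appropriate.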
@@ -32,3 +33,29 @@ profiles::nginx::simpleproxy::nginx_aliases: - consul.main.unkin.net profiles::nginx::simpleproxy::proxy_port: 8500 profiles::nginx::simpleproxy::proxy_path: '/' + +profiles::consul::prepared_query::rules: + vault: + ensure: 'present' + service_name: 'vault' + service_failover_n: 3 + service_only_passing: true + ttl: 10 + puppet: + ensure: 'present' + service_name: 'puppet' + service_failover_n: 3 + service_only_passing: true + ttl: 10 + puppetca: + ensure: 'present' + service_name: 'puppetca' + service_failover_n: 3 + service_only_passing: true + ttl: 10 + edgecache: + ensure: 'present' + service_name: 'edgecache' + service_failover_n: 3 + service_only_passing: true + ttl: 10 diff --git a/hieradata/roles/infra/storage/edgecache.yaml b/hieradata/roles/infra/storage/edgecache.yaml new file mode 100644 index 0000000..7fcd2f8 --- /dev/null +++ b/hieradata/roles/infra/storage/edgecache.yaml 
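Review bot: `service_failover_n: 3` on the `puppetca` and `vault` queries means a client whose local CA or Vault is unhealthy is steered to the same-named service in another datacenter; for a certificate authority that is only safe if both regions share one CA, and for Vault only if both regions form one cluster or replicate policies and secrets — neither is visible here and both should be confirmed before these queries go live. A comment on each entry stating the assumption, e.g. `# cross-DC failover is safe: all regions share the same puppet CA`, would make the dependency explicit. `service_only_passing: true` is the right default for all four.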
@@ -0,0 +1,120 @@ +--- +consul::services: + edgecache: + service_name: 'edgecache' + tags: + - 'cache' + - 'edge' + address: "%{facts.networking.ip}" + port: 443 + checks: + - id: 'edgecache_https_check' + name: 'EdgeCache HTTPS Check' + http: "https://%{facts.networking.fqdn}" + method: 'GET' + tls_skip_verify: true + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: edgecache + disposition: write + +# additional altnames +profiles::pki::vault::alt_names: + - edgecache.service.consul + - edgecache.query.consul + +profiles::edgecache::params::nginx_resolvers_enable: true +profiles::edgecache::params::nginx_resolvers_ipv4only: true +profiles::edgecache::params::nginx_listen_mode: both +profiles::edgecache::params::nginx_cert_type: vault +profiles::edgecache::params::nginx_aliases: + - edgecache.service.consul + - edgecache.query.consul +profiles::edgecache::params::directories: + /data/edgecache: { owner: root, group: root } + /data/edgecache/pub: { owner: nginx, group: nginx } + /data/edgecache/pub/centos: { owner: nginx, group: nginx } + /data/edgecache/pub/almalinux: { owner: nginx, group: nginx } + /data/edgecache/pub/debian: { owner: nginx, group: nginx } + /data/edgecache/pub/epel: { owner: nginx, group: nginx } + /data/edgecache/pub/postgres: { owner: nginx, group: nginx } + /data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx } + /data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx } + +profiles::edgecache::params::mirrors: + debian: + ensure: present + location: /debian + proxy: http://mirror.gsl.icu + debian_pool: + ensure: present + location: /debian/pool + proxy: http://mirror.gsl.icu + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' + centos_repodata: + ensure: present + location: '~* ^/centos/.*/repodata/' + proxy: http://gsl-syd.mm.fcix.net + centos_data: + ensure: present + location: /centos + proxy: http://gsl-syd.mm.fcix.net + proxy_cache: cache + 
proxy_cache_valid: + - '200 302 1440h' + - '404 1m' + almalinux_repodata: + ensure: present + location: '~* ^/almalinux/.*/repodata/' + proxy: http://gsl-syd.mm.fcix.net + almalinux_data: + ensure: present + location: /almalinux + proxy: http://gsl-syd.mm.fcix.net + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' + epel_repodata: + ensure: present + location: '~* ^/epel/.*/repodata/' + proxy: http://gsl-syd.mm.fcix.net + epel_data: + ensure: present + location: /epel + proxy: http://gsl-syd.mm.fcix.net + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' + postgres_yum_repodata: + ensure: present + location: '~* ^/postgres/yum/.*/repodata/' + rewrite_rules: + - '^/postgres/yum/(.*)$ /pub/repos/yum/$1 break' + proxy: https://download.postgresql.org + postgres_yum_data: + ensure: present + location: /postgres/yum + proxy: https://download.postgresql.org/pub/repos/yum + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' + postgres_apt: + ensure: present + location: /postgres/apt + proxy: https://download.postgresql.org/pub/repos/apt + postgres_apt_pool: + ensure: present + location: /postgres/apt/pool + proxy: https://download.postgresql.org/pub/repos/apt/pool + proxy_cache: cache + proxy_cache_valid: + - '200 302 1440h' + - '404 1m' diff --git a/modules/libs/lib/facter/cobbler_data_dir_exists.rb b/modules/libs/lib/facter/cobbler_data_dir_exists.rb new file mode 100644 index 0000000..d716b35 --- /dev/null +++ b/modules/libs/lib/facter/cobbler_data_dir_exists.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +Facter.add('cobbler_data_dir_exists') do + confine enc_role: 'roles::infra::cobbler::server' + setcode do + File.exist?('/data/cobbler') + end +end diff --git a/modules/libs/lib/facter/cobbler_var_www_exists.rb b/modules/libs/lib/facter/cobbler_var_www_exists.rb new file mode 100644 index 0000000..aa445b8 --- /dev/null +++ b/modules/libs/lib/facter/cobbler_var_www_exists.rb 
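Review bot: The `edgecache_https_check` sets `tls_skip_verify: true`, yet every host includes `profiles::pki::vaultca` in the base profile (presumably into the system trust store) and the listener's cert is Vault-issued with `edgecache.service.consul` in `alt_names`, so the check can verify the chain; dropping that line (or adding `tls_server_name: edgecache.service.consul`) turns it into a probe that also catches an expired or wrong certificate. Separately, the Debian/CentOS/Alma/EPEL mirrors are proxied over plain `http://` (`mirror.gsl.icu`, `gsl-syd.mm.fcix.net`) while clients see https, so the TLS they observe says nothing about the content's origin; prefer `https://` upstreams if those mirrors offer them and add a comment that client-side GPG checks are the actual integrity control. Leaving `repodata` uncached while package paths cache for 1440h is the right split.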
@@ -0,0 +1,8 @@ +# frozen_string_literal: true + +Facter.add('cobbler_var_www_exists') do + confine enc_role: 'roles::infra::cobbler::server' + setcode do + File.exist?('/var/www/cobbler') + end +end diff --git a/modules/libs/lib/facter/cobbler_var_www_islink.rb b/modules/libs/lib/facter/cobbler_var_www_islink.rb new file mode 100644 index 0000000..13d9c6e --- /dev/null +++ b/modules/libs/lib/facter/cobbler_var_www_islink.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +Facter.add('cobbler_var_www_islink') do + confine enc_role: 'roles::infra::cobbler::server' + setcode do + File.exist?('/var/www/cobbler') and File.symlink?('/var/www/cobbler') + end +end diff --git a/modules/libs/lib/facter/firstrun.rb b/modules/libs/lib/facter/firstrun.rb new file mode 100644 index 0000000..012aafc --- /dev/null +++ b/modules/libs/lib/facter/firstrun.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +Facter.add(:firstrun) do + confine kernel: 'Linux' + setcode do + File.exist?('/root/.cache/puppet_firstrun_complete') ? false : true + end +end diff --git a/modules/libs/lib/facter/nameservers.rb b/modules/libs/lib/facter/nameservers.rb new file mode 100644 index 0000000..8ece095 --- /dev/null +++ b/modules/libs/lib/facter/nameservers.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +Facter.add(:nameservers) do + confine kernel: 'Linux' + setcode do + nameservers = File.readlines('/etc/resolv.conf').grep(/^nameserver\s+(\S+)/) { Regexp.last_match(1) } + nameservers + end +end diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index a387570..13f6b10 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp 
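Review bot: `File.exist?('/var/www/cobbler') and File.symlink?('/var/www/cobbler')` uses `and`, which Ruby style reserves for control flow, and the `exist?` call is redundant because `File.symlink?` already returns false for a missing path; the body can be just `File.symlink?('/var/www/cobbler')`. Be aware the two differ for a dangling link: `File.exist?` follows symlinks and returns false, so the original reports a dangling link as "not a link" while the simplified form reports true — decide which install.pp wants, since it keys its `mv` on this fact.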
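Review bot: `File.readlines('/etc/resolv.conf')` raises `Errno::ENOENT` when the file is absent (fresh images and some stub-resolver setups lack it), which Facter then logs as a fact error on every run; guard it with `return [] unless File.exist?('/etc/resolv.conf')` or `rescue Errno::ENOENT` and yield `[]`. The trailing bare `nameservers` line is redundant since the `grep` result is already the block's value. Using `^` is fine here because the input is already split per line, and `Regexp.last_match(1)` is the idiomatic capture form.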
@@ -3,59 +3,64 @@ class profiles::base ( Array $puppet_servers, ) { - # install the vault ca first - include profiles::pki::vaultca + # run a limited set of classes on the first run aimed at bootstrapping the new node + if $facts['firstrun'] { + include profiles::firstrun::init + }else{ - # manage the puppet agent - include profiles::puppet::agent + # install the vault ca first + include profiles::pki::vaultca - # manage puppet clients - if ! member($puppet_servers, $trusted['certname']) { - include profiles::puppet::client + # manage the puppet agent + include profiles::puppet::agent + + # manage puppet clients + if ! member($puppet_servers, $trusted['certname']) { + include profiles::puppet::client + } + + # include the base profiles + include profiles::base::repos + include profiles::packages + include profiles::base::facts + include profiles::base::motd + include profiles::base::scripts + include profiles::base::hosts + include profiles::base::groups + include profiles::base::root + include profiles::accounts::sysadmin + include profiles::ntp::client + include profiles::dns::base + include profiles::pki::vault + include profiles::cloudinit::init + include profiles::metrics::default + include profiles::helpers::node_lookup + include profiles::consul::client + + # include the python class + class { 'python': + manage_python_package => true, + manage_venv_package => true, + manage_pip_package => true, + use_epel => false, + } + + # all hosts will have sudo applied + class { 'sudo': + secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin' + } + + # manage virtualised guest agents + if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' { + include profiles::qemu::agent + } + + # include classes from hiera + lookup('hiera_classes', Array[String], 'unique').include + + # specifc ordering constraints + Class['profiles::pki::vaultca'] + -> Class['profiles::base::repos'] + -> Class['profiles::packages'] } - - # 
include the base profiles - include profiles::base::repos - include profiles::packages - include profiles::base::facts - include profiles::base::motd - include profiles::base::scripts - include profiles::base::hosts - include profiles::base::groups - include profiles::base::root - include profiles::accounts::sysadmin - include profiles::ntp::client - include profiles::dns::base - include profiles::pki::vault - include profiles::cloudinit::init - include profiles::metrics::default - include profiles::helpers::node_lookup - include profiles::consul::client - - # include the python class - class { 'python': - manage_python_package => true, - manage_venv_package => true, - manage_pip_package => true, - use_epel => false, - } - - # all hosts will have sudo applied - class { 'sudo': - secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin' - } - - # manage virtualised guest agents - if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' { - include profiles::qemu::agent - } - - # include classes from hiera - lookup('hiera_classes', Array[String], 'unique').include - - # specifc ordering constraints - Class['profiles::pki::vaultca'] - -> Class['profiles::base::repos'] - -> Class['profiles::packages'] - } diff --git a/site/profiles/manifests/cobbler/config.pp b/site/profiles/manifests/cobbler/config.pp new file mode 100644 index 0000000..90aee5d --- /dev/null +++ b/site/profiles/manifests/cobbler/config.pp 
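Review bot: The new `if $facts['firstrun']` branch drops vaultca, sudo, accounts, pki and the consul client from the catalog based on a node-computed fact that is true whenever `/root/.cache/puppet_firstrun_complete` is missing, so a node that never writes the marker (or loses it) silently runs with none of the baseline security profiles and nothing reports it. Emit something visible in that branch, e.g. `notify { 'firstrun: baseline profiles deferred until /root/.cache/puppet_firstrun_complete exists': }`, and make sure `profiles::firstrun::init` writes the marker only after its own resources succeed so the degraded state cannot stick. Style: `}else{` should be `} else {`, and the moved body should be re-indented under the new else so puppet-lint stays clean.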
@@ -0,0 +1,77 @@ +# profiles::cobbler::config +class profiles::cobbler::config { + + include profiles::cobbler::params + + $default_password_crypted = $profiles::cobbler::params::default_password_crypted + $httpd_ssl_certificate = $profiles::cobbler::params::httpd_ssl_certificate + $httpd_ssl_privatekey = $profiles::cobbler::params::httpd_ssl_privatekey + $pxe_just_once = $profiles::cobbler::params::pxe_just_once + $is_cobbler_master = $profiles::cobbler::params::is_cobbler_master + $service_cname = $profiles::cobbler::params::service_cname + $next_server = $profiles::cobbler::params::next_server + $server = $profiles::cobbler::params::server + + # manage the cobbler settings file + file { '/etc/cobbler/settings.yaml': + ensure => 'file', + content => template('profiles/cobbler/settings.yaml.erb'), + group => 'apache', + owner => 'root', + mode => '0640', + require => Package['cobbler'], + notify => Service['cobblerd'], + } + + # manage the debmirror config to meet cobbler requirements + file { '/etc/debmirror.conf': + ensure => 'file', + content => template('profiles/cobbler/debmirror.conf.erb'), + group => 'root', + owner => 'root', + mode => '0644', + require => Package['debmirror'], + } + + # manage the httpd ssl configuration + file { '/etc/httpd/conf.d/ssl.conf': + ensure => 'file', + content => template('profiles/cobbler/httpd_ssl.conf.erb'), + group => 'root', + owner => 'root', + mode => '0644', + require => Package['httpd'], + notify => Service['httpd'], + } + + # fix permissions in /var/lib/cobbler/web.ss + file {'/var/lib/cobbler/web.ss': + ensure => 'file', + group => 'root', + owner => 'apache', + mode => '0660', + require => Package['cobbler'], + notify => Service['cobblerd'], + } + + # manage the main ipxe menu script + file { '/var/lib/tftpboot/main.ipxe': + ensure => 'file', + content => template('profiles/cobbler/main.ipxe.erb'), + owner => 'root', + group => 'root', + mode => '0644', + require => Package['cobbler'], + } + + # export cnames for 
cobbler + if $is_cobbler_master { + profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME": + value => $::facts['networking']['hostname'], + type => 'CNAME', + record => "${service_cname}.", + zone => $::facts['networking']['domain'], + order => 10, + } + } +} diff --git a/site/profiles/manifests/cobbler/init.pp b/site/profiles/manifests/cobbler/init.pp new file mode 100644 index 0000000..24b1555 --- /dev/null +++ b/site/profiles/manifests/cobbler/init.pp @@ -0,0 +1,17 @@ +# profiles::cobbler::init +class profiles::cobbler::init ( +) { + # wait for enc_role to be populated, needed for hieradata to match + if $facts['enc_role'] == 'roles::infra::cobbler::server' { + include profiles::cobbler::config + include profiles::cobbler::install + include profiles::cobbler::ipxebins + include profiles::cobbler::selinux + include profiles::cobbler::service + + Class['profiles::cobbler::install'] + -> Class['profiles::cobbler::config'] + -> Class['profiles::cobbler::ipxebins'] + -> Class['profiles::cobbler::selinux'] + } +} diff --git a/site/profiles/manifests/cobbler/install.pp b/site/profiles/manifests/cobbler/install.pp new file mode 100644 index 0000000..f6bb8d6 --- /dev/null +++ b/site/profiles/manifests/cobbler/install.pp 
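Review bot: `/var/lib/cobbler/web.ss` is set to `owner => 'apache', mode => '0660'`; that shared secret only needs to be readable by httpd and is written by cobblerd running as root, so `owner => 'root', group => 'apache', mode => '0640'` matches the least-privilege pattern already used for settings.yaml in this class, unless httpd is known to rewrite it for the cobbler version in use. The `record => "${service_cname}."` trailing dot deserves a one-line comment, e.g. `# trailing dot keeps the CNAME absolute (presumably so the zone is not appended)`, since the other record fields are unqualified.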
@@ -0,0 +1,34 @@
+# profiles::cobbler::install
+class profiles::cobbler::install {
+
+ include profiles::cobbler::params
+
+ $packages = $profiles::cobbler::params::packages
+
+ ensure_packages($packages, { ensure => 'present' })
+
+ # move the /var/www/cobbler directory to /data/cobbler
+ if ! $facts['cobbler_var_www_islink'] and ! $facts['cobbler_data_exists'] {
+ exec {'move_cobbler_data':
+ command => 'mv /var/www/cobbler /data/cobbler',
+ onlyif => 'test -d /var/www/cobbler',
+ path => ['/bin', '/usr/bin'],
+ before => Service['cobblerd'],
+ }
+ file { '/var/www/cobbler':
+ ensure => 'link',
+ target => '/data/cobbler',
+ require => Exec['move_cobbler_data'],
+ before => Service['httpd'],
+ notify => Service['httpd'],
+ }
+ }
+ if ! $facts['cobbler_var_www_exists'] and $facts['cobbler_data_exists'] {
+ file { '/var/www/cobbler':
+ ensure => 'link',
+ target => '/data/cobbler',
+ before => Service['httpd'],
+ notify => Service['httpd'],
+ }
+ }
+}
diff --git a/site/profiles/manifests/cobbler/ipxebins.pp b/site/profiles/manifests/cobbler/ipxebins.pp
index 125c353..1fc0bf9 100644
--- a/site/profiles/manifests/cobbler/ipxebins.pp
+++ b/site/profiles/manifests/cobbler/ipxebins.pp
@@ -1,6 +1,8 @@
# profiles::cobbler::ipxebins
class profiles::cobbler::ipxebins {
+ include profiles::cobbler::params
+
# download the custom undionly.kpxe file
# https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1
exec { 'download_undionly_kpxe':
diff --git a/site/profiles/manifests/cobbler/params.pp b/site/profiles/manifests/cobbler/params.pp
new file mode 100644
index 0000000..877f986
--- /dev/null
+++ b/site/profiles/manifests/cobbler/params.pp
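Review bot: `move_cobbler_data` can misfire when the two custom facts are absent: `! $facts['cobbler_var_www_islink']` is true for an undef fact, and `test -d /var/www/cobbler` follows symlinks, so on a host where the link already exists the `mv` would move the symlink into `/data/cobbler` rather than moving data. Make the exec self-guarding independent of the facts, e.g. `onlyif => 'test -d /var/www/cobbler -a ! -L /var/www/cobbler'` together with `creates => '/data/cobbler'`. `/data` itself is not managed here, so the `mv` presumably relies on it already existing — confirm, or add a `file` resource for it. The ipxebins hunk on this line only adds an include.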
@@ -0,0 +1,25 @@
+# profiles::cobbler::params
+class profiles::cobbler::params (
+ Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
+ Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
+ Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
+ Stdlib::Fqdn $service_cname = $facts['networking']['fqdn'],
+ String $default_password_crypted = 'changeme',
+ String $server = $::facts['networking']['ip'],
+ String $next_server = $::facts['networking']['ip'],
+ Boolean $pxe_just_once = true,
+ Boolean $is_cobbler_master = false,
+ Array $packages = [
+ 'cobbler',
+ 'cobbler3.2-web',
+ 'httpd',
+ 'syslinux',
+ 'dnf-plugins-core',
+ 'debmirror',
+ 'pykickstart',
+ 'fence-agents',
+ 'selinux-policy-devel',
+ 'ipxe-bootimgs',
+ ]
+){
+}
diff --git a/site/profiles/manifests/cobbler/selinux.pp b/site/profiles/manifests/cobbler/selinux.pp
new file mode 100644
index 0000000..df8dab5
--- /dev/null
+++ b/site/profiles/manifests/cobbler/selinux.pp
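Review bot: `$default_password_crypted` now defaults to `'changeme'`, whereas the deleted server.pp declared it as a required parameter; a missing hiera value no longer fails compilation and instead a placeholder is presumably rendered into `settings.yaml` (config.pp passes it to that template), which is the crypted root password for every provisioned host. Keep it mandatory (`String $default_password_crypted,`) or give it a type that rejects anything that is not a crypt hash. `$service_cname` likewise defaults to the host's own FQDN, so with `is_cobbler_master => true` and no override the CNAME declared in config.pp is named after the host itself and collides with its A record — consider requiring `service_cname` whenever `is_cobbler_master` is set, and documenting both parameters in a class header.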
@@ -0,0 +1,48 @@
+# profiles::cobbler::selinux
+class profiles::cobbler::selinux inherits profiles::cobbler::params {
+
+ include profiles::cobbler::params
+
+ $tftpboot_path = $profiles::cobbler::params::tftpboot_path
+
+ # manage selinux requirements for cobbler
+ if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+ $enable_sebooleans = [
+ 'httpd_can_network_connect_cobbler',
+ 'httpd_serve_cobbler_files',
+ 'cobbler_can_network_connect'
+ ]
+
+ $enable_sebooleans.each |$bool| {
+ selboolean { $bool:
+ value => on,
+ persistent => true,
+ }
+ }
+
+ selinux::fcontext { $tftpboot_path:
+ ensure => 'present',
+ seltype => 'cobbler_var_lib_t',
+ pathspec => "${tftpboot_path}(/.*)?",
+ }
+ selinux::fcontext { '/data/cobbler':
+ ensure => 'present',
+ seltype => 'cobbler_var_lib_t',
+ pathspec => '/data/cobbler(/.*)?',
+ }
+
+ exec { "restorecon_${tftpboot_path}":
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "restorecon -Rv ${tftpboot_path}",
+ refreshonly => true,
+ subscribe => Selinux::Fcontext[$tftpboot_path],
+ }
+ exec { 'restorecon_/data/cobbler':
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => 'restorecon -Rv /data/cobbler',
+ refreshonly => true,
+ subscribe => Selinux::Fcontext['/data/cobbler'],
+ }
+ }
+}
diff --git a/site/profiles/manifests/cobbler/server.pp b/site/profiles/manifests/cobbler/server.pp
deleted file mode 100644
index 3dba1dc..0000000
--- a/site/profiles/manifests/cobbler/server.pp
+++ /dev/null
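Review bot: The class both `inherits profiles::cobbler::params` and does `include profiles::cobbler::params`, while the sibling classes config.pp and install.pp in this commit use `include` alone; settle on one form. The inherited scope is never used here — `$tftpboot_path` is read fully qualified — so `class profiles::cobbler::selinux {` plus the existing `include` is sufficient and avoids the legacy params-inheritance pattern. service.pp in this commit also inherits the params class without reading any parameter from it.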
@@ -1,119 +0,0 @@
-# profiles::cobbler::server
-class profiles::cobbler::server (
- Stdlib::Fqdn $service_cname,
- String $default_password_crypted,
- Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
- Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
- Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
- String $server = $::facts['networking']['ip'],
- String $next_server = $::facts['networking']['ip'],
- Boolean $pxe_just_once = true,
-) {
-
- include profiles::cobbler::ipxebins
-
- # manage the cobbler settings file
- file { '/etc/cobbler/settings.yaml':
- ensure => 'file',
- content => template('profiles/cobbler/settings.yaml.erb'),
- group => 'apache',
- owner => 'root',
- mode => '0640',
- require => Package['cobbler'],
- notify => Service['cobblerd'],
- }
-
- # fix permissions in /var/lib/cobbler/web.ss
- file {'/var/lib/cobbler/web.ss':
- ensure => 'file',
- group => 'root',
- owner => 'apache',
- mode => '0660',
- require => Package['cobbler'],
- notify => Service['cobblerd'],
- }
-
- # manage the debmirror config to meet cobbler requirements
- file { '/etc/debmirror.conf':
- ensure => 'file',
- content => template('profiles/cobbler/debmirror.conf.erb'),
- group => 'root',
- owner => 'root',
- mode => '0644',
- require => Package['debmirror'],
- }
-
- # manage the httpd ssl configuration
- file { '/etc/httpd/conf.d/ssl.conf':
- ensure => 'file',
- content => template('profiles/cobbler/httpd_ssl.conf.erb'),
- group => 'root',
- owner => 'root',
- mode => '0644',
- require => Package['httpd'],
- notify => Service['httpd'],
- }
-
- # manage the main ipxe menu script
- file { '/var/lib/tftpboot/main.ipxe':
- ensure => 'file',
- content => template('profiles/cobbler/main.ipxe.erb'),
- owner => 'root',
- group => 'root',
- mode => '0644',
- require => Package['cobbler'],
- }
-
- # ensure cobblerd is running
- service {'cobblerd':
- ensure => 'running',
- enable => true,
- require => File['/etc/cobbler/settings.yaml'],
- }
-
- # ensure httpd is running
- service {'httpd':
- ensure => 'running',
- enable => true,
- require => File['/etc/httpd/conf.d/ssl.conf'],
- }
-
- # export cnames for cobbler
- profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
- value => $::facts['networking']['hostname'],
- type => 'CNAME',
- record => "${service_cname}.",
- zone => $::facts['networking']['domain'],
- order => 10,
- }
-
- # manage selinux requirements for cobbler
- if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
-
- $enable_sebooleans = [
- 'httpd_can_network_connect_cobbler',
- 'httpd_serve_cobbler_files',
- 'cobbler_can_network_connect'
- ]
-
- $enable_sebooleans.each |$bool| {
- selboolean { $bool:
- value => on,
- persistent => true,
- }
- }
-
- selinux::fcontext { $tftpboot_path:
- ensure => 'present',
- seltype => 'cobbler_var_lib_t',
- pathspec => "${tftpboot_path}(/.*)?",
- }
-
- exec { "restorecon_${tftpboot_path}":
- path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
- command => "restorecon -Rv ${tftpboot_path}",
- refreshonly => true,
- subscribe => Selinux::Fcontext[$tftpboot_path],
- }
- }
-}
diff --git a/site/profiles/manifests/cobbler/service.pp b/site/profiles/manifests/cobbler/service.pp
new file mode 100644
index 0000000..63b2645
--- /dev/null
+++ b/site/profiles/manifests/cobbler/service.pp
@@ -0,0 +1,17 @@
+# profiles::cobbler::service
+class profiles::cobbler::service inherits profiles::cobbler::params {
+
+ # ensure cobblerd is running
+ service {'cobblerd':
+ ensure => 'running',
+ enable => true,
+ require => File['/etc/cobbler/settings.yaml'],
+ }
+
+ # ensure httpd is running
+ service {'httpd':
+ ensure => 'running',
+ enable => true,
+ require => File['/etc/httpd/conf.d/ssl.conf'],
+ }
+}
diff --git a/site/profiles/manifests/consul/prepared_query.pp b/site/profiles/manifests/consul/prepared_query.pp
new file mode 100644
index 0000000..16df79f
--- /dev/null
+++ b/site/profiles/manifests/consul/prepared_query.pp
@@ -0,0 +1,14 @@
+# profile::consul::prepared_query
+class profiles::consul::prepared_query (
+ String $root_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
+ Hash $rules = {},
+) {
+
+ $rules.each | $rule, $data | {
+ consul_prepared_query { $rule:
+ acl_api_token => $root_api_token,
+ hostname => $facts['networking']['ip'],
+ * => $data,
+ }
+ }
+}
diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp
index e2e9d06..f71c567 100644
--- a/site/profiles/manifests/consul/server.pp
+++ b/site/profiles/manifests/consul/server.pp
@@ -43,6 +43,8 @@ class profiles::consul::server (
Stdlib::Absolutepath $bin_dir = '/usr/bin',
Boolean $disable_remote_exec = true,
Boolean $disable_update_check = true,
+ Boolean $join_remote_regions = false,
+ Array[String] $remote_regions = [],
) {
# wait for all attributes to be ready
@@ -62,6 +64,21 @@ class profiles::consul::server (
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
+ if $join_remote_regions {
+ # get all nodes in the members_role for each other region
+ $region_to_servers = $remote_regions.reduce({}) |$memo, $region| {
+ $servers = sort(query_nodes("enc_role='${members_role}' and region='${region}'", 'networking.fqdn'))
+ $memo + { $region => $servers }
+ }
+
+ # sort and flatten the regions into a single array of fqdns
+ $remote_servers_array = sort(flatten($region_to_servers.values))
+
+ } else {
+ # else just send an empty array
+ $remote_servers_array = []
+ }
+
# else use provided array from params
}else{
$servers_array = $consul_servers
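Review bot: `$root_api_token` defaults to the ACL initial management token, which is the all-powerful bootstrap token; creating prepared queries only needs query-write rights, so a dedicated, scoped token for this class would keep the root token out of every consul server catalog. The parameter is a plain `String`, so the token value is also visible in the catalog and in any resource diff or report — `Sensitive[String]` would hide it if `consul_prepared_query` accepts a Sensitive value, which is worth confirming. The header comment reads `# profile::consul::prepared_query` while the class is `profiles::consul::prepared_query`.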
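Review bot: `$remote_servers_array` is assigned only inside the `query_nodes` branch (both arms of the new `if $join_remote_regions`), while the `}else{ $servers_array = $consul_servers` branch at the end of the hunk leaves it unset; the later hunk that emits `'retry_join_wan' => $remote_servers_array` then references an unassigned variable for hosts configured through `$consul_servers`, which is an error under `strict_variables` and an empty value otherwise. Unless that else branch assigns it further down (it continues outside the hunk), add `$remote_servers_array = []` there as well. `$region` is interpolated into the PQL string and `Array[String]` does not constrain its contents; a tighter type such as `Array[Pattern[/\A[a-z0-9-]+\z/]]` on `$remote_regions` would keep the query well-formed.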
@@ -97,7 +114,8 @@ class profiles::consul::server (
'performance' => { 'raft_multiplier' => $raft_multiplier },
'bind_addr' => $::facts['networking']['ip'],
'advertise_addr' => $::facts['networking']['ip'],
- 'retry_join' => $servers_array
+ 'retry_join' => $servers_array,
+ 'retry_join_wan' => $remote_servers_array,
},
}
}
@@ -109,6 +127,7 @@ class profiles::consul::server (
include profiles::nginx::simpleproxy
include profiles::consul::policies
include profiles::consul::tokens
+ include profiles::consul::prepared_query
# get the dns port from the $ports hash, otherwise use the default
$dns_port = pick($ports['dns'], 8600)
diff --git a/site/profiles/manifests/defaults.pp b/site/profiles/manifests/defaults.pp
index 1db27c8..c0b94a8 100644
--- a/site/profiles/manifests/defaults.pp
+++ b/site/profiles/manifests/defaults.pp
@@ -8,7 +8,9 @@ class profiles::defaults {
}
Package {
- ensure => present,
+ ensure => present,
+ require => Class['profiles::base::repos']
+
}
File {
@@ -29,6 +31,11 @@ class profiles::defaults {
}
Yumrepo {
- require => Class['profiles::pki::vaultca'],
+ ensure => 'present',
+ enabled => 1,
+ gpgcheck => 1,
+ mirrorlist => 'absent',
+ require => Class['profiles::pki::vaultca'],
+ notify => Exec['dnf_makecache'],
}
}
diff --git a/site/profiles/manifests/dhcp/server.pp b/site/profiles/manifests/dhcp/server.pp
index a4c6d98..726ff19 100644
--- a/site/profiles/manifests/dhcp/server.pp
+++ b/site/profiles/manifests/dhcp/server.pp
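Review bot: The resource defaults in defaults.pp now hard-reference `Class['profiles::base::repos']` for every `Package` and `Exec['dnf_makecache']` for every `Yumrepo`; any catalog that declares a package or repo without also containing those (the exec is declared in profiles::yum::global) fails with a missing-dependency error, and a `Package` declared inside `profiles::base::repos` itself would form a dependency cycle. `require => Yumrepo['puppet']` in the puppet/agent.pp hunk makes the same catalog-wide assumption about a repo named `puppet`. Either document at the top of `profiles::defaults` that those classes are mandatory in every catalog, or guard the references, e.g. `require => defined(Class['profiles::base::repos']) ? { true => Class['profiles::base::repos'], default => undef },`.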
@@ -13,25 +13,27 @@ class profiles::dhcp::server (
Hash $classes = {},
){
- class { 'dhcp':
- service_ensure => running,
- interfaces => $interfaces,
- ntpservers => $ntpservers,
- default_lease_time => $default_lease_time,
- globaloptions => $globaloptions
- }
-
- # if pools, import them
- $pools.each | $name, $data | {
- dhcp::pool { $name:
- * => $data,
+ if $facts['enc_role'] == 'roles::infra::dhcp::server' {
+ class { 'dhcp':
+ service_ensure => running,
+ interfaces => $interfaces,
+ ntpservers => $ntpservers,
+ default_lease_time => $default_lease_time,
+ globaloptions => $globaloptions
}
- }
- # if classes, import them
- $classes.each | $name, $data | {
- dhcp::dhcp_class { $name:
- * => $data,
+ # if pools, import them
+ $pools.each | $name, $data | {
+ dhcp::pool { $name:
+ * => $data,
+ }
+ }
+
+ # if classes, import them
+ $classes.each | $name, $data | {
+ dhcp::dhcp_class { $name:
+ * => $data,
+ }
}
}
}
diff --git a/site/profiles/manifests/edgecache/init.pp b/site/profiles/manifests/edgecache/init.pp
new file mode 100644
index 0000000..1112530
--- /dev/null
+++ b/site/profiles/manifests/edgecache/init.pp
@@ -0,0 +1,12 @@
+# profiles::edgecache::init
+class profiles::edgecache::init {
+
+ if $facts['enc_role'] == 'roles::infra::storage::edgecache' {
+
+ include profiles::edgecache::nginx
+ include profiles::edgecache::selinux
+
+ Class['profiles::edgecache::nginx']
+ -> Class['profiles::edgecache::selinux']
+ }
+}
diff --git a/site/profiles/manifests/edgecache/nginx.pp b/site/profiles/manifests/edgecache/nginx.pp
new file mode 100644
index 0000000..30e2c69
--- /dev/null
+++ b/site/profiles/manifests/edgecache/nginx.pp
@@ -0,0 +1,129 @@
+# profiles::edgecache::nginx
+class profiles::edgecache::nginx {
+
+ include profiles::edgecache::params
+
+ $data_root = $profiles::edgecache::params::data_root
+ $nginx_vhost = $profiles::edgecache::params::nginx_vhost
+ $nginx_aliases = $profiles::edgecache::params::nginx_aliases
+ $nginx_port = $profiles::edgecache::params::nginx_port
+ $nginx_ssl_port = $profiles::edgecache::params::nginx_ssl_port
+ $nginx_listen_mode = $profiles::edgecache::params::nginx_listen_mode
+ $nginx_cert_type = $profiles::edgecache::params::nginx_cert_type
+ $nginx_resolvers_enable = $profiles::edgecache::params::nginx_resolvers_enable
+ $nginx_resolvers_ipv4only = $profiles::edgecache::params::nginx_resolvers_ipv4only
+
+ # select the certificates to use based on cert type
+ case $nginx_cert_type {
+ 'puppet': {
+ $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+ $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+ }
+ 'vault': {
+ $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+ $selected_ssl_key = '/etc/pki/tls/vault/private.key'
+ }
+ default: {
+ # enum param prevents this ever being reached
+ }
+ }
+
+ # set variables based on the listen_mode
+ case $nginx_listen_mode {
+ 'http': {
+ $enable_ssl = false
+ $ssl_cert = undef
+ $ssl_key = undef
+ $listen_port = $nginx_port
+ $listen_ssl_port = undef
+ $extras_hash = {}
+ }
+ 'https': {
+ $enable_ssl = true
+ $ssl_cert = $selected_ssl_cert
+ $ssl_key = $selected_ssl_key
+ $listen_port = $nginx_ssl_port
+ $listen_ssl_port = $nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
+ }
+ 'both': {
+ $enable_ssl = true
+ $ssl_cert = $selected_ssl_cert
+ $ssl_key = $selected_ssl_key
+ $listen_port = $nginx_port
+ $listen_ssl_port = $nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
+ }
+ default: {
+ # enum param prevents this ever being reached
+ }
+ }
+
+ if $nginx_resolvers_ipv4only and $nginx_resolvers_enable {
+ $resolvers = $facts['nameservers'].join(' ')
+ file { '/etc/nginx/conf.d/resolvers.conf':
+ ensure => file,
+ content => "resolver ${resolvers} ipv4=on;\n",
+ }
+ }
+
+ # set the server_names
+ $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
+
+ # define the default parameters for the nginx server
+ $defaults = {
+ 'listen_port' => $listen_port,
+ 'server_name' => $server_names,
+ 'use_default_location' => true,
+ 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
+ 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
+ 'www_root' => "${data_root}/pub",
+ 'autoindex' => 'on',
+ 'ssl' => $enable_ssl,
+ 'ssl_cert' => $ssl_cert,
+ 'ssl_key' => $ssl_key,
+ 'ssl_port' => $listen_ssl_port,
+ }
+
+ # ensure the requires directories exist
+ $profiles::edgecache::params::directories.each |$name,$data| {
+ file { $name:
+ ensure => 'directory',
+ before => Class['nginx'],
+ mode => '0775',
+ * => $data,
+ }
+ }
+
+ # merge the hashes conditionally
+ $nginx_parameters = merge($defaults, $extras_hash)
+
+ # manage the nginx class
+ class { 'nginx':
+ proxy_cache_path => {
+ "${data_root}/cache" => 'cache:128m',
+ },
+ proxy_cache_levels => '1:2',
+ proxy_cache_keys_zone => 'cache:128m',
+ proxy_cache_max_size => '30000m',
+ proxy_cache_inactive => '60d',
+ proxy_temp_path => "${data_root}/cache_tmp",
+ }
+
+ # create the nginx vhost with the merged parameters
+ create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
+
+ # create location mirrors
+ $profiles::edgecache::params::mirrors.each |$name, $data| {
+ nginx::resource::location { "${nginx_vhost}_${name}":
+ server => $nginx_vhost,
+ ssl => true,
+ ssl_only => false,
+ * => $data,
+ }
+ }
+}
diff --git a/site/profiles/manifests/edgecache/params.pp b/site/profiles/manifests/edgecache/params.pp
new file mode 100644
index 0000000..0766ea7
--- /dev/null
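Review bot: `resolvers.conf` is only written when `$nginx_resolvers_ipv4only and $nginx_resolvers_enable` are both true, so enabling resolvers without the ipv4 flag silently configures nothing; both params default to false, which hides the gap. Key the block on `if $nginx_resolvers_enable {`, compute `$ipv4_flag = $nginx_resolvers_ipv4only ? { true => ' ipv4=on', default => '' }` and write `content => "resolver ${resolvers}${ipv4_flag};\n",`. The mirror locations are declared with `ssl => true` regardless of `$nginx_listen_mode`, but in `http` mode the server is created with `ssl => false`; `ssl => $enable_ssl` keeps the two consistent. `autoindex => 'on'` publishes a listing of `${data_root}/pub`, which is presumably intended for a mirror and deserves a comment saying so.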
+++ b/site/profiles/manifests/edgecache/params.pp
@@ -0,0 +1,15 @@
+# profiles::edgecache::params
+class profiles::edgecache::params (
+ Stdlib::Absolutepath $data_root = '/data/edgecache',
+ Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
+ Array[Stdlib::Host] $nginx_aliases = [],
+ Stdlib::Port $nginx_port = 80,
+ Stdlib::Port $nginx_ssl_port = 443,
+ Enum['http','https','both'] $nginx_listen_mode = 'http',
+ Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
+ Boolean $nginx_resolvers_enable = false,
+ Boolean $nginx_resolvers_ipv4only = false,
+ Hash $directories = {},
+ Hash $mirrors = {},
+){
+}
diff --git a/site/profiles/manifests/edgecache/selinux.pp b/site/profiles/manifests/edgecache/selinux.pp
new file mode 100644
index 0000000..c3b502b
--- /dev/null
+++ b/site/profiles/manifests/edgecache/selinux.pp
@@ -0,0 +1,56 @@
+# profiles::edgecache::selinux
+class profiles::edgecache::selinux {
+
+ include profiles::edgecache::params
+
+ $data_root = $profiles::edgecache::params::data_root
+
+ if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+ # set httpd_sys_content_t to all files under the www_root
+ selinux::fcontext { "${data_root}/pub":
+ ensure => 'present',
+ seltype => 'httpd_sys_content_t',
+ pathspec => "${data_root}/pub(/.*)?",
+ }
+
+ # set httpd_sys_rw_content_t to all files under the cache_root
+ selinux::fcontext { "${data_root}/cache":
+ ensure => 'present',
+ seltype => 'httpd_sys_rw_content_t',
+ pathspec => "${data_root}/cache(/.*)?",
+ }
+ selinux::fcontext { "${data_root}/cache_tmp":
+ ensure => 'present',
+ seltype => 'httpd_sys_rw_content_t',
+ pathspec => "${data_root}/cache_tmp(/.*)?",
+ }
+
+ # make sure we can connect to other hosts
+ selboolean { 'httpd_can_network_connect':
+ persistent => true,
+ value => 'on',
+ }
+
+ exec { "restorecon_${data_root}/pub":
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "restorecon -Rv ${data_root}/pub",
+ refreshonly => true,
+ subscribe => Selinux::Fcontext["${data_root}/pub"],
+ }
+
+ exec { "restorecon_${data_root}/cache":
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "restorecon -Rv ${data_root}/cache",
+ refreshonly => true,
+ subscribe => Selinux::Fcontext["${data_root}/cache"],
+ }
+
+ exec { "restorecon_${data_root}/cache_tmp":
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "restorecon -Rv ${data_root}/cache_tmp",
+ refreshonly => true,
+ subscribe => Selinux::Fcontext["${data_root}/cache_tmp"],
+ }
+ }
+}
diff --git a/site/profiles/manifests/firstrun/complete.pp b/site/profiles/manifests/firstrun/complete.pp
new file mode 100644
index 0000000..b79eaf2
--- /dev/null
+++ b/site/profiles/manifests/firstrun/complete.pp
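Review bot: `httpd_can_network_connect` lets nginx open outbound connections to any port; for a reverse proxy that only talks to upstream HTTP/HTTPS ports the narrower `httpd_can_network_relay` boolean is usually sufficient — check what the mirror locations in nginx.pp proxy to before granting the wide one, and record the reason in the `make sure we can connect to other hosts` comment. Note `value => 'on'` is quoted here while cobbler/selinux.pp in this commit uses the bareword `on`; pick one form.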
@@ -0,0 +1,19 @@
+# profiles::firstrun::complete
+class profiles::firstrun::complete {
+
+ file { '/root/.cache':
+ ensure => 'directory',
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ }
+
+ file {'/root/.cache/puppet_firstrun_complete':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ content => 'firstrun completed',
+ require => File['/root/.cache'],
+ }
+}
diff --git a/site/profiles/manifests/firstrun/init.pp b/site/profiles/manifests/firstrun/init.pp
new file mode 100644
index 0000000..c4845e1
--- /dev/null
+++ b/site/profiles/manifests/firstrun/init.pp
@@ -0,0 +1,20 @@
+# profiles::firstrun::init
+class profiles::firstrun::init {
+
+ # include the required CA certificates
+ include profiles::pki::vaultca
+
+ # fast install packages on the first run
+ include profiles::base::repos
+ include profiles::firstrun::packages
+
+ # mark the firstrun as done
+ include profiles::firstrun::complete
+
+
+ Class['profiles::defaults']
+ -> Class['profiles::pki::vaultca']
+ -> Class['profiles::base::repos']
+ -> Class['profiles::firstrun::packages']
+ -> Class['profiles::firstrun::complete']
+}
diff --git a/site/profiles/manifests/firstrun/packages.pp b/site/profiles/manifests/firstrun/packages.pp
new file mode 100644
index 0000000..5bcc6d4
--- /dev/null
+++ b/site/profiles/manifests/firstrun/packages.pp
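Review bot: The marker file `/root/.cache/puppet_firstrun_complete` is created with `mode => '0750'`, which puts the execute bit on a plain data file; `mode => '0640'` is all a marker needs. In the firstrun/init.pp hunk on the same line the ordering chain starts at `Class['profiles::defaults']`, but that class is not included by this class, so the chain only resolves when it is declared elsewhere in the catalog — confirm that or add the include.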
@@ -0,0 +1,27 @@
+# profiles::firstrun::packages
+class profiles::firstrun::packages {
+ # include the correct package repositories, define the install_packages exec
+ case $facts['os']['family'] {
+ 'RedHat': {
+ include profiles::yum::global
+ $install_command = 'dnf install -y'
+ }
+ 'Debian': {
+ include profiles::apt::global
+ $install_command = 'apt-get install -y'
+ }
+ default: {
+ fail("Unsupported OS family ${facts['os']['family']}")
+ }
+ }
+
+ # get all the packages to install, and convert into a space separated list
+ $packages = hiera_array('profiles::packages::install', [])
+ $package_list = $packages.join(' ')
+
+ # install all the packages
+ exec { 'install_packages':
+ command => "${install_command} ${package_list}",
+ path => ['/bin', '/usr/bin'],
+ }
+}
diff --git a/site/profiles/manifests/puppet/agent.pp b/site/profiles/manifests/puppet/agent.pp
index c911f0d..76164c1 100644
--- a/site/profiles/manifests/puppet/agent.pp
+++ b/site/profiles/manifests/puppet/agent.pp
@@ -19,7 +19,7 @@ class profiles::puppet::agent (
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
- require => Class['profiles::yum::puppet7'],
+ require => Yumrepo['puppet'],
}
# versionlock puppet-agent
diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp
index 2d80d30..5afa9a5 100644
--- a/site/profiles/manifests/puppet/puppetdb_sql.pp
+++ b/site/profiles/manifests/puppet/puppetdb_sql.pp
@@ -24,4 +24,12 @@ class profiles::puppet::puppetdb_sql (
contain ::puppetdb::database::postgresql
+ # create the postgresql::server::config_entry resources
+ $pg_config_entries = lookup('postgresql_config_entries', Hash[String, Data], 'hash', {})
+ $pg_config_entries.each |String $key, Data $value| {
+ postgresql::server::config_entry { $key:
+ ensure => 'present',
+ value => $value,
+ }
+ }
}
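Review bot: The `install_packages` exec has no `unless`, `creates` or `refreshonly`, so `dnf install -y …` runs on every agent run that includes this class, and when the hiera list is empty it runs with no package arguments and fails. Guard it with `unless => 'test -f /root/.cache/puppet_firstrun_complete'` (the marker firstrun/complete.pp writes) or skip the resource when `$packages` is empty, and replace the deprecated `hiera_array` with `lookup('profiles::packages::install', Array[String], 'unique', [])`. The package names are joined unquoted into a shell command string; `shell_join($packages)` instead of `$packages.join(' ')` keeps an odd hiera value from being interpreted by the shell.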
diff --git a/site/profiles/manifests/sql/galera_member.pp b/site/profiles/manifests/sql/galera_member.pp
index 66f189c..24fab57 100644
--- a/site/profiles/manifests/sql/galera_member.pp
+++ b/site/profiles/manifests/sql/galera_member.pp
@@ -47,7 +47,7 @@ class profiles::sql::galera_member (
}
# if it is, find hosts, sort them so they dont cause changes every run
- $servers_array = sort(query_nodes("enc_role='${galera_members_role}'", 'networking.fqdn'))
+ $servers_array = sort(query_nodes("enc_role='${galera_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
# else use provided array from params
}else{
@@ -103,7 +103,8 @@ class profiles::sql::galera_member (
'binlog_format' => 'ROW',
'default-storage-engine' => 'innodb',
'query_cache_size' => '0',
- 'query_cache_type' => '0'
+ 'query_cache_type' => '0',
+ 'bind-address' => $local_ip,
}
}
$default_override_options_galera = {
@@ -211,4 +212,5 @@ class profiles::sql::galera_member (
}else{
notice("${title} requires the servers_array to have 3 or more, currently it is ${length($servers_array)}.")
}
+
}
diff --git a/site/profiles/manifests/yum/base.pp b/site/profiles/manifests/yum/base.pp
deleted file mode 100644
index df86cd0..0000000
--- a/site/profiles/manifests/yum/base.pp
+++ /dev/null
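Review bot: `'bind-address' => $local_ip` introduces a variable that none of the three hunks assigns; if `$local_ip` is not set earlier in the class (which continues outside these hunks) the option renders empty and mariadb falls back to listening on all interfaces, undoing the hardening this line is for. Confirm the assignment exists, or use `$facts['networking']['ip']` directly as the consul profile in this commit does for `bind_addr`. The region filter added to the `query_nodes` call is a sensible narrowing; a short comment noting that clusters are now per-region would help the next reader.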
@@ -1,92 +0,0 @@
-# Class: profiles::yum::base
-#
-# This class manages the 'base', extras' and 'appstream' yum
-# repositories for a system, based on the provided list of managed repositories.
-#
-# Parameters:
-# -----------
-# - $managed_repos: An array containing the names of the repositories to be
-# managed. This can include 'base', 'extras',
-# and 'appstream'.
-#
-# - $baseurl: The base URL for the yum repositories. This should be the root
-# URL of your yum mirror server.
-#
-# Actions:
-# --------
-# - Sets up the 'base', extras', and 'appstream' yum repositories
-# as specified in the $managed_repos parameter, all using the provided baseurl.
-#
-# - Each repo configuration includes the baseurl parameterized with the OS
-# release version and architecture, and specifies the GPG key.
-#
-# Example usage:
-# --------------
-# To use this class with the default parameters:
-# class { 'profiles::yum::base':
-# managed_repos => ['base', 'extras', 'appstream'],
-# baseurl => 'http://mylocalmirror.com/yum',
-# }
-#
-class profiles::yum::base (
- Array[String] $managed_repos,
- String $baseurl,
- Enum[
- 'daily',
- 'weekly',
- 'monthly'
- ] $snapshot = 'daily',
-) {
- $release = $facts['os']['release']['full']
- $basearch = $facts['os']['architecture']
-
- if 'base' in $managed_repos {
- yumrepo { 'base':
- name => 'base',
- descr => 'base repository',
- target => '/etc/yum.repos.d/base.repo',
- baseurl => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/",
- gpgkey => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
- }
- }
-
- if 'extras' in $managed_repos {
- yumrepo { 'extras':
- name => 'extras',
- descr => 'extras repository',
- target => '/etc/yum.repos.d/extras.repo',
- baseurl => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/",
- gpgkey => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
- }
- }
-
- if 'appstream' in $managed_repos {
- yumrepo { 'appstream':
- name => 'appstream',
- descr => 'appstream repository',
- target => '/etc/yum.repos.d/appstream.repo',
- baseurl => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/",
- gpgkey => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
- }
- }
-
- if 'powertools' in $managed_repos {
- yumrepo { 'powertools':
- name => 'powertools',
- descr => 'powertools repository',
- target => '/etc/yum.repos.d/powertools.repo',
- baseurl => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/",
- gpgkey => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
- }
- }
-
- if 'highavailability' in $managed_repos {
- yumrepo { 'highavailability':
- name => 'highavailability',
- descr => 'highavailability repository',
- target => '/etc/yum.repos.d/highavailability.repo',
- baseurl => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/",
- gpgkey => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
- }
- }
-}
diff --git a/site/profiles/manifests/yum/epel.pp b/site/profiles/manifests/yum/epel.pp
deleted file mode 100644
index 575e099..0000000
--- a/site/profiles/manifests/yum/epel.pp
+++ /dev/null
@@ -1,48 +0,0 @@
-# Class: profiles::yum::epel
-#
-# This class manages the EPEL yum repository for the system.
-#
-# Parameters:
-# -----------
-# - $baseurl: The base URL for the EPEL yum repository. This should be the root
-# URL of your EPEL mirror server.
-#
-# Actions:
-# --------
-# - Checks the OS release version.
-#
-# - If the release version is 7, 8, or 9, it sets up the 'epel' yum repository
-#
-# - If the release version is not supported, it raises an error.
-#
-# Example usage:
-# --------------
-# To use this class with the default parameters:
-# include profiles::yum::epel
-#
-# To specify a custom base URL:
-# class { 'profiles::yum::epel':
-# baseurl => 'http://mylocalmirror.com/yum',
-# }
-class profiles::yum::epel (
- Array[String] $managed_repos,
- String $baseurl,
- Enum[
- 'daily',
- 'weekly',
- 'monthly'
- ] $snapshot = 'daily',
-) {
- $release = $facts['os']['release']['major']
- $basearch = $facts['os']['architecture']
-
- if 'epel' in $managed_repos {
- yumrepo { 'epel':
- name => 'epel',
- descr => 'epel repository',
- target => '/etc/yum.repos.d/epel.repo',
- baseurl => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/",
- gpgkey => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/RPM-GPG-KEY-EPEL-${release}",
- }
- }
-}
diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp
index 2296b7f..a9fbef5 100644
--- a/site/profiles/manifests/yum/global.pp
+++ b/site/profiles/manifests/yum/global.pp
@@ -1,48 +1,7 @@
# Class: profiles::yum::global
-#
-# This class manages global YUM configurations and optionally includes the
-# base and EPEL yum repository profiles based on the content of the
-# $managed_repos parameter, which is an array of repository names.
-#
-# Parameters:
-# -----------
-# - $managed_repos: An array of repository names that the Puppet agent should
-# manage. This parameter is mandatory and the class will
-# fail if it is not provided via hieradata.
-# Example: ['base', 'updates', 'extras', 'appstream']
-#
-# Actions:
-# --------
-# - Configures global YUM settings, including keeping the kernel development
-# packages and cleaning old kernels.
-#
-# - Establishes default parameters for any YUM repositories managed by Puppet.
-# This includes the repository file location, the repository description,
-# and enabling the repository and GPG checks.
-#
-# - Depending on the content of the $managed_repos parameter, it includes the
-# profiles::yum::base and/or profiles::yum::epel classes.
-#
-# - Manages all .repo files under /etc/yum.repos.d. All the repositories listed
-# in $managed_repos will have their corresponding .repo files preserved. Any
-# .repo file that is not listed in $managed_repos will be removed.
-#
-# - Creates and maintains a /etc/yum.repos.d/.managed file that lists all the
-# .repo files that should be managed by Puppet.
-#
-# Example usage:
-# --------------
-# To use this class, include the class and configure hieradata:
-# include profiles::yum::global
-#
-# profiles::yum::managed_repos:
-# - 'base'
-# - 'extras'
-# - 'appstream'
-#
class profiles::yum::global (
- Array[String] $managed_repos,
- Boolean $purge = true,
+ Hash $repos = {},
+ Boolean $purge = true,
){
class { 'yum':
keep_kernel_devel => true,
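Review bot: The whole class header documentation is deleted and the new `Hash $repos` parameter is left undescribed, so a reader can no longer tell what shape the hash takes (the next hunk passes it straight to `create_resources('yumrepo', $repos)`, so keys are repo names and values are yumrepo attributes) nor that a `gpgkey` entry triggers a key download and import. Add a short header under `# Class: profiles::yum::global` such as `# Manages yum.conf and every yumrepo listed in $repos (name => yumrepo attributes, merged from hiera); repos not in the hash are purged when $purge is true, and a repo's gpgkey URL is fetched and imported before the repo is created.`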
@@ -52,54 +11,34 @@ class profiles::yum::global ( }, } - Yumrepo { - ensure => 'present', - enabled => 1, - gpgcheck => 1, - mirrorlist => 'absent', - } - + # purge all yum repos not defined by puppet resources { 'yumrepo': purge => $purge, } - # Generate the content for the .managed file - $managed_file_content = $managed_repos.map |$repo_name| { "${repo_name}.repo" }.join("\n") + # download all gpg keys if a repo defines it + $repos.each |$name, $repo| { + if $repo['gpgkey'] { + $key_url = $repo['gpgkey'] + $key_file = "/etc/pki/rpm-gpg/${name}-gpg-key" - # Create the .managed file - file { '/etc/yum.repos.d/.managed': - ensure => file, - content => $managed_file_content, + exec { "download_gpg_key_${name}": + command => "curl -s -o ${key_file} ${key_url} && rpm --import ${key_file}", + path => ['/bin', 'usr/bin'], + creates => $key_file, + before => Yumrepo[$name], + } + } } - # Setup base repos - class { 'profiles::yum::base': - managed_repos => $managed_repos, - require => Class['profiles::pki::vaultca'], - } + # create repos + create_resources('yumrepo', $repos) - # Setup epel if included in managed_repos - class { 'profiles::yum::epel': - managed_repos => $managed_repos, - require => Class['profiles::pki::vaultca'], - } - - # Setup puppet7 if included in managed_repos - class { 'profiles::yum::puppet7': - managed_repos => $managed_repos, - require => Class['profiles::pki::vaultca'], - } - - # Setup unkin repo if included in managed_repos - class { 'profiles::yum::unkin': - managed_repos => $managed_repos, - require => Class['profiles::pki::vaultca'], - } - - # Setup ovirt repo if included in managed_repos - class { 'profiles::yum::ovirt': - managed_repos => $managed_repos, - require => Class['profiles::pki::vaultca'], + # makecache if changes made to repos + exec {'dnf_makecache': + command => 'dnf makecache -q', + path => ['/usr/bin', '/bin'], + refreshonly => true, } # setup dnf-autoupdate 
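Review bot: `curl -s -o ${key_file} ${key_url}` has no `-f`/`--fail`, so an HTTP error body (404, proxy block page) is written to `$key_file` with exit status 0; `rpm --import` then fails, but because `creates => $key_file` is now satisfied the exec is never retried and the repo stays without its signing key on every later run. Use `command => "curl -sSf -o ${key_file} ${key_url} && rpm --import ${key_file}",` and either remove the file on failure or replace `creates` with an `unless` that checks for the imported key, so a stale partial download cannot mask the problem; the key is what validates every package from that repo, so `$key_url` should also be an https URL now that the `require => Class['profiles::pki::vaultca']` ordering is gone. The entry `path => ['/bin', 'usr/bin'],` is missing its leading slash. Nothing in this hunk notifies `Exec['dnf_makecache']`, and with `refreshonly => true` it never fires unless the yumrepo entries in `$repos` carry a `notify`; the class body continues past the hunk, so if that wiring lives there a comment on the exec should say so.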
diff --git a/site/profiles/manifests/yum/mariadb.pp b/site/profiles/manifests/yum/mariadb.pp deleted file mode 100644 index 3c6c4e6..0000000 --- a/site/profiles/manifests/yum/mariadb.pp +++ /dev/null @@ -1,25 +0,0 @@ -# Class: profiles::yum::mariadb -# -# This class manages the mariadb yum repository for the system. -# -class profiles::yum::mariadb ( - String $baseurl = 'https://repos.main.unkin.net', - String $version = '11.2', - Enum[ - 'daily', - 'weekly', - 'monthly' - ] $snapshot = 'daily', -) { - $release = $facts['os']['release']['major'] - $basearch = $facts['os']['architecture'] - - yumrepo { 'mariadb': - name => 'mariadb', - descr => 'mariadb repository', - target => '/etc/yum.repos.d/mariadb.repo', - baseurl => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/", - gpgkey => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/RPM-GPG-KEY-MariaDB", - require => Class['profiles::pki::vaultca'], - } -} diff --git a/site/profiles/manifests/yum/ovirt.pp b/site/profiles/manifests/yum/ovirt.pp deleted file mode 100644 index d04b145..0000000 --- a/site/profiles/manifests/yum/ovirt.pp +++ /dev/null 
@@ -1,48 +0,0 @@ -# Class: profiles::yum::ovirt -class profiles::yum::ovirt ( - Array[String] $managed_repos, - String $baseurl, - Enum[ - 'daily', - 'weekly', - 'monthly' - ] $snapshot = 'daily', -) { - $release = $facts['os']['release']['major'] - $basearch = $facts['os']['architecture'] - - $centos_nonstream = [ - 'virt-advanced-virtualization', - 'storage-ceph-pacific' - ] - $centos_stream = [ - 'cloud-openstack-xena', - 'messaging-rabbitmq-38', - 'nfv-openvswitch-2', - 'opstools-collectd-5', - 'storage-gluster-10', - 'virt-ovirt-45' - ] - $centos_nonstream.each |$name| { - if $name in $managed_repos { - yumrepo { $name: - name => $name, - descr => $name, - target => '/etc/yum.repos.d/ovirt.repo', - baseurl => "${baseurl}/${release}/${name}-20240311/${basearch}/os/", - gpgcheck => false, - } - } - } - $centos_stream.each |$name| { - if $name in $managed_repos { - yumrepo { $name: - name => $name, - descr => $name, - target => '/etc/yum.repos.d/ovirt.repo', - baseurl => "${baseurl}/${release}-stream/${name}-20240311/${basearch}/os/", - gpgcheck => false, - } - } - } -} diff --git a/site/profiles/manifests/yum/puppet7.pp b/site/profiles/manifests/yum/puppet7.pp deleted file mode 100644 index 1d6c802..0000000 --- a/site/profiles/manifests/yum/puppet7.pp +++ /dev/null 
@@ -1,48 +0,0 @@ -# Class: profiles::yum::epel -# -# This class manages the puppet7 yum repository for the system. -# -# Parameters: -# ----------- -# - $baseurl: The base URL for the puppet7 yum repository. This should be the root -# URL of your puppet7 mirror server. -# -# Actions: -# -------- -# - Checks the OS release version. -# -# - If the release version is 7, 8, or 9, it sets up the 'puppet7' yum repository -# and installs the puppet7 release RPM from the provided baseurl. -# -# - If the release version is not supported, it raises an error. -# -# - The repo configuration includes the baseurl parameterized with the OS -# release version and architecture, and specifies the GPG key. -# -# Example usage: -# -------------- -# To use this class with the default parameters: -# include profiles::yum::puppet7 -# -# To specify a custom base URL: -# class { 'profiles::yum::puppet7': -# baseurl => 'http://mylocalmirror.com/yum', -# } -class profiles::yum::puppet7 ( - Array[String] $managed_repos, - String $baseurl = 'http://repos.main.unkin.net/puppet7', -) { - $releasever = $facts['os']['release']['major'] - $basearch = $facts['os']['architecture'] - - if 'puppet7' in $managed_repos { - yumrepo { 'puppet7': - name => 'puppet7', - descr => 'puppet7 repository', - target => '/etc/yum.repos.d/puppet7.repo', - baseurl => "${baseurl}/el/${releasever}-daily/${basearch}/os/", - gpgkey => 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406', - #gpgkey => "${baseurl}/el/${releasever}-daily/${basearch}/os/RPM-GPG-KEY-puppet", - } - } -} diff --git a/site/profiles/manifests/yum/unkin.pp b/site/profiles/manifests/yum/unkin.pp deleted file mode 100644 index be5be37..0000000 --- a/site/profiles/manifests/yum/unkin.pp +++ /dev/null 
@@ -1,23 +0,0 @@ -# Class: profiles::yum::unkin -class profiles::yum::unkin ( - Array[String] $managed_repos, - String $baseurl, - Enum[ - 'daily', - 'weekly', - 'monthly' - ] $snapshot = 'daily', -) { - $release = $facts['os']['release']['major'] - $basearch = $facts['os']['architecture'] - - if 'unkin' in $managed_repos { - yumrepo { 'unkin': - name => 'unkin', - descr => 'unkin repository', - target => '/etc/yum.repos.d/unkin.repo', - baseurl => "${baseurl}/${::facts['os']['release']['major']}/${basearch}/os/", - gpgcheck => false, - } - } -} diff --git a/site/roles/manifests/base.pp b/site/roles/manifests/base.pp index d6a7fa2..371974f 100644 --- a/site/roles/manifests/base.pp +++ b/site/roles/manifests/base.pp @@ -1,6 +1,11 @@ # a role to deploy the base system # work in progress class roles::base { - include profiles::defaults - include profiles::base + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + } } diff --git a/site/roles/manifests/infra/cobbler/server.pp b/site/roles/manifests/infra/cobbler/server.pp index 65d8541..5ffd2a6 100644 --- a/site/roles/manifests/infra/cobbler/server.pp +++ b/site/roles/manifests/infra/cobbler/server.pp @@ -1,7 +1,11 @@ # cobbler server profile class roles::infra::cobbler::server { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::cobbler::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::base + include profiles::base::datavol + include profiles::cobbler::init + } } diff --git a/site/roles/manifests/infra/db/redis.pp b/site/roles/manifests/infra/db/redis.pp index fda1b3a..af3bfce 100644 --- a/site/roles/manifests/infra/db/redis.pp +++ b/site/roles/manifests/infra/db/redis.pp 
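Review bot: Every role here branches on `$facts['firstrun']`, and a fact's value is reported by the agent itself; if it comes from a facts.d text file it is a string, and in Puppet any non-empty string including `'false'` is truthy, so a node that writes `firstrun=false` would still be steered into the `profiles::firstrun::init` branch and never receive `profiles::base`. Compare against the explicit value the fact is expected to carry (e.g. `if $facts['firstrun'] == true {` for a boolean fact) and consider whether a node-controlled switch that withholds the base profile should instead be driven from the ENC or a `$trusted` fact so the decision stays server-side. The same pattern is repeated in cobbler/server.pp, redis.pp, dhcp/server.pp, dns/master.pp, dns/resolver.pp, halb/haproxy.pp, metrics/grafana.pp, metrics/prometheus.pp, ntp/server.pp, ovirt/engine.pp, ovirt/node.pp, proxmox/node.pp, puppet/master.pp, puppetboard/server.pp, puppetdb/api.pp, puppetdb/sql.pp, reposync/syncer.pp, sql/galera.pp, storage/consul.pp, storage/edgecache.pp, storage/minio.pp and storage/vault.pp. Separately, the `else` branch of roles::infra::cobbler::server is the only one that no longer includes `profiles::defaults`, which looks like an omission rather than intent. `}else{` should be written `} else {` to match the surrounding style.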
@@ -1,6 +1,10 @@ - # a role to deploy a redis node class roles::infra::db::redis { - include profiles::defaults - include profiles::base + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + } } diff --git a/site/roles/manifests/infra/dhcp/server.pp b/site/roles/manifests/infra/dhcp/server.pp index 86a3606..1a27e17 100644 --- a/site/roles/manifests/infra/dhcp/server.pp +++ b/site/roles/manifests/infra/dhcp/server.pp @@ -1,6 +1,11 @@ # dhcp server profile class roles::infra::dhcp::server { - include profiles::defaults - include profiles::base - include profiles::dhcp::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::dhcp::server + } } diff --git a/site/roles/manifests/infra/dns/master.pp b/site/roles/manifests/infra/dns/master.pp index e5d50de..fbf5192 100644 --- a/site/roles/manifests/infra/dns/master.pp +++ b/site/roles/manifests/infra/dns/master.pp @@ -2,7 +2,12 @@ # defines a dns server with master-only zones # class roles::infra::dns::master { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::dns::master + } } diff --git a/site/roles/manifests/infra/dns/resolver.pp b/site/roles/manifests/infra/dns/resolver.pp index 606ca9f..3277cad 100644 --- a/site/roles/manifests/infra/dns/resolver.pp +++ b/site/roles/manifests/infra/dns/resolver.pp @@ -2,7 +2,12 @@ # defines a dns server with forward-only zones # class roles::infra::dns::resolver { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::dns::resolver + } } 
diff --git a/site/roles/manifests/infra/halb/haproxy.pp b/site/roles/manifests/infra/halb/haproxy.pp index 6b128b4..87a2d41 100644 --- a/site/roles/manifests/infra/halb/haproxy.pp +++ b/site/roles/manifests/infra/halb/haproxy.pp @@ -1,6 +1,11 @@ # a role to deploy a haproxy node class roles::infra::halb::haproxy { - include profiles::defaults - include profiles::base - include profiles::haproxy::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::haproxy::server + } } diff --git a/site/roles/manifests/infra/metrics/grafana.pp b/site/roles/manifests/infra/metrics/grafana.pp index db6f757..2f99f8d 100644 --- a/site/roles/manifests/infra/metrics/grafana.pp +++ b/site/roles/manifests/infra/metrics/grafana.pp @@ -1,5 +1,10 @@ # a role to deploy a grafana service class roles::infra::metrics::grafana { - include profiles::defaults - include profiles::base + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + } } diff --git a/site/roles/manifests/infra/metrics/prometheus.pp b/site/roles/manifests/infra/metrics/prometheus.pp index d3dd8ea..1b2ee1c 100644 --- a/site/roles/manifests/infra/metrics/prometheus.pp +++ b/site/roles/manifests/infra/metrics/prometheus.pp @@ -1,7 +1,12 @@ # a role to deploy a prometheus server class roles::infra::metrics::prometheus { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::metrics::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::metrics::server + } } diff --git a/site/roles/manifests/infra/ntp/server.pp b/site/roles/manifests/infra/ntp/server.pp index cfc685d..4ff34f3 100644 
--- a/site/roles/manifests/infra/ntp/server.pp +++ b/site/roles/manifests/infra/ntp/server.pp @@ -1,6 +1,11 @@ # a role to deploy a ntp server class roles::infra::ntp::server { - include profiles::defaults - include profiles::base - include profiles::ntp::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::ntp::server + } } diff --git a/site/roles/manifests/infra/ovirt/engine.pp b/site/roles/manifests/infra/ovirt/engine.pp index f437516..1e998f3 100644 --- a/site/roles/manifests/infra/ovirt/engine.pp +++ b/site/roles/manifests/infra/ovirt/engine.pp @@ -1,5 +1,10 @@ # role to manage ovirt management engine nodes class roles::infra::ovirt::engine { - include profiles::defaults - include profiles::base + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + } } diff --git a/site/roles/manifests/infra/ovirt/node.pp b/site/roles/manifests/infra/ovirt/node.pp index 5182092..026a25f 100644 --- a/site/roles/manifests/infra/ovirt/node.pp +++ b/site/roles/manifests/infra/ovirt/node.pp @@ -1,6 +1,11 @@ # role to manage ovirt hypervisor nodes class roles::infra::ovirt::node { - include profiles::defaults - include profiles::base - include profiles::ovirt::node + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::ovirt::node + } } diff --git a/site/roles/manifests/infra/proxmox/node.pp b/site/roles/manifests/infra/proxmox/node.pp index 62bc14f..ccf41b6 100644 --- a/site/roles/manifests/infra/proxmox/node.pp +++ b/site/roles/manifests/infra/proxmox/node.pp 
@@ -1,6 +1,11 @@ # manage the installation of a proxmox node class roles::infra::proxmox::node { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::proxmox::init + } } diff --git a/site/roles/manifests/infra/puppet/master.pp b/site/roles/manifests/infra/puppet/master.pp index 01e8877..c29ab7a 100644 --- a/site/roles/manifests/infra/puppet/master.pp +++ b/site/roles/manifests/infra/puppet/master.pp @@ -1,7 +1,12 @@ # a role to deploy the puppetmaster # work in progress class roles::infra::puppet::master { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::puppet::puppetmaster } +} diff --git a/site/roles/manifests/infra/puppetboard/server.pp b/site/roles/manifests/infra/puppetboard/server.pp index 4742810..e2d772d 100644 --- a/site/roles/manifests/infra/puppetboard/server.pp +++ b/site/roles/manifests/infra/puppetboard/server.pp @@ -1,6 +1,11 @@ # a role to deploy the puppetboard class roles::infra::puppetboard::server { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::puppet::puppetboard } +} diff --git a/site/roles/manifests/infra/puppetdb/api.pp b/site/roles/manifests/infra/puppetdb/api.pp index 65bee4c..7d50c47 100644 --- a/site/roles/manifests/infra/puppetdb/api.pp +++ b/site/roles/manifests/infra/puppetdb/api.pp @@ -1,6 +1,11 @@ # a role to deploy the puppetdb api service class roles::infra::puppetdb::api { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::puppet::puppetdb_api } +} 
diff --git a/site/roles/manifests/infra/puppetdb/sql.pp b/site/roles/manifests/infra/puppetdb/sql.pp index 97ebc96..7f13859 100644 --- a/site/roles/manifests/infra/puppetdb/sql.pp +++ b/site/roles/manifests/infra/puppetdb/sql.pp @@ -1,6 +1,11 @@ # a role to deploy the puppetdb postgresql service class roles::infra::puppetdb::sql { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ include profiles::defaults include profiles::base include profiles::puppet::puppetdb_sql } +} diff --git a/site/roles/manifests/infra/reposync/syncer.pp b/site/roles/manifests/infra/reposync/syncer.pp index 8c5a613..9c41fe3 100644 --- a/site/roles/manifests/infra/reposync/syncer.pp +++ b/site/roles/manifests/infra/reposync/syncer.pp @@ -1,7 +1,12 @@ # a role to deploy a packagerepo class roles::infra::reposync::syncer { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::reposync::syncer + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::reposync::syncer + } } diff --git a/site/roles/manifests/infra/sql/galera.pp b/site/roles/manifests/infra/sql/galera.pp index a116c8c..2628f81 100644 --- a/site/roles/manifests/infra/sql/galera.pp +++ b/site/roles/manifests/infra/sql/galera.pp @@ -1,7 +1,15 @@ # a role to deploy a mariadb galera node class roles::infra::sql::galera { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::sql::galera_member + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + + if $facts['enc_role'] == 'roles::infra::sql::galera' { + include profiles::sql::galera_member + } + } } 
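Review bot: `if $facts['enc_role'] == 'roles::infra::sql::galera'` gates cluster membership on a node-reported fact, yet the check sits inside the very class the ENC assigns, so it appears to be either always true or to silently drop `profiles::sql::galera_member` with nothing logged. If the intent is to skip galera on hosts whose ENC role differs from this class, a comment such as `# only join the cluster when the ENC assigned this exact role; other callers get the base profiles only` plus a `notice()` in an explicit else branch would make that visible in reports. Because `enc_role` is an ordinary fact rather than `$trusted` data, a host can steer itself into or out of the cluster; deriving the decision from the ENC classification itself would keep it server-side.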
diff --git a/site/roles/manifests/infra/storage/consul.pp b/site/roles/manifests/infra/storage/consul.pp index e47a108..143b167 100644 --- a/site/roles/manifests/infra/storage/consul.pp +++ b/site/roles/manifests/infra/storage/consul.pp @@ -1,8 +1,12 @@ - # a role to deploy a consul node class roles::infra::storage::consul { - include profiles::defaults - include profiles::base - include profiles::base::datavol - include profiles::consul::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::consul::server + } } diff --git a/site/roles/manifests/infra/storage/edgecache.pp b/site/roles/manifests/infra/storage/edgecache.pp new file mode 100644 index 0000000..7d9d655 --- /dev/null +++ b/site/roles/manifests/infra/storage/edgecache.pp @@ -0,0 +1,12 @@ +# a role to deploy an edgecache +class roles::infra::storage::edgecache { + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::base::datavol + include profiles::edgecache::init + } +} diff --git a/site/roles/manifests/infra/storage/minio.pp b/site/roles/manifests/infra/storage/minio.pp index 72411e8..d436e8e 100644 --- a/site/roles/manifests/infra/storage/minio.pp +++ b/site/roles/manifests/infra/storage/minio.pp @@ -1,6 +1,11 @@ # a role to deploy a minio node class roles::infra::storage::minio { - include profiles::defaults - include profiles::base - include profiles::minio::server + if $facts['firstrun'] { + include profiles::defaults + include profiles::firstrun::init + }else{ + include profiles::defaults + include profiles::base + include profiles::minio::server + } } diff --git a/site/roles/manifests/infra/storage/vault.pp b/site/roles/manifests/infra/storage/vault.pp index fce67af..9e11b14 100644 
--- a/site/roles/manifests/infra/storage/vault.pp
+++ b/site/roles/manifests/infra/storage/vault.pp
@@ -1,7 +1,12 @@
 # a role to deploy a vault node
 class roles::infra::storage::vault {
- include profiles::defaults
- include profiles::base
- include profiles::base::datavol
- include profiles::vault::server
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ include profiles::base::datavol
+ include profiles::vault::server
+ }
 }