Merge branch 'develop' into neoloc/syd1_puppetdb
@@ -3,59 +3,64 @@ class profiles::base (
|
||||
Array $puppet_servers,
|
||||
) {
|
||||
|
||||
# install the vault ca first
|
||||
include profiles::pki::vaultca
|
||||
# run a limited set of classes on the first run aimed at bootstrapping the new node
|
||||
if $facts['firstrun'] {
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
|
||||
# manage the puppet agent
|
||||
include profiles::puppet::agent
|
||||
# install the vault ca first
|
||||
include profiles::pki::vaultca
|
||||
|
||||
# manage puppet clients
|
||||
if ! member($puppet_servers, $trusted['certname']) {
|
||||
include profiles::puppet::client
|
||||
# manage the puppet agent
|
||||
include profiles::puppet::agent
|
||||
|
||||
# manage puppet clients
|
||||
if ! member($puppet_servers, $trusted['certname']) {
|
||||
include profiles::puppet::client
|
||||
}
|
||||
|
||||
# include the base profiles
|
||||
include profiles::base::repos
|
||||
include profiles::packages
|
||||
include profiles::base::facts
|
||||
include profiles::base::motd
|
||||
include profiles::base::scripts
|
||||
include profiles::base::hosts
|
||||
include profiles::base::groups
|
||||
include profiles::base::root
|
||||
include profiles::accounts::sysadmin
|
||||
include profiles::ntp::client
|
||||
include profiles::dns::base
|
||||
include profiles::pki::vault
|
||||
include profiles::cloudinit::init
|
||||
include profiles::metrics::default
|
||||
include profiles::helpers::node_lookup
|
||||
include profiles::consul::client
|
||||
|
||||
# include the python class
|
||||
class { 'python':
|
||||
manage_python_package => true,
|
||||
manage_venv_package => true,
|
||||
manage_pip_package => true,
|
||||
use_epel => false,
|
||||
}
|
||||
|
||||
# all hosts will have sudo applied
|
||||
class { 'sudo':
|
||||
secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
|
||||
}
|
||||
|
||||
# manage virtualised guest agents
|
||||
if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' {
|
||||
include profiles::qemu::agent
|
||||
}
|
||||
|
||||
# include classes from hiera
|
||||
lookup('hiera_classes', Array[String], 'unique').include
|
||||
|
||||
# specifc ordering constraints
|
||||
Class['profiles::pki::vaultca']
|
||||
-> Class['profiles::base::repos']
|
||||
-> Class['profiles::packages']
|
||||
}
|
||||
|
||||
# include the base profiles
|
||||
include profiles::base::repos
|
||||
include profiles::packages
|
||||
include profiles::base::facts
|
||||
include profiles::base::motd
|
||||
include profiles::base::scripts
|
||||
include profiles::base::hosts
|
||||
include profiles::base::groups
|
||||
include profiles::base::root
|
||||
include profiles::accounts::sysadmin
|
||||
include profiles::ntp::client
|
||||
include profiles::dns::base
|
||||
include profiles::pki::vault
|
||||
include profiles::cloudinit::init
|
||||
include profiles::metrics::default
|
||||
include profiles::helpers::node_lookup
|
||||
include profiles::consul::client
|
||||
|
||||
# include the python class
|
||||
class { 'python':
|
||||
manage_python_package => true,
|
||||
manage_venv_package => true,
|
||||
manage_pip_package => true,
|
||||
use_epel => false,
|
||||
}
|
||||
|
||||
# all hosts will have sudo applied
|
||||
class { 'sudo':
|
||||
secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
|
||||
}
|
||||
|
||||
# manage virtualised guest agents
|
||||
if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' {
|
||||
include profiles::qemu::agent
|
||||
}
|
||||
|
||||
# include classes from hiera
|
||||
lookup('hiera_classes', Array[String], 'unique').include
|
||||
|
||||
# specifc ordering constraints
|
||||
Class['profiles::pki::vaultca']
|
||||
-> Class['profiles::base::repos']
|
||||
-> Class['profiles::packages']
|
||||
|
||||
}
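Review bot: The `if $facts['firstrun']` branch decides whether a node skips the whole baseline (the `sudo` class, profiles::base::root, profiles::accounts::sysadmin, profiles::puppet::agent) on an agent-reported fact that the node itself controls, while the puppet-server check a few lines later correctly uses `$trusted['certname']`. A host that keeps reporting `firstrun => true` never receives those classes and nothing in the catalog says so. If the fact is derived from the marker written by profiles::firstrun::complete, state that here, e.g. `# firstrun is a plain (unauthenticated) fact: only the bootstrap classes run while a node reports it; see profiles::firstrun::complete for what clears it`, and consider bounding the bootstrap window server-side (a trusted certificate extension or ENC data) rather than a custom fact. The ordering chain at the end is good; a comment that `profiles::pki::vaultca` must precede the repos because the mirrors are HTTPS behind the vault CA would explain why it is pinned first.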
|
||||
|
||||
@@ -0,0 +1,77 @@
|
||||
# profiles::cobbler::config
|
||||
class profiles::cobbler::config {
|
||||
|
||||
include profiles::cobbler::params
|
||||
|
||||
$default_password_crypted = $profiles::cobbler::params::default_password_crypted
|
||||
$httpd_ssl_certificate = $profiles::cobbler::params::httpd_ssl_certificate
|
||||
$httpd_ssl_privatekey = $profiles::cobbler::params::httpd_ssl_privatekey
|
||||
$pxe_just_once = $profiles::cobbler::params::pxe_just_once
|
||||
$is_cobbler_master = $profiles::cobbler::params::is_cobbler_master
|
||||
$service_cname = $profiles::cobbler::params::service_cname
|
||||
$next_server = $profiles::cobbler::params::next_server
|
||||
$server = $profiles::cobbler::params::server
|
||||
|
||||
# manage the cobbler settings file
|
||||
file { '/etc/cobbler/settings.yaml':
|
||||
ensure => 'file',
|
||||
content => template('profiles/cobbler/settings.yaml.erb'),
|
||||
group => 'apache',
|
||||
owner => 'root',
|
||||
mode => '0640',
|
||||
require => Package['cobbler'],
|
||||
notify => Service['cobblerd'],
|
||||
}
|
||||
|
||||
# manage the debmirror config to meet cobbler requirements
|
||||
file { '/etc/debmirror.conf':
|
||||
ensure => 'file',
|
||||
content => template('profiles/cobbler/debmirror.conf.erb'),
|
||||
group => 'root',
|
||||
owner => 'root',
|
||||
mode => '0644',
|
||||
require => Package['debmirror'],
|
||||
}
|
||||
|
||||
# manage the httpd ssl configuration
|
||||
file { '/etc/httpd/conf.d/ssl.conf':
|
||||
ensure => 'file',
|
||||
content => template('profiles/cobbler/httpd_ssl.conf.erb'),
|
||||
group => 'root',
|
||||
owner => 'root',
|
||||
mode => '0644',
|
||||
require => Package['httpd'],
|
||||
notify => Service['httpd'],
|
||||
}
|
||||
|
||||
# fix permissions in /var/lib/cobbler/web.ss
|
||||
file {'/var/lib/cobbler/web.ss':
|
||||
ensure => 'file',
|
||||
group => 'root',
|
||||
owner => 'apache',
|
||||
mode => '0660',
|
||||
require => Package['cobbler'],
|
||||
notify => Service['cobblerd'],
|
||||
}
|
||||
|
||||
# manage the main ipxe menu script
|
||||
file { '/var/lib/tftpboot/main.ipxe':
|
||||
ensure => 'file',
|
||||
content => template('profiles/cobbler/main.ipxe.erb'),
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
require => Package['cobbler'],
|
||||
}
|
||||
|
||||
# export cnames for cobbler
|
||||
if $is_cobbler_master {
|
||||
profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
|
||||
value => $::facts['networking']['hostname'],
|
||||
type => 'CNAME',
|
||||
record => "${service_cname}.",
|
||||
zone => $::facts['networking']['domain'],
|
||||
order => 10,
|
||||
}
|
||||
}
|
||||
}
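Review bot: `File['/etc/httpd/conf.d/ssl.conf']` notifies httpd only when the rendered config changes, so a renewed certificate at `$httpd_ssl_certificate` / `$httpd_ssl_privatekey` (the vault-issued paths from profiles::cobbler::params) is never picked up until something else restarts httpd, and the service keeps serving the old leaf until it expires. profiles::edgecache::nginx in the same commit handles this with `'subscribe' => [File[$ssl_cert], File[$ssl_key]]`; if those files are managed as resources by profiles::pki::vault, add `subscribe => [File[$httpd_ssl_certificate], File[$httpd_ssl_privatekey]],` to the ssl.conf resource or to `Service['httpd']`. `settings.yaml` also embeds `$default_password_crypted`, so the `0640 root:apache` mode is right but deserves a why-comment: `# 0640: settings.yaml carries default_password_crypted; group read is presumably for the web UI, nothing else should read it`.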
|
||||
@@ -0,0 +1,17 @@
|
||||
# profiles::cobbler::init
|
||||
class profiles::cobbler::init (
|
||||
) {
|
||||
# wait for enc_role to be populated, needed for hieradata to match
|
||||
if $facts['enc_role'] == 'roles::infra::cobbler::server' {
|
||||
include profiles::cobbler::config
|
||||
include profiles::cobbler::install
|
||||
include profiles::cobbler::ipxebins
|
||||
include profiles::cobbler::selinux
|
||||
include profiles::cobbler::service
|
||||
|
||||
Class['profiles::cobbler::install']
|
||||
-> Class['profiles::cobbler::config']
|
||||
-> Class['profiles::cobbler::ipxebins']
|
||||
-> Class['profiles::cobbler::selinux']
|
||||
}
|
||||
}
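Review bot: The ordering chain leaves profiles::cobbler::service out, which only works because `Service['cobblerd']` and `Service['httpd']` carry their own `require`s on the settings and ssl.conf files and profiles::cobbler::install targets them with `before => Service[...]`; that implicit contract should be written down, e.g. `# service is deliberately outside the chain: its resources require the config files and install points before => at them`. The gate on `$facts['enc_role']` is an agent-reported value; if it is populated from the ENC that is fine, but the comment `wait for enc_role to be populated` should say where the fact comes from so a reader can judge whether a node could opt itself into the cobbler role.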
|
||||
@@ -0,0 +1,34 @@
|
||||
# profiles::cobbler::install
|
||||
class profiles::cobbler::install {
|
||||
|
||||
include profiles::cobbler::params
|
||||
|
||||
$packages = $profiles::cobbler::params::packages
|
||||
|
||||
ensure_packages($packages, { ensure => 'present' })
|
||||
|
||||
# move the /var/www/cobbler directory to /data/cobbler
|
||||
if ! $facts['cobbler_var_www_islink'] and ! $facts['cobbler_data_exists'] {
|
||||
exec {'move_cobbler_data':
|
||||
command => 'mv /var/www/cobbler /data/cobbler',
|
||||
onlyif => 'test -d /var/www/cobbler',
|
||||
path => ['/bin', '/usr/bin'],
|
||||
before => Service['cobblerd'],
|
||||
}
|
||||
file { '/var/www/cobbler':
|
||||
ensure => 'link',
|
||||
target => '/data/cobbler',
|
||||
require => Exec['move_cobbler_data'],
|
||||
before => Service['httpd'],
|
||||
notify => Service['httpd'],
|
||||
}
|
||||
}
|
||||
if ! $facts['cobbler_var_www_exists'] and $facts['cobbler_data_exists'] {
|
||||
file { '/var/www/cobbler':
|
||||
ensure => 'link',
|
||||
target => '/data/cobbler',
|
||||
before => Service['httpd'],
|
||||
notify => Service['httpd'],
|
||||
}
|
||||
}
|
||||
}
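Review bot: `Exec['move_cobbler_data']` has no `creates` guard, and `onlyif => 'test -d /var/www/cobbler'` is also true once `/var/www/cobbler` is the symlink, so the only thing preventing a second `mv` (which would move the tree into `/data/cobbler/cobbler`) is the pair of custom facts in the `if`, which reflect state at fact-collection time. Add `creates => '/data/cobbler',` and tighten the check to `onlyif => 'test -d /var/www/cobbler -a ! -L /var/www/cobbler',`. Nothing here ensures `/data` exists before the move; unless another profile creates it, a `file { '/data': ensure => directory }` with `before => Exec['move_cobbler_data']` is needed. The symlink out of `/var/www` also depends on the `cobbler_var_lib_t` label that profiles::cobbler::selinux applies to `/data/cobbler`; a comment pointing there would explain why the two classes are chained.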
|
||||
@@ -1,6 +1,8 @@
|
||||
# profiles::cobbler::ipxebins
|
||||
class profiles::cobbler::ipxebins {
|
||||
|
||||
include profiles::cobbler::params
|
||||
|
||||
# download the custom undionly.kpxe file
|
||||
# https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1
|
||||
exec { 'download_undionly_kpxe':
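Review bot: The `download_undionly_kpxe` exec fetches a network boot loader from a personal GitHub gist, a binary that every PXE-booted machine presumably executes before any OS-level control exists, so its integrity matters more than almost anything else in this module. The exec body continues outside the hunk; if it is a plain curl/wget with no pinned digest, add a verification step (for instance `sha256sum -c` against a digest held in params) or, better, vendor the file into the module's `files/` directory and manage it with a `file` resource whose `source` is `puppet:///modules/profiles/...` so the puppet server, not a third-party host, is the source of truth. Either way record the expected digest and gist revision next to the URL: `# pinned: gist revision <sha>, sha256 <digest> — re-verify before bumping`.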
|
||||
|
||||
@@ -0,0 +1,25 @@
|
||||
# profiles::cobbler::params
|
||||
class profiles::cobbler::params (
|
||||
Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
|
||||
Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
|
||||
Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
|
||||
Stdlib::Fqdn $service_cname = $facts['networking']['fqdn'],
|
||||
String $default_password_crypted = 'changeme',
|
||||
String $server = $::facts['networking']['ip'],
|
||||
String $next_server = $::facts['networking']['ip'],
|
||||
Boolean $pxe_just_once = true,
|
||||
Boolean $is_cobbler_master = false,
|
||||
Array $packages = [
|
||||
'cobbler',
|
||||
'cobbler3.2-web',
|
||||
'httpd',
|
||||
'syslinux',
|
||||
'dnf-plugins-core',
|
||||
'debmirror',
|
||||
'pykickstart',
|
||||
'fence-agents',
|
||||
'selinux-policy-devel',
|
||||
'ipxe-bootimgs',
|
||||
]
|
||||
){
|
||||
}
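Review bot: `String $default_password_crypted = 'changeme'` is a regression from the removed profiles::cobbler::server, where the parameter was mandatory with no default; this value is rendered into `/etc/cobbler/settings.yaml` and, if hiera does not override it, becomes the default password for every system cobbler provisions, and `changeme` is not even a crypt(3) hash. Drop the default so compilation fails loudly when hiera is missing it, and keep it out of catalogs and reports: `Sensitive[String[1]] $default_password_crypted,` (unwrap in the template, or wrap the rendered `content` in `Sensitive`, if the file resource is to stay redacted). A one-line comment on `$is_cobbler_master` saying that only the master exports the `$service_cname` CNAME would also help readers of profiles::cobbler::config.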
|
||||
@@ -0,0 +1,48 @@
|
||||
# profiles::cobbler::selinux
|
||||
class profiles::cobbler::selinux inherits profiles::cobbler::params {
|
||||
|
||||
include profiles::cobbler::params
|
||||
|
||||
$tftpboot_path = $profiles::cobbler::params::tftpboot_path
|
||||
|
||||
# manage selinux requirements for cobbler
|
||||
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
|
||||
|
||||
$enable_sebooleans = [
|
||||
'httpd_can_network_connect_cobbler',
|
||||
'httpd_serve_cobbler_files',
|
||||
'cobbler_can_network_connect'
|
||||
]
|
||||
|
||||
$enable_sebooleans.each |$bool| {
|
||||
selboolean { $bool:
|
||||
value => on,
|
||||
persistent => true,
|
||||
}
|
||||
}
|
||||
|
||||
selinux::fcontext { $tftpboot_path:
|
||||
ensure => 'present',
|
||||
seltype => 'cobbler_var_lib_t',
|
||||
pathspec => "${tftpboot_path}(/.*)?",
|
||||
}
|
||||
selinux::fcontext { '/data/cobbler':
|
||||
ensure => 'present',
|
||||
seltype => 'cobbler_var_lib_t',
|
||||
pathspec => '/data/cobbler(/.*)?',
|
||||
}
|
||||
|
||||
exec { "restorecon_${tftpboot_path}":
|
||||
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
|
||||
command => "restorecon -Rv ${tftpboot_path}",
|
||||
refreshonly => true,
|
||||
subscribe => Selinux::Fcontext[$tftpboot_path],
|
||||
}
|
||||
exec { 'restorecon_/data/cobbler':
|
||||
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
|
||||
command => 'restorecon -Rv /data/cobbler',
|
||||
refreshonly => true,
|
||||
subscribe => Selinux::Fcontext['/data/cobbler'],
|
||||
}
|
||||
}
|
||||
}
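Review bot: `class profiles::cobbler::selinux inherits profiles::cobbler::params` and the `include profiles::cobbler::params` on the next line do the same job twice; profiles::cobbler::config and profiles::cobbler::install in this commit use `include` plus explicit `$profiles::cobbler::params::...` reads, so drop the `inherits` here to match them, `class profiles::cobbler::selinux {`. The gate on `config_mode == 'enforcing'` reads the configured mode, not the running one (`$facts['os']['selinux']['current_mode']`); a host booted permissive with config enforcing is still labelled, the reverse is not, which deserves a one-line comment. The `cobbler_var_lib_t` label on `/data/cobbler` is what allows the symlinked `/var/www/cobbler` from profiles::cobbler::install to be served; say so above that fcontext.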
|
||||
@@ -1,119 +0,0 @@
|
||||
# profiles::cobbler::server
|
||||
class profiles::cobbler::server (
|
||||
Stdlib::Fqdn $service_cname,
|
||||
String $default_password_crypted,
|
||||
Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
|
||||
Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
|
||||
Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
|
||||
String $server = $::facts['networking']['ip'],
|
||||
String $next_server = $::facts['networking']['ip'],
|
||||
Boolean $pxe_just_once = true,
|
||||
) {
|
||||
|
||||
include profiles::cobbler::ipxebins
|
||||
|
||||
# manage the cobbler settings file
|
||||
file { '/etc/cobbler/settings.yaml':
|
||||
ensure => 'file',
|
||||
content => template('profiles/cobbler/settings.yaml.erb'),
|
||||
group => 'apache',
|
||||
owner => 'root',
|
||||
mode => '0640',
|
||||
require => Package['cobbler'],
|
||||
notify => Service['cobblerd'],
|
||||
}
|
||||
|
||||
# fix permissions in /var/lib/cobbler/web.ss
|
||||
file {'/var/lib/cobbler/web.ss':
|
||||
ensure => 'file',
|
||||
group => 'root',
|
||||
owner => 'apache',
|
||||
mode => '0660',
|
||||
require => Package['cobbler'],
|
||||
notify => Service['cobblerd'],
|
||||
}
|
||||
|
||||
# manage the debmirror config to meet cobbler requirements
|
||||
file { '/etc/debmirror.conf':
|
||||
ensure => 'file',
|
||||
content => template('profiles/cobbler/debmirror.conf.erb'),
|
||||
group => 'root',
|
||||
owner => 'root',
|
||||
mode => '0644',
|
||||
require => Package['debmirror'],
|
||||
}
|
||||
|
||||
# manage the httpd ssl configuration
|
||||
file { '/etc/httpd/conf.d/ssl.conf':
|
||||
ensure => 'file',
|
||||
content => template('profiles/cobbler/httpd_ssl.conf.erb'),
|
||||
group => 'root',
|
||||
owner => 'root',
|
||||
mode => '0644',
|
||||
require => Package['httpd'],
|
||||
notify => Service['httpd'],
|
||||
}
|
||||
|
||||
# manage the main ipxe menu script
|
||||
file { '/var/lib/tftpboot/main.ipxe':
|
||||
ensure => 'file',
|
||||
content => template('profiles/cobbler/main.ipxe.erb'),
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
require => Package['cobbler'],
|
||||
}
|
||||
|
||||
# ensure cobblerd is running
|
||||
service {'cobblerd':
|
||||
ensure => 'running',
|
||||
enable => true,
|
||||
require => File['/etc/cobbler/settings.yaml'],
|
||||
}
|
||||
|
||||
# ensure httpd is running
|
||||
service {'httpd':
|
||||
ensure => 'running',
|
||||
enable => true,
|
||||
require => File['/etc/httpd/conf.d/ssl.conf'],
|
||||
}
|
||||
|
||||
# export cnames for cobbler
|
||||
profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
|
||||
value => $::facts['networking']['hostname'],
|
||||
type => 'CNAME',
|
||||
record => "${service_cname}.",
|
||||
zone => $::facts['networking']['domain'],
|
||||
order => 10,
|
||||
}
|
||||
|
||||
# manage selinux requirements for cobbler
|
||||
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
|
||||
|
||||
$enable_sebooleans = [
|
||||
'httpd_can_network_connect_cobbler',
|
||||
'httpd_serve_cobbler_files',
|
||||
'cobbler_can_network_connect'
|
||||
]
|
||||
|
||||
$enable_sebooleans.each |$bool| {
|
||||
selboolean { $bool:
|
||||
value => on,
|
||||
persistent => true,
|
||||
}
|
||||
}
|
||||
|
||||
selinux::fcontext { $tftpboot_path:
|
||||
ensure => 'present',
|
||||
seltype => 'cobbler_var_lib_t',
|
||||
pathspec => "${tftpboot_path}(/.*)?",
|
||||
}
|
||||
|
||||
exec { "restorecon_${tftpboot_path}":
|
||||
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
|
||||
command => "restorecon -Rv ${tftpboot_path}",
|
||||
refreshonly => true,
|
||||
subscribe => Selinux::Fcontext[$tftpboot_path],
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
# profiles::cobbler::service
|
||||
class profiles::cobbler::service inherits profiles::cobbler::params {
|
||||
|
||||
# ensure cobblerd is running
|
||||
service {'cobblerd':
|
||||
ensure => 'running',
|
||||
enable => true,
|
||||
require => File['/etc/cobbler/settings.yaml'],
|
||||
}
|
||||
|
||||
# ensure httpd is running
|
||||
service {'httpd':
|
||||
ensure => 'running',
|
||||
enable => true,
|
||||
require => File['/etc/httpd/conf.d/ssl.conf'],
|
||||
}
|
||||
}
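Review bot: `inherits profiles::cobbler::params` is unused here, no `$profiles::cobbler::params::...` variable is read, and config/install in the same commit use plain `include`, so `class profiles::cobbler::service {` keeps the file consistent. The two services restart only on changes to the managed config files; renewal of the vault certificate under `/etc/pki/tls/vault/` referenced by the ssl.conf template is not covered, so if those files are managed resources a `subscribe => File['/etc/pki/tls/vault/certificate.crt']` on `Service['httpd']` would close that gap.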
|
||||
@@ -0,0 +1,14 @@
|
||||
# profile::consul::prepared_query
|
||||
class profiles::consul::prepared_query (
|
||||
String $root_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
|
||||
Hash $rules = {},
|
||||
) {
|
||||
|
||||
$rules.each | $rule, $data | {
|
||||
consul_prepared_query { $rule:
|
||||
acl_api_token => $root_api_token,
|
||||
hostname => $facts['networking']['ip'],
|
||||
* => $data,
|
||||
}
|
||||
}
|
||||
}
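Review bot: `$root_api_token` defaults to the Consul initial-management (bootstrap) token and is typed as a plain `String`, so the most powerful credential in the cluster is used for a routine prepared-query write and is stored in clear in every compiled catalog and report. Type it `Sensitive[String[1]]` and default it to a dedicated token carrying only a `query` write policy from those created by profiles::consul::tokens (unwrap at the call site if `consul_prepared_query` cannot take a `Sensitive`). `hostname => $facts['networking']['ip']` sends the token to the agent API by IP; if that listener is plain HTTP rather than the TLS port, the token crosses the wire in clear, which is worth a comment either way. The header comment reads `profile::consul::prepared_query`; the class is `profiles::...`.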
|
||||
@@ -43,6 +43,8 @@ class profiles::consul::server (
|
||||
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
||||
Boolean $disable_remote_exec = true,
|
||||
Boolean $disable_update_check = true,
|
||||
Boolean $join_remote_regions = false,
|
||||
Array[String] $remote_regions = [],
|
||||
) {
|
||||
|
||||
# wait for all attributes to be ready
|
||||
@@ -62,6 +64,21 @@ class profiles::consul::server (
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
if $join_remote_regions {
|
||||
# get all nodes in the members_role for each other region
|
||||
$region_to_servers = $remote_regions.reduce({}) |$memo, $region| {
|
||||
$servers = sort(query_nodes("enc_role='${members_role}' and region='${region}'", 'networking.fqdn'))
|
||||
$memo + { $region => $servers }
|
||||
}
|
||||
|
||||
# sort and flatten the regions into a single array of fqdns
|
||||
$remote_servers_array = sort(flatten($region_to_servers.values))
|
||||
|
||||
} else {
|
||||
# else just send an empty array
|
||||
$remote_servers_array = []
|
||||
}
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $consul_servers
|
||||
@@ -97,7 +114,8 @@ class profiles::consul::server (
|
||||
'performance' => { 'raft_multiplier' => $raft_multiplier },
|
||||
'bind_addr' => $::facts['networking']['ip'],
|
||||
'advertise_addr' => $::facts['networking']['ip'],
|
||||
'retry_join' => $servers_array
|
||||
'retry_join' => $servers_array,
|
||||
'retry_join_wan' => $remote_servers_array,
|
||||
},
|
||||
}
|
||||
}
|
||||
@@ -109,6 +127,7 @@ class profiles::consul::server (
|
||||
include profiles::nginx::simpleproxy
|
||||
include profiles::consul::policies
|
||||
include profiles::consul::tokens
|
||||
include profiles::consul::prepared_query
|
||||
|
||||
# get the dns port from the $ports hash, otherwise use the default
|
||||
$dns_port = pick($ports['dns'], 8600)
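Review bot: `$remote_servers_array` is assigned only inside the PuppetDB branch of the `if`; the `}else{ $servers_array = $consul_servers` branch that follows shows no assignment and the hunk ends there, yet `'retry_join_wan' => $remote_servers_array` reads it unconditionally. If nothing past the hunk sets it, the static-list configuration gets `undef` (or a strict_variables failure) for `retry_join_wan`; add `$remote_servers_array = []` to the else branch, or hoist the WAN computation out of the `if` so both paths define it. WAN federation also widens the trust boundary: `retry_join_wan` peers must share the gossip key and TLS settings across regions, so a comment on `$join_remote_regions` stating that prerequisite would help whoever flips it on.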
|
||||
|
||||
@@ -8,7 +8,9 @@ class profiles::defaults {
|
||||
}
|
||||
|
||||
Package {
|
||||
ensure => present,
|
||||
ensure => present,
|
||||
require => Class['profiles::base::repos']
|
||||
|
||||
}
|
||||
|
||||
File {
|
||||
@@ -29,6 +31,11 @@ class profiles::defaults {
|
||||
}
|
||||
|
||||
Yumrepo {
|
||||
require => Class['profiles::pki::vaultca'],
|
||||
ensure => 'present',
|
||||
enabled => 1,
|
||||
gpgcheck => 1,
|
||||
mirrorlist => 'absent',
|
||||
require => Class['profiles::pki::vaultca'],
|
||||
notify => Exec['dnf_makecache'],
|
||||
}
|
||||
}
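Review bot: The new `Package { require => Class['profiles::base::repos'] }` default applies to every package declared in its dynamic scope, including any declared inside profiles::base::repos or the classes it contains (dnf-plugins-core, a repo helper), which would then require the class that contains them and form a dependency cycle; resource defaults are also dynamically scoped, so whether they reach classes declared outside profiles::defaults depends on where this class is declared. Prefer the explicit chain profiles::base already carries (`Class['profiles::pki::vaultca'] -> Class['profiles::base::repos'] -> Class['profiles::packages']`) and comment the default with its reach: `# dynamically scoped: only affects packages declared below this class in the declaration tree`. The Yumrepo defaults are the right baseline; `gpgcheck => 1` plus `require => Class['profiles::pki::vaultca']` (so HTTPS mirrors behind the vault CA are reachable) deserve a one-line why-comment.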
|
||||
|
||||
@@ -13,25 +13,27 @@ class profiles::dhcp::server (
|
||||
Hash $classes = {},
|
||||
){
|
||||
|
||||
class { 'dhcp':
|
||||
service_ensure => running,
|
||||
interfaces => $interfaces,
|
||||
ntpservers => $ntpservers,
|
||||
default_lease_time => $default_lease_time,
|
||||
globaloptions => $globaloptions
|
||||
}
|
||||
|
||||
# if pools, import them
|
||||
$pools.each | $name, $data | {
|
||||
dhcp::pool { $name:
|
||||
* => $data,
|
||||
if $facts['enc_role'] == 'roles::infra::dhcp::server' {
|
||||
class { 'dhcp':
|
||||
service_ensure => running,
|
||||
interfaces => $interfaces,
|
||||
ntpservers => $ntpservers,
|
||||
default_lease_time => $default_lease_time,
|
||||
globaloptions => $globaloptions
|
||||
}
|
||||
}
|
||||
|
||||
# if classes, import them
|
||||
$classes.each | $name, $data | {
|
||||
dhcp::dhcp_class { $name:
|
||||
* => $data,
|
||||
# if pools, import them
|
||||
$pools.each | $name, $data | {
|
||||
dhcp::pool { $name:
|
||||
* => $data,
|
||||
}
|
||||
}
|
||||
|
||||
# if classes, import them
|
||||
$classes.each | $name, $data | {
|
||||
dhcp::dhcp_class { $name:
|
||||
* => $data,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
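Review bot: When `$facts['enc_role']` is not `roles::infra::dhcp::server` the class now silently manages nothing, including the `$pools` and `$classes` it was handed, which hides a mis-set role or a stale fact; profiles::sql::galera_member in this commit emits a `notice(...)` in the analogous fall-through, so do the same here: `} else { notice("${title}: enc_role is '${facts['enc_role']}', dhcp server not managed") }`. The same literal role gate is repeated in profiles::cobbler::init and profiles::edgecache::init; a comment here stating that `enc_role` is populated by the ENC (and so is not something the node can set for itself) would let a reader trust the pattern, if that is indeed its source.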
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
# profiles::edgecache::init
|
||||
class profiles::edgecache::init {
|
||||
|
||||
if $facts['enc_role'] == 'roles::infra::storage::edgecache' {
|
||||
|
||||
include profiles::edgecache::nginx
|
||||
include profiles::edgecache::selinux
|
||||
|
||||
Class['profiles::edgecache::nginx']
|
||||
-> Class['profiles::edgecache::selinux']
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,129 @@
|
||||
# profiles::edgecache::nginx
|
||||
class profiles::edgecache::nginx {
|
||||
|
||||
include profiles::edgecache::params
|
||||
|
||||
$data_root = $profiles::edgecache::params::data_root
|
||||
$nginx_vhost = $profiles::edgecache::params::nginx_vhost
|
||||
$nginx_aliases = $profiles::edgecache::params::nginx_aliases
|
||||
$nginx_port = $profiles::edgecache::params::nginx_port
|
||||
$nginx_ssl_port = $profiles::edgecache::params::nginx_ssl_port
|
||||
$nginx_listen_mode = $profiles::edgecache::params::nginx_listen_mode
|
||||
$nginx_cert_type = $profiles::edgecache::params::nginx_cert_type
|
||||
$nginx_resolvers_enable = $profiles::edgecache::params::nginx_resolvers_enable
|
||||
$nginx_resolvers_ipv4only = $profiles::edgecache::params::nginx_resolvers_ipv4only
|
||||
|
||||
# select the certificates to use based on cert type
|
||||
case $nginx_cert_type {
|
||||
'puppet': {
|
||||
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
|
||||
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
|
||||
}
|
||||
'vault': {
|
||||
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
|
||||
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
|
||||
}
|
||||
default: {
|
||||
# enum param prevents this ever being reached
|
||||
}
|
||||
}
|
||||
|
||||
# set variables based on the listen_mode
|
||||
case $nginx_listen_mode {
|
||||
'http': {
|
||||
$enable_ssl = false
|
||||
$ssl_cert = undef
|
||||
$ssl_key = undef
|
||||
$listen_port = $nginx_port
|
||||
$listen_ssl_port = undef
|
||||
$extras_hash = {}
|
||||
}
|
||||
'https': {
|
||||
$enable_ssl = true
|
||||
$ssl_cert = $selected_ssl_cert
|
||||
$ssl_key = $selected_ssl_key
|
||||
$listen_port = $nginx_ssl_port
|
||||
$listen_ssl_port = $nginx_ssl_port
|
||||
$extras_hash = {
|
||||
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
||||
}
|
||||
}
|
||||
'both': {
|
||||
$enable_ssl = true
|
||||
$ssl_cert = $selected_ssl_cert
|
||||
$ssl_key = $selected_ssl_key
|
||||
$listen_port = $nginx_port
|
||||
$listen_ssl_port = $nginx_ssl_port
|
||||
$extras_hash = {
|
||||
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
||||
}
|
||||
}
|
||||
default: {
|
||||
# enum param prevents this ever being reached
|
||||
}
|
||||
}
|
||||
|
||||
if $nginx_resolvers_ipv4only and $nginx_resolvers_enable {
|
||||
$resolvers = $facts['nameservers'].join(' ')
|
||||
file { '/etc/nginx/conf.d/resolvers.conf':
|
||||
ensure => file,
|
||||
content => "resolver ${resolvers} ipv4=on;\n",
|
||||
}
|
||||
}
|
||||
|
||||
# set the server_names
|
||||
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
|
||||
|
||||
# define the default parameters for the nginx server
|
||||
$defaults = {
|
||||
'listen_port' => $listen_port,
|
||||
'server_name' => $server_names,
|
||||
'use_default_location' => true,
|
||||
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
|
||||
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
|
||||
'www_root' => "${data_root}/pub",
|
||||
'autoindex' => 'on',
|
||||
'ssl' => $enable_ssl,
|
||||
'ssl_cert' => $ssl_cert,
|
||||
'ssl_key' => $ssl_key,
|
||||
'ssl_port' => $listen_ssl_port,
|
||||
}
|
||||
|
||||
# ensure the requires directories exist
|
||||
$profiles::edgecache::params::directories.each |$name,$data| {
|
||||
file { $name:
|
||||
ensure => 'directory',
|
||||
before => Class['nginx'],
|
||||
mode => '0775',
|
||||
* => $data,
|
||||
}
|
||||
}
|
||||
|
||||
# merge the hashes conditionally
|
||||
$nginx_parameters = merge($defaults, $extras_hash)
|
||||
|
||||
# manage the nginx class
|
||||
class { 'nginx':
|
||||
proxy_cache_path => {
|
||||
"${data_root}/cache" => 'cache:128m',
|
||||
},
|
||||
proxy_cache_levels => '1:2',
|
||||
proxy_cache_keys_zone => 'cache:128m',
|
||||
proxy_cache_max_size => '30000m',
|
||||
proxy_cache_inactive => '60d',
|
||||
proxy_temp_path => "${data_root}/cache_tmp",
|
||||
}
|
||||
|
||||
# create the nginx vhost with the merged parameters
|
||||
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
|
||||
|
||||
# create location mirrors
|
||||
$profiles::edgecache::params::mirrors.each |$name, $data| {
|
||||
nginx::resource::location { "${nginx_vhost}_${name}":
|
||||
server => $nginx_vhost,
|
||||
ssl => true,
|
||||
ssl_only => false,
|
||||
* => $data,
|
||||
}
|
||||
}
|
||||
}
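Review bot: The resolver file is written only when both `$nginx_resolvers_ipv4only` and `$nginx_resolvers_enable` are true, so enabling resolvers without the ipv4-only flag produces no `resolvers.conf` at all, and the flag it does emit, `ipv4=on`, is nginx's default and does not suppress AAAA lookups; the switch for an IPv4-only resolver is `ipv6=off`. Rewrite the block so `enable` alone controls the file and `ipv4only` only adds the flag. Two smaller points: `'autoindex' => 'on'` exposes directory listings of `${data_root}/pub` to anyone who can reach the vhost, usually intended for a mirror but worth a comment, and `mode => '0775'` makes the served directories group-writable, so name the group that is expected to write there.
```puppet
  # one resolver file whenever resolvers are enabled; ipv6=off is what makes it IPv4-only
  if $nginx_resolvers_enable {
    $resolvers = $facts['nameservers'].join(' ')
    $resolver_flags = $nginx_resolvers_ipv4only ? {
      true    => ' ipv6=off',
      default => '',
    }
    file { '/etc/nginx/conf.d/resolvers.conf':
      ensure  => file,
      content => "resolver ${resolvers}${resolver_flags};\n",
    }
  }
  # … unchanged: server_names, defaults hash, directories, nginx class, vhost, mirrors …
```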
|
||||
@@ -0,0 +1,15 @@
|
||||
# profiles::edgecache::params
|
||||
class profiles::edgecache::params (
|
||||
Stdlib::Absolutepath $data_root = '/data/edgecache',
|
||||
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
|
||||
Array[Stdlib::Host] $nginx_aliases = [],
|
||||
Stdlib::Port $nginx_port = 80,
|
||||
Stdlib::Port $nginx_ssl_port = 443,
|
||||
Enum['http','https','both'] $nginx_listen_mode = 'http',
|
||||
Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
|
||||
Boolean $nginx_resolvers_enable = false,
|
||||
Boolean $nginx_resolvers_ipv4only = false,
|
||||
Hash $directories = {},
|
||||
Hash $mirrors = {},
|
||||
){
|
||||
}
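Review bot: `Hash $directories` and `Hash $mirrors` are splatted straight into `file` and `nginx::resource::location` resources by profiles::edgecache::nginx, so a stricter type catches bad hiera at compile time instead of at the resource: `Hash[Stdlib::Absolutepath, Hash] $directories = {},` and `Hash[String[1], Hash] $mirrors = {},`. A short comment on `$nginx_listen_mode` that `'http'` is the plaintext default and that `'https'`/`'both'` require the certificate selected by `$nginx_cert_type` to exist on the host would also help whoever sets these in hiera.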
|
||||
@@ -0,0 +1,56 @@
|
||||
# profiles::edgecache::selinux
|
||||
class profiles::edgecache::selinux {
|
||||
|
||||
include profiles::edgecache::params
|
||||
|
||||
$data_root = $profiles::edgecache::params::data_root
|
||||
|
||||
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
|
||||
|
||||
# set httpd_sys_content_t to all files under the www_root
|
||||
selinux::fcontext { "${data_root}/pub":
|
||||
ensure => 'present',
|
||||
seltype => 'httpd_sys_content_t',
|
||||
pathspec => "${data_root}/pub(/.*)?",
|
||||
}
|
||||
|
||||
# set httpd_sys_rw_content_t to all files under the cache_root
|
||||
selinux::fcontext { "${data_root}/cache":
|
||||
ensure => 'present',
|
||||
seltype => 'httpd_sys_rw_content_t',
|
||||
pathspec => "${data_root}/cache(/.*)?",
|
||||
}
|
||||
selinux::fcontext { "${data_root}/cache_tmp":
|
||||
ensure => 'present',
|
||||
seltype => 'httpd_sys_rw_content_t',
|
||||
pathspec => "${data_root}/cache_tmp(/.*)?",
|
||||
}
|
||||
|
||||
# make sure we can connect to other hosts
|
||||
selboolean { 'httpd_can_network_connect':
|
||||
persistent => true,
|
||||
value => 'on',
|
||||
}
|
||||
|
||||
exec { "restorecon_${data_root}/pub":
|
||||
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
|
||||
command => "restorecon -Rv ${data_root}/pub",
|
||||
refreshonly => true,
|
||||
subscribe => Selinux::Fcontext["${data_root}/pub"],
|
||||
}
|
||||
|
||||
exec { "restorecon_${data_root}/cache":
|
||||
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
|
||||
command => "restorecon -Rv ${data_root}/cache",
|
||||
refreshonly => true,
|
||||
subscribe => Selinux::Fcontext["${data_root}/cache"],
|
||||
}
|
||||
|
||||
exec { "restorecon_${data_root}/cache_tmp":
|
||||
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
|
||||
command => "restorecon -Rv ${data_root}/cache_tmp",
|
||||
refreshonly => true,
|
||||
subscribe => Selinux::Fcontext["${data_root}/cache_tmp"],
|
||||
}
|
||||
}
|
||||
}
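Review bot: `httpd_can_network_connect` grants the httpd domain outbound TCP to any port, which is broader than an nginx cache proxying to upstream mirrors needs; `httpd_can_network_relay` is the boolean intended for proxying and covers the http/https/ftp ports, so prefer it unless a mirror listens on a non-standard port, e.g. `selboolean { 'httpd_can_network_relay': persistent => true, value => 'on', }`. Whichever is kept, record why: `# nginx proxies to the upstream mirrors in params::mirrors; relay is enough for http(s) ports`. As in profiles::cobbler::selinux, the `config_mode == 'enforcing'` gate ignores the running mode; a one-line note saying that is deliberate would stop someone "fixing" it.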
|
||||
@@ -0,0 +1,19 @@
|
||||
# profiles::firstrun::complete
|
||||
class profiles::firstrun::complete {
|
||||
|
||||
file { '/root/.cache':
|
||||
ensure => 'directory',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0750',
|
||||
}
|
||||
|
||||
file {'/root/.cache/puppet_firstrun_complete':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0750',
|
||||
content => 'firstrun completed',
|
||||
require => File['/root/.cache'],
|
||||
}
|
||||
}
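Review bot: `mode => '0750'` on `/root/.cache/puppet_firstrun_complete` sets the execute bit on a plain marker file; `mode => '0640',` is enough for a file nothing runs. If the `firstrun` fact that profiles::base branches on is derived from this marker, say so in a comment, because the marker then decides whether a node receives the full baseline on its next run: `# presence of this file is presumably what clears the firstrun fact — TODO confirm the fact reads this path`.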
|
||||
@@ -0,0 +1,20 @@
|
||||
# profiles::firstrun::init
|
||||
class profiles::firstrun::init {
|
||||
|
||||
# include the required CA certificates
|
||||
include profiles::pki::vaultca
|
||||
|
||||
# fast install packages on the first run
|
||||
include profiles::base::repos
|
||||
include profiles::firstrun::packages
|
||||
|
||||
# mark the firstrun as done
|
||||
include profiles::firstrun::complete
|
||||
|
||||
|
||||
Class['profiles::defaults']
|
||||
-> Class['profiles::pki::vaultca']
|
||||
-> Class['profiles::base::repos']
|
||||
-> Class['profiles::firstrun::packages']
|
||||
-> Class['profiles::firstrun::complete']
|
||||
}
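Review bot: The chain starts at `Class['profiles::defaults']`, but nothing in this class includes it; if profiles::defaults is not declared earlier (site.pp or the role), catalog compilation fails on an unknown resource reference, so either `include profiles::defaults` here or comment that the node definition declares it. The bootstrap run installs packages through a raw `exec` in profiles::firstrun::packages rather than `profiles::packages`, which `# fast install packages on the first run` hints at; add that the regular `profiles::packages` run on the next apply reconciles versions, if that is the intent.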
|
||||
@@ -0,0 +1,27 @@
|
||||
# profiles::firstrun::packages
|
||||
class profiles::firstrun::packages {
|
||||
# include the correct package repositories, define the install_packages exec
|
||||
case $facts['os']['family'] {
|
||||
'RedHat': {
|
||||
include profiles::yum::global
|
||||
$install_command = 'dnf install -y'
|
||||
}
|
||||
'Debian': {
|
||||
include profiles::apt::global
|
||||
$install_command = 'apt-get install -y'
|
||||
}
|
||||
default: {
|
||||
fail("Unsupported OS family ${facts['os']['family']}")
|
||||
}
|
||||
}
|
||||
|
||||
# get all the packages to install, and convert into a space separated list
|
||||
$packages = hiera_array('profiles::packages::install', [])
|
||||
$package_list = $packages.join(' ')
|
||||
|
||||
# install all the packages
|
||||
exec { 'install_packages':
|
||||
command => "${install_command} ${package_list}",
|
||||
path => ['/bin', '/usr/bin'],
|
||||
}
|
||||
}
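Review bot: `exec { 'install_packages' }` builds its command from a list that may be empty (the lookup default is `[]`), and `dnf install -y` / `apt-get install -y` with no package arguments exit non-zero, failing the bootstrap run on any node with no packages in hiera; declare the exec only when the list is non-empty. It also uses `hiera_array`, which is deprecated, while profiles::base uses `lookup(..., 'unique')` for the same merge, so switch to `lookup('profiles::packages::install', Array[String], 'unique', [])`. The exec has no `unless`, so it re-runs on every bootstrap apply, and the Debian branch may block on prompts without `environment => ['DEBIAN_FRONTEND=noninteractive']`. Package names are interpolated into one command string; they come from hiera, so this is not an injection path, but a comment saying so saves the next auditor a question.
```puppet
  # get all the packages to install; lookup(..., 'unique') matches how profiles::base merges hiera arrays
  $packages = lookup('profiles::packages::install', Array[String], 'unique', [])

  # dnf/apt-get exit non-zero with an empty package list, so only declare the exec when there is work
  unless empty($packages) {
    $package_list = $packages.join(' ')
    exec { 'install_packages':
      command => "${install_command} ${package_list}",
      path    => ['/bin', '/usr/bin'],
    }
  }
```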
|
||||
@@ -19,7 +19,7 @@ class profiles::puppet::agent (
|
||||
# Ensure the puppet-agent package is installed and locked to a specific version
|
||||
package { 'puppet-agent':
|
||||
ensure => $puppet_version,
|
||||
require => Class['profiles::yum::puppet7'],
|
||||
require => Yumrepo['puppet'],
|
||||
}
|
||||
|
||||
# versionlock puppet-agent
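Review bot: `require => Yumrepo['puppet']` makes the package depend on one yumrepo resource, which is unresolvable on any node that does not declare it; profiles::firstrun::packages in this commit has a `'Debian'` family branch, so if profiles::puppet::agent is ever included on such a host catalog compilation fails. Either keep the requirement on the class that manages the repo, or guard it on the family: `require => $facts['os']['family'] ? { 'RedHat' => Yumrepo['puppet'], default => undef },`. The class and the versionlock that follows continue outside the hunk.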
|
||||
|
||||
@@ -24,4 +24,12 @@ class profiles::puppet::puppetdb_sql (
|
||||
|
||||
contain ::puppetdb::database::postgresql
|
||||
|
||||
# create the postgresql::server::config_entry resources
|
||||
$pg_config_entries = lookup('postgresql_config_entries', Hash[String, Data], 'hash', {})
|
||||
$pg_config_entries.each |String $key, Data $value| {
|
||||
postgresql::server::config_entry { $key:
|
||||
ensure => 'present',
|
||||
value => $value,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -47,7 +47,7 @@ class profiles::sql::galera_member (
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${galera_members_role}'", 'networking.fqdn'))
|
||||
$servers_array = sort(query_nodes("enc_role='${galera_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
@@ -103,7 +103,8 @@ class profiles::sql::galera_member (
|
||||
'binlog_format' => 'ROW',
|
||||
'default-storage-engine' => 'innodb',
|
||||
'query_cache_size' => '0',
|
||||
'query_cache_type' => '0'
|
||||
'query_cache_type' => '0',
|
||||
'bind-address' => $local_ip,
|
||||
}
|
||||
}
|
||||
$default_override_options_galera = {
|
||||
@@ -211,4 +212,5 @@ class profiles::sql::galera_member (
|
||||
}else{
|
||||
notice("${title} requires the servers_array to have 3 or more, currently it is ${length($servers_array)}.")
|
||||
}
|
||||
|
||||
}
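Review bot: `'bind-address' => $local_ip` is the right hardening, but the new PuppetDB query filters members by `region='${facts['region']}'`, and if the `region` fact is unset on the compiling node the query becomes `region=''`, matches nothing, and the class quietly lands in the `notice(...)` path without saying why; fail early instead: `if !$facts['region'] { fail("${title}: region fact is required to discover galera members") }`. profiles::consul::server reads the same fact as `$::facts['region']`; pick one spelling. `$local_ip` is defined outside the hunk, so I could not confirm it is the address the other members reach.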
|
||||
|
||||
@@ -1,92 +0,0 @@
|
||||
# Class: profiles::yum::base
|
||||
#
|
||||
# This class manages the 'base', extras' and 'appstream' yum
|
||||
# repositories for a system, based on the provided list of managed repositories.
|
||||
#
|
||||
# Parameters:
|
||||
# -----------
|
||||
# - $managed_repos: An array containing the names of the repositories to be
|
||||
# managed. This can include 'base', 'extras',
|
||||
# and 'appstream'.
|
||||
#
|
||||
# - $baseurl: The base URL for the yum repositories. This should be the root
|
||||
# URL of your yum mirror server.
|
||||
#
|
||||
# Actions:
|
||||
# --------
|
||||
# - Sets up the 'base', extras', and 'appstream' yum repositories
|
||||
# as specified in the $managed_repos parameter, all using the provided baseurl.
|
||||
#
|
||||
# - Each repo configuration includes the baseurl parameterized with the OS
|
||||
# release version and architecture, and specifies the GPG key.
|
||||
#
|
||||
# Example usage:
|
||||
# --------------
|
||||
# To use this class with the default parameters:
|
||||
# class { 'profiles::yum::base':
|
||||
# managed_repos => ['base', 'extras', 'appstream'],
|
||||
# baseurl => 'http://mylocalmirror.com/yum',
|
||||
# }
|
||||
#
|
||||
class profiles::yum::base (
|
||||
Array[String] $managed_repos,
|
||||
String $baseurl,
|
||||
Enum[
|
||||
'daily',
|
||||
'weekly',
|
||||
'monthly'
|
||||
] $snapshot = 'daily',
|
||||
) {
|
||||
$release = $facts['os']['release']['full']
|
||||
$basearch = $facts['os']['architecture']
|
||||
|
||||
if 'base' in $managed_repos {
|
||||
yumrepo { 'base':
|
||||
name => 'base',
|
||||
descr => 'base repository',
|
||||
target => '/etc/yum.repos.d/base.repo',
|
||||
baseurl => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/",
|
||||
gpgkey => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
|
||||
}
|
||||
}
|
||||
|
||||
if 'extras' in $managed_repos {
|
||||
yumrepo { 'extras':
|
||||
name => 'extras',
|
||||
descr => 'extras repository',
|
||||
target => '/etc/yum.repos.d/extras.repo',
|
||||
baseurl => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/",
|
||||
gpgkey => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
|
||||
}
|
||||
}
|
||||
|
||||
if 'appstream' in $managed_repos {
|
||||
yumrepo { 'appstream':
|
||||
name => 'appstream',
|
||||
descr => 'appstream repository',
|
||||
target => '/etc/yum.repos.d/appstream.repo',
|
||||
baseurl => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/",
|
||||
gpgkey => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
|
||||
}
|
||||
}
|
||||
|
||||
if 'powertools' in $managed_repos {
|
||||
yumrepo { 'powertools':
|
||||
name => 'powertools',
|
||||
descr => 'powertools repository',
|
||||
target => '/etc/yum.repos.d/powertools.repo',
|
||||
baseurl => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/",
|
||||
gpgkey => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
|
||||
}
|
||||
}
|
||||
|
||||
if 'highavailability' in $managed_repos {
|
||||
yumrepo { 'highavailability':
|
||||
name => 'highavailability',
|
||||
descr => 'highavailability repository',
|
||||
target => '/etc/yum.repos.d/highavailability.repo',
|
||||
baseurl => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/",
|
||||
gpgkey => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,48 +0,0 @@
|
||||
# Class: profiles::yum::epel
|
||||
#
|
||||
# This class manages the EPEL yum repository for the system.
|
||||
#
|
||||
# Parameters:
|
||||
# -----------
|
||||
# - $baseurl: The base URL for the EPEL yum repository. This should be the root
|
||||
# URL of your EPEL mirror server.
|
||||
#
|
||||
# Actions:
|
||||
# --------
|
||||
# - Checks the OS release version.
|
||||
#
|
||||
# - If the release version is 7, 8, or 9, it sets up the 'epel' yum repository
|
||||
#
|
||||
# - If the release version is not supported, it raises an error.
|
||||
#
|
||||
# Example usage:
|
||||
# --------------
|
||||
# To use this class with the default parameters:
|
||||
# include profiles::yum::epel
|
||||
#
|
||||
# To specify a custom base URL:
|
||||
# class { 'profiles::yum::epel':
|
||||
# baseurl => 'http://mylocalmirror.com/yum',
|
||||
# }
|
||||
class profiles::yum::epel (
|
||||
Array[String] $managed_repos,
|
||||
String $baseurl,
|
||||
Enum[
|
||||
'daily',
|
||||
'weekly',
|
||||
'monthly'
|
||||
] $snapshot = 'daily',
|
||||
) {
|
||||
$release = $facts['os']['release']['major']
|
||||
$basearch = $facts['os']['architecture']
|
||||
|
||||
if 'epel' in $managed_repos {
|
||||
yumrepo { 'epel':
|
||||
name => 'epel',
|
||||
descr => 'epel repository',
|
||||
target => '/etc/yum.repos.d/epel.repo',
|
||||
baseurl => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/",
|
||||
gpgkey => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/RPM-GPG-KEY-EPEL-${release}",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,48 +1,7 @@
|
||||
# Class: profiles::yum::global
|
||||
#
|
||||
# This class manages global YUM configurations and optionally includes the
|
||||
# base and EPEL yum repository profiles based on the content of the
|
||||
# $managed_repos parameter, which is an array of repository names.
|
||||
#
|
||||
# Parameters:
|
||||
# -----------
|
||||
# - $managed_repos: An array of repository names that the Puppet agent should
|
||||
# manage. This parameter is mandatory and the class will
|
||||
# fail if it is not provided via hieradata.
|
||||
# Example: ['base', 'updates', 'extras', 'appstream']
|
||||
#
|
||||
# Actions:
|
||||
# --------
|
||||
# - Configures global YUM settings, including keeping the kernel development
|
||||
# packages and cleaning old kernels.
|
||||
#
|
||||
# - Establishes default parameters for any YUM repositories managed by Puppet.
|
||||
# This includes the repository file location, the repository description,
|
||||
# and enabling the repository and GPG checks.
|
||||
#
|
||||
# - Depending on the content of the $managed_repos parameter, it includes the
|
||||
# profiles::yum::base and/or profiles::yum::epel classes.
|
||||
#
|
||||
# - Manages all .repo files under /etc/yum.repos.d. All the repositories listed
|
||||
# in $managed_repos will have their corresponding .repo files preserved. Any
|
||||
# .repo file that is not listed in $managed_repos will be removed.
|
||||
#
|
||||
# - Creates and maintains a /etc/yum.repos.d/.managed file that lists all the
|
||||
# .repo files that should be managed by Puppet.
|
||||
#
|
||||
# Example usage:
|
||||
# --------------
|
||||
# To use this class, include the class and configure hieradata:
|
||||
# include profiles::yum::global
|
||||
#
|
||||
# profiles::yum::managed_repos:
|
||||
# - 'base'
|
||||
# - 'extras'
|
||||
# - 'appstream'
|
||||
#
|
||||
class profiles::yum::global (
|
||||
Array[String] $managed_repos,
|
||||
Boolean $purge = true,
|
||||
Hash $repos = {},
|
||||
Boolean $purge = true,
|
||||
){
|
||||
class { 'yum':
|
||||
keep_kernel_devel => true,
|
||||
@@ -52,54 +11,34 @@ class profiles::yum::global (
|
||||
},
|
||||
}
|
||||
|
||||
Yumrepo {
|
||||
ensure => 'present',
|
||||
enabled => 1,
|
||||
gpgcheck => 1,
|
||||
mirrorlist => 'absent',
|
||||
}
|
||||
|
||||
# purge all yum repos not defined by puppet
|
||||
resources { 'yumrepo':
|
||||
purge => $purge,
|
||||
}
|
||||
|
||||
# Generate the content for the .managed file
|
||||
$managed_file_content = $managed_repos.map |$repo_name| { "${repo_name}.repo" }.join("\n")
|
||||
# download all gpg keys if a repo defines it
|
||||
$repos.each |$name, $repo| {
|
||||
if $repo['gpgkey'] {
|
||||
$key_url = $repo['gpgkey']
|
||||
$key_file = "/etc/pki/rpm-gpg/${name}-gpg-key"
|
||||
|
||||
# Create the .managed file
|
||||
file { '/etc/yum.repos.d/.managed':
|
||||
ensure => file,
|
||||
content => $managed_file_content,
|
||||
exec { "download_gpg_key_${name}":
|
||||
command => "curl -s -o ${key_file} ${key_url} && rpm --import ${key_file}",
|
||||
path => ['/bin', 'usr/bin'],
|
||||
creates => $key_file,
|
||||
before => Yumrepo[$name],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Setup base repos
|
||||
class { 'profiles::yum::base':
|
||||
managed_repos => $managed_repos,
|
||||
require => Class['profiles::pki::vaultca'],
|
||||
}
|
||||
# create repos
|
||||
create_resources('yumrepo', $repos)
|
||||
|
||||
# Setup epel if included in managed_repos
|
||||
class { 'profiles::yum::epel':
|
||||
managed_repos => $managed_repos,
|
||||
require => Class['profiles::pki::vaultca'],
|
||||
}
|
||||
|
||||
# Setup puppet7 if included in managed_repos
|
||||
class { 'profiles::yum::puppet7':
|
||||
managed_repos => $managed_repos,
|
||||
require => Class['profiles::pki::vaultca'],
|
||||
}
|
||||
|
||||
# Setup unkin repo if included in managed_repos
|
||||
class { 'profiles::yum::unkin':
|
||||
managed_repos => $managed_repos,
|
||||
require => Class['profiles::pki::vaultca'],
|
||||
}
|
||||
|
||||
# Setup ovirt repo if included in managed_repos
|
||||
class { 'profiles::yum::ovirt':
|
||||
managed_repos => $managed_repos,
|
||||
require => Class['profiles::pki::vaultca'],
|
||||
# makecache if changes made to repos
|
||||
exec {'dnf_makecache':
|
||||
command => 'dnf makecache -q',
|
||||
path => ['/usr/bin', '/bin'],
|
||||
refreshonly => true,
|
||||
}
|
||||
|
||||
# setup dnf-autoupdate
|
||||
|
||||
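Review bot: In the `download_gpg_key_${name}` exec, `path => ['/bin', 'usr/bin']` is missing the leading slash on the second entry, so `curl` and `rpm` resolve through `/bin` only; it should read `path => ['/bin', '/usr/bin'],`. The fetch also runs `curl -s` without `--fail`, so an HTTP error body would be written to `${key_file}`, `rpm --import` would then fail, and because `creates => $key_file` now sees the file the exec is never retried, leaving the repo without a usable key — `command => "curl -sSf -o ${key_file} ${key_url} && rpm --import ${key_file}",` avoids writing the bad file (whether `&&` is honoured depends on the exec provider, so that is worth confirming too). The key is imported from whatever URL hiera supplies with no pinning, and `$key_url` is interpolated unquoted into the command string, so `gpgcheck => 1` is only as strong as the transport of that URL; a comment stating that `gpgkey` entries must be https, or shipping the keys from the module with a `file` resource, would make that contract explicit. `Exec['dnf_makecache']` is `refreshonly` but nothing in this hunk notifies it, so the `# makecache if changes made to repos` comment only holds if the hiera data sets `notify`; `Yumrepo <| |> ~> Exec['dnf_makecache']` would wire it up. The enclosing class continues past the hunk.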
@@ -1,25 +0,0 @@
|
||||
# Class: profiles::yum::mariadb
|
||||
#
|
||||
# This class manages the mariadb yum repository for the system.
|
||||
#
|
||||
class profiles::yum::mariadb (
|
||||
String $baseurl = 'https://repos.main.unkin.net',
|
||||
String $version = '11.2',
|
||||
Enum[
|
||||
'daily',
|
||||
'weekly',
|
||||
'monthly'
|
||||
] $snapshot = 'daily',
|
||||
) {
|
||||
$release = $facts['os']['release']['major']
|
||||
$basearch = $facts['os']['architecture']
|
||||
|
||||
yumrepo { 'mariadb':
|
||||
name => 'mariadb',
|
||||
descr => 'mariadb repository',
|
||||
target => '/etc/yum.repos.d/mariadb.repo',
|
||||
baseurl => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/",
|
||||
gpgkey => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/RPM-GPG-KEY-MariaDB",
|
||||
require => Class['profiles::pki::vaultca'],
|
||||
}
|
||||
}
|
||||
@@ -1,48 +0,0 @@
|
||||
# Class: profiles::yum::ovirt
|
||||
class profiles::yum::ovirt (
|
||||
Array[String] $managed_repos,
|
||||
String $baseurl,
|
||||
Enum[
|
||||
'daily',
|
||||
'weekly',
|
||||
'monthly'
|
||||
] $snapshot = 'daily',
|
||||
) {
|
||||
$release = $facts['os']['release']['major']
|
||||
$basearch = $facts['os']['architecture']
|
||||
|
||||
$centos_nonstream = [
|
||||
'virt-advanced-virtualization',
|
||||
'storage-ceph-pacific'
|
||||
]
|
||||
$centos_stream = [
|
||||
'cloud-openstack-xena',
|
||||
'messaging-rabbitmq-38',
|
||||
'nfv-openvswitch-2',
|
||||
'opstools-collectd-5',
|
||||
'storage-gluster-10',
|
||||
'virt-ovirt-45'
|
||||
]
|
||||
$centos_nonstream.each |$name| {
|
||||
if $name in $managed_repos {
|
||||
yumrepo { $name:
|
||||
name => $name,
|
||||
descr => $name,
|
||||
target => '/etc/yum.repos.d/ovirt.repo',
|
||||
baseurl => "${baseurl}/${release}/${name}-20240311/${basearch}/os/",
|
||||
gpgcheck => false,
|
||||
}
|
||||
}
|
||||
}
|
||||
$centos_stream.each |$name| {
|
||||
if $name in $managed_repos {
|
||||
yumrepo { $name:
|
||||
name => $name,
|
||||
descr => $name,
|
||||
target => '/etc/yum.repos.d/ovirt.repo',
|
||||
baseurl => "${baseurl}/${release}-stream/${name}-20240311/${basearch}/os/",
|
||||
gpgcheck => false,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,48 +0,0 @@
|
||||
# Class: profiles::yum::epel
|
||||
#
|
||||
# This class manages the puppet7 yum repository for the system.
|
||||
#
|
||||
# Parameters:
|
||||
# -----------
|
||||
# - $baseurl: The base URL for the puppet7 yum repository. This should be the root
|
||||
# URL of your puppet7 mirror server.
|
||||
#
|
||||
# Actions:
|
||||
# --------
|
||||
# - Checks the OS release version.
|
||||
#
|
||||
# - If the release version is 7, 8, or 9, it sets up the 'puppet7' yum repository
|
||||
# and installs the puppet7 release RPM from the provided baseurl.
|
||||
#
|
||||
# - If the release version is not supported, it raises an error.
|
||||
#
|
||||
# - The repo configuration includes the baseurl parameterized with the OS
|
||||
# release version and architecture, and specifies the GPG key.
|
||||
#
|
||||
# Example usage:
|
||||
# --------------
|
||||
# To use this class with the default parameters:
|
||||
# include profiles::yum::puppet7
|
||||
#
|
||||
# To specify a custom base URL:
|
||||
# class { 'profiles::yum::puppet7':
|
||||
# baseurl => 'http://mylocalmirror.com/yum',
|
||||
# }
|
||||
class profiles::yum::puppet7 (
|
||||
Array[String] $managed_repos,
|
||||
String $baseurl = 'http://repos.main.unkin.net/puppet7',
|
||||
) {
|
||||
$releasever = $facts['os']['release']['major']
|
||||
$basearch = $facts['os']['architecture']
|
||||
|
||||
if 'puppet7' in $managed_repos {
|
||||
yumrepo { 'puppet7':
|
||||
name => 'puppet7',
|
||||
descr => 'puppet7 repository',
|
||||
target => '/etc/yum.repos.d/puppet7.repo',
|
||||
baseurl => "${baseurl}/el/${releasever}-daily/${basearch}/os/",
|
||||
gpgkey => 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406',
|
||||
#gpgkey => "${baseurl}/el/${releasever}-daily/${basearch}/os/RPM-GPG-KEY-puppet",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,23 +0,0 @@
|
||||
# Class: profiles::yum::unkin
|
||||
class profiles::yum::unkin (
|
||||
Array[String] $managed_repos,
|
||||
String $baseurl,
|
||||
Enum[
|
||||
'daily',
|
||||
'weekly',
|
||||
'monthly'
|
||||
] $snapshot = 'daily',
|
||||
) {
|
||||
$release = $facts['os']['release']['major']
|
||||
$basearch = $facts['os']['architecture']
|
||||
|
||||
if 'unkin' in $managed_repos {
|
||||
yumrepo { 'unkin':
|
||||
name => 'unkin',
|
||||
descr => 'unkin repository',
|
||||
target => '/etc/yum.repos.d/unkin.repo',
|
||||
baseurl => "${baseurl}/${::facts['os']['release']['major']}/${basearch}/os/",
|
||||
gpgcheck => false,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,6 +1,11 @@
|
||||
# a role to deploy the base system
|
||||
# work in progress
|
||||
class roles::base {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
|
||||
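Review bot: `if $facts['firstrun']` tests the bare truthiness of a custom fact; in Puppet 4+ any non-empty string is true, so if the fact is delivered as text (for example from a facts.d file, where it would arrive as `'false'`) the node would never leave the bootstrap branch and never receive `profiles::base`. If the fact is known to be a Boolean this is fine, but an explicit comparison with the type the bootstrap actually sets, e.g. `if $facts['firstrun'] == true {` for a Boolean fact, makes the intent robust; the same applies to every role touched by this commit (redis, dhcp, dns master/resolver, haproxy, grafana, prometheus, ntp, ovirt engine/node, proxmox, puppet master, puppetboard, puppetdb api/sql, reposync, galera, consul, edgecache, minio, vault). `include profiles::defaults` is repeated in both branches here and in those roles; including it once above the `if` keeps each branch to what actually differs.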
@@ -1,7 +1,11 @@
|
||||
# cobbler server profile
|
||||
class roles::infra::cobbler::server {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::cobbler::server
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::cobbler::init
|
||||
}
|
||||
}
|
||||
|
||||
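Review bot: The `else` branch here omits `include profiles::defaults`, which the removed lines had and which every other role in this commit keeps in both branches; unless `profiles::base` pulls it in itself, a cobbler node after bootstrap loses whatever `profiles::defaults` configures. Adding `include profiles::defaults` as the first line of the `else` branch (or above the `if`) restores the previous behaviour.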
@@ -1,6 +1,10 @@
|
||||
|
||||
# a role to deploy a redis node
|
||||
class roles::infra::db::redis {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
# dhcp server profile
|
||||
class roles::infra::dhcp::server {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::dhcp::server
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::dhcp::server
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,7 +2,12 @@
|
||||
# defines a dns server with master-only zones
|
||||
#
|
||||
class roles::infra::dns::master {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::dns::master
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,7 +2,12 @@
|
||||
# defines a dns server with forward-only zones
|
||||
#
|
||||
class roles::infra::dns::resolver {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::dns::resolver
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
# a role to deploy a haproxy node
|
||||
class roles::infra::halb::haproxy {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::haproxy::server
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::haproxy::server
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,5 +1,10 @@
|
||||
# a role to deploy a grafana service
|
||||
class roles::infra::metrics::grafana {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,7 +1,12 @@
|
||||
# a role to deploy a prometheus server
|
||||
class roles::infra::metrics::prometheus {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::metrics::server
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::metrics::server
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
# a role to deploy a ntp server
|
||||
class roles::infra::ntp::server {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::ntp::server
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::ntp::server
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,5 +1,10 @@
|
||||
# role to manage ovirt management engine nodes
|
||||
class roles::infra::ovirt::engine {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
# role to manage ovirt hypervisor nodes
|
||||
class roles::infra::ovirt::node {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::ovirt::node
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::ovirt::node
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
# manage the installation of a proxmox node
|
||||
class roles::infra::proxmox::node {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::proxmox::init
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,7 +1,12 @@
|
||||
# a role to deploy the puppetmaster
|
||||
# work in progress
|
||||
class roles::infra::puppet::master {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::puppet::puppetmaster
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
# a role to deploy the puppetboard
|
||||
class roles::infra::puppetboard::server {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::puppet::puppetboard
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
# a role to deploy the puppetdb api service
|
||||
class roles::infra::puppetdb::api {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::puppet::puppetdb_api
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
# a role to deploy the puppetdb postgresql service
|
||||
class roles::infra::puppetdb::sql {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::puppet::puppetdb_sql
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,7 +1,12 @@
|
||||
# a role to deploy a packagerepo
|
||||
class roles::infra::reposync::syncer {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::reposync::syncer
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::reposync::syncer
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,7 +1,15 @@
|
||||
# a role to deploy a mariadb galera node
|
||||
class roles::infra::sql::galera {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::sql::galera_member
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
|
||||
if $facts['enc_role'] == 'roles::infra::sql::galera' {
|
||||
include profiles::sql::galera_member
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
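Review bot: The guard `if $facts['enc_role'] == 'roles::infra::sql::galera'` sits inside the very role it names, so whenever the ENC assigns this class the condition presumably already holds and `include profiles::sql::galera_member` is effectively unconditional; if the intent is to skip the member profile on nodes whose fact lags the ENC (right after a role change, say), a comment saying so would help, and otherwise the guard can go. Note too that `enc_role` is an agent-reported fact, and the `query_nodes("enc_role='...'")` lookup in the galera_member hunk above selects cluster peers by that same fact, so membership is decided by what each node says about itself rather than by a server-verified value; if that is not acceptable, querying PuppetDB for nodes whose catalog contains the class, or keying on `$trusted['certname']`, would be the verified source.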
@@ -1,8 +1,12 @@
|
||||
|
||||
# a role to deploy a consul node
|
||||
class roles::infra::storage::consul {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::consul::server
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::consul::server
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
# a role to deploy an edgecache
|
||||
class roles::infra::storage::edgecache {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::edgecache::init
|
||||
}
|
||||
}
|
||||
@@ -1,6 +1,11 @@
|
||||
# a role to deploy a minio node
|
||||
class roles::infra::storage::minio {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::minio::server
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::minio::server
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,7 +1,12 @@
|
||||
# a role to deploy a vault node
|
||||
class roles::infra::storage::vault {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::vault::server
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::vault::server
|
||||
}
|
||||
}
|
||||
|
||||