Merge branch 'develop' into neoloc/syd1_puppetdb

2024-05-22 22:11:04 +10:00
77 changed files with 1230 additions and 668 deletions
+57 -52
@@ -3,59 +3,64 @@ class profiles::base (
Array $puppet_servers,
) {
# install the vault ca first
include profiles::pki::vaultca
# run a limited set of classes on the first run aimed at bootstrapping the new node
if $facts['firstrun'] {
include profiles::firstrun::init
}else{
# manage the puppet agent
include profiles::puppet::agent
# install the vault ca first
include profiles::pki::vaultca
# manage puppet clients
if ! member($puppet_servers, $trusted['certname']) {
include profiles::puppet::client
# manage the puppet agent
include profiles::puppet::agent
# manage puppet clients
if ! member($puppet_servers, $trusted['certname']) {
include profiles::puppet::client
}
# include the base profiles
include profiles::base::repos
include profiles::packages
include profiles::base::facts
include profiles::base::motd
include profiles::base::scripts
include profiles::base::hosts
include profiles::base::groups
include profiles::base::root
include profiles::accounts::sysadmin
include profiles::ntp::client
include profiles::dns::base
include profiles::pki::vault
include profiles::cloudinit::init
include profiles::metrics::default
include profiles::helpers::node_lookup
include profiles::consul::client
# include the python class
class { 'python':
manage_python_package => true,
manage_venv_package => true,
manage_pip_package => true,
use_epel => false,
}
# all hosts will have sudo applied
class { 'sudo':
secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
}
# manage virtualised guest agents
if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' {
include profiles::qemu::agent
}
# include classes from hiera
lookup('hiera_classes', Array[String], 'unique').include
# specifc ordering constraints
Class['profiles::pki::vaultca']
-> Class['profiles::base::repos']
-> Class['profiles::packages']
}
# include the base profiles
include profiles::base::repos
include profiles::packages
include profiles::base::facts
include profiles::base::motd
include profiles::base::scripts
include profiles::base::hosts
include profiles::base::groups
include profiles::base::root
include profiles::accounts::sysadmin
include profiles::ntp::client
include profiles::dns::base
include profiles::pki::vault
include profiles::cloudinit::init
include profiles::metrics::default
include profiles::helpers::node_lookup
include profiles::consul::client
# include the python class
class { 'python':
manage_python_package => true,
manage_venv_package => true,
manage_pip_package => true,
use_epel => false,
}
# all hosts will have sudo applied
class { 'sudo':
secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
}
# manage virtualised guest agents
if $::facts['is_virtual'] and $::facts['dmi']['manufacturer'] == 'QEMU' {
include profiles::qemu::agent
}
# include classes from hiera
lookup('hiera_classes', Array[String], 'unique').include
# specifc ordering constraints
Class['profiles::pki::vaultca']
-> Class['profiles::base::repos']
-> Class['profiles::packages']
}
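Review bot: `if $facts['firstrun']` lets a node-supplied fact decide whether the full base profile (puppet agent management, the sudo secure_path, sysadmin accounts, the hiera_classes lookup) is applied at all, so a node whose firstrun fact is stale or has been altered keeps receiving only the bootstrap catalog. The same pattern gates whole profiles on `$facts['enc_role']` in profiles::cobbler::init, profiles::dhcp::server and profiles::edgecache::init. If enc_role really originates from the ENC, reading the ENC top-scope variable rather than a fact keeps that decision server-side; for firstrun, at least document the contract next to the condition, `# firstrun is a node fact: the node decides when bootstrap is over, nothing here re-checks it`. The class header is on line 3 of the file, outside the hunk.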
+77
@@ -0,0 +1,77 @@
# profiles::cobbler::config
class profiles::cobbler::config {
include profiles::cobbler::params
$default_password_crypted = $profiles::cobbler::params::default_password_crypted
$httpd_ssl_certificate = $profiles::cobbler::params::httpd_ssl_certificate
$httpd_ssl_privatekey = $profiles::cobbler::params::httpd_ssl_privatekey
$pxe_just_once = $profiles::cobbler::params::pxe_just_once
$is_cobbler_master = $profiles::cobbler::params::is_cobbler_master
$service_cname = $profiles::cobbler::params::service_cname
$next_server = $profiles::cobbler::params::next_server
$server = $profiles::cobbler::params::server
# manage the cobbler settings file
file { '/etc/cobbler/settings.yaml':
ensure => 'file',
content => template('profiles/cobbler/settings.yaml.erb'),
group => 'apache',
owner => 'root',
mode => '0640',
require => Package['cobbler'],
notify => Service['cobblerd'],
}
# manage the debmirror config to meet cobbler requirements
file { '/etc/debmirror.conf':
ensure => 'file',
content => template('profiles/cobbler/debmirror.conf.erb'),
group => 'root',
owner => 'root',
mode => '0644',
require => Package['debmirror'],
}
# manage the httpd ssl configuration
file { '/etc/httpd/conf.d/ssl.conf':
ensure => 'file',
content => template('profiles/cobbler/httpd_ssl.conf.erb'),
group => 'root',
owner => 'root',
mode => '0644',
require => Package['httpd'],
notify => Service['httpd'],
}
# fix permissions in /var/lib/cobbler/web.ss
file {'/var/lib/cobbler/web.ss':
ensure => 'file',
group => 'root',
owner => 'apache',
mode => '0660',
require => Package['cobbler'],
notify => Service['cobblerd'],
}
# manage the main ipxe menu script
file { '/var/lib/tftpboot/main.ipxe':
ensure => 'file',
content => template('profiles/cobbler/main.ipxe.erb'),
owner => 'root',
group => 'root',
mode => '0644',
require => Package['cobbler'],
}
# export cnames for cobbler
if $is_cobbler_master {
profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
value => $::facts['networking']['hostname'],
type => 'CNAME',
record => "${service_cname}.",
zone => $::facts['networking']['domain'],
order => 10,
}
}
}
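Review bot: The header at the top of the class only repeats its name, while the body references `Package['cobbler']`, `Package['debmirror']`, `Package['httpd']`, `Service['cobblerd']` and `Service['httpd']`, which are declared in profiles::cobbler::install and profiles::cobbler::service, so this class only compiles when both are in the catalog (profiles::cobbler::init includes them). Suggest stating that in the header, `# Renders cobbler, debmirror and httpd config; expects the Package/Service resources from profiles::cobbler::install and profiles::cobbler::service`. The ssl.conf file notifies httpd, but nothing subscribes to the certificate and key at `$httpd_ssl_certificate` / `$httpd_ssl_privatekey`, so a renewed Vault certificate is presumably not picked up until httpd restarts for another reason; if those paths are File resources elsewhere in the catalog, `subscribe => [File[$httpd_ssl_certificate], File[$httpd_ssl_privatekey]]` on Service['httpd'] in profiles::cobbler::service would close that gap.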
+17
@@ -0,0 +1,17 @@
# profiles::cobbler::init
class profiles::cobbler::init (
) {
# wait for enc_role to be populated, needed for hieradata to match
if $facts['enc_role'] == 'roles::infra::cobbler::server' {
include profiles::cobbler::config
include profiles::cobbler::install
include profiles::cobbler::ipxebins
include profiles::cobbler::selinux
include profiles::cobbler::service
Class['profiles::cobbler::install']
-> Class['profiles::cobbler::config']
-> Class['profiles::cobbler::ipxebins']
-> Class['profiles::cobbler::selinux']
}
}
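Review bot: The ordering chain stops at profiles::cobbler::selinux and never includes profiles::cobbler::service, so the only thing keeping cobblerd and httpd from starting before the SELinux booleans and file contexts are applied is the individual `require` on File['/etc/cobbler/settings.yaml'] and File['/etc/httpd/conf.d/ssl.conf'], which are satisfied by the config class alone. On an enforcing host the services can therefore come up before the restorecon execs run and hit denials on the first run. Appending `-> Class['profiles::cobbler::service']` to the chain fixes the order without creating a cycle, since the install class only uses `before => Service[...]` and the config class only notifies the services.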
@@ -0,0 +1,34 @@
# profiles::cobbler::install
class profiles::cobbler::install {
include profiles::cobbler::params
$packages = $profiles::cobbler::params::packages
ensure_packages($packages, { ensure => 'present' })
# move the /var/www/cobbler directory to /data/cobbler
if ! $facts['cobbler_var_www_islink'] and ! $facts['cobbler_data_exists'] {
exec {'move_cobbler_data':
command => 'mv /var/www/cobbler /data/cobbler',
onlyif => 'test -d /var/www/cobbler',
path => ['/bin', '/usr/bin'],
before => Service['cobblerd'],
}
file { '/var/www/cobbler':
ensure => 'link',
target => '/data/cobbler',
require => Exec['move_cobbler_data'],
before => Service['httpd'],
notify => Service['httpd'],
}
}
if ! $facts['cobbler_var_www_exists'] and $facts['cobbler_data_exists'] {
file { '/var/www/cobbler':
ensure => 'link',
target => '/data/cobbler',
before => Service['httpd'],
notify => Service['httpd'],
}
}
}
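Review bot: The `move_cobbler_data` exec is guarded only by `onlyif => 'test -d /var/www/cobbler'`, and `test -d` follows symlinks, so once `/var/www/cobbler` is a link the guard still passes; the custom fact `cobbler_var_www_islink` is the only thing preventing a second `mv`, which would move the link into `/data/cobbler/cobbler`. Adding `creates => '/data/cobbler',` to the exec makes it idempotent regardless of fact freshness. Note also that when both `/var/www/cobbler` (as a real directory) and `/data/cobbler` already exist, neither branch runs and the data is never relocated or linked — worth either a `fail()` or a comment, `# both directories present: left untouched, resolve by hand`, so the silent no-op is intentional.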
@@ -1,6 +1,8 @@
# profiles::cobbler::ipxebins
class profiles::cobbler::ipxebins {
include profiles::cobbler::params
# download the custom undionly.kpxe file
# https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1
exec { 'download_undionly_kpxe':
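Review bot: The comment above the exec documents the undionly.kpxe source only by a gist link; the exec itself starts on the last hunk line and continues outside the hunk, so its URL and any verification are not visible here. A PXE binary fetched at catalog time becomes part of the boot trust chain of every host cobbler provisions, so the exec should pin an expected digest (for example an `unless` that compares `sha256sum` output against a recorded value) and the comment should record where the file was obtained and that value, `# expected sha256: <RECORDED-SHA256-PLACEHOLDER>`.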
+25
@@ -0,0 +1,25 @@
# profiles::cobbler::params
class profiles::cobbler::params (
Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
Stdlib::Fqdn $service_cname = $facts['networking']['fqdn'],
String $default_password_crypted = 'changeme',
String $server = $::facts['networking']['ip'],
String $next_server = $::facts['networking']['ip'],
Boolean $pxe_just_once = true,
Boolean $is_cobbler_master = false,
Array $packages = [
'cobbler',
'cobbler3.2-web',
'httpd',
'syslinux',
'dnf-plugins-core',
'debmirror',
'pykickstart',
'fence-agents',
'selinux-policy-devel',
'ipxe-bootimgs',
]
){
}
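Review bot: `String $default_password_crypted = 'changeme'` gives the default root password hash that ends up in `/etc/cobbler/settings.yaml` a placeholder default; the removed profiles::cobbler::server class declared this parameter without a default, so a catalog compiled without hiera data failed loudly instead of shipping `changeme`. Restore that by dropping the default, `String $default_password_crypted,` (or typing it `Sensitive[String]` if the settings template is adjusted to unwrap it), so a missing hiera key cannot provision hosts with a known value. `Array $packages` should also be `Array[String]` to match the typing used for the other parameters.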
@@ -0,0 +1,48 @@
# profiles::cobbler::selinux
class profiles::cobbler::selinux inherits profiles::cobbler::params {
include profiles::cobbler::params
$tftpboot_path = $profiles::cobbler::params::tftpboot_path
# manage selinux requirements for cobbler
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
$enable_sebooleans = [
'httpd_can_network_connect_cobbler',
'httpd_serve_cobbler_files',
'cobbler_can_network_connect'
]
$enable_sebooleans.each |$bool| {
selboolean { $bool:
value => on,
persistent => true,
}
}
selinux::fcontext { $tftpboot_path:
ensure => 'present',
seltype => 'cobbler_var_lib_t',
pathspec => "${tftpboot_path}(/.*)?",
}
selinux::fcontext { '/data/cobbler':
ensure => 'present',
seltype => 'cobbler_var_lib_t',
pathspec => '/data/cobbler(/.*)?',
}
exec { "restorecon_${tftpboot_path}":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${tftpboot_path}",
refreshonly => true,
subscribe => Selinux::Fcontext[$tftpboot_path],
}
exec { 'restorecon_/data/cobbler':
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => 'restorecon -Rv /data/cobbler',
refreshonly => true,
subscribe => Selinux::Fcontext['/data/cobbler'],
}
}
}
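Review bot: `inherits profiles::cobbler::params` on the class line is redundant with the `include profiles::cobbler::params` that follows and the fully-qualified read of `$profiles::cobbler::params::tftpboot_path`; class inheritance is only needed to override parameter defaults, and the same `inherits` appears on profiles::cobbler::service, which reads no parameter at all — drop it in both. `value => on` in the selboolean is a bareword where profiles::edgecache::selinux writes `'on'`; quote it for consistency. The pairing of each fcontext with a `refreshonly` restorecon exec is the right shape, and a one-line comment, `# fcontext only records the rule; restorecon applies it to existing files`, would explain why both are needed.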
-119
@@ -1,119 +0,0 @@
# profiles::cobbler::server
class profiles::cobbler::server (
Stdlib::Fqdn $service_cname,
String $default_password_crypted,
Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
String $server = $::facts['networking']['ip'],
String $next_server = $::facts['networking']['ip'],
Boolean $pxe_just_once = true,
) {
include profiles::cobbler::ipxebins
# manage the cobbler settings file
file { '/etc/cobbler/settings.yaml':
ensure => 'file',
content => template('profiles/cobbler/settings.yaml.erb'),
group => 'apache',
owner => 'root',
mode => '0640',
require => Package['cobbler'],
notify => Service['cobblerd'],
}
# fix permissions in /var/lib/cobbler/web.ss
file {'/var/lib/cobbler/web.ss':
ensure => 'file',
group => 'root',
owner => 'apache',
mode => '0660',
require => Package['cobbler'],
notify => Service['cobblerd'],
}
# manage the debmirror config to meet cobbler requirements
file { '/etc/debmirror.conf':
ensure => 'file',
content => template('profiles/cobbler/debmirror.conf.erb'),
group => 'root',
owner => 'root',
mode => '0644',
require => Package['debmirror'],
}
# manage the httpd ssl configuration
file { '/etc/httpd/conf.d/ssl.conf':
ensure => 'file',
content => template('profiles/cobbler/httpd_ssl.conf.erb'),
group => 'root',
owner => 'root',
mode => '0644',
require => Package['httpd'],
notify => Service['httpd'],
}
# manage the main ipxe menu script
file { '/var/lib/tftpboot/main.ipxe':
ensure => 'file',
content => template('profiles/cobbler/main.ipxe.erb'),
owner => 'root',
group => 'root',
mode => '0644',
require => Package['cobbler'],
}
# ensure cobblerd is running
service {'cobblerd':
ensure => 'running',
enable => true,
require => File['/etc/cobbler/settings.yaml'],
}
# ensure httpd is running
service {'httpd':
ensure => 'running',
enable => true,
require => File['/etc/httpd/conf.d/ssl.conf'],
}
# export cnames for cobbler
profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
value => $::facts['networking']['hostname'],
type => 'CNAME',
record => "${service_cname}.",
zone => $::facts['networking']['domain'],
order => 10,
}
# manage selinux requirements for cobbler
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
$enable_sebooleans = [
'httpd_can_network_connect_cobbler',
'httpd_serve_cobbler_files',
'cobbler_can_network_connect'
]
$enable_sebooleans.each |$bool| {
selboolean { $bool:
value => on,
persistent => true,
}
}
selinux::fcontext { $tftpboot_path:
ensure => 'present',
seltype => 'cobbler_var_lib_t',
pathspec => "${tftpboot_path}(/.*)?",
}
exec { "restorecon_${tftpboot_path}":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${tftpboot_path}",
refreshonly => true,
subscribe => Selinux::Fcontext[$tftpboot_path],
}
}
}
@@ -0,0 +1,17 @@
# profiles::cobbler::service
class profiles::cobbler::service inherits profiles::cobbler::params {
# ensure cobblerd is running
service {'cobblerd':
ensure => 'running',
enable => true,
require => File['/etc/cobbler/settings.yaml'],
}
# ensure httpd is running
service {'httpd':
ensure => 'running',
enable => true,
require => File['/etc/httpd/conf.d/ssl.conf'],
}
}
@@ -0,0 +1,14 @@
# profile::consul::prepared_query
class profiles::consul::prepared_query (
String $root_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
Hash $rules = {},
) {
$rules.each | $rule, $data | {
consul_prepared_query { $rule:
acl_api_token => $root_api_token,
hostname => $facts['networking']['ip'],
* => $data,
}
}
}
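Review bot: `$root_api_token` defaults to the Consul initial management token looked up from `profiles::consul::server::acl_tokens_initial_management`, and that token is then handed to every `consul_prepared_query`; writing prepared queries needs only query-write rules, so a dedicated token with that policy would keep the management secret out of this class and out of the agent's reports. Whether the consul module accepts a `Sensitive` wrapper for `acl_api_token` is not visible here — if it does, `Sensitive[String]` is the type to use. The `* => $data` splat will also collide with the explicit `acl_api_token` / `hostname` keys if hiera ever supplies them, which a comment on the hash should say, and the header comment reads `profile::consul::prepared_query` where the class is `profiles::consul::prepared_query`.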
+20 -1
@@ -43,6 +43,8 @@ class profiles::consul::server (
Stdlib::Absolutepath $bin_dir = '/usr/bin',
Boolean $disable_remote_exec = true,
Boolean $disable_update_check = true,
Boolean $join_remote_regions = false,
Array[String] $remote_regions = [],
) {
# wait for all attributes to be ready
@@ -62,6 +64,21 @@ class profiles::consul::server (
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
if $join_remote_regions {
# get all nodes in the members_role for each other region
$region_to_servers = $remote_regions.reduce({}) |$memo, $region| {
$servers = sort(query_nodes("enc_role='${members_role}' and region='${region}'", 'networking.fqdn'))
$memo + { $region => $servers }
}
# sort and flatten the regions into a single array of fqdns
$remote_servers_array = sort(flatten($region_to_servers.values))
} else {
# else just send an empty array
$remote_servers_array = []
}
# else use provided array from params
}else{
$servers_array = $consul_servers
@@ -97,7 +114,8 @@ class profiles::consul::server (
'performance' => { 'raft_multiplier' => $raft_multiplier },
'bind_addr' => $::facts['networking']['ip'],
'advertise_addr' => $::facts['networking']['ip'],
'retry_join' => $servers_array
'retry_join' => $servers_array,
'retry_join_wan' => $remote_servers_array,
},
}
}
@@ -109,6 +127,7 @@ class profiles::consul::server (
include profiles::nginx::simpleproxy
include profiles::consul::policies
include profiles::consul::tokens
include profiles::consul::prepared_query
# get the dns port from the $ports hash, otherwise use the default
$dns_port = pick($ports['dns'], 8600)
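Review bot: In the second hunk `$remote_servers_array` is assigned in both arms of `if $join_remote_regions`, but that whole block sits inside the branch that ends with the query_nodes call; the `}else{` arm that sets `$servers_array = $consul_servers` never assigns it, yet the config hunk uses `'retry_join_wan' => $remote_servers_array` unconditionally, which is an unknown-variable error under strict_variables and an undef entry otherwise. Add `$remote_servers_array = []` to that else arm (its body continues outside the hunk). The reduce into `$region_to_servers` only exists to be flattened; `$remote_servers_array = sort(flatten($remote_regions.map |$region| { query_nodes("enc_role='${members_role}' and region='${region}'", 'networking.fqdn') }))` says the same thing in one expression, and a comment should note that `$remote_regions` must not contain the local `$::facts['region']`, or the cluster WAN-joins itself.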
+9 -2
@@ -8,7 +8,9 @@ class profiles::defaults {
}
Package {
ensure => present,
ensure => present,
require => Class['profiles::base::repos']
}
File {
@@ -29,6 +31,11 @@ class profiles::defaults {
}
Yumrepo {
require => Class['profiles::pki::vaultca'],
ensure => 'present',
enabled => 1,
gpgcheck => 1,
mirrorlist => 'absent',
require => Class['profiles::pki::vaultca'],
notify => Exec['dnf_makecache'],
}
}
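Review bot: `Package { require => Class['profiles::base::repos'] }` and `Yumrepo { notify => Exec['dnf_makecache'] }` are resource defaults, so — assuming profiles::defaults is declared where they reach the whole catalog, as the existing File default suggests — every Package and Yumrepo in a catalog now depends on resources that only exist when profiles::base::repos and profiles::yum::global are declared. Any Package declared inside profiles::base::repos or the classes it pulls in forms a dependency cycle, and a catalog that declares a yumrepo without profiles::yum::global fails on the dangling Exec reference. `gpgcheck => 1` is the right place for that control; suggest a comment above the Yumrepo block, `# catalog-wide: every yumrepo needs the Vault CA and the dnf_makecache exec from profiles::yum::global`, and a noop run on a RedHat node to confirm no cycle is introduced.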
+19 -17
@@ -13,25 +13,27 @@ class profiles::dhcp::server (
Hash $classes = {},
){
class { 'dhcp':
service_ensure => running,
interfaces => $interfaces,
ntpservers => $ntpservers,
default_lease_time => $default_lease_time,
globaloptions => $globaloptions
}
# if pools, import them
$pools.each | $name, $data | {
dhcp::pool { $name:
* => $data,
if $facts['enc_role'] == 'roles::infra::dhcp::server' {
class { 'dhcp':
service_ensure => running,
interfaces => $interfaces,
ntpservers => $ntpservers,
default_lease_time => $default_lease_time,
globaloptions => $globaloptions
}
}
# if classes, import them
$classes.each | $name, $data | {
dhcp::dhcp_class { $name:
* => $data,
# if pools, import them
$pools.each | $name, $data | {
dhcp::pool { $name:
* => $data,
}
}
# if classes, import them
$classes.each | $name, $data | {
dhcp::dhcp_class { $name:
* => $data,
}
}
}
}
+12
@@ -0,0 +1,12 @@
# profiles::edgecache::init
class profiles::edgecache::init {
if $facts['enc_role'] == 'roles::infra::storage::edgecache' {
include profiles::edgecache::nginx
include profiles::edgecache::selinux
Class['profiles::edgecache::nginx']
-> Class['profiles::edgecache::selinux']
}
}
+129
@@ -0,0 +1,129 @@
# profiles::edgecache::nginx
class profiles::edgecache::nginx {
include profiles::edgecache::params
$data_root = $profiles::edgecache::params::data_root
$nginx_vhost = $profiles::edgecache::params::nginx_vhost
$nginx_aliases = $profiles::edgecache::params::nginx_aliases
$nginx_port = $profiles::edgecache::params::nginx_port
$nginx_ssl_port = $profiles::edgecache::params::nginx_ssl_port
$nginx_listen_mode = $profiles::edgecache::params::nginx_listen_mode
$nginx_cert_type = $profiles::edgecache::params::nginx_cert_type
$nginx_resolvers_enable = $profiles::edgecache::params::nginx_resolvers_enable
$nginx_resolvers_ipv4only = $profiles::edgecache::params::nginx_resolvers_ipv4only
# select the certificates to use based on cert type
case $nginx_cert_type {
'puppet': {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
# enum param prevents this ever being reached
}
}
# set variables based on the listen_mode
case $nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_ssl_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
'both': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
# enum param prevents this ever being reached
}
}
if $nginx_resolvers_ipv4only and $nginx_resolvers_enable {
$resolvers = $facts['nameservers'].join(' ')
file { '/etc/nginx/conf.d/resolvers.conf':
ensure => file,
content => "resolver ${resolvers} ipv4=on;\n",
}
}
# set the server_names
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
# define the default parameters for the nginx server
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
'www_root' => "${data_root}/pub",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
}
# ensure the requires directories exist
$profiles::edgecache::params::directories.each |$name,$data| {
file { $name:
ensure => 'directory',
before => Class['nginx'],
mode => '0775',
* => $data,
}
}
# merge the hashes conditionally
$nginx_parameters = merge($defaults, $extras_hash)
# manage the nginx class
class { 'nginx':
proxy_cache_path => {
"${data_root}/cache" => 'cache:128m',
},
proxy_cache_levels => '1:2',
proxy_cache_keys_zone => 'cache:128m',
proxy_cache_max_size => '30000m',
proxy_cache_inactive => '60d',
proxy_temp_path => "${data_root}/cache_tmp",
}
# create the nginx vhost with the merged parameters
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
# create location mirrors
$profiles::edgecache::params::mirrors.each |$name, $data| {
nginx::resource::location { "${nginx_vhost}_${name}":
server => $nginx_vhost,
ssl => true,
ssl_only => false,
* => $data,
}
}
}
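Review bot: The `/etc/nginx/conf.d/resolvers.conf` file is written with no `notify => Class['nginx::service']`, so a change in `$facts['nameservers']` lands on disk without nginx reloading, and the fact value is interpolated straight into the config without validation. Suggest `$resolvers = assert_type(Array[Stdlib::IP::Address], $facts['nameservers']).join(' ')` and `notify => Class['nginx::service'],` on the file resource. The `'subscribe' => [File[$ssl_cert], File[$ssl_key]]` entries also assume File resources for the Vault or Puppet certificate paths are declared elsewhere in the catalog; if they are not, the server declaration fails with an unresolved reference, which the class comment should state. `merge($defaults, $extras_hash)` and `create_resources('nginx::resource::server', …)` can be the native `$defaults + $extras_hash` and a direct `nginx::resource::server { $nginx_vhost: * => $nginx_parameters }`, matching the splat style used for the locations below.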
@@ -0,0 +1,15 @@
# profiles::edgecache::params
class profiles::edgecache::params (
Stdlib::Absolutepath $data_root = '/data/edgecache',
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'http',
Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
Boolean $nginx_resolvers_enable = false,
Boolean $nginx_resolvers_ipv4only = false,
Hash $directories = {},
Hash $mirrors = {},
){
}
@@ -0,0 +1,56 @@
# profiles::edgecache::selinux
class profiles::edgecache::selinux {
include profiles::edgecache::params
$data_root = $profiles::edgecache::params::data_root
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
# set httpd_sys_content_t to all files under the www_root
selinux::fcontext { "${data_root}/pub":
ensure => 'present',
seltype => 'httpd_sys_content_t',
pathspec => "${data_root}/pub(/.*)?",
}
# set httpd_sys_rw_content_t to all files under the cache_root
selinux::fcontext { "${data_root}/cache":
ensure => 'present',
seltype => 'httpd_sys_rw_content_t',
pathspec => "${data_root}/cache(/.*)?",
}
selinux::fcontext { "${data_root}/cache_tmp":
ensure => 'present',
seltype => 'httpd_sys_rw_content_t',
pathspec => "${data_root}/cache_tmp(/.*)?",
}
# make sure we can connect to other hosts
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
exec { "restorecon_${data_root}/pub":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_root}/pub",
refreshonly => true,
subscribe => Selinux::Fcontext["${data_root}/pub"],
}
exec { "restorecon_${data_root}/cache":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_root}/cache",
refreshonly => true,
subscribe => Selinux::Fcontext["${data_root}/cache"],
}
exec { "restorecon_${data_root}/cache_tmp":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_root}/cache_tmp",
refreshonly => true,
subscribe => Selinux::Fcontext["${data_root}/cache_tmp"],
}
}
}
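Review bot: `selboolean { 'httpd_can_network_connect': value => 'on' }` grants httpd_t unrestricted outbound network access, which is wider than a cache that only proxies to its upstream origins needs; if those origins are on standard HTTP/HTTPS ports, `httpd_can_network_relay` is the narrower boolean that still allows the proxy connections. The comment `# make sure we can connect to other hosts` should name the reason the broad boolean was chosen if the relay one is insufficient here, e.g. `# upstreams use non-standard ports, httpd_can_network_relay is not enough`. The fcontext/restorecon pairs mirror profiles::cobbler::selinux; keeping the `persistent => true` / `value => 'on'` ordering and quoting identical in both classes would make the two easier to diff.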
@@ -0,0 +1,19 @@
# profiles::firstrun::complete
class profiles::firstrun::complete {
file { '/root/.cache':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0750',
}
file {'/root/.cache/puppet_firstrun_complete':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0750',
content => 'firstrun completed',
require => File['/root/.cache'],
}
}
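Review bot: `mode => '0750'` on the marker file sets the execute bit on a plain text file; `'0640'` (or `'0600'`, since it lives under /root) is the intended permission, with `'0750'` kept only for the directory. Presumably the `firstrun` fact used in profiles::base reads this path, in which case the class comment should say so, `# creates the marker the firstrun fact checks; delete it to re-run bootstrap on the next agent run`, because that link between this file and the catalog branch is otherwise invisible.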
+20
@@ -0,0 +1,20 @@
# profiles::firstrun::init
class profiles::firstrun::init {
# include the required CA certificates
include profiles::pki::vaultca
# fast install packages on the first run
include profiles::base::repos
include profiles::firstrun::packages
# mark the firstrun as done
include profiles::firstrun::complete
Class['profiles::defaults']
-> Class['profiles::pki::vaultca']
-> Class['profiles::base::repos']
-> Class['profiles::firstrun::packages']
-> Class['profiles::firstrun::complete']
}
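Review bot: The chain starts at `Class['profiles::defaults']`, but this class does not include profiles::defaults, so the reference only resolves if something else (presumably site.pp) declares it; a catalog where it is absent fails with an unresolved reference. Either `include profiles::defaults` at the top or state the assumption in the header, `# expects profiles::defaults to be declared by the node classifier / site.pp`. The four other classes in the chain are all included here, which is the pattern to keep.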
@@ -0,0 +1,27 @@
# profiles::firstrun::packages
class profiles::firstrun::packages {
# include the correct package repositories, define the install_packages exec
case $facts['os']['family'] {
'RedHat': {
include profiles::yum::global
$install_command = 'dnf install -y'
}
'Debian': {
include profiles::apt::global
$install_command = 'apt-get install -y'
}
default: {
fail("Unsupported OS family ${facts['os']['family']}")
}
}
# get all the packages to install, and convert into a space separated list
$packages = hiera_array('profiles::packages::install', [])
$package_list = $packages.join(' ')
# install all the packages
exec { 'install_packages':
command => "${install_command} ${package_list}",
path => ['/bin', '/usr/bin'],
}
}
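Review bot: `hiera_array` is the deprecated API; `$packages = lookup('profiles::packages::install', Array[String], 'unique', [])` is the current equivalent and also types the data that is interpolated into the command. With that list empty, `dnf install -y` exits non-zero for lack of package arguments and the bootstrap run fails, so wrap the exec in `if !$packages.empty { … }` (the Debian branch tolerates an empty list, but the guard keeps both consistent). The exec has no `unless`/`creates`, which is presumably fine because the class is only reached on the firstrun branch, but a comment should say so: `# intentionally not idempotent: only ever applied by the firstrun catalog`.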
+1 -1
@@ -19,7 +19,7 @@ class profiles::puppet::agent (
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
require => Class['profiles::yum::puppet7'],
require => Yumrepo['puppet'],
}
# versionlock puppet-agent
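Review bot: `require => Yumrepo['puppet']` ties the agent package to a yumrepo that now only exists if the hiera hash fed to `profiles::yum::global::repos` contains a `puppet` entry; a node without that entry fails catalog compilation on an unresolved reference, whereas the previous `Class['profiles::yum::puppet7']` dependency was declared by the profile itself. Either document the contract in the class header, `# requires a 'puppet' yumrepo in profiles::yum::global::repos`, or use `require => Class['profiles::yum::global']`, which holds every repo created from that hash. The enclosing class continues outside the hunk.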
@@ -24,4 +24,12 @@ class profiles::puppet::puppetdb_sql (
contain ::puppetdb::database::postgresql
# create the postgresql::server::config_entry resources
$pg_config_entries = lookup('postgresql_config_entries', Hash[String, Data], 'hash', {})
$pg_config_entries.each |String $key, Data $value| {
postgresql::server::config_entry { $key:
ensure => 'present',
value => $value,
}
}
}
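Review bot: The lookup key `postgresql_config_entries` is unnamespaced, unlike the rest of this profile's data (compare `profiles::consul::server::acl_tokens_initial_management`), so it is easy to miss or collide with in hiera; a class parameter `Hash[String, Data] $pg_config_entries = {}` resolved by automatic parameter lookup would be the consistent form. The values are written verbatim into postgresql.conf, which the comment above the loop should say, since entries like `listen_addresses` or the ssl settings directly change the database's exposure. The class header starts outside the hunk.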
+4 -2
@@ -47,7 +47,7 @@ class profiles::sql::galera_member (
}
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${galera_members_role}'", 'networking.fqdn'))
$servers_array = sort(query_nodes("enc_role='${galera_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
# else use provided array from params
}else{
@@ -103,7 +103,8 @@ class profiles::sql::galera_member (
'binlog_format' => 'ROW',
'default-storage-engine' => 'innodb',
'query_cache_size' => '0',
'query_cache_type' => '0'
'query_cache_type' => '0',
'bind-address' => $local_ip,
}
}
$default_override_options_galera = {
@@ -211,4 +212,5 @@ class profiles::sql::galera_member (
}else{
notice("${title} requires the servers_array to have 3 or more, currently it is ${length($servers_array)}.")
}
}
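Review bot: `'bind-address' => $local_ip` is a good tightening, but `$local_ip` is defined outside the hunk, so confirm it is the address the other Galera members reach this node on, otherwise SST/IST connections are refused after the change. The new region filter mirrors profiles::consul::server; if `$facts['region']` is unset on a node the query becomes `region=''`, matches nothing, and the member silently drops into the notice branch at the end of the class — a `fail()` when the region fact is missing would surface that misconfiguration instead.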
-92
@@ -1,92 +0,0 @@
# Class: profiles::yum::base
#
# This class manages the 'base', extras' and 'appstream' yum
# repositories for a system, based on the provided list of managed repositories.
#
# Parameters:
# -----------
# - $managed_repos: An array containing the names of the repositories to be
# managed. This can include 'base', 'extras',
# and 'appstream'.
#
# - $baseurl: The base URL for the yum repositories. This should be the root
# URL of your yum mirror server.
#
# Actions:
# --------
# - Sets up the 'base', extras', and 'appstream' yum repositories
# as specified in the $managed_repos parameter, all using the provided baseurl.
#
# - Each repo configuration includes the baseurl parameterized with the OS
# release version and architecture, and specifies the GPG key.
#
# Example usage:
# --------------
# To use this class with the default parameters:
# class { 'profiles::yum::base':
# managed_repos => ['base', 'extras', 'appstream'],
# baseurl => 'http://mylocalmirror.com/yum',
# }
#
class profiles::yum::base (
Array[String] $managed_repos,
String $baseurl,
Enum[
'daily',
'weekly',
'monthly'
] $snapshot = 'daily',
) {
$release = $facts['os']['release']['full']
$basearch = $facts['os']['architecture']
if 'base' in $managed_repos {
yumrepo { 'base':
name => 'base',
descr => 'base repository',
target => '/etc/yum.repos.d/base.repo',
baseurl => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
}
}
if 'extras' in $managed_repos {
yumrepo { 'extras':
name => 'extras',
descr => 'extras repository',
target => '/etc/yum.repos.d/extras.repo',
baseurl => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
}
}
if 'appstream' in $managed_repos {
yumrepo { 'appstream':
name => 'appstream',
descr => 'appstream repository',
target => '/etc/yum.repos.d/appstream.repo',
baseurl => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
}
}
if 'powertools' in $managed_repos {
yumrepo { 'powertools':
name => 'powertools',
descr => 'powertools repository',
target => '/etc/yum.repos.d/powertools.repo',
baseurl => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
}
}
if 'highavailability' in $managed_repos {
yumrepo { 'highavailability':
name => 'highavailability',
descr => 'highavailability repository',
target => '/etc/yum.repos.d/highavailability.repo',
baseurl => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
}
}
}
-48
@@ -1,48 +0,0 @@
# Class: profiles::yum::epel
#
# This class manages the EPEL yum repository for the system.
#
# Parameters:
# -----------
# - $baseurl: The base URL for the EPEL yum repository. This should be the root
# URL of your EPEL mirror server.
#
# Actions:
# --------
# - Checks the OS release version.
#
# - If the release version is 7, 8, or 9, it sets up the 'epel' yum repository
#
# - If the release version is not supported, it raises an error.
#
# Example usage:
# --------------
# To use this class with the default parameters:
# include profiles::yum::epel
#
# To specify a custom base URL:
# class { 'profiles::yum::epel':
# baseurl => 'http://mylocalmirror.com/yum',
# }
class profiles::yum::epel (
Array[String] $managed_repos,
String $baseurl,
Enum[
'daily',
'weekly',
'monthly'
] $snapshot = 'daily',
) {
$release = $facts['os']['release']['major']
$basearch = $facts['os']['architecture']
if 'epel' in $managed_repos {
yumrepo { 'epel':
name => 'epel',
descr => 'epel repository',
target => '/etc/yum.repos.d/epel.repo',
baseurl => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/RPM-GPG-KEY-EPEL-${release}",
}
}
}
+22 -83
@@ -1,48 +1,7 @@
# Class: profiles::yum::global
#
# This class manages global YUM configurations and optionally includes the
# base and EPEL yum repository profiles based on the content of the
# $managed_repos parameter, which is an array of repository names.
#
# Parameters:
# -----------
# - $managed_repos: An array of repository names that the Puppet agent should
# manage. This parameter is mandatory and the class will
# fail if it is not provided via hieradata.
# Example: ['base', 'updates', 'extras', 'appstream']
#
# Actions:
# --------
# - Configures global YUM settings, including keeping the kernel development
# packages and cleaning old kernels.
#
# - Establishes default parameters for any YUM repositories managed by Puppet.
# This includes the repository file location, the repository description,
# and enabling the repository and GPG checks.
#
# - Depending on the content of the $managed_repos parameter, it includes the
# profiles::yum::base and/or profiles::yum::epel classes.
#
# - Manages all .repo files under /etc/yum.repos.d. All the repositories listed
# in $managed_repos will have their corresponding .repo files preserved. Any
# .repo file that is not listed in $managed_repos will be removed.
#
# - Creates and maintains a /etc/yum.repos.d/.managed file that lists all the
# .repo files that should be managed by Puppet.
#
# Example usage:
# --------------
# To use this class, include the class and configure hieradata:
# include profiles::yum::global
#
# profiles::yum::managed_repos:
# - 'base'
# - 'extras'
# - 'appstream'
#
class profiles::yum::global (
Array[String] $managed_repos,
Boolean $purge = true,
Hash $repos = {},
Boolean $purge = true,
){
class { 'yum':
keep_kernel_devel => true,
@@ -52,54 +11,34 @@ class profiles::yum::global (
},
}
Yumrepo {
ensure => 'present',
enabled => 1,
gpgcheck => 1,
mirrorlist => 'absent',
}
# purge all yum repos not defined by puppet
resources { 'yumrepo':
purge => $purge,
}
# Generate the content for the .managed file
$managed_file_content = $managed_repos.map |$repo_name| { "${repo_name}.repo" }.join("\n")
# download all gpg keys if a repo defines it
$repos.each |$name, $repo| {
if $repo['gpgkey'] {
$key_url = $repo['gpgkey']
$key_file = "/etc/pki/rpm-gpg/${name}-gpg-key"
# Create the .managed file
file { '/etc/yum.repos.d/.managed':
ensure => file,
content => $managed_file_content,
exec { "download_gpg_key_${name}":
command => "curl -s -o ${key_file} ${key_url} && rpm --import ${key_file}",
path => ['/bin', 'usr/bin'],
creates => $key_file,
before => Yumrepo[$name],
}
}
}
# Setup base repos
class { 'profiles::yum::base':
managed_repos => $managed_repos,
require => Class['profiles::pki::vaultca'],
}
# create repos
create_resources('yumrepo', $repos)
# Setup epel if included in managed_repos
class { 'profiles::yum::epel':
managed_repos => $managed_repos,
require => Class['profiles::pki::vaultca'],
}
# Setup puppet7 if included in managed_repos
class { 'profiles::yum::puppet7':
managed_repos => $managed_repos,
require => Class['profiles::pki::vaultca'],
}
# Setup unkin repo if included in managed_repos
class { 'profiles::yum::unkin':
managed_repos => $managed_repos,
require => Class['profiles::pki::vaultca'],
}
# Setup ovirt repo if included in managed_repos
class { 'profiles::yum::ovirt':
managed_repos => $managed_repos,
require => Class['profiles::pki::vaultca'],
# makecache if changes made to repos
exec {'dnf_makecache':
command => 'dnf makecache -q',
path => ['/usr/bin', '/bin'],
refreshonly => true,
}
# setup dnf-autoupdate
-25
@@ -1,25 +0,0 @@
# Class: profiles::yum::mariadb
#
# This class manages the mariadb yum repository for the system.
#
class profiles::yum::mariadb (
String $baseurl = 'https://repos.main.unkin.net',
String $version = '11.2',
Enum[
'daily',
'weekly',
'monthly'
] $snapshot = 'daily',
) {
$release = $facts['os']['release']['major']
$basearch = $facts['os']['architecture']
yumrepo { 'mariadb':
name => 'mariadb',
descr => 'mariadb repository',
target => '/etc/yum.repos.d/mariadb.repo',
baseurl => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/RPM-GPG-KEY-MariaDB",
require => Class['profiles::pki::vaultca'],
}
}
-48
@@ -1,48 +0,0 @@
# Class: profiles::yum::ovirt
class profiles::yum::ovirt (
Array[String] $managed_repos,
String $baseurl,
Enum[
'daily',
'weekly',
'monthly'
] $snapshot = 'daily',
) {
$release = $facts['os']['release']['major']
$basearch = $facts['os']['architecture']
$centos_nonstream = [
'virt-advanced-virtualization',
'storage-ceph-pacific'
]
$centos_stream = [
'cloud-openstack-xena',
'messaging-rabbitmq-38',
'nfv-openvswitch-2',
'opstools-collectd-5',
'storage-gluster-10',
'virt-ovirt-45'
]
$centos_nonstream.each |$name| {
if $name in $managed_repos {
yumrepo { $name:
name => $name,
descr => $name,
target => '/etc/yum.repos.d/ovirt.repo',
baseurl => "${baseurl}/${release}/${name}-20240311/${basearch}/os/",
gpgcheck => false,
}
}
}
$centos_stream.each |$name| {
if $name in $managed_repos {
yumrepo { $name:
name => $name,
descr => $name,
target => '/etc/yum.repos.d/ovirt.repo',
baseurl => "${baseurl}/${release}-stream/${name}-20240311/${basearch}/os/",
gpgcheck => false,
}
}
}
}
-48
@@ -1,48 +0,0 @@
# Class: profiles::yum::epel
#
# This class manages the puppet7 yum repository for the system.
#
# Parameters:
# -----------
# - $baseurl: The base URL for the puppet7 yum repository. This should be the root
# URL of your puppet7 mirror server.
#
# Actions:
# --------
# - Checks the OS release version.
#
# - If the release version is 7, 8, or 9, it sets up the 'puppet7' yum repository
# and installs the puppet7 release RPM from the provided baseurl.
#
# - If the release version is not supported, it raises an error.
#
# - The repo configuration includes the baseurl parameterized with the OS
# release version and architecture, and specifies the GPG key.
#
# Example usage:
# --------------
# To use this class with the default parameters:
# include profiles::yum::puppet7
#
# To specify a custom base URL:
# class { 'profiles::yum::puppet7':
# baseurl => 'http://mylocalmirror.com/yum',
# }
class profiles::yum::puppet7 (
Array[String] $managed_repos,
String $baseurl = 'http://repos.main.unkin.net/puppet7',
) {
$releasever = $facts['os']['release']['major']
$basearch = $facts['os']['architecture']
if 'puppet7' in $managed_repos {
yumrepo { 'puppet7':
name => 'puppet7',
descr => 'puppet7 repository',
target => '/etc/yum.repos.d/puppet7.repo',
baseurl => "${baseurl}/el/${releasever}-daily/${basearch}/os/",
gpgkey => 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406',
#gpgkey => "${baseurl}/el/${releasever}-daily/${basearch}/os/RPM-GPG-KEY-puppet",
}
}
}
-23
@@ -1,23 +0,0 @@
# Class: profiles::yum::unkin
class profiles::yum::unkin (
Array[String] $managed_repos,
String $baseurl,
Enum[
'daily',
'weekly',
'monthly'
] $snapshot = 'daily',
) {
$release = $facts['os']['release']['major']
$basearch = $facts['os']['architecture']
if 'unkin' in $managed_repos {
yumrepo { 'unkin':
name => 'unkin',
descr => 'unkin repository',
target => '/etc/yum.repos.d/unkin.repo',
baseurl => "${baseurl}/${::facts['os']['release']['major']}/${basearch}/os/",
gpgcheck => false,
}
}
}
+7 -2
@@ -1,6 +1,11 @@
# a role to deploy the base system
# work in progress
class roles::base {
include profiles::defaults
include profiles::base
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}
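Review bot: The branch on `$facts['firstrun']` decides whether a node receives only the bootstrap classes or the full `profiles::base`, but facts are reported by the agent itself, so a node that keeps presenting `firstrun` never gets the base profile; if that profile carries settings the fleet relies on, consider deriving the condition from server-side node data or a `$trusted` extension, or at least state the assumption in a comment above the `if`. If the fact is delivered as a string (text-based external facts), `'false'` is a non-empty string and therefore true in Puppet — a comparison such as `if "${facts['firstrun']}" == 'true' {` avoids that, assuming the value is only ever true/false. `include profiles::defaults` appears in both branches and can be hoisted above the `if`; the same pattern repeats in the redis, dhcp, dns, haproxy, grafana, prometheus, ntp, ovirt, proxmox, puppet, puppetdb, reposync, galera, consul, edgecache, minio and vault roles below, so one fix applies to all of them. Puppet style is `} else {` rather than `}else{` throughout.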
+8 -4
@@ -1,7 +1,11 @@
# cobbler server profile
class roles::infra::cobbler::server {
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::cobbler::server
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::base
include profiles::base::datavol
include profiles::cobbler::init
}
}
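Review bot: The else branch drops `include profiles::defaults`, which every other role in this commit keeps alongside `include profiles::base`; unless cobbler nodes are meant to run without those defaults, add `include profiles::defaults` before `include profiles::base` on the new side. The switch from `profiles::cobbler::server` to `profiles::cobbler::init` looks intentional and matches the `*::init` naming used by the proxmox and edgecache roles, but is worth a word in the commit description.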
+7 -3
@@ -1,6 +1,10 @@
# a role to deploy a redis node
class roles::infra::db::redis {
include profiles::defaults
include profiles::base
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}
+8 -3
@@ -1,6 +1,11 @@
# dhcp server profile
class roles::infra::dhcp::server {
include profiles::defaults
include profiles::base
include profiles::dhcp::server
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::dhcp::server
}
}
+5
@@ -2,7 +2,12 @@
# defines a dns server with master-only zones
#
class roles::infra::dns::master {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::dns::master
}
}
@@ -2,7 +2,12 @@
# defines a dns server with forward-only zones
#
class roles::infra::dns::resolver {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::dns::resolver
}
}
+8 -3
@@ -1,6 +1,11 @@
# a role to deploy a haproxy node
class roles::infra::halb::haproxy {
include profiles::defaults
include profiles::base
include profiles::haproxy::server
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::haproxy::server
}
}
@@ -1,5 +1,10 @@
# a role to deploy a grafana service
class roles::infra::metrics::grafana {
include profiles::defaults
include profiles::base
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}
@@ -1,7 +1,12 @@
# a role to deploy a prometheus server
class roles::infra::metrics::prometheus {
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::metrics::server
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::metrics::server
}
}
+8 -3
@@ -1,6 +1,11 @@
# a role to deploy a ntp server
class roles::infra::ntp::server {
include profiles::defaults
include profiles::base
include profiles::ntp::server
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::ntp::server
}
}
+7 -2
@@ -1,5 +1,10 @@
# role to manage ovirt management engine nodes
class roles::infra::ovirt::engine {
include profiles::defaults
include profiles::base
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}
+8 -3
@@ -1,6 +1,11 @@
# role to manage ovirt hypervisor nodes
class roles::infra::ovirt::node {
include profiles::defaults
include profiles::base
include profiles::ovirt::node
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::ovirt::node
}
}
@@ -1,6 +1,11 @@
# manage the installation of a proxmox node
class roles::infra::proxmox::node {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::proxmox::init
}
}
@@ -1,7 +1,12 @@
# a role to deploy the puppetmaster
# work in progress
class roles::infra::puppet::master {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::puppet::puppetmaster
}
}
@@ -1,6 +1,11 @@
# a role to deploy the puppetboard
class roles::infra::puppetboard::server {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::puppet::puppetboard
}
}
@@ -1,6 +1,11 @@
# a role to deploy the puppetdb api service
class roles::infra::puppetdb::api {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::puppet::puppetdb_api
}
}
@@ -1,6 +1,11 @@
# a role to deploy the puppetdb postgresql service
class roles::infra::puppetdb::sql {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::puppet::puppetdb_sql
}
}
@@ -1,7 +1,12 @@
# a role to deploy a packagerepo
class roles::infra::reposync::syncer {
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::reposync::syncer
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::reposync::syncer
}
}
+12 -4
@@ -1,7 +1,15 @@
# a role to deploy a mariadb galera node
class roles::infra::sql::galera {
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::sql::galera_member
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
if $facts['enc_role'] == 'roles::infra::sql::galera' {
include profiles::sql::galera_member
}
}
}
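Review bot: `if $facts['enc_role'] == 'roles::infra::sql::galera'` guards `profiles::sql::galera_member` inside the very class whose name it compares against, so when the role is applied through any path other than that fact the galera profile is silently skipped while the data volume is still set up. If the intent is to keep a node out of the cluster until its ENC role is confirmed, record it in a comment, e.g. `# only join the cluster once the ENC has assigned this role to the node`. Like `firstrun`, `enc_role` is a node-reported fact, so this comparison is a convenience gate and should not be treated as a trust boundary for cluster membership.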
+9 -5
@@ -1,8 +1,12 @@
# a role to deploy a consul node
class roles::infra::storage::consul {
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::consul::server
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::consul::server
}
}
@@ -0,0 +1,12 @@
# a role to deploy an edgecache
class roles::infra::storage::edgecache {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::edgecache::init
}
}
+8 -3
@@ -1,6 +1,11 @@
# a role to deploy a minio node
class roles::infra::storage::minio {
include profiles::defaults
include profiles::base
include profiles::minio::server
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::minio::server
}
}
+9 -4
@@ -1,7 +1,12 @@
# a role to deploy a vault node
class roles::infra::storage::vault {
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::vault::server
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::vault::server
}
}