From 8cb6b68b53fe0b277558d236fab0020428526348 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 10 Feb 2024 23:50:13 +1100 Subject: [PATCH] feat: add consul server profile - install/configure consul - install/configure dnsmasq as dns proxy for consul - add unkin yumrepo definition as source for consul - update datavol to ensure the /data volume is mounted --- Puppetfile | 1 + .../au/region/drw1/infra/storage/consul.eyaml | 4 + .../au/region/drw1/infra/storage/consul.yaml | 3 + hieradata/os/AlmaLinux/AlmaLinux8.yaml | 1 + hieradata/os/AlmaLinux/all_releases.yaml | 1 + hieradata/roles/infra/storage/consul.eyaml | 2 + hieradata/roles/infra/storage/consul.yaml | 22 +++ site/profiles/manifests/base/datavol.pp | 3 +- site/profiles/manifests/consul/server.pp | 125 ++++++++++++++++++ site/profiles/manifests/yum/global.pp | 5 + site/profiles/manifests/yum/unkin.pp | 23 ++++ site/roles/manifests/infra/storage/consul.pp | 2 + 12 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 hieradata/country/au/region/drw1/infra/storage/consul.eyaml create mode 100644 hieradata/country/au/region/drw1/infra/storage/consul.yaml create mode 100644 hieradata/roles/infra/storage/consul.eyaml create mode 100644 hieradata/roles/infra/storage/consul.yaml create mode 100644 site/profiles/manifests/consul/server.pp create mode 100644 site/profiles/manifests/yum/unkin.pp
diff --git a/Puppetfile b/Puppetfile
index 4654fa0..85a9ba9 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -27,6 +27,7 @@ mod 'puppet-nginx', '5.0.0'
 mod 'puppet-selinux', '4.1.0'
 mod 'puppet-prometheus', '13.4.0'
 mod 'puppet-grafana', '13.1.0'
+mod 'puppet-consul', '8.0.0'
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
diff --git a/hieradata/country/au/region/drw1/infra/storage/consul.eyaml b/hieradata/country/au/region/drw1/infra/storage/consul.eyaml
new file mode 100644
index 0000000..948b16f
--- /dev/null
+++ b/hieradata/country/au/region/drw1/infra/storage/consul.eyaml
@@ -0,0 +1,4 @@
+---
+profiles::consul::server::gossip_key: ENC[PKCS7,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]
+profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,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]
+profiles::consul::server::acl_tokens_default: ENC[PKCS7,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]
diff --git a/hieradata/country/au/region/drw1/infra/storage/consul.yaml b/hieradata/country/au/region/drw1/infra/storage/consul.yaml
new file mode 100644
index 0000000..fef2905
--- /dev/null
+++ b/hieradata/country/au/region/drw1/infra/storage/consul.yaml
@@ -0,0 +1,3 @@
+---
+profiles::consul::server::bootstrap_count: 3
+profiles::consul::server::raft_multiplier: 10
diff --git a/hieradata/os/AlmaLinux/AlmaLinux8.yaml b/hieradata/os/AlmaLinux/AlmaLinux8.yaml
index ef48076..75984dc 100644
--- a/hieradata/os/AlmaLinux/AlmaLinux8.yaml
+++ b/hieradata/os/AlmaLinux/AlmaLinux8.yaml
@@ -8,3 +8,4 @@ profiles::yum::managed_repos:
 - 'highavailability'
 - 'puppet7'
 - 'yum.postgresql.org'
+ - 'unkin'
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index 6592ae6..9a85522 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -2,6 +2,7 @@
 ---
 profiles::yum::base::baseurl: http://repos.main.unkin.net/almalinux
 profiles::yum::epel::baseurl: http://repos.main.unkin.net/epel
+profiles::yum::unkin::baseurl: http://repos.main.unkin.net/unkin
 profiles::firewall::firewalld::ensure_package: 'absent'
 profiles::firewall::firewalld::ensure_service: 'stopped'
 profiles::firewall::firewalld::enable_service: false
diff --git a/hieradata/roles/infra/storage/consul.eyaml b/hieradata/roles/infra/storage/consul.eyaml
new file mode 100644
index 0000000..4182583
--- /dev/null
+++ b/hieradata/roles/infra/storage/consul.eyaml
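Review bot: `raft_multiplier: 10` in the region consul.yaml, which server.pp hands straight to `performance.raft_multiplier`, sits at the top of Consul's scale and, as I understand that setting, stretches leader-election and heartbeat timeouts roughly ten-fold over the value of 1 recommended for production, so a lost server in this `bootstrap_count: 3` cluster will take correspondingly longer to be noticed and replaced. If high latency between the drw1 servers makes the slow setting deliberate, record that next to the value, e.g. `# 10 = slowest failure detection; lower toward 1 once inter-server latency is measured`; otherwise start at 1 and raise it only if elections flap.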
@@ -0,0 +1,2 @@
+---
+profiles::consul::server::acl_master_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAFCDnJyImf/X8f6WGqt37XbuuSg5hCeC5Uhdd0u1/Jjlz4AzMyhF41Vs6iVrV6irlsMDziSQrcEvGumTPmYShRQiRv0GvkhHUpn2XROKd63KolsWRj2K2S5FhgwolgtQc05DLmGaQ6FIUMVk3aKU/v8IGSDopcjdhwTJtheOLgiiEjv8TsjWKOOIa0H7caa6ZiZxcf2Y99Wv9gIZdt+LnXGdlDuO88+gkYTpRM07RY21nr4VS821y0MwFcYx2SyzMDk60RvgCmvA6RdoyHBUYAu07IX6IjP5LZwpAkcPcA4gADVP7vOPT2WhVAtkzpg+RwNxkuWYA5roO2r1UhERixjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9TM/c8nXJswHAUSU6kFCDgDBob2r0tFLq1Jw313Ys8jUtKsetsrc5x7uIDYzOqr7ulEM9B0VOD2ekR9IRYZMsBCg=]
diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml
new file mode 100644
index 0000000..e3eb0fd
--- /dev/null
+++ b/hieradata/roles/infra/storage/consul.yaml
@@ -0,0 +1,22 @@
+---
+profiles::consul::server::members_role: roles::infra::storage::consul
+profiles::consul::server::members_lookup: true
+profiles::consul::server::data_dir: /data/consul
+profiles::consul::server::primary_datacenter: 'au-drw1'
+profiles::consul::server::addresses:
+ dns: "%{::networking.ip}"
+ http: "%{::networking.ip}"
+ https: "%{::networking.ip}"
+ grpc: "%{::networking.ip}"
+ grpc_tls: "%{::networking.ip}"
+profiles::consul::server::ports:
+ dns: 8600
+ http: 8500
+ https: -1
+profiles::consul::server::acl:
+ enabled: true
+ default_policy: 'deny'
+ down_policy: 'extend-cache'
+ tokens:
+ initial_management: "%{alias('profiles::consul::server::acl_tokens_initial_management')}"
+ default: "%{alias('profiles::consul::server::acl_tokens_default')}"
diff --git a/site/profiles/manifests/base/datavol.pp b/site/profiles/manifests/base/datavol.pp
index 4384bb6..5cb2a12 100644
--- a/site/profiles/manifests/base/datavol.pp
+++ b/site/profiles/manifests/base/datavol.pp
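Review bot: `https: -1` disables the TLS listener while `http: 8500` stays bound to `%{::networking.ip}`, so the ACL-protected HTTP API, and with it the `initial_management` and `default` tokens that `tokens:` wires in, is reachable on the routable interface in cleartext. Unless something outside this patch fronts 8500 with TLS, anyone on the network path can read those tokens; either enable `https: 8501` together with a `tls` block (CA, cert, key) in the config, or move the plain listener to loopback with `http: 127.0.0.1` under `addresses`, since the dnsmasq forwarder added in server.pp only needs the DNS port. Separately, the `acl_master_token` key in the role consul.eyaml does not correspond to any parameter declared on `profiles::consul::server` in this patch, so that encrypted secret appears to be dead data; drop it, or rename it to the `acl_tokens_initial_management` key the profile actually consumes, rather than leaving a stale management token in the repo.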
@@ -11,6 +11,7 @@
 #
 class profiles::base::datavol (
 Enum['present', 'absent'] $ensure = 'present',
+ Enum['present', 'absent', 'mounted'] $mountstate = 'mounted',
 Enum['ext2', 'ext3', 'ext4', 'xfs', 'btrfs'] $fstype = 'xfs',
 String $vg = 'datavg',
 String $pv = '/dev/vdb',
@@ -63,7 +64,7 @@ class profiles::base::datavol (
 # Ensure the logical volume is mounted at the desired location
 mount { $mount:
- ensure => $ensure,
+ ensure => $mountstate,
 device => "/dev/${vg}/${lv}",
 fstype => $fstype,
 options => $mount_options.join(','),
diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp
new file mode 100644
index 0000000..83dac9f
--- /dev/null
+++ b/site/profiles/manifests/consul/server.pp
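Review bot: `mountstate` now drives `mount { $mount: }` independently of `$ensure`, so a caller passing `ensure => 'absent'` still gets `ensure => 'mounted'` on the mount while the rest of the class, which is outside these hunks, presumably tears down the LV and filesystem; the old `ensure => $ensure` kept the two in step. Make absent win, e.g. `ensure => $ensure ? { 'absent' => 'absent', default => $mountstate },`, so that the default of 'mounted' only applies when the volume is being kept. The new parameter also deserves a line in the class header comment, e.g. `# @param mountstate state of the mount resource while ensure is present: 'present' writes the fstab entry only, 'mounted' also mounts it`. The class profiles::base::datavol starts and ends outside the hunks shown.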
@@ -0,0 +1,125 @@
+# profiles::consul::server
+class profiles::consul::server (
+ String $gossip_key,
+ String $primary_datacenter,
+ Hash $acl,
+ Hash $ports,
+ Hash $addresses,
+ Boolean $members_lookup = false,
+ String $members_role = undef,
+ Array $consul_servers = [],
+ Boolean $enable_ui = true,
+ Boolean $enable_ui_config = true,
+ Boolean $manage_repo = false,
+ String $package_ensure = 'latest',
+ String $package_name = 'consul',
+ Integer $bootstrap_count = 1,
+ String $domain = 'consul',
+ Integer $raft_multiplier = 1,
+ Enum[
+ 'allow',
+ 'deny',
+ 'extend-cache',
+ 'async-cache'
+ ] $acl_down_policy = 'extend-cache',
+ Enum[
+ 'allow',
+ 'deny'
+ ] $acl_default_policy = 'deny',
+ Enum[
+ 'url',
+ 'package',
+ 'docker',
+ 'none'
+ ] $install_method = 'package',
+ Stdlib::IP::Address $client_addr = '0.0.0.0',
+ Stdlib::Absolutepath $data_dir = '/opt/consul',
+ Stdlib::Absolutepath $bin_dir = '/usr/bin',
+ Boolean $disable_remote_exec = true,
+ Boolean $disable_update_check = true,
+) {
+
+ # set a datacentre/cluster name
+ $consul_cluster = "${::facts['country']}-${::facts['region']}"
+
+ # if lookup is enabled, find all the hosts in the specified role and create the servers_array
+ if $members_lookup {
+
+ # check that the role is also set
+ unless !($members_role == undef) {
+ fail("members_role must be provided for ${title} when members_lookup is True")
+ }
+
+ # if it is, find hosts, sort them so they dont cause changes every run
+ $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
+
+ # else use provided array from params
+ }else{
+ $servers_array = $consul_servers
+ }
+
+ # if $data_dir starts with /data, ensure the data mount exists
+ if ($data_dir.stdlib::start_with('/data') and $::facts['mountpoints']['/data']) or !
$data_dir.stdlib::start_with('/data') {
+
+ # install consul
+ class { 'consul':
+ install_method => $install_method,
+ manage_repo => $manage_repo,
+ package_name => $package_name,
+ package_ensure => $package_ensure,
+ bin_dir => $bin_dir,
+ config_hash => {
+ 'primary_datacenter' => $primary_datacenter,
+ 'acl' => $acl,
+ 'ports' => $ports,
+ 'addresses' => $addresses,
+ 'disable_remote_exec' => $disable_remote_exec,
+ 'disable_update_check' => $disable_update_check,
+ 'domain' => $domain,
+ 'bootstrap_expect' => $bootstrap_count,
+ 'client_addr' => '0.0.0.0',
+ 'data_dir' => $data_dir,
+ 'datacenter' => $consul_cluster,
+ 'log_level' => 'INFO',
+ 'node_name' => $::facts['networking']['fqdn'],
+ 'server' => true,
+ 'ui' => $enable_ui,
+ 'ui_config' => { 'enabled' => $enable_ui_config },
+ 'performance' => { 'raft_multiplier' => $raft_multiplier },
+ 'bind_addr' => $::facts['networking']['ip'],
+ 'advertise_addr' => $::facts['networking']['ip'],
+ 'retry_join' => $servers_array
+ },
+ }
+ }
+
+ # consul before dnsmasq
+ if defined(Class['consul']) {
+
+ # get the dns port from the $ports hash, otherwise use the default
+ $dns_port = pick($ports['dns'], 8600)
+
+ # install dnsmasq
+ package { 'dnsmasq':
+ ensure => installed,
+ }
+
+ # create the 10-consul.conf file
+ file { '/etc/dnsmasq.d/10-consul.conf':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => "server=/${domain}/${::facts['networking']['ip']}#${dns_port}\n",
+ require => Package['dnsmasq'],
+ notify => Service['dnsmasq'],
+ }
+
+ # ensure dnsmasq service is running and enabled at boot
+ service { 'dnsmasq':
+ ensure => running,
+ enable => true,
+ subscribe => File['/etc/dnsmasq.d/10-consul.conf'], # Restart dnsmasq if the consul config changes
+ }
+ }
+}
diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp
index 119230e..796b491 100644
--- a/site/profiles/manifests/yum/global.pp
+++ b/site/profiles/manifests/yum/global.pp
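Review bot: `$gossip_key` is a mandatory parameter, populated from the eyaml `gossip_key`, yet it never reaches `config_hash`, so nothing in this patch sets Consul's `encrypt` key and the serf gossip between the three servers runs unencrypted and unauthenticated; add `'encrypt' => $gossip_key,` to the hash. In the same hash `'client_addr' => '0.0.0.0'` is hard-coded although `$client_addr` is declared with that default, which makes the parameter dead; use `'client_addr' => $client_addr,` so a role can narrow it. `String $members_role = undef` will be rejected whenever no value is supplied, because undef does not satisfy String; declare it `Optional[String] $members_role = undef,` and the double negative `unless !($members_role == undef)` then reads more naturally as an `if $members_role == undef { fail(...) }` guard. Since the role data disables the TLS listener (`https: -1`), a gossip key is also the only transport protection this cluster would have; `verify_incoming`/`verify_outgoing`/`verify_server_hostname` with a CA are the usual companions for a server profile and are absent here. The `if ($data_dir.stdlib::start_with('/data') ...` line that opens this hunk's guard begins on the previous physical line.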
@@ -87,6 +87,11 @@ class profiles::yum::global ( managed_repos => $managed_repos, } + # Setup unkin repo if included in managed_repos + class { 'profiles::yum::unkin': + managed_repos => $managed_repos, + } + # setup dnf-autoupdate include profiles::yum::autoupdater
diff --git a/site/profiles/manifests/yum/unkin.pp b/site/profiles/manifests/yum/unkin.pp
new file mode 100644
index 0000000..be5be37
--- /dev/null
+++ b/site/profiles/manifests/yum/unkin.pp
@@ -0,0 +1,23 @@
+# Class: profiles::yum::unkin
+class profiles::yum::unkin (
+ Array[String] $managed_repos,
+ String $baseurl,
+ Enum[
+ 'daily',
+ 'weekly',
+ 'monthly'
+ ] $snapshot = 'daily',
+) {
+ $release = $facts['os']['release']['major']
+ $basearch = $facts['os']['architecture']
+
+ if 'unkin' in $managed_repos {
+ yumrepo { 'unkin':
+ name => 'unkin',
+ descr => 'unkin repository',
+ target => '/etc/yum.repos.d/unkin.repo',
+ baseurl => "${baseurl}/${::facts['os']['release']['major']}/${basearch}/os/",
+ gpgcheck => false,
+ }
+ }
+}
diff --git a/site/roles/manifests/infra/storage/consul.pp b/site/roles/manifests/infra/storage/consul.pp
index 22c3489..e47a108 100644
--- a/site/roles/manifests/infra/storage/consul.pp
+++ b/site/roles/manifests/infra/storage/consul.pp
@@ -3,4 +3,6 @@ class roles::infra::storage::consul {
 include profiles::defaults
 include profiles::base
+ include profiles::base::datavol
+ include profiles::consul::server
 }
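Review bot: `gpgcheck => false` on the new `unkin` yumrepo, combined with the plain-http `profiles::yum::unkin::baseurl` this patch adds to all_releases.yaml, means the consul package that `profiles::consul::server` installs with `package_ensure => 'latest'` is fetched and upgraded with no integrity check at all, so anyone who can tamper with or spoof repos.main.unkin.net on the path chooses the binary that holds the cluster's ACL tokens and KV data. Sign the repository and set `gpgcheck => true,` with `gpgkey => "${baseurl}/RPM-GPG-KEY-unkin",` (or whatever key location the mirror publishes), and prefer an https baseurl so the transport is not trivially interposable either. In the same class `$release` and `$snapshot` are computed or declared but never used, since `baseurl` re-reads the fact directly and the snapshot cadence is never interpolated into the path; wire them in or drop them so the parameter list reflects what the repo definition actually honours.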