unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
1,129 Commits 16 Branches 0 Tags 2.9 MiB
develop
Commit Graph

1129 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ben Vincent
3e0141bb1b feat: change to anycast resolver (#280) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/280
 2025-05-11 11:39:00 +10:00
Ben Vincent
bb6f6cbd49 feat: anycast dnsmasters (#279) 
- change dns masters on incus to anycast for bind
- change to networkd to support anycast/loopbacks

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/279
 2025-05-10 23:00:03 +10:00
Ben Vincent
51d6c1e81d fix: enable dns resolver access for dmz1 (#278) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/278
 2025-05-10 06:57:05 +10:00
Ben Vincent
537a207779 feat: update upstream ip for consul dns (#277) 
- set bind resolvers to use consuls anycast address for forwarding

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/277
 2025-05-09 22:10:35 +10:00
Ben Vincent
f322440d01 feat: setup anycast consul dns (#276) 
- manage frrouting repo/ospf
- change to systemd-networkd
- enable ospf on incus nodes bridges

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/276
 2025-05-09 22:07:42 +10:00
Ben Vincent
ed947dee59 fix: listen-addr -> listen-address (#275) 
- listen-address is the correct option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/275
 2025-05-04 00:07:45 +10:00
Ben Vincent
a70b6492b0 feat: update consul/dnsmasq (#274) 
- update params with bind/advertise addr
- update params with anycast ip option
- migrate dnsmasq config to template

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/274
 2025-05-03 23:51:29 +10:00
Ben Vincent
3079f7d000 feat: enable use of dhcp addresses in networkd (#273) 
- change ipaddress to be optional
- add dhcp option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/273
 2025-05-03 23:51:17 +10:00
Ben Vincent
1b8f50786f feat: ensure the vault audit_log exists (#272) 
- without this, vault will not take a leadership role

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/272
 2025-05-03 22:25:10 +10:00
Ben Vincent
b05acb23f4 feat: use custom cert for puppetdb access (#271) 
- manually generated certificate using sudo puppetserver ca generate --certname puppetdbapi.query.consul
- saved certificate and private_key in eyaml

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/271
 2025-05-03 12:41:23 +10:00
Ben Vincent
62f71e1feb chore: change puppetboard python version (#270) 
- change python version to follow python3_release fact
- this will follow os-release upgrades

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/270
 2025-05-03 01:07:52 +10:00
Ben Vincent
cdf9456456 feat: update psql15 repos for roles (#269) 
- update patroni to use packagerepo
- update puppetdb to use packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/269
 2025-04-29 21:04:45 +10:00
Ben Vincent
2323ef7749 feat: postgresql15/postgresql17 (#268) 
- add postgresql15 and 17 to reposync

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/268
 2025-04-28 21:39:45 +10:00
Ben Vincent
07b89ab737 feat: enable terraform access to puppetca (#267) 
- enable terraform to clean certificates

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/267
 2025-04-28 18:46:58 +10:00
Ben Vincent
9359b8902e feat: vault mlock (#266) 
- enable mlock by default
- disable mlock on lxd/incus nodes (lxc doesnt support it)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/266
 2025-04-26 22:43:20 +10:00
Ben Vincent
1e3ce0ec1c feat: dont set gid/uid for sysadmin (#265) 
- sysadmin doesnt need to be a specific uid/gid, the next available
  uid/gid is fine

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/265
 2025-04-26 20:02:57 +10:00
Ben Vincent
496ed12a58 feat: change vault to use package install (#264) 
- vault 18.2 rpm produced by rpmbuilder repo
- ensure the /etc/vault directory is managed
- ensure service file is managed by puppet
- ensure package comes from unkin repo (not hashicorp)
- disable_mlock as unprivileged containers cannot use mlock

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/264
 2025-04-26 18:40:31 +10:00
Ben Vincent
e4166c6b14 feat: lxc compatability with datavol (#263) 
- lxc doesnt mount block devices, just check for mountpoint

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/263
 2025-04-26 17:28:57 +10:00
Ben Vincent
78f4d2a88f feat: cleanup mpls configuration (#262) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/262
 2025-04-26 00:39:23 +10:00
Ben Vincent
762d980ea8 feat: update dns resolver zone management (#261) 
- move zones to common role path
- specify forwarders for each zone in region based hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/261
 2025-04-25 01:01:47 +10:00
Ben Vincent
463abe4b9d feat: add reverse dns zones for incus (#260) 
- add reverse dns zones for incus hosts
- update acls for openresolver

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/260
 2025-04-24 23:48:34 +10:00
Ben Vincent
ecce93bedb feat: lxc cannot use chronyd (#259) 
- ensure lxc nodes do not attempt to install chronyd
- ensure chrony is removed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/259
 2025-04-24 23:18:45 +10:00
Ben Vincent
9dcaafb8ba feat: lxc updates (#258) 
- add virtual/lxc.yaml
- add crypto crypto-policies-scripts
- ensure ssh::server is managed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/258
 2025-04-24 23:03:01 +10:00
Ben Vincent
a21c1b3697 Adding hieradata/node/ausyd1nxvm1072.main.unkin.net.yaml (#257) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/257
 2025-04-24 21:25:00 +10:00
Ben Vincent
bc5bd11f5e feat: disable cobbler cache (#256) 
- this is required to resolve issues with terraform deploying cobbler
  settings

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/256
 2025-04-24 21:18:59 +10:00
Ben Vincent
2321186ad5 neoloc/mpls_ldp_frr (#255) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/255
 2025-04-24 16:51:31 +10:00
Ben Vincent
c24babe309 feat: add incus image host (#254) 
- add role
- add consul service + checks
- manage the datavol as zfs
- insure the incus fact exists before attempting to read it

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/254
 2025-04-24 01:00:39 +10:00
Ben Vincent
bfda2b628b feat: enable ip forwarding for gitea runners (#253) 
- required to enable docker containers reach git service

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/253
 2025-04-21 18:40:17 +10:00
Ben Vincent
278f8001b0 feat: add frr synced repo (#252) 
- add frr repo to incus hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/252
 2025-04-18 21:21:23 +10:00
Ben Vincent
0fe44cf4e2 feat: add frr repos (#251) 
- add frr/stable/el8
- add frr/stable/el9
- add frr/extras/el8
- add frr/extras/el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/251
 2025-04-15 02:21:55 +10:00
Ben Vincent
25b06cde22 feat: move bridge management to incus (#250) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/250
 2025-04-15 00:04:14 +10:00
Ben Vincent
8c76e71dc4 chore: set core.https_address for incus (#249) 
- check the current config and update core.https_address if its wrong

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/249
 2025-04-07 11:04:12 +10:00
Ben Vincent
0e3dd4d7d0 feat: initialise barebones server (#248) 
- manage incus servers init

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/248
 2025-04-06 23:56:50 +10:00
Ben Vincent
83d0b31753 fix: set default for use_networkd (#247) 
- resolving issue where the systemd::manage_networkd is missing for most
  hosts, setting a default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/247
 2025-04-06 19:24:39 +10:00
Ben Vincent
b6ea353cfb feat: update dns resolver acls (#246) 
- add dmz acl
- add common acl
- add loopback/ceph/physical subnets to main acl

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/246
 2025-04-06 16:44:16 +10:00
Ben Vincent
c225564bdb feat: continue incus implementation (#245) 
- migrate to systemd-networkd
- setup dummy, bridge and static/ethernet interfaces
- manage sshd.service droping to start ssh after networking is online
- enable ip forewarding
- add fastpool/data/incus dataset
- enable ospf and frr
- add loopback0 as ssh listenaddress
- add loopback1/2 for ceph cluster/public traffic

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/245
 2025-04-06 16:38:04 +10:00
Ben Vincent
06666fe488 fix: resolve issue with baseos in el9 (#244) 
- was not correctly provisioning the baseos repo for el9 incus hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/244
 2025-04-02 21:02:08 +11:00
Ben Vincent
9dc88e6db6 feat: deep merge zpools/datasets (#243) 
- change prodnxsr0009 to use nvme0n1 as zfs device

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/243
 2025-04-02 20:35:04 +11:00
Ben Vincent
d87983d8fc chore: add sysadmin user after first run (#242) 
- enables extra_groups to function correctly

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/242
 2025-04-02 20:27:11 +11:00
Ben Vincent
95bc2716cf neoloc/incus_deploy (#241) 
feat: deploy incus

- manage sysctl based on incus recommendations
- manage limits based on incus recommendations
- manage zpools and zfs datasets
- add incus hiera settings

feat: manage repo for zfs

- dont use zfs module to manage repo, use profiles:😋:global::repos

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/241
 2025-03-31 23:14:05 +11:00
Ben Vincent
978013f325 chore: set default nameservers (#240) 
- if no nameservers are returned from puppetdb query, use default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/240
 2025-03-31 22:49:47 +11:00
Ben Vincent
829b1b05fd feat: cleanup consul from url install (#239) 
- set bind_dir to be /usr/bin for rhel, /usr/local/bin for debian
- remove url-installed consul from rhel

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/239
 2025-03-30 18:40:09 +11:00
Ben Vincent
6cb249ffbc fix: backtrack to 9.2.0 for postgresql (#238) 
- no parameter named 'instance'
- no parameter named 'port'

downgrading due to incompatibilities between the latest version of puppetdb and postgresql

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/238
 2025-03-30 17:51:33 +11:00
Ben Vincent
427fe352b4 feat: debian package for consul not managed (#237) 
- change debian hosts to use the url method to download consul

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/237
 2025-03-30 17:13:54 +11:00
Ben Vincent
45b061a053 feat: change almalinux9 to use packagerepo (#236) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/236
 2025-03-30 17:05:03 +11:00
Ben Vincent
d39d25d3f1 feat: add almalinux 9.5 repos using mirrorlist (#235) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/235
 2025-03-30 16:24:55 +11:00
Ben Vincent
06b458cb0e feat: reposync for almalinux 9.4 (in vault) (#234) 
- sync baseos, ha, appstream and crb repos

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/234
 2025-03-30 12:31:09 +11:00
Ben Vincent
e3046563a2 chore: install consul from package (#233) 
- upgrade to puppet-consul changed default install method to archive
- ensure package method is used
- dont manage the repo, consul is packaged by rpmbuilder

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/233
 2025-03-30 02:04:13 +11:00
Ben Vincent
e025928d77 chore: set secretid for puppetboard (#232) 
- manage the secret_key for puppetboard
- required since module upgrade

https://github.com/voxpupuli/puppetboard/issues/721

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/232
 2025-03-30 01:53:25 +11:00
Ben Vincent
e3e8b3484d chore: enable extra groups (#231) 
- enable adding extra groups to the sysadmin user

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/231
 2025-03-30 01:20:59 +11:00