unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
1,052 Commits 18 Branches 0 Tags 3 MiB
219b655f29
Commit Graph

446 Commits

Author SHA1 Message Date
Ben Vincent
acef1bde29 feat: move puppetca role (#351) 
- move puppetca from vm to lxd

Reviewed-on: #351
 2025-07-09 21:15:09 +10:00
Ben Vincent
7d87e11e79 feat: add victoria metrics roles (#350) 
- add vmstorage, vmselect and vminsert roles
- base roles, only adding packages
- preparation for standing up a vicmet cluster

Reviewed-on: #350
 2025-07-08 20:34:46 +10:00
Ben Vincent
40c57ede59 feat: add ci build task (#342) 
- a ci workflow for build tests
- run pre-commit against all files

Reviewed-on: #342
 2025-07-08 20:19:36 +10:00
Ben Vincent
a550d48f21 fix: sort nameservers (#348) 
- sort nameservers before creating glue records

Reviewed-on: #348
 2025-07-06 20:09:19 +10:00
Ben Vincent
2d9faf578f feat: add unkin.net domain (#347) 
- manage the unkin.net domain
- ensure forwarding for unkin.net
- split domain from cname list and set zone correctly
- add fafflix to cnames list for haproxy2

Reviewed-on: #347
 2025-07-06 20:02:20 +10:00
Ben Vincent
2814a55df6 chore: hard-code git.unkin.net path (#346) 
- dirty fix, set git.unkin.net in hosts file template
- avoid hairpint nat

Reviewed-on: #346
 2025-07-06 16:43:07 +10:00
Ben Vincent
0063f68bc6 feat: enable external access to gitea (#344) 
- add git.unkin.net to certbot
- export haproxy resources for gitea
- add be_gitea to haproxy, import the certbot cert
- update the ROOT_URL for gitea instances

Reviewed-on: #344
 2025-07-06 13:47:56 +10:00
Ben Vincent
cf0ff85b70 fix: manage git user (#339) 
- prevent different gid/uid for git users when deploying cluster
- only add sudo conf when sudo_rules is a list

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/339
 2025-07-06 11:27:35 +10:00
Ben Vincent
b976f2063a feat: deploy redis for git (#336) 
- deploy redis/sentinel ha cluster for git
- update redis to 7 (required for almalinux 9)
- enable requirepass/masterauth

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/336
 2025-07-05 15:51:28 +10:00
Ben Vincent
93049707e7 benvin/gitea_cluster (#335) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/335
 2025-07-05 14:49:56 +10:00
Ben Vincent
a9faa098ee benvin/grafana_postgres (#334) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/334
 2025-07-01 19:07:24 +10:00
Ben Vincent
9bed18f78c fix: duplicate toml resources (#332) 
- change resource name for puppetserver_gem
- ensure toml installed on all agents

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/332
 2025-06-30 19:57:29 +10:00
Ben Vincent
33c8b226e0 feat: add puppetserver gem for toml (#330) 
- require toml for puppetserver gem

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/330
 2025-06-30 19:05:12 +10:00
Ben Vincent
d1e63ad18b feat: add shared pgsql instance (#328) 
- add shared pgsql instance
- use patroni

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/328
 2025-06-29 17:25:59 +10:00
Ben Vincent
99b312669b benvin/dhcp_failover (#327) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/327
 2025-06-29 13:36:16 +10:00
Ben Vincent
770fd643ac feat: add haproxy2 role (#322) 
- add basic haproxy2 role
- add peers and resolvers
- add haproxy2+ metrics frontend

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/322
 2025-06-28 16:20:06 +10:00
Ben Vincent
cb1d562cb0 feat: migrate pupeptdb sql to patroni (#318) 
- change puppetdb::sql to using the patroni profile
- change puppetdb::api to use new patroni cluster
- remove references to puppetlabs-puppetdb managed database
- update consul rules to enable sessions

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/318
 2025-06-19 05:52:32 +10:00
Ben Vincent
26b908e5e7 feat: add node_pools (#317) 
- change agentv2 to common node_pool
- set default node_pool to default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/317
 2025-06-15 17:43:19 +10:00
Ben Vincent
1cbc1be808 feat: add host_volumes to nomad (#315) 
- add puppet client certs
- add tls-ca-bundle

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/315
 2025-06-14 19:37:50 +10:00
Ben Vincent
60834ced00 feat: nomad cni additions (#314) 
- add consul-cni package
- enable grpc for consul servers
- enable consul connect for consul servers
- set recursors for consul
- add ports to consul agent (grpc, dns, http for nomad)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/314
 2025-06-14 18:47:24 +10:00
Ben Vincent
a26daca28c feat: stop manage nginx repo (#312) 
- use epel repo for nginx

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/312
 2025-06-09 14:18:30 +10:00
Ben Vincent
057c4ab747 feat: manage nginx resource ordering (#311) 
- ensure the package is installed before creating directories
- ensure nginx is restarted when vhost config changes

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/311
 2025-06-09 11:18:39 +10:00
Ben Vincent
bb2f59621a feat: split reposync into two roles (#307) 
- reposync and packagerepo web service
- change backing datastore to be cephfs /shared/app/packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/307
 2025-06-01 11:33:44 +10:00
Ben Vincent
1a904af2ee feat: change g10k to use a package (#304) 
- the archive path is no longer valid
- produced a g10k rpm with rpmbuilder

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/304
 2025-05-31 13:51:51 +10:00
Ben Vincent
bdd833fa4e feat: create basic k8s roles to start deployment (#302) 
- just create roles so can deploy hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/302
 2025-05-30 23:21:02 +10:00
Ben Vincent
3d5d40f381 chore: minor jellyfin updates (#300) 
- add jellyfin to video group, for access to gpu
- install intel related gpu drivers
- export lxc jellyfin to haproxy

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/300
 2025-05-27 19:55:55 +10:00
Ben Vincent
b3347f9226 chore: migrate media applications (#299) 
- migrate media applications to new cephfs pool + incus
- enable exporting haproxy
- move ceph-client-setup to only apply to non-lxc hosts
- ensure unrar is installed for nzbget
- updated jellyfin use of data_dir
- set lxc instances for jellyfin to use /shared/apps/jellyfin

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/299
 2025-05-25 20:27:17 +10:00
Ben Vincent
1d23fef82e feat: update settings for ceph (#298) 
- enable root logins via ssh with keys
- add ssh key for ceph to root user

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/298
 2025-05-25 20:22:00 +10:00
Ben Vincent
c0aab1087e fix: readd to jellyfin_haproxy (#297) 
- fix operator for jellyfin/haproxy

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/297
 2025-05-24 21:10:56 +10:00
Ben Vincent
596e498a00 feat: change media arr apps to hiera_include (#296) 
- change profiles::media::* to be hiera_included
- this is required to enable it to be hiera_excluded on virtual == lxc

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/296
 2025-05-24 20:23:56 +10:00
Ben Vincent
93cd02deec chore: update media roles for incus (#294) 
- prevent incus roles from exporting haproxy endpoints (for now)
- incus doesnt need to mount cephfs

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/294
 2025-05-24 18:59:46 +10:00
Ben Vincent
520e8a34e0 feat: add a nomad agent v2 role (#293) 
- excludes ceph (will be passed from incus)
- excludes frrouting (will use host-networking)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/293
 2025-05-24 15:35:20 +10:00
Ben Vincent
77d07672f8 chore: dont mount cephfs inside lxc (#292) 
- lxc instances will have cephfs passed from the host
- skip cephfs mounting for lxc instances

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/292
 2025-05-22 21:06:15 +10:00
Ben Vincent
d9e8637ad6 feat: manage more ceph requirements (#288) 
- add ceph-common to provide utilities for managing ceph
- add root and sysadmin ssh keys for ceph deployments

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/288
 2025-05-17 11:14:45 +10:00
Ben Vincent
2f088c461f feat: add ceph roles (#284) 
- add hieradata to manage ceph repo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/284
 2025-05-15 19:29:53 +10:00
Ben Vincent
a7b793238a fix: exclude docker0 interfaces (#282) 
- docker0 is the same on many hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/282
 2025-05-11 16:53:34 +10:00
Ben Vincent
87a6c73578 neoloc/loopback_dns (#281) 
- manage all interfaces in dns (except lo and anycast)
- move loopback0 anycast addresses to be anycast0

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/281
 2025-05-11 16:36:04 +10:00
Ben Vincent
3e0141bb1b feat: change to anycast resolver (#280) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/280
 2025-05-11 11:39:00 +10:00
Ben Vincent
ed947dee59 fix: listen-addr -> listen-address (#275) 
- listen-address is the correct option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/275
 2025-05-04 00:07:45 +10:00
Ben Vincent
a70b6492b0 feat: update consul/dnsmasq (#274) 
- update params with bind/advertise addr
- update params with anycast ip option
- migrate dnsmasq config to template

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/274
 2025-05-03 23:51:29 +10:00
Ben Vincent
1b8f50786f feat: ensure the vault audit_log exists (#272) 
- without this, vault will not take a leadership role

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/272
 2025-05-03 22:25:10 +10:00
Ben Vincent
b05acb23f4 feat: use custom cert for puppetdb access (#271) 
- manually generated certificate using sudo puppetserver ca generate --certname puppetdbapi.query.consul
- saved certificate and private_key in eyaml

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/271
 2025-05-03 12:41:23 +10:00
Ben Vincent
62f71e1feb chore: change puppetboard python version (#270) 
- change python version to follow python3_release fact
- this will follow os-release upgrades

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/270
 2025-05-03 01:07:52 +10:00
Ben Vincent
07b89ab737 feat: enable terraform access to puppetca (#267) 
- enable terraform to clean certificates

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/267
 2025-04-28 18:46:58 +10:00
Ben Vincent
1e3ce0ec1c feat: dont set gid/uid for sysadmin (#265) 
- sysadmin doesnt need to be a specific uid/gid, the next available
  uid/gid is fine

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/265
 2025-04-26 20:02:57 +10:00
Ben Vincent
496ed12a58 feat: change vault to use package install (#264) 
- vault 18.2 rpm produced by rpmbuilder repo
- ensure the /etc/vault directory is managed
- ensure service file is managed by puppet
- ensure package comes from unkin repo (not hashicorp)
- disable_mlock as unprivileged containers cannot use mlock

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/264
 2025-04-26 18:40:31 +10:00
Ben Vincent
e4166c6b14 feat: lxc compatability with datavol (#263) 
- lxc doesnt mount block devices, just check for mountpoint

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/263
 2025-04-26 17:28:57 +10:00
Ben Vincent
ecce93bedb feat: lxc cannot use chronyd (#259) 
- ensure lxc nodes do not attempt to install chronyd
- ensure chrony is removed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/259
 2025-04-24 23:18:45 +10:00
Ben Vincent
9dcaafb8ba feat: lxc updates (#258) 
- add virtual/lxc.yaml
- add crypto crypto-policies-scripts
- ensure ssh::server is managed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/258
 2025-04-24 23:03:01 +10:00
Ben Vincent
bc5bd11f5e feat: disable cobbler cache (#256) 
- this is required to resolve issues with terraform deploying cobbler
  settings

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/256
 2025-04-24 21:18:59 +10:00