unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
1,116 Commits 18 Branches 0 Tags 3 MiB
5b0365c096
Commit Graph

64 Commits

Author SHA1 Message Date
Ben Vincent
5b0365c096 feat: manage haproxy for stalwart (#420) 
- add frontends for imap, imaps and smtp
- add backends for webadmin, imap, imaps and smtp

Reviewed-on: #420
 2025-11-08 21:07:43 +11:00
Ben Vincent
62aade77ff feat: add ceph-dashboard to haproxy (#382) 
- add profile to export haproxy backend
- add new cert for dashboard.ceph.unkin.net
- extend balancemember with ipaddress attribute

Reviewed-on: #382
 2025-08-14 11:06:11 +10:00
Ben Vincent
df457306cc feat: add external grafana access (#366) 
- enable access to grafana through haproxy
- ensure grafana cert created from letsencrypt
- enable user access to grafana

Reviewed-on: #366
 2025-07-28 21:07:43 +10:00
Ben Vincent
2d9faf578f feat: add unkin.net domain (#347) 
- manage the unkin.net domain
- ensure forwarding for unkin.net
- split domain from cname list and set zone correctly
- add fafflix to cnames list for haproxy2

Reviewed-on: #347
 2025-07-06 20:02:20 +10:00
Ben Vincent
73362a3bf9 feat: add stick tables for gitea (#345) 
- stick tables are required for docker authentication

Reviewed-on: #345
 2025-07-06 14:42:14 +10:00
Ben Vincent
0063f68bc6 feat: enable external access to gitea (#344) 
- add git.unkin.net to certbot
- export haproxy resources for gitea
- add be_gitea to haproxy, import the certbot cert
- update the ROOT_URL for gitea instances

Reviewed-on: #344
 2025-07-06 13:47:56 +10:00
Ben Vincent
770fd643ac feat: add haproxy2 role (#322) 
- add basic haproxy2 role
- add peers and resolvers
- add haproxy2+ metrics frontend

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/322
 2025-06-28 16:20:06 +10:00
Ben Vincent
1df11b8977 chore: migrate certbot webserver (#306) 
- ausyd1nxvm1021 is decommed
- new source is ausyd1nxvm2057

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/306
 2025-05-31 16:22:59 +10:00
Ben Vincent
90504e5b02 chore: use alias for nameservers (#283) 
- use an alias for nameservers for dhcp ranges
- move aliased nameservers to region-wide hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/283
 2025-05-14 20:19:18 +10:00
Ben Vincent
bb6f6cbd49 feat: anycast dnsmasters (#279) 
- change dns masters on incus to anycast for bind
- change to networkd to support anycast/loopbacks

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/279
 2025-05-10 23:00:03 +10:00
Ben Vincent
537a207779 feat: update upstream ip for consul dns (#277) 
- set bind resolvers to use consuls anycast address for forwarding

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/277
 2025-05-09 22:10:35 +10:00
Ben Vincent
762d980ea8 feat: update dns resolver zone management (#261) 
- move zones to common role path
- specify forwarders for each zone in region based hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/261
 2025-04-25 01:01:47 +10:00
Ben Vincent
2ef4fb0bf8 feat: update certbot module 
- update documentation
- add option to notify services
- set haproxy role to notify the haproxy service
 2024-10-07 13:40:53 +11:00
Ben Vincent
eb32a216f5 Merge pull request 'neoloc/rundeck' (#121) from neoloc/rundeck into develop 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/121
 2024-07-28 02:05:20 +10:00
Ben Vincent
26ffe17ee1 feat: add database 
- add database for rundeck
 2024-07-27 13:06:14 +10:00
Ben Vincent
946922fdb9 feat: add vrrp to halb 
- update keepalived module to 5.1.0
- add keepalived::vrrp::* to be deep merged in hiera
- add vrrp dns configuration
- add vrrp instance/script to halb in syd1
 2024-07-13 20:15:13 +10:00
Ben Vincent
1532641640 feat: add nzbget to media platform 
- add haproxy rules
- generate/distribute letsencrypt certificates
- manage access to cephfs
 2024-07-09 22:32:54 +10:00
Ben Vincent
899e2cbf49 feat: haproxy updates 
- use letsencrypt certificates
- add fafflix and jellyfin backends
 2024-07-08 22:56:24 +10:00
Ben Vincent
bd5164fed3 feat: certbot reorg 
- moved certbot into its own module
- added fact to list available certificates
- created systemd timer to rsync data to $data_dir/pub
- ensure the $data_dir/pub exists
- manage selinux for nginx
 2024-07-08 22:33:11 +10:00
Ben Vincent
30ec8c1bb1 feat: enable retrieval of certbot certs 
- refactor certbot
- add nginx to certbot hosts
 2024-07-07 22:30:40 +10:00
Ben Vincent
991c8a3029 feat: haproxy updates 
- add acls for all backends
- harden security of backends
- update http-check for all backends
 2024-07-07 16:51:36 +10:00
Ben Vincent
2199e4e3c0 feat: add jellyfin to haproxy 2024-06-30 00:02:44 +10:00
Ben Vincent
d07751a151 feat: haproxy for *arr stack 
- add additional backends
- set *arr's to export as a backend
- add *arr.main.unkin.net certificates
 2024-06-28 22:46:50 +10:00
Ben Vincent
62cac63f11 feat: add database generation to grafana 
- ensure a database, user and credential is created for each grafana node
- ensure all databases for a region are included in a mariadb cluster
- refine params with stdlib types
 2024-06-16 18:49:59 +10:00
Ben Vincent
b468f67103 feat: sign ssh host keys 
- manage python script/venv to sign ssh host certificates
- add approle_id to puppetmaster eyaml files
- add class to sign ssh-rsa host keys
- add facts to check if the current principals match the desired principals
 2024-06-01 22:51:42 +10:00
Ben Vincent
d2d08bc479 fix: change drw1 puppetmasters to use syd1 approle 
- changing vault url to vault.query.consul forced puppetmasters in drw1
  to connect to syd1 vault hosts
- set drw1 puppetmasters to use syd1 approle_id
 2024-05-26 01:27:45 +10:00
Ben Vincent
ad268e8977 Merge pull request 'feat: vault use vault' (#226) from neoloc/vault_use_vault into develop 
Reviewed-on: unkinben/puppet-prod#226
 2024-05-26 00:38:55 +09:30
Ben Vincent
ad4f9b81f4 Merge pull request 'neoloc/syd1_certmanager_approle' (#224) from neoloc/syd1_certmanager_approle into develop 
Reviewed-on: unkinben/puppet-prod#224
 2024-05-26 00:38:16 +09:30
Ben Vincent
7c0bf4a398 feat: vault use vault 
- change vault to use vault ephemeral certificates
- remove nginx frontend to vault
 2024-05-26 01:06:48 +10:00
Ben Vincent
b9c327799f feat: add vault service/query altnames 
- add nginx aliases for vault services
- add additional vault certificates
- change certmanager script to use vault.service.consul
 2024-05-25 15:51:09 +10:00
Ben Vincent
2c3aa2bbdc feat: vault certmanager tokens 
- move vault certmanager tokens to drw1/syd1 specific eyaml
- add syd1 certmanger token for syd1 vault
 2024-05-25 15:50:59 +10:00
Ben Vincent
0b549325a1 Merge pull request 'feat: added country-region altnames' (#223) from neoloc/puppetboard_altnames into develop 
Reviewed-on: unkinben/puppet-prod#223
 2024-05-24 23:01:37 +09:30
Ben Vincent
c883bc8c91 feat: added country-region altnames 
- add puppetboard.service.au-{syd1|drw1}.consul to:
  - vault pki cert
  - nginx server aliases
 2024-05-24 23:27:07 +10:00
Ben Vincent
cbf3f0e694 feat: change drw1 puppetdb -> syd1 2024-05-24 23:06:18 +10:00
Ben Vincent
349547c4bc feat: puppetboard on consul 
- updated nginx param types
- add nginx aliases, merge with vhost, use as server_names
- add additional vault alt-names
- add prepared query for puppetboard
 2024-05-22 22:54:54 +10:00
Ben Vincent
25cbff4656 feat: set syd1 puppetdb hosts 
- change syd1 puppetdb hosts to use consul serivce/query addresses
 2024-05-22 22:23:07 +10:00
Ben Vincent
2aa5ead9d1 feat: prepare syd1 mariadb cluster 
- update role to wait for enc_role
- move hiera data to country/region/role specific location
 2024-05-12 15:40:43 +10:00
Ben Vincent
c2e413c0fb chore: move dhcp hieradata to hieradata/role 2024-05-06 21:49:41 +10:00
Ben Vincent
14a56a41a2 Merge branch 'develop' into neoloc/consul_wan 
Conflicts:
	hieradata/common.yaml
 2024-05-05 18:01:41 +10:00
Ben Vincent
31f670ad18 Merge pull request 'neoloc/syd1_puppet' (#195) from neoloc/syd1_puppet into develop 
Reviewed-on: unkinben/puppet-prod#195
 2024-05-05 17:13:38 +09:30
Ben Vincent
51bd1796ad feat: per-datacentre consul dns 
- change forwarding for consul to be per-datacentre to local consul
- change domain from service.consul -> consul so query.consul can be resolved
 2024-05-04 16:27:32 +10:00
Ben Vincent
6020143f76 feat: consul multi-datacentre joining 
- add method to join multiple consul datacentres
- set syd1 as the primary datacentre
- use default token from au-syd1 cluster in all locations
- add replication token
 2024-05-04 00:39:18 +10:00
Ben Vincent
56b23620b7 refactor: reoganise the puppetserver profile 
- manage puppetserver package
- set order for puppetserver classes
- for profiles::puppet::server class:
  - set param types using stdlib where possible
  - set default values for all params
- move configuration data to hieradata
- wait for enc_role fact to match role
- exclude puppet::client from puppermaster nodes
 2024-05-02 23:32:32 +10:00
Ben Vincent
95135fb58a fix: add use_backend for drw1 haproxy 2024-05-01 21:58:10 +10:00
Ben Vincent
8697492611 feat: haproxy refactor 
- configure deep merging in hiera
- move fe_http and fe_https to hiera
- configure pve backends for standard and api traffic
 2024-05-01 19:02:03 +10:00
Ben Vincent
220ac182f4 feat: sydney haproxy cluster 
- add au-syd1 halb cluster
- add http-response to frontends
- manage haproxy after enc_role is correct
 2024-04-28 21:14:36 +10:00
Ben Vincent
8df927de18 feat: add node_token to agent config 
- move policy rules to hiera array[hash]
- add node_token to agent as the default token
 2024-04-28 17:06:06 +10:00
Ben Vincent
43afc23535 feat: deploy consul services 
- add vault.service.consul
 2024-04-28 14:06:49 +10:00
Ben Vincent
3001bc32f2 feat: add sydney vault cluster 
- separate yaml between multiple regions
- add nginx frontend to vault
 2024-04-27 22:35:16 +10:00
Ben Vincent
f536d19034 feat: generate consul policy/tokens 
- generate policy/token to add nodes
- generate policy/token for all nodes
- add base::root profile to manage aspects of the root user
 2024-04-27 20:21:57 +10:00