chore: cleanup gitea actions workflows (#451)

- migrated workflows to woodpeckerci

Reviewed-on: #451

.gitea/workflows/build.yaml

@@ -1,24 +0,0 @@
-name: Build
-
-on:
-  pull_request:
-
-jobs:
-  precommit:
-    runs-on: almalinux-8
-    container:
-      image: git.unkin.net/unkin/almalinux9-actionsdind:latest
-      options: --privileged
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Install requirements
-        run: |
-          dnf groupinstall -y "Development Tools" -y
-          dnf install rubygems ruby-devel gcc make redhat-rpm-config glibc-headers glibc-devel -y
-
-      - name: Pre-Commit All Files
-        run: |
-          uvx pre-commit run --all-files

.woodpecker/pre-commit.yaml

@@ -0,0 +1,10 @@
+when:
+  - event: pull_request
+
+steps:
+  - name: pre-commit
+    image: git.unkin.net/unkin/almalinux9-base:latest
+    commands:
+      - dnf groupinstall -y "Development Tools" -y
+      - dnf install uv rubygems ruby-devel gcc make redhat-rpm-config glibc-headers glibc-devel libffi libffi-devel -y
+      - uvx pre-commit run --all-files

doc/ceph/README.md

@@ -28,6 +28,98 @@ Always refer back to the official documentation at https://docs.ceph.com/en/late
     sudo ceph fs set mediafs max_mds 2
 ```
 
+
+## managing cephfs with subvolumes
+
+Create erasure code profiles. The K and M values are equivalent to the number of data disks (K) and parity disks (M) in RAID5, RAID6, etc.
+
+    sudo ceph osd erasure-code-profile set ec_6_2 k=6 m=2
+    sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
+
+Create data pools using the erasure-code-profile, set some required options
+
+    sudo ceph osd pool create cephfs_data_ssd_ec_6_2 erasure ec_6_2
+    sudo ceph osd pool set cephfs_data_ssd_ec_6_2 allow_ec_overwrites true
+    sudo ceph osd pool set cephfs_data_ssd_ec_6_2 bulk true
+
+    sudo ceph osd pool create cephfs_data_ssd_ec_4_1 erasure ec_4_1
+    sudo ceph osd pool set cephfs_data_ssd_ec_4_1 allow_ec_overwrites true
+    sudo ceph osd pool set cephfs_data_ssd_ec_4_1 bulk true
+
+Add the pool to the fs `cephfs`
+
+    sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_6_2
+    sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_4_1
+
+Create a subvolumegroup using the new data pool
+
+    sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_6_2 --pool_layout cephfs_data_ssd_ec_6_2
+    sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_4_1 --pool_layout cephfs_data_ssd_ec_4_1
+
+All together:
+
+    sudo ceph osd erasure-code-profile set ec_6_2 k=6 m=2
+    sudo ceph osd pool create cephfs_data_ssd_ec_6_2 erasure ec_6_2
+    sudo ceph osd pool set cephfs_data_ssd_ec_6_2 allow_ec_overwrites true
+    sudo ceph osd pool set cephfs_data_ssd_ec_6_2 bulk true
+    sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_6_2
+    sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_6_2 --pool_layout cephfs_data_ssd_ec_6_2
+
+    sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
+    sudo ceph osd pool create cephfs_data_ssd_ec_4_1 erasure ec_4_1
+    sudo ceph osd pool set cephfs_data_ssd_ec_4_1 allow_ec_overwrites true
+    sudo ceph osd pool set cephfs_data_ssd_ec_4_1 bulk true
+    sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_4_1
+    sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_4_1 --pool_layout cephfs_data_ssd_ec_4_1
+
+Create a key with access to the new subvolume groups. Check if the user already exists first:
+
+    sudo ceph auth get client.kubernetes-cephfs
+
+If it doesnt:
+
+    sudo ceph auth get-or-create client.kubernetes-cephfs \
+      mgr 'allow rw' \
+      osd 'allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs' \
+      mds 'allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi_ssd_ec_6_2, allow rws fsname=cephfs path=/volumes/csi_ssd_ec_4_1' \
+      mon 'allow r fsname=cephfs'
+
+If it does, use `sudo ceph auth caps client.kubernetes-cephfs ...` instead to update existing capabilities.
+
+## removing a cephfs subvolumegroup from cephfs
+
+This will cleanup the subvolumegroup, and subvolumes if they exist, then remove the pool.
+
+Check for subvolumegroups first, then for subvolumes in it
+
+    sudo ceph fs subvolumegroup ls cephfs
+    sudo ceph fs subvolume ls cephfs --group_name csi_raid6
+
+
+If subvolumes exist, remove each one-by-one:
+
+    sudo ceph fs subvolume rm cephfs <subvol_name> --group_name csi_raid6
+
+If you have snapshots, remove snapshots first:
+
+    sudo ceph fs subvolume snapshot ls cephfs <subvol_name> --group_name csi_raid6
+    sudo ceph fs subvolume snapshot rm cephfs <subvol_name> <snap_name> --group_name csi_raid6
+
+Once the group is empty, remove it:
+
+    sudo ceph fs subvolumegroup rm cephfs csi_raid6
+
+If it complains it’s not empty, go back as there’s still a subvolume or snapshot.
+
+If you added it with `ceph fs add_data_pool`. Undo with `rm_data_pool`:
+
+    sudo ceph fs rm_data_pool cephfs cephfs_data_csi_raid6
+
+After it’s detached from CephFS, you can delete it.
+
+    sudo ceph osd pool rm cephfs_data_csi_raid6 cephfs_data_csi_raid6 --yes-i-really-really-mean-it
+
+
 ## creating authentication tokens
 
 - this will create a client keyring named media
@@ -58,3 +150,78 @@ this will overwrite the current capabilities of a given client.user
       mon 'allow r' \
       mds 'allow rw path=/' \
       osd 'allow rw pool=media_data'
+
+## adding a new osd on new node
+
+create the ceph conf (automate this?)
+
+    cat <<EOF | sudo tee /etc/ceph/ceph.conf
+    [global]
+      auth_client_required = cephx
+      auth_cluster_required = cephx
+      auth_service_required = cephx
+      fsid = de96a98f-3d23-465a-a899-86d3d67edab8
+      mon_allow_pool_delete = true
+      mon_initial_members = prodnxsr0009,prodnxsr0010,prodnxsr0011,prodnxsr0012,prodnxsr0013
+      mon_host = 198.18.23.9,198.18.23.10,198.18.23.11,198.18.23.12,198.18.23.13
+      ms_bind_ipv4 = true
+      ms_bind_ipv6 = false
+      osd_crush_chooseleaf_type = 1
+      osd_pool_default_min_size = 2
+      osd_pool_default_size = 3
+      osd_pool_default_pg_num = 128
+      public_network = 198.18.23.1/32,198.18.23.2/32,198.18.23.3/32,198.18.23.4/32,198.18.23.5/32,198.18.23.6/32,198.18.23.7/32,198.18.23.8/32,198.18.23.9/32,198.18.23.10/32,198.18.23.11/32,198.18.23.12/32,198.18.23.13/32
+    EOF
+
+ssh to one of the monitor hosts, then transfer the keys required
+
+    sudo cat /etc/ceph/ceph.client.admin.keyring | ssh prodnxsr0003 'sudo tee /etc/ceph/ceph.client.admin.keyring'
+    sudo cat /var/lib/ceph/bootstrap-osd/ceph.keyring | ssh prodnxsr0003 'sudo tee /var/lib/ceph/bootstrap-osd/ceph.keyring'
+
+assuming we are adding /dev/sda to the cluster, first zap the disk to remove partitions/lvm/metadata
+
+    sudo ceph-volume lvm zap /dev/sda --destroy
+
+then add it to the cluster
+
+    sudo ceph-volume lvm create --data /dev/sda
+
+## removing an osd
+
+check what OSD IDs were on this host (if you know it)
+
+    sudo ceph osd tree
+
+or check for any DOWN osds
+
+    sudo ceph osd stat
+    sudo ceph health detail
+
+once you identify the old OSD ID, remove it with these steps, replace X with the actual OSD ID:
+
+    sudo ceph osd out osd.X
+    sudo ceph osd down osd.X
+    sudo ceph osd crush remove osd.X
+    sudo ceph auth del osd.X
+    sudo ceph osd rm osd.X
+
+
+## maintenance mode for the cluster
+
+from one node in the cluster disable recovery
+
+    sudo ceph osd set noout
+    sudo ceph osd set nobackfill
+    sudo ceph osd set norecover
+    sudo ceph osd set norebalance
+    sudo ceph osd set nodown
+    sudo ceph osd set pause
+
+to undo the change, use unset
+
+    sudo ceph osd unset noout
+    sudo ceph osd unset nobackfill
+    sudo ceph osd unset norecover
+    sudo ceph osd unset norebalance
+    sudo ceph osd unset nodown
+    sudo ceph osd unset pause

hieradata/os/AlmaLinux/AlmaLinux8.yaml

@@ -7,17 +7,4 @@ profiles::packages::include:
 
 profiles::yum::global::repos:
   powertools:
-    name: powertools
+    ensure: present
-    descr: powertools repository
-    target: /etc/yum.repos.d/powertools.repo
-    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
-    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
-    mirrorlist: absent
-  unkin:
-    name: unkin
-    descr: unkin repository
-    target: /etc/yum.repos.d/unkin.repo
-    baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
-    gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
-    gpgcheck: false
-    mirrorlist: absent

hieradata/os/AlmaLinux/AlmaLinux9.yaml

@@ -4,17 +4,4 @@ crypto_policies::policy: 'DEFAULT:SHA1'
 
 profiles::yum::global::repos:
   crb:
-    name: crb
+    ensure: present
-    descr: crb repository
-    target: /etc/yum.repos.d/crb.repo
-    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os
-    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
-    mirrorlist: absent
-  unkin:
-    name: unkin
-    descr: unkin repository
-    target: /etc/yum.repos.d/unkin.repo
-    baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
-    gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
-    gpgcheck: false
-    mirrorlist: absent

hieradata/os/AlmaLinux/all_releases.yaml

@@ -23,30 +23,46 @@ profiles::yum::global::repos:
     name: baseos
     descr: baseos repository
     target: /etc/yum.repos.d/baseos.repo
-    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/
     gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
     mirrorlist: absent
   extras:
     name: extras
     descr: extras repository
     target: /etc/yum.repos.d/extras.repo
-    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/
     gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
     mirrorlist: absent
   appstream:
     name: appstream
     descr: appstream repository
     target: /etc/yum.repos.d/appstream.repo
-    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/
     gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
     mirrorlist: absent
   highavailability:
     name: highavailability
     descr: highavailability repository
     target: /etc/yum.repos.d/highavailability.repo
-    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/
     gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
     mirrorlist: absent
+  crb:
+    ensure: absent
+    name: crb
+    descr: crb repository
+    target: /etc/yum.repos.d/crb.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+    mirrorlist: absent
+  powertools:
+    ensure: absent
+    name: powertools
+    descr: powertools repository
+    target: /etc/yum.repos.d/powertools.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+    mirrorlist: absent
   epel:
     name: epel
     descr: epel repository
@@ -62,3 +78,193 @@ profiles::yum::global::repos:
     gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
     gpgcheck: false
     mirrorlist: absent
+
+  # Additional repositories - default to absent, roles can override with ensure: present
+  # FRRouting repositories
+  frr-extras:
+    ensure: absent
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/frr/el%{facts.os.release.major}/extras
+    gpgcheck: false
+    mirrorlist: absent
+  frr-stable:
+    ensure: absent
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/frr/el%{facts.os.release.major}/frr
+    gpgcheck: false
+    mirrorlist: absent
+
+  # PostgreSQL repositories
+  postgresql-15:
+    ensure: absent
+    name: postgresql-15
+    descr: postgresql-15 repository
+    target: /etc/yum.repos.d/postgresql.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/15/redhat/rhel-%{facts.os.release.major}-%{facts.os.architecture}
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/keys/PGDG-RPM-GPG-KEY-RHEL
+  postgresql-17:
+    ensure: absent
+    name: postgresql-17
+    descr: postgresql-17 repository
+    target: /etc/yum.repos.d/postgresql.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/17/redhat/rhel-%{facts.os.release.major}-%{facts.os.architecture}
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/keys/PGDG-RPM-GPG-KEY-RHEL
+  postgresql-common:
+    ensure: absent
+    name: postgresql-common
+    descr: postgresql-common repository
+    target: /etc/yum.repos.d/postgresql.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/common/redhat/rhel-%{facts.os.release.major}-%{facts.os.architecture}
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/keys/PGDG-RPM-GPG-KEY-RHEL
+
+  # Ceph repositories
+  ceph:
+    ensure: absent
+    name: ceph
+    descr: ceph repository
+    target: /etc/yum.repos.d/ceph.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/ceph-reef/el%{facts.os.release.major}/%{facts.os.architecture}
+    gpgcheck: false
+    mirrorlist: absent
+  ceph-noarch:
+    ensure: absent
+    name: ceph-noarch
+    descr: ceph noarch repository
+    target: /etc/yum.repos.d/ceph.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/ceph-reef/el%{facts.os.release.major}/noarch
+    gpgcheck: false
+    mirrorlist: absent
+
+  # Rancher RKE2 repositories
+  rancher-rke2-common-latest:
+    ensure: absent
+    name: rancher-rke2-common
+    descr: rancher-rke2-common repository
+    target: /etc/yum.repos.d/rancher-rke2-common.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/rke2/rke2/latest/common/centos/%{facts.os.release.major}/noarch
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/rke2/public.key
+    gpgcheck: 1
+    mirrorlist: absent
+  rancher-rke2-1-33-latest:
+    ensure: absent
+    name: rancher-rke2-1.33-latest
+    descr: rancher-rke2-1.33-latest repository
+    target: /etc/yum.repos.d/rancher-rke2.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/rke2/rke2/latest/1.33/centos/%{facts.os.release.major}/%{facts.os.architecture}
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/rke2/public.key
+    gpgcheck: 1
+    mirrorlist: absent
+
+  # CentOS repositories for legacy systems
+  centos_8_advanced_virtualization:
+    ensure: absent
+    name: centos_8_advanced_virtualization
+    descr: centos_8_advanced_virtualization repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/virt/x86_64/advanced-virtualization
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Virtualization
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_ceph_pacific:
+    ensure: absent
+    name: centos_8_ceph_pacific
+    descr: centos_8_ceph_pacific repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/storage/x86_64/ceph-pacific
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Storage
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_rabbitmq_38:
+    ensure: absent
+    name: centos_8_rabbitmq_38
+    descr: centos_8_rabbitmq_38 repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/messaging/x86_64/rabbitmq-38
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Messaging
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_nfv_openvswitch:
+    ensure: absent
+    name: centos_8_nfv_openvswitch
+    descr: centos_8_nfv_openvswitch repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/nfv/x86_64/openvswitch-2
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-NFV
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_openstack_xena:
+    ensure: absent
+    name: centos_8_openstack_xena
+    descr: centos_8_openstack_xena repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/cloud/x86_64/openstack-xena
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Cloud
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_opstools:
+    ensure: absent
+    name: centos_8_opstools
+    descr: centos_8_opstools repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/opstools/x86_64/collectd-5
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-OpsTools
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_ovirt45:
+    ensure: absent
+    name: centos_8_ovirt45
+    descr: centos_8_ovirt45 repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/virt/x86_64/ovirt-45
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Virtualization
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_stream_gluster10:
+    ensure: absent
+    name: centos_8_stream_gluster10
+    descr: centos_8_stream_gluster10 repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Storage
+    gpgcheck: 1
+    mirrorlist: absent
+
+  # Additional repositories
+  zfs-kmod:
+    ensure: absent
+    name: zfs-kmod
+    descr: zfs-kmod repository
+    target: /etc/yum.repos.d/zfs.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/zfs/epel/%{facts.os.release.major}/kmod/%{facts.os.architecture}/
+    gpgcheck: false
+    mirrorlist: absent
+  rpmfusion-free:
+    ensure: absent
+    name: rpmfusion-free
+    descr: rpmfusion-free repository
+    target: /etc/yum.repos.d/rpmfusion-free.repo
+    baseurl: https://packagerepo.service.consul/rpmfusion-free-el%{facts.os.release.major}-%{facts.os.architecture}/
+    gpgkey: https://packagerepo.service.consul/rpmfusion-free-el%{facts.os.release.major}-%{facts.os.architecture}/repodata/repomd.xml.key
+    gpgcheck: 1
+    mirrorlist: absent
+  rpmfusion-nonfree:
+    ensure: absent
+    name: rpmfusion-nonfree
+    descr: rpmfusion-nonfree repository
+    target: /etc/yum.repos.d/rpmfusion-nonfree.repo
+    baseurl: https://packagerepo.service.consul/rpmfusion-nonfree-el%{facts.os.release.major}-%{facts.os.architecture}/
+    gpgkey: https://packagerepo.service.consul/rpmfusion-nonfree-el%{facts.os.release.major}-%{facts.os.architecture}/repodata/repomd.xml.key
+    gpgcheck: 1
+    mirrorlist: absent
+  unkin:
+    name: unkin
+    descr: unkin repository
+    target: /etc/yum.repos.d/unkin.repo
+    baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el%{facts.os.release.major}
+    gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
+    gpgcheck: false
+    mirrorlist: absent

hieradata/roles/apps/media.yaml

@@ -3,13 +3,8 @@ hiera_include:
   - profiles::nginx::simpleproxy
 
 profiles::yum::global::repos:
-  ceph-reef:
+  ceph:
-    name: ceph-reef
+    ensure: present
-    descr: ceph reef repository
-    target: /etc/yum.repos.d/ceph-reef.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgcheck: 0,
-    mirrorlist: absent
 
 profiles::ceph::client::keyrings:
   media:

hieradata/roles/apps/media/jellyfin.yaml

@@ -54,24 +54,8 @@ profiles::consul::client::node_rules:
 
 profiles::yum::global::repos:
   rpmfusion-free:
-    name: rpmfusion-free
+    ensure: present
-    descr: rpmfusion-free repository
-    target: /etc/yum.repos.d/rpmfusion.repo
-    baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
-    mirrorlist: absent
   rpmfusion-nonfree:
-    name: rpmfusion-nonfree
+    ensure: present
-    descr: rpmfusion-nonfree repository
-    target: /etc/yum.repos.d/rpmfusion.repo
-    baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
-    mirrorlist: absent
   unkinben:
-    name: unkinben
+    ensure: present
-    descr: unkinben repository
-    target: /etc/yum.repos.d/unkin.repo
-    baseurl: https://git.query.consul/api/packages/unkinben/rpm/el8
-    gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
-    gpgcheck: false
-    mirrorlist: absent

hieradata/roles/apps/media/nzbget.yaml

@@ -72,16 +72,6 @@ profiles::consul::client::node_rules:
 
 profiles::yum::global::repos:
   rpmfusion-free:
-    name: rpmfusion-free
+    ensure: present
-    descr: rpmfusion-free repository
-    target: /etc/yum.repos.d/rpmfusion.repo
-    baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
-    mirrorlist: absent
   rpmfusion-nonfree:
-    name: rpmfusion-nonfree
+    ensure: present
-    descr: rpmfusion-nonfree repository
-    target: /etc/yum.repos.d/rpmfusion.repo
-    baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
-    mirrorlist: absent

hieradata/roles/ceph.yaml

@@ -31,30 +31,10 @@ frrouting::daemons:
 # additional repos
 profiles::yum::global::repos:
   ceph:
-    name: ceph
+    ensure: present
-    descr: ceph repository
-    target: /etc/yum.repos.d/ceph.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
   ceph-noarch:
-    name: ceph-noarch
+    ensure: present
-    descr: ceph-noarch repository
-    target: /etc/yum.repos.d/ceph-noarch.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent

hieradata/roles/infra/auth/glauth.yaml

@@ -66,6 +66,9 @@ glauth::users:
       - 20025   # jupyterhub_admin
       - 20026   # jupyterhub_user
       - 20027   # grafana_user
+      - 20028   # k8s/au/syd1 operator
+      - 20029   # k8s/au/syd1 admin
+      - 20030   # k8s/au/syd1 root
     loginshell: '/bin/bash'
     homedir: '/home/benvin'
     passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -223,6 +226,24 @@ glauth::users:
     loginshell: '/bin/bash'
     homedir: '/home/debvin'
     passsha256: 'cdac05ddb02e665d4ea65a974995f38a10236bc158731d92d78f6cde89b294a1'
+  jassol:
+    user_name: 'jassol'
+    givenname: 'Jason'
+    sn: 'Solomon'
+    mail: 'jassol@users.main.unkin.net'
+    uidnumber: 20010
+    primarygroup: 20000
+    othergroups:
+      - 20010 # jelly
+      - 20011 # sonarr
+      - 20012 # radarr
+      - 20013 # lidarr
+      - 20014 # readarr
+      - 20016 # nzbget
+      - 20027 # grafana user
+    loginshell: '/bin/bash'
+    homedir: '/home/jassol'
+    passsha256: 'd8e215d3c94b954e1318c9c7243ce72713f2fb1d006037724fe857c1fb7e88e9'
 
 glauth::services:
   svc_jellyfin:
@@ -367,3 +388,12 @@ glauth::groups:
   grafana_user:
     group_name: 'grafana_user'
     gidnumber: 20027
+  kubernetes_au_syd1_cluster_operator:
+    group_name: 'kubernetes_au_syd1_cluster_operator'
+    gidnumber: 20028
+  kubernetes_au_syd1_cluster_admin:
+    group_name: 'kubernetes_au_syd1_cluster_admin'
+    gidnumber: 20029
+  kubernetes_au_syd1_cluster_root:
+    group_name: 'kubernetes_au_syd1_cluster_root'
+    gidnumber: 20030

hieradata/roles/infra/ceph/rgw.yaml

@@ -18,19 +18,9 @@ profiles::pki::vault::alt_names:
 # additional repos
 profiles::yum::global::repos:
   ceph:
-    name: ceph
+    ensure: present
-    descr: ceph repository
-    target: /etc/yum.repos.d/ceph.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
   ceph-noarch:
-    name: ceph-noarch
+    ensure: present
-    descr: ceph-noarch repository
-    target: /etc/yum.repos.d/ceph-noarch.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
 
 # manage a simple nginx reverse proxy
 profiles::nginx::simpleproxy::nginx_vhost: 'radosgw.service.consul'

hieradata/roles/infra/cobbler/server.yaml

@@ -57,19 +57,9 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el%{facts.os.release.major}/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el%{facts.os.release.major}/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el%{facts.os.release.major}/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el%{facts.os.release.major}/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
 
 # cobbler settings
 profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'

hieradata/roles/infra/dhcp/server.yaml

@@ -41,19 +41,9 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
 
 profiles::dhcp::server::ntpservers:
   - 0.au.pool.ntp.org

hieradata/roles/infra/dns/externaldns.yaml

@@ -50,16 +50,6 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent

hieradata/roles/infra/dns/master.yaml

@@ -200,16 +200,6 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent

hieradata/roles/infra/dns/resolver.yaml

@@ -261,16 +261,6 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent

hieradata/roles/infra/halb/haproxy2.yaml

@@ -35,19 +35,9 @@ frrouting::daemons:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
 
 # haproxy metrics
 consul::services:

hieradata/roles/infra/incus/node.yaml

@@ -85,40 +85,15 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   ceph:
-    name: ceph
+    ensure: present
-    descr: ceph repository
-    target: /etc/yum.repos.d/ceph.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
   ceph-noarch:
-    name: ceph-noarch
+    ensure: present
-    descr: ceph-noarch repository
-    target: /etc/yum.repos.d/ceph-noarch.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   zfs-kmod:
-    name: zfs-kmod
+    ensure: present
-    descr: zfs-kmod repository
-    target: /etc/yum.repos.d/zfs-kmod.repo
-    baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
-    mirrorlist: absent
 
 # dns
 profiles::dns::base::primary_interface: loopback0

hieradata/roles/infra/k8s.yaml

@@ -47,47 +47,17 @@ profiles::ceph::client::mons:
 # additional repos
 profiles::yum::global::repos:
   ceph:
-    name: ceph
+    ensure: present
-    descr: ceph repository
-    target: /etc/yum.repos.d/ceph.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
   ceph-noarch:
-    name: ceph-noarch
+    ensure: present
-    descr: ceph-noarch repository
-    target: /etc/yum.repos.d/ceph-noarch.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   rancher-rke2-common-latest:
-    name: rancher-rke2-common-latest
+    ensure: present
-    descr: rancher-rke2-common-latest
-    target: /etc/yum.repos.d/rke2-common.repo
-    baseurl: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/common-daily/x86_64/os/
-    gpgkey: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/common-daily/x86_64/os/public.key
-    mirrorlist: absent
   rancher-rke2-1-33-latest:
-    name: rancher-rke2-1-33-latest
+    ensure: present
-    descr: rancher-rke2-1-33-latest
-    target: /etc/yum.repos.d/rke2-1-33.repo
-    baseurl: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/1.33-daily/x86_64/os/
-    gpgkey: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/1.33-daily/x86_64/os/public.key
-    mirrorlist: absent
 
 # dns
 profiles::dns::base::primary_interface: loopback0

hieradata/roles/infra/k8s/control.yaml

@@ -3,9 +3,6 @@
 rke2::node_type: server
 rke2::helm_install: true
 rke2::helm_repos:
-  rancher-stable: https://releases.rancher.com/server-charts/stable
-  purelb: https://gitlab.com/api/v4/projects/20400619/packages/helm/stable
-  jetstack: https://charts.jetstack.io
   harbor: https://helm.goharbor.io
   traefik: https://traefik.github.io/charts
   hashicorp: https://helm.releases.hashicorp.com
@@ -58,6 +55,12 @@ consul::services:
         tcp: "%{hiera('networking_loopback0_ip')}:9345"
         interval: '10s'
         timeout: '1s'
+      - id: 'rke2_server_ping_check'
+        name: 'rke2 Server Ping Check'
+        http: "https://%{hiera('networking_loopback0_ip')}:9345/ping"
+        interval: '10s'
+        timeout: '3s'
+        tls_skip_verify: true
 profiles::consul::client::node_rules:
   - resource: service
     segment: api-k8s

hieradata/roles/infra/k8s/node.yaml

@@ -47,47 +47,17 @@ profiles::ceph::client::mons:
 # additional repos
 profiles::yum::global::repos:
   ceph:
-    name: ceph
+    ensure: present
-    descr: ceph repository
-    target: /etc/yum.repos.d/ceph.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
   ceph-noarch:
-    name: ceph-noarch
+    ensure: present
-    descr: ceph-noarch repository
-    target: /etc/yum.repos.d/ceph-noarch.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   rancher-rke2-common-latest:
-    name: rancher-rke2-common-latest
+    ensure: present
-    descr: rancher-rke2-common-latest
-    target: /etc/yum.repos.d/rke2-common.repo
-    baseurl: https://rpm.rancher.io/rke2/latest/common/centos/%{facts.os.release.major}/noarch
-    gpgkey: https://rpm.rancher.io/public.key
-    mirrorlist: absent
   rancher-rke2-1-33-latest:
-    name: rancher-rke2-1-33-latest
+    ensure: present
-    descr: rancher-rke2-1-33-latest
-    target: /etc/yum.repos.d/rke2-1-33.repo
-    baseurl: https://rpm.rancher.io/rke2/latest/1.33/centos/%{facts.os.release.major}/x86_64
-    gpgkey: https://rpm.rancher.io/public.key
-    mirrorlist: absent
 
 # dns
 profiles::dns::base::primary_interface: loopback0

hieradata/roles/infra/nomad/agent.yaml

@@ -24,13 +24,8 @@ frrouting::ospfd_interfaces:
     area: 0.0.0.1
 
 profiles::yum::global::repos:
-  ceph-reef:
+  ceph:
-    name: ceph-reef
+    ensure: present
-    descr: ceph reef repository
-    target: /etc/yum.repos.d/ceph-reef.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgcheck: 0,
-    mirrorlist: absent
 
 profiles::ceph::client::keyrings:
   nomad:

hieradata/roles/infra/ovirt/engine.yaml

@@ -1,50 +1,18 @@
 ---
 profiles::yum::global::repos:
   centos_8_advanced_virtualization:
-    name: 'virt-advanced-virtualization'
+    ensure: present
-    descr: 'CentOS Advanced Virtualization'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
   centos_8_ceph_pacific:
-    name: 'storage-ceph-pacific'
+    ensure: present
-    descr: 'CentOS Ceph Pacific'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
   centos_8_rabbitmq_38:
-    name: 'messaging-rabbitmq-38'
+    ensure: present
-    descr: 'CentOS RabbitMQ 38'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
   centos_8_nfv_openvswitch:
-    name: 'nfv-openvswitch-2'
+    ensure: present
-    descr: 'CentOS NFV OpenvSwitch'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
   centos_8_openstack_xena:
-    name: 'cloud-openstack-xena'
+    ensure: present
-    descr: 'CentOS OpenStack Xena'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
   centos_8_opstools:
-    name: 'opstools-collectd-5'
+    ensure: present
-    descr: 'CentOS OpsTools - collectd'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
   centos_8_ovirt45:
-    name: 'virt-ovirt-45'
+    ensure: present
-    descr: 'CentOS oVirt 4.5'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
   centos_8_stream_gluster10:
-    name: 'storage-gluster-10'
+    ensure: present
-    descr: 'CentOS oVirt 4.5 - Glusterfs 10'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'

hieradata/roles/infra/ovirt/node.yaml

@@ -9,50 +9,18 @@ sudo::purge_ignore:
 
 profiles::yum::global::repos:
   centos_8_advanced_virtualization:
-    name: 'virt-advanced-virtualization'
+    ensure: present
-    descr: 'CentOS Advanced Virtualization'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
   centos_8_ceph_pacific:
-    name: 'storage-ceph-pacific'
+    ensure: present
-    descr: 'CentOS Ceph Pacific'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
   centos_8_rabbitmq_38:
-    name: 'messaging-rabbitmq-38'
+    ensure: present
-    descr: 'CentOS RabbitMQ 38'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
   centos_8_nfv_openvswitch:
-    name: 'nfv-openvswitch-2'
+    ensure: present
-    descr: 'CentOS NFV OpenvSwitch'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
   centos_8_openstack_xena:
-    name: 'cloud-openstack-xena'
+    ensure: present
-    descr: 'CentOS OpenStack Xena'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
   centos_8_opstools:
-    name: 'opstools-collectd-5'
+    ensure: present
-    descr: 'CentOS OpsTools - collectd'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
   centos_8_ovirt45:
-    name: 'virt-ovirt-45'
+    ensure: present
-    descr: 'CentOS oVirt 4.5'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
   centos_8_stream_gluster10:
-    name: 'storage-gluster-10'
+    ensure: present
-    descr: 'CentOS oVirt 4.5 - Glusterfs 10'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'

hieradata/roles/infra/puppetdb/sql.yaml

@@ -62,14 +62,6 @@ profiles::consul::client::node_rules:
 
 profiles::yum::global::repos:
   postgresql-17:
-    name: postgresql-17
+    ensure: present
-    descr: postgresql-17 repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/17-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/17-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
   postgresql-common:
-    name: postgresql-common
+    ensure: present
-    descr: postgresql-common repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL

hieradata/roles/infra/reposync/syncer.yaml

@@ -3,125 +3,6 @@ profiles::packages::include:
   createrepo: {}
 
 profiles::reposync::repos_list:
-  almalinux_9.7_baseos:
-    repository: 'baseos'
-    description: 'AlmaLinux 9.7 BaseOS'
-    osname: 'almalinux'
-    release: '9.7'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/baseos'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.7_appstream:
-    repository: 'appstream'
-    description: 'AlmaLinux 9.7 AppStream'
-    osname: 'almalinux'
-    release: '9.7'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/appstream'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.7_crb:
-    repository: 'crb'
-    description: 'AlmaLinux 9.7 CRB'
-    osname: 'almalinux'
-    release: '9.7'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/crb'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.7_ha:
-    repository: 'ha'
-    description: 'AlmaLinux 9.7 HighAvailability'
-    osname: 'almalinux'
-    release: '9.7'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/highavailability'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.7_extras:
-    repository: 'extras'
-    description: 'AlmaLinux 9.7 extras'
-    osname: 'almalinux'
-    release: '9.7'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/extras'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.6_baseos:
-    repository: 'baseos'
-    description: 'AlmaLinux 9.6 BaseOS'
-    osname: 'almalinux'
-    release: '9.6'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/baseos'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.6_appstream:
-    repository: 'appstream'
-    description: 'AlmaLinux 9.6 AppStream'
-    osname: 'almalinux'
-    release: '9.6'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/appstream'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.6_crb:
-    repository: 'crb'
-    description: 'AlmaLinux 9.6 CRB'
-    osname: 'almalinux'
-    release: '9.6'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/crb'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.6_ha:
-    repository: 'ha'
-    description: 'AlmaLinux 9.6 HighAvailability'
-    osname: 'almalinux'
-    release: '9.6'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/highavailability'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.6_extras:
-    repository: 'extras'
-    description: 'AlmaLinux 9.6 extras'
-    osname: 'almalinux'
-    release: '9.6'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/extras'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9_5_baseos:
-    repository: 'baseos'
-    description: 'AlmaLinux 9.5 BaseOS'
-    osname: 'almalinux'
-    release: '9.5'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9_5_appstream:
-    repository: 'appstream'
-    description: 'AlmaLinux 9.5 AppStream'
-    osname: 'almalinux'
-    release: '9.5'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9_5_crb:
-    repository: 'crb'
-    description: 'AlmaLinux 9.5 CRB'
-    osname: 'almalinux'
-    release: '9.5'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9_5_ha:
-    repository: 'ha'
-    description: 'AlmaLinux 9.5 HighAvailability'
-    osname: 'almalinux'
-    release: '9.5'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9_5_extras:
-    repository: 'extras'
-    description: 'AlmaLinux 9.5 extras'
-    osname: 'almalinux'
-    release: '9.5'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  epel_8:
-    repository: 'everything'
-    description: 'EPEL8'
-    osname: 'epel'
-    release: '8'
-    mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
-    gpgkey: 'https://epel.mirror.digitalpacific.com.au/RPM-GPG-KEY-EPEL-8'
-  epel_9:
-    repository: 'everything'
-    description: 'EPEL9'
-    osname: 'epel'
-    release: '9'
-    mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-9&arch=x86_64'
-    gpgkey: 'https://epel.mirror.digitalpacific.com.au/RPM-GPG-KEY-EPEL-9'
   docker_stable_el8:
     repository: 'stable'
     description: 'Docker CE Stable EL8'
@@ -136,34 +17,6 @@ profiles::reposync::repos_list:
     release: 'el9'
     baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
     gpgkey: 'https://download.docker.com/linux/centos/gpg'
-  frr_stable_el8:
-    repository: 'stable'
-    description: 'FRR Stable EL8'
-    osname: 'frr'
-    release: 'el8'
-    baseurl: 'https://rpm.frrouting.org/repo/el8/frr/'
-    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
-  frr_extras_el8:
-    repository: 'extras'
-    description: 'FRR Extras EL8'
-    osname: 'frr'
-    release: 'el8'
-    baseurl: 'https://rpm.frrouting.org/repo/el8/extras/'
-    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
-  frr_stable_el9:
-    repository: 'stable'
-    description: 'FRR Stable EL9'
-    osname: 'frr'
-    release: 'el9'
-    baseurl: 'https://rpm.frrouting.org/repo/el9/frr/'
-    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
-  frr_extras_el9:
-    repository: 'extras'
-    description: 'FRR Extras el9'
-    osname: 'frr'
-    release: 'el9'
-    baseurl: 'https://rpm.frrouting.org/repo/el9/extras/'
-    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
   k8s_1.32:
     repository: '1.32'
     description: 'Kubernetes 1.32'
@@ -178,62 +31,6 @@ profiles::reposync::repos_list:
     release: '1.33'
     baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/'
     gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/repodata/repomd.xml.key'
-  mariadb_11_8_el8:
-    repository: 'el8'
-    description: 'MariaDB 11.8'
-    osname: 'mariadb'
-    release: '11.8'
-    baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.8/rhel8-amd64/'
-    gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB'
-  mariadb_11_8_el9:
-    repository: 'el9'
-    description: 'MariaDB 11.8'
-    osname: 'mariadb'
-    release: '11.8'
-    baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.8/rhel9-amd64/'
-    gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB'
-  openvox7_el8:
-    repository: '8'
-    description: 'openvox 7 EL8'
-    osname: 'openvox7'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox7/el/8/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
-  openvox7_el9:
-    repository: '9'
-    description: 'openvox 7 EL9'
-    osname: 'openvox7'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox7/el/9/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
-  openvox7_el10:
-    repository: '10'
-    description: 'openvox 7 EL10'
-    osname: 'openvox7'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox7/el/10/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
-  openvox8_el8:
-    repository: '8'
-    description: 'openvox 8 EL8'
-    osname: 'openvox8'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox8/el/8/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
-  openvox8_el9:
-    repository: '9'
-    description: 'openvox 8 EL9'
-    osname: 'openvox8'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox8/el/9/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
-  openvox8_el10:
-    repository: '10'
-    description: 'openvox 8 EL10'
-    osname: 'openvox8'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox8/el/10/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
   puppet7_el8:
     repository: '8'
     description: 'Puppet 7 EL8'
@@ -262,76 +59,6 @@ profiles::reposync::repos_list:
     release: 'el'
     baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/'
     gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
-  postgresql_rhel8_common:
-    repository: 'common'
-    description: 'PostgreSQL Common RHEL 8'
-    osname: 'postgresql'
-    release: 'rhel8'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel9_common:
-    repository: 'common'
-    description: 'PostgreSQL Common RHEL 9'
-    osname: 'postgresql'
-    release: 'rhel9'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel8_15:
-    repository: '15'
-    description: 'PostgreSQL 15 RHEL 8'
-    osname: 'postgresql'
-    release: 'rhel8'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-8-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel9_15:
-    repository: '15'
-    description: 'PostgreSQL 15 RHEL 9'
-    osname: 'postgresql'
-    release: 'rhel9'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-9-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel8_16:
-    repository: '16'
-    description: 'PostgreSQL 16 RHEL 8'
-    osname: 'postgresql'
-    release: 'rhel8'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel9_16:
-    repository: '16'
-    description: 'PostgreSQL 16 RHEL 9'
-    osname: 'postgresql'
-    release: 'rhel9'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel8_17:
-    repository: '17'
-    description: 'PostgreSQL 17 RHEL 8'
-    osname: 'postgresql'
-    release: 'rhel8'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-8-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel9_17:
-    repository: '17'
-    description: 'PostgreSQL 17 RHEL 9'
-    osname: 'postgresql'
-    release: 'rhel9'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-9-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  rke2_common_el9:
-    repository: 'common'
-    description: 'RKE2 common RHEL 9'
-    osname: 'rke2'
-    release: "rhel9"
-    baseurl: "https://rpm.rancher.io/rke2/latest/common/centos/9/noarch"
-    gpgkey: "https://rpm.rancher.io/public.key"
-  rke2_1_33_el9:
-    repository: '1.33'
-    description: 'RKE2 1.33 RHEL 9'
-    osname: 'rke2'
-    release: "rhel9"
-    baseurl: "https://rpm.rancher.io/rke2/latest/1.33/centos/9/x86_64"
-    gpgkey: "https://rpm.rancher.io/public.key"
   zfs_dkms_rhel8:
     repository: 'dkms'
     description: 'ZFS DKMS RHEL 8'

hieradata/roles/infra/sql/patroni.yaml

@@ -1,17 +1,9 @@
 ---
 profiles::yum::global::repos:
   postgresql-15:
-    name: postgresql-15
+    ensure: present
-    descr: postgresql-15 repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
   postgresql-common:
-    name: postgresql-common
+    ensure: present
-    descr: postgresql-common repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
 
 profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
 profiles::sql::patroni::postgres_exporter_enabled: true

hieradata/roles/infra/sql/shared.yaml

@@ -47,14 +47,6 @@ profiles::consul::client::node_rules:
 
 profiles::yum::global::repos:
   postgresql-17:
-    name: postgresql-17
+    ensure: present
-    descr: postgresql-17 repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/17-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/17-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
   postgresql-common:
-    name: postgresql-common
+    ensure: present
-    descr: postgresql-common repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL

hieradata/roles/infra/storage/consul.yaml

@@ -29,6 +29,7 @@ profiles::consul::server::acl:
 profiles::pki::vault::alt_names:
   - consul.main.unkin.net
   - consul.service.consul
+  - "consul.service.%{facts.country}-%{facts.region}.consul"
   - consul
 
 # manage a simple nginx reverse proxy
@@ -38,6 +39,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
   - consul.main.unkin.net
 profiles::nginx::simpleproxy::proxy_port: 8500
 profiles::nginx::simpleproxy::proxy_path: '/'
+nginx::client_max_body_size: 512M
 
 # consul
 profiles::consul::client::node_rules:
@@ -134,19 +136,9 @@ frrouting::ospfd_interfaces:
 frrouting::daemons:
   ospfd: true
 
-# additional repos
+# additional repos - enable needed repositories
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
+    ensure: present
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
   frr-stable:
-    name: frr-stable
+    ensure: present
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent

hieradata/roles/infra/storage/vault.yaml

@@ -2,10 +2,12 @@
 profiles::vault::server::members_role: roles::infra::storage::vault
 profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
+profiles::vault::server::plugin_dir: /opt/openbao-plugins
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
-vault::package_name: openbao
+profiles::vault::server::package_name: openbao
-vault::package_ensure: latest
+profiles::vault::server::package_ensure: 2.4.4
+profiles::vault::server::disable_openbao: false
 
 # additional altnames
 profiles::pki::vault::alt_names:
@@ -23,3 +25,6 @@ profiles::nginx::simpleproxy::proxy_scheme: 'http'
 profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
 profiles::nginx::simpleproxy::proxy_port: 8200
 profiles::nginx::simpleproxy::proxy_path: '/'
+
+profiles::packages::include:
+  openbao-plugins: {}

modules/rke2/files/ingress-route-rancher.yaml

@@ -1,23 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: rancher
-  namespace: cattle-system
-  annotations:
-    kubernetes.io/ingress.class: nginx
-spec:
-  tls:
-    - hosts: [rancher.main.unkin.net]
-      secretName: tls-rancher
-  rules:
-    - host: rancher.main.unkin.net
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: rancher
-                port:
-                  number: 80

modules/rke2/files/purelb-config.yaml

@@ -1,45 +0,0 @@
-apiVersion: purelb.io/v1
-kind: LBNodeAgent
-metadata:
-  name: common
-  namespace: purelb
-spec:
-  local:
-    extlbint: kube-lb0
-    localint: default
-    sendgarp: false
----
-apiVersion: purelb.io/v1
-kind: LBNodeAgent
-metadata:
-  name: dmz
-  namespace: purelb
-spec:
-  local:
-    extlbint: kube-lb0
-    localint: default
-    sendgarp: false
----
-apiVersion: purelb.io/v1
-kind: ServiceGroup
-metadata:
-  name: dmz
-  namespace: purelb
-spec:
-  local:
-    v4pools:
-      - subnet: 198.18.199.0/24
-        pool: 198.18.199.0/24
-        aggregation: /32
----
-apiVersion: purelb.io/v1
-kind: ServiceGroup
-metadata:
-  name: common
-  namespace: purelb
-spec:
-  local:
-    v4pools:
-      - subnet: 198.18.200.0/24
-        pool: 198.18.200.0/24
-        aggregation: /32

modules/rke2/manifests/config.pp

@@ -68,30 +68,6 @@ class rke2::config (
   # on the controller nodes only
   if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
 
-    # wait for purelb helm to setup namespace
-    if 'purelb' in $facts['k8s_namespaces'] {
-      file {'/var/lib/rancher/rke2/server/manifests/purelb-config.yaml':
-        ensure  => file,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0644',
-        source  => 'puppet:///modules/rke2/purelb-config.yaml',
-        require => Service['rke2-server'],
-      }
-    }
-
-    # wait for rancher helm to setup namespace
-    if 'cattle-system' in $facts['k8s_namespaces'] {
-      file {'/var/lib/rancher/rke2/server/manifests/ingress-route-rancher.yaml':
-        ensure  => file,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0644',
-        source  => 'puppet:///modules/rke2/ingress-route-rancher.yaml',
-        require => Service['rke2-server'],
-      }
-    }
-
     # manage extra config config (these are not dependent on helm)
     $extra_config_files.each |$file| {
 

modules/rke2/manifests/helm.pp

@@ -38,44 +38,6 @@ class rke2::helm (
           }
         }
       }
-
-      # install specific helm charts to bootstrap environment
-      $plb_cmd = 'helm install purelb purelb/purelb \
-                  --create-namespace \
-                  --namespace=purelb \
-                  --repository-config /etc/helm/repositories.yaml'
-      exec { 'install_purelb':
-        command     => $plb_cmd,
-        path        => ['/usr/bin', '/bin'],
-        environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
-        unless      => 'helm list -n purelb | grep -q ^purelb',
-      }
-
-      $cm_cmd = 'helm install cert-manager jetstack/cert-manager \
-                  --namespace cert-manager \
-                  --create-namespace \
-                  --set crds.enabled=true \
-                  --repository-config /etc/helm/repositories.yaml'
-      exec { 'install_cert_manager':
-        command     => $cm_cmd,
-        path        => ['/usr/bin', '/bin'],
-        environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
-        unless      => 'helm list -n cert-manager | grep -q ^cert-manager',
-      }
-
-      $r_cmd = 'helm install rancher rancher-stable/rancher \
-                  --namespace cattle-system \
-                  --create-namespace \
-                  --set hostname=rancher.main.unkin.net \
-                  --set bootstrapPassword=admin \
-                  --set ingress.tls.source=secret \
-                  --repository-config /etc/helm/repositories.yaml'
-      exec { 'install_rancher':
-        command     => $r_cmd,
-        path        => ['/usr/bin', '/bin'],
-        environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
-        unless      => 'helm list -n cattle-system | grep -q ^rancher',
-      }
     }
   }
 }

modules/rke2/manifests/install.pp

@@ -30,7 +30,7 @@ class rke2::install (
   # download required archive of containers
   archive { '/var/lib/rancher/rke2/agent/images/rke2-images.linux-amd64.tar.zst':
     ensure  => present,
-    source  => "https://github.com/rancher/rke2/releases/download/v${rke2_version}%2B${rke2_release}/rke2-images.linux-amd64.tar.zst",
+    source  => "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/rancher/rke2/releases/download/v${rke2_version}%2B${rke2_release}/rke2-images.linux-amd64.tar.zst",
     require => [
       Package["rke2-${node_type}"],
       File['/var/lib/rancher/rke2/agent/images'],

site/profiles/manifests/puppet/agent.pp

@@ -20,9 +20,9 @@ class profiles::puppet::agent (
   if $openvox_enable and $facts['os']['family'] == 'RedHat' {
     yumrepo { 'openvox':
       ensure  => 'present',
-      baseurl => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/",
+      baseurl => "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/openvox/openvox7/el/${facts['os']['release']['major']}/${facts['os']['architecture']}/",
       descr   => 'openvox repository',
-      gpgkey  => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/GPG-KEY-openvox.pub",
+      gpgkey  => 'https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/openvox/GPG-KEY-openvox.pub',
       notify  => Exec['dnf_makecache'],
     }
   }else{

site/profiles/manifests/puppet/client.pp

@@ -13,6 +13,8 @@ class profiles::puppet::client (
   Boolean $show_diff          = true,
   Boolean $usecacheonfailure  = false,
   Integer $facts_soft_limit   = 4096,
+  Boolean $splay              = true,
+  Integer $splaylimit         = 600,
 ) {
 
   # dont manage puppet.conf if this is a puppetmaster

site/profiles/manifests/vault/server.pp

@@ -6,11 +6,15 @@ class profiles::vault::server (
     Undef
   ]         $members_role   = undef,
   Array     $vault_servers  = [],
+  String        $package_name       = 'vault',
+  String        $package_ensure     = 'latest',
+  Boolean       $disable_openbao    = true,
   Boolean       $tls_disable        = false,
   Stdlib::Port  $client_port        = 8200,
   Stdlib::Port  $cluster_port       = 8201,
   Boolean   $manage_storage_dir     = false,
   Stdlib::Absolutepath $data_dir    = '/opt/vault',
+  Stdlib::Absolutepath $plugin_dir  = '/opt/vault_plugins',
   Stdlib::Absolutepath $bin_dir     = '/usr/bin',
   Stdlib::Absolutepath $ssl_crt     = '/etc/pki/tls/vault/certificate.crt',
   Stdlib::Absolutepath $ssl_key     = '/etc/pki/tls/vault/private.key',
@@ -51,7 +55,33 @@ class profiles::vault::server (
       }
     }
 
+    # cleanup openbao?
+    if $disable_openbao {
+      package {'openbao':
+        ensure => absent,
+        before => Class['vault']
+      }
+      package {'openbao-vault-compat':
+        ensure => absent,
+        before => [
+          Class['vault'],
+          Package['openbao']
+        ]
+      }
+    }
+
+    # add versionlock for package_name?
+    if $package_ensure != 'latest' {
+      yum::versionlock{$package_name:
+        ensure  => present,
+        version => $package_ensure,
+        before  => Class['vault']
+      }
+    }
+
     class { 'vault':
+      package_name       => $package_name,
+      package_ensure     => $package_ensure,
       manage_service     => false,
       manage_storage_dir => $manage_storage_dir,
       enable_ui          => true,
@@ -64,7 +94,8 @@ class profiles::vault::server (
       },
       api_addr           => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
       extra_config       => {
-        cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+        cluster_addr     => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+        plugin_directory => $plugin_dir,
       },
       listener           => [
         {

site/profiles/manifests/yum/global.pp

@@ -32,11 +32,14 @@ class profiles::yum::global (
       $key_url = $repo['gpgkey']
       $key_file = "/etc/pki/rpm-gpg/${name}-gpg-key"
 
-      exec { "download_gpg_key_${name}":
+      # only download the key if the repo is present
-        command => "curl -s -o ${key_file} ${key_url} && rpm --import ${key_file}",
+      if $repo['ensure'] == 'present' {
-        path    => ['/bin', 'usr/bin'],
+        exec { "download_gpg_key_${name}":
-        creates => $key_file,
+          command => "curl -s -o ${key_file} ${key_url} && rpm --import ${key_file}",
-        before  => Yumrepo[$name],
+          path    => ['/bin', 'usr/bin'],
+          creates => $key_file,
+          before  => Yumrepo[$name],
+        }
       }
     }
     # create the repo

site/profiles/templates/puppet/client/puppet.conf.erb

@@ -12,3 +12,5 @@ runtimeout = <%= @runtimeout %>
 show_diff = <%= @show_diff %>
 usecacheonfailure = <%= @usecacheonfailure %>
 number_of_facts_soft_limit = <%= @facts_soft_limit %>
+splay = <%= @splay %>
+splaylimit = <%= @splaylimit %>