1 Commits

Author SHA1 Message Date
unkinben 4ef99b4573 fix: helm before rke2 managed manifests
Build / precommit (pull_request) Successful in 5m15s
- add fact to list namespaces
- require namespace before adding additional config
- renamed some files to better match what they are
2025-09-20 23:49:10 +10:00
62 changed files with 691 additions and 1176 deletions
-1
View File
@@ -1 +0,0 @@
sources/
-4
View File
@@ -19,7 +19,6 @@ mod 'puppetlabs-haproxy', '8.2.0'
mod 'puppetlabs-java', '11.1.0'
mod 'puppetlabs-reboot', '5.1.0'
mod 'puppetlabs-docker', '10.2.0'
mod 'puppetlabs-mailalias_core', '1.2.0'
# puppet
mod 'puppet-python', '7.4.0'
@@ -44,8 +43,6 @@ mod 'puppet-letsencrypt', '11.1.0'
mod 'puppet-rundeck', '9.2.0'
mod 'puppet-redis', '11.1.0'
mod 'puppet-nodejs', '11.0.0'
mod 'puppet-postfix', '5.1.0'
mod 'puppet-alternatives', '6.0.0'
# other
mod 'saz-sudo', '9.0.2'
@@ -63,7 +60,6 @@ mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'ssm-crypto_policies', '0.3.3'
mod 'thias-sysctl', '1.0.8'
mod 'cirrax-dovecot', '1.3.3'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
+3 -9
View File
@@ -158,15 +158,6 @@ lookup_options:
rke2::config_hash:
merge:
strategy: deep
postfix::configs:
merge:
strategy: deep
postfix::maps:
merge:
strategy: deep
postfix::virtuals:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -185,6 +176,9 @@ profiles::ntp::client::peers:
- 2.au.pool.ntp.org
- 3.au.pool.ntp.org
profiles::base::puppet_servers:
- 'prodinf01n01.main.unkin.net'
consul::install_method: 'package'
consul::manage_repo: false
consul::bin_dir: /usr/bin
+8 -2
View File
@@ -3,8 +3,7 @@
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::version: '7.37.2'
profiles::puppet::agent::openvox_enable: true
profiles::puppet::agent::puppet_version: '7.34.0'
hiera_include:
- profiles::almalinux::base
@@ -54,6 +53,13 @@ profiles::yum::global::repos:
baseurl: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkinben:
name: unkinben
descr: unkinben repository
+1 -1
View File
@@ -11,4 +11,4 @@ profiles::apt::components:
- main
- non-free
profiles::puppet::agent::version: '7.25.0-1bullseye'
profiles::puppet::agent::puppet_version: '7.25.0-1bullseye'
+1 -1
View File
@@ -12,4 +12,4 @@ profiles::apt::components:
- non-free
- non-free-firmware
profiles::puppet::agent::version: 'latest'
profiles::puppet::agent::puppet_version: 'latest'
+1 -3
View File
@@ -2,7 +2,6 @@
hiera_include:
- docker
- profiles::gitea::runner
- incus::client
docker::version: latest
docker::curl_ensure: false
@@ -40,8 +39,7 @@ profiles::gitea::runner::config:
privileged: false
options:
workdir_parent: /workspace
valid_volumes:
- /etc/pki/tls/vault
valid_volumes: []
docker_host: ""
force_pull: true
force_rebuild: false
+1 -1
View File
@@ -1 +1 @@
rke2::node_token: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOD+w5nJFqEYWFj+tZQ65Oi19eDhaWtpLQ0gwEdBtMmY9sPJ63l1q2qH933NH6TOd1UlMDvGfoDLCae+yt/MAW//cJ15X3QbiVQ23DdfCOlUEZN6fjVrveEt/yIeFQmWvnkMS4pRfPbgQu2OHm37PpuPE7s6dUyGItAYjchrRhtQ7ibhXDnN7miG+oVRXP2T8b/V5WPdmA222DSV6r/AnqaWkna9W/oh/I2sNKeEm5q3f8bh8Gxt1dDy3VwaZ3lAh3uR+SUm7P/6PTYw8opxiumFBvos0mRiXIdOwUuqrAS8hafWBhxnDLlTBfz62Nc4wQmQ8gz0bHJZSipH9G6mIEDCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ2WG6ROWFlQdXx0TuO5oABoBwTDtAXIj7y6I1B3zCnFoMHETf5d7ulPGdgwZsENf0UIHpg2l0w503MUHHbu6YDFiDiTE0oDNJPVHid7TO+XwWFgh5v1MWi/XeEBgCs6nMCW8qkX0Z3UXaZdSBUll1M4sRtuqscBnoD/LLs2kKfxrqQg==]
rke2::node_token: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAVPo7WjzlJQQhxefhV1bu1/+Jo/LY3gMmVGicDnDloGQd1jbdDtNz9wi6Hqqht1xQPdn22XmvvrVXtPhsdjDCGqWxmfZ0qWQVl1Ju2WIh5WsyyZgdE96k2+y7Cg5Dl0brX2m9YSZfow5BF8J8EnCDdRZncOCtFl/SU8ipPEq2uJJR+Y9sJv6aJflnFLCEYgJNbZY9ljMcs5ssJ21VpIqWYA0Z6vKVqOUeIWWKbYZUIoEml7sj3ktmw3loMYA6ED0/nzyYvRVizTvtGXl3IWGVDSt8rQ/kNhzKqURVOsgwfbt7un4n2Kxkreiydj3R6PbLdkpHdtu25dbjue8HLQkc4zCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQMmIatr2oBei35+evghIkLIBwWT6F1WPDV3PA/QYNusfYcI1KrMRYFlDYyEkg/Tf+0gOpty9rdnYL+MQO2fTU9Br+INTr1oJcxJp/Lqap2+NibmBfZcLUIMn3q1S/jZp9BGQTk6RSwODqQ2x5GxDATinrtiUR4TXIIaiaP3KWlP8A7g==]
+1
View File
@@ -1 +1,2 @@
---
rke2::csi_ceph_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEApQ371O4nGSrFB5tOZFTSJP+kJj3wJyEcWiNfonYA5LmbaMnQ6pUortec1519WHMICpSWdpq3O8frivm2CK3taYoKczeTzbsFTxvVp7s6gIZJUsCeqGHuq81YyjPtJE+Yy5IOBJjhe/8ECkEFNr0JlhwKBPWfTx5hHOzRdkGlN464weGFQtCI8UgdGe7AWEePG+u3e4RL+xCriw5tfuqMeeo+isDwVf30nK9NxsnmliOd/+jNW+GrtzycHAeokQOKnxfgrKll5Y5+npy5WueuSCEw1E+Io0NI/4Jthi7zu24UQu0KT8iRsqhuD5mr1ymvCNREnvCcVWt8VVRTGXQV+TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDS8VXZM3wEAFRALB/Fa19dgDCTRYhU8YY4g9zREP7epY9x2MRWaTT84Jx9w5Dc/XWaRrmL4yL2sK+QHSy2057jHzo=]
+19 -1
View File
@@ -9,11 +9,29 @@ rke2::helm_repos:
harbor: https://helm.goharbor.io
traefik: https://traefik.github.io/charts
hashicorp: https://helm.releases.hashicorp.com
rke2::csi_ceph_enable: true
rke2::csi_ceph_clusterid: de96a98f-3d23-465a-a899-86d3d67edab8
rke2::csi_ceph_poolname: kubernetes
rke2::csi_ceph_monitors:
- 198.18.23.9:6789
- 198.18.23.10:6789
- 198.18.23.11:6789
- 198.18.23.12:6789
- 198.18.23.13:6789
rke2::csi_ceph_files:
- ceph-csi-nodeplugin-rbac
- ceph-csi-provisioner-rbac
- ceph-csi-rbdplugin-provisioner
- ceph-csi-rbdplugin
rke2::csi_ceph_templates:
- ceph-csi-config
- ceph-csi-secret
rke2::extra_config_files:
- rke2-canal-config
- rke2-nginx-ingress-config
- service-loadbalancer-nginx
rke2::config_hash:
advertise-address: "%{hiera('networking_loopback0_ip')}"
cluster-domain: "svc.k8s.unkin.net"
tls-san:
- "join-k8s.service.consul"
- "api-k8s.service.consul"
-20
View File
@@ -1,20 +0,0 @@
---
# Common mail server configuration
# base postfix configuration (passed to postfix class)
postfix::relayhost: 'direct'
postfix::myorigin: 'main.unkin.net'
postfix::manage_aliases: true
# Common postfix virtuals for all mail servers
postfix::virtuals:
'root':
ensure: present
destination: 'ben@main.unkin.net'
'postmaster':
ensure: present
destination: 'ben@main.unkin.net'
'abuse':
ensure: present
destination: 'ben@main.unkin.net'
-87
View File
@@ -1,87 +0,0 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- mail.main.unkin.net
# manage dovecot
dovecot::install::packages:
- dovecot
- dovecot-pgsql
profiles::dovecot::server::maildir_path: "%{hiera('profiles::postfix::gateway::virtual_mailbox_base')}"
#dovecot::config:
# auth.conf:
# values:
# auth_mechanisms: 'plain login'
# auth_username_format: '%Lu'
# auth_default_realm: 'main.unkin.net'
# auth-vmail.conf:
# values:
# passdb: |
# {
# driver = pam
# }
# userdb: |
# {
# driver = passwd
# override_fields = uid=vmail gid=vmail home=/shared/apps/maildata/%u
# }
# mail.conf:
# values:
# mail_plugins: '$mail_plugins'
# namespace inbox: |
# {
# inbox = yes
# location =
# mailbox Drafts {
# special_use = \Drafts
# }
# mailbox Junk {
# special_use = \Junk
# }
# mailbox Sent {
# special_use = \Sent
# }
# mailbox "Sent Messages" {
# special_use = \Sent
# }
# mailbox Trash {
# special_use = \Trash
# }
# }
# sections:
# - name: 'namespace inbox'
# values:
# 'inbox': 'yes'
# 'seperator': '.'
# 'prefix': 'INBOX'
# backend-specific postfix configuration
postfix::mydestination: 'localhost'
postfix::mynetworks: '127.0.0.0/8 [::1]/128 10.10.12.0/24'
postfix::smtp_listen: ['0.0.0.0', '::']
postfix::use_dovecot_lda: true # use built-in dovecot LDA support
postfix::mail_user: 'vmail:vmail'
profiles::postfix::gateway::enable_postscreen: false # disable postscreen (backend doesn't need it)
profiles::postfix::gateway::myhostname: 'mail.main.unkin.net'
profiles::postfix::gateway::enable_dovecot: true # enable dovecot integration
profiles::postfix::gateway::virtual_mailbox_domains:
- 'main.unkin.net'
profiles::postfix::gateway::virtual_mailbox_base: '/shared/apps/maildata'
profiles::postfix::gateway::virtual_mailbox_maps:
'ben@main.unkin.net': 'main.unkin.net/ben/'
'root@main.unkin.net': 'main.unkin.net/ben/'
'postmaster@main.unkin.net': 'main.unkin.net/ben/'
'abuse@main.unkin.net': 'main.unkin.net/ben/'
profiles::postfix::gateway::smtpd_client_restrictions:
- 'permit_mynetworks'
- 'reject_unauth_destination'
profiles::postfix::gateway::smtpd_sender_restrictions:
- 'permit_mynetworks'
- 'reject_non_fqdn_sender'
profiles::postfix::gateway::smtpd_recipient_restrictions:
- 'permit_mynetworks'
- 'reject_non_fqdn_recipient'
- 'reject_unauth_destination'
-34
View File
@@ -1,34 +0,0 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- in-mta.main.unkin.net
# gateway-specific postfix configuration
postfix::mydestination: 'blank'
postfix::mynetworks: '127.0.0.0/8 [::1]/128'
postfix::smtp_listen: '0.0.0.0'
postfix::mta: true
profiles::postfix::gateway::myhostname: 'in-mta.main.unkin.net'
profiles::postfix::gateway::relay_recipients_maps:
'@main.unkin.net': 'OK'
profiles::postfix::gateway::relay_domains_maps:
'main.unkin.net': 'OK'
profiles::postfix::gateway::postscreen_access_maps:
'127.0.0.1/32': 'permit'
'10.10.12.200/32': 'permit'
profiles::postfix::gateway::helo_access_maps:
'.dynamic.': 'REJECT'
'.dialup.': 'REJECT'
'unknown': 'REJECT'
'localhost': 'REJECT You are not localhost'
# postfix transports
postfix::transports:
'main.unkin.net':
ensure: present
destination: 'relay'
nexthop: 'ausyd1nxvm2120.main.unkin.net:25'
+1 -1
View File
@@ -1,3 +1,3 @@
---
profiles::packages::include:
openvox-server: {}
puppetserver: {}
+1 -2
View File
@@ -4,8 +4,7 @@ profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault
profiles::vault::server::manage_storage_dir: true
profiles::vault::server::tls_disable: false
vault::package_name: openbao
vault::package_ensure: 2.4.1
vault::download_url: http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/vault_1.15.5_linux_amd64.zip
# additional altnames
profiles::pki::vault::alt_names:
@@ -1,28 +0,0 @@
# frozen_string_literal: true
# lib/facter/incus_trust_list.rb
require 'json'
Facter.add(:incus_trust_list) do
confine do
# Only run on systems that have incus installed and running
incus_path = Facter::Util::Resolution.which('incus')
incus_path && File.exist?('/var/lib/incus/server.key')
end
setcode do
incus_path = Facter::Util::Resolution.which('incus')
next {} unless incus_path
begin
# Run incus config trust list --format=json
trust_output = Facter::Core::Execution.execute("#{incus_path} config trust list --format=json")
next {} if trust_output.empty?
# Parse the JSON output
JSON.parse(trust_output)
rescue StandardError
{}
end
end
end
-16
View File
@@ -1,16 +0,0 @@
# incus::client
#
# This class configures a host as an incus client and exports its certificate
# for automatic trust management on incus servers.
#
class incus::client {
# Export this client's certificate for collection by incus servers
@@incus::client_cert { $facts['networking']['fqdn']:
hostname => $facts['networking']['fqdn'],
certificate => $facts['vault_cert_content'],
fingerprint => $facts['vault_cert_fingerprint'],
tag => 'incus_client',
}
}
-41
View File
@@ -1,41 +0,0 @@
# Define the exported resource type for incus client certificates
define incus::client_cert (
String $hostname,
Optional[String] $certificate = undef,
Optional[String] $fingerprint = undef,
) {
# Only proceed if we have both certificate and fingerprint
if $certificate and $fingerprint {
$trust_list = $facts['incus_trust_list']
$existing_client = $trust_list.filter |$client| { $client['name'] == $hostname }
if $existing_client.empty {
# Add new certificate
exec { "incus_trust_add_${hostname}":
path => ['/bin', '/usr/bin'],
command => "echo '${certificate}' > /tmp/${hostname}.crt && \
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
rm -f /tmp/${hostname}.crt",
unless => "incus config trust list --format=json | grep '\"name\":\"${hostname}\"'",
}
} else {
# Check if fingerprints are different
$existing_fingerprint = $existing_client[0]['fingerprint']
if $existing_fingerprint != $fingerprint {
# Remove existing and add new certificate only if fingerprints differ
exec { "incus_trust_update_${hostname}":
path => ['/bin', '/usr/bin'],
command => "incus config trust remove ${existing_fingerprint} && \
echo '${certificate}' > /tmp/${hostname}.crt && \
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
rm -f /tmp/${hostname}.crt",
onlyif => "incus config trust list --format=json | grep '${existing_fingerprint}'",
}
}
# If fingerprints match, do nothing (certificate is already correct)
}
}
}
-25
View File
@@ -21,10 +21,6 @@ class incus (
enable => true,
hasstatus => true,
hasrestart => true,
subscribe => [
File['/var/lib/incus/server.crt'],
File['/var/lib/incus/server.key'],
],
}
file_line { 'subuid_root':
@@ -59,22 +55,6 @@ class incus (
}
}
file { '/var/lib/incus/server.crt':
ensure => file,
source => '/etc/pki/tls/vault/certificate.crt',
owner => 'root',
group => 'root',
mode => '0644',
}
file { '/var/lib/incus/server.key':
ensure => file,
source => '/etc/pki/tls/vault/private.key',
owner => 'root',
group => 'root',
mode => '0600',
}
if $facts['incus'] and $facts['incus']['config'] {
# set core.https_address
if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
@@ -92,10 +72,5 @@ class incus (
}
}
}
# Collect exported client certificates and manage trust
Incus::Client_cert <<| tag == 'incus_client' |>> {
require => Service['incus'],
}
}
}
@@ -1,11 +0,0 @@
# frozen_string_literal: true
# lib/facter/vault_cert_content.rb
Facter.add(:vault_cert_content) do
confine kernel: 'Linux'
setcode do
cert_path = '/etc/pki/tls/vault/certificate.crt'
File.read(cert_path) if File.exist?(cert_path) && File.readable?(cert_path)
end
end
@@ -1,23 +0,0 @@
# frozen_string_literal: true
# lib/facter/vault_cert_fingerprint.rb
Facter.add(:vault_cert_fingerprint) do
confine kernel: 'Linux'
setcode do
require 'openssl'
require 'digest'
cert_path = '/etc/pki/tls/vault/certificate.crt'
if File.exist?(cert_path) && File.readable?(cert_path)
begin
cert_content = File.read(cert_path)
cert = OpenSSL::X509::Certificate.new(cert_content)
# Calculate SHA256 fingerprint like incus does
Digest::SHA256.hexdigest(cert.to_der)
rescue StandardError
nil
end
end
end
end
@@ -0,0 +1,48 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rbd-csi-nodeplugin
namespace: ceph-csi
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-nodeplugin
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["list", "get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-nodeplugin
subjects:
- kind: ServiceAccount
name: rbd-csi-nodeplugin
namespace: ceph-csi
roleRef:
kind: ClusterRole
name: rbd-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io
@@ -0,0 +1,125 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rbd-csi-provisioner
namespace: ceph-csi
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-external-provisioner-runner
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
verbs: ["update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
verbs: ["get", "list", "watch", "update", "patch", "create"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots/status"]
verbs: ["get", "list", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
- apiGroups: ["groupsnapshot.storage.k8s.io"]
resources: ["volumegroupsnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["groupsnapshot.storage.k8s.io"]
resources: ["volumegroupsnapshotcontents"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["groupsnapshot.storage.k8s.io"]
resources: ["volumegroupsnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: ["replication.storage.openshift.io"]
resources: ["volumegroupreplicationcontents"]
verbs: ["get", "list", "watch"]
- apiGroups: ["replication.storage.openshift.io"]
resources: ["volumegroupreplicationclasses"]
verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-provisioner-role
subjects:
- kind: ServiceAccount
name: rbd-csi-provisioner
namespace: ceph-csi
roleRef:
kind: ClusterRole
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-external-provisioner-cfg
namespace: ceph-csi
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-provisioner-role-cfg
namespace: ceph-csi
subjects:
- kind: ServiceAccount
name: rbd-csi-provisioner
namespace: ceph-csi
roleRef:
kind: Role
name: rbd-external-provisioner-cfg
apiGroup: rbac.authorization.k8s.io
@@ -0,0 +1,124 @@
---
apiVersion: v1
kind: Service
metadata:
name: csi-rbdplugin-provisioner
namespace: ceph-csi
labels:
app: csimetrics
spec:
selector:
app: csirbdpluginprovisioner
ports:
- name: httpmetrics
port: 8080
protocol: TCP
targetPort: 8680
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: csirbdpluginprovisioner
namespace: ceph-csi
spec:
replicas: 3
selector:
matchLabels:
app: csirbdpluginprovisioner
template:
metadata:
labels:
app: csirbdpluginprovisioner
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- csirbdpluginprovisioner
topologyKey: "kubernetes.io/hostname"
serviceAccountName: rbdcsiprovisioner
priorityClassName: systemclustercritical
containers:
- name: csirbdplugin
image: quay.io/cephcsi/cephcsi:v3.15
args:
- "--nodeid=$(NODE_ID)"
- "--type=rbd"
- "--controllerserver=true"
- "--endpoint=$(CSI_ENDPOINT)"
- "--csi-addons-endpoint=$(CSI_ADDONS_ENDPOINT)"
- "--v=5"
- "--drivername=rbd.csi.ceph.com"
- "--pidlimit=-1"
- "--rbdhardmaxclonedepth=8"
- "--rbdsoftmaxclonedepth=4"
- "--enableprofiling=false"
- "--setmetadata=true"
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_ID
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CSI_ENDPOINT
value: unix:///csi/csi-provisioner.sock
- name: CSI_ADDONS_ENDPOINT
value: unix:///csi/csi-addons.sock
imagePullPolicy: IfNotPresent
volumeMounts:
- name: socket-dir
mountPath: /csi
- name: host-dev
mountPath: /dev
- name: host-sys
mountPath: /sys
- name: lib-modules
mountPath: /lib/modules
readOnly: true
- name: ceph-csi-config
mountPath: /etc/ceph-csi-config/
- name: ceph-csi-encryption-kms-config
mountPath: /etc/ceph-csi-encryption-kms-config/
- name: ceph-config
mountPath: /etc/ceph/
- name: keys-tmp-dir
mountPath: /tmp/csi/keys
# snapshotter & other sidecars omitted in this snippet for brevity
volumes:
- name: socket-dir
emptyDir:
medium: Memory
- name: host-dev
hostPath:
path: /dev
- name: host-sys
hostPath:
path: /sys
- name: lib-modules
hostPath:
path: /lib/modules
- name: ceph-csi-config
configMap:
name: ceph-csi-config
- name: ceph-csi-encryption-kms-config
configMap:
name: ceph-csi-encryption-kms-config
- name: ceph-config
configMap:
name: ceph-config
- name: keys-tmp-dir
emptyDir:
medium: Memory
# and other volumes as in the original
+155
View File
@@ -0,0 +1,155 @@
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: csirbdplugin
namespace: ceph-csi
spec:
selector:
matchLabels:
app: csirbdplugin
template:
metadata:
labels:
app: csirbdplugin
spec:
serviceAccountName: rbdcsinodeplugin
hostNetwork: true
hostPID: true
priorityClassName: systemnodecritical
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: csirbdplugin
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
image: quay.io/cephcsi/cephcsi:v3.15
args:
- "--nodeid=$(NODE_ID)"
- "--pluginpath=/var/lib/kubelet/plugins"
- "--stagingpath=/var/lib/kubelet/plugins/kubernetes.io/csi/"
- "--type=rbd"
- "--nodeserver=true"
- "--endpoint=$(CSI_ENDPOINT)"
- "--csi-addons-endpoint=$(CSI_ADDONS_ENDPOINT)"
- "--v=5"
- "--drivername=rbd.csi.ceph.com"
- "--enableprofiling=false"
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_ID
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CSI_ENDPOINT
value: unix:///csi/csi.sock
- name: CSI_ADDONS_ENDPOINT
value: unix:///csi/csi-addons.sock
imagePullPolicy: IfNotPresent
volumeMounts:
- name: socket-dir
mountPath: /csi
- name: host-dev
mountPath: /dev
- name: host-sys
mountPath: /sys
- name: host-mount
mountPath: /run/mount
- name: etc-selinux
mountPath: /etc/selinux
readOnly: true
- name: lib-modules
mountPath: /lib/modules
readOnly: true
- name: plugin-dir
mountPath: /var/lib/kubelet/plugins
mountPropagation: "Bidirectional"
- name: mountpoint-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: "Bidirectional"
- name: keys-tmp-dir
mountPath: /tmp/csi/keys
- name: ceph-logdir
mountPath: /var/log/ceph
- name: ceph-config
mountPath: /etc/ceph/
- name: ceph-csi-config
mountPath: /etc/ceph-csi-config/
- name: ceph-csi-encryption-kms-config
mountPath: /etc/ceph-csi-encryption-kms-config/
- name: oidc-token
mountPath: /run/secrets/tokens
readOnly: true
# possibly sidecars like driverregistrar, liveness, etc.
volumes:
- name: socket-dir
hostPath:
path: /var/lib/kubelet/plugins/rbd.csi.ceph.com
type: DirectoryOrCreate
- name: plugin-dir
hostPath:
path: /var/lib/kubelet/plugins
type: Directory
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/pods
type: DirectoryOrCreate
- name: ceph-logdir
hostPath:
path: /var/log/ceph
type: DirectoryOrCreate
- name: host-dev
hostPath:
path: /dev
- name: host-sys
hostPath:
path: /sys
- name: etc-selinux
hostPath:
path: /etc/selinux
type: DirectoryOrCreate
- name: host-mount
hostPath:
path: /run/mount
- name: lib-modules
hostPath:
path: /lib/modules
type: DirectoryOrCreate
- name: ceph-config
configMap:
name: ceph-config
- name: ceph-csi-config
configMap:
name: ceph-csi-config
- name: ceph-csi-encryption-kms-config
configMap:
name: ceph-csi-encryption-kms-config
- name: keys-tmp-dir
emptyDir:
medium: Memory
---
apiVersion: v1
kind: Service
metadata:
name: csi-metrics-rbdplugin
namespace: ceph-csi
labels:
app: csimetrics
spec:
ports:
- name: httpmetrics
port: 8080
protocol: TCP
targetPort: 8680
selector:
app: csirbdplugin
@@ -1,4 +1,3 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
@@ -1,20 +0,0 @@
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-ingress-nginx
namespace: kube-system
spec:
valuesContent: |-
controller:
hostPort:
enabled: false
service:
enabled: true
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerClass: purelb.io/purelb
allocateLoadBalancerNodePorts: false
annotations:
purelb.io/service-group: common
purelb.io/addresses: "198.18.200.0"
@@ -0,0 +1,41 @@
apiVersion: v1
kind: Service
metadata:
name: rke2-ingress-nginx-controller
namespace: kube-system
annotations:
purelb.io/service-group: common
spec:
type: LoadBalancer
externalTrafficPolicy: Cluster
ports:
- name: http
port: 80
targetPort: http
protocol: TCP
- name: https
port: 443
targetPort: https
protocol: TCP
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
app.kubernetes.io/instance: rke2-ingress-nginx
loadBalancerIP: 198.18.200.0
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-ingress-nginx
namespace: kube-system
spec:
valuesContent: |-
controller:
hostPort:
enabled: false
service:
enabled: true
type: LoadBalancer
externalTrafficPolicy: Local
annotations:
purelb.io/service-group: common
-39
View File
@@ -1,39 +0,0 @@
# frozen_string_literal: true
require 'json'
require 'open3'
Facter.add(:k8s_masters) do
confine do
File.exist?('/etc/rancher/rke2/rke2.yaml') &&
File.executable?('/usr/bin/kubectl')
end
setcode do
env = { 'KUBECONFIG' => '/etc/rancher/rke2/rke2.yaml' }
cmd = ['/usr/bin/kubectl', 'get', 'nodes', '-o', 'json']
stdout, stderr, status = Open3.capture3(env, *cmd)
if status.success?
json = JSON.parse(stdout)
master_count = json['items'].count do |item|
roles = item.dig('metadata', 'labels') || {}
# Look for well-known labels assigned to control-plane nodes
roles.any? do |key, _|
key =~ %r{node-role\.kubernetes\.io/(control-plane|master|etcd)}
end
end
master_count
else
Facter.debug("kubectl error: #{stderr}")
0
end
rescue StandardError => e
Facter.debug("Exception in k8s_masters fact: #{e.message}")
0
end
end
+38 -2
View File
@@ -7,6 +7,13 @@ class rke2::config (
Stdlib::Fqdn $bootstrap_node = $rke2::bootstrap_node,
String $node_token = $rke2::node_token,
Array[String[1]] $extra_config_files = $rke2::extra_config_files,
Boolean $csi_ceph_enable = $rke2::csi_ceph_enable,
Array[String] $csi_ceph_files = $rke2::csi_ceph_files,
Array[String] $csi_ceph_templates = $rke2::csi_ceph_templates,
Optional[String[1]] $csi_ceph_key = $rke2::csi_ceph_key,
Optional[String[1] ] $csi_ceph_clusterid = $rke2::csi_ceph_clusterid,
Optional[Array[String]] $csi_ceph_monitors = $rke2::csi_ceph_monitors,
Optional[String[1]] $csi_ceph_poolname = $rke2::csi_ceph_poolname,
){
# if its not the bootstrap node, add join path to config
@@ -17,7 +24,9 @@ class rke2::config (
token => $node_token,
} )
}else{
$config = merge($config_hash, {})
$config = merge($config_hash, {
token => $node_token,
} )
}
} elsif $node_type == 'agent' {
$config = merge($config_hash, {
@@ -66,7 +75,7 @@ class rke2::config (
}
# on the controller nodes only
if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
if $node_type == 'server' {
# wait for purelb helm to setup namespace
if 'purelb' in $facts['k8s_namespaces'] {
@@ -105,5 +114,32 @@ class rke2::config (
}
}
# manage ceph files
if $csi_ceph_enable {
$csi_ceph_files.each |$file| {
file {"/var/lib/rancher/rke2/server/manifests/${file}.yaml":
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => "puppet:///modules/rke2/${file}.yaml",
require => Service['rke2-server'],
}
}
$csi_ceph_templates.each |$file| {
file {"/var/lib/rancher/rke2/server/manifests/${file}.yaml":
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => template("rke2/${file}.yaml.erb"),
require => Service['rke2-server'],
}
}
}
}
}
+2 -2
View File
@@ -20,8 +20,8 @@ class rke2::helm (
mode => '0755',
}
# on the controller nodes only, and after 3 master nodes exist
if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
# on the controller nodes only
if $node_type == 'server' {
# check if the repo already exists
$helm_repos.each | String $repo, Stdlib::HTTPSUrl $url | {
+7
View File
@@ -12,6 +12,13 @@ class rke2 (
Hash $helm_repos = $rke2::params::helm_repos,
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
Boolean $csi_ceph_enable = $rke2::params::csi_ceph_enable,
Array[String] $csi_ceph_files = $rke2::params::csi_ceph_files,
Array[String] $csi_ceph_templates = $rke2::params::csi_ceph_templates,
Optional[String[1]] $csi_ceph_key = $rke2::params::csi_ceph_key,
Optional[String[1] ] $csi_ceph_clusterid = $rke2::params::csi_ceph_clusterid,
Optional[Array[String]] $csi_ceph_monitors = $rke2::params::csi_ceph_monitors,
Optional[String[1]] $csi_ceph_poolname = $rke2::params::csi_ceph_poolname,
) inherits rke2::params {
include rke2::install
+7
View File
@@ -12,4 +12,11 @@ class rke2::params (
Hash $helm_repos = {},
Array[String[1]] $extra_config_files = [],
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
Boolean $csi_ceph_enable = false,
Array[String] $csi_ceph_files = [],
Array[String] $csi_ceph_templates = [],
Optional[String[1]] $csi_ceph_key = undef,
Optional[String[1] ] $csi_ceph_clusterid = undef,
Optional[Array[String]] $csi_ceph_monitors = undef,
Optional[String[1]] $csi_ceph_poolname = undef,
) {}
@@ -0,0 +1,65 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ceph-csi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ceph-csi-config
namespace: ceph-csi
data:
config.json: |-
[
{
"clusterID": "<%= @csi_ceph_clusterid %>",
"monitors": [
<% @csi_ceph_monitors.each_with_index do |mon, index| -%>
"<%= mon %>"<% if index < @csi_ceph_monitors.length - 1 %>,<% end %>
<% end -%>
]
}
]
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ceph-csi-encryption-kms-config
namespace: ceph-csi
data:
config.json: |-
{}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ceph-config
namespace: ceph-csi
data:
ceph.conf: |
[global]
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
keyring: |
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: csi-rbd-sc
provisioner: rbd.csi.ceph.com
parameters:
clusterID: <%= @csi_ceph_clusterid %>
pool: <%= @csi_ceph_poolname %>
imageFeatures: layering
csi.storage.k8s.io/provisioner-secret-name: csi-rbd-secret
csi.storage.k8s.io/provisioner-secret-namespace: ceph-csi
csi.storage.k8s.io/controller-expand-secret-name: csi-rbd-secret
csi.storage.k8s.io/controller-expand-secret-namespace: ceph-csi
csi.storage.k8s.io/node-stage-secret-name: csi-rbd-secret
csi.storage.k8s.io/node-stage-secret-namespace: ceph-csi
reclaimPolicy: Delete
allowVolumeExpansion: true
mountOptions:
- discard
@@ -0,0 +1,10 @@
---
apiVersion: v1
kind: Secret
metadata:
name: csi-rbd-secret
namespace: ceph-csi
stringData:
userID: kubernetes
userKey: <%= @csi_ceph_key %>
-19
View File
@@ -1,19 +0,0 @@
# frozen_string_literal: true
Facter.add(:zfs_datasets) do
confine kernel: 'Linux'
setcode do
datasets = []
if Facter::Core::Execution.which('zfs')
begin
output = Facter::Core::Execution.execute('zfs list -H -o name 2>/dev/null', on_fail: nil)
datasets = output.strip.split("\n") if output && !output.empty?
rescue StandardError => e
Facter.debug("Error getting zfs dataset information: #{e.message}")
end
end
datasets.empty? ? nil : datasets
end
end
@@ -3,8 +3,7 @@
Facter.add('zfs_zpool_cache_present') do
confine kernel: 'Linux'
setcode do
cache_file = '/etc/zfs/zpool.cache'
File.exist?(cache_file) && File.size(cache_file).positive?
File.exist?('/etc/zfs/zpool.cache')
end
end
-19
View File
@@ -1,19 +0,0 @@
# frozen_string_literal: true
Facter.add(:zfs_zpools) do
confine kernel: 'Linux'
setcode do
zpools = []
if Facter::Core::Execution.which('zpool')
begin
output = Facter::Core::Execution.execute('zpool list -H -o name 2>/dev/null', on_fail: nil)
zpools = output.strip.split("\n") if output && !output.empty?
rescue StandardError => e
Facter.debug("Error getting zpool information: #{e.message}")
end
end
zpools.empty? ? nil : zpools
end
end
+2 -5
View File
@@ -38,11 +38,8 @@ class zfs (
# create zpools
$zpools.each | $zpool, $data | {
# Only create zpool if it doesn't already exist
if $facts['zfs_zpools'] == undef or !($zpool in $facts['zfs_zpools']) {
zpool { $zpool:
* => $data
}
zpool { $zpool:
* => $data
}
}
@@ -1,54 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
postmaster: root
# Many mailers use this address to represent the empty SMTP return path
MAILER-DAEMON: postmaster
# Common aliases for system accounts.
bin: root
daemon: root
games: root
ingres: root
nobody: root
system: root
toor: root
foo: root
falken: root
# Well-known aliases.
admin: root
manager: root
dumper: root
operator: root
# traps to catch security attacks
decode: root
moof: root
moog: root
# Standard aliases also defined by RFC 2142
abuse: postmaster
# reports of network infrastructure difficulties
noc: root
# address to report secuirty problems
security: root
# DNS administrator (DNS soa records should use this)
hostmaster: root
# Usenet news service administrator
news: usenet
usenet: root
# http/web service administrator
www: webmaster
webmaster: root
# UUCP service administrator
uucp: root
# FTP administrator (especially anon FTP)
ftp: root
+8 -2
View File
@@ -1,5 +1,7 @@
# this is the base class, which will be used by all servers
class profiles::base () {
class profiles::base (
Array $puppet_servers,
) {
# run a limited set of classes on the first run aimed at bootstrapping the new node
if $facts['firstrun'] {
@@ -11,7 +13,11 @@ class profiles::base () {
# manage the puppet agent
include profiles::puppet::agent
include profiles::puppet::client
# manage puppet clients
if ! member($puppet_servers, $trusted['certname']) {
include profiles::puppet::client
}
# include the base profiles
include profiles::base::repos
-1
View File
@@ -11,7 +11,6 @@ class profiles::defaults {
ensure => present,
require => [
Class['profiles::base::repos'],
Exec['dnf_makecache'],
]
}
-99
View File
@@ -1,99 +0,0 @@
class profiles::dovecot::server (
Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_key_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_ca_file = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
Stdlib::Absolutepath $maildir_path = '/var/vmail',
String $maildir_var = '%d/%n',
String $hostname = $trusted['certname'],
Array[String] $listen = ['*', '::'],
Array[String] $protocols = ['imap'],
) {
# Ensure the maildata directory exists
file { $maildir_path:
ensure => directory,
owner => 'vmail',
group => 'vmail',
mode => '0755',
}
# Create vmail user for dovecot
user { 'vmail':
ensure => present,
uid => 5000,
gid => 5000,
home => $maildir_path,
shell => '/usr/sbin/nologin',
managehome => false,
system => true,
}
group { 'vmail':
ensure => present,
gid => 5000,
system => true,
}
# Main dovecot configuration
$main_config = {
values => {
'listen' => join($listen, ', '),
'protocols' => join($protocols, ' '),
'default_login_user' => 'vmail',
'default_internal_user' => 'vmail',
'first_valid_uid' => '5000',
'last_valid_uid' => '5000',
'first_valid_gid' => '5000',
'last_valid_gid' => '5000',
'mail_uid' => 'vmail',
'mail_gid' => 'vmail',
'mail_location' => "maildir:${maildir_path}/${maildir_var}/Maildir",
'login_trusted_networks' => '10.0.0.0/8 127.0.0.0/8 [::1]/128',
'disable_plaintext_auth' => 'no',
'auth_mechanisms' => 'cram-md5 plain login',
'ssl' => 'required',
'ssl_cert' => $tls_cert_file,
'ssl_key' => $tls_key_file,
'ssl_ca' => $tls_ca_file,
'ssl_min_protocol' => 'TLSv1.2',
'ssl_cipher_list' => join([
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES',
'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
], ':'),
'ssl_prefer_server_ciphers' => 'yes',
},
sections => [
{
name => 'passdb',
values => {
'driver' => 'passwd-file',
'args' => 'scheme=CRAM-MD5 username_format=%u /etc/dovecot/users',
},
},
{
name => 'userdb',
values => {
'driver' => 'static',
'args' => "uid=vmail gid=vmail home=${maildir_path}/${maildir_var}",
},
},
],
}
# # Postfix smtp-auth
# unix_listener /var/spool/postfix/private/auth {
# mode = 0666
# user = postfix
# group = postfix
# }
# Configure dovecot
class { 'dovecot':
main_config => $main_config,
include_sysdefault => false,
require => [User['vmail'], Group['vmail'], File[$maildir_path]],
}
}
+3 -4
View File
@@ -136,10 +136,9 @@ class profiles::nginx::simpleproxy (
}
service { 'nginx':
ensure => true,
enable => true,
hasrestart => true,
subscribe => [
ensure => true,
enable => true,
subscribe => [
File[$selected_ssl_cert],
File[$selected_ssl_key],
Nginx::Resource::Server[$nginx_vhost]
-392
View File
@@ -1,392 +0,0 @@
class profiles::postfix::gateway (
Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_key_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_ca_file = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
String $myhostname = $trusted['certname'],
String $message_size_limit = '133169152',
String $mailbox_size_limit = '133169152',
String $local_transport = 'error:No local mail delivery',
Boolean $enable_postscreen = true,
Array[String] $alias_maps = [
'hash:/etc/aliases',
'hash:/etc/postfix/aliases',
],
Array[String] $postscreen_dnsbl_sites = [
'zen.spamhaus.org*3',
'b.barracudacentral.org=127.0.0.[2..11]*2',
'bl.spameatingmonkey.net*2',
'bl.spamcop.net',
'dnsbl.sorbs.net',
'swl.spamhaus.org*-4',
'list.dnswl.org=127.[0..255].[0..255].0*-2',
'list.dnswl.org=127.[0..255].[0..255].1*-4',
'list.dnswl.org=127.[0..255].[0..255].[2..3]*-6',
],
Array[String] $smtpd_client_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_rbl_client zen.spamhaus.org',
],
Array[String] $smtpd_sender_restrictions = [
'permit_sasl_authenticated',
'check_sender_access hash:/etc/postfix/sender_access',
'reject_non_fqdn_sender',
'reject_unknown_sender_domain',
],
Array[String] $smtpd_recipient_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_unauth_destination',
'reject_non_fqdn_recipient',
'reject_unknown_recipient_domain',
'check_recipient_access hash:/etc/postfix/recipient_access',
'reject_unverified_recipient',
],
Array[String] $smtpd_relay_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_unauth_destination',
],
Hash[Stdlib::Fqdn, String] $smtp_tls_policy_maps = {},
Hash[String, String] $sender_canonical_maps = {},
Hash[Stdlib::Email, String] $sender_access_maps = {},
Hash[String, String] $relay_recipients_maps = {},
Hash[Stdlib::Fqdn, String] $relay_domains_maps = {},
Hash[String, String] $recipient_canonical_maps = {},
Hash[Stdlib::Email, String] $recipient_access_maps = {},
Hash[Variant[Stdlib::IP::Address, Stdlib::IP::Address::CIDR], String] $postscreen_access_maps = {},
Hash[String, String] $helo_access_maps = {},
Hash[Stdlib::Email, String] $virtual_mailbox_maps = {},
Hash[Variant[Stdlib::Email, Pattern[/^@.+$/]], Stdlib::Email] $virtual_alias_maps = {},
# Dovecot integration
Boolean $enable_dovecot = false,
Array[Stdlib::Fqdn] $virtual_mailbox_domains = [],
String $virtual_uid_maps = 'static:5000',
String $virtual_gid_maps = 'static:5000',
Stdlib::Absolutepath $virtual_mailbox_base = '/var/vmail',
String $virtual_transport = 'dovecot',
) {
$alias_maps_string = join($alias_maps, ', ')
# Set master.cf configuration based on postscreen setting
if $enable_postscreen {
$master_smtp = 'smtp inet n - n - 1 postscreen'
$master_entries = [
'smtpd pass - - n - - smtpd',
'dnsblog unix - - n - 0 dnsblog',
'tlsproxy unix - - n - 0 tlsproxy',
]
$postscreen_configs = {
'postscreen_access_list' => {
'value' => 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'
},
'postscreen_blacklist_action' => {
'value' => 'enforce'
},
'postscreen_cache_map' => {
'value' => 'btree:$data_directory/postscreen_cache'
},
'postscreen_dnsbl_action' => {
'value' => 'enforce'
},
'postscreen_dnsbl_sites' => {
'value' => join($postscreen_dnsbl_sites, ', ')
},
'postscreen_dnsbl_threshold' => {
'value' => '2'
},
'postscreen_greet_action' => {
'value' => 'enforce'
},
'postscreen_greet_banner' => {
'value' => '$smtpd_banner'
},
'postscreen_greet_wait' => {
'value' => "\${stress?2}\${stress:6}s"
},
}
} else {
$master_smtp = undef
$master_entries = []
$postscreen_configs = {}
}
# Base postfix configuration
$base_configs = {
'alias_database' => {
'value' => $alias_maps_string
},
'default_destination_recipient_limit' => {
'value' => '1'
},
'disable_vrfy_command' => {
'value' => 'yes'
},
'enable_long_queue_ids' => {
'value' => 'yes'
},
'error_notice_recipient' => {
'value' => 'root'
},
'header_checks' => {
'value' => 'regexp:/etc/postfix/header_checks'
},
'local_recipient_maps' => {
'ensure' => 'blank'
},
'local_transport' => {
'value' => $local_transport
},
'mailbox_size_limit' => {
'value' => $mailbox_size_limit
},
'message_size_limit' => {
'value' => $message_size_limit
},
'myhostname' => {
'value' => $myhostname
},
'non_smtpd_milters' => {
'ensure' => 'blank'
},
'qmqpd_authorized_clients' => {
'value' => '127.0.0.1 [::1]'
},
'recipient_canonical_maps' => {
'value' => 'hash:/etc/postfix/recipient_canonical'
},
'recipient_delimiter' => {
'value' => '+'
},
'relay_domains' => {
'value' => 'hash:/etc/postfix/relay_domains'
},
'relay_recipient_maps' => {
'value' => 'hash:/etc/postfix/relay_recipients'
},
'sender_canonical_maps' => {
'value' => 'hash:/etc/postfix/sender_canonical'
},
'smtp_tls_CAfile' => {
'value' => $tls_ca_file
},
'smtp_tls_mandatory_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtp_tls_note_starttls_offer' => {
'value' => 'yes'
},
'smtp_tls_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtp_tls_security_level' => {
'value' => 'may'
},
'smtp_tls_session_cache_database' => {
'value' => 'btree:/var/lib/postfix/smtp_tls_session_cache'
},
'smtp_use_tls' => {
'value' => 'yes'
},
'smtpd_banner' => {
'value' => '$myhostname ESMTP $mail_name'
},
'smtpd_client_restrictions' => {
'value' => join($smtpd_client_restrictions, ', ')
},
'smtpd_data_restrictions' => {
'value' => 'reject_unauth_pipelining'
},
'smtpd_delay_reject' => {
'value' => 'yes'
},
'smtpd_discard_ehlo_keywords' => {
'value' => 'chunking, silent-discard'
},
'smtpd_forbid_bare_newline' => {
'value' => 'yes'
},
'smtpd_forbid_bare_newline_exclusions' => {
'value' => '$mynetworks'
},
'smtpd_forbid_unauth_pipelining' => {
'value' => 'yes'
},
'smtpd_helo_required' => {
'value' => 'yes'
},
'smtpd_helo_restrictions' => {
'value' => 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'
},
'smtpd_milters' => {
'value' => 'inet:127.0.0.1:33333'
},
'smtpd_recipient_restrictions' => {
'value' => join($smtpd_recipient_restrictions, ', ')
},
'smtpd_relay_restrictions' => {
'value' => join($smtpd_relay_restrictions, ', ')
},
'smtpd_sender_restrictions' => {
'value' => join($smtpd_sender_restrictions, ', ')
},
'smtpd_tls_CAfile' => {
'value' => $tls_ca_file
},
'smtpd_tls_cert_file' => {
'value' => $tls_cert_file
},
'smtpd_tls_ciphers' => {
'value' => 'medium'
},
'smtpd_tls_key_file' => {
'value' => $tls_key_file
},
'smtpd_tls_loglevel' => {
'value' => '1'
},
'smtpd_tls_mandatory_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtpd_tls_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtpd_tls_received_header' => {
'value' => 'yes'
},
'smtpd_tls_security_level' => {
'value' => 'may'
},
'smtpd_tls_session_cache_database' => {
'value' => 'btree:/var/lib/postfix/smtpd_tls_session_cache'
},
'smtpd_tls_session_cache_timeout' => {
'value' => '3600s'
},
'smtpd_use_tls' => {
'value' => 'yes'
},
'tls_medium_cipherlist' => {
'value' => join([
'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES',
'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
], ':')
},
'tls_preempt_cipherlist' => {
'value' => 'yes'
},
'tls_random_source' => {
'value' => 'dev:/dev/urandom'
},
'unverified_recipient_reject_code' => {
'value' => '550'
},
'unverified_recipient_reject_reason' => {
'value' => 'No user at this address'
},
'smtp_tls_policy_maps' => {
'value' => 'hash:/etc/postfix/smtp_tls_policy_maps'
},
}
# Postfix maps (all using templates now)
$postfix_maps = {
'postscreen_access' => {
'ensure' => 'present',
'type' => 'cidr',
'content' => template('profiles/postfix/gateway/postscreen_access.erb')
},
'relay_recipients' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/relay_recipients.erb')
},
'relay_domains' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/relay_domains.erb')
},
'aliases' => {
'ensure' => 'present',
'type' => 'hash',
'source' => 'puppet:///modules/profiles/postfix/gateway/aliases'
},
'helo_access' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/helo_access.erb')
},
'sender_access' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/sender_access.erb')
},
'recipient_access' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/recipient_access.erb')
},
'recipient_canonical' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/recipient_canonical.erb')
},
'sender_canonical' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/sender_canonical.erb')
},
'smtp_tls_policy_maps' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/smtp_tls_policy_maps.erb')
},
'virtual_mailbox_maps' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/virtual_mailbox_maps.erb')
},
'virtual_alias_maps' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/virtual_alias_maps.erb')
},
}
if $enable_dovecot {
postfix::config {
'virtual_mailbox_domains': value => join($virtual_mailbox_domains, ', ');
'virtual_mailbox_maps': value => 'hash:/etc/postfix/virtual_mailbox_maps';
'virtual_alias_maps': value => 'hash:/etc/postfix/virtual_alias_maps';
'virtual_uid_maps': value => $virtual_uid_maps;
'virtual_gid_maps': value => $virtual_gid_maps;
'virtual_mailbox_base': value => $virtual_mailbox_base;
'virtual_transport': value => $virtual_transport;
'home_mailbox': value => "${virtual_mailbox_base}/%d/%n/Maildir";
}
} else {
postfix::config {
'virtual_mailbox_domains': ensure => 'absent';
'virtual_mailbox_maps': ensure => 'absent';
'virtual_uid_maps': ensure => 'absent';
'virtual_gid_maps': ensure => 'absent';
'virtual_mailbox_base': ensure => 'absent';
'virtual_transport': ensure => 'absent';
'home_mailbox': ensure => 'absent';
}
}
# Merge base configs with postscreen configs
$all_configs = $base_configs + $postscreen_configs
class { 'postfix':
master_smtp => $master_smtp,
master_entries => $master_entries,
alias_maps => $alias_maps_string,
configs => $all_configs,
maps => $postfix_maps,
}
}
+17 -47
View File
@@ -1,68 +1,37 @@
# profiles::puppet::agent
# This class manages Puppet agent package and service.
class profiles::puppet::agent (
String $version = 'latest',
Boolean $openvox_enable = false,
String $puppet_version = 'latest',
) {
# set openvox package, yumrepo, service
if $openvox_enable {
$use_package = 'openvox-agent'
$use_yumrepo = 'openvox'
$use_service = 'puppet'
}else{
$use_package = 'puppet-agent'
$use_yumrepo = 'puppet'
$use_service = 'puppet'
}
# manage the yumrepo for the given package
if $openvox_enable and $facts['os']['family'] == 'RedHat' {
yumrepo { 'openvox':
ensure => 'present',
baseurl => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/",
descr => 'openvox repository',
gpgkey => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/GPG-KEY-openvox.pub",
notify => Exec['dnf_makecache'],
}
}else{
yumrepo { 'puppet':
ensure => 'present',
baseurl => "https://packagerepo.service.consul/puppet7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/",
descr => 'puppet repository',
gpgkey => "https://packagerepo.service.consul/puppet7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/RPM-GPG-KEY-puppet-20250406",
notify => Exec['dnf_makecache'],
}
}
# if agent-version is anything other than latest, set a versionlock
$agent_versionlock_ensure = $version ? {
# if puppet-version is anything other than latest, set a versionlock
$puppet_versionlock_ensure = $puppet_version ? {
'latest' => 'absent',
default => 'present',
}
$agent_versionlock_version = $version ? {
$puppet_versionlock_version = $puppet_version ? {
'latest' => undef,
default => $version,
default => $puppet_version,
}
case $facts['os']['family'] {
'RedHat': {
# Ensure the agent package is installed and locked to a specific version
package { $use_package:
ensure => $version,
require => Yumrepo[$use_yumrepo],
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
require => Yumrepo['puppet'],
}
# versionlock puppet-agent
yum::versionlock{$use_package:
ensure => $agent_versionlock_ensure,
version => $agent_versionlock_version,
yum::versionlock{'puppet-agent':
ensure => $puppet_versionlock_ensure,
version => $puppet_versionlock_version,
}
}
'Debian': {
# Ensure the puppet-agent package is installed and locked to a specific version
package { $use_package:
ensure => $version,
package { 'puppet-agent':
ensure => $puppet_version,
require => Class['profiles::apt::puppet7'],
}
}
@@ -70,11 +39,12 @@ class profiles::puppet::agent (
}
# Ensure the puppet service is running
service { $use_service:
service { 'puppet':
ensure => 'running',
enable => true,
hasrestart => true,
require => Package[$use_package],
require => Package['puppet-agent'],
}
}
@@ -26,12 +26,6 @@ class profiles::puppet::puppetdb_api (
before => Class['puppetdb::server'],
}
# cleanup puppetdb first, this isnt replaced by openvoxdb (conflicts)
package { 'puppetdb':
ensure => 'purged',
before => Class['puppetdb::server'],
}
class { 'puppetdb::server':
manage_firewall => false,
ssl_listen_address => $listen_address,
@@ -50,7 +44,6 @@ class profiles::puppet::puppetdb_api (
database_name => $database_name,
database_password => Sensitive($database_password),
database_validate => $database_validate,
puppetdb_package => 'openvoxdb',
}
contain ::puppetdb::server
+1 -12
View File
@@ -20,23 +20,12 @@ class profiles::puppet::puppetmaster (
include profiles::puppet::puppetca
include profiles::puppet::eyaml
# migration to openvox, cleanup puppetserver/puppetdb-termini
package {'puppetdb-termini':
ensure => purged,
before => Package['openvoxdb-termini'],
}
package {'puppetserver':
ensure => purged,
before => Package['openvox-server'],
}
class { 'puppetdb::master::config':
puppetdb_server => $puppetdb_host,
manage_storeconfigs => false,
terminus_package => 'openvoxdb-termini',
}
Package['openvox-server']
Package['puppetserver']
-> Class['profiles::puppet::gems']
-> Class['profiles::puppet::r10k']
-> Class['profiles::puppet::g10k']
-3
View File
@@ -55,7 +55,4 @@ class profiles::yum::global (
# setup dnf-autoupdate
include profiles::yum::autoupdater
# ensure dnf makecache runs before packages
Yumrepo <| |> -> Exec['dnf_makecache'] -> Package <| |>
}
@@ -1,11 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on HELO/EHLO hostnames to block spam patterns
# HELO/EHLO access controls
# Format: pattern action
# Example: .dynamic.example.com REJECT
# Example: localhost REJECT You are not localhost
<% @helo_access_maps.each do |pattern, action| -%>
<%= pattern %> <%= action %>
<% end -%>
@@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls which IP addresses/networks are allowed through postscreen
# Postscreen access controls (CIDR format)
# Format: network/mask action
# Example: 192.168.1.0/24 permit
<% @postscreen_access_maps.each do |network, action| -%>
<%= network %> <%= action %>
<% end -%>
@@ -1,11 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on recipient email addresses or domains
# Recipient access controls
# Format: recipient_pattern action
# Example: @example.com OK
# Example: admin@foo.net REJECT
<% @recipient_access_maps.each do |recipient, action| -%>
<%= recipient %> <%= action %>
<% end -%>
@@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Rewrites recipient addresses before delivery (address normalization)
# Recipient canonical address mapping
# Format: original_address canonical_address
# Example: user@olddomain.com user@example.com
<% @recipient_canonical_maps.each do |original, canonical| -%>
<%= original %> <%= canonical %>
<% end -%>
@@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines which domains are allowed for mail relaying
# Relay domains control
# Format: domain action
# Example: example.com OK
<% @relay_domains_maps.each do |domain, action| -%>
<%= domain %> <%= action %>
<% end -%>
@@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines which recipient addresses are allowed for mail relaying
# Relay recipients control
# Format: recipient_pattern action
# Example: @example.com OK
<% @relay_recipients_maps.each do |recipient, action| -%>
<%= recipient %> <%= action %>
<% end -%>
@@ -1,11 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on sender email addresses or domains
# Sender access controls
# Format: sender_pattern action
# Example: spammer@foo.net REJECT
# Example: @badspammer.com REJECT
<% @sender_access_maps.each do |sender, action| -%>
<%= sender %> <%= action %>
<% end -%>
@@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Rewrites sender addresses before sending (address masquerading)
# Sender canonical address mapping
# Format: original_address canonical_address
# Example: user@internal.local user@example.com
<% @sender_canonical_maps.each do |original, canonical| -%>
<%= original %> <%= canonical %>
<% end -%>
@@ -1,11 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Enforces TLS security policies for outbound mail per destination domain
# SMTP TLS policy map for outbound connections
# Format: destination policy
# Example: gmail.com encrypt
# Example: secure-bank.example.com secure
<% @smtp_tls_policy_maps.each do |destination, policy| -%>
<%= destination %> <%= policy %>
<% end -%>
@@ -1,9 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines virtual alias mappings
# Maps email addresses or patterns to target addresses
# Format: alias@foo.net real@corp.foo.net
<% @virtual_alias_maps.each do |source, target| -%>
<%= source %> <%= target %>
<% end -%>
@@ -1,9 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines virtual mailbox mappings for dovecot delivery
# Maps email addresses to maildir paths
# Format: user@domain maildir/path/
<% @virtual_mailbox_maps.each do |email, path| -%>
<%= email %> <%= path %>
<% end -%>
@@ -1,12 +0,0 @@
# a role to deploy a imap/pop3 backend for mail services
class roles::infra::mail::backend {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::dovecot::server
include profiles::postfix::gateway
}
}
@@ -1,11 +0,0 @@
# a role to deploy a dmz mx gateway for mail services
class roles::infra::mail::gateway {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::postfix::gateway
}
}