1 Commits

Author SHA1 Message Date
unkinben 23dd962d89 feat: allow specifying consul addr for exporters
- ensure frr/node exporter reachable on hosts with loopbacks
2025-08-09 17:08:38 +10:00
90 changed files with 125 additions and 2354 deletions
-1
View File
@@ -1 +0,0 @@
sources/
-4
View File
@@ -19,7 +19,6 @@ mod 'puppetlabs-haproxy', '8.2.0'
mod 'puppetlabs-java', '11.1.0'
mod 'puppetlabs-reboot', '5.1.0'
mod 'puppetlabs-docker', '10.2.0'
mod 'puppetlabs-mailalias_core', '1.2.0'
# puppet
mod 'puppet-python', '7.4.0'
@@ -44,8 +43,6 @@ mod 'puppet-letsencrypt', '11.1.0'
mod 'puppet-rundeck', '9.2.0'
mod 'puppet-redis', '11.1.0'
mod 'puppet-nodejs', '11.0.0'
mod 'puppet-postfix', '5.1.0'
mod 'puppet-alternatives', '6.0.0'
# other
mod 'saz-sudo', '9.0.2'
@@ -63,7 +60,6 @@ mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'ssm-crypto_policies', '0.3.3'
mod 'thias-sysctl', '1.0.8'
mod 'cirrax-dovecot', '1.3.3'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
-18
View File
@@ -29,21 +29,3 @@ these steps are required when adding additional puppet masters, as the subject a
sudo systemctl start puppetserver
sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
## troubleshooting
### Issue 1:
[sysadmin@ausyd1nxvm2056 ~]$ sudo puppet agent -t
Error: The CRL issued by 'CN=Puppet CA: prodinf01n01.main.unkin.net' is missing
Find another puppetserver that IS working, copy the `/etc/puppetlabs/puppet/ssl/crl.pem` to this host, run puppet again.
### Issue 2:
[sysadmin@ausyd1nxvm2097 ~]$ sudo puppet agent -t
Error: Failed to parse CA certificates as PEM
The puppet-agents CA cert `/etc/puppetlabs/puppet/ssl/certs/ca.pem` is empty or missing. Grab it from any other host. Run puppet again.
+3 -34
View File
@@ -155,18 +155,6 @@ lookup_options:
zfs::datasets:
merge:
strategy: deep
rke2::config_hash:
merge:
strategy: deep
postfix::configs:
merge:
strategy: deep
postfix::maps:
merge:
strategy: deep
postfix::virtuals:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -185,6 +173,9 @@ profiles::ntp::client::peers:
- 2.au.pool.ntp.org
- 3.au.pool.ntp.org
profiles::base::puppet_servers:
- 'prodinf01n01.main.unkin.net'
consul::install_method: 'package'
consul::manage_repo: false
consul::bin_dir: /usr/bin
@@ -377,28 +368,6 @@ profiles::ceph::client::mons:
- 10.18.15.1
- 10.18.15.2
- 10.18.15.3
profiles::ceph::conf::config:
global:
auth_client_required: 'cephx'
auth_cluster_required: 'cephx'
auth_service_required: 'cephx'
fsid: 'de96a98f-3d23-465a-a899-86d3d67edab8'
mon_allow_pool_delete: true
mon_initial_members: 'prodnxsr0009,prodnxsr0010,prodnxsr0011,prodnxsr0012,prodnxsr0013'
mon_host: '198.18.23.9,198.18.23.10,198.18.23.11,198.18.23.12,198.18.23.13'
ms_bind_ipv4: true
ms_bind_ipv6: false
osd_crush_chooseleaf_type: 1
osd_pool_default_min_size: 2
osd_pool_default_size: 3
osd_pool_default_pg_num: 128
public_network: >
198.18.23.1/32,198.18.23.2/32,198.18.23.3/32,198.18.23.4/32,
198.18.23.5/32,198.18.23.6/32,198.18.23.7/32,198.18.23.8/32,
198.18.23.9/32,198.18.23.10/32,198.18.23.11/32,198.18.23.12/32,
198.18.23.13/32
#profiles::base::hosts::additional_hosts:
# - ip: 198.18.17.9
# hostname: prodinf01n09.main.unkin.net
@@ -10,7 +10,6 @@ profiles::haproxy::dns::vrrp_cnames:
- git.unkin.net
- fafflix.unkin.net
- grafana.unkin.net
- dashboard.ceph.unkin.net
profiles::haproxy::mappings:
fe_http:
@@ -28,7 +27,6 @@ profiles::haproxy::mappings:
- 'fafflix.unkin.net be_jellyfin'
- 'git.unkin.net be_gitea'
- 'grafana.unkin.net be_grafana'
- 'dashboard.ceph.unkin.net be_ceph_dashboard'
fe_https:
ensure: present
mappings:
@@ -44,7 +42,6 @@ profiles::haproxy::mappings:
- 'fafflix.unkin.net be_jellyfin'
- 'git.unkin.net be_gitea'
- 'grafana.unkin.net be_grafana'
- 'dashboard.ceph.unkin.net be_ceph_dashboard'
profiles::haproxy::frontends:
fe_http:
@@ -65,7 +62,6 @@ profiles::haproxy::frontends:
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
- 'acl_gitea req.hdr(host) -i git.unkin.net'
- 'acl_grafana req.hdr(host) -i grafana.unkin.net'
- 'acl_ceph_dashboard req.hdr(host) -i dashboard.ceph.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -83,7 +79,6 @@ profiles::haproxy::frontends:
- 'set-header X-Frame-Options DENY if acl_fafflix'
- 'set-header X-Frame-Options DENY if acl_gitea'
- 'set-header X-Frame-Options DENY if acl_grafana'
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
@@ -267,26 +262,6 @@ profiles::haproxy::backends:
redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
be_ceph_dashboard:
description: Backend for Ceph Dashboard from Mgr instances
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-check:
- expect status 200
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 9443 }
redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
@@ -301,7 +276,6 @@ profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem
# additional altnames
@@ -329,4 +303,3 @@ certbot::client::domains:
- fafflix.unkin.net
- git.unkin.net
- grafana.unkin.net
- dashboard.ceph.unkin.net
+8 -2
View File
@@ -3,8 +3,7 @@
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::version: '7.37.2'
profiles::puppet::agent::openvox_enable: true
profiles::puppet::agent::puppet_version: '7.34.0'
hiera_include:
- profiles::almalinux::base
@@ -54,6 +53,13 @@ profiles::yum::global::repos:
baseurl: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkinben:
name: unkinben
descr: unkinben repository
+1 -1
View File
@@ -11,4 +11,4 @@ profiles::apt::components:
- main
- non-free
profiles::puppet::agent::version: '7.25.0-1bullseye'
profiles::puppet::agent::puppet_version: '7.25.0-1bullseye'
+1 -1
View File
@@ -12,4 +12,4 @@ profiles::apt::components:
- non-free
- non-free-firmware
profiles::puppet::agent::version: 'latest'
profiles::puppet::agent::puppet_version: 'latest'
+4 -4
View File
@@ -70,7 +70,7 @@ profiles::nginx::simpleproxy::locations:
arrstack_web_external:
location_satisfy: any
location_allow:
- 198.18.26.161
- 198.18.27.131
- 198.18.28.165
- 198.18.29.32
- 198.18.13.47
- 198.18.13.50
- 198.18.13.51
- 198.18.13.52
-12
View File
@@ -211,18 +211,6 @@ glauth::users:
loginshell: '/bin/bash'
homedir: '/home/waewak'
passsha256: 'd9bb99634215fe031c3bdca94149a165192fe8384ecaa238a19354c2f760a811'
debvin:
user_name: 'debvin'
givenname: 'Debbie'
sn: 'Vincent'
mail: 'debvin@users.main.unkin.net'
uidnumber: 20009
primarygroup: 20000
othergroups:
- 20010 # jelly
loginshell: '/bin/bash'
homedir: '/home/debvin'
passsha256: 'cdac05ddb02e665d4ea65a974995f38a10236bc158731d92d78f6cde89b294a1'
glauth::services:
svc_jellyfin:
-8
View File
@@ -1,8 +0,0 @@
---
profiles::ceph::rgw::ceph_client_keys:
ausyd1nxvm2115: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAovOUUtTm/9nXWj6D+kVhmbZedVVkA5N80ULNYqISrv0A+KlXCx/V2sB56SpJ9eL6aPHdC+CKkrtrrdo1h2j2em7wTA5ghhbFVF0NIS7bbn0jzpl5YqbUrNxOtDSpjzX1aCGnyMvw69Lp+NcHwxIj+1XFgK6335138s9wbX3HmYF3jcsQkMqTzynELe1OQPWFXVKTjUfFFLdCQOFryp8UY8L9j/PpV6wd4w6p7R6eXhX21rjSaN4aqN1zjsnF2OVhL8Ge0QxMhePWKGOqsUfi72kh3II028DjqU0DcZQvoxnoqRPyUUjysH0nTKoLeXOGNgJdphY1dHBJ+SJnw2gqQDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB9wA3ZJjmU95W+9r8va5uagDAMAv2APfdzrPnAU7NJPL+IW08osGuQWWamqF+XGVeHRoBmoFKwZ7grYRV2e3aabyc=]
ausyd1nxvm2116: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAf5ksy/pyUZSwTh+HiKw+1Uhj16A0DVZEKAbkKUQzXVmc+QpL4Dn7YBoXlEwrY8CcsTrxTQjADvtu9FC3o34QIdh06noSgYYA+7fna2A+9+oYoNtgwC3b8LeglxO/SQ9dKoJ90jRtmlw5P/CtrxA2RelMK6FNRekp1CaWMM4q20fJGgr/E33vgx38UJyp4/q0bTu2lLehCuDUP80j3XGbSNZ2snfYdIo91Cl+nSxLSU2TdnFpWaabsH19HwDnkWGiILlLBVvvhY7copCxs5DS1ueoOTCsqnWSrTrBMJjnu7WZd/s4NLw/0q/UP5xcFA51caY3Kv+sI6bfIYkNoLazwDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDrCF16nrtukRPamx1VbGY+gDAK5dw0kV8MpATpwxTkJG6JtlFlwdpU9THs1bNwqSRD1ZhEWxQeWwsyyTtjUXi4bP8=]
ausyd1nxvm2117: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKtvsgDk2QTmL8flBBE4nA43sRSnroq4I6T2CUAYv/lRdzCCWvE961o/51zyQEz8L5QyDo7L3gcGYIBqthYjRe9Gp5a5d4qds0qskupgQKnb0KR2RLFVUtH5vxHqyJZHjXaP+PQreyRoSIfRWXAdoZu544FeJ9DKKbmEzZaH5B2OdDMrf4Ufuud0maEAw0PJthS//ghCfGi74F1xlJnIWVvMhp66b0iMxC+ACClEHunG3oKx7M/w05HllG0wcxPTg4PFrbnFXjRuIxsykF9aVHJkRnCdgbMXRM4o6FrYyZRR74F1HKRujFCUA7kYWDKLxHxJpYCvCHp4HMhfzjs824zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBbaSig6kgVVNfmSI53sNimgDDQ5O10Dzfa7S7RdJVLLUFBaZ5TG2g3Bwmy0k3wKZvABYMuYyOxQdfk6eMsKC+sC5w=]
ausyd1nxvm2118: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdKl0ude3ZxW0ihyA758mpQp43qZvzTI2Bp83WzCp2ifJCgAIjRWdd01P64rSHaa4lus/wqB9jxg38g6DrN4ejX56Y/CJ6GQKxz6b1BO5nDfsLx6QEzCt+cfg5d/PPoTtEpz2VSvDfxFUrHiABA6++Sqzb9Og+nQCFMYJD3NHCk67QpkjPGQ/ejZk4MNXZQVCfKOlFqay/fF0jEmQixFOlX/Fdm9UoKttbrKluUmzpaVUzfGRaTTFVgzc3x2t/z1q1k0P7ClI9Uu02kUXpFVs9LPX99Zc2GtrnP06mYqqARhWF1NMK0zlmxtKpfObahRP/HmtI3fgnQsU1Cpwah0emTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAILqpYx3FKY3xXLJRu2oDlgDCIOXeX6hxpu0qpj5c/9jMUSeV2DIydnxO+MiT3mceS50ip8B+zGQy5UedPmLt36Zs=]
ausyd1nxvm2119: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEASlZglUxazp+9azfV3QkgRv+ACo+MH0RO5b18blbelgdmr38iwK7MwwEFpEfVJEyc/ph9RunWwrMmofDQHj5bBribfzZ2pH2CGiOrR0i5lZMtN0yQXPBA/+jm1Pi1AWGJLtoquuhMbibuHOTiXwBCBVrHHHaFTR5Xt34ABN/p/mCaG+N9nWux93msHCCextCalKBMmPhmI2q6HodfjanEVgYAe3/5hRPnpsi6IGSDNGygsTC3MG+hjGMpNF8izbwk9Lpzn6kY51aeNxI2ed9Jm8UZ/k+8b+o7ZQyWIBbf7DTFpEzk4G46puaDbXIorBWQ4azCjN3gt8VB91hwihtzcDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6U+9z4cSzMTA1z9bmoX82gDBfy5zbRPK8GxImJo6evecMOTtaY2c4aEnESXtGBCS02enmxljv9dv1UYQD0/a6S3A=]
-60
View File
@@ -1,60 +0,0 @@
---
hiera_include:
- profiles::ceph::rgw
- profiles::nginx::simpleproxy
profiles::ceph::rgw::enable: true
# FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
python::manage_dev_package: false
# additional altnames
profiles::pki::vault::alt_names:
- radosgw.main.unkin.net
- radosgw.service.consul
- radosgw.query.consul
- "radosgw.service.%{facts.country}-%{facts.region}.consul"
# additional repos
profiles::yum::global::repos:
ceph:
name: ceph
descr: ceph repository
target: /etc/yum.repos.d/ceph.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download.ceph.com/keys/release.asc
mirrorlist: absent
ceph-noarch:
name: ceph-noarch
descr: ceph-noarch repository
target: /etc/yum.repos.d/ceph-noarch.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
gpgkey: https://download.ceph.com/keys/release.asc
mirrorlist: absent
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'radosgw.service.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- radosgw.service.au-syd1.consul
profiles::nginx::simpleproxy::proxy_port: 7480
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 100M
# manage consul service
consul::services:
radosgw:
service_name: 'radosgw'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'radosgw_https_check'
name: 'RADOSGW HTTPS Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: radosgw
disposition: write
+1 -3
View File
@@ -2,7 +2,6 @@
hiera_include:
- docker
- profiles::gitea::runner
- incus::client
docker::version: latest
docker::curl_ensure: false
@@ -40,8 +39,7 @@ profiles::gitea::runner::config:
privileged: false
options:
workdir_parent: /workspace
valid_volumes:
- /etc/pki/tls/vault
valid_volumes: []
docker_host: ""
force_pull: true
force_rebuild: false
+3 -7
View File
@@ -6,7 +6,6 @@ hiera_include:
- zfs
- profiles::ceph::node
- profiles::ceph::client
- profiles::ceph::dashboard
- profiles::storage::cephfsvols
- exporters::frr_exporter
@@ -37,7 +36,6 @@ profiles::ssh::sign::principals:
- "%{facts.networking.interfaces.enp3s0.ip}"
# configure consul service
profiles::consul::client::host_addr: "%{hiera('networking_loopback0_ip')}"
consul::services:
incus:
service_name: 'incus'
@@ -123,9 +121,6 @@ profiles::yum::global::repos:
# dns
profiles::dns::base::primary_interface: loopback0
# dashboard/haproxy
profiles::ceph::dashboard::ipaddress: "%{hiera('networking_loopback0_ip')}"
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
@@ -155,11 +150,12 @@ networking::interfaces:
netmask: 255.255.255.255
mtu: 1500
exporters::node_exporter::addr: "%{hiera('networking_loopback0_ip')}"
# frrouting
exporters::frr_exporter::enable: true
exporters::frr_exporter::addr: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospf_preferred_source_enable: true
frrouting::ospf_preferred_source: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
-1
View File
@@ -1 +0,0 @@
rke2::node_token: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOD+w5nJFqEYWFj+tZQ65Oi19eDhaWtpLQ0gwEdBtMmY9sPJ63l1q2qH933NH6TOd1UlMDvGfoDLCae+yt/MAW//cJ15X3QbiVQ23DdfCOlUEZN6fjVrveEt/yIeFQmWvnkMS4pRfPbgQu2OHm37PpuPE7s6dUyGItAYjchrRhtQ7ibhXDnN7miG+oVRXP2T8b/V5WPdmA222DSV6r/AnqaWkna9W/oh/I2sNKeEm5q3f8bh8Gxt1dDy3VwaZ3lAh3uR+SUm7P/6PTYw8opxiumFBvos0mRiXIdOwUuqrAS8hafWBhxnDLlTBfz62Nc4wQmQ8gz0bHJZSipH9G6mIEDCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ2WG6ROWFlQdXx0TuO5oABoBwTDtAXIj7y6I1B3zCnFoMHETf5d7ulPGdgwZsENf0UIHpg2l0w503MUHHbu6YDFiDiTE0oDNJPVHid7TO+XwWFgh5v1MWi/XeEBgCs6nMCW8qkX0Z3UXaZdSBUll1M4sRtuqscBnoD/LLs2kKfxrqQg==]
-168
View File
@@ -1,168 +0,0 @@
---
hiera_include:
- profiles::selinux::setenforce
- profiles::ceph::node
- profiles::ceph::client
- exporters::frr_exporter
- frrouting
- rke2
# manage rke2
rke2::bootstrap_node: prodnxsr0001.main.unkin.net
rke2::join_url: https://join-k8s.service.consul:9345
rke2::config_hash:
bind-address: "%{hiera('networking_loopback0_ip')}"
node-ip: "%{hiera('networking_loopback0_ip')}"
node-external-ip: "%{hiera('networking_loopback0_ip')}"
write-kubeconfig-mode: 644
kubelet-arg:
- '--node-status-update-frequency=4s'
- '--max-pods=100'
node-label:
- "region=%{facts.region}"
- "country=%{facts.country}"
- "asset=%{facts.dmi.product.serial_number}"
- "zone=%{zone}"
# FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
python::manage_dev_package: false
profiles::packages::include:
bridge-utils: {}
cephadm: {}
profiles::selinux::setenforce::mode: disabled
profiles::ceph::client::manage_ceph_conf: false
profiles::ceph::client::manage_ceph_package: false
profiles::ceph::client::manage_ceph_paths: false
profiles::ceph::client::fsid: 'de96a98f-3d23-465a-a899-86d3d67edab8'
profiles::ceph::client::mons:
- 198.18.23.9
- 198.18.23.10
- 198.18.23.11
- 198.18.23.12
- 198.18.23.13
# additional repos
profiles::yum::global::repos:
ceph:
name: ceph
descr: ceph repository
target: /etc/yum.repos.d/ceph.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download.ceph.com/keys/release.asc
mirrorlist: absent
ceph-noarch:
name: ceph-noarch
descr: ceph-noarch repository
target: /etc/yum.repos.d/ceph-noarch.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
gpgkey: https://download.ceph.com/keys/release.asc
mirrorlist: absent
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
rancher-rke2-common-latest:
name: rancher-rke2-common-latest
descr: rancher-rke2-common-latest
target: /etc/yum.repos.d/rke2-common.repo
baseurl: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/common-daily/x86_64/os/
gpgkey: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/common-daily/x86_64/os/public.key
mirrorlist: absent
rancher-rke2-1-33-latest:
name: rancher-rke2-1-33-latest
descr: rancher-rke2-1-33-latest
target: /etc/yum.repos.d/rke2-1-33.repo
baseurl: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/1.33-daily/x86_64/os/
gpgkey: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/1.33-daily/x86_64/os/public.key
mirrorlist: absent
# dns
profiles::dns::base::primary_interface: loopback0
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
"%{hiera('networking_1000_iface')}":
type: physical
ipaddress: "%{hiera('networking_1000_ip')}"
gateway: 198.18.15.254
txqueuelen: 10000
forwarding: true
"%{hiera('networking_2500_iface')}":
type: physical
ipaddress: "%{hiera('networking_2500_ip')}"
mtu: 1500
txqueuelen: 10000
forwarding: true
loopback0:
type: dummy
ipaddress: "%{hiera('networking_loopback0_ip')}"
netmask: 255.255.255.255
mtu: 1500
loopback1:
type: dummy
ipaddress: "%{hiera('networking_loopback1_ip')}"
netmask: 255.255.255.255
mtu: 1500
loopback2:
type: dummy
ipaddress: "%{hiera('networking_loopback2_ip')}"
netmask: 255.255.255.255
mtu: 1500
# configure consul service
profiles::consul::client::host_addr: "%{hiera('networking_loopback0_ip')}"
profiles::consul::client::node_rules:
- resource: service
segment: frr_exporter
disposition: write
# frrouting
exporters::frr_exporter::enable: true
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospf_preferred_source_enable: true
frrouting::ospf_preferred_source: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
"%{hiera('networking_1000_iface')}":
area: 0.0.0.0
"%{hiera('networking_2500_iface')}":
area: 0.0.0.0
loopback0:
area: 0.0.0.0
loopback1:
area: 0.0.0.0
loopback2:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
frrouting::ospf_exclude_k8s_enable: true
frrouting::k8s_cluster_cidr: '10.42.0.0/16' # RKE2 cluster-cidr (pods)
frrouting::k8s_service_cidr: '10.43.0.0/16' # RKE2 service-cidr
# add loopback interfaces to ssh list
ssh::server::options:
ListenAddress:
- "%{hiera('networking_loopback0_ip')}"
- "%{hiera('networking_1000_ip')}"
- "%{hiera('networking_2500_ip')}"
profiles::ssh::sign::principals:
- "%{hiera('networking_loopback0_ip')}"
- "%{hiera('networking_1000_ip')}"
- "%{hiera('networking_2500_ip')}"
+9 -2
View File
@@ -1,3 +1,10 @@
---
# manage rke2
rke2::node_type: agent
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
mtu: 1500
-1
View File
@@ -1 +0,0 @@
---
+29 -65
View File
@@ -1,78 +1,42 @@
---
# manage rke2
rke2::node_type: server
rke2::helm_install: true
rke2::helm_repos:
rancher-stable: https://releases.rancher.com/server-charts/stable
purelb: https://gitlab.com/api/v4/projects/20400619/packages/helm/stable
jetstack: https://charts.jetstack.io
harbor: https://helm.goharbor.io
traefik: https://traefik.github.io/charts
hashicorp: https://helm.releases.hashicorp.com
rke2::extra_config_files:
- rke2-canal-config
- rke2-nginx-ingress-config
rke2::config_hash:
advertise-address: "%{hiera('networking_loopback0_ip')}"
tls-san:
- "join-k8s.service.consul"
- "api-k8s.service.consul"
- "api.k8s.unkin.net"
- "join.k8s.unkin.net"
cni: canal
cluster-cidr: 10.42.0.0/16
service-cidr: 10.43.0.0/16
cluster-dns: 10.43.0.10
etcd-arg: "--quota-backend-bytes 2048000000"
etcd-snapshot-schedule-cron: "0 3 * * *"
etcd-snapshot-retention: 10
kube-apiserver-arg:
- '--default-not-ready-toleration-seconds=30'
- '--default-unreachable-toleration-seconds=30'
kube-controller-manager-arg:
- '--node-monitor-period=4s'
protect-kernel-defaults: true
disable-kube-proxy: false
profiles::pki::vault::alt_names:
- k8s-control.service.consul
- k8s-control.query.consul
- "k8s-control.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- k8s-control.service.consul
- k8s-control.query.consul
- "k8s-control.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
api-k8s:
service_name: 'api-k8s'
k8s-control:
service_name: 'k8s-control'
tags:
- 'k8s'
- 'container'
address: "%{facts.networking.fqdn}"
port: 6443
checks:
- id: 'api-k8s_livez_check'
name: 'api-k8s livez Check'
args:
- sudo
- /usr/local/bin/check_k8s_api.sh
interval: '10s'
timeout: '1s'
join-k8s:
service_name: 'join-k8s'
address: "%{facts.networking.fqdn}"
port: 9345
checks:
- id: 'rke2_tcp_check_9345'
name: 'rke2 TCP Check 9345'
tcp: "%{hiera('networking_loopback0_ip')}:9345"
- id: 'k8s-control_https_check'
name: 'k8s-control HTTPS Check'
http: "https://%{facts.networking.fqdn}:6443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: api-k8s
disposition: write
- resource: service
segment: join-k8s
segment: k8s-control
disposition: write
profiles::pki::vault::alt_names:
- api-k8s.service.consul
- api-k8s.query.consul
- "api-k8s.service.%{facts.country}-%{facts.region}.consul"
sudo::configs:
consul-checks:
priority: 20
content: |
consul ALL=(ALL) NOPASSWD: /usr/local/bin/check_k8s_api.sh
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
mtu: 1500
+4 -71
View File
@@ -5,24 +5,6 @@ hiera_include:
- profiles::ceph::node
- profiles::ceph::client
- exporters::frr_exporter
- profiles::rke2::node
# manage rke2
profiles::rke2::node::servers:
- prodnxsr0001.main.unkin.net
- prodnxsr0002.main.unkin.net
- prodnxsr0003.main.unkin.net
rke2::config_hash:
bind-address: "%{hiera('networking_loopback0_ip')}"
advertise-address: "%{hiera('networking_loopback0_ip')}"
node-ip: "%{hiera('networking_loopback0_ip')}"
node-external-ip: "%{hiera('networking_loopback0_ip')}"
cluster-domain: "svc.k8s.unkin.net"
tls-san:
- "api.k8s.unkin.net"
- "join.k8s.unkin.net"
cni: cilium
# FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
python::manage_dev_package: false
@@ -43,7 +25,6 @@ profiles::ceph::client::mons:
- 198.18.23.11
- 198.18.23.12
- 198.18.23.13
# additional repos
profiles::yum::global::repos:
ceph:
@@ -74,20 +55,6 @@ profiles::yum::global::repos:
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
rancher-rke2-common-latest:
name: rancher-rke2-common-latest
descr: rancher-rke2-common-latest
target: /etc/yum.repos.d/rke2-common.repo
baseurl: https://rpm.rancher.io/rke2/latest/common/centos/%{facts.os.release.major}/noarch
gpgkey: https://rpm.rancher.io/public.key
mirrorlist: absent
rancher-rke2-1-33-latest:
name: rancher-rke2-1-33-latest
descr: rancher-rke2-1-33-latest
target: /etc/yum.repos.d/rke2-1-33.repo
baseurl: https://rpm.rancher.io/rke2/latest/1.33/centos/%{facts.os.release.major}/x86_64
gpgkey: https://rpm.rancher.io/public.key
mirrorlist: absent
# dns
profiles::dns::base::primary_interface: loopback0
@@ -124,47 +91,18 @@ networking::interfaces:
netmask: 255.255.255.255
mtu: 1500
# configure consul service
profiles::consul::client::host_addr: "%{hiera('networking_loopback0_ip')}"
consul::services:
api-k8s:
service_name: 'api-k8s'
address: "%{facts.networking.fqdn}"
port: 6443
checks:
- id: 'api-k8s_https_check'
name: 'api-k8s HTTPS Check'
http: "https://%{facts.networking.fqdn}:6443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
join-k8s:
service_name: 'join-k8s'
address: "%{facts.networking.fqdn}"
port: 9345
checks:
- id: 'etcd_tcp_check_9345'
name: 'ETCD TCP Check 9345'
tcp: "%{facts.networking.fqdn}:9345"
interval: '10s'
timeout: '1s'
# consul
profiles::consul::client::node_rules:
- resource: service
segment: api-k8s
disposition: write
- resource: service
segment: join-k8s
disposition: write
- resource: service
segment: frr_exporter
disposition: write
exporters::node_exporter::addr: "%{hiera('networking_loopback0_ip')}"
# frrouting
exporters::frr_exporter::enable: true
exporters::frr_exporter::addr: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospf_preferred_source_enable: true
frrouting::ospf_preferred_source: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
@@ -192,8 +130,3 @@ profiles::ssh::sign::principals:
- "%{hiera('networking_loopback0_ip')}"
- "%{hiera('networking_1000_ip')}"
- "%{hiera('networking_2500_ip')}"
profiles::pki::vault::alt_names:
- api-k8s.service.consul
- api-k8s.query.consul
- "api-k8s.service.%{facts.country}-%{facts.region}.consul"
-20
View File
@@ -1,20 +0,0 @@
---
# Common mail server configuration
# base postfix configuration (passed to postfix class)
postfix::relayhost: 'direct'
postfix::myorigin: 'main.unkin.net'
postfix::manage_aliases: true
# Common postfix virtuals for all mail servers
postfix::virtuals:
'root':
ensure: present
destination: 'ben@main.unkin.net'
'postmaster':
ensure: present
destination: 'ben@main.unkin.net'
'abuse':
ensure: present
destination: 'ben@main.unkin.net'
-87
View File
@@ -1,87 +0,0 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- mail.main.unkin.net
# manage dovecot
dovecot::install::packages:
- dovecot
- dovecot-pgsql
profiles::dovecot::server::maildir_path: "%{hiera('profiles::postfix::gateway::virtual_mailbox_base')}"
#dovecot::config:
# auth.conf:
# values:
# auth_mechanisms: 'plain login'
# auth_username_format: '%Lu'
# auth_default_realm: 'main.unkin.net'
# auth-vmail.conf:
# values:
# passdb: |
# {
# driver = pam
# }
# userdb: |
# {
# driver = passwd
# override_fields = uid=vmail gid=vmail home=/shared/apps/maildata/%u
# }
# mail.conf:
# values:
# mail_plugins: '$mail_plugins'
# namespace inbox: |
# {
# inbox = yes
# location =
# mailbox Drafts {
# special_use = \Drafts
# }
# mailbox Junk {
# special_use = \Junk
# }
# mailbox Sent {
# special_use = \Sent
# }
# mailbox "Sent Messages" {
# special_use = \Sent
# }
# mailbox Trash {
# special_use = \Trash
# }
# }
# sections:
# - name: 'namespace inbox'
# values:
# 'inbox': 'yes'
# 'seperator': '.'
# 'prefix': 'INBOX'
# backend-specific postfix configuration
postfix::mydestination: 'localhost'
postfix::mynetworks: '127.0.0.0/8 [::1]/128 10.10.12.0/24'
postfix::smtp_listen: ['0.0.0.0', '::']
postfix::use_dovecot_lda: true # use built-in dovecot LDA support
postfix::mail_user: 'vmail:vmail'
profiles::postfix::gateway::enable_postscreen: false # disable postscreen (backend doesn't need it)
profiles::postfix::gateway::myhostname: 'mail.main.unkin.net'
profiles::postfix::gateway::enable_dovecot: true # enable dovecot integration
profiles::postfix::gateway::virtual_mailbox_domains:
- 'main.unkin.net'
profiles::postfix::gateway::virtual_mailbox_base: '/shared/apps/maildata'
profiles::postfix::gateway::virtual_mailbox_maps:
'ben@main.unkin.net': 'main.unkin.net/ben/'
'root@main.unkin.net': 'main.unkin.net/ben/'
'postmaster@main.unkin.net': 'main.unkin.net/ben/'
'abuse@main.unkin.net': 'main.unkin.net/ben/'
profiles::postfix::gateway::smtpd_client_restrictions:
- 'permit_mynetworks'
- 'reject_unauth_destination'
profiles::postfix::gateway::smtpd_sender_restrictions:
- 'permit_mynetworks'
- 'reject_non_fqdn_sender'
profiles::postfix::gateway::smtpd_recipient_restrictions:
- 'permit_mynetworks'
- 'reject_non_fqdn_recipient'
- 'reject_unauth_destination'
-34
View File
@@ -1,34 +0,0 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- in-mta.main.unkin.net
# gateway-specific postfix configuration
postfix::mydestination: 'blank'
postfix::mynetworks: '127.0.0.0/8 [::1]/128'
postfix::smtp_listen: '0.0.0.0'
postfix::mta: true
profiles::postfix::gateway::myhostname: 'in-mta.main.unkin.net'
profiles::postfix::gateway::relay_recipients_maps:
'@main.unkin.net': 'OK'
profiles::postfix::gateway::relay_domains_maps:
'main.unkin.net': 'OK'
profiles::postfix::gateway::postscreen_access_maps:
'127.0.0.1/32': 'permit'
'10.10.12.200/32': 'permit'
profiles::postfix::gateway::helo_access_maps:
'.dynamic.': 'REJECT'
'.dialup.': 'REJECT'
'unknown': 'REJECT'
'localhost': 'REJECT You are not localhost'
# postfix transports
postfix::transports:
'main.unkin.net':
ensure: present
destination: 'relay'
nexthop: 'ausyd1nxvm2120.main.unkin.net:25'
@@ -11,9 +11,6 @@ profiles::metrics::grafana::db_name: "%{hiera('profiles::sql::postgresdb::dbname
profiles::metrics::grafana::db_user: "%{hiera('profiles::sql::postgresdb::dbuser')}"
profiles::metrics::grafana::db_pass: "%{hiera('profiles::sql::postgresdb::dbpass')}"
profiles::metrics::grafana::pgsql_backend: true
profiles::metrics::grafana::plugins:
victoriametrics-logs-datasource:
ensure: present
# additional altnames
profiles::pki::vault::alt_names:
-1
View File
@@ -15,4 +15,3 @@ certbot::domains:
- fafflix.unkin.net
- git.unkin.net
- grafana.unkin.net
- dashboard.ceph.unkin.net
+1 -1
View File
@@ -1,3 +1,3 @@
---
profiles::packages::include:
openvox-server: {}
puppetserver: {}
@@ -283,20 +283,6 @@ profiles::reposync::repos_list:
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
rke2_common_el9:
repository: 'common'
description: 'RKE2 common RHEL 9'
osname: 'rke2'
release: "rhel9"
baseurl: "https://rpm.rancher.io/rke2/latest/common/centos/9/noarch"
gpgkey: "https://rpm.rancher.io/public.key"
rke2_1_33_el9:
repository: '1.33'
description: 'RKE2 1.33 RHEL 9'
osname: 'rke2'
release: "rhel9"
baseurl: "https://rpm.rancher.io/rke2/latest/1.33/centos/9/x86_64"
gpgkey: "https://rpm.rancher.io/public.key"
zfs_dkms_rhel8:
repository: 'dkms'
description: 'ZFS DKMS RHEL 8'
+1 -2
View File
@@ -4,8 +4,7 @@ profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault
profiles::vault::server::manage_storage_dir: true
profiles::vault::server::tls_disable: false
vault::package_name: openbao
vault::package_ensure: 2.4.1
vault::download_url: http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/vault_1.15.5_linux_amd64.zip
# additional altnames
profiles::pki::vault::alt_names:
+2 -9
View File
@@ -4,6 +4,7 @@ class exporters::frr_exporter (
String $group = 'frr_exporter',
Boolean $manage_user = true,
Boolean $manage_service = true,
Stdlib::Host $addr = $facts['networking']['ip'],
Stdlib::Port $port = 9342,
Stdlib::Absolutepath $exec_path = '/usr/bin/frr_exporter',
Stdlib::Absolutepath $socket_dir = '/var/run/frr',
@@ -16,14 +17,6 @@ class exporters::frr_exporter (
ensure => installed,
}
# ensure the frr_exporter user can read the directory
file { $socket_dir:
ensure => directory,
owner => 'frr',
group => 'frr',
mode => '0751',
}
# manage the user/group
if $manage_user {
group { $group:
@@ -53,7 +46,7 @@ class exporters::frr_exporter (
# manage consul service
consul::service { 'frr_exporter':
service_name => 'frr_exporter',
address => $facts['networking']['ip'],
address => $addr,
port => $port,
tags => [
'metrics',
+2 -1
View File
@@ -4,6 +4,7 @@ class exporters::node_exporter (
String $group = 'node_exporter',
Boolean $manage_user = true,
Boolean $manage_service = true,
Stdlib::Host $addr = $facts['networking']['ip'],
Stdlib::Port $port = 9100,
Stdlib::Absolutepath $exec_path = '/usr/bin/node_exporter',
Boolean $cleanup_old_node_exporter = false,
@@ -58,7 +59,7 @@ class exporters::node_exporter (
# manage consul service
consul::service { 'node_exporter':
service_name => 'node_exporter',
address => $facts['networking']['ip'],
address => $addr,
port => $port,
tags => [
'metrics',
-10
View File
@@ -14,18 +14,8 @@ class frrouting (
Optional[String] $mpls_ldp_router_id = undef,
Optional[String] $mpls_ldp_transport_addr = undef,
Array[String] $mpls_ldp_interfaces = [],
Boolean $ospf_preferred_source_enable = false,
Optional[Stdlib::IP::Address] $ospf_preferred_source = undef,
Boolean $ospf_exclude_k8s_enable = false,
Optional[Stdlib::IP::Address::V4::CIDR] $k8s_cluster_cidr = undef, # pod/cluster CIDR (e.g. 10.42.0.0/16)
Optional[Stdlib::IP::Address::V4::CIDR] $k8s_service_cidr = undef, # service CIDR (e.g. 10.43.0.0/16)
) {
# sanity check
if $ospf_exclude_k8s_enable and $k8s_cluster_cidr == undef and $k8s_service_cidr == undef {
warning('frrouting: ospf_exclude_k8s_enable is true but no k8s_*_cidr provided; nothing will be filtered.')
}
$daemons_defaults = {
'bgpd' => false,
'ospfd' => true,
-32
View File
@@ -2,7 +2,6 @@
frr defaults traditional
hostname <%= @hostname %>
no ipv6 forwarding
<% @ospfd_interfaces.each do |iface, params| -%>
interface <%= iface %>
<% if params['area'] -%>
@@ -13,31 +12,12 @@ interface <%= iface %>
<% end -%>
exit
<% end -%>
<%# ---- K8s exclude (prefix-list + route-map) ---- -%>
<% if @ospf_exclude_k8s_enable && (@k8s_cluster_cidr || @k8s_service_cidr) -%>
! Do not redistribute Kubernetes Pod/Service CIDRs
ip prefix-list K8S-BLOCK seq 5 permit <%= @k8s_cluster_cidr %> le 32<% if !@k8s_cluster_cidr %> ! (unset)<% end %>
<% if @k8s_service_cidr -%>
ip prefix-list K8S-BLOCK seq 10 permit <%= @k8s_service_cidr %> le 32
<% end -%>
route-map CONNECTED-NON-K8S deny 5
match ip address prefix-list K8S-BLOCK
exit
route-map CONNECTED-NON-K8S permit 100
exit
<% end -%>
router ospf
ospf router-id <%= @ospfd_router_id %>
log-adjacency-changes detail
<% @ospfd_redistribute.each do |type| -%>
<% if @ospf_exclude_k8s_enable && type == 'connected' && (@k8s_cluster_cidr || @k8s_service_cidr) -%>
redistribute connected route-map CONNECTED-NON-K8S
<% else -%>
redistribute <%= type %>
<% end -%>
<% end -%>
<% @ospfd_networks.each do |network| -%>
network <%= network %>
<% end -%>
@@ -51,8 +31,6 @@ router ospf
mpls-te inter-as area 0.0.0.0
<% end -%>
exit
<%# ---- MPLS/LDP config ---- -%>
<% if @mpls_ldp_router_id and @mpls_ldp_transport_addr and @mpls_ldp_interfaces.any? -%>
mpls ldp
router-id <%= @mpls_ldp_router_id %>
@@ -65,13 +43,3 @@ mpls ldp
exit-address-family
exit
<% end -%>
<%# ---- Preferred OSPF source ---- -%>
<% if @ospf_preferred_source_enable && @ospf_preferred_source -%>
ip prefix-list ANY seq 5 permit 0.0.0.0/0 le 32
route-map OSPF-SRC permit 10
match ip address prefix-list ANY
set src <%= @ospf_preferred_source %>
exit
ip protocol ospf route-map OSPF-SRC
<% end -%>
@@ -1,28 +0,0 @@
# frozen_string_literal: true
# lib/facter/incus_trust_list.rb
require 'json'
Facter.add(:incus_trust_list) do
confine do
# Only run on systems that have incus installed and running
incus_path = Facter::Util::Resolution.which('incus')
incus_path && File.exist?('/var/lib/incus/server.key')
end
setcode do
incus_path = Facter::Util::Resolution.which('incus')
next {} unless incus_path
begin
# Run incus config trust list --format=json
trust_output = Facter::Core::Execution.execute("#{incus_path} config trust list --format=json")
next {} if trust_output.empty?
# Parse the JSON output
JSON.parse(trust_output)
rescue StandardError
{}
end
end
end
-16
View File
@@ -1,16 +0,0 @@
# incus::client
#
# This class configures a host as an incus client and exports its certificate
# for automatic trust management on incus servers.
#
class incus::client {
# Export this client's certificate for collection by incus servers
@@incus::client_cert { $facts['networking']['fqdn']:
hostname => $facts['networking']['fqdn'],
certificate => $facts['vault_cert_content'],
fingerprint => $facts['vault_cert_fingerprint'],
tag => 'incus_client',
}
}
-41
View File
@@ -1,41 +0,0 @@
# Define the exported resource type for incus client certificates
define incus::client_cert (
String $hostname,
Optional[String] $certificate = undef,
Optional[String] $fingerprint = undef,
) {
# Only proceed if we have both certificate and fingerprint
if $certificate and $fingerprint {
$trust_list = $facts['incus_trust_list']
$existing_client = $trust_list.filter |$client| { $client['name'] == $hostname }
if $existing_client.empty {
# Add new certificate
exec { "incus_trust_add_${hostname}":
path => ['/bin', '/usr/bin'],
command => "echo '${certificate}' > /tmp/${hostname}.crt && \
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
rm -f /tmp/${hostname}.crt",
unless => "incus config trust list --format=json | grep '\"name\":\"${hostname}\"'",
}
} else {
# Check if fingerprints are different
$existing_fingerprint = $existing_client[0]['fingerprint']
if $existing_fingerprint != $fingerprint {
# Remove existing and add new certificate only if fingerprints differ
exec { "incus_trust_update_${hostname}":
path => ['/bin', '/usr/bin'],
command => "incus config trust remove ${existing_fingerprint} && \
echo '${certificate}' > /tmp/${hostname}.crt && \
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
rm -f /tmp/${hostname}.crt",
onlyif => "incus config trust list --format=json | grep '${existing_fingerprint}'",
}
}
# If fingerprints match, do nothing (certificate is already correct)
}
}
}
-25
View File
@@ -21,10 +21,6 @@ class incus (
enable => true,
hasstatus => true,
hasrestart => true,
subscribe => [
File['/var/lib/incus/server.crt'],
File['/var/lib/incus/server.key'],
],
}
file_line { 'subuid_root':
@@ -59,22 +55,6 @@ class incus (
}
}
file { '/var/lib/incus/server.crt':
ensure => file,
source => '/etc/pki/tls/vault/certificate.crt',
owner => 'root',
group => 'root',
mode => '0644',
}
file { '/var/lib/incus/server.key':
ensure => file,
source => '/etc/pki/tls/vault/private.key',
owner => 'root',
group => 'root',
mode => '0600',
}
if $facts['incus'] and $facts['incus']['config'] {
# set core.https_address
if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
@@ -92,10 +72,5 @@ class incus (
}
}
}
# Collect exported client certificates and manage trust
Incus::Client_cert <<| tag == 'incus_client' |>> {
require => Service['incus'],
}
}
}
@@ -1,11 +0,0 @@
# frozen_string_literal: true
# lib/facter/vault_cert_content.rb
Facter.add(:vault_cert_content) do
confine kernel: 'Linux'
setcode do
cert_path = '/etc/pki/tls/vault/certificate.crt'
File.read(cert_path) if File.exist?(cert_path) && File.readable?(cert_path)
end
end
@@ -1,23 +0,0 @@
# frozen_string_literal: true
# lib/facter/vault_cert_fingerprint.rb
Facter.add(:vault_cert_fingerprint) do
confine kernel: 'Linux'
setcode do
require 'openssl'
require 'digest'
cert_path = '/etc/pki/tls/vault/certificate.crt'
if File.exist?(cert_path) && File.readable?(cert_path)
begin
cert_content = File.read(cert_path)
cert = OpenSSL::X509::Certificate.new(cert_content)
# Calculate SHA256 fingerprint like incus does
Digest::SHA256.hexdigest(cert.to_der)
rescue StandardError
nil
end
end
end
end
-2
View File
@@ -1,2 +0,0 @@
#!/usr/bin/bash
/var/lib/rancher/rke2/bin/kubectl --kubeconfig=/etc/rancher/rke2/rke2.yaml get --raw /livez
@@ -1,23 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rancher
namespace: cattle-system
annotations:
kubernetes.io/ingress.class: nginx
spec:
tls:
- hosts: [rancher.main.unkin.net]
secretName: tls-rancher
rules:
- host: rancher.main.unkin.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: rancher
port:
number: 80
-45
View File
@@ -1,45 +0,0 @@
apiVersion: purelb.io/v1
kind: LBNodeAgent
metadata:
name: common
namespace: purelb
spec:
local:
extlbint: kube-lb0
localint: default
sendgarp: false
---
apiVersion: purelb.io/v1
kind: LBNodeAgent
metadata:
name: dmz
namespace: purelb
spec:
local:
extlbint: kube-lb0
localint: default
sendgarp: false
---
apiVersion: purelb.io/v1
kind: ServiceGroup
metadata:
name: dmz
namespace: purelb
spec:
local:
v4pools:
- subnet: 198.18.199.0/24
pool: 198.18.199.0/24
aggregation: /32
---
apiVersion: purelb.io/v1
kind: ServiceGroup
metadata:
name: common
namespace: purelb
spec:
local:
v4pools:
- subnet: 198.18.200.0/24
pool: 198.18.200.0/24
aggregation: /32
@@ -1,9 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-canal
namespace: kube-system
spec:
valuesContent: |-
flannel:
iface: "loopback0"
@@ -1,20 +0,0 @@
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-ingress-nginx
namespace: kube-system
spec:
valuesContent: |-
controller:
hostPort:
enabled: false
service:
enabled: true
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerClass: purelb.io/purelb
allocateLoadBalancerNodePorts: false
annotations:
purelb.io/service-group: common
purelb.io/addresses: "198.18.200.0"
-15
View File
@@ -1,15 +0,0 @@
# frozen_string_literal: true
require 'facter/util/helm'
Facter.add(:helm_repos) do
confine kernel: 'Linux'
confine enc_role: [
'roles::infra::k8s::control',
'roles::infra::k8s::compute'
]
setcode do
Facter::Util::Helm.get_helm_repos('/usr/bin/helm')
end
end
-39
View File
@@ -1,39 +0,0 @@
# frozen_string_literal: true
require 'json'
require 'open3'
Facter.add(:k8s_masters) do
confine do
File.exist?('/etc/rancher/rke2/rke2.yaml') &&
File.executable?('/usr/bin/kubectl')
end
setcode do
env = { 'KUBECONFIG' => '/etc/rancher/rke2/rke2.yaml' }
cmd = ['/usr/bin/kubectl', 'get', 'nodes', '-o', 'json']
stdout, stderr, status = Open3.capture3(env, *cmd)
if status.success?
json = JSON.parse(stdout)
master_count = json['items'].count do |item|
roles = item.dig('metadata', 'labels') || {}
# Look for well-known labels assigned to control-plane nodes
roles.any? do |key, _|
key =~ %r{node-role\.kubernetes\.io/(control-plane|master|etcd)}
end
end
master_count
else
Facter.debug("kubectl error: #{stderr}")
0
end
rescue StandardError => e
Facter.debug("Exception in k8s_masters fact: #{e.message}")
0
end
end
-29
View File
@@ -1,29 +0,0 @@
# frozen_string_literal: true
require 'json'
require 'open3'
Facter.add(:k8s_namespaces) do
confine do
File.exist?('/etc/rancher/rke2/rke2.yaml') &&
File.executable?('/usr/bin/kubectl') # Adjust this path if needed
end
setcode do
env = { 'KUBECONFIG' => '/etc/rancher/rke2/rke2.yaml' }
cmd = ['/usr/bin/kubectl', 'get', 'namespaces', '-o', 'json']
stdout, stderr, status = Open3.capture3(env, *cmd)
if status.success?
json = JSON.parse(stdout)
json['items'].map { |item| item['metadata']['name'] }
else
Facter.debug("kubectl error: #{stderr}")
[]
end
rescue StandardError => e
Facter.debug("Exception in k8s_namespaces fact: #{e.message}")
[]
end
end
-31
View File
@@ -1,31 +0,0 @@
# frozen_string_literal: true
require 'facter'
require 'json'
# a simple helm module
module Facter::Util::Helm
def self.get_helm_repos(helm_cmd)
return [] unless File.executable?(helm_cmd)
output = Facter::Core::Execution.execute(
"#{helm_cmd} repo list --output json --repository-config /etc/helm/repositories.yaml",
on_fail: nil
)
return [] if output.to_s.strip.empty?
parse_helm_output(output)
rescue StandardError => e
Facter.debug("helm_repos fact error: #{e}")
[]
end
def self.parse_helm_output(output)
JSON.parse(output).map do |repo|
{
'name' => repo['name'],
'url' => repo['url']
}
end
end
end
-109
View File
@@ -1,109 +0,0 @@
# config rke2
class rke2::config (
Enum['server', 'agent'] $node_type = $rke2::node_type,
Stdlib::Absolutepath $config_file = $rke2::config_file,
Hash $config_hash = $rke2::config_hash,
Stdlib::HTTPSUrl $join_url = $rke2::join_url,
Stdlib::Fqdn $bootstrap_node = $rke2::bootstrap_node,
String $node_token = $rke2::node_token,
Array[String[1]] $extra_config_files = $rke2::extra_config_files,
){
# if its not the bootstrap node, add join path to config
if $node_type == 'server' {
if $trusted['certname'] != $bootstrap_node {
$config = merge($config_hash, {
server => $join_url,
token => $node_token,
} )
}else{
$config = merge($config_hash, {})
}
} elsif $node_type == 'agent' {
$config = merge($config_hash, {
server => $join_url,
token => $node_token,
} )
}else{
$config = $config_hash
}
# create the config file
file { $config_file:
ensure => file,
content => Sensitive($config.to_yaml),
owner => 'root',
group => 'root',
mode => '0644',
require => Package["rke2-${node_type}"],
before => Service["rke2-${node_type}"],
}
# create a script to verify k8s api is up (used by consul)
file {'/usr/local/bin/check_k8s_api.sh':
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
source => 'puppet:///modules/rke2/check_k8s_api.sh',
}
# symlink kubectl to path
file {'/usr/bin/kubectl':
ensure => link,
target => '/var/lib/rancher/rke2/bin/kubectl',
require => Package["rke2-${node_type}"],
}
# when ProtectKernelDefaults=true
sysctl { 'vm.overcommit_memory':
value => '1',
before => Service["rke2-${node_type}"],
}
sysctl { 'kernel.panic':
value => '10',
before => Service["rke2-${node_type}"],
}
# on the controller nodes only
if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
# wait for purelb helm to setup namespace
if 'purelb' in $facts['k8s_namespaces'] {
file {'/var/lib/rancher/rke2/server/manifests/purelb-config.yaml':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/rke2/purelb-config.yaml',
require => Service['rke2-server'],
}
}
# wait for rancher helm to setup namespace
if 'cattle-system' in $facts['k8s_namespaces'] {
file {'/var/lib/rancher/rke2/server/manifests/ingress-route-rancher.yaml':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/rke2/ingress-route-rancher.yaml',
require => Service['rke2-server'],
}
}
# manage extra config config (these are not dependent on helm)
$extra_config_files.each |$file| {
file {"/var/lib/rancher/rke2/server/manifests/${file}.yaml":
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => "puppet:///modules/rke2/${file}.yaml",
require => Service['rke2-server'],
}
}
}
}
-81
View File
@@ -1,81 +0,0 @@
# manage helm
class rke2::helm (
Enum['server', 'agent'] $node_type = $rke2::node_type,
Stdlib::Fqdn $bootstrap_node = $rke2::bootstrap_node,
Boolean $helm_install = $rke2::helm_install,
Hash $helm_repos = $rke2::helm_repos
){
# when installing helm, manage the repos
if $helm_install {
package {'helm':
ensure => installed,
}
file { '/etc/helm':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
# on the controller nodes only, and after 3 master nodes exist
if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
# check if the repo already exists
$helm_repos.each | String $repo, Stdlib::HTTPSUrl $url | {
# if repo isnt in repo list from helm, install it
if ! $facts['helm_repos'].any |$existing| { $existing['name'] == $repo } {
exec { "helm_add_repo_${repo}":
command => "helm repo add ${repo} ${url} --repository-config /etc/helm/repositories.yaml",
path => ['/usr/bin'],
environment => [
'KUBECONFIG=/etc/rancher/rke2/rke2.yaml',
],
}
}
}
# install specific helm charts to bootstrap environment
$plb_cmd = 'helm install purelb purelb/purelb \
--create-namespace \
--namespace=purelb \
--repository-config /etc/helm/repositories.yaml'
exec { 'install_purelb':
command => $plb_cmd,
path => ['/usr/bin', '/bin'],
environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
unless => 'helm list -n purelb | grep -q ^purelb',
}
$cm_cmd = 'helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set crds.enabled=true \
--repository-config /etc/helm/repositories.yaml'
exec { 'install_cert_manager':
command => $cm_cmd,
path => ['/usr/bin', '/bin'],
environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
unless => 'helm list -n cert-manager | grep -q ^cert-manager',
}
$r_cmd = 'helm install rancher rancher-stable/rancher \
--namespace cattle-system \
--create-namespace \
--set hostname=rancher.main.unkin.net \
--set bootstrapPassword=admin \
--set ingress.tls.source=secret \
--repository-config /etc/helm/repositories.yaml'
exec { 'install_rancher':
command => $r_cmd,
path => ['/usr/bin', '/bin'],
environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
unless => 'helm list -n cattle-system | grep -q ^rancher',
}
}
}
}
-23
View File
@@ -1,23 +0,0 @@
# manage rke2
class rke2 (
Enum['server', 'agent'] $node_type = $rke2::params::node_type,
String $rke2_version = $rke2::params::rke2_version,
String $rke2_release = $rke2::params::rke2_release,
Stdlib::Absolutepath $config_file = $rke2::params::config_file,
Hash $config_hash = $rke2::params::config_hash,
Stdlib::HTTPSUrl $join_url = $rke2::params::join_url,
Stdlib::Fqdn $bootstrap_node = $rke2::params::bootstrap_node,
String $node_token = $rke2::params::node_token,
Boolean $helm_install = $rke2::params::helm_install,
Hash $helm_repos = $rke2::params::helm_repos,
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
) inherits rke2::params {
include rke2::install
include rke2::config
include rke2::service
include rke2::helm
Class['rke2::install'] -> Class['rke2::service'] -> Class['rke2::helm']
}
-53
View File
@@ -1,53 +0,0 @@
# install rke2
class rke2::install (
Enum['server', 'agent'] $node_type = $rke2::node_type,
String $rke2_version = $rke2::rke2_version,
String $rke2_release = $rke2::rke2_release,
Stdlib::HTTPUrl $container_archive_source = $rke2::container_archive_source,
){
# versionlock rke2
yum::versionlock{"rke2-${node_type}":
ensure => present,
version => "${rke2_version}~${rke2_release}",
}
# install rke2
package {"rke2-${node_type}":
ensure => "${rke2_version}~${rke2_release}",
}
# ensure images path exists
file { ['/var/lib/rancher/rke2/agent', '/var/lib/rancher/rke2/agent/images']:
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0750',
require => Package["rke2-${node_type}"],
before => Service["rke2-${node_type}"],
}
# download required archive of containers
archive { '/var/lib/rancher/rke2/agent/images/rke2-images.linux-amd64.tar.zst':
ensure => present,
source => "https://github.com/rancher/rke2/releases/download/v${rke2_version}%2B${rke2_release}/rke2-images.linux-amd64.tar.zst",
require => [
Package["rke2-${node_type}"],
File['/var/lib/rancher/rke2/agent/images'],
],
before => Service["rke2-${node_type}"],
}
# ensure the images cache file exists
file {'/var/lib/rancher/rke2/agent/images/.cache.json':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
require => [
Package["rke2-${node_type}"],
File['/var/lib/rancher/rke2/agent/images'],
],
before => Service["rke2-${node_type}"],
}
}
-15
View File
@@ -1,15 +0,0 @@
# rke2 params
class rke2::params (
Enum['server', 'agent'] $node_type = 'agent',
String $rke2_version = '1.33.4',
String $rke2_release = 'rke2r1',
Stdlib::Absolutepath $config_file = '/etc/rancher/rke2/config.yaml',
Hash $config_hash = {},
Stdlib::HTTPSUrl $join_url = 'https://127.0.0.1:9345',
Stdlib::Fqdn $bootstrap_node = 'localhost.localdomain',
String $node_token = '',
Boolean $helm_install = false,
Hash $helm_repos = {},
Array[String[1]] $extra_config_files = [],
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
) {}
-13
View File
@@ -1,13 +0,0 @@
# manage rke2 service
class rke2::service (
Enum['server', 'agent'] $node_type = $rke2::node_type,
Stdlib::Absolutepath $config_file = $rke2::config_file,
){
service {"rke2-${node_type}":
ensure => true,
enable => true,
subscribe => File[$config_file],
}
}
-19
View File
@@ -1,19 +0,0 @@
# frozen_string_literal: true
Facter.add(:zfs_datasets) do
confine kernel: 'Linux'
setcode do
datasets = []
if Facter::Core::Execution.which('zfs')
begin
output = Facter::Core::Execution.execute('zfs list -H -o name 2>/dev/null', on_fail: nil)
datasets = output.strip.split("\n") if output && !output.empty?
rescue StandardError => e
Facter.debug("Error getting zfs dataset information: #{e.message}")
end
end
datasets.empty? ? nil : datasets
end
end
@@ -3,8 +3,7 @@
Facter.add('zfs_zpool_cache_present') do
confine kernel: 'Linux'
setcode do
cache_file = '/etc/zfs/zpool.cache'
File.exist?(cache_file) && File.size(cache_file).positive?
File.exist?('/etc/zfs/zpool.cache')
end
end
-19
View File
@@ -1,19 +0,0 @@
# frozen_string_literal: true
Facter.add(:zfs_zpools) do
confine kernel: 'Linux'
setcode do
zpools = []
if Facter::Core::Execution.which('zpool')
begin
output = Facter::Core::Execution.execute('zpool list -H -o name 2>/dev/null', on_fail: nil)
zpools = output.strip.split("\n") if output && !output.empty?
rescue StandardError => e
Facter.debug("Error getting zpool information: #{e.message}")
end
end
zpools.empty? ? nil : zpools
end
end
+2 -5
View File
@@ -38,11 +38,8 @@ class zfs (
# create zpools
$zpools.each | $zpool, $data | {
# Only create zpool if it doesn't already exist
if $facts['zfs_zpools'] == undef or !($zpool in $facts['zfs_zpools']) {
zpool { $zpool:
* => $data
}
zpool { $zpool:
* => $data
}
}
@@ -1,54 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
postmaster: root
# Many mailers use this address to represent the empty SMTP return path
MAILER-DAEMON: postmaster
# Common aliases for system accounts.
bin: root
daemon: root
games: root
ingres: root
nobody: root
system: root
toor: root
foo: root
falken: root
# Well-known aliases.
admin: root
manager: root
dumper: root
operator: root
# traps to catch security attacks
decode: root
moof: root
moog: root
# Standard aliases also defined by RFC 2142
abuse: postmaster
# reports of network infrastructure difficulties
noc: root
# address to report secuirty problems
security: root
# DNS administrator (DNS soa records should use this)
hostmaster: root
# Usenet news service administrator
news: usenet
usenet: root
# http/web service administrator
www: webmaster
webmaster: root
# UUCP service administrator
uucp: root
# FTP administrator (especially anon FTP)
ftp: root
+8 -2
View File
@@ -1,5 +1,7 @@
# this is the base class, which will be used by all servers
class profiles::base () {
class profiles::base (
Array $puppet_servers,
) {
# run a limited set of classes on the first run aimed at bootstrapping the new node
if $facts['firstrun'] {
@@ -11,7 +13,11 @@ class profiles::base () {
# manage the puppet agent
include profiles::puppet::agent
include profiles::puppet::client
# manage puppet clients
if ! member($puppet_servers, $trusted['certname']) {
include profiles::puppet::client
}
# include the base profiles
include profiles::base::repos
-36
View File
@@ -1,36 +0,0 @@
class profiles::ceph::conf (
Hash $config = {}
) {
package {[
'ceph',
'ceph-common'
]:
ensure => installed,
}
file {'/etc/ceph':
ensure => directory,
owner => 'ceph',
group => 'ceph',
mode => '0755',
require => Package['ceph'],
}
file {'/var/log/ceph':
ensure => directory,
owner => 'ceph',
group => 'ceph',
mode => '0755',
require => Package['ceph'],
}
file { '/etc/ceph/ceph.conf':
ensure => file,
owner => 'ceph',
group => 'ceph',
mode => '0644',
content => template('profiles/ceph/conf.erb'),
require => Package['ceph-common'],
}
}
-20
View File
@@ -1,20 +0,0 @@
class profiles::ceph::dashboard (
Stdlib::IP::Address $ipaddress = $facts['networking']['ip'],
){
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_9443":
service => 'be_ceph_dashboard',
ipaddress => $ipaddress,
ports => [9443],
options => [
"cookie ${facts['networking']['hostname']}",
'ssl',
'verify none',
'check',
'inter 2s',
'rise 3',
'fall 2',
]
}
}
-41
View File
@@ -1,41 +0,0 @@
class profiles::ceph::rgw (
Boolean $enable = true,
Hash[String, String] $ceph_client_keys = {},
Stdlib::Absolutepath $base_path = '/var/lib/ceph'
){
$key = $ceph_client_keys[$facts['networking']['hostname']]
if $enable {
include profiles::ceph::conf
package {'ceph-radosgw':
ensure => installed,
}
file { [
"${base_path}/radosgw",
"${base_path}/radosgw/ceph-${facts['networking']['hostname']}"
]:
ensure => directory,
owner => 'ceph',
group => 'ceph',
mode => '0750',
}
file { "${base_path}/radosgw/ceph-${facts['networking']['hostname']}/keyring":
ensure => file,
owner => 'ceph',
group => 'ceph',
mode => '0750',
content => Sensitive("[client.${facts['networking']['hostname']}]\n key = ${key}\n")
}
service {"ceph-radosgw@${facts['networking']['hostname']}":
ensure => true,
enable => true,
subscribe => File["${base_path}/radosgw/ceph-${facts['networking']['hostname']}/keyring"]
}
}
}
+2 -3
View File
@@ -11,7 +11,6 @@ class profiles::consul::client (
Stdlib::Absolutepath $data_dir = '/opt/consul',
Array[Hash] $node_rules = [],
Hash $ports = {},
Stdlib::IP::Address $host_addr = $facts['networking']['ip'],
) {
if $facts['enc_role'] != $members_role {
@@ -43,8 +42,8 @@ class profiles::consul::client (
'log_level' => 'INFO',
'node_name' => $facts['networking']['fqdn'],
'retry_join' => $servers_array,
'bind_addr' => $host_addr,
'advertise_addr' => $host_addr,
'bind_addr' => $::facts['networking']['ip'],
'advertise_addr' => $::facts['networking']['ip'],
'enable_script_checks' => true,
'ports' => $ports,
'acl' => {
-1
View File
@@ -11,7 +11,6 @@ class profiles::defaults {
ensure => present,
require => [
Class['profiles::base::repos'],
Exec['dnf_makecache'],
]
}
+1 -1
View File
@@ -47,7 +47,7 @@ class profiles::dns::base (
$facts['networking']['interfaces'].each | $interface, $data | {
# exclude those without ipv4 address, lo, docker0 and anycast addresses
if $data['ip'] and $interface != 'lo' and $interface != 'docker0' and $interface !~ /^anycast[0-9]$/ and $interface !~ /^cilium_/ {
if $data['ip'] and $interface != 'lo' and $interface != 'docker0' and $interface !~ /^anycast[0-9]$/ {
# use defaults for the primary_interface
if $interface == $primary_interface {
-99
View File
@@ -1,99 +0,0 @@
class profiles::dovecot::server (
Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_key_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_ca_file = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
Stdlib::Absolutepath $maildir_path = '/var/vmail',
String $maildir_var = '%d/%n',
String $hostname = $trusted['certname'],
Array[String] $listen = ['*', '::'],
Array[String] $protocols = ['imap'],
) {
# Ensure the maildata directory exists
file { $maildir_path:
ensure => directory,
owner => 'vmail',
group => 'vmail',
mode => '0755',
}
# Create vmail user for dovecot
user { 'vmail':
ensure => present,
uid => 5000,
gid => 5000,
home => $maildir_path,
shell => '/usr/sbin/nologin',
managehome => false,
system => true,
}
group { 'vmail':
ensure => present,
gid => 5000,
system => true,
}
# Main dovecot configuration
$main_config = {
values => {
'listen' => join($listen, ', '),
'protocols' => join($protocols, ' '),
'default_login_user' => 'vmail',
'default_internal_user' => 'vmail',
'first_valid_uid' => '5000',
'last_valid_uid' => '5000',
'first_valid_gid' => '5000',
'last_valid_gid' => '5000',
'mail_uid' => 'vmail',
'mail_gid' => 'vmail',
'mail_location' => "maildir:${maildir_path}/${maildir_var}/Maildir",
'login_trusted_networks' => '10.0.0.0/8 127.0.0.0/8 [::1]/128',
'disable_plaintext_auth' => 'no',
'auth_mechanisms' => 'cram-md5 plain login',
'ssl' => 'required',
'ssl_cert' => $tls_cert_file,
'ssl_key' => $tls_key_file,
'ssl_ca' => $tls_ca_file,
'ssl_min_protocol' => 'TLSv1.2',
'ssl_cipher_list' => join([
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES',
'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
], ':'),
'ssl_prefer_server_ciphers' => 'yes',
},
sections => [
{
name => 'passdb',
values => {
'driver' => 'passwd-file',
'args' => 'scheme=CRAM-MD5 username_format=%u /etc/dovecot/users',
},
},
{
name => 'userdb',
values => {
'driver' => 'static',
'args' => "uid=vmail gid=vmail home=${maildir_path}/${maildir_var}",
},
},
],
}
# # Postfix smtp-auth
# unix_listener /var/spool/postfix/private/auth {
# mode = 0666
# user = postfix
# group = postfix
# }
# Configure dovecot
class { 'dovecot':
main_config => $main_config,
include_sysdefault => false,
require => [User['vmail'], Group['vmail'], File[$maildir_path]],
}
}
@@ -3,7 +3,6 @@ define profiles::haproxy::balancemember (
String $service,
Array[Stdlib::Port] $ports,
Array $options = ['check'],
Stdlib::IP::Address $ipaddress = $facts['networking']['ip'],
) {
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
@@ -13,7 +12,7 @@ define profiles::haproxy::balancemember (
listening_service => $service,
ports => $ports,
server_names => $facts['networking']['hostname'],
ipaddresses => $ipaddress,
ipaddresses => $facts['networking']['ip'],
options => $options,
tag => $balancemember_tag,
}
@@ -11,7 +11,6 @@ class profiles::metrics::grafana (
String $db_pass = fqdn_rand_string(16),
Stdlib::Host $db_host = '127.0.0.1',
Stdlib::Port $db_port = 5432,
Hash $plugins = {}
) {
# set the fqdn
@@ -109,7 +108,6 @@ class profiles::metrics::grafana (
class { 'grafana':
cfg => $cfg,
ldap_cfg => $ldap_cfg,
plugins => $plugins,
}
# fix the package provided systemd service
+3 -4
View File
@@ -136,10 +136,9 @@ class profiles::nginx::simpleproxy (
}
service { 'nginx':
ensure => true,
enable => true,
hasrestart => true,
subscribe => [
ensure => true,
enable => true,
subscribe => [
File[$selected_ssl_cert],
File[$selected_ssl_key],
Nginx::Resource::Server[$nginx_vhost]
-392
View File
@@ -1,392 +0,0 @@
class profiles::postfix::gateway (
Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_key_file = '/etc/pki/tls/vault/certificate.pem',
Stdlib::Absolutepath $tls_ca_file = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
String $myhostname = $trusted['certname'],
String $message_size_limit = '133169152',
String $mailbox_size_limit = '133169152',
String $local_transport = 'error:No local mail delivery',
Boolean $enable_postscreen = true,
Array[String] $alias_maps = [
'hash:/etc/aliases',
'hash:/etc/postfix/aliases',
],
Array[String] $postscreen_dnsbl_sites = [
'zen.spamhaus.org*3',
'b.barracudacentral.org=127.0.0.[2..11]*2',
'bl.spameatingmonkey.net*2',
'bl.spamcop.net',
'dnsbl.sorbs.net',
'swl.spamhaus.org*-4',
'list.dnswl.org=127.[0..255].[0..255].0*-2',
'list.dnswl.org=127.[0..255].[0..255].1*-4',
'list.dnswl.org=127.[0..255].[0..255].[2..3]*-6',
],
Array[String] $smtpd_client_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_rbl_client zen.spamhaus.org',
],
Array[String] $smtpd_sender_restrictions = [
'permit_sasl_authenticated',
'check_sender_access hash:/etc/postfix/sender_access',
'reject_non_fqdn_sender',
'reject_unknown_sender_domain',
],
Array[String] $smtpd_recipient_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_unauth_destination',
'reject_non_fqdn_recipient',
'reject_unknown_recipient_domain',
'check_recipient_access hash:/etc/postfix/recipient_access',
'reject_unverified_recipient',
],
Array[String] $smtpd_relay_restrictions = [
'permit_sasl_authenticated',
'permit_mynetworks',
'reject_unauth_destination',
],
Hash[Stdlib::Fqdn, String] $smtp_tls_policy_maps = {},
Hash[String, String] $sender_canonical_maps = {},
Hash[Stdlib::Email, String] $sender_access_maps = {},
Hash[String, String] $relay_recipients_maps = {},
Hash[Stdlib::Fqdn, String] $relay_domains_maps = {},
Hash[String, String] $recipient_canonical_maps = {},
Hash[Stdlib::Email, String] $recipient_access_maps = {},
Hash[Variant[Stdlib::IP::Address, Stdlib::IP::Address::CIDR], String] $postscreen_access_maps = {},
Hash[String, String] $helo_access_maps = {},
Hash[Stdlib::Email, String] $virtual_mailbox_maps = {},
Hash[Variant[Stdlib::Email, Pattern[/^@.+$/]], Stdlib::Email] $virtual_alias_maps = {},
# Dovecot integration
Boolean $enable_dovecot = false,
Array[Stdlib::Fqdn] $virtual_mailbox_domains = [],
String $virtual_uid_maps = 'static:5000',
String $virtual_gid_maps = 'static:5000',
Stdlib::Absolutepath $virtual_mailbox_base = '/var/vmail',
String $virtual_transport = 'dovecot',
) {
$alias_maps_string = join($alias_maps, ', ')
# Set master.cf configuration based on postscreen setting
if $enable_postscreen {
$master_smtp = 'smtp inet n - n - 1 postscreen'
$master_entries = [
'smtpd pass - - n - - smtpd',
'dnsblog unix - - n - 0 dnsblog',
'tlsproxy unix - - n - 0 tlsproxy',
]
$postscreen_configs = {
'postscreen_access_list' => {
'value' => 'permit_mynetworks, cidr:/etc/postfix/postscreen_access'
},
'postscreen_blacklist_action' => {
'value' => 'enforce'
},
'postscreen_cache_map' => {
'value' => 'btree:$data_directory/postscreen_cache'
},
'postscreen_dnsbl_action' => {
'value' => 'enforce'
},
'postscreen_dnsbl_sites' => {
'value' => join($postscreen_dnsbl_sites, ', ')
},
'postscreen_dnsbl_threshold' => {
'value' => '2'
},
'postscreen_greet_action' => {
'value' => 'enforce'
},
'postscreen_greet_banner' => {
'value' => '$smtpd_banner'
},
'postscreen_greet_wait' => {
'value' => "\${stress?2}\${stress:6}s"
},
}
} else {
$master_smtp = undef
$master_entries = []
$postscreen_configs = {}
}
# Base postfix configuration
$base_configs = {
'alias_database' => {
'value' => $alias_maps_string
},
'default_destination_recipient_limit' => {
'value' => '1'
},
'disable_vrfy_command' => {
'value' => 'yes'
},
'enable_long_queue_ids' => {
'value' => 'yes'
},
'error_notice_recipient' => {
'value' => 'root'
},
'header_checks' => {
'value' => 'regexp:/etc/postfix/header_checks'
},
'local_recipient_maps' => {
'ensure' => 'blank'
},
'local_transport' => {
'value' => $local_transport
},
'mailbox_size_limit' => {
'value' => $mailbox_size_limit
},
'message_size_limit' => {
'value' => $message_size_limit
},
'myhostname' => {
'value' => $myhostname
},
'non_smtpd_milters' => {
'ensure' => 'blank'
},
'qmqpd_authorized_clients' => {
'value' => '127.0.0.1 [::1]'
},
'recipient_canonical_maps' => {
'value' => 'hash:/etc/postfix/recipient_canonical'
},
'recipient_delimiter' => {
'value' => '+'
},
'relay_domains' => {
'value' => 'hash:/etc/postfix/relay_domains'
},
'relay_recipient_maps' => {
'value' => 'hash:/etc/postfix/relay_recipients'
},
'sender_canonical_maps' => {
'value' => 'hash:/etc/postfix/sender_canonical'
},
'smtp_tls_CAfile' => {
'value' => $tls_ca_file
},
'smtp_tls_mandatory_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtp_tls_note_starttls_offer' => {
'value' => 'yes'
},
'smtp_tls_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtp_tls_security_level' => {
'value' => 'may'
},
'smtp_tls_session_cache_database' => {
'value' => 'btree:/var/lib/postfix/smtp_tls_session_cache'
},
'smtp_use_tls' => {
'value' => 'yes'
},
'smtpd_banner' => {
'value' => '$myhostname ESMTP $mail_name'
},
'smtpd_client_restrictions' => {
'value' => join($smtpd_client_restrictions, ', ')
},
'smtpd_data_restrictions' => {
'value' => 'reject_unauth_pipelining'
},
'smtpd_delay_reject' => {
'value' => 'yes'
},
'smtpd_discard_ehlo_keywords' => {
'value' => 'chunking, silent-discard'
},
'smtpd_forbid_bare_newline' => {
'value' => 'yes'
},
'smtpd_forbid_bare_newline_exclusions' => {
'value' => '$mynetworks'
},
'smtpd_forbid_unauth_pipelining' => {
'value' => 'yes'
},
'smtpd_helo_required' => {
'value' => 'yes'
},
'smtpd_helo_restrictions' => {
'value' => 'check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname'
},
'smtpd_milters' => {
'value' => 'inet:127.0.0.1:33333'
},
'smtpd_recipient_restrictions' => {
'value' => join($smtpd_recipient_restrictions, ', ')
},
'smtpd_relay_restrictions' => {
'value' => join($smtpd_relay_restrictions, ', ')
},
'smtpd_sender_restrictions' => {
'value' => join($smtpd_sender_restrictions, ', ')
},
'smtpd_tls_CAfile' => {
'value' => $tls_ca_file
},
'smtpd_tls_cert_file' => {
'value' => $tls_cert_file
},
'smtpd_tls_ciphers' => {
'value' => 'medium'
},
'smtpd_tls_key_file' => {
'value' => $tls_key_file
},
'smtpd_tls_loglevel' => {
'value' => '1'
},
'smtpd_tls_mandatory_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtpd_tls_protocols' => {
'value' => '!SSLv2,!SSLv3'
},
'smtpd_tls_received_header' => {
'value' => 'yes'
},
'smtpd_tls_security_level' => {
'value' => 'may'
},
'smtpd_tls_session_cache_database' => {
'value' => 'btree:/var/lib/postfix/smtpd_tls_session_cache'
},
'smtpd_tls_session_cache_timeout' => {
'value' => '3600s'
},
'smtpd_use_tls' => {
'value' => 'yes'
},
'tls_medium_cipherlist' => {
'value' => join([
'ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES',
'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
], ':')
},
'tls_preempt_cipherlist' => {
'value' => 'yes'
},
'tls_random_source' => {
'value' => 'dev:/dev/urandom'
},
'unverified_recipient_reject_code' => {
'value' => '550'
},
'unverified_recipient_reject_reason' => {
'value' => 'No user at this address'
},
'smtp_tls_policy_maps' => {
'value' => 'hash:/etc/postfix/smtp_tls_policy_maps'
},
}
# Postfix maps (all using templates now)
$postfix_maps = {
'postscreen_access' => {
'ensure' => 'present',
'type' => 'cidr',
'content' => template('profiles/postfix/gateway/postscreen_access.erb')
},
'relay_recipients' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/relay_recipients.erb')
},
'relay_domains' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/relay_domains.erb')
},
'aliases' => {
'ensure' => 'present',
'type' => 'hash',
'source' => 'puppet:///modules/profiles/postfix/gateway/aliases'
},
'helo_access' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/helo_access.erb')
},
'sender_access' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/sender_access.erb')
},
'recipient_access' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/recipient_access.erb')
},
'recipient_canonical' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/recipient_canonical.erb')
},
'sender_canonical' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/sender_canonical.erb')
},
'smtp_tls_policy_maps' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/smtp_tls_policy_maps.erb')
},
'virtual_mailbox_maps' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/virtual_mailbox_maps.erb')
},
'virtual_alias_maps' => {
'ensure' => 'present',
'type' => 'hash',
'content' => template('profiles/postfix/gateway/virtual_alias_maps.erb')
},
}
if $enable_dovecot {
postfix::config {
'virtual_mailbox_domains': value => join($virtual_mailbox_domains, ', ');
'virtual_mailbox_maps': value => 'hash:/etc/postfix/virtual_mailbox_maps';
'virtual_alias_maps': value => 'hash:/etc/postfix/virtual_alias_maps';
'virtual_uid_maps': value => $virtual_uid_maps;
'virtual_gid_maps': value => $virtual_gid_maps;
'virtual_mailbox_base': value => $virtual_mailbox_base;
'virtual_transport': value => $virtual_transport;
'home_mailbox': value => "${virtual_mailbox_base}/%d/%n/Maildir";
}
} else {
postfix::config {
'virtual_mailbox_domains': ensure => 'absent';
'virtual_mailbox_maps': ensure => 'absent';
'virtual_uid_maps': ensure => 'absent';
'virtual_gid_maps': ensure => 'absent';
'virtual_mailbox_base': ensure => 'absent';
'virtual_transport': ensure => 'absent';
'home_mailbox': ensure => 'absent';
}
}
# Merge base configs with postscreen configs
$all_configs = $base_configs + $postscreen_configs
class { 'postfix':
master_smtp => $master_smtp,
master_entries => $master_entries,
alias_maps => $alias_maps_string,
configs => $all_configs,
maps => $postfix_maps,
}
}
+17 -47
View File
@@ -1,68 +1,37 @@
# profiles::puppet::agent
# This class manages Puppet agent package and service.
class profiles::puppet::agent (
String $version = 'latest',
Boolean $openvox_enable = false,
String $puppet_version = 'latest',
) {
# set openvox package, yumrepo, service
if $openvox_enable {
$use_package = 'openvox-agent'
$use_yumrepo = 'openvox'
$use_service = 'puppet'
}else{
$use_package = 'puppet-agent'
$use_yumrepo = 'puppet'
$use_service = 'puppet'
}
# manage the yumrepo for the given package
if $openvox_enable and $facts['os']['family'] == 'RedHat' {
yumrepo { 'openvox':
ensure => 'present',
baseurl => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/",
descr => 'openvox repository',
gpgkey => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/GPG-KEY-openvox.pub",
notify => Exec['dnf_makecache'],
}
}else{
yumrepo { 'puppet':
ensure => 'present',
baseurl => "https://packagerepo.service.consul/puppet7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/",
descr => 'puppet repository',
gpgkey => "https://packagerepo.service.consul/puppet7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/RPM-GPG-KEY-puppet-20250406",
notify => Exec['dnf_makecache'],
}
}
# if agent-version is anything other than latest, set a versionlock
$agent_versionlock_ensure = $version ? {
# if puppet-version is anything other than latest, set a versionlock
$puppet_versionlock_ensure = $puppet_version ? {
'latest' => 'absent',
default => 'present',
}
$agent_versionlock_version = $version ? {
$puppet_versionlock_version = $puppet_version ? {
'latest' => undef,
default => $version,
default => $puppet_version,
}
case $facts['os']['family'] {
'RedHat': {
# Ensure the agent package is installed and locked to a specific version
package { $use_package:
ensure => $version,
require => Yumrepo[$use_yumrepo],
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
require => Yumrepo['puppet'],
}
# versionlock puppet-agent
yum::versionlock{$use_package:
ensure => $agent_versionlock_ensure,
version => $agent_versionlock_version,
yum::versionlock{'puppet-agent':
ensure => $puppet_versionlock_ensure,
version => $puppet_versionlock_version,
}
}
'Debian': {
# Ensure the puppet-agent package is installed and locked to a specific version
package { $use_package:
ensure => $version,
package { 'puppet-agent':
ensure => $puppet_version,
require => Class['profiles::apt::puppet7'],
}
}
@@ -70,11 +39,12 @@ class profiles::puppet::agent (
}
# Ensure the puppet service is running
service { $use_service:
service { 'puppet':
ensure => 'running',
enable => true,
hasrestart => true,
require => Package[$use_package],
require => Package['puppet-agent'],
}
}
@@ -26,12 +26,6 @@ class profiles::puppet::puppetdb_api (
before => Class['puppetdb::server'],
}
# cleanup puppetdb first, this isnt replaced by openvoxdb (conflicts)
package { 'puppetdb':
ensure => 'purged',
before => Class['puppetdb::server'],
}
class { 'puppetdb::server':
manage_firewall => false,
ssl_listen_address => $listen_address,
@@ -50,7 +44,6 @@ class profiles::puppet::puppetdb_api (
database_name => $database_name,
database_password => Sensitive($database_password),
database_validate => $database_validate,
puppetdb_package => 'openvoxdb',
}
contain ::puppetdb::server
+1 -12
View File
@@ -20,23 +20,12 @@ class profiles::puppet::puppetmaster (
include profiles::puppet::puppetca
include profiles::puppet::eyaml
# migration to openvox, cleanup puppetserver/puppetdb-termini
package {'puppetdb-termini':
ensure => purged,
before => Package['openvoxdb-termini'],
}
package {'puppetserver':
ensure => purged,
before => Package['openvox-server'],
}
class { 'puppetdb::master::config':
puppetdb_server => $puppetdb_host,
manage_storeconfigs => false,
terminus_package => 'openvoxdb-termini',
}
Package['openvox-server']
Package['puppetserver']
-> Class['profiles::puppet::gems']
-> Class['profiles::puppet::r10k']
-> Class['profiles::puppet::g10k']
-3
View File
@@ -55,7 +55,4 @@ class profiles::yum::global (
# setup dnf-autoupdate
include profiles::yum::autoupdater
# ensure dnf makecache runs before packages
Yumrepo <| |> -> Exec['dnf_makecache'] -> Package <| |>
}
-9
View File
@@ -1,9 +0,0 @@
# Managed by Puppet in profiles::ceph::conf
<% @config.each do |section, settings| -%>
[<%= section %>]
<% settings.each do |key, value| -%>
<%# Convert booleans and numbers to strings, leave strings untouched %>
<%= key %> = <%= value.is_a?(TrueClass) ? 'true' : value.is_a?(FalseClass) ? 'false' : value %>
<% end -%>
<% end -%>
@@ -1,11 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on HELO/EHLO hostnames to block spam patterns
# HELO/EHLO access controls
# Format: pattern action
# Example: .dynamic.example.com REJECT
# Example: localhost REJECT You are not localhost
<% @helo_access_maps.each do |pattern, action| -%>
<%= pattern %> <%= action %>
<% end -%>
@@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls which IP addresses/networks are allowed through postscreen
# Postscreen access controls (CIDR format)
# Format: network/mask action
# Example: 192.168.1.0/24 permit
<% @postscreen_access_maps.each do |network, action| -%>
<%= network %> <%= action %>
<% end -%>
@@ -1,11 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on recipient email addresses or domains
# Recipient access controls
# Format: recipient_pattern action
# Example: @example.com OK
# Example: admin@foo.net REJECT
<% @recipient_access_maps.each do |recipient, action| -%>
<%= recipient %> <%= action %>
<% end -%>
@@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Rewrites recipient addresses before delivery (address normalization)
# Recipient canonical address mapping
# Format: original_address canonical_address
# Example: user@olddomain.com user@example.com
<% @recipient_canonical_maps.each do |original, canonical| -%>
<%= original %> <%= canonical %>
<% end -%>
@@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines which domains are allowed for mail relaying
# Relay domains control
# Format: domain action
# Example: example.com OK
<% @relay_domains_maps.each do |domain, action| -%>
<%= domain %> <%= action %>
<% end -%>
@@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines which recipient addresses are allowed for mail relaying
# Relay recipients control
# Format: recipient_pattern action
# Example: @example.com OK
<% @relay_recipients_maps.each do |recipient, action| -%>
<%= recipient %> <%= action %>
<% end -%>
@@ -1,11 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Controls access based on sender email addresses or domains
# Sender access controls
# Format: sender_pattern action
# Example: spammer@foo.net REJECT
# Example: @badspammer.com REJECT
<% @sender_access_maps.each do |sender, action| -%>
<%= sender %> <%= action %>
<% end -%>
@@ -1,10 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Rewrites sender addresses before sending (address masquerading)
# Sender canonical address mapping
# Format: original_address canonical_address
# Example: user@internal.local user@example.com
<% @sender_canonical_maps.each do |original, canonical| -%>
<%= original %> <%= canonical %>
<% end -%>
@@ -1,11 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Enforces TLS security policies for outbound mail per destination domain
# SMTP TLS policy map for outbound connections
# Format: destination policy
# Example: gmail.com encrypt
# Example: secure-bank.example.com secure
<% @smtp_tls_policy_maps.each do |destination, policy| -%>
<%= destination %> <%= policy %>
<% end -%>
@@ -1,9 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines virtual alias mappings
# Maps email addresses or patterns to target addresses
# Format: alias@foo.net real@corp.foo.net
<% @virtual_alias_maps.each do |source, target| -%>
<%= source %> <%= target %>
<% end -%>
@@ -1,9 +0,0 @@
# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
#
# Defines virtual mailbox mappings for dovecot delivery
# Maps email addresses to maildir paths
# Format: user@domain maildir/path/
<% @virtual_mailbox_maps.each do |email, path| -%>
<%= email %> <%= path %>
<% end -%>
@@ -1,72 +1,33 @@
#!/usr/bin/env bash
set -euo pipefail
: "${DRY_RUN:=}" # set DRY_RUN=1 to preview deletions
log() { printf '[%(%F %T)T] %s\n' -1 "$*" >&2; }
# Function to create symlink for snapshots
create_symlink() {
local osname="$1" # e.g. almalinux
local release="$2" # e.g. 9.6
local repository="$3" # e.g. appstream
local basepath="$4" # e.g. /shared/apps/packagerepo
local label="$5" # monthly|weekly|daily
local date_value="$6" # YYYYMMDD for the snapshot to promote
local snap_path="${basepath}/snap/${osname}/${release}/${repository}-${date_value}"
local symlink_target="${basepath}/snap/${osname}/${release}/${repository}-${label}"
if [[ -d "$snap_path" ]]; then
ln -sfn "$snap_path" "$symlink_target"
log "Symlink set: ${symlink_target} -> ${snap_path}"
return 0
else
log "Snapshot path does not exist: $snap_path"
return 1
fi
}
# Cleanup snapshot directories older than a cutoff date (YYYYMMDD)
cleanup_older_than_monthly() {
local osname="$1"
local release="$2"
local repository="$3"
local basepath="$4"
local cutoff_date="$5" # newly promoted monthly date, YYYYMMDD
local label="$5" # 'monthly', 'weekly', or 'daily'
local date_format="$6" # Date format for finding the snapshot
local root="${basepath}/snap/${osname}/${release}"
local pattern="${repository}-"[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]
# The path where snapshots are stored
local snap_path="${basepath}/snap/${osname}/${release}/${repository}-${date_format}"
shopt -s nullglob
for dir in "${root}"/${pattern}; do
# Skip symlinks and non-directories
[[ -L "$dir" ]] && continue
[[ -d "$dir" ]] || continue
# The target path for the symlink
local symlink_target="${basepath}/snap/${osname}/${release}/${repository}-${label}"
# Extract the date suffix
local name base datepart
name="$(basename -- "$dir")"
base="${name%-????????}" # remove last 8 chars
datepart="${name#${base}-}" # after "<repo>-"
# Only act on valid YYYYMMDD dates
if [[ "$datepart" =~ ^[0-9]{8}$ ]]; then
if [[ "$datepart" -lt "$cutoff_date" ]]; then
if [[ -n "${DRY_RUN}" ]]; then
log "[DRY_RUN] Would remove: $dir"
else
log "Removing: $dir"
rm -rf --one-file-system -- "$dir"
fi
fi
fi
done
shopt -u nullglob
# Check if the source directory exists
if [[ -d "$snap_path" ]]; then
# Create the symlink, overwrite if it already exists
ln -sfn "$snap_path" "$symlink_target"
echo "Symlink created for $snap_path -> $symlink_target"
else
echo "Snapshot path does not exist: $snap_path"
return 1
fi
}
# Determine which snapshot to promote based on the passed argument
case "${1:-}" in
case "$1" in
monthly)
promote_date=$(date --date="$(date +%Y%m01) -1 month" +%Y%m%d)
;;
@@ -82,26 +43,11 @@ case "${1:-}" in
;;
esac
label="$1"
# Process each repo conf
# Call the function with appropriate arguments
# Iterate over the repositories to create symlinks for each
for conf in /etc/reposync/conf.d/*.conf; do
# shellcheck disable=SC1090
source "$conf"
# Expecting these vars in the conf: OSNAME, RELEASE, REPOSITORY, BASEPATH
: "${OSNAME:?missing OSNAME in $conf}"
: "${RELEASE:?missing RELEASE in $conf}"
: "${REPOSITORY:?missing REPOSITORY in $conf}"
: "${BASEPATH:?missing BASEPATH in $conf}"
# 1) Promote the symlink for this label
if create_symlink "$OSNAME" "$RELEASE" "$REPOSITORY" "$BASEPATH" "$label" "$promote_date"; then
# 2) If monthly, clean up older snapshot dirs for this repo
if [[ "$label" == "monthly" ]]; then
cleanup_older_than_monthly "$OSNAME" "$RELEASE" "$REPOSITORY" "$BASEPATH" "$promote_date"
fi
else
log "Skipping cleanup for ${OSNAME}/${RELEASE}/${REPOSITORY} due to missing ${REPOSITORY}-${promote_date}"
fi
# Create symlink based on the provided argument
create_symlink "$OSNAME" "$RELEASE" "$REPOSITORY" "$BASEPATH" "$1" "$promote_date"
done
-10
View File
@@ -1,10 +0,0 @@
# a role to deploy the ceph rgw
class roles::infra::ceph::rgw {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}
@@ -1,12 +0,0 @@
# a role to deploy a imap/pop3 backend for mail services
class roles::infra::mail::backend {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::dovecot::server
include profiles::postfix::gateway
}
}
@@ -1,11 +0,0 @@
# a role to deploy a dmz mx gateway for mail services
class roles::infra::mail::gateway {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::postfix::gateway
}
}