chore: cleanup gitea actions workflows (#451)

- migrated workflows to woodpeckerci

Reviewed-on: #451

.gitea/workflows/build.yaml

@@ -1,24 +0,0 @@
-name: Build
-
-on:
-  pull_request:
-
-jobs:
-  precommit:
-    runs-on: almalinux-8
-    container:
-      image: git.unkin.net/unkin/almalinux9-actionsdind:latest
-      options: --privileged
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Install requirements
-        run: |
-          dnf groupinstall -y "Development Tools" -y
-          dnf install rubygems ruby-devel gcc make redhat-rpm-config glibc-headers glibc-devel -y
-
-      - name: Pre-Commit All Files
-        run: |
-          uvx pre-commit run --all-files

.gitignore

@@ -1 +0,0 @@
-sources/

.woodpecker/pre-commit.yaml

@@ -0,0 +1,10 @@
+when:
+  - event: pull_request
+
+steps:
+  - name: pre-commit
+    image: git.unkin.net/unkin/almalinux9-base:latest
+    commands:
+      - dnf groupinstall -y "Development Tools" -y
+      - dnf install uv rubygems ruby-devel gcc make redhat-rpm-config glibc-headers glibc-devel libffi libffi-devel -y
+      - uvx pre-commit run --all-files

doc/ceph/README.md

@@ -28,6 +28,98 @@ Always refer back to the official documentation at https://docs.ceph.com/en/late
     sudo ceph fs set mediafs max_mds 2
 ```
 
+
+## managing cephfs with subvolumes
+
+Create erasure code profiles. The K and M values are equivalent to the number of data disks (K) and parity disks (M) in RAID5, RAID6, etc.
+
+    sudo ceph osd erasure-code-profile set ec_6_2 k=6 m=2
+    sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
+
+Create data pools using the erasure-code-profile, set some required options
+
+    sudo ceph osd pool create cephfs_data_ssd_ec_6_2 erasure ec_6_2
+    sudo ceph osd pool set cephfs_data_ssd_ec_6_2 allow_ec_overwrites true
+    sudo ceph osd pool set cephfs_data_ssd_ec_6_2 bulk true
+
+    sudo ceph osd pool create cephfs_data_ssd_ec_4_1 erasure ec_4_1
+    sudo ceph osd pool set cephfs_data_ssd_ec_4_1 allow_ec_overwrites true
+    sudo ceph osd pool set cephfs_data_ssd_ec_4_1 bulk true
+
+Add the pool to the fs `cephfs`
+
+    sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_6_2
+    sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_4_1
+
+Create a subvolumegroup using the new data pool
+
+    sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_6_2 --pool_layout cephfs_data_ssd_ec_6_2
+    sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_4_1 --pool_layout cephfs_data_ssd_ec_4_1
+
+All together:
+
+    sudo ceph osd erasure-code-profile set ec_6_2 k=6 m=2
+    sudo ceph osd pool create cephfs_data_ssd_ec_6_2 erasure ec_6_2
+    sudo ceph osd pool set cephfs_data_ssd_ec_6_2 allow_ec_overwrites true
+    sudo ceph osd pool set cephfs_data_ssd_ec_6_2 bulk true
+    sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_6_2
+    sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_6_2 --pool_layout cephfs_data_ssd_ec_6_2
+
+    sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
+    sudo ceph osd pool create cephfs_data_ssd_ec_4_1 erasure ec_4_1
+    sudo ceph osd pool set cephfs_data_ssd_ec_4_1 allow_ec_overwrites true
+    sudo ceph osd pool set cephfs_data_ssd_ec_4_1 bulk true
+    sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_4_1
+    sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_4_1 --pool_layout cephfs_data_ssd_ec_4_1
+
+Create a key with access to the new subvolume groups. Check if the user already exists first:
+
+    sudo ceph auth get client.kubernetes-cephfs
+
+If it doesnt:
+
+    sudo ceph auth get-or-create client.kubernetes-cephfs \
+      mgr 'allow rw' \
+      osd 'allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs' \
+      mds 'allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi_ssd_ec_6_2, allow rws fsname=cephfs path=/volumes/csi_ssd_ec_4_1' \
+      mon 'allow r fsname=cephfs'
+
+If it does, use `sudo ceph auth caps client.kubernetes-cephfs ...` instead to update existing capabilities.
+
+## removing a cephfs subvolumegroup from cephfs
+
+This will cleanup the subvolumegroup, and subvolumes if they exist, then remove the pool.
+
+Check for subvolumegroups first, then for subvolumes in it
+
+    sudo ceph fs subvolumegroup ls cephfs
+    sudo ceph fs subvolume ls cephfs --group_name csi_raid6
+
+
+If subvolumes exist, remove each one-by-one:
+
+    sudo ceph fs subvolume rm cephfs <subvol_name> --group_name csi_raid6
+
+If you have snapshots, remove snapshots first:
+
+    sudo ceph fs subvolume snapshot ls cephfs <subvol_name> --group_name csi_raid6
+    sudo ceph fs subvolume snapshot rm cephfs <subvol_name> <snap_name> --group_name csi_raid6
+
+Once the group is empty, remove it:
+
+    sudo ceph fs subvolumegroup rm cephfs csi_raid6
+
+If it complains it’s not empty, go back as there’s still a subvolume or snapshot.
+
+If you added it with `ceph fs add_data_pool`. Undo with `rm_data_pool`:
+
+    sudo ceph fs rm_data_pool cephfs cephfs_data_csi_raid6
+
+After it’s detached from CephFS, you can delete it.
+
+    sudo ceph osd pool rm cephfs_data_csi_raid6 cephfs_data_csi_raid6 --yes-i-really-really-mean-it
+
+
 ## creating authentication tokens
 
 - this will create a client keyring named media
@@ -58,3 +150,78 @@ this will overwrite the current capabilities of a given client.user
       mon 'allow r' \
       mds 'allow rw path=/' \
       osd 'allow rw pool=media_data'
+
+## adding a new osd on new node
+
+create the ceph conf (automate this?)
+
+    cat <<EOF | sudo tee /etc/ceph/ceph.conf
+    [global]
+      auth_client_required = cephx
+      auth_cluster_required = cephx
+      auth_service_required = cephx
+      fsid = de96a98f-3d23-465a-a899-86d3d67edab8
+      mon_allow_pool_delete = true
+      mon_initial_members = prodnxsr0009,prodnxsr0010,prodnxsr0011,prodnxsr0012,prodnxsr0013
+      mon_host = 198.18.23.9,198.18.23.10,198.18.23.11,198.18.23.12,198.18.23.13
+      ms_bind_ipv4 = true
+      ms_bind_ipv6 = false
+      osd_crush_chooseleaf_type = 1
+      osd_pool_default_min_size = 2
+      osd_pool_default_size = 3
+      osd_pool_default_pg_num = 128
+      public_network = 198.18.23.1/32,198.18.23.2/32,198.18.23.3/32,198.18.23.4/32,198.18.23.5/32,198.18.23.6/32,198.18.23.7/32,198.18.23.8/32,198.18.23.9/32,198.18.23.10/32,198.18.23.11/32,198.18.23.12/32,198.18.23.13/32
+    EOF
+
+ssh to one of the monitor hosts, then transfer the keys required
+
+    sudo cat /etc/ceph/ceph.client.admin.keyring | ssh prodnxsr0003 'sudo tee /etc/ceph/ceph.client.admin.keyring'
+    sudo cat /var/lib/ceph/bootstrap-osd/ceph.keyring | ssh prodnxsr0003 'sudo tee /var/lib/ceph/bootstrap-osd/ceph.keyring'
+
+assuming we are adding /dev/sda to the cluster, first zap the disk to remove partitions/lvm/metadata
+
+    sudo ceph-volume lvm zap /dev/sda --destroy
+
+then add it to the cluster
+
+    sudo ceph-volume lvm create --data /dev/sda
+
+## removing an osd
+
+check what OSD IDs were on this host (if you know it)
+
+    sudo ceph osd tree
+
+or check for any DOWN osds
+
+    sudo ceph osd stat
+    sudo ceph health detail
+
+once you identify the old OSD ID, remove it with these steps, replace X with the actual OSD ID:
+
+    sudo ceph osd out osd.X
+    sudo ceph osd down osd.X
+    sudo ceph osd crush remove osd.X
+    sudo ceph auth del osd.X
+    sudo ceph osd rm osd.X
+
+
+## maintenance mode for the cluster
+
+from one node in the cluster disable recovery
+
+    sudo ceph osd set noout
+    sudo ceph osd set nobackfill
+    sudo ceph osd set norecover
+    sudo ceph osd set norebalance
+    sudo ceph osd set nodown
+    sudo ceph osd set pause
+
+to undo the change, use unset
+
+    sudo ceph osd unset noout
+    sudo ceph osd unset nobackfill
+    sudo ceph osd unset norecover
+    sudo ceph osd unset norebalance
+    sudo ceph osd unset nodown
+    sudo ceph osd unset pause

hieradata/common.eyaml

@@ -1,6 +1,6 @@
 ---
 profiles::accounts::sysadmin::password: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoS7GyofFaXBNTWU+GtSiz4eCX/9j/sh3fDDRgOgNv1qpcQ87ZlTTenbHo9lxeURxKQ2HVVt7IsrBo/SC/WgipAKnliRkkIvo7nfAs+i+kEE8wakjAs0DcB4mhqtIZRuBkLG2Nay//DcG6cltVkbKEEKmKLMkDFZgTWreOZal8nDljpVe1S8QwtwP4/6hKTef5xsOnrisxuffWTXvwYJhj/VXrjdoH7EhtHGLybzEalglkVHEGft/WrrD/0bwJpmR0RegWI4HTsSvGiHgvf5DZJx8fXPZNPnicGtlfA9ccQPuVo17bY4Qf/WIc1A8Ssv4kHSbNIYJKRymI3UFb0Z4wzBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBBxDLb6pCGbittkcX6asd/gEBmMcUNupDjSECq5H09YA70eVwWWe0fBqxTxrr2cXCXtRKFvOk8SJmL0xHAWodaLN9+krTWHJcWbAK8JXEPC7rn]
-profiles::accounts::root::password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAM79PRxeAZHrDcSm4eSFqU94/LjuSbdUmJWivX/Pa8GumoW2e/PT9nGHW3p98zHthMgCglk52PECQ+TBKjxr+9dTyNK5ePG6ZJEqSHNRqsPGm+kfQj/hlTmq8vOBaFM5GapD1iTHs5JFbGngI56swKBEVXW9+Z37BjQb2xJuyLsu5Bo/tA0BaOKuCtjq1a6E38bOX+nJ+YF1uZgV9ofAEh1YvkcTmnEWYXFRPWd7AaNcWn03V2pfhGqxc+xydak620I47P+FE+qIY72+aQ6tmLU3X9vyA1HLF2Tv572l4a2i+YIk6nAgQdi+hQKznqNL9M9YV+s1AcmcKLT7cfLrjsjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCMWrdCWBQgtW3NOEpERwP+gBA3KDiqe4pQq6DwRfsEXQNZ]
+profiles::accounts::root::password: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAIgzGQLoHrm7JSnWG4vdAtxSuETmnqbV7kUsQS8WCRUwFGenDFkps+OGMnOGEHLzMJzXihLfgfdWwTAI4fp48M+zhTMo9TQkdzZqtbFk3+RjV2jDF0wfe4kVUIpReOq+EkaDSkoRSG8V6hWvszhDHUrJBC9eDhomL0f3xNAWxmy5EIX/uMEvg9Ux5YX+E6k2pEIKnHNoVIaWDojlofSIzIqTSS7l3jQtJhs3YqBzLL1DsoF1kdn+Rwl5kcsKkhV+vzl76wEbpYVZW8lu4bFfP6QHMLPcep2tuUDMCDvARRXD7YyZcAtS7aMuqll+BLAszpWxAA7EU2hgvdr6t2uyVCTCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ4D5oDoyE6LPdjpVtGPoJD4BwfnQ9ORjYFPvHQmt+lgU4jMqh6BhqP0VN3lqVfUpOmiVMIqkO/cYtlwVLKEg36TPCHBSpqvhuahSF5saCVr8JY3xWOAmTSgnNjQOPlGrPnYWYbuRLxVRsU+KUkpAzR0c6VN0wYi6bI85Pcv8yHF3UYA==]
 profiles::consul::client::secret_id_salt: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAS7pNFRX4onccFaR87zB/eFFORuF22j6xqjyeAqqjgEduYhkt6w5kkz+YfUoHUesU0Q6F2p6HrCSZ8yAsx5M25NCiud9P4hIpjKmOZ4zCNO7uhATh4AQDYw3BrdRwfO+c6jOl5wOiNLCfDBJ0sFT3akCvcuPS1xIoRJq4Gyn+uCbOsMbvSl25ld2xKt1/cqs8gc1d8mkpjwWto7t+qZSUFMCehTbehH3G4a3Q5rvfBoNwv42Wbs676BDcCurDaAzHNqE7pDbOWhGuVOBl+q+BU0Ri/CRkGcTViN9fr8Dc9SveVC6EPsMbw+05/8/NlfzQse3KAwQ34nR9tR2PQw5qEzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB7LywscQtF7cG2nomfEsu9gDDVqJBFP1jAX2eGZ2crYS5gnBcsRwhc0HNo2/WWdhZprMW+vEJOOGXDelI53NxA3o0=]
 profiles::consul::token::node_editor::secret_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAO8IIF2r18dFf0bVKEwjJUe1TmXHH0AIzsQHxkHwV7d37kvH1cY9rYw0TtdHn7GTxvotJG7GZbWvbunpBs1g2p2RPADiM6TMhbO8mJ0tAWLnMk7bQ221xu8Pc7KceqWmU17dmgNhVCohyfwJNqbA756TlHVgxGA0LtNrKoLOmgKGXAL1VYZoKEQnWq7xOpO+z3e1UfjoO6CvX/Od2hGYfUkHdro8mwRw4GFKzU7XeKFdAMUGpn5rVmY3xe+1ARXwGFaSrTHzk2n85pvwhPRlQ+OwqzyT19Qo2FNeAO6RoCRIFTtqbsjTWPUlseHIhw4Q5bHO1I0Mrlm5IHDESw/22IzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCEe9wD72qxnpeq5nCi/d7BgDCP29sDFObkFTabt2uZ/nF9MT1g+QOrrdFKgnG6ThnwH1hwpZPsSVgIs+yRQH8laB4=]
 profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=]

hieradata/common.yaml

@@ -129,6 +129,9 @@ lookup_options:
   profiles::ceph::client::keyrings:
     merge:
       strategy: deep
+  profiles::ceph::conf::config:
+    merge:
+      strategy: deep
   profiles::nginx::simpleproxy::locations:
     merge:
       strategy: deep
@@ -167,6 +170,12 @@ lookup_options:
   postfix::virtuals:
     merge:
       strategy: deep
+  stalwart::postgresql_password:
+    convert_to: Sensitive
+  stalwart::s3_secret_key:
+    convert_to: Sensitive
+  stalwart::fallback_admin_password:
+    convert_to: Sensitive
 
 facts_path: '/opt/puppetlabs/facter/facts.d'
 
@@ -398,6 +407,49 @@ profiles::ceph::conf::config:
       198.18.23.5/32,198.18.23.6/32,198.18.23.7/32,198.18.23.8/32,
       198.18.23.9/32,198.18.23.10/32,198.18.23.11/32,198.18.23.12/32,
       198.18.23.13/32
+  client.rgw.ausyd1nxvm2115:
+    rgw_realm: unkin
+    rgw_zonegroup: au
+    rgw_zone: syd1
+  client.rgw.ausyd1nxvm2116:
+    rgw_realm: unkin
+    rgw_zonegroup: au
+    rgw_zone: syd1
+  client.rgw.ausyd1nxvm2117:
+    rgw_realm: unkin
+    rgw_zonegroup: au
+    rgw_zone: syd1
+  client.rgw.ausyd1nxvm2118:
+    rgw_realm: unkin
+    rgw_zonegroup: au
+    rgw_zone: syd1
+  client.rgw.ausyd1nxvm2119:
+    rgw_realm: unkin
+    rgw_zonegroup: au
+    rgw_zone: syd1
+  mds:
+    keyring: /var/lib/ceph/mds/ceph-$id/keyring
+    mds_standby_replay: true
+  mds.prodnxsr0009-1:
+    host: prodnxsr0009
+  mds.prodnxsr0009-2:
+    host: prodnxsr0009
+  mds.prodnxsr0010-1:
+    host: prodnxsr0010
+  mds.prodnxsr0010-2:
+    host: prodnxsr0010
+  mds.prodnxsr0011-1:
+    host: prodnxsr0011
+  mds.prodnxsr0011-2:
+    host: prodnxsr0011
+  mds.prodnxsr0012-1:
+    host: prodnxsr0012
+  mds.prodnxsr0012-2:
+    host: prodnxsr0012
+  mds.prodnxsr0013-1:
+    host: prodnxsr0013
+  mds.prodnxsr0013-2:
+    host: prodnxsr0013
 
 #profiles::base::hosts::additional_hosts:
 #  - ip: 198.18.17.9

hieradata/country/au/region/syd1.yaml

@@ -5,3 +5,5 @@ profiles_dns_upstream_forwarder_unkin:
   - 198.18.19.15
 profiles_dns_upstream_forwarder_consul:
   - 198.18.19.14
+profiles_dns_upstream_forwarder_k8s:
+  - 198.18.19.20

hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml

@@ -11,6 +11,11 @@ profiles::haproxy::dns::vrrp_cnames:
   - fafflix.unkin.net
   - grafana.unkin.net
   - dashboard.ceph.unkin.net
+  - mail-webadmin.main.unkin.net
+  - mail-in.main.unkin.net
+  - mail.main.unkin.net
+  - autoconfig.main.unkin.net
+  - autodiscover.main.unkin.net
 
 profiles::haproxy::mappings:
   fe_http:
@@ -29,6 +34,9 @@ profiles::haproxy::mappings:
       - 'git.unkin.net be_gitea'
       - 'grafana.unkin.net be_grafana'
       - 'dashboard.ceph.unkin.net be_ceph_dashboard'
+      - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
+      - 'autoconfig.main.unkin.net be_stalwart_webadmin'
+      - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
   fe_https:
     ensure: present
     mappings:
@@ -45,6 +53,9 @@ profiles::haproxy::mappings:
       - 'git.unkin.net be_gitea'
       - 'grafana.unkin.net be_grafana'
       - 'dashboard.ceph.unkin.net be_ceph_dashboard'
+      - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
+      - 'autoconfig.main.unkin.net be_stalwart_webadmin'
+      - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
 
 profiles::haproxy::frontends:
   fe_http:
@@ -66,6 +77,9 @@ profiles::haproxy::frontends:
         - 'acl_gitea req.hdr(host) -i git.unkin.net'
         - 'acl_grafana req.hdr(host) -i grafana.unkin.net'
         - 'acl_ceph_dashboard req.hdr(host) -i dashboard.ceph.unkin.net'
+        - 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
+        - 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
+        - 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
         - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
       use_backend:
         - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -84,6 +98,7 @@ profiles::haproxy::frontends:
         - 'set-header X-Frame-Options DENY if acl_gitea'
         - 'set-header X-Frame-Options DENY if acl_grafana'
         - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
+        - 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
         - 'set-header X-Content-Type-Options nosniff'
         - 'set-header X-XSS-Protection 1;mode=block'
 
@@ -286,7 +301,83 @@ profiles::haproxy::backends:
         - add-header X-Forwarded-Proto https if { dst_port 9443 }
       redirect: 'scheme https if !{ ssl_fc }'
       stick-table: 'type ip size 200k expire 30m'
+  be_stalwart_webadmin:
+    description: Backend for Stalwart Webadmin
+    collect_exported: false # handled in custom function
+    options:
+      balance: roundrobin
+      option:
+        - httpchk GET /
+        - forwardfor
+        - http-keep-alive
+        - prefer-last-server
+      cookie: SRVNAME insert indirect nocache
+      http-reuse: always
+      http-check:
+        - expect status 200
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 9443 }
+      redirect: 'scheme https if !{ ssl_fc }'
+      stick-table: 'type ip size 200k expire 30m'
+  be_stalwart_imap:
+    description: Backend for Stalwart IMAP (STARTTLS)
+    collect_exported: false
+    options:
+      mode: tcp
+      balance: roundrobin
+      option:
+        - tcp-check
+        - prefer-last-server
+      stick-table: 'type ip size 200k expire 30m'
       stick: 'on src'
+      tcp-check:
+        - connect port 143 send-proxy
+        - expect string "* OK"
+        - send "A001 STARTTLS\r\n"
+        - expect rstring "A001 (OK|2.0.0)"
+  be_stalwart_imaps:
+    description: Backend for Stalwart IMAPS (implicit TLS)
+    collect_exported: false
+    options:
+      mode: tcp
+      balance: roundrobin
+      option:
+        - tcp-check
+        - prefer-last-server
+      stick-table: 'type ip size 200k expire 30m'
+      stick: 'on src'
+      tcp-check:
+        - connect ssl send-proxy
+        - expect string "* OK"
+  be_stalwart_smtp:
+    description: Backend for Stalwart SMTP
+    collect_exported: false
+    options:
+      mode: tcp
+      balance: roundrobin
+      option:
+        - tcp-check
+        - prefer-last-server
+      stick-table: 'type ip size 200k expire 30m'
+      stick: 'on src'
+      tcp-check:
+        - connect port 25 send-proxy
+        - expect string "220 "
+  be_stalwart_submission:
+    description: Backend for Stalwart SMTP Submission
+    collect_exported: false
+    options:
+      mode: tcp
+      balance: roundrobin
+      option:
+        - tcp-check
+        - prefer-last-server
+      stick-table: 'type ip size 200k expire 30m'
+      stick: 'on src'
+      tcp-check:
+        - connect port 587 send-proxy
+        - expect string "220 "
 
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
@@ -309,6 +400,7 @@ profiles::pki::vault::alt_names:
   - au-syd1-pve.main.unkin.net
   - au-syd1-pve-api.main.unkin.net
   - jellyfin.main.unkin.net
+  - mail-webadmin.main.unkin.net
 
 # additional cnames
 profiles::haproxy::dns::cnames:

hieradata/os/AlmaLinux/AlmaLinux8.yaml

@@ -7,17 +7,4 @@ profiles::packages::include:
 
 profiles::yum::global::repos:
   powertools:
-    name: powertools
-    descr: powertools repository
-    target: /etc/yum.repos.d/powertools.repo
-    baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
-    gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
-    mirrorlist: absent
-  unkin:
-    name: unkin
-    descr: unkin repository
-    target: /etc/yum.repos.d/unkin.repo
-    baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
-    gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
-    gpgcheck: false
-    mirrorlist: absent
+    ensure: present

hieradata/os/AlmaLinux/AlmaLinux9.yaml

@@ -3,34 +3,5 @@
 crypto_policies::policy: 'DEFAULT:SHA1'
 
 profiles::yum::global::repos:
-  baseos:
-    baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
-    gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
-    mirrorlist: absent
-  extras:
-    baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
-    gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
-    mirrorlist: absent
-  appstream:
-    baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
-    gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
-    mirrorlist: absent
-  highavailability:
-    baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
-    gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
-    mirrorlist: absent
   crb:
-    name: crb
-    descr: crb repository
-    target: /etc/yum.repos.d/crb.repo
-    baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
-    gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
-    mirrorlist: absent
-  unkin:
-    name: unkin
-    descr: unkin repository
-    target: /etc/yum.repos.d/unkin.repo
-    baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
-    gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
-    gpgcheck: false
-    mirrorlist: absent
+    ensure: present

hieradata/os/AlmaLinux/all_releases.yaml

@@ -23,36 +23,52 @@ profiles::yum::global::repos:
     name: baseos
     descr: baseos repository
     target: /etc/yum.repos.d/baseos.repo
-    baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
-    gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
     mirrorlist: absent
   extras:
     name: extras
     descr: extras repository
     target: /etc/yum.repos.d/extras.repo
-    baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
-    gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
     mirrorlist: absent
   appstream:
     name: appstream
     descr: appstream repository
     target: /etc/yum.repos.d/appstream.repo
-    baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
-    gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
     mirrorlist: absent
   highavailability:
     name: highavailability
     descr: highavailability repository
     target: /etc/yum.repos.d/highavailability.repo
-    baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
-    gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+    mirrorlist: absent
+  crb:
+    ensure: absent
+    name: crb
+    descr: crb repository
+    target: /etc/yum.repos.d/crb.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
+    mirrorlist: absent
+  powertools:
+    ensure: absent
+    name: powertools
+    descr: powertools repository
+    target: /etc/yum.repos.d/powertools.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
     mirrorlist: absent
   epel:
     name: epel
     descr: epel repository
     target: /etc/yum.repos.d/epel.repo
-    baseurl: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/
-    gpgkey: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
     mirrorlist: absent
   unkinben:
     name: unkinben
@@ -62,3 +78,193 @@ profiles::yum::global::repos:
     gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
     gpgcheck: false
     mirrorlist: absent
+
+  # Additional repositories - default to absent, roles can override with ensure: present
+  # FRRouting repositories
+  frr-extras:
+    ensure: absent
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/frr/el%{facts.os.release.major}/extras
+    gpgcheck: false
+    mirrorlist: absent
+  frr-stable:
+    ensure: absent
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/frr/el%{facts.os.release.major}/frr
+    gpgcheck: false
+    mirrorlist: absent
+
+  # PostgreSQL repositories
+  postgresql-15:
+    ensure: absent
+    name: postgresql-15
+    descr: postgresql-15 repository
+    target: /etc/yum.repos.d/postgresql.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/15/redhat/rhel-%{facts.os.release.major}-%{facts.os.architecture}
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/keys/PGDG-RPM-GPG-KEY-RHEL
+  postgresql-17:
+    ensure: absent
+    name: postgresql-17
+    descr: postgresql-17 repository
+    target: /etc/yum.repos.d/postgresql.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/17/redhat/rhel-%{facts.os.release.major}-%{facts.os.architecture}
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/keys/PGDG-RPM-GPG-KEY-RHEL
+  postgresql-common:
+    ensure: absent
+    name: postgresql-common
+    descr: postgresql-common repository
+    target: /etc/yum.repos.d/postgresql.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/common/redhat/rhel-%{facts.os.release.major}-%{facts.os.architecture}
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/postgresql/keys/PGDG-RPM-GPG-KEY-RHEL
+
+  # Ceph repositories
+  ceph:
+    ensure: absent
+    name: ceph
+    descr: ceph repository
+    target: /etc/yum.repos.d/ceph.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/ceph-reef/el%{facts.os.release.major}/%{facts.os.architecture}
+    gpgcheck: false
+    mirrorlist: absent
+  ceph-noarch:
+    ensure: absent
+    name: ceph-noarch
+    descr: ceph noarch repository
+    target: /etc/yum.repos.d/ceph.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/ceph-reef/el%{facts.os.release.major}/noarch
+    gpgcheck: false
+    mirrorlist: absent
+
+  # Rancher RKE2 repositories
+  rancher-rke2-common-latest:
+    ensure: absent
+    name: rancher-rke2-common
+    descr: rancher-rke2-common repository
+    target: /etc/yum.repos.d/rancher-rke2-common.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/rke2/rke2/latest/common/centos/%{facts.os.release.major}/noarch
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/rke2/public.key
+    gpgcheck: 1
+    mirrorlist: absent
+  rancher-rke2-1-33-latest:
+    ensure: absent
+    name: rancher-rke2-1.33-latest
+    descr: rancher-rke2-1.33-latest repository
+    target: /etc/yum.repos.d/rancher-rke2.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/rke2/rke2/latest/1.33/centos/%{facts.os.release.major}/%{facts.os.architecture}
+    gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/rke2/public.key
+    gpgcheck: 1
+    mirrorlist: absent
+
+  # CentOS repositories for legacy systems
+  centos_8_advanced_virtualization:
+    ensure: absent
+    name: centos_8_advanced_virtualization
+    descr: centos_8_advanced_virtualization repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/virt/x86_64/advanced-virtualization
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Virtualization
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_ceph_pacific:
+    ensure: absent
+    name: centos_8_ceph_pacific
+    descr: centos_8_ceph_pacific repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/storage/x86_64/ceph-pacific
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Storage
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_rabbitmq_38:
+    ensure: absent
+    name: centos_8_rabbitmq_38
+    descr: centos_8_rabbitmq_38 repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/messaging/x86_64/rabbitmq-38
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Messaging
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_nfv_openvswitch:
+    ensure: absent
+    name: centos_8_nfv_openvswitch
+    descr: centos_8_nfv_openvswitch repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/nfv/x86_64/openvswitch-2
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-NFV
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_openstack_xena:
+    ensure: absent
+    name: centos_8_openstack_xena
+    descr: centos_8_openstack_xena repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/cloud/x86_64/openstack-xena
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Cloud
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_opstools:
+    ensure: absent
+    name: centos_8_opstools
+    descr: centos_8_opstools repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/opstools/x86_64/collectd-5
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-OpsTools
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_ovirt45:
+    ensure: absent
+    name: centos_8_ovirt45
+    descr: centos_8_ovirt45 repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8/virt/x86_64/ovirt-45
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Virtualization
+    gpgcheck: 1
+    mirrorlist: absent
+  centos_8_stream_gluster10:
+    ensure: absent
+    name: centos_8_stream_gluster10
+    descr: centos_8_stream_gluster10 repository
+    target: /etc/yum.repos.d/centos.repo
+    baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10
+    gpgkey: http://edgecache.query.consul/centos/RPM-GPG-KEY-CentOS-SIG-Storage
+    gpgcheck: 1
+    mirrorlist: absent
+
+  # Additional repositories
+  zfs-kmod:
+    ensure: absent
+    name: zfs-kmod
+    descr: zfs-kmod repository
+    target: /etc/yum.repos.d/zfs.repo
+    baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/zfs/epel/%{facts.os.release.major}/kmod/%{facts.os.architecture}/
+    gpgcheck: false
+    mirrorlist: absent
+  rpmfusion-free:
+    ensure: absent
+    name: rpmfusion-free
+    descr: rpmfusion-free repository
+    target: /etc/yum.repos.d/rpmfusion-free.repo
+    baseurl: https://packagerepo.service.consul/rpmfusion-free-el%{facts.os.release.major}-%{facts.os.architecture}/
+    gpgkey: https://packagerepo.service.consul/rpmfusion-free-el%{facts.os.release.major}-%{facts.os.architecture}/repodata/repomd.xml.key
+    gpgcheck: 1
+    mirrorlist: absent
+  rpmfusion-nonfree:
+    ensure: absent
+    name: rpmfusion-nonfree
+    descr: rpmfusion-nonfree repository
+    target: /etc/yum.repos.d/rpmfusion-nonfree.repo
+    baseurl: https://packagerepo.service.consul/rpmfusion-nonfree-el%{facts.os.release.major}-%{facts.os.architecture}/
+    gpgkey: https://packagerepo.service.consul/rpmfusion-nonfree-el%{facts.os.release.major}-%{facts.os.architecture}/repodata/repomd.xml.key
+    gpgcheck: 1
+    mirrorlist: absent
+  unkin:
+    name: unkin
+    descr: unkin repository
+    target: /etc/yum.repos.d/unkin.repo
+    baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el%{facts.os.release.major}
+    gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
+    gpgcheck: false
+    mirrorlist: absent

hieradata/roles/apps/media.yaml

@@ -3,13 +3,8 @@ hiera_include:
   - profiles::nginx::simpleproxy
 
 profiles::yum::global::repos:
-  ceph-reef:
-    name: ceph-reef
-    descr: ceph reef repository
-    target: /etc/yum.repos.d/ceph-reef.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgcheck: 0,
-    mirrorlist: absent
+  ceph:
+    ensure: present
 
 profiles::ceph::client::keyrings:
   media:

hieradata/roles/apps/media/jellyfin.yaml

@@ -54,24 +54,8 @@ profiles::consul::client::node_rules:
 
 profiles::yum::global::repos:
   rpmfusion-free:
-    name: rpmfusion-free
-    descr: rpmfusion-free repository
-    target: /etc/yum.repos.d/rpmfusion.repo
-    baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
-    mirrorlist: absent
+    ensure: present
   rpmfusion-nonfree:
-    name: rpmfusion-nonfree
-    descr: rpmfusion-nonfree repository
-    target: /etc/yum.repos.d/rpmfusion.repo
-    baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
-    mirrorlist: absent
+    ensure: present
   unkinben:
-    name: unkinben
-    descr: unkinben repository
-    target: /etc/yum.repos.d/unkin.repo
-    baseurl: https://git.query.consul/api/packages/unkinben/rpm/el8
-    gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
-    gpgcheck: false
-    mirrorlist: absent
+    ensure: present

hieradata/roles/apps/media/nzbget.yaml

@@ -72,16 +72,6 @@ profiles::consul::client::node_rules:
 
 profiles::yum::global::repos:
   rpmfusion-free:
-    name: rpmfusion-free
-    descr: rpmfusion-free repository
-    target: /etc/yum.repos.d/rpmfusion.repo
-    baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
-    mirrorlist: absent
+    ensure: present
   rpmfusion-nonfree:
-    name: rpmfusion-nonfree
-    descr: rpmfusion-nonfree repository
-    target: /etc/yum.repos.d/rpmfusion.repo
-    baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
-    mirrorlist: absent
+    ensure: present

hieradata/roles/ceph.yaml

@@ -31,30 +31,10 @@ frrouting::daemons:
 # additional repos
 profiles::yum::global::repos:
   ceph:
-    name: ceph
-    descr: ceph repository
-    target: /etc/yum.repos.d/ceph.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
+    ensure: present
   ceph-noarch:
-    name: ceph-noarch
-    descr: ceph-noarch repository
-    target: /etc/yum.repos.d/ceph-noarch.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
+    ensure: present
   frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present

hieradata/roles/infra/auth/glauth.yaml

@@ -66,6 +66,9 @@ glauth::users:
       - 20025   # jupyterhub_admin
       - 20026   # jupyterhub_user
       - 20027   # grafana_user
+      - 20028   # k8s/au/syd1 operator
+      - 20029   # k8s/au/syd1 admin
+      - 20030   # k8s/au/syd1 root
     loginshell: '/bin/bash'
     homedir: '/home/benvin'
     passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -223,6 +226,24 @@ glauth::users:
     loginshell: '/bin/bash'
     homedir: '/home/debvin'
     passsha256: 'cdac05ddb02e665d4ea65a974995f38a10236bc158731d92d78f6cde89b294a1'
+  jassol:
+    user_name: 'jassol'
+    givenname: 'Jason'
+    sn: 'Solomon'
+    mail: 'jassol@users.main.unkin.net'
+    uidnumber: 20010
+    primarygroup: 20000
+    othergroups:
+      - 20010 # jelly
+      - 20011 # sonarr
+      - 20012 # radarr
+      - 20013 # lidarr
+      - 20014 # readarr
+      - 20016 # nzbget
+      - 20027 # grafana user
+    loginshell: '/bin/bash'
+    homedir: '/home/jassol'
+    passsha256: 'd8e215d3c94b954e1318c9c7243ce72713f2fb1d006037724fe857c1fb7e88e9'
 
 glauth::services:
   svc_jellyfin:
@@ -367,3 +388,12 @@ glauth::groups:
   grafana_user:
     group_name: 'grafana_user'
     gidnumber: 20027
+  kubernetes_au_syd1_cluster_operator:
+    group_name: 'kubernetes_au_syd1_cluster_operator'
+    gidnumber: 20028
+  kubernetes_au_syd1_cluster_admin:
+    group_name: 'kubernetes_au_syd1_cluster_admin'
+    gidnumber: 20029
+  kubernetes_au_syd1_cluster_root:
+    group_name: 'kubernetes_au_syd1_cluster_root'
+    gidnumber: 20030

hieradata/roles/infra/ceph/rgw.yaml

@@ -18,19 +18,9 @@ profiles::pki::vault::alt_names:
 # additional repos
 profiles::yum::global::repos:
   ceph:
-    name: ceph
-    descr: ceph repository
-    target: /etc/yum.repos.d/ceph.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
+    ensure: present
   ceph-noarch:
-    name: ceph-noarch
-    descr: ceph-noarch repository
-    target: /etc/yum.repos.d/ceph-noarch.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
+    ensure: present
 
 # manage a simple nginx reverse proxy
 profiles::nginx::simpleproxy::nginx_vhost: 'radosgw.service.consul'
@@ -38,7 +28,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
   - radosgw.service.au-syd1.consul
 profiles::nginx::simpleproxy::proxy_port: 7480
 profiles::nginx::simpleproxy::proxy_path: '/'
-nginx::client_max_body_size: 100M
+nginx::client_max_body_size: 5000M
 
 # manage consul service
 consul::services:

hieradata/roles/infra/cobbler/server.yaml

@@ -57,19 +57,9 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el%{facts.os.release.major}/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el%{facts.os.release.major}/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el%{facts.os.release.major}/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el%{facts.os.release.major}/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
 
 # cobbler settings
 profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'

hieradata/roles/infra/dhcp/server.yaml

@@ -41,19 +41,9 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
 
 profiles::dhcp::server::ntpservers:
   - 0.au.pool.ntp.org

hieradata/roles/infra/dns/externaldns.eyaml

@@ -0,0 +1,2 @@
+---
+externaldns::externaldns_key_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEABqbZiK1NDTU+w2k7orz2HrB0EXwun7hn4pR6TeCHMp2IfrkPxlQT+f1J9c0PqJaAKvnyz+Cx0xNCrlnONqk+J57f48kYKYV+Vw+L0AYHYFj8/TizY5CwLpJS2XKyfRd4iEsWMonvfIYn71t3+YuXm4dkoEqGekW93qCr/KFtjAu0K3e+ypyl4EJqWokiUs7IbcSBNvrjUkP4yR8F/wHVKM1E5yfr+D1+nmMmt7Ob/J+am14492TppE2C7Xadg4us+kdYtuBsv9kTSi1GwwqUDjbeJVmfK3pKHjXdF+PI07AFLzo5bBZTJOzQfQ4SywpH8R5BDQoUCyHiaskB5wrmSDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB2LU9ZhefSg9PqqkwnfV65gDBvXuXco0moKCGjHqm5KcojWCK1BoS/+mltlr8kw9grZjN9jxHRLn1FjgBlq418c8w=]

hieradata/roles/infra/dns/externaldns.yaml

@@ -0,0 +1,55 @@
+---
+hiera_include:
+  - externaldns
+  - frrouting
+  - exporters::frr_exporter
+
+externaldns::bind_master_hostname: 'ausyd1nxvm2127.main.unkin.net'
+externaldns::k8s_zones:
+  - 'k8s.syd1.au.unkin.net'
+  - '200.18.198.in-addr.arpa'
+externaldns::slave_servers:
+  - 'ausyd1nxvm2128.main.unkin.net'
+  - 'ausyd1nxvm2129.main.unkin.net'
+externaldns::externaldns_key_algorithm: 'hmac-sha256'
+
+# networking
+anycast_ip: 198.18.19.20
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+exporters::frr_exporter::enable: true
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# consul
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: frr_exporter
+    disposition: write
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    ensure: present
+  frr-stable:
+    ensure: present

hieradata/roles/infra/dns/master.yaml

@@ -200,16 +200,6 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present

hieradata/roles/infra/dns/resolver.yaml

@@ -82,6 +82,11 @@ profiles::dns::resolver::zones:
       - 10.10.16.32
       - 10.10.16.33
     forward: 'only'
+  k8s.syd1.au.unkin.net-forward:
+    domain: 'k8s.syd1.au.unkin.net'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_k8s')}"
+    forward: 'only'
   unkin.net-forward:
     domain: 'unkin.net'
     zone_type: 'forward'
@@ -172,6 +177,11 @@ profiles::dns::resolver::zones:
     zone_type: 'forward'
     forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
     forward: 'only'
+  200.18.198.in-addr.arpa-forward:
+    domain: '200.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_k8s')}"
+    forward: 'only'
   consul-forward:
     domain: 'consul'
     zone_type: 'forward'
@@ -188,6 +198,7 @@ profiles::dns::resolver::views:
       - network.unkin.net-forward
       - prod.unkin.net-forward
       - consul-forward
+      - k8s.syd1.au.unkin.net-forward
       - 13.18.198.in-addr.arpa-forward
       - 14.18.198.in-addr.arpa-forward
       - 15.18.198.in-addr.arpa-forward
@@ -250,16 +261,6 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present

hieradata/roles/infra/git/runner.yaml

@@ -8,9 +8,9 @@ docker::version: latest
 docker::curl_ensure: false
 docker::root_dir: /data/docker
 
+profiles::gitea::runner::instance: https://git.unkin.net
 profiles::gitea::runner::home: /data/runner
-profiles::gitea::runner::version: '0.2.10'
-profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
+profiles::gitea::runner::version: '0.2.12'
 profiles::gitea::runner::config:
   log:
     level: info

hieradata/roles/infra/git/server.yaml

@@ -71,7 +71,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
 
 profiles::nginx::simpleproxy::proxy_port: 3000
 profiles::nginx::simpleproxy::proxy_path: '/'
-nginx::client_max_body_size: 1024M
+nginx::client_max_body_size: 5144M
 
 # enable external access via haproxy
 profiles::gitea::haproxy::enable: true

hieradata/roles/infra/halb/haproxy2.yaml

@@ -35,19 +35,9 @@ frrouting::daemons:
 # additional repos
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
 
 # haproxy metrics
 consul::services:
@@ -163,6 +153,50 @@ profiles::haproxy::frontends:
         - 'set-header X-Forwarded-Proto https'
         - 'set-header X-Real-IP %[src]'
         - 'use-service prometheus-exporter if { path /metrics }'
+  fe_imap:
+    description: 'Frontend for Stalwart IMAP (STARTTLS)'
+    bind:
+      0.0.0.0:143: []
+    mode: 'tcp'
+    options:
+      log: global
+      default_backend: be_stalwart_imap
+      tcp-request:
+        - inspect-delay 5s
+        - content accept if { req_len 0 }
+  fe_imaps:
+    description: 'Frontend for Stalwart IMAPS (implicit TLS)'
+    bind:
+      0.0.0.0:993: []
+    mode: 'tcp'
+    options:
+      log: global
+      default_backend: be_stalwart_imaps
+      tcp-request:
+        - inspect-delay 5s
+        - content accept if { req_len 0 }
+  fe_smtp:
+    description: 'Frontend for Stalwart SMTP'
+    bind:
+      0.0.0.0:25: []
+    mode: 'tcp'
+    options:
+      log: global
+      default_backend: be_stalwart_smtp
+      tcp-request:
+        - inspect-delay 5s
+        - content accept if { req_len 0 }
+  fe_submission:
+    description: 'Frontend for Stalwart SMTP Submission'
+    bind:
+      0.0.0.0:587: []
+    mode: 'tcp'
+    options:
+      log: global
+      default_backend: be_stalwart_submission
+      tcp-request:
+        - inspect-delay 5s
+        - content accept if { req_len 0 }
 
 profiles::haproxy::backends:
   be_letsencrypt:

hieradata/roles/infra/incus/node.yaml

@@ -85,40 +85,15 @@ profiles::consul::client::node_rules:
 # additional repos
 profiles::yum::global::repos:
   ceph:
-    name: ceph
-    descr: ceph repository
-    target: /etc/yum.repos.d/ceph.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
+    ensure: present
   ceph-noarch:
-    name: ceph-noarch
-    descr: ceph-noarch repository
-    target: /etc/yum.repos.d/ceph-noarch.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
+    ensure: present
   frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   zfs-kmod:
-    name: zfs-kmod
-    descr: zfs-kmod repository
-    target: /etc/yum.repos.d/zfs-kmod.repo
-    baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
-    mirrorlist: absent
+    ensure: present
 
 # dns
 profiles::dns::base::primary_interface: loopback0

hieradata/roles/infra/k8s.yaml

@@ -47,47 +47,17 @@ profiles::ceph::client::mons:
 # additional repos
 profiles::yum::global::repos:
   ceph:
-    name: ceph
-    descr: ceph repository
-    target: /etc/yum.repos.d/ceph.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
+    ensure: present
   ceph-noarch:
-    name: ceph-noarch
-    descr: ceph-noarch repository
-    target: /etc/yum.repos.d/ceph-noarch.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
+    ensure: present
   frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   rancher-rke2-common-latest:
-    name: rancher-rke2-common-latest
-    descr: rancher-rke2-common-latest
-    target: /etc/yum.repos.d/rke2-common.repo
-    baseurl: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/common-daily/x86_64/os/
-    gpgkey: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/common-daily/x86_64/os/public.key
-    mirrorlist: absent
+    ensure: present
   rancher-rke2-1-33-latest:
-    name: rancher-rke2-1-33-latest
-    descr: rancher-rke2-1-33-latest
-    target: /etc/yum.repos.d/rke2-1-33.repo
-    baseurl: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/1.33-daily/x86_64/os/
-    gpgkey: https://packagerepo.service.consul/rke2/rhel%{facts.os.release.major}/1.33-daily/x86_64/os/public.key
-    mirrorlist: absent
+    ensure: present
 
 # dns
 profiles::dns::base::primary_interface: loopback0

hieradata/roles/infra/k8s/control.yaml

@@ -3,9 +3,6 @@
 rke2::node_type: server
 rke2::helm_install: true
 rke2::helm_repos:
-  rancher-stable: https://releases.rancher.com/server-charts/stable
-  purelb: https://gitlab.com/api/v4/projects/20400619/packages/helm/stable
-  jetstack: https://charts.jetstack.io
   harbor: https://helm.goharbor.io
   traefik: https://traefik.github.io/charts
   hashicorp: https://helm.releases.hashicorp.com
@@ -58,6 +55,12 @@ consul::services:
         tcp: "%{hiera('networking_loopback0_ip')}:9345"
         interval: '10s'
         timeout: '1s'
+      - id: 'rke2_server_ping_check'
+        name: 'rke2 Server Ping Check'
+        http: "https://%{hiera('networking_loopback0_ip')}:9345/ping"
+        interval: '10s'
+        timeout: '3s'
+        tls_skip_verify: true
 profiles::consul::client::node_rules:
   - resource: service
     segment: api-k8s

hieradata/roles/infra/k8s/node.yaml

@@ -47,47 +47,17 @@ profiles::ceph::client::mons:
 # additional repos
 profiles::yum::global::repos:
   ceph:
-    name: ceph
-    descr: ceph repository
-    target: /etc/yum.repos.d/ceph.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
+    ensure: present
   ceph-noarch:
-    name: ceph-noarch
-    descr: ceph-noarch repository
-    target: /etc/yum.repos.d/ceph-noarch.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
-    gpgkey: https://download.ceph.com/keys/release.asc
-    mirrorlist: absent
+    ensure: present
   frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   rancher-rke2-common-latest:
-    name: rancher-rke2-common-latest
-    descr: rancher-rke2-common-latest
-    target: /etc/yum.repos.d/rke2-common.repo
-    baseurl: https://rpm.rancher.io/rke2/latest/common/centos/%{facts.os.release.major}/noarch
-    gpgkey: https://rpm.rancher.io/public.key
-    mirrorlist: absent
+    ensure: present
   rancher-rke2-1-33-latest:
-    name: rancher-rke2-1-33-latest
-    descr: rancher-rke2-1-33-latest
-    target: /etc/yum.repos.d/rke2-1-33.repo
-    baseurl: https://rpm.rancher.io/rke2/latest/1.33/centos/%{facts.os.release.major}/x86_64
-    gpgkey: https://rpm.rancher.io/public.key
-    mirrorlist: absent
+    ensure: present
 
 # dns
 profiles::dns::base::primary_interface: loopback0

hieradata/roles/infra/logs/vlinsert.yaml

@@ -14,6 +14,8 @@ victorialogs::node::options:
   envflag.enable: 'true'
   select.disable: 'undef'
   storageNode.tls: 'undef'
+  syslog.listenAddr.tcp: ':21514'
+  syslog.timezone: 'Australia/Sydney'
   storageNode:
     - ausyd1nxvm2108.main.unkin.net:9428
     - ausyd1nxvm2109.main.unkin.net:9428
@@ -45,7 +47,20 @@ consul::services:
         tls_skip_verify: true
         interval: '10s'
         timeout: '1s'
+  syslog:
+    service_name: 'syslog'
+    address: "%{facts.networking.ip}"
+    port: 21514
+    checks:
+      - id: 'vlinsert_syslog_tcp_check'
+        name: 'VictoriaLogs Syslog TCP Check'
+        tcp: "%{facts.networking.fqdn}:21514"
+        interval: '30s'
+        timeout: '5s'
 profiles::consul::client::node_rules:
   - resource: service
     segment: vlinsert
     disposition: write
+  - resource: service
+    segment: syslog
+    disposition: write

hieradata/roles/infra/mail.yaml

@@ -1,20 +0,0 @@
----
-
-# Common mail server configuration
-
-# base postfix configuration (passed to postfix class)
-postfix::relayhost: 'direct'
-postfix::myorigin: 'main.unkin.net'
-postfix::manage_aliases: true
-
-# Common postfix virtuals for all mail servers
-postfix::virtuals:
-  'root':
-    ensure: present
-    destination: 'ben@main.unkin.net'
-  'postmaster':
-    ensure: present
-    destination: 'ben@main.unkin.net'
-  'abuse':
-    ensure: present
-    destination: 'ben@main.unkin.net'

hieradata/roles/infra/mail/backend.eyaml

@@ -0,0 +1,5 @@
+---
+profiles::sql::postgresdb::dbpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEZkKX2ThGom2PffofEuRBHbyiq68PCsq0+19eSa02fpVPKgZ/5BEjzBhwvrt0BWZWsjYGhccFQ69DR+lTuqS50GcRSAiNQ2LDX2a3J1pu39oIKsNVmcJTza0f5T0VeI3A7sZkn7jL+NVz5ANp8V0EMfAjaduGQ7Jac+8dBsvTrLbJ+1AZVrjaKPxOI1+5tpE7qx35mM0oDVy0NwmlaVf8vbK6jyzyUJRs4Sb+mpioPi5sDxHgClzsQnu93HqqAIqR5UzsUv7MDMljOGYUF5ITyPU836I1LEZ9UfiVO7AikQ3A31LaSUWvwsxRHKxiQXJ7v6W/O+Nt3jdIR0eoqC5xTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC11+SUDLmz6bBrGyfYT9DPgDB3UhuhJ3kUruMTdRCW0Y6hoSBBQYCO+ZRFJToGTkz/BcxVw2Xtwjc7UmKmLodsDAo=]
+stalwart::s3_access_key: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAm1fkuVcAt4UKFnpljH0o3eb3x1r2ieEU4NUzuSx8DDdOv4rh8rkqghPGn1xs6LGd9zLprc9ZWFowXCP4I2L0gZ4PekI04rV4lL02xYechIah1JAntdwECEks7rmI4BbPabIUIkaHW4i/WtntRNvv38g9JjiWrvOoJSABEsiIVZL0ct6NykLgQk27r4rcP8j7ukNQqPCAA02d4y9CB/5g6RKtYkv6FwZfLA/rFTUIXhKJsNtTa9Gm1yhvb/Y859X4qvsSFymCm/B8+2Bz5H57lE0r6xOBBBS5PfpeQ2YRxmedlkj0HxRFpl2e1W94OazMbbI6dlXa5ceHqHXDZL78EzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDhiBSQPgE+fwD1Y9Gc1wQ3gCCGeGdA4BKCvIhYaQmzv9wUFuNaO75qHrub0vY8Od1ilQ==]
+stalwart::s3_secret_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdFOGR2axfPIksXExnW8vAZBSBm8V/QqPtIMtuzleDLOGsOuyLgJAbHPZJoj/w5bBV9bBKMGfWs94GGbKZ2PafiJeCtqfFJnUAIpVBTZ5cfUhQXERAHcketMvKUi1J8jKLSFc9I3uTjIVcIasjk0oe7WmCPnoikjl1qJZ/lVDH0cXHevjMuohxEyyka5jzC0ixCOkxyqOV2LOqSc6J5d0WSsSWqw0lDmY7vJAtqNtH6y6ghKZo5zdLQOsF2Bseg3oVejRNqYwfUsaDnfiRwJS/Rm/TmtXb4i6Jn8coYplDaJHtxQSXJ+KvOy6LS7M8X5sQ/UZSRqcwM647Yg4pwVWqDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBKBF7hTs0e0FKdRpFYbx4kgDB0xkNe78n6VLbUTHX7vTw6J+K/mxf+XCV95/EIkvBbWBYuU8ZMHNQKMEExmci4C4o=]
+stalwart::fallback_admin_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAMp9wmIhRwj5kxfUcvc+/q/oUs/vBhSqP19ZfErM4vLDK20VOBTnPhSP2lfVh9pqO0c2hpWFeuqBWMynghO+HUBJfAn29Vrc8a9iSBxQ3XuF/uiRq1inOKCQpdsU18TyCrYV9AJFNf9U20JuUoav79m7EKLHS07PHAZ0osqIYy93eXdCFhwXAGHijp4wMMQz/5z1F1mZoSrc1cXe3y8iBeAvvjnRfpw14gOKZBjmEGUbo7AIyc3wax5hbOQYf/v+Hd90JarvAufxGytg9WKO20cChWYbmYDnIkytVt3vHdHf4RT8M635l6qwLr/70O1MdE7bkrVRKP8M3KLyH072pJTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDSJwptBDvPd0WpxiIovZsjgDBBwesNW+UNo4b0idhyqsyWL2rtO7wLStWHgUIvRFJACCrTKKqlu7sta6mhu/ZsnF0=]

hieradata/roles/infra/mail/backend.yaml

@@ -1,87 +1,46 @@
 ---
+hiera_include:
+  - stalwart
+  - profiles::sql::postgresdb
+  - profiles::stalwart::haproxy
+
 # additional altnames
 profiles::pki::vault::alt_names:
   - mail.main.unkin.net
+  - mail-webadmin.main.unkin.net
+  - main-in.main.unkin.net
+  - autoconfig.main.unkin.net
+  - autodiscovery.main.unkin.net
 
-# manage dovecot
-dovecot::install::packages:
-  - dovecot
-  - dovecot-pgsql
-profiles::dovecot::server::maildir_path: "%{hiera('profiles::postfix::gateway::virtual_mailbox_base')}"
+# manage a pgsql database + user
+profiles::sql::postgresdb::cluster_name: "patroni-shared-%{facts.environment}"
+profiles::sql::postgresdb::dbname: stalwart
+profiles::sql::postgresdb::dbuser: stalwart
 
-#dovecot::config:
-#  auth.conf:
-#    values:
-#      auth_mechanisms: 'plain login'
-#      auth_username_format: '%Lu'
-#      auth_default_realm: 'main.unkin.net'
-#  auth-vmail.conf:
-#    values:
-#      passdb: |
-#        {
-#          driver = pam
-#        }
-#      userdb: |
-#        {
-#          driver = passwd
-#          override_fields = uid=vmail gid=vmail home=/shared/apps/maildata/%u
-#        }
-#  mail.conf:
-#    values:
-#      mail_plugins: '$mail_plugins'
-#      namespace inbox: |
-#        {
-#          inbox = yes
-#          location =
-#          mailbox Drafts {
-#            special_use = \Drafts
-#          }
-#          mailbox Junk {
-#            special_use = \Junk
-#          }
-#          mailbox Sent {
-#            special_use = \Sent
-#          }
-#          mailbox "Sent Messages" {
-#            special_use = \Sent
-#          }
-#          mailbox Trash {
-#            special_use = \Trash
-#          }
-#        }
-#    sections:
-#      - name: 'namespace inbox'
-#        values:
-#          'inbox': 'yes'
-#          'seperator': '.'
-#          'prefix': 'INBOX'
+# export backends to haproxy
+profiles::stalwart::haproxy::enable: true
 
-# backend-specific postfix configuration
-postfix::mydestination: 'localhost'
-postfix::mynetworks: '127.0.0.0/8 [::1]/128 10.10.12.0/24'
-postfix::smtp_listen: ['0.0.0.0', '::']
-postfix::use_dovecot_lda: true        # use built-in dovecot LDA support
-postfix::mail_user: 'vmail:vmail'
-profiles::postfix::gateway::enable_postscreen: false  # disable postscreen (backend doesn't need it)
-profiles::postfix::gateway::myhostname: 'mail.main.unkin.net'
-profiles::postfix::gateway::enable_dovecot: true    # enable dovecot integration
-profiles::postfix::gateway::virtual_mailbox_domains:
-  - 'main.unkin.net'
-profiles::postfix::gateway::virtual_mailbox_base: '/shared/apps/maildata'
+# Cluster role for node discovery
+stalwart::cluster_role: "%{facts.enc_role}"
 
-profiles::postfix::gateway::virtual_mailbox_maps:
-  'ben@main.unkin.net': 'main.unkin.net/ben/'
-  'root@main.unkin.net': 'main.unkin.net/ben/'
-  'postmaster@main.unkin.net': 'main.unkin.net/ben/'
-  'abuse@main.unkin.net': 'main.unkin.net/ben/'
+# PostgreSQL connection
+stalwart::postgresql_host: "master.%{hiera('profiles::sql::postgresdb::cluster_name')}.service.%{facts.country}-%{facts.region}.consul"
+stalwart::postgresql_database: "%{hiera('profiles::sql::postgresdb::dbname')}"
+stalwart::postgresql_user: "%{hiera('profiles::sql::postgresdb::dbuser')}"
+stalwart::postgresql_password: "%{hiera('profiles::sql::postgresdb::dbpass')}"
 
-profiles::postfix::gateway::smtpd_client_restrictions:
-  - 'permit_mynetworks'
-  - 'reject_unauth_destination'
-profiles::postfix::gateway::smtpd_sender_restrictions:
-  - 'permit_mynetworks'
-  - 'reject_non_fqdn_sender'
-profiles::postfix::gateway::smtpd_recipient_restrictions:
-  - 'permit_mynetworks'
-  - 'reject_non_fqdn_recipient'
-  - 'reject_unauth_destination'
+# S3/Ceph-RGW connection
+stalwart::s3_endpoint: 'https://radosgw.service.consul'
+stalwart::s3_bucket: 'stalwart-maildata'
+stalwart::s3_region: "%{facts.region}"
+
+# Domains and relay
+stalwart::domains:
+  - 'mail.unkin.net'
+stalwart::postfix_relay_host: 'out-mta.main.unkin.net'
+stalwart::service_hostname: 'mail.main.unkin.net'
+stalwart::manage_dns_records: false
+
+## With load balancer:
+#stalwart::manage_dns_records: true
+#stalwart::loadbalancer_host: 'mail-lb.example.com'

hieradata/roles/infra/mail/gateway.yaml

@@ -1,15 +1,21 @@
 ---
+
 # additional altnames
 profiles::pki::vault::alt_names:
   - in-mta.main.unkin.net
 
-# gateway-specific postfix configuration
+# base postfix configuration (passed to postfix class)
+postfix::relayhost: 'direct'
+postfix::myorigin: 'main.unkin.net'
 postfix::mydestination: 'blank'
 postfix::mynetworks: '127.0.0.0/8 [::1]/128'
-postfix::smtp_listen: '0.0.0.0'
 postfix::mta: true
+postfix::manage_aliases: true
+
+# profile parameters for customization
 profiles::postfix::gateway::myhostname: 'in-mta.main.unkin.net'
 
+# postfix map content (templates)
 profiles::postfix::gateway::relay_recipients_maps:
   '@main.unkin.net': 'OK'
 
@@ -31,4 +37,16 @@ postfix::transports:
   'main.unkin.net':
     ensure: present
     destination: 'relay'
-    nexthop: 'ausyd1nxvm2120.main.unkin.net:25'
+    nexthop: 'mail-in.main.unkin.net:25'
+
+# postfix virtuals
+postfix::virtuals:
+  'root':
+    ensure: present
+    destination: 'ben@main.unkin.net'
+  'postmaster':
+    ensure: present
+    destination: 'ben@main.unkin.net'
+  'abuse':
+    ensure: present
+    destination: 'ben@main.unkin.net'

hieradata/roles/infra/metrics/vmagent.yaml

@@ -3,6 +3,16 @@ hiera_include:
   - vmcluster::vmagent
 
 vmcluster::vmagent::enable: true
+vmcluster::vmagent::static_targets:
+  vyos_node:
+    targets:
+      - '198.18.21.160:9100'
+    scrape_interval: '15s'
+    metrics_path: '/metrics'
+    scheme: 'http'
+    labels:
+      instance: 'syrtvm0001.main.unkin.net'
+      job: 'vyos_node'
 vmcluster::vmagent::options:
   tls: 'true'
   tlsCertFile: '/etc/pki/tls/vault/certificate.crt'

hieradata/roles/infra/nomad/agent.yaml

@@ -24,13 +24,8 @@ frrouting::ospfd_interfaces:
     area: 0.0.0.1
 
 profiles::yum::global::repos:
-  ceph-reef:
-    name: ceph-reef
-    descr: ceph reef repository
-    target: /etc/yum.repos.d/ceph-reef.repo
-    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
-    gpgcheck: 0,
-    mirrorlist: absent
+  ceph:
+    ensure: present
 
 profiles::ceph::client::keyrings:
   nomad:

hieradata/roles/infra/ovirt/engine.yaml

@@ -1,50 +1,18 @@
 ---
 profiles::yum::global::repos:
   centos_8_advanced_virtualization:
-    name: 'virt-advanced-virtualization'
-    descr: 'CentOS Advanced Virtualization'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
+    ensure: present
   centos_8_ceph_pacific:
-    name: 'storage-ceph-pacific'
-    descr: 'CentOS Ceph Pacific'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
+    ensure: present
   centos_8_rabbitmq_38:
-    name: 'messaging-rabbitmq-38'
-    descr: 'CentOS RabbitMQ 38'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
+    ensure: present
   centos_8_nfv_openvswitch:
-    name: 'nfv-openvswitch-2'
-    descr: 'CentOS NFV OpenvSwitch'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
+    ensure: present
   centos_8_openstack_xena:
-    name: 'cloud-openstack-xena'
-    descr: 'CentOS OpenStack Xena'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
+    ensure: present
   centos_8_opstools:
-    name: 'opstools-collectd-5'
-    descr: 'CentOS OpsTools - collectd'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
+    ensure: present
   centos_8_ovirt45:
-    name: 'virt-ovirt-45'
-    descr: 'CentOS oVirt 4.5'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
+    ensure: present
   centos_8_stream_gluster10:
-    name: 'storage-gluster-10'
-    descr: 'CentOS oVirt 4.5 - Glusterfs 10'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
+    ensure: present

hieradata/roles/infra/ovirt/node.yaml

@@ -9,50 +9,18 @@ sudo::purge_ignore:
 
 profiles::yum::global::repos:
   centos_8_advanced_virtualization:
-    name: 'virt-advanced-virtualization'
-    descr: 'CentOS Advanced Virtualization'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
+    ensure: present
   centos_8_ceph_pacific:
-    name: 'storage-ceph-pacific'
-    descr: 'CentOS Ceph Pacific'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
+    ensure: present
   centos_8_rabbitmq_38:
-    name: 'messaging-rabbitmq-38'
-    descr: 'CentOS RabbitMQ 38'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
+    ensure: present
   centos_8_nfv_openvswitch:
-    name: 'nfv-openvswitch-2'
-    descr: 'CentOS NFV OpenvSwitch'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
+    ensure: present
   centos_8_openstack_xena:
-    name: 'cloud-openstack-xena'
-    descr: 'CentOS OpenStack Xena'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
+    ensure: present
   centos_8_opstools:
-    name: 'opstools-collectd-5'
-    descr: 'CentOS OpsTools - collectd'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
+    ensure: present
   centos_8_ovirt45:
-    name: 'virt-ovirt-45'
-    descr: 'CentOS oVirt 4.5'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
+    ensure: present
   centos_8_stream_gluster10:
-    name: 'storage-gluster-10'
-    descr: 'CentOS oVirt 4.5 - Glusterfs 10'
-    target: /etc/yum.repos.d/ovirt.repo
-    baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10
-    gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
+    ensure: present

hieradata/roles/infra/puppetdb/sql.yaml

@@ -62,14 +62,6 @@ profiles::consul::client::node_rules:
 
 profiles::yum::global::repos:
   postgresql-17:
-    name: postgresql-17
-    descr: postgresql-17 repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/17-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/17-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
+    ensure: present
   postgresql-common:
-    name: postgresql-common
-    descr: postgresql-common repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
+    ensure: present

hieradata/roles/infra/reposync/syncer.yaml

@@ -3,90 +3,6 @@ profiles::packages::include:
   createrepo: {}
 
 profiles::reposync::repos_list:
-  almalinux_9.6_baseos:
-    repository: 'baseos'
-    description: 'AlmaLinux 9.6 BaseOS'
-    osname: 'almalinux'
-    release: '9.6'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/baseos'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.6_appstream:
-    repository: 'appstream'
-    description: 'AlmaLinux 9.6 AppStream'
-    osname: 'almalinux'
-    release: '9.6'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/appstream'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.6_crb:
-    repository: 'crb'
-    description: 'AlmaLinux 9.6 CRB'
-    osname: 'almalinux'
-    release: '9.6'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/crb'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.6_ha:
-    repository: 'ha'
-    description: 'AlmaLinux 9.6 HighAvailability'
-    osname: 'almalinux'
-    release: '9.6'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/highavailability'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9.6_extras:
-    repository: 'extras'
-    description: 'AlmaLinux 9.6 extras'
-    osname: 'almalinux'
-    release: '9.6'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/extras'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9_5_baseos:
-    repository: 'baseos'
-    description: 'AlmaLinux 9.5 BaseOS'
-    osname: 'almalinux'
-    release: '9.5'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9_5_appstream:
-    repository: 'appstream'
-    description: 'AlmaLinux 9.5 AppStream'
-    osname: 'almalinux'
-    release: '9.5'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9_5_crb:
-    repository: 'crb'
-    description: 'AlmaLinux 9.5 CRB'
-    osname: 'almalinux'
-    release: '9.5'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9_5_ha:
-    repository: 'ha'
-    description: 'AlmaLinux 9.5 HighAvailability'
-    osname: 'almalinux'
-    release: '9.5'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  almalinux_9_5_extras:
-    repository: 'extras'
-    description: 'AlmaLinux 9.5 extras'
-    osname: 'almalinux'
-    release: '9.5'
-    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
-    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
-  epel_8:
-    repository: 'everything'
-    description: 'EPEL8'
-    osname: 'epel'
-    release: '8'
-    mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
-    gpgkey: 'https://epel.mirror.digitalpacific.com.au/RPM-GPG-KEY-EPEL-8'
-  epel_9:
-    repository: 'everything'
-    description: 'EPEL9'
-    osname: 'epel'
-    release: '9'
-    mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-9&arch=x86_64'
-    gpgkey: 'https://epel.mirror.digitalpacific.com.au/RPM-GPG-KEY-EPEL-9'
   docker_stable_el8:
     repository: 'stable'
     description: 'Docker CE Stable EL8'
@@ -101,34 +17,6 @@ profiles::reposync::repos_list:
     release: 'el9'
     baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
     gpgkey: 'https://download.docker.com/linux/centos/gpg'
-  frr_stable_el8:
-    repository: 'stable'
-    description: 'FRR Stable EL8'
-    osname: 'frr'
-    release: 'el8'
-    baseurl: 'https://rpm.frrouting.org/repo/el8/frr/'
-    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
-  frr_extras_el8:
-    repository: 'extras'
-    description: 'FRR Extras EL8'
-    osname: 'frr'
-    release: 'el8'
-    baseurl: 'https://rpm.frrouting.org/repo/el8/extras/'
-    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
-  frr_stable_el9:
-    repository: 'stable'
-    description: 'FRR Stable EL9'
-    osname: 'frr'
-    release: 'el9'
-    baseurl: 'https://rpm.frrouting.org/repo/el9/frr/'
-    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
-  frr_extras_el9:
-    repository: 'extras'
-    description: 'FRR Extras el9'
-    osname: 'frr'
-    release: 'el9'
-    baseurl: 'https://rpm.frrouting.org/repo/el9/extras/'
-    gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
   k8s_1.32:
     repository: '1.32'
     description: 'Kubernetes 1.32'
@@ -143,62 +31,6 @@ profiles::reposync::repos_list:
     release: '1.33'
     baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/'
     gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/repodata/repomd.xml.key'
-  mariadb_11_8_el8:
-    repository: 'el8'
-    description: 'MariaDB 11.8'
-    osname: 'mariadb'
-    release: '11.8'
-    baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.8/rhel8-amd64/'
-    gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB'
-  mariadb_11_8_el9:
-    repository: 'el9'
-    description: 'MariaDB 11.8'
-    osname: 'mariadb'
-    release: '11.8'
-    baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.8/rhel9-amd64/'
-    gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB'
-  openvox7_el8:
-    repository: '8'
-    description: 'openvox 7 EL8'
-    osname: 'openvox7'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox7/el/8/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
-  openvox7_el9:
-    repository: '9'
-    description: 'openvox 7 EL9'
-    osname: 'openvox7'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox7/el/9/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
-  openvox7_el10:
-    repository: '10'
-    description: 'openvox 7 EL10'
-    osname: 'openvox7'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox7/el/10/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
-  openvox8_el8:
-    repository: '8'
-    description: 'openvox 8 EL8'
-    osname: 'openvox8'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox8/el/8/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
-  openvox8_el9:
-    repository: '9'
-    description: 'openvox 8 EL9'
-    osname: 'openvox8'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox8/el/9/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
-  openvox8_el10:
-    repository: '10'
-    description: 'openvox 8 EL10'
-    osname: 'openvox8'
-    release: 'el'
-    baseurl: 'https://yum.voxpupuli.org/openvox8/el/10/x86_64/'
-    gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
   puppet7_el8:
     repository: '8'
     description: 'Puppet 7 EL8'
@@ -227,76 +59,6 @@ profiles::reposync::repos_list:
     release: 'el'
     baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/'
     gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
-  postgresql_rhel8_common:
-    repository: 'common'
-    description: 'PostgreSQL Common RHEL 8'
-    osname: 'postgresql'
-    release: 'rhel8'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel9_common:
-    repository: 'common'
-    description: 'PostgreSQL Common RHEL 9'
-    osname: 'postgresql'
-    release: 'rhel9'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel8_15:
-    repository: '15'
-    description: 'PostgreSQL 15 RHEL 8'
-    osname: 'postgresql'
-    release: 'rhel8'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-8-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel9_15:
-    repository: '15'
-    description: 'PostgreSQL 15 RHEL 9'
-    osname: 'postgresql'
-    release: 'rhel9'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-9-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel8_16:
-    repository: '16'
-    description: 'PostgreSQL 16 RHEL 8'
-    osname: 'postgresql'
-    release: 'rhel8'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel9_16:
-    repository: '16'
-    description: 'PostgreSQL 16 RHEL 9'
-    osname: 'postgresql'
-    release: 'rhel9'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel8_17:
-    repository: '17'
-    description: 'PostgreSQL 17 RHEL 8'
-    osname: 'postgresql'
-    release: 'rhel8'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-8-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  postgresql_rhel9_17:
-    repository: '17'
-    description: 'PostgreSQL 17 RHEL 9'
-    osname: 'postgresql'
-    release: 'rhel9'
-    baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-9-x86_64/'
-    gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
-  rke2_common_el9:
-    repository: 'common'
-    description: 'RKE2 common RHEL 9'
-    osname: 'rke2'
-    release: "rhel9"
-    baseurl: "https://rpm.rancher.io/rke2/latest/common/centos/9/noarch"
-    gpgkey: "https://rpm.rancher.io/public.key"
-  rke2_1_33_el9:
-    repository: '1.33'
-    description: 'RKE2 1.33 RHEL 9'
-    osname: 'rke2'
-    release: "rhel9"
-    baseurl: "https://rpm.rancher.io/rke2/latest/1.33/centos/9/x86_64"
-    gpgkey: "https://rpm.rancher.io/public.key"
   zfs_dkms_rhel8:
     repository: 'dkms'
     description: 'ZFS DKMS RHEL 8'

hieradata/roles/infra/sql/patroni.yaml

@@ -1,17 +1,9 @@
 ---
 profiles::yum::global::repos:
   postgresql-15:
-    name: postgresql-15
-    descr: postgresql-15 repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
+    ensure: present
   postgresql-common:
-    name: postgresql-common
-    descr: postgresql-common repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
+    ensure: present
 
 profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
 profiles::sql::patroni::postgres_exporter_enabled: true

hieradata/roles/infra/sql/shared.yaml

@@ -47,14 +47,6 @@ profiles::consul::client::node_rules:
 
 profiles::yum::global::repos:
   postgresql-17:
-    name: postgresql-17
-    descr: postgresql-17 repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/17-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/17-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
+    ensure: present
   postgresql-common:
-    name: postgresql-common
-    descr: postgresql-common repository
-    target: /etc/yum.repos.d/postgresql.repo
-    baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
+    ensure: present

hieradata/roles/infra/storage/consul.yaml

@@ -29,6 +29,7 @@ profiles::consul::server::acl:
 profiles::pki::vault::alt_names:
   - consul.main.unkin.net
   - consul.service.consul
+  - "consul.service.%{facts.country}-%{facts.region}.consul"
   - consul
 
 # manage a simple nginx reverse proxy
@@ -38,6 +39,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
   - consul.main.unkin.net
 profiles::nginx::simpleproxy::proxy_port: 8500
 profiles::nginx::simpleproxy::proxy_path: '/'
+nginx::client_max_body_size: 512M
 
 # consul
 profiles::consul::client::node_rules:
@@ -134,19 +136,9 @@ frrouting::ospfd_interfaces:
 frrouting::daemons:
   ospfd: true
 
-# additional repos
+# additional repos - enable needed repositories
 profiles::yum::global::repos:
   frr-extras:
-    name: frr-extras
-    descr: frr-extras repository
-    target: /etc/yum.repos.d/frr-extras.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present
   frr-stable:
-    name: frr-stable
-    descr: frr-stable repository
-    target: /etc/yum.repos.d/frr-stable.repo
-    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
-    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
-    mirrorlist: absent
+    ensure: present

hieradata/roles/infra/storage/vault.yaml

@@ -2,10 +2,12 @@
 profiles::vault::server::members_role: roles::infra::storage::vault
 profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
+profiles::vault::server::plugin_dir: /opt/openbao-plugins
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
-vault::package_name: openbao
-vault::package_ensure: 2.4.1
+profiles::vault::server::package_name: openbao
+profiles::vault::server::package_ensure: 2.4.4
+profiles::vault::server::disable_openbao: false
 
 # additional altnames
 profiles::pki::vault::alt_names:
@@ -23,3 +25,6 @@ profiles::nginx::simpleproxy::proxy_scheme: 'http'
 profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
 profiles::nginx::simpleproxy::proxy_port: 8200
 profiles::nginx::simpleproxy::proxy_path: '/'
+
+profiles::packages::include:
+  openbao-plugins: {}

modules/externaldns/manifests/init.pp

@@ -0,0 +1,15 @@
+# ExternalDNS BIND module - automatically configures master or slave
+class externaldns (
+  Stdlib::Fqdn $bind_master_hostname,
+  Array[Stdlib::Fqdn] $k8s_zones = [],
+  Array[Stdlib::Fqdn] $slave_servers = [],
+  String $externaldns_key_secret = '',
+  String $externaldns_key_algorithm = 'hmac-sha256',
+) {
+
+  if $trusted['certname'] == $bind_master_hostname {
+    include externaldns::master
+  } else {
+    include externaldns::slave
+  }
+}

modules/externaldns/manifests/master.pp

@@ -0,0 +1,45 @@
+# ExternalDNS BIND master server class
+class externaldns::master inherits externaldns {
+
+  include bind
+
+  # Query PuppetDB for slave server IP addresses
+  $slave_ips = $externaldns::slave_servers.map |$fqdn| {
+    puppetdb_query("inventory[facts.networking.ip] { certname = '${fqdn}' }")[0]['facts.networking.ip']
+  }.filter |$ip| { $ip != undef }
+
+  # Create TSIG key for ExternalDNS authentication
+  bind::key { 'externaldns-key':
+    algorithm => $externaldns::externaldns_key_algorithm,
+    secret    => $externaldns::externaldns_key_secret,
+  }
+
+  # Create ACL for slave servers
+  if !empty($slave_ips) {
+    bind::acl { 'dns-slaves':
+      addresses => $slave_ips,
+    }
+  }
+
+  # Create master zones for each Kubernetes domain
+  $externaldns::k8s_zones.each |$zone| {
+    bind::zone { $zone:
+      zone_type       => 'master',
+      dynamic         => true,
+      allow_updates   => ['key externaldns-key'],
+      allow_transfers => empty($slave_ips) ? {
+        true  => [],
+        false => ['dns-slaves'],
+      },
+      ns_notify       => !empty($slave_ips),
+      also_notify     => $slave_ips,
+      dnssec          => false,
+    }
+  }
+
+  # Create default view to include the zones
+  bind::view { 'externaldns':
+    recursion => false,
+    zones     => $externaldns::k8s_zones,
+  }
+}

modules/externaldns/manifests/slave.pp

@@ -0,0 +1,36 @@
+# ExternalDNS BIND slave server class
+class externaldns::slave inherits externaldns {
+
+  include bind
+
+  # Query PuppetDB for master server IP address
+  $query = "inventory[facts.networking.ip] { certname = '${externaldns::bind_master_hostname}' }"
+  $master_ip = puppetdb_query($query)[0]['facts.networking.ip']
+
+  # Create TSIG key for zone transfers (same as master)
+  bind::key { 'externaldns-key':
+    algorithm => $externaldns::externaldns_key_algorithm,
+    secret    => $externaldns::externaldns_key_secret,
+  }
+
+  # Create ACL for master server
+  bind::acl { 'dns-master':
+    addresses => [$master_ip],
+  }
+
+  # Create slave zones for each Kubernetes domain
+  $externaldns::k8s_zones.each |$zone| {
+    bind::zone { $zone:
+      zone_type    => 'slave',
+      masters      => [$master_ip],
+      allow_notify => ['dns-master'],
+      ns_notify    => false,
+    }
+  }
+
+  # Create default view to include the zones
+  bind::view { 'externaldns':
+    recursion => false,
+    zones     => $externaldns::k8s_zones,
+  }
+}

modules/rke2/files/ingress-route-rancher.yaml

@@ -1,23 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: rancher
-  namespace: cattle-system
-  annotations:
-    kubernetes.io/ingress.class: nginx
-spec:
-  tls:
-    - hosts: [rancher.main.unkin.net]
-      secretName: tls-rancher
-  rules:
-    - host: rancher.main.unkin.net
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: rancher
-                port:
-                  number: 80

modules/rke2/files/purelb-config.yaml

@@ -1,45 +0,0 @@
-apiVersion: purelb.io/v1
-kind: LBNodeAgent
-metadata:
-  name: common
-  namespace: purelb
-spec:
-  local:
-    extlbint: kube-lb0
-    localint: default
-    sendgarp: false
----
-apiVersion: purelb.io/v1
-kind: LBNodeAgent
-metadata:
-  name: dmz
-  namespace: purelb
-spec:
-  local:
-    extlbint: kube-lb0
-    localint: default
-    sendgarp: false
----
-apiVersion: purelb.io/v1
-kind: ServiceGroup
-metadata:
-  name: dmz
-  namespace: purelb
-spec:
-  local:
-    v4pools:
-      - subnet: 198.18.199.0/24
-        pool: 198.18.199.0/24
-        aggregation: /32
----
-apiVersion: purelb.io/v1
-kind: ServiceGroup
-metadata:
-  name: common
-  namespace: purelb
-spec:
-  local:
-    v4pools:
-      - subnet: 198.18.200.0/24
-        pool: 198.18.200.0/24
-        aggregation: /32

modules/rke2/manifests/config.pp

@@ -68,30 +68,6 @@ class rke2::config (
   # on the controller nodes only
   if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
 
-    # wait for purelb helm to setup namespace
-    if 'purelb' in $facts['k8s_namespaces'] {
-      file {'/var/lib/rancher/rke2/server/manifests/purelb-config.yaml':
-        ensure  => file,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0644',
-        source  => 'puppet:///modules/rke2/purelb-config.yaml',
-        require => Service['rke2-server'],
-      }
-    }
-
-    # wait for rancher helm to setup namespace
-    if 'cattle-system' in $facts['k8s_namespaces'] {
-      file {'/var/lib/rancher/rke2/server/manifests/ingress-route-rancher.yaml':
-        ensure  => file,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0644',
-        source  => 'puppet:///modules/rke2/ingress-route-rancher.yaml',
-        require => Service['rke2-server'],
-      }
-    }
-
     # manage extra config config (these are not dependent on helm)
     $extra_config_files.each |$file| {
 

modules/rke2/manifests/helm.pp

@@ -38,44 +38,6 @@ class rke2::helm (
           }
         }
       }
-
-      # install specific helm charts to bootstrap environment
-      $plb_cmd = 'helm install purelb purelb/purelb \
-                  --create-namespace \
-                  --namespace=purelb \
-                  --repository-config /etc/helm/repositories.yaml'
-      exec { 'install_purelb':
-        command     => $plb_cmd,
-        path        => ['/usr/bin', '/bin'],
-        environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
-        unless      => 'helm list -n purelb | grep -q ^purelb',
-      }
-
-      $cm_cmd = 'helm install cert-manager jetstack/cert-manager \
-                  --namespace cert-manager \
-                  --create-namespace \
-                  --set crds.enabled=true \
-                  --repository-config /etc/helm/repositories.yaml'
-      exec { 'install_cert_manager':
-        command     => $cm_cmd,
-        path        => ['/usr/bin', '/bin'],
-        environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
-        unless      => 'helm list -n cert-manager | grep -q ^cert-manager',
-      }
-
-      $r_cmd = 'helm install rancher rancher-stable/rancher \
-                  --namespace cattle-system \
-                  --create-namespace \
-                  --set hostname=rancher.main.unkin.net \
-                  --set bootstrapPassword=admin \
-                  --set ingress.tls.source=secret \
-                  --repository-config /etc/helm/repositories.yaml'
-      exec { 'install_rancher':
-        command     => $r_cmd,
-        path        => ['/usr/bin', '/bin'],
-        environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
-        unless      => 'helm list -n cattle-system | grep -q ^rancher',
-      }
     }
   }
 }

modules/rke2/manifests/install.pp

@@ -30,7 +30,7 @@ class rke2::install (
   # download required archive of containers
   archive { '/var/lib/rancher/rke2/agent/images/rke2-images.linux-amd64.tar.zst':
     ensure  => present,
-    source  => "https://github.com/rancher/rke2/releases/download/v${rke2_version}%2B${rke2_release}/rke2-images.linux-amd64.tar.zst",
+    source  => "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/rancher/rke2/releases/download/v${rke2_version}%2B${rke2_release}/rke2-images.linux-amd64.tar.zst",
     require => [
       Package["rke2-${node_type}"],
       File['/var/lib/rancher/rke2/agent/images'],

modules/stalwart/README.md

@@ -0,0 +1,230 @@
+# Stalwart Mail Server Module
+
+This Puppet module manages Stalwart Mail Server, a modern, secure, and scalable mail server implementation that supports IMAP, JMAP, WebDAV, and SMTP protocols.
+
+## Overview
+
+The `stalwart` module provides a comprehensive solution for deploying Stalwart Mail Server in a clustered environment with:
+
+- **PostgreSQL backend** for data, full-text search, and in-memory storage
+- **S3/Ceph-RGW backend** for blob storage (emails, attachments, sieve scripts)
+- **Automatic cluster discovery** using `query_nodes()`
+- **DNS autodiscovery records** for email client configuration
+- **TLS certificate management** integration
+- **Postfix relay integration** for SMTP routing
+
+## Features
+
+- ✅ **Multi-node clustering** with peer-to-peer coordination
+- ✅ **PostgreSQL authentication** with SQL directory backend
+- ✅ **S3 blob storage** with compression support
+- ✅ **IMAP/IMAPS protocols** for email access
+- ✅ **HTTP/HTTPS protocols** for JMAP, WebDAV, and autodiscovery
+- ✅ **SMTP relay** for postfix integration
+- ✅ **DNS autodiscovery** record management
+- ✅ **Automatic role distribution** across cluster nodes
+- ✅ **TLS security** with Vault PKI integration
+
+## Requirements
+
+- **Puppet 6+** with `query_nodes()` function support
+- **Stalwart RPM package** (creates user, directories, systemd service)
+- **PostgreSQL cluster** for data storage
+- **S3-compatible storage** (Ceph-RGW, MinIO, AWS S3)
+- **DNS management** via `profiles::dns::record`
+- **PKI management** via `profiles::pki::vault::alt_names`
+
+## Usage
+
+### Recommended Usage with Role
+
+The recommended way to use this module is via the `roles::infra::mail::backend` role with hieradata configuration:
+
+```puppet
+include roles::infra::mail::backend
+```
+
+Configure all parameters in `hieradata/roles/infra/mail/backend.yaml` - see `examples/role-hieradata.yaml` for a complete example.
+
+### Direct Class Usage
+
+```puppet
+class { 'stalwart':
+  node_id             => 1,
+  cluster_role        => 'mail-backend',
+  postgresql_host     => 'pgsql.example.com',
+  postgresql_database => 'stalwart',
+  postgresql_user     => 'stalwart',
+  postgresql_password => Sensitive('secretpassword'),
+  s3_endpoint         => 'https://ceph-rgw.example.com',
+  s3_bucket           => 'stalwart-blobs',
+  s3_access_key       => 'accesskey',
+  s3_secret_key       => Sensitive('secretkey'),
+  domains             => ['example.com'],
+  postfix_relay_host  => 'postfix.example.com',
+}
+```
+
+## Hieradata Configuration
+
+See `examples/role-hieradata.yaml` for a complete example of role-based hieradata configuration.
+
+### Required Parameters
+
+```yaml
+# Cluster role for node discovery
+stalwart::cluster_role: 'mail-backend'
+
+# Optional: Unique node identifier (auto-calculated if not specified)
+# stalwart::node_id: 1
+
+# PostgreSQL connection
+stalwart::postgresql_host: 'pgsql.example.com'
+stalwart::postgresql_database: 'stalwart'
+stalwart::postgresql_user: 'stalwart'
+stalwart::postgresql_password: >
+  ENC[PKCS7,encrypted_password...]
+
+# S3/Ceph-RGW connection
+stalwart::s3_endpoint: 'https://ceph-rgw.example.com'
+stalwart::s3_bucket: 'stalwart-blobs'
+stalwart::s3_access_key: 'access_key'
+stalwart::s3_secret_key: >
+  ENC[PKCS7,encrypted_secret...]
+
+# Domains and relay
+stalwart::domains:
+  - 'example.com'
+stalwart::postfix_relay_host: 'postfix.example.com'
+```
+
+## Architecture
+
+### Cluster Setup
+
+The module automatically discovers cluster members using `query_nodes()` based on:
+- `enc_role` matching `cluster_role` parameter
+- `country` fact matching the node's country fact
+- `region` fact matching the node's region fact
+
+**Node ID Assignment:**
+- Node IDs are **automatically extracted** from the last 4 digits of the hostname
+- Example: `ausyd1nxvm1234` → node ID `1234`
+- Manual override available via `stalwart::node_id` parameter if needed
+- Hostname must end with 4 digits for automatic extraction to work
+- Ensures unique IDs when following consistent hostname patterns
+
+### Storage Layout
+
+- **Data Store**: PostgreSQL (metadata, folders, settings)
+- **Full-Text Search**: PostgreSQL (search indexes)
+- **In-Memory Store**: PostgreSQL (caching, sessions)
+- **Blob Store**: S3/Ceph-RGW (emails, attachments, files)
+
+### Directory Structure (Created by RPM)
+
+- **Config**: `/opt/stalwart/etc/config.toml`
+- **Data**: `/var/lib/stalwart/` (queue, reports)
+- **Logs**: `/var/log/stalwart/stalwart.log`
+- **Binary**: `/opt/stalwart/bin/stalwart`
+- **User**: `stalwart:stalwart` (system user)
+
+### Network Ports
+
+- **143**: IMAP (STARTTLS)
+- **993**: IMAPS (implicit TLS)
+- **443**: HTTPS (JMAP, WebDAV, autodiscovery)
+- **2525**: SMTP relay (postfix communication)
+- **11200**: Cluster coordination (peer-to-peer)
+- **9090**: Prometheus metrics
+
+### DNS Records
+
+When `manage_dns_records: true`, the module creates:
+- `autoconfig.domain.com` → server FQDN (Thunderbird)
+- `autodiscover.domain.com` → server FQDN (Outlook)
+- `_imap._tcp.domain.com` SRV record
+- `_imaps._tcp.domain.com` SRV record
+- `_caldav._tcp.domain.com` SRV record
+- `_carddav._tcp.domain.com` SRV record
+
+## PostgreSQL Schema
+
+The module expects these tables in the PostgreSQL database:
+
+```sql
+CREATE TABLE accounts (
+  name TEXT PRIMARY KEY,
+  secret TEXT,
+  description TEXT,
+  type TEXT NOT NULL,
+  quota INTEGER DEFAULT 0,
+  active BOOLEAN DEFAULT true
+);
+
+CREATE TABLE group_members (
+  name TEXT NOT NULL,
+  member_of TEXT NOT NULL,
+  PRIMARY KEY (name, member_of)
+);
+
+CREATE TABLE emails (
+  name TEXT NOT NULL,
+  address TEXT NOT NULL,
+  type TEXT,
+  PRIMARY KEY (name, address)
+);
+```
+
+## Security
+
+- **TLS required** for all connections
+- **PostgreSQL SSL** enabled by default
+- **S3 HTTPS** endpoints required
+- **Password hashing** supported (SHA512, BCRYPT, etc.)
+- **Certificate management** via Vault PKI
+
+### Fallback Administrator
+
+Stalwart includes a fallback administrator account for initial setup and emergency access:
+
+- **Default username**: `admin` (configurable via `stalwart::fallback_admin_user`)
+- **Default password**: `admin` (configurable via `stalwart::fallback_admin_password`)
+- **Purpose**: Initial server configuration and emergency access when directory services are unavailable
+- **Security**: Password is automatically hashed using SHA-512 crypt format
+
+**Important**: Change the default password in production by setting different hieradata values:
+
+```yaml
+stalwart::fallback_admin_password: "your-secure-password"
+```
+
+The fallback admin should only be used for initial setup and emergencies. Create regular admin accounts in PostgreSQL for day-to-day management.
+
+## Monitoring
+
+- **Prometheus metrics** on port 9090
+- **Log files** in `/var/log/stalwart/`
+- **Queue monitoring** in `/var/lib/stalwart/queue/`
+- **Service status** via systemd (`stalwart.service`)
+
+## Troubleshooting
+
+### Cluster Formation Issues
+- Verify `query_nodes()` returns expected nodes
+- Check `country` and `region` facts are consistent
+- Ensure `cluster_role` matches across all nodes
+
+### Storage Connection Issues
+- Test PostgreSQL connectivity and credentials
+- Verify S3 endpoint accessibility and credentials
+- Check network connectivity between nodes
+
+### TLS Certificate Issues
+- Ensure PKI alt_names include all required domains
+- Verify certificate paths exist and are readable
+- Check certificate expiration dates
+
+## License
+
+This module is part of the internal infrastructure management system.

modules/stalwart/examples/hieradata.yaml

@@ -0,0 +1,57 @@
+# Example hieradata for profiles::mail::stalwart
+# This shows the required and optional parameters for Stalwart configuration
+
+# Required: Unique node ID for each server in the cluster (1, 2, 3, etc.)
+profiles::mail::stalwart::node_id: 1
+
+# Required: Cluster role name for query_nodes() discovery
+profiles::mail::stalwart::cluster_role: 'mail-backend'
+
+# Required: PostgreSQL connection settings
+profiles::mail::stalwart::postgresql_host: 'pgsql.example.com'
+profiles::mail::stalwart::postgresql_port: 5432
+profiles::mail::stalwart::postgresql_database: 'stalwart'
+profiles::mail::stalwart::postgresql_user: 'stalwart'
+profiles::mail::stalwart::postgresql_password: >
+  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
+profiles::mail::stalwart::postgresql_ssl: true
+
+# Required: S3/Ceph-RGW connection settings
+profiles::mail::stalwart::s3_endpoint: 'https://ceph-rgw.example.com'
+profiles::mail::stalwart::s3_bucket: 'stalwart-blobs'
+profiles::mail::stalwart::s3_region: 'default'
+profiles::mail::stalwart::s3_access_key: 'stalwart_access_key'
+profiles::mail::stalwart::s3_secret_key: >
+  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
+profiles::mail::stalwart::s3_key_prefix: 'stalwart/'
+
+# Required: Domains this mail backend serves
+profiles::mail::stalwart::domains:
+  - 'example.com'
+  - 'mail.example.com'
+
+# Required: Postfix relay host for SMTP delivery
+profiles::mail::stalwart::postfix_relay_host: 'postfix.example.com'
+
+# Optional: Protocol configuration (defaults shown)
+profiles::mail::stalwart::enable_imap: true
+profiles::mail::stalwart::enable_imap_tls: true
+profiles::mail::stalwart::enable_http: true
+profiles::mail::stalwart::enable_smtp_relay: true
+
+# Optional: Management settings
+profiles::mail::stalwart::manage_dns_records: true
+profiles::mail::stalwart::log_level: 'info'
+
+# Optional: TLS certificate paths (defaults shown)
+profiles::mail::stalwart::tls_cert: '/etc/pki/tls/vault/certificate.crt'
+profiles::mail::stalwart::tls_key: '/etc/pki/tls/vault/private.key'
+
+# Example PKI alt_names configuration for TLS certificates
+# This should include all domains and hostnames that need certificates
+profiles::pki::vault::alt_names:
+  mail-backend:
+    - 'imap.example.com'
+    - 'mail.example.com'
+    - 'autoconfig.example.com'
+    - 'autodiscover.example.com'

modules/stalwart/examples/role-hieradata.yaml

@@ -0,0 +1,58 @@
+# Example hieradata for roles::infra::mail::backend
+# Place this in: hieradata/roles/infra/mail/backend.yaml
+
+# Stalwart module configuration - all parameters passed directly to the module
+# stalwart::node_id: 1234  # Optional - automatically extracted from last 4 digits of hostname
+stalwart::cluster_role: 'mail-backend'
+
+# PostgreSQL connection settings
+stalwart::postgresql_host: 'pgsql.example.com'
+stalwart::postgresql_port: 5432
+stalwart::postgresql_database: 'stalwart'
+stalwart::postgresql_user: 'stalwart'
+stalwart::postgresql_password: >
+  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
+stalwart::postgresql_ssl: true
+
+# S3/Ceph-RGW connection settings
+stalwart::s3_endpoint: 'https://ceph-rgw.example.com'
+stalwart::s3_bucket: 'stalwart-blobs'
+stalwart::s3_region: 'default'
+stalwart::s3_access_key: 'stalwart_access_key'
+stalwart::s3_secret_key: >
+  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
+stalwart::s3_key_prefix: 'stalwart/'
+
+# Domains this mail backend serves
+stalwart::domains:
+  - 'example.com'
+  - 'mail.example.com'
+
+# Postfix relay host for SMTP delivery
+stalwart::postfix_relay_host: 'postfix.example.com'
+
+# Optional protocol configuration (defaults shown)
+stalwart::enable_imap: true
+stalwart::enable_imap_tls: true
+stalwart::enable_http: true
+stalwart::enable_smtp_relay: true
+
+# Optional management settings
+stalwart::manage_dns_records: true
+stalwart::log_level: 'info'
+
+# Optional TLS certificate paths (defaults work with profiles::pki::vault)
+# stalwart::tls_cert: '/etc/pki/tls/vault/certificate.crt'
+# stalwart::tls_key: '/etc/pki/tls/vault/private.key'
+
+# Optional path overrides (RPM package sets up these defaults)
+# stalwart::config_dir: '/opt/stalwart/etc'
+# stalwart::data_dir: '/var/lib/stalwart'
+
+# PKI alt_names configuration for TLS certificates
+# This should include all domains and hostnames that need certificates
+profiles::pki::vault::alt_names:
+  - 'imap.example.com'
+  - 'mail.example.com'
+  - 'autoconfig.example.com'
+  - 'autodiscover.example.com'

modules/stalwart/manifests/config.pp

@@ -0,0 +1,84 @@
+# @summary Manages Stalwart Mail Server configuration
+#
+# @api private
+class stalwart::config {
+  assert_private()
+
+  # Create base directories (package creates user/group and base dirs)
+  file { [$stalwart::config_dir, $stalwart::data_dir, $stalwart::webadmin_unpack_path]:
+    ensure => directory,
+    owner  => 'stalwart',
+    group  => 'stalwart',
+    mode   => '0750',
+  }
+
+  # Ensure log directory exists
+  file { '/var/log/stalwart':
+    ensure => directory,
+    owner  => 'stalwart',
+    group  => 'stalwart',
+    mode   => '0755',
+  }
+
+  # Main configuration file
+  file { "${stalwart::config_dir}/config.toml":
+    ensure  => file,
+    owner   => 'stalwart',
+    group   => 'stalwart',
+    mode    => '0640',
+    content => epp('stalwart/config.toml.epp', {
+      'cluster_size'            => $stalwart::cluster_size,
+      'other_cluster_members'   => $stalwart::other_cluster_members,
+      'haproxy_ips'             => $stalwart::haproxy_ips,
+      'effective_node_id'       => $stalwart::effective_node_id,
+      'bind_address'            => $stalwart::bind_address,
+      'advertise_address'       => $stalwart::advertise_address,
+      'postgresql_host'         => $stalwart::postgresql_host,
+      'postgresql_port'         => $stalwart::postgresql_port,
+      'postgresql_database'     => $stalwart::postgresql_database,
+      'postgresql_user'         => $stalwart::postgresql_user,
+      'postgresql_password'     => $stalwart::postgresql_password.unwrap,
+      'postgresql_ssl'          => $stalwart::postgresql_ssl,
+      's3_endpoint'             => $stalwart::s3_endpoint,
+      's3_bucket'               => $stalwart::s3_bucket,
+      's3_region'               => $stalwart::s3_region,
+      's3_access_key'           => $stalwart::s3_access_key,
+      's3_secret_key'           => $stalwart::s3_secret_key.unwrap,
+      's3_key_prefix'           => $stalwart::s3_key_prefix,
+      'domains'                 => $stalwart::domains,
+      'postfix_relay_host'      => $stalwart::postfix_relay_host,
+      'enable_imap'             => $stalwart::enable_imap,
+      'enable_imap_tls'         => $stalwart::enable_imap_tls,
+      'enable_http'             => $stalwart::enable_http,
+      'enable_smtp_submission'  => $stalwart::enable_smtp_submission,
+      'data_dir'                => $stalwart::data_dir,
+      'tls_cert'                => $stalwart::tls_cert,
+      'tls_key'                 => $stalwart::tls_key,
+      'log_level'               => $stalwart::log_level,
+      'service_hostname'        => $stalwart::service_hostname,
+      'fallback_admin_user'     => $stalwart::fallback_admin_user,
+      'fallback_admin_password' => $stalwart::fallback_admin_password,
+      'webadmin_unpack_path'    => $stalwart::webadmin_unpack_path,
+      'webadmin_resource_url'   => $stalwart::webadmin_resource_url,
+      'webadmin_auto_update'    => $stalwart::webadmin_auto_update,
+      'node_facts'              => $facts,
+    }),
+    notify  => Service['stalwart'],
+  }
+
+  # Create directories for storage
+  file { "${stalwart::data_dir}/queue":
+    ensure => directory,
+    owner  => 'stalwart',
+    group  => 'stalwart',
+    mode   => '0750',
+  }
+
+  file { "${stalwart::data_dir}/reports":
+    ensure => directory,
+    owner  => 'stalwart',
+    group  => 'stalwart',
+    mode   => '0750',
+  }
+
+}

modules/stalwart/manifests/dns.pp

@@ -0,0 +1,67 @@
+# @summary Manages DNS autodiscovery records for Stalwart
+#
+# @param target_host
+#   FQDN to point DNS records to (defaults to current server)
+#
+# @api private
+class stalwart::dns (
+  Stdlib::Fqdn $target_host = $facts['networking']['fqdn'],
+) {
+  assert_private()
+
+  # Create autodiscovery DNS records for each domain
+  $stalwart::domains.each |$domain| {
+
+    # Autoconfig record for Thunderbird/Mozilla clients
+    profiles::dns::record { "autoconfig_${domain}":
+      record => "autoconfig.${domain}",
+      type   => 'CNAME',
+      value  => "${target_host}.",
+      zone   => $domain,
+      order  => 100,
+    }
+
+    # Autodiscover record for Outlook/Microsoft clients
+    profiles::dns::record { "autodiscover_${domain}":
+      record => "autodiscover.${domain}",
+      type   => 'CNAME',
+      value  => "${target_host}.",
+      zone   => $domain,
+      order  => 101,
+    }
+
+    # IMAP SRV records
+    profiles::dns::record { "imap_srv_${domain}":
+      record => "_imap._tcp.${domain}",
+      type   => 'SRV',
+      value  => "10 1 143 ${target_host}.",
+      zone   => $domain,
+      order  => 102,
+    }
+
+    profiles::dns::record { "imaps_srv_${domain}":
+      record => "_imaps._tcp.${domain}",
+      type   => 'SRV',
+      value  => "10 1 993 ${target_host}.",
+      zone   => $domain,
+      order  => 103,
+    }
+
+    # CalDAV and CardDAV SRV records
+    profiles::dns::record { "caldav_srv_${domain}":
+      record => "_caldav._tcp.${domain}",
+      type   => 'SRV',
+      value  => "10 1 443 ${target_host}.",
+      zone   => $domain,
+      order  => 104,
+    }
+
+    profiles::dns::record { "carddav_srv_${domain}":
+      record => "_carddav._tcp.${domain}",
+      type   => 'SRV',
+      value  => "10 1 443 ${target_host}.",
+      zone   => $domain,
+      order  => 105,
+    }
+  }
+}

modules/stalwart/manifests/init.pp

@@ -0,0 +1,245 @@
+# @summary Main class for managing Stalwart Mail Server
+#
+# This class provides a comprehensive setup of Stalwart Mail Server with
+# clustering, authentication, storage, and protocol support.
+#
+# @example Basic Stalwart setup
+#   class { 'stalwart':
+#     node_id                => 1,
+#     postgresql_host        => 'pgsql.example.com',
+#     postgresql_database    => 'stalwart',
+#     postgresql_user        => 'stalwart',
+#     postgresql_password    => Sensitive('secretpassword'),
+#     s3_endpoint            => 'https://ceph-rgw.example.com',
+#     s3_bucket              => 'stalwart-blobs',
+#     s3_access_key          => 'accesskey',
+#     s3_secret_key          => Sensitive('secretkey'),
+#     domains                => ['example.com'],
+#     postfix_relay_host     => 'postfix.example.com',
+#   }
+#
+# @param node_id
+#   Unique identifier for this node in the cluster (1-N). If not specified,
+#   automatically calculated based on sorted position in cluster member list.
+#
+# @param cluster_role
+#   Role name for cluster member discovery via query_nodes()
+#
+#
+# @param postgresql_host
+#   PostgreSQL server hostname/IP
+#
+# @param postgresql_port
+#   PostgreSQL server port
+#
+# @param postgresql_database
+#   PostgreSQL database name
+#
+# @param postgresql_user
+#   PostgreSQL username
+#
+# @param postgresql_password
+#   PostgreSQL password (Sensitive)
+#
+# @param postgresql_ssl
+#   Enable SSL/TLS for PostgreSQL connections
+#
+# @param s3_endpoint
+#   S3/Ceph-RGW endpoint URL
+#
+# @param s3_bucket
+#   S3 bucket name for blob storage
+#
+# @param s3_region
+#   S3 region
+#
+# @param s3_access_key
+#   S3 access key
+#
+# @param s3_secret_key
+#   S3 secret key (Sensitive)
+#
+# @param s3_key_prefix
+#   S3 key prefix for stalwart objects
+#
+# @param domains
+#   Array of domains this server handles
+#
+# @param postfix_relay_host
+#   Postfix relay host for SMTP delivery
+#
+# @param bind_address
+#   IP address to bind services to
+#
+# @param advertise_address
+#   IP address to advertise to cluster members
+#
+# @param enable_imap
+#   Enable IMAP protocol listener
+#
+# @param enable_imap_tls
+#   Enable IMAP over TLS listener
+#
+# @param enable_http
+#   Enable HTTP listener for JMAP/WebDAV/Autodiscovery
+#
+# @param enable_smtp_relay
+#   Enable SMTP for postfix relay communication
+#
+# @param enable_smtp_submission
+#   Enable SMTP submission listener on port 587
+#
+# @param haproxy_role
+#   Role name for HAProxy nodes to include in proxy trusted networks
+#
+# @param service_hostname
+#   Service hostname used for autoconfig/autodiscover and SMTP greeting
+#
+# @param package_ensure
+#   Package version to install
+#
+# @param config_dir
+#   Stalwart configuration directory
+#
+# @param data_dir
+#   Stalwart data directory
+#
+# @param log_level
+#   Logging verbosity level
+#
+# @param manage_firewall
+#   Whether to manage firewall rules
+#
+# @param tls_cert
+#   Path to TLS certificate file
+#
+# @param tls_key
+#   Path to TLS private key file
+#
+# @param manage_dns_records
+#   Whether to create DNS autodiscovery records
+#
+class stalwart (
+  String                    $cluster_role,
+  Stdlib::Host              $postgresql_host,
+  String                    $postgresql_database,
+  String                    $postgresql_user,
+  Sensitive[String]         $postgresql_password,
+  Stdlib::HTTPUrl           $s3_endpoint,
+  String                    $s3_bucket,
+  String                    $s3_access_key,
+  Sensitive[String]         $s3_secret_key,
+  Array[Stdlib::Fqdn]       $domains,
+  Stdlib::Host              $postfix_relay_host,
+  Optional[Integer]         $node_id                 = undef,
+  Stdlib::Port              $postgresql_port          = 5432,
+  Boolean                   $postgresql_ssl           = true,
+  String                    $s3_region               = 'us-east-1',
+  String                    $s3_key_prefix           = 'stalwart/',
+  Stdlib::IP::Address       $bind_address            = $facts['networking']['ip'],
+  Stdlib::IP::Address       $advertise_address       = $facts['networking']['ip'],
+  Boolean                   $enable_imap             = true,
+  Boolean                   $enable_imap_tls         = true,
+  Boolean                   $enable_http             = true,
+  Boolean                   $enable_smtp_relay       = true,
+  Boolean                   $enable_smtp_submission  = true,
+  String                    $haproxy_role            = 'roles::infra::halb::haproxy2',
+  Stdlib::Fqdn              $service_hostname        = $facts['networking']['fqdn'],
+  String                    $package_ensure          = 'present',
+  Stdlib::Absolutepath      $config_dir              = '/opt/stalwart/etc',
+  Stdlib::Absolutepath      $data_dir                = '/var/lib/stalwart',
+  Enum['error','warn','info','debug','trace'] $log_level = 'info',
+  Boolean                   $manage_firewall         = false,
+  Stdlib::Absolutepath      $tls_cert                = '/etc/pki/tls/vault/certificate.crt',
+  Stdlib::Absolutepath      $tls_key                 = '/etc/pki/tls/vault/private.key',
+  Boolean                   $manage_dns_records      = true,
+  Optional[Stdlib::Fqdn]    $loadbalancer_host       = undef,
+  String                    $fallback_admin_user     = 'admin',
+  Sensitive[String]         $fallback_admin_password = Sensitive('admin'),
+  Stdlib::Absolutepath      $webadmin_unpack_path    = "${data_dir}/webadmin",
+  Stdlib::HTTPUrl           $webadmin_resource_url   = 'https://github.com/stalwartlabs/webadmin/releases/latest/download/webadmin.zip',
+  Boolean                   $webadmin_auto_update    = true,
+) {
+
+  # Calculate node_id from last 4 digits of hostname if not provided
+  $my_fqdn = $facts['networking']['fqdn']
+  $hostname = $facts['networking']['hostname']
+
+  # Query cluster members for validation
+  $cluster_query = "enc_role='${cluster_role}' and country='${facts['country']}' and region='${facts['region']}'"
+  $cluster_members_raw = query_nodes($cluster_query, 'networking.fqdn')
+  $cluster_members = $cluster_members_raw ? {
+    undef   => [],
+    default => $cluster_members_raw,
+  }
+  $sorted_cluster_members = sort($cluster_members)
+
+  # Calculate cluster information for templates
+  $other_cluster_members = $sorted_cluster_members.filter |$member| { $member != $my_fqdn }
+  $cluster_size = length($sorted_cluster_members)
+
+  # Query HAProxy nodes for proxy trusted networks
+  $haproxy_query = "enc_role='${haproxy_role}' and country='${facts['country']}' and region='${facts['region']}'"
+  $haproxy_members_raw = query_nodes($haproxy_query, 'networking.ip')
+  $haproxy_ips = $haproxy_members_raw ? {
+    undef   => [],
+    default => sort($haproxy_members_raw),
+  }
+
+  # Extract last 4 digits from hostname (e.g., ausyd1nxvm1234 -> 1234)
+  if $hostname =~ /^.*(\d{4})$/ {
+    $hostname_digits = $1
+    $calculated_node_id = Integer($hostname_digits)
+  } else {
+    fail("Unable to extract 4-digit node ID from hostname '${hostname}'. Hostname must end with 4 digits or specify node_id manually.")
+  }
+
+  # Use provided node_id or calculated one
+  $effective_node_id = $node_id ? {
+    undef   => $calculated_node_id,
+    default => $node_id,
+  }
+
+  # Validate parameters
+  if $effective_node_id < 1 {
+    fail('node_id must be a positive integer')
+  }
+
+  if empty($domains) {
+    fail('At least one domain must be specified')
+  }
+
+  if !($my_fqdn in $sorted_cluster_members) {
+    fail("This node (${my_fqdn}) is not found in cluster members for role '${cluster_role}' in ${facts['country']}-${facts['region']}")
+  }
+
+
+  # Include sub-classes in dependency order
+  include stalwart::install
+  include stalwart::config
+  include stalwart::service
+
+  # Handle DNS records if requested
+  if $manage_dns_records {
+    if $loadbalancer_host {
+      # Only first node in cluster creates DNS records pointing to load balancer
+      if $my_fqdn == $sorted_cluster_members[0] {
+        class { 'stalwart::dns':
+          target_host => $loadbalancer_host,
+        }
+      }
+    } else {
+      # Current behavior: each server creates its own DNS records
+      include stalwart::dns
+    }
+  }
+
+  # Class ordering
+  Class['stalwart::install']
+  -> Class['stalwart::config']
+  -> Class['stalwart::service']
+
+  if $manage_dns_records {
+    Class['stalwart::service'] -> Class['stalwart::dns']
+  }
+}

modules/stalwart/manifests/install.pp

@@ -0,0 +1,11 @@
+# @summary Manages Stalwart Mail Server package installation
+#
+# @api private
+class stalwart::install {
+  assert_private()
+
+  # Install stalwart package (user/group created by package preinstall script)
+  package { 'stalwart':
+    ensure => $stalwart::package_ensure,
+  }
+}

modules/stalwart/manifests/service.pp

@@ -0,0 +1,26 @@
+# @summary Manages Stalwart Mail Server service
+#
+# @api private
+class stalwart::service {
+  assert_private()
+
+  # Service is installed by the RPM package
+  service { 'stalwart':
+    ensure    => running,
+    enable    => true,
+    subscribe => [
+      File[$stalwart::tls_cert],
+      File[$stalwart::tls_key],
+    ],
+  }
+
+  # Add capability to bind to privileged ports (143, 443, 993)
+  systemd::manage_dropin { 'bind-capabilities.conf':
+    ensure        => present,
+    unit          => 'stalwart.service',
+    service_entry => {
+      'AmbientCapabilities' => 'CAP_NET_BIND_SERVICE',
+    },
+    notify        => Service['stalwart'],
+  }
+}

modules/stalwart/templates/config.toml.epp

@@ -0,0 +1,296 @@
+# Stalwart Mail Server Configuration
+# Generated by Puppet - DO NOT EDIT MANUALLY
+
+[server]
+hostname = "<%= $service_hostname %>"
+greeting = "Stalwart ESMTP"
+
+[server.listener."smtp-relay"]
+bind = ["<%= $bind_address %>:25"]
+protocol = "smtp"
+greeting = "Stalwart SMTP Relay"
+
+<% if !$haproxy_ips.empty { -%>
+[server.listener."smtp-relay".proxy]
+trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
+<% } -%>
+
+<% if $enable_smtp_submission { -%>
+[server.listener."submission"]
+bind = ["<%= $bind_address %>:587"]
+protocol = "smtp"
+greeting = "Stalwart SMTP Submission"
+tls.require = true
+
+<% if !$haproxy_ips.empty { -%>
+[server.listener."submission".proxy]
+trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
+<% } -%>
+<% } -%>
+
+<% if $enable_imap { -%>
+[server.listener."imap"]
+bind = ["<%= $bind_address %>:143"]
+protocol = "imap"
+
+<% if !$haproxy_ips.empty { -%>
+[server.listener."imap".proxy]
+trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
+<% } -%>
+<% } -%>
+
+<% if $enable_imap_tls { -%>
+[server.listener."imaps"]
+bind = ["<%= $bind_address %>:993"]
+protocol = "imap"
+tls.implicit = true
+
+<% if !$haproxy_ips.empty { -%>
+[server.listener."imaps".proxy]
+trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
+<% } -%>
+<% } -%>
+
+<% if $enable_http { -%>
+[server.listener."https"]
+bind = ["<%= $bind_address %>:443"]
+protocol = "http"
+tls.implicit = true
+
+<% if !$haproxy_ips.empty { -%>
+[server.listener."https".proxy]
+trusted-networks = ["127.0.0.0/8", "::1"<% $haproxy_ips.each |$ip| { %>, "<%= $ip %>"<% } %>]
+<% } -%>
+<% } -%>
+
+[server.tls]
+enable = true
+implicit = false
+certificate = "default"
+
+
+[webadmin]
+path = "<%= $webadmin_unpack_path %>"
+auto-update = <%= $webadmin_auto_update %>
+resource = "<%= $webadmin_resource_url %>"
+
+# Cluster Configuration
+[cluster]
+node-id = <%= $effective_node_id %>
+
+<% if $cluster_size > 1 { -%>
+# Peer-to-peer coordination
+[cluster.coordinator]
+type = "peer-to-peer"
+addr = "<%= $bind_address %>:11200"
+advertise-addr = "<%= $advertise_address %>:11200"
+
+<% $other_cluster_members.each |$node| { -%>
+[[cluster.coordinator.peers]]
+addr = "<%= $node %>:11200"
+<% } -%>
+
+# Cluster roles for 3-node setup
+[cluster.roles.purge]
+stores = ["1", "2", "3"]
+accounts = ["1", "2"]
+
+[cluster.roles.acme]
+renew = ["1"]
+
+[cluster.roles.metrics]
+calculate = ["1", "2"]
+push = ["1"]
+
+[cluster.roles.push-notifications]
+push-notifications = ["1", "3"]
+
+[cluster.roles.fts-indexing]
+fts-indexing = ["2", "3"]
+
+[cluster.roles.bayes-training]
+bayes-training = ["1"]
+
+[cluster.roles.imip-processing]
+imip-processing = ["2"]
+
+[cluster.roles.calendar-alerts]
+calendar-alerts = ["3"]
+<% } -%>
+
+# Storage Configuration
+
+# PostgreSQL store for data, FTS, and in-memory
+[store."postgresql"]
+type = "postgresql"
+host = "<%= $postgresql_host %>"
+port = <%= $postgresql_port %>
+database = "<%= $postgresql_database %>"
+user = "<%= $postgresql_user %>"
+password = "<%= $postgresql_password %>"
+timeout = "15s"
+
+[store."postgresql".tls]
+enable = <%= $postgresql_ssl %>
+allow-invalid-certs = false
+
+[store."postgresql".pool]
+max-connections = 10
+
+[store."postgresql".purge]
+frequency = "0 3 *"
+
+# S3/Ceph-RGW store for blobs
+[store."s3"]
+type = "s3"
+bucket = "<%= $s3_bucket %>"
+region = "<%= $s3_region %>"
+access-key = "<%= $s3_access_key %>"
+secret-key = "<%= $s3_secret_key %>"
+endpoint = "<%= $s3_endpoint %>"
+timeout = "30s"
+key-prefix = "<%= $s3_key_prefix %>"
+compression = "lz4"
+
+[store."s3".purge]
+frequency = "30 5 *"
+
+# Storage assignment
+[storage]
+data = "postgresql"
+fts = "postgresql"
+blob = "s3"
+lookup = "postgresql"
+directory = "internal"
+in-memory = "postgresql"
+
+# Directory configuration
+[directory.internal]
+type = "internal"
+store = "postgresql"
+
+# Authentication configuration
+[authentication.fallback-admin]
+user = "<%= $fallback_admin_user %>"
+secret = "<%= pw_hash($fallback_admin_password.unwrap, 'SHA-512', 'stalwart') %>"
+
+[authentication]
+[authentication.directory]
+directories = ["internal"]
+
+# Authorization configuration
+[authorization]
+directory = "internal"
+
+# JMAP configuration
+[jmap]
+directory = "internal"
+
+[jmap.protocol]
+request-max-size = 10485760
+get.max-objects = 500
+query.max-results = 5000
+changes.max-results = 5000
+upload.max-size = 50000000
+upload.ttl = "1h"
+
+# IMAP configuration
+[imap]
+directory = "internal"
+
+[imap.protocol]
+max-requests = 64
+
+# Inbound rate limiting
+[[queue.limiter.inbound]]
+key = ["remote_ip"]
+rate = "500/1s"
+enable = true
+
+# SMTP configuration for postfix relay
+[session.data]
+pipe.command = "sendmail"
+pipe.arguments = ["-i", "-f", "{sender}", "{recipient}"]
+
+# Outbound SMTP configuration
+[queue]
+path = "<%= $data_dir %>/queue"
+
+[queue.schedule]
+retry = ["2s", "5s", "1m", "5m", "15m", "30m", "1h", "2h"]
+notify = ["1d", "3d"]
+expire = "5d"
+
+[session.extensions]
+future-release = "7d"
+
+# Relay configuration for postfix
+[remote."postfix"]
+address = "<%= $postfix_relay_host %>"
+port = 25
+protocol = "smtp"
+
+# HTTP configuration
+[server.http]
+use-x-forwarded = false
+permissive-cors = false
+
+# Disable spam filtering (handled by postfix)
+[session.ehlo]
+reject-non-fqdn = false
+
+[session.rcpt]
+type = "internal"
+store = "postgresql"
+max-recipients = 25
+
+[session.data]
+max-messages = 10
+max-message-size = 52428800
+
+# TLS configuration
+[certificate."default"]
+cert = "%{file:<%= $tls_cert %>}%"
+private-key = "%{file:<%= $tls_key %>}%"
+default = true
+
+# Logging configuration
+[tracer]
+type = "log"
+level = "<%= $log_level %>"
+ansi = false
+multiline = true
+
+[tracer.file]
+path = "/var/log/stalwart/stalwart.log"
+rotate = "daily"
+keep = 30
+
+# Report storage
+[report]
+path = "<%= $data_dir %>/reports"
+hash = "sha256"
+encrypt = false
+
+# Metrics configuration
+[metrics]
+prometheus.enable = true
+prometheus.port = 9090
+
+# Queue routing configuration
+[queue.strategy]
+route = [ { if = "is_local_domain('', rcpt_domain)", then = "'local'" },
+          { else = "'relay'" } ]
+
+[queue.route."local"]
+type = "local"
+
+[queue.route."relay"]
+type = "relay"
+address = "<%= $postfix_relay_host %>"
+port = 25
+protocol = "smtp"
+
+[queue.route."relay".tls]
+implicit = false
+allow-invalid-certs = false

modules/vmcluster/manifests/vmagent.pp

@@ -10,6 +10,7 @@ class vmcluster::vmagent (
   Stdlib::Absolutepath $vars_file = '/etc/default/vmagent',
   String  $consul_node_token      = $facts['consul_node_token'],
   Hash[String, Variant[String, Array[String]]] $options = {},
+  Hash[String, Hash] $static_targets = {},
 ) {
 
   # if enabled, manage this service

modules/vmcluster/templates/vmagent.scrape.yaml.erb

@@ -35,3 +35,28 @@ scrape_configs:
       - source_labels: [__meta_consul_tag_metrics_job]
         target_label: job
         action: replace
+
+<% if @static_targets -%>
+<% @static_targets.each do |job_name, config| -%>
+  - job_name: '<%= job_name %>'
+    static_configs:
+<% config['targets'].each do |target| -%>
+      - targets: ['<%= target %>']
+<% if config['labels'] -%>
+        labels:
+<% config['labels'].each do |label_name, label_value| -%>
+          <%= label_name %>: '<%= label_value %>'
+<% end -%>
+<% end -%>
+<% end -%>
+<% if config['scrape_interval'] -%>
+    scrape_interval: <%= config['scrape_interval'] %>
+<% end -%>
+<% if config['metrics_path'] -%>
+    metrics_path: <%= config['metrics_path'] %>
+<% end -%>
+<% if config['scheme'] -%>
+    scheme: <%= config['scheme'] %>
+<% end -%>
+<% end -%>
+<% end -%>

site/profiles/manifests/accounts/root.pp

@@ -1,12 +1,12 @@
 # manage the root user
 class profiles::accounts::root (
+  String $password,
   Optional[Array[String]] $sshkeys = undef,
 ) {
 
-  if $sshkeys {
-    accounts::user { 'root':
-      sshkeys => $sshkeys,
-    }
+  accounts::user { 'root':
+    sshkeys  => $sshkeys,
+    password => $password,
   }
 
   file {'/root/.config':

site/profiles/manifests/dovecot/server.pp

@@ -1,99 +0,0 @@
-class profiles::dovecot::server (
-  Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
-  Stdlib::Absolutepath $tls_key_file  = '/etc/pki/tls/vault/certificate.pem',
-  Stdlib::Absolutepath $tls_ca_file   = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
-  Stdlib::Absolutepath $maildir_path  = '/var/vmail',
-  String $maildir_var                 = '%d/%n',
-  String $hostname                    = $trusted['certname'],
-  Array[String] $listen               = ['*', '::'],
-  Array[String] $protocols            = ['imap'],
-) {
-
-  # Ensure the maildata directory exists
-  file { $maildir_path:
-    ensure => directory,
-    owner  => 'vmail',
-    group  => 'vmail',
-    mode   => '0755',
-  }
-
-  # Create vmail user for dovecot
-  user { 'vmail':
-    ensure     => present,
-    uid        => 5000,
-    gid        => 5000,
-    home       => $maildir_path,
-    shell      => '/usr/sbin/nologin',
-    managehome => false,
-    system     => true,
-  }
-
-  group { 'vmail':
-    ensure => present,
-    gid    => 5000,
-    system => true,
-  }
-
-  # Main dovecot configuration
-  $main_config = {
-    values => {
-      'listen'                    => join($listen, ', '),
-      'protocols'                 => join($protocols, ' '),
-      'default_login_user'        => 'vmail',
-      'default_internal_user'     => 'vmail',
-      'first_valid_uid'           => '5000',
-      'last_valid_uid'            => '5000',
-      'first_valid_gid'           => '5000',
-      'last_valid_gid'            => '5000',
-      'mail_uid'                  => 'vmail',
-      'mail_gid'                  => 'vmail',
-      'mail_location'             => "maildir:${maildir_path}/${maildir_var}/Maildir",
-      'login_trusted_networks'    => '10.0.0.0/8 127.0.0.0/8 [::1]/128',
-      'disable_plaintext_auth'    => 'no',
-      'auth_mechanisms'           => 'cram-md5 plain login',
-      'ssl'                       => 'required',
-      'ssl_cert'                  => $tls_cert_file,
-      'ssl_key'                   => $tls_key_file,
-      'ssl_ca'                    => $tls_ca_file,
-      'ssl_min_protocol'          => 'TLSv1.2',
-      'ssl_cipher_list'           => join([
-        'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES',
-        'ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
-      ], ':'),
-      'ssl_prefer_server_ciphers' => 'yes',
-    },
-    sections => [
-      {
-        name   => 'passdb',
-        values => {
-          'driver' => 'passwd-file',
-          'args'   => 'scheme=CRAM-MD5 username_format=%u /etc/dovecot/users',
-        },
-      },
-      {
-        name   => 'userdb',
-        values => {
-          'driver' => 'static',
-          'args'   => "uid=vmail gid=vmail home=${maildir_path}/${maildir_var}",
-        },
-      },
-    ],
-  }
-
-
-  #  # Postfix smtp-auth
-  #  unix_listener /var/spool/postfix/private/auth {
-  #    mode = 0666
-  #    user = postfix
-  #    group = postfix
-  #  }
-
-
-  # Configure dovecot
-  class { 'dovecot':
-    main_config        => $main_config,
-    include_sysdefault => false,
-    require            => [User['vmail'], Group['vmail'], File[$maildir_path]],
-  }
-
-}

site/profiles/manifests/gitea/runner.pp

@@ -1,13 +1,12 @@
 # profiles::gitea::init
 class profiles::gitea::runner (
   String $registration_token,
-  Stdlib::HTTPSUrl $source,
   String $user = 'runner',
   String $group = 'runner',
   Stdlib::Absolutepath $home = '/data/runner',
   Hash $config = {},
   Stdlib::HTTPSUrl $instance = 'https://git.query.consul',
-  String $version = '0.2.10',
+  String $version = 'latest',
 ) {
 
   group { $group:
@@ -32,24 +31,27 @@ class profiles::gitea::runner (
     require => User[$user],
   }
 
-  archive { '/usr/local/bin/act_runner':
-    ensure  => present,
-    extract => false,
-    source  => $source,
-    creates => '/usr/local/bin/act_runner',
-    cleanup => true,
+  unless $version in ['latest', 'present'] {
+    # versionlock act
+    yum::versionlock{ 'act_runner':
+      ensure  => present,
+      version => $version,
+      before  => Package['act_runner'],
+    }
   }
 
+  # install act
+  package { 'act_runner':
+    ensure => $version,
+  }
+
+  # remove manually installed act_runner
   file { '/usr/local/bin/act_runner':
-    ensure  => 'file',
-    mode    => '0755',
-    owner   => 'root',
-    group   => 'root',
-    require => Archive['/usr/local/bin/act_runner'],
+    ensure => absent,
   }
 
-  exec {'register_act_runner':
-    command => "/usr/local/bin/act_runner register \
+  exec { 'register_act_runner':
+    command => "/usr/bin/act_runner register \
                 --no-interactive \
                 --instance ${instance} \
                 --token ${registration_token} \
@@ -60,12 +62,12 @@ class profiles::gitea::runner (
     user    => $user,
     group   => $group,
     require => [
-      File['/usr/local/bin/act_runner'],
+      Package['act_runner'],
       File["${home}/config.yaml"],
     ],
   }
 
-  systemd::unit_file {'act_runner.service':
+  systemd::unit_file { 'act_runner.service':
     enable  => true,
     active  => true,
     content => template('profiles/gitea/act_runner.service.erb'),

site/profiles/manifests/postfix/gateway.pp

@@ -47,24 +47,15 @@ class profiles::postfix::gateway (
     'permit_mynetworks',
     'reject_unauth_destination',
   ],
-  Hash[Stdlib::Fqdn, String] $smtp_tls_policy_maps = {},
+  Hash[String, String] $smtp_tls_policy_maps = {},
   Hash[String, String] $sender_canonical_maps = {},
-  Hash[Stdlib::Email, String] $sender_access_maps = {},
+  Hash[String, String] $sender_access_maps = {},
   Hash[String, String] $relay_recipients_maps = {},
-  Hash[Stdlib::Fqdn, String] $relay_domains_maps = {},
+  Hash[String, String] $relay_domains_maps = {},
   Hash[String, String] $recipient_canonical_maps = {},
-  Hash[Stdlib::Email, String] $recipient_access_maps = {},
-  Hash[Variant[Stdlib::IP::Address, Stdlib::IP::Address::CIDR], String] $postscreen_access_maps = {},
+  Hash[String, String] $recipient_access_maps = {},
+  Hash[String, String] $postscreen_access_maps = {},
   Hash[String, String] $helo_access_maps = {},
-  Hash[Stdlib::Email, String] $virtual_mailbox_maps = {},
-  Hash[Variant[Stdlib::Email, Pattern[/^@.+$/]], Stdlib::Email] $virtual_alias_maps = {},
-  # Dovecot integration
-  Boolean $enable_dovecot = false,
-  Array[Stdlib::Fqdn] $virtual_mailbox_domains = [],
-  String $virtual_uid_maps = 'static:5000',
-  String $virtual_gid_maps = 'static:5000',
-  Stdlib::Absolutepath $virtual_mailbox_base = '/var/vmail',
-  String $virtual_transport = 'dovecot',
 ) {
 
   $alias_maps_string = join($alias_maps, ', ')
@@ -290,7 +281,6 @@ class profiles::postfix::gateway (
     },
   }
 
-
   # Postfix maps (all using templates now)
   $postfix_maps = {
     'postscreen_access' => {
@@ -343,39 +333,6 @@ class profiles::postfix::gateway (
       'type'    => 'hash',
       'content' => template('profiles/postfix/gateway/smtp_tls_policy_maps.erb')
     },
-    'virtual_mailbox_maps' => {
-      'ensure'  => 'present',
-      'type'    => 'hash',
-      'content' => template('profiles/postfix/gateway/virtual_mailbox_maps.erb')
-    },
-    'virtual_alias_maps' => {
-      'ensure'  => 'present',
-      'type'    => 'hash',
-      'content' => template('profiles/postfix/gateway/virtual_alias_maps.erb')
-    },
-  }
-
-  if $enable_dovecot {
-    postfix::config {
-      'virtual_mailbox_domains': value => join($virtual_mailbox_domains, ', ');
-      'virtual_mailbox_maps':    value => 'hash:/etc/postfix/virtual_mailbox_maps';
-      'virtual_alias_maps':      value => 'hash:/etc/postfix/virtual_alias_maps';
-      'virtual_uid_maps':        value => $virtual_uid_maps;
-      'virtual_gid_maps':        value => $virtual_gid_maps;
-      'virtual_mailbox_base':    value => $virtual_mailbox_base;
-      'virtual_transport':       value => $virtual_transport;
-      'home_mailbox':            value => "${virtual_mailbox_base}/%d/%n/Maildir";
-    }
-  } else {
-    postfix::config {
-      'virtual_mailbox_domains': ensure => 'absent';
-      'virtual_mailbox_maps':    ensure => 'absent';
-      'virtual_uid_maps':        ensure => 'absent';
-      'virtual_gid_maps':        ensure => 'absent';
-      'virtual_mailbox_base':    ensure => 'absent';
-      'virtual_transport':       ensure => 'absent';
-      'home_mailbox':            ensure => 'absent';
-    }
   }
 
   # Merge base configs with postscreen configs

site/profiles/manifests/puppet/agent.pp

@@ -20,9 +20,9 @@ class profiles::puppet::agent (
   if $openvox_enable and $facts['os']['family'] == 'RedHat' {
     yumrepo { 'openvox':
       ensure  => 'present',
-      baseurl => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/",
+      baseurl => "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/openvox/openvox7/el/${facts['os']['release']['major']}/${facts['os']['architecture']}/",
       descr   => 'openvox repository',
-      gpgkey  => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/GPG-KEY-openvox.pub",
+      gpgkey  => 'https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/openvox/GPG-KEY-openvox.pub',
       notify  => Exec['dnf_makecache'],
     }
   }else{

site/profiles/manifests/puppet/client.pp

@@ -13,6 +13,8 @@ class profiles::puppet::client (
   Boolean $show_diff          = true,
   Boolean $usecacheonfailure  = false,
   Integer $facts_soft_limit   = 4096,
+  Boolean $splay              = true,
+  Integer $splaylimit         = 600,
 ) {
 
   # dont manage puppet.conf if this is a puppetmaster

site/profiles/manifests/stalwart/haproxy.pp

@@ -0,0 +1,76 @@
+# enable external access via haproxy
+class profiles::stalwart::haproxy (
+  Boolean $enable = false,
+){
+
+  # webadmin
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
+    service => 'be_stalwart_webadmin',
+    ports   => [443],
+    options => [
+      "cookie ${facts['networking']['hostname']}",
+      'ssl',
+      'verify none',
+      'check',
+      'inter 2s',
+      'rise 3',
+      'fall 2',
+      'send-proxy-v2',
+    ]
+  }
+
+  # imap
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_143":
+    service => 'be_stalwart_imap',
+    ports   => [143],
+    options => [
+      'check',
+      'inter 3s',
+      'rise 2',
+      'fall 3',
+      'send-proxy-v2',
+    ]
+  }
+
+  # imaps
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_993":
+    service => 'be_stalwart_imaps',
+    ports   => [993],
+    options => [
+      'check',
+      'ssl',
+      'verify none',
+      'inter 3s',
+      'rise 2',
+      'fall 3',
+      'send-proxy-v2',
+    ]
+  }
+
+  # smtp
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_25":
+    service => 'be_stalwart_smtp',
+    ports   => [25],
+    options => [
+      'check',
+      'inter 3s',
+      'rise 2',
+      'fall 3',
+      'send-proxy-v2',
+    ]
+  }
+
+  # smtp submission
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_587":
+    service => 'be_stalwart_submission',
+    ports   => [587],
+    options => [
+      'check',
+      'inter 3s',
+      'rise 2',
+      'fall 3',
+      'send-proxy-v2',
+    ]
+  }
+
+}

site/profiles/manifests/vault/server.pp

@@ -6,11 +6,15 @@ class profiles::vault::server (
     Undef
   ]         $members_role   = undef,
   Array     $vault_servers  = [],
+  String        $package_name       = 'vault',
+  String        $package_ensure     = 'latest',
+  Boolean       $disable_openbao    = true,
   Boolean       $tls_disable        = false,
   Stdlib::Port  $client_port        = 8200,
   Stdlib::Port  $cluster_port       = 8201,
   Boolean   $manage_storage_dir     = false,
   Stdlib::Absolutepath $data_dir    = '/opt/vault',
+  Stdlib::Absolutepath $plugin_dir  = '/opt/vault_plugins',
   Stdlib::Absolutepath $bin_dir     = '/usr/bin',
   Stdlib::Absolutepath $ssl_crt     = '/etc/pki/tls/vault/certificate.crt',
   Stdlib::Absolutepath $ssl_key     = '/etc/pki/tls/vault/private.key',
@@ -51,7 +55,33 @@ class profiles::vault::server (
       }
     }
 
+    # cleanup openbao?
+    if $disable_openbao {
+      package {'openbao':
+        ensure => absent,
+        before => Class['vault']
+      }
+      package {'openbao-vault-compat':
+        ensure => absent,
+        before => [
+          Class['vault'],
+          Package['openbao']
+        ]
+      }
+    }
+
+    # add versionlock for package_name?
+    if $package_ensure != 'latest' {
+      yum::versionlock{$package_name:
+        ensure  => present,
+        version => $package_ensure,
+        before  => Class['vault']
+      }
+    }
+
     class { 'vault':
+      package_name       => $package_name,
+      package_ensure     => $package_ensure,
       manage_service     => false,
       manage_storage_dir => $manage_storage_dir,
       enable_ui          => true,
@@ -64,7 +94,8 @@ class profiles::vault::server (
       },
       api_addr           => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
       extra_config       => {
-        cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+        cluster_addr     => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+        plugin_directory => $plugin_dir,
       },
       listener           => [
         {

site/profiles/manifests/yum/global.pp

@@ -32,11 +32,14 @@ class profiles::yum::global (
       $key_url = $repo['gpgkey']
       $key_file = "/etc/pki/rpm-gpg/${name}-gpg-key"
 
-      exec { "download_gpg_key_${name}":
-        command => "curl -s -o ${key_file} ${key_url} && rpm --import ${key_file}",
-        path    => ['/bin', 'usr/bin'],
-        creates => $key_file,
-        before  => Yumrepo[$name],
+      # only download the key if the repo is present
+      if $repo['ensure'] == 'present' {
+        exec { "download_gpg_key_${name}":
+          command => "curl -s -o ${key_file} ${key_url} && rpm --import ${key_file}",
+          path    => ['/bin', 'usr/bin'],
+          creates => $key_file,
+          before  => Yumrepo[$name],
+        }
       }
     }
     # create the repo

site/profiles/templates/ceph/conf.erb

@@ -2,7 +2,7 @@
 <% @config.each do |section, settings| -%>
 [<%= section %>]
 <% settings.each do |key, value| -%>
-<%# Convert booleans and numbers to strings, leave strings untouched %>
+<%# Convert booleans and numbers to strings, leave strings untouched -%>
 <%= key %> = <%= value.is_a?(TrueClass) ? 'true' : value.is_a?(FalseClass) ? 'false' : value %>
 <% end -%>
 

site/profiles/templates/gitea/act_runner.service.erb

@@ -4,7 +4,7 @@ Documentation=https://gitea.com/gitea/act_runner
 After=docker.service
 
 [Service]
-ExecStart=/usr/local/bin/act_runner daemon --config <%= @home %>/config.yaml
+ExecStart=/usr/bin/act_runner daemon --config <%= @home %>/config.yaml
 ExecReload=/bin/kill -s HUP $MAINPID
 WorkingDirectory=<%= @home %>
 TimeoutSec=0

site/profiles/templates/postfix/gateway/virtual_alias_maps.erb

@@ -1,9 +0,0 @@
-# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
-#
-# Defines virtual alias mappings
-# Maps email addresses or patterns to target addresses
-# Format: alias@foo.net    real@corp.foo.net
-
-<% @virtual_alias_maps.each do |source, target| -%>
-<%= source %>       <%= target %>
-<% end -%>

site/profiles/templates/postfix/gateway/virtual_mailbox_maps.erb

@@ -1,9 +0,0 @@
-# FILE MANAGED BY PUPPET, CHANGES WILL BE REPLACED
-#
-# Defines virtual mailbox mappings for dovecot delivery
-# Maps email addresses to maildir paths
-# Format: user@domain    maildir/path/
-
-<% @virtual_mailbox_maps.each do |email, path| -%>
-<%= email %>       <%= path %>
-<% end -%>

site/profiles/templates/puppet/client/puppet.conf.erb

@@ -12,3 +12,5 @@ runtimeout = <%= @runtimeout %>
 show_diff = <%= @show_diff %>
 usecacheonfailure = <%= @usecacheonfailure %>
 number_of_facts_soft_limit = <%= @facts_soft_limit %>
+splay = <%= @splay %>
+splaylimit = <%= @splaylimit %>

site/roles/manifests/infra/dns/externaldns.pp

@@ -0,0 +1,11 @@
+# BIND server role for ExternalDNS integration
+class roles::infra::dns::externaldns {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  } else {
+    include profiles::defaults
+    include profiles::base
+    include externaldns
+  }
+}

site/roles/manifests/infra/mail/backend.pp

@@ -1,12 +1,15 @@
-# a role to deploy a imap/pop3 backend for mail services
+# roles::infra::mail::backend
+#
+# Configures Stalwart IMAP backend servers in a clustered configuration
+# with PostgreSQL for data/fts/memory storage and S3/Ceph-RGW for blob storage.
+# Integrates with postfix hosts for SMTP relay functionality.
+#
 class roles::infra::mail::backend {
   if $facts['firstrun'] {
     include profiles::defaults
     include profiles::firstrun::init
-  }else{
+  } else {
     include profiles::defaults
     include profiles::base
-    include profiles::dovecot::server
-    include profiles::postfix::gateway
   }
 }