fix: ensure join-api is functioning (#434)

- consul was directing new rke2 control nodes to a dead join api
- add additional check to verify its responding (not just up)

Reviewed-on: #434

hieradata/common.eyaml

@@ -1,6 +1,6 @@
 ---
 profiles::accounts::sysadmin::password: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoS7GyofFaXBNTWU+GtSiz4eCX/9j/sh3fDDRgOgNv1qpcQ87ZlTTenbHo9lxeURxKQ2HVVt7IsrBo/SC/WgipAKnliRkkIvo7nfAs+i+kEE8wakjAs0DcB4mhqtIZRuBkLG2Nay//DcG6cltVkbKEEKmKLMkDFZgTWreOZal8nDljpVe1S8QwtwP4/6hKTef5xsOnrisxuffWTXvwYJhj/VXrjdoH7EhtHGLybzEalglkVHEGft/WrrD/0bwJpmR0RegWI4HTsSvGiHgvf5DZJx8fXPZNPnicGtlfA9ccQPuVo17bY4Qf/WIc1A8Ssv4kHSbNIYJKRymI3UFb0Z4wzBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBBxDLb6pCGbittkcX6asd/gEBmMcUNupDjSECq5H09YA70eVwWWe0fBqxTxrr2cXCXtRKFvOk8SJmL0xHAWodaLN9+krTWHJcWbAK8JXEPC7rn]
-profiles::accounts::root::password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAM79PRxeAZHrDcSm4eSFqU94/LjuSbdUmJWivX/Pa8GumoW2e/PT9nGHW3p98zHthMgCglk52PECQ+TBKjxr+9dTyNK5ePG6ZJEqSHNRqsPGm+kfQj/hlTmq8vOBaFM5GapD1iTHs5JFbGngI56swKBEVXW9+Z37BjQb2xJuyLsu5Bo/tA0BaOKuCtjq1a6E38bOX+nJ+YF1uZgV9ofAEh1YvkcTmnEWYXFRPWd7AaNcWn03V2pfhGqxc+xydak620I47P+FE+qIY72+aQ6tmLU3X9vyA1HLF2Tv572l4a2i+YIk6nAgQdi+hQKznqNL9M9YV+s1AcmcKLT7cfLrjsjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCMWrdCWBQgtW3NOEpERwP+gBA3KDiqe4pQq6DwRfsEXQNZ]
+profiles::accounts::root::password: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAIgzGQLoHrm7JSnWG4vdAtxSuETmnqbV7kUsQS8WCRUwFGenDFkps+OGMnOGEHLzMJzXihLfgfdWwTAI4fp48M+zhTMo9TQkdzZqtbFk3+RjV2jDF0wfe4kVUIpReOq+EkaDSkoRSG8V6hWvszhDHUrJBC9eDhomL0f3xNAWxmy5EIX/uMEvg9Ux5YX+E6k2pEIKnHNoVIaWDojlofSIzIqTSS7l3jQtJhs3YqBzLL1DsoF1kdn+Rwl5kcsKkhV+vzl76wEbpYVZW8lu4bFfP6QHMLPcep2tuUDMCDvARRXD7YyZcAtS7aMuqll+BLAszpWxAA7EU2hgvdr6t2uyVCTCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ4D5oDoyE6LPdjpVtGPoJD4BwfnQ9ORjYFPvHQmt+lgU4jMqh6BhqP0VN3lqVfUpOmiVMIqkO/cYtlwVLKEg36TPCHBSpqvhuahSF5saCVr8JY3xWOAmTSgnNjQOPlGrPnYWYbuRLxVRsU+KUkpAzR0c6VN0wYi6bI85Pcv8yHF3UYA==]
 profiles::consul::client::secret_id_salt: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAS7pNFRX4onccFaR87zB/eFFORuF22j6xqjyeAqqjgEduYhkt6w5kkz+YfUoHUesU0Q6F2p6HrCSZ8yAsx5M25NCiud9P4hIpjKmOZ4zCNO7uhATh4AQDYw3BrdRwfO+c6jOl5wOiNLCfDBJ0sFT3akCvcuPS1xIoRJq4Gyn+uCbOsMbvSl25ld2xKt1/cqs8gc1d8mkpjwWto7t+qZSUFMCehTbehH3G4a3Q5rvfBoNwv42Wbs676BDcCurDaAzHNqE7pDbOWhGuVOBl+q+BU0Ri/CRkGcTViN9fr8Dc9SveVC6EPsMbw+05/8/NlfzQse3KAwQ34nR9tR2PQw5qEzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB7LywscQtF7cG2nomfEsu9gDDVqJBFP1jAX2eGZ2crYS5gnBcsRwhc0HNo2/WWdhZprMW+vEJOOGXDelI53NxA3o0=]
 profiles::consul::token::node_editor::secret_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAO8IIF2r18dFf0bVKEwjJUe1TmXHH0AIzsQHxkHwV7d37kvH1cY9rYw0TtdHn7GTxvotJG7GZbWvbunpBs1g2p2RPADiM6TMhbO8mJ0tAWLnMk7bQ221xu8Pc7KceqWmU17dmgNhVCohyfwJNqbA756TlHVgxGA0LtNrKoLOmgKGXAL1VYZoKEQnWq7xOpO+z3e1UfjoO6CvX/Od2hGYfUkHdro8mwRw4GFKzU7XeKFdAMUGpn5rVmY3xe+1ARXwGFaSrTHzk2n85pvwhPRlQ+OwqzyT19Qo2FNeAO6RoCRIFTtqbsjTWPUlseHIhw4Q5bHO1I0Mrlm5IHDESw/22IzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCEe9wD72qxnpeq5nCi/d7BgDCP29sDFObkFTabt2uZ/nF9MT1g+QOrrdFKgnG6ThnwH1hwpZPsSVgIs+yRQH8laB4=]
 profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=]

hieradata/country/au/region/syd1.yaml

@@ -5,3 +5,5 @@ profiles_dns_upstream_forwarder_unkin:
   - 198.18.19.15
 profiles_dns_upstream_forwarder_consul:
   - 198.18.19.14
+profiles_dns_upstream_forwarder_k8s:
+  - 198.18.19.20

hieradata/roles/infra/ceph/rgw.yaml

@@ -38,7 +38,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
   - radosgw.service.au-syd1.consul
 profiles::nginx::simpleproxy::proxy_port: 7480
 profiles::nginx::simpleproxy::proxy_path: '/'
-nginx::client_max_body_size: 100M
+nginx::client_max_body_size: 5000M
 
 # manage consul service
 consul::services:

hieradata/roles/infra/dns/externaldns.eyaml

@@ -0,0 +1,2 @@
+---
+externaldns::externaldns_key_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEABqbZiK1NDTU+w2k7orz2HrB0EXwun7hn4pR6TeCHMp2IfrkPxlQT+f1J9c0PqJaAKvnyz+Cx0xNCrlnONqk+J57f48kYKYV+Vw+L0AYHYFj8/TizY5CwLpJS2XKyfRd4iEsWMonvfIYn71t3+YuXm4dkoEqGekW93qCr/KFtjAu0K3e+ypyl4EJqWokiUs7IbcSBNvrjUkP4yR8F/wHVKM1E5yfr+D1+nmMmt7Ob/J+am14492TppE2C7Xadg4us+kdYtuBsv9kTSi1GwwqUDjbeJVmfK3pKHjXdF+PI07AFLzo5bBZTJOzQfQ4SywpH8R5BDQoUCyHiaskB5wrmSDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB2LU9ZhefSg9PqqkwnfV65gDBvXuXco0moKCGjHqm5KcojWCK1BoS/+mltlr8kw9grZjN9jxHRLn1FjgBlq418c8w=]

hieradata/roles/infra/dns/externaldns.yaml

@@ -0,0 +1,65 @@
+---
+hiera_include:
+  - externaldns
+  - frrouting
+  - exporters::frr_exporter
+
+externaldns::bind_master_hostname: 'ausyd1nxvm2127.main.unkin.net'
+externaldns::k8s_zones:
+  - 'k8s.syd1.au.unkin.net'
+  - '200.18.198.in-addr.arpa'
+externaldns::slave_servers:
+  - 'ausyd1nxvm2128.main.unkin.net'
+  - 'ausyd1nxvm2129.main.unkin.net'
+externaldns::externaldns_key_algorithm: 'hmac-sha256'
+
+# networking
+anycast_ip: 198.18.19.20
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true
+  anycast0:
+    type: dummy
+    ipaddress: "%{hiera('anycast_ip')}"
+    netmask: 255.255.255.255
+    mtu: 1500
+
+# frrouting
+exporters::frr_exporter::enable: true
+frrouting::ospfd_router_id: "%{facts.networking.ip}"
+frrouting::ospfd_redistribute:
+  - connected
+frrouting::ospfd_interfaces:
+  eth0:
+    area: 0.0.0.0
+  anycast0:
+    area: 0.0.0.0
+frrouting::daemons:
+  ospfd: true
+
+# consul
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: frr_exporter
+    disposition: write
+
+# additional repos
+profiles::yum::global::repos:
+  frr-extras:
+    name: frr-extras
+    descr: frr-extras repository
+    target: /etc/yum.repos.d/frr-extras.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent
+  frr-stable:
+    name: frr-stable
+    descr: frr-stable repository
+    target: /etc/yum.repos.d/frr-stable.repo
+    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+    mirrorlist: absent

hieradata/roles/infra/dns/resolver.yaml

@@ -82,6 +82,11 @@ profiles::dns::resolver::zones:
       - 10.10.16.32
       - 10.10.16.33
     forward: 'only'
+  k8s.syd1.au.unkin.net-forward:
+    domain: 'k8s.syd1.au.unkin.net'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_k8s')}"
+    forward: 'only'
   unkin.net-forward:
     domain: 'unkin.net'
     zone_type: 'forward'
@@ -172,6 +177,11 @@ profiles::dns::resolver::zones:
     zone_type: 'forward'
     forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
     forward: 'only'
+  200.18.198.in-addr.arpa-forward:
+    domain: '200.18.198.in-addr.arpa'
+    zone_type: 'forward'
+    forwarders: "%{alias('profiles_dns_upstream_forwarder_k8s')}"
+    forward: 'only'
   consul-forward:
     domain: 'consul'
     zone_type: 'forward'
@@ -188,6 +198,7 @@ profiles::dns::resolver::views:
       - network.unkin.net-forward
       - prod.unkin.net-forward
       - consul-forward
+      - k8s.syd1.au.unkin.net-forward
       - 13.18.198.in-addr.arpa-forward
       - 14.18.198.in-addr.arpa-forward
       - 15.18.198.in-addr.arpa-forward

hieradata/roles/infra/git/runner.yaml

@@ -8,9 +8,9 @@ docker::version: latest
 docker::curl_ensure: false
 docker::root_dir: /data/docker
 
+profiles::gitea::runner::instance: https://git.unkin.net
 profiles::gitea::runner::home: /data/runner
-profiles::gitea::runner::version: '0.2.10'
+profiles::gitea::runner::version: '0.2.12'
-profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
 profiles::gitea::runner::config:
   log:
     level: info

hieradata/roles/infra/git/server.yaml

@@ -71,7 +71,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
 
 profiles::nginx::simpleproxy::proxy_port: 3000
 profiles::nginx::simpleproxy::proxy_path: '/'
-nginx::client_max_body_size: 1024M
+nginx::client_max_body_size: 5144M
 
 # enable external access via haproxy
 profiles::gitea::haproxy::enable: true

hieradata/roles/infra/k8s/control.yaml

@@ -58,6 +58,12 @@ consul::services:
         tcp: "%{hiera('networking_loopback0_ip')}:9345"
         interval: '10s'
         timeout: '1s'
+      - id: 'rke2_server_ping_check'
+        name: 'rke2 Server Ping Check'
+        http: "https://%{hiera('networking_loopback0_ip')}:9345/ping"
+        interval: '10s'
+        timeout: '3s'
+        tls_skip_verify: true
 profiles::consul::client::node_rules:
   - resource: service
     segment: api-k8s

hieradata/roles/infra/reposync/syncer.yaml

@@ -3,6 +3,41 @@ profiles::packages::include:
   createrepo: {}
 
 profiles::reposync::repos_list:
+  almalinux_9.7_baseos:
+    repository: 'baseos'
+    description: 'AlmaLinux 9.7 BaseOS'
+    osname: 'almalinux'
+    release: '9.7'
+    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/baseos'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9.7_appstream:
+    repository: 'appstream'
+    description: 'AlmaLinux 9.7 AppStream'
+    osname: 'almalinux'
+    release: '9.7'
+    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/appstream'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9.7_crb:
+    repository: 'crb'
+    description: 'AlmaLinux 9.7 CRB'
+    osname: 'almalinux'
+    release: '9.7'
+    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/crb'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9.7_ha:
+    repository: 'ha'
+    description: 'AlmaLinux 9.7 HighAvailability'
+    osname: 'almalinux'
+    release: '9.7'
+    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/highavailability'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
+  almalinux_9.7_extras:
+    repository: 'extras'
+    description: 'AlmaLinux 9.7 extras'
+    osname: 'almalinux'
+    release: '9.7'
+    mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/extras'
+    gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
   almalinux_9.6_baseos:
     repository: 'baseos'
     description: 'AlmaLinux 9.6 BaseOS'

modules/externaldns/manifests/init.pp

@@ -0,0 +1,15 @@
+# ExternalDNS BIND module - automatically configures master or slave
+class externaldns (
+  Stdlib::Fqdn $bind_master_hostname,
+  Array[Stdlib::Fqdn] $k8s_zones = [],
+  Array[Stdlib::Fqdn] $slave_servers = [],
+  String $externaldns_key_secret = '',
+  String $externaldns_key_algorithm = 'hmac-sha256',
+) {
+
+  if $trusted['certname'] == $bind_master_hostname {
+    include externaldns::master
+  } else {
+    include externaldns::slave
+  }
+}

modules/externaldns/manifests/master.pp

@@ -0,0 +1,45 @@
+# ExternalDNS BIND master server class
+class externaldns::master inherits externaldns {
+
+  include bind
+
+  # Query PuppetDB for slave server IP addresses
+  $slave_ips = $externaldns::slave_servers.map |$fqdn| {
+    puppetdb_query("inventory[facts.networking.ip] { certname = '${fqdn}' }")[0]['facts.networking.ip']
+  }.filter |$ip| { $ip != undef }
+
+  # Create TSIG key for ExternalDNS authentication
+  bind::key { 'externaldns-key':
+    algorithm => $externaldns::externaldns_key_algorithm,
+    secret    => $externaldns::externaldns_key_secret,
+  }
+
+  # Create ACL for slave servers
+  if !empty($slave_ips) {
+    bind::acl { 'dns-slaves':
+      addresses => $slave_ips,
+    }
+  }
+
+  # Create master zones for each Kubernetes domain
+  $externaldns::k8s_zones.each |$zone| {
+    bind::zone { $zone:
+      zone_type       => 'master',
+      dynamic         => true,
+      allow_updates   => ['key externaldns-key'],
+      allow_transfers => empty($slave_ips) ? {
+        true  => [],
+        false => ['dns-slaves'],
+      },
+      ns_notify       => !empty($slave_ips),
+      also_notify     => $slave_ips,
+      dnssec          => false,
+    }
+  }
+
+  # Create default view to include the zones
+  bind::view { 'externaldns':
+    recursion => false,
+    zones     => $externaldns::k8s_zones,
+  }
+}

modules/externaldns/manifests/slave.pp

@@ -0,0 +1,36 @@
+# ExternalDNS BIND slave server class
+class externaldns::slave inherits externaldns {
+
+  include bind
+
+  # Query PuppetDB for master server IP address
+  $query = "inventory[facts.networking.ip] { certname = '${externaldns::bind_master_hostname}' }"
+  $master_ip = puppetdb_query($query)[0]['facts.networking.ip']
+
+  # Create TSIG key for zone transfers (same as master)
+  bind::key { 'externaldns-key':
+    algorithm => $externaldns::externaldns_key_algorithm,
+    secret    => $externaldns::externaldns_key_secret,
+  }
+
+  # Create ACL for master server
+  bind::acl { 'dns-master':
+    addresses => [$master_ip],
+  }
+
+  # Create slave zones for each Kubernetes domain
+  $externaldns::k8s_zones.each |$zone| {
+    bind::zone { $zone:
+      zone_type    => 'slave',
+      masters      => [$master_ip],
+      allow_notify => ['dns-master'],
+      ns_notify    => false,
+    }
+  }
+
+  # Create default view to include the zones
+  bind::view { 'externaldns':
+    recursion => false,
+    zones     => $externaldns::k8s_zones,
+  }
+}

site/profiles/manifests/accounts/root.pp

@@ -1,12 +1,12 @@
 # manage the root user
 class profiles::accounts::root (
+  String $password,
   Optional[Array[String]] $sshkeys = undef,
 ) {
 
-  if $sshkeys {
   accounts::user { 'root':
     sshkeys  => $sshkeys,
-    }
+    password => $password,
   }
 
   file {'/root/.config':

site/profiles/manifests/gitea/runner.pp

@@ -1,13 +1,12 @@
 # profiles::gitea::init
 class profiles::gitea::runner (
   String $registration_token,
-  Stdlib::HTTPSUrl $source,
   String $user = 'runner',
   String $group = 'runner',
   Stdlib::Absolutepath $home = '/data/runner',
   Hash $config = {},
   Stdlib::HTTPSUrl $instance = 'https://git.query.consul',
-  String $version = '0.2.10',
+  String $version = 'latest',
 ) {
 
   group { $group:
@@ -32,24 +31,27 @@ class profiles::gitea::runner (
     require => User[$user],
   }
 
-  archive { '/usr/local/bin/act_runner':
+  unless $version in ['latest', 'present'] {
+    # versionlock act
+    yum::versionlock{ 'act_runner':
       ensure  => present,
-    extract => false,
+      version => $version,
-    source  => $source,
+      before  => Package['act_runner'],
-    creates => '/usr/local/bin/act_runner',
+    }
-    cleanup => true,
   }
 
+  # install act
+  package { 'act_runner':
+    ensure => $version,
+  }
+
+  # remove manually installed act_runner
   file { '/usr/local/bin/act_runner':
-    ensure  => 'file',
+    ensure => absent,
-    mode    => '0755',
-    owner   => 'root',
-    group   => 'root',
-    require => Archive['/usr/local/bin/act_runner'],
   }
 
   exec { 'register_act_runner':
-    command => "/usr/local/bin/act_runner register \
+    command => "/usr/bin/act_runner register \
                 --no-interactive \
                 --instance ${instance} \
                 --token ${registration_token} \
@@ -60,7 +62,7 @@ class profiles::gitea::runner (
     user    => $user,
     group   => $group,
     require => [
-      File['/usr/local/bin/act_runner'],
+      Package['act_runner'],
       File["${home}/config.yaml"],
     ],
   }

site/profiles/templates/gitea/act_runner.service.erb

@@ -4,7 +4,7 @@ Documentation=https://gitea.com/gitea/act_runner
 After=docker.service
 
 [Service]
-ExecStart=/usr/local/bin/act_runner daemon --config <%= @home %>/config.yaml
+ExecStart=/usr/bin/act_runner daemon --config <%= @home %>/config.yaml
 ExecReload=/bin/kill -s HUP $MAINPID
 WorkingDirectory=<%= @home %>
 TimeoutSec=0

site/roles/manifests/infra/dns/externaldns.pp

@@ -0,0 +1,11 @@
+# BIND server role for ExternalDNS integration
+class roles::infra::dns::externaldns {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  } else {
+    include profiles::defaults
+    include profiles::base
+    include externaldns
+  }
+}