Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 51e8fa7526 |
@@ -6,13 +6,3 @@ steps:
|
|||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
||||||
commands:
|
commands:
|
||||||
- uvx pre-commit run --all-files --config ci/bolt-validate.yaml
|
- uvx pre-commit run --all-files --config ci/bolt-validate.yaml
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
|
|||||||
@@ -6,13 +6,3 @@ steps:
|
|||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
||||||
commands:
|
commands:
|
||||||
- uvx pre-commit run --all-files --config ci/epp-validate.yaml
|
- uvx pre-commit run --all-files --config ci/epp-validate.yaml
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
|
|||||||
@@ -6,13 +6,3 @@ steps:
|
|||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
||||||
commands:
|
commands:
|
||||||
- uvx pre-commit run --all-files --config ci/erb-validate.yaml
|
- uvx pre-commit run --all-files --config ci/erb-validate.yaml
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
|
|||||||
@@ -6,13 +6,3 @@ steps:
|
|||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
||||||
commands:
|
commands:
|
||||||
- uvx pre-commit run --all-files --config ci/puppet-lint.yaml
|
- uvx pre-commit run --all-files --config ci/puppet-lint.yaml
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
|
|||||||
@@ -6,13 +6,3 @@ steps:
|
|||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
||||||
commands:
|
commands:
|
||||||
- uvx pre-commit run --all-files --config ci/puppet-validate.yaml
|
- uvx pre-commit run --all-files --config ci/puppet-validate.yaml
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 2
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 2
|
|
||||||
|
|||||||
@@ -6,13 +6,3 @@ steps:
|
|||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
||||||
commands:
|
commands:
|
||||||
- uvx pre-commit run --all-files --config ci/ruby-check.yaml
|
- uvx pre-commit run --all-files --config ci/ruby-check.yaml
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
|
|||||||
@@ -6,13 +6,3 @@ steps:
|
|||||||
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
|
||||||
commands:
|
commands:
|
||||||
- uvx pre-commit run --all-files --config ci/ruby-validate.yaml
|
- uvx pre-commit run --all-files --config ci/ruby-validate.yaml
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
|
|||||||
@@ -3,16 +3,6 @@ when:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: yamllint
|
- name: yamllint
|
||||||
image: git.unkin.net/unkin/almalinux9-base:20260606
|
image: git.unkin.net/unkin/almalinux9-base:20260317
|
||||||
commands:
|
commands:
|
||||||
- uvx pre-commit run --all-files --config ci/yamllint.yaml
|
- uvx pre-commit run --all-files --config ci/yamllint.yaml
|
||||||
backend_options:
|
|
||||||
kubernetes:
|
|
||||||
serviceAccountName: default
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 512Mi
|
|
||||||
cpu: 1
|
|
||||||
limits:
|
|
||||||
memory: 2Gi
|
|
||||||
cpu: 1
|
|
||||||
|
|||||||
@@ -53,6 +53,7 @@ mod 'saz-ssh', '13.1.0'
|
|||||||
mod 'saz-limits', '5.0.0'
|
mod 'saz-limits', '5.0.0'
|
||||||
mod 'ghoneycutt-timezone', '4.0.0'
|
mod 'ghoneycutt-timezone', '4.0.0'
|
||||||
mod 'ghoneycutt-puppet', '3.3.0'
|
mod 'ghoneycutt-puppet', '3.3.0'
|
||||||
|
mod 'dalen-puppetdbquery', '3.0.1'
|
||||||
mod 'markt-galera', '3.1.0'
|
mod 'markt-galera', '3.1.0'
|
||||||
mod 'kogitoapp-minio', '1.1.4'
|
mod 'kogitoapp-minio', '1.1.4'
|
||||||
mod 'broadinstitute-certs', '3.0.1'
|
mod 'broadinstitute-certs', '3.0.1'
|
||||||
|
|||||||
@@ -30,7 +30,6 @@ hierarchy:
|
|||||||
- "roles/%{::enc_role_tier1}.eyaml"
|
- "roles/%{::enc_role_tier1}.eyaml"
|
||||||
- "roles/%{::enc_role_tier1}.yaml"
|
- "roles/%{::enc_role_tier1}.yaml"
|
||||||
- "virtual/%{facts.virtual}.yaml"
|
- "virtual/%{facts.virtual}.yaml"
|
||||||
- "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.%{facts.os.release.minor}.yaml"
|
|
||||||
- "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
|
- "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
|
||||||
- "os/%{facts.os.name}/all_releases.yaml"
|
- "os/%{facts.os.name}/all_releases.yaml"
|
||||||
- "common.eyaml"
|
- "common.eyaml"
|
||||||
|
|||||||
@@ -1,7 +1,4 @@
|
|||||||
---
|
---
|
||||||
haproxy_server_k8s_syd1_traefik_internal: 'k8s-traefik-internal 198.18.200.4:443 ssl verify none check inter 2s rise 3 fall 2'
|
|
||||||
haproxy_server_k8s_syd1_traefik_external: 'k8s-traefik-external 198.18.199.0:443 ssl verify none check inter 2s rise 3 fall 2'
|
|
||||||
|
|
||||||
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
|
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
|
||||||
profiles::haproxy::dns::vrrp_cnames:
|
profiles::haproxy::dns::vrrp_cnames:
|
||||||
- sonarr.main.unkin.net
|
- sonarr.main.unkin.net
|
||||||
@@ -19,7 +16,6 @@ profiles::haproxy::dns::vrrp_cnames:
|
|||||||
- mail.main.unkin.net
|
- mail.main.unkin.net
|
||||||
- autoconfig.main.unkin.net
|
- autoconfig.main.unkin.net
|
||||||
- autodiscover.main.unkin.net
|
- autodiscover.main.unkin.net
|
||||||
- auth.unkin.net
|
|
||||||
|
|
||||||
profiles::haproxy::mappings:
|
profiles::haproxy::mappings:
|
||||||
fe_http:
|
fe_http:
|
||||||
@@ -41,7 +37,6 @@ profiles::haproxy::mappings:
|
|||||||
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'auth.unkin.net be_k8s_kanidm'
|
|
||||||
fe_https:
|
fe_https:
|
||||||
ensure: present
|
ensure: present
|
||||||
mappings:
|
mappings:
|
||||||
@@ -61,7 +56,6 @@ profiles::haproxy::mappings:
|
|||||||
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
||||||
- 'auth.unkin.net be_k8s_kanidm'
|
|
||||||
|
|
||||||
profiles::haproxy::frontends:
|
profiles::haproxy::frontends:
|
||||||
fe_http:
|
fe_http:
|
||||||
@@ -86,7 +80,6 @@ profiles::haproxy::frontends:
|
|||||||
- 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
|
- 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
|
||||||
- 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
|
- 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
|
||||||
- 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
|
- 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
|
||||||
- 'acl_kanidm req.hdr(host) -i auth.unkin.net'
|
|
||||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||||
use_backend:
|
use_backend:
|
||||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||||
@@ -106,7 +99,6 @@ profiles::haproxy::frontends:
|
|||||||
- 'set-header X-Frame-Options DENY if acl_grafana'
|
- 'set-header X-Frame-Options DENY if acl_grafana'
|
||||||
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
|
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
|
||||||
- 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
|
- 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
|
||||||
- 'set-header X-Frame-Options DENY if acl_kanidm'
|
|
||||||
- 'set-header X-Content-Type-Options nosniff'
|
- 'set-header X-Content-Type-Options nosniff'
|
||||||
- 'set-header X-XSS-Protection 1;mode=block'
|
- 'set-header X-XSS-Protection 1;mode=block'
|
||||||
|
|
||||||
@@ -328,26 +320,6 @@ profiles::haproxy::backends:
|
|||||||
- add-header X-Forwarded-Proto https if { dst_port 9443 }
|
- add-header X-Forwarded-Proto https if { dst_port 9443 }
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
redirect: 'scheme https if !{ ssl_fc }'
|
||||||
stick-table: 'type ip size 200k expire 30m'
|
stick-table: 'type ip size 200k expire 30m'
|
||||||
be_k8s_kanidm:
|
|
||||||
description: Backend for Kanidm (auth.unkin.net via Kubernetes internal Traefik)
|
|
||||||
collect_exported: false
|
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
http-check:
|
|
||||||
- 'connect ssl sni auth.unkin.net'
|
|
||||||
- 'send meth GET uri /status ver HTTP/1.1 hdr Host auth.unkin.net'
|
|
||||||
- 'expect status 200'
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
server: "%{lookup('haproxy_server_k8s_syd1_traefik_internal')} sni str(auth.unkin.net)"
|
|
||||||
be_stalwart_imap:
|
be_stalwart_imap:
|
||||||
description: Backend for Stalwart IMAP (STARTTLS)
|
description: Backend for Stalwart IMAP (STARTTLS)
|
||||||
collect_exported: false
|
collect_exported: false
|
||||||
@@ -421,7 +393,6 @@ profiles::haproxy::certlist::certificates:
|
|||||||
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
|
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
|
||||||
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
|
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
|
||||||
- /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
|
- /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
|
||||||
- /etc/pki/tls/letsencrypt/auth.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/vault/certificate.pem
|
- /etc/pki/tls/vault/certificate.pem
|
||||||
|
|
||||||
# additional altnames
|
# additional altnames
|
||||||
@@ -451,4 +422,3 @@ certbot::client::domains:
|
|||||||
- git.unkin.net
|
- git.unkin.net
|
||||||
- grafana.unkin.net
|
- grafana.unkin.net
|
||||||
- dashboard.ceph.unkin.net
|
- dashboard.ceph.unkin.net
|
||||||
- auth.unkin.net
|
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
|
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
|
||||||
---
|
---
|
||||||
crypto_policies::policy: 'DEFAULT'
|
crypto_policies::policy: 'DEFAULT'
|
||||||
almalinux-base-repo: almalinux
|
|
||||||
profiles::packages::include:
|
profiles::packages::include:
|
||||||
network-scripts: {}
|
network-scripts: {}
|
||||||
|
|
||||||
|
|||||||
@@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
almalinux-base-repo: almalinux-vault
|
|
||||||
@@ -1,7 +1,7 @@
|
|||||||
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
|
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
|
||||||
---
|
---
|
||||||
crypto_policies::policy: 'DEFAULT:SHA1'
|
crypto_policies::policy: 'DEFAULT:SHA1'
|
||||||
almalinux-base-repo: almalinux
|
|
||||||
profiles::yum::global::repos:
|
profiles::yum::global::repos:
|
||||||
crb:
|
crb:
|
||||||
ensure: present
|
ensure: present
|
||||||
|
|||||||
@@ -23,45 +23,45 @@ profiles::yum::global::repos:
|
|||||||
name: baseos
|
name: baseos
|
||||||
descr: baseos repository
|
descr: baseos repository
|
||||||
target: /etc/yum.repos.d/baseos.repo
|
target: /etc/yum.repos.d/baseos.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
extras:
|
extras:
|
||||||
name: extras
|
name: extras
|
||||||
descr: extras repository
|
descr: extras repository
|
||||||
target: /etc/yum.repos.d/extras.repo
|
target: /etc/yum.repos.d/extras.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
appstream:
|
appstream:
|
||||||
name: appstream
|
name: appstream
|
||||||
descr: appstream repository
|
descr: appstream repository
|
||||||
target: /etc/yum.repos.d/appstream.repo
|
target: /etc/yum.repos.d/appstream.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
highavailability:
|
highavailability:
|
||||||
name: highavailability
|
name: highavailability
|
||||||
descr: highavailability repository
|
descr: highavailability repository
|
||||||
target: /etc/yum.repos.d/highavailability.repo
|
target: /etc/yum.repos.d/highavailability.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
crb:
|
crb:
|
||||||
ensure: absent
|
ensure: absent
|
||||||
name: crb
|
name: crb
|
||||||
descr: crb repository
|
descr: crb repository
|
||||||
target: /etc/yum.repos.d/crb.repo
|
target: /etc/yum.repos.d/crb.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
powertools:
|
powertools:
|
||||||
ensure: absent
|
ensure: absent
|
||||||
name: powertools
|
name: powertools
|
||||||
descr: powertools repository
|
descr: powertools repository
|
||||||
target: /etc/yum.repos.d/powertools.repo
|
target: /etc/yum.repos.d/powertools.repo
|
||||||
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/
|
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/
|
||||||
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
epel:
|
epel:
|
||||||
name: epel
|
name: epel
|
||||||
|
|||||||
@@ -6,10 +6,8 @@ hiera_include:
|
|||||||
profiles::dns::resolver::acls:
|
profiles::dns::resolver::acls:
|
||||||
acl-main.unkin.net:
|
acl-main.unkin.net:
|
||||||
addresses:
|
addresses:
|
||||||
- 198.18.1.10/32
|
- 10.10.8.1/32
|
||||||
- 198.18.2.160/27
|
|
||||||
- 198.18.21.160/27
|
- 198.18.21.160/27
|
||||||
- 198.18.2.192/27
|
|
||||||
- 198.18.21.192/27
|
- 198.18.21.192/27
|
||||||
- 198.18.13.0/24
|
- 198.18.13.0/24
|
||||||
- 198.18.14.0/24
|
- 198.18.14.0/24
|
||||||
|
|||||||
@@ -82,14 +82,8 @@ profiles::sql::postgresdb::dbname: gitea
|
|||||||
profiles::sql::postgresdb::dbuser: gitea
|
profiles::sql::postgresdb::dbuser: gitea
|
||||||
|
|
||||||
# deploy gitea
|
# deploy gitea
|
||||||
gitea::base_url: 'https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/gitea-dl/gitea'
|
gitea::ensure: '1.22.4'
|
||||||
gitea::install::checksums:
|
gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
|
||||||
1.26.2:
|
|
||||||
linux:
|
|
||||||
amd64: 5b37937b625de69196748f7293eee1a7363f8637ae6e3da3c359bb380bd61a6a
|
|
||||||
|
|
||||||
gitea::ensure: '1.26.2'
|
|
||||||
gitea::checksum: '5b37937b625de69196748f7293eee1a7363f8637ae6e3da3c359bb380bd61a6a'
|
|
||||||
gitea::manage_user: false
|
gitea::manage_user: false
|
||||||
gitea::manage_group: false
|
gitea::manage_group: false
|
||||||
gitea::manage_home: false
|
gitea::manage_home: false
|
||||||
|
|||||||
@@ -5,10 +5,6 @@ hiera_include:
|
|||||||
- incus
|
- incus
|
||||||
- zfs
|
- zfs
|
||||||
- profiles::ceph::node
|
- profiles::ceph::node
|
||||||
- profiles::ceph::mon
|
|
||||||
- profiles::ceph::mgr
|
|
||||||
- profiles::ceph::mds
|
|
||||||
- profiles::ceph::osd
|
|
||||||
- profiles::ceph::client
|
- profiles::ceph::client
|
||||||
- profiles::ceph::dashboard
|
- profiles::ceph::dashboard
|
||||||
- profiles::storage::cephfsvols
|
- profiles::storage::cephfsvols
|
||||||
@@ -103,7 +99,7 @@ profiles::yum::global::repos:
|
|||||||
profiles::dns::base::primary_interface: loopback0
|
profiles::dns::base::primary_interface: loopback0
|
||||||
|
|
||||||
# dashboard/haproxy
|
# dashboard/haproxy
|
||||||
profiles::ceph::dashboard::ipaddress: "%{hiera('networking_loopback2_ip')}"
|
profiles::ceph::dashboard::ipaddress: "%{hiera('networking_loopback0_ip')}"
|
||||||
|
|
||||||
# networking
|
# networking
|
||||||
systemd::manage_networkd: true
|
systemd::manage_networkd: true
|
||||||
|
|||||||
@@ -2,7 +2,6 @@
|
|||||||
hiera_include:
|
hiera_include:
|
||||||
- profiles::selinux::setenforce
|
- profiles::selinux::setenforce
|
||||||
- profiles::ceph::node
|
- profiles::ceph::node
|
||||||
- profiles::ceph::osd
|
|
||||||
- profiles::ceph::client
|
- profiles::ceph::client
|
||||||
- exporters::frr_exporter
|
- exporters::frr_exporter
|
||||||
- frrouting
|
- frrouting
|
||||||
@@ -11,62 +10,6 @@ hiera_include:
|
|||||||
# manage rke2
|
# manage rke2
|
||||||
rke2::bootstrap_node: prodnxsr0001.main.unkin.net
|
rke2::bootstrap_node: prodnxsr0001.main.unkin.net
|
||||||
rke2::join_url: https://join-k8s.service.consul:9345
|
rke2::join_url: https://join-k8s.service.consul:9345
|
||||||
rke2::manage_registries: true
|
|
||||||
rke2::registries:
|
|
||||||
docker.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "dockerhub/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
ghcr.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "ghcr/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
quay.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "quay/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
registry.k8s.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "k8s-registry/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
registry.gitlab.com:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "gitlab/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
docker.elastic.co:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "elastic/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
gcr.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "gcr/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
docker.litellm.ai:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "litellm/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
public.ecr.aws:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "ecr-public/$1"
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
rke2::config_hash:
|
rke2::config_hash:
|
||||||
bind-address: "%{hiera('networking_loopback0_ip')}"
|
bind-address: "%{hiera('networking_loopback0_ip')}"
|
||||||
node-ip: "%{hiera('networking_loopback0_ip')}"
|
node-ip: "%{hiera('networking_loopback0_ip')}"
|
||||||
@@ -182,17 +125,6 @@ frrouting::ospf_exclude_k8s_enable: true
|
|||||||
frrouting::k8s_cluster_cidr: '10.42.0.0/16' # RKE2 cluster-cidr (pods)
|
frrouting::k8s_cluster_cidr: '10.42.0.0/16' # RKE2 cluster-cidr (pods)
|
||||||
frrouting::k8s_service_cidr: '10.43.0.0/16' # RKE2 service-cidr
|
frrouting::k8s_service_cidr: '10.43.0.0/16' # RKE2 service-cidr
|
||||||
|
|
||||||
# sysctl recommendations
|
|
||||||
sysctl::base::values:
|
|
||||||
net.ipv4.conf.default.rp_filter:
|
|
||||||
value: '0'
|
|
||||||
net.ipv4.conf.all.rp_filter:
|
|
||||||
value: '0'
|
|
||||||
fs.inotify.max_user_watches:
|
|
||||||
value: '524288'
|
|
||||||
fs.inotify.max_user_instances:
|
|
||||||
value: '512'
|
|
||||||
|
|
||||||
# add loopback interfaces to ssh list
|
# add loopback interfaces to ssh list
|
||||||
ssh::server::options:
|
ssh::server::options:
|
||||||
ListenAddress:
|
ListenAddress:
|
||||||
|
|||||||
@@ -11,7 +11,6 @@ profiles::metrics::grafana::db_name: "%{hiera('profiles::sql::postgresdb::dbname
|
|||||||
profiles::metrics::grafana::db_user: "%{hiera('profiles::sql::postgresdb::dbuser')}"
|
profiles::metrics::grafana::db_user: "%{hiera('profiles::sql::postgresdb::dbuser')}"
|
||||||
profiles::metrics::grafana::db_pass: "%{hiera('profiles::sql::postgresdb::dbpass')}"
|
profiles::metrics::grafana::db_pass: "%{hiera('profiles::sql::postgresdb::dbpass')}"
|
||||||
profiles::metrics::grafana::pgsql_backend: true
|
profiles::metrics::grafana::pgsql_backend: true
|
||||||
profiles::metrics::grafana::version: '13.0.2'
|
|
||||||
profiles::metrics::grafana::plugins:
|
profiles::metrics::grafana::plugins:
|
||||||
victoriametrics-logs-datasource:
|
victoriametrics-logs-datasource:
|
||||||
ensure: present
|
ensure: present
|
||||||
|
|||||||
@@ -16,4 +16,3 @@ certbot::domains:
|
|||||||
- git.unkin.net
|
- git.unkin.net
|
||||||
- grafana.unkin.net
|
- grafana.unkin.net
|
||||||
- dashboard.ceph.unkin.net
|
- dashboard.ceph.unkin.net
|
||||||
- auth.unkin.net
|
|
||||||
|
|||||||
@@ -26,7 +26,7 @@ profiles::puppet::cobbler_enc::packages:
|
|||||||
- 'requests'
|
- 'requests'
|
||||||
- 'PyYAML'
|
- 'PyYAML'
|
||||||
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
|
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
|
||||||
profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkin/puppet-r10k.git
|
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkin/puppet-r10k.git
|
||||||
profiles::puppet::g10k::bin_path: '/usr/bin/g10k'
|
profiles::puppet::g10k::bin_path: '/usr/bin/g10k'
|
||||||
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
|
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
|
||||||
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
|
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
|
||||||
|
|||||||
@@ -28,8 +28,8 @@ class externaldns::master inherits externaldns {
|
|||||||
dynamic => true,
|
dynamic => true,
|
||||||
allow_updates => ['key externaldns-key'],
|
allow_updates => ['key externaldns-key'],
|
||||||
allow_transfers => empty($slave_ips) ? {
|
allow_transfers => empty($slave_ips) ? {
|
||||||
true => ['key externaldns-key'],
|
true => [],
|
||||||
false => ['key externaldns-key','dns-slaves'],
|
false => ['dns-slaves'],
|
||||||
},
|
},
|
||||||
ns_notify => !empty($slave_ips),
|
ns_notify => !empty($slave_ips),
|
||||||
also_notify => $slave_ips,
|
also_notify => $slave_ips,
|
||||||
@@ -42,4 +42,4 @@ class externaldns::master inherits externaldns {
|
|||||||
recursion => false,
|
recursion => false,
|
||||||
zones => $externaldns::k8s_zones,
|
zones => $externaldns::k8s_zones,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -22,12 +22,7 @@ class incus::cluster (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -1,56 +0,0 @@
|
|||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
require 'facter'
|
|
||||||
|
|
||||||
# Detects active ceph service instances via systemctl and exposes facts
|
|
||||||
# for use in ceph service management profiles.
|
|
||||||
# rubocop:disable Style/ClassAndModuleChildren
|
|
||||||
module Unkin
|
|
||||||
module Ceph
|
|
||||||
# Detects active ceph service instances via systemctl and exposes Facter facts.
|
|
||||||
module Utils
|
|
||||||
TYPES = %w[mon mgr mds osd].freeze
|
|
||||||
|
|
||||||
def self.services
|
|
||||||
output = Facter::Core::Execution.execute(
|
|
||||||
'systemctl list-units "ceph*" --no-legend --plain --all 2>/dev/null',
|
|
||||||
on_fail: ''
|
|
||||||
)
|
|
||||||
parse_units(output)
|
|
||||||
end
|
|
||||||
|
|
||||||
def self.parse_units(output)
|
|
||||||
result = TYPES.each_with_object({}) { |type, hash| hash[type] = [] }
|
|
||||||
output.each_line do |line|
|
|
||||||
unit = line.split.first
|
|
||||||
next unless unit
|
|
||||||
|
|
||||||
match_unit(result, unit)
|
|
||||||
end
|
|
||||||
result
|
|
||||||
end
|
|
||||||
|
|
||||||
def self.match_unit(result, unit)
|
|
||||||
TYPES.each do |type|
|
|
||||||
match = unit.match(/\Aceph-#{type}@(.+)\.service\z/)
|
|
||||||
result[type] << "ceph-#{type}@#{match[1]}" if match
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
TYPES.each do |type|
|
|
||||||
define_singleton_method(:"#{type}?") { !services[type].empty? }
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
# rubocop:enable Style/ClassAndModuleChildren
|
|
||||||
|
|
||||||
Facter.add('ceph_services') do
|
|
||||||
setcode { Unkin::Ceph::Utils.services }
|
|
||||||
end
|
|
||||||
|
|
||||||
Unkin::Ceph::Utils::TYPES.each do |type|
|
|
||||||
Facter.add("is_ceph_#{type}") do
|
|
||||||
setcode { Unkin::Ceph::Utils.public_send(:"#{type}?") }
|
|
||||||
end
|
|
||||||
end
|
|
||||||
@@ -20,12 +20,7 @@ class redisha::redis (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${redisha_members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -23,12 +23,7 @@ class redisha::sentinel (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${redisha_members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -7,8 +7,6 @@ class rke2::config (
|
|||||||
Stdlib::Fqdn $bootstrap_node = $rke2::bootstrap_node,
|
Stdlib::Fqdn $bootstrap_node = $rke2::bootstrap_node,
|
||||||
String $node_token = $rke2::node_token,
|
String $node_token = $rke2::node_token,
|
||||||
Array[String[1]] $extra_config_files = $rke2::extra_config_files,
|
Array[String[1]] $extra_config_files = $rke2::extra_config_files,
|
||||||
Boolean $manage_registries = $rke2::manage_registries,
|
|
||||||
Hash $registries = $rke2::registries,
|
|
||||||
){
|
){
|
||||||
|
|
||||||
# if its not the bootstrap node, add join path to config
|
# if its not the bootstrap node, add join path to config
|
||||||
@@ -30,24 +28,6 @@ class rke2::config (
|
|||||||
$config = $config_hash
|
$config = $config_hash
|
||||||
}
|
}
|
||||||
|
|
||||||
if $manage_registries {
|
|
||||||
file { '/etc/rancher/rke2/registries.yaml':
|
|
||||||
ensure => file,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0644',
|
|
||||||
content => epp('rke2/registries.yaml.epp', { registries => $registries }),
|
|
||||||
require => Package["rke2-${node_type}"],
|
|
||||||
notify => Service["rke2-${node_type}"],
|
|
||||||
}
|
|
||||||
}else{
|
|
||||||
file { '/etc/rancher/rke2/registries.yaml':
|
|
||||||
ensure => absent,
|
|
||||||
require => Package["rke2-${node_type}"],
|
|
||||||
notify => Service["rke2-${node_type}"],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# create the config file
|
# create the config file
|
||||||
file { $config_file:
|
file { $config_file:
|
||||||
ensure => file,
|
ensure => file,
|
||||||
|
|||||||
@@ -12,8 +12,6 @@ class rke2 (
|
|||||||
Hash $helm_repos = $rke2::params::helm_repos,
|
Hash $helm_repos = $rke2::params::helm_repos,
|
||||||
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
|
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
|
||||||
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
|
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
|
||||||
Boolean $manage_registries = $rke2::params::manage_registries,
|
|
||||||
Hash $registries = $rke2::params::registries,
|
|
||||||
) inherits rke2::params {
|
) inherits rke2::params {
|
||||||
|
|
||||||
include rke2::install
|
include rke2::install
|
||||||
|
|||||||
@@ -12,6 +12,4 @@ class rke2::params (
|
|||||||
Hash $helm_repos = {},
|
Hash $helm_repos = {},
|
||||||
Array[String[1]] $extra_config_files = [],
|
Array[String[1]] $extra_config_files = [],
|
||||||
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
|
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
|
||||||
Boolean $manage_registries = false,
|
|
||||||
Hash $registries = {},
|
|
||||||
) {}
|
) {}
|
||||||
|
|||||||
@@ -1,20 +0,0 @@
|
|||||||
<%- | Hash $registries | -%>
|
|
||||||
---
|
|
||||||
# DO NOT MODIFY - MANAGED BY PUPPET
|
|
||||||
mirrors:
|
|
||||||
<%- $registries.each |$registry, $config| { -%>
|
|
||||||
<%= $registry %>:
|
|
||||||
endpoint:
|
|
||||||
<%- $config['endpoint'].each |$ep| { -%>
|
|
||||||
- "<%= $ep %>"
|
|
||||||
<%- } -%>
|
|
||||||
<%- if $config['rewrite'] { -%>
|
|
||||||
rewrite:
|
|
||||||
<%- $config['rewrite'].each |$pattern, $replacement| { -%>
|
|
||||||
"<%= $pattern %>": "<%= $replacement %>"
|
|
||||||
<%- } -%>
|
|
||||||
<%- } -%>
|
|
||||||
<%- if $config['disable-default-registry-endpoint'] { -%>
|
|
||||||
disable-default-registry-endpoint: true
|
|
||||||
<%- } -%>
|
|
||||||
<%- } -%>
|
|
||||||
@@ -167,13 +167,7 @@ class stalwart (
|
|||||||
|
|
||||||
# Query cluster members for validation
|
# Query cluster members for validation
|
||||||
$cluster_query = "enc_role='${cluster_role}' and country='${facts['country']}' and region='${facts['region']}'"
|
$cluster_query = "enc_role='${cluster_role}' and country='${facts['country']}' and region='${facts['region']}'"
|
||||||
$cluster_members_raw = puppetdb_query(
|
$cluster_members_raw = query_nodes($cluster_query, 'networking.fqdn')
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${cluster_role}' and
|
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] }
|
|
||||||
$cluster_members = $cluster_members_raw ? {
|
$cluster_members = $cluster_members_raw ? {
|
||||||
undef => [],
|
undef => [],
|
||||||
default => $cluster_members_raw,
|
default => $cluster_members_raw,
|
||||||
@@ -186,20 +180,7 @@ class stalwart (
|
|||||||
|
|
||||||
# Query HAProxy nodes for proxy trusted networks
|
# Query HAProxy nodes for proxy trusted networks
|
||||||
$haproxy_query = "enc_role='${haproxy_role}' and country='${facts['country']}' and region='${facts['region']}'"
|
$haproxy_query = "enc_role='${haproxy_role}' and country='${facts['country']}' and region='${facts['region']}'"
|
||||||
$haproxy_members_raw = puppetdb_query(
|
$haproxy_members_raw = query_nodes($haproxy_query, 'networking.ip')
|
||||||
"facts[certname,value] {
|
|
||||||
name = 'networking' and
|
|
||||||
certname in facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${haproxy_role}'
|
|
||||||
} and
|
|
||||||
certname in facts[certname] {
|
|
||||||
name = 'country' and value = '${facts['country']}'
|
|
||||||
} and
|
|
||||||
certname in facts[certname] {
|
|
||||||
name = 'region' and value = '${facts['region']}'
|
|
||||||
}
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['value']['ip'] }
|
|
||||||
$haproxy_ips = $haproxy_members_raw ? {
|
$haproxy_ips = $haproxy_members_raw ? {
|
||||||
undef => [],
|
undef => [],
|
||||||
default => sort($haproxy_members_raw),
|
default => sort($haproxy_members_raw),
|
||||||
|
|||||||
@@ -1,13 +0,0 @@
|
|||||||
class profiles::ceph::mds (
|
|
||||||
Boolean $ensure_running = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
if $ensure_running and $facts['is_ceph_mds'] {
|
|
||||||
$facts['ceph_services']['mds'].each |String $svc| {
|
|
||||||
service { $svc:
|
|
||||||
ensure => running,
|
|
||||||
enable => true,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
class profiles::ceph::mgr (
|
|
||||||
Boolean $ensure_running = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
if $ensure_running and $facts['is_ceph_mgr'] {
|
|
||||||
$facts['ceph_services']['mgr'].each |String $svc| {
|
|
||||||
service { $svc:
|
|
||||||
ensure => running,
|
|
||||||
enable => true,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
class profiles::ceph::mon (
|
|
||||||
Boolean $ensure_running = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
if $ensure_running and $facts['is_ceph_mon'] {
|
|
||||||
$facts['ceph_services']['mon'].each |String $svc| {
|
|
||||||
service { $svc:
|
|
||||||
ensure => running,
|
|
||||||
enable => true,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
class profiles::ceph::osd (
|
|
||||||
Boolean $ensure_running = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
if $ensure_running and $facts['is_ceph_osd'] {
|
|
||||||
$facts['ceph_services']['osd'].each |String $svc| {
|
|
||||||
service { $svc:
|
|
||||||
ensure => running,
|
|
||||||
enable => true,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -28,12 +28,7 @@ class profiles::consul::client (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${::facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -65,22 +65,12 @@ class profiles::consul::server (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${::facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
if $join_remote_regions {
|
if $join_remote_regions {
|
||||||
# get all nodes in the members_role for each other region
|
# get all nodes in the members_role for each other region
|
||||||
$region_to_servers = $remote_regions.reduce({}) |$memo, $region| {
|
$region_to_servers = $remote_regions.reduce({}) |$memo, $region| {
|
||||||
$servers = sort(puppetdb_query(
|
$servers = sort(query_nodes("enc_role='${members_role}' and region='${region}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${region}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
$memo + { $region => $servers }
|
$memo + { $region => $servers }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -18,28 +18,9 @@ class profiles::dns::base (
|
|||||||
$nameserver_array = $ns_role ? {
|
$nameserver_array = $ns_role ? {
|
||||||
undef => $nameservers,
|
undef => $nameservers,
|
||||||
default => $use_ns ? {
|
default => $use_ns ? {
|
||||||
'all' => puppetdb_query(
|
'all' => query_nodes("enc_role='${ns_role}'", 'networking.ip'),
|
||||||
"facts[certname,value] {
|
'region' => query_nodes("enc_role='${ns_role}' and region=${facts['region']}", 'networking.ip'),
|
||||||
name = 'networking' and
|
'country' => query_nodes("enc_role='${ns_role}' and country=${facts['country']}", 'networking.ip'),
|
||||||
certname in nodes[certname] { facts.enc_role = '${ns_role}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['value']['ip'] },
|
|
||||||
'region' => puppetdb_query(
|
|
||||||
"facts[certname,value] {
|
|
||||||
name = 'networking' and
|
|
||||||
certname in nodes[certname] {
|
|
||||||
facts.enc_role = '${ns_role}' and facts.region = '${facts['region']}'
|
|
||||||
}
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['value']['ip'] },
|
|
||||||
'country' => puppetdb_query(
|
|
||||||
"facts[certname,value] {
|
|
||||||
name = 'networking' and
|
|
||||||
certname in nodes[certname] {
|
|
||||||
facts.enc_role = '${ns_role}' and facts.country = '${facts['country']}'
|
|
||||||
}
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['value']['ip'] },
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -20,21 +20,9 @@ class profiles::dns::master (
|
|||||||
$nameservers_array = $ns_role ? {
|
$nameservers_array = $ns_role ? {
|
||||||
undef => [$facts['networking']['fqdn']],
|
undef => [$facts['networking']['fqdn']],
|
||||||
default => $use_ns ? {
|
default => $use_ns ? {
|
||||||
'all' => sort(puppetdb_query(
|
'all' => sort(query_nodes("enc_role='${ns_role}'", 'networking.fqdn')),
|
||||||
"facts[certname] { name = 'enc_role' and value = '${ns_role}' }"
|
'region' => sort(query_nodes("enc_role='${ns_role}' and region=${facts['region']}", 'networking.fqdn')),
|
||||||
).map |$fact| { $fact['certname'] }),
|
'country' => sort(query_nodes("enc_role='${ns_role}' and country=${facts['country']}", 'networking.fqdn')),
|
||||||
'region' => sort(puppetdb_query(
|
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${ns_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] }),
|
|
||||||
'country' => sort(puppetdb_query(
|
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${ns_role}' and
|
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] }),
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -44,9 +32,7 @@ class profiles::dns::master (
|
|||||||
$facts['networking']['fqdn'] => $facts['networking']['ip']
|
$facts['networking']['fqdn'] => $facts['networking']['ip']
|
||||||
},
|
},
|
||||||
default => $nameservers_array.reduce({}) |$acc, $fqdn| {
|
default => $nameservers_array.reduce({}) |$acc, $fqdn| {
|
||||||
$result = puppetdb_query(
|
$result = query_nodes("networking.fqdn='${fqdn}'", 'networking.ip')
|
||||||
"facts[certname,value] { name = 'networking' and certname = '${fqdn}' }"
|
|
||||||
).map |$fact| { $fact['value']['ip'] }
|
|
||||||
$ip = $result[0]
|
$ip = $result[0]
|
||||||
$acc + { "${fqdn}." => $ip }
|
$acc + { "${fqdn}." => $ip }
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -18,12 +18,7 @@ class profiles::etcd::node (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
@@ -36,7 +31,7 @@ class profiles::etcd::node (
|
|||||||
$initial_cluster = $servers_array.map |$fqdn| {
|
$initial_cluster = $servers_array.map |$fqdn| {
|
||||||
|
|
||||||
# lookup the ip address for the current fqdn
|
# lookup the ip address for the current fqdn
|
||||||
$ip = puppetdb_query("facts[certname,value] { name = 'networking' and certname = '${fqdn}' }").map |$fact| { $fact['value']['ip'] }[0]
|
$ip = query_nodes("networking.fqdn='${fqdn}'", 'networking.ip')[0]
|
||||||
|
|
||||||
# construct the string for this server
|
# construct the string for this server
|
||||||
"${fqdn}=https://${ip}:${peer_port}"
|
"${fqdn}=https://${ip}:${peer_port}"
|
||||||
|
|||||||
@@ -30,14 +30,13 @@ class profiles::haproxy::dns (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes(
|
||||||
"facts[certname] {
|
"enc_role='${facts['enc_role']}' and
|
||||||
name = 'enc_role' and value = '${facts['enc_role']}' and
|
country='${facts['country']}' and
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and
|
region='${facts['region']}' and
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' } and
|
environment='${facts['environment']}'",
|
||||||
certname in facts[certname] { name = 'environment' and value = '${facts['environment']}' }
|
'networking.fqdn'
|
||||||
}"
|
))
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# give enough time for a few hosts to be provisioned
|
# give enough time for a few hosts to be provisioned
|
||||||
if length($servers_array) >= 3 {
|
if length($servers_array) >= 3 {
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
# profiles::metrics::grafana
|
# profiles::metrics::grafana
|
||||||
class profiles::metrics::grafana (
|
class profiles::metrics::grafana (
|
||||||
String $ldap_bind_pass,
|
String $ldap_bind_pass,
|
||||||
String $version = 'installed',
|
|
||||||
Stdlib::Port $http_port = 8080,
|
Stdlib::Port $http_port = 8080,
|
||||||
String $app_mode = 'production',
|
String $app_mode = 'production',
|
||||||
Boolean $allow_sign_up = false,
|
Boolean $allow_sign_up = false,
|
||||||
@@ -108,7 +107,6 @@ class profiles::metrics::grafana (
|
|||||||
|
|
||||||
# deploy grafana
|
# deploy grafana
|
||||||
class { 'grafana':
|
class { 'grafana':
|
||||||
version => $version,
|
|
||||||
cfg => $cfg,
|
cfg => $cfg,
|
||||||
ldap_cfg => $ldap_cfg,
|
ldap_cfg => $ldap_cfg,
|
||||||
plugins => $plugins,
|
plugins => $plugins,
|
||||||
|
|||||||
@@ -98,15 +98,8 @@ class profiles::minio::server (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
#$servers_array = sort(puppetdb_query(
|
#$servers_array = sort(query_nodes("enc_role='${minio_members_role}'", 'networking.fqdn'))
|
||||||
# "facts[certname] { name = 'enc_role' and value = '${minio_members_role}' }"
|
$servers_array = sort(query_nodes("enc_role='${minio_members_role}' and minio_region='${minio_region}'", 'networking.fqdn'))
|
||||||
#).map |$fact| { $fact['certname'] })
|
|
||||||
$servers_array = sort(puppetdb_query(
|
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${minio_members_role}' and
|
|
||||||
certname in facts[certname] { name = 'minio_region' and value = '${minio_region}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -26,21 +26,9 @@ class profiles::ntp::client (
|
|||||||
$ntpserver_array = $ntp_role ? {
|
$ntpserver_array = $ntp_role ? {
|
||||||
undef => $peers,
|
undef => $peers,
|
||||||
default => $use_ntp ? {
|
default => $use_ntp ? {
|
||||||
'all' => puppetdb_query(
|
'all' => query_nodes("enc_role='${ntp_role}'", 'networking.fqdn'),
|
||||||
"facts[certname] { name = 'enc_role' and value = '${ntp_role}' }"
|
'region' => query_nodes("enc_role='${ntp_role}' and region=${facts['region']}", 'networking.fqdn'),
|
||||||
).map |$fact| { $fact['certname'] },
|
'country' => query_nodes("enc_role='${ntp_role}' and country=${facts['country']}", 'networking.fqdn'),
|
||||||
'region' => puppetdb_query(
|
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${ntp_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] },
|
|
||||||
'country' => puppetdb_query(
|
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${ntp_role}' and
|
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] },
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -24,13 +24,10 @@ class profiles::proxmox::clusterinit {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes(
|
||||||
"facts[certname] {
|
"enc_role='${membersrole}' and country='${facts['country']}' and region='${facts['region']}'",
|
||||||
name = 'enc_role' and value = '${membersrole}' and
|
'networking.fqdn'
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and
|
))
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
if ! $profiles::proxmox::params::pve_clusterinit_master {
|
if ! $profiles::proxmox::params::pve_clusterinit_master {
|
||||||
if !empty($servers_array) {
|
if !empty($servers_array) {
|
||||||
|
|||||||
@@ -11,14 +11,13 @@ class profiles::proxmox::clusterjoin {
|
|||||||
$root_password = $profiles::proxmox::params::root_password
|
$root_password = $profiles::proxmox::params::root_password
|
||||||
|
|
||||||
# query puppetdb for list of cluster members
|
# query puppetdb for list of cluster members
|
||||||
$members_array = sort(puppetdb_query(
|
$members_array = sort(query_nodes(
|
||||||
"facts[certname] {
|
"enc_role='${membersrole}' and \
|
||||||
name = 'enc_role' and value = '${membersrole}' and
|
country='${facts['country']}' and \
|
||||||
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and
|
region='${facts['region']}' and \
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' } and
|
pve_cluster.cluster_name='${clustername}'",
|
||||||
certname in facts[certname] { name = 'pve_cluster' and value.cluster_name = '${clustername}' }
|
'networking.fqdn'
|
||||||
}"
|
))
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# check if the pve kernerl is running
|
# check if the pve kernerl is running
|
||||||
if $facts['kernelrelease'] == $profiles::proxmox::params::pve_kernel_release {
|
if $facts['kernelrelease'] == $profiles::proxmox::params::pve_kernel_release {
|
||||||
|
|||||||
@@ -48,12 +48,7 @@ class profiles::sql::galera_member (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${galera_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${galera_members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -18,12 +18,7 @@ class profiles::sql::postgresdb (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
@@ -29,12 +29,7 @@ class profiles::vault::server (
|
|||||||
if $members_lookup and $members_role != undef {
|
if $members_lookup and $members_role != undef {
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(puppetdb_query(
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
||||||
"facts[certname] {
|
|
||||||
name = 'enc_role' and value = '${members_role}' and
|
|
||||||
certname in facts[certname] { name = 'region' and value = '${::facts['region']}' }
|
|
||||||
}"
|
|
||||||
).map |$fact| { $fact['certname'] })
|
|
||||||
|
|
||||||
# else use provided array from params
|
# else use provided array from params
|
||||||
}else{
|
}else{
|
||||||
|
|||||||
Reference in New Issue
Block a user