1 Commits

Author SHA1 Message Date
unkinben e9c69e0586 chore: bump rke2 version
Build / precommit (pull_request) Successful in 4m45s
2026-01-17 01:48:06 +11:00
69 changed files with 502 additions and 900 deletions
+24
View File
@@ -0,0 +1,24 @@
name: Build
on:
pull_request:
jobs:
precommit:
runs-on: almalinux-8
container:
image: git.unkin.net/unkin/almalinux9-actionsdind:latest
options: --privileged
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install requirements
run: |
dnf groupinstall -y "Development Tools" -y
dnf install rubygems ruby-devel gcc make redhat-rpm-config glibc-headers glibc-devel -y
- name: Pre-Commit All Files
run: |
uvx pre-commit run --all-files
-18
View File
@@ -1,18 +0,0 @@
when:
- event: pull_request
steps:
- name: bolt-validate
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
commands:
- uvx pre-commit run --all-files --config ci/bolt-validate.yaml
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 1
-18
View File
@@ -1,18 +0,0 @@
when:
- event: pull_request
steps:
- name: epp-validate
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
commands:
- uvx pre-commit run --all-files --config ci/epp-validate.yaml
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 1
-18
View File
@@ -1,18 +0,0 @@
when:
- event: pull_request
steps:
- name: erb-validate
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
commands:
- uvx pre-commit run --all-files --config ci/erb-validate.yaml
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 1
-18
View File
@@ -1,18 +0,0 @@
when:
- event: pull_request
steps:
- name: puppet-lint
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
commands:
- uvx pre-commit run --all-files --config ci/puppet-lint.yaml
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 1
-18
View File
@@ -1,18 +0,0 @@
when:
- event: pull_request
steps:
- name: puppet-validate
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
commands:
- uvx pre-commit run --all-files --config ci/puppet-validate.yaml
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 2
limits:
memory: 2Gi
cpu: 2
-18
View File
@@ -1,18 +0,0 @@
when:
- event: pull_request
steps:
- name: ruby-check
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
commands:
- uvx pre-commit run --all-files --config ci/ruby-check.yaml
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 1
-18
View File
@@ -1,18 +0,0 @@
when:
- event: pull_request
steps:
- name: ruby-validate
image: git.unkin.net/unkin/almalinux9-puppet-pr-validator:20260317
commands:
- uvx pre-commit run --all-files --config ci/ruby-validate.yaml
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 1
-18
View File
@@ -1,18 +0,0 @@
when:
- event: pull_request
steps:
- name: yamllint
image: git.unkin.net/unkin/almalinux9-base:20260606
commands:
- uvx pre-commit run --all-files --config ci/yamllint.yaml
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 1
+2 -1
View File
@@ -53,6 +53,7 @@ mod 'saz-ssh', '13.1.0'
mod 'saz-limits', '5.0.0' mod 'saz-limits', '5.0.0'
mod 'ghoneycutt-timezone', '4.0.0' mod 'ghoneycutt-timezone', '4.0.0'
mod 'ghoneycutt-puppet', '3.3.0' mod 'ghoneycutt-puppet', '3.3.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0' mod 'markt-galera', '3.1.0'
mod 'kogitoapp-minio', '1.1.4' mod 'kogitoapp-minio', '1.1.4'
mod 'broadinstitute-certs', '3.0.1' mod 'broadinstitute-certs', '3.0.1'
@@ -65,5 +66,5 @@ mod 'thias-sysctl', '1.0.8'
mod 'cirrax-dovecot', '1.3.3' mod 'cirrax-dovecot', '1.3.3'
mod 'bind', mod 'bind',
:git => 'https://git.unkin.net/unkinben/puppet-bind.git', :git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
:tag => '1.0' :tag => '1.0'
-5
View File
@@ -1,5 +0,0 @@
repos:
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
rev: v2.2.0
hooks:
- id: bolt-validate
-5
View File
@@ -1,5 +0,0 @@
repos:
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
rev: v2.2.0
hooks:
- id: epp-validate
-5
View File
@@ -1,5 +0,0 @@
repos:
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
rev: v2.2.0
hooks:
- id: erb-validate
-10
View File
@@ -1,10 +0,0 @@
repos:
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
rev: v2.2.0
hooks:
- id: puppet-lint
args:
- --no-80chars-check
- --no-documentation-check
- --no-puppet_url_without_modules-check
- --fail-on-warnings
-5
View File
@@ -1,5 +0,0 @@
repos:
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
rev: v2.2.0
hooks:
- id: puppet-validate
-10
View File
@@ -1,10 +0,0 @@
repos:
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
rev: v2.2.0
hooks:
- id: ruby-validate
- repo: 'https://github.com/jumanjihouse/pre-commit-hooks'
rev: 3.0.0
hooks:
- id: reek
- id: rubocop
-5
View File
@@ -1,5 +0,0 @@
repos:
- repo: 'https://github.com/chriskuehl/puppet-pre-commit-hooks.git'
rev: v2.2.0
hooks:
- id: ruby-validate
-10
View File
@@ -1,10 +0,0 @@
repos:
- repo: 'https://github.com/adrienverge/yamllint'
rev: v1.32.0
hooks:
- id: 'yamllint'
args:
[
"-d {extends: relaxed, rules: {line-length: disable}, ignore: chart}",
"-s",
]
-167
View File
@@ -28,98 +28,6 @@ Always refer back to the official documentation at https://docs.ceph.com/en/late
sudo ceph fs set mediafs max_mds 2 sudo ceph fs set mediafs max_mds 2
``` ```
## managing cephfs with subvolumes
Create erasure code profiles. The K and M values are equivalent to the number of data disks (K) and parity disks (M) in RAID5, RAID6, etc.
sudo ceph osd erasure-code-profile set ec_6_2 k=6 m=2
sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
Create data pools using the erasure-code-profile, set some required options
sudo ceph osd pool create cephfs_data_ssd_ec_6_2 erasure ec_6_2
sudo ceph osd pool set cephfs_data_ssd_ec_6_2 allow_ec_overwrites true
sudo ceph osd pool set cephfs_data_ssd_ec_6_2 bulk true
sudo ceph osd pool create cephfs_data_ssd_ec_4_1 erasure ec_4_1
sudo ceph osd pool set cephfs_data_ssd_ec_4_1 allow_ec_overwrites true
sudo ceph osd pool set cephfs_data_ssd_ec_4_1 bulk true
Add the pool to the fs `cephfs`
sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_6_2
sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_4_1
Create a subvolumegroup using the new data pool
sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_6_2 --pool_layout cephfs_data_ssd_ec_6_2
sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_4_1 --pool_layout cephfs_data_ssd_ec_4_1
All together:
sudo ceph osd erasure-code-profile set ec_6_2 k=6 m=2
sudo ceph osd pool create cephfs_data_ssd_ec_6_2 erasure ec_6_2
sudo ceph osd pool set cephfs_data_ssd_ec_6_2 allow_ec_overwrites true
sudo ceph osd pool set cephfs_data_ssd_ec_6_2 bulk true
sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_6_2
sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_6_2 --pool_layout cephfs_data_ssd_ec_6_2
sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
sudo ceph osd pool create cephfs_data_ssd_ec_4_1 erasure ec_4_1
sudo ceph osd pool set cephfs_data_ssd_ec_4_1 allow_ec_overwrites true
sudo ceph osd pool set cephfs_data_ssd_ec_4_1 bulk true
sudo ceph fs add_data_pool cephfs cephfs_data_ssd_ec_4_1
sudo ceph fs subvolumegroup create cephfs csi_ssd_ec_4_1 --pool_layout cephfs_data_ssd_ec_4_1
Create a key with access to the new subvolume groups. Check if the user already exists first:
sudo ceph auth get client.kubernetes-cephfs
If it doesnt:
sudo ceph auth get-or-create client.kubernetes-cephfs \
mgr 'allow rw' \
osd 'allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs' \
mds 'allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi_ssd_ec_6_2, allow rws fsname=cephfs path=/volumes/csi_ssd_ec_4_1' \
mon 'allow r fsname=cephfs'
If it does, use `sudo ceph auth caps client.kubernetes-cephfs ...` instead to update existing capabilities.
## removing a cephfs subvolumegroup from cephfs
This will cleanup the subvolumegroup, and subvolumes if they exist, then remove the pool.
Check for subvolumegroups first, then for subvolumes in it
sudo ceph fs subvolumegroup ls cephfs
sudo ceph fs subvolume ls cephfs --group_name csi_raid6
If subvolumes exist, remove each one-by-one:
sudo ceph fs subvolume rm cephfs <subvol_name> --group_name csi_raid6
If you have snapshots, remove snapshots first:
sudo ceph fs subvolume snapshot ls cephfs <subvol_name> --group_name csi_raid6
sudo ceph fs subvolume snapshot rm cephfs <subvol_name> <snap_name> --group_name csi_raid6
Once the group is empty, remove it:
sudo ceph fs subvolumegroup rm cephfs csi_raid6
If it complains its not empty, go back as theres still a subvolume or snapshot.
If you added it with `ceph fs add_data_pool`. Undo with `rm_data_pool`:
sudo ceph fs rm_data_pool cephfs cephfs_data_csi_raid6
After its detached from CephFS, you can delete it.
sudo ceph osd pool rm cephfs_data_csi_raid6 cephfs_data_csi_raid6 --yes-i-really-really-mean-it
## creating authentication tokens ## creating authentication tokens
- this will create a client keyring named media - this will create a client keyring named media
@@ -150,78 +58,3 @@ this will overwrite the current capabilities of a given client.user
mon 'allow r' \ mon 'allow r' \
mds 'allow rw path=/' \ mds 'allow rw path=/' \
osd 'allow rw pool=media_data' osd 'allow rw pool=media_data'
## adding a new osd on new node
create the ceph conf (automate this?)
cat <<EOF | sudo tee /etc/ceph/ceph.conf
[global]
auth_client_required = cephx
auth_cluster_required = cephx
auth_service_required = cephx
fsid = de96a98f-3d23-465a-a899-86d3d67edab8
mon_allow_pool_delete = true
mon_initial_members = prodnxsr0009,prodnxsr0010,prodnxsr0011,prodnxsr0012,prodnxsr0013
mon_host = 198.18.23.9,198.18.23.10,198.18.23.11,198.18.23.12,198.18.23.13
ms_bind_ipv4 = true
ms_bind_ipv6 = false
osd_crush_chooseleaf_type = 1
osd_pool_default_min_size = 2
osd_pool_default_size = 3
osd_pool_default_pg_num = 128
public_network = 198.18.23.1/32,198.18.23.2/32,198.18.23.3/32,198.18.23.4/32,198.18.23.5/32,198.18.23.6/32,198.18.23.7/32,198.18.23.8/32,198.18.23.9/32,198.18.23.10/32,198.18.23.11/32,198.18.23.12/32,198.18.23.13/32
EOF
ssh to one of the monitor hosts, then transfer the keys required
sudo cat /etc/ceph/ceph.client.admin.keyring | ssh prodnxsr0003 'sudo tee /etc/ceph/ceph.client.admin.keyring'
sudo cat /var/lib/ceph/bootstrap-osd/ceph.keyring | ssh prodnxsr0003 'sudo tee /var/lib/ceph/bootstrap-osd/ceph.keyring'
assuming we are adding /dev/sda to the cluster, first zap the disk to remove partitions/lvm/metadata
sudo ceph-volume lvm zap /dev/sda --destroy
then add it to the cluster
sudo ceph-volume lvm create --data /dev/sda
## removing an osd
check what OSD IDs were on this host (if you know it)
sudo ceph osd tree
or check for any DOWN osds
sudo ceph osd stat
sudo ceph health detail
once you identify the old OSD ID, remove it with these steps, replace X with the actual OSD ID:
sudo ceph osd out osd.X
sudo ceph osd down osd.X
sudo ceph osd crush remove osd.X
sudo ceph auth del osd.X
sudo ceph osd rm osd.X
## maintenance mode for the cluster
from one node in the cluster disable recovery
sudo ceph osd set noout
sudo ceph osd set nobackfill
sudo ceph osd set norecover
sudo ceph osd set norebalance
sudo ceph osd set nodown
sudo ceph osd set pause
to undo the change, use unset
sudo ceph osd unset noout
sudo ceph osd unset nobackfill
sudo ceph osd unset norecover
sudo ceph osd unset norebalance
sudo ceph osd unset nodown
sudo ceph osd unset pause
-1
View File
@@ -30,7 +30,6 @@ hierarchy:
- "roles/%{::enc_role_tier1}.eyaml" - "roles/%{::enc_role_tier1}.eyaml"
- "roles/%{::enc_role_tier1}.yaml" - "roles/%{::enc_role_tier1}.yaml"
- "virtual/%{facts.virtual}.yaml" - "virtual/%{facts.virtual}.yaml"
- "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.%{facts.os.release.minor}.yaml"
- "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml" - "os/%{facts.os.name}/%{facts.os.name}%{facts.os.release.major}.yaml"
- "os/%{facts.os.name}/all_releases.yaml" - "os/%{facts.os.name}/all_releases.yaml"
- "common.eyaml" - "common.eyaml"
@@ -1,7 +1,4 @@
--- ---
haproxy_server_k8s_syd1_traefik_internal: 'k8s-traefik-internal 198.18.200.4:443 ssl verify none check inter 2s rise 3 fall 2'
haproxy_server_k8s_syd1_traefik_external: 'k8s-traefik-external 198.18.199.0:443 ssl verify none check inter 2s rise 3 fall 2'
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}" profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
profiles::haproxy::dns::vrrp_cnames: profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net - sonarr.main.unkin.net
@@ -19,7 +16,6 @@ profiles::haproxy::dns::vrrp_cnames:
- mail.main.unkin.net - mail.main.unkin.net
- autoconfig.main.unkin.net - autoconfig.main.unkin.net
- autodiscover.main.unkin.net - autodiscover.main.unkin.net
- auth.unkin.net
profiles::haproxy::mappings: profiles::haproxy::mappings:
fe_http: fe_http:
@@ -41,7 +37,6 @@ profiles::haproxy::mappings:
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin' - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
- 'autoconfig.main.unkin.net be_stalwart_webadmin' - 'autoconfig.main.unkin.net be_stalwart_webadmin'
- 'autodiscovery.main.unkin.net be_stalwart_webadmin' - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
- 'auth.unkin.net be_k8s_kanidm'
fe_https: fe_https:
ensure: present ensure: present
mappings: mappings:
@@ -61,7 +56,6 @@ profiles::haproxy::mappings:
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin' - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
- 'autoconfig.main.unkin.net be_stalwart_webadmin' - 'autoconfig.main.unkin.net be_stalwart_webadmin'
- 'autodiscovery.main.unkin.net be_stalwart_webadmin' - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
- 'auth.unkin.net be_k8s_kanidm'
profiles::haproxy::frontends: profiles::haproxy::frontends:
fe_http: fe_http:
@@ -86,7 +80,6 @@ profiles::haproxy::frontends:
- 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net' - 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
- 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net' - 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
- 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net' - 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
- 'acl_kanidm req.hdr(host) -i auth.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24' - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend: use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]" - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -106,7 +99,6 @@ profiles::haproxy::frontends:
- 'set-header X-Frame-Options DENY if acl_grafana' - 'set-header X-Frame-Options DENY if acl_grafana'
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard' - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
- 'set-header X-Frame-Options DENY if acl_stalwart_webadmin' - 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
- 'set-header X-Frame-Options DENY if acl_kanidm'
- 'set-header X-Content-Type-Options nosniff' - 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block' - 'set-header X-XSS-Protection 1;mode=block'
@@ -328,26 +320,6 @@ profiles::haproxy::backends:
- add-header X-Forwarded-Proto https if { dst_port 9443 } - add-header X-Forwarded-Proto https if { dst_port 9443 }
redirect: 'scheme https if !{ ssl_fc }' redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m' stick-table: 'type ip size 200k expire 30m'
be_k8s_kanidm:
description: Backend for Kanidm (auth.unkin.net via Kubernetes internal Traefik)
collect_exported: false
options:
balance: roundrobin
option:
- httpchk
- forwardfor
- http-keep-alive
- prefer-last-server
http-check:
- 'connect ssl sni auth.unkin.net'
- 'send meth GET uri /status ver HTTP/1.1 hdr Host auth.unkin.net'
- 'expect status 200'
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
server: "%{lookup('haproxy_server_k8s_syd1_traefik_internal')} sni str(auth.unkin.net)"
be_stalwart_imap: be_stalwart_imap:
description: Backend for Stalwart IMAP (STARTTLS) description: Backend for Stalwart IMAP (STARTTLS)
collect_exported: false collect_exported: false
@@ -421,7 +393,6 @@ profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem - /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem - /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/auth.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem - /etc/pki/tls/vault/certificate.pem
# additional altnames # additional altnames
@@ -451,4 +422,3 @@ certbot::client::domains:
- git.unkin.net - git.unkin.net
- grafana.unkin.net - grafana.unkin.net
- dashboard.ceph.unkin.net - dashboard.ceph.unkin.net
- auth.unkin.net
+1 -1
View File
@@ -1,7 +1,7 @@
# hieradata/os/AlmaLinux/AlmaLinux8.yaml # hieradata/os/AlmaLinux/AlmaLinux8.yaml
--- ---
crypto_policies::policy: 'DEFAULT' crypto_policies::policy: 'DEFAULT'
almalinux-base-repo: almalinux
profiles::packages::include: profiles::packages::include:
network-scripts: {} network-scripts: {}
-2
View File
@@ -1,2 +0,0 @@
---
almalinux-base-repo: almalinux-vault
+1 -1
View File
@@ -1,7 +1,7 @@
# hieradata/os/AlmaLinux/AlmaLinux9.yaml # hieradata/os/AlmaLinux/AlmaLinux9.yaml
--- ---
crypto_policies::policy: 'DEFAULT:SHA1' crypto_policies::policy: 'DEFAULT:SHA1'
almalinux-base-repo: almalinux
profiles::yum::global::repos: profiles::yum::global::repos:
crb: crb:
ensure: present ensure: present
+12 -12
View File
@@ -23,45 +23,45 @@ profiles::yum::global::repos:
name: baseos name: baseos
descr: baseos repository descr: baseos repository
target: /etc/yum.repos.d/baseos.repo target: /etc/yum.repos.d/baseos.repo
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/ baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent mirrorlist: absent
extras: extras:
name: extras name: extras
descr: extras repository descr: extras repository
target: /etc/yum.repos.d/extras.repo target: /etc/yum.repos.d/extras.repo
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/ baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent mirrorlist: absent
appstream: appstream:
name: appstream name: appstream
descr: appstream repository descr: appstream repository
target: /etc/yum.repos.d/appstream.repo target: /etc/yum.repos.d/appstream.repo
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/ baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent mirrorlist: absent
highavailability: highavailability:
name: highavailability name: highavailability
descr: highavailability repository descr: highavailability repository
target: /etc/yum.repos.d/highavailability.repo target: /etc/yum.repos.d/highavailability.repo
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/ baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent mirrorlist: absent
crb: crb:
ensure: absent ensure: absent
name: crb name: crb
descr: crb repository descr: crb repository
target: /etc/yum.repos.d/crb.repo target: /etc/yum.repos.d/crb.repo
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/ baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/CRB/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent mirrorlist: absent
powertools: powertools:
ensure: absent ensure: absent
name: powertools name: powertools
descr: powertools repository descr: powertools repository
target: /etc/yum.repos.d/powertools.repo target: /etc/yum.repos.d/powertools.repo
baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/ baseurl: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/
gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/%{lookup('almalinux-base-repo')}/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major} gpgkey: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent mirrorlist: absent
epel: epel:
name: epel name: epel
-30
View File
@@ -66,9 +66,6 @@ glauth::users:
- 20025 # jupyterhub_admin - 20025 # jupyterhub_admin
- 20026 # jupyterhub_user - 20026 # jupyterhub_user
- 20027 # grafana_user - 20027 # grafana_user
- 20028 # k8s/au/syd1 operator
- 20029 # k8s/au/syd1 admin
- 20030 # k8s/au/syd1 root
loginshell: '/bin/bash' loginshell: '/bin/bash'
homedir: '/home/benvin' homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a' passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -226,24 +223,6 @@ glauth::users:
loginshell: '/bin/bash' loginshell: '/bin/bash'
homedir: '/home/debvin' homedir: '/home/debvin'
passsha256: 'cdac05ddb02e665d4ea65a974995f38a10236bc158731d92d78f6cde89b294a1' passsha256: 'cdac05ddb02e665d4ea65a974995f38a10236bc158731d92d78f6cde89b294a1'
jassol:
user_name: 'jassol'
givenname: 'Jason'
sn: 'Solomon'
mail: 'jassol@users.main.unkin.net'
uidnumber: 20010
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
- 20027 # grafana user
loginshell: '/bin/bash'
homedir: '/home/jassol'
passsha256: 'd8e215d3c94b954e1318c9c7243ce72713f2fb1d006037724fe857c1fb7e88e9'
glauth::services: glauth::services:
svc_jellyfin: svc_jellyfin:
@@ -388,12 +367,3 @@ glauth::groups:
grafana_user: grafana_user:
group_name: 'grafana_user' group_name: 'grafana_user'
gidnumber: 20027 gidnumber: 20027
kubernetes_au_syd1_cluster_operator:
group_name: 'kubernetes_au_syd1_cluster_operator'
gidnumber: 20028
kubernetes_au_syd1_cluster_admin:
group_name: 'kubernetes_au_syd1_cluster_admin'
gidnumber: 20029
kubernetes_au_syd1_cluster_root:
group_name: 'kubernetes_au_syd1_cluster_root'
gidnumber: 20030
+1 -3
View File
@@ -6,10 +6,8 @@ hiera_include:
profiles::dns::resolver::acls: profiles::dns::resolver::acls:
acl-main.unkin.net: acl-main.unkin.net:
addresses: addresses:
- 198.18.1.10/32 - 10.10.8.1/32
- 198.18.2.160/27
- 198.18.21.160/27 - 198.18.21.160/27
- 198.18.2.192/27
- 198.18.21.192/27 - 198.18.21.192/27
- 198.18.13.0/24 - 198.18.13.0/24
- 198.18.14.0/24 - 198.18.14.0/24
+2 -8
View File
@@ -82,14 +82,8 @@ profiles::sql::postgresdb::dbname: gitea
profiles::sql::postgresdb::dbuser: gitea profiles::sql::postgresdb::dbuser: gitea
# deploy gitea # deploy gitea
gitea::base_url: 'https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/gitea-dl/gitea' gitea::ensure: '1.22.4'
gitea::install::checksums: gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
1.26.2:
linux:
amd64: 5b37937b625de69196748f7293eee1a7363f8637ae6e3da3c359bb380bd61a6a
gitea::ensure: '1.26.2'
gitea::checksum: '5b37937b625de69196748f7293eee1a7363f8637ae6e3da3c359bb380bd61a6a'
gitea::manage_user: false gitea::manage_user: false
gitea::manage_group: false gitea::manage_group: false
gitea::manage_home: false gitea::manage_home: false
+1 -5
View File
@@ -5,10 +5,6 @@ hiera_include:
- incus - incus
- zfs - zfs
- profiles::ceph::node - profiles::ceph::node
- profiles::ceph::mon
- profiles::ceph::mgr
- profiles::ceph::mds
- profiles::ceph::osd
- profiles::ceph::client - profiles::ceph::client
- profiles::ceph::dashboard - profiles::ceph::dashboard
- profiles::storage::cephfsvols - profiles::storage::cephfsvols
@@ -103,7 +99,7 @@ profiles::yum::global::repos:
profiles::dns::base::primary_interface: loopback0 profiles::dns::base::primary_interface: loopback0
# dashboard/haproxy # dashboard/haproxy
profiles::ceph::dashboard::ipaddress: "%{hiera('networking_loopback2_ip')}" profiles::ceph::dashboard::ipaddress: "%{hiera('networking_loopback0_ip')}"
# networking # networking
systemd::manage_networkd: true systemd::manage_networkd: true
-68
View File
@@ -2,7 +2,6 @@
hiera_include: hiera_include:
- profiles::selinux::setenforce - profiles::selinux::setenforce
- profiles::ceph::node - profiles::ceph::node
- profiles::ceph::osd
- profiles::ceph::client - profiles::ceph::client
- exporters::frr_exporter - exporters::frr_exporter
- frrouting - frrouting
@@ -11,62 +10,6 @@ hiera_include:
# manage rke2 # manage rke2
rke2::bootstrap_node: prodnxsr0001.main.unkin.net rke2::bootstrap_node: prodnxsr0001.main.unkin.net
rke2::join_url: https://join-k8s.service.consul:9345 rke2::join_url: https://join-k8s.service.consul:9345
rke2::manage_registries: true
rke2::registries:
docker.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "dockerhub/$1"
disable-default-registry-endpoint: true
ghcr.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "ghcr/$1"
disable-default-registry-endpoint: true
quay.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "quay/$1"
disable-default-registry-endpoint: true
registry.k8s.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "k8s-registry/$1"
disable-default-registry-endpoint: true
registry.gitlab.com:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "gitlab/$1"
disable-default-registry-endpoint: true
docker.elastic.co:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "elastic/$1"
disable-default-registry-endpoint: true
gcr.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "gcr/$1"
disable-default-registry-endpoint: true
docker.litellm.ai:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "litellm/$1"
disable-default-registry-endpoint: true
public.ecr.aws:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "ecr-public/$1"
disable-default-registry-endpoint: true
rke2::config_hash: rke2::config_hash:
bind-address: "%{hiera('networking_loopback0_ip')}" bind-address: "%{hiera('networking_loopback0_ip')}"
node-ip: "%{hiera('networking_loopback0_ip')}" node-ip: "%{hiera('networking_loopback0_ip')}"
@@ -182,17 +125,6 @@ frrouting::ospf_exclude_k8s_enable: true
frrouting::k8s_cluster_cidr: '10.42.0.0/16' # RKE2 cluster-cidr (pods) frrouting::k8s_cluster_cidr: '10.42.0.0/16' # RKE2 cluster-cidr (pods)
frrouting::k8s_service_cidr: '10.43.0.0/16' # RKE2 service-cidr frrouting::k8s_service_cidr: '10.43.0.0/16' # RKE2 service-cidr
# sysctl recommendations
sysctl::base::values:
net.ipv4.conf.default.rp_filter:
value: '0'
net.ipv4.conf.all.rp_filter:
value: '0'
fs.inotify.max_user_watches:
value: '524288'
fs.inotify.max_user_instances:
value: '512'
# add loopback interfaces to ssh list # add loopback interfaces to ssh list
ssh::server::options: ssh::server::options:
ListenAddress: ListenAddress:
+3
View File
@@ -3,6 +3,9 @@
rke2::node_type: server rke2::node_type: server
rke2::helm_install: true rke2::helm_install: true
rke2::helm_repos: rke2::helm_repos:
rancher-stable: https://releases.rancher.com/server-charts/stable
purelb: https://gitlab.com/api/v4/projects/20400619/packages/helm/stable
jetstack: https://charts.jetstack.io
harbor: https://helm.goharbor.io harbor: https://helm.goharbor.io
traefik: https://traefik.github.io/charts traefik: https://traefik.github.io/charts
hashicorp: https://helm.releases.hashicorp.com hashicorp: https://helm.releases.hashicorp.com
@@ -11,7 +11,6 @@ profiles::metrics::grafana::db_name: "%{hiera('profiles::sql::postgresdb::dbname
profiles::metrics::grafana::db_user: "%{hiera('profiles::sql::postgresdb::dbuser')}" profiles::metrics::grafana::db_user: "%{hiera('profiles::sql::postgresdb::dbuser')}"
profiles::metrics::grafana::db_pass: "%{hiera('profiles::sql::postgresdb::dbpass')}" profiles::metrics::grafana::db_pass: "%{hiera('profiles::sql::postgresdb::dbpass')}"
profiles::metrics::grafana::pgsql_backend: true profiles::metrics::grafana::pgsql_backend: true
profiles::metrics::grafana::version: '13.0.2'
profiles::metrics::grafana::plugins: profiles::metrics::grafana::plugins:
victoriametrics-logs-datasource: victoriametrics-logs-datasource:
ensure: present ensure: present
-1
View File
@@ -16,4 +16,3 @@ certbot::domains:
- git.unkin.net - git.unkin.net
- grafana.unkin.net - grafana.unkin.net
- dashboard.ceph.unkin.net - dashboard.ceph.unkin.net
- auth.unkin.net
+1 -1
View File
@@ -26,7 +26,7 @@ profiles::puppet::cobbler_enc::packages:
- 'requests' - 'requests'
- 'PyYAML' - 'PyYAML'
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkin/puppet-r10k.git profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkin/puppet-r10k.git
profiles::puppet::g10k::bin_path: '/usr/bin/g10k' profiles::puppet::g10k::bin_path: '/usr/bin/g10k'
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml' profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments' profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
+273
View File
@@ -3,6 +3,125 @@ profiles::packages::include:
createrepo: {} createrepo: {}
profiles::reposync::repos_list: profiles::reposync::repos_list:
almalinux_9.7_baseos:
repository: 'baseos'
description: 'AlmaLinux 9.7 BaseOS'
osname: 'almalinux'
release: '9.7'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/baseos'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9.7_appstream:
repository: 'appstream'
description: 'AlmaLinux 9.7 AppStream'
osname: 'almalinux'
release: '9.7'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/appstream'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9.7_crb:
repository: 'crb'
description: 'AlmaLinux 9.7 CRB'
osname: 'almalinux'
release: '9.7'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/crb'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9.7_ha:
repository: 'ha'
description: 'AlmaLinux 9.7 HighAvailability'
osname: 'almalinux'
release: '9.7'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/highavailability'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9.7_extras:
repository: 'extras'
description: 'AlmaLinux 9.7 extras'
osname: 'almalinux'
release: '9.7'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.7/extras'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9.6_baseos:
repository: 'baseos'
description: 'AlmaLinux 9.6 BaseOS'
osname: 'almalinux'
release: '9.6'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/baseos'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9.6_appstream:
repository: 'appstream'
description: 'AlmaLinux 9.6 AppStream'
osname: 'almalinux'
release: '9.6'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/appstream'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9.6_crb:
repository: 'crb'
description: 'AlmaLinux 9.6 CRB'
osname: 'almalinux'
release: '9.6'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/crb'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9.6_ha:
repository: 'ha'
description: 'AlmaLinux 9.6 HighAvailability'
osname: 'almalinux'
release: '9.6'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/highavailability'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9.6_extras:
repository: 'extras'
description: 'AlmaLinux 9.6 extras'
osname: 'almalinux'
release: '9.6'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.6/extras'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_baseos:
repository: 'baseos'
description: 'AlmaLinux 9.5 BaseOS'
osname: 'almalinux'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_appstream:
repository: 'appstream'
description: 'AlmaLinux 9.5 AppStream'
osname: 'almalinux'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_crb:
repository: 'crb'
description: 'AlmaLinux 9.5 CRB'
osname: 'almalinux'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_ha:
repository: 'ha'
description: 'AlmaLinux 9.5 HighAvailability'
osname: 'almalinux'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_extras:
repository: 'extras'
description: 'AlmaLinux 9.5 extras'
osname: 'almalinux'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
epel_8:
repository: 'everything'
description: 'EPEL8'
osname: 'epel'
release: '8'
mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
gpgkey: 'https://epel.mirror.digitalpacific.com.au/RPM-GPG-KEY-EPEL-8'
epel_9:
repository: 'everything'
description: 'EPEL9'
osname: 'epel'
release: '9'
mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-9&arch=x86_64'
gpgkey: 'https://epel.mirror.digitalpacific.com.au/RPM-GPG-KEY-EPEL-9'
docker_stable_el8: docker_stable_el8:
repository: 'stable' repository: 'stable'
description: 'Docker CE Stable EL8' description: 'Docker CE Stable EL8'
@@ -17,6 +136,34 @@ profiles::reposync::repos_list:
release: 'el9' release: 'el9'
baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/' baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
gpgkey: 'https://download.docker.com/linux/centos/gpg' gpgkey: 'https://download.docker.com/linux/centos/gpg'
frr_stable_el8:
repository: 'stable'
description: 'FRR Stable EL8'
osname: 'frr'
release: 'el8'
baseurl: 'https://rpm.frrouting.org/repo/el8/frr/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_extras_el8:
repository: 'extras'
description: 'FRR Extras EL8'
osname: 'frr'
release: 'el8'
baseurl: 'https://rpm.frrouting.org/repo/el8/extras/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_stable_el9:
repository: 'stable'
description: 'FRR Stable EL9'
osname: 'frr'
release: 'el9'
baseurl: 'https://rpm.frrouting.org/repo/el9/frr/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_extras_el9:
repository: 'extras'
description: 'FRR Extras el9'
osname: 'frr'
release: 'el9'
baseurl: 'https://rpm.frrouting.org/repo/el9/extras/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
k8s_1.32: k8s_1.32:
repository: '1.32' repository: '1.32'
description: 'Kubernetes 1.32' description: 'Kubernetes 1.32'
@@ -31,6 +178,62 @@ profiles::reposync::repos_list:
release: '1.33' release: '1.33'
baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/' baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/'
gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/repodata/repomd.xml.key' gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.33/rpm/repodata/repomd.xml.key'
mariadb_11_8_el8:
repository: 'el8'
description: 'MariaDB 11.8'
osname: 'mariadb'
release: '11.8'
baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.8/rhel8-amd64/'
gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB'
mariadb_11_8_el9:
repository: 'el9'
description: 'MariaDB 11.8'
osname: 'mariadb'
release: '11.8'
baseurl: 'http://mariadb.mirror.digitalpacific.com.au/yum/11.8/rhel9-amd64/'
gpgkey: 'https://mariadb.mirror.digitalpacific.com.au/yum/RPM-GPG-KEY-MariaDB'
openvox7_el8:
repository: '8'
description: 'openvox 7 EL8'
osname: 'openvox7'
release: 'el'
baseurl: 'https://yum.voxpupuli.org/openvox7/el/8/x86_64/'
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
openvox7_el9:
repository: '9'
description: 'openvox 7 EL9'
osname: 'openvox7'
release: 'el'
baseurl: 'https://yum.voxpupuli.org/openvox7/el/9/x86_64/'
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
openvox7_el10:
repository: '10'
description: 'openvox 7 EL10'
osname: 'openvox7'
release: 'el'
baseurl: 'https://yum.voxpupuli.org/openvox7/el/10/x86_64/'
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
openvox8_el8:
repository: '8'
description: 'openvox 8 EL8'
osname: 'openvox8'
release: 'el'
baseurl: 'https://yum.voxpupuli.org/openvox8/el/8/x86_64/'
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
openvox8_el9:
repository: '9'
description: 'openvox 8 EL9'
osname: 'openvox8'
release: 'el'
baseurl: 'https://yum.voxpupuli.org/openvox8/el/9/x86_64/'
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
openvox8_el10:
repository: '10'
description: 'openvox 8 EL10'
osname: 'openvox8'
release: 'el'
baseurl: 'https://yum.voxpupuli.org/openvox8/el/10/x86_64/'
gpgkey: 'https://yum.voxpupuli.org/GPG-KEY-openvox.pub'
puppet7_el8: puppet7_el8:
repository: '8' repository: '8'
description: 'Puppet 7 EL8' description: 'Puppet 7 EL8'
@@ -59,6 +262,76 @@ profiles::reposync::repos_list:
release: 'el' release: 'el'
baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/' baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406' gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
postgresql_rhel8_common:
repository: 'common'
description: 'PostgreSQL Common RHEL 8'
osname: 'postgresql'
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_common:
repository: 'common'
description: 'PostgreSQL Common RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel8_15:
repository: '15'
description: 'PostgreSQL 15 RHEL 8'
osname: 'postgresql'
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_15:
repository: '15'
description: 'PostgreSQL 15 RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel8_16:
repository: '16'
description: 'PostgreSQL 16 RHEL 8'
osname: 'postgresql'
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_16:
repository: '16'
description: 'PostgreSQL 16 RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel8_17:
repository: '17'
description: 'PostgreSQL 17 RHEL 8'
osname: 'postgresql'
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_17:
repository: '17'
description: 'PostgreSQL 17 RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
rke2_common_el9:
repository: 'common'
description: 'RKE2 common RHEL 9'
osname: 'rke2'
release: "rhel9"
baseurl: "https://rpm.rancher.io/rke2/latest/common/centos/9/noarch"
gpgkey: "https://rpm.rancher.io/public.key"
rke2_1_33_el9:
repository: '1.33'
description: 'RKE2 1.33 RHEL 9'
osname: 'rke2'
release: "rhel9"
baseurl: "https://rpm.rancher.io/rke2/latest/1.33/centos/9/x86_64"
gpgkey: "https://rpm.rancher.io/public.key"
zfs_dkms_rhel8: zfs_dkms_rhel8:
repository: 'dkms' repository: 'dkms'
description: 'ZFS DKMS RHEL 8' description: 'ZFS DKMS RHEL 8'
@@ -29,7 +29,6 @@ profiles::consul::server::acl:
profiles::pki::vault::alt_names: profiles::pki::vault::alt_names:
- consul.main.unkin.net - consul.main.unkin.net
- consul.service.consul - consul.service.consul
- "consul.service.%{facts.country}-%{facts.region}.consul"
- consul - consul
# manage a simple nginx reverse proxy # manage a simple nginx reverse proxy
@@ -39,7 +38,6 @@ profiles::nginx::simpleproxy::nginx_aliases:
- consul.main.unkin.net - consul.main.unkin.net
profiles::nginx::simpleproxy::proxy_port: 8500 profiles::nginx::simpleproxy::proxy_port: 8500
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 512M
# consul # consul
profiles::consul::client::node_rules: profiles::consul::client::node_rules:
+2 -7
View File
@@ -2,12 +2,10 @@
profiles::vault::server::members_role: roles::infra::storage::vault profiles::vault::server::members_role: roles::infra::storage::vault
profiles::vault::server::members_lookup: true profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault profiles::vault::server::data_dir: /data/vault
profiles::vault::server::plugin_dir: /opt/openbao-plugins
profiles::vault::server::manage_storage_dir: true profiles::vault::server::manage_storage_dir: true
profiles::vault::server::tls_disable: false profiles::vault::server::tls_disable: false
profiles::vault::server::package_name: openbao vault::package_name: openbao
profiles::vault::server::package_ensure: 2.4.4 vault::package_ensure: latest
profiles::vault::server::disable_openbao: false
# additional altnames # additional altnames
profiles::pki::vault::alt_names: profiles::pki::vault::alt_names:
@@ -25,6 +23,3 @@ profiles::nginx::simpleproxy::proxy_scheme: 'http'
profiles::nginx::simpleproxy::proxy_host: '127.0.0.1' profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
profiles::nginx::simpleproxy::proxy_port: 8200 profiles::nginx::simpleproxy::proxy_port: 8200
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::packages::include:
openbao-plugins: {}
+3 -3
View File
@@ -28,8 +28,8 @@ class externaldns::master inherits externaldns {
dynamic => true, dynamic => true,
allow_updates => ['key externaldns-key'], allow_updates => ['key externaldns-key'],
allow_transfers => empty($slave_ips) ? { allow_transfers => empty($slave_ips) ? {
true => ['key externaldns-key'], true => [],
false => ['key externaldns-key','dns-slaves'], false => ['dns-slaves'],
}, },
ns_notify => !empty($slave_ips), ns_notify => !empty($slave_ips),
also_notify => $slave_ips, also_notify => $slave_ips,
@@ -42,4 +42,4 @@ class externaldns::master inherits externaldns {
recursion => false, recursion => false,
zones => $externaldns::k8s_zones, zones => $externaldns::k8s_zones,
} }
} }
+1 -6
View File
@@ -22,12 +22,7 @@ class incus::cluster (
} }
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
"facts[certname] {
name = 'enc_role' and value = '${members_role}' and
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
}"
).map |$fact| { $fact['certname'] })
# else use provided array from params # else use provided array from params
}else{ }else{
-56
View File
@@ -1,56 +0,0 @@
# frozen_string_literal: true
require 'facter'
# Detects active ceph service instances via systemctl and exposes facts
# for use in ceph service management profiles.
# rubocop:disable Style/ClassAndModuleChildren
module Unkin
module Ceph
# Detects active ceph service instances via systemctl and exposes Facter facts.
module Utils
TYPES = %w[mon mgr mds osd].freeze
def self.services
output = Facter::Core::Execution.execute(
'systemctl list-units "ceph*" --no-legend --plain --all 2>/dev/null',
on_fail: ''
)
parse_units(output)
end
def self.parse_units(output)
result = TYPES.each_with_object({}) { |type, hash| hash[type] = [] }
output.each_line do |line|
unit = line.split.first
next unless unit
match_unit(result, unit)
end
result
end
def self.match_unit(result, unit)
TYPES.each do |type|
match = unit.match(/\Aceph-#{type}@(.+)\.service\z/)
result[type] << "ceph-#{type}@#{match[1]}" if match
end
end
TYPES.each do |type|
define_singleton_method(:"#{type}?") { !services[type].empty? }
end
end
end
end
# rubocop:enable Style/ClassAndModuleChildren
Facter.add('ceph_services') do
setcode { Unkin::Ceph::Utils.services }
end
Unkin::Ceph::Utils::TYPES.each do |type|
Facter.add("is_ceph_#{type}") do
setcode { Unkin::Ceph::Utils.public_send(:"#{type}?") }
end
end
+1 -6
View File
@@ -20,12 +20,7 @@ class redisha::redis (
} }
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
"facts[certname] {
name = 'enc_role' and value = '${redisha_members_role}' and
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
}"
).map |$fact| { $fact['certname'] })
# else use provided array from params # else use provided array from params
}else{ }else{
+1 -6
View File
@@ -23,12 +23,7 @@ class redisha::sentinel (
} }
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
"facts[certname] {
name = 'enc_role' and value = '${redisha_members_role}' and
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
}"
).map |$fact| { $fact['certname'] })
# else use provided array from params # else use provided array from params
}else{ }else{
@@ -0,0 +1,23 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rancher
namespace: cattle-system
annotations:
kubernetes.io/ingress.class: nginx
spec:
tls:
- hosts: [rancher.main.unkin.net]
secretName: tls-rancher
rules:
- host: rancher.main.unkin.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: rancher
port:
number: 80
+45
View File
@@ -0,0 +1,45 @@
apiVersion: purelb.io/v1
kind: LBNodeAgent
metadata:
name: common
namespace: purelb
spec:
local:
extlbint: kube-lb0
localint: default
sendgarp: false
---
apiVersion: purelb.io/v1
kind: LBNodeAgent
metadata:
name: dmz
namespace: purelb
spec:
local:
extlbint: kube-lb0
localint: default
sendgarp: false
---
apiVersion: purelb.io/v1
kind: ServiceGroup
metadata:
name: dmz
namespace: purelb
spec:
local:
v4pools:
- subnet: 198.18.199.0/24
pool: 198.18.199.0/24
aggregation: /32
---
apiVersion: purelb.io/v1
kind: ServiceGroup
metadata:
name: common
namespace: purelb
spec:
local:
v4pools:
- subnet: 198.18.200.0/24
pool: 198.18.200.0/24
aggregation: /32
+24 -20
View File
@@ -7,8 +7,6 @@ class rke2::config (
Stdlib::Fqdn $bootstrap_node = $rke2::bootstrap_node, Stdlib::Fqdn $bootstrap_node = $rke2::bootstrap_node,
String $node_token = $rke2::node_token, String $node_token = $rke2::node_token,
Array[String[1]] $extra_config_files = $rke2::extra_config_files, Array[String[1]] $extra_config_files = $rke2::extra_config_files,
Boolean $manage_registries = $rke2::manage_registries,
Hash $registries = $rke2::registries,
){ ){
# if its not the bootstrap node, add join path to config # if its not the bootstrap node, add join path to config
@@ -30,24 +28,6 @@ class rke2::config (
$config = $config_hash $config = $config_hash
} }
if $manage_registries {
file { '/etc/rancher/rke2/registries.yaml':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => epp('rke2/registries.yaml.epp', { registries => $registries }),
require => Package["rke2-${node_type}"],
notify => Service["rke2-${node_type}"],
}
}else{
file { '/etc/rancher/rke2/registries.yaml':
ensure => absent,
require => Package["rke2-${node_type}"],
notify => Service["rke2-${node_type}"],
}
}
# create the config file # create the config file
file { $config_file: file { $config_file:
ensure => file, ensure => file,
@@ -88,6 +68,30 @@ class rke2::config (
# on the controller nodes only # on the controller nodes only
if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 { if $node_type == 'server' and $facts['k8s_masters'] and $facts['k8s_masters'] > 2 {
# wait for purelb helm to setup namespace
if 'purelb' in $facts['k8s_namespaces'] {
file {'/var/lib/rancher/rke2/server/manifests/purelb-config.yaml':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/rke2/purelb-config.yaml',
require => Service['rke2-server'],
}
}
# wait for rancher helm to setup namespace
if 'cattle-system' in $facts['k8s_namespaces'] {
file {'/var/lib/rancher/rke2/server/manifests/ingress-route-rancher.yaml':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/rke2/ingress-route-rancher.yaml',
require => Service['rke2-server'],
}
}
# manage extra config config (these are not dependent on helm) # manage extra config config (these are not dependent on helm)
$extra_config_files.each |$file| { $extra_config_files.each |$file| {
+38
View File
@@ -38,6 +38,44 @@ class rke2::helm (
} }
} }
} }
# install specific helm charts to bootstrap environment
$plb_cmd = 'helm install purelb purelb/purelb \
--create-namespace \
--namespace=purelb \
--repository-config /etc/helm/repositories.yaml'
exec { 'install_purelb':
command => $plb_cmd,
path => ['/usr/bin', '/bin'],
environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
unless => 'helm list -n purelb | grep -q ^purelb',
}
$cm_cmd = 'helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set crds.enabled=true \
--repository-config /etc/helm/repositories.yaml'
exec { 'install_cert_manager':
command => $cm_cmd,
path => ['/usr/bin', '/bin'],
environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
unless => 'helm list -n cert-manager | grep -q ^cert-manager',
}
$r_cmd = 'helm install rancher rancher-stable/rancher \
--namespace cattle-system \
--create-namespace \
--set hostname=rancher.main.unkin.net \
--set bootstrapPassword=admin \
--set ingress.tls.source=secret \
--repository-config /etc/helm/repositories.yaml'
exec { 'install_rancher':
command => $r_cmd,
path => ['/usr/bin', '/bin'],
environment => ['KUBECONFIG=/etc/rancher/rke2/rke2.yaml'],
unless => 'helm list -n cattle-system | grep -q ^rancher',
}
} }
} }
} }
-2
View File
@@ -12,8 +12,6 @@ class rke2 (
Hash $helm_repos = $rke2::params::helm_repos, Hash $helm_repos = $rke2::params::helm_repos,
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files, Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source, Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
Boolean $manage_registries = $rke2::params::manage_registries,
Hash $registries = $rke2::params::registries,
) inherits rke2::params { ) inherits rke2::params {
include rke2::install include rke2::install
+1 -3
View File
@@ -1,7 +1,7 @@
# rke2 params # rke2 params
class rke2::params ( class rke2::params (
Enum['server', 'agent'] $node_type = 'agent', Enum['server', 'agent'] $node_type = 'agent',
String $rke2_version = '1.33.4', String $rke2_version = '1.33.7',
String $rke2_release = 'rke2r1', String $rke2_release = 'rke2r1',
Stdlib::Absolutepath $config_file = '/etc/rancher/rke2/config.yaml', Stdlib::Absolutepath $config_file = '/etc/rancher/rke2/config.yaml',
Hash $config_hash = {}, Hash $config_hash = {},
@@ -12,6 +12,4 @@ class rke2::params (
Hash $helm_repos = {}, Hash $helm_repos = {},
Array[String[1]] $extra_config_files = [], Array[String[1]] $extra_config_files = [],
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download', Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
Boolean $manage_registries = false,
Hash $registries = {},
) {} ) {}
@@ -1,20 +0,0 @@
<%- | Hash $registries | -%>
---
# DO NOT MODIFY - MANAGED BY PUPPET
mirrors:
<%- $registries.each |$registry, $config| { -%>
<%= $registry %>:
endpoint:
<%- $config['endpoint'].each |$ep| { -%>
- "<%= $ep %>"
<%- } -%>
<%- if $config['rewrite'] { -%>
rewrite:
<%- $config['rewrite'].each |$pattern, $replacement| { -%>
"<%= $pattern %>": "<%= $replacement %>"
<%- } -%>
<%- } -%>
<%- if $config['disable-default-registry-endpoint'] { -%>
disable-default-registry-endpoint: true
<%- } -%>
<%- } -%>
+2 -21
View File
@@ -167,13 +167,7 @@ class stalwart (
# Query cluster members for validation # Query cluster members for validation
$cluster_query = "enc_role='${cluster_role}' and country='${facts['country']}' and region='${facts['region']}'" $cluster_query = "enc_role='${cluster_role}' and country='${facts['country']}' and region='${facts['region']}'"
$cluster_members_raw = puppetdb_query( $cluster_members_raw = query_nodes($cluster_query, 'networking.fqdn')
"facts[certname] {
name = 'enc_role' and value = '${cluster_role}' and
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
}"
).map |$fact| { $fact['certname'] }
$cluster_members = $cluster_members_raw ? { $cluster_members = $cluster_members_raw ? {
undef => [], undef => [],
default => $cluster_members_raw, default => $cluster_members_raw,
@@ -186,20 +180,7 @@ class stalwart (
# Query HAProxy nodes for proxy trusted networks # Query HAProxy nodes for proxy trusted networks
$haproxy_query = "enc_role='${haproxy_role}' and country='${facts['country']}' and region='${facts['region']}'" $haproxy_query = "enc_role='${haproxy_role}' and country='${facts['country']}' and region='${facts['region']}'"
$haproxy_members_raw = puppetdb_query( $haproxy_members_raw = query_nodes($haproxy_query, 'networking.ip')
"facts[certname,value] {
name = 'networking' and
certname in facts[certname] {
name = 'enc_role' and value = '${haproxy_role}'
} and
certname in facts[certname] {
name = 'country' and value = '${facts['country']}'
} and
certname in facts[certname] {
name = 'region' and value = '${facts['region']}'
}
}"
).map |$fact| { $fact['value']['ip'] }
$haproxy_ips = $haproxy_members_raw ? { $haproxy_ips = $haproxy_members_raw ? {
undef => [], undef => [],
default => sort($haproxy_members_raw), default => sort($haproxy_members_raw),
-13
View File
@@ -1,13 +0,0 @@
class profiles::ceph::mds (
Boolean $ensure_running = true,
) {
if $ensure_running and $facts['is_ceph_mds'] {
$facts['ceph_services']['mds'].each |String $svc| {
service { $svc:
ensure => running,
enable => true,
}
}
}
}
-13
View File
@@ -1,13 +0,0 @@
class profiles::ceph::mgr (
Boolean $ensure_running = true,
) {
if $ensure_running and $facts['is_ceph_mgr'] {
$facts['ceph_services']['mgr'].each |String $svc| {
service { $svc:
ensure => running,
enable => true,
}
}
}
}
-13
View File
@@ -1,13 +0,0 @@
class profiles::ceph::mon (
Boolean $ensure_running = true,
) {
if $ensure_running and $facts['is_ceph_mon'] {
$facts['ceph_services']['mon'].each |String $svc| {
service { $svc:
ensure => running,
enable => true,
}
}
}
}
-13
View File
@@ -1,13 +0,0 @@
class profiles::ceph::osd (
Boolean $ensure_running = true,
) {
if $ensure_running and $facts['is_ceph_osd'] {
$facts['ceph_services']['osd'].each |String $svc| {
service { $svc:
ensure => running,
enable => true,
}
}
}
}
+1 -6
View File
@@ -28,12 +28,7 @@ class profiles::consul::client (
} }
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
"facts[certname] {
name = 'enc_role' and value = '${members_role}' and
certname in facts[certname] { name = 'region' and value = '${::facts['region']}' }
}"
).map |$fact| { $fact['certname'] })
# else use provided array from params # else use provided array from params
}else{ }else{
+2 -12
View File
@@ -65,22 +65,12 @@ class profiles::consul::server (
} }
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
"facts[certname] {
name = 'enc_role' and value = '${members_role}' and
certname in facts[certname] { name = 'region' and value = '${::facts['region']}' }
}"
).map |$fact| { $fact['certname'] })
if $join_remote_regions { if $join_remote_regions {
# get all nodes in the members_role for each other region # get all nodes in the members_role for each other region
$region_to_servers = $remote_regions.reduce({}) |$memo, $region| { $region_to_servers = $remote_regions.reduce({}) |$memo, $region| {
$servers = sort(puppetdb_query( $servers = sort(query_nodes("enc_role='${members_role}' and region='${region}'", 'networking.fqdn'))
"facts[certname] {
name = 'enc_role' and value = '${members_role}' and
certname in facts[certname] { name = 'region' and value = '${region}' }
}"
).map |$fact| { $fact['certname'] })
$memo + { $region => $servers } $memo + { $region => $servers }
} }
+3 -22
View File
@@ -18,28 +18,9 @@ class profiles::dns::base (
$nameserver_array = $ns_role ? { $nameserver_array = $ns_role ? {
undef => $nameservers, undef => $nameservers,
default => $use_ns ? { default => $use_ns ? {
'all' => puppetdb_query( 'all' => query_nodes("enc_role='${ns_role}'", 'networking.ip'),
"facts[certname,value] { 'region' => query_nodes("enc_role='${ns_role}' and region=${facts['region']}", 'networking.ip'),
name = 'networking' and 'country' => query_nodes("enc_role='${ns_role}' and country=${facts['country']}", 'networking.ip'),
certname in nodes[certname] { facts.enc_role = '${ns_role}' }
}"
).map |$fact| { $fact['value']['ip'] },
'region' => puppetdb_query(
"facts[certname,value] {
name = 'networking' and
certname in nodes[certname] {
facts.enc_role = '${ns_role}' and facts.region = '${facts['region']}'
}
}"
).map |$fact| { $fact['value']['ip'] },
'country' => puppetdb_query(
"facts[certname,value] {
name = 'networking' and
certname in nodes[certname] {
facts.enc_role = '${ns_role}' and facts.country = '${facts['country']}'
}
}"
).map |$fact| { $fact['value']['ip'] },
} }
} }
+4 -18
View File
@@ -20,21 +20,9 @@ class profiles::dns::master (
$nameservers_array = $ns_role ? { $nameservers_array = $ns_role ? {
undef => [$facts['networking']['fqdn']], undef => [$facts['networking']['fqdn']],
default => $use_ns ? { default => $use_ns ? {
'all' => sort(puppetdb_query( 'all' => sort(query_nodes("enc_role='${ns_role}'", 'networking.fqdn')),
"facts[certname] { name = 'enc_role' and value = '${ns_role}' }" 'region' => sort(query_nodes("enc_role='${ns_role}' and region=${facts['region']}", 'networking.fqdn')),
).map |$fact| { $fact['certname'] }), 'country' => sort(query_nodes("enc_role='${ns_role}' and country=${facts['country']}", 'networking.fqdn')),
'region' => sort(puppetdb_query(
"facts[certname] {
name = 'enc_role' and value = '${ns_role}' and
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
}"
).map |$fact| { $fact['certname'] }),
'country' => sort(puppetdb_query(
"facts[certname] {
name = 'enc_role' and value = '${ns_role}' and
certname in facts[certname] { name = 'country' and value = '${facts['country']}' }
}"
).map |$fact| { $fact['certname'] }),
} }
} }
@@ -44,9 +32,7 @@ class profiles::dns::master (
$facts['networking']['fqdn'] => $facts['networking']['ip'] $facts['networking']['fqdn'] => $facts['networking']['ip']
}, },
default => $nameservers_array.reduce({}) |$acc, $fqdn| { default => $nameservers_array.reduce({}) |$acc, $fqdn| {
$result = puppetdb_query( $result = query_nodes("networking.fqdn='${fqdn}'", 'networking.ip')
"facts[certname,value] { name = 'networking' and certname = '${fqdn}' }"
).map |$fact| { $fact['value']['ip'] }
$ip = $result[0] $ip = $result[0]
$acc + { "${fqdn}." => $ip } $acc + { "${fqdn}." => $ip }
} }
+2 -7
View File
@@ -18,12 +18,7 @@ class profiles::etcd::node (
} }
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
"facts[certname] {
name = 'enc_role' and value = '${members_role}' and
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
}"
).map |$fact| { $fact['certname'] })
# else use provided array from params # else use provided array from params
}else{ }else{
@@ -36,7 +31,7 @@ class profiles::etcd::node (
$initial_cluster = $servers_array.map |$fqdn| { $initial_cluster = $servers_array.map |$fqdn| {
# lookup the ip address for the current fqdn # lookup the ip address for the current fqdn
$ip = puppetdb_query("facts[certname,value] { name = 'networking' and certname = '${fqdn}' }").map |$fact| { $fact['value']['ip'] }[0] $ip = query_nodes("networking.fqdn='${fqdn}'", 'networking.ip')[0]
# construct the string for this server # construct the string for this server
"${fqdn}=https://${ip}:${peer_port}" "${fqdn}=https://${ip}:${peer_port}"
+7 -8
View File
@@ -30,14 +30,13 @@ class profiles::haproxy::dns (
} }
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes(
"facts[certname] { "enc_role='${facts['enc_role']}' and
name = 'enc_role' and value = '${facts['enc_role']}' and country='${facts['country']}' and
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and region='${facts['region']}' and
certname in facts[certname] { name = 'region' and value = '${facts['region']}' } and environment='${facts['environment']}'",
certname in facts[certname] { name = 'environment' and value = '${facts['environment']}' } 'networking.fqdn'
}" ))
).map |$fact| { $fact['certname'] })
# give enough time for a few hosts to be provisioned # give enough time for a few hosts to be provisioned
if length($servers_array) >= 3 { if length($servers_array) >= 3 {
@@ -1,7 +1,6 @@
# profiles::metrics::grafana # profiles::metrics::grafana
class profiles::metrics::grafana ( class profiles::metrics::grafana (
String $ldap_bind_pass, String $ldap_bind_pass,
String $version = 'installed',
Stdlib::Port $http_port = 8080, Stdlib::Port $http_port = 8080,
String $app_mode = 'production', String $app_mode = 'production',
Boolean $allow_sign_up = false, Boolean $allow_sign_up = false,
@@ -108,7 +107,6 @@ class profiles::metrics::grafana (
# deploy grafana # deploy grafana
class { 'grafana': class { 'grafana':
version => $version,
cfg => $cfg, cfg => $cfg,
ldap_cfg => $ldap_cfg, ldap_cfg => $ldap_cfg,
plugins => $plugins, plugins => $plugins,
+2 -9
View File
@@ -98,15 +98,8 @@ class profiles::minio::server (
} }
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
#$servers_array = sort(puppetdb_query( #$servers_array = sort(query_nodes("enc_role='${minio_members_role}'", 'networking.fqdn'))
# "facts[certname] { name = 'enc_role' and value = '${minio_members_role}' }" $servers_array = sort(query_nodes("enc_role='${minio_members_role}' and minio_region='${minio_region}'", 'networking.fqdn'))
#).map |$fact| { $fact['certname'] })
$servers_array = sort(puppetdb_query(
"facts[certname] {
name = 'enc_role' and value = '${minio_members_role}' and
certname in facts[certname] { name = 'minio_region' and value = '${minio_region}' }
}"
).map |$fact| { $fact['certname'] })
# else use provided array from params # else use provided array from params
}else{ }else{
+3 -15
View File
@@ -26,21 +26,9 @@ class profiles::ntp::client (
$ntpserver_array = $ntp_role ? { $ntpserver_array = $ntp_role ? {
undef => $peers, undef => $peers,
default => $use_ntp ? { default => $use_ntp ? {
'all' => puppetdb_query( 'all' => query_nodes("enc_role='${ntp_role}'", 'networking.fqdn'),
"facts[certname] { name = 'enc_role' and value = '${ntp_role}' }" 'region' => query_nodes("enc_role='${ntp_role}' and region=${facts['region']}", 'networking.fqdn'),
).map |$fact| { $fact['certname'] }, 'country' => query_nodes("enc_role='${ntp_role}' and country=${facts['country']}", 'networking.fqdn'),
'region' => puppetdb_query(
"facts[certname] {
name = 'enc_role' and value = '${ntp_role}' and
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
}"
).map |$fact| { $fact['certname'] },
'country' => puppetdb_query(
"facts[certname] {
name = 'enc_role' and value = '${ntp_role}' and
certname in facts[certname] { name = 'country' and value = '${facts['country']}' }
}"
).map |$fact| { $fact['certname'] },
} }
} }
@@ -24,13 +24,10 @@ class profiles::proxmox::clusterinit {
} }
} }
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes(
"facts[certname] { "enc_role='${membersrole}' and country='${facts['country']}' and region='${facts['region']}'",
name = 'enc_role' and value = '${membersrole}' and 'networking.fqdn'
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and ))
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
}"
).map |$fact| { $fact['certname'] })
if ! $profiles::proxmox::params::pve_clusterinit_master { if ! $profiles::proxmox::params::pve_clusterinit_master {
if !empty($servers_array) { if !empty($servers_array) {
@@ -11,14 +11,13 @@ class profiles::proxmox::clusterjoin {
$root_password = $profiles::proxmox::params::root_password $root_password = $profiles::proxmox::params::root_password
# query puppetdb for list of cluster members # query puppetdb for list of cluster members
$members_array = sort(puppetdb_query( $members_array = sort(query_nodes(
"facts[certname] { "enc_role='${membersrole}' and \
name = 'enc_role' and value = '${membersrole}' and country='${facts['country']}' and \
certname in facts[certname] { name = 'country' and value = '${facts['country']}' } and region='${facts['region']}' and \
certname in facts[certname] { name = 'region' and value = '${facts['region']}' } and pve_cluster.cluster_name='${clustername}'",
certname in facts[certname] { name = 'pve_cluster' and value.cluster_name = '${clustername}' } 'networking.fqdn'
}" ))
).map |$fact| { $fact['certname'] })
# check if the pve kernerl is running # check if the pve kernerl is running
if $facts['kernelrelease'] == $profiles::proxmox::params::pve_kernel_release { if $facts['kernelrelease'] == $profiles::proxmox::params::pve_kernel_release {
@@ -3,7 +3,7 @@
# This class manages the Puppetboard, a web interface to PuppetDB. # This class manages the Puppetboard, a web interface to PuppetDB.
# #
class profiles::puppet::puppetboard ( class profiles::puppet::puppetboard (
String $python_version = '3.12', String $python_version = $facts['python3_release'],
Boolean $manage_virtualenv = false, Boolean $manage_virtualenv = false,
Integer $reports_count = 40, Integer $reports_count = 40,
Boolean $offline_mode = true, Boolean $offline_mode = true,
+1 -6
View File
@@ -48,12 +48,7 @@ class profiles::sql::galera_member (
} }
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes("enc_role='${galera_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
"facts[certname] {
name = 'enc_role' and value = '${galera_members_role}' and
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
}"
).map |$fact| { $fact['certname'] })
# else use provided array from params # else use provided array from params
}else{ }else{
+1 -6
View File
@@ -18,12 +18,7 @@ class profiles::sql::postgresdb (
} }
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
"facts[certname] {
name = 'enc_role' and value = '${members_role}' and
certname in facts[certname] { name = 'region' and value = '${facts['region']}' }
}"
).map |$fact| { $fact['certname'] })
# else use provided array from params # else use provided array from params
}else{ }else{
+2 -38
View File
@@ -6,15 +6,11 @@ class profiles::vault::server (
Undef Undef
] $members_role = undef, ] $members_role = undef,
Array $vault_servers = [], Array $vault_servers = [],
String $package_name = 'vault',
String $package_ensure = 'latest',
Boolean $disable_openbao = true,
Boolean $tls_disable = false, Boolean $tls_disable = false,
Stdlib::Port $client_port = 8200, Stdlib::Port $client_port = 8200,
Stdlib::Port $cluster_port = 8201, Stdlib::Port $cluster_port = 8201,
Boolean $manage_storage_dir = false, Boolean $manage_storage_dir = false,
Stdlib::Absolutepath $data_dir = '/opt/vault', Stdlib::Absolutepath $data_dir = '/opt/vault',
Stdlib::Absolutepath $plugin_dir = '/opt/vault_plugins',
Stdlib::Absolutepath $bin_dir = '/usr/bin', Stdlib::Absolutepath $bin_dir = '/usr/bin',
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt', Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key', Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
@@ -29,12 +25,7 @@ class profiles::vault::server (
if $members_lookup and $members_role != undef { if $members_lookup and $members_role != undef {
# if it is, find hosts, sort them so they dont cause changes every run # if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(puppetdb_query( $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
"facts[certname] {
name = 'enc_role' and value = '${members_role}' and
certname in facts[certname] { name = 'region' and value = '${::facts['region']}' }
}"
).map |$fact| { $fact['certname'] })
# else use provided array from params # else use provided array from params
}else{ }else{
@@ -60,33 +51,7 @@ class profiles::vault::server (
} }
} }
# cleanup openbao?
if $disable_openbao {
package {'openbao':
ensure => absent,
before => Class['vault']
}
package {'openbao-vault-compat':
ensure => absent,
before => [
Class['vault'],
Package['openbao']
]
}
}
# add versionlock for package_name?
if $package_ensure != 'latest' {
yum::versionlock{$package_name:
ensure => present,
version => $package_ensure,
before => Class['vault']
}
}
class { 'vault': class { 'vault':
package_name => $package_name,
package_ensure => $package_ensure,
manage_service => false, manage_service => false,
manage_storage_dir => $manage_storage_dir, manage_storage_dir => $manage_storage_dir,
enable_ui => true, enable_ui => true,
@@ -99,8 +64,7 @@ class profiles::vault::server (
}, },
api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}", api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
extra_config => { extra_config => {
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}", cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
plugin_directory => $plugin_dir,
}, },
listener => [ listener => [
{ {