255 Commits

Author SHA1 Message Date
unkinben 03094712d5 feat: deploy ceph
- cleanup subnet_facts, add transit links
- cleanup role::ceph::*
- add openstack-ceph module
- add ceph-mon profile
2025-05-15 07:14:04 +10:00
unkinben 90504e5b02 chore: use alias for nameservers (#283)
- use an alias for nameservers for dhcp ranges
- move aliased nameservers to region-wide hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/283
2025-05-14 20:19:18 +10:00
unkinben a7b793238a fix: exclude docker0 interfaces (#282)
- docker0 is the same on many hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/282
2025-05-11 16:53:34 +10:00
unkinben 87a6c73578 neoloc/loopback_dns (#281)
- manage all interfaces in dns (except lo and anycast)
- move loopback0 anycast addresses to be anycast0

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/281
2025-05-11 16:36:04 +10:00
unkinben 3e0141bb1b feat: change to anycast resolver (#280)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/280
2025-05-11 11:39:00 +10:00
unkinben bb6f6cbd49 feat: anycast dnsmasters (#279)
- change dns masters on incus to anycast for bind
- change to networkd to support anycast/loopbacks

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/279
2025-05-10 23:00:03 +10:00
unkinben 51d6c1e81d fix: enable dns resolver access for dmz1 (#278)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/278
2025-05-10 06:57:05 +10:00
unkinben 537a207779 feat: update upstream ip for consul dns (#277)
- set bind resolvers to use consuls anycast address for forwarding

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/277
2025-05-09 22:10:35 +10:00
unkinben f322440d01 feat: setup anycast consul dns (#276)
- manage frrouting repo/ospf
- change to systemd-networkd
- enable ospf on incus nodes bridges

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/276
2025-05-09 22:07:42 +10:00
unkinben ed947dee59 fix: listen-addr -> listen-address (#275)
- listen-address is the correct option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/275
2025-05-04 00:07:45 +10:00
unkinben a70b6492b0 feat: update consul/dnsmasq (#274)
- update params with bind/advertise addr
- update params with anycast ip option
- migrate dnsmasq config to template

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/274
2025-05-03 23:51:29 +10:00
unkinben 3079f7d000 feat: enable use of dhcp addresses in networkd (#273)
- change ipaddress to be optional
- add dhcp option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/273
2025-05-03 23:51:17 +10:00
unkinben 1b8f50786f feat: ensure the vault audit_log exists (#272)
- without this, vault will not take a leadership role

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/272
2025-05-03 22:25:10 +10:00
unkinben b05acb23f4 feat: use custom cert for puppetdb access (#271)
- manually generated certificate using sudo puppetserver ca generate --certname puppetdbapi.query.consul
- saved certificate and private_key in eyaml

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/271
2025-05-03 12:41:23 +10:00
unkinben 62f71e1feb chore: change puppetboard python version (#270)
- change python version to follow python3_release fact
- this will follow os-release upgrades

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/270
2025-05-03 01:07:52 +10:00
unkinben cdf9456456 feat: update psql15 repos for roles (#269)
- update patroni to use packagerepo
- update puppetdb to use packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/269
2025-04-29 21:04:45 +10:00
unkinben 2323ef7749 feat: postgresql15/postgresql17 (#268)
- add postgresql15 and 17 to reposync

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/268
2025-04-28 21:39:45 +10:00
unkinben 07b89ab737 feat: enable terraform access to puppetca (#267)
- enable terraform to clean certificates

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/267
2025-04-28 18:46:58 +10:00
unkinben 9359b8902e feat: vault mlock (#266)
- enable mlock by default
- disable mlock on lxd/incus nodes (lxc doesnt support it)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/266
2025-04-26 22:43:20 +10:00
unkinben 1e3ce0ec1c feat: dont set gid/uid for sysadmin (#265)
- sysadmin doesnt need to be a specific uid/gid, the next available
  uid/gid is fine

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/265
2025-04-26 20:02:57 +10:00
unkinben 496ed12a58 feat: change vault to use package install (#264)
- vault 18.2 rpm produced by rpmbuilder repo
- ensure the /etc/vault directory is managed
- ensure service file is managed by puppet
- ensure package comes from unkin repo (not hashicorp)
- disable_mlock as unprivileged containers cannot use mlock

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/264
2025-04-26 18:40:31 +10:00
unkinben e4166c6b14 feat: lxc compatability with datavol (#263)
- lxc doesnt mount block devices, just check for mountpoint

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/263
2025-04-26 17:28:57 +10:00
unkinben 78f4d2a88f feat: cleanup mpls configuration (#262)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/262
2025-04-26 00:39:23 +10:00
unkinben 762d980ea8 feat: update dns resolver zone management (#261)
- move zones to common role path
- specify forwarders for each zone in region based hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/261
2025-04-25 01:01:47 +10:00
unkinben 463abe4b9d feat: add reverse dns zones for incus (#260)
- add reverse dns zones for incus hosts
- update acls for openresolver

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/260
2025-04-24 23:48:34 +10:00
unkinben ecce93bedb feat: lxc cannot use chronyd (#259)
- ensure lxc nodes do not attempt to install chronyd
- ensure chrony is removed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/259
2025-04-24 23:18:45 +10:00
unkinben 9dcaafb8ba feat: lxc updates (#258)
- add virtual/lxc.yaml
- add crypto crypto-policies-scripts
- ensure ssh::server is managed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/258
2025-04-24 23:03:01 +10:00
unkinben a21c1b3697 Adding hieradata/node/ausyd1nxvm1072.main.unkin.net.yaml (#257)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/257
2025-04-24 21:25:00 +10:00
unkinben bc5bd11f5e feat: disable cobbler cache (#256)
- this is required to resolve issues with terraform deploying cobbler
  settings

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/256
2025-04-24 21:18:59 +10:00
unkinben 2321186ad5 neoloc/mpls_ldp_frr (#255)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/255
2025-04-24 16:51:31 +10:00
unkinben c24babe309 feat: add incus image host (#254)
- add role
- add consul service + checks
- manage the datavol as zfs
- insure the incus fact exists before attempting to read it

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/254
2025-04-24 01:00:39 +10:00
unkinben bfda2b628b feat: enable ip forwarding for gitea runners (#253)
- required to enable docker containers reach git service

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/253
2025-04-21 18:40:17 +10:00
unkinben 278f8001b0 feat: add frr synced repo (#252)
- add frr repo to incus hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/252
2025-04-18 21:21:23 +10:00
unkinben 0fe44cf4e2 feat: add frr repos (#251)
- add frr/stable/el8
- add frr/stable/el9
- add frr/extras/el8
- add frr/extras/el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/251
2025-04-15 02:21:55 +10:00
unkinben 25b06cde22 feat: move bridge management to incus (#250)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/250
2025-04-15 00:04:14 +10:00
unkinben 8c76e71dc4 chore: set core.https_address for incus (#249)
- check the current config and update core.https_address if its wrong

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/249
2025-04-07 11:04:12 +10:00
unkinben 0e3dd4d7d0 feat: initialise barebones server (#248)
- manage incus servers init

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/248
2025-04-06 23:56:50 +10:00
unkinben 83d0b31753 fix: set default for use_networkd (#247)
- resolving issue where the systemd::manage_networkd is missing for most
  hosts, setting a default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/247
2025-04-06 19:24:39 +10:00
unkinben b6ea353cfb feat: update dns resolver acls (#246)
- add dmz acl
- add common acl
- add loopback/ceph/physical subnets to main acl

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/246
2025-04-06 16:44:16 +10:00
unkinben c225564bdb feat: continue incus implementation (#245)
- migrate to systemd-networkd
- setup dummy, bridge and static/ethernet interfaces
- manage sshd.service droping to start ssh after networking is online
- enable ip forewarding
- add fastpool/data/incus dataset
- enable ospf and frr
- add loopback0 as ssh listenaddress
- add loopback1/2 for ceph cluster/public traffic

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/245
2025-04-06 16:38:04 +10:00
unkinben 06666fe488 fix: resolve issue with baseos in el9 (#244)
- was not correctly provisioning the baseos repo for el9 incus hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/244
2025-04-02 21:02:08 +11:00
unkinben 9dc88e6db6 feat: deep merge zpools/datasets (#243)
- change prodnxsr0009 to use nvme0n1 as zfs device

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/243
2025-04-02 20:35:04 +11:00
unkinben d87983d8fc chore: add sysadmin user after first run (#242)
- enables extra_groups to function correctly

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/242
2025-04-02 20:27:11 +11:00
unkinben 95bc2716cf neoloc/incus_deploy (#241)
feat: deploy incus

- manage sysctl based on incus recommendations
- manage limits based on incus recommendations
- manage zpools and zfs datasets
- add incus hiera settings

feat: manage repo for zfs

- dont use zfs module to manage repo, use profiles::yum::global::repos

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/241
2025-03-31 23:14:05 +11:00
unkinben 978013f325 chore: set default nameservers (#240)
- if no nameservers are returned from puppetdb query, use default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/240
2025-03-31 22:49:47 +11:00
unkinben 829b1b05fd feat: cleanup consul from url install (#239)
- set bind_dir to be /usr/bin for rhel, /usr/local/bin for debian
- remove url-installed consul from rhel

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/239
2025-03-30 18:40:09 +11:00
unkinben 6cb249ffbc fix: backtrack to 9.2.0 for postgresql (#238)
- no parameter named 'instance'
- no parameter named 'port'

downgrading due to incompatibilities between the latest version of puppetdb and postgresql

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/238
2025-03-30 17:51:33 +11:00
unkinben 427fe352b4 feat: debian package for consul not managed (#237)
- change debian hosts to use the url method to download consul

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/237
2025-03-30 17:13:54 +11:00
unkinben 45b061a053 feat: change almalinux9 to use packagerepo (#236)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/236
2025-03-30 17:05:03 +11:00
unkinben d39d25d3f1 feat: add almalinux 9.5 repos using mirrorlist (#235)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/235
2025-03-30 16:24:55 +11:00
unkinben 06b458cb0e feat: reposync for almalinux 9.4 (in vault) (#234)
- sync baseos, ha, appstream and crb repos

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/234
2025-03-30 12:31:09 +11:00
unkinben e3046563a2 chore: install consul from package (#233)
- upgrade to puppet-consul changed default install method to archive
- ensure package method is used
- dont manage the repo, consul is packaged by rpmbuilder

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/233
2025-03-30 02:04:13 +11:00
unkinben e025928d77 chore: set secretid for puppetboard (#232)
- manage the secret_key for puppetboard
- required since module upgrade

https://github.com/voxpupuli/puppetboard/issues/721

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/232
2025-03-30 01:53:25 +11:00
unkinben e3e8b3484d chore: enable extra groups (#231)
- enable adding extra groups to the sysadmin user

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/231
2025-03-30 01:20:59 +11:00
unkinben bdf420973d feat: add incus module (#230)
- add a basic incus module

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/230
2025-03-30 01:12:53 +11:00
unkinben 6a04701891 feat: add incus role (#229)
- add basic infra::incus role
- add autossl, consul and ssh-principals for incus

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/229
2025-03-30 00:56:04 +11:00
unkinben dd5a4646ff feat: update all modules (#228)
- update puppetlabs-* modules
- update puppet-* modules
- add limits and sysctl

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/228
2025-03-30 00:51:49 +11:00
unkinben 4e47745077 chore: setup unkin repo for el9 and el8 (#227)
- update the unkin repo definition for el8 and el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/227
2025-03-29 22:50:08 +11:00
unkinben 3a4e606459 chore: set yum/dnf metadata expiry (#226)
- set expiry to 1 day so that dnf frequently checks for updates from packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/226
2025-03-29 22:37:37 +11:00
unkinben d0eb4c078d feat: add zfs modules (#225)
- add zfs_core module to puppetfile (provides zfs/zpool provider)
- add module to manage zfs

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/225
2025-03-29 22:31:02 +11:00
unkinben b95bcbd10a feat: add zfs to reposync (#224)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/224
2025-03-29 20:08:31 +11:00
unkinben adc0cf2c09 neoloc/lxd_hosts (#223)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/223
2025-03-29 19:40:01 +11:00
unkinben 771b981d91 feat: enable nomad to manage sessions/services (#222)
- this is required to start patroni

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/222
2025-03-20 19:21:40 +11:00
unkinben e0c3a23424 fix: define missing .cache directory (#221)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/221
2025-03-13 21:48:47 +11:00
unkinben a309244713 feat: add nomad nodes (#220)
- change existing nodes to be nomad-agents

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/220
2025-03-13 21:23:40 +11:00
unkinben 8eb751e22f feat: change enc_* fact to read direct from cobbler (#219)
- change enc_role and enc_env to read direct from cobbler
- cleanup profiles::base::facts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/219
2025-03-12 23:09:15 +11:00
unkinben b981a6fb01 feat: enable nomad jobs to query dns (#218)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/218
2025-03-09 17:49:35 +11:00
unkinben 7c1d96bd22 feat: add k8s and docker repos (#217)
- add docker stable repos to packagerepo
- add k8s 1.32 to packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/217
2025-01-27 12:59:59 +11:00
unkinben 0222f5ec4a feat: update consul etcd check (#216)
- check the health api endpoint

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/216
2025-01-26 20:05:18 +11:00
unkinben afd3405c98 feat: add etcd module/role (#215)
- add etcd module
- add etcd role, profile and hieradata

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/215
2025-01-26 20:00:20 +11:00
unkinben ab7ce3bbfa Adding hieradata/node/ausyd1nxvm1071.main.unkin.net.yaml (#214)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/214
2025-01-25 20:15:20 +11:00
unkinben 4a85c5feff Adding hieradata/node/ausyd1nxvm1070.main.unkin.net.yaml (#213)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/213
2025-01-25 20:15:05 +11:00
unkinben 6134b4664b Adding hieradata/node/ausyd1nxvm1069.main.unkin.net.yaml (#212)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/212
2025-01-05 12:51:57 +11:00
unkinben e061a72996 Adding hieradata/node/ausyd1nxvm1067.main.unkin.net.yaml (#211)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/211
2025-01-05 12:51:46 +11:00
unkinben eaa15e92dc Adding hieradata/node/ausyd1nxvm1068.main.unkin.net.yaml (#210)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/210
2025-01-05 12:51:37 +11:00
unkinben a5a193d9eb feat: update jupyterlab container (#209)
- change to packer created alma9 instance
- change docker root to use /data volume

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/209
2025-01-04 14:10:44 +11:00
unkinben 4400456519 feat: add frrouting module (#208)
- add frrouting module
- enable ospf daemon on nomad agents
- enable docker volumes

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/208
2024-12-27 23:39:03 +11:00
unkinben d37fb5d7e1 neoloc/nomad_agent (#207)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/207
2024-12-26 20:23:27 +11:00
unkinben 022a564dc0 feat: add nomad agent role (#206)
- add nomad agent role
- mount cephfs volume nomadfs to /shared/nomad
- manage docker volume path to be /shared/nomad

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/206
2024-12-26 20:20:51 +11:00
unkinben 48e1fb8e30 Adding hieradata/node/ausyd1nxvm1062.main.unkin.net.yaml (#204)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/204
2024-12-23 17:28:47 +11:00
unkinben 561d74e9d9 Adding hieradata/node/ausyd1nxvm1063.main.unkin.net.yaml (#205)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/205
2024-12-23 17:28:37 +11:00
unkinben 281fdb33d4 Adding hieradata/node/ausyd1nxvm1064.main.unkin.net.yaml (#203)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/203
2024-12-23 17:28:09 +11:00
unkinben 1c04366eec Adding hieradata/node/ausyd1nxvm1066.main.unkin.net.yaml (#202)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/202
2024-12-23 17:27:59 +11:00
unkinben 86d3b61439 Adding hieradata/node/ausyd1nxvm1065.main.unkin.net.yaml (#201)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/201
2024-12-23 17:27:49 +11:00
unkinben 6ebf5c03a5 feat: add nomad profile/role (#200)
- add basic consul manage nomad servers

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/200
2024-12-22 22:35:31 +11:00
unkinben c97db0f0aa Adding hieradata/node/ausyd1nxvm1061.main.unkin.net.yaml (#198)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/198
2024-12-10 22:15:10 +11:00
unkinben 46b4fdf632 neoloc/sysadmin_early (#197)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/197
2024-12-09 22:12:01 +11:00
unkinben aaf81d0a6c feat: create sysadmin on firstrun (#196)
- prevent packages from using uid 1000

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/196
2024-12-09 21:51:37 +11:00
unkinben afbc15ff40 feat: import crypto-policices earlier (#195)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/195
2024-12-08 22:50:25 +11:00
unkinben 64248a45c2 feat: ensure crypto-policices are managed before yumrepos (#194)
- ensure crypto_policies are set before creating yum yumrepos
- ensure that they rpmdb is rebuilt after upgrading to el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/194
2024-12-08 20:30:08 +11:00
unkinben c7fb1f0cec neoloc/crypto_policices_el8 (#193)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/193
2024-12-08 19:54:15 +11:00
unkinben dbccaea24b feat: add crypto_policies (#192)
- ensure DEFAULT is used for EL8
- ensure DEFAULT:SHA1 is used for EL9, until issues with crypto are resolved for EL9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/192
2024-12-08 19:47:59 +11:00
unkinben b244327c34 neoloc/alma9 (#191)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/191
2024-12-08 19:22:58 +11:00
unkinben 90bcdd1f51 neoloc/alma9 (#190)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/190
2024-12-08 19:16:54 +11:00
unkinben ec926dfe0a feat: enable network manager on el9 (#189)
- el9 doesnt have the network-scripts scripts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/189
2024-12-08 19:11:54 +11:00
unkinben 40af30d0ff chore: change packagerepo vhost name (#188)
- ensure http endpoint works for packagerepo.service.consul

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/188
2024-12-08 17:05:38 +11:00
unkinben bac90b5459 Merge pull request 'fix: permissions for cobbler files' (#187) from neoloc/cobbler_perms into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/187
2024-12-08 08:37:36 +11:00
unkinben 41aab65f85 fix: permissions for cobbler files
- ensure idempotency for /var/lib/cobbler/web.ss
2024-12-08 08:36:35 +11:00
unkinben c023cfe4dc Merge pull request 'feat: upgrade puppet agent' (#186) from neoloc/puppet_updates into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/186
2024-12-08 00:11:30 +11:00
unkinben cffb6a54fc feat: upgrade puppet agent
- move all almalinux hosts to 7.34
2024-12-08 00:09:40 +11:00
unkinben fd7ced66ce Merge pull request 'feat: edgecache updates' (#185) from neoloc/edgecache_pki into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/185
2024-12-07 23:51:57 +11:00
unkinben 766f124b2c feat: edgecache updates
- update metadatacache size
- increase cache age from 60d to 365d
- subscribe nginx service to ssl certs
2024-12-07 23:50:45 +11:00
unkinben 4de772436b Merge pull request 'feat: update puppet repo' (#184) from neoloc/almalinuxrepo into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/184
2024-12-07 23:32:48 +11:00
unkinben 75f865c26c feat: update puppet repo
- move puppet repo to packagerepo
2024-12-07 23:31:40 +11:00
unkinben 2fdc709a17 Merge pull request 'feat: update repos' (#183) from neoloc/almalinuxrepo into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/183
2024-12-01 00:33:10 +11:00
unkinben ba3a9e374a feat: update repos
- add unkin
- rename unkin -> unkinben
2024-12-01 00:30:58 +11:00
unkinben a28ef09f28 Merge pull request 'feat: enable root_dir for docker' (#182) from neoloc/docker_root into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/182
2024-12-01 00:27:04 +11:00
unkinben 52fff0ccea feat: enable root_dir for docker
- move docker root_dir to /data/docker for runners
2024-11-30 23:11:24 +11:00
unkinben f097cf2550 Merge pull request 'chore: migrate puppet-r10k' (#181) from neoloc/r10k_adjustment into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/181
2024-11-17 19:27:43 +11:00
unkinben 58d31c5c9a chore: migrate puppet-r10k
- moved puppet-r10k the unkin organisation
- ensure branch is set to follow origin/master
2024-11-17 19:26:27 +11:00
unkinben 92d6697175 Merge pull request 'fix: fix release name' (#180) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/180
2024-11-16 22:36:02 +11:00
unkinben d3f471f3ed fix: fix release name
- fix release name for postgresql repos
2024-11-16 22:35:23 +11:00
unkinben ab1f4300a9 Merge pull request 'fix: ensure reposync directories exist' (#179) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/179
2024-11-16 22:32:47 +11:00
unkinben 845b91b497 fix: ensure reposync directories exist 2024-11-16 22:32:15 +11:00
unkinben 8f0b3e615c Merge pull request 'feat: add el9 puppet/posgresql repos' (#178) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/178
2024-11-16 22:25:48 +11:00
unkinben 8679a0b904 feat: add el9 puppet/posgresql repos
- will upgrade to el9 soon, so need to store these repos
2024-11-16 22:25:06 +11:00
unkinben 16ba54ee0a Merge pull request 'feat: update packagerepo' (#176) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/176
2024-11-16 22:02:46 +11:00
unkinben 4b3553b75c Merge pull request 'Adding hieradata/node/ausyd1nxvm1060.main.unkin.net.yaml' (#177) from autonode/ausyd1nxvm1060.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/177
2024-11-16 21:44:57 +11:00
unkinben abdb3ec8cb feat: update packagerepo
- remove almalinux/centos/epel repos
- manage consul service `packagerepo`
- manage ssh principals
- update vault alt-names
2024-11-16 21:43:11 +11:00
unkinben c0623b64f7 Adding hieradata/node/ausyd1nxvm1060.main.unkin.net.yaml 2024-11-16 21:36:58 +11:00
unkinben d286e2d816 Merge pull request 'feat: add sudaporn account' (#175) from neoloc/addying into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/175
2024-11-16 20:24:14 +11:00
unkinben 71b29d5e88 feat: add sudaporn account
- enable access to media
- enable access to jupyter
2024-11-16 20:23:01 +11:00
unkinben 6493f392b8 Merge pull request 'neoloc/jupyterhub' (#174) from neoloc/jupyterhub into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/174
2024-11-16 20:20:16 +11:00
unkinben 8586e9eb32 feat: enable web-sockets
- change simpleproxy config for jupyter::hub role to use websockets
2024-11-16 20:15:03 +11:00
unkinben 92a9655a50 feat: jupyterhub updates
- always pull containers when starting new instance
- enable access to terminal
2024-11-16 19:54:19 +11:00
unkinben 42ad972697 feat: add ldap configuration
- add group members to jupyterhub_user
- add svc_jupyterhub user for ldap binding
- paramatarise all ldap fields required
- manage the notebook data directory
2024-11-16 19:20:20 +11:00
unkinben 61f5f1ce1f feat: add docker settings
- list docker network and image
- fix ldap_admin setting to be a list of users
2024-11-10 20:26:18 +11:00
unkinben 926d3d29d0 fix: enable docker for jupyterhub
- install/manage docker
2024-11-10 20:21:51 +11:00
unkinben c6bdae5790 Merge pull request 'feat: add jupyterhub role' (#173) from neoloc/jupyterhub into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/173
2024-11-10 19:14:49 +11:00
unkinben 159d66af18 feat: add jupyterhub role
- add nodejs module to use npm package provider
- add jupyterhub role
- add class to configure the jupyterhub instance
- add ldap groups
- add nginx simpleproxy
2024-11-10 19:09:50 +11:00
unkinben c728c1a5e0 Merge pull request 'feat: add service data' (#172) from neoloc/jumphost into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/172
2024-10-27 14:03:28 +11:00
unkinben 4fec931fb1 feat: add service data
- add pki certificates
- add consul service
- add ssh principals
2024-10-27 13:26:07 +11:00
unkinben 76b4c8c930 Merge pull request 'feat: add jumphost role' (#171) from neoloc/jumphost into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/171
2024-10-27 13:18:50 +11:00
unkinben 0455965525 feat: add jumphost role
- add role for ssh proxy/jumphost
2024-10-27 13:15:28 +11:00
unkinben 4e68900259 Merge pull request 'feat: ensure vault restarts with ssl cert' (#170) from neoloc/vault_reload into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/170
2024-10-27 13:10:51 +11:00
unkinben ca87702466 feat: ensure vault restarts with ssl cert
- ensure the vault service resource subscribes to the ssl crt/key
- update unseal script to retry unseal process until it completes
2024-10-27 12:59:36 +11:00
unkinben 09a448ea52 Merge pull request 'feat: add vault admin group' (#166) from neoloc/vault_global_admin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/166
2024-10-21 19:41:31 +11:00
unkinben 1db8847833 feat: add vault admin group
- group will be assigned global admin rights
2024-10-21 19:40:52 +11:00
unkinben 6d919580e1 Merge pull request 'neoloc/adduser' (#165) from neoloc/adduser into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/165
2024-10-20 13:14:50 +11:00
unkinben 5549275ecc chore: add new user
- add margol as standard media user
2024-10-20 13:12:36 +11:00
unkinben 7acfea8547 fix: correct given/sn fields
- fix ryadun's given/sn fields
2024-10-20 13:12:02 +11:00
unkinben 318e816568 Merge pull request 'feat: update certbot module' (#164) from neoloc/restart_nginx into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/164
2024-10-07 13:42:57 +11:00
unkinben 2ef4fb0bf8 feat: update certbot module
- update documentation
- add option to notify services
- set haproxy role to notify the haproxy service
2024-10-07 13:40:53 +11:00
unkinben 2013641720 Merge pull request 'feat: restart nginx on ssl change' (#163) from neoloc/restart_nginx into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/163
2024-09-27 21:51:15 +10:00
unkinben 4bf4b42fdf feat: restart nginx on ssl change
- manage nginx service from simpleproxy class
- ensure nginx restarts when ssl certificates are changed
2024-09-27 21:46:46 +10:00
unkinben 933427e861 Merge pull request 'neoloc/terraformsvc' (#162) from neoloc/terraformsvc into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/162
2024-09-23 22:14:27 +10:00
unkinben 4a0760516f feat: add vault service account
- used by vault to bind to ldap
2024-09-23 22:13:48 +10:00
unkinben 10b57abffc feat: add terraform service account
- add terraform service account
2024-09-23 22:08:52 +10:00
unkinben 5b4bb95ffe Merge pull request 'feat: add vault access group' (#161) from neoloc/vaultaccess into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/161
2024-09-20 23:24:44 +10:00
unkinben e09819284d feat: add vault access group
- add vault_access group
2024-09-20 23:17:35 +10:00
unkinben addfa02e08 Merge pull request 'feat: enable larger uploads to gitea' (#160) from neoloc/gitea_client_send into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/160
2024-09-08 01:44:04 +10:00
unkinben 93b9629c5c feat: enable larger uploads to gitea
- change client body max size to 1GB
2024-09-08 01:43:22 +10:00
unkinben 9dea399377 Merge pull request 'neoloc/gitearunner' (#159) from neoloc/gitearunner into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/159
2024-09-07 21:38:29 +10:00
unkinben 0210d849c7 feat: add gitea runner role
- ensure docker is configured
- create runner user/group
- deploy config.yaml from hiera hash
- install runner from url
- register the runner with the gitea instance
- manage the act_runner service
2024-09-07 17:59:02 +10:00
unkinben 42d8047043 fix: comments in gitea role
- was copy of puppetboard, missed updating the comment
2024-09-03 22:34:48 +10:00
unkinben c0b94c181f Merge pull request 'feat: confine fact to patroni' (#158) from neoloc/patroni_facts into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/158
2024-09-03 22:19:18 +10:00
unkinben 265400db91 feat: confine fact to patroni 2024-09-03 22:18:53 +10:00
unkinben ccf4ef27f7 Merge pull request 'feat: psql changes on master only' (#157) from neoloc/patroni_grant_on_master into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/157
2024-09-03 22:15:47 +10:00
unkinben afda425fab feat: psql changes on master only
- add fact to detect if a psql host is a slave
- only import users/db/grants on master
2024-09-03 22:13:50 +10:00
unkinben 69c298e162 Merge pull request 'feat: remove masterauth redis' (#156) from neoloc/redis_masterauth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/156
2024-09-03 21:29:58 +10:00
unkinben 1ad2b806b4 feat: remove masterauth redis
- removed requirepass previously, also need to remove masterauth
2024-09-03 21:29:18 +10:00
unkinben dc58084cc9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1059.main.unkin.net.yaml' (#155) from autonode/ausyd1nxvm1059.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/155
2024-09-01 00:18:34 +10:00
unkinben 938db9880b Adding hieradata/node/ausyd1nxvm1059.main.unkin.net.yaml 2024-09-01 00:17:59 +10:00
unkinben ecbea24ba8 Merge pull request 'fix: updated client secret' (#154) from neoloc/droneci_client_id into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/154
2024-08-31 23:01:39 +10:00
unkinben bcb9beae5f fix: updated client secret 2024-08-31 23:00:58 +10:00
unkinben e1e604516d Merge pull request 'feat: add droneci runner' (#153) from neoloc/runner into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/153
2024-08-27 22:02:00 +10:00
unkinben 0bed8ba4f4 Merge branch 'develop' into neoloc/runner 2024-08-27 22:01:24 +10:00
unkinben 5471adae32 Merge pull request 'feat: add droneadmin' (#152) from neoloc/droneadmin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/152
2024-08-25 15:03:15 +10:00
unkinben 91d9a073d6 feat: add droneadmin
- add environment variable to assign primary admin
2024-08-25 14:58:56 +10:00
unkinben ec7814e2a9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1058.main.unkin.net.yaml' (#151) from autonode/ausyd1nxvm1058.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/151
2024-08-25 14:28:20 +10:00
unkinben 71c134dc1a Merge pull request 'Adding hieradata/node/ausyd1nxvm1057.main.unkin.net.yaml' (#150) from autonode/ausyd1nxvm1057.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/150
2024-08-25 14:28:06 +10:00
unkinben cb803d885e Merge pull request 'feat: droneci for organisation' (#149) from neoloc/droneci_org into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/149
2024-08-25 14:25:25 +10:00
unkinben 90eabac007 feat: droneci for organisation
- change from personal account to organisation
2024-08-25 14:24:45 +10:00
unkinben d79a5de17b feat: add droneci runner
- ensure /data and docker are available
- add droneci runner configuration
2024-08-25 02:14:35 +10:00
unkinben 0f755b231f Merge pull request 'neoloc/droneci' (#148) from neoloc/droneci into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/148
2024-08-25 00:01:27 +10:00
unkinben 2912cbb68b feat: add droneci runner
- add runner role
2024-08-25 00:00:48 +10:00
unkinben 3d1ba79325 Adding hieradata/node/ausyd1nxvm1058.main.unkin.net.yaml 2024-08-24 23:36:52 +10:00
unkinben c33b58ead6 Adding hieradata/node/ausyd1nxvm1057.main.unkin.net.yaml 2024-08-24 23:30:37 +10:00
unkinben 9f937b2869 Merge pull request 'Adding hieradata/node/ausyd1nxvm1056.main.unkin.net.yaml' (#147) from autonode/ausyd1nxvm1056.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/147
2024-08-24 12:37:44 +10:00
unkinben 8660bec810 Merge pull request 'Adding hieradata/node/ausyd1nxvm1055.main.unkin.net.yaml' (#146) from autonode/ausyd1nxvm1055.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/146
2024-08-24 12:37:34 +10:00
unkinben f30325b3e9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1054.main.unkin.net.yaml' (#145) from autonode/ausyd1nxvm1054.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/145
2024-08-24 12:37:25 +10:00
unkinben 76c1c93c02 Merge pull request 'Adding hieradata/node/ausyd1nxvm1053.main.unkin.net.yaml' (#144) from autonode/ausyd1nxvm1053.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/144
2024-08-24 12:37:16 +10:00
unkinben 4577997506 Merge pull request 'Adding hieradata/node/ausyd1nxvm1052.main.unkin.net.yaml' (#143) from autonode/ausyd1nxvm1052.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/143
2024-08-24 12:36:50 +10:00
unkinben 6326e820a9 Merge pull request 'chore: add new user' (#142) from neoloc/ryadun into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/142
2024-08-24 12:36:09 +10:00
unkinben 757f3042ed chore: add new user
- add ryadun
2024-08-24 12:35:34 +10:00
unkinben 5d36a4053b feat: add droneci module
- add droneci module for server
- add droneci/server role
- add consul query for droneci service
- manage certificates, ssh principals, consul services/checks
2024-08-24 00:34:15 +10:00
unkinben 8fad79f2bc feat: manage database/user/grants for patroni
- add defines for exporting/collecting psql objects for patroni
- add generic profile for managing patroni psql databases for an app
2024-08-24 00:33:18 +10:00
unkinben 68c569b282 feat: add docker module
- update puppet file with docker module
2024-08-24 00:28:39 +10:00
unkinben 975adc31d7 Merge pull request 'feat: remove requirepass' (#141) from neoloc/remove_requirepass into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/141
2024-08-23 23:28:30 +10:00
unkinben 8a8cc0ae1b feat: remove requirepass
- required for droneci
2024-08-23 23:18:02 +10:00
unkinben 70a9edd118 Adding hieradata/node/ausyd1nxvm1056.main.unkin.net.yaml 2024-08-16 22:13:16 +10:00
unkinben 348d8889ed Adding hieradata/node/ausyd1nxvm1055.main.unkin.net.yaml 2024-08-16 22:11:47 +10:00
unkinben 1a2023f4ff Merge pull request 'feat: add patroni/psql cluster' (#140) from neoloc/patroni into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/140
2024-08-10 23:40:29 +10:00
unkinben 35834f8f5a feat: add patroni/psql cluster
- add patroni puppet module
- add patroni role and hieradata
- add sql/patroni class that utilised consul
2024-08-10 22:34:43 +10:00
unkinben 4347faf153 Merge pull request 'neoloc/redis' (#139) from neoloc/redis into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/139
2024-08-10 18:47:17 +10:00
unkinben 5c731fef34 feat: deploy redisha cluster
- manage pki and ssh principals
- manage redis/sentinel with redisha module
- add consul checks to manage redis-replica/redis-master services
- manage sudo rules for consul checks
2024-08-10 17:39:30 +10:00
unkinben b7fc6a1993 feat: create redisha module
- manage redis/sentinel clusters
- ensure ulimit_managed is false
- dynamically find servers in role to identify master
- add redisadm and sentineladm commands
- add script to check if the current host in the master
2024-08-10 17:39:24 +10:00
unkinben afe2a2afb7 Adding hieradata/node/ausyd1nxvm1054.main.unkin.net.yaml 2024-08-10 14:13:59 +10:00
unkinben c76ce3bf10 Adding hieradata/node/ausyd1nxvm1053.main.unkin.net.yaml 2024-08-10 14:13:51 +10:00
unkinben af989a19c3 Adding hieradata/node/ausyd1nxvm1052.main.unkin.net.yaml 2024-08-10 14:11:47 +10:00
unkinben 4d08e30733 Merge pull request 'fix: also fix repodata' (#138) from neoloc/cephreef into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/138
2024-08-10 13:36:30 +10:00
unkinben e2873a492a fix: also fix repodata 2024-08-10 13:36:04 +10:00
unkinben 90af895a34 Merge pull request 'fix: ceph-reef 18.2.4 not on el8' (#137) from neoloc/cephreef into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/137
2024-08-10 13:30:54 +10:00
unkinben 52e3d5b20b fix: ceph-reef 18.2.4 not on el8
- force repo to use 18.2.2
2024-08-10 13:30:16 +10:00
unkinben aadd0275ac feat: add puppet-redis module 2024-08-08 19:28:50 +10:00
unkinben 390a5a58c7 Merge pull request 'chore: add account' (#136) from neoloc/kelly into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/136
2024-08-08 19:01:44 +10:00
unkinben 403e3eeb1b chore: add account 2024-08-08 19:01:18 +10:00
unkinben 352878e27c Merge pull request 'chore: prevent empty lines' (#135) from neoloc/glauth_templates into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/135
2024-08-07 22:53:10 +10:00
unkinben 0cad88cdad chore: prevent empty lines
- prevent empty lines when user features are not enabled
- change epp to erb template for user objects
2024-08-07 22:51:13 +10:00
unkinben 859fc0d909 Merge pull request 'chore: add two new users' (#134) from neoloc/more_users into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/134
2024-08-07 22:19:41 +10:00
unkinben a5baed8cd9 chore: add two new users
- add marbal and seablo
2024-08-07 22:19:08 +10:00
unkinben 44707910aa Merge pull request 'fix: require vault-unseal.service' (#133) from neoloc/vault_unseal_fix into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/133
2024-08-07 22:12:12 +10:00
unkinben dafac3d5ab fix: require vault-unseal.service
- wrong service name specified
2024-08-07 22:05:50 +10:00
unkinben 3ce2ec3754 Merge pull request 'feat: auto-unseal vault every hour' (#132) from neoloc/vault_unseal_check into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/132
2024-08-06 22:51:54 +10:00
unkinben 7863d54275 feat: auto-unseal vault every hour
- add cron job to run vault unsealing service hourly
2024-08-06 22:51:16 +10:00
unkinben 988e7c2a32 Merge pull request 'feat: auto restart puppetdb' (#131) from neoloc/puppetdb_restart into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/131
2024-08-06 22:47:02 +10:00
unkinben 0c44654a47 feat: auto restart puppetdb
- found several times the puppetdb service locks up after a week of active time
- restart the puppetdb nightly to prevent lock ups
2024-08-06 22:43:07 +10:00
unkinben 20ee6fa19e Merge pull request 'feat: add rundeck runner user' (#130) from neoloc/rundeck_user into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/130
2024-08-06 22:36:54 +10:00
unkinben c846cc4e21 feat: add rundeck runner user
- add rundeck account on all hosts except rundeck
- add rundeck ssh private/public key to rundeck server
2024-08-06 22:33:32 +10:00
unkinben 8e0f26e726 Merge pull request 'Adding hieradata/node/ausyd1nxvm1050.main.unkin.net.yaml' (#124) from autonode/ausyd1nxvm1050.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/124
2024-08-01 22:41:27 +10:00
unkinben 4579e268f0 Merge pull request 'feat: add gonic role' (#125) from neoloc/gonic into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/125
2024-08-01 22:41:20 +10:00
unkinben f1e1828a4a Merge pull request 'Adding hieradata/node/ausyd1nxvm1051.main.unkin.net.yaml' (#123) from autonode/ausyd1nxvm1051.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/123
2024-08-01 22:40:59 +10:00
unkinben 2ae8dbc0ac feat: add gonic role
- basic role only
2024-08-01 22:38:32 +10:00
unkinben 4338dfe27f Adding hieradata/node/ausyd1nxvm1051.main.unkin.net.yaml 2024-08-01 22:35:03 +10:00
unkinben 66cb1e356d Adding hieradata/node/ausyd1nxvm1050.main.unkin.net.yaml 2024-08-01 22:33:26 +10:00
unkinben 2bda41712a Merge pull request 'fix: change debian repos to http' (#122) from neoloc/http_debian_apt into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/122
2024-07-31 21:51:44 +10:00
unkinben d3daac3b71 fix: change debian repos to http
- until https issues are resolved with https
2024-07-31 21:51:04 +10:00
unkinben eb32a216f5 Merge pull request 'neoloc/rundeck' (#121) from neoloc/rundeck into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/121
2024-07-28 02:05:20 +10:00
unkinben 5354c99b1e feat: add rundeck profile
- export mysql user for each rundeck server
- ensure the jdbc driver for mariadb is available
- exclude jq from default packages (managed by rundeck)
- add groups for admin/user for each project in rundeck
- add consul service
- add vault certificates
- add ssh principals
- add nginx simpleproxy
2024-07-28 01:51:41 +10:00
unkinben 6a3123e12e Merge pull request 'feat: change packages to Hash' (#120) from neoloc/packages_hash into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/120
2024-07-27 16:29:48 +10:00
unkinben 26ffe17ee1 feat: add database
- add database for rundeck
2024-07-27 13:06:14 +10:00
unkinben cb5bb0798f feat: add rundeck to ldap
- add service account for rundeck
- add rundeck_access group
2024-07-27 13:06:14 +10:00
unkinben 08241692ee feat: add rundeck
- add puppet-rundeck module
- add rundeck role
2024-07-27 13:06:14 +10:00
unkinben 76989e45c4 feat: change packages to Hash
- change from multiple arrays for managing packages to a hash
- change to ensure_packages to prevent duplicate resource conflicts
2024-07-27 13:05:54 +10:00
unkinben cc01259a64 feat: change packages to Hash
- change from multiple arrays for managing packages to a hash
- change to ensure_packages to prevent duplicate resource conflicts
2024-07-27 13:01:06 +10:00
unkinben b5148fc2a0 Merge pull request 'fix: generate_types cahnges' (#119) from neoloc/puppetserver_startup into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/119
2024-07-27 00:17:46 +10:00
unkinben ab44bfc430 fix: generate_types cahnges
- this command will always fail, remove the systemd dropin
- create script that will run and exit with 0
- create systemd service/timer to run script daily
2024-07-27 00:13:25 +10:00
unkinben 4c38232ceb Merge pull request 'Adding hieradata/node/ausyd1nxvm1049.main.unkin.net.yaml' (#118) from autonode/ausyd1nxvm1049.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/118
2024-07-26 23:46:51 +10:00
unkinben 20686e04f4 Adding hieradata/node/ausyd1nxvm1049.main.unkin.net.yaml 2024-07-26 23:27:10 +10:00
unkinben 480eced404 Merge pull request 'feat: add vrrp to halb' (#116) from neoloc/keepalived into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/116
2024-07-14 22:07:34 +10:00
unkinben 946922fdb9 feat: add vrrp to halb
- update keepalived module to 5.1.0
- add keepalived::vrrp::* to be deep merged in hiera
- add vrrp dns configuration
- add vrrp instance/script to halb in syd1
2024-07-13 20:15:13 +10:00
unkinben 1570bbd8f2 Merge pull request 'feat: ensure *arr can access prowlarr' (#115) from neoloc/prowlarr_auth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/115
2024-07-13 16:58:42 +10:00
unkinben 319c3b6d67 feat: ensure *arr can access prowlarr 2024-07-13 16:55:21 +10:00
unkinben e2f571649e Merge pull request 'feat: add param for ffmpeg' (#114) from neoloc/ffpmeg_path into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/114
2024-07-12 18:17:16 +10:00
unkinben 0fb11b22cf feat: add param for ffmpeg
- add param to jellyfin class to specify the path to ffmpeg
- update templates to use location
2024-07-11 22:41:08 +10:00
unkinben 01fc6aacd7 Merge pull request 'fix: remove unkin.net from internal dns' (#113) from neoloc/bind_static_dns into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/113
2024-07-11 22:31:29 +10:00
unkinben 73c7dbd56c fix: remove unkin.net from internal dns
- unkin.net is entirely hosted externally
2024-07-11 22:30:44 +10:00
unkinben 3ed692cc77 Merge pull request 'feat: manage the nzbget service' (#112) from neoloc/nzbget_group_media into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/112
2024-07-11 22:27:44 +10:00
unkinben ec92a6d3df feat: manage the nzbget service 2024-07-11 21:39:34 +10:00
unkinben bbd6cdb228 Merge pull request 'feat: add rpmfusion to nzbget' (#110) from neoloc/rpmfusion_nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/110
2024-07-11 21:28:56 +10:00
unkinben 2cbba808c3 feat: add rpmfusion to nzbget 2024-07-11 21:24:35 +10:00
unkinben df9f31e0f7 Merge pull request 'feat: add othergroups support for services' (#109) from neoloc/nzbget_client into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/109
2024-07-11 20:00:10 +10:00
unkinben 95a0b543fd feat: add othergroups support for services
- extend glauth::obj::service to allow othergroups
2024-07-11 19:59:26 +10:00
unkinben 90d123f4d0 Merge pull request 'chore: add service account to submit nzbs' (#108) from neoloc/nzbget_client into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/108
2024-07-11 19:56:51 +10:00
unkinben 3dc8fb03fa chore: add service account to submit nzbs 2024-07-11 19:56:17 +10:00
220 changed files with 6107 additions and 650 deletions
+5
View File
@@ -3,3 +3,8 @@
detectors:
FeatureEnvy:
enabled: false
TooManyStatements:
enabled: false
UncommunicativeVariableName:
accept:
- e
+45 -35
View File
@@ -2,49 +2,54 @@ forge 'forge.puppetlabs.com'
moduledir 'external_modules'
# puppetlabs
mod 'puppetlabs-stdlib', '9.1.0'
mod 'puppetlabs-inifile', '6.0.0'
mod 'puppetlabs-concat', '9.0.0'
mod 'puppetlabs-vcsrepo', '6.1.0'
mod 'puppetlabs-yumrepo_core', '2.0.0'
mod 'puppetlabs-apt', '9.4.0'
mod 'puppetlabs-lvm', '2.1.0'
mod 'puppetlabs-puppetdb', '7.13.0'
mod 'puppetlabs-postgresql', '9.1.0'
mod 'puppetlabs-firewall', '6.0.0'
mod 'puppetlabs-accounts', '8.1.0'
mod 'puppetlabs-mysql', '15.0.0'
mod 'puppetlabs-stdlib', '9.7.0'
mod 'puppetlabs-inifile', '6.2.0'
mod 'puppetlabs-concat', '9.1.0'
mod 'puppetlabs-vcsrepo', '7.0.0'
mod 'puppetlabs-yumrepo_core', '2.1.0'
mod 'puppetlabs-apt', '10.0.1'
mod 'puppetlabs-lvm', '3.0.1'
mod 'puppetlabs-puppetdb', '7.14.0'
mod 'puppetlabs-postgresql', '9.2.0'
mod 'puppetlabs-firewall', '8.1.4'
mod 'puppetlabs-accounts', '8.2.2'
mod 'puppetlabs-mysql', '16.2.0'
mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0'
mod 'puppetlabs-haproxy', '8.2.0'
mod 'puppetlabs-java', '11.1.0'
mod 'puppetlabs-reboot', '5.1.0'
mod 'puppetlabs-docker', '10.2.0'
# puppet
mod 'puppet-python', '7.0.0'
mod 'puppet-systemd', '5.1.0'
mod 'puppet-yum', '7.0.0'
mod 'puppet-archive', '7.0.0'
mod 'puppet-chrony', '2.6.0'
mod 'puppet-puppetboard', '9.0.0'
mod 'puppet-nginx', '5.0.0'
mod 'puppet-selinux', '4.1.0'
mod 'puppet-prometheus', '13.4.0'
mod 'puppet-grafana', '13.1.0'
mod 'puppet-consul', '8.0.0'
mod 'puppet-vault', '4.1.0'
mod 'puppet-python', '7.4.0'
mod 'puppet-systemd', '8.1.0'
mod 'puppet-yum', '7.2.0'
mod 'puppet-archive', '7.1.0'
mod 'puppet-chrony', '3.0.0'
mod 'puppet-puppetboard', '11.0.0'
mod 'puppet-nginx', '6.0.1'
mod 'puppet-selinux', '5.0.0'
mod 'puppet-prometheus', '16.0.0'
mod 'puppet-grafana', '14.1.0'
mod 'puppet-consul', '9.1.0'
mod 'puppet-vault', '4.1.1'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '3.6.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-keepalived', '5.1.0'
mod 'puppet-extlib', '7.5.1'
mod 'puppet-network', '2.2.1'
mod 'puppet-kmod', '4.1.0'
mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.0.0'
mod 'puppet-letsencrypt', '11.1.0'
mod 'puppet-rundeck', '9.2.0'
mod 'puppet-redis', '11.1.0'
mod 'puppet-nodejs', '11.0.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
mod 'saz-sudo', '8.0.0'
mod 'saz-ssh', '12.1.0'
mod 'saz-sudo', '9.0.2'
mod 'saz-ssh', '13.1.0'
mod 'saz-limits', '5.0.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'ghoneycutt-puppet', '3.3.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0'
mod 'kogitoapp-minio', '1.1.4'
@@ -52,6 +57,11 @@ mod 'broadinstitute-certs', '3.0.1'
mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'ssm-crypto_policies', '0.3.3'
mod 'thias-sysctl', '1.0.8'
mod 'openstack-ceph', '7.0.0'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
+106 -63
View File
@@ -3,16 +3,10 @@ lookup_options:
hiera_classes:
merge:
strategy: deep
profiles::packages::install:
profiles::packages::include:
merge:
strategy: deep
profiles::packages::install_exclude:
merge:
strategy: deep
profiles::packages::remove:
merge:
strategy: deep
profiles::packages::remove_exclude:
profiles::packages::exclude:
merge:
strategy: deep
profiles::pki::vault::alt_names:
@@ -135,6 +129,26 @@ lookup_options:
certbot::client::domains:
merge:
strategy: deep
keepalived::vrrp_script:
merge:
strategy: deep
keepalived::vrrp_instance:
merge:
strategy: deep
profiles::etcd::node::initial_cluster_token:
convert_to: Sensitive
sysctl::base::values:
merge:
strategy: deep
limits::entries:
merge:
strategy: deep
zfs::zpools:
merge:
strategy: deep
zfs::datasets:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -142,6 +156,9 @@ hiera_include:
- timezone
- networking
- ssh::server
- profiles::accounts::rundeck
- limits
- sysctl::base
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@@ -154,9 +171,22 @@ profiles::ntp::client::peers:
profiles::base::puppet_servers:
- 'prodinf01n01.main.unkin.net'
consul::install_method: 'package'
consul::manage_repo: false
consul::bin_dir: /usr/bin
vault::install_method: 'repo'
vault::manage_repo: false
vault::bin_dir: /usr/bin
vault::manage_service_file: true
vault::manage_config_dir: true
vault::disable_mlock: false
profiles::dns::base::nameservers:
- 198.18.19.16
profiles::dns::master::basedir: '/var/named/sources'
profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
profiles::dns::base::use_ns: 'region'
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
#profiles::dns::base::use_ns: 'region'
profiles::consul::server::members_role: roles::infra::storage::consul
profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
profiles::consul::client::members_lookup: true
@@ -172,59 +202,70 @@ profiles::consul::client::node_rules:
segment: ''
disposition: read
profiles::packages::install:
- bash-completion
- bzip2
- ccze
- curl
- dstat
- expect
- gcc
- gzip
- git
- htop
- inotify-tools
- iotop
- jq
- lz4
- mtr
- ncdu
- neovim
- p7zip
- pbzip2
- pigz
- pv
- python3.11
- rsync
- screen
- socat
- strace
- sysstat
- tar
- tmux
- traceroute
- unzip
- vim
- vnstat
- wget
- zsh
- zstd
profiles::packages::remove:
- iwl100-firmware
- iwl1000-firmware
- iwl105-firmware
- iwl135-firmware
- iwl2000-firmware
- iwl2030-firmware
- iwl3160-firmware
- iwl5000-firmware
- iwl5150-firmware
- iwl6000-firmware
- iwl6000g2a-firmware
- iwl6050-firmware
- iwl7260-firmware
- puppet7-release
profiles::packages::include:
bash-completion: {}
bzip2: {}
ccze: {}
curl: {}
dstat: {}
expect: {}
gzip: {}
git: {}
htop: {}
inotify-tools: {}
iotop: {}
jq: {}
lz4: {}
mtr: {}
ncdu: {}
neovim: {}
p7zip: {}
pbzip2: {}
pigz: {}
pv: {}
python3.11: {}
rsync: {}
screen: {}
socat: {}
strace: {}
sysstat: {}
tar: {}
tmux: {}
traceroute: {}
unzip: {}
vim: {}
vnstat: {}
wget: {}
zsh: {}
zstd: {}
iwl100-firmware:
ensure: absent
iwl1000-firmware:
ensure: absent
iwl105-firmware:
ensure: absent
iwl135-firmware:
ensure: absent
iwl2000-firmware:
ensure: absent
iwl2030-firmware:
ensure: absent
iwl3160-firmware:
ensure: absent
iwl5000-firmware:
ensure: absent
iwl5150-firmware:
ensure: absent
iwl6000-firmware:
ensure: absent
iwl6000g2a-firmware:
ensure: absent
iwl6050-firmware:
ensure: absent
iwl7260-firmware:
ensure: absent
puppet7-release:
ensure: absent
profiles::base::scripts::scripts:
puppet: puppetwrapper.py
@@ -293,6 +334,8 @@ sudo::configs:
profiles::accounts::sysadmin::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
profiles::accounts::rundeck::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD4F7VcorbGpyZzBFexz7c/o1JBscrl7hZU0UkWV7fq6YLizW0r6fOzD99hMwu1kdYCjPxbvuUSDEHfyBIp2EgLWU6wFVoufQqlMyOV85+ivQZUc1VNV+X9T+U4v3u/01hkAmlpXtbkwhMSR4Wi+tdABd04+D3CuMDM37mvnFmBBmi41X4Mr1rJhOQumn1XHQ7EYbsdw2mxfEVVeWpZIHz5BjNKSGzEIAYZbFt6s0Y7X3J5RT+Gjqmu043Tc8nNIUFlR9E10qd3Euf9RiBYxBx3z+yfOzJPBzWNBSHv1+PIbO5Mq+z5JaAfoFZO41L7nw+FjV6JJUCVLr6Vq+bCxyA7LW4Oq9ZahSrt/vrT0kTa0tA5U9bqK6e7pB//dm7PzoROtTq0XksV8RseA/fvIje20uaN1z9dynx+UcbszXu9pQ5GIg1o7b5DEi3OZHJwpgdudiCyEeR4+00G0z4PjpEMnTSMHAJ53WxtjzrPAOBnAmPE7hPu4coU+XrCWEXAvRMloJmca68e+zFX7VvFK82KVDuQ99vQ6w4X73IESKoLzyAVxpelwHaDG4fN+zqYfqubVQU1L5cUeYKxqm5r3Us6VvMaYs1ZMUmDGXHOq4FNhGUJYxSjkLvunM6qyAAJQCd6Pw/2TV3UQVerbouGOZaeBLvRguHWSbDrO99Zu+t87w== rundeck_runner
networking::interface_defaults:
ensure: present
+7
View File
@@ -1,2 +1,9 @@
---
timezone::timezone: 'Australia/Darwin'
profiles_dns_upstream_forwarder_unkin:
- 198.18.17.23
- 198.18.17.24
profiles_dns_upstream_forwarder_consul:
- 198.18.17.34
- 198.18.17.35
- 198.18.17.36
@@ -1,52 +1 @@
---
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders:
- 198.18.17.34
- 198.18.17.35
- 198.18.17.36
forward: 'only'
+4
View File
@@ -1,3 +1,7 @@
---
timezone::timezone: 'Australia/Sydney'
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
profiles_dns_upstream_forwarder_unkin:
- 198.18.19.15
profiles_dns_upstream_forwarder_consul:
- 198.18.19.14
@@ -1,52 +1 @@
---
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders:
- 198.18.13.19
- 198.18.13.20
- 198.18.13.21
forward: 'only'
@@ -1,4 +1,31 @@
---
hiera_include:
- keepalived
# keepalived
profiles::haproxy::dns::vrrp_ipaddr: '198.18.13.250'
profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
keepalived::vrrp_script:
check_haproxy:
script: '/usr/bin/killall -0 haproxy'
keepalived::vrrp_instance:
VI_250:
interface: 'eth0'
virtual_router_id: 250
auth_type: 'PASS'
auth_pass: 'quiiK7oo'
virtual_ipaddress: '198.18.13.250/32'
track_script:
- check_haproxy
# mappings
profiles::haproxy::mappings:
fe_http:
@@ -233,6 +260,7 @@ profiles::haproxy::dns::cnames:
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::service: haproxy
certbot::client::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
@@ -1,2 +1,3 @@
---
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
mysql::db::rundeck::pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcWmZuTro0DNX8X/6DCJdmxm85hawng2cjSm/M26/sAzlr7i3XLIjg5TQc3BpeiKWZvQ2XZWygOEcW7g0bHH7FBS6XTXswDiLCf7ssd0DYL+eQbh4p6VijBKObug33fp4+YJaqGV7YRUNqBjXQv/SSmxFqbNaRahUqwbMidJCyjGNmfCfbSd9WxI4/8j0L38rjXR3/i+/xzgVIhgz/qymmw0rky6jN14YrwRIkdW6loMFzVd12tqdX9kh7UBdE7j58ntQgJSilQn2pLmQs6dgcXSOeIi8Sln4R0MfAtOQ1c6LoKMUdb7k8xEszpGbhX7sw51kpwvnL1LS6PQ+T8T9wDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDm1sAUc6LFtslrIuwk1JlJgDAngDM/0g4dpgyNOZDsvAU8OualEL6HZ2RFGfibteUc11wZzHkdFZlvHz2JZdO7Huo=]
@@ -13,3 +13,12 @@ mysql::db:
- INSERT
- UPDATE
- DELETE
rundeck:
name: rundeck
user: rundeck
password: "%{alias('mysql::db::rundeck::pass')}"
grant:
- SELECT
- INSERT
- UPDATE
- DELETE
@@ -5,3 +5,9 @@ networking::interfaces:
networking::routes:
default:
gateway: 198.18.13.254
profiles::haproxy::dns::vrrp_master: true
keepalived::vrrp_instance:
VI_250:
state: 'MASTER'
priority: 101
@@ -5,3 +5,8 @@ networking::interfaces:
networking::routes:
default:
gateway: 198.18.13.254
keepalived::vrrp_instance:
VI_250:
state: 'BACKUP'
priority: 100
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.59
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.60
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.61
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.62
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.63
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.64
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.65
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.66
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.67
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.68
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.69
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.70
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.71
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.72
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.73
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.74
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.74
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.64.254/24'
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.75
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.75
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.65.254/24'
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.76
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.76
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.66.254/24'
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.77
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.77
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.67.254/24'
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.78
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.78
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.68.254/24'
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.79
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.79
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.69.254/24'
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.80
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.81
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.82
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
profiles::consul::server::anycast_ip: 198.18.19.14
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
profiles::consul::server::anycast_ip: 198.18.19.14
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
profiles::consul::server::anycast_ip: 198.18.19.14
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
profiles::consul::server::anycast_ip: 198.18.19.14
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
profiles::consul::server::anycast_ip: 198.18.19.14
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
dns_master_anycast_ip: 198.18.19.15
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('dns_master_anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
dns_master_anycast_ip: 198.18.19.15
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('dns_master_anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
dns_master_anycast_ip: 198.18.19.15
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('dns_master_anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
dns_resolver_anycast_ip: 198.18.19.16
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
dns_resolver_anycast_ip: 198.18.19.16
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,47 @@
---
hiera_include:
- frrouting
# networking
dns_resolver_anycast_ip: 198.18.19.16
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
anycast0:
type: dummy
ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
anycast0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
@@ -0,0 +1,18 @@
---
networking_loopback0_ip: 198.18.19.9 # management loopback
networking_loopback1_ip: 198.18.22.9 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.9 # ceph-public loopback
networking_br10_ip: 198.18.25.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:8d
ipaddress: 198.18.15.9
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:5d
ipaddress: 198.18.21.9
#zfs::zpools:
# fastpool:
# ensure: present
# disk: /dev/nvme0n1
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.10 # management loopback
networking_loopback1_ip: 198.18.22.10 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.10 # ceph-public loopback
networking_br10_ip: 198.18.26.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:37
ipaddress: 198.18.15.10
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:de
ipaddress: 198.18.21.10
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.11 # management loopback
networking_loopback1_ip: 198.18.22.11 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.11 # ceph-public loopback
networking_br10_ip: 198.18.27.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:0f
ipaddress: 198.18.15.11
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:55
ipaddress: 198.18.21.11
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.12 # management loopback
networking_loopback1_ip: 198.18.22.12 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.12 # ceph-public loopback
networking_br10_ip: 198.18.28.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:4f:05:1e
ipaddress: 198.18.15.12
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:e5
ipaddress: 198.18.21.12
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.13 # management loopback
networking_loopback1_ip: 198.18.22.13 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.13 # ceph-public loopback
networking_br10_ip: 198.18.29.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:4f:04:b0
ipaddress: 198.18.15.13
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:36
ipaddress: 198.18.21.13
+21
View File
@@ -1,2 +1,23 @@
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
---
crypto_policies::policy: 'DEFAULT'
profiles::packages::include:
network-scripts: {}
profiles::yum::global::repos:
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+34
View File
@@ -1,2 +1,36 @@
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
---
crypto_policies::policy: 'DEFAULT:SHA1'
profiles::yum::global::repos:
baseos:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
extras:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
appstream:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
highavailability:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
crb:
name: crb
descr: crb repository
target: /etc/yum.repos.d/crb.repo
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+12 -19
View File
@@ -3,17 +3,17 @@
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.26.0'
profiles::puppet::agent::puppet_version: '7.34.0'
hiera_include:
- profiles::almalinux::base
profiles::packages::install:
- lzo
- network-scripts
- policycoreutils
- unar
- xz
profiles::packages::include:
crypto-policies-scripts: {}
lzo: {}
policycoreutils: {}
unar: {}
xz: {}
lm-sensors::package: lm_sensors
@@ -39,13 +39,6 @@ profiles::yum::global::repos:
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
highavailability:
name: highavailability
descr: highavailability repository
@@ -64,12 +57,12 @@ profiles::yum::global::repos:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
unkinben:
name: unkinben
descr: unkinben repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
+9 -5
View File
@@ -1,15 +1,19 @@
# hieradata/os/debian/all_releases.yaml
---
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
profiles::apt::base::mirrorurl: http://edgecache.query.consul/debian/
profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7
profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
profiles::packages::install:
- lzop
- python3.11-venv
- xz-utils
profiles::packages::include:
lzop: {}
python3.11-venv: {}
xz-utils: {}
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false
consul::install_method: 'url'
consul::manage_repo: false
consul::bin_dir: /usr/local/bin
+1
View File
@@ -0,0 +1 @@
profiles::jupyter::jupyterhub::ldap_bind_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJspN3e2WzA0uZaLgFZ0Ewqii9dY0tTgbirsW70M2VZtLY+s+C6HE8ZZUtpfnRsFwUUhOj7s25X9xVOZNTpZIGPyfx9MWlSyFw2RFuXSEwaydf1DcBbg8261YrTTysA4Jsa1L4DLsX55q+XJUyeUbimVQkIacVIvzTdnZCBKnVNUh3U2PNAmV7SOL2KH8Jpbfs/EQfBt8XuGMCg3I/4RDyoNERqthW6W2KiMX2Gmd8iQ5+W9udH0lEAMx415oyImmN+dEuThcx9FGMi8BWYtnxH96yWafpT5qltwW6EVzIGWuLhiD1LcWYc5RB8jc3DhbeouChpKsN6c4EHoKt3aWsTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC8jcnqilJgY1/AnHWHfX4bgDCi2a3Rj43Z0dgfB5HaHdpfked3Cx+u94r2S5+Cg3QogU1AIF04rjzOL+bD2HdaMfo=]
+74
View File
@@ -0,0 +1,74 @@
---
profiles::packages::include:
python3.12: {}
python3.12-pip: {}
hiera_include:
- docker
- profiles::nginx::simpleproxy
# manage docker
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'jupyterhub.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- jupyterhub.service.consul
- jupyterhub.query.consul
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
profiles::nginx::simpleproxy::locations:
# authorised access from external
default:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Real-IP $remote_addr'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
- 'X-Scheme $scheme'
proxy_redirect: 'off'
proxy_http_version: '1.1'
proxy_buffering: 'off'
# additional altnames
profiles::pki::vault::alt_names:
- jupyterhub.service.consul
- jupyterhub.query.consul
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
jupyterhub:
service_name: 'jupyterhub'
tags:
- 'jupyterhub'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'jupyterhub_http_check'
name: 'jupyterhub HTTP Check'
http: "https://%{facts.networking.fqdn}"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jupyterhub
disposition: write
+16
View File
@@ -59,3 +59,19 @@ profiles::consul::client::node_rules:
- resource: service
segment: nzbget
disposition: write
profiles::yum::global::repos:
rpmfusion-free:
name: rpmfusion-free
descr: rpmfusion-free repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
mirrorlist: absent
rpmfusion-nonfree:
name: rpmfusion-nonfree
descr: rpmfusion-nonfree repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
+9
View File
@@ -54,3 +54,12 @@ profiles::consul::client::node_rules:
- resource: service
segment: prowlarr
disposition: write
profiles::nginx::simpleproxy::locations:
arrstack_web_external:
location_satisfy: any
location_allow:
- 198.18.13.47
- 198.18.13.50
- 198.18.13.51
- 198.18.13.52
+2 -2
View File
@@ -1,6 +1,6 @@
---
profiles::packages::install:
- policycoreutils
profiles::packages::include:
policycoreutils: {}
puppetdb::master::config::create_puppet_service_resource: false
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
+171
View File
@@ -59,6 +59,12 @@ glauth::users:
- 20014
- 20015
- 20016
- 20017
- 20018
- 20023
- 20024
- 20025 # jupyterhub_admin
- 20026 # jupyterhub_user
loginshell: '/bin/bash'
homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -82,6 +88,109 @@ glauth::users:
loginshell: '/bin/bash'
homedir: '/home/matsol'
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
seablo:
user_name: 'seablo'
givenname: 'Sean'
sn: 'Bloomfield'
mail: 'seablo@users.main.unkin.net'
uidnumber: 20002
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
loginshell: '/bin/bash'
homedir: '/home/seablo'
passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
marbal:
user_name: 'marbal'
givenname: 'Mark'
sn: 'Balch'
mail: 'marbal@users.main.unkin.net'
uidnumber: 20003
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
loginshell: '/bin/bash'
homedir: '/home/marbal'
passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
kelren:
user_name: 'kelren'
givenname: 'Kelly'
sn: 'Rennie'
mail: 'kelren@users.main.unkin.net'
uidnumber: 20004
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
loginshell: '/bin/bash'
homedir: '/home/kelren'
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
ryadun:
user_name: 'ryadun'
givenname: 'Ryan'
sn: 'Dunbar'
mail: 'ryadun@users.main.unkin.net'
uidnumber: 20005
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
loginshell: '/bin/bash'
homedir: '/home/ryadun'
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
margol:
user_name: 'margol'
givenname: 'Maree'
sn: 'Goldsworthy'
mail: 'margol@users.main.unkin.net'
uidnumber: 20006
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
loginshell: '/bin/bash'
homedir: '/home/margol'
passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
sudobo:
user_name: 'sudobo'
givenname: 'Sudaporn'
sn: 'Obom'
mail: 'sudobo@users.main.unkin.net'
uidnumber: 20007
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
- 20026 # jupyterhub_user
loginshell: '/bin/bash'
homedir: '/home/sudobo'
passsha256: 'a326e049c2a615226877946220a978a0a8247c569be1adcd73539b09b14136d0'
glauth::services:
svc_jellyfin:
@@ -126,6 +235,38 @@ glauth::services:
uidnumber: 30006
primarygroup: 20001
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
svc_nzbsubmit:
service_name: 'svc_nzbsubmit'
mail: 'nzbsubmit@service.main.unkin.net'
uidnumber: 30007
primarygroup: 20001
othergroups:
- 20016
passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2'
svc_rundeck:
service_name: 'svc_rundeck'
mail: 'rundeck@service.main.unkin.net'
uidnumber: 30007
primarygroup: 20001
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
svc_terraform:
service_name: 'svc_terraform'
mail: 'terraform@service.main.unkin.net'
uidnumber: 30008
primarygroup: 20001
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
svc_vault:
service_name: 'svc_vault'
mail: 'vault@service.main.unkin.net'
uidnumber: 30009
primarygroup: 20001
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
svc_jupyterhub:
service_name: 'svc_jupyterhub'
mail: 'jupyterhub@service.main.unkin.net'
uidnumber: 30010
primarygroup: 20001
passsha256: '09db1e0c2498214da35f3f2ed46a90a7b90635c207f8725e7abf76b48345a39b'
glauth::groups:
users:
@@ -155,3 +296,33 @@ glauth::groups:
nzbget_access:
group_name: 'nzbget_access'
gidnumber: 20016
rundeck_access:
group_name: 'rundeck_access'
gidnumber: 20017
rundeck_globaladmin:
group_name: 'rundeck_globaladmin'
gidnumber: 20018
rundeck_selfservice_admin:
group_name: 'rundeck_selfservice_admin'
gidnumber: 20019
rundeck_selfservice_user:
group_name: 'rundeck_selfservice_user'
gidnumber: 20020
rundeck_infrastructure_admin:
group_name: 'rundeck_infrastructure_admin'
gidnumber: 20021
rundeck_infrastructure_user:
group_name: 'rundeck_infrastructure_user'
gidnumber: 20022
vault_access:
group_name: 'vault_access'
gidnumber: 20023
vault_admin:
group_name: 'vault_admin'
gidnumber: 20024
jupyterhub_admin:
group_name: 'jupyterhub_admin'
gidnumber: 20025
jupyterhub_user:
group_name: 'jupyterhub_user'
gidnumber: 20026
File diff suppressed because one or more lines are too long
@@ -0,0 +1,205 @@
---
hiera_include:
- profiles::rundeck::server
- profiles::nginx::simpleproxy
hiera_exclude:
- profiles::accounts::rundeck
profiles::packages::exclude:
- jq
profiles::ssh::sign::principals:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 4440
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 20M
# additional altnames
profiles::pki::vault::alt_names:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
rundeck:
service_name: 'rundeck'
tags:
- 'automation'
- 'rundeck'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'glauth_http_check'
name: 'glauth HTTP Check'
http: "http://%{facts.networking.fqdn}:4440"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: rundeck
disposition: write
profiles::rundeck::server::mysql_backend: true
profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
profiles::rundeck::server::auth_config:
file:
auth_flag: 'sufficient'
jaas_config:
file: '/etc/rundeck/realm.properties'
realm_config:
admin_user: 'admin'
admin_password: "%{hiera('rundeck_admin_pass')}"
ldap:
jaas_config:
debug: 'true'
providerUrl: 'ldap://ldap.service.consul:389'
bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
bindPassword: "%{hiera('ldap_bindpass')}"
authenticationMethod: 'simple'
forceBindingLogin: 'true'
userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
userRdnAttribute: 'uid'
userIdAttribute: 'uid'
userPasswordAttribute: 'userPassword'
userObjectClass: 'posixAccount'
roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
roleNameAttribute: 'uid'
roleMemberAttribute: 'uniqueMember'
roleObjectClass: 'groupOfUniqueNames'
nestedGroups: 'true'
profiles::rundeck::server::key_storage_config:
- type: 'db'
path: 'keys'
- type: 'vault-storage'
path: 'vault'
config:
prefix: 'rundeck'
address: https://vault.query.consul:8200
storageBehaviour: 'vault'
secretBackend: rundeck
engineVersion: '2'
authBackend: approle
approleAuthMount: approle
approleId: "%{hiera('vault::roleid')}"
profiles::rundeck::server::cli_projects:
Self-Service:
update_method: 'set'
config:
project.description: 'self-service tasks'
project.disable.executions: 'false'
Infrastructure:
config:
project.description: 'infrastructure management'
project.disable.schedule: 'false'
profiles::rundeck::server::acl_policies:
global_admin_policy:
acl_policies:
- description: 'Global Admin, all access'
context:
application: "rundeck"
for:
project:
- allow: '*'
resource:
- allow: '*'
storage:
- allow: '*'
by:
- group: ['rundeck_globaladmin']
- description: 'Global Admin, all access'
context:
project: '.*'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_globaladmin']
selfservice_admin_policy:
acl_policies:
- description: 'Admin, all access for Self-Service project'
context:
project: 'Self-Service'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_selfserice_admin']
selfservice_user_policy:
acl_policies:
- description: 'Users can execute tasks but not edit for Self-Service project'
context:
project: 'Self-Service'
for:
resource:
- allow: ['read']
adhoc:
- allow: ['run']
job:
- allow: ['read', 'run']
node:
- allow: ['read', 'run']
by:
- group: ['rundeck_selfserice_user']
infrastructure_admin_policy:
acl_policies:
- description: 'Admin, all access for Infrastructure project'
context:
project: 'Infrastructure'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_infrastructure_admin']
infrastructure_user_policy:
acl_policies:
- description: 'Users can execute tasks but not edit for Infrastructure project'
context:
project: 'Infrastructure'
for:
resource:
- allow: ['read']
adhoc:
- allow: ['run']
job:
- allow: ['read', 'run']
node:
- allow: ['read', 'run']
by:
- group: ['rundeck_infrastructure_user']
+11 -11
View File
@@ -1,15 +1,15 @@
---
profiles::packages::install:
- cobbler
- cobbler3.2-web
- httpd
- syslinux
- dnf-plugins-core
- debmirror
- pykickstart
- fence-agents
- selinux-policy-devel
- ipxe-bootimgs
profiles::packages::include:
cobbler: {}
cobbler3.2-web: {}
httpd: {}
syslinux: {}
dnf-plugins-core: {}
debmirror: {}
pykickstart: {}
fence-agents: {}
selinux-policy-devel: {}
ipxe-bootimgs: {}
profiles::pki::vault::alt_names:
- cobbler.main.unkin.net
+2
View File
@@ -0,0 +1,2 @@
---
redisha::masterauth: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAV8znsSGAbPpPUhAcyOIWFltVyAcx3yVcIvC+JFndkkuVBT1813GSURrXIreXSilvJEHlwRC03A9NhjWJSsHBIS12uUb+7ap95oh2JJ7OHmeWSVD1GDDRpTQAgDEOikAnioRNJfQ83jUa11nJrsavt46hSq8vDq+rZ2P8ugiNk59mNX5vgYthCPXcEJd7UmpLZhgxZ8+42l4TKo7QpqKRcIMteJXk1NvyYfYGnGTZhknuyHM3xPGauGjKzamMlTzD9dGnn2K0/Q7I4PUyT24ZEG3kNVyDlVHTYcKnIT5q8qvmJdDQfZwOETF3SrzcqhQ2nqFvmI19sCTsQVmveb/2ITBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9KML3vzwF4vGZdtiu++jmgDAWPZspCckgoXPkgNRMePov3pXSlKUAGxwmdsuIM75rJMxlSTiil2lzMMBWXmUofys=]
+67
View File
@@ -0,0 +1,67 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- redis.main.unkin.net
- redis.service.consul
- redis.query.consul
- "redis.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- redis.main.unkin.net
- redis.service.consul
- redis.query.consul
hiera_include:
- redisha
redisha::manage_repo: false
redisha::redisha_members_lookup: true
redisha::redisha_members_role: roles::infra::db::redis
#redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
#redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
redisha::tools::requirepass: "%{hiera('redisha::masterauth')}"
sudo::configs:
consul:
priority: 20
content: |
consul ALL=(ALL) NOPASSWD: /usr/local/sbin/sentineladm info
consul::services:
redis-replica:
service_name: "redis-replica-%{facts.environment}"
tags:
- 'redis'
- 'redis-replica'
address: "%{facts.networking.ip}"
port: 6379
checks:
- id: 'redis-replica_tcp_check'
name: 'Redis Replica TCP Check'
tcp: "%{facts.networking.ip}:6379"
interval: '10s'
timeout: '1s'
redis-master:
service_name: "redis-master-%{facts.environment}"
tags:
- 'redis'
- 'redis-master'
address: "%{facts.networking.ip}"
port: 6379
checks:
- id: 'redis-master_tcp_check'
name: "Redis Master Check"
args:
- '/usr/local/bin/check_redis_master'
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: "redis-replica-%{facts.environment}"
disposition: write
- resource: service
segment: "redis-master-%{facts.environment}"
disposition: write
+5 -15
View File
@@ -15,9 +15,7 @@ profiles::dhcp::server::pools:
range:
- '198.18.15.200 198.18.15.220'
gateway: 198.18.15.254
nameservers:
- 198.18.13.12
- 198.18.13.13
nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
domain_name: main.unkin.net
pxeserver: 198.18.13.27
syd1-test:
@@ -26,9 +24,7 @@ profiles::dhcp::server::pools:
range:
- '198.18.16.200 198.18.16.220'
gateway: 198.18.16.254
nameservers:
- 198.18.13.12
- 198.18.13.13
nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
domain_name: main.unkin.net
pxeserver: 198.18.13.27
syd1-prod1:
@@ -37,9 +33,7 @@ profiles::dhcp::server::pools:
range:
- '198.18.13.200 198.18.13.220'
gateway: 198.18.13.254
nameservers:
- 198.18.13.12
- 198.18.13.13
nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
domain_name: main.unkin.net
pxeserver: 198.18.13.27
syd1-prod2:
@@ -48,9 +42,7 @@ profiles::dhcp::server::pools:
range:
- '198.18.14.200 198.18.14.220'
gateway: 198.18.14.254
nameservers:
- 198.18.13.12
- 198.18.13.13
nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
domain_name: main.unkin.net
pxeserver: 198.18.13.27
drw1-prod:
@@ -59,9 +51,7 @@ profiles::dhcp::server::pools:
range:
- '198.18.17.200 198.18.17.220'
gateway: 198.18.17.1
nameservers:
- 198.18.17.7
- 198.18.17.8
nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
domain_name: main.unkin.net
pxeserver: 198.18.13.27
+85
View File
@@ -9,6 +9,14 @@ profiles::dns::master::acls:
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
- 198.18.19.0/24
- 198.18.20.0/24
- 198.18.24.0/24
- 198.18.25.0/24
- 198.18.26.0/24
- 198.18.27.0/24
- 198.18.28.0/24
- 198.18.29.0/24
profiles::dns::master::zones:
main.unkin.net:
@@ -47,6 +55,72 @@ profiles::dns::master::zones:
dynamic: false
ns_notify: true
source: '/var/named/sources/17.18.198.in-addr.arpa.conf'
19.18.198.in-addr.arpa:
domain: '19.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/19.18.198.in-addr.arpa.conf'
20.18.198.in-addr.arpa:
domain: '20.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/20.18.198.in-addr.arpa.conf'
21.18.198.in-addr.arpa:
domain: '21.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/21.18.198.in-addr.arpa.conf'
22.18.198.in-addr.arpa:
domain: '22.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/22.18.198.in-addr.arpa.conf'
23.18.198.in-addr.arpa:
domain: '23.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/23.18.198.in-addr.arpa.conf'
24.18.198.in-addr.arpa:
domain: '24.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/24.18.198.in-addr.arpa.conf'
25.18.198.in-addr.arpa:
domain: '25.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/25.18.198.in-addr.arpa.conf'
26.18.198.in-addr.arpa:
domain: '26.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/26.18.198.in-addr.arpa.conf'
27.18.198.in-addr.arpa:
domain: '27.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/27.18.198.in-addr.arpa.conf'
28.18.198.in-addr.arpa:
domain: '28.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/28.18.198.in-addr.arpa.conf'
29.18.198.in-addr.arpa:
domain: '29.18.198.in-addr.arpa'
zone_type: 'master'
dynamic: false
ns_notify: true
source: '/var/named/sources/29.18.198.in-addr.arpa.conf'
profiles::dns::master::views:
master-zones:
@@ -58,6 +132,17 @@ profiles::dns::master::views:
- 15.18.198.in-addr.arpa
- 16.18.198.in-addr.arpa
- 17.18.198.in-addr.arpa
- 19.18.198.in-addr.arpa
- 20.18.198.in-addr.arpa
- 21.18.198.in-addr.arpa
- 22.18.198.in-addr.arpa
- 23.18.198.in-addr.arpa
- 24.18.198.in-addr.arpa
- 25.18.198.in-addr.arpa
- 26.18.198.in-addr.arpa
- 27.18.198.in-addr.arpa
- 28.18.198.in-addr.arpa
- 29.18.198.in-addr.arpa
match_clients:
- acl-main.unkin.net
+128 -8
View File
@@ -10,6 +10,30 @@ profiles::dns::resolver::acls:
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
- 198.18.18.0/24
- 198.18.19.0/24
- 198.18.20.0/24
- 198.18.21.0/24
- 198.18.22.0/24
- 198.18.23.0/24
acl-dmz:
addresses:
- 198.18.24.0/24
acl-common:
addresses:
- 198.18.25.0/24
- 198.18.26.0/24
- 198.18.27.0/24
- 198.18.28.0/24
- 198.18.29.0/24
acl-nomad-jobs:
addresses:
- 198.18.64.0/24
- 198.18.65.0/24
- 198.18.66.0/24
- 198.18.67.0/24
- 198.18.68.0/24
- 198.18.69.0/24
profiles::dns::resolver::zones:
8.10.10.in-addr.arpa-forward:
@@ -33,13 +57,6 @@ profiles::dns::resolver::zones:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
unkin.net-forward:
domain: 'unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
dmz.unkin.net-forward:
domain: 'dmz.unkin.net'
zone_type: 'forward'
@@ -61,13 +78,102 @@ profiles::dns::resolver::zones:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
19.18.198.in-addr.arpa-forward:
domain: '19.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
20.18.198.in-addr.arpa-forward:
domain: '20.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
21.18.198.in-addr.arpa-forward:
domain: '21.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
22.18.198.in-addr.arpa-forward:
domain: '22.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
23.18.198.in-addr.arpa-forward:
domain: '23.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
24.18.198.in-addr.arpa-forward:
domain: '24.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
25.18.198.in-addr.arpa-forward:
domain: '25.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
26.18.198.in-addr.arpa-forward:
domain: '26.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
27.18.198.in-addr.arpa-forward:
domain: '27.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
28.18.198.in-addr.arpa-forward:
domain: '28.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
29.18.198.in-addr.arpa-forward:
domain: '29.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders: "%{alias('profiles_dns_upstream_forwarder_consul')}"
forward: 'only'
profiles::dns::resolver::views:
openforwarder:
recursion: true
zones:
- main.unkin.net-forward
- unkin.net-forward
- dmz.unkin.net-forward
- network.unkin.net-forward
- prod.unkin.net-forward
@@ -77,8 +183,22 @@ profiles::dns::resolver::views:
- 15.18.198.in-addr.arpa-forward
- 16.18.198.in-addr.arpa-forward
- 17.18.198.in-addr.arpa-forward
- 19.18.198.in-addr.arpa-forward
- 20.18.198.in-addr.arpa-forward
- 21.18.198.in-addr.arpa-forward
- 22.18.198.in-addr.arpa-forward
- 23.18.198.in-addr.arpa-forward
- 24.18.198.in-addr.arpa-forward
- 25.18.198.in-addr.arpa-forward
- 26.18.198.in-addr.arpa-forward
- 27.18.198.in-addr.arpa-forward
- 28.18.198.in-addr.arpa-forward
- 29.18.198.in-addr.arpa-forward
- 8.10.10.in-addr.arpa-forward
- 16.10.10.in-addr.arpa-forward
- 20.10.10.in-addr.arpa-forward
match_clients:
- acl-main.unkin.net
- acl-nomad-jobs
- acl-common
- acl-dmz
+2
View File
@@ -0,0 +1,2 @@
---
droneci_server::rpc_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF8cEANj72ACYYdilP52Oz4EXVt+stx838tFVV4SFukoCTmN+kJ3GUUEM9x+oDvo17CsZhDzx5dX0JGo7N9MCLHsR4XKx3GSoAKvaSiD73TbzbdTNJgTIE1tRP9HNbJKizwWLo4lo+OUNtwnu0Z5dkMLYRHyvZ1hG24qmdXVn9DI06gVGQw9YXGmNy8AvA0BKnaHvUnE5XoLNVKZ4g1yvc/nkYpK6nLB+X4sZ96PRig7khiuFVvAfpg5c2iWnF13ljIajnG9uY12RyGaAGfH4l/d3UEyuHyQL4zzT8N7gGt8fvg7eNFx51TyEpVRFLyQ7dqq/lzn0moXVT35PQr9K3DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCGJ+rkxhqmyUUiIQLG7PnggDBPH9gyYAW5/XjDp5xd6GnuSt/WWOwOGxhg+1BoPzbV5o+Xufg5zyMVdYeI1MWD/u8=]
+25
View File
@@ -0,0 +1,25 @@
---
hiera_include:
- profiles::base::datavol
- docker
- droneci::runner
docker::version: latest
docker::curl_ensure: false
droneci::runner::ports:
- 3000:3000
droneci::runner::volumes:
- type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock
- type=bind,source=/data,target=/data
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
droneci::runner::env_vars:
DRONE_RPC_PROTO: https
DRONE_RPC_HOST: droneci.query.consul
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: "%{facts.networking.fqdn}"
DRONE_RUNNER_VOLUMES: /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt
@@ -0,0 +1,6 @@
---
droneci_server::gitea_client_secret: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJLcMKV4EevB8V/vjex+Srq47pWLvPozjSb+vjS/crFpKq3/dgtkJ8WkqF98fPnXxkMowP/BpNexJBCmPtTR2pPTKHIYkXjxGax0g3P2gcgeT7wsNl24mnUJDWZs1/z8ibwUXv4Zg0nbKi+YdomjsvT3vl2IPI88TKZDkq6HBoturwqx2l/edC5IeAi8vgPRXF8hn2TVuslkmoNXoI28Qp10b2XNOCss6KUJ4rbOwpIgdOVFbXqi7CFjhGz/3uS9xK+2m3iuE/gXi8KSKfiQ+QcGuXL9Zy5PH5rrNg4mbrFiaFfTevsHInl1wwRmULilQ0kEY3NW4b/URXqBBuwcN/TBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDlv7tA+6OQwDuL7z3xGYZjgEBcEAj3TQ9R9TntxTyBa9mKFRXimFTDDxdZ2zD96qFNz+7ZZFGD6pFQNHSMC9AYlAue94UsIHJZaXwgAo5zc98Q]
droneci_server::cookie_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKTWrB7Cca8RgFEeP46puzhVWOAiI6nB+m5+/sgz1qNnn6VgNh9Q6D26p9HISrMp4k60KVuGXrIbZYpkvKZmv4zHgK2et+50sr/F1anhDRX4rsmGWVV9n8VhaIJFAyQkW4de9YxV9LAgk0tWs1BgfXv4cV4+sDBv0OSVIFJDst3LUWpBR6lsiV9IifvNNUrdOHkdt5XjuL4JVmc0nkjetAg9HSvJ9VHYLIQagFHnTQp0FWluE1/ibGNc2kz7D4K7cPz2bBxRJWomckSUwgQK0NrGID4D13haZXhKXAO/8QpQOwPra8vD9FYrFenMeFLwdw43NzSr2g/W1ss5PekbWGjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBASshs2UwkGqK4ShFfXni7cgDCDCnEiqcfxIz4X/Bq71IpRKan3uQbHOewFqjNGqoR+1oWupjRxzNL39H9YF1a6i6s=]
droneci_server::database_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEASu4C45TYWZKgIoyqC3YdwYYXn+T+ruP6oIvhYFJ5dxeZ+6HtWbRMViErvpPuWYfgs5qt6Zj9eLz2hqimFCvKiAvzANeZ9hkhw/jkpmvG8iXpDFw6x8QKcPJteRo896KSLiGiVlZfRbgQCGAqiEMw6y6M9CvfCLzE/mZ9gOKjSJVKiioAnXU2fyq0Y0M6g0iLRw0VXl2BVc4ORCnVECARQPo48T3U+TT39q0ar4mRO1AFO0VA5iDJ6/EMPBcH3ekKO/1dB1UbV6VkD3s9BAHGyL5a5Wr6ztg/5Yl6VBCXmECZqpCx8jx8KDUoaj1R/+I83YQxbw9ch76j79haIK6+jzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAh6MmfbUELaWbSNZ9/Dev2gDD/E3G/uYJGXNGl1+PIVwGmi0z2BTXNqg7ax/b/uF5Xc9ZtBSPiSxR6BPRXN3GleNo=]
droneci_server::postgres_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANpDnrpratpuYheXFrN4nwRTauPm9rZz2ubDyJlcxmah+kOWqsWIeEkv5GuATlymfAx5UuHPOv3dJPCSK+YuyQY+kGW/8uEFM68QrNi38NdRqEpdXuPBe5+AmWxcjYK3mdJ4maEwsbbxtYJmD8TF6kskS2P/KhnIzYR5PPHZTaYbEf/W5Da3l+J5WnFYpStuLq+86yZokBAygFPI+y/Ic+zJIdhpzVdLyGuqxGLXZq7nNMrjuNyFPKkCj1BBpuJTMCS4oPKCUTlm5hIIeeC2pFREI0CMTV5siZB8NphobPNn/ZbJrcs9q75LtIa47pkFYRbmV4WPctCwZXg6jtMleuzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDHJaChyidZq/5FN5n+ASJWgDCqUcR/DG9e8AD7fRmTb5BZM8XQ77a1hUJoaCycnMQ/5UyKmqU/7fLPrsxCf2vZU1M=]
droneci_server::redis_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAYMoZlVXHC1qfkDptPy3PyWGrUs5y9M9AOv5Vn1AK6DYViixhjwPZUCfwTONmt7CiBuqmkDOpR5isWFiBo/+TMeMXlM9C/D+Svc9tpeHLpVaXAYeoz5um2InyBFkLWSaUaWSftF9U7O5Nv/OiLIsd7nn4T8Dd21rfUiRfUN/2HPLMCs+mW15Az9XNOcvfm+kPXDAcB+ukHde0vvtYTZEFWjMdwJjjE43DiCmAoLTcpvQxdlclojotBpFeBLZs/F21FDQ4hvBUvPBMuZ1o7ImSP5fuomYSFK8etbD7JO5gg5BN59lGl1ljyR83phv6wmmqlzB8wQl0pjEpni9o7fa9hTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCKJrkPA78qx3wAu1eroIjRgDA72N9U0YZf1MzACcGSOMU5RGO242RwlIKUrnuYcdC0dKkjLXtP+yVpSKkX5WxcsDQ=]
+79
View File
@@ -0,0 +1,79 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- droneci.main.unkin.net
- droneci.service.consul
- droneci.query.consul
- "droneci.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- droneci.main.unkin.net
- droneci.service.consul
- droneci.query.consul
hiera_include:
- docker
- profiles::sql::postgresdb
- droneci
docker::version: latest
docker::curl_ensure: false
profiles::sql::postgresdb::dbname: droneci
profiles::sql::postgresdb::dbuser: droneci
profiles::sql::postgresdb::dbpass: "%{hiera('droneci_server::postgres_password')}"
profiles::sql::postgresdb::members_lookup: true
profiles::sql::postgresdb::members_role: roles::infra::droneci::server
droneci::ports:
- 80:80
- 443:443
droneci::volumes:
- type=bind,source=/var/lib/drone,target=/data
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
droneci::env_vars:
DRONE_GITEA_SERVER: https://git.query.consul
DRONE_GITEA_CLIENT_ID: dda67581-86df-4e65-88ae-1e505b849082
DRONE_USER_CREATE: username:unkinben,admin:true
DRONE_GITEA_CLIENT_SECRET: "%{hiera('droneci_server::gitea_client_secret')}"
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
DRONE_SERVER_HOST: droneci.query.consul
DRONE_SERVER_PROTO: https
DRONE_TLS_CERT: /etc/pki/tls/vault/certificate.crt
DRONE_TLS_KEY: /etc/pki/tls/vault/private.key
DRONE_COOKIE_SECRET: "%{hiera('droneci_server::cookie_secret')}"
DRONE_COOKIE_TIMEOUT: 720h
DRONE_HTTP_SSL_REDIRECT: true
DRONE_HTTP_SSL_TEMPORARY_REDIRECT: true
DRONE_HTTP_SSL_HOST: droneci.query.consul
DRONE_LOGS_TEXT: true
DRONE_LOGS_PRETTY: true
DRONE_LOGS_COLOR: true
DRONE_DATABASE_SECRET: "%{hiera('droneci_server::database_secret')}"
DRONE_DATABASE_DRIVER: postgres
DRONE_DATABASE_DATASOURCE: "postgres://droneci:%{hiera('droneci_server::postgres_password')}@master.patroni-prod.service.au-syd1.consul:5432/droneci?sslmode=disable"
DRONE_REDIS_CONNECTION: "redis://%{hiera('droneci_server::redis_password')}@redis-master-prod.service.au-syd1.consul:6379/2"
consul::services:
droneci:
service_name: 'droneci'
tags:
- 'drone'
- 'droneci'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'droneci_https_check'
name: 'droneci HTTPS Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: droneci
disposition: write
+2
View File
@@ -0,0 +1,2 @@
---
profiles::etcd::node::initial_cluster_token: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhLyXszXUU6Dkiw9bEJTH0RXGaV2751NzvLH94i7QHfNukvOslF/kaDOA+FwqG06xSKSKo24Qyj4ewYA3BzhN8XLf2E9uW2LuDrUoA6aXUP2tYPqiTw8zmmgsVV5t7Y5PeNcleV3KmfcJZJKp33yGCKtGF7ggvNvnied5slO6E1BDkcVnqO7sdyI0MqSvsvH4IvEmeiSWAcBRBnwVLIwfn10frIvUg0fH4uZR7DASfO/HstYWKAEacz4xYBv74TtVVtYHlPvnVwC20YIYDMrgBsm3XngyWIQvruQCgyIkRzHjUKCpp76HpyEqzdJdEdaywkODYNOT6ab1B5uUu9WaMjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBADXLPOqFHdnVgJW5+iXJYcgCDK1Eyr+RwvMA+3VszYALU5B6OCH5maplwC5aUgiQZ7ew==]
+62
View File
@@ -0,0 +1,62 @@
---
hiera_include:
- profiles::etcd::node
profiles::etcd::node::members_lookup: true
profiles::etcd::node::members_role: roles::infra::etcd::node
profiles::etcd::node::config:
data-dir: /data/etcd
client-cert-auth: false
client-transport-security:
cert-file: /etc/pki/tls/vault/certificate.crt
key-file: /etc/pki/tls/vault/private.key
client-cert-auth: false
auto-tls: false
peer-transport-security:
cert-file: /etc/pki/tls/vault/certificate.crt
key-file: /etc/pki/tls/vault/private.key
client-cert-auth: false
auto-tls: false
allowed-cn:
max-wals: 5
max-snapshots: 5
snapshot-count: 10000
heartbeat-interval: 100
election-timeout: 1000
cipher-suites: [
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
]
tls-min-version: 'TLS1.2'
tls-max-version: 'TLS1.3'
profiles::pki::vault::alt_names:
- etcd.service.consul
- etcd.query.consul
- "etcd.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- etcd.query.consul
- etcd.service.consul
- etcd.service.%{facts.country}-%{facts.region}.consul
consul::services:
etcd:
service_name: 'etcd'
tags:
- 'etcd'
address: "%{facts.networking.ip}"
port: 2379
checks:
- id: 'etcd_http_health_check'
name: 'ETCD HTTP Health Check'
http: "https://%{facts.networking.ip}:2379/health"
method: 'GET'
interval: '10s'
timeout: '1s'
tls_skip_verify: true
profiles::consul::client::node_rules:
- resource: service
segment: etcd
disposition: write
+1 -1
View File
@@ -41,7 +41,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
- "git.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 3000
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 250M
nginx::client_max_body_size: 1024M
profiles::gitea::init::root:
APP_NAME: 'Gitea'
+1
View File
@@ -0,0 +1 @@
profiles::gitea::runner::registration_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOL/ug4IPhEW1n+Lq+SsMSEJUYsDDK2s0+oNF3unxcbH3QDqWo7kuYKkDWQ+W3otcxvuRlbC8+0W2fO2udhF7sSGrF93INsTCDqWlLnaaAgxlgNSXthA4OCJlI8DCLeD/Sr0TTCchUdpQrIpDo6Gh0EUjgRv5574q26or7c/vvtQ4nfLVQOqEV9UpsCgEYiQvXVcf55LEpgaDp4mFL0qCnfzDnGNbZ0GUo6552ka19IocqOqILPnZO0qDcEoLbQ90sP197+5Jw611i1Akx1C4lFP81bazFMpbdiEP0V4Ax+33LfZEb0KnXuMbKOF23vIwwwfpFJaSOAjA5YehA3xM2zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDPJHB2uL+VEyntgZocyoMXgDBJ1dnRWiJM77XomzbNdDUO+ktIHLOTL5do0m4CkXZ1s42KtaAwWL+/EGdxg80UMC8=]
+54
View File
@@ -0,0 +1,54 @@
---
hiera_include:
- docker
- profiles::gitea::runner
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
profiles::gitea::runner::home: /data/runner
profiles::gitea::runner::version: '0.2.10'
profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
profiles::gitea::runner::config:
log:
level: info
runner:
file: "%{hiera('profiles::gitea::runner::home')}/.runner"
capacity: 2
envs:
A_TEST_ENV_NAME_1: a_test_env_value_1
A_TEST_ENV_NAME_2: a_test_env_value_2
env_file: .env
timeout: 3h
insecure: false
fetch_timeout: 5s
fetch_interval: 2s
labels:
- "almalinux-latest"
- "almalinux-8:docker"
- "almalinux-8.10:docker"
cache:
enabled: true
dir: "%{hiera('profiles::gitea::runner::home')}/.cache/actcache"
host: ""
port: 0
external_server: ""
container:
network: ""
privileged: false
options:
workdir_parent: /workspace
valid_volumes: []
docker_host: ""
force_pull: true
force_rebuild: false
host:
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
# enable ip forwarding for docker containers
sysctl::base::values:
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
+125
View File
@@ -0,0 +1,125 @@
---
hiera_include:
- incus
- zfs
profiles::packages::include:
bridge-utils: {}
dnsmasq: {}
profiles::pki::vault::alt_names:
- incus-images.service.consul
- incus-images.query.consul
- "incus-images.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- incus-images.service.consul
- incus-images.query.consul
- "incus-images.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
incus-images:
service_name: 'incus-images'
tags:
- 'incus'
- 'images'
- 'container'
- 'lxd'
address: "%{facts.networking.ip}"
port: 8443
checks:
- id: 'incus_https_check'
name: 'incus HTTPS Check'
http: "https://%{facts.networking.fqdn}:8443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: incus-images
disposition: write
# additional repos
profiles::yum::global::repos:
zfs-kmod:
name: zfs-kmod
descr: zfs-kmod repository
target: /etc/yum.repos.d/zfs-kmod.repo
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
mirrorlist: absent
# zfs settings
zfs::manage_repo: false
zfs::zfs_arc_min: ~
zfs::zfs_arc_max: 429496729 # 400MB
zfs::zpools:
fastpool:
ensure: present
disk: /dev/vdb
ashift: 12
zfs::datasets:
fastpool:
canmount: 'off'
acltype: posix
atime: 'off'
relatime: 'off'
compression: 'zstd'
xattr: 'sa'
fastpool/data:
canmount: 'on'
mountpoint: '/data'
fastpool/data/incus:
canmount: 'on'
mountpoint: '/data/incus'
# manage incus
incus::init: true
incus::server_port: 8443
incus::storage_images_volume: fastpool/imagestore
# add sysadmin to incus-admin group
profiles::accounts::sysadmin::extra_groups:
- incus-admin
# sysctl recommendations
sysctl::base::values:
fs.aio-max-nr:
value: '524288'
fs.inotify.max_queued_events:
value: '1048576'
fs.inotify.max_user_instances:
value: '1048576'
fs.inotify.max_user_watches:
value: '1048576'
kernel.dmesg_restrict:
value: '1'
kernel.keys.maxbytes:
value: '2000000'
kernel.keys.maxkeys:
value: '2000'
net.core.bpf_jit_limit:
value: '1000000000'
net.ipv4.neigh.default.gc_thresh3:
value: '8192'
net.ipv6.neigh.default.gc_thresh3:
value: '8192'
vm.max_map_count:
value: '262144'
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
# limits.d recommendations
limits::entries:
'*/nofile':
both: 1048576
'root/nofile':
both: 1048576
'*/memlock':
both: unlimited
'root/memlock':
both: unlimited
+230
View File
@@ -0,0 +1,230 @@
---
hiera_include:
- profiles::selinux::frr
- frrouting
- incus
- zfs
- profiles::ceph::mon
profiles::packages::include:
bridge-utils: {}
profiles::pki::vault::alt_names:
- incus.service.consul
- incus.query.consul
- "incus.service.%{facts.country}-%{facts.region}.consul"
profiles::pki::vault::ip_sans:
- "%{hiera('networking_loopback0_ip')}"
- "%{hiera('networking_loopback1_ip')}"
- "%{hiera('networking_loopback2_ip')}"
profiles::ssh::sign::principals:
- incus.service.consul
- incus.query.consul
- "incus.service.%{facts.country}-%{facts.region}.consul"
- "%{hiera('networking_loopback0_ip')}"
- "%{hiera('networking_loopback1_ip')}"
- "%{hiera('networking_loopback2_ip')}"
# configure consul service
consul::services:
incus:
service_name: 'incus'
tags:
- 'incus'
- 'container'
- 'lxd'
address: "%{hiera('networking_loopback0_ip')}"
port: 8443
checks:
- id: 'incus_https_check'
name: 'incus HTTPS Check'
http: "https://%{hiera('networking_loopback0_ip')}:8443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: incus
disposition: write
# additional repos
profiles::yum::global::repos:
ceph:
name: ceph
descr: ceph repository
target: /etc/yum.repos.d/ceph.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download.ceph.com/keys/release.asc
mirrorlist: absent
ceph-noarch:
name: ceph-noarch
descr: ceph-noarch repository
target: /etc/yum.repos.d/ceph-noarch.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
gpgkey: https://download.ceph.com/keys/release.asc
mirrorlist: absent
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
zfs-kmod:
name: zfs-kmod
descr: zfs-kmod repository
target: /etc/yum.repos.d/zfs-kmod.repo
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
mirrorlist: absent
# dns
profiles::dns::base::primary_interface: loopback0
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
enp2s0:
type: physical
txqueuelen: 10000
forwarding: true
enp3s0:
type: physical
mtu: 9000
txqueuelen: 10000
forwarding: true
loopback0:
type: dummy
ipaddress: "%{hiera('networking_loopback0_ip')}"
netmask: 255.255.255.255
mtu: 9000
loopback1:
type: dummy
ipaddress: "%{hiera('networking_loopback1_ip')}"
netmask: 255.255.255.255
mtu: 9000
loopback2:
type: dummy
ipaddress: "%{hiera('networking_loopback2_ip')}"
netmask: 255.255.255.255
mtu: 9000
# frrouting
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
enp2s0:
area: 0.0.0.0
enp3s0:
area: 0.0.0.0
loopback0:
area: 0.0.0.0
loopback1:
area: 0.0.0.0
loopback2:
area: 0.0.0.0
brcom1:
area: 0.0.0.0
brdmz1:
area: 0.0.0.0
brwan1:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# add loopback interfaces to ssh list
ssh::server::options:
ListenAddress:
- "%{hiera('networking_loopback0_ip')}"
# zfs settings
zfs::manage_repo: false
zfs::zfs_arc_min: ~
zfs::zfs_arc_max: 4294967296 # 4GB
zfs::zpools:
fastpool:
ensure: present
disk: /dev/nvme1n1
ashift: 12
zfs::datasets:
fastpool:
canmount: 'off'
acltype: posix
atime: 'off'
relatime: 'off'
compression: 'zstd'
xattr: 'sa'
fastpool/data:
canmount: 'on'
mountpoint: '/data'
fastpool/data/incus:
canmount: 'on'
mountpoint: '/data/incus'
# manage incus
incus::init: true
incus::bridge: br10
incus::server_port: 8443
incus::server_addr: "%{hiera('networking_loopback0_ip')}"
# add sysadmin to incus-admin group
profiles::accounts::sysadmin::extra_groups:
- incus-admin
# sysctl recommendations
sysctl::base::values:
fs.aio-max-nr:
value: '524288'
fs.inotify.max_queued_events:
value: '1048576'
fs.inotify.max_user_instances:
value: '1048576'
fs.inotify.max_user_watches:
value: '1048576'
kernel.dmesg_restrict:
value: '1'
kernel.keys.maxbytes:
value: '2000000'
kernel.keys.maxkeys:
value: '2000'
net.core.bpf_jit_limit:
value: '1000000000'
net.ipv4.neigh.default.gc_thresh3:
value: '8192'
net.ipv6.neigh.default.gc_thresh3:
value: '8192'
vm.max_map_count:
value: '262144'
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
net.ipv4.tcp_l3mdev_accept:
value: '0'
net.ipv4.conf.default.rp_filter:
value: '0'
net.ipv4.conf.all.rp_filter:
value: '0'
# limits.d recommendations
limits::entries:
'*/nofile':
both: 1048576
'root/nofile':
both: 1048576
'*/memlock':
both: unlimited
'root/memlock':
both: unlimited
@@ -9,4 +9,5 @@ profiles::metrics::server::scrape_jobs:
- puppetdb
- systemd
- haproxy
- postgres
profiles::metrics::server::localstorage: /data/prometheus
+2
View File
@@ -0,0 +1,2 @@
---
ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEzl2zX8ok6iURymPLbvkFE/dZhunzwisNCsLE5Tx6Pmil0PNx7iFULHXxWU6HMVOxzJmgcnTY+NsRnoTMSpXHGeC3wmD525T4xO4wvG/l9apzmPs1NTI4hcyYCj4NkAKyo249xXEodU4uM2AZp3ZgLBLf2cZpOe0/SPngWSq0kC4pJMnxWH+YsQ/O/1EMxpjSgMMna4YcMtcW2M0+wRhASNSTV7icsiAp6F/cInZuP44ASviHmM6+aMEhygBariOT80kaHZZI+aP6vqSd9lChXCV5qjRzeoEBIKOzT2ZBj41RTsF75J8UYFPwY7dp584tDpiIedUSR9IRCJe4d0uTjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCau9oXJiYiCGgvxZl62EsagDDgX2cU3+3QCkImEGS1oBahkPl3fYHKynbRi0ZQW1CoW0UFRzY8FmWmGkowns9OsIM=]
+72
View File
@@ -0,0 +1,72 @@
---
hiera_include:
- docker
- docker::networks
- frrouting
- profiles::nomad::node
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
docker::ip_forward: true
docker::ip_masq: false
docker::iptables: false
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
ens19:
passive: true
docker0:
area: 0.0.0.1
profiles::yum::global::repos:
ceph-reef:
name: ceph-reef
descr: ceph reef repository
target: /etc/yum.repos.d/ceph-reef.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgcheck: 0,
mirrorlist: absent
profiles::ceph::client::keyrings:
nomad:
key: "%{hiera('ceph::key::media')}"
profiles::packages::include:
nomad: {}
cni-plugins: {}
profiles::nomad::node::client: true
# additional altnames
profiles::pki::vault::alt_names:
- client.global.nomad
- client.au-syd1.nomad
- nomad-client.service.consul
- nomad-client.query.consul
- "nomad-client.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
profiles::consul::client::node_rules:
- resource: service
segment: nomad-client
disposition: write
- resource: agent_prefix
segment: ''
disposition: read
- resource: node_prefix
segment: ''
disposition: write
- resource: service_prefix
segment: ''
disposition: write
- resource: key_prefix
segment: "nomad"
disposition: write
- resource: session_prefix
segment: ""
disposition: write
+34
View File
@@ -0,0 +1,34 @@
---
hiera_include:
- profiles::nomad::node
profiles::packages::include:
nomad: {}
profiles::nomad::node::server: true
# additional altnames
profiles::pki::vault::alt_names:
- client.global.nomad
- client.au-syd1.nomad
- server.global.nomad
- server.au-syd1.nomad
- nomad.service.consul
- nomad.query.consul
- "nomad.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
profiles::consul::client::node_rules:
- resource: service
segment: nomad
disposition: write
- resource: agent_prefix
segment: ''
disposition: read
- resource: node_prefix
segment: ''
disposition: write
- resource: service_prefix
segment: ''
disposition: write
+29
View File
@@ -0,0 +1,29 @@
profiles::pki::vault::alt_names:
- jumphost.service.consul
- jumphost.query.consul
- "jumphost.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- jumphost.query.consul
- jumphost.service.consul
- jumphost.service.%{facts.country}-%{facts.region}.consul
consul::services:
jumphost:
service_name: 'jumphost'
tags:
- 'jumphost'
- 'proxy'
- 'ssh'
address: "%{facts.networking.ip}"
port: 22
checks:
- id: 'ssh_tcp_check'
name: 'SSH TCP Check'
tcp: "%{facts.networking.ip}:22"
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jumphost
disposition: write
+2 -2
View File
@@ -1,3 +1,3 @@
---
profiles::packages::install:
- puppetserver
profiles::packages::include:
puppetserver: {}
+8 -1
View File
@@ -5,6 +5,13 @@ profiles::puppet::autosign::subnet_ranges:
- '198.18.15.0/24'
- '198.18.16.0/24'
- '198.18.17.0/24'
- '198.18.20.0/24'
- '198.18.24.0/24'
- '198.18.25.0/24'
- '198.18.26.0/24'
- '198.18.27.0/24'
- '198.18.28.0/24'
- '198.18.29.0/24'
profiles::puppet::autosign::domains:
- '*.main.unkin.net'
@@ -19,7 +26,7 @@ profiles::puppet::cobbler_enc::packages:
- 'requests'
- 'PyYAML'
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkinben/puppet-r10k.git
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkin/puppet-r10k.git
profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
@@ -0,0 +1 @@
profiles::puppet::puppetboard::secret_key: ENC[PKCS7,MIIB+wYJKoZIhvcNAQcDoIIB7DCCAegCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoCr9JTtrnMaVjJlEpA0NYNt/QAgTGiEmS3kPn2oJ80Ay7fUl79pop95uLQIfw6C3e8WGUhxYt31wmzent4Bfbced7uF/tjhP2cniKPmZGuf/tmVrGIHIh4T4g0Wz2K0DIU/dGWUlgE03ICRxXlAy0atjUuAp02ehj7bzLuMf+vZbghm8vnOoDCTKjeZNAJEkDvBkIzwUu9JiM9Gn6BzoLLGdEERqs/LR832vjjNmF7KUEH/Ntt47wbLdfCzawsZsBNLggEb1HNGu0aSb0qBXYBPRq6w1L/RU8gX2dCqGRbhDZymihebaOcwU1AtbLEBdHTYQpga+c4bcTz9rJplLtjCBvQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQAdSjLEaZPK47TY7LDCB7b4CBkOTvHbi4nb+pB/Kng+Z3N9ocZPZdGbV6WzMNGxsxmhWXoi+XKEzEvfB10UhQwDcvZXd2W9hhiRkakq7+S0uLWzCX1jNMH2LXZAzoiyGM4FFvGpx7Z64OhmVrOJuKnxD+3zK6PZqvMb3g7CjZeAr5vyhcT/zO75krhJuYp11ZFpLCRcuASf0ru+Jq5OKD4+ZI/g==]
+2
View File
@@ -0,0 +1,2 @@
profiles::puppet::puppetdb_api::public_cert: ENC[PKCS7,MIIJrQYJKoZIhvcNAQcDoIIJnjCCCZoCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEATUl7Aa6W6Q0gWWPet6fufBUtFUO7wCkED8w3NojkDYNR0Cine5+yWupy1FZ0d75mtdjI16DgZ9d2BhNlnbvPrZHuFSfBFj0s6lc0cYs1dpEUwPwPssmfNNfLe+73Fn0e43fguXisBYiE0Xn4x9UqGEIXXnwBqucIo4lkR0QAvhrmgEsNJKrxKV2isBZOnV40hrilnK3fLszGlfEfEuK1ZLrdtQV54Cl/Fpga8OOEk3Ji+WO/qC3WSQ+RWmc+si5L7w6raFLcHb3ZN96BHNVN2h2rBe85RRTg08LT+9Eyge3Fc0/+eoRmzTvnHMc4RptRfvopv5RGGyOma0mExmD6CzCCCG4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEB2t8I7YdvzPGIuGG1fUIViAgghAKhUoHO1UphPXu/KwYgo3xPSmWWF76B/ZKPd3SdzobYBsfK7CEhRiONU29W/wEzDdn7An2E16bIuecxT114z0i6OqQc3W92jBETWlpV1IRWs4DTb2QWjA4l74KdwRtltpeAKeFjSjuW2+L5UUOgGsaW4lxR0wP/uIqUT76/wQCoCAIw/i+YcIvIJDpeVPKSyaA6GFJbiT8CuG1SzD/1tb+XOxEf3WpeUwVNrPIO1ADjdi3cha6bJDa6Dvrtz8ornYwsfZ9cIlhDb6kmz938+EWpH5swCppfHcMncSd+R1zST6DzhN54+kvWGjvrN79m5+f0al/t3a85iZ6boLXSE8VkPLWZnlAt0ISdCtt0m7luxWWUN3AvmBmLZ5hhjnHUQC4RNCmu3BrjB7bN/nvInZQNcBlArhthiy/DpbdjLpF5kkUq+J+S7I898rG/B8lWrWjYsQvOUM/yiVbpCtsLJS9Pv1UjlkHcere6YgOq4gZKaESF19npV6SLU2MfC+Raefj1biE+haOOjpDdR+xQLAHmZqgOBUFMkYh1RH77zg2QPtz5aDLGypO/yVuJDcuSGV6qpoxc0uu7EmihfOg2cHF6FtSlStwFQYw3mG3oyuByv527lVRUjNHOx85bXeFccb96lyTzStAopLADo9nuOHjDxs6qzXj4h0y5w0ODh3Wyy/h4EXYaTrXuSB/FJJb1rvToC+XJ7ABxzt0rB8ySNtt+DFRssZQ5ZXWF6T88YKLcigKYGNTGmf92Iwpq6+hw0NEF1OWy7aHDzog6xORilgy6zcPTWkz2TUxzOuwN6Y0UeLlj+C4r+hl17/9aYhls6UJ+5xF+ZNcJmqEXqZ5HHykcYRwaWI0FF4tkbsto8Is2/aZVfeQc/2JZ+9IbLXlh1Km6hJxWJmw/S9RwTXVK7kGO/IlIoQiYTFYoeSU4RDPVUXZTBmGxuBmz37JPVMLXkL6tGUPwTz6pa+AMppT/qMLC8y2LhLm+eRsfz4w2ySc/kBR0FKsD0Z1h9h4zM+VtNnxaSYmxkFG77pX+bi/ToQqaydWblf0NPdw2t+uoULzkxxhX3wjZi8V9gGOhZ7s7YUKJFljZZYcl0MnDab+xGjD8DGiq/vHqTLXm8DYpVOxsryGIJ3zXf5KPvo8y6/wQAkKq6Vb4lraqkg9m5wGLxQDemE4h2OWgjcnWOXx/N9bcVO0xMyqrFo337wPoZ+hYQhwxzrfiQZ87nLe28OstaWS8OK6KoAx95LvMypaFURf+EoZkYO8wFiLmFBNAMMOkf/TJjmXoeDw46Qv1sZi57239pgzxz6RXEjd5TBURli7tSaniqKNarRY7ZoYymzYBv9Kyj6zQGgXxozhQsMsju9fTo2l+bXQ2siBljHnNkI+I3aO5Q6FLpM57h5xhA86ayJzfaKSbniMARGY2inG3qUfKafgQUvrYBxaIxSBAg7LfE2GRJx8gEioATFZpclrm+0fP3xaXW3I/wiyl/EPKIP2aPP8lqJam/KWXZ46nYdgrKIrg51tXp/YUcgR6geZYHIBWkAgofJeThKPz9ervLzu3dYS0FgMiRcyCOXfI4nttW/QCNl5a19UXXYpSgj0MOAKuSZYkHYgaSt7DNt3sZtWLtCZ1M/QFLSiqsfUAULVwUJpOCS4Ul0Bn9gu038xCBCkaQ8VnSHtvl6NsCUHDhk/JGq5pmZjrE5zTEnlMBUBoQ1sun/HwLAnoX24KV+3pzwul0eCLm2pBndWvgnHsEY7COiookx7mwvg93xuejN7zQk/NAJp4L3haT5ueVTcUcEsTPmsIDMn2xg2HSGLum6yG02XPMBYJlG/GHtu2kuvOV2UFqxkzje4FB3cNishelQ1VRDOBJodt8xmfKkgPciFChEOVe5OY7AbBvKIBab+kjbG78guGReqkmePFkEtsnL7KouiERojAVsGXtvqOT2dQvO7xLrozLk+kY/Xk6HkGedmc2PUEc/CSKPy73k2a154ByzwfOaAaTM1XCvo4Ff7hTA7VHUu3rWpHmd2LZbKN1nlGbrrX0Wk0jt72OsRWRzgKp+81jEkNh/hbD9xCjmIbzdloOmcJJbcyikmThVpFaUMaHowZmrBtQxE7pR2ARbhVvNXH3fZQnIpxMcHEPoKh12pOTlp+GIO8H1EsGZ6tOjXniBiy/szoa8Oi/eJp/Co8uRoDSyBc5t6ZD6ciLHOVG4c0nCdMHaouA/EXNe/EOzLg4fYk7cLBNGoaBUo8LbXv0Z2tkhtE1ctl8NBvZS3X80VchtmQg7lVlqZUEkcXEtoadrjRpiWL9EW68mzjTsejePMNBb6CCL4zGqQwCfA1zUVtlNJslguClQ2u0IlqPjBYsj3Xy+leg24YrHKB1zEu1/aGuVxCBlJMozQj//5OCTp+1iO0EExnGBYjZuk8UTYrUj9FZeu5GiRlBvky1HBE/fq4LPD7l/Gr0npAwKJofIglA2DZe9Sr4VmA8oi4vsmbpmtyPLVa/pfVXrl/w2dLH/Y2TI8MbPFMvjtAgdlK6endrxpb9EC2YeWrFibDXL9EsOAXo5droa6WyIDoVr7GBZ0Faa19uW2IZf0fw02tz0L1Bg/4RopeIZpbH0CKCwpqg5GNb7gKvKkXt9ugI84ZGnF5CgrqXH+lXXtMgHsEkUQ6vAJeKioLSMVla6Pu/BdztDKBVuKTEzV/lH/nbR2qhjlIEm+AntndtRNU3J6Aakje0keGjDV66paCnh/v7fha3SOPkgCV8OxrqMDAUl9/RxB907OF/Ethg4F/gsWfwDJLcAoS206rV6r+VZyurb3xx6HSLFzh+MMBgNlJhf]
profiles::puppet::puppetdb_api::private_cert: ENC[PKCS7,MIIOHQYJKoZIhvcNAQcDoIIODjCCDgoCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAR7TO46Sg7DTeJmy+YMKpcKgcbbyDed4zHib7Jii2ltlFBMzFAJ49u986i13pSE0qaPIgydc94ILKc0oTwTWvstbiBJB2NYikswKHIJwKKSTzzbfCz1/eyfVKwKyp3DakdImdPClmjZIp/eQyWsLkZjxmJ5T9MVHSo3l8sNVY3WyGbKwEi0TwZabE9Op8cvFTifcBL5zDwKMrhwghAPEoVz8DALoMOko8Lp2K7yCo+LvyvY/Ib9CtIfbgpXQTo2NDbww29/KWHqw6PjzRdyuswUDdnCuLOaThUQkDopTZyhhJ9Y5z5/7Doo/zGYQLBkyThjtKkKwsPlq1eGkjFzY/ITCCDN4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEAvibroua3O2ot73run7uWKAggywIm7gZ/o/vc47kaCICTS2LtsHDmTe9HHqujdAdQLlBGvEhasKGDMr8s54aIbNUbLhD82Vuvwjl2GShqSg/IATfwzDPoqm982KrVZd/9kO61o3vBdtqZO1+InbY7iDbTqf45A7Ar3545aF+/y30WDamFyECwCePrQu1Y9bw6VhLTEVYO+A8zr8y0CYRKAtWNYcPpTP/3VO8/RKtMV+nWrUzS00zAp56lA7xeOzdeKdHzCkpKeaHrpSEN6YGrZmAhTdKBxHYiez9h3eZprEtqoAz0I5DL9Y54t74+pZxicFjQKYPxUGccqg0dIkFZUgE1dxuOkASspydJ890xC/SYJZxREeuF9SPCUkT4Szc814/JHzfqrHt5ZfdzQcBX0xjtEfwoud+Hc4MVerT4cmhyaJLP1/jEe8l3B3Cj4uVilbfAyxOAmAHZl4lcKawdzqUm1os6bsBzCwQU0usKYlW1vczvjvxHvq5z/+IQvCvvlPlUrVIlB7XaiIihkW4LbgZBKNaCWW8rihewX5FUTtvjveHzkGqXnzBBF8WfQmNvVtjKFGdkz3teOHShZOZO7fYo4rHGAV+KVz3kzSCZ8pgqAUsYYW5z/aViNnFuNdDz8xiq05DfUtD3GwbydH2mr5IN8bAFwufAidKEfuQeAusCuS5k6PRJyXK81ErqYMW/H+mSLVw9jCNOqqGGfiYdfcx8oNw+U1Vz/fDmQIQ+eT/JKDSOCbBYjrydC9WBzvgRngDoLQ/UXGCnIENqLJekvVJ0x9KTUhrzQyZVky+INyzp3i5UDyu2uLH55vJEI7qSmcM0Y8Eyj3Buc+0k739OQCC56IiQm/Aw6Uh+6Vi+/MfevcI5K0etMgTZ+dIhRAJAT5Jd4vRu4ge8M1HqEOQQj5lQfO+WtHcgwFyg1dGeQF6I6iy0JfMqXZVDsEkyCsDN6ZDaLcgMQN0FYWSsqy7tCzU9ZbvQ/pAHT/Ed1mNDWs+w0YzgcVv8+XCBGVzunpqcjbi08aKDYIKOIL5EBVOfDwGIeYjBuJhINQa49tNryXEkjZs+OxXDM4YvvksvwfNq4P4OLNJHoQ4DCEyqVbdqGGksRjNtU28Lu8y2M5eX6ehG8ismBMSgUy0SIbR5vTDVNjguo4HD7slVNYqERfMjlwHbnOLajoPl8nWIrhW3glWKBvJ1bQKWU81TRawlCAQ3k5DFnebFgoBagtqo0+Zoygt29Bz38wwqfF90jvfzVEM0sy4X+7FxZFYX2WTWKyZV3+16a7hWBjMbJeulU1chzs1V0/lPMXVEa+c3xcO8W2DyrX4wR27fUEfjPmug49tMhMSFOZXEOwzUMsXjz3K4XhEcC0mtYHDMT0EYtRX8pHe62RkMILuJGRHvw3Wwg2GzZRMpZfPQy8jLhkOhUSGc7z4XEWC/PdLmfGjBTZsZ6G2FfKlGLbSxOlgQlew2sZ+oNTHRrN+aMrkgyG11TheXDbE0y+Sxls+13DEYbMaflq5wjE2FlvD3b5X7/Pu4BizQI7Ski7jjb5qcqik8xoin2qGfhnY6H6PNSPz67J1RTxVZjHgUtZQKG56e+aKIv5FFyjFTgEPRqj3Yyrzh7+E6gt+LETh3vuJDUxKPLZskLD03xP6E/yiLbIu5DIYzK9+uuS/JGF3OibE93hgwp9uzDFirDzRbcuDVDxZyToSfH8P7m58lhp/FiKO3rpUqRqaC/GXz5xbekQ+yGuMKk6qEmiPj7B3pHm2Ic2tJIGTpTNCDNfsqefplUJXbKskiKRxOP04yCIn3XuHu8jUDhWZW848RWHgXfySdqEAFKrvsyamJKXz/1IGIdDzOgnAcd/wiudhZ41gDaCyA1DQYxU9T04106eD9aTZwj+mS9uZmfwHfROiBinC1ZAHsXfjLtwVZj3gpdUsieIqAiuAuMKle9yOMn3np4NEu5vjj/SOZeVWCvBfcPg8VB+uj6s7FtXRH5jdxkaB72PykYa8aTAbNKqcw/qlowv0k/vWnWa++fFFVfbg+VZ3a6oEW2YKvcVefQg/R4nEeTusmH/tnOl7SHLlJ4WLQ+U+v0GLeCY6zJKS6WweN+6SXIbkB9BLES2VpvxlYAmjqLlQuJBpcIuxL1SwCIkKUXdWjQqp6WzfS4XSxuxizZNL8xlEjXSJzFXvo+rPZXF37gHvmLHnjJkQdhctZUjyzDUfgLdR4FcMsp/U8qugWtbbemARFtrXHT9D3M/hVp0z/0ho80LB2chI1nOfY0u8GXgHtJfwZtoeyctud6JLo4zUxZy0zQMqIqgpytVNhjMPOIK5sWpKCKscPlg8+vANhPQHze7Wc8PXwC7jbSMH4QqqnGz+fPB/KKl+wz4jICe/vu7fNJRq0pehibPifXJtBDBH+i+s/U3ZX2WECKPYsF0DXq8Askisa3b97WPO7oWk8ghzE8ZXZs5CypkLpq+oPRg/WrsRJea+EWmkzKmBXtS23AQzhItNB0KFP18elLVmb6atYNs4lzv22ptifD+5wbYmk+/mAVgInqqixLPAy2uofCXvlXhIPd4vgkwpjar/lxcZWGtX7c7EUzDND1AyirMjcZyTaMsHEzYybT3S/8n8OgxVvyemLvgHnmZxmWnUBFUhItQ2Pt6iF2Dn68huo+0PE5K5qlKzoRPbfNLrNYImn4KxmLW5+bT2STe1j8aowyY3ROY1r+4BxHIbDknCb5aj6N4WR14SeUWSSPu23oK1VDLBlQUMiHHqfJwu0NiGhsI8Vl0Mp5Slp6FK0UvZz2O7C+x0HGaWVK9mMuP40BKHjEo7T97ZoXMN0uX4GmBQ3jEwXzsPpuPbZI5JnwwEyp5YX+IyYWJyCww2fntSQ/fS509b6mvG5isUMK3lpiogucROtJTA1KrODrocpTgUGvIwDUP/tosGT57lmXjTmHbTf6WjCHIUZsrbT5ycjYNJI0sn+dfx3Tba289CEeBEaX2FefnHX+o8HMLlRI4JmiD6faswCjC2IFMjDVfkJoie45Y+8Q9LSVZ8TkZey1QucNRrMIKpNLo4cPDCdUJIOPUDbfX4I1g0Qhk7T5WYX/JUtiaUgKiR5Gc/PHmV8oL8G9P+OSgg2Lc5XaN7/PevHCiBOLwAXsKbSCwL7oGmxyw90+sHIZr+ZyClNnfuXE3UrW7NXQI6mCxvQWKtJKn1trO17I6Cd00RMfC3uPy5/LIicubunfvDjp3BlaatxIrzDg3rVnFPX0dKzt/s4iuSyK3IT0le/x9OBLIp4EhdQdvd2HOFYxOtjxzbvWRzWrqGpBsLQLg7EG5adrqg69VOQMCT2pq0sCJp6hk4yGHbuz4hoX2PIeiI3l/Z0TwDGopGWW3uWRWxH/6bq1a6idgxHYhruUmR8aFpUKSsVyodiDV1PtK1zj5mKcZdeXx0THBYTEUWyo3RI9iLUnMcDYyPRTjCKoCm6pPS7yjIT7tq+MUi3iWo2XijY8AaV/K+WrnkcqoQH2cXsrBoH0sZMksdWwYBYz97+RKkx3FSxgdXJb1xxr0X21oPW1PhJq/zHSxe3OmxwYMPeZsGPaG8UngxTdfTQ3KPn+mN9NRXvlXkqudGJa/d/QMinCf/tp9eU1WX5xktqDgqBbPD391+6gcDsFgdidFdpLKf6yGLEovTwE9GrLX7srAC2dPOxviWekqng8H0N9RjHT06NVD9kAnnR/01ZkmmPzdP7vLX9imy0j/huTpN8i9XpFS6za4jdGt46Y5SfRKg/4qpwtE6meElgiOnTkP2uBI5cF4czaK1rYr1ZlwoneFzNHnBVFctAP7CD+w98hYexQ5RrdUYgFrMB5+88Y1IrI8Gd02RCEycPCoxdEFXqBVWmu2N/fuovgihTn9qf/mUxpQPsiUHjCgmV5w+ALs02oiRf08b8mTBAjy8utziFA6efpAppv98bQUfTs8lyNn7sH6OCoa4ZKeB51wqPXZBsKZ8Ja9VDZXjpCV+MB0b9XuSgOx2Y3UD/GJ/+eW7J6MiYFTHrhB1kRert5vRdF4M2KMoyYnVRFMBRqimnNBq6xrOvz4D6dSiquhFRtxlnb6dPCyRgHImsFbR/qdDukLB6DB+vfjzZQArLbkaMVF86hX1+9xP+BdZPsnVapY9u+DSZP7ZkEP/VftTl7uJZnqAWUis+jOncUizmzSIpV6cZO7SVdiQicHiRm6VSOmpBhniRKYN13Ct8B0g+JJeyMlx6OGALMLvcXKDXxJNvyYL9FuXyRvOygButRRjvLsEku+fl9ESD27r56ZNExf7w411cGbKQ+obhSnMsBM2qGBDR97VJyLGhbFX7SKl7CGOAWZF3TbOe4PU4Ty75qb8+U5R8amQ1FFQD4r65M=]
+4 -4
View File
@@ -29,11 +29,11 @@ profiles::yum::global::repos:
name: postgresql-15
descr: postgresql-15 repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
postgresql-common:
name: postgresql-common
descr: postgresql-common repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
+237 -95
View File
@@ -1,111 +1,162 @@
---
profiles::packages::install:
- createrepo
profiles::packages::include:
createrepo: {}
profiles::ssh::sign::principals:
- packagerepo.service.consul
- packagerepo.query.consul
- "packagerepo.service.%{facts.country}-%{facts.region}.consul"
# additional altnames
profiles::pki::vault::alt_names:
- repos.main.unkin.net
- packagerepo.main.unkin.net
- packagerepo.service.consul
- packagerepo.query.consul
- "packagerepo.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
jupyterhub:
service_name: 'packagerepo'
tags:
- 'packagerepo'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'packagerepo_http_check'
name: 'packagerepo HTTP Check'
http: "https://%{facts.networking.fqdn}"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: packagerepo
disposition: write
profiles::reposync::webserver::nginx_listen_mode: both
profiles::reposync::webserver::nginx_cert_type: vault
profiles::reposync::repos_list:
almalinux_8_9_baseos:
repository: 'BaseOS'
description: 'AlmaLinux 8.9 - BaseOS'
almalinux_9_5_baseos:
repository: 'baseos'
description: 'AlmaLinux 9.5 BaseOS'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/baseos
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_appstream:
repository: 'AppStream'
description: 'AlmaLinux 8.9 - AppStream'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_appstream:
repository: 'appstream'
description: 'AlmaLinux 9.5 AppStream'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/appstream
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_highavailability:
repository: 'HighAvailability'
description: 'AlmaLinux 8.9 - HighAvailability'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_crb:
repository: 'crb'
description: 'AlmaLinux 9.5 CRB'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/ha
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_powertools:
repository: 'PowerTools'
description: 'AlmaLinux 8.9 - PowerTools'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_ha:
repository: 'ha'
description: 'AlmaLinux 9.5 HighAvailability'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/powertools
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_extras:
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_extras:
repository: 'extras'
description: 'AlmaLinux 8.9 - extras'
description: 'AlmaLinux 9.5 extras'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/extras
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
centos_8_advanced_virtualization:
repository: 'virt-advanced-virtualization'
description: 'CentOS Advanced Virtualization'
osname: 'centos'
release: '8' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=virt-advanced-virtualization' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_ceph_pacific:
repository: 'storage-ceph-pacific'
description: 'CentOS Ceph Pacific'
osname: 'centos'
release: '8' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=storage-ceph-pacific' # Assuming '8' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
centos_8_rabbitmq_38:
repository: 'messaging-rabbitmq-38'
description: 'CentOS RabbitMQ 38'
osname: 'centos'
release: '8-stream' # Specified based on the repository name
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=messaging-rabbitmq-38' # Assuming '8' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
centos_8_nfv_openvswitch:
repository: 'nfv-openvswitch-2'
description: 'CentOS NFV OpenvSwitch'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=nfv-openvswitch-2' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
centos_8_openstack_xena:
repository: 'cloud-openstack-xena'
description: 'CentOS OpenStack Xena'
osname: 'centos'
release: '8-stream' # Directly taken from the provided mirrorlist
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=cloud-openstack-xena' # Assuming 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
centos_8_opstools:
repository: 'opstools-collectd-5'
description: 'CentOS OpsTools - collectd'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?arch=x86_64&release=8-stream&repo=opstools-collectd-5' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
centos_8_ovirt45:
repository: 'virt-ovirt-45'
description: 'CentOS oVirt 4.5'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=virt-ovirt-45' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_stream_gluster10:
repository: 'storage-gluster-10'
description: 'CentOS oVirt 4.5 - Glusterfs 10'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=storage-gluster-10' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
epel_8_everything:
repository: 'Everything'
description: 'EPEL 8 Everything'
osname: 'epel'
release: '8'
mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_baseos:
repository: 'baseos'
description: 'AlmaLinux 9.4 BaseOS'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_appstream:
repository: 'appstream'
description: 'AlmaLinux 9.4 AppStream'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_crb:
repository: 'crb'
description: 'AlmaLinux 9.4 CRB'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_ha:
repository: 'ha'
description: 'AlmaLinux 9.4 HighAvailability'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_extras:
repository: 'extras'
description: 'AlmaLinux 9.4 extras'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/extras/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/extras/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
docker_stable_el8:
repository: 'stable'
description: 'Docker CE Stable EL8'
osname: 'docker'
release: 'el8'
baseurl: 'https://download.docker.com/linux/centos/8/x86_64/stable/'
gpgkey: 'https://download.docker.com/linux/centos/gpg'
docker_stable_el9:
repository: 'stable'
description: 'Docker CE Stable EL9'
osname: 'docker'
release: 'el9'
baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
gpgkey: 'https://download.docker.com/linux/centos/gpg'
frr_stable_el8:
repository: 'stable'
description: 'FRR Stable EL8'
osname: 'frr'
release: 'el8'
baseurl: 'https://rpm.frrouting.org/repo/el8/frr/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_extras_el8:
repository: 'extras'
description: 'FRR Extras EL8'
osname: 'frr'
release: 'el8'
baseurl: 'https://rpm.frrouting.org/repo/el8/extras/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_stable_el9:
repository: 'stable'
description: 'FRR Stable EL9'
osname: 'frr'
release: 'el9'
baseurl: 'https://rpm.frrouting.org/repo/el9/frr/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_extras_el9:
repository: 'extras'
description: 'FRR Extras el9'
osname: 'frr'
release: 'el9'
baseurl: 'https://rpm.frrouting.org/repo/el9/extras/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
k8s_1.32:
repository: '1.32'
description: 'Kubernetes 1.32'
osname: 'k8s'
release: '1.32'
baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/'
gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/repodata/repomd.xml.key'
mariadb_11_2_el8:
repository: 'el8'
description: 'MariaDB 11.2'
@@ -120,6 +171,27 @@ profiles::reposync::repos_list:
release: 'el'
baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
puppet7_el9:
repository: '9'
description: 'Puppet 7 EL9'
osname: 'puppet7'
release: 'el'
baseurl: 'https://yum.puppet.com/puppet7/el/9/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
puppet8_el8:
repository: '8'
description: 'Puppet 8 EL8'
osname: 'puppet8'
release: 'el'
baseurl: 'https://yum.puppet.com/puppet8/el/8/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
puppet8_el9:
repository: '9'
description: 'Puppet 8 EL9'
osname: 'puppet8'
release: 'el'
baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
postgresql_rhel8_common:
repository: 'common'
description: 'PostgreSQL Common RHEL 8'
@@ -127,6 +199,27 @@ profiles::reposync::repos_list:
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_common:
repository: 'common'
description: 'PostgreSQL Common RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel8_15:
repository: '15'
description: 'PostgreSQL 15 RHEL 8'
osname: 'postgresql'
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_15:
repository: '15'
description: 'PostgreSQL 15 RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel8_16:
repository: '16'
description: 'PostgreSQL 16 RHEL 8'
@@ -134,3 +227,52 @@ profiles::reposync::repos_list:
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_16:
repository: '16'
description: 'PostgreSQL 16 RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel8_17:
repository: '17'
description: 'PostgreSQL 17 RHEL 8'
osname: 'postgresql'
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_17:
repository: '17'
description: 'PostgreSQL 17 RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
zfs_dkms_rhel8:
repository: 'dkms'
description: 'ZFS DKMS RHEL 8'
osname: 'zfs'
release: 'rhel8'
baseurl: 'http://download.zfsonlinux.org/epel/8/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
zfs_kmod_rhel8:
repository: 'kmod'
description: 'ZFS KMOD RHEL 8'
osname: 'zfs'
release: 'rhel8'
baseurl: 'http://download.zfsonlinux.org/epel/8/kmod/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
zfs_dkms_rhel9:
repository: 'dkms'
description: 'ZFS DKMS RHEL 9'
osname: 'zfs'
release: 'rhel9'
baseurl: 'http://download.zfsonlinux.org/epel/9/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
zfs_kmod_rhel9:
repository: 'kmod'
description: 'ZFS KMOD RHEL 9'
osname: 'zfs'
release: 'rhel9'
baseurl: 'http://download.zfsonlinux.org/epel/9/kmod/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
+4
View File
@@ -0,0 +1,4 @@
---
profiles::sql::patroni::superuser_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAImaYEH6ktU6KYDu96OtuJu11FbmE+b9YwrkJiv72QfuVivR7lGfieRKcvkrq3IsNcwhhnl1lzyMZHteib7jLEIiaq59AZFiZyfF2E5bhNYfW4QcDJd4QOheU2awkZkl6oaoMUxgWOnqvihYVLDfoJ0lj6hBTFuqIzO/KU+AJ4NMO3+/+AK9+HB0u/8Iyuev4RQBkvaRAoszCcFCWTAZJTmhOgWe4xJIxfbh0/5k/dmT5WQ1JPEQK7hnVly9iToROZJDjuyndNHbrhCQUg4+DYMPS2fZVWvcESfxN8lJjBFPojj9ZbG5mLlq1e4A4KiZNwHfA1V4D88VWOkRg65XtZDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBzToImdK5/pk3UeZPyavjTgDCcYBzwY/g353Pbh0xr/we8KmvsQEtfxPDuPm4Kv4hsD5X0dHu2nGzBAZq5uWcE3RE=]
profiles::sql::patroni::replication_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWyCj+7WfzpTcpBg6uQ5ykGmLZmb/avW3Pc+VWj9bGvxSQCA8LA6HJlEhhL3mrJSTGUyHLgeEebEup9AVHe2k2l/JHIvhyfx7LI+mNDp8u5p40pM6ZxTdIJFOZmOS/nGjAR6mTv6Ennhpw4sWSDYXU0mJPTHGAked2FXV1xsS0zpTY7hccJHuww5ixOw6jP8E1Pu0ex4LmefOXApowf0jZ2pARndlsXwZldahUHIF48XejclpgCK9rTrb4eQsOZr5ozcj0BBpWg/JKNkQt8mQU5l5/z0GDT08Op8g6MVdJuOWr92uPqjc8sydrz0QAx4l8t1KY2fMWK7BPKqSdcOxiDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDEZBNd56BHVGRVfHDPPwZHgDAZKnqicbF/MVKPi1PwwyHrXMW/fWqocgr1zWx6RXWgXICqjJdEFXwFerXXb39RSDg=]
profiles::sql::patroni::postgres_exporter_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAL5brQt9CGFU7okDXZWF1jL1j+RbrQZhKfzGWyWl+SqRK6q+xH0LIzYQhOAji7tlDBzvFZpzglmzj0xDrAkQA46jg1DkR5+9Ozru9jL1nhg/6z/F54DlhAG7Ui0hjgSLal79VABLXa/cb9xJThx97b9xoOW+/vpfSKa4izFtkN9fliClFTVafxLlLLD/yABW99aq1OK+9MyCsppvs/rjWbXvjEKL+C0jawh4dBnc+tYJMHC/k5NIK0th4A/zSYVH5q6gFakpxrV2ubETIbVTDncC8zfRLhnrikZYNbCy5PuJb2a4vW1O0AOzUWqvqbRkWpYF7dJB9fzW/Tu8f8d10KTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAJS5PcA9aJvjGIfKSciLLpgDAU7xXGF+Sj+g1ABMvsenEmgXsdSKVU9ZYusIiGnPdFdN4EF9usi7g4SahochlG0NU=]
+28
View File
@@ -0,0 +1,28 @@
---
profiles::yum::global::repos:
postgresql-15:
name: postgresql-15
descr: postgresql-15 repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
postgresql-common:
name: postgresql-common
descr: postgresql-common repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
profiles::sql::patroni::postgres_exporter_enabled: true
profiles::sql::patroni::postgres_exporter_user: postgres_exporter
profiles::consul::client::node_rules:
- resource: service_prefix
segment: "%{hiera('profiles::sql::patroni::cluster_name')}"
disposition: write
- resource: key_prefix
segment: "service/%{hiera('profiles::sql::patroni::cluster_name')}"
disposition: write
- resource: session_prefix
segment: ""
disposition: write
@@ -89,3 +89,9 @@ profiles::consul::prepared_query::rules:
service_failover_n: 3
service_only_passing: true
ttl: 10
droneci:
ensure: 'present'
service_name: 'droneci'
service_failover_n: 3
service_only_passing: true
ttl: 10
+2 -2
View File
@@ -125,12 +125,12 @@ profiles::edgecache::params::mirrors:
ensure: present
location: '~* ^/ceph/yum/.*/repodata/'
rewrite_rules:
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
- '^/ceph/yum/(.*)$ /rpm-18.2.2/$1 break'
proxy: http://158.69.68.124
ceph_yum_data:
ensure: present
location: /ceph/yum
proxy: http://158.69.68.124/rpm-reef
proxy: http://158.69.68.124/rpm-18.2.2
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
+7
View File
@@ -0,0 +1,7 @@
---
profiles::packages::include:
chrony:
ensure: absent
# disable mlock for vault nodes on lxd/incus
vault::disable_mlock: true
+2 -2
View File
@@ -1,3 +1,3 @@
---
profiles::packages::install:
- "%{hiera('lm-sensors::package')}"
profiles::packages::include:
"%{hiera('lm-sensors::package')}": {}
+12 -4
View File
@@ -1,7 +1,14 @@
# used by certbot clients to request letsencrypt certificates
# - domains: list of certificates to generate
# - webserver: where the client downloads certificates from
# - data_dir: where to store the certificates on the client
# - services: the services to notify when certificates change
#
class certbot::client (
Array[Stdlib::Fqdn] $domains,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
Optional[String] $service = undef,
) {
mkdir::p {$data_dir:}
@@ -14,10 +21,11 @@ class certbot::client (
$domains.each |$domain| {
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
domain => $domain,
destination => "${data_dir}/${domain}",
webserver => $webserver,
require => File[$data_dir],
domain => $domain,
destination => "${data_dir}/${domain}",
webserver => $webserver,
require => File[$data_dir],
notify_service => $service,
}
}
}
+15
View File
@@ -1,7 +1,13 @@
# a define for creating a single certificate
# - domain: the domain to generate a certificate for
# - webserver: where to download the certificate from
# - destination: the data directory on the client
# - notify_service: what service to notify when the concat exec completes
define certbot::client::cert (
Stdlib::Fqdn $domain,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
Optional[String] $notify_service = undef,
) {
file { $destination:
@@ -34,8 +40,16 @@ define certbot::client::cert (
}
}
# create file resources
create_resources(file, $files_to_create)
# if notify_service is specified
if $notify_service != undef {
$service = Service[$notify_service]
}else{
$service = undef
}
exec { "concat_${domain}_certs":
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
path => ['/bin', '/usr/bin'],
@@ -44,6 +58,7 @@ define certbot::client::cert (
File["${destination}/fullchain.pem"],
File["${destination}/privkey.pem"],
],
notify => $service,
}
} else {
notify { 'Certificates are not yet ready on the generator server.': }

Some files were not shown because too many files have changed in this diff Show More