Compare commits
122 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 90ce015d43 | |||
| b9465cd78b | |||
| ce12303576 | |||
| 09a448ea52 | |||
| 1db8847833 | |||
| 6d919580e1 | |||
| 5549275ecc | |||
| 7acfea8547 | |||
| 318e816568 | |||
| 2ef4fb0bf8 | |||
| 2013641720 | |||
| 4bf4b42fdf | |||
| 933427e861 | |||
| 4a0760516f | |||
| 10b57abffc | |||
| 5b4bb95ffe | |||
| e09819284d | |||
| addfa02e08 | |||
| 93b9629c5c | |||
| 9dea399377 | |||
| 0210d849c7 | |||
| 42d8047043 | |||
| c0b94c181f | |||
| 265400db91 | |||
| ccf4ef27f7 | |||
| afda425fab | |||
| 69c298e162 | |||
| 1ad2b806b4 | |||
| dc58084cc9 | |||
| 938db9880b | |||
| ecbea24ba8 | |||
| bcb9beae5f | |||
| e1e604516d | |||
| 0bed8ba4f4 | |||
| 5471adae32 | |||
| 91d9a073d6 | |||
| ec7814e2a9 | |||
| 71c134dc1a | |||
| cb803d885e | |||
| 90eabac007 | |||
| d79a5de17b | |||
| 0f755b231f | |||
| 2912cbb68b | |||
| 3d1ba79325 | |||
| c33b58ead6 | |||
| 9f937b2869 | |||
| 8660bec810 | |||
| f30325b3e9 | |||
| 76c1c93c02 | |||
| 4577997506 | |||
| 6326e820a9 | |||
| 757f3042ed | |||
| 5d36a4053b | |||
| 8fad79f2bc | |||
| 68c569b282 | |||
| 975adc31d7 | |||
| 8a8cc0ae1b | |||
| 70a9edd118 | |||
| 348d8889ed | |||
| 1a2023f4ff | |||
| 35834f8f5a | |||
| 4347faf153 | |||
| 5c731fef34 | |||
| b7fc6a1993 | |||
| afe2a2afb7 | |||
| c76ce3bf10 | |||
| af989a19c3 | |||
| 4d08e30733 | |||
| e2873a492a | |||
| 90af895a34 | |||
| 52e3d5b20b | |||
| aadd0275ac | |||
| 390a5a58c7 | |||
| 403e3eeb1b | |||
| 352878e27c | |||
| 0cad88cdad | |||
| 859fc0d909 | |||
| a5baed8cd9 | |||
| 44707910aa | |||
| dafac3d5ab | |||
| 3ce2ec3754 | |||
| 7863d54275 | |||
| 988e7c2a32 | |||
| 0c44654a47 | |||
| 20ee6fa19e | |||
| c846cc4e21 | |||
| 8e0f26e726 | |||
| 4579e268f0 | |||
| f1e1828a4a | |||
| 2ae8dbc0ac | |||
| 4338dfe27f | |||
| 66cb1e356d | |||
| 2bda41712a | |||
| d3daac3b71 | |||
| eb32a216f5 | |||
| 5354c99b1e | |||
| 6a3123e12e | |||
| 26ffe17ee1 | |||
| cb5bb0798f | |||
| 08241692ee | |||
| 76989e45c4 | |||
| cc01259a64 | |||
| b5148fc2a0 | |||
| ab44bfc430 | |||
| 4c38232ceb | |||
| 20686e04f4 | |||
| 480eced404 | |||
| 946922fdb9 | |||
| 1570bbd8f2 | |||
| 319c3b6d67 | |||
| e2f571649e | |||
| 0fb11b22cf | |||
| 01fc6aacd7 | |||
| 73c7dbd56c | |||
| 3ed692cc77 | |||
| ec92a6d3df | |||
| bbd6cdb228 | |||
| 2cbba808c3 | |||
| df9f31e0f7 | |||
| 95a0b543fd | |||
| 90d123f4d0 | |||
| 3dc8fb03fa |
+7
-2
@@ -11,13 +11,13 @@ mod 'puppetlabs-apt', '9.4.0'
|
||||
mod 'puppetlabs-lvm', '2.1.0'
|
||||
mod 'puppetlabs-puppetdb', '7.13.0'
|
||||
mod 'puppetlabs-postgresql', '9.1.0'
|
||||
mod 'puppetlabs-firewall', '6.0.0'
|
||||
mod 'puppetlabs-accounts', '8.1.0'
|
||||
mod 'puppetlabs-mysql', '15.0.0'
|
||||
mod 'puppetlabs-xinetd', '3.4.1'
|
||||
mod 'puppetlabs-haproxy', '8.0.0'
|
||||
mod 'puppetlabs-java', '10.1.2'
|
||||
mod 'puppetlabs-reboot', '5.0.0'
|
||||
mod 'puppetlabs-docker', '10.0.1'
|
||||
|
||||
# puppet
|
||||
mod 'puppet-python', '7.0.0'
|
||||
@@ -33,12 +33,16 @@ mod 'puppet-grafana', '13.1.0'
|
||||
mod 'puppet-consul', '8.0.0'
|
||||
mod 'puppet-vault', '4.1.0'
|
||||
mod 'puppet-dhcp', '6.1.0'
|
||||
mod 'puppet-keepalived', '3.6.0'
|
||||
mod 'puppet-keepalived', '5.1.0'
|
||||
mod 'puppet-extlib', '7.0.0'
|
||||
mod 'puppet-network', '2.2.0'
|
||||
mod 'puppet-kmod', '4.0.1'
|
||||
mod 'puppet-filemapper', '4.0.0'
|
||||
mod 'puppet-letsencrypt', '11.0.0'
|
||||
mod 'puppet-rundeck', '9.1.0'
|
||||
mod 'puppet-redis', '11.0.0'
|
||||
mod 'puppet-ipset', '4.3.0'
|
||||
mod 'puppet-nftables', '4.0.0'
|
||||
|
||||
# other
|
||||
mod 'ghoneycutt-puppet', '3.3.0'
|
||||
@@ -52,6 +56,7 @@ mod 'broadinstitute-certs', '3.0.1'
|
||||
mod 'stm-file_capability', '6.0.0'
|
||||
mod 'h0tw1r3-gitea', '3.2.0'
|
||||
mod 'rehan-mkdir', '2.0.0'
|
||||
mod 'tailoredautomation-patroni', '2.0.0'
|
||||
|
||||
mod 'bind',
|
||||
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||
|
||||
+112
-61
@@ -3,16 +3,10 @@ lookup_options:
|
||||
hiera_classes:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::install:
|
||||
profiles::packages::include:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::install_exclude:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::remove:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::remove_exclude:
|
||||
profiles::packages::exclude:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::pki::vault::alt_names:
|
||||
@@ -135,6 +129,12 @@ lookup_options:
|
||||
certbot::client::domains:
|
||||
merge:
|
||||
strategy: deep
|
||||
keepalived::vrrp_script:
|
||||
merge:
|
||||
strategy: deep
|
||||
keepalived::vrrp_instance:
|
||||
merge:
|
||||
strategy: deep
|
||||
|
||||
facts_path: '/opt/puppetlabs/facter/facts.d'
|
||||
|
||||
@@ -142,6 +142,16 @@ hiera_include:
|
||||
- timezone
|
||||
- networking
|
||||
- ssh::server
|
||||
- profiles::accounts::rundeck
|
||||
- firewall::rules::in::exporters
|
||||
- firewall::rules::in::consul
|
||||
- firewall::rules::out::consul
|
||||
- firewall::rules::out::dns
|
||||
- firewall::rules::out::http
|
||||
- firewall::rules::out::https
|
||||
- firewall::rules::out::ntp
|
||||
- firewall::rules::out::puppet
|
||||
- firewall::rules::out::vault
|
||||
|
||||
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
||||
profiles::ntp::client::use_ntp: 'region'
|
||||
@@ -172,59 +182,70 @@ profiles::consul::client::node_rules:
|
||||
segment: ''
|
||||
disposition: read
|
||||
|
||||
profiles::packages::install:
|
||||
- bash-completion
|
||||
- bzip2
|
||||
- ccze
|
||||
- curl
|
||||
- dstat
|
||||
- expect
|
||||
- gcc
|
||||
- gzip
|
||||
- git
|
||||
- htop
|
||||
- inotify-tools
|
||||
- iotop
|
||||
- jq
|
||||
- lz4
|
||||
- mtr
|
||||
- ncdu
|
||||
- neovim
|
||||
- p7zip
|
||||
- pbzip2
|
||||
- pigz
|
||||
- pv
|
||||
- python3.11
|
||||
- rsync
|
||||
- screen
|
||||
- socat
|
||||
- strace
|
||||
- sysstat
|
||||
- tar
|
||||
- tmux
|
||||
- traceroute
|
||||
- unzip
|
||||
- vim
|
||||
- vnstat
|
||||
- wget
|
||||
- zsh
|
||||
- zstd
|
||||
|
||||
profiles::packages::remove:
|
||||
- iwl100-firmware
|
||||
- iwl1000-firmware
|
||||
- iwl105-firmware
|
||||
- iwl135-firmware
|
||||
- iwl2000-firmware
|
||||
- iwl2030-firmware
|
||||
- iwl3160-firmware
|
||||
- iwl5000-firmware
|
||||
- iwl5150-firmware
|
||||
- iwl6000-firmware
|
||||
- iwl6000g2a-firmware
|
||||
- iwl6050-firmware
|
||||
- iwl7260-firmware
|
||||
- puppet7-release
|
||||
profiles::packages::include:
|
||||
bash-completion: {}
|
||||
bzip2: {}
|
||||
ccze: {}
|
||||
curl: {}
|
||||
dstat: {}
|
||||
expect: {}
|
||||
gzip: {}
|
||||
git: {}
|
||||
htop: {}
|
||||
inotify-tools: {}
|
||||
iotop: {}
|
||||
jq: {}
|
||||
lz4: {}
|
||||
mtr: {}
|
||||
ncdu: {}
|
||||
neovim: {}
|
||||
p7zip: {}
|
||||
pbzip2: {}
|
||||
pigz: {}
|
||||
pv: {}
|
||||
python3.11: {}
|
||||
rsync: {}
|
||||
screen: {}
|
||||
socat: {}
|
||||
strace: {}
|
||||
sysstat: {}
|
||||
tar: {}
|
||||
tmux: {}
|
||||
traceroute: {}
|
||||
unzip: {}
|
||||
vim: {}
|
||||
vnstat: {}
|
||||
wget: {}
|
||||
zsh: {}
|
||||
zstd: {}
|
||||
iwl100-firmware:
|
||||
ensure: absent
|
||||
iwl1000-firmware:
|
||||
ensure: absent
|
||||
iwl105-firmware:
|
||||
ensure: absent
|
||||
iwl135-firmware:
|
||||
ensure: absent
|
||||
iwl2000-firmware:
|
||||
ensure: absent
|
||||
iwl2030-firmware:
|
||||
ensure: absent
|
||||
iwl3160-firmware:
|
||||
ensure: absent
|
||||
iwl5000-firmware:
|
||||
ensure: absent
|
||||
iwl5150-firmware:
|
||||
ensure: absent
|
||||
iwl6000-firmware:
|
||||
ensure: absent
|
||||
iwl6000g2a-firmware:
|
||||
ensure: absent
|
||||
iwl6050-firmware:
|
||||
ensure: absent
|
||||
iwl7260-firmware:
|
||||
ensure: absent
|
||||
puppet7-release:
|
||||
ensure: absent
|
||||
|
||||
profiles::base::scripts::scripts:
|
||||
puppet: puppetwrapper.py
|
||||
@@ -293,6 +314,8 @@ sudo::configs:
|
||||
|
||||
profiles::accounts::sysadmin::sshkeys:
|
||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
|
||||
profiles::accounts::rundeck::sshkeys:
|
||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD4F7VcorbGpyZzBFexz7c/o1JBscrl7hZU0UkWV7fq6YLizW0r6fOzD99hMwu1kdYCjPxbvuUSDEHfyBIp2EgLWU6wFVoufQqlMyOV85+ivQZUc1VNV+X9T+U4v3u/01hkAmlpXtbkwhMSR4Wi+tdABd04+D3CuMDM37mvnFmBBmi41X4Mr1rJhOQumn1XHQ7EYbsdw2mxfEVVeWpZIHz5BjNKSGzEIAYZbFt6s0Y7X3J5RT+Gjqmu043Tc8nNIUFlR9E10qd3Euf9RiBYxBx3z+yfOzJPBzWNBSHv1+PIbO5Mq+z5JaAfoFZO41L7nw+FjV6JJUCVLr6Vq+bCxyA7LW4Oq9ZahSrt/vrT0kTa0tA5U9bqK6e7pB//dm7PzoROtTq0XksV8RseA/fvIje20uaN1z9dynx+UcbszXu9pQ5GIg1o7b5DEi3OZHJwpgdudiCyEeR4+00G0z4PjpEMnTSMHAJ53WxtjzrPAOBnAmPE7hPu4coU+XrCWEXAvRMloJmca68e+zFX7VvFK82KVDuQ99vQ6w4X73IESKoLzyAVxpelwHaDG4fN+zqYfqubVQU1L5cUeYKxqm5r3Us6VvMaYs1ZMUmDGXHOq4FNhGUJYxSjkLvunM6qyAAJQCd6Pw/2TV3UQVerbouGOZaeBLvRguHWSbDrO99Zu+t87w== rundeck_runner
|
||||
|
||||
networking::interface_defaults:
|
||||
ensure: present
|
||||
@@ -327,3 +350,31 @@ profiles::ceph::client::mons:
|
||||
# aliases:
|
||||
# - prodinf01n22
|
||||
# - repos.main.unkin.net
|
||||
|
||||
firewall::enable: true
|
||||
firewall::ipset_queries:
|
||||
certbot: "enc_role=roles::infra::pki::certbot"
|
||||
cobbler: "enc_role=roles::infra::cobbler::server"
|
||||
consul: "enc_role=roles::infra::storage::consul"
|
||||
dhcp: "enc_role=roles::infra::dhcp::server"
|
||||
dns_master: "enc_role=roles::infra::dns::master"
|
||||
dns_resolver: "enc_role=roles::infra::dns::resolver"
|
||||
edgecache: "enc_role=roles::infra::storage::edgecache"
|
||||
gitea_runner: "enc_role=roles::infra::git::runner"
|
||||
gitea_server: "enc_role=roles::infra::git::gitea"
|
||||
glauth: "enc_role=roles::infra::auth::glauth"
|
||||
gonic: "enc_role=roles::apps::music::gonic"
|
||||
grafana: "enc_role=roles::infra::metrics::grafana"
|
||||
haproxy: "enc_role=roles::infra::halb::haproxy"
|
||||
jumphost: "enc_role=roles::infra::proxy::jumphost"
|
||||
ntp: "enc_role=roles::infra::ntp::server"
|
||||
prometheus: "enc_role=roles::infra::metrics::prometheus"
|
||||
puppetboard: "enc_role=roles::infra::puppetboard::server"
|
||||
puppetmaster: "enc_role=roles::infra::puppet::master"
|
||||
puppetdb_sql: "enc_role=roles::infra::puppetdb::sql"
|
||||
puppetdb_api: "enc_role=roles::infra::puppetdb::api"
|
||||
redis: "enc_role=roles::infra::db::redis"
|
||||
rundeck: "enc_role=roles::infra::automation::rundeck"
|
||||
sql_galera: "enc_role=roles::infra::sql::galera"
|
||||
sql_patroni: "enc_role=roles::infra::sql::patroni"
|
||||
vault: "enc_role=roles::infra::storage::vault"
|
||||
|
||||
@@ -1,4 +1,31 @@
|
||||
---
|
||||
hiera_include:
|
||||
- keepalived
|
||||
|
||||
# keepalived
|
||||
profiles::haproxy::dns::vrrp_ipaddr: '198.18.13.250'
|
||||
profiles::haproxy::dns::vrrp_cnames:
|
||||
- sonarr.main.unkin.net
|
||||
- radarr.main.unkin.net
|
||||
- lidarr.main.unkin.net
|
||||
- readarr.main.unkin.net
|
||||
- prowlarr.main.unkin.net
|
||||
- nzbget.main.unkin.net
|
||||
|
||||
keepalived::vrrp_script:
|
||||
check_haproxy:
|
||||
script: '/usr/bin/killall -0 haproxy'
|
||||
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
interface: 'eth0'
|
||||
virtual_router_id: 250
|
||||
auth_type: 'PASS'
|
||||
auth_pass: 'quiiK7oo'
|
||||
virtual_ipaddress: '198.18.13.250/32'
|
||||
track_script:
|
||||
- check_haproxy
|
||||
|
||||
# mappings
|
||||
profiles::haproxy::mappings:
|
||||
fe_http:
|
||||
@@ -233,6 +260,7 @@ profiles::haproxy::dns::cnames:
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
|
||||
# letsencrypt certificates
|
||||
certbot::client::service: haproxy
|
||||
certbot::client::domains:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
|
||||
@@ -1,2 +1,3 @@
|
||||
---
|
||||
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
|
||||
mysql::db::rundeck::pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcWmZuTro0DNX8X/6DCJdmxm85hawng2cjSm/M26/sAzlr7i3XLIjg5TQc3BpeiKWZvQ2XZWygOEcW7g0bHH7FBS6XTXswDiLCf7ssd0DYL+eQbh4p6VijBKObug33fp4+YJaqGV7YRUNqBjXQv/SSmxFqbNaRahUqwbMidJCyjGNmfCfbSd9WxI4/8j0L38rjXR3/i+/xzgVIhgz/qymmw0rky6jN14YrwRIkdW6loMFzVd12tqdX9kh7UBdE7j58ntQgJSilQn2pLmQs6dgcXSOeIi8Sln4R0MfAtOQ1c6LoKMUdb7k8xEszpGbhX7sw51kpwvnL1LS6PQ+T8T9wDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDm1sAUc6LFtslrIuwk1JlJgDAngDM/0g4dpgyNOZDsvAU8OualEL6HZ2RFGfibteUc11wZzHkdFZlvHz2JZdO7Huo=]
|
||||
|
||||
@@ -13,3 +13,12 @@ mysql::db:
|
||||
- INSERT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
rundeck:
|
||||
name: rundeck
|
||||
user: rundeck
|
||||
password: "%{alias('mysql::db::rundeck::pass')}"
|
||||
grant:
|
||||
- SELECT
|
||||
- INSERT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
|
||||
@@ -5,3 +5,9 @@ networking::interfaces:
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
|
||||
profiles::haproxy::dns::vrrp_master: true
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
state: 'MASTER'
|
||||
priority: 101
|
||||
|
||||
@@ -5,3 +5,8 @@ networking::interfaces:
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
state: 'BACKUP'
|
||||
priority: 100
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.59
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.60
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.61
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.62
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.63
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.64
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.65
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.66
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.67
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.68
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.69
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -8,12 +8,14 @@ profiles::puppet::agent::puppet_version: '7.26.0'
|
||||
hiera_include:
|
||||
- profiles::almalinux::base
|
||||
|
||||
profiles::packages::install:
|
||||
- lzo
|
||||
- network-scripts
|
||||
- policycoreutils
|
||||
- unar
|
||||
- xz
|
||||
profiles::packages::include:
|
||||
lzo: {}
|
||||
firewalld:
|
||||
ensure: absent
|
||||
network-scripts: {}
|
||||
policycoreutils: {}
|
||||
unar: {}
|
||||
xz: {}
|
||||
|
||||
lm-sensors::package: lm_sensors
|
||||
|
||||
|
||||
@@ -1,15 +1,15 @@
|
||||
# hieradata/os/debian/all_releases.yaml
|
||||
---
|
||||
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
|
||||
profiles::apt::base::mirrorurl: http://edgecache.query.consul/debian/
|
||||
profiles::apt::base::secureurl: http://security.debian.org/debian-security
|
||||
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
|
||||
profiles::apt::puppet7::repo: puppet7
|
||||
profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
|
||||
|
||||
profiles::packages::install:
|
||||
- lzop
|
||||
- python3.11-venv
|
||||
- xz-utils
|
||||
profiles::packages::include:
|
||||
lzop: {}
|
||||
python3.11-venv: {}
|
||||
xz-utils: {}
|
||||
|
||||
lm-sensors::package: lm-sensors
|
||||
networking::nwmgr_dns_none: false
|
||||
|
||||
@@ -59,3 +59,19 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: nzbget
|
||||
disposition: write
|
||||
|
||||
profiles::yum::global::repos:
|
||||
rpmfusion-free:
|
||||
name: rpmfusion-free
|
||||
descr: rpmfusion-free repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
rpmfusion-nonfree:
|
||||
name: rpmfusion-nonfree
|
||||
descr: rpmfusion-nonfree repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
|
||||
@@ -54,3 +54,12 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: prowlarr
|
||||
disposition: write
|
||||
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
arrstack_web_external:
|
||||
location_satisfy: any
|
||||
location_allow:
|
||||
- 198.18.13.47
|
||||
- 198.18.13.50
|
||||
- 198.18.13.51
|
||||
- 198.18.13.52
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
profiles::packages::install:
|
||||
- policycoreutils
|
||||
profiles::packages::include:
|
||||
policycoreutils: {}
|
||||
|
||||
puppetdb::master::config::create_puppet_service_resource: false
|
||||
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
|
||||
|
||||
@@ -59,6 +59,10 @@ glauth::users:
|
||||
- 20014
|
||||
- 20015
|
||||
- 20016
|
||||
- 20017
|
||||
- 20018
|
||||
- 20023
|
||||
- 20024
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/benvin'
|
||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
||||
@@ -82,6 +86,91 @@ glauth::users:
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/matsol'
|
||||
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
|
||||
seablo:
|
||||
user_name: 'seablo'
|
||||
givenname: 'Sean'
|
||||
sn: 'Bloomfield'
|
||||
mail: 'seablo@users.main.unkin.net'
|
||||
uidnumber: 20002
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010 # jelly
|
||||
- 20011 # sonarr
|
||||
- 20012 # radarr
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/seablo'
|
||||
passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
|
||||
marbal:
|
||||
user_name: 'marbal'
|
||||
givenname: 'Mark'
|
||||
sn: 'Balch'
|
||||
mail: 'marbal@users.main.unkin.net'
|
||||
uidnumber: 20003
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010 # jelly
|
||||
- 20011 # sonarr
|
||||
- 20012 # radarr
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/marbal'
|
||||
passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
|
||||
kelren:
|
||||
user_name: 'kelren'
|
||||
givenname: 'Kelly'
|
||||
sn: 'Rennie'
|
||||
mail: 'kelren@users.main.unkin.net'
|
||||
uidnumber: 20004
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010 # jelly
|
||||
- 20011 # sonarr
|
||||
- 20012 # radarr
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/kelren'
|
||||
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
|
||||
ryadun:
|
||||
user_name: 'ryadun'
|
||||
givenname: 'Ryan'
|
||||
sn: 'Dunbar'
|
||||
mail: 'ryadun@users.main.unkin.net'
|
||||
uidnumber: 20005
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010 # jelly
|
||||
- 20011 # sonarr
|
||||
- 20012 # radarr
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/ryadun'
|
||||
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
|
||||
margol:
|
||||
user_name: 'margol'
|
||||
givenname: 'Maree'
|
||||
sn: 'Goldsworthy'
|
||||
mail: 'margol@users.main.unkin.net'
|
||||
uidnumber: 20006
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010 # jelly
|
||||
- 20011 # sonarr
|
||||
- 20012 # radarr
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/margol'
|
||||
passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
|
||||
|
||||
glauth::services:
|
||||
svc_jellyfin:
|
||||
@@ -126,6 +215,32 @@ glauth::services:
|
||||
uidnumber: 30006
|
||||
primarygroup: 20001
|
||||
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
|
||||
svc_nzbsubmit:
|
||||
service_name: 'svc_nzbsubmit'
|
||||
mail: 'nzbsubmit@service.main.unkin.net'
|
||||
uidnumber: 30007
|
||||
primarygroup: 20001
|
||||
othergroups:
|
||||
- 20016
|
||||
passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2'
|
||||
svc_rundeck:
|
||||
service_name: 'svc_rundeck'
|
||||
mail: 'rundeck@service.main.unkin.net'
|
||||
uidnumber: 30007
|
||||
primarygroup: 20001
|
||||
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
|
||||
svc_terraform:
|
||||
service_name: 'svc_terraform'
|
||||
mail: 'terraform@service.main.unkin.net'
|
||||
uidnumber: 30008
|
||||
primarygroup: 20001
|
||||
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
|
||||
svc_vault:
|
||||
service_name: 'svc_vault'
|
||||
mail: 'vault@service.main.unkin.net'
|
||||
uidnumber: 30009
|
||||
primarygroup: 20001
|
||||
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
|
||||
|
||||
glauth::groups:
|
||||
users:
|
||||
@@ -155,3 +270,27 @@ glauth::groups:
|
||||
nzbget_access:
|
||||
group_name: 'nzbget_access'
|
||||
gidnumber: 20016
|
||||
rundeck_access:
|
||||
group_name: 'rundeck_access'
|
||||
gidnumber: 20017
|
||||
rundeck_globaladmin:
|
||||
group_name: 'rundeck_globaladmin'
|
||||
gidnumber: 20018
|
||||
rundeck_selfservice_admin:
|
||||
group_name: 'rundeck_selfservice_admin'
|
||||
gidnumber: 20019
|
||||
rundeck_selfservice_user:
|
||||
group_name: 'rundeck_selfservice_user'
|
||||
gidnumber: 20020
|
||||
rundeck_infrastructure_admin:
|
||||
group_name: 'rundeck_infrastructure_admin'
|
||||
gidnumber: 20021
|
||||
rundeck_infrastructure_user:
|
||||
group_name: 'rundeck_infrastructure_user'
|
||||
gidnumber: 20022
|
||||
vault_access:
|
||||
group_name: 'vault_access'
|
||||
gidnumber: 20023
|
||||
vault_admin:
|
||||
group_name: 'vault_admin'
|
||||
gidnumber: 20024
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -0,0 +1,205 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::rundeck::server
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
hiera_exclude:
|
||||
- profiles::accounts::rundeck
|
||||
|
||||
profiles::packages::exclude:
|
||||
- jq
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::nginx::simpleproxy::proxy_port: 4440
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 20M
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
rundeck:
|
||||
service_name: 'rundeck'
|
||||
tags:
|
||||
- 'automation'
|
||||
- 'rundeck'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'glauth_http_check'
|
||||
name: 'glauth HTTP Check'
|
||||
http: "http://%{facts.networking.fqdn}:4440"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: rundeck
|
||||
disposition: write
|
||||
|
||||
profiles::rundeck::server::mysql_backend: true
|
||||
profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
|
||||
profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
|
||||
profiles::rundeck::server::auth_config:
|
||||
file:
|
||||
auth_flag: 'sufficient'
|
||||
jaas_config:
|
||||
file: '/etc/rundeck/realm.properties'
|
||||
realm_config:
|
||||
admin_user: 'admin'
|
||||
admin_password: "%{hiera('rundeck_admin_pass')}"
|
||||
ldap:
|
||||
jaas_config:
|
||||
debug: 'true'
|
||||
providerUrl: 'ldap://ldap.service.consul:389'
|
||||
bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
bindPassword: "%{hiera('ldap_bindpass')}"
|
||||
authenticationMethod: 'simple'
|
||||
forceBindingLogin: 'true'
|
||||
userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
|
||||
userRdnAttribute: 'uid'
|
||||
userIdAttribute: 'uid'
|
||||
userPasswordAttribute: 'userPassword'
|
||||
userObjectClass: 'posixAccount'
|
||||
roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
|
||||
roleNameAttribute: 'uid'
|
||||
roleMemberAttribute: 'uniqueMember'
|
||||
roleObjectClass: 'groupOfUniqueNames'
|
||||
nestedGroups: 'true'
|
||||
|
||||
profiles::rundeck::server::key_storage_config:
|
||||
- type: 'db'
|
||||
path: 'keys'
|
||||
- type: 'vault-storage'
|
||||
path: 'vault'
|
||||
config:
|
||||
prefix: 'rundeck'
|
||||
address: https://vault.query.consul:8200
|
||||
storageBehaviour: 'vault'
|
||||
secretBackend: rundeck
|
||||
engineVersion: '2'
|
||||
authBackend: approle
|
||||
approleAuthMount: approle
|
||||
approleId: "%{hiera('vault::roleid')}"
|
||||
|
||||
profiles::rundeck::server::cli_projects:
|
||||
Self-Service:
|
||||
update_method: 'set'
|
||||
config:
|
||||
project.description: 'self-service tasks'
|
||||
project.disable.executions: 'false'
|
||||
Infrastructure:
|
||||
config:
|
||||
project.description: 'infrastructure management'
|
||||
project.disable.schedule: 'false'
|
||||
|
||||
profiles::rundeck::server::acl_policies:
|
||||
global_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Global Admin, all access'
|
||||
context:
|
||||
application: "rundeck"
|
||||
for:
|
||||
project:
|
||||
- allow: '*'
|
||||
resource:
|
||||
- allow: '*'
|
||||
storage:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_globaladmin']
|
||||
- description: 'Global Admin, all access'
|
||||
context:
|
||||
project: '.*'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_globaladmin']
|
||||
selfservice_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Admin, all access for Self-Service project'
|
||||
context:
|
||||
project: 'Self-Service'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_selfserice_admin']
|
||||
selfservice_user_policy:
|
||||
acl_policies:
|
||||
- description: 'Users can execute tasks but not edit for Self-Service project'
|
||||
context:
|
||||
project: 'Self-Service'
|
||||
for:
|
||||
resource:
|
||||
- allow: ['read']
|
||||
adhoc:
|
||||
- allow: ['run']
|
||||
job:
|
||||
- allow: ['read', 'run']
|
||||
node:
|
||||
- allow: ['read', 'run']
|
||||
by:
|
||||
- group: ['rundeck_selfserice_user']
|
||||
infrastructure_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Admin, all access for Infrastructure project'
|
||||
context:
|
||||
project: 'Infrastructure'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_infrastructure_admin']
|
||||
infrastructure_user_policy:
|
||||
acl_policies:
|
||||
- description: 'Users can execute tasks but not edit for Infrastructure project'
|
||||
context:
|
||||
project: 'Infrastructure'
|
||||
for:
|
||||
resource:
|
||||
- allow: ['read']
|
||||
adhoc:
|
||||
- allow: ['run']
|
||||
job:
|
||||
- allow: ['read', 'run']
|
||||
node:
|
||||
- allow: ['read', 'run']
|
||||
by:
|
||||
- group: ['rundeck_infrastructure_user']
|
||||
@@ -1,15 +1,15 @@
|
||||
---
|
||||
profiles::packages::install:
|
||||
- cobbler
|
||||
- cobbler3.2-web
|
||||
- httpd
|
||||
- syslinux
|
||||
- dnf-plugins-core
|
||||
- debmirror
|
||||
- pykickstart
|
||||
- fence-agents
|
||||
- selinux-policy-devel
|
||||
- ipxe-bootimgs
|
||||
profiles::packages::include:
|
||||
cobbler: {}
|
||||
cobbler3.2-web: {}
|
||||
httpd: {}
|
||||
syslinux: {}
|
||||
dnf-plugins-core: {}
|
||||
debmirror: {}
|
||||
pykickstart: {}
|
||||
fence-agents: {}
|
||||
selinux-policy-devel: {}
|
||||
ipxe-bootimgs: {}
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- cobbler.main.unkin.net
|
||||
@@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive
|
||||
|
||||
hiera_include:
|
||||
- profiles::selinux::setenforce
|
||||
- firewall::rules::in::cobbler
|
||||
- firewall::rules::in::http
|
||||
- firewall::rules::in::https
|
||||
- firewall::rules::in::tftp
|
||||
- firewall::rules::in::sshd
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
redisha::masterauth: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAV8znsSGAbPpPUhAcyOIWFltVyAcx3yVcIvC+JFndkkuVBT1813GSURrXIreXSilvJEHlwRC03A9NhjWJSsHBIS12uUb+7ap95oh2JJ7OHmeWSVD1GDDRpTQAgDEOikAnioRNJfQ83jUa11nJrsavt46hSq8vDq+rZ2P8ugiNk59mNX5vgYthCPXcEJd7UmpLZhgxZ8+42l4TKo7QpqKRcIMteJXk1NvyYfYGnGTZhknuyHM3xPGauGjKzamMlTzD9dGnn2K0/Q7I4PUyT24ZEG3kNVyDlVHTYcKnIT5q8qvmJdDQfZwOETF3SrzcqhQ2nqFvmI19sCTsQVmveb/2ITBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9KML3vzwF4vGZdtiu++jmgDAWPZspCckgoXPkgNRMePov3pXSlKUAGxwmdsuIM75rJMxlSTiil2lzMMBWXmUofys=]
|
||||
@@ -0,0 +1,67 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- redis.main.unkin.net
|
||||
- redis.service.consul
|
||||
- redis.query.consul
|
||||
- "redis.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- redis.main.unkin.net
|
||||
- redis.service.consul
|
||||
- redis.query.consul
|
||||
|
||||
|
||||
hiera_include:
|
||||
- redisha
|
||||
|
||||
redisha::manage_repo: false
|
||||
redisha::redisha_members_lookup: true
|
||||
redisha::redisha_members_role: roles::infra::db::redis
|
||||
#redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
#redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
|
||||
redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
|
||||
redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
|
||||
redisha::tools::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
|
||||
sudo::configs:
|
||||
consul:
|
||||
priority: 20
|
||||
content: |
|
||||
consul ALL=(ALL) NOPASSWD: /usr/local/sbin/sentineladm info
|
||||
consul::services:
|
||||
redis-replica:
|
||||
service_name: "redis-replica-%{facts.environment}"
|
||||
tags:
|
||||
- 'redis'
|
||||
- 'redis-replica'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 6379
|
||||
checks:
|
||||
- id: 'redis-replica_tcp_check'
|
||||
name: 'Redis Replica TCP Check'
|
||||
tcp: "%{facts.networking.ip}:6379"
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
redis-master:
|
||||
service_name: "redis-master-%{facts.environment}"
|
||||
tags:
|
||||
- 'redis'
|
||||
- 'redis-master'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 6379
|
||||
checks:
|
||||
- id: 'redis-master_tcp_check'
|
||||
name: "Redis Master Check"
|
||||
args:
|
||||
- '/usr/local/bin/check_redis_master'
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: "redis-replica-%{facts.environment}"
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: "redis-master-%{facts.environment}"
|
||||
disposition: write
|
||||
@@ -1,4 +1,8 @@
|
||||
---
|
||||
hiera_include:
|
||||
- firewall::rules::in::dhcp
|
||||
- firewall::rules::in::sshd
|
||||
|
||||
profiles::dhcp::server::ntpservers:
|
||||
- ntp01.main.unkin.net
|
||||
- ntp02.main.unkin.net
|
||||
|
||||
@@ -33,13 +33,6 @@ profiles::dns::resolver::zones:
|
||||
- 10.10.16.32
|
||||
- 10.10.16.33
|
||||
forward: 'only'
|
||||
unkin.net-forward:
|
||||
domain: 'unkin.net'
|
||||
zone_type: 'forward'
|
||||
forwarders:
|
||||
- 10.10.16.32
|
||||
- 10.10.16.33
|
||||
forward: 'only'
|
||||
dmz.unkin.net-forward:
|
||||
domain: 'dmz.unkin.net'
|
||||
zone_type: 'forward'
|
||||
@@ -67,7 +60,6 @@ profiles::dns::resolver::views:
|
||||
recursion: true
|
||||
zones:
|
||||
- main.unkin.net-forward
|
||||
- unkin.net-forward
|
||||
- dmz.unkin.net-forward
|
||||
- network.unkin.net-forward
|
||||
- prod.unkin.net-forward
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
droneci_server::rpc_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF8cEANj72ACYYdilP52Oz4EXVt+stx838tFVV4SFukoCTmN+kJ3GUUEM9x+oDvo17CsZhDzx5dX0JGo7N9MCLHsR4XKx3GSoAKvaSiD73TbzbdTNJgTIE1tRP9HNbJKizwWLo4lo+OUNtwnu0Z5dkMLYRHyvZ1hG24qmdXVn9DI06gVGQw9YXGmNy8AvA0BKnaHvUnE5XoLNVKZ4g1yvc/nkYpK6nLB+X4sZ96PRig7khiuFVvAfpg5c2iWnF13ljIajnG9uY12RyGaAGfH4l/d3UEyuHyQL4zzT8N7gGt8fvg7eNFx51TyEpVRFLyQ7dqq/lzn0moXVT35PQr9K3DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCGJ+rkxhqmyUUiIQLG7PnggDBPH9gyYAW5/XjDp5xd6GnuSt/WWOwOGxhg+1BoPzbV5o+Xufg5zyMVdYeI1MWD/u8=]
|
||||
@@ -0,0 +1,25 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::base::datavol
|
||||
- docker
|
||||
- droneci::runner
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
droneci::runner::ports:
|
||||
- 3000:3000
|
||||
droneci::runner::volumes:
|
||||
- type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock
|
||||
- type=bind,source=/data,target=/data
|
||||
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
|
||||
droneci::runner::env_vars:
|
||||
DRONE_RPC_PROTO: https
|
||||
DRONE_RPC_HOST: droneci.query.consul
|
||||
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
|
||||
DRONE_RUNNER_CAPACITY: 2
|
||||
DRONE_RUNNER_NAME: "%{facts.networking.fqdn}"
|
||||
DRONE_RUNNER_VOLUMES: /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt
|
||||
@@ -0,0 +1,6 @@
|
||||
---
|
||||
droneci_server::gitea_client_secret: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJLcMKV4EevB8V/vjex+Srq47pWLvPozjSb+vjS/crFpKq3/dgtkJ8WkqF98fPnXxkMowP/BpNexJBCmPtTR2pPTKHIYkXjxGax0g3P2gcgeT7wsNl24mnUJDWZs1/z8ibwUXv4Zg0nbKi+YdomjsvT3vl2IPI88TKZDkq6HBoturwqx2l/edC5IeAi8vgPRXF8hn2TVuslkmoNXoI28Qp10b2XNOCss6KUJ4rbOwpIgdOVFbXqi7CFjhGz/3uS9xK+2m3iuE/gXi8KSKfiQ+QcGuXL9Zy5PH5rrNg4mbrFiaFfTevsHInl1wwRmULilQ0kEY3NW4b/URXqBBuwcN/TBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDlv7tA+6OQwDuL7z3xGYZjgEBcEAj3TQ9R9TntxTyBa9mKFRXimFTDDxdZ2zD96qFNz+7ZZFGD6pFQNHSMC9AYlAue94UsIHJZaXwgAo5zc98Q]
|
||||
droneci_server::cookie_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKTWrB7Cca8RgFEeP46puzhVWOAiI6nB+m5+/sgz1qNnn6VgNh9Q6D26p9HISrMp4k60KVuGXrIbZYpkvKZmv4zHgK2et+50sr/F1anhDRX4rsmGWVV9n8VhaIJFAyQkW4de9YxV9LAgk0tWs1BgfXv4cV4+sDBv0OSVIFJDst3LUWpBR6lsiV9IifvNNUrdOHkdt5XjuL4JVmc0nkjetAg9HSvJ9VHYLIQagFHnTQp0FWluE1/ibGNc2kz7D4K7cPz2bBxRJWomckSUwgQK0NrGID4D13haZXhKXAO/8QpQOwPra8vD9FYrFenMeFLwdw43NzSr2g/W1ss5PekbWGjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBASshs2UwkGqK4ShFfXni7cgDCDCnEiqcfxIz4X/Bq71IpRKan3uQbHOewFqjNGqoR+1oWupjRxzNL39H9YF1a6i6s=]
|
||||
droneci_server::database_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEASu4C45TYWZKgIoyqC3YdwYYXn+T+ruP6oIvhYFJ5dxeZ+6HtWbRMViErvpPuWYfgs5qt6Zj9eLz2hqimFCvKiAvzANeZ9hkhw/jkpmvG8iXpDFw6x8QKcPJteRo896KSLiGiVlZfRbgQCGAqiEMw6y6M9CvfCLzE/mZ9gOKjSJVKiioAnXU2fyq0Y0M6g0iLRw0VXl2BVc4ORCnVECARQPo48T3U+TT39q0ar4mRO1AFO0VA5iDJ6/EMPBcH3ekKO/1dB1UbV6VkD3s9BAHGyL5a5Wr6ztg/5Yl6VBCXmECZqpCx8jx8KDUoaj1R/+I83YQxbw9ch76j79haIK6+jzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAh6MmfbUELaWbSNZ9/Dev2gDD/E3G/uYJGXNGl1+PIVwGmi0z2BTXNqg7ax/b/uF5Xc9ZtBSPiSxR6BPRXN3GleNo=]
|
||||
droneci_server::postgres_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANpDnrpratpuYheXFrN4nwRTauPm9rZz2ubDyJlcxmah+kOWqsWIeEkv5GuATlymfAx5UuHPOv3dJPCSK+YuyQY+kGW/8uEFM68QrNi38NdRqEpdXuPBe5+AmWxcjYK3mdJ4maEwsbbxtYJmD8TF6kskS2P/KhnIzYR5PPHZTaYbEf/W5Da3l+J5WnFYpStuLq+86yZokBAygFPI+y/Ic+zJIdhpzVdLyGuqxGLXZq7nNMrjuNyFPKkCj1BBpuJTMCS4oPKCUTlm5hIIeeC2pFREI0CMTV5siZB8NphobPNn/ZbJrcs9q75LtIa47pkFYRbmV4WPctCwZXg6jtMleuzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDHJaChyidZq/5FN5n+ASJWgDCqUcR/DG9e8AD7fRmTb5BZM8XQ77a1hUJoaCycnMQ/5UyKmqU/7fLPrsxCf2vZU1M=]
|
||||
droneci_server::redis_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAYMoZlVXHC1qfkDptPy3PyWGrUs5y9M9AOv5Vn1AK6DYViixhjwPZUCfwTONmt7CiBuqmkDOpR5isWFiBo/+TMeMXlM9C/D+Svc9tpeHLpVaXAYeoz5um2InyBFkLWSaUaWSftF9U7O5Nv/OiLIsd7nn4T8Dd21rfUiRfUN/2HPLMCs+mW15Az9XNOcvfm+kPXDAcB+ukHde0vvtYTZEFWjMdwJjjE43DiCmAoLTcpvQxdlclojotBpFeBLZs/F21FDQ4hvBUvPBMuZ1o7ImSP5fuomYSFK8etbD7JO5gg5BN59lGl1ljyR83phv6wmmqlzB8wQl0pjEpni9o7fa9hTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCKJrkPA78qx3wAu1eroIjRgDA72N9U0YZf1MzACcGSOMU5RGO242RwlIKUrnuYcdC0dKkjLXtP+yVpSKkX5WxcsDQ=]
|
||||
@@ -0,0 +1,79 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- droneci.main.unkin.net
|
||||
- droneci.service.consul
|
||||
- droneci.query.consul
|
||||
- "droneci.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- droneci.main.unkin.net
|
||||
- droneci.service.consul
|
||||
- droneci.query.consul
|
||||
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::sql::postgresdb
|
||||
- droneci
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
profiles::sql::postgresdb::dbname: droneci
|
||||
profiles::sql::postgresdb::dbuser: droneci
|
||||
profiles::sql::postgresdb::dbpass: "%{hiera('droneci_server::postgres_password')}"
|
||||
profiles::sql::postgresdb::members_lookup: true
|
||||
profiles::sql::postgresdb::members_role: roles::infra::droneci::server
|
||||
|
||||
droneci::ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
droneci::volumes:
|
||||
- type=bind,source=/var/lib/drone,target=/data
|
||||
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
|
||||
droneci::env_vars:
|
||||
DRONE_GITEA_SERVER: https://git.query.consul
|
||||
DRONE_GITEA_CLIENT_ID: dda67581-86df-4e65-88ae-1e505b849082
|
||||
DRONE_USER_CREATE: username:unkinben,admin:true
|
||||
DRONE_GITEA_CLIENT_SECRET: "%{hiera('droneci_server::gitea_client_secret')}"
|
||||
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
|
||||
DRONE_SERVER_HOST: droneci.query.consul
|
||||
DRONE_SERVER_PROTO: https
|
||||
DRONE_TLS_CERT: /etc/pki/tls/vault/certificate.crt
|
||||
DRONE_TLS_KEY: /etc/pki/tls/vault/private.key
|
||||
DRONE_COOKIE_SECRET: "%{hiera('droneci_server::cookie_secret')}"
|
||||
DRONE_COOKIE_TIMEOUT: 720h
|
||||
DRONE_HTTP_SSL_REDIRECT: true
|
||||
DRONE_HTTP_SSL_TEMPORARY_REDIRECT: true
|
||||
DRONE_HTTP_SSL_HOST: droneci.query.consul
|
||||
DRONE_LOGS_TEXT: true
|
||||
DRONE_LOGS_PRETTY: true
|
||||
DRONE_LOGS_COLOR: true
|
||||
DRONE_DATABASE_SECRET: "%{hiera('droneci_server::database_secret')}"
|
||||
DRONE_DATABASE_DRIVER: postgres
|
||||
DRONE_DATABASE_DATASOURCE: "postgres://droneci:%{hiera('droneci_server::postgres_password')}@master.patroni-prod.service.au-syd1.consul:5432/droneci?sslmode=disable"
|
||||
DRONE_REDIS_CONNECTION: "redis://%{hiera('droneci_server::redis_password')}@redis-master-prod.service.au-syd1.consul:6379/2"
|
||||
|
||||
consul::services:
|
||||
droneci:
|
||||
service_name: 'droneci'
|
||||
tags:
|
||||
- 'drone'
|
||||
- 'droneci'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'droneci_https_check'
|
||||
name: 'droneci HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: droneci
|
||||
disposition: write
|
||||
@@ -41,7 +41,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- "git.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 3000
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 250M
|
||||
nginx::client_max_body_size: 1024M
|
||||
|
||||
profiles::gitea::init::root:
|
||||
APP_NAME: 'Gitea'
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
profiles::gitea::runner::registration_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOL/ug4IPhEW1n+Lq+SsMSEJUYsDDK2s0+oNF3unxcbH3QDqWo7kuYKkDWQ+W3otcxvuRlbC8+0W2fO2udhF7sSGrF93INsTCDqWlLnaaAgxlgNSXthA4OCJlI8DCLeD/Sr0TTCchUdpQrIpDo6Gh0EUjgRv5574q26or7c/vvtQ4nfLVQOqEV9UpsCgEYiQvXVcf55LEpgaDp4mFL0qCnfzDnGNbZ0GUo6552ka19IocqOqILPnZO0qDcEoLbQ90sP197+5Jw611i1Akx1C4lFP81bazFMpbdiEP0V4Ax+33LfZEb0KnXuMbKOF23vIwwwfpFJaSOAjA5YehA3xM2zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDPJHB2uL+VEyntgZocyoMXgDBJ1dnRWiJM77XomzbNdDUO+ktIHLOTL5do0m4CkXZ1s42KtaAwWL+/EGdxg80UMC8=]
|
||||
@@ -0,0 +1,46 @@
|
||||
---
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::gitea::runner
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
profiles::gitea::runner::home: /data/runner
|
||||
profiles::gitea::runner::version: '0.2.10'
|
||||
profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
|
||||
profiles::gitea::runner::config:
|
||||
log:
|
||||
level: info
|
||||
runner:
|
||||
file: "%{hiera('profiles::gitea::runner::home')}/.runner"
|
||||
capacity: 2
|
||||
envs:
|
||||
A_TEST_ENV_NAME_1: a_test_env_value_1
|
||||
A_TEST_ENV_NAME_2: a_test_env_value_2
|
||||
env_file: .env
|
||||
timeout: 3h
|
||||
insecure: false
|
||||
fetch_timeout: 5s
|
||||
fetch_interval: 2s
|
||||
labels:
|
||||
- "almalinux-latest"
|
||||
- "almalinux-8:docker"
|
||||
- "almalinux-8.10:docker"
|
||||
cache:
|
||||
enabled: true
|
||||
dir: "%{hiera('profiles::gitea::runner::home')}/.cache/actcache"
|
||||
host: ""
|
||||
port: 0
|
||||
external_server: ""
|
||||
container:
|
||||
network: ""
|
||||
privileged: false
|
||||
options:
|
||||
workdir_parent: /workspace
|
||||
valid_volumes: []
|
||||
docker_host: ""
|
||||
force_pull: true
|
||||
force_rebuild: false
|
||||
host:
|
||||
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
|
||||
@@ -9,4 +9,5 @@ profiles::metrics::server::scrape_jobs:
|
||||
- puppetdb
|
||||
- systemd
|
||||
- haproxy
|
||||
- postgres
|
||||
profiles::metrics::server::localstorage: /data/prometheus
|
||||
|
||||
@@ -2,6 +2,8 @@
|
||||
hiera_include:
|
||||
- certbot
|
||||
- profiles::pki::puppetcerts
|
||||
- firewall::rules::in::sshd
|
||||
- firewall::rules::in::https
|
||||
|
||||
certbot::domains:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
---
|
||||
profiles::packages::install:
|
||||
- puppetserver
|
||||
profiles::packages::include:
|
||||
puppetserver: {}
|
||||
|
||||
@@ -37,3 +37,12 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: puppetdbapi
|
||||
disposition: write
|
||||
|
||||
hiera_include:
|
||||
- firewall::rules::in::sshd
|
||||
- firewall::rules::in::puppetdbapi
|
||||
|
||||
firewall::rules::in::exporters::ports:
|
||||
- 9100
|
||||
- 9558
|
||||
- 9635
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
profiles::packages::install:
|
||||
- createrepo
|
||||
profiles::packages::include:
|
||||
createrepo: {}
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- repos.main.unkin.net
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
profiles::sql::patroni::superuser_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAImaYEH6ktU6KYDu96OtuJu11FbmE+b9YwrkJiv72QfuVivR7lGfieRKcvkrq3IsNcwhhnl1lzyMZHteib7jLEIiaq59AZFiZyfF2E5bhNYfW4QcDJd4QOheU2awkZkl6oaoMUxgWOnqvihYVLDfoJ0lj6hBTFuqIzO/KU+AJ4NMO3+/+AK9+HB0u/8Iyuev4RQBkvaRAoszCcFCWTAZJTmhOgWe4xJIxfbh0/5k/dmT5WQ1JPEQK7hnVly9iToROZJDjuyndNHbrhCQUg4+DYMPS2fZVWvcESfxN8lJjBFPojj9ZbG5mLlq1e4A4KiZNwHfA1V4D88VWOkRg65XtZDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBzToImdK5/pk3UeZPyavjTgDCcYBzwY/g353Pbh0xr/we8KmvsQEtfxPDuPm4Kv4hsD5X0dHu2nGzBAZq5uWcE3RE=]
|
||||
profiles::sql::patroni::replication_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWyCj+7WfzpTcpBg6uQ5ykGmLZmb/avW3Pc+VWj9bGvxSQCA8LA6HJlEhhL3mrJSTGUyHLgeEebEup9AVHe2k2l/JHIvhyfx7LI+mNDp8u5p40pM6ZxTdIJFOZmOS/nGjAR6mTv6Ennhpw4sWSDYXU0mJPTHGAked2FXV1xsS0zpTY7hccJHuww5ixOw6jP8E1Pu0ex4LmefOXApowf0jZ2pARndlsXwZldahUHIF48XejclpgCK9rTrb4eQsOZr5ozcj0BBpWg/JKNkQt8mQU5l5/z0GDT08Op8g6MVdJuOWr92uPqjc8sydrz0QAx4l8t1KY2fMWK7BPKqSdcOxiDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDEZBNd56BHVGRVfHDPPwZHgDAZKnqicbF/MVKPi1PwwyHrXMW/fWqocgr1zWx6RXWgXICqjJdEFXwFerXXb39RSDg=]
|
||||
profiles::sql::patroni::postgres_exporter_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAL5brQt9CGFU7okDXZWF1jL1j+RbrQZhKfzGWyWl+SqRK6q+xH0LIzYQhOAji7tlDBzvFZpzglmzj0xDrAkQA46jg1DkR5+9Ozru9jL1nhg/6z/F54DlhAG7Ui0hjgSLal79VABLXa/cb9xJThx97b9xoOW+/vpfSKa4izFtkN9fliClFTVafxLlLLD/yABW99aq1OK+9MyCsppvs/rjWbXvjEKL+C0jawh4dBnc+tYJMHC/k5NIK0th4A/zSYVH5q6gFakpxrV2ubETIbVTDncC8zfRLhnrikZYNbCy5PuJb2a4vW1O0AOzUWqvqbRkWpYF7dJB9fzW/Tu8f8d10KTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAJS5PcA9aJvjGIfKSciLLpgDAU7xXGF+Sj+g1ABMvsenEmgXsdSKVU9ZYusIiGnPdFdN4EF9usi7g4SahochlG0NU=]
|
||||
@@ -0,0 +1,28 @@
|
||||
---
|
||||
profiles::yum::global::repos:
|
||||
postgresql-15:
|
||||
name: postgresql-15
|
||||
descr: postgresql-15 repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
postgresql-common:
|
||||
name: postgresql-common
|
||||
descr: postgresql-common repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
|
||||
profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
|
||||
profiles::sql::patroni::postgres_exporter_enabled: true
|
||||
profiles::sql::patroni::postgres_exporter_user: postgres_exporter
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service_prefix
|
||||
segment: "%{hiera('profiles::sql::patroni::cluster_name')}"
|
||||
disposition: write
|
||||
- resource: key_prefix
|
||||
segment: "service/%{hiera('profiles::sql::patroni::cluster_name')}"
|
||||
disposition: write
|
||||
- resource: session_prefix
|
||||
segment: ""
|
||||
disposition: write
|
||||
@@ -1,4 +1,13 @@
|
||||
---
|
||||
hiera_include:
|
||||
- firewall::rules::in::consul
|
||||
- firewall::rules::in::dns
|
||||
- firewall::rules::in::http
|
||||
- firewall::rules::in::https
|
||||
- firewall::rules::in::sshd
|
||||
|
||||
firewall::rules::in::consul::is_server: true
|
||||
|
||||
profiles::consul::server::members_lookup: true
|
||||
profiles::consul::server::data_dir: /data/consul
|
||||
profiles::consul::server::addresses:
|
||||
@@ -89,3 +98,9 @@ profiles::consul::prepared_query::rules:
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
droneci:
|
||||
ensure: 'present'
|
||||
service_name: 'droneci'
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
|
||||
@@ -125,12 +125,12 @@ profiles::edgecache::params::mirrors:
|
||||
ensure: present
|
||||
location: '~* ^/ceph/yum/.*/repodata/'
|
||||
rewrite_rules:
|
||||
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
|
||||
- '^/ceph/yum/(.*)$ /rpm-18.2.2/$1 break'
|
||||
proxy: http://158.69.68.124
|
||||
ceph_yum_data:
|
||||
ensure: present
|
||||
location: /ceph/yum
|
||||
proxy: http://158.69.68.124/rpm-reef
|
||||
proxy: http://158.69.68.124/rpm-18.2.2
|
||||
proxy_cache: cache
|
||||
proxy_cache_valid:
|
||||
- '200 302 1440h'
|
||||
|
||||
@@ -1,4 +1,10 @@
|
||||
---
|
||||
hiera_include:
|
||||
- firewall::rules::in::sshd
|
||||
- firewall::rules::in::vault
|
||||
|
||||
firewall::rules::in::ssh::ipset: jumphost
|
||||
|
||||
profiles::vault::server::members_role: roles::infra::storage::vault
|
||||
profiles::vault::server::members_lookup: true
|
||||
profiles::vault::server::data_dir: /data/vault
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
---
|
||||
profiles::packages::install:
|
||||
- "%{hiera('lm-sensors::package')}"
|
||||
profiles::packages::include:
|
||||
"%{hiera('lm-sensors::package')}": {}
|
||||
|
||||
@@ -1,7 +1,14 @@
|
||||
# used by certbot clients to request letsencrypt certificates
|
||||
# - domains: list of certificates to generate
|
||||
# - webserver: where the client downloads certificates from
|
||||
# - data_dir: where to store the certificates on the client
|
||||
# - services: the services to notify when certificates change
|
||||
#
|
||||
class certbot::client (
|
||||
Array[Stdlib::Fqdn] $domains,
|
||||
Stdlib::Fqdn $webserver,
|
||||
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
|
||||
Optional[String] $service = undef,
|
||||
) {
|
||||
|
||||
mkdir::p {$data_dir:}
|
||||
@@ -14,10 +21,11 @@ class certbot::client (
|
||||
|
||||
$domains.each |$domain| {
|
||||
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
|
||||
domain => $domain,
|
||||
destination => "${data_dir}/${domain}",
|
||||
webserver => $webserver,
|
||||
require => File[$data_dir],
|
||||
domain => $domain,
|
||||
destination => "${data_dir}/${domain}",
|
||||
webserver => $webserver,
|
||||
require => File[$data_dir],
|
||||
notify_service => $service,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,7 +1,13 @@
|
||||
# a define for creating a single certificate
|
||||
# - domain: the domain to generate a certificate for
|
||||
# - webserver: where to download the certificate from
|
||||
# - destination: the data directory on the client
|
||||
# - notify_service: what service to notify when the concat exec completes
|
||||
define certbot::client::cert (
|
||||
Stdlib::Fqdn $domain,
|
||||
Stdlib::Fqdn $webserver,
|
||||
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
|
||||
Optional[String] $notify_service = undef,
|
||||
) {
|
||||
|
||||
file { $destination:
|
||||
@@ -34,8 +40,16 @@ define certbot::client::cert (
|
||||
}
|
||||
}
|
||||
|
||||
# create file resources
|
||||
create_resources(file, $files_to_create)
|
||||
|
||||
# if notify_service is specified
|
||||
if $notify_service != undef {
|
||||
$service = Service[$notify_service]
|
||||
}else{
|
||||
$service = undef
|
||||
}
|
||||
|
||||
exec { "concat_${domain}_certs":
|
||||
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
|
||||
path => ['/bin', '/usr/bin'],
|
||||
@@ -44,6 +58,7 @@ define certbot::client::cert (
|
||||
File["${destination}/fullchain.pem"],
|
||||
File["${destination}/privkey.pem"],
|
||||
],
|
||||
notify => $service,
|
||||
}
|
||||
} else {
|
||||
notify { 'Certificates are not yet ready on the generator server.': }
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
class droneci (
|
||||
Hash $env_vars = {},
|
||||
String $docker_image = 'drone/drone:2',
|
||||
Array[String] $ports = [],
|
||||
Array[String] $volumes = [],
|
||||
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci',
|
||||
) {
|
||||
|
||||
# Create the environment file from a template
|
||||
file { $env_file:
|
||||
ensure => file,
|
||||
content => template('droneci/droneci_env.erb'),
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
# Define the systemd service for Drone CI
|
||||
systemd::unit_file { 'droneci.service':
|
||||
ensure => present,
|
||||
content => template('droneci/droneci_service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => File[$env_file],
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,24 @@
|
||||
class droneci::runner (
|
||||
Hash $env_vars = {},
|
||||
String $docker_image = 'drone/drone-runner-docker:1',
|
||||
Array[String] $ports = [],
|
||||
Array[String] $volumes = [],
|
||||
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci_runner',
|
||||
) {
|
||||
|
||||
# Create the environment file from a template
|
||||
file { $env_file:
|
||||
ensure => file,
|
||||
content => template('droneci/droneci_env.erb'),
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
# Define the systemd service for Drone CI runner
|
||||
systemd::unit_file { 'droneci-runner.service':
|
||||
ensure => present,
|
||||
content => template('droneci/droneci_runner_service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => File[$env_file],
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
<% @env_vars.each do |key, value| -%>
|
||||
<%= key.upcase %>=<%= value %>
|
||||
<% end -%>
|
||||
@@ -0,0 +1,20 @@
|
||||
[Unit]
|
||||
Description=Drone CI Runner
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/docker run --rm \
|
||||
--name=drone-runner \
|
||||
<% @ports.each do |port| -%>
|
||||
-p <%= port %> \
|
||||
<% end -%>
|
||||
<% @volumes.each do |volume| -%>
|
||||
--mount <%= volume %> \
|
||||
<% end -%>
|
||||
--env-file <%= @env_file %> \
|
||||
<%= @docker_image %>
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,20 @@
|
||||
[Unit]
|
||||
Description=Drone CI Service
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/docker run --rm \
|
||||
--name=drone \
|
||||
<% @ports.each do |port| -%>
|
||||
-p <%= port %> \
|
||||
<% end -%>
|
||||
<% @volumes.each do |volume| -%>
|
||||
--mount <%= volume %> \
|
||||
<% end -%>
|
||||
--env-file <%= @env_file %> \
|
||||
<%= @docker_image %>
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,29 @@
|
||||
# manage the firewall
|
||||
class firewall (
|
||||
Boolean $enable = false,
|
||||
Hash $ipset_queries = {},
|
||||
){
|
||||
|
||||
if $enable {
|
||||
$ipset_queries.each |$ipset, $query| {
|
||||
$ips = sort(query_nodes($query, 'networking.ip'))
|
||||
|
||||
nftables::set{$ipset:
|
||||
type => 'ipv4_addr',
|
||||
flags => ['dynamic'],
|
||||
elements => $ips,
|
||||
}
|
||||
}
|
||||
|
||||
class {'nftables':
|
||||
in_ssh => false,
|
||||
in_icmp => true,
|
||||
out_ntp => false,
|
||||
out_dns => false,
|
||||
out_http => false,
|
||||
out_https => false,
|
||||
out_icmp => true,
|
||||
out_all => false,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
class firewall::rules::in::cobbler (
|
||||
Array[Stdlib::Port] $ports = [25150,25151],
|
||||
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
$protocols.each |$proto| {
|
||||
nftables::rule { "default_in-cobbler_${proto}_${port}":
|
||||
content => "${proto} dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,39 @@
|
||||
class firewall::rules::in::consul (
|
||||
Boolean $is_server = false,
|
||||
) {
|
||||
|
||||
# serf traffic (lan and wan)
|
||||
nftables::rule { 'default_in-consul_udp_8301':
|
||||
content => 'udp dport 8301 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_tcp_8301':
|
||||
content => 'tcp dport 8301 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_udp_8302':
|
||||
content => 'udp dport 8302 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_tcp_8302':
|
||||
content => 'tcp dport 8302 accept',
|
||||
}
|
||||
|
||||
if $is_server {
|
||||
# dns interface
|
||||
nftables::rule { 'default_in-consul_udp_8600':
|
||||
content => 'udp dport 8600 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_tcp_8600':
|
||||
content => 'tcp dport 8600 accept',
|
||||
}
|
||||
|
||||
# communication with servers
|
||||
nftables::rule { 'default_in-consul_tcp_8300':
|
||||
content => 'tcp dport 8300 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_tcp_8500':
|
||||
content => 'tcp dport 8500 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_tcp_8503':
|
||||
content => 'tcp dport 8503 accept',
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
class firewall::rules::in::dhcp {
|
||||
nftables::rule { 'default_in-dhcp':
|
||||
content => 'udp sport {67, 68} udp dport {67, 68} accept';
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
class firewall::rules::in::dns (
|
||||
Array[Stdlib::Port] $ports = [53],
|
||||
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
|
||||
Optional[String] $ipset = undef,
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
$protocols.each |$proto| {
|
||||
if $ipset != '' {
|
||||
$rule = "${proto} dport ${port} ip saddr @${ipset} accept"
|
||||
}else{
|
||||
$rule = "${proto} dport ${port} accept"
|
||||
}
|
||||
nftables::rule { "default_in-dns_${proto}_${port}":
|
||||
content => $rule,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
# 9100: node_exporter
|
||||
# 9558: sysstemd_exporter
|
||||
class firewall::rules::in::exporters (
|
||||
Array[Stdlib::Port] $ports = [9100,9558],
|
||||
String $ipset = 'prometheus',
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-metrics_exporter_tcp_${port}":
|
||||
content => "tcp dport ${port} ip saddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::http (
|
||||
Array[Stdlib::Port] $ports = [80],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-http_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::https (
|
||||
Array[Stdlib::Port] $ports = [443],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-https_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::mysql (
|
||||
Array[Stdlib::Port] $ports = [3306],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-mysql_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::ntp (
|
||||
Array[Stdlib::Port] $ports = [123],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-ntp_${port}":
|
||||
content => "udp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::postgres (
|
||||
Array[Stdlib::Port] $ports = [5432],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-postgres_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::puppetdbapi (
|
||||
Array[Stdlib::Port] $ports = [8080,8081],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-puppetdbapi_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
class firewall::rules::in::sshd (
|
||||
Array[Stdlib::Port] $ports = [22],
|
||||
Optional[String] $ipset = undef,
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
if $ipset != '' {
|
||||
$rule = "tcp dport ${port} ip saddr @${ipset} accept"
|
||||
}else{
|
||||
$rule = "tcp dport ${port} accept"
|
||||
}
|
||||
nftables::rule { "default_in-sshd_tcp_${port}":
|
||||
content => $rule,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
class firewall::rules::in::tftp (
|
||||
Array[Stdlib::Port] $ports = [69],
|
||||
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
$protocols.each |$proto| {
|
||||
nftables::rule { "default_in-tftp_${proto}_${port}":
|
||||
content => "${proto} dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::vault (
|
||||
Array[Stdlib::Port] $ports = [8200, 8201],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-vaultserver_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
class firewall::rules::out::ceph_client (
|
||||
Array[Stdlib::Port,1] $ports = [3300, 6789],
|
||||
) {
|
||||
nftables::rule {
|
||||
'default_out-ceph_client':
|
||||
content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,29 @@
|
||||
class firewall::rules::out::consul (
|
||||
String $ipset = 'consul',
|
||||
) {
|
||||
|
||||
# serf traffic (lan and wan)
|
||||
nftables::rule { 'default_out-consul_udp_8301':
|
||||
content => 'udp dport 8301 accept',
|
||||
}
|
||||
nftables::rule { 'default_out-consul_tcp_8301':
|
||||
content => 'tcp dport 8301 accept',
|
||||
}
|
||||
nftables::rule { 'default_out-consul_udp_8302':
|
||||
content => 'udp dport 8302 accept',
|
||||
}
|
||||
nftables::rule { 'default_out-consul_tcp_8302':
|
||||
content => 'tcp dport 8302 accept',
|
||||
}
|
||||
|
||||
# communication with servers
|
||||
nftables::rule { 'default_out-consul_tcp_8300':
|
||||
content => "tcp dport 8300 ip daddr @${ipset} accept",
|
||||
}
|
||||
nftables::rule { 'default_out-consul_tcp_8500':
|
||||
content => "tcp dport 8500 ip daddr @${ipset} accept",
|
||||
}
|
||||
nftables::rule { 'default_out-consul_tcp_8503':
|
||||
content => "tcp dport 8503 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
class firewall::rules::out::dhcp {
|
||||
nftables::rule { 'default_out-dhcpc':
|
||||
content => 'udp sport {67, 68} udp dport {67, 68} accept';
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
class firewall::rules::out::dns (
|
||||
String $ipset = 'dns_resolver',
|
||||
) {
|
||||
|
||||
nftables::rule { 'default_out-dns_udp_53':
|
||||
content => "udp dport 53 ip daddr @${ipset} accept",
|
||||
}
|
||||
nftables::rule { 'default_out-dns_tcp_53':
|
||||
content => "tcp dport 53 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::out::http (
|
||||
Array[Stdlib::Port] $ports = [80],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-http_tcp_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::out::https (
|
||||
Array[Stdlib::Port] $ports = [443],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-https_tcp_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
class firewall::rules::out::mysql (
|
||||
String $ipset = 'sql_galera',
|
||||
){
|
||||
nftables::rule { 'default_out-mysql_tcp_3306':
|
||||
content => "tcp dport 3306 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
class firewall::rules::out::ntp (
|
||||
String $ipset = 'ntp',
|
||||
Array[Stdlib::Port] $ports = [123],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-ntp_udp_${port}":
|
||||
content => "udp dport ${port} ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
class firewall::rules::out::postgres (
|
||||
String $ipset = 'sql_galera',
|
||||
){
|
||||
nftables::rule { 'default_out-postgres_tcp_5432':
|
||||
content => "tcp dport 5432 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
class firewall::rules::out::puppet (
|
||||
String $ipset = 'puppetmaster',
|
||||
Array[Stdlib::Port] $ports = [8140],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-puppet_${port}":
|
||||
content => "tcp dport ${port} ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
class firewall::rules::out::vault (
|
||||
String $ipset = 'vault',
|
||||
Array[Stdlib::Port] $ports = [8200],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-vault_${port}":
|
||||
content => "tcp dport ${port} ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -6,7 +6,12 @@ define glauth::obj::service (
|
||||
Integer $primarygroup,
|
||||
String $passsha256,
|
||||
Stdlib::Absolutepath $config_path,
|
||||
Optional[Array[Integer]] $othergroups = [],
|
||||
) {
|
||||
$formatted_othergroups = $othergroups.empty ? {
|
||||
true => '[]',
|
||||
false => "[${othergroups.join(', ')}]",
|
||||
}
|
||||
concat::fragment { "glauth_service_${service_name}":
|
||||
target => $config_path,
|
||||
content => epp('glauth/obj/service.epp', {
|
||||
@@ -15,6 +20,7 @@ define glauth::obj::service (
|
||||
'uidnumber' => $uidnumber,
|
||||
'primarygroup' => $primarygroup,
|
||||
'passsha256' => $passsha256,
|
||||
'othergroups' => $formatted_othergroups,
|
||||
}),
|
||||
order => '80',
|
||||
}
|
||||
|
||||
@@ -20,20 +20,7 @@ define glauth::obj::user (
|
||||
}
|
||||
concat::fragment { "glauth_user_${user_name}":
|
||||
target => $config_path,
|
||||
content => epp('glauth/obj/user.epp', {
|
||||
'name' => $user_name,
|
||||
'givenname' => $givenname,
|
||||
'sn' => $sn,
|
||||
'mail' => $mail,
|
||||
'uidnumber' => $uidnumber,
|
||||
'primarygroup' => $primarygroup,
|
||||
'loginshell' => $loginshell,
|
||||
'homedir' => $homedir,
|
||||
'passsha256' => $passsha256,
|
||||
'sshkeys' => $sshkeys,
|
||||
'passappsha256' => $passappsha256,
|
||||
'othergroups' => $formatted_othergroups,
|
||||
}),
|
||||
content => template('glauth/obj/user.erb'),
|
||||
order => '70',
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4,4 +4,5 @@
|
||||
uidnumber = <%= $uidnumber %>
|
||||
primarygroup = <%= $primarygroup %>
|
||||
passsha256 = "<%= $passsha256 %>"
|
||||
othergroups = <%= $othergroups %>
|
||||
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
[[users]]
|
||||
name = "<%= $name %>"
|
||||
<% if $givenname != '' { %>givenname = "<%= $givenname %>"<% } %>
|
||||
<% if $sn != '' { %>sn = "<%= $sn %>"<% } %>
|
||||
mail = "<%= $mail %>"
|
||||
uidnumber = <%= $uidnumber %>
|
||||
primarygroup = <%= $primarygroup %>
|
||||
<% if $loginshell != '' { %>loginShell = "<%= $loginshell %>"<% } %>
|
||||
<% if $homedir != '' { %>homeDir = "<%= $homedir %>"<% } %>
|
||||
passsha256 = "<%= $passsha256 %>"
|
||||
<% if $sshkeys.length > 0 { %>sshkeys = [<% $sshkeys.each |String $key| { %>"<%= $key %>", <% } %>]<% } %>
|
||||
<% if $passappsha256.length > 0 { %>passappsha256 = [<% $passappsha256.each |String $pass| { %>"<%= $pass %>", <% } %>]<% } %>
|
||||
othergroups = <%= $othergroups %>
|
||||
|
||||
@@ -0,0 +1,26 @@
|
||||
[[users]]
|
||||
name = "<%= @user_name %>"
|
||||
<% if @givenname != '' -%>
|
||||
givenname = "<%= @givenname %>"
|
||||
<% end -%>
|
||||
<% if @sn != '' -%>
|
||||
sn = "<%= @sn %>"
|
||||
<% end -%>
|
||||
mail = "<%= @mail %>"
|
||||
uidnumber = <%= @uidnumber %>
|
||||
primarygroup = <%= @primarygroup %>
|
||||
<% if @loginshell != '' -%>
|
||||
loginShell = "<%= @loginshell %>"
|
||||
<% end -%>
|
||||
<% if @homedir != '' -%>
|
||||
homeDir = "<%= @homedir %>"
|
||||
<% end -%>
|
||||
passsha256 = "<%= @passsha256 %>"
|
||||
<% if @sshkeys.length > 0 -%>
|
||||
sshkeys = [<%= @sshkeys.map { |key| "\"#{key}\"" }.join(', ') %>]
|
||||
<% end -%>
|
||||
<% if @passappsha256.length > 0 -%>
|
||||
passappsha256 = [<%= @passappsha256.map { |pass| "\"#{pass}\"" }.join(', ') %>]
|
||||
<% end -%>
|
||||
othergroups = <%= @formatted_othergroups %>
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add(:psql_is_slave) do
|
||||
confine enc_role: 'roles::infra::sql::patroni'
|
||||
setcode do
|
||||
# Command to check if PostgreSQL is in recovery mode
|
||||
command = 'sudo -iu postgres psql -tAc "select pg_is_in_recovery()"'
|
||||
|
||||
# Execute the command and map the output to a boolean value
|
||||
{ 't' => true, 'f' => false }[Facter::Core::Execution.execute(command, on_fail: nil)]
|
||||
end
|
||||
end
|
||||
@@ -8,4 +8,6 @@ class nzbget::params (
|
||||
Boolean $manage_group = true,
|
||||
Stdlib::Host $bind_address = '127.0.0.1',
|
||||
Stdlib::Port $port = 6789,
|
||||
Boolean $service_enable = true,
|
||||
String $service_name = 'nzbget',
|
||||
) { }
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
# manage RedisHA
|
||||
class redisha (
|
||||
Boolean $manage_repo = $redisha::params::manage_repo,
|
||||
Boolean $redisha_members_lookup = $redisha::params::redisha_members_lookup,
|
||||
Optional[String] $redisha_members_role = $redisha::params::redisha_members_role,
|
||||
Array $redisha_servers = $redisha::params::redisha_servers,
|
||||
) inherits redisha::params {
|
||||
|
||||
include redisha::redis
|
||||
include redisha::sentinel
|
||||
include redisha::tools
|
||||
|
||||
Class['redisha::redis'] -> Class['redisha::sentinel'] -> Class['redisha::tools']
|
||||
}
|
||||
@@ -0,0 +1,25 @@
|
||||
class redisha::params (
|
||||
Boolean $redisha_members_lookup = false,
|
||||
Optional[String] $redisha_members_role = undef,
|
||||
Array $redisha_servers = [],
|
||||
|
||||
# both
|
||||
Stdlib::Host $redis_host = $facts['networking']['ip'],
|
||||
Stdlib::Port $redis_port = 6379,
|
||||
Optional[String] $requirepass = undef,
|
||||
|
||||
# redis
|
||||
Optional[String] $dnf_module_stream = '6',
|
||||
Integer[1] $databases = 16,
|
||||
Optional[Variant[String, Sensitive[String], Deferred]] $masterauth = $redisha::params::requirepass,
|
||||
|
||||
# sentinel
|
||||
String[1] $master_name = 'mymaster',
|
||||
Optional[Variant[String, Sensitive[String]]] $auth_pass = $redisha::params::requirepass,
|
||||
Integer[1] $quorum = 2,
|
||||
Enum['yes', 'no'] $sentinel_resolve_hostnames = 'yes',
|
||||
Enum['yes', 'no'] $sentinel_announce_hostnames = 'yes',
|
||||
Stdlib::Host $sentinel_announce_ip = $facts['networking']['ip'],
|
||||
Array[Stdlib::IP::Address] $sentinel_bind = [$facts['networking']['ip']],
|
||||
Stdlib::Port $sentinel_port = 26379,
|
||||
){}
|
||||
@@ -0,0 +1,59 @@
|
||||
class redisha::redis (
|
||||
Boolean $manage_repo = $redisha::manage_repo,
|
||||
Boolean $redisha_members_lookup = $redisha::redisha_members_lookup,
|
||||
Optional[String] $redisha_members_role = $redisha::redisha_members_role,
|
||||
Array $redisha_servers = $redisha::redisha_servers,
|
||||
Stdlib::Host $redis_host = $redisha::params::redis_host,
|
||||
Stdlib::Port $redis_port = $redisha::params::redis_port,
|
||||
Optional[String] $requirepass = $redisha::params::requirepass,
|
||||
Optional[String] $dnf_module_stream = $redisha::params::dnf_module_stream,
|
||||
Integer[1] $databases = $redisha::params::databases,
|
||||
Optional[Variant[String, Sensitive[String], Deferred]] $masterauth = $redisha::params::masterauth,
|
||||
) inherits redisha::params {
|
||||
|
||||
# if lookup is enabled
|
||||
if $redisha_members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($redisha_members_role == undef) {
|
||||
fail("redisha_members_role must be provided for ${title} when redisha_members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $redisha_servers
|
||||
}
|
||||
|
||||
|
||||
if length($servers_array) >= 3 {
|
||||
|
||||
# check if this is the master_node
|
||||
if $servers_array[0] == $::facts['networking']['fqdn'] {
|
||||
class { 'redis':
|
||||
bind => $redis_host,
|
||||
port => $redis_port,
|
||||
databases => $databases,
|
||||
requirepass => $requirepass,
|
||||
masterauth => $masterauth,
|
||||
dnf_module_stream => $dnf_module_stream,
|
||||
ulimit_managed => false,
|
||||
}
|
||||
}else{
|
||||
class { 'redis':
|
||||
bind => $redis_host,
|
||||
port => $redis_port,
|
||||
databases => $databases,
|
||||
requirepass => $requirepass,
|
||||
masterauth => $masterauth,
|
||||
dnf_module_stream => $dnf_module_stream,
|
||||
ulimit_managed => false,
|
||||
replicaof => "${servers_array[0]} ${redis_port}",
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,49 @@
|
||||
class redisha::sentinel (
|
||||
Boolean $redisha_members_lookup = $redisha::redisha_members_lookup,
|
||||
Optional[String] $redisha_members_role = $redisha::redisha_members_role,
|
||||
Array $redisha_servers = $redisha::redisha_servers,
|
||||
Stdlib::Port $redis_port = $redisha::params::redis_port,
|
||||
Optional[String] $requirepass = $redisha::params::requirepass,
|
||||
String[1] $master_name = $redisha::params::master_name,
|
||||
Optional[Variant[String, Sensitive[String]]] $auth_pass = $redisha::params::auth_pass,
|
||||
Integer[1] $quorum = $redisha::params::quorum,
|
||||
Enum['yes', 'no'] $sentinel_resolve_hostnames = $redisha::params::sentinel_resolve_hostnames,
|
||||
Enum['yes', 'no'] $sentinel_announce_hostnames = $redisha::params::sentinel_announce_hostnames,
|
||||
Stdlib::Host $sentinel_announce_ip = $redisha::params::sentinel_announce_ip,
|
||||
Array[Stdlib::IP::Address] $sentinel_bind = $redisha::params::sentinel_bind,
|
||||
Stdlib::Port $sentinel_port = $redisha::params::sentinel_port,
|
||||
) inherits redisha::params {
|
||||
|
||||
# if lookup is enabled
|
||||
if $redisha_members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($redisha_members_role == undef) {
|
||||
fail("redisha_members_role must be provided for ${title} when redisha_members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $redisha_servers
|
||||
}
|
||||
|
||||
if length($servers_array) >= 3 {
|
||||
|
||||
class { 'redis::sentinel':
|
||||
master_name => $master_name,
|
||||
redis_host => $servers_array[0],
|
||||
redis_port => $redis_port,
|
||||
requirepass => $requirepass,
|
||||
auth_pass => $auth_pass,
|
||||
quorum => $quorum,
|
||||
sentinel_resolve_hostnames => $sentinel_resolve_hostnames,
|
||||
sentinel_announce_ip => $sentinel_announce_ip,
|
||||
sentinel_announce_hostnames => $sentinel_announce_hostnames,
|
||||
sentinel_port => $sentinel_port,
|
||||
sentinel_bind => $sentinel_bind,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,35 @@
|
||||
class redisha::tools (
|
||||
Stdlib::Host $redis_host = $redisha::params::redis_host,
|
||||
Stdlib::Port $redis_port = $redisha::params::redis_port,
|
||||
Stdlib::Port $sentinel_port = $redisha::params::sentinel_port,
|
||||
Optional[String] $requirepass = $redisha::params::requirepass,
|
||||
) inherits redisha::params {
|
||||
|
||||
# add command to automate redis-cli commands against redis
|
||||
file {'/usr/local/sbin/redisadm':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0700',
|
||||
content => template('redisha/redisadm.erb'),
|
||||
}
|
||||
|
||||
# add command to automate redis-cli commands against sentinel
|
||||
file {'/usr/local/sbin/sentineladm':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0700',
|
||||
content => template('redisha/sentineladm.erb'),
|
||||
}
|
||||
|
||||
# add command to check if current host is the redis master
|
||||
file {'/usr/local/bin/check_redis_master':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
content => template('redisha/check_redis_master.erb'),
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
#!/usr/bin/bash
|
||||
sudo /usr/local/sbin/sentineladm info | grep -q <%= @facts['networking']['fqdn'] %>
|
||||
@@ -0,0 +1,9 @@
|
||||
#!/usr/bin/bash
|
||||
REDIS_HOST=<%= @redis_host %>
|
||||
REDIS_PORT=<%= @redis_port %>
|
||||
|
||||
if [ $# -gt 0 ]; then
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" "$@"
|
||||
else
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT"
|
||||
fi
|
||||
@@ -0,0 +1,9 @@
|
||||
#!/usr/bin/bash
|
||||
REDIS_HOST=<%= @redis_host %>
|
||||
SENTINEL_PORT=<%= @sentinel_port %>
|
||||
|
||||
if [ $# -gt 0 ]; then
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$SENTINEL_PORT" "$@"
|
||||
else
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$SENTINEL_PORT"
|
||||
fi
|
||||
@@ -0,0 +1,14 @@
|
||||
# create the rundeck user
|
||||
class profiles::accounts::rundeck (
|
||||
Array[String] $sshkeys = [],
|
||||
){
|
||||
profiles::base::account {'rundeck':
|
||||
username => 'rundeck',
|
||||
uid => 1100,
|
||||
gid => 1100,
|
||||
groups => ['adm', 'admins', 'systemd-journal'],
|
||||
sshkeys => $sshkeys,
|
||||
require => Group['admins'],
|
||||
system => true,
|
||||
}
|
||||
}
|
||||
@@ -38,6 +38,7 @@ class profiles::base (
|
||||
include profiles::metrics::default
|
||||
include profiles::helpers::node_lookup
|
||||
include profiles::consul::client
|
||||
include firewall
|
||||
|
||||
# include the python class
|
||||
class { 'python':
|
||||
|
||||
@@ -4,7 +4,6 @@ class profiles::base::repos {
|
||||
case $facts['os']['family'] {
|
||||
'RedHat': {
|
||||
include profiles::yum::global
|
||||
include profiles::firewall::firewalld
|
||||
}
|
||||
'Debian': {
|
||||
include profiles::apt::global
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user