Compare commits
111 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 3a798a20d7 | |||
| 933427e861 | |||
| 4a0760516f | |||
| 10b57abffc | |||
| 5b4bb95ffe | |||
| e09819284d | |||
| addfa02e08 | |||
| 93b9629c5c | |||
| 9dea399377 | |||
| 0210d849c7 | |||
| 42d8047043 | |||
| c0b94c181f | |||
| 265400db91 | |||
| ccf4ef27f7 | |||
| afda425fab | |||
| 69c298e162 | |||
| 1ad2b806b4 | |||
| dc58084cc9 | |||
| 938db9880b | |||
| ecbea24ba8 | |||
| bcb9beae5f | |||
| e1e604516d | |||
| 0bed8ba4f4 | |||
| 5471adae32 | |||
| 91d9a073d6 | |||
| ec7814e2a9 | |||
| 71c134dc1a | |||
| cb803d885e | |||
| 90eabac007 | |||
| d79a5de17b | |||
| 0f755b231f | |||
| 2912cbb68b | |||
| 3d1ba79325 | |||
| c33b58ead6 | |||
| 9f937b2869 | |||
| 8660bec810 | |||
| f30325b3e9 | |||
| 76c1c93c02 | |||
| 4577997506 | |||
| 6326e820a9 | |||
| 757f3042ed | |||
| 5d36a4053b | |||
| 8fad79f2bc | |||
| 68c569b282 | |||
| 975adc31d7 | |||
| 8a8cc0ae1b | |||
| 70a9edd118 | |||
| 348d8889ed | |||
| 1a2023f4ff | |||
| 35834f8f5a | |||
| 4347faf153 | |||
| 5c731fef34 | |||
| b7fc6a1993 | |||
| afe2a2afb7 | |||
| c76ce3bf10 | |||
| af989a19c3 | |||
| 4d08e30733 | |||
| e2873a492a | |||
| 90af895a34 | |||
| 52e3d5b20b | |||
| aadd0275ac | |||
| 390a5a58c7 | |||
| 403e3eeb1b | |||
| 352878e27c | |||
| 0cad88cdad | |||
| 859fc0d909 | |||
| a5baed8cd9 | |||
| 44707910aa | |||
| dafac3d5ab | |||
| 3ce2ec3754 | |||
| 7863d54275 | |||
| 988e7c2a32 | |||
| 0c44654a47 | |||
| 20ee6fa19e | |||
| c846cc4e21 | |||
| 8e0f26e726 | |||
| 4579e268f0 | |||
| f1e1828a4a | |||
| 2ae8dbc0ac | |||
| 4338dfe27f | |||
| 66cb1e356d | |||
| 2bda41712a | |||
| d3daac3b71 | |||
| eb32a216f5 | |||
| 5354c99b1e | |||
| 6a3123e12e | |||
| 26ffe17ee1 | |||
| cb5bb0798f | |||
| 08241692ee | |||
| 76989e45c4 | |||
| cc01259a64 | |||
| b5148fc2a0 | |||
| ab44bfc430 | |||
| 4c38232ceb | |||
| 20686e04f4 | |||
| 480eced404 | |||
| 946922fdb9 | |||
| 1570bbd8f2 | |||
| 319c3b6d67 | |||
| e2f571649e | |||
| 0fb11b22cf | |||
| 01fc6aacd7 | |||
| 73c7dbd56c | |||
| 3ed692cc77 | |||
| ec92a6d3df | |||
| bbd6cdb228 | |||
| 2cbba808c3 | |||
| df9f31e0f7 | |||
| 95a0b543fd | |||
| 90d123f4d0 | |||
| 3dc8fb03fa |
+5
-1
@@ -18,6 +18,7 @@ mod 'puppetlabs-xinetd', '3.4.1'
|
||||
mod 'puppetlabs-haproxy', '8.0.0'
|
||||
mod 'puppetlabs-java', '10.1.2'
|
||||
mod 'puppetlabs-reboot', '5.0.0'
|
||||
mod 'puppetlabs-docker', '10.0.1'
|
||||
|
||||
# puppet
|
||||
mod 'puppet-python', '7.0.0'
|
||||
@@ -33,12 +34,14 @@ mod 'puppet-grafana', '13.1.0'
|
||||
mod 'puppet-consul', '8.0.0'
|
||||
mod 'puppet-vault', '4.1.0'
|
||||
mod 'puppet-dhcp', '6.1.0'
|
||||
mod 'puppet-keepalived', '3.6.0'
|
||||
mod 'puppet-keepalived', '5.1.0'
|
||||
mod 'puppet-extlib', '7.0.0'
|
||||
mod 'puppet-network', '2.2.0'
|
||||
mod 'puppet-kmod', '4.0.1'
|
||||
mod 'puppet-filemapper', '4.0.0'
|
||||
mod 'puppet-letsencrypt', '11.0.0'
|
||||
mod 'puppet-rundeck', '9.1.0'
|
||||
mod 'puppet-redis', '11.0.0'
|
||||
|
||||
# other
|
||||
mod 'ghoneycutt-puppet', '3.3.0'
|
||||
@@ -52,6 +55,7 @@ mod 'broadinstitute-certs', '3.0.1'
|
||||
mod 'stm-file_capability', '6.0.0'
|
||||
mod 'h0tw1r3-gitea', '3.2.0'
|
||||
mod 'rehan-mkdir', '2.0.0'
|
||||
mod 'tailoredautomation-patroni', '2.0.0'
|
||||
|
||||
mod 'bind',
|
||||
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||
|
||||
+75
-61
@@ -3,16 +3,10 @@ lookup_options:
|
||||
hiera_classes:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::install:
|
||||
profiles::packages::include:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::install_exclude:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::remove:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::remove_exclude:
|
||||
profiles::packages::exclude:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::pki::vault::alt_names:
|
||||
@@ -135,6 +129,12 @@ lookup_options:
|
||||
certbot::client::domains:
|
||||
merge:
|
||||
strategy: deep
|
||||
keepalived::vrrp_script:
|
||||
merge:
|
||||
strategy: deep
|
||||
keepalived::vrrp_instance:
|
||||
merge:
|
||||
strategy: deep
|
||||
|
||||
facts_path: '/opt/puppetlabs/facter/facts.d'
|
||||
|
||||
@@ -142,6 +142,7 @@ hiera_include:
|
||||
- timezone
|
||||
- networking
|
||||
- ssh::server
|
||||
- profiles::accounts::rundeck
|
||||
|
||||
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
||||
profiles::ntp::client::use_ntp: 'region'
|
||||
@@ -172,59 +173,70 @@ profiles::consul::client::node_rules:
|
||||
segment: ''
|
||||
disposition: read
|
||||
|
||||
profiles::packages::install:
|
||||
- bash-completion
|
||||
- bzip2
|
||||
- ccze
|
||||
- curl
|
||||
- dstat
|
||||
- expect
|
||||
- gcc
|
||||
- gzip
|
||||
- git
|
||||
- htop
|
||||
- inotify-tools
|
||||
- iotop
|
||||
- jq
|
||||
- lz4
|
||||
- mtr
|
||||
- ncdu
|
||||
- neovim
|
||||
- p7zip
|
||||
- pbzip2
|
||||
- pigz
|
||||
- pv
|
||||
- python3.11
|
||||
- rsync
|
||||
- screen
|
||||
- socat
|
||||
- strace
|
||||
- sysstat
|
||||
- tar
|
||||
- tmux
|
||||
- traceroute
|
||||
- unzip
|
||||
- vim
|
||||
- vnstat
|
||||
- wget
|
||||
- zsh
|
||||
- zstd
|
||||
|
||||
profiles::packages::remove:
|
||||
- iwl100-firmware
|
||||
- iwl1000-firmware
|
||||
- iwl105-firmware
|
||||
- iwl135-firmware
|
||||
- iwl2000-firmware
|
||||
- iwl2030-firmware
|
||||
- iwl3160-firmware
|
||||
- iwl5000-firmware
|
||||
- iwl5150-firmware
|
||||
- iwl6000-firmware
|
||||
- iwl6000g2a-firmware
|
||||
- iwl6050-firmware
|
||||
- iwl7260-firmware
|
||||
- puppet7-release
|
||||
profiles::packages::include:
|
||||
bash-completion: {}
|
||||
bzip2: {}
|
||||
ccze: {}
|
||||
curl: {}
|
||||
dstat: {}
|
||||
expect: {}
|
||||
gzip: {}
|
||||
git: {}
|
||||
htop: {}
|
||||
inotify-tools: {}
|
||||
iotop: {}
|
||||
jq: {}
|
||||
lz4: {}
|
||||
mtr: {}
|
||||
ncdu: {}
|
||||
neovim: {}
|
||||
p7zip: {}
|
||||
pbzip2: {}
|
||||
pigz: {}
|
||||
pv: {}
|
||||
python3.11: {}
|
||||
rsync: {}
|
||||
screen: {}
|
||||
socat: {}
|
||||
strace: {}
|
||||
sysstat: {}
|
||||
tar: {}
|
||||
tmux: {}
|
||||
traceroute: {}
|
||||
unzip: {}
|
||||
vim: {}
|
||||
vnstat: {}
|
||||
wget: {}
|
||||
zsh: {}
|
||||
zstd: {}
|
||||
iwl100-firmware:
|
||||
ensure: absent
|
||||
iwl1000-firmware:
|
||||
ensure: absent
|
||||
iwl105-firmware:
|
||||
ensure: absent
|
||||
iwl135-firmware:
|
||||
ensure: absent
|
||||
iwl2000-firmware:
|
||||
ensure: absent
|
||||
iwl2030-firmware:
|
||||
ensure: absent
|
||||
iwl3160-firmware:
|
||||
ensure: absent
|
||||
iwl5000-firmware:
|
||||
ensure: absent
|
||||
iwl5150-firmware:
|
||||
ensure: absent
|
||||
iwl6000-firmware:
|
||||
ensure: absent
|
||||
iwl6000g2a-firmware:
|
||||
ensure: absent
|
||||
iwl6050-firmware:
|
||||
ensure: absent
|
||||
iwl7260-firmware:
|
||||
ensure: absent
|
||||
puppet7-release:
|
||||
ensure: absent
|
||||
|
||||
profiles::base::scripts::scripts:
|
||||
puppet: puppetwrapper.py
|
||||
@@ -293,6 +305,8 @@ sudo::configs:
|
||||
|
||||
profiles::accounts::sysadmin::sshkeys:
|
||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
|
||||
profiles::accounts::rundeck::sshkeys:
|
||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD4F7VcorbGpyZzBFexz7c/o1JBscrl7hZU0UkWV7fq6YLizW0r6fOzD99hMwu1kdYCjPxbvuUSDEHfyBIp2EgLWU6wFVoufQqlMyOV85+ivQZUc1VNV+X9T+U4v3u/01hkAmlpXtbkwhMSR4Wi+tdABd04+D3CuMDM37mvnFmBBmi41X4Mr1rJhOQumn1XHQ7EYbsdw2mxfEVVeWpZIHz5BjNKSGzEIAYZbFt6s0Y7X3J5RT+Gjqmu043Tc8nNIUFlR9E10qd3Euf9RiBYxBx3z+yfOzJPBzWNBSHv1+PIbO5Mq+z5JaAfoFZO41L7nw+FjV6JJUCVLr6Vq+bCxyA7LW4Oq9ZahSrt/vrT0kTa0tA5U9bqK6e7pB//dm7PzoROtTq0XksV8RseA/fvIje20uaN1z9dynx+UcbszXu9pQ5GIg1o7b5DEi3OZHJwpgdudiCyEeR4+00G0z4PjpEMnTSMHAJ53WxtjzrPAOBnAmPE7hPu4coU+XrCWEXAvRMloJmca68e+zFX7VvFK82KVDuQ99vQ6w4X73IESKoLzyAVxpelwHaDG4fN+zqYfqubVQU1L5cUeYKxqm5r3Us6VvMaYs1ZMUmDGXHOq4FNhGUJYxSjkLvunM6qyAAJQCd6Pw/2TV3UQVerbouGOZaeBLvRguHWSbDrO99Zu+t87w== rundeck_runner
|
||||
|
||||
networking::interface_defaults:
|
||||
ensure: present
|
||||
|
||||
@@ -1,4 +1,31 @@
|
||||
---
|
||||
hiera_include:
|
||||
- keepalived
|
||||
|
||||
# keepalived
|
||||
profiles::haproxy::dns::vrrp_ipaddr: '198.18.13.250'
|
||||
profiles::haproxy::dns::vrrp_cnames:
|
||||
- sonarr.main.unkin.net
|
||||
- radarr.main.unkin.net
|
||||
- lidarr.main.unkin.net
|
||||
- readarr.main.unkin.net
|
||||
- prowlarr.main.unkin.net
|
||||
- nzbget.main.unkin.net
|
||||
|
||||
keepalived::vrrp_script:
|
||||
check_haproxy:
|
||||
script: '/usr/bin/killall -0 haproxy'
|
||||
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
interface: 'eth0'
|
||||
virtual_router_id: 250
|
||||
auth_type: 'PASS'
|
||||
auth_pass: 'quiiK7oo'
|
||||
virtual_ipaddress: '198.18.13.250/32'
|
||||
track_script:
|
||||
- check_haproxy
|
||||
|
||||
# mappings
|
||||
profiles::haproxy::mappings:
|
||||
fe_http:
|
||||
|
||||
@@ -1,2 +1,3 @@
|
||||
---
|
||||
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
|
||||
mysql::db::rundeck::pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcWmZuTro0DNX8X/6DCJdmxm85hawng2cjSm/M26/sAzlr7i3XLIjg5TQc3BpeiKWZvQ2XZWygOEcW7g0bHH7FBS6XTXswDiLCf7ssd0DYL+eQbh4p6VijBKObug33fp4+YJaqGV7YRUNqBjXQv/SSmxFqbNaRahUqwbMidJCyjGNmfCfbSd9WxI4/8j0L38rjXR3/i+/xzgVIhgz/qymmw0rky6jN14YrwRIkdW6loMFzVd12tqdX9kh7UBdE7j58ntQgJSilQn2pLmQs6dgcXSOeIi8Sln4R0MfAtOQ1c6LoKMUdb7k8xEszpGbhX7sw51kpwvnL1LS6PQ+T8T9wDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDm1sAUc6LFtslrIuwk1JlJgDAngDM/0g4dpgyNOZDsvAU8OualEL6HZ2RFGfibteUc11wZzHkdFZlvHz2JZdO7Huo=]
|
||||
|
||||
@@ -13,3 +13,12 @@ mysql::db:
|
||||
- INSERT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
rundeck:
|
||||
name: rundeck
|
||||
user: rundeck
|
||||
password: "%{alias('mysql::db::rundeck::pass')}"
|
||||
grant:
|
||||
- SELECT
|
||||
- INSERT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
|
||||
@@ -5,3 +5,9 @@ networking::interfaces:
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
|
||||
profiles::haproxy::dns::vrrp_master: true
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
state: 'MASTER'
|
||||
priority: 101
|
||||
|
||||
@@ -5,3 +5,8 @@ networking::interfaces:
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
state: 'BACKUP'
|
||||
priority: 100
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.59
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.60
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.61
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.62
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.63
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.64
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.65
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.66
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.67
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.68
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.69
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -8,12 +8,12 @@ profiles::puppet::agent::puppet_version: '7.26.0'
|
||||
hiera_include:
|
||||
- profiles::almalinux::base
|
||||
|
||||
profiles::packages::install:
|
||||
- lzo
|
||||
- network-scripts
|
||||
- policycoreutils
|
||||
- unar
|
||||
- xz
|
||||
profiles::packages::include:
|
||||
lzo: {}
|
||||
network-scripts: {}
|
||||
policycoreutils: {}
|
||||
unar: {}
|
||||
xz: {}
|
||||
|
||||
lm-sensors::package: lm_sensors
|
||||
|
||||
|
||||
@@ -1,15 +1,15 @@
|
||||
# hieradata/os/debian/all_releases.yaml
|
||||
---
|
||||
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
|
||||
profiles::apt::base::mirrorurl: http://edgecache.query.consul/debian/
|
||||
profiles::apt::base::secureurl: http://security.debian.org/debian-security
|
||||
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
|
||||
profiles::apt::puppet7::repo: puppet7
|
||||
profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
|
||||
|
||||
profiles::packages::install:
|
||||
- lzop
|
||||
- python3.11-venv
|
||||
- xz-utils
|
||||
profiles::packages::include:
|
||||
lzop: {}
|
||||
python3.11-venv: {}
|
||||
xz-utils: {}
|
||||
|
||||
lm-sensors::package: lm-sensors
|
||||
networking::nwmgr_dns_none: false
|
||||
|
||||
@@ -59,3 +59,19 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: nzbget
|
||||
disposition: write
|
||||
|
||||
profiles::yum::global::repos:
|
||||
rpmfusion-free:
|
||||
name: rpmfusion-free
|
||||
descr: rpmfusion-free repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
rpmfusion-nonfree:
|
||||
name: rpmfusion-nonfree
|
||||
descr: rpmfusion-nonfree repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
|
||||
@@ -54,3 +54,12 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: prowlarr
|
||||
disposition: write
|
||||
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
arrstack_web_external:
|
||||
location_satisfy: any
|
||||
location_allow:
|
||||
- 198.18.13.47
|
||||
- 198.18.13.50
|
||||
- 198.18.13.51
|
||||
- 198.18.13.52
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
profiles::packages::install:
|
||||
- policycoreutils
|
||||
profiles::packages::include:
|
||||
policycoreutils: {}
|
||||
|
||||
puppetdb::master::config::create_puppet_service_resource: false
|
||||
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
|
||||
|
||||
@@ -52,13 +52,10 @@ glauth::users:
|
||||
uidnumber: 20000
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010
|
||||
- 20011
|
||||
- 20012
|
||||
- 20013
|
||||
- 20014
|
||||
- 20015
|
||||
- 20016
|
||||
- 20025 # media_admin
|
||||
- 20017 # rundeck_access
|
||||
- 20018 # rundeck_globaladmin
|
||||
- 20023 # vault_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/benvin'
|
||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
||||
@@ -72,16 +69,58 @@ glauth::users:
|
||||
uidnumber: 20001
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010
|
||||
- 20011
|
||||
- 20012
|
||||
- 20013
|
||||
- 20014
|
||||
- 20015
|
||||
- 20016
|
||||
- 20025 # media_admin
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/matsol'
|
||||
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
|
||||
seablo:
|
||||
user_name: 'seablo'
|
||||
givenname: 'Sean'
|
||||
sn: 'Bloomfield'
|
||||
mail: 'seablo@users.main.unkin.net'
|
||||
uidnumber: 20002
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/seablo'
|
||||
passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
|
||||
marbal:
|
||||
user_name: 'marbal'
|
||||
givenname: 'Mark'
|
||||
sn: 'Balch'
|
||||
mail: 'marbal@users.main.unkin.net'
|
||||
uidnumber: 20003
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/marbal'
|
||||
passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
|
||||
kelren:
|
||||
user_name: 'kelren'
|
||||
givenname: 'Kelly'
|
||||
sn: 'Rennie'
|
||||
mail: 'kelren@users.main.unkin.net'
|
||||
uidnumber: 20004
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/kelren'
|
||||
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
|
||||
ryadun:
|
||||
user_name: 'ryadun'
|
||||
givenname: 'Dunbar'
|
||||
sn: 'Ryan'
|
||||
mail: 'ryadun@users.main.unkin.net'
|
||||
uidnumber: 20005
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/ryadun'
|
||||
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
|
||||
|
||||
glauth::services:
|
||||
svc_jellyfin:
|
||||
@@ -126,6 +165,32 @@ glauth::services:
|
||||
uidnumber: 30006
|
||||
primarygroup: 20001
|
||||
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
|
||||
svc_nzbsubmit:
|
||||
service_name: 'svc_nzbsubmit'
|
||||
mail: 'nzbsubmit@service.main.unkin.net'
|
||||
uidnumber: 30007
|
||||
primarygroup: 20001
|
||||
othergroups:
|
||||
- 20016
|
||||
passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2'
|
||||
svc_rundeck:
|
||||
service_name: 'svc_rundeck'
|
||||
mail: 'rundeck@service.main.unkin.net'
|
||||
uidnumber: 30007
|
||||
primarygroup: 20001
|
||||
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
|
||||
svc_terraform:
|
||||
service_name: 'svc_terraform'
|
||||
mail: 'terraform@service.main.unkin.net'
|
||||
uidnumber: 30008
|
||||
primarygroup: 20001
|
||||
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
|
||||
svc_vault:
|
||||
service_name: 'svc_vault'
|
||||
mail: 'vault@service.main.unkin.net'
|
||||
uidnumber: 30009
|
||||
primarygroup: 20001
|
||||
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
|
||||
|
||||
glauth::groups:
|
||||
users:
|
||||
@@ -155,3 +220,32 @@ glauth::groups:
|
||||
nzbget_access:
|
||||
group_name: 'nzbget_access'
|
||||
gidnumber: 20016
|
||||
rundeck_access:
|
||||
group_name: 'rundeck_access'
|
||||
gidnumber: 20017
|
||||
rundeck_globaladmin:
|
||||
group_name: 'rundeck_globaladmin'
|
||||
gidnumber: 20018
|
||||
rundeck_selfservice_admin:
|
||||
group_name: 'rundeck_selfservice_admin'
|
||||
gidnumber: 20019
|
||||
rundeck_selfservice_user:
|
||||
group_name: 'rundeck_selfservice_user'
|
||||
gidnumber: 20020
|
||||
rundeck_infrastructure_admin:
|
||||
group_name: 'rundeck_infrastructure_admin'
|
||||
gidnumber: 20021
|
||||
rundeck_infrastructure_user:
|
||||
group_name: 'rundeck_infrastructure_user'
|
||||
gidnumber: 20022
|
||||
vault_access:
|
||||
group_name: 'vault_access'
|
||||
gidnumber: 20023
|
||||
media_access:
|
||||
group_name: 'media_access'
|
||||
gidnumber: 20024
|
||||
includegroups: [20010, 20011, 20012, 20013, 20014, 20016]
|
||||
media_admin:
|
||||
group_name: 'media_admin'
|
||||
gidnumber: 20025
|
||||
includegroups: [20024, 20015]
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -0,0 +1,205 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::rundeck::server
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
hiera_exclude:
|
||||
- profiles::accounts::rundeck
|
||||
|
||||
profiles::packages::exclude:
|
||||
- jq
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::nginx::simpleproxy::proxy_port: 4440
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 20M
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
rundeck:
|
||||
service_name: 'rundeck'
|
||||
tags:
|
||||
- 'automation'
|
||||
- 'rundeck'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'glauth_http_check'
|
||||
name: 'glauth HTTP Check'
|
||||
http: "http://%{facts.networking.fqdn}:4440"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: rundeck
|
||||
disposition: write
|
||||
|
||||
profiles::rundeck::server::mysql_backend: true
|
||||
profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
|
||||
profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
|
||||
profiles::rundeck::server::auth_config:
|
||||
file:
|
||||
auth_flag: 'sufficient'
|
||||
jaas_config:
|
||||
file: '/etc/rundeck/realm.properties'
|
||||
realm_config:
|
||||
admin_user: 'admin'
|
||||
admin_password: "%{hiera('rundeck_admin_pass')}"
|
||||
ldap:
|
||||
jaas_config:
|
||||
debug: 'true'
|
||||
providerUrl: 'ldap://ldap.service.consul:389'
|
||||
bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
bindPassword: "%{hiera('ldap_bindpass')}"
|
||||
authenticationMethod: 'simple'
|
||||
forceBindingLogin: 'true'
|
||||
userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
|
||||
userRdnAttribute: 'uid'
|
||||
userIdAttribute: 'uid'
|
||||
userPasswordAttribute: 'userPassword'
|
||||
userObjectClass: 'posixAccount'
|
||||
roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
|
||||
roleNameAttribute: 'uid'
|
||||
roleMemberAttribute: 'uniqueMember'
|
||||
roleObjectClass: 'groupOfUniqueNames'
|
||||
nestedGroups: 'true'
|
||||
|
||||
profiles::rundeck::server::key_storage_config:
|
||||
- type: 'db'
|
||||
path: 'keys'
|
||||
- type: 'vault-storage'
|
||||
path: 'vault'
|
||||
config:
|
||||
prefix: 'rundeck'
|
||||
address: https://vault.query.consul:8200
|
||||
storageBehaviour: 'vault'
|
||||
secretBackend: rundeck
|
||||
engineVersion: '2'
|
||||
authBackend: approle
|
||||
approleAuthMount: approle
|
||||
approleId: "%{hiera('vault::roleid')}"
|
||||
|
||||
profiles::rundeck::server::cli_projects:
|
||||
Self-Service:
|
||||
update_method: 'set'
|
||||
config:
|
||||
project.description: 'self-service tasks'
|
||||
project.disable.executions: 'false'
|
||||
Infrastructure:
|
||||
config:
|
||||
project.description: 'infrastructure management'
|
||||
project.disable.schedule: 'false'
|
||||
|
||||
profiles::rundeck::server::acl_policies:
|
||||
global_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Global Admin, all access'
|
||||
context:
|
||||
application: "rundeck"
|
||||
for:
|
||||
project:
|
||||
- allow: '*'
|
||||
resource:
|
||||
- allow: '*'
|
||||
storage:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_globaladmin']
|
||||
- description: 'Global Admin, all access'
|
||||
context:
|
||||
project: '.*'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_globaladmin']
|
||||
selfservice_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Admin, all access for Self-Service project'
|
||||
context:
|
||||
project: 'Self-Service'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_selfserice_admin']
|
||||
selfservice_user_policy:
|
||||
acl_policies:
|
||||
- description: 'Users can execute tasks but not edit for Self-Service project'
|
||||
context:
|
||||
project: 'Self-Service'
|
||||
for:
|
||||
resource:
|
||||
- allow: ['read']
|
||||
adhoc:
|
||||
- allow: ['run']
|
||||
job:
|
||||
- allow: ['read', 'run']
|
||||
node:
|
||||
- allow: ['read', 'run']
|
||||
by:
|
||||
- group: ['rundeck_selfserice_user']
|
||||
infrastructure_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Admin, all access for Infrastructure project'
|
||||
context:
|
||||
project: 'Infrastructure'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_infrastructure_admin']
|
||||
infrastructure_user_policy:
|
||||
acl_policies:
|
||||
- description: 'Users can execute tasks but not edit for Infrastructure project'
|
||||
context:
|
||||
project: 'Infrastructure'
|
||||
for:
|
||||
resource:
|
||||
- allow: ['read']
|
||||
adhoc:
|
||||
- allow: ['run']
|
||||
job:
|
||||
- allow: ['read', 'run']
|
||||
node:
|
||||
- allow: ['read', 'run']
|
||||
by:
|
||||
- group: ['rundeck_infrastructure_user']
|
||||
@@ -1,15 +1,15 @@
|
||||
---
|
||||
profiles::packages::install:
|
||||
- cobbler
|
||||
- cobbler3.2-web
|
||||
- httpd
|
||||
- syslinux
|
||||
- dnf-plugins-core
|
||||
- debmirror
|
||||
- pykickstart
|
||||
- fence-agents
|
||||
- selinux-policy-devel
|
||||
- ipxe-bootimgs
|
||||
profiles::packages::include:
|
||||
cobbler: {}
|
||||
cobbler3.2-web: {}
|
||||
httpd: {}
|
||||
syslinux: {}
|
||||
dnf-plugins-core: {}
|
||||
debmirror: {}
|
||||
pykickstart: {}
|
||||
fence-agents: {}
|
||||
selinux-policy-devel: {}
|
||||
ipxe-bootimgs: {}
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- cobbler.main.unkin.net
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
redisha::masterauth: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAV8znsSGAbPpPUhAcyOIWFltVyAcx3yVcIvC+JFndkkuVBT1813GSURrXIreXSilvJEHlwRC03A9NhjWJSsHBIS12uUb+7ap95oh2JJ7OHmeWSVD1GDDRpTQAgDEOikAnioRNJfQ83jUa11nJrsavt46hSq8vDq+rZ2P8ugiNk59mNX5vgYthCPXcEJd7UmpLZhgxZ8+42l4TKo7QpqKRcIMteJXk1NvyYfYGnGTZhknuyHM3xPGauGjKzamMlTzD9dGnn2K0/Q7I4PUyT24ZEG3kNVyDlVHTYcKnIT5q8qvmJdDQfZwOETF3SrzcqhQ2nqFvmI19sCTsQVmveb/2ITBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9KML3vzwF4vGZdtiu++jmgDAWPZspCckgoXPkgNRMePov3pXSlKUAGxwmdsuIM75rJMxlSTiil2lzMMBWXmUofys=]
|
||||
@@ -0,0 +1,67 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- redis.main.unkin.net
|
||||
- redis.service.consul
|
||||
- redis.query.consul
|
||||
- "redis.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- redis.main.unkin.net
|
||||
- redis.service.consul
|
||||
- redis.query.consul
|
||||
|
||||
|
||||
hiera_include:
|
||||
- redisha
|
||||
|
||||
redisha::manage_repo: false
|
||||
redisha::redisha_members_lookup: true
|
||||
redisha::redisha_members_role: roles::infra::db::redis
|
||||
#redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
#redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
|
||||
redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
|
||||
redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
|
||||
redisha::tools::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
|
||||
sudo::configs:
|
||||
consul:
|
||||
priority: 20
|
||||
content: |
|
||||
consul ALL=(ALL) NOPASSWD: /usr/local/sbin/sentineladm info
|
||||
consul::services:
|
||||
redis-replica:
|
||||
service_name: "redis-replica-%{facts.environment}"
|
||||
tags:
|
||||
- 'redis'
|
||||
- 'redis-replica'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 6379
|
||||
checks:
|
||||
- id: 'redis-replica_tcp_check'
|
||||
name: 'Redis Replica TCP Check'
|
||||
tcp: "%{facts.networking.ip}:6379"
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
redis-master:
|
||||
service_name: "redis-master-%{facts.environment}"
|
||||
tags:
|
||||
- 'redis'
|
||||
- 'redis-master'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 6379
|
||||
checks:
|
||||
- id: 'redis-master_tcp_check'
|
||||
name: "Redis Master Check"
|
||||
args:
|
||||
- '/usr/local/bin/check_redis_master'
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: "redis-replica-%{facts.environment}"
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: "redis-master-%{facts.environment}"
|
||||
disposition: write
|
||||
@@ -33,13 +33,6 @@ profiles::dns::resolver::zones:
|
||||
- 10.10.16.32
|
||||
- 10.10.16.33
|
||||
forward: 'only'
|
||||
unkin.net-forward:
|
||||
domain: 'unkin.net'
|
||||
zone_type: 'forward'
|
||||
forwarders:
|
||||
- 10.10.16.32
|
||||
- 10.10.16.33
|
||||
forward: 'only'
|
||||
dmz.unkin.net-forward:
|
||||
domain: 'dmz.unkin.net'
|
||||
zone_type: 'forward'
|
||||
@@ -67,7 +60,6 @@ profiles::dns::resolver::views:
|
||||
recursion: true
|
||||
zones:
|
||||
- main.unkin.net-forward
|
||||
- unkin.net-forward
|
||||
- dmz.unkin.net-forward
|
||||
- network.unkin.net-forward
|
||||
- prod.unkin.net-forward
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
droneci_server::rpc_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF8cEANj72ACYYdilP52Oz4EXVt+stx838tFVV4SFukoCTmN+kJ3GUUEM9x+oDvo17CsZhDzx5dX0JGo7N9MCLHsR4XKx3GSoAKvaSiD73TbzbdTNJgTIE1tRP9HNbJKizwWLo4lo+OUNtwnu0Z5dkMLYRHyvZ1hG24qmdXVn9DI06gVGQw9YXGmNy8AvA0BKnaHvUnE5XoLNVKZ4g1yvc/nkYpK6nLB+X4sZ96PRig7khiuFVvAfpg5c2iWnF13ljIajnG9uY12RyGaAGfH4l/d3UEyuHyQL4zzT8N7gGt8fvg7eNFx51TyEpVRFLyQ7dqq/lzn0moXVT35PQr9K3DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCGJ+rkxhqmyUUiIQLG7PnggDBPH9gyYAW5/XjDp5xd6GnuSt/WWOwOGxhg+1BoPzbV5o+Xufg5zyMVdYeI1MWD/u8=]
|
||||
@@ -0,0 +1,25 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::base::datavol
|
||||
- docker
|
||||
- droneci::runner
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
droneci::runner::ports:
|
||||
- 3000:3000
|
||||
droneci::runner::volumes:
|
||||
- type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock
|
||||
- type=bind,source=/data,target=/data
|
||||
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
|
||||
droneci::runner::env_vars:
|
||||
DRONE_RPC_PROTO: https
|
||||
DRONE_RPC_HOST: droneci.query.consul
|
||||
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
|
||||
DRONE_RUNNER_CAPACITY: 2
|
||||
DRONE_RUNNER_NAME: "%{facts.networking.fqdn}"
|
||||
DRONE_RUNNER_VOLUMES: /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt
|
||||
@@ -0,0 +1,6 @@
|
||||
---
|
||||
droneci_server::gitea_client_secret: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJLcMKV4EevB8V/vjex+Srq47pWLvPozjSb+vjS/crFpKq3/dgtkJ8WkqF98fPnXxkMowP/BpNexJBCmPtTR2pPTKHIYkXjxGax0g3P2gcgeT7wsNl24mnUJDWZs1/z8ibwUXv4Zg0nbKi+YdomjsvT3vl2IPI88TKZDkq6HBoturwqx2l/edC5IeAi8vgPRXF8hn2TVuslkmoNXoI28Qp10b2XNOCss6KUJ4rbOwpIgdOVFbXqi7CFjhGz/3uS9xK+2m3iuE/gXi8KSKfiQ+QcGuXL9Zy5PH5rrNg4mbrFiaFfTevsHInl1wwRmULilQ0kEY3NW4b/URXqBBuwcN/TBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDlv7tA+6OQwDuL7z3xGYZjgEBcEAj3TQ9R9TntxTyBa9mKFRXimFTDDxdZ2zD96qFNz+7ZZFGD6pFQNHSMC9AYlAue94UsIHJZaXwgAo5zc98Q]
|
||||
droneci_server::cookie_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKTWrB7Cca8RgFEeP46puzhVWOAiI6nB+m5+/sgz1qNnn6VgNh9Q6D26p9HISrMp4k60KVuGXrIbZYpkvKZmv4zHgK2et+50sr/F1anhDRX4rsmGWVV9n8VhaIJFAyQkW4de9YxV9LAgk0tWs1BgfXv4cV4+sDBv0OSVIFJDst3LUWpBR6lsiV9IifvNNUrdOHkdt5XjuL4JVmc0nkjetAg9HSvJ9VHYLIQagFHnTQp0FWluE1/ibGNc2kz7D4K7cPz2bBxRJWomckSUwgQK0NrGID4D13haZXhKXAO/8QpQOwPra8vD9FYrFenMeFLwdw43NzSr2g/W1ss5PekbWGjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBASshs2UwkGqK4ShFfXni7cgDCDCnEiqcfxIz4X/Bq71IpRKan3uQbHOewFqjNGqoR+1oWupjRxzNL39H9YF1a6i6s=]
|
||||
droneci_server::database_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEASu4C45TYWZKgIoyqC3YdwYYXn+T+ruP6oIvhYFJ5dxeZ+6HtWbRMViErvpPuWYfgs5qt6Zj9eLz2hqimFCvKiAvzANeZ9hkhw/jkpmvG8iXpDFw6x8QKcPJteRo896KSLiGiVlZfRbgQCGAqiEMw6y6M9CvfCLzE/mZ9gOKjSJVKiioAnXU2fyq0Y0M6g0iLRw0VXl2BVc4ORCnVECARQPo48T3U+TT39q0ar4mRO1AFO0VA5iDJ6/EMPBcH3ekKO/1dB1UbV6VkD3s9BAHGyL5a5Wr6ztg/5Yl6VBCXmECZqpCx8jx8KDUoaj1R/+I83YQxbw9ch76j79haIK6+jzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAh6MmfbUELaWbSNZ9/Dev2gDD/E3G/uYJGXNGl1+PIVwGmi0z2BTXNqg7ax/b/uF5Xc9ZtBSPiSxR6BPRXN3GleNo=]
|
||||
droneci_server::postgres_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANpDnrpratpuYheXFrN4nwRTauPm9rZz2ubDyJlcxmah+kOWqsWIeEkv5GuATlymfAx5UuHPOv3dJPCSK+YuyQY+kGW/8uEFM68QrNi38NdRqEpdXuPBe5+AmWxcjYK3mdJ4maEwsbbxtYJmD8TF6kskS2P/KhnIzYR5PPHZTaYbEf/W5Da3l+J5WnFYpStuLq+86yZokBAygFPI+y/Ic+zJIdhpzVdLyGuqxGLXZq7nNMrjuNyFPKkCj1BBpuJTMCS4oPKCUTlm5hIIeeC2pFREI0CMTV5siZB8NphobPNn/ZbJrcs9q75LtIa47pkFYRbmV4WPctCwZXg6jtMleuzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDHJaChyidZq/5FN5n+ASJWgDCqUcR/DG9e8AD7fRmTb5BZM8XQ77a1hUJoaCycnMQ/5UyKmqU/7fLPrsxCf2vZU1M=]
|
||||
droneci_server::redis_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAYMoZlVXHC1qfkDptPy3PyWGrUs5y9M9AOv5Vn1AK6DYViixhjwPZUCfwTONmt7CiBuqmkDOpR5isWFiBo/+TMeMXlM9C/D+Svc9tpeHLpVaXAYeoz5um2InyBFkLWSaUaWSftF9U7O5Nv/OiLIsd7nn4T8Dd21rfUiRfUN/2HPLMCs+mW15Az9XNOcvfm+kPXDAcB+ukHde0vvtYTZEFWjMdwJjjE43DiCmAoLTcpvQxdlclojotBpFeBLZs/F21FDQ4hvBUvPBMuZ1o7ImSP5fuomYSFK8etbD7JO5gg5BN59lGl1ljyR83phv6wmmqlzB8wQl0pjEpni9o7fa9hTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCKJrkPA78qx3wAu1eroIjRgDA72N9U0YZf1MzACcGSOMU5RGO242RwlIKUrnuYcdC0dKkjLXtP+yVpSKkX5WxcsDQ=]
|
||||
@@ -0,0 +1,79 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- droneci.main.unkin.net
|
||||
- droneci.service.consul
|
||||
- droneci.query.consul
|
||||
- "droneci.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- droneci.main.unkin.net
|
||||
- droneci.service.consul
|
||||
- droneci.query.consul
|
||||
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::sql::postgresdb
|
||||
- droneci
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
profiles::sql::postgresdb::dbname: droneci
|
||||
profiles::sql::postgresdb::dbuser: droneci
|
||||
profiles::sql::postgresdb::dbpass: "%{hiera('droneci_server::postgres_password')}"
|
||||
profiles::sql::postgresdb::members_lookup: true
|
||||
profiles::sql::postgresdb::members_role: roles::infra::droneci::server
|
||||
|
||||
droneci::ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
droneci::volumes:
|
||||
- type=bind,source=/var/lib/drone,target=/data
|
||||
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
|
||||
droneci::env_vars:
|
||||
DRONE_GITEA_SERVER: https://git.query.consul
|
||||
DRONE_GITEA_CLIENT_ID: dda67581-86df-4e65-88ae-1e505b849082
|
||||
DRONE_USER_CREATE: username:unkinben,admin:true
|
||||
DRONE_GITEA_CLIENT_SECRET: "%{hiera('droneci_server::gitea_client_secret')}"
|
||||
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
|
||||
DRONE_SERVER_HOST: droneci.query.consul
|
||||
DRONE_SERVER_PROTO: https
|
||||
DRONE_TLS_CERT: /etc/pki/tls/vault/certificate.crt
|
||||
DRONE_TLS_KEY: /etc/pki/tls/vault/private.key
|
||||
DRONE_COOKIE_SECRET: "%{hiera('droneci_server::cookie_secret')}"
|
||||
DRONE_COOKIE_TIMEOUT: 720h
|
||||
DRONE_HTTP_SSL_REDIRECT: true
|
||||
DRONE_HTTP_SSL_TEMPORARY_REDIRECT: true
|
||||
DRONE_HTTP_SSL_HOST: droneci.query.consul
|
||||
DRONE_LOGS_TEXT: true
|
||||
DRONE_LOGS_PRETTY: true
|
||||
DRONE_LOGS_COLOR: true
|
||||
DRONE_DATABASE_SECRET: "%{hiera('droneci_server::database_secret')}"
|
||||
DRONE_DATABASE_DRIVER: postgres
|
||||
DRONE_DATABASE_DATASOURCE: "postgres://droneci:%{hiera('droneci_server::postgres_password')}@master.patroni-prod.service.au-syd1.consul:5432/droneci?sslmode=disable"
|
||||
DRONE_REDIS_CONNECTION: "redis://%{hiera('droneci_server::redis_password')}@redis-master-prod.service.au-syd1.consul:6379/2"
|
||||
|
||||
consul::services:
|
||||
droneci:
|
||||
service_name: 'droneci'
|
||||
tags:
|
||||
- 'drone'
|
||||
- 'droneci'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'droneci_https_check'
|
||||
name: 'droneci HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: droneci
|
||||
disposition: write
|
||||
@@ -41,7 +41,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- "git.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 3000
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 250M
|
||||
nginx::client_max_body_size: 1024M
|
||||
|
||||
profiles::gitea::init::root:
|
||||
APP_NAME: 'Gitea'
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
profiles::gitea::runner::registration_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOL/ug4IPhEW1n+Lq+SsMSEJUYsDDK2s0+oNF3unxcbH3QDqWo7kuYKkDWQ+W3otcxvuRlbC8+0W2fO2udhF7sSGrF93INsTCDqWlLnaaAgxlgNSXthA4OCJlI8DCLeD/Sr0TTCchUdpQrIpDo6Gh0EUjgRv5574q26or7c/vvtQ4nfLVQOqEV9UpsCgEYiQvXVcf55LEpgaDp4mFL0qCnfzDnGNbZ0GUo6552ka19IocqOqILPnZO0qDcEoLbQ90sP197+5Jw611i1Akx1C4lFP81bazFMpbdiEP0V4Ax+33LfZEb0KnXuMbKOF23vIwwwfpFJaSOAjA5YehA3xM2zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDPJHB2uL+VEyntgZocyoMXgDBJ1dnRWiJM77XomzbNdDUO+ktIHLOTL5do0m4CkXZ1s42KtaAwWL+/EGdxg80UMC8=]
|
||||
@@ -0,0 +1,46 @@
|
||||
---
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::gitea::runner
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
profiles::gitea::runner::home: /data/runner
|
||||
profiles::gitea::runner::version: '0.2.10'
|
||||
profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
|
||||
profiles::gitea::runner::config:
|
||||
log:
|
||||
level: info
|
||||
runner:
|
||||
file: "%{hiera('profiles::gitea::runner::home')}/.runner"
|
||||
capacity: 2
|
||||
envs:
|
||||
A_TEST_ENV_NAME_1: a_test_env_value_1
|
||||
A_TEST_ENV_NAME_2: a_test_env_value_2
|
||||
env_file: .env
|
||||
timeout: 3h
|
||||
insecure: false
|
||||
fetch_timeout: 5s
|
||||
fetch_interval: 2s
|
||||
labels:
|
||||
- "almalinux-latest"
|
||||
- "almalinux-8:docker"
|
||||
- "almalinux-8.10:docker"
|
||||
cache:
|
||||
enabled: true
|
||||
dir: "%{hiera('profiles::gitea::runner::home')}/.cache/actcache"
|
||||
host: ""
|
||||
port: 0
|
||||
external_server: ""
|
||||
container:
|
||||
network: ""
|
||||
privileged: false
|
||||
options:
|
||||
workdir_parent: /workspace
|
||||
valid_volumes: []
|
||||
docker_host: ""
|
||||
force_pull: true
|
||||
force_rebuild: false
|
||||
host:
|
||||
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
|
||||
@@ -9,4 +9,5 @@ profiles::metrics::server::scrape_jobs:
|
||||
- puppetdb
|
||||
- systemd
|
||||
- haproxy
|
||||
- postgres
|
||||
profiles::metrics::server::localstorage: /data/prometheus
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
---
|
||||
profiles::packages::install:
|
||||
- puppetserver
|
||||
profiles::packages::include:
|
||||
puppetserver: {}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
profiles::packages::install:
|
||||
- createrepo
|
||||
profiles::packages::include:
|
||||
createrepo: {}
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- repos.main.unkin.net
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
profiles::sql::patroni::superuser_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAImaYEH6ktU6KYDu96OtuJu11FbmE+b9YwrkJiv72QfuVivR7lGfieRKcvkrq3IsNcwhhnl1lzyMZHteib7jLEIiaq59AZFiZyfF2E5bhNYfW4QcDJd4QOheU2awkZkl6oaoMUxgWOnqvihYVLDfoJ0lj6hBTFuqIzO/KU+AJ4NMO3+/+AK9+HB0u/8Iyuev4RQBkvaRAoszCcFCWTAZJTmhOgWe4xJIxfbh0/5k/dmT5WQ1JPEQK7hnVly9iToROZJDjuyndNHbrhCQUg4+DYMPS2fZVWvcESfxN8lJjBFPojj9ZbG5mLlq1e4A4KiZNwHfA1V4D88VWOkRg65XtZDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBzToImdK5/pk3UeZPyavjTgDCcYBzwY/g353Pbh0xr/we8KmvsQEtfxPDuPm4Kv4hsD5X0dHu2nGzBAZq5uWcE3RE=]
|
||||
profiles::sql::patroni::replication_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWyCj+7WfzpTcpBg6uQ5ykGmLZmb/avW3Pc+VWj9bGvxSQCA8LA6HJlEhhL3mrJSTGUyHLgeEebEup9AVHe2k2l/JHIvhyfx7LI+mNDp8u5p40pM6ZxTdIJFOZmOS/nGjAR6mTv6Ennhpw4sWSDYXU0mJPTHGAked2FXV1xsS0zpTY7hccJHuww5ixOw6jP8E1Pu0ex4LmefOXApowf0jZ2pARndlsXwZldahUHIF48XejclpgCK9rTrb4eQsOZr5ozcj0BBpWg/JKNkQt8mQU5l5/z0GDT08Op8g6MVdJuOWr92uPqjc8sydrz0QAx4l8t1KY2fMWK7BPKqSdcOxiDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDEZBNd56BHVGRVfHDPPwZHgDAZKnqicbF/MVKPi1PwwyHrXMW/fWqocgr1zWx6RXWgXICqjJdEFXwFerXXb39RSDg=]
|
||||
profiles::sql::patroni::postgres_exporter_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAL5brQt9CGFU7okDXZWF1jL1j+RbrQZhKfzGWyWl+SqRK6q+xH0LIzYQhOAji7tlDBzvFZpzglmzj0xDrAkQA46jg1DkR5+9Ozru9jL1nhg/6z/F54DlhAG7Ui0hjgSLal79VABLXa/cb9xJThx97b9xoOW+/vpfSKa4izFtkN9fliClFTVafxLlLLD/yABW99aq1OK+9MyCsppvs/rjWbXvjEKL+C0jawh4dBnc+tYJMHC/k5NIK0th4A/zSYVH5q6gFakpxrV2ubETIbVTDncC8zfRLhnrikZYNbCy5PuJb2a4vW1O0AOzUWqvqbRkWpYF7dJB9fzW/Tu8f8d10KTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAJS5PcA9aJvjGIfKSciLLpgDAU7xXGF+Sj+g1ABMvsenEmgXsdSKVU9ZYusIiGnPdFdN4EF9usi7g4SahochlG0NU=]
|
||||
@@ -0,0 +1,28 @@
|
||||
---
|
||||
profiles::yum::global::repos:
|
||||
postgresql-15:
|
||||
name: postgresql-15
|
||||
descr: postgresql-15 repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
postgresql-common:
|
||||
name: postgresql-common
|
||||
descr: postgresql-common repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
|
||||
profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
|
||||
profiles::sql::patroni::postgres_exporter_enabled: true
|
||||
profiles::sql::patroni::postgres_exporter_user: postgres_exporter
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service_prefix
|
||||
segment: "%{hiera('profiles::sql::patroni::cluster_name')}"
|
||||
disposition: write
|
||||
- resource: key_prefix
|
||||
segment: "service/%{hiera('profiles::sql::patroni::cluster_name')}"
|
||||
disposition: write
|
||||
- resource: session_prefix
|
||||
segment: ""
|
||||
disposition: write
|
||||
@@ -89,3 +89,9 @@ profiles::consul::prepared_query::rules:
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
droneci:
|
||||
ensure: 'present'
|
||||
service_name: 'droneci'
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
|
||||
@@ -125,12 +125,12 @@ profiles::edgecache::params::mirrors:
|
||||
ensure: present
|
||||
location: '~* ^/ceph/yum/.*/repodata/'
|
||||
rewrite_rules:
|
||||
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
|
||||
- '^/ceph/yum/(.*)$ /rpm-18.2.2/$1 break'
|
||||
proxy: http://158.69.68.124
|
||||
ceph_yum_data:
|
||||
ensure: present
|
||||
location: /ceph/yum
|
||||
proxy: http://158.69.68.124/rpm-reef
|
||||
proxy: http://158.69.68.124/rpm-18.2.2
|
||||
proxy_cache: cache
|
||||
proxy_cache_valid:
|
||||
- '200 302 1440h'
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
---
|
||||
profiles::packages::install:
|
||||
- "%{hiera('lm-sensors::package')}"
|
||||
profiles::packages::include:
|
||||
"%{hiera('lm-sensors::package')}": {}
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
class droneci (
|
||||
Hash $env_vars = {},
|
||||
String $docker_image = 'drone/drone:2',
|
||||
Array[String] $ports = [],
|
||||
Array[String] $volumes = [],
|
||||
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci',
|
||||
) {
|
||||
|
||||
# Create the environment file from a template
|
||||
file { $env_file:
|
||||
ensure => file,
|
||||
content => template('droneci/droneci_env.erb'),
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
# Define the systemd service for Drone CI
|
||||
systemd::unit_file { 'droneci.service':
|
||||
ensure => present,
|
||||
content => template('droneci/droneci_service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => File[$env_file],
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,24 @@
|
||||
class droneci::runner (
|
||||
Hash $env_vars = {},
|
||||
String $docker_image = 'drone/drone-runner-docker:1',
|
||||
Array[String] $ports = [],
|
||||
Array[String] $volumes = [],
|
||||
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci_runner',
|
||||
) {
|
||||
|
||||
# Create the environment file from a template
|
||||
file { $env_file:
|
||||
ensure => file,
|
||||
content => template('droneci/droneci_env.erb'),
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
# Define the systemd service for Drone CI runner
|
||||
systemd::unit_file { 'droneci-runner.service':
|
||||
ensure => present,
|
||||
content => template('droneci/droneci_runner_service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => File[$env_file],
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
<% @env_vars.each do |key, value| -%>
|
||||
<%= key.upcase %>=<%= value %>
|
||||
<% end -%>
|
||||
@@ -0,0 +1,20 @@
|
||||
[Unit]
|
||||
Description=Drone CI Runner
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/docker run --rm \
|
||||
--name=drone-runner \
|
||||
<% @ports.each do |port| -%>
|
||||
-p <%= port %> \
|
||||
<% end -%>
|
||||
<% @volumes.each do |volume| -%>
|
||||
--mount <%= volume %> \
|
||||
<% end -%>
|
||||
--env-file <%= @env_file %> \
|
||||
<%= @docker_image %>
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,20 @@
|
||||
[Unit]
|
||||
Description=Drone CI Service
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/docker run --rm \
|
||||
--name=drone \
|
||||
<% @ports.each do |port| -%>
|
||||
-p <%= port %> \
|
||||
<% end -%>
|
||||
<% @volumes.each do |volume| -%>
|
||||
--mount <%= volume %> \
|
||||
<% end -%>
|
||||
--env-file <%= @env_file %> \
|
||||
<%= @docker_image %>
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -6,7 +6,12 @@ define glauth::obj::service (
|
||||
Integer $primarygroup,
|
||||
String $passsha256,
|
||||
Stdlib::Absolutepath $config_path,
|
||||
Optional[Array[Integer]] $othergroups = [],
|
||||
) {
|
||||
$formatted_othergroups = $othergroups.empty ? {
|
||||
true => '[]',
|
||||
false => "[${othergroups.join(', ')}]",
|
||||
}
|
||||
concat::fragment { "glauth_service_${service_name}":
|
||||
target => $config_path,
|
||||
content => epp('glauth/obj/service.epp', {
|
||||
@@ -15,6 +20,7 @@ define glauth::obj::service (
|
||||
'uidnumber' => $uidnumber,
|
||||
'primarygroup' => $primarygroup,
|
||||
'passsha256' => $passsha256,
|
||||
'othergroups' => $formatted_othergroups,
|
||||
}),
|
||||
order => '80',
|
||||
}
|
||||
|
||||
@@ -20,20 +20,7 @@ define glauth::obj::user (
|
||||
}
|
||||
concat::fragment { "glauth_user_${user_name}":
|
||||
target => $config_path,
|
||||
content => epp('glauth/obj/user.epp', {
|
||||
'name' => $user_name,
|
||||
'givenname' => $givenname,
|
||||
'sn' => $sn,
|
||||
'mail' => $mail,
|
||||
'uidnumber' => $uidnumber,
|
||||
'primarygroup' => $primarygroup,
|
||||
'loginshell' => $loginshell,
|
||||
'homedir' => $homedir,
|
||||
'passsha256' => $passsha256,
|
||||
'sshkeys' => $sshkeys,
|
||||
'passappsha256' => $passappsha256,
|
||||
'othergroups' => $formatted_othergroups,
|
||||
}),
|
||||
content => template('glauth/obj/user.erb'),
|
||||
order => '70',
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
[[groups]]
|
||||
name = "<%= $name %>"
|
||||
gidnumber = <%= $gidnumber %>
|
||||
<% if $includegroups.length > 0 { %>includegroups = [<% $includegroups.each |Integer $group| { %><%= $group %>, <% } %>]<% } %>
|
||||
<% if $includegroups.length > 0 { %>includegroups = [<%= $includegroups.join(', ') %>]<% } %>
|
||||
|
||||
|
||||
@@ -4,4 +4,5 @@
|
||||
uidnumber = <%= $uidnumber %>
|
||||
primarygroup = <%= $primarygroup %>
|
||||
passsha256 = "<%= $passsha256 %>"
|
||||
othergroups = <%= $othergroups %>
|
||||
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
[[users]]
|
||||
name = "<%= $name %>"
|
||||
<% if $givenname != '' { %>givenname = "<%= $givenname %>"<% } %>
|
||||
<% if $sn != '' { %>sn = "<%= $sn %>"<% } %>
|
||||
mail = "<%= $mail %>"
|
||||
uidnumber = <%= $uidnumber %>
|
||||
primarygroup = <%= $primarygroup %>
|
||||
<% if $loginshell != '' { %>loginShell = "<%= $loginshell %>"<% } %>
|
||||
<% if $homedir != '' { %>homeDir = "<%= $homedir %>"<% } %>
|
||||
passsha256 = "<%= $passsha256 %>"
|
||||
<% if $sshkeys.length > 0 { %>sshkeys = [<% $sshkeys.each |String $key| { %>"<%= $key %>", <% } %>]<% } %>
|
||||
<% if $passappsha256.length > 0 { %>passappsha256 = [<% $passappsha256.each |String $pass| { %>"<%= $pass %>", <% } %>]<% } %>
|
||||
othergroups = <%= $othergroups %>
|
||||
|
||||
@@ -0,0 +1,26 @@
|
||||
[[users]]
|
||||
name = "<%= @user_name %>"
|
||||
<% if @givenname != '' -%>
|
||||
givenname = "<%= @givenname %>"
|
||||
<% end -%>
|
||||
<% if @sn != '' -%>
|
||||
sn = "<%= @sn %>"
|
||||
<% end -%>
|
||||
mail = "<%= @mail %>"
|
||||
uidnumber = <%= @uidnumber %>
|
||||
primarygroup = <%= @primarygroup %>
|
||||
<% if @loginshell != '' -%>
|
||||
loginShell = "<%= @loginshell %>"
|
||||
<% end -%>
|
||||
<% if @homedir != '' -%>
|
||||
homeDir = "<%= @homedir %>"
|
||||
<% end -%>
|
||||
passsha256 = "<%= @passsha256 %>"
|
||||
<% if @sshkeys.length > 0 -%>
|
||||
sshkeys = [<%= @sshkeys.map { |key| "\"#{key}\"" }.join(', ') %>]
|
||||
<% end -%>
|
||||
<% if @passappsha256.length > 0 -%>
|
||||
passappsha256 = [<%= @passappsha256.map { |pass| "\"#{pass}\"" }.join(', ') %>]
|
||||
<% end -%>
|
||||
othergroups = <%= @formatted_othergroups %>
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add(:psql_is_slave) do
|
||||
confine enc_role: 'roles::infra::sql::patroni'
|
||||
setcode do
|
||||
# Command to check if PostgreSQL is in recovery mode
|
||||
command = 'sudo -iu postgres psql -tAc "select pg_is_in_recovery()"'
|
||||
|
||||
# Execute the command and map the output to a boolean value
|
||||
{ 't' => true, 'f' => false }[Facter::Core::Execution.execute(command, on_fail: nil)]
|
||||
end
|
||||
end
|
||||
@@ -8,4 +8,6 @@ class nzbget::params (
|
||||
Boolean $manage_group = true,
|
||||
Stdlib::Host $bind_address = '127.0.0.1',
|
||||
Stdlib::Port $port = 6789,
|
||||
Boolean $service_enable = true,
|
||||
String $service_name = 'nzbget',
|
||||
) { }
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
# manage RedisHA
|
||||
class redisha (
|
||||
Boolean $manage_repo = $redisha::params::manage_repo,
|
||||
Boolean $redisha_members_lookup = $redisha::params::redisha_members_lookup,
|
||||
Optional[String] $redisha_members_role = $redisha::params::redisha_members_role,
|
||||
Array $redisha_servers = $redisha::params::redisha_servers,
|
||||
) inherits redisha::params {
|
||||
|
||||
include redisha::redis
|
||||
include redisha::sentinel
|
||||
include redisha::tools
|
||||
|
||||
Class['redisha::redis'] -> Class['redisha::sentinel'] -> Class['redisha::tools']
|
||||
}
|
||||
@@ -0,0 +1,25 @@
|
||||
class redisha::params (
|
||||
Boolean $redisha_members_lookup = false,
|
||||
Optional[String] $redisha_members_role = undef,
|
||||
Array $redisha_servers = [],
|
||||
|
||||
# both
|
||||
Stdlib::Host $redis_host = $facts['networking']['ip'],
|
||||
Stdlib::Port $redis_port = 6379,
|
||||
Optional[String] $requirepass = undef,
|
||||
|
||||
# redis
|
||||
Optional[String] $dnf_module_stream = '6',
|
||||
Integer[1] $databases = 16,
|
||||
Optional[Variant[String, Sensitive[String], Deferred]] $masterauth = $redisha::params::requirepass,
|
||||
|
||||
# sentinel
|
||||
String[1] $master_name = 'mymaster',
|
||||
Optional[Variant[String, Sensitive[String]]] $auth_pass = $redisha::params::requirepass,
|
||||
Integer[1] $quorum = 2,
|
||||
Enum['yes', 'no'] $sentinel_resolve_hostnames = 'yes',
|
||||
Enum['yes', 'no'] $sentinel_announce_hostnames = 'yes',
|
||||
Stdlib::Host $sentinel_announce_ip = $facts['networking']['ip'],
|
||||
Array[Stdlib::IP::Address] $sentinel_bind = [$facts['networking']['ip']],
|
||||
Stdlib::Port $sentinel_port = 26379,
|
||||
){}
|
||||
@@ -0,0 +1,59 @@
|
||||
class redisha::redis (
|
||||
Boolean $manage_repo = $redisha::manage_repo,
|
||||
Boolean $redisha_members_lookup = $redisha::redisha_members_lookup,
|
||||
Optional[String] $redisha_members_role = $redisha::redisha_members_role,
|
||||
Array $redisha_servers = $redisha::redisha_servers,
|
||||
Stdlib::Host $redis_host = $redisha::params::redis_host,
|
||||
Stdlib::Port $redis_port = $redisha::params::redis_port,
|
||||
Optional[String] $requirepass = $redisha::params::requirepass,
|
||||
Optional[String] $dnf_module_stream = $redisha::params::dnf_module_stream,
|
||||
Integer[1] $databases = $redisha::params::databases,
|
||||
Optional[Variant[String, Sensitive[String], Deferred]] $masterauth = $redisha::params::masterauth,
|
||||
) inherits redisha::params {
|
||||
|
||||
# if lookup is enabled
|
||||
if $redisha_members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($redisha_members_role == undef) {
|
||||
fail("redisha_members_role must be provided for ${title} when redisha_members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $redisha_servers
|
||||
}
|
||||
|
||||
|
||||
if length($servers_array) >= 3 {
|
||||
|
||||
# check if this is the master_node
|
||||
if $servers_array[0] == $::facts['networking']['fqdn'] {
|
||||
class { 'redis':
|
||||
bind => $redis_host,
|
||||
port => $redis_port,
|
||||
databases => $databases,
|
||||
requirepass => $requirepass,
|
||||
masterauth => $masterauth,
|
||||
dnf_module_stream => $dnf_module_stream,
|
||||
ulimit_managed => false,
|
||||
}
|
||||
}else{
|
||||
class { 'redis':
|
||||
bind => $redis_host,
|
||||
port => $redis_port,
|
||||
databases => $databases,
|
||||
requirepass => $requirepass,
|
||||
masterauth => $masterauth,
|
||||
dnf_module_stream => $dnf_module_stream,
|
||||
ulimit_managed => false,
|
||||
replicaof => "${servers_array[0]} ${redis_port}",
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,49 @@
|
||||
class redisha::sentinel (
|
||||
Boolean $redisha_members_lookup = $redisha::redisha_members_lookup,
|
||||
Optional[String] $redisha_members_role = $redisha::redisha_members_role,
|
||||
Array $redisha_servers = $redisha::redisha_servers,
|
||||
Stdlib::Port $redis_port = $redisha::params::redis_port,
|
||||
Optional[String] $requirepass = $redisha::params::requirepass,
|
||||
String[1] $master_name = $redisha::params::master_name,
|
||||
Optional[Variant[String, Sensitive[String]]] $auth_pass = $redisha::params::auth_pass,
|
||||
Integer[1] $quorum = $redisha::params::quorum,
|
||||
Enum['yes', 'no'] $sentinel_resolve_hostnames = $redisha::params::sentinel_resolve_hostnames,
|
||||
Enum['yes', 'no'] $sentinel_announce_hostnames = $redisha::params::sentinel_announce_hostnames,
|
||||
Stdlib::Host $sentinel_announce_ip = $redisha::params::sentinel_announce_ip,
|
||||
Array[Stdlib::IP::Address] $sentinel_bind = $redisha::params::sentinel_bind,
|
||||
Stdlib::Port $sentinel_port = $redisha::params::sentinel_port,
|
||||
) inherits redisha::params {
|
||||
|
||||
# if lookup is enabled
|
||||
if $redisha_members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($redisha_members_role == undef) {
|
||||
fail("redisha_members_role must be provided for ${title} when redisha_members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $redisha_servers
|
||||
}
|
||||
|
||||
if length($servers_array) >= 3 {
|
||||
|
||||
class { 'redis::sentinel':
|
||||
master_name => $master_name,
|
||||
redis_host => $servers_array[0],
|
||||
redis_port => $redis_port,
|
||||
requirepass => $requirepass,
|
||||
auth_pass => $auth_pass,
|
||||
quorum => $quorum,
|
||||
sentinel_resolve_hostnames => $sentinel_resolve_hostnames,
|
||||
sentinel_announce_ip => $sentinel_announce_ip,
|
||||
sentinel_announce_hostnames => $sentinel_announce_hostnames,
|
||||
sentinel_port => $sentinel_port,
|
||||
sentinel_bind => $sentinel_bind,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,35 @@
|
||||
class redisha::tools (
|
||||
Stdlib::Host $redis_host = $redisha::params::redis_host,
|
||||
Stdlib::Port $redis_port = $redisha::params::redis_port,
|
||||
Stdlib::Port $sentinel_port = $redisha::params::sentinel_port,
|
||||
Optional[String] $requirepass = $redisha::params::requirepass,
|
||||
) inherits redisha::params {
|
||||
|
||||
# add command to automate redis-cli commands against redis
|
||||
file {'/usr/local/sbin/redisadm':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0700',
|
||||
content => template('redisha/redisadm.erb'),
|
||||
}
|
||||
|
||||
# add command to automate redis-cli commands against sentinel
|
||||
file {'/usr/local/sbin/sentineladm':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0700',
|
||||
content => template('redisha/sentineladm.erb'),
|
||||
}
|
||||
|
||||
# add command to check if current host is the redis master
|
||||
file {'/usr/local/bin/check_redis_master':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
content => template('redisha/check_redis_master.erb'),
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
#!/usr/bin/bash
|
||||
sudo /usr/local/sbin/sentineladm info | grep -q <%= @facts['networking']['fqdn'] %>
|
||||
@@ -0,0 +1,9 @@
|
||||
#!/usr/bin/bash
|
||||
REDIS_HOST=<%= @redis_host %>
|
||||
REDIS_PORT=<%= @redis_port %>
|
||||
|
||||
if [ $# -gt 0 ]; then
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" "$@"
|
||||
else
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT"
|
||||
fi
|
||||
@@ -0,0 +1,9 @@
|
||||
#!/usr/bin/bash
|
||||
REDIS_HOST=<%= @redis_host %>
|
||||
SENTINEL_PORT=<%= @sentinel_port %>
|
||||
|
||||
if [ $# -gt 0 ]; then
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$SENTINEL_PORT" "$@"
|
||||
else
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$SENTINEL_PORT"
|
||||
fi
|
||||
@@ -0,0 +1,14 @@
|
||||
# create the rundeck user
|
||||
class profiles::accounts::rundeck (
|
||||
Array[String] $sshkeys = [],
|
||||
){
|
||||
profiles::base::account {'rundeck':
|
||||
username => 'rundeck',
|
||||
uid => 1100,
|
||||
gid => 1100,
|
||||
groups => ['adm', 'admins', 'systemd-journal'],
|
||||
sshkeys => $sshkeys,
|
||||
require => Group['admins'],
|
||||
system => true,
|
||||
}
|
||||
}
|
||||
@@ -1,5 +1,7 @@
|
||||
# profiles::firstrun::packages
|
||||
class profiles::firstrun::packages {
|
||||
class profiles::firstrun::packages (
|
||||
Hash $manage = lookup('profiles::packages::include'),
|
||||
) {
|
||||
# include the correct package repositories, define the install_packages exec
|
||||
case $facts['os']['family'] {
|
||||
'RedHat': {
|
||||
@@ -15,8 +17,13 @@ class profiles::firstrun::packages {
|
||||
}
|
||||
}
|
||||
|
||||
# filter out packages with 'ensure' set to 'absent'
|
||||
$packages_to_install = $manage.filter |$package, $options| {
|
||||
!($options['ensure'] and $options['ensure'] == 'absent')
|
||||
}
|
||||
|
||||
# get all the packages to install, and convert into a space separated list
|
||||
$packages = hiera_array('profiles::packages::install', [])
|
||||
$packages = $packages_to_install.keys
|
||||
$package_list = $packages.join(' ')
|
||||
|
||||
# install all the packages
|
||||
|
||||
@@ -0,0 +1,73 @@
|
||||
# profiles::gitea::init
|
||||
class profiles::gitea::runner (
|
||||
String $registration_token,
|
||||
Stdlib::HTTPSUrl $source,
|
||||
String $user = 'runner',
|
||||
String $group = 'runner',
|
||||
Stdlib::Absolutepath $home = '/data/runner',
|
||||
Hash $config = {},
|
||||
Stdlib::HTTPSUrl $instance = 'https://git.query.consul',
|
||||
String $version = '0.2.10',
|
||||
) {
|
||||
|
||||
group { $group:
|
||||
ensure => 'present',
|
||||
}
|
||||
|
||||
user { $user:
|
||||
ensure => 'present',
|
||||
home => $home,
|
||||
managehome => true,
|
||||
forcelocal => true,
|
||||
groups => ['docker'],
|
||||
gid => $group,
|
||||
require => Group[$group],
|
||||
}
|
||||
|
||||
file { "${home}/config.yaml":
|
||||
ensure => file,
|
||||
content => to_yaml($config),
|
||||
owner => $user,
|
||||
group => $group,
|
||||
require => User[$user],
|
||||
}
|
||||
|
||||
archive { '/usr/local/bin/act_runner':
|
||||
ensure => present,
|
||||
extract => false,
|
||||
source => $source,
|
||||
creates => '/usr/local/bin/act_runner',
|
||||
cleanup => true,
|
||||
}
|
||||
|
||||
file { '/usr/local/bin/act_runner':
|
||||
ensure => 'file',
|
||||
mode => '0755',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
require => Archive['/usr/local/bin/act_runner'],
|
||||
}
|
||||
|
||||
exec {'register_act_runner':
|
||||
command => "/usr/local/bin/act_runner register \
|
||||
--no-interactive \
|
||||
--instance ${instance} \
|
||||
--token ${registration_token} \
|
||||
--name ${facts['networking']['hostname']} \
|
||||
--config ${home}/config.yaml",
|
||||
creates => "${home}/.runner",
|
||||
cwd => $home,
|
||||
user => $user,
|
||||
group => $group,
|
||||
require => [
|
||||
File['/usr/local/bin/act_runner'],
|
||||
File["${home}/config.yaml"],
|
||||
],
|
||||
}
|
||||
|
||||
systemd::unit_file {'act_runner.service':
|
||||
enable => true,
|
||||
active => true,
|
||||
content => template('profiles/gitea/act_runner.service.erb'),
|
||||
}
|
||||
}
|
||||
@@ -1,5 +1,8 @@
|
||||
# profiles::haproxy::dns
|
||||
class profiles::haproxy::dns (
|
||||
Stdlib::IP::Address $vrrp_ipaddr,
|
||||
Boolean $vrrp_master = false,
|
||||
Array[Stdlib::Fqdn] $vrrp_cnames = [],
|
||||
Array[Stdlib::Fqdn] $cnames = [],
|
||||
Integer $order = 10,
|
||||
){
|
||||
@@ -24,4 +27,25 @@ class profiles::haproxy::dns (
|
||||
order => $order,
|
||||
}
|
||||
}
|
||||
|
||||
# export a/cnames for haproxy applications
|
||||
if $vrrp_master {
|
||||
profiles::dns::record { "${facts['networking']['fqdn']}_vrrp_${location_environment}-halb-vrrp":
|
||||
value => $vrrp_ipaddr,
|
||||
type => 'A',
|
||||
record => "${location_environment}-halb-vrrp",
|
||||
zone => $::facts['networking']['domain'],
|
||||
order => $order,
|
||||
}
|
||||
|
||||
$vrrp_cnames.each |$cname| {
|
||||
profiles::dns::record { "${::facts['networking']['fqdn']}_${cname}_CNAME":
|
||||
value => "${location_environment}-halb-vrrp",
|
||||
type => 'CNAME',
|
||||
record => "${cname}.",
|
||||
zone => $::facts['networking']['domain'],
|
||||
order => $order,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,7 @@ class profiles::media::jellyfin (
|
||||
Stdlib::Absolutepath $cache_dir = '/data/jellyfin/var/cache',
|
||||
Stdlib::Absolutepath $config_dir = '/data/jellyfin/etc',
|
||||
Stdlib::Absolutepath $log_dir = '/data/jellyfin/var/log',
|
||||
Stdlib::Absolutepath $ffmpeg_path = '/usr/local/bin/ffmpeg',
|
||||
Stdlib::Absolutepath $sysconfig_file = '/etc/sysconfig/jellyfin',
|
||||
Stdlib::Absolutepath $migration_flag = '/etc/sysconfig/jellyfin_migration_done',
|
||||
String $service_name = 'jellyfin',
|
||||
|
||||
@@ -1,23 +1,19 @@
|
||||
# This class manages the installation of packages for the base profile
|
||||
#
|
||||
# Parameters:
|
||||
# - $install: An array of package names to be installed
|
||||
# - $remove: An array of package names to be removed
|
||||
# - $include: A hash of package names to be managed
|
||||
# - $exclude: An array of package names to be removed from managed hash
|
||||
#
|
||||
class profiles::packages (
|
||||
Array $install = [],
|
||||
Array $install_exclude = [],
|
||||
Array $remove = [],
|
||||
Array $remove_exclude = [],
|
||||
Hash $include = {},
|
||||
Array[String] $exclude = [],
|
||||
) {
|
||||
|
||||
# Filter out excluded packages
|
||||
$install_real = $install.filter |$item| { !$install_exclude.any |$exclude_item| { $exclude_item == $item } }
|
||||
$remove_real = $remove.filter |$item| { !$remove_exclude.any |$exclude_item| { $exclude_item == $item } }
|
||||
# Filter the include hash to remove the packages listed in exclude
|
||||
$filtered_include = filter($include) |$key, $value| {
|
||||
!($key in $exclude)
|
||||
}
|
||||
|
||||
# Ensure packages to install are installed
|
||||
ensure_packages($install_real, {'ensure' => 'present'})
|
||||
|
||||
# Ensure packages to remove are absent
|
||||
ensure_packages($remove_real, {'ensure' => 'absent'})
|
||||
# Manage packages
|
||||
ensure_packages($filtered_include)
|
||||
}
|
||||
|
||||
@@ -24,6 +24,19 @@ class profiles::puppet::puppetdb_api (
|
||||
|
||||
contain ::puppetdb::server
|
||||
|
||||
# generate the minute for the cron job using fqdn_rand
|
||||
$random_minute = fqdn_rand(60)
|
||||
|
||||
# create cron task to restart the puppetdb service daily at 3am
|
||||
cron { 'restart_puppetdb':
|
||||
ensure => 'present',
|
||||
user => 'root',
|
||||
command => '/bin/systemctl restart puppetdb',
|
||||
minute => $random_minute,
|
||||
hour => '3',
|
||||
require => Service['puppetdb'],
|
||||
}
|
||||
|
||||
class { 'prometheus::puppetdb_exporter':
|
||||
puppetdb_url => "http://${listen_address}:8080/pdb/query",
|
||||
export_scrape_job => true,
|
||||
|
||||
@@ -71,14 +71,55 @@ class profiles::puppet::server (
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
}
|
||||
# generate puppet types when restarting
|
||||
systemd::manage_dropin { 'generate_types.conf':
|
||||
ensure => present,
|
||||
unit => 'puppetserver.service',
|
||||
service_entry => {
|
||||
'ExecStartPost' => [
|
||||
"/opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments",
|
||||
],
|
||||
},
|
||||
}
|
||||
|
||||
# generate puppet types when restarting
|
||||
systemd::manage_dropin { 'generate_types.conf':
|
||||
ensure => absent,
|
||||
unit => 'puppetserver.service',
|
||||
service_entry => {
|
||||
'ExecStartPost' => [
|
||||
"/opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments",
|
||||
],
|
||||
},
|
||||
}
|
||||
|
||||
file { '/usr/local/bin/puppet_generate_types.sh':
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
content => @("EOF")
|
||||
#!/bin/bash
|
||||
sudo -u puppet /opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments
|
||||
exit 0
|
||||
| EOF
|
||||
}
|
||||
|
||||
$_timer = @(EOT)
|
||||
[Unit]
|
||||
Description=puppet-generate-types timer
|
||||
[Timer]
|
||||
OnCalendar=daily
|
||||
Persistent=true
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
EOT
|
||||
|
||||
$_service = @(EOT)
|
||||
[Unit]
|
||||
Description=puppet-generate-types service
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/local/bin/puppet_generate_types.sh
|
||||
User=root
|
||||
Group=root
|
||||
PermissionsStartOnly=false
|
||||
PrivateTmp=no
|
||||
EOT
|
||||
|
||||
systemd::timer { 'puppet-generate-types.timer':
|
||||
timer_content => $_timer,
|
||||
service_content => $_service,
|
||||
active => true,
|
||||
enable => true,
|
||||
require => File['/usr/local/bin/puppet_generate_types.sh'],
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,105 @@
|
||||
# profiles::rundeck::server
|
||||
class profiles::rundeck::server (
|
||||
Struct[{
|
||||
Optional['file'] => Hash[String, Any],
|
||||
Optional['ldap'] => Hash[String, Any],
|
||||
Optional['pam'] => Hash[String, Any]
|
||||
}] $auth_config = {},
|
||||
Array[Hash] $key_storage_config = [],
|
||||
Hash $acl_policies = {},
|
||||
Hash $cli_projects = {},
|
||||
String $cli_user = 'admin',
|
||||
String $cli_password = lookup('rundeck_admin_pass'),
|
||||
Boolean $mysql_backend = true,
|
||||
String $mysql_user = 'rundeck',
|
||||
String $mysql_name = 'rundeck',
|
||||
String $mysql_pass = fqdn_rand_string(16),
|
||||
Stdlib::Host $mysql_host = '127.0.0.1',
|
||||
Stdlib::Port $mysql_port = 3306,
|
||||
Stdlib::Absolutepath $extra_libs_dir = '/var/lib/rundeck/lib',
|
||||
Stdlib::Absolutepath $jdbc_driver_dest = "${extra_libs_dir}/mariadb-java-client-3.4.1.jar",
|
||||
Stdlib::HTTPSUrl $jdbc_driver_url = 'https://dlm.mariadb.com/3852266/Connectors/java/connector-java-3.4.1/mariadb-java-client-3.4.1.jar',
|
||||
Stdlib::HTTPSUrl $grails_server_url = "https://${facts['networking']['fqdn']}:4440",
|
||||
String $jvm_args = '-Xmx1024m -Xms256m -server -Drundeck.jetty.connector.forwarded=true',
|
||||
){
|
||||
|
||||
# when using mysql backend
|
||||
if $mysql_backend {
|
||||
|
||||
# export a mariadb user
|
||||
@@mysql_user { "${mysql_user}@${facts['networking']['fqdn']}":
|
||||
ensure => present,
|
||||
password_hash => mysql::password($mysql_pass),
|
||||
tag => $facts['region'],
|
||||
}
|
||||
|
||||
# export a mariadb permission
|
||||
@@mysql_grant { "${mysql_user}@${facts['networking']['fqdn']}/${mysql_name}.*":
|
||||
ensure => present,
|
||||
table => "${mysql_name}.*",
|
||||
user => "${mysql_user}@${facts['networking']['fqdn']}",
|
||||
privileges => ['ALL'],
|
||||
tag => $facts['region'],
|
||||
}
|
||||
|
||||
# create the missing /var/lib/rundeck/lib directory
|
||||
mkdir::p {$extra_libs_dir:}
|
||||
file {$extra_libs_dir:
|
||||
ensure => directory,
|
||||
owner => 'rundeck',
|
||||
group => 'rundeck',
|
||||
mode => '0755',
|
||||
require => Package['rundeck'],
|
||||
before => Service['rundeckd'],
|
||||
}
|
||||
|
||||
# download the jdbc driver, place in /var/lib/rundeck/lib
|
||||
archive { $jdbc_driver_dest:
|
||||
ensure => present,
|
||||
source => $jdbc_driver_url,
|
||||
extract => false,
|
||||
user => 'rundeck',
|
||||
group => 'rundeck',
|
||||
require => File[$extra_libs_dir],
|
||||
before => Service['rundeckd'],
|
||||
}
|
||||
|
||||
$database_config = {
|
||||
'url' => "jdbc:mysql://${mysql_host}:${mysql_port}/${mysql_name}",
|
||||
'username' => $mysql_user,
|
||||
'password' => $mysql_pass,
|
||||
'driverClassName' => 'org.mariadb.jdbc.Driver',
|
||||
}
|
||||
}else{
|
||||
$database_config = {}
|
||||
}
|
||||
|
||||
class { 'rundeck':
|
||||
grails_server_url => $grails_server_url,
|
||||
auth_config => $auth_config,
|
||||
key_storage_config => $key_storage_config,
|
||||
database_config => $database_config,
|
||||
cli_user => $cli_user,
|
||||
cli_password => $cli_password,
|
||||
jvm_args => $jvm_args,
|
||||
}
|
||||
|
||||
create_resources('rundeck::config::aclpolicyfile', $acl_policies)
|
||||
create_resources('rundeck::config::project', $cli_projects)
|
||||
|
||||
# create rundeck runner ssh key
|
||||
file {'/var/lib/rundeck/.ssh/rundeck_id_rsa':
|
||||
ensure => 'file',
|
||||
owner => 'rundeck',
|
||||
group => 'rundeck',
|
||||
mode => '0600',
|
||||
content => lookup('rundeck::ssh::private_key'),
|
||||
}
|
||||
file {'/var/lib/rundeck/.ssh/rundeck_id_rsa.pub':
|
||||
ensure => 'file',
|
||||
owner => 'rundeck',
|
||||
group => 'rundeck',
|
||||
mode => '0644',
|
||||
content => lookup('profiles::accounts::rundeck::sshkeys'),
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,108 @@
|
||||
# profiles::sql::patroni
|
||||
class profiles::sql::patroni (
|
||||
String $cluster_name,
|
||||
String $superuser_password,
|
||||
String $replication_password,
|
||||
String $superuser_username = 'postgres',
|
||||
String $replication_username = 'repl',
|
||||
String $pgsql_version = '15',
|
||||
Stdlib::Absolutepath $pgsql_data_base = '/data/pgsql',
|
||||
Stdlib::Absolutepath $pgsql_data_dir = "${pgsql_data_base}/${pgsql_version}/data",
|
||||
Boolean $use_consul = true,
|
||||
String $consul_host = 'localhost',
|
||||
Stdlib::Port $consul_port = 8500,
|
||||
Enum['http','https'] $consul_scheme = 'http',
|
||||
Variant[Undef,String] $consul_token = undef,
|
||||
Boolean $consul_verify = false,
|
||||
Boolean $consul_register_service = true,
|
||||
String $consul_service_check_interval = '5s',
|
||||
String $consul_cacert = '/etc/pki/ca-trust/source/anchors/vaultcaroot.pem',
|
||||
Boolean $postgres_exporter_enabled = false,
|
||||
Optional[String] $postgres_exporter_user = undef,
|
||||
Optional[String] $postgres_exporter_pass = undef,
|
||||
){
|
||||
|
||||
# disable the postgresql dnf module for el8+
|
||||
if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' {
|
||||
# based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp
|
||||
package { 'postgresql dnf module':
|
||||
ensure => 'disabled',
|
||||
name => 'postgresql',
|
||||
provider => 'dnfmodule',
|
||||
before => Class['patroni'],
|
||||
}
|
||||
}
|
||||
|
||||
# prepare data path
|
||||
mkdir::p {$pgsql_data_dir:}
|
||||
file {$pgsql_data_dir:
|
||||
ensure => 'directory',
|
||||
owner => 'postgres',
|
||||
group => 'postgres',
|
||||
mode => '0700',
|
||||
require => Class['patroni'],
|
||||
}
|
||||
|
||||
# manage patroni
|
||||
class { 'patroni':
|
||||
scope => $cluster_name,
|
||||
use_consul => $use_consul,
|
||||
consul_host => $consul_host,
|
||||
consul_port => $consul_port,
|
||||
consul_scheme => $consul_scheme,
|
||||
consul_token => $consul_token,
|
||||
consul_verify => $consul_verify,
|
||||
consul_register_service => $consul_register_service,
|
||||
consul_service_check_interval => $consul_service_check_interval,
|
||||
consul_cacert => $consul_cacert,
|
||||
manage_python => false,
|
||||
pgsql_connect_address => "${facts['networking']['fqdn']}:5432",
|
||||
restapi_connect_address => "${facts['networking']['fqdn']}:8008",
|
||||
postgresql_version => $pgsql_version,
|
||||
pgsql_data_dir => $pgsql_data_dir,
|
||||
pgsql_pgpass_path => '/var/lib/pgsql/pgpass',
|
||||
pgsql_parameters => {
|
||||
'max_connections' => 5000,
|
||||
},
|
||||
bootstrap_pg_hba => [
|
||||
'local all postgres ident',
|
||||
'host all all 0.0.0.0/0 md5',
|
||||
'host replication repl 0.0.0.0/0 md5',
|
||||
],
|
||||
pgsql_pg_hba => [
|
||||
'local all postgres ident',
|
||||
'host all all 0.0.0.0/0 md5',
|
||||
'host replication repl 0.0.0.0/0 md5',
|
||||
],
|
||||
superuser_username => $superuser_username,
|
||||
superuser_password => $superuser_password,
|
||||
replication_username => $replication_username,
|
||||
replication_password => $replication_password,
|
||||
require => [
|
||||
Yumrepo["postgresql-${pgsql_version}"],
|
||||
Yumrepo['postgresql-common']
|
||||
],
|
||||
}
|
||||
|
||||
$connect_settings = {
|
||||
|
||||
}
|
||||
|
||||
# only apply changes to DBs/Users/Grants on master
|
||||
if ! $facts['psql_is_slave'] {
|
||||
# collect exported resources
|
||||
$tag = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
||||
Profiles::Sql::Postgres::Db <<| tag == $tag |>> {}
|
||||
Profiles::Sql::Postgres::User <<| tag == $tag |>> {}
|
||||
Profiles::Sql::Postgres::Grant <<| tag == $tag |>> {}
|
||||
}
|
||||
|
||||
if $postgres_exporter_enabled {
|
||||
class { 'prometheus::postgres_exporter':
|
||||
postgres_user => $postgres_exporter_user,
|
||||
postgres_pass => $postgres_exporter_pass,
|
||||
data_source_uri => "${facts['networking']['ip']}:5432/postgres?sslmode=disable",
|
||||
export_scrape_job => true,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
define profiles::sql::postgres::db (
|
||||
String $dbname,
|
||||
) {
|
||||
postgresql_psql { "create_database_${dbname}":
|
||||
command => "CREATE DATABASE \"${dbname}\"",
|
||||
unless => "SELECT 1 FROM pg_database WHERE datname = '${dbname}'",
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
define profiles::sql::postgres::grant (
|
||||
String $username,
|
||||
Enum['SCHEMA', 'DATABASE'] $type = 'DATABASE',
|
||||
Optional[String] $dbname = undef,
|
||||
Optional[String] $schema = undef,
|
||||
String $privilege = 'ALL PRIVILEGES',
|
||||
) {
|
||||
# Validate parameters based on type
|
||||
if $type == 'DATABASE' and $dbname == undef {
|
||||
fail('The dbname parameter must be provided when type is DATABASE')
|
||||
}
|
||||
|
||||
if $type == 'SCHEMA' and ($dbname == undef or $schema == undef) {
|
||||
fail('Both dbname and schema parameters must be provided when type is SCHEMA')
|
||||
}
|
||||
|
||||
# Determine the appropriate SQL command and unless condition
|
||||
$command = $type ? {
|
||||
'DATABASE' => "GRANT ${privilege} ON DATABASE ${dbname} TO ${username}",
|
||||
'SCHEMA' => "GRANT ${privilege} ON SCHEMA ${schema} TO ${username}",
|
||||
}
|
||||
|
||||
$unless = $type ? {
|
||||
'DATABASE' => "SELECT 1 FROM pg_roles r WHERE r.rolname='${username}' AND has_database_privilege('${username}', '${dbname}', 'CONNECT')", # lint:ignore:140chars
|
||||
'SCHEMA' => "SELECT 1 FROM pg_namespace n JOIN pg_roles r ON r.oid = n.nspowner WHERE nspname = '${schema}' AND r.rolname = '${username}'", # lint:ignore:140chars
|
||||
}
|
||||
# Ensure the db parameter is set correctly when type is SCHEMA
|
||||
$effective_dbname = $type ? {
|
||||
'SCHEMA' => $dbname,
|
||||
'DATABASE' => $dbname,
|
||||
}
|
||||
|
||||
postgresql_psql { "grant_${privilege}_on_${type}_${effective_dbname}_${schema}_to_${username}":
|
||||
command => $command,
|
||||
unless => $unless,
|
||||
db => $effective_dbname,
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
define profiles::sql::postgres::user (
|
||||
String $username,
|
||||
String $password,
|
||||
) {
|
||||
postgresql_psql { "create_user_${username}":
|
||||
command => "CREATE USER \"${username}\" WITH ENCRYPTED PASSWORD '${password}'",
|
||||
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,61 @@
|
||||
class profiles::sql::postgresdb (
|
||||
String $dbname,
|
||||
String $dbuser,
|
||||
String $dbpass,
|
||||
Boolean $create_host_users = false,
|
||||
Boolean $members_lookup = false,
|
||||
String $members_role = undef,
|
||||
Array $servers = [],
|
||||
){
|
||||
|
||||
# if lookup is enabled
|
||||
if $members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($members_role == undef) {
|
||||
fail("members_role must be provided for ${title} when members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $servers
|
||||
}
|
||||
|
||||
$tag = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
||||
|
||||
# only export from the first server in a cluster
|
||||
if $servers_array[0] == $facts['networking']['fqdn'] {
|
||||
|
||||
# manage the postgres db
|
||||
@@profiles::sql::postgres::db { "${facts['networking']['fqdn']}_db_${dbname}":
|
||||
dbname => $dbname,
|
||||
tag => $tag,
|
||||
}
|
||||
|
||||
@@profiles::sql::postgres::user { "${facts['networking']['fqdn']}_role_${dbuser}":
|
||||
username => $dbuser,
|
||||
password => $dbpass,
|
||||
tag => $tag,
|
||||
}
|
||||
|
||||
@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_db_${dbuser}_${dbuser}}":
|
||||
dbname => $dbname,
|
||||
username => $dbuser,
|
||||
type => 'DATABASE',
|
||||
privilege => 'ALL PRIVILEGES',
|
||||
tag => $tag,
|
||||
}
|
||||
|
||||
@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_schema_${dbuser}_${dbuser}}":
|
||||
dbname => $dbname,
|
||||
username => $dbuser,
|
||||
type => 'SCHEMA',
|
||||
schema => 'public',
|
||||
privilege => 'ALL PRIVILEGES',
|
||||
tag => $tag,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -34,4 +34,14 @@ class profiles::vault::unseal (
|
||||
require => File['/usr/local/bin/vault-unseal.sh'],
|
||||
subscribe => [Service['vault'],File['/etc/vault/unseal_keys']],
|
||||
}
|
||||
|
||||
# restart the vault-unseal service hourly to ensure vault is unsealled
|
||||
cron { 'restart_vault_unseal':
|
||||
ensure => 'present',
|
||||
user => 'root',
|
||||
command => '/bin/systemctl restart vault-unseal',
|
||||
minute => fqdn_rand(60),
|
||||
hour => '*',
|
||||
require => Service['vault-unseal.service'],
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
[Unit]
|
||||
Description=Gitea Actions runner
|
||||
Documentation=https://gitea.com/gitea/act_runner
|
||||
After=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/local/bin/act_runner daemon --config <%= @home %>/config.yaml
|
||||
ExecReload=/bin/kill -s HUP $MAINPID
|
||||
WorkingDirectory=<%= @home %>
|
||||
TimeoutSec=0
|
||||
RestartSec=10
|
||||
Restart=always
|
||||
User=<%= @user %>
|
||||
Group=<%= @group %>
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -24,7 +24,7 @@ JELLYFIN_CACHE_DIR="<%= @cache_dir %>"
|
||||
JELLYFIN_WEB_OPT="--webdir=/usr/share/jellyfin-web"
|
||||
|
||||
# [OPTIONAL] ffmpeg binary paths, overriding the UI-configured values
|
||||
#JELLYFIN_FFMPEG_OPT="--ffmpeg=/usr/bin/ffmpeg"
|
||||
JELLYFIN_FFMPEG_OPT="--ffmpeg=<% @ffmpeg_path %>"
|
||||
|
||||
# [OPTIONAL] run Jellyfin as a headless service
|
||||
#JELLYFIN_SERVICE_OPT="--service"
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
# gonic server profile
|
||||
class roles::apps::music::gonic {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# a role to deploy rundeck
|
||||
class roles::infra::automation::rundeck {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# a role to deploy droneci
|
||||
class roles::infra::droneci::runner {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# a role to deploy droneci
|
||||
class roles::infra::droneci::server {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
@@ -1,4 +1,4 @@
|
||||
# a role to deploy the puppetboard
|
||||
# a role to deploy the gitea
|
||||
class roles::infra::git::gitea {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
# a role to deploy the gitea runner
|
||||
class roles::infra::git::runner {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,12 @@
|
||||
# a role to deploy a postgresql/patroni node
|
||||
class roles::infra::sql::patroni {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::sql::patroni
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user