
unkinben 3a798a20d7 feat: implement nested groups
- use includegroups feature to nest groups
- remove the trailing ',' from includegroups
2024-09-26 17:15:51 +10:00
unkinben 933427e861 Merge pull request 'neoloc/terraformsvc' (#162) from neoloc/terraformsvc into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/162
2024-09-23 22:14:27 +10:00
unkinben 4a0760516f feat: add vault service account
- used by vault to bind to ldap
2024-09-23 22:13:48 +10:00
unkinben 10b57abffc feat: add terraform service account
- add terraform service account
2024-09-23 22:08:52 +10:00
unkinben 5b4bb95ffe Merge pull request 'feat: add vault access group' (#161) from neoloc/vaultaccess into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/161
2024-09-20 23:24:44 +10:00
unkinben e09819284d feat: add vault access group
- add vault_access group
2024-09-20 23:17:35 +10:00
unkinben addfa02e08 Merge pull request 'feat: enable larger uploads to gitea' (#160) from neoloc/gitea_client_send into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/160
2024-09-08 01:44:04 +10:00
unkinben 93b9629c5c feat: enable larger uploads to gitea
- change client body max size to 1GB
2024-09-08 01:43:22 +10:00
unkinben 9dea399377 Merge pull request 'neoloc/gitearunner' (#159) from neoloc/gitearunner into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/159
2024-09-07 21:38:29 +10:00
unkinben 0210d849c7 feat: add gitea runner role
- ensure docker is configured
- create runner user/group
- deploy config.yaml from hiera hash
- install runner from url
- register the runner with the gitea instance
- manage the act_runner service
2024-09-07 17:59:02 +10:00
unkinben 42d8047043 fix: comments in gitea role
- was a copy of puppetboard; missed updating the comment
2024-09-03 22:34:48 +10:00
unkinben c0b94c181f Merge pull request 'feat: confine fact to patroni' (#158) from neoloc/patroni_facts into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/158
2024-09-03 22:19:18 +10:00
unkinben 265400db91 feat: confine fact to patroni 2024-09-03 22:18:53 +10:00
unkinben ccf4ef27f7 Merge pull request 'feat: psql changes on master only' (#157) from neoloc/patroni_grant_on_master into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/157
2024-09-03 22:15:47 +10:00
unkinben afda425fab feat: psql changes on master only
- add fact to detect if a psql host is a slave
- only import users/db/grants on master
2024-09-03 22:13:50 +10:00
unkinben 69c298e162 Merge pull request 'feat: remove masterauth redis' (#156) from neoloc/redis_masterauth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/156
2024-09-03 21:29:58 +10:00
unkinben 1ad2b806b4 feat: remove masterauth redis
- removed requirepass previously, also need to remove masterauth
2024-09-03 21:29:18 +10:00
unkinben dc58084cc9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1059.main.unkin.net.yaml' (#155) from autonode/ausyd1nxvm1059.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/155
2024-09-01 00:18:34 +10:00
unkinben 938db9880b Adding hieradata/node/ausyd1nxvm1059.main.unkin.net.yaml 2024-09-01 00:17:59 +10:00
unkinben ecbea24ba8 Merge pull request 'fix: updated client secret' (#154) from neoloc/droneci_client_id into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/154
2024-08-31 23:01:39 +10:00
unkinben bcb9beae5f fix: updated client secret 2024-08-31 23:00:58 +10:00
unkinben e1e604516d Merge pull request 'feat: add droneci runner' (#153) from neoloc/runner into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/153
2024-08-27 22:02:00 +10:00
unkinben 0bed8ba4f4 Merge branch 'develop' into neoloc/runner 2024-08-27 22:01:24 +10:00
unkinben 5471adae32 Merge pull request 'feat: add droneadmin' (#152) from neoloc/droneadmin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/152
2024-08-25 15:03:15 +10:00
unkinben 91d9a073d6 feat: add droneadmin
- add environment variable to assign primary admin
2024-08-25 14:58:56 +10:00
unkinben ec7814e2a9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1058.main.unkin.net.yaml' (#151) from autonode/ausyd1nxvm1058.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/151
2024-08-25 14:28:20 +10:00
unkinben 71c134dc1a Merge pull request 'Adding hieradata/node/ausyd1nxvm1057.main.unkin.net.yaml' (#150) from autonode/ausyd1nxvm1057.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/150
2024-08-25 14:28:06 +10:00
unkinben cb803d885e Merge pull request 'feat: droneci for organisation' (#149) from neoloc/droneci_org into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/149
2024-08-25 14:25:25 +10:00
unkinben 90eabac007 feat: droneci for organisation
- change from personal account to organisation
2024-08-25 14:24:45 +10:00
unkinben d79a5de17b feat: add droneci runner
- ensure /data and docker are available
- add droneci runner configuration
2024-08-25 02:14:35 +10:00
unkinben 0f755b231f Merge pull request 'neoloc/droneci' (#148) from neoloc/droneci into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/148
2024-08-25 00:01:27 +10:00
unkinben 2912cbb68b feat: add droneci runner
- add runner role
2024-08-25 00:00:48 +10:00
unkinben 3d1ba79325 Adding hieradata/node/ausyd1nxvm1058.main.unkin.net.yaml 2024-08-24 23:36:52 +10:00
unkinben c33b58ead6 Adding hieradata/node/ausyd1nxvm1057.main.unkin.net.yaml 2024-08-24 23:30:37 +10:00
unkinben 9f937b2869 Merge pull request 'Adding hieradata/node/ausyd1nxvm1056.main.unkin.net.yaml' (#147) from autonode/ausyd1nxvm1056.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/147
2024-08-24 12:37:44 +10:00
unkinben 8660bec810 Merge pull request 'Adding hieradata/node/ausyd1nxvm1055.main.unkin.net.yaml' (#146) from autonode/ausyd1nxvm1055.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/146
2024-08-24 12:37:34 +10:00
unkinben f30325b3e9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1054.main.unkin.net.yaml' (#145) from autonode/ausyd1nxvm1054.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/145
2024-08-24 12:37:25 +10:00
unkinben 76c1c93c02 Merge pull request 'Adding hieradata/node/ausyd1nxvm1053.main.unkin.net.yaml' (#144) from autonode/ausyd1nxvm1053.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/144
2024-08-24 12:37:16 +10:00
unkinben 4577997506 Merge pull request 'Adding hieradata/node/ausyd1nxvm1052.main.unkin.net.yaml' (#143) from autonode/ausyd1nxvm1052.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/143
2024-08-24 12:36:50 +10:00
unkinben 6326e820a9 Merge pull request 'chore: add new user' (#142) from neoloc/ryadun into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/142
2024-08-24 12:36:09 +10:00
unkinben 757f3042ed chore: add new user
- add ryadun
2024-08-24 12:35:34 +10:00
unkinben 5d36a4053b feat: add droneci module
- add droneci module for server
- add droneci/server role
- add consul query for droneci service
- manage certificates, ssh principals, consul services/checks
2024-08-24 00:34:15 +10:00
unkinben 8fad79f2bc feat: manage database/user/grants for patroni
- add defines for exporting/collecting psql objects for patroni
- add generic profile for managing patroni psql databases for an app
2024-08-24 00:33:18 +10:00
unkinben 68c569b282 feat: add docker module
- update puppet file with docker module
2024-08-24 00:28:39 +10:00
unkinben 975adc31d7 Merge pull request 'feat: remove requirepass' (#141) from neoloc/remove_requirepass into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/141
2024-08-23 23:28:30 +10:00
unkinben 8a8cc0ae1b feat: remove requirepass
- required for droneci
2024-08-23 23:18:02 +10:00
unkinben 70a9edd118 Adding hieradata/node/ausyd1nxvm1056.main.unkin.net.yaml 2024-08-16 22:13:16 +10:00
unkinben 348d8889ed Adding hieradata/node/ausyd1nxvm1055.main.unkin.net.yaml 2024-08-16 22:11:47 +10:00
unkinben 1a2023f4ff Merge pull request 'feat: add patroni/psql cluster' (#140) from neoloc/patroni into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/140
2024-08-10 23:40:29 +10:00
unkinben 35834f8f5a feat: add patroni/psql cluster
- add patroni puppet module
- add patroni role and hieradata
- add sql/patroni class that utilises consul
2024-08-10 22:34:43 +10:00
unkinben 4347faf153 Merge pull request 'neoloc/redis' (#139) from neoloc/redis into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/139
2024-08-10 18:47:17 +10:00
unkinben 5c731fef34 feat: deploy redisha cluster
- manage pki and ssh principals
- manage redis/sentinel with redisha module
- add consul checks to manage redis-replica/redis-master services
- manage sudo rules for consul checks
2024-08-10 17:39:30 +10:00
unkinben b7fc6a1993 feat: create redisha module
- manage redis/sentinel clusters
- ensure ulimit_managed is false
- dynamically find servers in role to identify master
- add redisadm and sentineladm commands
- add script to check if the current host is the master
2024-08-10 17:39:24 +10:00
unkinben afe2a2afb7 Adding hieradata/node/ausyd1nxvm1054.main.unkin.net.yaml 2024-08-10 14:13:59 +10:00
unkinben c76ce3bf10 Adding hieradata/node/ausyd1nxvm1053.main.unkin.net.yaml 2024-08-10 14:13:51 +10:00
unkinben af989a19c3 Adding hieradata/node/ausyd1nxvm1052.main.unkin.net.yaml 2024-08-10 14:11:47 +10:00
unkinben 4d08e30733 Merge pull request 'fix: also fix repodata' (#138) from neoloc/cephreef into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/138
2024-08-10 13:36:30 +10:00
unkinben e2873a492a fix: also fix repodata 2024-08-10 13:36:04 +10:00
unkinben 90af895a34 Merge pull request 'fix: ceph-reef 18.2.4 not on el8' (#137) from neoloc/cephreef into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/137
2024-08-10 13:30:54 +10:00
unkinben 52e3d5b20b fix: ceph-reef 18.2.4 not on el8
- force repo to use 18.2.2
2024-08-10 13:30:16 +10:00
unkinben aadd0275ac feat: add puppet-redis module 2024-08-08 19:28:50 +10:00
unkinben 390a5a58c7 Merge pull request 'chore: add account' (#136) from neoloc/kelly into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/136
2024-08-08 19:01:44 +10:00
unkinben 403e3eeb1b chore: add account 2024-08-08 19:01:18 +10:00
unkinben 352878e27c Merge pull request 'chore: prevent empty lines' (#135) from neoloc/glauth_templates into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/135
2024-08-07 22:53:10 +10:00
unkinben 0cad88cdad chore: prevent empty lines
- prevent empty lines when user features are not enabled
- change epp to erb template for user objects
2024-08-07 22:51:13 +10:00
unkinben 859fc0d909 Merge pull request 'chore: add two new users' (#134) from neoloc/more_users into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/134
2024-08-07 22:19:41 +10:00
unkinben a5baed8cd9 chore: add two new users
- add marbal and seablo
2024-08-07 22:19:08 +10:00
unkinben 44707910aa Merge pull request 'fix: require vault-unseal.service' (#133) from neoloc/vault_unseal_fix into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/133
2024-08-07 22:12:12 +10:00
unkinben dafac3d5ab fix: require vault-unseal.service
- wrong service name specified
2024-08-07 22:05:50 +10:00
unkinben 3ce2ec3754 Merge pull request 'feat: auto-unseal vault every hour' (#132) from neoloc/vault_unseal_check into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/132
2024-08-06 22:51:54 +10:00
unkinben 7863d54275 feat: auto-unseal vault every hour
- add cron job to run vault unsealing service hourly
2024-08-06 22:51:16 +10:00
unkinben 988e7c2a32 Merge pull request 'feat: auto restart puppetdb' (#131) from neoloc/puppetdb_restart into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/131
2024-08-06 22:47:02 +10:00
unkinben 0c44654a47 feat: auto restart puppetdb
- found several times the puppetdb service locks up after a week of active time
- restart the puppetdb nightly to prevent lock ups
2024-08-06 22:43:07 +10:00
unkinben 20ee6fa19e Merge pull request 'feat: add rundeck runner user' (#130) from neoloc/rundeck_user into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/130
2024-08-06 22:36:54 +10:00
unkinben c846cc4e21 feat: add rundeck runner user
- add rundeck account on all hosts except rundeck
- add rundeck ssh private/public key to rundeck server
2024-08-06 22:33:32 +10:00
unkinben 8e0f26e726 Merge pull request 'Adding hieradata/node/ausyd1nxvm1050.main.unkin.net.yaml' (#124) from autonode/ausyd1nxvm1050.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/124
2024-08-01 22:41:27 +10:00
unkinben 4579e268f0 Merge pull request 'feat: add gonic role' (#125) from neoloc/gonic into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/125
2024-08-01 22:41:20 +10:00
unkinben f1e1828a4a Merge pull request 'Adding hieradata/node/ausyd1nxvm1051.main.unkin.net.yaml' (#123) from autonode/ausyd1nxvm1051.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/123
2024-08-01 22:40:59 +10:00
unkinben 2ae8dbc0ac feat: add gonic role
- basic role only
2024-08-01 22:38:32 +10:00
unkinben 4338dfe27f Adding hieradata/node/ausyd1nxvm1051.main.unkin.net.yaml 2024-08-01 22:35:03 +10:00
unkinben 66cb1e356d Adding hieradata/node/ausyd1nxvm1050.main.unkin.net.yaml 2024-08-01 22:33:26 +10:00
unkinben 2bda41712a Merge pull request 'fix: change debian repos to http' (#122) from neoloc/http_debian_apt into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/122
2024-07-31 21:51:44 +10:00
unkinben d3daac3b71 fix: change debian repos to http
- until the https issues with the mirror are resolved
2024-07-31 21:51:04 +10:00
unkinben eb32a216f5 Merge pull request 'neoloc/rundeck' (#121) from neoloc/rundeck into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/121
2024-07-28 02:05:20 +10:00
unkinben 5354c99b1e feat: add rundeck profile
- export mysql user for each rundeck server
- ensure the jdbc driver for mariadb is available
- exclude jq from default packages (managed by rundeck)
- add groups for admin/user for each project in rundeck
- add consul service
- add vault certificates
- add ssh principals
- add nginx simpleproxy
2024-07-28 01:51:41 +10:00
unkinben 6a3123e12e Merge pull request 'feat: change packages to Hash' (#120) from neoloc/packages_hash into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/120
2024-07-27 16:29:48 +10:00
unkinben 26ffe17ee1 feat: add database
- add database for rundeck
2024-07-27 13:06:14 +10:00
unkinben cb5bb0798f feat: add rundeck to ldap
- add service account for rundeck
- add rundeck_access group
2024-07-27 13:06:14 +10:00
unkinben 08241692ee feat: add rundeck
- add puppet-rundeck module
- add rundeck role
2024-07-27 13:06:14 +10:00
unkinben 76989e45c4 feat: change packages to Hash
- change from multiple arrays for managing packages to a hash
- change to ensure_packages to prevent duplicate resource conflicts
2024-07-27 13:05:54 +10:00
unkinben cc01259a64 feat: change packages to Hash
- change from multiple arrays for managing packages to a hash
- change to ensure_packages to prevent duplicate resource conflicts
2024-07-27 13:01:06 +10:00
unkinben b5148fc2a0 Merge pull request 'fix: generate_types changes' (#119) from neoloc/puppetserver_startup into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/119
2024-07-27 00:17:46 +10:00
unkinben ab44bfc430 fix: generate_types changes
- this command will always fail, remove the systemd dropin
- create script that will run and exit with 0
- create systemd service/timer to run script daily
2024-07-27 00:13:25 +10:00
unkinben 4c38232ceb Merge pull request 'Adding hieradata/node/ausyd1nxvm1049.main.unkin.net.yaml' (#118) from autonode/ausyd1nxvm1049.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/118
2024-07-26 23:46:51 +10:00
unkinben 20686e04f4 Adding hieradata/node/ausyd1nxvm1049.main.unkin.net.yaml 2024-07-26 23:27:10 +10:00
unkinben 480eced404 Merge pull request 'feat: add vrrp to halb' (#116) from neoloc/keepalived into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/116
2024-07-14 22:07:34 +10:00
unkinben 946922fdb9 feat: add vrrp to halb
- update keepalived module to 5.1.0
- add keepalived::vrrp::* to be deep merged in hiera
- add vrrp dns configuration
- add vrrp instance/script to halb in syd1
2024-07-13 20:15:13 +10:00
unkinben 1570bbd8f2 Merge pull request 'feat: ensure *arr can access prowlarr' (#115) from neoloc/prowlarr_auth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/115
2024-07-13 16:58:42 +10:00
unkinben 319c3b6d67 feat: ensure *arr can access prowlarr 2024-07-13 16:55:21 +10:00
unkinben e2f571649e Merge pull request 'feat: add param for ffmpeg' (#114) from neoloc/ffpmeg_path into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/114
2024-07-12 18:17:16 +10:00
unkinben 0fb11b22cf feat: add param for ffmpeg
- add param to jellyfin class to specify the path to ffmpeg
- update templates to use location
2024-07-11 22:41:08 +10:00
unkinben 01fc6aacd7 Merge pull request 'fix: remove unkin.net from internal dns' (#113) from neoloc/bind_static_dns into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/113
2024-07-11 22:31:29 +10:00
unkinben 73c7dbd56c fix: remove unkin.net from internal dns
- unkin.net is entirely hosted externally
2024-07-11 22:30:44 +10:00
unkinben 3ed692cc77 Merge pull request 'feat: manage the nzbget service' (#112) from neoloc/nzbget_group_media into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/112
2024-07-11 22:27:44 +10:00
unkinben ec92a6d3df feat: manage the nzbget service 2024-07-11 21:39:34 +10:00
unkinben bbd6cdb228 Merge pull request 'feat: add rpmfusion to nzbget' (#110) from neoloc/rpmfusion_nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/110
2024-07-11 21:28:56 +10:00
unkinben 2cbba808c3 feat: add rpmfusion to nzbget 2024-07-11 21:24:35 +10:00
unkinben df9f31e0f7 Merge pull request 'feat: add othergroups support for services' (#109) from neoloc/nzbget_client into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/109
2024-07-11 20:00:10 +10:00
unkinben 95a0b543fd feat: add othergroups support for services
- extend glauth::obj::service to allow othergroups
2024-07-11 19:59:26 +10:00
unkinben 90d123f4d0 Merge pull request 'chore: add service account to submit nzbs' (#108) from neoloc/nzbget_client into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/108
2024-07-11 19:56:51 +10:00
unkinben 3dc8fb03fa chore: add service account to submit nzbs 2024-07-11 19:56:17 +10:00
90 changed files with 1808 additions and 174 deletions
+5 -1
@@ -18,6 +18,7 @@ mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0'
mod 'puppetlabs-docker', '10.0.1'
# puppet
mod 'puppet-python', '7.0.0'
@@ -33,12 +34,14 @@ mod 'puppet-grafana', '13.1.0'
mod 'puppet-consul', '8.0.0'
mod 'puppet-vault', '4.1.0'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '3.6.0'
mod 'puppet-keepalived', '5.1.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.0.0'
mod 'puppet-rundeck', '9.1.0'
mod 'puppet-redis', '11.0.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
@@ -52,6 +55,7 @@ mod 'broadinstitute-certs', '3.0.1'
mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
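Review bot: `puppet-keepalived` moves two major versions in one step (3.6.0 to 5.1.0 at L350–351), and the `keepalived::vrrp_instance` / `keepalived::vrrp_script` hiera keys introduced elsewhere in this change depend on the 5.x parameter set; a one-line comment next to the pin, e.g. `# 5.x needed for vrrp_instance/vrrp_script hash lookups`, would record why it cannot be rolled back casually. The `bind` module at L366–367 is the only entry pulled from git, and its `:ref` (if any) lies outside the hunk — worth confirming it is pinned to a tag or commit like every other module here is pinned to an exact version, otherwise the Puppetfile floats on a branch.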
+75 -61
@@ -3,16 +3,10 @@ lookup_options:
hiera_classes:
merge:
strategy: deep
profiles::packages::install:
profiles::packages::include:
merge:
strategy: deep
profiles::packages::install_exclude:
merge:
strategy: deep
profiles::packages::remove:
merge:
strategy: deep
profiles::packages::remove_exclude:
profiles::packages::exclude:
merge:
strategy: deep
profiles::pki::vault::alt_names:
@@ -135,6 +129,12 @@ lookup_options:
certbot::client::domains:
merge:
strategy: deep
keepalived::vrrp_script:
merge:
strategy: deep
keepalived::vrrp_instance:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -142,6 +142,7 @@ hiera_include:
- timezone
- networking
- ssh::server
- profiles::accounts::rundeck
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@@ -172,59 +173,70 @@ profiles::consul::client::node_rules:
segment: ''
disposition: read
profiles::packages::install:
- bash-completion
- bzip2
- ccze
- curl
- dstat
- expect
- gcc
- gzip
- git
- htop
- inotify-tools
- iotop
- jq
- lz4
- mtr
- ncdu
- neovim
- p7zip
- pbzip2
- pigz
- pv
- python3.11
- rsync
- screen
- socat
- strace
- sysstat
- tar
- tmux
- traceroute
- unzip
- vim
- vnstat
- wget
- zsh
- zstd
profiles::packages::remove:
- iwl100-firmware
- iwl1000-firmware
- iwl105-firmware
- iwl135-firmware
- iwl2000-firmware
- iwl2030-firmware
- iwl3160-firmware
- iwl5000-firmware
- iwl5150-firmware
- iwl6000-firmware
- iwl6000g2a-firmware
- iwl6050-firmware
- iwl7260-firmware
- puppet7-release
profiles::packages::include:
bash-completion: {}
bzip2: {}
ccze: {}
curl: {}
dstat: {}
expect: {}
gzip: {}
git: {}
htop: {}
inotify-tools: {}
iotop: {}
jq: {}
lz4: {}
mtr: {}
ncdu: {}
neovim: {}
p7zip: {}
pbzip2: {}
pigz: {}
pv: {}
python3.11: {}
rsync: {}
screen: {}
socat: {}
strace: {}
sysstat: {}
tar: {}
tmux: {}
traceroute: {}
unzip: {}
vim: {}
vnstat: {}
wget: {}
zsh: {}
zstd: {}
iwl100-firmware:
ensure: absent
iwl1000-firmware:
ensure: absent
iwl105-firmware:
ensure: absent
iwl135-firmware:
ensure: absent
iwl2000-firmware:
ensure: absent
iwl2030-firmware:
ensure: absent
iwl3160-firmware:
ensure: absent
iwl5000-firmware:
ensure: absent
iwl5150-firmware:
ensure: absent
iwl6000-firmware:
ensure: absent
iwl6000g2a-firmware:
ensure: absent
iwl6050-firmware:
ensure: absent
iwl7260-firmware:
ensure: absent
puppet7-release:
ensure: absent
profiles::base::scripts::scripts:
puppet: puppetwrapper.py
@@ -293,6 +305,8 @@ sudo::configs:
profiles::accounts::sysadmin::sshkeys:
- ssh-rsa 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 ben@unkin.net
profiles::accounts::rundeck::sshkeys:
- ssh-rsa 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 rundeck_runner
networking::interface_defaults:
ensure: present
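Review bot: L404 adds `profiles::accounts::rundeck` to `hiera_include` in common.yaml and L531–532 publish the `rundeck_runner` public key at the same level, so one key now authorises logins on every node that does not opt out (the rundeck role file in this change excludes it via `hiera_exclude`). The hunk does not show any restriction on that key; if the profile passes the entry through `ssh_authorized_key`, its `options` parameter can carry a `from=` clause limiting use to the rundeck server, and a comment on L531 naming the source host and the sudo scope the account receives would document the blast radius of that credential. Separately, the old `profiles::packages::install_exclude` / `remove_exclude` lookup_options (L378–384) are replaced by a single `profiles::packages::exclude`, so any role or node hieradata still using the old keys will silently stop excluding packages — a grep for the old names before merge is cheap.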
@@ -1,4 +1,31 @@
---
hiera_include:
- keepalived
# keepalived
profiles::haproxy::dns::vrrp_ipaddr: '198.18.13.250'
profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
keepalived::vrrp_script:
check_haproxy:
script: '/usr/bin/killall -0 haproxy'
keepalived::vrrp_instance:
VI_250:
interface: 'eth0'
virtual_router_id: 250
auth_type: 'PASS'
auth_pass: 'quiiK7oo'
virtual_ipaddress: '198.18.13.250/32'
track_script:
- check_haproxy
# mappings
profiles::haproxy::mappings:
fe_http:
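Review bot: `auth_pass` at L556 is a cleartext VRRP password committed directly into hieradata, while the other secrets in this change are eyaml-encrypted (`ENC[PKCS7,…]` at L565–566); store it the same way, `auth_pass: ENC[PKCS7,<eyaml ciphertext>]`, and rotate the value that has now been committed. Note that VRRPv2 `PASS` authentication travels in the clear on the wire and was removed from the protocol in RFC 5798, so it guards against misconfigured peers rather than acting as access control; limiting which hosts may send VRRP on eth0 (host firewall) is what actually protects the VIP, and a short comment above L555 saying so would stop anyone treating the password as a security boundary. The `check_haproxy` script at L550 uses `killall -0 haproxy`, which succeeds while any process of that name exists, not only the one bound to the frontend — acceptable, but worth a one-line comment.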
@@ -1,2 +1,3 @@
---
mysql::db::grafana::pass: ENC[PKCS7,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]
mysql::db::rundeck::pass: ENC[PKCS7,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]
@@ -13,3 +13,12 @@ mysql::db:
- INSERT
- UPDATE
- DELETE
rundeck:
name: rundeck
user: rundeck
password: "%{alias('mysql::db::rundeck::pass')}"
grant:
- SELECT
- INSERT
- UPDATE
- DELETE
@@ -5,3 +5,9 @@ networking::interfaces:
networking::routes:
default:
gateway: 198.18.13.254
profiles::haproxy::dns::vrrp_master: true
keepalived::vrrp_instance:
VI_250:
state: 'MASTER'
priority: 101
@@ -5,3 +5,8 @@ networking::interfaces:
networking::routes:
default:
gateway: 198.18.13.254
keepalived::vrrp_instance:
VI_250:
state: 'BACKUP'
priority: 100
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.59
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.60
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.61
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.62
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.63
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.64
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.65
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.66
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.67
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.68
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.69
networking::routes:
default:
gateway: 198.18.13.254
+6 -6
@@ -8,12 +8,12 @@ profiles::puppet::agent::puppet_version: '7.26.0'
hiera_include:
- profiles::almalinux::base
profiles::packages::install:
- lzo
- network-scripts
- policycoreutils
- unar
- xz
profiles::packages::include:
lzo: {}
network-scripts: {}
policycoreutils: {}
unar: {}
xz: {}
lm-sensors::package: lm_sensors
+5 -5
@@ -1,15 +1,15 @@
# hieradata/os/debian/all_releases.yaml
---
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
profiles::apt::base::mirrorurl: http://edgecache.query.consul/debian/
profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7
profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
profiles::packages::install:
- lzop
- python3.11-venv
- xz-utils
profiles::packages::include:
lzop: {}
python3.11-venv: {}
xz-utils: {}
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false
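Review bot: L709 drops the Debian mirror from https to http with nothing in the file marking it as temporary; the commit says it is only until the https problem is fixed, so put that inline, e.g. `# TODO: restore https once the edgecache TLS issue is resolved`, so the exception does not outlive the cause. With a plain-http mirror, package integrity rests entirely on apt's Release/InRelease signature verification, so it is worth confirming that `profiles::apt::base` does not relax it (no `trusted=yes` or `allow-insecure` options on the source); what each host installs is now observable on the path to the cache either way. `secureurl` at L710 was already http, so at least the two sources are consistent now.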
+16
@@ -59,3 +59,19 @@ profiles::consul::client::node_rules:
- resource: service
segment: nzbget
disposition: write
profiles::yum::global::repos:
rpmfusion-free:
name: rpmfusion-free
descr: rpmfusion-free repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
mirrorlist: absent
rpmfusion-nonfree:
name: rpmfusion-nonfree
descr: rpmfusion-nonfree repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
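Review bot: neither rpmfusion entry at L731–744 sets `gpgcheck`, so whether the supplied `gpgkey` is ever used depends on the host's global yum.conf default; add `gpgcheck: 1` to both repos (and `repo_gpgcheck: 1` if the repository metadata is signed — confirm before enabling) so a host with a permissive yum.conf cannot pull unverified third-party packages. Both entries write to the same `target` file, which yumrepo supports, but a one-line comment saying it is intentional would stop a later reader from splitting them.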
+9
@@ -54,3 +54,12 @@ profiles::consul::client::node_rules:
- resource: service
segment: prowlarr
disposition: write
profiles::nginx::simpleproxy::locations:
arrstack_web_external:
location_satisfy: any
location_allow:
- 198.18.13.47
- 198.18.13.50
- 198.18.13.51
- 198.18.13.52
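Review bot: `location_allow` at L754–758 lists four addresses but the entry carries no deny rule; nginx `allow` directives restrict nothing unless a matching `deny` follows, so unless the profile appends one, add `location_deny: ['all']` (the `nginx::resource::location` parameter) to the same entry. With `location_satisfy: any` the listed hosts then bypass whatever authentication the location otherwise requires, which matches the commit's intent, but a comment naming which *arr service lives at each address would keep the list auditable.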
+2 -2
@@ -1,6 +1,6 @@
---
profiles::packages::install:
- policycoreutils
profiles::packages::include:
policycoreutils: {}
puppetdb::master::config::create_puppet_service_resource: false
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
+108 -14
@@ -52,13 +52,10 @@ glauth::users:
uidnumber: 20000
primarygroup: 20000
othergroups:
- 20010
- 20011
- 20012
- 20013
- 20014
- 20015
- 20016
- 20025 # media_admin
- 20017 # rundeck_access
- 20018 # rundeck_globaladmin
- 20023 # vault_access
loginshell: '/bin/bash'
homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -72,16 +69,58 @@ glauth::users:
uidnumber: 20001
primarygroup: 20000
othergroups:
- 20010
- 20011
- 20012
- 20013
- 20014
- 20015
- 20016
- 20025 # media_admin
loginshell: '/bin/bash'
homedir: '/home/matsol'
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
seablo:
user_name: 'seablo'
givenname: 'Sean'
sn: 'Bloomfield'
mail: 'seablo@users.main.unkin.net'
uidnumber: 20002
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/seablo'
passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
marbal:
user_name: 'marbal'
givenname: 'Mark'
sn: 'Balch'
mail: 'marbal@users.main.unkin.net'
uidnumber: 20003
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/marbal'
passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
kelren:
user_name: 'kelren'
givenname: 'Kelly'
sn: 'Rennie'
mail: 'kelren@users.main.unkin.net'
uidnumber: 20004
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/kelren'
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
ryadun:
user_name: 'ryadun'
givenname: 'Dunbar'
sn: 'Ryan'
mail: 'ryadun@users.main.unkin.net'
uidnumber: 20005
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/ryadun'
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
glauth::services:
svc_jellyfin:
@@ -126,6 +165,32 @@ glauth::services:
uidnumber: 30006
primarygroup: 20001
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
svc_nzbsubmit:
service_name: 'svc_nzbsubmit'
mail: 'nzbsubmit@service.main.unkin.net'
uidnumber: 30007
primarygroup: 20001
othergroups:
- 20016
passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2'
svc_rundeck:
service_name: 'svc_rundeck'
mail: 'rundeck@service.main.unkin.net'
uidnumber: 30007
primarygroup: 20001
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
svc_terraform:
service_name: 'svc_terraform'
mail: 'terraform@service.main.unkin.net'
uidnumber: 30008
primarygroup: 20001
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
svc_vault:
service_name: 'svc_vault'
mail: 'vault@service.main.unkin.net'
uidnumber: 30009
primarygroup: 20001
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
glauth::groups:
users:
@@ -155,3 +220,32 @@ glauth::groups:
nzbget_access:
group_name: 'nzbget_access'
gidnumber: 20016
rundeck_access:
group_name: 'rundeck_access'
gidnumber: 20017
rundeck_globaladmin:
group_name: 'rundeck_globaladmin'
gidnumber: 20018
rundeck_selfservice_admin:
group_name: 'rundeck_selfservice_admin'
gidnumber: 20019
rundeck_selfservice_user:
group_name: 'rundeck_selfservice_user'
gidnumber: 20020
rundeck_infrastructure_admin:
group_name: 'rundeck_infrastructure_admin'
gidnumber: 20021
rundeck_infrastructure_user:
group_name: 'rundeck_infrastructure_user'
gidnumber: 20022
vault_access:
group_name: 'vault_access'
gidnumber: 20023
media_access:
group_name: 'media_access'
gidnumber: 20024
includegroups: [20010, 20011, 20012, 20013, 20014, 20016]
media_admin:
group_name: 'media_admin'
gidnumber: 20025
includegroups: [20024, 20015]
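Review bot: `svc_nzbsubmit` and `svc_rundeck` both declare `uidnumber: 30007` (L861 and L869) while the following accounts continue at 30008 and 30009, so one of them needs renumbering before two LDAP identities share a uid. `svc_rundeck` and `svc_terraform` also carry an identical `passsha256` value (L871 and L877), which means the two service accounts share one password; terraform should get its own credential. More broadly, these `passsha256` values are unsalted SHA-256 digests committed in clear hieradata alongside eyaml-encrypted secrets elsewhere in the change; glauth also accepts `passbcrypt`, and either attribute can be stored as `ENC[PKCS7,…]`. The `ryadun` entry at L842–843 has `givenname: 'Dunbar'` and `sn: 'Ryan'`, which looks swapped relative to the username pattern of the other users — confirm with the account owner.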
@@ -0,0 +1,205 @@
---
hiera_include:
- profiles::rundeck::server
- profiles::nginx::simpleproxy
hiera_exclude:
- profiles::accounts::rundeck
profiles::packages::exclude:
- jq
profiles::ssh::sign::principals:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 4440
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 20M
# additional altnames
profiles::pki::vault::alt_names:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
rundeck:
service_name: 'rundeck'
tags:
- 'automation'
- 'rundeck'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'glauth_http_check'
name: 'glauth HTTP Check'
http: "http://%{facts.networking.fqdn}:4440"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: rundeck
disposition: write
profiles::rundeck::server::mysql_backend: true
profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
profiles::rundeck::server::auth_config:
file:
auth_flag: 'sufficient'
jaas_config:
file: '/etc/rundeck/realm.properties'
realm_config:
admin_user: 'admin'
admin_password: "%{hiera('rundeck_admin_pass')}"
ldap:
jaas_config:
debug: 'true'
providerUrl: 'ldap://ldap.service.consul:389'
bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
bindPassword: "%{hiera('ldap_bindpass')}"
authenticationMethod: 'simple'
forceBindingLogin: 'true'
userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
userRdnAttribute: 'uid'
userIdAttribute: 'uid'
userPasswordAttribute: 'userPassword'
userObjectClass: 'posixAccount'
roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
roleNameAttribute: 'uid'
roleMemberAttribute: 'uniqueMember'
roleObjectClass: 'groupOfUniqueNames'
nestedGroups: 'true'
profiles::rundeck::server::key_storage_config:
- type: 'db'
path: 'keys'
- type: 'vault-storage'
path: 'vault'
config:
prefix: 'rundeck'
address: https://vault.query.consul:8200
storageBehaviour: 'vault'
secretBackend: rundeck
engineVersion: '2'
authBackend: approle
approleAuthMount: approle
approleId: "%{hiera('vault::roleid')}"
profiles::rundeck::server::cli_projects:
Self-Service:
update_method: 'set'
config:
project.description: 'self-service tasks'
project.disable.executions: 'false'
Infrastructure:
config:
project.description: 'infrastructure management'
project.disable.schedule: 'false'
profiles::rundeck::server::acl_policies:
global_admin_policy:
acl_policies:
- description: 'Global Admin, all access'
context:
application: "rundeck"
for:
project:
- allow: '*'
resource:
- allow: '*'
storage:
- allow: '*'
by:
- group: ['rundeck_globaladmin']
- description: 'Global Admin, all access'
context:
project: '.*'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_globaladmin']
selfservice_admin_policy:
acl_policies:
- description: 'Admin, all access for Self-Service project'
context:
project: 'Self-Service'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_selfserice_admin']
selfservice_user_policy:
acl_policies:
- description: 'Users can execute tasks but not edit for Self-Service project'
context:
project: 'Self-Service'
for:
resource:
- allow: ['read']
adhoc:
- allow: ['run']
job:
- allow: ['read', 'run']
node:
- allow: ['read', 'run']
by:
- group: ['rundeck_selfserice_user']
infrastructure_admin_policy:
acl_policies:
- description: 'Admin, all access for Infrastructure project'
context:
project: 'Infrastructure'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_infrastructure_admin']
infrastructure_user_policy:
acl_policies:
- description: 'Users can execute tasks but not edit for Infrastructure project'
context:
project: 'Infrastructure'
for:
resource:
- allow: ['read']
adhoc:
- allow: ['run']
job:
- allow: ['read', 'run']
node:
- allow: ['read', 'run']
by:
- group: ['rundeck_infrastructure_user']
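Review bot: The `by` entries of selfservice_admin_policy and selfservice_user_policy name `rundeck_selfserice_admin` and `rundeck_selfserice_user` (missing the "v"), while the LDAP groups created in the glauth data are `rundeck_selfservice_admin` and `rundeck_selfservice_user`; unless a group with the misspelt name exists elsewhere, those two policies never match and Self-Service users get no access instead of the intended read/run rights. The consul check for the rundeck service is still labelled `id: 'glauth_http_check'` / `name: 'glauth HTTP Check'` although it probes port 4440, which will mislead anyone reading the consul UI; `id: 'rundeck_http_check'` and `name: 'rundeck HTTP Check'` match the other roles. `debug: 'true'` in the ldap jaas_config presumably dates from bring-up — JAAS LDAP debug output is verbose and lands in the service log, so a comment saying when it is meant to be turned off would help.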
+11 -11
@@ -1,15 +1,15 @@
---
profiles::packages::install:
- cobbler
- cobbler3.2-web
- httpd
- syslinux
- dnf-plugins-core
- debmirror
- pykickstart
- fence-agents
- selinux-policy-devel
- ipxe-bootimgs
profiles::packages::include:
cobbler: {}
cobbler3.2-web: {}
httpd: {}
syslinux: {}
dnf-plugins-core: {}
debmirror: {}
pykickstart: {}
fence-agents: {}
selinux-policy-devel: {}
ipxe-bootimgs: {}
profiles::pki::vault::alt_names:
- cobbler.main.unkin.net
+2
@@ -0,0 +1,2 @@
---
redisha::masterauth: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAV8znsSGAbPpPUhAcyOIWFltVyAcx3yVcIvC+JFndkkuVBT1813GSURrXIreXSilvJEHlwRC03A9NhjWJSsHBIS12uUb+7ap95oh2JJ7OHmeWSVD1GDDRpTQAgDEOikAnioRNJfQ83jUa11nJrsavt46hSq8vDq+rZ2P8ugiNk59mNX5vgYthCPXcEJd7UmpLZhgxZ8+42l4TKo7QpqKRcIMteJXk1NvyYfYGnGTZhknuyHM3xPGauGjKzamMlTzD9dGnn2K0/Q7I4PUyT24ZEG3kNVyDlVHTYcKnIT5q8qvmJdDQfZwOETF3SrzcqhQ2nqFvmI19sCTsQVmveb/2ITBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9KML3vzwF4vGZdtiu++jmgDAWPZspCckgoXPkgNRMePov3pXSlKUAGxwmdsuIM75rJMxlSTiil2lzMMBWXmUofys=]
+67
@@ -0,0 +1,67 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- redis.main.unkin.net
- redis.service.consul
- redis.query.consul
- "redis.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- redis.main.unkin.net
- redis.service.consul
- redis.query.consul
hiera_include:
- redisha
redisha::manage_repo: false
redisha::redisha_members_lookup: true
redisha::redisha_members_role: roles::infra::db::redis
#redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
#redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
redisha::tools::requirepass: "%{hiera('redisha::masterauth')}"
sudo::configs:
consul:
priority: 20
content: |
consul ALL=(ALL) NOPASSWD: /usr/local/sbin/sentineladm info
consul::services:
redis-replica:
service_name: "redis-replica-%{facts.environment}"
tags:
- 'redis'
- 'redis-replica'
address: "%{facts.networking.ip}"
port: 6379
checks:
- id: 'redis-replica_tcp_check'
name: 'Redis Replica TCP Check'
tcp: "%{facts.networking.ip}:6379"
interval: '10s'
timeout: '1s'
redis-master:
service_name: "redis-master-%{facts.environment}"
tags:
- 'redis'
- 'redis-master'
address: "%{facts.networking.ip}"
port: 6379
checks:
- id: 'redis-master_tcp_check'
name: "Redis Master Check"
args:
- '/usr/local/bin/check_redis_master'
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: "redis-replica-%{facts.environment}"
disposition: write
- resource: service
segment: "redis-master-%{facts.environment}"
disposition: write
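Review bot: With `redisha::redis::requirepass` and `redisha::redis::masterauth` commented out, the redis instances appear to come up without a password while only sentinel is protected; the redisha::params defaults added in this same change are `requirepass = undef` and `redis_host = $facts['networking']['ip']`, so port 6379 bound to the host address would accept unauthenticated commands (confirm against the redis module's own defaults). If the two lines were disabled because `redisha::redis` does not read those keys, record that in a comment rather than leaving dead config; otherwise re-enable them so redis and sentinel share the one secret. The sudoers entry is correctly pinned to the literal `sentineladm info` argument, which matters because sentineladm forwards `"$@"` straight to redis-cli.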
-8
@@ -33,13 +33,6 @@ profiles::dns::resolver::zones:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
unkin.net-forward:
domain: 'unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
dmz.unkin.net-forward:
domain: 'dmz.unkin.net'
zone_type: 'forward'
@@ -67,7 +60,6 @@ profiles::dns::resolver::views:
recursion: true
zones:
- main.unkin.net-forward
- unkin.net-forward
- dmz.unkin.net-forward
- network.unkin.net-forward
- prod.unkin.net-forward
+2
@@ -0,0 +1,2 @@
---
droneci_server::rpc_secret: ENC[PKCS7,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]
+25
@@ -0,0 +1,25 @@
---
hiera_include:
- profiles::base::datavol
- docker
- droneci::runner
docker::version: latest
docker::curl_ensure: false
droneci::runner::ports:
- 3000:3000
droneci::runner::volumes:
- type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock
- type=bind,source=/data,target=/data
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
droneci::runner::env_vars:
DRONE_RPC_PROTO: https
DRONE_RPC_HOST: droneci.query.consul
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: "%{facts.networking.fqdn}"
DRONE_RUNNER_VOLUMES: /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt
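Review bot: The runner container gets `/var/run/docker.sock` plus the host's vault TLS private key (`/etc/pki/tls/vault/private.key`) bind-mounted in; the socket alone makes the runner root-equivalent on the host, and since the runner presumably only acts as an HTTPS client to the server, the certificate/key mounts look unnecessary and widen what a compromised pipeline step could reach. Consider dropping the two vault mounts (keeping the CA bundle) and adding a comment on the socket mount, e.g. `# docker.sock grants host-root to the runner; keep this node isolated from other roles`. `DRONE_RUNNER_VOLUMES` also exposes a host path into every pipeline container, so the same "this host executes untrusted code" note applies there.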
@@ -0,0 +1,6 @@
---
droneci_server::gitea_client_secret: ENC[PKCS7,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]
droneci_server::cookie_secret: ENC[PKCS7,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]
droneci_server::database_secret: ENC[PKCS7,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]
droneci_server::postgres_password: ENC[PKCS7,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]
droneci_server::redis_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAYMoZlVXHC1qfkDptPy3PyWGrUs5y9M9AOv5Vn1AK6DYViixhjwPZUCfwTONmt7CiBuqmkDOpR5isWFiBo/+TMeMXlM9C/D+Svc9tpeHLpVaXAYeoz5um2InyBFkLWSaUaWSftF9U7O5Nv/OiLIsd7nn4T8Dd21rfUiRfUN/2HPLMCs+mW15Az9XNOcvfm+kPXDAcB+ukHde0vvtYTZEFWjMdwJjjE43DiCmAoLTcpvQxdlclojotBpFeBLZs/F21FDQ4hvBUvPBMuZ1o7ImSP5fuomYSFK8etbD7JO5gg5BN59lGl1ljyR83phv6wmmqlzB8wQl0pjEpni9o7fa9hTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCKJrkPA78qx3wAu1eroIjRgDA72N9U0YZf1MzACcGSOMU5RGO242RwlIKUrnuYcdC0dKkjLXtP+yVpSKkX5WxcsDQ=]
+79
@@ -0,0 +1,79 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- droneci.main.unkin.net
- droneci.service.consul
- droneci.query.consul
- "droneci.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- droneci.main.unkin.net
- droneci.service.consul
- droneci.query.consul
hiera_include:
- docker
- profiles::sql::postgresdb
- droneci
docker::version: latest
docker::curl_ensure: false
profiles::sql::postgresdb::dbname: droneci
profiles::sql::postgresdb::dbuser: droneci
profiles::sql::postgresdb::dbpass: "%{hiera('droneci_server::postgres_password')}"
profiles::sql::postgresdb::members_lookup: true
profiles::sql::postgresdb::members_role: roles::infra::droneci::server
droneci::ports:
- 80:80
- 443:443
droneci::volumes:
- type=bind,source=/var/lib/drone,target=/data
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
droneci::env_vars:
DRONE_GITEA_SERVER: https://git.query.consul
DRONE_GITEA_CLIENT_ID: dda67581-86df-4e65-88ae-1e505b849082
DRONE_USER_CREATE: username:unkinben,admin:true
DRONE_GITEA_CLIENT_SECRET: "%{hiera('droneci_server::gitea_client_secret')}"
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
DRONE_SERVER_HOST: droneci.query.consul
DRONE_SERVER_PROTO: https
DRONE_TLS_CERT: /etc/pki/tls/vault/certificate.crt
DRONE_TLS_KEY: /etc/pki/tls/vault/private.key
DRONE_COOKIE_SECRET: "%{hiera('droneci_server::cookie_secret')}"
DRONE_COOKIE_TIMEOUT: 720h
DRONE_HTTP_SSL_REDIRECT: true
DRONE_HTTP_SSL_TEMPORARY_REDIRECT: true
DRONE_HTTP_SSL_HOST: droneci.query.consul
DRONE_LOGS_TEXT: true
DRONE_LOGS_PRETTY: true
DRONE_LOGS_COLOR: true
DRONE_DATABASE_SECRET: "%{hiera('droneci_server::database_secret')}"
DRONE_DATABASE_DRIVER: postgres
DRONE_DATABASE_DATASOURCE: "postgres://droneci:%{hiera('droneci_server::postgres_password')}@master.patroni-prod.service.au-syd1.consul:5432/droneci?sslmode=disable"
DRONE_REDIS_CONNECTION: "redis://%{hiera('droneci_server::redis_password')}@redis-master-prod.service.au-syd1.consul:6379/2"
consul::services:
droneci:
service_name: 'droneci'
tags:
- 'drone'
- 'droneci'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'droneci_https_check'
name: 'droneci HTTPS Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: droneci
disposition: write
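Review bot: `DRONE_DATABASE_DATASOURCE` ends in `sslmode=disable`, so the postgres password and all Drone database traffic cross the network to the patroni cluster in clear text even though the CA bundle is already mounted into the container at `/etc/ssl/certs/ca-certificates.crt`. If the patroni nodes serve TLS from the same vault PKI, `sslmode=verify-full` (or at least `sslmode=require`) with `sslrootcert=/etc/ssl/certs/ca-certificates.crt` closes that; if they do not yet, a comment on the line stating why it is disabled belongs there. The `DRONE_REDIS_CONNECTION` string likewise carries the redis password to `redis-master-prod` unencrypted, so the same question applies. `DRONE_COOKIE_TIMEOUT: 720h` is a 30-day session lifetime for an admin-capable CI UI — worth a deliberate decision and a comment either way.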
+1 -1
@@ -41,7 +41,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
- "git.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 3000
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 250M
nginx::client_max_body_size: 1024M
profiles::gitea::init::root:
APP_NAME: 'Gitea'
+1
@@ -0,0 +1 @@
profiles::gitea::runner::registration_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOL/ug4IPhEW1n+Lq+SsMSEJUYsDDK2s0+oNF3unxcbH3QDqWo7kuYKkDWQ+W3otcxvuRlbC8+0W2fO2udhF7sSGrF93INsTCDqWlLnaaAgxlgNSXthA4OCJlI8DCLeD/Sr0TTCchUdpQrIpDo6Gh0EUjgRv5574q26or7c/vvtQ4nfLVQOqEV9UpsCgEYiQvXVcf55LEpgaDp4mFL0qCnfzDnGNbZ0GUo6552ka19IocqOqILPnZO0qDcEoLbQ90sP197+5Jw611i1Akx1C4lFP81bazFMpbdiEP0V4Ax+33LfZEb0KnXuMbKOF23vIwwwfpFJaSOAjA5YehA3xM2zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDPJHB2uL+VEyntgZocyoMXgDBJ1dnRWiJM77XomzbNdDUO+ktIHLOTL5do0m4CkXZ1s42KtaAwWL+/EGdxg80UMC8=]
+46
@@ -0,0 +1,46 @@
---
hiera_include:
- docker
- profiles::gitea::runner
docker::version: latest
docker::curl_ensure: false
profiles::gitea::runner::home: /data/runner
profiles::gitea::runner::version: '0.2.10'
profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
profiles::gitea::runner::config:
log:
level: info
runner:
file: "%{hiera('profiles::gitea::runner::home')}/.runner"
capacity: 2
envs:
A_TEST_ENV_NAME_1: a_test_env_value_1
A_TEST_ENV_NAME_2: a_test_env_value_2
env_file: .env
timeout: 3h
insecure: false
fetch_timeout: 5s
fetch_interval: 2s
labels:
- "almalinux-latest"
- "almalinux-8:docker"
- "almalinux-8.10:docker"
cache:
enabled: true
dir: "%{hiera('profiles::gitea::runner::home')}/.cache/actcache"
host: ""
port: 0
external_server: ""
container:
network: ""
privileged: false
options:
workdir_parent: /workspace
valid_volumes: []
docker_host: ""
force_pull: true
force_rebuild: false
host:
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
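Review bot: The `envs` block still carries the upstream sample values `A_TEST_ENV_NAME_1` / `A_TEST_ENV_NAME_2`, and because the whole hash is written verbatim to config.yaml with `to_yaml` they are presumably injected into every job this runner executes; replace them with the real per-job environment or set `envs: {}`. The `privileged: false`, `valid_volumes: []` and `insecure: false` settings are the right defaults for a runner that executes repository-controlled workflows and deserve a short comment so a later edit does not loosen them casually, e.g. `# keep privileged/valid_volumes restrictive: workflows are repo-controlled code`. `cache.host: ""` and `port: 0` leave the cache server to auto-detection, which presumably requires the host IP to be reachable from job containers — confirm.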
@@ -9,4 +9,5 @@ profiles::metrics::server::scrape_jobs:
- puppetdb
- systemd
- haproxy
- postgres
profiles::metrics::server::localstorage: /data/prometheus
+2 -2
@@ -1,3 +1,3 @@
---
profiles::packages::install:
- puppetserver
profiles::packages::include:
puppetserver: {}
+2 -2
@@ -1,6 +1,6 @@
---
profiles::packages::install:
- createrepo
profiles::packages::include:
createrepo: {}
profiles::pki::vault::alt_names:
- repos.main.unkin.net
+4
@@ -0,0 +1,4 @@
---
profiles::sql::patroni::superuser_password: ENC[PKCS7,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]
profiles::sql::patroni::replication_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWyCj+7WfzpTcpBg6uQ5ykGmLZmb/avW3Pc+VWj9bGvxSQCA8LA6HJlEhhL3mrJSTGUyHLgeEebEup9AVHe2k2l/JHIvhyfx7LI+mNDp8u5p40pM6ZxTdIJFOZmOS/nGjAR6mTv6Ennhpw4sWSDYXU0mJPTHGAked2FXV1xsS0zpTY7hccJHuww5ixOw6jP8E1Pu0ex4LmefOXApowf0jZ2pARndlsXwZldahUHIF48XejclpgCK9rTrb4eQsOZr5ozcj0BBpWg/JKNkQt8mQU5l5/z0GDT08Op8g6MVdJuOWr92uPqjc8sydrz0QAx4l8t1KY2fMWK7BPKqSdcOxiDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDEZBNd56BHVGRVfHDPPwZHgDAZKnqicbF/MVKPi1PwwyHrXMW/fWqocgr1zWx6RXWgXICqjJdEFXwFerXXb39RSDg=]
profiles::sql::patroni::postgres_exporter_pass: ENC[PKCS7,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]
+28
@@ -0,0 +1,28 @@
---
profiles::yum::global::repos:
postgresql-15:
name: postgresql-15
descr: postgresql-15 repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
postgresql-common:
name: postgresql-common
descr: postgresql-common repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
profiles::sql::patroni::postgres_exporter_enabled: true
profiles::sql::patroni::postgres_exporter_user: postgres_exporter
profiles::consul::client::node_rules:
- resource: service_prefix
segment: "%{hiera('profiles::sql::patroni::cluster_name')}"
disposition: write
- resource: key_prefix
segment: "service/%{hiera('profiles::sql::patroni::cluster_name')}"
disposition: write
- resource: session_prefix
segment: ""
disposition: write
@@ -89,3 +89,9 @@ profiles::consul::prepared_query::rules:
service_failover_n: 3
service_only_passing: true
ttl: 10
droneci:
ensure: 'present'
service_name: 'droneci'
service_failover_n: 3
service_only_passing: true
ttl: 10
+2 -2
@@ -125,12 +125,12 @@ profiles::edgecache::params::mirrors:
ensure: present
location: '~* ^/ceph/yum/.*/repodata/'
rewrite_rules:
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
- '^/ceph/yum/(.*)$ /rpm-18.2.2/$1 break'
proxy: http://158.69.68.124
ceph_yum_data:
ensure: present
location: /ceph/yum
proxy: http://158.69.68.124/rpm-reef
proxy: http://158.69.68.124/rpm-18.2.2
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
+2 -2
@@ -1,3 +1,3 @@
---
profiles::packages::install:
- "%{hiera('lm-sensors::package')}"
profiles::packages::include:
"%{hiera('lm-sensors::package')}": {}
+24
@@ -0,0 +1,24 @@
class droneci (
Hash $env_vars = {},
String $docker_image = 'drone/drone:2',
Array[String] $ports = [],
Array[String] $volumes = [],
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci',
) {
# Create the environment file from a template
file { $env_file:
ensure => file,
content => template('droneci/droneci_env.erb'),
mode => '0644',
}
# Define the systemd service for Drone CI
systemd::unit_file { 'droneci.service':
ensure => present,
content => template('droneci/droneci_service.erb'),
enable => true,
active => true,
subscribe => File[$env_file],
}
}
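Review bot: `$env_file` is created with `mode => '0644'` although it is populated from `$env_vars`, which per the role data carries `DRONE_RPC_SECRET`, `DRONE_DATABASE_SECRET`, the cookie secret and the postgres password inside the datasource URL; any local user can read them. Since docker runs as root and reads the file itself, `mode => '0600'` with explicit `owner => 'root', group => 'root'` is sufficient, and the same applies to the `droneci::runner` class that follows. `content => template(...)` also leaves the secrets in the catalog and in the change diff of reports; `show_diff => false` on the file resource keeps the values out of the diff output.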
+24
@@ -0,0 +1,24 @@
class droneci::runner (
Hash $env_vars = {},
String $docker_image = 'drone/drone-runner-docker:1',
Array[String] $ports = [],
Array[String] $volumes = [],
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci_runner',
) {
# Create the environment file from a template
file { $env_file:
ensure => file,
content => template('droneci/droneci_env.erb'),
mode => '0644',
}
# Define the systemd service for Drone CI runner
systemd::unit_file { 'droneci-runner.service':
ensure => present,
content => template('droneci/droneci_runner_service.erb'),
enable => true,
active => true,
subscribe => File[$env_file],
}
}
@@ -0,0 +1,3 @@
<% @env_vars.each do |key, value| -%>
<%= key.upcase %>=<%= value %>
<% end -%>
@@ -0,0 +1,20 @@
[Unit]
Description=Drone CI Runner
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/bin/docker run --rm \
--name=drone-runner \
<% @ports.each do |port| -%>
-p <%= port %> \
<% end -%>
<% @volumes.each do |volume| -%>
--mount <%= volume %> \
<% end -%>
--env-file <%= @env_file %> \
<%= @docker_image %>
Restart=always
[Install]
WantedBy=multi-user.target
@@ -0,0 +1,20 @@
[Unit]
Description=Drone CI Service
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/bin/docker run --rm \
--name=drone \
<% @ports.each do |port| -%>
-p <%= port %> \
<% end -%>
<% @volumes.each do |volume| -%>
--mount <%= volume %> \
<% end -%>
--env-file <%= @env_file %> \
<%= @docker_image %>
Restart=always
[Install]
WantedBy=multi-user.target
+6
@@ -6,7 +6,12 @@ define glauth::obj::service (
Integer $primarygroup,
String $passsha256,
Stdlib::Absolutepath $config_path,
Optional[Array[Integer]] $othergroups = [],
) {
$formatted_othergroups = $othergroups.empty ? {
true => '[]',
false => "[${othergroups.join(', ')}]",
}
concat::fragment { "glauth_service_${service_name}":
target => $config_path,
content => epp('glauth/obj/service.epp', {
@@ -15,6 +20,7 @@ define glauth::obj::service (
'uidnumber' => $uidnumber,
'primarygroup' => $primarygroup,
'passsha256' => $passsha256,
'othergroups' => $formatted_othergroups,
}),
order => '80',
}
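Review bot: `Optional[Array[Integer]] $othergroups = []` allows `undef` to be passed explicitly, and `$othergroups.empty` / `$othergroups.join` are then evaluated on undef — Puppet's core `empty()` documents undef-as-empty as deprecated — while the `Optional` adds nothing when the default is already `[]`; `Array[Integer] $othergroups = []` states the contract precisely. The selector can also be collapsed to `$formatted_othergroups = "[${othergroups.join(', ')}]"`, since `join` on an empty array yields `''` and the result is `[]` either way. The define's header and the rest of the concat fragment are outside this hunk.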
+1 -14
@@ -20,20 +20,7 @@ define glauth::obj::user (
}
concat::fragment { "glauth_user_${user_name}":
target => $config_path,
content => epp('glauth/obj/user.epp', {
'name' => $user_name,
'givenname' => $givenname,
'sn' => $sn,
'mail' => $mail,
'uidnumber' => $uidnumber,
'primarygroup' => $primarygroup,
'loginshell' => $loginshell,
'homedir' => $homedir,
'passsha256' => $passsha256,
'sshkeys' => $sshkeys,
'passappsha256' => $passappsha256,
'othergroups' => $formatted_othergroups,
}),
content => template('glauth/obj/user.erb'),
order => '70',
}
}
+1 -1
@@ -1,5 +1,5 @@
[[groups]]
name = "<%= $name %>"
gidnumber = <%= $gidnumber %>
<% if $includegroups.length > 0 { %>includegroups = [<% $includegroups.each |Integer $group| { %><%= $group %>, <% } %>]<% } %>
<% if $includegroups.length > 0 { %>includegroups = [<%= $includegroups.join(', ') %>]<% } %>
+1
@@ -4,4 +4,5 @@
uidnumber = <%= $uidnumber %>
primarygroup = <%= $primarygroup %>
passsha256 = "<%= $passsha256 %>"
othergroups = <%= $othergroups %>
-14
@@ -1,14 +0,0 @@
[[users]]
name = "<%= $name %>"
<% if $givenname != '' { %>givenname = "<%= $givenname %>"<% } %>
<% if $sn != '' { %>sn = "<%= $sn %>"<% } %>
mail = "<%= $mail %>"
uidnumber = <%= $uidnumber %>
primarygroup = <%= $primarygroup %>
<% if $loginshell != '' { %>loginShell = "<%= $loginshell %>"<% } %>
<% if $homedir != '' { %>homeDir = "<%= $homedir %>"<% } %>
passsha256 = "<%= $passsha256 %>"
<% if $sshkeys.length > 0 { %>sshkeys = [<% $sshkeys.each |String $key| { %>"<%= $key %>", <% } %>]<% } %>
<% if $passappsha256.length > 0 { %>passappsha256 = [<% $passappsha256.each |String $pass| { %>"<%= $pass %>", <% } %>]<% } %>
othergroups = <%= $othergroups %>
+26
@@ -0,0 +1,26 @@
[[users]]
name = "<%= @user_name %>"
<% if @givenname != '' -%>
givenname = "<%= @givenname %>"
<% end -%>
<% if @sn != '' -%>
sn = "<%= @sn %>"
<% end -%>
mail = "<%= @mail %>"
uidnumber = <%= @uidnumber %>
primarygroup = <%= @primarygroup %>
<% if @loginshell != '' -%>
loginShell = "<%= @loginshell %>"
<% end -%>
<% if @homedir != '' -%>
homeDir = "<%= @homedir %>"
<% end -%>
passsha256 = "<%= @passsha256 %>"
<% if @sshkeys.length > 0 -%>
sshkeys = [<%= @sshkeys.map { |key| "\"#{key}\"" }.join(', ') %>]
<% end -%>
<% if @passappsha256.length > 0 -%>
passappsha256 = [<%= @passappsha256.map { |pass| "\"#{pass}\"" }.join(', ') %>]
<% end -%>
othergroups = <%= @formatted_othergroups %>
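Review bot: The guards `<% if @givenname != '' -%>` (and the same for `@sn`, `@loginshell`, `@homedir`) treat only the empty string as absent; if the define ever passes `undef`, ERB sees `nil`, the condition is true and the template emits `givenname = ""`, while `@sshkeys.length` / `@passappsha256.length` raise on `nil` — `unless @givenname.to_s.empty?` and `Array(@sshkeys).any?` cover both cases. The sshkeys and passappsha256 values are interpolated into TOML strings without escaping, so a value containing `"` or `\` would corrupt the `[[users]]` table; `key.inspect` gives escaping that roughly matches TOML basic strings, or reject such characters in the define. The define that supplies `@formatted_othergroups` is outside this hunk, so whether undef can reach here depends on its parameter types.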
+12
@@ -0,0 +1,12 @@
# frozen_string_literal: true
Facter.add(:psql_is_slave) do
confine enc_role: 'roles::infra::sql::patroni'
setcode do
# Command to check if PostgreSQL is in recovery mode
command = 'sudo -iu postgres psql -tAc "select pg_is_in_recovery()"'
# Execute the command and map the output to a boolean value
{ 't' => true, 'f' => false }[Facter::Core::Execution.execute(command, on_fail: nil)]
end
end
+2
@@ -8,4 +8,6 @@ class nzbget::params (
Boolean $manage_group = true,
Stdlib::Host $bind_address = '127.0.0.1',
Stdlib::Port $port = 6789,
Boolean $service_enable = true,
String $service_name = 'nzbget',
) { }
+14
@@ -0,0 +1,14 @@
# manage RedisHA
class redisha (
Boolean $manage_repo = $redisha::params::manage_repo,
Boolean $redisha_members_lookup = $redisha::params::redisha_members_lookup,
Optional[String] $redisha_members_role = $redisha::params::redisha_members_role,
Array $redisha_servers = $redisha::params::redisha_servers,
) inherits redisha::params {
include redisha::redis
include redisha::sentinel
include redisha::tools
Class['redisha::redis'] -> Class['redisha::sentinel'] -> Class['redisha::tools']
}
+25
@@ -0,0 +1,25 @@
class redisha::params (
Boolean $redisha_members_lookup = false,
Optional[String] $redisha_members_role = undef,
Array $redisha_servers = [],
# both
Stdlib::Host $redis_host = $facts['networking']['ip'],
Stdlib::Port $redis_port = 6379,
Optional[String] $requirepass = undef,
# redis
Optional[String] $dnf_module_stream = '6',
Integer[1] $databases = 16,
Optional[Variant[String, Sensitive[String], Deferred]] $masterauth = $redisha::params::requirepass,
# sentinel
String[1] $master_name = 'mymaster',
Optional[Variant[String, Sensitive[String]]] $auth_pass = $redisha::params::requirepass,
Integer[1] $quorum = 2,
Enum['yes', 'no'] $sentinel_resolve_hostnames = 'yes',
Enum['yes', 'no'] $sentinel_announce_hostnames = 'yes',
Stdlib::Host $sentinel_announce_ip = $facts['networking']['ip'],
Array[Stdlib::IP::Address] $sentinel_bind = [$facts['networking']['ip']],
Stdlib::Port $sentinel_port = 26379,
){}
+59
@@ -0,0 +1,59 @@
class redisha::redis (
Boolean $manage_repo = $redisha::manage_repo,
Boolean $redisha_members_lookup = $redisha::redisha_members_lookup,
Optional[String] $redisha_members_role = $redisha::redisha_members_role,
Array $redisha_servers = $redisha::redisha_servers,
Stdlib::Host $redis_host = $redisha::params::redis_host,
Stdlib::Port $redis_port = $redisha::params::redis_port,
Optional[String] $requirepass = $redisha::params::requirepass,
Optional[String] $dnf_module_stream = $redisha::params::dnf_module_stream,
Integer[1] $databases = $redisha::params::databases,
Optional[Variant[String, Sensitive[String], Deferred]] $masterauth = $redisha::params::masterauth,
) inherits redisha::params {
# if lookup is enabled
if $redisha_members_lookup {
# check that the role is also set
unless !($redisha_members_role == undef) {
fail("redisha_members_role must be provided for ${title} when redisha_members_lookup is True")
}
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
# else use provided array from params
}else{
$servers_array = $redisha_servers
}
if length($servers_array) >= 3 {
# check if this is the master_node
if $servers_array[0] == $::facts['networking']['fqdn'] {
class { 'redis':
bind => $redis_host,
port => $redis_port,
databases => $databases,
requirepass => $requirepass,
masterauth => $masterauth,
dnf_module_stream => $dnf_module_stream,
ulimit_managed => false,
}
}else{
class { 'redis':
bind => $redis_host,
port => $redis_port,
databases => $databases,
requirepass => $requirepass,
masterauth => $masterauth,
dnf_module_stream => $dnf_module_stream,
ulimit_managed => false,
replicaof => "${servers_array[0]} ${redis_port}",
}
}
}
}
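Review bot: `unless !($redisha_members_role == undef)` is a double negation for `if $redisha_members_role == undef`, and the same construct appears in `redisha::sentinel`; in both classes the `length($servers_array) >= 3` check silently manages nothing when fewer hosts are found, so a mis-roled node or one queried before PuppetDB has caught up ends up with no redis and no log line — an else-branch with `warning("redisha: only ${length($servers_array)} members found, skipping")` makes that visible. The two `class { 'redis': … }` bodies differ only in `replicaof`; computing `$replicaof = $servers_array[0] ? { $facts['networking']['fqdn'] => undef, default => "${servers_array[0]} ${redis_port}" }` and declaring the class once removes the duplication, and `$::facts` can be `$facts` like the rest of the file. Electing the master as the first fqdn in sorted order means a newly added host that sorts first is configured as master on its first run, and sentinel is told the same — worth a comment on the `$servers_array[0]` check.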
+49
@@ -0,0 +1,49 @@
class redisha::sentinel (
Boolean $redisha_members_lookup = $redisha::redisha_members_lookup,
Optional[String] $redisha_members_role = $redisha::redisha_members_role,
Array $redisha_servers = $redisha::redisha_servers,
Stdlib::Port $redis_port = $redisha::params::redis_port,
Optional[String] $requirepass = $redisha::params::requirepass,
String[1] $master_name = $redisha::params::master_name,
Optional[Variant[String, Sensitive[String]]] $auth_pass = $redisha::params::auth_pass,
Integer[1] $quorum = $redisha::params::quorum,
Enum['yes', 'no'] $sentinel_resolve_hostnames = $redisha::params::sentinel_resolve_hostnames,
Enum['yes', 'no'] $sentinel_announce_hostnames = $redisha::params::sentinel_announce_hostnames,
Stdlib::Host $sentinel_announce_ip = $redisha::params::sentinel_announce_ip,
Array[Stdlib::IP::Address] $sentinel_bind = $redisha::params::sentinel_bind,
Stdlib::Port $sentinel_port = $redisha::params::sentinel_port,
) inherits redisha::params {
# if lookup is enabled
if $redisha_members_lookup {
# check that the role is also set
unless !($redisha_members_role == undef) {
fail("redisha_members_role must be provided for ${title} when redisha_members_lookup is True")
}
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
# else use provided array from params
}else{
$servers_array = $redisha_servers
}
if length($servers_array) >= 3 {
class { 'redis::sentinel':
master_name => $master_name,
redis_host => $servers_array[0],
redis_port => $redis_port,
requirepass => $requirepass,
auth_pass => $auth_pass,
quorum => $quorum,
sentinel_resolve_hostnames => $sentinel_resolve_hostnames,
sentinel_announce_ip => $sentinel_announce_ip,
sentinel_announce_hostnames => $sentinel_announce_hostnames,
sentinel_port => $sentinel_port,
sentinel_bind => $sentinel_bind,
}
}
}
+35
@@ -0,0 +1,35 @@
class redisha::tools (
Stdlib::Host $redis_host = $redisha::params::redis_host,
Stdlib::Port $redis_port = $redisha::params::redis_port,
Stdlib::Port $sentinel_port = $redisha::params::sentinel_port,
Optional[String] $requirepass = $redisha::params::requirepass,
) inherits redisha::params {
# add command to automate redis-cli commands against redis
file {'/usr/local/sbin/redisadm':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0700',
content => template('redisha/redisadm.erb'),
}
# add command to automate redis-cli commands against sentinel
file {'/usr/local/sbin/sentineladm':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0700',
content => template('redisha/sentineladm.erb'),
}
# add command to check if current host is the redis master
file {'/usr/local/bin/check_redis_master':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => template('redisha/check_redis_master.erb'),
}
}
@@ -0,0 +1,2 @@
#!/usr/bin/bash
sudo /usr/local/sbin/sentineladm info | grep -q <%= @facts['networking']['fqdn'] %>
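Review bot: `grep -q <%= @facts['networking']['fqdn'] %>` uses the fqdn as an unquoted, unanchored regular expression: the dots match any character and a hostname that is a prefix of another (`redis1` vs `redis10`) or that appears in some other field of the `info` output also matches, so the consul `redis-master` check can pass on a replica. `grep -qF -- '<%= @facts['networking']['fqdn'] %>'` makes it a fixed-string match, and anchoring on the master line (`address=<FQDN-PLACEHOLDER>:` in sentinel's `master0:` entry, if that is what `sentineladm info` prints — confirm) pins it to the field you mean. A comment pointing at the sudoers fragment in the redis role data that this script depends on would help the next reader.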
+9
@@ -0,0 +1,9 @@
#!/usr/bin/bash
REDIS_HOST=<%= @redis_host %>
REDIS_PORT=<%= @redis_port %>
if [ $# -gt 0 ]; then
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" "$@"
else
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT"
fi
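Review bot: `REDISCLI_AUTH=<%= @requirepass %>` is interpolated unquoted, so a password containing whitespace, `$`, `;` or quotes breaks the command line or is partly interpreted by the shell, and when `@requirepass` is undef the prefix becomes `REDISCLI_AUTH=` and redis-cli presumably attempts AUTH with an empty password; quote it as `REDISCLI_AUTH='<%= @requirepass %>'` (escaping any single quote in the value) or emit the prefix only when it is set. The `if [ $# -gt 0 ]` branch is redundant because `"$@"` expands to nothing without arguments, so the body can be the single line `REDISCLI_AUTH='…' redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" "$@"`; `sentineladm.erb` below has the same two issues. The 0700 root-owned install in `redisha::tools` is the right protection for a script that embeds the credential.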
@@ -0,0 +1,9 @@
#!/usr/bin/bash
REDIS_HOST=<%= @redis_host %>
SENTINEL_PORT=<%= @sentinel_port %>
if [ $# -gt 0 ]; then
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$SENTINEL_PORT" "$@"
else
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$SENTINEL_PORT"
fi
@@ -0,0 +1,14 @@
# create the rundeck user
class profiles::accounts::rundeck (
Array[String] $sshkeys = [],
){
profiles::base::account {'rundeck':
username => 'rundeck',
uid => 1100,
gid => 1100,
groups => ['adm', 'admins', 'systemd-journal'],
sshkeys => $sshkeys,
require => Group['admins'],
system => true,
}
}
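Review bot: The `rundeck` service account is added to `adm`, `admins` and `systemd-journal`; if `admins` is the sudo group elsewhere in this repo (the `require => Group['admins']` suggests it is managed there), an automation user with an SSH key is being given interactive-admin rights rather than only what rundeck needs on the target. Scope the groups to the minimum and, where elevated commands are required, a dedicated sudoers fragment limited to those commands is the usual pattern; a comment such as `# adm/systemd-journal for log access; admins grants sudo — reviewed` records the decision either way. The rundeck server role excludes this profile via `hiera_exclude`, so it only lands on managed targets — worth stating in the class comment.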
+9 -2
@@ -1,5 +1,7 @@
# profiles::firstrun::packages
class profiles::firstrun::packages {
class profiles::firstrun::packages (
Hash $manage = lookup('profiles::packages::include'),
) {
# include the correct package repositories, define the install_packages exec
case $facts['os']['family'] {
'RedHat': {
@@ -15,8 +17,13 @@ class profiles::firstrun::packages {
}
}
# filter out packages with 'ensure' set to 'absent'
$packages_to_install = $manage.filter |$package, $options| {
!($options['ensure'] and $options['ensure'] == 'absent')
}
# get all the packages to install, and convert into a space separated list
$packages = hiera_array('profiles::packages::install', [])
$packages = $packages_to_install.keys
$package_list = $packages.join(' ')
# install all the packages
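Review bot: `lookup('profiles::packages::include')` without a default fails compilation on any node whose hierarchy defines no such key, whereas the `hiera_array(..., [])` it replaces tolerated that; `lookup('profiles::packages::include', Hash, 'deep', {})` keeps the safe default and merges the hash across hierarchy levels, since `hiera_array` merged arrays from every level but `lookup` defaults to first-match unless `lookup_options` already configures a merge for this key (confirm in the hiera data). The filter predicate reads more directly as `$options['ensure'] != 'absent'`, which is true for an absent `ensure` just like the current form. The class body continues past the hunk, including the exec that consumes `$package_list`.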
+73
@@ -0,0 +1,73 @@
# profiles::gitea::init
class profiles::gitea::runner (
String $registration_token,
Stdlib::HTTPSUrl $source,
String $user = 'runner',
String $group = 'runner',
Stdlib::Absolutepath $home = '/data/runner',
Hash $config = {},
Stdlib::HTTPSUrl $instance = 'https://git.query.consul',
String $version = '0.2.10',
) {
group { $group:
ensure => 'present',
}
user { $user:
ensure => 'present',
home => $home,
managehome => true,
forcelocal => true,
groups => ['docker'],
gid => $group,
require => Group[$group],
}
file { "${home}/config.yaml":
ensure => file,
content => to_yaml($config),
owner => $user,
group => $group,
require => User[$user],
}
archive { '/usr/local/bin/act_runner':
ensure => present,
extract => false,
source => $source,
creates => '/usr/local/bin/act_runner',
cleanup => true,
}
file { '/usr/local/bin/act_runner':
ensure => 'file',
mode => '0755',
owner => 'root',
group => 'root',
require => Archive['/usr/local/bin/act_runner'],
}
exec {'register_act_runner':
command => "/usr/local/bin/act_runner register \
--no-interactive \
--instance ${instance} \
--token ${registration_token} \
--name ${facts['networking']['hostname']} \
--config ${home}/config.yaml",
creates => "${home}/.runner",
cwd => $home,
user => $user,
group => $group,
require => [
File['/usr/local/bin/act_runner'],
File["${home}/config.yaml"],
],
}
systemd::unit_file {'act_runner.service':
enable => true,
active => true,
content => template('profiles/gitea/act_runner.service.erb'),
}
}
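Review bot: The registration token is interpolated into the exec's command string (`--token ${registration_token}`), so it sits in plain text in the catalog and in any report or debug output for that exec; type it `Sensitive[String] $registration_token` so Puppet redacts it where it can, and, if act_runner supports it, supply it through the exec's `environment` attribute or a mode-0600 file rather than the command line. The interpolated `${instance}` and hostname in that command are unquoted and therefore word-split by the shell. The archive resource downloads the runner binary with no `checksum`/`checksum_type`, so a truncated or substituted download is installed with mode 0755 unchecked; the declared-but-unused `$version` parameter could pin the expected checksum. The `config.yaml` file sets owner and group but no `mode`, so the runner configuration is readable by every local user under the default umask, and the header comment `# profiles::gitea::init` names the wrong class (`# profiles::gitea::runner`).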
@@ -1,5 +1,8 @@
# profiles::haproxy::dns
class profiles::haproxy::dns (
Stdlib::IP::Address $vrrp_ipaddr,
Boolean $vrrp_master = false,
Array[Stdlib::Fqdn] $vrrp_cnames = [],
Array[Stdlib::Fqdn] $cnames = [],
Integer $order = 10,
){
@@ -24,4 +27,25 @@ class profiles::haproxy::dns (
order => $order,
}
}
# export a/cnames for haproxy applications
if $vrrp_master {
profiles::dns::record { "${facts['networking']['fqdn']}_vrrp_${location_environment}-halb-vrrp":
value => $vrrp_ipaddr,
type => 'A',
record => "${location_environment}-halb-vrrp",
zone => $::facts['networking']['domain'],
order => $order,
}
$vrrp_cnames.each |$cname| {
profiles::dns::record { "${::facts['networking']['fqdn']}_${cname}_CNAME":
value => "${location_environment}-halb-vrrp",
type => 'CNAME',
record => "${cname}.",
zone => $::facts['networking']['domain'],
order => $order,
}
}
}
}
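Review bot: `$location_environment`, used in the new record titles and values, is neither a parameter nor a local of this class, so it resolves from an enclosing or top scope and an unset value would produce titles and records like `-halb-vrrp` without any compile error; declare it as a parameter or reference it by its fully qualified name. The block also mixes `$facts['networking']['fqdn']` and `$::facts['networking']['fqdn']` for the same values a few lines apart; the unqualified `$facts` form used by the class signature is the one to keep. The CNAME `record => "${cname}."` carries a trailing dot while the A record's `record` does not; if both are meant to be relative to `zone`, drop the dot, otherwise a comment on why the CNAME is absolute would help.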
@@ -6,6 +6,7 @@ class profiles::media::jellyfin (
Stdlib::Absolutepath $cache_dir = '/data/jellyfin/var/cache',
Stdlib::Absolutepath $config_dir = '/data/jellyfin/etc',
Stdlib::Absolutepath $log_dir = '/data/jellyfin/var/log',
Stdlib::Absolutepath $ffmpeg_path = '/usr/local/bin/ffmpeg',
Stdlib::Absolutepath $sysconfig_file = '/etc/sysconfig/jellyfin',
Stdlib::Absolutepath $migration_flag = '/etc/sysconfig/jellyfin_migration_done',
String $service_name = 'jellyfin',
@@ -1,23 +1,19 @@
# This class manages the installation of packages for the base profile
#
# Parameters:
# - $install: An array of package names to be installed
# - $remove: An array of package names to be removed
# - $include: A hash of package names to be managed
# - $exclude: An array of package names to be removed from managed hash
#
class profiles::packages (
Array $install = [],
Array $install_exclude = [],
Array $remove = [],
Array $remove_exclude = [],
Hash $include = {},
Array[String] $exclude = [],
) {
# Filter out excluded packages
$install_real = $install.filter |$item| { !$install_exclude.any |$exclude_item| { $exclude_item == $item } }
$remove_real = $remove.filter |$item| { !$remove_exclude.any |$exclude_item| { $exclude_item == $item } }
# Filter the include hash to remove the packages listed in exclude
$filtered_include = filter($include) |$key, $value| {
!($key in $exclude)
}
# Ensure packages to install are installed
ensure_packages($install_real, {'ensure' => 'present'})
# Ensure packages to remove are absent
ensure_packages($remove_real, {'ensure' => 'absent'})
# Manage packages
ensure_packages($filtered_include)
}
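Review bot: The filter block `|$key, $value|` never uses `$value`; name it `$_value` so linters and readers know it is intentionally ignored. The parameter comment for `$exclude` ("removed from managed hash") is terse; `# - $exclude: package names to drop from the $include hash before it is applied` says what the filter does. Since the `$include` values go straight into `ensure_packages`, typing the parameter `Hash[String, Hash]` would reject malformed hiera entries at compile time rather than at resource creation.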
@@ -24,6 +24,19 @@ class profiles::puppet::puppetdb_api (
contain ::puppetdb::server
# generate the minute for the cron job using fqdn_rand
$random_minute = fqdn_rand(60)
# create cron task to restart the puppetdb service daily at 3am
cron { 'restart_puppetdb':
ensure => 'present',
user => 'root',
command => '/bin/systemctl restart puppetdb',
minute => $random_minute,
hour => '3',
require => Service['puppetdb'],
}
class { 'prometheus::puppetdb_exporter':
puppetdb_url => "http://${listen_address}:8080/pdb/query",
export_scrape_job => true,
@@ -71,14 +71,55 @@ class profiles::puppet::server (
hasstatus => true,
hasrestart => true,
}
# generate puppet types when restarting
systemd::manage_dropin { 'generate_types.conf':
ensure => present,
unit => 'puppetserver.service',
service_entry => {
'ExecStartPost' => [
"/opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments",
],
},
}
# generate puppet types when restarting
systemd::manage_dropin { 'generate_types.conf':
ensure => absent,
unit => 'puppetserver.service',
service_entry => {
'ExecStartPost' => [
"/opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments",
],
},
}
file { '/usr/local/bin/puppet_generate_types.sh':
ensure => file,
mode => '0755',
content => @("EOF")
#!/bin/bash
sudo -u puppet /opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments
exit 0
| EOF
}
$_timer = @(EOT)
[Unit]
Description=puppet-generate-types timer
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
EOT
$_service = @(EOT)
[Unit]
Description=puppet-generate-types service
[Service]
Type=oneshot
ExecStart=/usr/local/bin/puppet_generate_types.sh
User=root
Group=root
PermissionsStartOnly=false
PrivateTmp=no
EOT
systemd::timer { 'puppet-generate-types.timer':
timer_content => $_timer,
service_content => $_service,
active => true,
enable => true,
require => File['/usr/local/bin/puppet_generate_types.sh'],
}
}
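Review bot: The new oneshot service runs as `User=root` only so that the script can `sudo -u puppet` back down; set `User=puppet` and `Group=puppet` in `$_service` and drop the `sudo -u puppet` prefix from the script, which removes both the root step and the sudo dependency. The script's trailing `exit 0` discards the exit status of `puppet generate types`, so a failed run looks successful to systemd and to anyone inspecting the timer; remove it (or `exec` the puppet command) so failures show in `systemctl status`. Keeping the old `generate_types.conf` drop-in with `ensure => absent` is fine for the transition, but a comment such as `# remove the old ExecStartPost drop-in; the timer below replaces it` would explain why a resource is declared only to be deleted.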
@@ -0,0 +1,105 @@
# profiles::rundeck::server
class profiles::rundeck::server (
Struct[{
Optional['file'] => Hash[String, Any],
Optional['ldap'] => Hash[String, Any],
Optional['pam'] => Hash[String, Any]
}] $auth_config = {},
Array[Hash] $key_storage_config = [],
Hash $acl_policies = {},
Hash $cli_projects = {},
String $cli_user = 'admin',
String $cli_password = lookup('rundeck_admin_pass'),
Boolean $mysql_backend = true,
String $mysql_user = 'rundeck',
String $mysql_name = 'rundeck',
String $mysql_pass = fqdn_rand_string(16),
Stdlib::Host $mysql_host = '127.0.0.1',
Stdlib::Port $mysql_port = 3306,
Stdlib::Absolutepath $extra_libs_dir = '/var/lib/rundeck/lib',
Stdlib::Absolutepath $jdbc_driver_dest = "${extra_libs_dir}/mariadb-java-client-3.4.1.jar",
Stdlib::HTTPSUrl $jdbc_driver_url = 'https://dlm.mariadb.com/3852266/Connectors/java/connector-java-3.4.1/mariadb-java-client-3.4.1.jar',
Stdlib::HTTPSUrl $grails_server_url = "https://${facts['networking']['fqdn']}:4440",
String $jvm_args = '-Xmx1024m -Xms256m -server -Drundeck.jetty.connector.forwarded=true',
){
# when using mysql backend
if $mysql_backend {
# export a mariadb user
@@mysql_user { "${mysql_user}@${facts['networking']['fqdn']}":
ensure => present,
password_hash => mysql::password($mysql_pass),
tag => $facts['region'],
}
# export a mariadb permission
@@mysql_grant { "${mysql_user}@${facts['networking']['fqdn']}/${mysql_name}.*":
ensure => present,
table => "${mysql_name}.*",
user => "${mysql_user}@${facts['networking']['fqdn']}",
privileges => ['ALL'],
tag => $facts['region'],
}
# create the missing /var/lib/rundeck/lib directory
mkdir::p {$extra_libs_dir:}
file {$extra_libs_dir:
ensure => directory,
owner => 'rundeck',
group => 'rundeck',
mode => '0755',
require => Package['rundeck'],
before => Service['rundeckd'],
}
# download the jdbc driver, place in /var/lib/rundeck/lib
archive { $jdbc_driver_dest:
ensure => present,
source => $jdbc_driver_url,
extract => false,
user => 'rundeck',
group => 'rundeck',
require => File[$extra_libs_dir],
before => Service['rundeckd'],
}
$database_config = {
'url' => "jdbc:mysql://${mysql_host}:${mysql_port}/${mysql_name}",
'username' => $mysql_user,
'password' => $mysql_pass,
'driverClassName' => 'org.mariadb.jdbc.Driver',
}
}else{
$database_config = {}
}
class { 'rundeck':
grails_server_url => $grails_server_url,
auth_config => $auth_config,
key_storage_config => $key_storage_config,
database_config => $database_config,
cli_user => $cli_user,
cli_password => $cli_password,
jvm_args => $jvm_args,
}
create_resources('rundeck::config::aclpolicyfile', $acl_policies)
create_resources('rundeck::config::project', $cli_projects)
# create rundeck runner ssh key
file {'/var/lib/rundeck/.ssh/rundeck_id_rsa':
ensure => 'file',
owner => 'rundeck',
group => 'rundeck',
mode => '0600',
content => lookup('rundeck::ssh::private_key'),
}
file {'/var/lib/rundeck/.ssh/rundeck_id_rsa.pub':
ensure => 'file',
owner => 'rundeck',
group => 'rundeck',
mode => '0644',
content => lookup('profiles::accounts::rundeck::sshkeys'),
}
}
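Review bot: The public-key file's `content => lookup('profiles::accounts::rundeck::sshkeys')` reads the hiera key that profiles::accounts::rundeck (earlier in this diff) declares as `Array[String]`, and a file's `content` must be a String, so this presumably fails at apply time; join it, `content => join(lookup('profiles::accounts::rundeck::sshkeys'), "\n")`, or look up a dedicated single-string key. The private key is written from `lookup('rundeck::ssh::private_key')` as a plain String, so it appears in clear text in the catalog and in the file diff on change; wrap it, `content => Sensitive(lookup('rundeck::ssh::private_key'))`, and likewise type `$cli_password` as `Sensitive[String]`. `$mysql_pass = fqdn_rand_string(16)` is derived from the node's fqdn (plus an optional seed) rather than from a secret, so it is repeatable rather than a strong credential; it is tolerable for the localhost default but should be supplied from hiera whenever `$mysql_host` is remote. The `.ssh` directory is not managed here, so both file resources rely on the package having created it.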
@@ -0,0 +1,108 @@
# profiles::sql::patroni
class profiles::sql::patroni (
String $cluster_name,
String $superuser_password,
String $replication_password,
String $superuser_username = 'postgres',
String $replication_username = 'repl',
String $pgsql_version = '15',
Stdlib::Absolutepath $pgsql_data_base = '/data/pgsql',
Stdlib::Absolutepath $pgsql_data_dir = "${pgsql_data_base}/${pgsql_version}/data",
Boolean $use_consul = true,
String $consul_host = 'localhost',
Stdlib::Port $consul_port = 8500,
Enum['http','https'] $consul_scheme = 'http',
Variant[Undef,String] $consul_token = undef,
Boolean $consul_verify = false,
Boolean $consul_register_service = true,
String $consul_service_check_interval = '5s',
String $consul_cacert = '/etc/pki/ca-trust/source/anchors/vaultcaroot.pem',
Boolean $postgres_exporter_enabled = false,
Optional[String] $postgres_exporter_user = undef,
Optional[String] $postgres_exporter_pass = undef,
){
# disable the postgresql dnf module for el8+
if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' {
# based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp
package { 'postgresql dnf module':
ensure => 'disabled',
name => 'postgresql',
provider => 'dnfmodule',
before => Class['patroni'],
}
}
# prepare data path
mkdir::p {$pgsql_data_dir:}
file {$pgsql_data_dir:
ensure => 'directory',
owner => 'postgres',
group => 'postgres',
mode => '0700',
require => Class['patroni'],
}
# manage patroni
class { 'patroni':
scope => $cluster_name,
use_consul => $use_consul,
consul_host => $consul_host,
consul_port => $consul_port,
consul_scheme => $consul_scheme,
consul_token => $consul_token,
consul_verify => $consul_verify,
consul_register_service => $consul_register_service,
consul_service_check_interval => $consul_service_check_interval,
consul_cacert => $consul_cacert,
manage_python => false,
pgsql_connect_address => "${facts['networking']['fqdn']}:5432",
restapi_connect_address => "${facts['networking']['fqdn']}:8008",
postgresql_version => $pgsql_version,
pgsql_data_dir => $pgsql_data_dir,
pgsql_pgpass_path => '/var/lib/pgsql/pgpass',
pgsql_parameters => {
'max_connections' => 5000,
},
bootstrap_pg_hba => [
'local all postgres ident',
'host all all 0.0.0.0/0 md5',
'host replication repl 0.0.0.0/0 md5',
],
pgsql_pg_hba => [
'local all postgres ident',
'host all all 0.0.0.0/0 md5',
'host replication repl 0.0.0.0/0 md5',
],
superuser_username => $superuser_username,
superuser_password => $superuser_password,
replication_username => $replication_username,
replication_password => $replication_password,
require => [
Yumrepo["postgresql-${pgsql_version}"],
Yumrepo['postgresql-common']
],
}
$connect_settings = {
}
# only apply changes to DBs/Users/Grants on master
if ! $facts['psql_is_slave'] {
# collect exported resources
$tag = "${facts['country']}-${facts['region']}-${facts['environment']}"
Profiles::Sql::Postgres::Db <<| tag == $tag |>> {}
Profiles::Sql::Postgres::User <<| tag == $tag |>> {}
Profiles::Sql::Postgres::Grant <<| tag == $tag |>> {}
}
if $postgres_exporter_enabled {
class { 'prometheus::postgres_exporter':
postgres_user => $postgres_exporter_user,
postgres_pass => $postgres_exporter_pass,
data_source_uri => "${facts['networking']['ip']}:5432/postgres?sslmode=disable",
export_scrape_job => true,
}
}
}
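Review bot: `$facts['os']['release']['major'] >= '8'` compares strings, so a major of `'10'` sorts below `'8'` and the dnf module would be left enabled on EL10; use `versioncmp($facts['os']['release']['major'], '8') >= 0`. Both pg_hba lists allow `host all all 0.0.0.0/0 md5`, i.e. password authentication from any address with the weaker md5 scheme; restrict the CIDR to the cluster and application ranges and use `scram-sha-256`, which PostgreSQL 14+ already uses for `password_encryption`. The replication lines hard-code `repl` although `$replication_username` is a parameter; `"host replication ${replication_username} 0.0.0.0/0 md5"` keeps them in step. `$consul_verify` defaults to `false` while a CA certificate is configured, so TLS to Consul is unverified unless every caller overrides it; default it to `true`.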
@@ -0,0 +1,9 @@
define profiles::sql::postgres::db (
String $dbname,
) {
postgresql_psql { "create_database_${dbname}":
command => "CREATE DATABASE \"${dbname}\"",
unless => "SELECT 1 FROM pg_database WHERE datname = '${dbname}'",
}
}
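Review bot: `$dbname` is spliced into both the `command` and the `unless` query without escaping, so a value containing `"` or `'` breaks the statement or changes its meaning; it comes from hiera via the exporting class, but a `Pattern[/\A[A-Za-z_][A-Za-z0-9_]*\z/]` type on the parameter would reject anything unsafe at compile time. The same applies to `$username` in profiles::sql::postgres::user and to `$username`/`$schema`/`$dbname` in profiles::sql::postgres::grant below. In the user define the plaintext `$password` is also part of the `command` string, so it is visible in the catalog and in any logging of the `postgresql_psql` resource; if the module version in use supports it, set `sensitive => true` on that resource and type the parameter `Sensitive[String]`.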
@@ -0,0 +1,38 @@
define profiles::sql::postgres::grant (
String $username,
Enum['SCHEMA', 'DATABASE'] $type = 'DATABASE',
Optional[String] $dbname = undef,
Optional[String] $schema = undef,
String $privilege = 'ALL PRIVILEGES',
) {
# Validate parameters based on type
if $type == 'DATABASE' and $dbname == undef {
fail('The dbname parameter must be provided when type is DATABASE')
}
if $type == 'SCHEMA' and ($dbname == undef or $schema == undef) {
fail('Both dbname and schema parameters must be provided when type is SCHEMA')
}
# Determine the appropriate SQL command and unless condition
$command = $type ? {
'DATABASE' => "GRANT ${privilege} ON DATABASE ${dbname} TO ${username}",
'SCHEMA' => "GRANT ${privilege} ON SCHEMA ${schema} TO ${username}",
}
$unless = $type ? {
'DATABASE' => "SELECT 1 FROM pg_roles r WHERE r.rolname='${username}' AND has_database_privilege('${username}', '${dbname}', 'CONNECT')", # lint:ignore:140chars
'SCHEMA' => "SELECT 1 FROM pg_namespace n JOIN pg_roles r ON r.oid = n.nspowner WHERE nspname = '${schema}' AND r.rolname = '${username}'", # lint:ignore:140chars
}
# Ensure the db parameter is set correctly when type is SCHEMA
$effective_dbname = $type ? {
'SCHEMA' => $dbname,
'DATABASE' => $dbname,
}
postgresql_psql { "grant_${privilege}_on_${type}_${effective_dbname}_${schema}_to_${username}":
command => $command,
unless => $unless,
db => $effective_dbname,
}
}
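Review bot: The DATABASE `unless` tests `has_database_privilege(..., 'CONNECT')`, but CONNECT is granted to PUBLIC on every new database, so the query returns a row for any existing role and the GRANT is never executed; test a privilege that is not public by default, e.g. `has_database_privilege('${username}', '${dbname}', 'CREATE')`. The SCHEMA `unless` checks that the role owns the schema (`nspowner`), which a GRANT never changes, so for a schema owned by postgres the grant re-runs on every Puppet run; use `has_schema_privilege('${username}', '${schema}', 'CREATE')` instead. The `$effective_dbname` selector returns `$dbname` in both arms and can be replaced by `$dbname`. `$privilege` defaults to `ALL PRIVILEGES`, so the resource title contains a space (`grant_ALL PRIVILEGES_on_...`); harmless, but a `regsubst(..., ' ', '_', 'G')` keeps titles tidy.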
@@ -0,0 +1,9 @@
define profiles::sql::postgres::user (
String $username,
String $password,
) {
postgresql_psql { "create_user_${username}":
command => "CREATE USER \"${username}\" WITH ENCRYPTED PASSWORD '${password}'",
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
}
}
@@ -0,0 +1,61 @@
class profiles::sql::postgresdb (
String $dbname,
String $dbuser,
String $dbpass,
Boolean $create_host_users = false,
Boolean $members_lookup = false,
String $members_role = undef,
Array $servers = [],
){
# if lookup is enabled
if $members_lookup {
# check that the role is also set
unless !($members_role == undef) {
fail("members_role must be provided for ${title} when members_lookup is True")
}
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
# else use provided array from params
}else{
$servers_array = $servers
}
$tag = "${facts['country']}-${facts['region']}-${facts['environment']}"
# only export from the first server in a cluster
if $servers_array[0] == $facts['networking']['fqdn'] {
# manage the postgres db
@@profiles::sql::postgres::db { "${facts['networking']['fqdn']}_db_${dbname}":
dbname => $dbname,
tag => $tag,
}
@@profiles::sql::postgres::user { "${facts['networking']['fqdn']}_role_${dbuser}":
username => $dbuser,
password => $dbpass,
tag => $tag,
}
@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_db_${dbuser}_${dbuser}}":
dbname => $dbname,
username => $dbuser,
type => 'DATABASE',
privilege => 'ALL PRIVILEGES',
tag => $tag,
}
@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_schema_${dbuser}_${dbuser}}":
dbname => $dbname,
username => $dbuser,
type => 'SCHEMA',
schema => 'public',
privilege => 'ALL PRIVILEGES',
tag => $tag,
}
}
}
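Review bot: `String $members_role = undef` does not type-check when the parameter is omitted, since `String` does not admit Undef, so the class presumably fails whenever `$members_lookup` is false and no role is given; declare it `Optional[String] $members_role = undef,` and replace the double-negated guard with `if $members_role == undef { fail(...) }`. Both exported grant titles end in `${dbuser}_${dbuser}}` — a doubled `dbuser` and a stray `}` — and presumably meant `${dbname}_${dbuser}`; as written they compile but are misleading and collide when two classes on a host share a `dbuser`. The `query_nodes` call interpolates `$members_role` and `$facts['region']` into the PQL string; both are operator-controlled here, but a comment noting that assumption would help the next reader.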
@@ -34,4 +34,14 @@ class profiles::vault::unseal (
require => File['/usr/local/bin/vault-unseal.sh'],
subscribe => [Service['vault'],File['/etc/vault/unseal_keys']],
}
# restart the vault-unseal service hourly to ensure vault is unsealled
cron { 'restart_vault_unseal':
ensure => 'present',
user => 'root',
command => '/bin/systemctl restart vault-unseal',
minute => fqdn_rand(60),
hour => '*',
require => Service['vault-unseal.service'],
}
}
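Review bot: An unconditional hourly `systemctl restart vault-unseal` interrupts any in-progress unseal and hides whatever makes the service stop working; `Restart=on-failure` with a `RestartSec=` on the unit (managed earlier in this file, outside the hunk) or a systemd timer would restart only when needed and leave the failure in the journal. `require => Service['vault-unseal.service']` uses the `.service` suffix whereas the subscribe above refers to `Service['vault']` without one; confirm that is the exact resource title, otherwise compilation fails on a missing dependency. The comment typo `unsealled` should read `unsealed`.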
@@ -0,0 +1,17 @@
[Unit]
Description=Gitea Actions runner
Documentation=https://gitea.com/gitea/act_runner
After=docker.service
[Service]
ExecStart=/usr/local/bin/act_runner daemon --config <%= @home %>/config.yaml
ExecReload=/bin/kill -s HUP $MAINPID
WorkingDirectory=<%= @home %>
TimeoutSec=0
RestartSec=10
Restart=always
User=<%= @user %>
Group=<%= @group %>
[Install]
WantedBy=multi-user.target
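Review bot: `After=docker.service` only orders the unit; add `Wants=docker.service` so the runner, whose user is placed in the docker group by profiles::gitea::runner, actually has Docker started at boot. `TimeoutSec=0` disables the stop timeout, so a hung runner blocks shutdown indefinitely; a bounded `TimeoutStopSec=5min` is safer. `ExecReload=/bin/kill -s HUP $MAINPID` is only useful if act_runner handles SIGHUP — if it does not, the default signal action terminates the daemon on `systemctl reload`, so drop the line. A first-line comment such as `# managed by puppet: profiles/gitea/act_runner.service.erb` tells operators where edits belong.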
@@ -24,7 +24,7 @@ JELLYFIN_CACHE_DIR="<%= @cache_dir %>"
JELLYFIN_WEB_OPT="--webdir=/usr/share/jellyfin-web"
# [OPTIONAL] ffmpeg binary paths, overriding the UI-configured values
#JELLYFIN_FFMPEG_OPT="--ffmpeg=/usr/bin/ffmpeg"
JELLYFIN_FFMPEG_OPT="--ffmpeg=<% @ffmpeg_path %>"
# [OPTIONAL] run Jellyfin as a headless service
#JELLYFIN_SERVICE_OPT="--service"
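Review bot: `JELLYFIN_FFMPEG_OPT="--ffmpeg=<% @ffmpeg_path %>"` uses the ERB code tag `<% %>`, which evaluates the expression but emits nothing, so the rendered line is `--ffmpeg=` and jellyfin is started with an empty ffmpeg path; it needs the output tag, `JELLYFIN_FFMPEG_OPT="--ffmpeg=<%= @ffmpeg_path %>"`. Until that is fixed the `$ffmpeg_path` parameter added to profiles::media::jellyfin earlier in this diff has no effect.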
@@ -0,0 +1,10 @@
# gonic server profile
class roles::apps::music::gonic {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}
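Review bot: The comment announces a gonic server role, but the class includes only `profiles::defaults` and `profiles::base` and nothing gonic-specific; if the application profile is meant to come from hiera classification, say so in the comment (`# gonic profile is included via hiera`), otherwise add the include. The same applies to roles::infra::automation::rundeck, which does not include the profiles::rundeck::server class added in this diff, and to the two droneci roles, which also share the comment `# a role to deploy droneci` without saying which one is the runner and which the server.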
@@ -0,0 +1,10 @@
# a role to deploy rundeck
class roles::infra::automation::rundeck {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}
@@ -0,0 +1,10 @@
# a role to deploy droneci
class roles::infra::droneci::runner {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}
@@ -0,0 +1,10 @@
# a role to deploy droneci
class roles::infra::droneci::server {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}
@@ -1,4 +1,4 @@
# a role to deploy the puppetboard
# a role to deploy the gitea
class roles::infra::git::gitea {
if $facts['firstrun'] {
include profiles::defaults
@@ -0,0 +1,11 @@
# a role to deploy the gitea runner
class roles::infra::git::runner {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
}
}
@@ -0,0 +1,12 @@
# a role to deploy a postgresql/patroni node
class roles::infra::sql::patroni {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::sql::patroni
}
}