Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 2924b7ad6f | |||
| e6f243ef60 | |||
| 856a3901ac |
+4
-1
@@ -18,6 +18,7 @@ mod 'puppetlabs-xinetd', '3.4.1'
|
|||||||
mod 'puppetlabs-haproxy', '8.0.0'
|
mod 'puppetlabs-haproxy', '8.0.0'
|
||||||
mod 'puppetlabs-java', '10.1.2'
|
mod 'puppetlabs-java', '10.1.2'
|
||||||
mod 'puppetlabs-reboot', '5.0.0'
|
mod 'puppetlabs-reboot', '5.0.0'
|
||||||
|
mod 'puppetlabs-augeas_core', '1.5.0'
|
||||||
|
|
||||||
# puppet
|
# puppet
|
||||||
mod 'puppet-python', '7.0.0'
|
mod 'puppet-python', '7.0.0'
|
||||||
@@ -38,7 +39,9 @@ mod 'puppet-extlib', '7.0.0'
|
|||||||
mod 'puppet-network', '2.2.0'
|
mod 'puppet-network', '2.2.0'
|
||||||
mod 'puppet-kmod', '4.0.1'
|
mod 'puppet-kmod', '4.0.1'
|
||||||
mod 'puppet-filemapper', '4.0.0'
|
mod 'puppet-filemapper', '4.0.0'
|
||||||
mod 'puppet-letsencrypt', '11.0.0'
|
mod 'puppet-openldap', '8.0.0'
|
||||||
|
mod 'puppet-augeasproviders_shellvar', '6.0.1'
|
||||||
|
mod 'puppet-augeasproviders_core', '4.1.0'
|
||||||
|
|
||||||
# other
|
# other
|
||||||
mod 'ghoneycutt-puppet', '3.3.0'
|
mod 'ghoneycutt-puppet', '3.3.0'
|
||||||
|
|||||||
@@ -129,15 +129,6 @@ lookup_options:
|
|||||||
profiles::ceph::client::keyrings:
|
profiles::ceph::client::keyrings:
|
||||||
merge:
|
merge:
|
||||||
strategy: deep
|
strategy: deep
|
||||||
profiles::nginx::simpleproxy::locations:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
certbot::client::domains:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
profiles::metrics::exportarr:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
|
|
||||||
facts_path: '/opt/puppetlabs/facter/facts.d'
|
facts_path: '/opt/puppetlabs/facter/facts.d'
|
||||||
|
|
||||||
|
|||||||
@@ -1,3 +1,2 @@
|
|||||||
---
|
---
|
||||||
timezone::timezone: 'Australia/Sydney'
|
timezone::timezone: 'Australia/Sydney'
|
||||||
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
|
|
||||||
|
|||||||
@@ -11,9 +11,6 @@ profiles::haproxy::mappings:
|
|||||||
- 'lidarr.main.unkin.net be_lidarr'
|
- 'lidarr.main.unkin.net be_lidarr'
|
||||||
- 'readarr.main.unkin.net be_readarr'
|
- 'readarr.main.unkin.net be_readarr'
|
||||||
- 'prowlarr.main.unkin.net be_prowlarr'
|
- 'prowlarr.main.unkin.net be_prowlarr'
|
||||||
- 'nzbget.main.unkin.net be_nzbget'
|
|
||||||
- 'jellyfin.main.unkin.net be_jellyfin'
|
|
||||||
- 'fafflix.unkin.net be_jellyfin'
|
|
||||||
fe_https:
|
fe_https:
|
||||||
ensure: present
|
ensure: present
|
||||||
mappings:
|
mappings:
|
||||||
@@ -24,9 +21,6 @@ profiles::haproxy::mappings:
|
|||||||
- 'lidarr.main.unkin.net be_lidarr'
|
- 'lidarr.main.unkin.net be_lidarr'
|
||||||
- 'readarr.main.unkin.net be_readarr'
|
- 'readarr.main.unkin.net be_readarr'
|
||||||
- 'prowlarr.main.unkin.net be_prowlarr'
|
- 'prowlarr.main.unkin.net be_prowlarr'
|
||||||
- 'nzbget.main.unkin.net be_nzbget'
|
|
||||||
- 'jellyfin.main.unkin.net be_jellyfin'
|
|
||||||
- 'fafflix.unkin.net be_jellyfin'
|
|
||||||
|
|
||||||
profiles::haproxy::frontends:
|
profiles::haproxy::frontends:
|
||||||
fe_http:
|
fe_http:
|
||||||
@@ -36,15 +30,7 @@ profiles::haproxy::frontends:
|
|||||||
fe_https:
|
fe_https:
|
||||||
options:
|
options:
|
||||||
acl:
|
acl:
|
||||||
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
|
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
|
||||||
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
|
|
||||||
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
|
|
||||||
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
|
|
||||||
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
|
|
||||||
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
|
|
||||||
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
|
|
||||||
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
|
|
||||||
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
|
|
||||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||||
use_backend:
|
use_backend:
|
||||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||||
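Review bot: The rewritten ACL `acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net` can never match, because a Host header carries only the host name and never a scheme, so the `set-header X-Frame-Options DENY if acl_ausyd1pve` rule in the http-response hunk below silently stops applying to the PVE UI. The same hunk also drops the per-application ACLs and the http-response hunk drops their matching X-Frame-Options rules, so the remaining *arr hosts (sonarr, lidarr, readarr, prowlarr) lose clickjacking protection while their fe_https mappings stay in place. Since the header was DENY for every mapped host before this change, the simplest fix is to restore the original match, `- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'`, and make the header unconditional, `- 'set-header X-Frame-Options DENY'`, next to the already unconditional nosniff line. The `deny if { hdr_dom(host) ... } !acl_internalsubnets` rule is unaffected because it matches the header directly rather than through the ACL.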
@@ -52,14 +38,6 @@ profiles::haproxy::frontends:
|
|||||||
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
|
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
|
||||||
http-response:
|
http-response:
|
||||||
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
|
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
|
||||||
- 'set-header X-Frame-Options DENY if acl_sonarr'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_radarr'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_lidarr'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_readarr'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_prowlarr'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_nzbget'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_jellyfin'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_fafflix'
|
|
||||||
- 'set-header X-Content-Type-Options nosniff'
|
- 'set-header X-Content-Type-Options nosniff'
|
||||||
- 'set-header X-XSS-Protection 1;mode=block'
|
- 'set-header X-XSS-Protection 1;mode=block'
|
||||||
|
|
||||||
@@ -101,7 +79,7 @@ profiles::haproxy::backends:
|
|||||||
options:
|
options:
|
||||||
balance: roundrobin
|
balance: roundrobin
|
||||||
option:
|
option:
|
||||||
- httpchk GET /consul/health
|
- httpchk GET /
|
||||||
- forwardfor
|
- forwardfor
|
||||||
- http-keep-alive
|
- http-keep-alive
|
||||||
- prefer-last-server
|
- prefer-last-server
|
||||||
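Review bot: Switching the probe to `httpchk GET /` (here and in the three following backend hunks) points the health check at the application root, which this commit also strips of its nginx `auth_request` gate, so the check now exercises the app's own login handling instead of the former IP-restricted `/consul/health` location that is deleted further down. HAProxy treats any 2xx or 3xx as healthy, so a backend that redirects anonymous requests to a login page still passes, but one that answers 401 will be marked down; confirm what an unauthenticated `GET /` returns for each application. If the application exposes an unauthenticated status endpoint, probing that path instead of `/` keeps the check independent of the authentication mode and avoids serving the full UI on every probe.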
@@ -117,7 +95,7 @@ profiles::haproxy::backends:
|
|||||||
options:
|
options:
|
||||||
balance: roundrobin
|
balance: roundrobin
|
||||||
option:
|
option:
|
||||||
- httpchk GET /consul/health
|
- httpchk GET /
|
||||||
- forwardfor
|
- forwardfor
|
||||||
- http-keep-alive
|
- http-keep-alive
|
||||||
- prefer-last-server
|
- prefer-last-server
|
||||||
@@ -133,7 +111,7 @@ profiles::haproxy::backends:
|
|||||||
options:
|
options:
|
||||||
balance: roundrobin
|
balance: roundrobin
|
||||||
option:
|
option:
|
||||||
- httpchk GET /consul/health
|
- httpchk GET /
|
||||||
- forwardfor
|
- forwardfor
|
||||||
- http-keep-alive
|
- http-keep-alive
|
||||||
- prefer-last-server
|
- prefer-last-server
|
||||||
@@ -149,7 +127,7 @@ profiles::haproxy::backends:
|
|||||||
options:
|
options:
|
||||||
balance: roundrobin
|
balance: roundrobin
|
||||||
option:
|
option:
|
||||||
- httpchk GET /consul/health
|
- httpchk GET /
|
||||||
- forwardfor
|
- forwardfor
|
||||||
- http-keep-alive
|
- http-keep-alive
|
||||||
- prefer-last-server
|
- prefer-last-server
|
||||||
@@ -162,38 +140,6 @@ profiles::haproxy::backends:
|
|||||||
be_prowlarr:
|
be_prowlarr:
|
||||||
description: Backend for au-syd1 prowlarr
|
description: Backend for au-syd1 prowlarr
|
||||||
collect_exported: false # handled in custom function
|
collect_exported: false # handled in custom function
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk GET /consul/health
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
cookie: SRVNAME insert indirect nocache
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
be_nzbget:
|
|
||||||
description: Backend for au-syd1 nzbget
|
|
||||||
collect_exported: false # handled in custom function
|
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk GET /consul/health
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
cookie: SRVNAME insert indirect nocache
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
be_jellyfin:
|
|
||||||
description: Backend for au-syd1 jellyfin
|
|
||||||
collect_exported: false # handled in custom function
|
|
||||||
options:
|
options:
|
||||||
balance: roundrobin
|
balance: roundrobin
|
||||||
option:
|
option:
|
||||||
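Review bot: After this hunk `be_prowlarr:` is directly followed by the kept `options:` / `balance:` / `option:` lines that used to introduce `be_jellyfin`'s block, so prowlarr now takes over whatever option list continues past the end of the hunk; those remaining lines (health-check path, cookie, `http-request` headers, https redirect) are outside this view. That is only correct if be_jellyfin's options are exactly what prowlarr should have, and the re-parenting by deleting the old `options:` key is easy to misread on later edits. Consider keeping prowlarr's own `options:` lines in the hunk and deleting be_jellyfin's block whole, so each backend definition is self-contained in the diff.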
@@ -210,30 +156,10 @@ profiles::haproxy::backends:
|
|||||||
|
|
||||||
profiles::haproxy::certlist::enabled: true
|
profiles::haproxy::certlist::enabled: true
|
||||||
profiles::haproxy::certlist::certificates:
|
profiles::haproxy::certlist::certificates:
|
||||||
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/vault/certificate.pem
|
- /etc/pki/tls/vault/certificate.pem
|
||||||
|
|
||||||
# additional altnames
|
# additional altnames
|
||||||
profiles::pki::vault::alt_names:
|
profiles::pki::vault::alt_names:
|
||||||
- au-syd1-pve.main.unkin.net
|
|
||||||
- au-syd1-pve-api.main.unkin.net
|
|
||||||
- jellyfin.main.unkin.net
|
|
||||||
|
|
||||||
# additional cnames
|
|
||||||
profiles::haproxy::dns::cnames:
|
|
||||||
- au-syd1-pve.main.unkin.net
|
|
||||||
- au-syd1-pve-api.main.unkin.net
|
|
||||||
|
|
||||||
# letsencrypt certificates
|
|
||||||
certbot::client::domains:
|
|
||||||
- au-syd1-pve.main.unkin.net
|
- au-syd1-pve.main.unkin.net
|
||||||
- au-syd1-pve-api.main.unkin.net
|
- au-syd1-pve-api.main.unkin.net
|
||||||
- sonarr.main.unkin.net
|
- sonarr.main.unkin.net
|
||||||
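Review bot: With the `# letsencrypt certificates` and `certbot::client::domains:` lines deleted, the unchanged `- au-syd1-pve.main.unkin.net`, `- au-syd1-pve-api.main.unkin.net` and `- sonarr.main.unkin.net` items (plus lidarr/readarr/prowlarr in the next hunk) are re-parented under `profiles::pki::vault::alt_names:`, which is presumably the intent now that the haproxy certlist only loads `/etc/pki/tls/vault/certificate.pem`. That makes the Vault-issued certificate the sole TLS identity for those hosts, so confirm the issuing role permits these SANs and that the certificate on disk is reissued with them before haproxy reloads; otherwise those virtual hosts present a certificate without a matching name. Re-parenting a list by deleting its key line is fragile to read; listing the intended alt_names explicitly under the key would make the diff show the resulting set.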
@@ -241,5 +167,8 @@ certbot::client::domains:
|
|||||||
- lidarr.main.unkin.net
|
- lidarr.main.unkin.net
|
||||||
- readarr.main.unkin.net
|
- readarr.main.unkin.net
|
||||||
- prowlarr.main.unkin.net
|
- prowlarr.main.unkin.net
|
||||||
- nzbget.main.unkin.net
|
|
||||||
- fafflix.unkin.net
|
# additional cnames
|
||||||
|
profiles::haproxy::dns::cnames:
|
||||||
|
- au-syd1-pve.main.unkin.net
|
||||||
|
- au-syd1-pve-api.main.unkin.net
|
||||||
|
|||||||
@@ -1,14 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.58
|
|
||||||
ens19:
|
|
||||||
ensure: present
|
|
||||||
family: inet
|
|
||||||
method: static
|
|
||||||
ipaddress: 10.18.15.58
|
|
||||||
netmask: 255.255.255.0
|
|
||||||
onboot: true
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -73,5 +73,4 @@ profiles::yum::global::repos:
|
|||||||
target: /etc/yum.repos.d/unkin.repo
|
target: /etc/yum.repos.d/unkin.repo
|
||||||
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
|
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
|
||||||
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
|
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
|
||||||
gpgcheck: false
|
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
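Review bot: Removing `gpgcheck: false` only turns signature verification on if the effective default for this repo definition is `gpgcheck: true`; the hunk does not show that default, so confirm the rendered unkin.repo ends up with gpgcheck=1 and consider stating `gpgcheck: true` explicitly so the intent does not depend on a module default. The `gpgkey` is served from the same host as the packages (`git.query.consul`), so verification here guards against tampering in transit or a stale mirror rather than a compromise of the repository server itself; distributing the key out of band would be the stronger option if available.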
|
|||||||
@@ -1,7 +1,4 @@
|
|||||||
---
|
---
|
||||||
hiera_include:
|
|
||||||
- profiles::nginx::simpleproxy
|
|
||||||
|
|
||||||
profiles::yum::global::repos:
|
profiles::yum::global::repos:
|
||||||
ceph-reef:
|
ceph-reef:
|
||||||
name: ceph-reef
|
name: ceph-reef
|
||||||
@@ -21,81 +18,3 @@ profiles::base::groups::local:
|
|||||||
gid: 20000
|
gid: 20000
|
||||||
allowdupe: false
|
allowdupe: false
|
||||||
forcelocal: true
|
forcelocal: true
|
||||||
|
|
||||||
ldap_host: 'ldap.service.consul'
|
|
||||||
ldap_basedn: 'dc=main,dc=unkin,dc=net'
|
|
||||||
|
|
||||||
profiles::nginx::simpleproxy::locations:
|
|
||||||
# authentication proxy
|
|
||||||
authproxy:
|
|
||||||
ensure: 'present'
|
|
||||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
||||||
ssl_only: true
|
|
||||||
internal: true
|
|
||||||
location: '= /auth-proxy'
|
|
||||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
|
|
||||||
proxy_set_header:
|
|
||||||
- 'Content-Length ""'
|
|
||||||
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
|
|
||||||
- 'X-Ldap-Starttls "false"'
|
|
||||||
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
|
|
||||||
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
|
|
||||||
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
|
|
||||||
- 'X-CookieName "nginxauth"'
|
|
||||||
- 'Cookie nginxauth=$cookie_nginxauth'
|
|
||||||
- "X-Ldap-Template %{lookup('ldap_template')}"
|
|
||||||
- 'X-Ldap-Realm "Restricted"'
|
|
||||||
proxy_cache: 'cache'
|
|
||||||
proxy_cache_valid: '200 10m'
|
|
||||||
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
|
|
||||||
location_cfg_append:
|
|
||||||
proxy_pass_request_body: 'off'
|
|
||||||
# health checks by consul/haproxy
|
|
||||||
arrstack_web_healthcheck:
|
|
||||||
ensure: 'present'
|
|
||||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
||||||
ssl_only: true
|
|
||||||
location: '/consul/health'
|
|
||||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
|
||||||
proxy_set_header:
|
|
||||||
- 'Host $host'
|
|
||||||
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
|
||||||
- 'X-Forwarded-Host $host'
|
|
||||||
- 'X-Forwarded-Proto $scheme'
|
|
||||||
- 'Upgrade $http_upgrade'
|
|
||||||
- 'Connection $http_connection'
|
|
||||||
proxy_redirect: 'off'
|
|
||||||
proxy_http_version: '1.1'
|
|
||||||
location_allow:
|
|
||||||
- 127.0.0.1
|
|
||||||
- "%{facts.networking.ip}"
|
|
||||||
- 198.18.13.25
|
|
||||||
- 198.18.13.26
|
|
||||||
location_deny:
|
|
||||||
- all
|
|
||||||
# authorised access from external
|
|
||||||
arrstack_web_external:
|
|
||||||
ensure: 'present'
|
|
||||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
||||||
ssl_only: true
|
|
||||||
location: '/'
|
|
||||||
auth_request: '/auth-proxy'
|
|
||||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
|
||||||
proxy_set_header:
|
|
||||||
- 'Host $host'
|
|
||||||
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
|
||||||
- 'X-Forwarded-Host $host'
|
|
||||||
- 'X-Forwarded-Proto $scheme'
|
|
||||||
- 'Upgrade $http_upgrade'
|
|
||||||
- 'Connection $http_connection'
|
|
||||||
proxy_redirect: 'off'
|
|
||||||
proxy_http_version: '1.1'
|
|
||||||
# location for api, which should be accessible without authentication
|
|
||||||
arrstack_api:
|
|
||||||
ensure: 'present'
|
|
||||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
||||||
ssl_only: true
|
|
||||||
location: '~ /api'
|
|
||||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
|
||||||
location_cfg_append:
|
|
||||||
client_max_body_size: '20m'
|
|
||||||
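Review bot: No authentication layer replaces the `auth_request: '/auth-proxy'` gate and the LDAP `authproxy` location removed here, and the per-node hunks for lidarr, prowlarr, radarr and readarr switch `hiera_include` from `profiles::nginx::ldapauth` to `profiles::nginx::simpleproxy` while their fe_https haproxy mappings stay in place. The applications' built-in authentication therefore becomes the only control on the web UI; confirm it is enforced for each app (and that the `/api` path still requires its key), or restrict those host names to `acl_internalsubnets` with a `deny` rule like the one already used for au-syd1-pve. The deleted `arrstack_web_healthcheck` location also carried `location_allow` / `location_deny: all`, so that IP restriction disappears together with the `/consul/health` path the backend `httpchk` lines no longer probe.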
|
|||||||
@@ -1,63 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- jellyfin
|
|
||||||
|
|
||||||
# manage jellyfin
|
|
||||||
jellyfin::params::service_enable: true
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- jellyfin.main.unkin.net
|
|
||||||
- jellyfin.service.consul
|
|
||||||
- jellyfin.query.consul
|
|
||||||
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
|
||||||
profiles::nginx::simpleproxy::nginx_vhost: 'jellyfin.query.consul'
|
|
||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
|
||||||
- jellyfin.main.unkin.net
|
|
||||||
- jellyfin.service.consul
|
|
||||||
- jellyfin.query.consul
|
|
||||||
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::nginx::simpleproxy::proxy_port: 8096
|
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
nginx::client_max_body_size: 10M
|
|
||||||
consul::services:
|
|
||||||
jellyfin:
|
|
||||||
service_name: 'jellyfin'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'jellyfin'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 443
|
|
||||||
checks:
|
|
||||||
- id: 'jellyfin_http_check'
|
|
||||||
name: 'jellyfin HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:443"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: jellyfin
|
|
||||||
disposition: write
|
|
||||||
|
|
||||||
profiles::yum::global::repos:
|
|
||||||
rpmfusion-free:
|
|
||||||
name: rpmfusion-free
|
|
||||||
descr: rpmfusion-free repository
|
|
||||||
target: /etc/yum.repos.d/rpmfusion.repo
|
|
||||||
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
|
||||||
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
|
|
||||||
mirrorlist: absent
|
|
||||||
rpmfusion-nonfree:
|
|
||||||
name: rpmfusion-nonfree
|
|
||||||
descr: rpmfusion-nonfree repository
|
|
||||||
target: /etc/yum.repos.d/rpmfusion.repo
|
|
||||||
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
|
||||||
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
|
|
||||||
mirrorlist: absent
|
|
||||||
@@ -1,3 +1,2 @@
|
|||||||
---
|
---
|
||||||
lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
|
lidarr::api_key: ENC[PKCS7,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]
|
||||||
ldap_bindpass: ENC[PKCS7,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]
|
|
||||||
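Review bot: Deleting the `ldap_bindpass` entry removes the eyaml ciphertext from the current tree but not from git history, and the same removal appears in the prowlarr, radarr and readarr secret hunks and in the deleted two-line eyaml file further down, where the ciphertexts are shown in full. Since the bind DNs (`cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net` and the prowlarr/radarr/readarr counterparts) are no longer referenced by any manifest in this diff, disable or rotate those service accounts in LDAP so that a later decrypt of a historical blob yields nothing usable.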
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
---
|
---
|
||||||
hiera_include:
|
hiera_include:
|
||||||
- lidarr
|
- lidarr
|
||||||
- profiles::nginx::ldapauth
|
- profiles::nginx::simpleproxy
|
||||||
- profiles::metrics::exportarr
|
|
||||||
|
|
||||||
# manage lidarr
|
# manage lidarr
|
||||||
lidarr::params::user: lidarr
|
lidarr::params::user: lidarr
|
||||||
@@ -28,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
|||||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
|
|
||||||
ldap_binddn: 'cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=lidarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
|
|
||||||
# configure consul service
|
# configure consul service
|
||||||
|
nginx::client_max_body_size: 10M
|
||||||
consul::services:
|
consul::services:
|
||||||
lidarr:
|
lidarr:
|
||||||
service_name: 'lidarr'
|
service_name: 'lidarr'
|
||||||
@@ -46,7 +41,7 @@ consul::services:
|
|||||||
checks:
|
checks:
|
||||||
- id: 'lidarr_http_check'
|
- id: 'lidarr_http_check'
|
||||||
name: 'Lidarr HTTP Check'
|
name: 'Lidarr HTTP Check'
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
http: "https://%{facts.networking.fqdn}:443"
|
||||||
method: 'GET'
|
method: 'GET'
|
||||||
tls_skip_verify: true
|
tls_skip_verify: true
|
||||||
interval: '10s'
|
interval: '10s'
|
||||||
@@ -55,11 +50,3 @@ profiles::consul::client::node_rules:
|
|||||||
- resource: service
|
- resource: service
|
||||||
segment: lidarr
|
segment: lidarr
|
||||||
disposition: write
|
disposition: write
|
||||||
|
|
||||||
profiles::metrics::exportarr:
|
|
||||||
app: 'lidarr'
|
|
||||||
config_path: '/opt/lidarr/config.xml'
|
|
||||||
api_key: "%{hiera('lidarr::api_key')}"
|
|
||||||
version: '2.0.1'
|
|
||||||
app_port: "%hiera('lidarr::params::port')"
|
|
||||||
enable_additional_metrics: true
|
|
||||||
|
|||||||
@@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAPomn4iZbT0JEysvDo7OgblpoQLFp9DzryY558UfVWQq6HDAkgoSC42cbgZGBPFclCgLaO/LfBrFpRXkafEVV33Vg2AmP/FiS9SmmwREc3t/ZTvENlDIgasY3pDIph0/i5u0S45mjyzzciBK0KY6cMZvPDVRvU+d0SyVnbSBlef6VmyZOhUk6ILpaYTGu+suVR/BAL/DTKsmmY7iTotTWN+IW/1cY3vprvBMJQVftaO1WSqKftmX29/PAsxbQo6AMpuQFx/dMcMe3d5JTB0mgzIhAFaKmSC8vJFqe21Nrr8F+PxJMSEl1saBJTwJc5RyPVm9ejVKfcPhDfWK5stNNvjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAo205Hvo/Z+rhnSGgkTS2YgDB7pTHdgnQz1UOK323DRljWcqx+SnCA7izyF1SNMlzlCck79Fr4zKh0qnbYsMZDWZU=]
|
|
||||||
@@ -1,61 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
hiera_include:
|
|
||||||
- nzbget
|
|
||||||
- profiles::media::nzbget
|
|
||||||
- profiles::nginx::ldapauth
|
|
||||||
|
|
||||||
# manage nzbget
|
|
||||||
nzbget::params::user: nzbget
|
|
||||||
nzbget::params::group: media
|
|
||||||
nzbget::params::manage_group: false
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- nzbget.main.unkin.net
|
|
||||||
- nzbget.service.consul
|
|
||||||
- nzbget.query.consul
|
|
||||||
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
|
||||||
profiles::nginx::simpleproxy::nginx_vhost: 'nzbget.query.consul'
|
|
||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
|
||||||
- nzbget.main.unkin.net
|
|
||||||
- nzbget.service.consul
|
|
||||||
- nzbget.query.consul
|
|
||||||
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::nginx::simpleproxy::proxy_port: 6789
|
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
|
|
||||||
ldap_binddn: 'cn=svc_nzbget,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=nzbget_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
|
|
||||||
profiles::nginx::simpleproxy::locations:
|
|
||||||
arrstack_web_healthcheck:
|
|
||||||
location_cfg_append:
|
|
||||||
rewrite: '/consul/health / break'
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
consul::services:
|
|
||||||
nzbget:
|
|
||||||
service_name: 'nzbget'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'nzbget'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 443
|
|
||||||
checks:
|
|
||||||
- id: 'nzbget_http_check'
|
|
||||||
name: 'nzbget HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: nzbget
|
|
||||||
disposition: write
|
|
||||||
@@ -1,3 +1,2 @@
|
|||||||
---
|
---
|
||||||
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
|
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
|
||||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhduPAqoZuq/xeRs4f/KX4r88evPMogQX79yofLAB5Qqdr48s2X0BAa1iiw0vMdL6Tf0uc794WJN5MP2Yp365Vk1yhwgqH92rt5hKPI+wBN5uak2iLgLzLWsp0HOx7d1ukDWBbj0lI6G5LiofsL3KJbbTnkovn06L4PRJXgn44+ynfywiCl2tPy2294DhfooeM6/Cy+t9lA6blzHLCOHtt/rBKmk1GT2y3YBCPhRfOumWXQWnv4Q+f6KkQkvpfPyAFYNiQxQYBv5bGwLnwiDk3xQnPM4FfcutVuAOKjsoeMa+K1KShDFyEfBxIER8JSpigj2/khstyihcVW0Xrod3uDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCRqqRwMThwn1F/6byFhTWxgDAfucfkFhmqxBv/u5H+wWnjvK5EH7eU/fECrajYPBW/cmsYjLgXlwrAzFGqWze3AZc=]
|
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
---
|
---
|
||||||
hiera_include:
|
hiera_include:
|
||||||
- prowlarr
|
- prowlarr
|
||||||
- profiles::nginx::ldapauth
|
- profiles::nginx::simpleproxy
|
||||||
- profiles::metrics::exportarr
|
|
||||||
|
|
||||||
# manage prowlarr
|
# manage prowlarr
|
||||||
prowlarr::params::user: prowlarr
|
prowlarr::params::user: prowlarr
|
||||||
@@ -28,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
|||||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
|
|
||||||
ldap_binddn: 'cn=svc_prowlarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=prowlarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
|
|
||||||
# configure consul service
|
# configure consul service
|
||||||
|
nginx::client_max_body_size: 10M
|
||||||
consul::services:
|
consul::services:
|
||||||
prowlarr:
|
prowlarr:
|
||||||
service_name: 'prowlarr'
|
service_name: 'prowlarr'
|
||||||
@@ -46,7 +41,7 @@ consul::services:
|
|||||||
checks:
|
checks:
|
||||||
- id: 'prowlarr_http_check'
|
- id: 'prowlarr_http_check'
|
||||||
name: 'Prowlarr HTTP Check'
|
name: 'Prowlarr HTTP Check'
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
http: "https://%{facts.networking.fqdn}:443"
|
||||||
method: 'GET'
|
method: 'GET'
|
||||||
tls_skip_verify: true
|
tls_skip_verify: true
|
||||||
interval: '10s'
|
interval: '10s'
|
||||||
@@ -55,11 +50,3 @@ profiles::consul::client::node_rules:
|
|||||||
- resource: service
|
- resource: service
|
||||||
segment: prowlarr
|
segment: prowlarr
|
||||||
disposition: write
|
disposition: write
|
||||||
|
|
||||||
profiles::metrics::exportarr:
|
|
||||||
app: 'prowlarr'
|
|
||||||
config_path: '/opt/prowlarr/config.xml'
|
|
||||||
api_key: "%{hiera('prowlarr::api_key')}"
|
|
||||||
version: '2.0.1'
|
|
||||||
app_port: "%hiera('prowlarr::params::port')"
|
|
||||||
enable_additional_metrics: true
|
|
||||||
|
|||||||
@@ -1,3 +1,2 @@
|
|||||||
---
|
---
|
||||||
radarr::api_key: ENC[PKCS7,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]
|
radarr::api_key: ENC[PKCS7,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]
|
||||||
ldap_bindpass: ENC[PKCS7,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]
|
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
---
|
---
|
||||||
hiera_include:
|
hiera_include:
|
||||||
- radarr
|
- radarr
|
||||||
- profiles::nginx::ldapauth
|
- profiles::nginx::simpleproxy
|
||||||
- profiles::metrics::exportarr
|
|
||||||
|
|
||||||
# manage radarr
|
# manage radarr
|
||||||
radarr::params::user: radarr
|
radarr::params::user: radarr
|
||||||
@@ -29,13 +28,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
|||||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
|
|
||||||
ldap_binddn: 'cn=svc_radarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=radarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
|
|
||||||
# configure consul service
|
# configure consul service
|
||||||
|
nginx::client_max_body_size: 10M
|
||||||
consul::services:
|
consul::services:
|
||||||
radarr:
|
radarr:
|
||||||
service_name: 'radarr'
|
service_name: 'radarr'
|
||||||
@@ -47,7 +42,7 @@ consul::services:
|
|||||||
checks:
|
checks:
|
||||||
- id: 'radarr_http_check'
|
- id: 'radarr_http_check'
|
||||||
name: 'radarr HTTP Check'
|
name: 'radarr HTTP Check'
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
http: "https://%{facts.networking.fqdn}:443"
|
||||||
method: 'GET'
|
method: 'GET'
|
||||||
tls_skip_verify: true
|
tls_skip_verify: true
|
||||||
interval: '10s'
|
interval: '10s'
|
||||||
@@ -56,11 +51,3 @@ profiles::consul::client::node_rules:
|
|||||||
- resource: service
|
- resource: service
|
||||||
segment: radarr
|
segment: radarr
|
||||||
disposition: write
|
disposition: write
|
||||||
|
|
||||||
profiles::metrics::exportarr:
|
|
||||||
app: 'radarr'
|
|
||||||
config_path: '/opt/radarr/config.xml'
|
|
||||||
api_key: "%{hiera('radarr::api_key')}"
|
|
||||||
version: '2.0.1'
|
|
||||||
app_port: "%hiera('radarr::params::port')"
|
|
||||||
enable_additional_metrics: true
|
|
||||||
|
|||||||
@@ -1,3 +1,2 @@
|
|||||||
---
|
---
|
||||||
readarr::api_key: ENC[PKCS7,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]
|
readarr::api_key: ENC[PKCS7,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]
|
||||||
ldap_bindpass: ENC[PKCS7,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]
|
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
---
|
---
|
||||||
hiera_include:
|
hiera_include:
|
||||||
- readarr
|
- readarr
|
||||||
- profiles::nginx::ldapauth
|
- profiles::nginx::simpleproxy
|
||||||
- profiles::metrics::exportarr
|
|
||||||
|
|
||||||
# manage readarr
|
# manage readarr
|
||||||
readarr::params::user: readarr
|
readarr::params::user: readarr
|
||||||
@@ -28,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
|||||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
ldap_binddn: 'cn=svc_readarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=readarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
# configure consul service
|
# configure consul service
|
||||||
|
nginx::client_max_body_size: 10M
|
||||||
consul::services:
|
consul::services:
|
||||||
readarr:
|
readarr:
|
||||||
service_name: 'readarr'
|
service_name: 'readarr'
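Review bot: `nginx::client_max_body_size` is removed at `20M` and re-added as `10M`, so the upload limit is halved in the same hunk that drops the `ldap_*` keys, and the new line sits directly under the `# configure consul service` comment although it configures nginx, not consul. If the lower limit is intended, move the key up next to the other `profiles::nginx::simpleproxy::*` settings so the comment still heads the `consul::services` block; if it is not, restore `20M`. Dropping `ldap_binddn` and `ldap_template` is consistent with removing the ldapauth profile. The sonarr file's matching hunk has the same value change and placement.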
@@ -46,7 +41,7 @@ consul::services:
|
|||||||
checks:
|
checks:
|
||||||
- id: 'readarr_http_check'
|
- id: 'readarr_http_check'
|
||||||
name: 'Readarr HTTP Check'
|
name: 'Readarr HTTP Check'
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
http: "https://%{facts.networking.fqdn}:443"
|
||||||
method: 'GET'
|
method: 'GET'
|
||||||
tls_skip_verify: true
|
tls_skip_verify: true
|
||||||
interval: '10s'
|
interval: '10s'
|
||||||
@@ -55,11 +50,3 @@ profiles::consul::client::node_rules:
|
|||||||
- resource: service
|
- resource: service
|
||||||
segment: readarr
|
segment: readarr
|
||||||
disposition: write
|
disposition: write
|
||||||
profiles::metrics::exportarr:
|
|
||||||
app: 'readarr'
|
|
||||||
config_path: '/opt/readarr/config.xml'
|
|
||||||
api_key: "%{hiera('readarr::api_key')}"
|
|
||||||
version: '2.0.1'
|
|
||||||
app_port: "%hiera('readarr::params::port')"
|
|
||||||
enable_additional_metrics: true
|
|
||||||
@@ -1,2 +1 @@
|
|||||||
sonarr::api_key: ENC[PKCS7,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]
|
sonarr::api_key: ENC[PKCS7,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]
|
||||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF5/sP43SJX/FB6cAS0GPqxC78JS7jSNKoUqWB/IXkv8uXYiClqk+Xw4nFx8EtknNn628DHBY3vCLQ59Xk89p0fyimP70m3BM6or5iRGdCqEAOzL399GbYX8WFHjyQRBmGdaLR5h2r5UnmjuPpDtV+fgsqxo4gNpXnuQ+46ZZPQce/dzHzux+4aEK4Q6UbD/ZZSQklD6zEUV+Agj6E9cQlJPBiHtTyUdXOYHYlJN1HhFPXu3C6KIz63YioVCah1n6T/rJtPQ07pVUfizIaJiPpzcUN91+ZWyyjUPo0bRGZtYKVs/uCAYXht4F5ttKQDaGa3wd4a5IdtacmEWQWFqk3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDtB/68xkjxK3nrNh0MilACgDDt85aBvSp/Oj9EY67eNPr+JcnQ7WfyuqAYAnmYqfbQI8MDtYAx7br0+inJXvQ1BvI=]
|
|
||||||
@@ -1,8 +1,7 @@
|
|||||||
---
|
---
|
||||||
hiera_include:
|
hiera_include:
|
||||||
- sonarr
|
- sonarr
|
||||||
- profiles::nginx::ldapauth
|
- profiles::nginx::simpleproxy
|
||||||
- profiles::metrics::exportarr
|
|
||||||
|
|
||||||
# manage sonarr
|
# manage sonarr
|
||||||
sonarr::params::user: sonarr
|
sonarr::params::user: sonarr
|
||||||
@@ -28,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
|||||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
# configure consul service
|
# configure consul service
|
||||||
|
nginx::client_max_body_size: 10M
|
||||||
consul::services:
|
consul::services:
|
||||||
sonarr:
|
sonarr:
|
||||||
service_name: 'sonarr'
|
service_name: 'sonarr'
|
||||||
@@ -46,7 +41,7 @@ consul::services:
|
|||||||
checks:
|
checks:
|
||||||
- id: 'sonarr_http_check'
|
- id: 'sonarr_http_check'
|
||||||
name: 'Sonarr HTTP Check'
|
name: 'Sonarr HTTP Check'
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
http: "https://%{facts.networking.fqdn}:443"
|
||||||
method: 'GET'
|
method: 'GET'
|
||||||
tls_skip_verify: true
|
tls_skip_verify: true
|
||||||
interval: '10s'
|
interval: '10s'
|
||||||
@@ -1,157 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- glauth
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- ldap.main.unkin.net
|
|
||||||
- ldap.service.consul
|
|
||||||
- ldap.query.consul
|
|
||||||
- "ldap.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
glauth::params::download_version: 2.3.2
|
|
||||||
glauth::params::ldap_enabled: true
|
|
||||||
glauth::params::ldaps_enabled: true
|
|
||||||
glauth::params::basedn: 'dc=main,dc=unkin,dc=net'
|
|
||||||
glauth::params::behaviors_ignorecapabilities: true
|
|
||||||
glauth::params::ldap_tlscertpath: /etc/pki/tls/vault/certificate.crt
|
|
||||||
glauth::params::ldap_tlskeypath: /etc/pki/tls/vault/private.key
|
|
||||||
glauth::params::ldaps_cert: /etc/pki/tls/vault/certificate.crt
|
|
||||||
glauth::params::ldaps_key: /etc/pki/tls/vault/private.key
|
|
||||||
glauth::params::api_cert: /etc/pki/tls/vault/certificate.crt
|
|
||||||
glauth::params::api_key: /etc/pki/tls/vault/private.key
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
consul::services:
|
|
||||||
ldap:
|
|
||||||
service_name: 'ldap'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'ldap'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 636
|
|
||||||
checks:
|
|
||||||
- id: 'glauth_http_check'
|
|
||||||
name: 'glauth HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:5555"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: ldap
|
|
||||||
disposition: write
|
|
||||||
|
|
||||||
glauth::users:
|
|
||||||
benvin:
|
|
||||||
user_name: 'benvin'
|
|
||||||
givenname: 'Ben'
|
|
||||||
sn: 'Vincent'
|
|
||||||
mail: 'benvin@users.main.unkin.net'
|
|
||||||
uidnumber: 20000
|
|
||||||
primarygroup: 20000
|
|
||||||
othergroups:
|
|
||||||
- 20010
|
|
||||||
- 20011
|
|
||||||
- 20012
|
|
||||||
- 20013
|
|
||||||
- 20014
|
|
||||||
- 20015
|
|
||||||
- 20016
|
|
||||||
loginshell: '/bin/bash'
|
|
||||||
homedir: '/home/benvin'
|
|
||||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
|
||||||
sshkeys:
|
|
||||||
- 'ssh-rsa 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 ben@unkin.net'
|
|
||||||
matsol:
|
|
||||||
user_name: 'matsol'
|
|
||||||
givenname: 'Matt'
|
|
||||||
sn: 'Solomon'
|
|
||||||
mail: 'matsol@users.main.unkin.net'
|
|
||||||
uidnumber: 20001
|
|
||||||
primarygroup: 20000
|
|
||||||
othergroups:
|
|
||||||
- 20010
|
|
||||||
- 20011
|
|
||||||
- 20012
|
|
||||||
- 20013
|
|
||||||
- 20014
|
|
||||||
- 20015
|
|
||||||
- 20016
|
|
||||||
loginshell: '/bin/bash'
|
|
||||||
homedir: '/home/matsol'
|
|
||||||
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
|
|
||||||
|
|
||||||
glauth::services:
|
|
||||||
svc_jellyfin:
|
|
||||||
service_name: 'svc_jellyfin'
|
|
||||||
mail: 'jellyfin@service.main.unkin.net'
|
|
||||||
uidnumber: 30000
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: '97f7b1eb24deb0a86e812d79c56f4901d39a24128dc9f6fde033e7195f7d0739'
|
|
||||||
svc_sonarr:
|
|
||||||
service_name: 'svc_sonarr'
|
|
||||||
mail: 'sonarr@service.main.unkin.net'
|
|
||||||
uidnumber: 30001
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: '2c32d4cb831183cfbef15835cc76f99b401d0159621bc580e852253d4d8f8722'
|
|
||||||
svc_radarr:
|
|
||||||
service_name: 'svc_radarr'
|
|
||||||
mail: 'radarr@service.main.unkin.net'
|
|
||||||
uidnumber: 30002
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: '805b0182d90c2b5b3ba43e50988447a0bff0115eb5fedd8eeae8eac00ba53025'
|
|
||||||
svc_lidarr:
|
|
||||||
service_name: 'svc_lidarr'
|
|
||||||
mail: 'lidarr@service.main.unkin.net'
|
|
||||||
uidnumber: 30003
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: '6d04cd2a45784bacbd50e6714710b55805c7e9886665a6d7790e6d8712b67aff'
|
|
||||||
svc_readarr:
|
|
||||||
service_name: 'svc_readarr'
|
|
||||||
mail: 'readarr@service.main.unkin.net'
|
|
||||||
uidnumber: 30004
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: '751f22fbd9c052b2cd0c1cb4be514d8710f1a51f84ce44f607ab3a5591162f8c'
|
|
||||||
svc_prowlarr:
|
|
||||||
service_name: 'svc_prowlarr'
|
|
||||||
mail: 'prowlarr@service.main.unkin.net'
|
|
||||||
uidnumber: 30005
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043'
|
|
||||||
svc_nzbget:
|
|
||||||
service_name: 'svc_nzbget'
|
|
||||||
mail: 'nzbget@service.main.unkin.net'
|
|
||||||
uidnumber: 30006
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
|
|
||||||
|
|
||||||
glauth::groups:
|
|
||||||
users:
|
|
||||||
group_name: 'people'
|
|
||||||
gidnumber: 20000
|
|
||||||
services:
|
|
||||||
group_name: 'services'
|
|
||||||
gidnumber: 20001
|
|
||||||
jellyfin_access:
|
|
||||||
group_name: 'jellyfin_access'
|
|
||||||
gidnumber: 20010
|
|
||||||
sonarr_access:
|
|
||||||
group_name: 'sonarr_access'
|
|
||||||
gidnumber: 20011
|
|
||||||
radarr_access:
|
|
||||||
group_name: 'radarr_access'
|
|
||||||
gidnumber: 20012
|
|
||||||
lidarr_access:
|
|
||||||
group_name: 'lidarr_access'
|
|
||||||
gidnumber: 20013
|
|
||||||
readarr_access:
|
|
||||||
group_name: 'readarr_access'
|
|
||||||
gidnumber: 20014
|
|
||||||
prowlarr_access:
|
|
||||||
group_name: 'prowlarr_access'
|
|
||||||
gidnumber: 20015
|
|
||||||
nzbget_access:
|
|
||||||
group_name: 'nzbget_access'
|
|
||||||
gidnumber: 20016
|
|
||||||
@@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
profiles::openldap::params::rootpw: ENC[PKCS7,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]
|
||||||
@@ -0,0 +1,22 @@
|
|||||||
|
---
|
||||||
|
# additional altnames
|
||||||
|
profiles::pki::vault::alt_names:
|
||||||
|
- ldap.main.unkin.net
|
||||||
|
- ldap.service.consul
|
||||||
|
- ldap.query.consul
|
||||||
|
- "ldap.service.%{facts.country}-%{facts.region}.consul"
|
||||||
|
openldap::server::manage_epel: false
|
||||||
|
profiles::openldap::params::data_path: '/data/ldap/main.unkin.net'
|
||||||
|
profiles::openldap::params::database: 'dc=main,dc=unkin,dc=net'
|
||||||
|
profiles::openldap::params::rootdn: "cn=admin,%{hiera('profiles::openldap::params::database')}"
|
||||||
|
profiles::openldap::params::ldap_server:
|
||||||
|
- rid: 1
|
||||||
|
provider: ldap://ausyd1nxvm1044.main.unkin.net
|
||||||
|
searchbase: "%{hiera('profiles::openldap::params::database')}"
|
||||||
|
- rid: 2
|
||||||
|
provider: ldap://ausyd1nxvm1045.main.unkin.net
|
||||||
|
searchbase: "%{hiera('profiles::openldap::params::database')}"
|
||||||
|
- rid: 3
|
||||||
|
provider: ldap://ausyd1nxvm1046.main.unkin.net
|
||||||
|
searchbase: "%{hiera('profiles::openldap::params::database')}"
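Review bot: The three `provider:` entries under `profiles::openldap::params::ldap_server` use the plain `ldap://` scheme, so unless the openldap profile (outside this diff) adds StartTLS to the syncrepl stanza, replication binds and the replicated entries — password hashes included — travel between the three nodes unencrypted. The vault certificate alt_names added in the same file already cover `ldap.main.unkin.net` and the consul names, so switching each entry to `ldaps://<provider>`, or having the profile emit `starttls=critical` with `tls_reqcert=demand`, should cost nothing here; whichever is chosen, a one-line comment above the list stating where transport security is enforced would save the next reader the same question. The `rootdn` is derived from the database key via `%{hiera(...)}` while `rootpw` lives in the separate secrets file, which is the right split.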
@@ -53,8 +53,6 @@ profiles::haproxy::frontends:
|
|||||||
options:
|
options:
|
||||||
acl:
|
acl:
|
||||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||||
use_backend:
|
|
||||||
- 'be_letsencrypt if acl-letsencrypt'
|
|
||||||
http-request:
|
http-request:
|
||||||
- 'set-header X-Forwarded-Proto https'
|
- 'set-header X-Forwarded-Proto https'
|
||||||
- 'set-header X-Real-IP %[src]'
|
- 'set-header X-Real-IP %[src]'
|
||||||
@@ -70,8 +68,6 @@ profiles::haproxy::frontends:
|
|||||||
options:
|
options:
|
||||||
acl:
|
acl:
|
||||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||||
use_backend:
|
|
||||||
- 'be_letsencrypt if acl-letsencrypt'
|
|
||||||
http-request:
|
http-request:
|
||||||
- 'set-header X-Forwarded-Proto https'
|
- 'set-header X-Forwarded-Proto https'
|
||||||
- 'set-header X-Real-IP %[src]'
|
- 'set-header X-Real-IP %[src]'
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
certbot::contact: ENC[PKCS7,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]
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- certbot
|
|
||||||
- profiles::pki::puppetcerts
|
|
||||||
|
|
||||||
certbot::domains:
|
|
||||||
- au-syd1-pve.main.unkin.net
|
|
||||||
- au-syd1-pve-api.main.unkin.net
|
|
||||||
- sonarr.main.unkin.net
|
|
||||||
- radarr.main.unkin.net
|
|
||||||
- lidarr.main.unkin.net
|
|
||||||
- readarr.main.unkin.net
|
|
||||||
- prowlarr.main.unkin.net
|
|
||||||
- nzbget.main.unkin.net
|
|
||||||
- fafflix.unkin.net
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
Facter.add(:certbot_available_certs) do
|
|
||||||
confine enc_role: 'roles::infra::pki::certbot'
|
|
||||||
setcode do
|
|
||||||
certs_dir = '/etc/letsencrypt/live'
|
|
||||||
available_certs = []
|
|
||||||
|
|
||||||
if Dir.exist?(certs_dir)
|
|
||||||
Dir.children(certs_dir).each do |entry|
|
|
||||||
fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
|
|
||||||
available_certs << entry if File.exist?(fullchain_pem)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
available_certs.join(',')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
# certbot::cert
|
|
||||||
define certbot::cert (
|
|
||||||
Stdlib::Fqdn $domain,
|
|
||||||
Array $additional_args = ['--http-01-port=8888'],
|
|
||||||
Boolean $manage_cron = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
|
||||||
|
|
||||||
@@letsencrypt::certonly { $domain:
|
|
||||||
additional_args => $additional_args,
|
|
||||||
manage_cron => $manage_cron,
|
|
||||||
tag => $location_environment,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,23 +0,0 @@
|
|||||||
class certbot::client (
|
|
||||||
Array[Stdlib::Fqdn] $domains,
|
|
||||||
Stdlib::Fqdn $webserver,
|
|
||||||
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
|
|
||||||
) {
|
|
||||||
|
|
||||||
mkdir::p {$data_dir:}
|
|
||||||
file { $data_dir:
|
|
||||||
ensure => directory,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0755',
|
|
||||||
}
|
|
||||||
|
|
||||||
$domains.each |$domain| {
|
|
||||||
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
|
|
||||||
domain => $domain,
|
|
||||||
destination => "${data_dir}/${domain}",
|
|
||||||
webserver => $webserver,
|
|
||||||
require => File[$data_dir],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,51 +0,0 @@
|
|||||||
define certbot::client::cert (
|
|
||||||
Stdlib::Fqdn $domain,
|
|
||||||
Stdlib::Fqdn $webserver,
|
|
||||||
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
|
|
||||||
) {
|
|
||||||
|
|
||||||
file { $destination:
|
|
||||||
ensure => directory,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0755',
|
|
||||||
}
|
|
||||||
|
|
||||||
$cert_ready_nodes = puppetdb_query("
|
|
||||||
facts {
|
|
||||||
name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
|
|
||||||
}"
|
|
||||||
)
|
|
||||||
|
|
||||||
# Define the certificate files
|
|
||||||
$cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
|
|
||||||
|
|
||||||
if !empty($cert_ready_nodes) {
|
|
||||||
$files_to_create = $cert_files.reduce({}) |$acc, $file| {
|
|
||||||
$acc + {
|
|
||||||
"${destination}/${file}" => {
|
|
||||||
ensure => 'file',
|
|
||||||
source => "https://${webserver}/${domain}/${file}",
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0644',
|
|
||||||
notify => Exec["concat_${domain}_certs"],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
create_resources(file, $files_to_create)
|
|
||||||
exec { "concat_${domain}_certs":
|
|
||||||
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
|
|
||||||
path => ['/bin', '/usr/bin'],
|
|
||||||
refreshonly => true,
|
|
||||||
require => [
|
|
||||||
File["${destination}/fullchain.pem"],
|
|
||||||
File["${destination}/privkey.pem"],
|
|
||||||
],
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
notify { 'Certificates are not yet ready on the generator server.': }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
# certbot::haproxy
|
|
||||||
class certbot::haproxy {
|
|
||||||
# export haproxy balancemember
|
|
||||||
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
|
|
||||||
service => 'be_letsencrypt',
|
|
||||||
ports => [8888],
|
|
||||||
options => []
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,19 +0,0 @@
|
|||||||
# certbot::init
|
|
||||||
class certbot (
|
|
||||||
String $contact,
|
|
||||||
Array[Stdlib::Fqdn] $domains = [],
|
|
||||||
Stdlib::Absolutepath $data_root = '/var/www',
|
|
||||||
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
|
|
||||||
Array[Stdlib::Host] $nginx_aliases = [],
|
|
||||||
Stdlib::Port $nginx_port = 80,
|
|
||||||
Stdlib::Port $nginx_ssl_port = 443,
|
|
||||||
Enum['http','https','both'] $nginx_listen_mode = 'https',
|
|
||||||
Enum['puppet', 'vault'] $nginx_cert_type = 'puppet',
|
|
||||||
) {
|
|
||||||
|
|
||||||
include certbot::nginx
|
|
||||||
include certbot::selinux
|
|
||||||
include certbot::haproxy
|
|
||||||
include certbot::letsencrypt
|
|
||||||
|
|
||||||
}
|
|
||||||
@@ -1,37 +0,0 @@
|
|||||||
# certbot::letsencrypt
|
|
||||||
class certbot::letsencrypt (
|
|
||||||
String $contact = $certbot::contact,
|
|
||||||
Array[Stdlib::Fqdn] $domains = $certbot::domains,
|
|
||||||
Stdlib::Absolutepath $data_root = $certbot::data_root,
|
|
||||||
) {
|
|
||||||
|
|
||||||
class { 'letsencrypt':
|
|
||||||
configure_epel => false,
|
|
||||||
package_ensure => 'latest',
|
|
||||||
email => $contact,
|
|
||||||
}
|
|
||||||
|
|
||||||
# set location_environment
|
|
||||||
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
|
||||||
|
|
||||||
# collect exported resources
|
|
||||||
Letsencrypt::Certonly <<| tag == $location_environment |>>
|
|
||||||
|
|
||||||
# statically defined certificate
|
|
||||||
$domains.each | $domain | {
|
|
||||||
certbot::cert {$domain:
|
|
||||||
domain => $domain,
|
|
||||||
require => Class['letsencrypt'],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
systemd::timer { 'certbot-syncer.timer':
|
|
||||||
timer_content => epp('certbot/certbot-syncer.timer.epp'),
|
|
||||||
service_content => epp('certbot/certbot-syncer.service.epp', {
|
|
||||||
'data_root' => $data_root,
|
|
||||||
}),
|
|
||||||
active => true,
|
|
||||||
enable => true,
|
|
||||||
require => Class['letsencrypt'],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,91 +0,0 @@
|
|||||||
# certbot::nginx
|
|
||||||
class certbot::nginx (
|
|
||||||
Stdlib::Absolutepath $data_root = $certbot::data_root,
|
|
||||||
Stdlib::Fqdn $nginx_vhost = $certbot::nginx_vhost,
|
|
||||||
Array[Stdlib::Host] $nginx_aliases = $certbot::nginx_aliases,
|
|
||||||
Stdlib::Port $nginx_port = $certbot::nginx_port,
|
|
||||||
Stdlib::Port $nginx_ssl_port = $certbot::nginx_ssl_port,
|
|
||||||
Enum['http','https','both'] $nginx_listen_mode = $certbot::nginx_listen_mode,
|
|
||||||
Enum['puppet', 'vault'] $nginx_cert_type = $certbot::nginx_cert_type,
|
|
||||||
) {
|
|
||||||
|
|
||||||
# select the certificates to use based on cert type
|
|
||||||
case $nginx_cert_type {
|
|
||||||
'puppet': {
|
|
||||||
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
|
|
||||||
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
|
|
||||||
}
|
|
||||||
'vault': {
|
|
||||||
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
|
|
||||||
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
|
|
||||||
}
|
|
||||||
default: {
|
|
||||||
# enum param prevents this ever being reached
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# set variables based on the listen_mode
|
|
||||||
case $nginx_listen_mode {
|
|
||||||
'http': {
|
|
||||||
$enable_ssl = false
|
|
||||||
$ssl_cert = undef
|
|
||||||
$ssl_key = undef
|
|
||||||
$listen_port = $nginx_port
|
|
||||||
$listen_ssl_port = undef
|
|
||||||
$extras_hash = {}
|
|
||||||
}
|
|
||||||
'https': {
|
|
||||||
$enable_ssl = true
|
|
||||||
$ssl_cert = $selected_ssl_cert
|
|
||||||
$ssl_key = $selected_ssl_key
|
|
||||||
$listen_port = $nginx_ssl_port
|
|
||||||
$listen_ssl_port = $nginx_ssl_port
|
|
||||||
$extras_hash = {
|
|
||||||
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
'both': {
|
|
||||||
$enable_ssl = true
|
|
||||||
$ssl_cert = $selected_ssl_cert
|
|
||||||
$ssl_key = $selected_ssl_key
|
|
||||||
$listen_port = $nginx_port
|
|
||||||
$listen_ssl_port = $nginx_ssl_port
|
|
||||||
$extras_hash = {
|
|
||||||
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
default: {
|
|
||||||
# enum param prevents this ever being reached
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
mkdir::p {"${data_root}/pub":}
|
|
||||||
|
|
||||||
# set the server_names
|
|
||||||
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
|
|
||||||
|
|
||||||
# define the default parameters for the nginx server
|
|
||||||
$defaults = {
|
|
||||||
'listen_port' => $listen_port,
|
|
||||||
'server_name' => $server_names,
|
|
||||||
'use_default_location' => true,
|
|
||||||
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
|
|
||||||
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
|
|
||||||
'www_root' => "${data_root}/pub",
|
|
||||||
'autoindex' => 'on',
|
|
||||||
'ssl' => $enable_ssl,
|
|
||||||
'ssl_cert' => $ssl_cert,
|
|
||||||
'ssl_key' => $ssl_key,
|
|
||||||
'ssl_port' => $listen_ssl_port,
|
|
||||||
}
|
|
||||||
|
|
||||||
# merge the hashes conditionally
|
|
||||||
$nginx_parameters = merge($defaults, $extras_hash)
|
|
||||||
|
|
||||||
# manage the nginx class
|
|
||||||
include nginx
|
|
||||||
|
|
||||||
# create the nginx vhost with the merged parameters
|
|
||||||
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
|
|
||||||
|
|
||||||
}
|
|
||||||
@@ -1,40 +0,0 @@
|
|||||||
# certbot::selinux
|
|
||||||
class certbot::selinux (
|
|
||||||
Stdlib::Absolutepath $data_root = $certbot::data_root,
|
|
||||||
) {
|
|
||||||
|
|
||||||
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
|
|
||||||
|
|
||||||
# set httpd_sys_content_t to all files under the www_root
|
|
||||||
selinux::fcontext { "${data_root}/pub":
|
|
||||||
ensure => 'present',
|
|
||||||
seltype => 'httpd_sys_content_t',
|
|
||||||
pathspec => "${data_root}/pub(/.*)?",
|
|
||||||
}
|
|
||||||
|
|
||||||
# make sure we can connect to other hosts
|
|
||||||
selboolean { 'httpd_can_network_connect':
|
|
||||||
persistent => true,
|
|
||||||
value => 'on',
|
|
||||||
}
|
|
||||||
selboolean { 'rsync_client':
|
|
||||||
persistent => true,
|
|
||||||
value => 'on',
|
|
||||||
}
|
|
||||||
selboolean { 'rsync_export_all_ro':
|
|
||||||
persistent => true,
|
|
||||||
value => 'on',
|
|
||||||
}
|
|
||||||
selboolean { 'rsync_full_access':
|
|
||||||
persistent => true,
|
|
||||||
value => 'on',
|
|
||||||
}
|
|
||||||
|
|
||||||
exec { "restorecon_${data_root}/pub":
|
|
||||||
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
|
|
||||||
command => "restorecon -Rv ${data_root}/pub",
|
|
||||||
refreshonly => true,
|
|
||||||
subscribe => Selinux::Fcontext["${data_root}/pub"],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,8 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=certbot-syncer service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
|
|
||||||
User=root
|
|
||||||
Group=root
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=certbot-syncer timer
|
|
||||||
|
|
||||||
[Timer]
|
|
||||||
OnCalendar=hourly
|
|
||||||
Persistent=true
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=timers.target
|
|
||||||
@@ -1,155 +0,0 @@
|
|||||||
# configure glauth
|
|
||||||
class glauth::config (
|
|
||||||
Boolean $debug = $glauth::debug,
|
|
||||||
Boolean $syslog = $glauth::syslog,
|
|
||||||
Boolean $structuredlog = $glauth::structuredlog,
|
|
||||||
Boolean $watchconfig = $glauth::watchconfig,
|
|
||||||
|
|
||||||
Boolean $ldap_enabled = $glauth::ldap_enabled,
|
|
||||||
Stdlib::IP::Address $ldap_address = $glauth::ldap_address,
|
|
||||||
Stdlib::Port $ldap_port = $glauth::ldap_port,
|
|
||||||
Boolean $ldap_tls = $glauth::ldap_tls,
|
|
||||||
Stdlib::Absolutepath $ldap_tlscertpath = $glauth::ldap_tlscertpath,
|
|
||||||
Stdlib::Absolutepath $ldap_tlskeypath = $glauth::ldap_tlskeypath,
|
|
||||||
|
|
||||||
Boolean $ldaps_enabled = $glauth::ldaps_enabled,
|
|
||||||
Stdlib::IP::Address $ldaps_address = $glauth::ldaps_address,
|
|
||||||
Stdlib::Port $ldaps_port = $glauth::ldaps_port,
|
|
||||||
Stdlib::Absolutepath $ldaps_cert = $glauth::ldaps_cert,
|
|
||||||
Stdlib::Absolutepath $ldaps_key = $glauth::ldaps_key,
|
|
||||||
|
|
||||||
String $backend_datastore = $glauth::backend_datastore,
|
|
||||||
String $backend_basedn = $glauth::backend_basedn,
|
|
||||||
String $backend_nameformat = $glauth::backend_nameformat,
|
|
||||||
String $backend_groupformat = $glauth::backend_groupformat,
|
|
||||||
Boolean $backend_anonymousdse = $glauth::backend_anonymousdse,
|
|
||||||
String $backend_sshkeyattr = $glauth::backend_sshkeyattr,
|
|
||||||
|
|
||||||
Boolean $behaviors_ignorecapabilities = $glauth::behaviors_ignorecapabilities,
|
|
||||||
Boolean $behaviors_limitfailedbinds = $glauth::behaviors_limitfailedbinds,
|
|
||||||
Integer $behaviors_numberoffailedbinds = $glauth::behaviors_numberoffailedbinds,
|
|
||||||
Integer $behaviors_periodoffailedbinds = $glauth::behaviors_periodoffailedbinds,
|
|
||||||
Integer $behaviors_blockfailedbindsfor = $glauth::behaviors_blockfailedbindsfor,
|
|
||||||
Integer $behaviors_prunesourcetableevery = $glauth::behaviors_prunesourcetableevery,
|
|
||||||
Integer $behaviors_prunesourcesolderthan = $glauth::behaviors_prunesourcesolderthan,
|
|
||||||
|
|
||||||
Boolean $api_enabled = $glauth::api_enabled,
|
|
||||||
Boolean $api_internals = $glauth::api_internals,
|
|
||||||
Boolean $api_tls = $glauth::api_tls,
|
|
||||||
Stdlib::IP::Address $api_address = $glauth::api_address,
|
|
||||||
Stdlib::Port $api_port = $glauth::api_port,
|
|
||||||
Stdlib::Absolutepath $api_cert = $glauth::api_cert,
|
|
||||||
Stdlib::Absolutepath $api_key = $glauth::api_key,
|
|
||||||
|
|
||||||
String $user = $glauth::user,
|
|
||||||
String $group = $glauth::group,
|
|
||||||
Stdlib::Absolutepath $bin_dir = $glauth::bin_dir,
|
|
||||||
Stdlib::Absolutepath $bin_path = $glauth::bin_path,
|
|
||||||
Stdlib::Absolutepath $config_dir = $glauth::config_dir,
|
|
||||||
Stdlib::Absolutepath $config_path = $glauth::config_path,
|
|
||||||
Boolean $manage_defaults = $glauth::manage_defaults,
|
|
||||||
) {
|
|
||||||
|
|
||||||
mkdir::p {$config_dir:}
|
|
||||||
file { [ $config_dir ]:
|
|
||||||
ensure => directory,
|
|
||||||
owner => $user,
|
|
||||||
group => $group,
|
|
||||||
}
|
|
||||||
|
|
||||||
concat { $config_path:
|
|
||||||
owner => $user,
|
|
||||||
group => $group,
|
|
||||||
mode => '0644',
|
|
||||||
require => File[$config_dir],
|
|
||||||
}
|
|
||||||
|
|
||||||
if $manage_defaults {
|
|
||||||
Glauth::Obj::User {
|
|
||||||
config_path => $config_path,
|
|
||||||
}
|
|
||||||
Glauth::Obj::Service {
|
|
||||||
config_path => $config_path,
|
|
||||||
}
|
|
||||||
Glauth::Obj::Group {
|
|
||||||
config_path => $config_path,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
concat::fragment { 'glauth_general':
|
|
||||||
target => $config_path,
|
|
||||||
content => epp('glauth/general.epp', {
|
|
||||||
'debug' => $debug,
|
|
||||||
'syslog' => $syslog,
|
|
||||||
'structuredlog' => $structuredlog,
|
|
||||||
'watchconfig' => $watchconfig,
|
|
||||||
}),
|
|
||||||
order => 10,
|
|
||||||
}
|
|
||||||
|
|
||||||
concat::fragment { 'glauth_ldap':
|
|
||||||
target => $config_path,
|
|
||||||
content => epp('glauth/ldap.epp', {
|
|
||||||
'ldap_enabled' => $ldap_enabled,
|
|
||||||
'ldap_address' => $ldap_address,
|
|
||||||
'ldap_port' => $ldap_port,
|
|
||||||
'ldap_tls' => $ldap_tls,
|
|
||||||
'ldap_tlscertpath' => $ldap_tlscertpath,
|
|
||||||
'ldap_tlskeypath' => $ldap_tlskeypath,
|
|
||||||
}),
|
|
||||||
order => 20,
|
|
||||||
}
|
|
||||||
|
|
||||||
concat::fragment { 'glauth_ldaps':
|
|
||||||
target => $config_path,
|
|
||||||
content => epp('glauth/ldaps.epp', {
|
|
||||||
'ldaps_enabled' => $ldaps_enabled,
|
|
||||||
'ldaps_address' => $ldaps_address,
|
|
||||||
'ldaps_port' => $ldaps_port,
|
|
||||||
'ldaps_cert' => $ldaps_cert,
|
|
||||||
'ldaps_key' => $ldaps_key,
|
|
||||||
}),
|
|
||||||
order => 30,
|
|
||||||
}
|
|
||||||
|
|
||||||
concat::fragment { 'glauth_backend':
|
|
||||||
target => $config_path,
|
|
||||||
content => epp('glauth/backend.epp', {
|
|
||||||
'backend_datastore' => $backend_datastore,
|
|
||||||
'backend_basedn' => $backend_basedn,
|
|
||||||
'backend_nameformat' => $backend_nameformat,
|
|
||||||
'backend_groupformat' => $backend_groupformat,
|
|
||||||
'backend_anonymousdse' => $backend_anonymousdse,
|
|
||||||
'backend_sshkeyattr' => $backend_sshkeyattr,
|
|
||||||
}),
|
|
||||||
order => 40,
|
|
||||||
}
|
|
||||||
|
|
||||||
concat::fragment { 'glauth_behaviors':
|
|
||||||
target => $config_path,
|
|
||||||
content => epp('glauth/behaviors.epp', {
|
|
||||||
'ignorecapabilities' => $behaviors_ignorecapabilities,
|
|
||||||
'limitfailedbinds' => $behaviors_limitfailedbinds,
|
|
||||||
'numberoffailedbinds' => $behaviors_numberoffailedbinds,
|
|
||||||
'periodoffailedbinds' => $behaviors_periodoffailedbinds,
|
|
||||||
'blockfailedbindsfor' => $behaviors_blockfailedbindsfor,
|
|
||||||
'prunesourcetableevery' => $behaviors_prunesourcetableevery,
|
|
||||||
'prunesourcesolderthan' => $behaviors_prunesourcesolderthan,
|
|
||||||
}),
|
|
||||||
order => 50,
|
|
||||||
}
|
|
||||||
|
|
||||||
concat::fragment { 'glauth_api':
|
|
||||||
target => $config_path,
|
|
||||||
content => epp('glauth/api.epp', {
|
|
||||||
'api_enabled' => $api_enabled,
|
|
||||||
'api_internals' => $api_internals,
|
|
||||||
'api_tls' => $api_tls,
|
|
||||||
'api_address' => $api_address,
|
|
||||||
'api_port' => $api_port,
|
|
||||||
'api_cert' => $api_cert,
|
|
||||||
'api_key' => $api_key,
|
|
||||||
}),
|
|
||||||
order => 60,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,64 +0,0 @@
|
|||||||
# glauth inititalisation class
|
|
||||||
class glauth (
|
|
||||||
Boolean $debug = $glauth::params::debug,
|
|
||||||
Boolean $syslog = $glauth::params::syslog,
|
|
||||||
Boolean $structuredlog = $glauth::params::structuredlog,
|
|
||||||
Boolean $watchconfig = $glauth::params::watchconfig,
|
|
||||||
Array $packages = $glauth::params::packages,
|
|
||||||
|
|
||||||
Boolean $ldap_enabled = $glauth::params::ldap_enabled,
|
|
||||||
Stdlib::IP::Address $ldap_address = $glauth::params::ldap_address,
|
|
||||||
Stdlib::Port $ldap_port = $glauth::params::ldap_port,
|
|
||||||
Boolean $ldap_tls = $glauth::params::ldap_tls,
|
|
||||||
Stdlib::Absolutepath $ldap_tlscertpath = $glauth::params::ldap_tlscertpath,
|
|
||||||
Stdlib::Absolutepath $ldap_tlskeypath = $glauth::params::ldap_tlskeypath,
|
|
||||||
|
|
||||||
Boolean $ldaps_enabled = $glauth::params::ldaps_enabled,
|
|
||||||
Stdlib::IP::Address $ldaps_address = $glauth::params::ldaps_address,
|
|
||||||
Stdlib::Port $ldaps_port = $glauth::params::ldaps_port,
|
|
||||||
Stdlib::Absolutepath $ldaps_cert = $glauth::params::ldaps_cert,
|
|
||||||
Stdlib::Absolutepath $ldaps_key = $glauth::params::ldaps_key,
|
|
||||||
|
|
||||||
String $backend_datastore = $glauth::params::backend_datastore,
|
|
||||||
String $backend_basedn = $glauth::params::backend_basedn,
|
|
||||||
String $backend_nameformat = $glauth::params::backend_nameformat,
|
|
||||||
String $backend_groupformat = $glauth::params::backend_groupformat,
|
|
||||||
Boolean $backend_anonymousdse = $glauth::params::backend_anonymousdse,
|
|
||||||
String $backend_sshkeyattr = $glauth::params::backend_sshkeyattr,
|
|
||||||
|
|
||||||
Boolean $behaviors_ignorecapabilities = $glauth::params::behaviors_ignorecapabilities,
|
|
||||||
Boolean $behaviors_limitfailedbinds = $glauth::params::behaviors_limitfailedbinds,
|
|
||||||
Integer $behaviors_numberoffailedbinds = $glauth::params::behaviors_numberoffailedbinds,
|
|
||||||
Integer $behaviors_periodoffailedbinds = $glauth::params::behaviors_periodoffailedbinds,
|
|
||||||
Integer $behaviors_blockfailedbindsfor = $glauth::params::behaviors_blockfailedbindsfor,
|
|
||||||
Integer $behaviors_prunesourcetableevery = $glauth::params::behaviors_prunesourcetableevery,
|
|
||||||
Integer $behaviors_prunesourcesolderthan = $glauth::params::behaviors_prunesourcesolderthan,
|
|
||||||
|
|
||||||
Boolean $api_enabled = $glauth::params::api_enabled,
|
|
||||||
Boolean $api_internals = $glauth::params::api_internals,
|
|
||||||
Boolean $api_tls = $glauth::params::api_tls,
|
|
||||||
Stdlib::IP::Address $api_address = $glauth::params::api_address,
|
|
||||||
Stdlib::Port $api_port = $glauth::params::api_port,
|
|
||||||
Stdlib::Absolutepath $api_cert = $glauth::params::api_cert,
|
|
||||||
Stdlib::Absolutepath $api_key = $glauth::params::api_key,
|
|
||||||
|
|
||||||
String $user = $glauth::params::user,
|
|
||||||
String $group = $glauth::params::group,
|
|
||||||
Stdlib::Absolutepath $bin_dir = $glauth::params::bin_dir,
|
|
||||||
Stdlib::Absolutepath $bin_path = $glauth::params::bin_path,
|
|
||||||
Stdlib::Absolutepath $config_dir = $glauth::params::config_dir,
|
|
||||||
Stdlib::Absolutepath $config_path = $glauth::params::config_path,
|
|
||||||
Boolean $service_enable = $glauth::params::service_enable,
|
|
||||||
String $service_name = $glauth::params::service_name,
|
|
||||||
String $download_version = $glauth::params::download_version,
|
|
||||||
String $download_url = $glauth::params::download_url,
|
|
||||||
Boolean $manage_defaults = $glauth::params::manage_defaults,
|
|
||||||
|
|
||||||
) inherits glauth::params {
|
|
||||||
|
|
||||||
include glauth::install
|
|
||||||
include glauth::config
|
|
||||||
include glauth::service
|
|
||||||
|
|
||||||
Class['glauth::install'] -> Class['glauth::config'] -> Class['glauth::service']
|
|
||||||
}
|
|
||||||
@@ -1,45 +0,0 @@
|
|||||||
# install the glauth directories and binary
|
|
||||||
class glauth::install (
|
|
||||||
String $user = $glauth::user,
|
|
||||||
String $group = $glauth::group,
|
|
||||||
Stdlib::Absolutepath $bin_dir = $glauth::bin_dir,
|
|
||||||
Stdlib::Absolutepath $bin_path = $glauth::bin_path,
|
|
||||||
Stdlib::Absolutepath $config_dir = $glauth::config_path,
|
|
||||||
Stdlib::Absolutepath $config_path = $glauth::config_path,
|
|
||||||
String $download_url = $glauth::download_url,
|
|
||||||
Array $packages = $glauth::packages,
|
|
||||||
){
|
|
||||||
user { $user:
|
|
||||||
ensure => present,
|
|
||||||
system => true,
|
|
||||||
gid => $group,
|
|
||||||
require => Group[$group],
|
|
||||||
}
|
|
||||||
|
|
||||||
group { $group:
|
|
||||||
ensure => present,
|
|
||||||
system => true,
|
|
||||||
}
|
|
||||||
|
|
||||||
ensure_resources('package', $packages => {ensure => 'present'})
|
|
||||||
|
|
||||||
archive { 'glauth':
|
|
||||||
ensure => present,
|
|
||||||
url => $download_url,
|
|
||||||
extract => false,
|
|
||||||
path => $bin_path,
|
|
||||||
creates => $bin_path,
|
|
||||||
cleanup => false,
|
|
||||||
extract_path => $bin_dir,
|
|
||||||
user => 'root',
|
|
||||||
group => 'root',
|
|
||||||
}
|
|
||||||
|
|
||||||
file{ $bin_path:
|
|
||||||
ensure => file,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0755',
|
|
||||||
require => Archive['glauth'],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,17 +0,0 @@
|
|||||||
# define a group object
|
|
||||||
define glauth::obj::group (
|
|
||||||
String $group_name,
|
|
||||||
Integer $gidnumber,
|
|
||||||
Stdlib::Absolutepath $config_path,
|
|
||||||
Optional[Array[Integer]] $includegroups = [],
|
|
||||||
) {
|
|
||||||
concat::fragment { "glauth_group_${group_name}":
|
|
||||||
target => $config_path,
|
|
||||||
content => epp('glauth/obj/group.epp', {
|
|
||||||
'name' => $group_name,
|
|
||||||
'gidnumber' => $gidnumber,
|
|
||||||
'includegroups' => $includegroups,
|
|
||||||
}),
|
|
||||||
order => '90',
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,21 +0,0 @@
|
|||||||
# define a service object
|
|
||||||
define glauth::obj::service (
|
|
||||||
String $service_name,
|
|
||||||
String $mail,
|
|
||||||
Integer $uidnumber,
|
|
||||||
Integer $primarygroup,
|
|
||||||
String $passsha256,
|
|
||||||
Stdlib::Absolutepath $config_path,
|
|
||||||
) {
|
|
||||||
concat::fragment { "glauth_service_${service_name}":
|
|
||||||
target => $config_path,
|
|
||||||
content => epp('glauth/obj/service.epp', {
|
|
||||||
'name' => $service_name,
|
|
||||||
'mail' => $mail,
|
|
||||||
'uidnumber' => $uidnumber,
|
|
||||||
'primarygroup' => $primarygroup,
|
|
||||||
'passsha256' => $passsha256,
|
|
||||||
}),
|
|
||||||
order => '80',
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,39 +0,0 @@
|
|||||||
# define a user object
|
|
||||||
define glauth::obj::user (
|
|
||||||
String $user_name,
|
|
||||||
String $mail,
|
|
||||||
Integer $uidnumber,
|
|
||||||
Integer $primarygroup,
|
|
||||||
String $passsha256,
|
|
||||||
Stdlib::Absolutepath $config_path,
|
|
||||||
String $givenname = '',
|
|
||||||
String $sn = '',
|
|
||||||
String $loginshell = '',
|
|
||||||
String $homedir = '',
|
|
||||||
Optional[Array[String]] $sshkeys = [],
|
|
||||||
Optional[Array[String]] $passappsha256 = [],
|
|
||||||
Optional[Array[Integer]] $othergroups = [],
|
|
||||||
) {
|
|
||||||
$formatted_othergroups = $othergroups.empty ? {
|
|
||||||
true => '[]',
|
|
||||||
false => "[${othergroups.join(', ')}]",
|
|
||||||
}
|
|
||||||
concat::fragment { "glauth_user_${user_name}":
|
|
||||||
target => $config_path,
|
|
||||||
content => epp('glauth/obj/user.epp', {
|
|
||||||
'name' => $user_name,
|
|
||||||
'givenname' => $givenname,
|
|
||||||
'sn' => $sn,
|
|
||||||
'mail' => $mail,
|
|
||||||
'uidnumber' => $uidnumber,
|
|
||||||
'primarygroup' => $primarygroup,
|
|
||||||
'loginshell' => $loginshell,
|
|
||||||
'homedir' => $homedir,
|
|
||||||
'passsha256' => $passsha256,
|
|
||||||
'sshkeys' => $sshkeys,
|
|
||||||
'passappsha256' => $passappsha256,
|
|
||||||
'othergroups' => $formatted_othergroups,
|
|
||||||
}),
|
|
||||||
order => '70',
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,58 +0,0 @@
|
|||||||
# params class for glauth
|
|
||||||
class glauth::params (
|
|
||||||
Boolean $debug = true,
|
|
||||||
Boolean $syslog = true,
|
|
||||||
Boolean $structuredlog = true,
|
|
||||||
Boolean $watchconfig = true,
|
|
||||||
Array $packages = [
|
|
||||||
'openldap-clients',
|
|
||||||
],
|
|
||||||
|
|
||||||
Boolean $ldap_enabled = true,
|
|
||||||
Stdlib::IP::Address $ldap_address = '0.0.0.0',
|
|
||||||
Stdlib::Port $ldap_port = 389,
|
|
||||||
Boolean $ldap_tls = false,
|
|
||||||
Stdlib::Absolutepath $ldap_tlscertpath = '/etc/glauth/glauth.crt',
|
|
||||||
Stdlib::Absolutepath $ldap_tlskeypath = '/etc/glauth/glauth.key',
|
|
||||||
|
|
||||||
Boolean $ldaps_enabled = false,
|
|
||||||
Stdlib::IP::Address $ldaps_address = '0.0.0.0',
|
|
||||||
Stdlib::Port $ldaps_port = 636,
|
|
||||||
Stdlib::Absolutepath $ldaps_cert = '/etc/glauth/glauth.crt',
|
|
||||||
Stdlib::Absolutepath $ldaps_key = '/etc/glauth/glauth.key',
|
|
||||||
|
|
||||||
String $backend_datastore = 'config',
|
|
||||||
String $backend_basedn = 'dc=main,dc=unkin,dc=net',
|
|
||||||
String $backend_nameformat = 'cn',
|
|
||||||
String $backend_groupformat = 'ou',
|
|
||||||
Boolean $backend_anonymousdse = true,
|
|
||||||
String $backend_sshkeyattr = 'sshPublicKey',
|
|
||||||
|
|
||||||
Boolean $behaviors_ignorecapabilities = true,
|
|
||||||
Boolean $behaviors_limitfailedbinds = true,
|
|
||||||
Integer $behaviors_numberoffailedbinds = 3,
|
|
||||||
Integer $behaviors_periodoffailedbinds = 10,
|
|
||||||
Integer $behaviors_blockfailedbindsfor = 60,
|
|
||||||
Integer $behaviors_prunesourcetableevery = 600,
|
|
||||||
Integer $behaviors_prunesourcesolderthan = 600,
|
|
||||||
|
|
||||||
Boolean $api_enabled = true,
|
|
||||||
Boolean $api_internals = true,
|
|
||||||
Boolean $api_tls = true,
|
|
||||||
Stdlib::IP::Address $api_address = '0.0.0.0',
|
|
||||||
Stdlib::Port $api_port = 5555,
|
|
||||||
Stdlib::Absolutepath $api_cert = '/etc/glauth/cert.pem',
|
|
||||||
Stdlib::Absolutepath $api_key = '/etc/glauth/key.pem',
|
|
||||||
|
|
||||||
String $user = 'glauth',
|
|
||||||
String $group = 'glauth',
|
|
||||||
Stdlib::Absolutepath $bin_dir = '/usr/local/bin',
|
|
||||||
Stdlib::Absolutepath $bin_path = "${bin_dir}/glauth",
|
|
||||||
Stdlib::Absolutepath $config_dir = '/etc/glauth',
|
|
||||||
Stdlib::Absolutepath $config_path = "${config_dir}/glauth.conf",
|
|
||||||
Boolean $service_enable = true,
|
|
||||||
String $service_name = 'glauth',
|
|
||||||
String $download_version = '2.3.2',
|
|
||||||
String $download_url = "https://git.query.consul/api/packages/unkinben/generic/glauth/${download_version}/glauth-linux-amd64",
|
|
||||||
Boolean $manage_defaults = true,
|
|
||||||
){}
|
|
||||||
@@ -1,30 +0,0 @@
|
|||||||
# manage the glauth service/socket
|
|
||||||
class glauth::service (
|
|
||||||
$service_enable = $glauth::service_enable,
|
|
||||||
$service_name = $glauth::service_name,
|
|
||||||
$user = $glauth::user,
|
|
||||||
$group = $glauth::group,
|
|
||||||
$config_path = $glauth::config_path,
|
|
||||||
$bin_path = $glauth::bin_path,
|
|
||||||
$ldap_port = $glauth::ldap_port,
|
|
||||||
$ldaps_port = $glauth::ldaps_port,
|
|
||||||
$api_port = $glauth::api_port,
|
|
||||||
){
|
|
||||||
if $service_enable {
|
|
||||||
include ::systemd
|
|
||||||
|
|
||||||
systemd::unit_file { "${service_name}.service":
|
|
||||||
content => epp('glauth/systemd.service.epp', {
|
|
||||||
'bin_path' => $bin_path,
|
|
||||||
'config_path' => $config_path,
|
|
||||||
'user' => $user,
|
|
||||||
'group' => $group,
|
|
||||||
'service_name' => $service_name,
|
|
||||||
}),
|
|
||||||
enable => true,
|
|
||||||
active => true,
|
|
||||||
subscribe => Concat[$config_path],
|
|
||||||
# should also subscribe to tls certs
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
#################
|
|
||||||
# API configuration.
|
|
||||||
[api]
|
|
||||||
enabled = <%= $api_enabled %>
|
|
||||||
internals = <%= $api_internals %>
|
|
||||||
tls = <%= $api_tls %>
|
|
||||||
listen = "<%= $api_address %>:<%= $api_port %>"
|
|
||||||
cert = "<%= $api_cert %>"
|
|
||||||
key = "<%= $api_key %>"
|
|
||||||
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
#################
|
|
||||||
# The backend section controls the data store.
|
|
||||||
[backend]
|
|
||||||
datastore = "<%= $backend_datastore %>"
|
|
||||||
baseDN = "<%= $backend_basedn %>"
|
|
||||||
nameformat = "<%= $backend_nameformat %>"
|
|
||||||
groupformat = "<%= $backend_groupformat %>"
|
|
||||||
anonymousdse = <%= $backend_anonymousdse %>
|
|
||||||
sshkeyattr = "<%= $backend_sshkeyattr %>"
|
|
||||||
|
|
||||||
@@ -1,11 +0,0 @@
|
|||||||
#################
|
|
||||||
# Behaviors configuration.
|
|
||||||
[behaviors]
|
|
||||||
IgnoreCapabilities = <%= $ignorecapabilities %>
|
|
||||||
LimitFailedBinds = <%= $limitfailedbinds %>
|
|
||||||
NumberOfFailedBinds = <%= $numberoffailedbinds %>
|
|
||||||
PeriodOfFailedBinds = <%= $periodoffailedbinds %>
|
|
||||||
BlockFailedBindsFor = <%= $blockfailedbindsfor %>
|
|
||||||
PruneSourceTableEvery = <%= $prunesourcetableevery %>
|
|
||||||
PruneSourcesOlderThan = <%= $prunesourcesolderthan %>
|
|
||||||
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
#################
|
|
||||||
# General configuration.
|
|
||||||
debug = <%= $debug %>
|
|
||||||
syslog = <%= $syslog %>
|
|
||||||
structuredlog = <%= $structuredlog %>
|
|
||||||
watchconfig = <%= $watchconfig %>
|
|
||||||
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
#################
|
|
||||||
# Server configuration.
|
|
||||||
[ldap]
|
|
||||||
enabled = <%= $ldap_enabled %>
|
|
||||||
listen = "<%= $ldap_address %>:<%= $ldap_port %>"
|
|
||||||
tls = <%= $ldap_tls %>
|
|
||||||
tlsCertPath = "<%= $ldap_tlscertpath %>"
|
|
||||||
tlsKeyPath = "<%= $ldap_tlskeypath %>"
|
|
||||||
|
|
||||||
@@ -1,8 +0,0 @@
|
|||||||
#################
|
|
||||||
# Server configuration.
|
|
||||||
[ldaps]
|
|
||||||
enabled = <%= $ldaps_enabled %>
|
|
||||||
listen = "<%= $ldaps_address %>:<%= $ldaps_port %>"
|
|
||||||
cert = "<%= $ldaps_cert %>"
|
|
||||||
key = "<%= $ldaps_key %>"
|
|
||||||
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
[[groups]]
|
|
||||||
name = "<%= $name %>"
|
|
||||||
gidnumber = <%= $gidnumber %>
|
|
||||||
<% if $includegroups.length > 0 { %>includegroups = [<% $includegroups.each |Integer $group| { %><%= $group %>, <% } %>]<% } %>
|
|
||||||
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
[[users]]
|
|
||||||
name = "<%= $name %>"
|
|
||||||
mail = "<%= $mail %>"
|
|
||||||
uidnumber = <%= $uidnumber %>
|
|
||||||
primarygroup = <%= $primarygroup %>
|
|
||||||
passsha256 = "<%= $passsha256 %>"
|
|
||||||
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
[[users]]
|
|
||||||
name = "<%= $name %>"
|
|
||||||
<% if $givenname != '' { %>givenname = "<%= $givenname %>"<% } %>
|
|
||||||
<% if $sn != '' { %>sn = "<%= $sn %>"<% } %>
|
|
||||||
mail = "<%= $mail %>"
|
|
||||||
uidnumber = <%= $uidnumber %>
|
|
||||||
primarygroup = <%= $primarygroup %>
|
|
||||||
<% if $loginshell != '' { %>loginShell = "<%= $loginshell %>"<% } %>
|
|
||||||
<% if $homedir != '' { %>homeDir = "<%= $homedir %>"<% } %>
|
|
||||||
passsha256 = "<%= $passsha256 %>"
|
|
||||||
<% if $sshkeys.length > 0 { %>sshkeys = [<% $sshkeys.each |String $key| { %>"<%= $key %>", <% } %>]<% } %>
|
|
||||||
<% if $passappsha256.length > 0 { %>passappsha256 = [<% $passappsha256.each |String $pass| { %>"<%= $pass %>", <% } %>]<% } %>
|
|
||||||
othergroups = <%= $othergroups %>
|
|
||||||
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=GLAuth Service
|
|
||||||
After=network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
User=<%= $user %>
|
|
||||||
Group=<%= $group %>
|
|
||||||
ExecStart=<%= $bin_path %> -c <%= $config_path %>
|
|
||||||
Restart=always
|
|
||||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
Also=<%= $service_name %>.socket
|
|
||||||
@@ -1,11 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=GLAuth Socket
|
|
||||||
|
|
||||||
[Socket]
|
|
||||||
ListenStream=<%= $ldap_port %>
|
|
||||||
ListenStream=<%= $ldaps_port %>
|
|
||||||
ListenStream=<%= $api_port %>
|
|
||||||
NoDelay=true
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=sockets.target
|
|
||||||
@@ -1,11 +0,0 @@
|
|||||||
# manage jellyfin
|
|
||||||
class jellyfin (
|
|
||||||
$packages = $jellyfin::params::packages,
|
|
||||||
$service_enable = $jellyfin::params::service_enable,
|
|
||||||
) inherits jellyfin::params {
|
|
||||||
|
|
||||||
include jellyfin::install
|
|
||||||
include jellyfin::service
|
|
||||||
|
|
||||||
Class['jellyfin::install'] -> Class['jellyfin::service']
|
|
||||||
}
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
# install jellyfin
|
|
||||||
class jellyfin::install (
|
|
||||||
$packages = $jellyfin::packages,
|
|
||||||
) {
|
|
||||||
|
|
||||||
$_packages = $packages ? {
|
|
||||||
Array => true,
|
|
||||||
default => false,
|
|
||||||
}
|
|
||||||
|
|
||||||
if $_packages {
|
|
||||||
ensure_packages($packages, {ensure => 'installed'})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
# jellyfin params
|
|
||||||
class jellyfin::params (
|
|
||||||
Array[String] $packages = [
|
|
||||||
'jellyfin',
|
|
||||||
'jellyfin-web',
|
|
||||||
'jellyfin-server',
|
|
||||||
'SDL2',
|
|
||||||
'ffmpeg',
|
|
||||||
'ffmpeg-devel',
|
|
||||||
],
|
|
||||||
String $service_name = 'jellyfin',
|
|
||||||
Boolean $service_enable = true,
|
|
||||||
) { }
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
# manage jellyfin service
|
|
||||||
class jellyfin::service (
|
|
||||||
$service_enable = $jellyfin::service_enable,
|
|
||||||
$service_name = $jellyfin::service_name,
|
|
||||||
) {
|
|
||||||
service{$service_name:
|
|
||||||
ensure => $service_enable,
|
|
||||||
enable => $service_enable,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
require 'facter'
|
|
||||||
|
|
||||||
Facter.add(:jellyfin_migration_done) do
|
|
||||||
setcode do
|
|
||||||
File.exist?('/etc/sysconfig/jellyfin_migration_done')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
@@ -9,37 +9,19 @@ class networking (
|
|||||||
include network
|
include network
|
||||||
include networking::params
|
include networking::params
|
||||||
|
|
||||||
# manage interfaces
|
|
||||||
$interfaces.each | $interface, $data | {
|
$interfaces.each | $interface, $data | {
|
||||||
$merged_data = merge($interface_defaults, $data)
|
$merged_data = merge($interface_defaults, $data)
|
||||||
network_config { $interface:
|
network_config {$interface:
|
||||||
* => $merged_data,
|
* => $merged_data,
|
||||||
notify => Exec['networking_reload_network'],
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# manage routes
|
|
||||||
$routes.each | $route, $data | {
|
$routes.each | $route, $data | {
|
||||||
$merged_data = merge($route_defaults, $data)
|
$merged_data = merge($route_defaults, $data)
|
||||||
network_route { $route:
|
network_route {$route:
|
||||||
* => $merged_data,
|
* => $merged_data,
|
||||||
notify => Exec['networking_reload_network'],
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# determine which networking service to restart
|
|
||||||
$restart_command = $facts['os']['family'] ? {
|
|
||||||
'RedHat' => '/usr/bin/systemctl restart network',
|
|
||||||
'Debian' => '/usr/bin/systemctl restart networking',
|
|
||||||
default => fail('Unsupported OS in networking-restart-command'),
|
|
||||||
}
|
|
||||||
|
|
||||||
# restart network/networking only if $restart_networking boolean is true
|
|
||||||
exec { 'networking_reload_network':
|
|
||||||
command => $restart_command,
|
|
||||||
refreshonly => true,
|
|
||||||
}
|
|
||||||
|
|
||||||
# prevent DNS from being overwritten by networkmanager
|
# prevent DNS from being overwritten by networkmanager
|
||||||
if $networking::params::nwmgr_dns_none {
|
if $networking::params::nwmgr_dns_none {
|
||||||
file {'/etc/NetworkManager/conf.d/dns_none.conf':
|
file {'/etc/NetworkManager/conf.d/dns_none.conf':
|
||||||
|
|||||||
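Review bot: On the new side the `network_config` and `network_route` declarations no longer carry `notify => Exec['networking_reload_network']`, and the `$restart_command` selector and the `exec { 'networking_reload_network': ... }` resource that applied the written files are gone, so a changed interface or route file is written to disk but not activated until the network service is restarted by some other means. If that is the intent (for example to avoid dropping the management connection mid-run), the new code should say so where the resources are declared, e.g. `# interface/route files are written only; the network service is restarted out of band`. Otherwise a reader of this class will assume the change takes effect on the same run. The networking class begins before and ends after this hunk.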
@@ -1,6 +0,0 @@
|
|||||||
class nzbget::config (
|
|
||||||
$user = $nzbget::params::user,
|
|
||||||
$group = $nzbget::params::group,
|
|
||||||
) {
|
|
||||||
# todo
|
|
||||||
}
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
# manage nzbget
|
|
||||||
class nzbget (
|
|
||||||
$packages = $nzbget::params::packages,
|
|
||||||
$user = $nzbget::params::user,
|
|
||||||
$group = $nzbget::params::group,
|
|
||||||
$manage_group = $nzbget::params::manage_group,
|
|
||||||
$service_enable = $nzbget::params::service_enable,
|
|
||||||
$service_name = $nzbget::params::service_name,
|
|
||||||
$bind_address = $sonarr::params::bind_address,
|
|
||||||
$port = $sonarr::params::port,
|
|
||||||
) inherits nzbget::params {
|
|
||||||
|
|
||||||
include nzbget::install
|
|
||||||
include nzbget::config
|
|
||||||
include nzbget::service
|
|
||||||
|
|
||||||
Class['nzbget::install'] -> Class['nzbget::config'] -> Class['nzbget::service']
|
|
||||||
}
|
|
||||||
@@ -1,29 +0,0 @@
|
|||||||
# instsall nzbget
|
|
||||||
class nzbget::install (
|
|
||||||
$packages = $nzbget::packages,
|
|
||||||
$user = $nzbget::user,
|
|
||||||
$group = $nzbget::group,
|
|
||||||
$manage_group = $nzbget::manage_group,
|
|
||||||
) {
|
|
||||||
|
|
||||||
$_packages = $packages ? {
|
|
||||||
Array => true,
|
|
||||||
default => false,
|
|
||||||
}
|
|
||||||
|
|
||||||
if $_packages {
|
|
||||||
ensure_packages($packages, {ensure => 'installed'})
|
|
||||||
}
|
|
||||||
|
|
||||||
if $manage_group {
|
|
||||||
group { $group:
|
|
||||||
ensure => present,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
user { $user:
|
|
||||||
ensure => present,
|
|
||||||
shell => '/sbin/nologin',
|
|
||||||
groups => $group,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,11 +0,0 @@
|
|||||||
# nzbget params
|
|
||||||
class nzbget::params (
|
|
||||||
Array[String] $packages = [
|
|
||||||
'nzbget'
|
|
||||||
],
|
|
||||||
String $user = 'nzbget',
|
|
||||||
String $group = 'nzbget',
|
|
||||||
Boolean $manage_group = true,
|
|
||||||
Stdlib::Host $bind_address = '127.0.0.1',
|
|
||||||
Stdlib::Port $port = 6789,
|
|
||||||
) { }
|
|
||||||
@@ -1,17 +0,0 @@
|
|||||||
# manage nzbget service
|
|
||||||
class nzbget::service (
|
|
||||||
$service_enable = $nzbget::service_enable,
|
|
||||||
$service_name = $nzbget::service_name,
|
|
||||||
$user = $nzbget::user,
|
|
||||||
$group = $nzbget::group,
|
|
||||||
) {
|
|
||||||
if $service_enable {
|
|
||||||
include ::systemd
|
|
||||||
|
|
||||||
systemd::unit_file { "${service_name}.service":
|
|
||||||
content => template('nzbget/nzbget.service.erb'),
|
|
||||||
enable => true,
|
|
||||||
active => true,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
File diff suppressed because it is too large
@@ -1,17 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=<%= @service_name %> Daemon
|
|
||||||
Documentation=http://nzbget.com/documentation/
|
|
||||||
After=network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
User=<%= @user %>
|
|
||||||
Group=<%= @group %>
|
|
||||||
WorkingDirectory=/var/lib/nzbget
|
|
||||||
ExecStart=/usr/bin/nzbget -s -c /var/lib/nzbget/nzbget.conf -o OutputMode=log -o WriteLog=none
|
|
||||||
ExecReload=/usr/bin/nzbget -O -c /var/lib/nzbget/nzbget.conf
|
|
||||||
ExecStop=/usr/bin/nzbget -Q -c /var/lib/nzbget/nzbget.conf
|
|
||||||
Restart=on-failure
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
@@ -16,7 +16,7 @@ class profiles::cobbler::service inherits profiles::cobbler::params {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# ensure tftp is running
|
# ensure tftp is running
|
||||||
service {'tftp.socket':
|
service {'tftp':
|
||||||
ensure => 'running',
|
ensure => 'running',
|
||||||
enable => true,
|
enable => true,
|
||||||
require => Package['cobbler'],
|
require => Package['cobbler'],
|
||||||
|
|||||||
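Review bot: The reason for managing `tftp` instead of `tftp.socket` is not recorded, and the comment above it still reads only `# ensure tftp is running`. On distributions where tftp.service is socket-activated (the EL tftp-server unit, as I recall, reads from the socket and declares a dependency on tftp.socket), whether enabling the service alone leaves a listener active after a reboot depends on the unit's [Install] section, so it is worth verifying on the cobbler host and recording the outcome next to the resource, e.g. `# ensure tftp is running; the service unit is managed directly and pulls tftp.socket in itself` if that proves to be the case. The class profiles::cobbler::service begins before this hunk.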
@@ -48,7 +48,6 @@ class profiles::haproxy::server (
|
|||||||
require => Class['profiles::haproxy::selinux']
|
require => Class['profiles::haproxy::selinux']
|
||||||
}
|
}
|
||||||
|
|
||||||
include certbot::client # download certbot certs
|
|
||||||
include profiles::haproxy::certlist # manage the certificate list file
|
include profiles::haproxy::certlist # manage the certificate list file
|
||||||
include profiles::haproxy::mappings # manage the domain to backend mappings
|
include profiles::haproxy::mappings # manage the domain to backend mappings
|
||||||
include profiles::haproxy::ls_stats # default status listener
|
include profiles::haproxy::ls_stats # default status listener
|
||||||
|
|||||||
@@ -1,21 +0,0 @@
|
|||||||
# profiles::ldap::server
|
|
||||||
class profiles::ldap::server (
|
|
||||||
Hash $users = lookup('glauth::users', { default_value => {} }),
|
|
||||||
Hash $services = lookup('glauth::services', { default_value => {} }),
|
|
||||||
Hash $groups = lookup('glauth::groups', { default_value => {} }),
|
|
||||||
) {
|
|
||||||
|
|
||||||
Glauth::Obj::User {
|
|
||||||
config_path => '/etc/glauth/glauth.conf',
|
|
||||||
}
|
|
||||||
Glauth::Obj::Service {
|
|
||||||
config_path => '/etc/glauth/glauth.conf',
|
|
||||||
}
|
|
||||||
Glauth::Obj::Group {
|
|
||||||
config_path => '/etc/glauth/glauth.conf',
|
|
||||||
}
|
|
||||||
|
|
||||||
create_resources('glauth::obj::user', $users)
|
|
||||||
create_resources('glauth::obj::service', $services)
|
|
||||||
create_resources('glauth::obj::group', $groups)
|
|
||||||
}
|
|
||||||
@@ -1,116 +0,0 @@
|
|||||||
# profiles::media::jellyfin
|
|
||||||
class profiles::media::jellyfin (
|
|
||||||
Stdlib::Absolutepath $media_root = '/shared/media',
|
|
||||||
Stdlib::Absolutepath $data_dir = '/data/jellyfin',
|
|
||||||
Stdlib::Absolutepath $lib_dir = '/data/jellyfin/var/lib',
|
|
||||||
Stdlib::Absolutepath $cache_dir = '/data/jellyfin/var/cache',
|
|
||||||
Stdlib::Absolutepath $config_dir = '/data/jellyfin/etc',
|
|
||||||
Stdlib::Absolutepath $log_dir = '/data/jellyfin/var/log',
|
|
||||||
Stdlib::Absolutepath $sysconfig_file = '/etc/sysconfig/jellyfin',
|
|
||||||
Stdlib::Absolutepath $migration_flag = '/etc/sysconfig/jellyfin_migration_done',
|
|
||||||
String $service_name = 'jellyfin',
|
|
||||||
Boolean $migrate_data = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
include profiles::ceph::client
|
|
||||||
|
|
||||||
# manage the sharedvol
|
|
||||||
profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media":
|
|
||||||
mount => $media_root,
|
|
||||||
keyring => '/etc/ceph/ceph.client.media.keyring',
|
|
||||||
cephfs_name => 'media',
|
|
||||||
cephfs_fs => 'mediafs',
|
|
||||||
require => Profiles::Ceph::Keyring['media'],
|
|
||||||
}
|
|
||||||
|
|
||||||
# export haproxy balancemember
|
|
||||||
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
|
|
||||||
service => 'be_jellyfin',
|
|
||||||
ports => [443],
|
|
||||||
options => [
|
|
||||||
"cookie ${facts['networking']['hostname']}",
|
|
||||||
'ssl',
|
|
||||||
'verify none',
|
|
||||||
'check',
|
|
||||||
'inter 2s',
|
|
||||||
'rise 3',
|
|
||||||
'fall 2',
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
mkdir::p {[$data_dir, $lib_dir, $cache_dir, $config_dir, $log_dir]:}
|
|
||||||
-> file { [$data_dir, $lib_dir, $cache_dir, $config_dir, $log_dir]:
|
|
||||||
ensure => directory,
|
|
||||||
owner => 'jellyfin',
|
|
||||||
group => 'jellyfin',
|
|
||||||
mode => '0755',
|
|
||||||
}
|
|
||||||
|
|
||||||
if $migrate_data and ! $facts['jellyfin_migration_done'] {
|
|
||||||
|
|
||||||
exec { "stop-${service_name}":
|
|
||||||
command => "/usr/bin/systemctl stop ${service_name}",
|
|
||||||
require => File[$sysconfig_file],
|
|
||||||
}
|
|
||||||
|
|
||||||
exec { 'move-jellyfin-lib':
|
|
||||||
command => "/usr/bin/rsync -av /var/lib/jellyfin/ ${lib_dir}/ && rm -rf /var/lib/jellyfin",
|
|
||||||
creates => "${lib_dir}/config",
|
|
||||||
require => [File[$lib_dir], Exec["stop-${service_name}"]],
|
|
||||||
}
|
|
||||||
|
|
||||||
exec { 'move-jellyfin-cache':
|
|
||||||
command => "/usr/bin/rsync -av /var/cache/jellyfin/ ${cache_dir}/ && rm -rf /var/cache/jellyfin",
|
|
||||||
creates => "${cache_dir}/config",
|
|
||||||
require => [File[$cache_dir], Exec["stop-${service_name}"]],
|
|
||||||
}
|
|
||||||
|
|
||||||
exec { 'move-jellyfin-config':
|
|
||||||
command => "/usr/bin/rsync -av /etc/jellyfin/ ${config_dir}/ && rm -rf /etc/jellyfin",
|
|
||||||
creates => "${config_dir}/config",
|
|
||||||
require => [File[$config_dir], Exec["stop-${service_name}"]],
|
|
||||||
}
|
|
||||||
|
|
||||||
exec { 'move-jellyfin-log':
|
|
||||||
command => "/usr/bin/rsync -av /var/log/jellyfin/ ${log_dir}/ && rm -rf /var/log/jellyfin",
|
|
||||||
creates => "${log_dir}/config",
|
|
||||||
require => [File[$log_dir], Exec["stop-${service_name}"]],
|
|
||||||
}
|
|
||||||
|
|
||||||
exec { 'create-migration-flag':
|
|
||||||
command => "/usr/bin/touch ${migration_flag}",
|
|
||||||
creates => $migration_flag,
|
|
||||||
require => [
|
|
||||||
Exec['move-jellyfin-lib'],
|
|
||||||
Exec['move-jellyfin-cache'],
|
|
||||||
Exec['move-jellyfin-config'],
|
|
||||||
Exec['move-jellyfin-log']
|
|
||||||
],
|
|
||||||
}
|
|
||||||
|
|
||||||
exec { "start-${service_name}":
|
|
||||||
command => "/usr/bin/systemctl start ${service_name}",
|
|
||||||
require => Exec['create-migration-flag'],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
file { $sysconfig_file:
|
|
||||||
ensure => file,
|
|
||||||
content => template('profiles/jellyfin/sysconfig.erb'),
|
|
||||||
notify => [
|
|
||||||
Systemd::Daemon_reload["${service_name}_service"],
|
|
||||||
Service[$service_name]
|
|
||||||
],
|
|
||||||
}
|
|
||||||
|
|
||||||
file { '/etc/systemd/system/jellyfin.service.d/override.conf':
|
|
||||||
ensure => file,
|
|
||||||
content => template('profiles/jellyfin/override.conf.erb'),
|
|
||||||
notify => [
|
|
||||||
Systemd::Daemon_reload["${service_name}_service"],
|
|
||||||
Service[$service_name]
|
|
||||||
],
|
|
||||||
}
|
|
||||||
|
|
||||||
systemd::daemon_reload {"${service_name}_service":}
|
|
||||||
}
|
|
||||||
@@ -1,31 +0,0 @@
|
|||||||
# profiles::media::nzbget
|
|
||||||
class profiles::media::nzbget (
|
|
||||||
Stdlib::Absolutepath $media_root = '/shared/media',
|
|
||||||
) {
|
|
||||||
|
|
||||||
include profiles::ceph::client
|
|
||||||
|
|
||||||
# manage the sharedvol
|
|
||||||
profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media":
|
|
||||||
mount => $media_root,
|
|
||||||
keyring => '/etc/ceph/ceph.client.media.keyring',
|
|
||||||
cephfs_name => 'media',
|
|
||||||
cephfs_fs => 'mediafs',
|
|
||||||
require => Profiles::Ceph::Keyring['media'],
|
|
||||||
}
|
|
||||||
|
|
||||||
# export haproxy balancemember
|
|
||||||
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
|
|
||||||
service => 'be_nzbget',
|
|
||||||
ports => [443],
|
|
||||||
options => [
|
|
||||||
"cookie ${facts['networking']['hostname']}",
|
|
||||||
'ssl',
|
|
||||||
'verify none',
|
|
||||||
'check',
|
|
||||||
'inter 2s',
|
|
||||||
'rise 3',
|
|
||||||
'fall 2',
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -3,9 +3,9 @@
|
|||||||
# these exporters will be setup on all nodes
|
# these exporters will be setup on all nodes
|
||||||
class profiles::metrics::default (
|
class profiles::metrics::default (
|
||||||
Boolean $node_exporter = true,
|
Boolean $node_exporter = true,
|
||||||
Boolean $systemd_exporter = false,
|
Boolean $systemd_exporter = true,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
if $node_exporter { include prometheus::node_exporter }
|
include prometheus::node_exporter
|
||||||
if $systemd_exporter { include prometheus::systemd_exporter }
|
include prometheus::systemd_exporter
|
||||||
}
|
}
|
||||||
|
|||||||
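Review bot: With the `if` guards removed on the new side, `include prometheus::node_exporter` and `include prometheus::systemd_exporter` run unconditionally, so the `$node_exporter` and `$systemd_exporter` parameters (the latter just defaulted to true) no longer affect anything and a Hiera override of either is silently ignored. Either keep the guards, `if $node_exporter { include prometheus::node_exporter }` and `if $systemd_exporter { include prometheus::systemd_exporter }`, or drop the two parameters so the class interface matches its behaviour. If the intent is that both exporters are always present, the second option is the smaller surface and the existing header comment already describes it.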
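--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,239 +0,0 @@
-# Class: profiles::metrics::exportarr
-#
-# This module manages exportarr for Prometheus metrics.
-#
-# @param arch
-# Architecture (amd64 or i386)
-#
-# @param bin_dir
-# Directory where binaries are located
-#
-# @param config_mode
-# The permissions of the configuration files
-#
-# @param download_extension
-# Extension for the release binary archive
-#
-# @param download_url
-# Complete URL where the release binary archive can be downloaded
-#
-# @param download_url_base
-# Base URL for the binary archive
-#
-# @param extra_groups
-# Extra groups to add the binary user to
-#
-# @param extra_options
-# Extra options added to the startup command
-#
-# @param env_vars
-# The environment variables to pass to the daemon
-#
-# @param group
-# Group under which the binary is running
-#
-# @param init_style
-# Service startup scripts style (e.g. rc, upstart or systemd)
-#
-# @param install_method
-# Installation method: url or package (only url is supported currently)
-#
-# @param manage_group
-# Whether to create a group or rely on external code for that
-#
-# @param manage_service
-# Should Puppet manage the service? (default true)
-#
-# @param manage_user
-# Whether to create user or rely on external code for that
-#
-# @param os
-# Operating system (linux is the only one supported)
-#
-# @param package_ensure
-# If package, then use this for package ensure (default 'latest')
-#
-# @param package_name
-# The binary package name - not available yet
-#
-# @param purge_config_dir
-# Purge config files no longer generated by Puppet
-#
-# @param restart_on_change
-# Should Puppet restart the service on configuration change? (default true)
-#
-# @param service_enable
-# Whether to enable the service from Puppet (default true)
-#
-# @param service_ensure
-# State ensured for the service (default 'running')
-#
-# @param service_name
-# Name of the exportarr service (default 'exportarr')
-#
-# @param user
-# User which runs the service
-#
-# @param version
-# The binary release version
-#
-# @param export_scrape_job
-# Whether to export a `prometheus::scrape_job` to PuppetDB for
-# collecting on your Prometheus server.
-#
-# @param scrape_job_name
-# The name of the scrape job. When configuring Prometheus with this
-# Puppet module, the jobs to be collected are configured with
-# `prometheus::collect_scrape_jobs`.
-#
-# @param scrape_port
-# The port to use in the scrape job. This won't normally need to be
-# changed unless you run the exporter with a non-default port by
-# overriding `extra_options`.
-#
-# @param scrape_job_labels
-# Labels to configure on the scrape job. If not set, the
-# `prometheus::daemon` default (`{ 'alias' => $scrape_host }`) will
-# be used.
-#
-# @param proxy_server
-# Optional proxy server, with port number if needed, e.g., https://example.com:8080
-#
-# @param proxy_type
-# Optional proxy server type (none|http|https|ftp)
-#
-# @param app
-# Application name (e.g., sonarr, radarr, or lidarr)
-#
-# @param config_path
-# Path to Sonarr, Radarr, or Lidarr's config.xml (advanced)
-#
-# @param api_key
-# API Key for Sonarr, Radarr, or Lidarr
-#
-# @param api_key_file
-# API Key file location for Sonarr, Radarr, or Lidarr
-#
-# @param interface
-# The interface IP Exportarr will listen on
-#
-# @param enable_additional_metrics
-# Set to true to enable gathering of additional metrics (slow)
-
-class profiles::metrics::exportarr (
-Optional[Stdlib::HTTPSUrl] $download_url = undef,
-Array[String[1]] $extra_groups = [],
-String[1] $group = 'exportarr',
-String[1] $package_ensure = 'latest',
-String[1] $package_name = 'exportarr',
-String[1] $user = 'exportarr',
-String[1] $version = '2.0.1',
-Boolean $purge_config_dir = true,
-Boolean $restart_on_change = true,
-Boolean $service_enable = true,
-String[1] $service_ensure = 'running',
-String[1] $service_name = 'exportarr',
-Prometheus::Initstyle $init_style = $facts['service_provider'],
-Prometheus::Install $install_method = 'url',
-Boolean $manage_group = true,
-Boolean $manage_service = true,
-Boolean $manage_user = true,
-String[1] $os = downcase($facts['kernel']),
-Optional[String[1]] $extra_options = undef,
-Hash[String, Scalar] $env_vars = {},
-String $download_extension = 'tar.gz',
-Stdlib::HTTPSUrl $download_url_base = 'https://github.com/onedr0p/exportarr/releases',
-String[1] $config_mode = '0640',
-String[1] $arch = $facts['os']['architecture'],
-Stdlib::Absolutepath $bin_dir = '/usr/local/bin',
-Boolean $export_scrape_job = false,
-Stdlib::Port $scrape_port = 9707,
-Stdlib::Port $app_port = 8000,
-Stdlib::Host $app_addr = '127.0.0.1',
-String[1] $scrape_job_name = 'exportarr',
-Optional[Hash] $scrape_job_labels = undef,
-Optional[String[1]] $proxy_server = undef,
-Optional[Enum['none', 'http', 'https', 'ftp']] $proxy_type = undef,
-String[1] $app = 'sonarr',
-Optional[Stdlib::Absolutepath] $config_path = undef,
-String[1] $api_key = '',
-Optional[Stdlib::Absolutepath] $api_key_file = undef,
-Optional[Stdlib::IP::Address::V4] $interface = undef,
-Boolean $enable_additional_metrics = false,
-) {
-
-$real_arch = $arch ? {
-'x86_64' => 'amd64',
-'i386' => '386',
-'aarch64' => 'arm64',
-'armv7l' => 'armv7',
-'armv6l' => 'armv6',
-'armv5l' => 'armv5',
-default => $arch,
-}
-# Construct the real download URL if not provided
-$real_download_url = pick(
-$download_url,
-"${download_url_base}/download/v${version}/${package_name}_${version}_${os}_${real_arch}.${download_extension}"
-)
-
-# Determine if the service should be notified
-$notify_service = $restart_on_change ? {
-true => Service[$service_name],
-default => undef,
-}
-
-# Define the startup options
-$startup_options = [
-$app,
-"--port ${scrape_port}",
-"--url http://${app_addr}:${app_port}",
-"--api-key ${api_key}",
-$extra_options,
-]
-
-# Add advanced options if provided
-unless $config_path == undef {
-$startup_options = concat($startup_options, ["--config ${config_path}"])
-}
-unless $api_key_file == undef {
-$startup_options = concat($startup_options, ["--api-key-file ${api_key_file}"])
-}
-unless $interface == undef {
-$startup_options = concat($startup_options, ["--interface ${interface}"])
-}
-if $enable_additional_metrics {
-$startup_options = concat($startup_options, ['--enable-additional-metrics'])
-}
-
-prometheus::daemon { $service_name:
-install_method => $install_method,
-version => $version,
-download_extension => $download_extension,
-os => $os,
-arch => $arch,
-real_download_url => $real_download_url,
-bin_dir => $bin_dir,
-notify_service => $notify_service,
-package_name => $package_name,
-package_ensure => $package_ensure,
-manage_user => $manage_user,
-user => $user,
-extra_groups => $extra_groups,
-group => $group,
-manage_group => $manage_group,
-purge => $purge_config_dir,
-options => join($startup_options, ' '),
-env_vars => $env_vars,
-init_style => $init_style,
-service_ensure => $service_ensure,
-service_enable => $service_enable,
-manage_service => $manage_service,
-export_scrape_job => $export_scrape_job,
-scrape_port => $scrape_port,
-scrape_job_name => $scrape_job_name,
-scrape_job_labels => $scrape_job_labels,
-proxy_server => $proxy_server,
-proxy_type => $proxy_type,
-}
-}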
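--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,72 +0,0 @@
-class profiles::nginx::ldapauth (
-Stdlib::AbsolutePath $bin_path = '/usr/local/bin/nginx-ldap-auth',
-Stdlib::AbsolutePath $env_path = '/etc/default/nginx-ldap-auth',
-String $user = 'nginx-ldap-auth',
-String $group = 'nginx-ldap-auth',
-Boolean $systempkgs = false,
-String $version = 'system',
-Hash $packages = {
-'python3.11-ldap' => { ensure => 'present' }
-}
-){
-
-
-if $::facts['python3_version'] {
-
-$python_version = $version ? {
-'system' => $::facts['python3_version'],
-default => $version,
-}
-
-ensure_resources('package', $packages)
-
-# Deploy the default configuration file using a template
-file { $env_path:
-ensure => file,
-content => template('profiles/ldapauth/nginx-ldap-auth.default.erb'),
-}
-
-# Deploy the daemon script using a template
-file { $bin_path:
-ensure => file,
-content => template('profiles/ldapauth/nginx-ldap-auth-daemon.py.erb'),
-mode => '0755',
-}
-
-# Manage user and group
-group { $group:
-ensure => present,
-system => true,
-}
-
-user { $user:
-ensure => present,
-comment => 'nginx-ldap-auth helper',
-gid => $group,
-shell => '/sbin/nologin',
-system => true,
-require => Group[$group],
-}
-
-# Create log directory for nginx-ldap-auth
-file { '/var/log/nginx-ldap-auth':
-ensure => directory,
-owner => $user,
-group => $group,
-mode => '0755',
-require => User[$user],
-}
-
-# Ensure the systemd service is enabled and started
-systemd::unit_file { 'nginx-ldap-auth.service':
-content => template('profiles/ldapauth/nginx-ldap-auth.service.erb'),
-enable => true,
-active => true,
-require => [
-File[$bin_path],
-File[$env_path],
-User[$user],
-],
-}
-}
-}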
@@ -12,8 +12,6 @@ class profiles::nginx::simpleproxy (
|
|||||||
Stdlib::Port $proxy_port = 80,
|
Stdlib::Port $proxy_port = 80,
|
||||||
Stdlib::Host $proxy_host = $facts['networking']['ip'],
|
Stdlib::Host $proxy_host = $facts['networking']['ip'],
|
||||||
String $proxy_path = '/',
|
String $proxy_path = '/',
|
||||||
Boolean $use_default_location = true,
|
|
||||||
Hash $locations = {},
|
|
||||||
) {
|
) {
|
||||||
|
|
||||||
# if nginx_version isnt set, install nginx
|
# if nginx_version isnt set, install nginx
|
||||||
@@ -85,7 +83,7 @@ class profiles::nginx::simpleproxy (
|
|||||||
$defaults = {
|
$defaults = {
|
||||||
'listen_port' => $listen_port,
|
'listen_port' => $listen_port,
|
||||||
'server_name' => $server_names,
|
'server_name' => $server_names,
|
||||||
'use_default_location' => $use_default_location,
|
'use_default_location' => true,
|
||||||
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
|
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
|
||||||
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
|
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
|
||||||
'autoindex' => 'on',
|
'autoindex' => 'on',
|
||||||
@@ -99,30 +97,12 @@ class profiles::nginx::simpleproxy (
|
|||||||
# merge the hashes conditionally
|
# merge the hashes conditionally
|
||||||
$nginx_parameters = merge($defaults, $extras_hash)
|
$nginx_parameters = merge($defaults, $extras_hash)
|
||||||
|
|
||||||
mkdir::p {'/var/cache/nginx':
|
|
||||||
before => Class['nginx'],
|
|
||||||
}
|
|
||||||
|
|
||||||
# manage the nginx class
|
# manage the nginx class
|
||||||
class { 'nginx':
|
include 'nginx'
|
||||||
proxy_cache_path => {
|
|
||||||
'/var/cache/nginx/cache' => 'cache:128m',
|
|
||||||
},
|
|
||||||
proxy_cache_levels => '1:2',
|
|
||||||
proxy_cache_keys_zone => 'cache:128m',
|
|
||||||
proxy_cache_max_size => '1024m',
|
|
||||||
proxy_cache_inactive => '10m',
|
|
||||||
proxy_temp_path => '/var/cache/nginx/cache_temp',
|
|
||||||
}
|
|
||||||
|
|
||||||
# create the nginx vhost with the merged parameters
|
# create the nginx vhost with the merged parameters
|
||||||
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
|
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
|
||||||
|
|
||||||
# create nginx locations
|
|
||||||
if $use_default_location == false {
|
|
||||||
create_resources('nginx::resource::location', $locations)
|
|
||||||
}
|
|
||||||
|
|
||||||
# manage selinux
|
# manage selinux
|
||||||
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
|
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
|
||||||
|
|
||||||
|
|||||||
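Review bot: The third hunk replaces the resource-like `class { 'nginx': proxy_cache_path => ..., proxy_cache_keys_zone => 'cache:128m', ... }` with `include 'nginx'`, so the `cache` keys zone and the `/var/cache/nginx` directory are no longer set up by this profile; if any server or location still managed by this class (the rest of it lies outside these hunks) references `proxy_cache cache`, nginx will refuse to start because the zone is undefined, so that is worth confirming before merge. Dropping `$use_default_location` and `$locations` in the first hunk while hard-coding `'use_default_location' => true` in the second is internally consistent, but a one-line comment above the `include` saying where the cache settings now come from, if they are still wanted, would save the next reader a search. Style-wise, puppet-lint's convention is the unquoted form `include nginx`.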
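--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,17 @@
+# profiles::openldap::params
+class profiles::openldap::params (
+String $rootdn,
+String $rootpw,
+String $database = 'dc=domain,dc=tld',
+Array[Hash] $syncrepl = [],
+Boolean $multiprovider = true,
+Stdlib::Absolutepath $data_path = '/opt/ldap',
+Stdlib::Absolutepath $ssl_cert = '/etc/pki/tls/vault/certificate.crt',
+Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
+Stdlib::Absolutepath $ssl_ca = '/etc/pki/ca-trust/source/anchors/vaultcaroot.pem',
+Stdlib::Absolutepath $db_config_path = "${data_path}/DB_CONFIG",
+String $cache_size_gb = '1G',
+String $log_buffer_size_mb = '8M',
+String $log_max_size_mb = '100M',
+Stdlib::Absolutepath $log_dir = '/var/lib/ldap/logs',
+){}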
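Review bot: `String $rootpw` at the top of the parameter list carries the directory manager password as a plain string, so it ends up readable in the compiled catalog, agent reports and `puppet lookup` output; declaring it as `Sensitive[String] $rootpw` keeps it redacted in those places, provided the consumer (`openldap::server::database` in the companion class) accepts a Sensitive value for the pinned puppet-openldap version — worth confirming. The class also has no documentation beyond its name: a `# @param` line each for `$rootdn`, `$rootpw` and the three SSL paths would make the required inputs obvious to whoever writes the Hiera data, and a note that the `'dc=domain,dc=tld'` default for `$database` is a placeholder to be overridden would stop it being deployed verbatim.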
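--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,183 @@
+# profiles::openldap::init
+class profiles::openldap::server (
+$database = $profiles::openldap::params::database,
+$syncrepl = $profiles::openldap::params::syncrepl,
+$multiprovider = $profiles::openldap::params::multiprovider,
+$data_path = $profiles::openldap::params::data_path,
+$ssl_cert = $profiles::openldap::params::ssl_cert,
+$ssl_key = $profiles::openldap::params::ssl_key,
+$ssl_ca = $profiles::openldap::params::ssl_ca,
+$rootdn = $profiles::openldap::params::rootdn,
+$rootpw = $profiles::openldap::params::rootpw,
+$db_config_path = $profiles::openldap::params::db_config_path,
+$cache_size_gb = $profiles::openldap::params::cache_size_gb,
+$log_dir = $profiles::openldap::params::log_dir,
+$log_max_size_mb = $profiles::openldap::params::log_max_size_mb,
+$log_buffer_size_mb = $profiles::openldap::params::log_buffer_size_mb,
+) inherits profiles::openldap::params {
+
+# ensure the path to $data_path exists
+mkdir::p {$data_path:}
+
+# if selinux is defined, manage it
+if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+# set slapd_db_t to all files under the data_path
+selinux::fcontext { $data_path:
+ensure => 'present',
+seltype => 'slapd_db_t',
+pathspec => "${data_path}(/.*)?",
+}
+
+exec { "restorecon_${data_path}":
+path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+command => "restorecon -Rv ${data_path}",
+refreshonly => true,
+subscribe => Selinux::Fcontext[$data_path],
+}
+
+}
+
+# manage the openldap server
+class { 'openldap::server':
+ldap_address => $facts['networking']['ip'],
+ldaps_address => $facts['networking']['ip'],
+ssl_cert => $ssl_cert,
+ssl_key => $ssl_key,
+ssl_ca => $ssl_ca,
+subscribe => [
+File[$ssl_key],
+File[$ssl_ca],
+],
+}
+
+openldap::server::database { $database:
+ensure => present,
+syncrepl => $syncrepl,
+directory => $data_path,
+rootdn => $rootdn,
+rootpw => $rootpw,
+mirrormode => true,
+}
+
+# manage modules
+openldap::server::module { 'memberof':
+ensure => present,
+}
+openldap::server::module { 'syncprov':
+ensure => present,
+}
+
+# manage overlays
+openldap::server::overlay { "memberof on ${database}":
+ensure => present,
+}
+
+# Update after 10 changes or 1 minute.
+# Ensure there's enough room for 1000 changes in the log.
+openldap::server::overlay { "syncprov on ${database}":
+ensure => present,
+options => {
+'olcSpCheckpoint' => '10 1',
+'olcSpSessionlog' => '100'
+},
+require => [
+Openldap::Server::Dbindex['entryCSN'],
+Openldap::Server::Dbindex['entryUUID'],
+Openldap::Server::Module['syncprov'],
+],
+}
+
+# add schemas
+openldap::server::schema { 'cosine':
+ensure => present,
+path => '/etc/openldap/schema/cosine.schema',
+}
+openldap::server::schema { 'inetorgperson':
+ensure => present,
+path => '/etc/openldap/schema/inetorgperson.schema',
+require => Openldap::Server::Schema['cosine'],
+}
+openldap::server::schema { 'nis':
+ensure => present,
+path => '/etc/openldap/schema/nis.ldif',
+require => Openldap::Server::Schema['inetorgperson'],
+}
+
+$acls = [
+{
+'to attrs=userPassword,shadowLastChange' => [
+"by dn=\"${rootdn}\" write",
+'by self write',
+'by anonymous auth',
+'by * none',
+],
+},
+{
+'to dn.base=""' => [
+'by * read',
+],
+},
+{
+'to *' => [
+"by dn=\"${rootdn}\" write",
+'by self write',
+'by users read',
+'by anonymous auth',
+'by * none',
+],
+},
+]
+openldap::server::access_wrapper { $database :
+acl => $acls,
+}
+
+# manage dbindex
+Openldap::Server::Dbindex {
+suffix => $database,
+}
+openldap::server::dbindex {
+'cn':
+attribute => 'cn',
+indices => 'eq,pres,sub';
+'uid':
+attribute => 'uid',
+indices => 'eq,pres,sub';
+'uidNumber':
+attribute => 'uidNumber',
+indices => 'eq,pres';
+'gidNumber':
+attribute => 'gidNumber',
+indices => 'eq,pres';
+'member':
+attribute => 'member',
+indices => 'eq,pres';
+'memberUid':
+attribute => 'memberUid',
+indices => 'eq,pres';
+'entryCSN':
+attribute => 'entryCSN',
+indices => 'eq,pres';
+'entryUUID':
+attribute => 'entryUUID',
+indices => 'eq,pres';
+}
+
+# manage DB_CONFIG
+file { $db_config_path:
+ensure => file,
+content => template('profiles/openldap/db_config.erb'),
+owner => 'ldap',
+group => 'ldap',
+mode => '0644',
+}
+
+file { $log_dir:
+ensure => directory,
+owner => 'ldap',
+group => 'ldap',
+mode => '0755',
+require => Class['openldap::server'],
+}
+
+}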
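Review bot: `$multiprovider` is accepted as a class parameter but never referenced in the body, and the database declaration hard-codes `mirrormode => true`, so setting `profiles::openldap::params::multiprovider: false` has no effect; `mirrormode => $multiprovider,` would make the parameter honest. The `subscribe` list on `class { 'openldap::server': }` covers `File[$ssl_key]` and `File[$ssl_ca]` but not `File[$ssl_cert]`, so a rotated certificate will not restart slapd, and all of those `File` resources must be declared elsewhere in the catalog or compilation fails — none of them is declared here. Because the `server` parameters are untyped, an override of `profiles::openldap::server::data_path` bypasses the `Stdlib::Absolutepath` check in `params` before the value is interpolated into the `restorecon -Rv ${data_path}` command and the fcontext `pathspec` regex; repeating the type on the `server` parameter closes that gap. Finally, the header comment says `profiles::openldap::init` while the class is `profiles::openldap::server`.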
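--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,8 +0,0 @@
-# Jellyfin systemd configuration options
-
-# Use this file to override the user or environment file location.
-
-[Service]
-#User = jellyfin
-EnvironmentFile = <%= @environment_file %>
-WorkingDirectory = <%= @lib_dir %>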
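--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,38 +0,0 @@
-# Jellyfin default configuration options
-
-# Use this file to override the default configurations; add additional
-# options with JELLYFIN_ADD_OPTS.
-
-# To override the user or this config file's location, use
-# /etc/systemd/system/jellyfin.service.d/override.conf
-
-#
-# This is a POSIX shell fragment
-#
-
-#
-# General options
-#
-
-# Program directories
-JELLYFIN_DATA_DIR="<%= @lib_dir %>"
-JELLYFIN_CONFIG_DIR="<%= @config_dir %>"
-JELLYFIN_LOG_DIR="<%= @log_dir %>"
-JELLYFIN_CACHE_DIR="<%= @cache_dir %>"
-
-# web client path, installed by the jellyfin-web package
-JELLYFIN_WEB_OPT="--webdir=/usr/share/jellyfin-web"
-
-# [OPTIONAL] ffmpeg binary paths, overriding the UI-configured values
-#JELLYFIN_FFMPEG_OPT="--ffmpeg=/usr/bin/ffmpeg"
-
-# [OPTIONAL] run Jellyfin as a headless service
-#JELLYFIN_SERVICE_OPT="--service"
-
-# [OPTIONAL] run Jellyfin without the web app
-#JELLYFIN_NOWEBAPP_OPT="--noautorunwebapp"
-
-# [OPTIONAL] run Jellyfin with ASP.NET Server Garbage Collection (uses more RAM and less CPU than Workstation GC)
-# 0 = Workstation
-# 1 = Server
-#COMPlus_gcServer=1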
@@ -1,351 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
''''[ -z $LOG ] && export LOG=/dev/stdout # '''
|
|
||||||
''''which python3.11 >/dev/null && exec python3.11 -u "$0" "$@" >> $LOG 2>&1 # '''
|
|
||||||
# Copyright (C) 2014-2022 Nginx, Inc.
|
|
||||||
|
|
||||||
import sys
|
|
||||||
import os
|
|
||||||
import signal
|
|
||||||
import base64
|
|
||||||
import ldap
|
|
||||||
from ldap.filter import escape_filter_chars
|
|
||||||
import argparse
|
|
||||||
|
|
||||||
if sys.version_info.major == 2:
|
|
||||||
from Cookie import BaseCookie
|
|
||||||
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
|
|
||||||
elif sys.version_info.major == 3:
|
|
||||||
from http.cookies import BaseCookie
|
|
||||||
from http.server import HTTPServer, BaseHTTPRequestHandler
|
|
||||||
|
|
||||||
if not hasattr(__builtins__, "basestring"): basestring = (str, bytes)
|
|
||||||
|
|
||||||
#Listen = ('localhost', 8888)
|
|
||||||
#Listen = "/tmp/auth.sock" # Also uncomment lines in 'Requests are
|
|
||||||
# processed with UNIX sockets' section below
|
|
||||||
|
|
||||||
# -----------------------------------------------------------------------------
|
|
||||||
# Different request processing models: select one
|
|
||||||
# -----------------------------------------------------------------------------
|
|
||||||
# Requests are processed in separate thread
|
|
||||||
import threading
|
|
||||||
|
|
||||||
if sys.version_info.major == 2:
|
|
||||||
from SocketServer import ThreadingMixIn
|
|
||||||
elif sys.version_info.major == 3:
|
|
||||||
from socketserver import ThreadingMixIn
|
|
||||||
|
|
||||||
class AuthHTTPServer(ThreadingMixIn, HTTPServer):
|
|
||||||
pass
|
|
||||||
# -----------------------------------------------------------------------------
|
|
||||||
# Requests are processed in separate process
|
|
||||||
#from SocketServer import ForkingMixIn
|
|
||||||
#class AuthHTTPServer(ForkingMixIn, HTTPServer):
|
|
||||||
# pass
|
|
||||||
# -----------------------------------------------------------------------------
|
|
||||||
# Requests are processed with UNIX sockets
|
|
||||||
#import threading
|
|
||||||
#from SocketServer import ThreadingUnixStreamServer
|
|
||||||
#class AuthHTTPServer(ThreadingUnixStreamServer, HTTPServer):
|
|
||||||
# pass
|
|
||||||
# -----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
class AuthHandler(BaseHTTPRequestHandler):
|
|
||||||
|
|
||||||
# Return True if request is processed and response sent, otherwise False
|
|
||||||
# Set ctx['user'] and ctx['pass'] for authentication
|
|
||||||
def do_GET(self):
|
|
||||||
|
|
||||||
ctx = self.ctx
|
|
||||||
|
|
||||||
ctx['action'] = 'input parameters check'
|
|
||||||
for k, v in self.get_params().items():
|
|
||||||
ctx[k] = self.headers.get(v[0], v[1])
|
|
||||||
if ctx[k] == None:
|
|
||||||
self.auth_failed(ctx, 'required "%s" header was not passed' % k)
|
|
||||||
return True
|
|
||||||
|
|
||||||
ctx['action'] = 'performing authorization'
|
|
||||||
auth_header = self.headers.get('Authorization')
|
|
||||||
auth_cookie = self.get_cookie(ctx['cookiename'])
|
|
||||||
|
|
||||||
if auth_cookie != None and auth_cookie != '':
|
|
||||||
auth_header = "Basic " + auth_cookie
|
|
||||||
self.log_message("using username/password from cookie %s" %
|
|
||||||
ctx['cookiename'])
|
|
||||||
else:
|
|
||||||
self.log_message("using username/password from authorization header")
|
|
||||||
|
|
||||||
if auth_header is None or not auth_header.lower().startswith('basic '):
|
|
||||||
|
|
||||||
self.send_response(401)
|
|
||||||
self.send_header('WWW-Authenticate', 'Basic realm="' + ctx['realm'] + '"')
|
|
||||||
self.send_header('Cache-Control', 'no-cache')
|
|
||||||
self.end_headers()
|
|
||||||
|
|
||||||
return True
|
|
||||||
|
|
||||||
ctx['action'] = 'decoding credentials'
|
|
||||||
|
|
||||||
try:
|
|
||||||
auth_decoded = base64.b64decode(auth_header[6:])
|
|
||||||
if sys.version_info.major == 3: auth_decoded = auth_decoded.decode("utf-8")
|
|
||||||
user, passwd = auth_decoded.split(':', 1)
|
|
||||||
|
|
||||||
except:
|
|
||||||
self.auth_failed(ctx)
|
|
||||||
return True
|
|
||||||
|
|
||||||
ctx['pass'] = passwd
|
|
||||||
ctx['user'] = ldap.filter.escape_filter_chars(user)
|
|
||||||
|
|
||||||
# Continue request processing
|
|
||||||
return False
|
|
||||||
|
|
||||||
def get_cookie(self, name):
|
|
||||||
cookies = self.headers.get('Cookie')
|
|
||||||
if cookies:
|
|
||||||
authcookie = BaseCookie(cookies).get(name)
|
|
||||||
if authcookie:
|
|
||||||
return authcookie.value
|
|
||||||
else:
|
|
||||||
return None
|
|
||||||
else:
|
|
||||||
return None
|
|
||||||
|
|
||||||
|
|
||||||
# Log the error and complete the request with appropriate status
|
|
||||||
def auth_failed(self, ctx, errmsg = None):
|
|
||||||
|
|
||||||
msg = 'Error while ' + ctx['action']
|
|
||||||
if errmsg:
|
|
||||||
msg += ': ' + errmsg
|
|
||||||
|
|
||||||
ex, value, trace = sys.exc_info()
|
|
||||||
|
|
||||||
if ex != None:
|
|
||||||
msg += ": " + str(value)
|
|
||||||
|
|
||||||
if ctx.get('url'):
|
|
||||||
msg += ', server="%s"' % ctx['url']
|
|
||||||
|
|
||||||
if ctx.get('user'):
|
|
||||||
msg += ', login="%s"' % ctx['user']
|
|
||||||
|
|
||||||
self.log_error(msg)
|
|
||||||
self.send_response(401)
|
|
||||||
self.send_header('WWW-Authenticate', 'Basic realm="' + ctx['realm'] + '"')
|
|
||||||
self.send_header('Cache-Control', 'no-cache')
|
|
||||||
self.end_headers()
|
|
||||||
|
|
||||||
def get_params(self):
|
|
||||||
return {}
|
|
||||||
|
|
||||||
def log_message(self, format, *args):
|
|
||||||
if len(self.client_address) > 0:
|
|
||||||
addr = BaseHTTPRequestHandler.address_string(self)
|
|
||||||
else:
|
|
||||||
addr = "-"
|
|
||||||
|
|
||||||
if not hasattr(self, 'ctx'):
|
|
||||||
user = '-'
|
|
||||||
else:
|
|
||||||
user = self.ctx['user']
|
|
||||||
|
|
||||||
sys.stdout.write("%s - %s [%s] %s\n" % (addr, user,
|
|
||||||
self.log_date_time_string(), format % args))
|
|
||||||
|
|
||||||
def log_error(self, format, *args):
|
|
||||||
self.log_message(format, *args)
|
|
||||||
|
|
||||||
|
|
||||||
# Verify username/password against LDAP server
|
|
||||||
class LDAPAuthHandler(AuthHandler):
|
|
||||||
# Parameters to put into self.ctx from the HTTP header of auth request
|
|
||||||
params = {
|
|
||||||
# parameter header default
|
|
||||||
'realm': ('X-Ldap-Realm', 'Restricted'),
|
|
||||||
'url': ('X-Ldap-URL', None),
|
|
||||||
'starttls': ('X-Ldap-Starttls', 'false'),
|
|
||||||
'disable_referrals': ('X-Ldap-DisableReferrals', 'false'),
|
|
||||||
'basedn': ('X-Ldap-BaseDN', None),
|
|
||||||
'template': ('X-Ldap-Template', '(cn=%(username)s)'),
|
|
||||||
'binddn': ('X-Ldap-BindDN', ''),
|
|
||||||
'bindpasswd': ('X-Ldap-BindPass', ''),
|
|
||||||
'cookiename': ('X-CookieName', '')
|
|
||||||
}
|
|
||||||
|
|
||||||
@classmethod
|
|
||||||
def set_params(cls, params):
|
|
||||||
cls.params = params
|
|
||||||
|
|
||||||
def get_params(self):
|
|
||||||
return self.params
|
|
||||||
|
|
||||||
# GET handler for the authentication request
|
|
||||||
def do_GET(self):
|
|
||||||
|
|
||||||
ctx = dict()
|
|
||||||
self.ctx = ctx
|
|
||||||
|
|
||||||
ctx['action'] = 'initializing basic auth handler'
|
|
||||||
ctx['user'] = '-'
|
|
||||||
|
|
||||||
if AuthHandler.do_GET(self):
|
|
||||||
# request already processed
|
|
||||||
return
|
|
||||||
|
|
||||||
ctx['action'] = 'empty password check'
|
|
||||||
if not ctx['pass']:
|
|
||||||
self.auth_failed(ctx, 'attempt to use empty password')
|
|
||||||
return
|
|
||||||
|
|
||||||
try:
|
|
||||||
# check that uri and baseDn are set
|
|
||||||
# either from cli or a request
|
|
||||||
if not ctx['url']:
|
|
||||||
self.log_message('LDAP URL is not set!')
|
|
||||||
return
|
|
||||||
if not ctx['basedn']:
|
|
||||||
self.log_message('LDAP baseDN is not set!')
|
|
||||||
return
|
|
||||||
|
|
||||||
ctx['action'] = 'initializing LDAP connection'
|
|
||||||
ldap_obj = ldap.initialize(ctx['url']);
|
|
||||||
|
|
||||||
# Python-ldap module documentation advises to always
|
|
||||||
# explicitely set the LDAP version to use after running
|
|
||||||
# initialize() and recommends using LDAPv3. (LDAPv2 is
|
|
||||||
# deprecated since 2003 as per RFC3494)
|
|
||||||
#
|
|
||||||
# Also, the STARTTLS extension requires the
|
|
||||||
# use of LDAPv3 (RFC2830).
|
|
||||||
ldap_obj.protocol_version=ldap.VERSION3
|
|
||||||
|
|
||||||
# Establish a STARTTLS connection if required by the
|
|
||||||
# headers.
|
|
||||||
if ctx['starttls'] == 'true':
|
|
||||||
ldap_obj.start_tls_s()
|
|
||||||
|
|
||||||
# See https://www.python-ldap.org/en/latest/faq.html
|
|
||||||
if ctx['disable_referrals'] == 'true':
|
|
||||||
ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
|
|
||||||
|
|
||||||
ctx['action'] = 'binding as search user'
|
|
||||||
ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
|
|
||||||
|
|
||||||
ctx['action'] = 'preparing search filter'
|
|
||||||
searchfilter = ctx['template'] % {'username': ctx['user']}
|
|
||||||
|
|
||||||
self.log_message(('searching on server "%s" with base dn ' + \
|
|
||||||
'"%s" with filter "%s"') %
|
|
||||||
(ctx['url'], ctx['basedn'], searchfilter))
|
|
||||||
|
|
||||||
ctx['action'] = 'running search query'
|
|
||||||
results = ldap_obj.search_s(ctx['basedn'], ldap.SCOPE_SUBTREE,
|
|
||||||
searchfilter, ['objectclass'], 1)
|
|
||||||
|
|
||||||
ctx['action'] = 'verifying search query results'
|
|
||||||
|
|
||||||
nres = len(results)
|
|
||||||
|
|
||||||
if nres < 1:
|
|
||||||
self.auth_failed(ctx, 'no objects found')
|
|
||||||
return
|
|
||||||
|
|
||||||
if nres > 1:
|
|
||||||
self.log_message("note: filter match multiple objects: %d, using first" % nres)
|
|
||||||
|
|
||||||
user_entry = results[0]
|
|
||||||
ldap_dn = user_entry[0]
|
|
||||||
|
|
||||||
if ldap_dn == None:
|
|
||||||
self.auth_failed(ctx, 'matched object has no dn')
|
|
||||||
return
|
|
||||||
|
|
||||||
self.log_message('attempting to bind using dn "%s"' % (ldap_dn))
|
|
||||||
|
|
||||||
ctx['action'] = 'binding as an existing user "%s"' % ldap_dn
|
|
||||||
|
|
||||||
ldap_obj.bind_s(ldap_dn, ctx['pass'], ldap.AUTH_SIMPLE)
|
|
||||||
|
|
||||||
self.log_message('Auth OK for user "%s"' % (ctx['user']))
|
|
||||||
|
|
||||||
# Successfully authenticated user
|
|
||||||
self.send_response(200)
|
|
||||||
self.end_headers()
|
|
||||||
|
|
||||||
except:
|
|
||||||
self.auth_failed(ctx)
|
|
||||||
|
|
||||||
def exit_handler(signal, frame):
|
|
||||||
global Listen
|
|
||||||
|
|
||||||
if isinstance(Listen, basestring):
|
|
||||||
try:
|
|
||||||
os.unlink(Listen)
|
|
||||||
except:
|
|
||||||
ex, value, trace = sys.exc_info()
|
|
||||||
sys.stderr.write('Failed to remove socket "%s": %s\n' %
|
|
||||||
(Listen, str(value)))
|
|
||||||
sys.stderr.flush()
|
|
||||||
sys.exit(0)
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
parser = argparse.ArgumentParser(
|
|
||||||
description="""Simple Nginx LDAP authentication helper.""")
|
|
||||||
# Group for listen options:
|
|
||||||
group = parser.add_argument_group("Listen options")
|
|
||||||
group.add_argument('--host', metavar="hostname",
|
|
||||||
default="localhost", help="host to bind (Default: localhost)")
|
|
||||||
group.add_argument('-p', '--port', metavar="port", type=int,
|
|
||||||
default=8888, help="port to bind (Default: 8888)")
|
|
||||||
# ldap options:
|
|
||||||
group = parser.add_argument_group(title="LDAP options")
|
|
||||||
group.add_argument('-u', '--url', metavar="URL",
|
|
||||||
default="ldap://localhost:389",
|
|
||||||
help=("LDAP URI to query (Default: ldap://localhost:389)"))
|
|
||||||
group.add_argument('-s', '--starttls', metavar="starttls",
|
|
||||||
default="false",
|
|
||||||
help=("Establish a STARTTLS protected session (Default: false)"))
|
|
||||||
group.add_argument('--disable-referrals', metavar="disable_referrals",
|
|
||||||
default="false",
|
|
||||||
help=("Sets ldap.OPT_REFERRALS to zero (Default: false)"))
|
|
||||||
group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
|
|
||||||
help="LDAP base dn (Default: unset)")
|
|
||||||
group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
|
|
||||||
help="LDAP bind DN (Default: anonymous)")
|
|
||||||
group.add_argument('-w', metavar="passwd", dest="bindpw", default='',
|
|
||||||
help="LDAP password for the bind DN (Default: unset)")
|
|
||||||
group.add_argument('-f', '--filter', metavar='filter',
|
|
||||||
default='(cn=%(username)s)',
|
|
||||||
help="LDAP filter (Default: cn=%%(username)s)")
|
|
||||||
# http options:
|
|
||||||
group = parser.add_argument_group(title="HTTP options")
|
|
||||||
group.add_argument('-R', '--realm', metavar='"Restricted Area"',
|
|
||||||
default="Restricted", help='HTTP auth realm (Default: "Restricted")')
|
|
||||||
group.add_argument('-c', '--cookie', metavar="cookiename",
|
|
||||||
default="", help="HTTP cookie name to set in (Default: unset)")
|
|
||||||
|
|
||||||
args = parser.parse_args()
|
|
||||||
global Listen
|
|
||||||
Listen = (args.host, args.port)
|
|
||||||
auth_params = {
|
|
||||||
'realm': ('X-Ldap-Realm', args.realm),
|
|
||||||
'url': ('X-Ldap-URL', args.url),
|
|
||||||
'starttls': ('X-Ldap-Starttls', args.starttls),
|
|
||||||
'disable_referrals': ('X-Ldap-DisableReferrals', args.disable_referrals),
|
|
||||||
'basedn': ('X-Ldap-BaseDN', args.basedn),
|
|
||||||
'template': ('X-Ldap-Template', args.filter),
|
|
||||||
'binddn': ('X-Ldap-BindDN', args.binddn),
|
|
||||||
'bindpasswd': ('X-Ldap-BindPass', args.bindpw),
|
|
||||||
'cookiename': ('X-CookieName', args.cookie)
|
|
||||||
}
|
|
||||||
LDAPAuthHandler.set_params(auth_params)
|
|
||||||
server = AuthHTTPServer(Listen, LDAPAuthHandler)
|
|
||||||
signal.signal(signal.SIGINT, exit_handler)
|
|
||||||
signal.signal(signal.SIGTERM, exit_handler)
|
|
||||||
|
|
||||||
sys.stdout.write("Start listening on %s:%d...\n" % Listen)
|
|
||||||
sys.stdout.flush()
|
|
||||||
server.serve_forever()
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
#
|
|
||||||
# these are used with systemd too
|
|
||||||
# so please keep options names inside variables
|
|
||||||
#
|
|
||||||
#URL="--url ldap://example.com:389"
|
|
||||||
#BASE="-b dc=nodomain"
|
|
||||||
#BIND_DN="-D cn=admin,dc=nodomain"
|
|
||||||
#BIND_PASS="-w secret"
|
|
||||||
#COOKIE="-c nginxauth"
|
|
||||||
#FILTER="-f (cn=%(username)s)"
|
|
||||||
#REALM="-R 'Restricted Area'"
|
|
||||||
|
|
||||||
# these are used with init scripts only
|
|
||||||
LOG=/var/log/nginx-ldap-auth/daemon.log
|
|
||||||
RUNDIR=/var/run/nginx-ldap-auth/
|
|
||||||
PIDFILE=/var/run/nginx-ldap-auth/nginx-ldap-auth.pid
|
|
||||||
USER=<%= @user %>
|
|
||||||
GROUP=<%= @group %>
|
|
||||||
@@ -1,17 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=LDAP authentication helper for Nginx
|
|
||||||
After=network.target network-online.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
User=<%= @user %>
|
|
||||||
Group=<%= @group %>
|
|
||||||
WorkingDirectory=/var/run
|
|
||||||
EnvironmentFile=<%= @env_path %>
|
|
||||||
ExecStart=<%= @bin_path %> $URL $BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $REALM
|
|
||||||
KillMode=process
|
|
||||||
KillSignal=SIGINT
|
|
||||||
Restart=on-failure
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
set_cachesize <%= scope.lookupvar('openldap::db_config::cache_size_gb').to_i * 1024 %> 0 1
|
||||||
|
set_lg_bsize <%= scope.lookupvar('openldap::db_config::log_buffer_size_mb').to_i * 1024 %>
|
||||||
|
set_lg_max <%= scope.lookupvar('openldap::db_config::log_max_size_mb').to_i * 1024 %>
|
||||||
|
set_lg_dir <%= scope.lookupvar('openldap::db_config::log_dir') %>
|
||||||
|
set_flags DB_LOG_AUTOREMOVE
|
||||||
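Review bot: The unit arithmetic on the `set_cachesize` line looks off: Berkeley DB's `set_cachesize` takes `gbytes bytes ncache`, so multiplying `cache_size_gb` by 1024 and passing it as the first field asks for 1024 times the intended cache (1 GB becomes 1024 GB), while `set_lg_bsize` and `set_lg_max` take bytes, so `_mb * 1024` yields kilobytes rather than megabytes; please confirm the intended units against the class parameters, which are not visible here. If the names are accurate, `set_cachesize <%= scope.lookupvar('openldap::db_config::cache_size_gb').to_i %> 0 1` and `* 1024 * 1024` for the two log sizes would match them. Separately, `set_flags DB_LOG_AUTOREMOVE` deletes transaction logs as soon as they are no longer needed for normal recovery, which rules out catastrophic recovery (`db_recover -c`) from an older backup plus the logs in `set_lg_dir`; if that trade-off is deliberate, a comment such as `# DB_LOG_AUTOREMOVE: logs are pruned automatically, so catastrophic recovery needs an external log archive` should record it. If this template is rendered from within `openldap::db_config`, `@cache_size_gb` and friends would read the same parameters and raise on an unknown name instead of silently yielding nil through `scope.lookupvar`.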
@@ -1,11 +0,0 @@
|
|||||||
# a role to deploy glauth
|
|
||||||
class roles::infra::auth::glauth {
|
|
||||||
if $facts['firstrun'] {
|
|
||||||
include profiles::defaults
|
|
||||||
include profiles::firstrun::init
|
|
||||||
}else{
|
|
||||||
include profiles::defaults
|
|
||||||
include profiles::base
|
|
||||||
include profiles::ldap::server
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+3
-3
@@ -1,5 +1,5 @@
|
|||||||
# jellyfin server profile
|
# a role to deploy an openldap master
|
||||||
class roles::apps::media::jellyfin {
|
class roles::infra::auth::openldap {
|
||||||
if $facts['firstrun'] {
|
if $facts['firstrun'] {
|
||||||
include profiles::defaults
|
include profiles::defaults
|
||||||
include profiles::firstrun::init
|
include profiles::firstrun::init
|
||||||
@@ -7,6 +7,6 @@ class roles::apps::media::jellyfin {
|
|||||||
include profiles::defaults
|
include profiles::defaults
|
||||||
include profiles::base
|
include profiles::base
|
||||||
include profiles::base::datavol
|
include profiles::base::datavol
|
||||||
include profiles::media::jellyfin
|
include profiles::openldap::server
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
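Review bot: As rendered, this section rewrites `roles::apps::media::jellyfin` into `roles::infra::auth::openldap` (3 additions, 3 deletions against an otherwise identical body), which suggests git detected the new role as a rename of the jellyfin role file; if the jellyfin role is meant to survive, any node still classified with it will fail catalog compilation once this lands, so please confirm that deletion is intended. The new class also keeps `include profiles::base::datavol` from the media role; if the LDAP database directory is not meant to live on the data volume, that include is inherited rather than chosen, and a short comment on why it is needed would help. `include profiles::defaults` appears in both branches of `if $facts['firstrun']` and could be hoisted above the conditional so only the branch-specific includes remain inside it. The header comment says "openldap master"; unless the profile configures replication, `# a role to deploy an openldap server` is the safer wording.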
@@ -1,10 +0,0 @@
|
|||||||
# a role to deploy a certbot server
|
|
||||||
class roles::infra::pki::certbot {
|
|
||||||
if $facts['firstrun'] {
|
|
||||||
include profiles::defaults
|
|
||||||
include profiles::firstrun::init
|
|
||||||
}else{
|
|
||||||
include profiles::defaults
|
|
||||||
include profiles::base
|
|
||||||
}
|
|
||||||
}
|
|
||||||