Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 22bd213509 |
@@ -35,15 +35,10 @@ mod 'puppet-vault', '4.1.0'
|
|||||||
mod 'puppet-dhcp', '6.1.0'
|
mod 'puppet-dhcp', '6.1.0'
|
||||||
mod 'puppet-keepalived', '3.6.0'
|
mod 'puppet-keepalived', '3.6.0'
|
||||||
mod 'puppet-extlib', '7.0.0'
|
mod 'puppet-extlib', '7.0.0'
|
||||||
mod 'puppet-network', '2.2.0'
|
|
||||||
mod 'puppet-kmod', '4.0.1'
|
|
||||||
mod 'puppet-filemapper', '4.0.0'
|
|
||||||
mod 'puppet-letsencrypt', '11.0.0'
|
|
||||||
|
|
||||||
# other
|
# other
|
||||||
mod 'ghoneycutt-puppet', '3.3.0'
|
mod 'ghoneycutt-puppet', '3.3.0'
|
||||||
mod 'saz-sudo', '8.0.0'
|
mod 'saz-sudo', '8.0.0'
|
||||||
mod 'saz-ssh', '12.1.0'
|
|
||||||
mod 'ghoneycutt-timezone', '4.0.0'
|
mod 'ghoneycutt-timezone', '4.0.0'
|
||||||
mod 'dalen-puppetdbquery', '3.0.1'
|
mod 'dalen-puppetdbquery', '3.0.1'
|
||||||
mod 'markt-galera', '3.1.0'
|
mod 'markt-galera', '3.1.0'
|
||||||
@@ -51,7 +46,6 @@ mod 'kogitoapp-minio', '1.1.4'
|
|||||||
mod 'broadinstitute-certs', '3.0.1'
|
mod 'broadinstitute-certs', '3.0.1'
|
||||||
mod 'stm-file_capability', '6.0.0'
|
mod 'stm-file_capability', '6.0.0'
|
||||||
mod 'h0tw1r3-gitea', '3.2.0'
|
mod 'h0tw1r3-gitea', '3.2.0'
|
||||||
mod 'rehan-mkdir', '2.0.0'
|
|
||||||
|
|
||||||
mod 'bind',
|
mod 'bind',
|
||||||
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||||
|
|||||||
@@ -1,9 +0,0 @@
|
|||||||
# Group administration
|
|
||||||
|
|
||||||
This page exists to list all the locally managed groups, their gid's and what their general purpose is for.
|
|
||||||
|
|
||||||
## List of groups
|
|
||||||
| name | gid | purpose |
|
|
||||||
|-------------|-------------|-------------|
|
|
||||||
| admin | 10000 | admin group designed for system admins |
|
|
||||||
| media | 20000 | group permissions to manage media (*arrs) |
|
|
||||||
@@ -1,60 +0,0 @@
|
|||||||
# managing ceph
|
|
||||||
|
|
||||||
Always refer back to the official documentation at https://docs.ceph.com/en/latest
|
|
||||||
|
|
||||||
## adding new cephfs
|
|
||||||
- create a erasure code profile which will allow you to customise the raid level
|
|
||||||
- raid5 with 3 disks? k=2,m=1
|
|
||||||
- raid5 with 6 disks? k=5,m=1
|
|
||||||
- raid6 with 4 disks? k=2,m=2, etc
|
|
||||||
- create osd pool using custom profile for data
|
|
||||||
- create osd pool using default replicated profile for metadata
|
|
||||||
- enable ec_overwrites for the data pool
|
|
||||||
- create the ceph fs volume using data/metadata pools
|
|
||||||
- set ceph fs settings
|
|
||||||
- specify minimum number of metadata servers (mds)
|
|
||||||
- set fs to be for bulk data
|
|
||||||
- set mds fast failover with standby reply
|
|
||||||
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
|
|
||||||
sudo ceph osd pool create media_data 128 erasure ec_4_1
|
|
||||||
sudo ceph osd pool create media_metadata 32 replicated_rule
|
|
||||||
sudo ceph osd pool set media_data allow_ec_overwrites true
|
|
||||||
sudo ceph osd pool set media_data bulk true
|
|
||||||
sudo ceph fs new mediafs media_metadata media_data --force
|
|
||||||
sudo ceph fs set mediafs allow_standby_replay true
|
|
||||||
sudo ceph fs set mediafs max_mds 2
|
|
||||||
```
|
|
||||||
|
|
||||||
## creating authentication tokens
|
|
||||||
|
|
||||||
- this will create a client keyring named media
|
|
||||||
- this client will have the following capabilities:
|
|
||||||
- mon: read
|
|
||||||
- mds:
|
|
||||||
- read /
|
|
||||||
- read/write /media
|
|
||||||
- read/write /common
|
|
||||||
- osd: read/write to cephfs_data pool
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo ceph auth get-or-create client.media \
|
|
||||||
mon 'allow r' \
|
|
||||||
mds 'allow r path=/, allow rw path=/media, allow rw path=/common' \
|
|
||||||
osd 'allow rw pool=cephfs_data'
|
|
||||||
```
|
|
||||||
|
|
||||||
## list the authentication tokens and permissions
|
|
||||||
|
|
||||||
ceph auth ls
|
|
||||||
|
|
||||||
## change the capabilities of a token
|
|
||||||
|
|
||||||
this will overwrite the current capabilities of a given client.user
|
|
||||||
|
|
||||||
sudo ceph auth caps client.media \
|
|
||||||
mon 'allow r' \
|
|
||||||
mds 'allow rw path=/' \
|
|
||||||
osd 'allow rw pool=media_data'
|
|
||||||
@@ -1,31 +0,0 @@
|
|||||||
# add additional master
|
|
||||||
|
|
||||||
these steps are required when adding additional puppet masters, as the subject alternative names on the certificate will need to be changed. this requires the old certificate be revoked, cleaned up, and for a new certificate to be generated and signed.
|
|
||||||
|
|
||||||
## prepare a new node
|
|
||||||
- deploy a new now, or identify a space with the base role
|
|
||||||
- change the hosts class to roles::infra::puppet::master
|
|
||||||
- apply puppet until there are no more changes
|
|
||||||
|
|
||||||
## revoke the current certificate on the puppet master
|
|
||||||
|
|
||||||
sudo puppetserver ca clean --certname ausyd1nxvm1023.main.unkin.net
|
|
||||||
|
|
||||||
## stop the new puppetserver and cleanup revoked certificates
|
|
||||||
|
|
||||||
sudo systemctl stop puppetserver
|
|
||||||
sudo rm -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
|
|
||||||
sudo rm -f /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem
|
|
||||||
|
|
||||||
## copy the current crl.pem, as puppetserver will overwrite it when starting
|
|
||||||
|
|
||||||
sudo cp /etc/puppetlabs/puppet/ssl/crl.pem /root/current_crl.pem
|
|
||||||
|
|
||||||
## request new puppet agent certificate
|
|
||||||
|
|
||||||
sudo puppet ssl bootstrap
|
|
||||||
|
|
||||||
## start the puppetserver service and move the crl.pem back in place
|
|
||||||
|
|
||||||
sudo systemctl start puppetserver
|
|
||||||
sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
|
|
||||||
@@ -1,123 +0,0 @@
|
|||||||
# PKI
|
|
||||||
## root ca
|
|
||||||
vault secrets enable -path=pki_root pki
|
|
||||||
vault secrets tune -max-lease-ttl=87600h pki_root
|
|
||||||
|
|
||||||
vault write -field=certificate pki_root/root/generate/internal \
|
|
||||||
common_name="unkin.net" \
|
|
||||||
issuer_name="UNKIN_ROOTCA_2024" \
|
|
||||||
ttl=87600h > unkinroot_2024_ca.crt
|
|
||||||
|
|
||||||
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
|
|
||||||
|
|
||||||
vault write pki_root/roles/2024-servers allow_any_name=true
|
|
||||||
|
|
||||||
vault write pki_root/config/urls \
|
|
||||||
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
|
|
||||||
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
|
|
||||||
|
|
||||||
## intermediate
|
|
||||||
vault secrets enable -path=pki_int pki
|
|
||||||
vault secrets tune -max-lease-ttl=43800h pki_int
|
|
||||||
|
|
||||||
vault write -format=json pki_int/intermediate/generate/internal \
|
|
||||||
common_name="unkin.net Intermediate Authority" \
|
|
||||||
issuer_name="UNKIN_VAULTCA_2024" \
|
|
||||||
| jq -r '.data.csr' > pki_intermediate.csr
|
|
||||||
|
|
||||||
vault write -format=json pki_root/root/sign-intermediate \
|
|
||||||
issuer_ref="UNKIN_ROOTCA_2024" \
|
|
||||||
csr=@pki_intermediate.csr \
|
|
||||||
format=pem_bundle ttl="43800h" \
|
|
||||||
| jq -r '.data.certificate' > intermediate.cert.pem
|
|
||||||
|
|
||||||
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
|
|
||||||
|
|
||||||
## create role
|
|
||||||
vault write pki_int/roles/servers_default \
|
|
||||||
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
|
|
||||||
allow_ip_sans=true \
|
|
||||||
allowed_domains="unkin.net, *.unkin.net, localhost" \
|
|
||||||
allow_subdomains=true \
|
|
||||||
allow_glob_domains=true \
|
|
||||||
allow_bare_domains=true \
|
|
||||||
enforce_hostnames=true \
|
|
||||||
allow_any_name=true \
|
|
||||||
max_ttl="2160h" \
|
|
||||||
key_bits=4096 \
|
|
||||||
country="Australia"
|
|
||||||
|
|
||||||
## test generating a domain cert
|
|
||||||
vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
|
|
||||||
vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
|
|
||||||
vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
|
|
||||||
|
|
||||||
## remove expired certificates
|
|
||||||
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
|
|
||||||
|
|
||||||
# AUTH
|
|
||||||
## enable approles
|
|
||||||
vault auth enable approle
|
|
||||||
|
|
||||||
# CERTMANAGER
|
|
||||||
## create certmanager policy and token, limit to puppetmaster
|
|
||||||
cat <<EOF > certmanager.hcl
|
|
||||||
path "pki_int/issue/*" {
|
|
||||||
capabilities = ["create", "update", "read"]
|
|
||||||
}
|
|
||||||
path "pki_int/renew/*" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
path "pki_int/cert/*" {
|
|
||||||
capabilities = ["read"]
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
vault policy write certmanager certmanager.hcl
|
|
||||||
|
|
||||||
vault write auth/approle/role/certmanager \
|
|
||||||
bind_secret_id=false \
|
|
||||||
token_policies="certmanager" \
|
|
||||||
token_ttl=30s \
|
|
||||||
token_max_ttl=30s \
|
|
||||||
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
|
|
||||||
|
|
||||||
## get the certmanager approle id
|
|
||||||
vault read -field=role_id auth/approle/role/certmanager/role-id
|
|
||||||
|
|
||||||
|
|
||||||
# SSH Hostkey Signing
|
|
||||||
|
|
||||||
## create ssh engine, key, set ttl
|
|
||||||
vault secrets enable -path=ssh-host-signer ssh
|
|
||||||
vault write ssh-host-signer/config/ca generate_signing_key=true
|
|
||||||
vault secrets tune -max-lease-ttl=87600h ssh-host-signer
|
|
||||||
|
|
||||||
## create role
|
|
||||||
vault write ssh-host-signer/roles/hostrole \
|
|
||||||
key_type=ca \
|
|
||||||
algorithm_signer=rsa-sha2-256 \
|
|
||||||
ttl=87600h \
|
|
||||||
allow_host_certificates=true \
|
|
||||||
allowed_domains="unkin.net" \
|
|
||||||
allow_subdomains=true \
|
|
||||||
allow_baredomains=true
|
|
||||||
|
|
||||||
## create policy to use hostrole
|
|
||||||
cat <<EOF > sshsign-host.hcl
|
|
||||||
path "ssh-host-signer/sign/hostrole" {
|
|
||||||
capabilities = ["create", "update"]
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
vault policy write sshsign-host-policy sshsign-host.hcl
|
|
||||||
|
|
||||||
vault write auth/approle/role/sshsign-host-role \
|
|
||||||
bind_secret_id=false \
|
|
||||||
token_policies="sshsign-host-policy" \
|
|
||||||
token_ttl=30s \
|
|
||||||
token_max_ttl=30s \
|
|
||||||
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
|
|
||||||
|
|
||||||
## get the sshsign-host-role approle id
|
|
||||||
vault read -field=role_id auth/approle/role/sshsign-host-role/role-id
|
|
||||||
@@ -0,0 +1,48 @@
|
|||||||
|
# root ca
|
||||||
|
vault secrets enable -path=pki_root pki
|
||||||
|
|
||||||
|
vault write -field=certificate pki_root/root/generate/internal \
|
||||||
|
common_name="unkin.net" \
|
||||||
|
issuer_name="unkinroot-2024" \
|
||||||
|
ttl=87600h > unkinroot_2024_ca.crt
|
||||||
|
|
||||||
|
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
|
||||||
|
|
||||||
|
vault write pki_root/roles/2024-servers allow_any_name=true
|
||||||
|
|
||||||
|
vault write pki_root/config/urls \
|
||||||
|
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
|
||||||
|
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
|
||||||
|
|
||||||
|
# intermediate
|
||||||
|
vault secrets enable -path=pki_int pki
|
||||||
|
vault secrets tune -max-lease-ttl=43800h pki_int
|
||||||
|
|
||||||
|
vault write -format=json pki_int/intermediate/generate/internal \
|
||||||
|
common_name="unkin.net Intermediate Authority" \
|
||||||
|
issuer_name="unkin-dot-net-intermediate" \
|
||||||
|
| jq -r '.data.csr' > pki_intermediate.csr
|
||||||
|
|
||||||
|
vault write -format=json pki_root/root/sign-intermediate \
|
||||||
|
issuer_ref="unkinroot-2024" \
|
||||||
|
csr=@pki_intermediate.csr \
|
||||||
|
format=pem_bundle ttl="43800h" \
|
||||||
|
| jq -r '.data.certificate' > intermediate.cert.pem
|
||||||
|
|
||||||
|
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
|
||||||
|
|
||||||
|
# create role
|
||||||
|
vault write pki_int/roles/unkin-dot-net \
|
||||||
|
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
|
||||||
|
allowed_domains="unkin.net" \
|
||||||
|
allow_subdomains=true \
|
||||||
|
max_ttl="2160h"
|
||||||
|
|
||||||
|
# test generating a domain cert
|
||||||
|
vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
|
||||||
|
vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
|
||||||
|
vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
|
||||||
|
|
||||||
|
|
||||||
|
# remove expired certificates
|
||||||
|
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
|
||||||
+36
-100
@@ -108,43 +108,11 @@ lookup_options:
|
|||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
profiles::nginx::simpleproxy::nginx_aliases:
|
||||||
merge:
|
merge:
|
||||||
strategy: deep
|
strategy: deep
|
||||||
networking::interfaces:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
networking::interface_defaults:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
networking::routes:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
networking::route_defaults:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
ssh::server::options:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
mysql::db:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
profiles::ceph::client::keyrings:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
profiles::nginx::simpleproxy::locations:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
certbot::client::domains:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
profiles::metrics::exportarr:
|
|
||||||
merge:
|
|
||||||
strategy: deep
|
|
||||||
|
|
||||||
facts_path: '/opt/puppetlabs/facter/facts.d'
|
facts_path: '/opt/puppetlabs/facter/facts.d'
|
||||||
|
|
||||||
hiera_include:
|
hiera_classes:
|
||||||
- timezone
|
- timezone
|
||||||
- networking
|
|
||||||
- ssh::server
|
|
||||||
|
|
||||||
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
||||||
profiles::ntp::client::use_ntp: 'region'
|
profiles::ntp::client::use_ntp: 'region'
|
||||||
@@ -182,7 +150,6 @@ profiles::packages::install:
|
|||||||
- curl
|
- curl
|
||||||
- dstat
|
- dstat
|
||||||
- expect
|
- expect
|
||||||
- gcc
|
|
||||||
- gzip
|
- gzip
|
||||||
- git
|
- git
|
||||||
- htop
|
- htop
|
||||||
@@ -203,7 +170,6 @@ profiles::packages::install:
|
|||||||
- socat
|
- socat
|
||||||
- strace
|
- strace
|
||||||
- sysstat
|
- sysstat
|
||||||
- tar
|
|
||||||
- tmux
|
- tmux
|
||||||
- traceroute
|
- traceroute
|
||||||
- unzip
|
- unzip
|
||||||
@@ -249,38 +215,6 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
|
|||||||
prometheus::node_exporter::export_scrape_job: true
|
prometheus::node_exporter::export_scrape_job: true
|
||||||
prometheus::systemd_exporter::export_scrape_job: true
|
prometheus::systemd_exporter::export_scrape_job: true
|
||||||
|
|
||||||
ssh::server::storeconfigs_enabled: false
|
|
||||||
ssh::server::options:
|
|
||||||
Protocol: '2'
|
|
||||||
ListenAddress:
|
|
||||||
- '127.0.0.1'
|
|
||||||
- '%{facts.networking.ip}'
|
|
||||||
SyslogFacility: 'AUTHPRIV'
|
|
||||||
HostKey:
|
|
||||||
- /etc/ssh/ssh_host_rsa_key
|
|
||||||
- /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
- /etc/ssh/ssh_host_ed25519_key
|
|
||||||
HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem
|
|
||||||
AuthorizedKeysFile: .ssh/authorized_keys
|
|
||||||
PermitRootLogin: no
|
|
||||||
PasswordAuthentication: no
|
|
||||||
ChallengeResponseAuthentication: no
|
|
||||||
PubkeyAuthentication: yes
|
|
||||||
GSSAPIAuthentication: yes
|
|
||||||
GSSAPICleanupCredentials: yes
|
|
||||||
UsePAM: yes
|
|
||||||
X11Forwarding: no
|
|
||||||
PrintMotd: no
|
|
||||||
AcceptEnv:
|
|
||||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
||||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
||||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
||||||
- XMODIFIERS
|
|
||||||
Subsystem: sftp /usr/libexec/openssh/sftp-server
|
|
||||||
|
|
||||||
profiles::ssh::knownhosts::lines:
|
|
||||||
- '@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1HD97vYxLTniE4qNpGuftUlvmkEXIuX8+7nbENv/IzsGUghEDRtyThjQ7ojNKIsQ7f8wXr0gMcI+fAPfrbcOMHCAoYMomikwL0b3h95SZI40q3CyM+0DMnwiVVDX6C1QxkO2Rv9cszSkCa85NotJhXiUuTBI9BFcRPy+mAhbpAru+bfypYofI0wW97XNTl8Jgwmni5MgutBIQAokFIn5ux8iWxndCH3AqDtmkwC5DfQeQ+wZx7rkwqJEpJffQzrjb1gIM6P9hDCVBBVPh/3o80IJ69rFWrJAZUb+JpG4cXJH0NcSW+wqc3JCT/x3q8VlHwOTXSlNNKtOJCRx73mB8e1XTTy2a9FgpKDDg5XQXWHAViJDz1RTRL9gRefMylRgKz4bXoTuY9kJWM8hPTyUejtukbJThlBJc3OmDxBZBF7F0iqB11pHexok43OCEiANodVa36eWu9/5X032Vm48fZ1/akDPY/NSy3wAn7kwut+A0/JAHFHASrq+1mt9YurkJegI+YHXO6eEWpBIpmI7ORHJbGL4MhkHrxYzVamuP8CkU7tXzsv138+wpOcRHNp9yJY4PT40BZkRf/O3O+jt3pj9Dj8rvgywF2W6hFzywh3Y78upOprRkQlQtHfsI8EyrYI8/hUw2u3H+3yPXh3YjWfqvWVG1BRLRHBV7m90uaw=='
|
|
||||||
|
|
||||||
profiles::base::groups::local:
|
profiles::base::groups::local:
|
||||||
admins:
|
admins:
|
||||||
ensure: present
|
ensure: present
|
||||||
@@ -297,36 +231,38 @@ sudo::configs:
|
|||||||
profiles::accounts::sysadmin::sshkeys:
|
profiles::accounts::sysadmin::sshkeys:
|
||||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
|
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
|
||||||
|
|
||||||
networking::interface_defaults:
|
profiles::base::hosts::additional_hosts:
|
||||||
ensure: present
|
- ip: 198.18.17.3
|
||||||
family: inet
|
hostname: prodinf01n01.main.unkin.net
|
||||||
method: static
|
aliases:
|
||||||
netmask: 255.255.255.0
|
- prodinf01n01
|
||||||
onboot: true
|
- puppet
|
||||||
networking::route_defaults:
|
- puppetmaster
|
||||||
ensure: present
|
- puppetca
|
||||||
interface: eth0
|
- ip: 198.18.17.4
|
||||||
netmask: 0.0.0.0
|
hostname: prodinf01n04.main.unkin.net
|
||||||
network: default
|
aliases:
|
||||||
|
- prodinf01n04
|
||||||
profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
|
- ip: 198.18.17.5
|
||||||
profiles::ceph::client::mons:
|
hostname: prodinf01n05.main.unkin.net
|
||||||
- 10.18.15.1
|
aliases:
|
||||||
- 10.18.15.2
|
- prodinf01n05
|
||||||
- 10.18.15.3
|
- ip: 198.18.17.6
|
||||||
#profiles::base::hosts::additional_hosts:
|
hostname: prodinf01n06.main.unkin.net
|
||||||
# - ip: 198.18.17.9
|
aliases:
|
||||||
# hostname: prodinf01n09.main.unkin.net
|
- prodinf01n06
|
||||||
# aliases:
|
- ip: 198.18.17.9
|
||||||
# - prodinf01n09
|
hostname: prodinf01n09.main.unkin.net
|
||||||
# - ntp01.main.unkin.net
|
aliases:
|
||||||
# - ip: 198.18.17.10
|
- prodinf01n09
|
||||||
# hostname: prodinf01n10.main.unkin.net
|
- ntp01.main.unkin.net
|
||||||
# aliases:
|
- ip: 198.18.17.10
|
||||||
# - prodinf01n10
|
hostname: prodinf01n10.main.unkin.net
|
||||||
# - ntp02.main.unkin.net
|
aliases:
|
||||||
# - ip: 198.18.17.22
|
- prodinf01n10
|
||||||
# hostname: prodinf01n22.main.unkin.net
|
- ntp02.main.unkin.net
|
||||||
# aliases:
|
- ip: 198.18.17.22
|
||||||
# - prodinf01n22
|
hostname: prodinf01n22.main.unkin.net
|
||||||
# - repos.main.unkin.net
|
aliases:
|
||||||
|
- prodinf01n22
|
||||||
|
- repos.main.unkin.net
|
||||||
|
|||||||
@@ -1,4 +1,3 @@
|
|||||||
---
|
---
|
||||||
certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl]
|
certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl]
|
||||||
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
||||||
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]
|
|
||||||
|
|||||||
@@ -1,3 +1,2 @@
|
|||||||
---
|
---
|
||||||
timezone::timezone: 'Australia/Sydney'
|
timezone::timezone: 'Australia/Sydney'
|
||||||
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
|
|
||||||
|
|||||||
@@ -6,27 +6,11 @@ profiles::haproxy::mappings:
|
|||||||
mappings:
|
mappings:
|
||||||
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
|
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
|
||||||
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
|
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
|
||||||
- 'sonarr.main.unkin.net be_sonarr'
|
|
||||||
- 'radarr.main.unkin.net be_radarr'
|
|
||||||
- 'lidarr.main.unkin.net be_lidarr'
|
|
||||||
- 'readarr.main.unkin.net be_readarr'
|
|
||||||
- 'prowlarr.main.unkin.net be_prowlarr'
|
|
||||||
- 'nzbget.main.unkin.net be_nzbget'
|
|
||||||
- 'jellyfin.main.unkin.net be_jellyfin'
|
|
||||||
- 'fafflix.unkin.net be_jellyfin'
|
|
||||||
fe_https:
|
fe_https:
|
||||||
ensure: present
|
ensure: present
|
||||||
mappings:
|
mappings:
|
||||||
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
|
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
|
||||||
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
|
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
|
||||||
- 'sonarr.main.unkin.net be_sonarr'
|
|
||||||
- 'radarr.main.unkin.net be_radarr'
|
|
||||||
- 'lidarr.main.unkin.net be_lidarr'
|
|
||||||
- 'readarr.main.unkin.net be_readarr'
|
|
||||||
- 'prowlarr.main.unkin.net be_prowlarr'
|
|
||||||
- 'nzbget.main.unkin.net be_nzbget'
|
|
||||||
- 'jellyfin.main.unkin.net be_jellyfin'
|
|
||||||
- 'fafflix.unkin.net be_jellyfin'
|
|
||||||
|
|
||||||
profiles::haproxy::frontends:
|
profiles::haproxy::frontends:
|
||||||
fe_http:
|
fe_http:
|
||||||
@@ -36,15 +20,7 @@ profiles::haproxy::frontends:
|
|||||||
fe_https:
|
fe_https:
|
||||||
options:
|
options:
|
||||||
acl:
|
acl:
|
||||||
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
|
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
|
||||||
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
|
|
||||||
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
|
|
||||||
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
|
|
||||||
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
|
|
||||||
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
|
|
||||||
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
|
|
||||||
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
|
|
||||||
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
|
|
||||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||||
use_backend:
|
use_backend:
|
||||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||||
@@ -52,14 +28,6 @@ profiles::haproxy::frontends:
|
|||||||
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
|
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
|
||||||
http-response:
|
http-response:
|
||||||
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
|
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
|
||||||
- 'set-header X-Frame-Options DENY if acl_sonarr'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_radarr'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_lidarr'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_readarr'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_prowlarr'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_nzbget'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_jellyfin'
|
|
||||||
- 'set-header X-Frame-Options DENY if acl_fafflix'
|
|
||||||
- 'set-header X-Content-Type-Options nosniff'
|
- 'set-header X-Content-Type-Options nosniff'
|
||||||
- 'set-header X-XSS-Protection 1;mode=block'
|
- 'set-header X-XSS-Protection 1;mode=block'
|
||||||
|
|
||||||
@@ -95,151 +63,17 @@ profiles::haproxy::backends:
|
|||||||
- set-header X-Forwarded-Port %[dst_port]
|
- set-header X-Forwarded-Port %[dst_port]
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
redirect: 'scheme https if !{ ssl_fc }'
|
||||||
be_sonarr:
|
|
||||||
description: Backend for au-syd1 sonarr
|
|
||||||
collect_exported: false # handled in custom function
|
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk GET /consul/health
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
cookie: SRVNAME insert indirect nocache
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
be_radarr:
|
|
||||||
description: Backend for au-syd1 radarr
|
|
||||||
collect_exported: false # handled in custom function
|
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk GET /consul/health
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
cookie: SRVNAME insert indirect nocache
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
be_lidarr:
|
|
||||||
description: Backend for au-syd1 lidarr
|
|
||||||
collect_exported: false # handled in custom function
|
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk GET /consul/health
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
cookie: SRVNAME insert indirect nocache
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
be_readarr:
|
|
||||||
description: Backend for au-syd1 readarr
|
|
||||||
collect_exported: false # handled in custom function
|
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk GET /consul/health
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
cookie: SRVNAME insert indirect nocache
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
be_prowlarr:
|
|
||||||
description: Backend for au-syd1 prowlarr
|
|
||||||
collect_exported: false # handled in custom function
|
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk GET /consul/health
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
cookie: SRVNAME insert indirect nocache
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
be_nzbget:
|
|
||||||
description: Backend for au-syd1 nzbget
|
|
||||||
collect_exported: false # handled in custom function
|
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk GET /consul/health
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
cookie: SRVNAME insert indirect nocache
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
be_jellyfin:
|
|
||||||
description: Backend for au-syd1 jellyfin
|
|
||||||
collect_exported: false # handled in custom function
|
|
||||||
options:
|
|
||||||
balance: roundrobin
|
|
||||||
option:
|
|
||||||
- httpchk GET /
|
|
||||||
- forwardfor
|
|
||||||
- http-keep-alive
|
|
||||||
- prefer-last-server
|
|
||||||
cookie: SRVNAME insert indirect nocache
|
|
||||||
http-reuse: always
|
|
||||||
http-request:
|
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
|
||||||
redirect: 'scheme https if !{ ssl_fc }'
|
|
||||||
|
|
||||||
profiles::haproxy::certlist::enabled: true
|
profiles::haproxy::certlist::enabled: true
|
||||||
profiles::haproxy::certlist::certificates:
|
profiles::haproxy::certlist::certificates:
|
||||||
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
|
|
||||||
- /etc/pki/tls/vault/certificate.pem
|
- /etc/pki/tls/vault/certificate.pem
|
||||||
|
|
||||||
# additional altnames
|
# additional altnames
|
||||||
profiles::pki::vault::alt_names:
|
profiles::pki::vault::alt_names:
|
||||||
- au-syd1-pve.main.unkin.net
|
- au-syd1-pve.main.unkin.net
|
||||||
- au-syd1-pve-api.main.unkin.net
|
- au-syd1-pve-api.main.unkin.net
|
||||||
- jellyfin.main.unkin.net
|
|
||||||
|
|
||||||
# additional cnames
|
# additional cnames
|
||||||
profiles::haproxy::dns::cnames:
|
profiles::haproxy::dns::cnames:
|
||||||
- au-syd1-pve.main.unkin.net
|
- au-syd1-pve.main.unkin.net
|
||||||
- au-syd1-pve-api.main.unkin.net
|
- au-syd1-pve-api.main.unkin.net
|
||||||
|
|
||||||
# letsencrypt certificates
|
|
||||||
certbot::client::domains:
|
|
||||||
- au-syd1-pve.main.unkin.net
|
|
||||||
- au-syd1-pve-api.main.unkin.net
|
|
||||||
- sonarr.main.unkin.net
|
|
||||||
- radarr.main.unkin.net
|
|
||||||
- lidarr.main.unkin.net
|
|
||||||
- readarr.main.unkin.net
|
|
||||||
- prowlarr.main.unkin.net
|
|
||||||
- nzbget.main.unkin.net
|
|
||||||
- fafflix.unkin.net
|
|
||||||
|
|||||||
@@ -1,4 +1,3 @@
|
|||||||
---
|
---
|
||||||
certmanager::vault_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
certmanager::vault_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
||||||
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
||||||
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]
|
|
||||||
|
|||||||
@@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
|
|
||||||
@@ -2,14 +2,3 @@
|
|||||||
profiles::sql::galera_member::cluster_name: au-syd1
|
profiles::sql::galera_member::cluster_name: au-syd1
|
||||||
profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net
|
profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net
|
||||||
profiles::sql::galera_member::innodb_buffer_pool_size: 256M
|
profiles::sql::galera_member::innodb_buffer_pool_size: 256M
|
||||||
|
|
||||||
mysql::db:
|
|
||||||
grafana:
|
|
||||||
name: grafana
|
|
||||||
user: grafana
|
|
||||||
password: "%{alias('mysql::db::grafana::pass')}"
|
|
||||||
grant:
|
|
||||||
- SELECT
|
|
||||||
- INSERT
|
|
||||||
- UPDATE
|
|
||||||
- DELETE
|
|
||||||
|
|||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.10
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.11
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.12
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.13
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.14
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.15
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.16
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.17
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.18
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.19
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.20
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.21
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.22
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.23
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.24
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.25
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.26
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,11 +1,2 @@
|
|||||||
---
|
---
|
||||||
profiles::cobbler::params::is_cobbler_master: true
|
profiles::cobbler::params::is_cobbler_master: true
|
||||||
networking::interfaces:
|
|
||||||
ens18:
|
|
||||||
ipaddress: 198.18.13.27
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
interface: ens18
|
|
||||||
|
|
||||||
profiles::almalinux::base::remove_ens18: false
|
|
||||||
|
|||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.28
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.29
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.30
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
ens18:
|
|
||||||
ipaddress: 198.18.13.31
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
interface: ens18
|
|
||||||
|
|
||||||
profiles::almalinux::base::remove_ens18: false
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.32
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.33
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.34
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.35
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.36
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.37
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.38
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.39
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.40
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.41
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.42
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.43
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.44
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.45
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -5,17 +5,5 @@ profiles::puppet::server::dns_alt_names:
|
|||||||
- puppetca.query.consul
|
- puppetca.query.consul
|
||||||
- puppetca
|
- puppetca
|
||||||
|
|
||||||
profiles::ssh::sign::principals:
|
|
||||||
- puppetca.main.unkin.net
|
|
||||||
- puppetca.service.consul
|
|
||||||
- puppetca.query.consul
|
|
||||||
- puppetca
|
|
||||||
|
|
||||||
profiles::puppet::puppetca::is_puppetca: true
|
profiles::puppet::puppetca::is_puppetca: true
|
||||||
profiles::puppet::puppetca::allow_subject_alt_names: true
|
profiles::puppet::puppetca::allow_subject_alt_names: true
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.46
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
|
|||||||
@@ -1,14 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.47
|
|
||||||
ens19:
|
|
||||||
ensure: present
|
|
||||||
family: inet
|
|
||||||
method: static
|
|
||||||
ipaddress: 10.18.15.47
|
|
||||||
netmask: 255.255.255.0
|
|
||||||
onboot: true
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.48
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.49
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.50
|
|
||||||
ens19:
|
|
||||||
ensure: present
|
|
||||||
family: inet
|
|
||||||
method: static
|
|
||||||
ipaddress: 10.18.15.50
|
|
||||||
netmask: 255.255.255.0
|
|
||||||
onboot: true
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.51
|
|
||||||
ens19:
|
|
||||||
ensure: present
|
|
||||||
family: inet
|
|
||||||
method: static
|
|
||||||
ipaddress: 10.18.15.51
|
|
||||||
netmask: 255.255.255.0
|
|
||||||
onboot: true
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.52
|
|
||||||
ens19:
|
|
||||||
ensure: present
|
|
||||||
family: inet
|
|
||||||
method: static
|
|
||||||
ipaddress: 10.18.15.52
|
|
||||||
netmask: 255.255.255.0
|
|
||||||
onboot: true
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.53
|
|
||||||
ens19:
|
|
||||||
ensure: present
|
|
||||||
family: inet
|
|
||||||
method: static
|
|
||||||
ipaddress: 10.18.15.53
|
|
||||||
netmask: 255.255.255.0
|
|
||||||
onboot: true
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.54
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.55
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.56
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.57
|
|
||||||
ens19:
|
|
||||||
ensure: present
|
|
||||||
family: inet
|
|
||||||
method: static
|
|
||||||
ipaddress: 10.18.15.57
|
|
||||||
netmask: 255.255.255.0
|
|
||||||
onboot: true
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
---
|
|
||||||
networking::interfaces:
|
|
||||||
eth0:
|
|
||||||
ipaddress: 198.18.13.58
|
|
||||||
ens19:
|
|
||||||
ensure: present
|
|
||||||
family: inet
|
|
||||||
method: static
|
|
||||||
ipaddress: 10.18.15.58
|
|
||||||
netmask: 255.255.255.0
|
|
||||||
onboot: true
|
|
||||||
networking::routes:
|
|
||||||
default:
|
|
||||||
gateway: 198.18.13.254
|
|
||||||
@@ -7,6 +7,3 @@ profiles::puppet::server::dns_alt_names:
|
|||||||
|
|
||||||
profiles::puppet::puppetca::is_puppetca: false
|
profiles::puppet::puppetca::is_puppetca: false
|
||||||
profiles::puppet::puppetca::allow_subject_alt_names: true
|
profiles::puppet::puppetca::allow_subject_alt_names: true
|
||||||
|
|
||||||
hiera_exclude:
|
|
||||||
- networking
|
|
||||||
|
|||||||
@@ -5,15 +5,10 @@ profiles::firewall::firewalld::ensure_service: 'stopped'
|
|||||||
profiles::firewall::firewalld::enable_service: false
|
profiles::firewall::firewalld::enable_service: false
|
||||||
profiles::puppet::agent::puppet_version: '7.26.0'
|
profiles::puppet::agent::puppet_version: '7.26.0'
|
||||||
|
|
||||||
hiera_include:
|
|
||||||
- profiles::almalinux::base
|
|
||||||
|
|
||||||
profiles::packages::install:
|
profiles::packages::install:
|
||||||
- lzo
|
- lzo
|
||||||
- network-scripts
|
|
||||||
- policycoreutils
|
|
||||||
- unar
|
|
||||||
- xz
|
- xz
|
||||||
|
- policycoreutils
|
||||||
|
|
||||||
lm-sensors::package: lm_sensors
|
lm-sensors::package: lm_sensors
|
||||||
|
|
||||||
@@ -24,54 +19,44 @@ profiles::yum::global::repos:
|
|||||||
target: /etc/yum.repos.d/baseos.repo
|
target: /etc/yum.repos.d/baseos.repo
|
||||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
|
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
|
||||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
|
||||||
extras:
|
extras:
|
||||||
name: extras
|
name: extras
|
||||||
descr: extras repository
|
descr: extras repository
|
||||||
target: /etc/yum.repos.d/extras.repo
|
target: /etc/yum.repos.d/extras.repo
|
||||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
|
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
|
||||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
|
||||||
appstream:
|
appstream:
|
||||||
name: appstream
|
name: appstream
|
||||||
descr: appstream repository
|
descr: appstream repository
|
||||||
target: /etc/yum.repos.d/appstream.repo
|
target: /etc/yum.repos.d/appstream.repo
|
||||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
|
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
|
||||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
|
||||||
powertools:
|
powertools:
|
||||||
name: powertools
|
name: powertools
|
||||||
descr: powertools repository
|
descr: powertools repository
|
||||||
target: /etc/yum.repos.d/powertools.repo
|
target: /etc/yum.repos.d/powertools.repo
|
||||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
|
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
|
||||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
|
||||||
highavailability:
|
highavailability:
|
||||||
name: highavailability
|
name: highavailability
|
||||||
descr: highavailability repository
|
descr: highavailability repository
|
||||||
target: /etc/yum.repos.d/highavailability.repo
|
target: /etc/yum.repos.d/highavailability.repo
|
||||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
|
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
|
||||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
|
||||||
epel:
|
epel:
|
||||||
name: epel
|
name: epel
|
||||||
descr: epel repository
|
descr: epel repository
|
||||||
target: /etc/yum.repos.d/epel.repo
|
target: /etc/yum.repos.d/epel.repo
|
||||||
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
|
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
|
||||||
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
|
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
|
||||||
mirrorlist: absent
|
|
||||||
puppet:
|
puppet:
|
||||||
name: puppet
|
name: puppet
|
||||||
descr: puppet repository
|
descr: puppet repository
|
||||||
target: /etc/yum.repos.d/puppet.repo
|
target: /etc/yum.repos.d/puppet.repo
|
||||||
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
|
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
|
||||||
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
|
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
|
||||||
mirrorlist: absent
|
|
||||||
unkin:
|
unkin:
|
||||||
name: unkin
|
name: unkin
|
||||||
descr: unkin repository
|
descr: unkin repository
|
||||||
target: /etc/yum.repos.d/unkin.repo
|
target: /etc/yum.repos.d/unkin.repo
|
||||||
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
|
baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os
|
||||||
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
|
|
||||||
gpgcheck: false
|
|
||||||
mirrorlist: absent
|
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
# hieradata/os/debian/all_releases.yaml
|
# hieradata/os/debian/all_releases.yaml
|
||||||
---
|
---
|
||||||
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
|
profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian
|
||||||
profiles::apt::base::secureurl: http://security.debian.org/debian-security
|
profiles::apt::base::secureurl: http://security.debian.org/debian-security
|
||||||
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
|
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
|
||||||
profiles::apt::puppet7::repo: puppet7
|
profiles::apt::puppet7::repo: puppet7
|
||||||
@@ -12,4 +12,3 @@ profiles::packages::install:
|
|||||||
- xz-utils
|
- xz-utils
|
||||||
|
|
||||||
lm-sensors::package: lm-sensors
|
lm-sensors::package: lm-sensors
|
||||||
networking::nwmgr_dns_none: false
|
|
||||||
|
|||||||
@@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEBANgP2ifU7NbuMs+kWpeg1tchR5IMD7Z7kMpRBejgCMHludTYGf/BzxTe36YjpwLsuUd658QK5vE4EYpM1MuzqfuNiWJa5ec1IR/AgWQUMZcpjEDEqpHTb2qygmpc+jb3vW1EMBleZL2Z4GrgJ00gWO/EvukBSPgyxBsFe4Bb/L3aK6xiucG3JA9A7qA6cS4Oz5pf8dfC0FBjsc+XN7++bJN5pWUgMcEDgiyCy3bkL2gWfPKOWfabTRwuC3qd6SihZMg/tY8uoDfYoI8jHkjU07/mhC6AD930wgcFG+xJwNAX7FxLvLyJ8iN/648LVoZFuszYiTwPib1CszksdYBjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBSGXrbrl4FisZN5FT1hfmrgDBnV2SVfCJIYYyZ9+Vo1ykNmzUypJdJ+4llyXA7FOuH90xVZvLZMjNMhVCxP48CiYI=]
|
|
||||||
@@ -1,101 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- profiles::nginx::simpleproxy
|
|
||||||
|
|
||||||
profiles::yum::global::repos:
|
|
||||||
ceph-reef:
|
|
||||||
name: ceph-reef
|
|
||||||
descr: ceph reef repository
|
|
||||||
target: /etc/yum.repos.d/ceph-reef.repo
|
|
||||||
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
|
|
||||||
gpgcheck: 0,
|
|
||||||
mirrorlist: absent
|
|
||||||
|
|
||||||
profiles::ceph::client::keyrings:
|
|
||||||
media:
|
|
||||||
key: "%{hiera('ceph::key::media')}"
|
|
||||||
|
|
||||||
profiles::base::groups::local:
|
|
||||||
media:
|
|
||||||
ensure: present
|
|
||||||
gid: 20000
|
|
||||||
allowdupe: false
|
|
||||||
forcelocal: true
|
|
||||||
|
|
||||||
ldap_host: 'ldap.service.consul'
|
|
||||||
ldap_basedn: 'dc=main,dc=unkin,dc=net'
|
|
||||||
|
|
||||||
profiles::nginx::simpleproxy::locations:
|
|
||||||
# authentication proxy
|
|
||||||
authproxy:
|
|
||||||
ensure: 'present'
|
|
||||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
||||||
ssl_only: true
|
|
||||||
internal: true
|
|
||||||
location: '= /auth-proxy'
|
|
||||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
|
|
||||||
proxy_set_header:
|
|
||||||
- 'Content-Length ""'
|
|
||||||
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
|
|
||||||
- 'X-Ldap-Starttls "false"'
|
|
||||||
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
|
|
||||||
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
|
|
||||||
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
|
|
||||||
- 'X-CookieName "nginxauth"'
|
|
||||||
- 'Cookie nginxauth=$cookie_nginxauth'
|
|
||||||
- "X-Ldap-Template %{lookup('ldap_template')}"
|
|
||||||
- 'X-Ldap-Realm "Restricted"'
|
|
||||||
proxy_cache: 'cache'
|
|
||||||
proxy_cache_valid: '200 10m'
|
|
||||||
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
|
|
||||||
location_cfg_append:
|
|
||||||
proxy_pass_request_body: 'off'
|
|
||||||
# health checks by consul/haproxy
|
|
||||||
arrstack_web_healthcheck:
|
|
||||||
ensure: 'present'
|
|
||||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
||||||
ssl_only: true
|
|
||||||
location: '/consul/health'
|
|
||||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
|
||||||
proxy_set_header:
|
|
||||||
- 'Host $host'
|
|
||||||
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
|
||||||
- 'X-Forwarded-Host $host'
|
|
||||||
- 'X-Forwarded-Proto $scheme'
|
|
||||||
- 'Upgrade $http_upgrade'
|
|
||||||
- 'Connection $http_connection'
|
|
||||||
proxy_redirect: 'off'
|
|
||||||
proxy_http_version: '1.1'
|
|
||||||
location_allow:
|
|
||||||
- 127.0.0.1
|
|
||||||
- "%{facts.networking.ip}"
|
|
||||||
- 198.18.13.25
|
|
||||||
- 198.18.13.26
|
|
||||||
location_deny:
|
|
||||||
- all
|
|
||||||
# authorised access from external
|
|
||||||
arrstack_web_external:
|
|
||||||
ensure: 'present'
|
|
||||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
||||||
ssl_only: true
|
|
||||||
location: '/'
|
|
||||||
auth_request: '/auth-proxy'
|
|
||||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
|
||||||
proxy_set_header:
|
|
||||||
- 'Host $host'
|
|
||||||
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
|
||||||
- 'X-Forwarded-Host $host'
|
|
||||||
- 'X-Forwarded-Proto $scheme'
|
|
||||||
- 'Upgrade $http_upgrade'
|
|
||||||
- 'Connection $http_connection'
|
|
||||||
proxy_redirect: 'off'
|
|
||||||
proxy_http_version: '1.1'
|
|
||||||
# location for api, which should be accessible without authentication
|
|
||||||
arrstack_api:
|
|
||||||
ensure: 'present'
|
|
||||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
||||||
ssl_only: true
|
|
||||||
location: '~ /api'
|
|
||||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
|
||||||
location_cfg_append:
|
|
||||||
client_max_body_size: '20m'
|
|
||||||
@@ -1,63 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- jellyfin
|
|
||||||
|
|
||||||
# manage jellyfin
|
|
||||||
jellyfin::params::service_enable: true
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- jellyfin.main.unkin.net
|
|
||||||
- jellyfin.service.consul
|
|
||||||
- jellyfin.query.consul
|
|
||||||
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
|
||||||
profiles::nginx::simpleproxy::nginx_vhost: 'jellyfin.query.consul'
|
|
||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
|
||||||
- jellyfin.main.unkin.net
|
|
||||||
- jellyfin.service.consul
|
|
||||||
- jellyfin.query.consul
|
|
||||||
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::nginx::simpleproxy::proxy_port: 8096
|
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
nginx::client_max_body_size: 10M
|
|
||||||
consul::services:
|
|
||||||
jellyfin:
|
|
||||||
service_name: 'jellyfin'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'jellyfin'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 443
|
|
||||||
checks:
|
|
||||||
- id: 'jellyfin_http_check'
|
|
||||||
name: 'jellyfin HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:443"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: jellyfin
|
|
||||||
disposition: write
|
|
||||||
|
|
||||||
profiles::yum::global::repos:
|
|
||||||
rpmfusion-free:
|
|
||||||
name: rpmfusion-free
|
|
||||||
descr: rpmfusion-free repository
|
|
||||||
target: /etc/yum.repos.d/rpmfusion.repo
|
|
||||||
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
|
||||||
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
|
|
||||||
mirrorlist: absent
|
|
||||||
rpmfusion-nonfree:
|
|
||||||
name: rpmfusion-nonfree
|
|
||||||
descr: rpmfusion-nonfree repository
|
|
||||||
target: /etc/yum.repos.d/rpmfusion.repo
|
|
||||||
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
|
||||||
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
|
|
||||||
mirrorlist: absent
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
|
|
||||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEDEyk6fBBnrjZvfK8MnUVOTWxhFGtgY34/2CuIq55MoVLsk2ZgVrL7Kt+94bqFhwEB67kuNpMGXqTgW5ose2yWs5iVSJLECsf9C+tvGBGwaV35LNwP5S3aQmFagyTpZZz9QlGKC7818jlXz7vZWDtiUhy5TGMHeyS0fdjCveavtZR28A+ZrvWjJeLdN47mmvYwYfFnQBs3kSgkl5KyMVhFWSFOSLeHsuEzCVXHoQ1jQG+2TV5m18wV0RR/sOju2E+vsulqlDgCyifgoiry4GzJeKNrNDI2bifzHCAi6yZqHL/klyqbGTnKLlA4xKoXsHF+xEwcoq4S9JDLAdWeH1SDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCdvh4yn8knozcYhinybRq3gDAwTKv8VakQG7XK/mcEplwtoiKqLnj9IIGdIUh1zPi2Sg48ET5rfZyl0p7ddIYoHjU=]
|
|
||||||
@@ -1,65 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- lidarr
|
|
||||||
- profiles::nginx::ldapauth
|
|
||||||
- profiles::metrics::exportarr
|
|
||||||
|
|
||||||
# manage lidarr
|
|
||||||
lidarr::params::user: lidarr
|
|
||||||
lidarr::params::group: media
|
|
||||||
lidarr::params::manage_group: false
|
|
||||||
lidarr::params::archive_version: 2.3.3
|
|
||||||
lidarr::params::port: 8000
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- lidarr.main.unkin.net
|
|
||||||
- lidarr.service.consul
|
|
||||||
- lidarr.query.consul
|
|
||||||
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
|
||||||
profiles::nginx::simpleproxy::nginx_vhost: 'lidarr.query.consul'
|
|
||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
|
||||||
- lidarr.main.unkin.net
|
|
||||||
- lidarr.service.consul
|
|
||||||
- lidarr.query.consul
|
|
||||||
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
|
|
||||||
ldap_binddn: 'cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=lidarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
consul::services:
|
|
||||||
lidarr:
|
|
||||||
service_name: 'lidarr'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'lidarr'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 443
|
|
||||||
checks:
|
|
||||||
- id: 'lidarr_http_check'
|
|
||||||
name: 'Lidarr HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: lidarr
|
|
||||||
disposition: write
|
|
||||||
|
|
||||||
profiles::metrics::exportarr:
|
|
||||||
app: 'lidarr'
|
|
||||||
config_path: '/opt/lidarr/config.xml'
|
|
||||||
api_key: "%{hiera('lidarr::api_key')}"
|
|
||||||
version: '2.0.1'
|
|
||||||
app_port: "%hiera('lidarr::params::port')"
|
|
||||||
enable_additional_metrics: true
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAPomn4iZbT0JEysvDo7OgblpoQLFp9DzryY558UfVWQq6HDAkgoSC42cbgZGBPFclCgLaO/LfBrFpRXkafEVV33Vg2AmP/FiS9SmmwREc3t/ZTvENlDIgasY3pDIph0/i5u0S45mjyzzciBK0KY6cMZvPDVRvU+d0SyVnbSBlef6VmyZOhUk6ILpaYTGu+suVR/BAL/DTKsmmY7iTotTWN+IW/1cY3vprvBMJQVftaO1WSqKftmX29/PAsxbQo6AMpuQFx/dMcMe3d5JTB0mgzIhAFaKmSC8vJFqe21Nrr8F+PxJMSEl1saBJTwJc5RyPVm9ejVKfcPhDfWK5stNNvjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAo205Hvo/Z+rhnSGgkTS2YgDB7pTHdgnQz1UOK323DRljWcqx+SnCA7izyF1SNMlzlCck79Fr4zKh0qnbYsMZDWZU=]
|
|
||||||
@@ -1,61 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
hiera_include:
|
|
||||||
- nzbget
|
|
||||||
- profiles::media::nzbget
|
|
||||||
- profiles::nginx::ldapauth
|
|
||||||
|
|
||||||
# manage nzbget
|
|
||||||
nzbget::params::user: nzbget
|
|
||||||
nzbget::params::group: media
|
|
||||||
nzbget::params::manage_group: false
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- nzbget.main.unkin.net
|
|
||||||
- nzbget.service.consul
|
|
||||||
- nzbget.query.consul
|
|
||||||
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
|
||||||
profiles::nginx::simpleproxy::nginx_vhost: 'nzbget.query.consul'
|
|
||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
|
||||||
- nzbget.main.unkin.net
|
|
||||||
- nzbget.service.consul
|
|
||||||
- nzbget.query.consul
|
|
||||||
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::nginx::simpleproxy::proxy_port: 6789
|
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
|
|
||||||
ldap_binddn: 'cn=svc_nzbget,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=nzbget_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
|
|
||||||
profiles::nginx::simpleproxy::locations:
|
|
||||||
arrstack_web_healthcheck:
|
|
||||||
location_cfg_append:
|
|
||||||
rewrite: '/consul/health / break'
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
consul::services:
|
|
||||||
nzbget:
|
|
||||||
service_name: 'nzbget'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'nzbget'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 443
|
|
||||||
checks:
|
|
||||||
- id: 'nzbget_http_check'
|
|
||||||
name: 'nzbget HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: nzbget
|
|
||||||
disposition: write
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
|
|
||||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhduPAqoZuq/xeRs4f/KX4r88evPMogQX79yofLAB5Qqdr48s2X0BAa1iiw0vMdL6Tf0uc794WJN5MP2Yp365Vk1yhwgqH92rt5hKPI+wBN5uak2iLgLzLWsp0HOx7d1ukDWBbj0lI6G5LiofsL3KJbbTnkovn06L4PRJXgn44+ynfywiCl2tPy2294DhfooeM6/Cy+t9lA6blzHLCOHtt/rBKmk1GT2y3YBCPhRfOumWXQWnv4Q+f6KkQkvpfPyAFYNiQxQYBv5bGwLnwiDk3xQnPM4FfcutVuAOKjsoeMa+K1KShDFyEfBxIER8JSpigj2/khstyihcVW0Xrod3uDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCRqqRwMThwn1F/6byFhTWxgDAfucfkFhmqxBv/u5H+wWnjvK5EH7eU/fECrajYPBW/cmsYjLgXlwrAzFGqWze3AZc=]
|
|
||||||
@@ -1,65 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- prowlarr
|
|
||||||
- profiles::nginx::ldapauth
|
|
||||||
- profiles::metrics::exportarr
|
|
||||||
|
|
||||||
# manage prowlarr
|
|
||||||
prowlarr::params::user: prowlarr
|
|
||||||
prowlarr::params::group: media
|
|
||||||
prowlarr::params::manage_group: false
|
|
||||||
prowlarr::params::archive_version: 1.19.0
|
|
||||||
prowlarr::params::port: 8000
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- prowlarr.main.unkin.net
|
|
||||||
- prowlarr.service.consul
|
|
||||||
- prowlarr.query.consul
|
|
||||||
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
|
||||||
profiles::nginx::simpleproxy::nginx_vhost: 'prowlarr.query.consul'
|
|
||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
|
||||||
- prowlarr.main.unkin.net
|
|
||||||
- prowlarr.service.consul
|
|
||||||
- prowlarr.query.consul
|
|
||||||
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
|
|
||||||
ldap_binddn: 'cn=svc_prowlarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=prowlarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
consul::services:
|
|
||||||
prowlarr:
|
|
||||||
service_name: 'prowlarr'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'prowlarr'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 443
|
|
||||||
checks:
|
|
||||||
- id: 'prowlarr_http_check'
|
|
||||||
name: 'Prowlarr HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: prowlarr
|
|
||||||
disposition: write
|
|
||||||
|
|
||||||
profiles::metrics::exportarr:
|
|
||||||
app: 'prowlarr'
|
|
||||||
config_path: '/opt/prowlarr/config.xml'
|
|
||||||
api_key: "%{hiera('prowlarr::api_key')}"
|
|
||||||
version: '2.0.1'
|
|
||||||
app_port: "%hiera('prowlarr::params::port')"
|
|
||||||
enable_additional_metrics: true
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
radarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALtNnNr2N7DpP9zx5anmQavFmsTLIyPkpJGCkJpUTHMYFSScS/3FOUuufajk4Cmu4FbPswp/N/U1nHO8oLF6xNQ+H77+xXuKPalW/3R1IRqGoczwsAfstJ6nYF+PLjjeK2TDP+KMs3Eg2+nrXB7NOVOP88RvDLyZq93Wn9qR+1VG6Y2gLqGSJArZpNilV5ygUYRgbMeckjqfLynYBXtgDQQLYNhxDO6WGRRv+0X773nmOdrWFAUjqF6/K+Ejjk5ZbaqnGyjljMstSrhg7NWxtMRbCjeMpjUjUS4Hn/Vayg2M2Ag2s87gsE1e4QFa6KP7GVRu3swvyZ3D54Ba/xrebxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDD6gIEfNGPXA8zv/vysgxJgDADMi7Fx5q+aqTMeqcKLg1AukTlCnJ62zykm6RNGdS0KlpJsvTSmWF4So3v/9BsKdk=]
|
|
||||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAf6LbAXy3EsJqkf4KO8xikpXfSVIVOD2obnwZLPEiCfbC0iJyZ2Uc/RbHM9NnIpg8dgEnYGgaBM9HC+kFKYFP4skLsPQ0mpqOv13WbOAHOphhyBxWc/n4Eg4HqMAiHsC4qA9Sj5j4F29tNiMmpNM0eqDXD6YIrajV5IF+SKQQzZrNSrcDrzjqENaMnJWVc2gj7Zb9kPB1LdM5ZfljpPtfQHXHhh9ShTDKuWMx46nc+UYaRcJqHEns7OExwpsEAtA1SSunD81PTijJ6Bn1Y6cAsZoBot5YgFGaWtgQ4jvEqj7EbG8gDJuHMSwa9RzA9SMsVwEh2g1pko7wYbBR/arV7jBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAhZlVaEdaLNh60gAY0KwEKgDAHPoXfFRq0I2K2J+NFgNFm/A00jYGVRfuPsX6VZfPaJ499dtMiJifrK3Kfk1oXpvk=]
|
|
||||||
@@ -1,66 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- radarr
|
|
||||||
- profiles::nginx::ldapauth
|
|
||||||
- profiles::metrics::exportarr
|
|
||||||
|
|
||||||
# manage radarr
|
|
||||||
radarr::params::user: radarr
|
|
||||||
radarr::params::group: media
|
|
||||||
radarr::params::manage_group: false
|
|
||||||
radarr::params::archive_version: 5.7.0
|
|
||||||
radarr::params::port: 8000
|
|
||||||
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- radarr.main.unkin.net
|
|
||||||
- radarr.service.consul
|
|
||||||
- radarr.query.consul
|
|
||||||
- "radarr.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
|
||||||
profiles::nginx::simpleproxy::nginx_vhost: 'radarr.query.consul'
|
|
||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
|
||||||
- radarr.main.unkin.net
|
|
||||||
- radarr.service.consul
|
|
||||||
- radarr.query.consul
|
|
||||||
- "radarr.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
|
|
||||||
ldap_binddn: 'cn=svc_radarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=radarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
consul::services:
|
|
||||||
radarr:
|
|
||||||
service_name: 'radarr'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'radarr'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 443
|
|
||||||
checks:
|
|
||||||
- id: 'radarr_http_check'
|
|
||||||
name: 'radarr HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: radarr
|
|
||||||
disposition: write
|
|
||||||
|
|
||||||
profiles::metrics::exportarr:
|
|
||||||
app: 'radarr'
|
|
||||||
config_path: '/opt/radarr/config.xml'
|
|
||||||
api_key: "%{hiera('radarr::api_key')}"
|
|
||||||
version: '2.0.1'
|
|
||||||
app_port: "%hiera('radarr::params::port')"
|
|
||||||
enable_additional_metrics: true
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
readarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlJ5RLp6pVTGQgtbzO5cQSrHBMg80S1ImFprHDeWC3GPN2KbheM80b1FKxvN+oVUJ8/kfiV6zstLOoYPUJQfmJNa/Xe95W/5+9hH2IS/oQ0yVdfLOjRq//qp+mVvSJ7JrtOyYSIrU3HjxaD+eXTPYp4UEJKfdSmGyDr7XuCOVIZe0Lu7OHczs8VKrowN99RJZ589HoMqrqCZWPlx14l/uNFjYdK/w6VcUWoo9y/5z1jtsNIObV8kSAYQQLwSr3tmjJdEE3au4sjeMOOJDpGcd5aJRWpKp12+8oHdVR5BV5326aCb13tkp6Td0jq/W9J2Jyv05vUdpP3PnVH9mHPDh6TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDA+2mMNGwfYM+mRoVTQiZMgDBanhVFmpYe42vZgMBKpNcNRjTnoCl27RpxD3KnjYwkE1zw/NeEOLoSZ1Try3GrlaA=]
|
|
||||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcOegaqGEsivQAlhSYvaiVUij4QJ/kterSg+wX/7P/oWjSN1oSNAFfco6lg5fYUsR7HDKZ4IwYuO1Q/q8hOxYkqzYrH/MIAhZatfQxyxriKuekxqOMuXgwrWCzAexQL0Fb4s5gcHQ4fwy5OxsM1CxFXnSSm1eYNXl5IERd//c0dFoIcshiGlOCFsj8Ne9mookFTJQDZrxM4VMXaVb+Fl9mOyy1ppDBKHTP/1ise/6LIUi+9YngamAWLIrsur5KvR45kvRoxDNLfJZasAqhD/5QLceDdSxqKBDur57QzmoPo2lFdT4WlzphKOdyHZtYOYr7BPdbtCqkXTWdkXvqFlRxjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCXhYe6zoRW7/OxVrZnAEoTgDDPFTz5S4nZWiwzjdT7Yd88Ii6I/v6ckaKTx0gd0pZKsVZkFYQBBhIfqFS2ho0UG3Y=]
|
|
||||||
@@ -1,65 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- readarr
|
|
||||||
- profiles::nginx::ldapauth
|
|
||||||
- profiles::metrics::exportarr
|
|
||||||
|
|
||||||
# manage readarr
|
|
||||||
readarr::params::user: readarr
|
|
||||||
readarr::params::group: media
|
|
||||||
readarr::params::manage_group: false
|
|
||||||
readarr::params::archive_version: 0.3.28
|
|
||||||
readarr::params::port: 8000
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- readarr.main.unkin.net
|
|
||||||
- readarr.service.consul
|
|
||||||
- readarr.query.consul
|
|
||||||
- "readarr.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
|
||||||
profiles::nginx::simpleproxy::nginx_vhost: 'readarr.query.consul'
|
|
||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
|
||||||
- readarr.main.unkin.net
|
|
||||||
- readarr.service.consul
|
|
||||||
- readarr.query.consul
|
|
||||||
- "readarr.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
|
|
||||||
ldap_binddn: 'cn=svc_readarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=readarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
consul::services:
|
|
||||||
readarr:
|
|
||||||
service_name: 'readarr'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'readarr'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 443
|
|
||||||
checks:
|
|
||||||
- id: 'readarr_http_check'
|
|
||||||
name: 'Readarr HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: readarr
|
|
||||||
disposition: write
|
|
||||||
|
|
||||||
profiles::metrics::exportarr:
|
|
||||||
app: 'readarr'
|
|
||||||
config_path: '/opt/readarr/config.xml'
|
|
||||||
api_key: "%{hiera('readarr::api_key')}"
|
|
||||||
version: '2.0.1'
|
|
||||||
app_port: "%hiera('readarr::params::port')"
|
|
||||||
enable_additional_metrics: true
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
sonarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANhwc0Vk0htkacwqGA/ZEVR7hpC1V2+nyP3lxyqkVNWERdcIsoMjlfwp2QNoLVirALY10Kon1wKXiRLT+QOqF9aTapS2Vb2YH3ZujR5yT6T1z4e0o4EA3IlNJZemVIziIqrK8+8zZzVafYdOYwMwpbc5EzoJPBtdqNHbDaQu4bRTCp2yMISTOzFjZpOoEJlRyC8YrffNU2xzA5mh5Cw+00MdIfPd8enrCnA4b1ddqP/IsfEYRt91ANQBULwKC5wenKdJAN5qKSKW6KU9TUM5YvGvUPgTvcYgXNf3/INL6G3/HwISTE5A7S6lqwYLyRTT1fMHtgDIqS936DPqCdAZtzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBZ4e3jAM0zvV43IrCzQOGIgDBwOWgm+wJG+jAU8r1awWDvzQXgF3h65nAKfoOuGEztsjeBEruU4EmZy6llLbfSSb8=]
|
|
||||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF5/sP43SJX/FB6cAS0GPqxC78JS7jSNKoUqWB/IXkv8uXYiClqk+Xw4nFx8EtknNn628DHBY3vCLQ59Xk89p0fyimP70m3BM6or5iRGdCqEAOzL399GbYX8WFHjyQRBmGdaLR5h2r5UnmjuPpDtV+fgsqxo4gNpXnuQ+46ZZPQce/dzHzux+4aEK4Q6UbD/ZZSQklD6zEUV+Agj6E9cQlJPBiHtTyUdXOYHYlJN1HhFPXu3C6KIz63YioVCah1n6T/rJtPQ07pVUfizIaJiPpzcUN91+ZWyyjUPo0bRGZtYKVs/uCAYXht4F5ttKQDaGa3wd4a5IdtacmEWQWFqk3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDtB/68xkjxK3nrNh0MilACgDDt85aBvSp/Oj9EY67eNPr+JcnQ7WfyuqAYAnmYqfbQI8MDtYAx7br0+inJXvQ1BvI=]
|
|
||||||
@@ -1,57 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- sonarr
|
|
||||||
- profiles::nginx::ldapauth
|
|
||||||
- profiles::metrics::exportarr
|
|
||||||
|
|
||||||
# manage sonarr
|
|
||||||
sonarr::params::user: sonarr
|
|
||||||
sonarr::params::group: media
|
|
||||||
sonarr::params::manage_group: false
|
|
||||||
sonarr::params::archive_version: 4.0.5
|
|
||||||
sonarr::params::port: 8000
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- sonarr.main.unkin.net
|
|
||||||
- sonarr.service.consul
|
|
||||||
- sonarr.query.consul
|
|
||||||
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
|
||||||
profiles::nginx::simpleproxy::nginx_vhost: 'sonarr.query.consul'
|
|
||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
|
||||||
- sonarr.main.unkin.net
|
|
||||||
- sonarr.service.consul
|
|
||||||
- sonarr.query.consul
|
|
||||||
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
|
||||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
|
||||||
profiles::nginx::simpleproxy::use_default_location: false
|
|
||||||
nginx::client_max_body_size: 20M
|
|
||||||
|
|
||||||
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
|
||||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
consul::services:
|
|
||||||
sonarr:
|
|
||||||
service_name: 'sonarr'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'sonarr'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 443
|
|
||||||
checks:
|
|
||||||
- id: 'sonarr_http_check'
|
|
||||||
name: 'Sonarr HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: sonarr
|
|
||||||
disposition: write
|
|
||||||
@@ -3,4 +3,3 @@ profiles::packages::install:
|
|||||||
- policycoreutils
|
- policycoreutils
|
||||||
|
|
||||||
puppetdb::master::config::create_puppet_service_resource: false
|
puppetdb::master::config::create_puppet_service_resource: false
|
||||||
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
|
|
||||||
|
|||||||
@@ -1,157 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- glauth
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- ldap.main.unkin.net
|
|
||||||
- ldap.service.consul
|
|
||||||
- ldap.query.consul
|
|
||||||
- "ldap.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
glauth::params::download_version: 2.3.2
|
|
||||||
glauth::params::ldap_enabled: true
|
|
||||||
glauth::params::ldaps_enabled: true
|
|
||||||
glauth::params::basedn: 'dc=main,dc=unkin,dc=net'
|
|
||||||
glauth::params::behaviors_ignorecapabilities: true
|
|
||||||
glauth::params::ldap_tlscertpath: /etc/pki/tls/vault/certificate.crt
|
|
||||||
glauth::params::ldap_tlskeypath: /etc/pki/tls/vault/private.key
|
|
||||||
glauth::params::ldaps_cert: /etc/pki/tls/vault/certificate.crt
|
|
||||||
glauth::params::ldaps_key: /etc/pki/tls/vault/private.key
|
|
||||||
glauth::params::api_cert: /etc/pki/tls/vault/certificate.crt
|
|
||||||
glauth::params::api_key: /etc/pki/tls/vault/private.key
|
|
||||||
|
|
||||||
# configure consul service
|
|
||||||
consul::services:
|
|
||||||
ldap:
|
|
||||||
service_name: 'ldap'
|
|
||||||
tags:
|
|
||||||
- 'media'
|
|
||||||
- 'ldap'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 636
|
|
||||||
checks:
|
|
||||||
- id: 'glauth_http_check'
|
|
||||||
name: 'glauth HTTP Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:5555"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: ldap
|
|
||||||
disposition: write
|
|
||||||
|
|
||||||
glauth::users:
|
|
||||||
benvin:
|
|
||||||
user_name: 'benvin'
|
|
||||||
givenname: 'Ben'
|
|
||||||
sn: 'Vincent'
|
|
||||||
mail: 'benvin@users.main.unkin.net'
|
|
||||||
uidnumber: 20000
|
|
||||||
primarygroup: 20000
|
|
||||||
othergroups:
|
|
||||||
- 20010
|
|
||||||
- 20011
|
|
||||||
- 20012
|
|
||||||
- 20013
|
|
||||||
- 20014
|
|
||||||
- 20015
|
|
||||||
- 20016
|
|
||||||
loginshell: '/bin/bash'
|
|
||||||
homedir: '/home/benvin'
|
|
||||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
|
||||||
sshkeys:
|
|
||||||
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net'
|
|
||||||
matsol:
|
|
||||||
user_name: 'matsol'
|
|
||||||
givenname: 'Matt'
|
|
||||||
sn: 'Solomon'
|
|
||||||
mail: 'matsol@users.main.unkin.net'
|
|
||||||
uidnumber: 20001
|
|
||||||
primarygroup: 20000
|
|
||||||
othergroups:
|
|
||||||
- 20010
|
|
||||||
- 20011
|
|
||||||
- 20012
|
|
||||||
- 20013
|
|
||||||
- 20014
|
|
||||||
- 20015
|
|
||||||
- 20016
|
|
||||||
loginshell: '/bin/bash'
|
|
||||||
homedir: '/home/matsol'
|
|
||||||
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
|
|
||||||
|
|
||||||
glauth::services:
|
|
||||||
svc_jellyfin:
|
|
||||||
service_name: 'svc_jellyfin'
|
|
||||||
mail: 'jellyfin@service.main.unkin.net'
|
|
||||||
uidnumber: 30000
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: '97f7b1eb24deb0a86e812d79c56f4901d39a24128dc9f6fde033e7195f7d0739'
|
|
||||||
svc_sonarr:
|
|
||||||
service_name: 'svc_sonarr'
|
|
||||||
mail: 'sonarr@service.main.unkin.net'
|
|
||||||
uidnumber: 30001
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: '2c32d4cb831183cfbef15835cc76f99b401d0159621bc580e852253d4d8f8722'
|
|
||||||
svc_radarr:
|
|
||||||
service_name: 'svc_radarr'
|
|
||||||
mail: 'radarr@service.main.unkin.net'
|
|
||||||
uidnumber: 30002
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: '805b0182d90c2b5b3ba43e50988447a0bff0115eb5fedd8eeae8eac00ba53025'
|
|
||||||
svc_lidarr:
|
|
||||||
service_name: 'svc_lidarr'
|
|
||||||
mail: 'lidarr@service.main.unkin.net'
|
|
||||||
uidnumber: 30003
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: '6d04cd2a45784bacbd50e6714710b55805c7e9886665a6d7790e6d8712b67aff'
|
|
||||||
svc_readarr:
|
|
||||||
service_name: 'svc_readarr'
|
|
||||||
mail: 'readarr@service.main.unkin.net'
|
|
||||||
uidnumber: 30004
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: '751f22fbd9c052b2cd0c1cb4be514d8710f1a51f84ce44f607ab3a5591162f8c'
|
|
||||||
svc_prowlarr:
|
|
||||||
service_name: 'svc_prowlarr'
|
|
||||||
mail: 'prowlarr@service.main.unkin.net'
|
|
||||||
uidnumber: 30005
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043'
|
|
||||||
svc_nzbget:
|
|
||||||
service_name: 'svc_nzbget'
|
|
||||||
mail: 'nzbget@service.main.unkin.net'
|
|
||||||
uidnumber: 30006
|
|
||||||
primarygroup: 20001
|
|
||||||
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
|
|
||||||
|
|
||||||
glauth::groups:
|
|
||||||
users:
|
|
||||||
group_name: 'people'
|
|
||||||
gidnumber: 20000
|
|
||||||
services:
|
|
||||||
group_name: 'services'
|
|
||||||
gidnumber: 20001
|
|
||||||
jellyfin_access:
|
|
||||||
group_name: 'jellyfin_access'
|
|
||||||
gidnumber: 20010
|
|
||||||
sonarr_access:
|
|
||||||
group_name: 'sonarr_access'
|
|
||||||
gidnumber: 20011
|
|
||||||
radarr_access:
|
|
||||||
group_name: 'radarr_access'
|
|
||||||
gidnumber: 20012
|
|
||||||
lidarr_access:
|
|
||||||
group_name: 'lidarr_access'
|
|
||||||
gidnumber: 20013
|
|
||||||
readarr_access:
|
|
||||||
group_name: 'readarr_access'
|
|
||||||
gidnumber: 20014
|
|
||||||
prowlarr_access:
|
|
||||||
group_name: 'prowlarr_access'
|
|
||||||
gidnumber: 20015
|
|
||||||
nzbget_access:
|
|
||||||
group_name: 'nzbget_access'
|
|
||||||
gidnumber: 20016
|
|
||||||
@@ -17,5 +17,5 @@ profiles::pki::vault::alt_names:
|
|||||||
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
|
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
|
||||||
profiles::selinux::setenforce::mode: permissive
|
profiles::selinux::setenforce::mode: permissive
|
||||||
|
|
||||||
hiera_include:
|
hiera_classes:
|
||||||
- profiles::selinux::setenforce
|
- profiles::selinux::setenforce
|
||||||
|
|||||||
@@ -1,3 +1,3 @@
|
|||||||
---
|
---
|
||||||
profiles::gitea::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
|
profiles::gitea::init::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
|
||||||
profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEACd6q4E/4l1EYD3SFjc1okibyJ13kcGGWU+ShbCgwLgkW7INkyCxhbNm69yPA7WcyuRhH/Lfz/XjJKd3BSCyRQPr5IUOIRINspx82tLBcaMzY/99GFrfyDnf3+SV/AxrPJ/zD5TGkKQP7uX6WjC9DXpHE+pFJa9wBAipmV439y0JDVt2gXFmhqBWThSjBDBfJ5X4zO5wY8CfBX4APOcD5hIQP/T4n04dQLNpigEKKy6B+GFuooTbdmMmFj3ZpT+cUS8Aw9mFkBwyyN1o+50XU3vW4eieUz8cYkzDPu574XfTunqD2jcvPiFjCla8G1SpKfHkruKnZWwgO0Ntw9td5QDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAIRVL5j4dzbYg6f2XjvkQ6gDAd2qUNzPn2flZgKwsjIZcYdmFMTn48hGPUFfVaMDeyzPoJi84CyRJl8cQvcAe52sw=]
|
profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEACd6q4E/4l1EYD3SFjc1okibyJ13kcGGWU+ShbCgwLgkW7INkyCxhbNm69yPA7WcyuRhH/Lfz/XjJKd3BSCyRQPr5IUOIRINspx82tLBcaMzY/99GFrfyDnf3+SV/AxrPJ/zD5TGkKQP7uX6WjC9DXpHE+pFJa9wBAipmV439y0JDVt2gXFmhqBWThSjBDBfJ5X4zO5wY8CfBX4APOcD5hIQP/T4n04dQLNpigEKKy6B+GFuooTbdmMmFj3ZpT+cUS8Aw9mFkBwyyN1o+50XU3vW4eieUz8cYkzDPu574XfTunqD2jcvPiFjCla8G1SpKfHkruKnZWwgO0Ntw9td5QDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAIRVL5j4dzbYg6f2XjvkQ6gDAd2qUNzPn2flZgKwsjIZcYdmFMTn48hGPUFfVaMDeyzPoJi84CyRJl8cQvcAe52sw=]
|
||||||
|
|||||||
@@ -6,11 +6,6 @@ profiles::pki::vault::alt_names:
|
|||||||
- git.query.consul
|
- git.query.consul
|
||||||
- "git.service.%{facts.country}-%{facts.region}.consul"
|
- "git.service.%{facts.country}-%{facts.region}.consul"
|
||||||
|
|
||||||
profiles::ssh::sign::principals:
|
|
||||||
- git.main.unkin.net
|
|
||||||
- git.service.consul
|
|
||||||
- git.query.consul
|
|
||||||
|
|
||||||
consul::services:
|
consul::services:
|
||||||
git:
|
git:
|
||||||
service_name: 'git'
|
service_name: 'git'
|
||||||
@@ -42,43 +37,3 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
|||||||
profiles::nginx::simpleproxy::proxy_port: 3000
|
profiles::nginx::simpleproxy::proxy_port: 3000
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||||
nginx::client_max_body_size: 250M
|
nginx::client_max_body_size: 250M
|
||||||
|
|
||||||
profiles::gitea::init::root:
|
|
||||||
APP_NAME: 'Gitea'
|
|
||||||
RUN_USER: 'git'
|
|
||||||
RUN_MODE: 'prod'
|
|
||||||
profiles::gitea::init::repository:
|
|
||||||
ROOT: '/data/gitea/repos'
|
|
||||||
FORCE_PRIVATE: false
|
|
||||||
MAX_CREATION_LIMIT: -1
|
|
||||||
DISABLE_HTTP_GIT: false
|
|
||||||
DEFAULT_BRANCH: 'main'
|
|
||||||
DEFAULT_PRIVATE: 'last'
|
|
||||||
profiles::gitea::init::ui:
|
|
||||||
SHOW_USER_EMAIL: false
|
|
||||||
profiles::gitea::init::server:
|
|
||||||
PROTOCOL: 'http'
|
|
||||||
DOMAIN: 'git.query.consul'
|
|
||||||
ROOT_URL: 'https://git.query.consul'
|
|
||||||
HTTP_ADDR: '0.0.0.0'
|
|
||||||
HTTP_PORT: 3000
|
|
||||||
START_SSH_SERVER: false
|
|
||||||
SSH_DOMAIN: 'git.query.consul'
|
|
||||||
SSH_PORT: 2222
|
|
||||||
SSH_LISTEN_HOST: '0.0.0.0'
|
|
||||||
OFFLINE_MODE: true
|
|
||||||
APP_DATA_PATH: '/data/gitea'
|
|
||||||
SSH_LISTEN_PORT: 22
|
|
||||||
LFS_START_SERVER: true
|
|
||||||
profiles::gitea::init::database:
|
|
||||||
DB_TYPE: 'mysql'
|
|
||||||
HOST: 'mariadb-prod.service.au-syd1.consul:3306'
|
|
||||||
NAME: 'gitea'
|
|
||||||
USER: 'gitea'
|
|
||||||
PASSWD: "%{hiera('profiles::gitea::mysql_pass')}"
|
|
||||||
SSL_MODE: 'disable'
|
|
||||||
LOG_SQL: false
|
|
||||||
profiles::gitea::init::lfs:
|
|
||||||
PATH: '/data/gitea/lfs'
|
|
||||||
profiles::gitea::init::session:
|
|
||||||
PROVIDER: db
|
|
||||||
|
|||||||
@@ -15,7 +15,6 @@ profiles::haproxy::server::globals:
|
|||||||
stats:
|
stats:
|
||||||
- timeout 30s
|
- timeout 30s
|
||||||
- socket /var/lib/haproxy/stats
|
- socket /var/lib/haproxy/stats
|
||||||
- socket /var/lib/haproxy/admin.sock mode 660 level admin
|
|
||||||
ca-base: /etc/ssl/certs
|
ca-base: /etc/ssl/certs
|
||||||
crt-base: /etc/ssl/private
|
crt-base: /etc/ssl/private
|
||||||
ssl-default-bind-ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
ssl-default-bind-ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||||
@@ -53,8 +52,6 @@ profiles::haproxy::frontends:
|
|||||||
options:
|
options:
|
||||||
acl:
|
acl:
|
||||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||||
use_backend:
|
|
||||||
- 'be_letsencrypt if acl-letsencrypt'
|
|
||||||
http-request:
|
http-request:
|
||||||
- 'set-header X-Forwarded-Proto https'
|
- 'set-header X-Forwarded-Proto https'
|
||||||
- 'set-header X-Real-IP %[src]'
|
- 'set-header X-Real-IP %[src]'
|
||||||
@@ -70,8 +67,6 @@ profiles::haproxy::frontends:
|
|||||||
options:
|
options:
|
||||||
acl:
|
acl:
|
||||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||||
use_backend:
|
|
||||||
- 'be_letsencrypt if acl-letsencrypt'
|
|
||||||
http-request:
|
http-request:
|
||||||
- 'set-header X-Forwarded-Proto https'
|
- 'set-header X-Forwarded-Proto https'
|
||||||
- 'set-header X-Real-IP %[src]'
|
- 'set-header X-Real-IP %[src]'
|
||||||
@@ -94,6 +89,3 @@ profiles::haproxy::backends:
|
|||||||
http-request:
|
http-request:
|
||||||
- set-header X-Forwarded-Port %[dst_port]
|
- set-header X-Forwarded-Port %[dst_port]
|
||||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||||
|
|
||||||
prometheus::haproxy_exporter::cnf_scrape_uri: unix:/var/lib/haproxy/stats
|
|
||||||
prometheus::haproxy_exporter::export_scrape_job: true
|
|
||||||
|
|||||||
@@ -1,49 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- profiles::nginx::simpleproxy
|
|
||||||
|
|
||||||
profiles::metrics::grafana::mysql_host: "mariadb-%{facts.environment}.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::metrics::grafana::mysql_port: 3306
|
|
||||||
|
|
||||||
# additional altnames
|
|
||||||
profiles::pki::vault::alt_names:
|
|
||||||
- grafana.main.unkin.net
|
|
||||||
- grafana.service.consul
|
|
||||||
- grafana.query.consul
|
|
||||||
- "grafana.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
|
|
||||||
profiles::ssh::sign::principals:
|
|
||||||
- grafana.main.unkin.net
|
|
||||||
- grafana.service.consul
|
|
||||||
- grafana.query.consul
|
|
||||||
|
|
||||||
consul::services:
|
|
||||||
grafana:
|
|
||||||
service_name: 'grafana'
|
|
||||||
tags:
|
|
||||||
- 'grafana'
|
|
||||||
- 'metrics'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 443
|
|
||||||
checks:
|
|
||||||
- id: 'Grafana_https_check'
|
|
||||||
name: 'Grafana HTTPS Check'
|
|
||||||
http: "https://%{facts.networking.fqdn}:443"
|
|
||||||
method: 'GET'
|
|
||||||
tls_skip_verify: true
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: grafana
|
|
||||||
disposition: write
|
|
||||||
|
|
||||||
# manage a simple nginx reverse proxy
|
|
||||||
profiles::nginx::simpleproxy::nginx_vhost: 'grafana.query.consul'
|
|
||||||
profiles::nginx::simpleproxy::nginx_aliases:
|
|
||||||
- grafana.main.unkin.net
|
|
||||||
- grafana.service.consul
|
|
||||||
- grafana.query.consul
|
|
||||||
- "grafana.service.%{facts.country}-%{facts.region}.consul"
|
|
||||||
profiles::nginx::simpleproxy::proxy_port: 8080
|
|
||||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
|
||||||
@@ -8,5 +8,4 @@ profiles::metrics::server::scrape_jobs:
|
|||||||
- bind
|
- bind
|
||||||
- puppetdb
|
- puppetdb
|
||||||
- systemd
|
- systemd
|
||||||
- haproxy
|
|
||||||
profiles::metrics::server::localstorage: /data/prometheus
|
profiles::metrics::server::localstorage: /data/prometheus
|
||||||
|
|||||||
@@ -12,24 +12,3 @@ profiles::ntp::server::peers:
|
|||||||
- '1.au.pool.ntp.org'
|
- '1.au.pool.ntp.org'
|
||||||
- '2.au.pool.ntp.org'
|
- '2.au.pool.ntp.org'
|
||||||
- '3.au.pool.ntp.org'
|
- '3.au.pool.ntp.org'
|
||||||
|
|
||||||
consul::services:
|
|
||||||
ntp:
|
|
||||||
service_name: 'ntp'
|
|
||||||
tags:
|
|
||||||
- 'ntp'
|
|
||||||
- 'time'
|
|
||||||
- 'sync'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 123
|
|
||||||
checks:
|
|
||||||
- id: ntp_check
|
|
||||||
name: "NTP Service Check"
|
|
||||||
args:
|
|
||||||
- '/usr/local/bin/check_ntp.sh'
|
|
||||||
interval: '15s'
|
|
||||||
timeout: '5s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: ntp
|
|
||||||
disposition: write
|
|
||||||
|
|||||||
@@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
hiera_include:
|
|
||||||
- certbot
|
|
||||||
- profiles::pki::puppetcerts
|
|
||||||
|
|
||||||
certbot::domains:
|
|
||||||
- au-syd1-pve.main.unkin.net
|
|
||||||
- au-syd1-pve-api.main.unkin.net
|
|
||||||
- sonarr.main.unkin.net
|
|
||||||
- radarr.main.unkin.net
|
|
||||||
- lidarr.main.unkin.net
|
|
||||||
- readarr.main.unkin.net
|
|
||||||
- prowlarr.main.unkin.net
|
|
||||||
- nzbget.main.unkin.net
|
|
||||||
- fafflix.unkin.net
|
|
||||||
@@ -5,31 +5,3 @@ sudo::configs:
|
|||||||
content: |
|
content: |
|
||||||
ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
|
ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
|
||||||
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
|
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
|
||||||
|
|
||||||
hiera_exclude:
|
|
||||||
- networking
|
|
||||||
|
|
||||||
# proxmox tools use root to authenticate against each other
|
|
||||||
ssh::server::options:
|
|
||||||
PermitRootLogin: yes
|
|
||||||
AcceptEnv:
|
|
||||||
- LANG LC_*
|
|
||||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
||||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
||||||
- XMODIFIERS
|
|
||||||
ListenAddress:
|
|
||||||
- "%{facts.networking.interfaces.vmbr1.ip}"
|
|
||||||
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: ceph-mon
|
|
||||||
disposition: write
|
|
||||||
- resource: service
|
|
||||||
segment: ceph-mds
|
|
||||||
disposition: write
|
|
||||||
- resource: service
|
|
||||||
segment: ceph-mgr
|
|
||||||
disposition: write
|
|
||||||
- resource: service
|
|
||||||
segment: ceph-osd
|
|
||||||
disposition: write
|
|
||||||
|
|||||||
@@ -37,14 +37,6 @@ profiles::helpers::certmanager::vault_config:
|
|||||||
output_path: '/tmp/certmanager'
|
output_path: '/tmp/certmanager'
|
||||||
role_id: "%{lookup('certmanager::role_id')}"
|
role_id: "%{lookup('certmanager::role_id')}"
|
||||||
|
|
||||||
profiles::helpers::sshsignhost::vault_config:
|
|
||||||
addr: 'https://vault.service.consul:8200'
|
|
||||||
mount_point: 'ssh-host-signer'
|
|
||||||
approle_path: 'approle'
|
|
||||||
role_name: 'hostrole'
|
|
||||||
output_path: '/tmp/sshsignhost'
|
|
||||||
role_id: "%{lookup('sshsignhost::role_id')}"
|
|
||||||
|
|
||||||
profiles::puppet::server::agent_server: 'puppet.query.consul'
|
profiles::puppet::server::agent_server: 'puppet.query.consul'
|
||||||
profiles::puppet::server::report_server: 'puppet.query.consul'
|
profiles::puppet::server::report_server: 'puppet.query.consul'
|
||||||
profiles::puppet::server::ca_server: 'puppetca.query.consul'
|
profiles::puppet::server::ca_server: 'puppetca.query.consul'
|
||||||
@@ -58,10 +50,6 @@ profiles::puppet::server::dns_alt_names:
|
|||||||
- puppetmaster
|
- puppetmaster
|
||||||
- puppet
|
- puppet
|
||||||
|
|
||||||
profiles::ssh::sign::principals:
|
|
||||||
- puppet.service.consul
|
|
||||||
- puppet.query.consul
|
|
||||||
|
|
||||||
consul::services:
|
consul::services:
|
||||||
puppet:
|
puppet:
|
||||||
service_name: 'puppet'
|
service_name: 'puppet'
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java
|
profiles::puppetdb::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java
|
||||||
profiles::puppet::puppetdb_api::java_args:
|
profiles::puppetdb::puppetdb_api::java_args:
|
||||||
'-Xmx': '2048m'
|
'-Xmx': '2048m'
|
||||||
'-Xms': '256m'
|
'-Xms': '256m'
|
||||||
|
|
||||||
|
|||||||
@@ -1 +0,0 @@
|
|||||||
profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAes6pfgtxctlXpsD+P5bahGP46nbXdPE3EiwdWPSiFP0MKfzFKbhlfOMydhz09fXHEa5mpOY3YHxN9W0tNmbs6mMvHIKKvNog6yowv7JnsQ+D89+c3JEdbi+DPwk6wVnKQEgnSn5uzoOHJVOd7hhtX85n1VTw9iTtSPGZprh11A3VII8dkUaPu6jc35rDGV6tgPvxaYy2vVH/b7wGP+kEe9WjoYU7Qw3odrY2yloGbQ3zXGh7ZXvK9iswKIuCLAMPoaUyJpzVooV7VqD4k/zEHhRgf88RMtww//9P8OHPJ9JPM2q3zHyZzoqRfOP723AP9z2V7OyhEoUNw5npaA6TpzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJevTZmH+Qm1mxwNxHdOzHgCAelk9abLhQkUO29O5d2PP04OTTlmK51BxHb203jqZSFQ==]
|
|
||||||
@@ -2,38 +2,3 @@
|
|||||||
postgresql_config_entries:
|
postgresql_config_entries:
|
||||||
max_connections: 300
|
max_connections: 300
|
||||||
shared_buffers: '256MB'
|
shared_buffers: '256MB'
|
||||||
|
|
||||||
consul::services:
|
|
||||||
puppetdbsql:
|
|
||||||
service_name: 'puppetdbsql'
|
|
||||||
tags:
|
|
||||||
- 'puppet'
|
|
||||||
- 'puppetdb'
|
|
||||||
- 'database'
|
|
||||||
address: "%{facts.networking.ip}"
|
|
||||||
port: 5432
|
|
||||||
checks:
|
|
||||||
- id: 'psql-check'
|
|
||||||
name: 'PostgreSQL Health Check'
|
|
||||||
args:
|
|
||||||
- '/usr/local/bin/check_consul_postgresql'
|
|
||||||
interval: '10s'
|
|
||||||
timeout: '1s'
|
|
||||||
profiles::consul::client::node_rules:
|
|
||||||
- resource: service
|
|
||||||
segment: puppetdbsql
|
|
||||||
disposition: write
|
|
||||||
|
|
||||||
profiles::yum::global::repos:
|
|
||||||
postgresql-15:
|
|
||||||
name: postgresql-15
|
|
||||||
descr: postgresql-15 repository
|
|
||||||
target: /etc/yum.repos.d/postgresql.repo
|
|
||||||
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
|
||||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
|
||||||
postgresql-common:
|
|
||||||
name: postgresql-common
|
|
||||||
descr: postgresql-common repository
|
|
||||||
target: /etc/yum.repos.d/postgresql.repo
|
|
||||||
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
|
||||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
|
||||||
|
|||||||
@@ -77,15 +77,3 @@ profiles::consul::prepared_query::rules:
|
|||||||
service_failover_n: 3
|
service_failover_n: 3
|
||||||
service_only_passing: true
|
service_only_passing: true
|
||||||
ttl: 10
|
ttl: 10
|
||||||
ntp:
|
|
||||||
ensure: 'present'
|
|
||||||
service_name: 'ntp'
|
|
||||||
service_failover_n: 3
|
|
||||||
service_only_passing: true
|
|
||||||
ttl: 10
|
|
||||||
grafana:
|
|
||||||
ensure: 'present'
|
|
||||||
service_name: 'grafana'
|
|
||||||
service_failover_n: 3
|
|
||||||
service_only_passing: true
|
|
||||||
ttl: 10
|
|
||||||
|
|||||||
@@ -42,9 +42,6 @@ profiles::edgecache::params::directories:
|
|||||||
/data/edgecache/pub/postgres: { owner: nginx, group: nginx }
|
/data/edgecache/pub/postgres: { owner: nginx, group: nginx }
|
||||||
/data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx }
|
/data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx }
|
||||||
/data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx }
|
/data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx }
|
||||||
/data/edgecache/pub/ceph: { owner: nginx, group: nginx }
|
|
||||||
/data/edgecache/pub/ceph/apt: { owner: nginx, group: nginx }
|
|
||||||
/data/edgecache/pub/ceph/yum: { owner: nginx, group: nginx }
|
|
||||||
|
|
||||||
profiles::edgecache::params::mirrors:
|
profiles::edgecache::params::mirrors:
|
||||||
debian:
|
debian:
|
||||||
@@ -121,29 +118,3 @@ profiles::edgecache::params::mirrors:
|
|||||||
proxy_cache_valid:
|
proxy_cache_valid:
|
||||||
- '200 302 1440h'
|
- '200 302 1440h'
|
||||||
- '404 1m'
|
- '404 1m'
|
||||||
ceph_yum_repodata:
|
|
||||||
ensure: present
|
|
||||||
location: '~* ^/ceph/yum/.*/repodata/'
|
|
||||||
rewrite_rules:
|
|
||||||
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
|
|
||||||
proxy: http://158.69.68.124
|
|
||||||
ceph_yum_data:
|
|
||||||
ensure: present
|
|
||||||
location: /ceph/yum
|
|
||||||
proxy: http://158.69.68.124/rpm-reef
|
|
||||||
proxy_cache: cache
|
|
||||||
proxy_cache_valid:
|
|
||||||
- '200 302 1440h'
|
|
||||||
- '404 1m'
|
|
||||||
ceph_apt:
|
|
||||||
ensure: present
|
|
||||||
location: /ceph/apt
|
|
||||||
proxy: http://158.69.68.124/debian-reef
|
|
||||||
ceph_apt_pool:
|
|
||||||
ensure: present
|
|
||||||
location: /ceph/apt/pool
|
|
||||||
proxy: http://158.69.68.124/debian-reef/pool
|
|
||||||
proxy_cache: cache
|
|
||||||
proxy_cache_valid:
|
|
||||||
- '200 302 1440h'
|
|
||||||
- '404 1m'
|
|
||||||
|
|||||||
@@ -1,18 +0,0 @@
|
|||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
Facter.add(:certbot_available_certs) do
|
|
||||||
confine enc_role: 'roles::infra::pki::certbot'
|
|
||||||
setcode do
|
|
||||||
certs_dir = '/etc/letsencrypt/live'
|
|
||||||
available_certs = []
|
|
||||||
|
|
||||||
if Dir.exist?(certs_dir)
|
|
||||||
Dir.children(certs_dir).each do |entry|
|
|
||||||
fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
|
|
||||||
available_certs << entry if File.exist?(fullchain_pem)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
available_certs.join(',')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
# certbot::cert
|
|
||||||
define certbot::cert (
|
|
||||||
Stdlib::Fqdn $domain,
|
|
||||||
Array $additional_args = ['--http-01-port=8888'],
|
|
||||||
Boolean $manage_cron = true,
|
|
||||||
) {
|
|
||||||
|
|
||||||
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
|
||||||
|
|
||||||
@@letsencrypt::certonly { $domain:
|
|
||||||
additional_args => $additional_args,
|
|
||||||
manage_cron => $manage_cron,
|
|
||||||
tag => $location_environment,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user