230 Commits

Author SHA1 Message Date
unkinben 23dd962d89 feat: allow specifying consul addr for exporters
- ensure frr/node exporter reachable on hosts with loopbacks
2025-08-09 17:08:38 +10:00
unkinben ac36d9627b feat: capture all journald logs (#377)
- create module class for journald clients
- ensure module class is used on all hosts
- use consul service address for insert/journald

Reviewed-on: #377
2025-08-09 15:11:47 +10:00
unkinben 198cee27c2 feat: enable https for vlstorage (#376)
- attempting to send to http:// fails as vlstorage is using tls
- enable tls on vlselect/vlinsert when writing to vlstorage
- add retention period to vlstorage

Reviewed-on: #376
2025-08-09 14:34:48 +10:00
unkinben f73d6f07ce fix: generate types as root (#375)
- larger permission issue that needs fixing
- reduce the number of failed runs

Reviewed-on: #375
2025-08-09 13:30:12 +10:00
unkinben 1c71229fd3 feat: add victorialogs module (#374)
- add module for victorialogs
- add hieradata for vl insert/select/storage
- manage packages, directories, services, etc
- manage exporting metrics

Reviewed-on: #374
2025-08-08 23:59:46 +10:00
unkinben d649195ccc fix: generate types needs to run more often (#373)
- seeing frequent errors in puppetboard about types missing
- change the puppet-generate-types timer from daily to per-minute

Reviewed-on: #373
2025-08-07 20:53:06 +10:00
unkinben fcd0bc4c74 feat: add victorialogs roles (#372)
- and hieradata
- empty roles currently

Reviewed-on: #372
2025-08-07 20:34:42 +10:00
unkinben a30ff81139 fix: reduce metadata lifetime (#371)
- metadata lifetime should be lowered to improve development speed

Reviewed-on: #371
2025-08-03 21:04:47 +10:00
unkinben bbed65b4b8 benvin/frr_exporter (#370)
Reviewed-on: #370
2025-08-03 20:14:19 +10:00
unkinben 75ca7a5685 feat: add frr_exporter class (#369)
- add frr exporter to all nodes running frr

Reviewed-on: #369
2025-08-03 16:15:29 +10:00
unkinben 53fabc923b feat: add nzbget_exporter (#368)
- add nzbget_exporter class
- add exporter to nzbget class

Reviewed-on: #368
2025-08-03 15:03:29 +10:00
unkinben 5a9241940f feat: export ceph metrics (#367)
- export cephmgr metrics
- will only be available from one host at a time

Reviewed-on: #367
2025-07-29 18:54:49 +10:00
unkinben df457306cc feat: add external grafana access (#366)
- enable access to grafana through haproxy
- ensure grafana cert created from letsencrypt
- enable user access to grafana

Reviewed-on: #366
2025-07-28 21:07:43 +10:00
unkinben 7fbb87b4b6 feat: add exportarr (#365)
- add exporters::exportarr
- deploy for radarr, sonarr and prowlarr

Reviewed-on: #365
2025-07-27 19:47:26 +10:00
unkinben fd902c1437 feat: create exporters module (#364)
- upgrade node_exporter, bring managed under exporters module
- upgrade postgres_exporter, bring managed under exporters module
- add flag to cleanup previous iterations of exporters from prometheus module
- fix issues with vmcluster: replication + dedup

Reviewed-on: #364
2025-07-27 13:28:41 +10:00
unkinben 0e64c9855a feat: add vmcluster module (#363)
- manage vmstorage package, service and environment file
- manage vmselect package, service and environment file
- manage vminsert package, service and environment file
- manage vmagent package, service and environment file
- manage options for vmstorage, vmselect, vminsert, vmagent role

Reviewed-on: #363
2025-07-26 18:17:20 +10:00
unkinben 3cfafbac44 feat: enable ceph on k8s nodes (#362)
- enable enough ceph/frr to join to cephfs
- notify sshd when restarting the network
- update ssh principals to include all ssh interfaces

Reviewed-on: #362
2025-07-19 20:30:46 +10:00
unkinben c5c40c3bfd chore: cleanup old physicals (#361)
- cleanup old nodes to redeploy them

Reviewed-on: #361
2025-07-15 22:34:46 +10:00
unkinben 98f1961a07 benvin/ceph_common (#360)
Reviewed-on: #360
2025-07-15 20:38:39 +10:00
unkinben eb1ada8ea5 fix: duplicate declaration (#359)
- only install ceph-common once

Reviewed-on: #359
2025-07-15 20:31:09 +10:00
unkinben ec3e42901a feat: add basic k8s node role (#358)
- update prodnxsr0001-8 to use networkd
- add basic k8s node role

Reviewed-on: #358
2025-07-15 20:18:17 +10:00
unkinben e905afcab0 chore: cleanup hieradata/nodes (#357)
- cleanup decommed nodes
- remove unnecessary node data

Reviewed-on: #357
2025-07-13 21:40:32 +10:00
unkinben de6e7d0ba9 feat: add vmagent role (#356)
- add vmagent role for vicmet

Reviewed-on: #356
2025-07-13 17:20:58 +10:00
unkinben 780a97dfe4 feat: add new cobbler master (#355)
- change cobbler.main.unkin.net to 2098

Reviewed-on: #355
2025-07-12 20:31:43 +10:00
unkinben 9aa6472e5b feat: ensure /etc/NetworkManager/conf.d exists (#354)
- required to create dns-none setting

Reviewed-on: #354
2025-07-12 14:19:22 +10:00
unkinben 80ab4e6889 chore: update cobbler for el9 (#353)
- update cobbler/cobbler-web package
- update path for ipxebins

Reviewed-on: #353
2025-07-12 14:19:14 +10:00
unkinben ccda327c7a chore: cleanup old vms (#352)
- remove ntp01/ntp02
- remove old gitea
- remove mariadb galera vms

Reviewed-on: #352
2025-07-09 21:18:23 +10:00
unkinben acef1bde29 feat: move puppetca role (#351)
- move puppetca from vm to lxd

Reviewed-on: #351
2025-07-09 21:15:09 +10:00
unkinben 7d87e11e79 feat: add victoria metrics roles (#350)
- add vmstorage, vmselect and vminsert roles
- base roles, only adding packages
- preparation for standing up a vicmet cluster

Reviewed-on: #350
2025-07-08 20:34:46 +10:00
unkinben 40c57ede59 feat: add ci build task (#342)
- a ci workflow for build tests
- run pre-commit against all files

Reviewed-on: #342
2025-07-08 20:19:36 +10:00
unkinben be02d3d150 feat: migrate to external ntp (#349)
- removing ntp vms from proxmox
- redirect ntp to external time sources

Reviewed-on: #349
2025-07-07 20:27:02 +10:00
unkinben a550d48f21 fix: sort nameservers (#348)
- sort nameservers before creating glue records

Reviewed-on: #348
2025-07-06 20:09:19 +10:00
unkinben 2d9faf578f feat: add unkin.net domain (#347)
- manage the unkin.net domain
- ensure forwarding for unkin.net
- split domain from cname list and set zone correctly
- add fafflix to cnames list for haproxy2

Reviewed-on: #347
2025-07-06 20:02:20 +10:00
unkinben 2814a55df6 chore: hard-code git.unkin.net path (#346)
- dirty fix, set git.unkin.net in hosts file template
- avoid hairpin nat

Reviewed-on: #346
2025-07-06 16:43:07 +10:00
unkinben 73362a3bf9 feat: add stick tables for gitea (#345)
- stick tables are required for docker authentication

Reviewed-on: #345
2025-07-06 14:42:14 +10:00
unkinben 0063f68bc6 feat: enable external access to gitea (#344)
- add git.unkin.net to certbot
- export haproxy resources for gitea
- add be_gitea to haproxy, import the certbot cert
- update the ROOT_URL for gitea instances

Reviewed-on: #344
2025-07-06 13:47:56 +10:00
unkinben 372d99893a chore: fix ROOT_URL (#343)
- root_url is used for docker authentication
- access to git.unkin.net is not yet ready

Reviewed-on: https://git.query.consul/unkin/puppet-prod/pulls/343
2025-07-06 13:20:27 +10:00
unkinben 620339f69d chore: cleanup hieradata/nodes (#341)
- remove all node hiera data for decommed hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/341
2025-07-06 12:23:22 +10:00
unkinben 2317d0af59 feat: expose gitea metrics (#340)
- add a gitea-metrics service to consul
- tag as metrics for victoria metrics
- check the /metrics endpoint (bypass nginx)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/340
2025-07-06 12:01:57 +10:00
unkinben cf0ff85b70 fix: manage git user (#339)
- prevent different gid/uid for git users when deploying cluster
- only add sudo conf when sudo_rules is a list

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/339
2025-07-06 11:27:35 +10:00
unkinben 359ce101f1 feat: add indexer for git (#338)
- reuse the database for the indexer

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/338
2025-07-05 17:12:38 +10:00
unkinben b6c959d368 feat: use redis for cache/queue (#337)
- use gitea redis cluster for queue/cache
- use redis+sentinel url (pass required for redis and sentinel)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/337
2025-07-05 16:42:01 +10:00
unkinben b976f2063a feat: deploy redis for git (#336)
- deploy redis/sentinel ha cluster for git
- update redis to 7 (required for almalinux 9)
- enable requirepass/masterauth

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/336
2025-07-05 15:51:28 +10:00
unkinben 93049707e7 benvin/gitea_cluster (#335)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/335
2025-07-05 14:49:56 +10:00
unkinben a9faa098ee benvin/grafana_postgres (#334)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/334
2025-07-01 19:07:24 +10:00
unkinben 61d912de30 feat: update password for grafana service account (#333)
- updated grafana password

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/333
2025-06-30 20:22:18 +10:00
unkinben 9bed18f78c fix: duplicate toml resources (#332)
- change resource name for puppetserver_gem
- ensure toml installed on all agents

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/332
2025-06-30 19:57:29 +10:00
unkinben aab3eaf9e7 feat: add grafana service to ldap (#331)
- add grafana service account for binding
- add grafana_user group
- add users to group

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/331
2025-06-30 19:17:56 +10:00
unkinben 33c8b226e0 feat: add puppetserver gem for toml (#330)
- require toml for puppetserver gem

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/330
2025-06-30 19:05:12 +10:00
unkinben 49ff7cc3ab feat: add toml puppet gem (#329)
- required for ldap support in grafana

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/329
2025-06-30 19:02:37 +10:00
unkinben d1e63ad18b feat: add shared pgsql instance (#328)
- add shared pgsql instance
- use patroni

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/328
2025-06-29 17:25:59 +10:00
unkinben 99b312669b benvin/dhcp_failover (#327)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/327
2025-06-29 13:36:16 +10:00
unkinben 715e88176b chore: confine incus facts to incus (#326)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/326
2025-06-28 21:24:08 +10:00
unkinben 1837506b6c feat: add incus facts (#325)
- incus container counts
- incus profile list
- allocated memory/cpu

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/325
2025-06-28 21:14:39 +10:00
unkinben 3bb2a5dbad fix: enable health check from haproxy2 (#324)
- tactical fix: enable dmz subnets container access to health url

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/324
2025-06-28 17:04:25 +10:00
unkinben 0ce6e95f2d chore: cleanup removed hosts (#323)
- remove 1018, 1031, 1032, 1033

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/323
2025-06-28 16:28:03 +10:00
unkinben 770fd643ac feat: add haproxy2 role (#322)
- add basic haproxy2 role
- add peers and resolvers
- add haproxy2+ metrics frontend

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/322
2025-06-28 16:20:06 +10:00
unkinben bd9e08dc24 feat: cleanup hieranodes settings (#321)
- migrate hieranodes values to roles yaml
- rename anycast ip keys to be similar

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/321
2025-06-21 23:16:34 +10:00
unkinben 62837bb22d feat: add zone to subnet facts (#320)
- add common and dmz zone fact information

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/320
2025-06-21 15:42:37 +10:00
unkinben ae57e0e81c feat: add openvox repos to reposync (#319)
- add el8/9/10 for openvox7/8

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/319
2025-06-19 06:06:41 +10:00
unkinben cb1d562cb0 feat: migrate puppetdb sql to patroni (#318)
- change puppetdb::sql to using the patroni profile
- change puppetdb::api to use new patroni cluster
- remove references to puppetlabs-puppetdb managed database
- update consul rules to enable sessions

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/318
2025-06-19 05:52:32 +10:00
unkinben 26b908e5e7 feat: add node_pools (#317)
- change agentv2 to common node_pool
- set default node_pool to default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/317
2025-06-15 17:43:19 +10:00
unkinben a47c6155b8 feat: use fqdn in host_volumes (#316)
- fix hard-coded message

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/316
2025-06-15 17:34:03 +10:00
unkinben 1cbc1be808 feat: add host_volumes to nomad (#315)
- add puppet client certs
- add tls-ca-bundle

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/315
2025-06-14 19:37:50 +10:00
unkinben 60834ced00 feat: nomad cni additions (#314)
- add consul-cni package
- enable grpc for consul servers
- enable consul connect for consul servers
- set recursors for consul
- add ports to consul agent (grpc, dns, http for nomad)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/314
2025-06-14 18:47:24 +10:00
unkinben 890e9670f3 chore: update the consul service name (#313)
- update the name for the packagerepo service
- was copy/pasted from jupyterhub

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/313
2025-06-09 14:46:16 +10:00
unkinben a26daca28c feat: stop managing nginx repo (#312)
- use epel repo for nginx

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/312
2025-06-09 14:18:30 +10:00
unkinben 057c4ab747 feat: manage nginx resource ordering (#311)
- ensure the package is installed before creating directories
- ensure nginx is restarted when vhost config changes

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/311
2025-06-09 11:18:39 +10:00
unkinben 1fb46b5ab6 chore: use packagerepo for epel (#310)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/310
2025-06-09 10:24:56 +10:00
unkinben 66fdd7b615 feat: update incus image host to run on incus (#309)
- remove zfs
- remove some sysctl values
- remove memlocks from limits
- install iptables, required for creating bridges

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/309
2025-06-08 22:58:44 +10:00
unkinben f43d5f685b feat: update reposync repos (#308)
- remove almalinux 9.4
- add almalinux 9.6
- add epel 8 and 9
- update mssql
- add k8s 1.33

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/308
2025-06-01 18:20:10 +10:00
unkinben bb2f59621a feat: split reposync into two roles (#307)
- reposync and packagerepo web service
- change backing datastore to be cephfs /shared/app/packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/307
2025-06-01 11:33:44 +10:00
unkinben 1df11b8977 chore: migrate certbot webserver (#306)
- ausyd1nxvm1021 is decommed
- new source is ausyd1nxvm2057

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/306
2025-05-31 16:22:59 +10:00
unkinben 10f2dc7047 feat: cleanup removed hosts (#305)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/305
2025-05-31 14:26:16 +10:00
unkinben 1a904af2ee feat: change g10k to use a package (#304)
- the archive path is no longer valid
- produced a g10k rpm with rpmbuilder

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/304
2025-05-31 13:51:51 +10:00
unkinben ed1a4f6488 fix: missed address in consul service (#303)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/303
2025-05-30 23:27:44 +10:00
unkinben bdd833fa4e feat: create basic k8s roles to start deployment (#302)
- just create roles so can deploy hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/302
2025-05-30 23:21:02 +10:00
unkinben c10a3e49fa chore: add new user (#301)
- just jelly access

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/301
2025-05-28 19:46:45 +10:00
unkinben 3d5d40f381 chore: minor jellyfin updates (#300)
- add jellyfin to video group, for access to gpu
- install intel related gpu drivers
- export lxc jellyfin to haproxy

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/300
2025-05-27 19:55:55 +10:00
unkinben b3347f9226 chore: migrate media applications (#299)
- migrate media applications to new cephfs pool + incus
- enable exporting haproxy
- move ceph-client-setup to only apply to non-lxc hosts
- ensure unrar is installed for nzbget
- updated jellyfin use of data_dir
- set lxc instances for jellyfin to use /shared/apps/jellyfin

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/299
2025-05-25 20:27:17 +10:00
unkinben 1d23fef82e feat: update settings for ceph (#298)
- enable root logins via ssh with keys
- add ssh key for ceph to root user

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/298
2025-05-25 20:22:00 +10:00
unkinben c0aab1087e fix: readd to jellyfin_haproxy (#297)
- fix operator for jellyfin/haproxy

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/297
2025-05-24 21:10:56 +10:00
unkinben 596e498a00 feat: change media arr apps to hiera_include (#296)
- change profiles::media::* to be hiera_included
- this is required to enable it to be hiera_excluded on virtual == lxc

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/296
2025-05-24 20:23:56 +10:00
unkinben f6694599ef benvin/media_apps_incus (#295)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/295
2025-05-24 20:18:23 +10:00
unkinben 93cd02deec chore: update media roles for incus (#294)
- prevent incus roles from exporting haproxy endpoints (for now)
- incus doesn't need to mount cephfs

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/294
2025-05-24 18:59:46 +10:00
unkinben 520e8a34e0 feat: add a nomad agent v2 role (#293)
- excludes ceph (will be passed from incus)
- excludes frrouting (will use host-networking)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/293
2025-05-24 15:35:20 +10:00
unkinben 77d07672f8 chore: don't mount cephfs inside lxc (#292)
- lxc instances will have cephfs passed from the host
- skip cephfs mounting for lxc instances

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/292
2025-05-22 21:06:15 +10:00
unkinben 89a0f329d8 feat: update vault url (#291)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/291
2025-05-21 19:58:12 +10:00
unkinben 6dcc7343e0 feat: updated ceph ssh authorized_key (#290)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/290
2025-05-17 14:05:25 +10:00
unkinben e7d4c75192 feat: enable ssh access to enp3s0 (#289)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/289
2025-05-17 13:50:35 +10:00
unkinben d9e8637ad6 feat: manage more ceph requirements (#288)
- add ceph-common to provide utilities for managing ceph
- add root and sysadmin ssh keys for ceph deployments

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/288
2025-05-17 11:14:45 +10:00
unkinben 92f0ae64b9 feat: enable ssh on all loopbacks (#287)
- required for cephadm to manage roles

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/287
2025-05-16 07:05:31 +10:00
unkinben c1637d9f43 feat: add cephadm to incus hosts (#286)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/286
2025-05-16 05:56:28 +10:00
unkinben 1aabe21173 feat: manage mon loopback0 (#285)
- add frrouting
- set all ceph nodes to use ospf + loopback0 + networkd
- fix ceph repos for mons

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/285
2025-05-15 19:46:59 +10:00
unkinben 2f088c461f feat: add ceph roles (#284)
- add hieradata to manage ceph repo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/284
2025-05-15 19:29:53 +10:00
unkinben 90504e5b02 chore: use alias for nameservers (#283)
- use an alias for nameservers for dhcp ranges
- move aliased nameservers to region-wide hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/283
2025-05-14 20:19:18 +10:00
unkinben a7b793238a fix: exclude docker0 interfaces (#282)
- docker0 is the same on many hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/282
2025-05-11 16:53:34 +10:00
unkinben 87a6c73578 neoloc/loopback_dns (#281)
- manage all interfaces in dns (except lo and anycast)
- move loopback0 anycast addresses to be anycast0

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/281
2025-05-11 16:36:04 +10:00
unkinben 3e0141bb1b feat: change to anycast resolver (#280)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/280
2025-05-11 11:39:00 +10:00
unkinben bb6f6cbd49 feat: anycast dnsmasters (#279)
- change dns masters on incus to anycast for bind
- change to networkd to support anycast/loopbacks

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/279
2025-05-10 23:00:03 +10:00
unkinben 51d6c1e81d fix: enable dns resolver access for dmz1 (#278)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/278
2025-05-10 06:57:05 +10:00
unkinben 537a207779 feat: update upstream ip for consul dns (#277)
- set bind resolvers to use consul's anycast address for forwarding

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/277
2025-05-09 22:10:35 +10:00
unkinben f322440d01 feat: setup anycast consul dns (#276)
- manage frrouting repo/ospf
- change to systemd-networkd
- enable ospf on incus nodes bridges

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/276
2025-05-09 22:07:42 +10:00
unkinben ed947dee59 fix: listen-addr -> listen-address (#275)
- listen-address is the correct option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/275
2025-05-04 00:07:45 +10:00
unkinben a70b6492b0 feat: update consul/dnsmasq (#274)
- update params with bind/advertise addr
- update params with anycast ip option
- migrate dnsmasq config to template

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/274
2025-05-03 23:51:29 +10:00
unkinben 3079f7d000 feat: enable use of dhcp addresses in networkd (#273)
- change ipaddress to be optional
- add dhcp option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/273
2025-05-03 23:51:17 +10:00
unkinben 1b8f50786f feat: ensure the vault audit_log exists (#272)
- without this, vault will not take a leadership role

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/272
2025-05-03 22:25:10 +10:00
unkinben b05acb23f4 feat: use custom cert for puppetdb access (#271)
- manually generated certificate using sudo puppetserver ca generate --certname puppetdbapi.query.consul
- saved certificate and private_key in eyaml

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/271
2025-05-03 12:41:23 +10:00
unkinben 62f71e1feb chore: change puppetboard python version (#270)
- change python version to follow python3_release fact
- this will follow os-release upgrades

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/270
2025-05-03 01:07:52 +10:00
unkinben cdf9456456 feat: update psql15 repos for roles (#269)
- update patroni to use packagerepo
- update puppetdb to use packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/269
2025-04-29 21:04:45 +10:00
unkinben 2323ef7749 feat: postgresql15/postgresql17 (#268)
- add postgresql15 and 17 to reposync

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/268
2025-04-28 21:39:45 +10:00
unkinben 07b89ab737 feat: enable terraform access to puppetca (#267)
- enable terraform to clean certificates

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/267
2025-04-28 18:46:58 +10:00
unkinben 9359b8902e feat: vault mlock (#266)
- enable mlock by default
- disable mlock on lxd/incus nodes (lxc doesn't support it)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/266
2025-04-26 22:43:20 +10:00
unkinben 1e3ce0ec1c feat: don't set gid/uid for sysadmin (#265)
- sysadmin doesn't need to be a specific uid/gid, the next available
  uid/gid is fine

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/265
2025-04-26 20:02:57 +10:00
unkinben 496ed12a58 feat: change vault to use package install (#264)
- vault 18.2 rpm produced by rpmbuilder repo
- ensure the /etc/vault directory is managed
- ensure service file is managed by puppet
- ensure package comes from unkin repo (not hashicorp)
- disable_mlock as unprivileged containers cannot use mlock

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/264
2025-04-26 18:40:31 +10:00
unkinben e4166c6b14 feat: lxc compatibility with datavol (#263)
- lxc doesn't mount block devices, just check for mountpoint

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/263
2025-04-26 17:28:57 +10:00
unkinben 78f4d2a88f feat: cleanup mpls configuration (#262)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/262
2025-04-26 00:39:23 +10:00
unkinben 762d980ea8 feat: update dns resolver zone management (#261)
- move zones to common role path
- specify forwarders for each zone in region based hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/261
2025-04-25 01:01:47 +10:00
unkinben 463abe4b9d feat: add reverse dns zones for incus (#260)
- add reverse dns zones for incus hosts
- update acls for openresolver

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/260
2025-04-24 23:48:34 +10:00
unkinben ecce93bedb feat: lxc cannot use chronyd (#259)
- ensure lxc nodes do not attempt to install chronyd
- ensure chrony is removed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/259
2025-04-24 23:18:45 +10:00
unkinben 9dcaafb8ba feat: lxc updates (#258)
- add virtual/lxc.yaml
- add crypto crypto-policies-scripts
- ensure ssh::server is managed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/258
2025-04-24 23:03:01 +10:00
unkinben a21c1b3697 Adding hieradata/node/ausyd1nxvm1072.main.unkin.net.yaml (#257)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/257
2025-04-24 21:25:00 +10:00
unkinben bc5bd11f5e feat: disable cobbler cache (#256)
- this is required to resolve issues with terraform deploying cobbler
  settings

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/256
2025-04-24 21:18:59 +10:00
unkinben 2321186ad5 neoloc/mpls_ldp_frr (#255)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/255
2025-04-24 16:51:31 +10:00
unkinben c24babe309 feat: add incus image host (#254)
- add role
- add consul service + checks
- manage the datavol as zfs
- ensure the incus fact exists before attempting to read it

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/254
2025-04-24 01:00:39 +10:00
unkinben bfda2b628b feat: enable ip forwarding for gitea runners (#253)
- required to enable docker containers to reach git service

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/253
2025-04-21 18:40:17 +10:00
unkinben 278f8001b0 feat: add frr synced repo (#252)
- add frr repo to incus hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/252
2025-04-18 21:21:23 +10:00
unkinben 0fe44cf4e2 feat: add frr repos (#251)
- add frr/stable/el8
- add frr/stable/el9
- add frr/extras/el8
- add frr/extras/el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/251
2025-04-15 02:21:55 +10:00
unkinben 25b06cde22 feat: move bridge management to incus (#250)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/250
2025-04-15 00:04:14 +10:00
unkinben 8c76e71dc4 chore: set core.https_address for incus (#249)
- check the current config and update core.https_address if it's wrong

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/249
2025-04-07 11:04:12 +10:00
unkinben 0e3dd4d7d0 feat: initialise barebones server (#248)
- manage incus servers init

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/248
2025-04-06 23:56:50 +10:00
unkinben 83d0b31753 fix: set default for use_networkd (#247)
- resolving issue where the systemd::manage_networkd is missing for most
  hosts, setting a default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/247
2025-04-06 19:24:39 +10:00
unkinben b6ea353cfb feat: update dns resolver acls (#246)
- add dmz acl
- add common acl
- add loopback/ceph/physical subnets to main acl

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/246
2025-04-06 16:44:16 +10:00
unkinben c225564bdb feat: continue incus implementation (#245)
- migrate to systemd-networkd
- setup dummy, bridge and static/ethernet interfaces
- manage sshd.service drop-in to start ssh after networking is online
- enable ip forwarding
- add fastpool/data/incus dataset
- enable ospf and frr
- add loopback0 as ssh listenaddress
- add loopback1/2 for ceph cluster/public traffic

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/245
2025-04-06 16:38:04 +10:00
unkinben 06666fe488 fix: resolve issue with baseos in el9 (#244)
- was not correctly provisioning the baseos repo for el9 incus hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/244
2025-04-02 21:02:08 +11:00
unkinben 9dc88e6db6 feat: deep merge zpools/datasets (#243)
- change prodnxsr0009 to use nvme0n1 as zfs device

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/243
2025-04-02 20:35:04 +11:00
unkinben d87983d8fc chore: add sysadmin user after first run (#242)
- enables extra_groups to function correctly

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/242
2025-04-02 20:27:11 +11:00
unkinben 95bc2716cf neoloc/incus_deploy (#241)
feat: deploy incus

- manage sysctl based on incus recommendations
- manage limits based on incus recommendations
- manage zpools and zfs datasets
- add incus hiera settings

feat: manage repo for zfs

- don't use zfs module to manage repo, use profiles::yum::global::repos

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/241
2025-03-31 23:14:05 +11:00
unkinben 978013f325 chore: set default nameservers (#240)
- if no nameservers are returned from puppetdb query, use default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/240
2025-03-31 22:49:47 +11:00
unkinben 829b1b05fd feat: cleanup consul from url install (#239)
- set bind_dir to be /usr/bin for rhel, /usr/local/bin for debian
- remove url-installed consul from rhel

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/239
2025-03-30 18:40:09 +11:00
unkinben 6cb249ffbc fix: backtrack to 9.2.0 for postgresql (#238)
- no parameter named 'instance'
- no parameter named 'port'

downgrading due to incompatibilities between the latest version of puppetdb and postgresql

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/238
2025-03-30 17:51:33 +11:00
unkinben 427fe352b4 feat: debian package for consul not managed (#237)
- change debian hosts to use the url method to download consul

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/237
2025-03-30 17:13:54 +11:00
unkinben 45b061a053 feat: change almalinux9 to use packagerepo (#236)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/236
2025-03-30 17:05:03 +11:00
unkinben d39d25d3f1 feat: add almalinux 9.5 repos using mirrorlist (#235)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/235
2025-03-30 16:24:55 +11:00
unkinben 06b458cb0e feat: reposync for almalinux 9.4 (in vault) (#234)
- sync baseos, ha, appstream and crb repos

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/234
2025-03-30 12:31:09 +11:00
unkinben e3046563a2 chore: install consul from package (#233)
- upgrade to puppet-consul changed default install method to archive
- ensure package method is used
- don't manage the repo, consul is packaged by rpmbuilder

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/233
2025-03-30 02:04:13 +11:00
unkinben e025928d77 chore: set secretid for puppetboard (#232)
- manage the secret_key for puppetboard
- required since module upgrade

https://github.com/voxpupuli/puppetboard/issues/721

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/232
2025-03-30 01:53:25 +11:00
unkinben e3e8b3484d chore: enable extra groups (#231)
- enable adding extra groups to the sysadmin user

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/231
2025-03-30 01:20:59 +11:00
unkinben bdf420973d feat: add incus module (#230)
- add a basic incus module

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/230
2025-03-30 01:12:53 +11:00
unkinben 6a04701891 feat: add incus role (#229)
- add basic infra::incus role
- add autossl, consul and ssh-principals for incus

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/229
2025-03-30 00:56:04 +11:00
unkinben dd5a4646ff feat: update all modules (#228)
- update puppetlabs-* modules
- update puppet-* modules
- add limits and sysctl

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/228
2025-03-30 00:51:49 +11:00
unkinben 4e47745077 chore: setup unkin repo for el9 and el8 (#227)
- update the unkin repo definition for el8 and el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/227
2025-03-29 22:50:08 +11:00
unkinben 3a4e606459 chore: set yum/dnf metadata expiry (#226)
- set expiry to 1 day so that dnf frequently checks for updates from packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/226
2025-03-29 22:37:37 +11:00
unkinben d0eb4c078d feat: add zfs modules (#225)
- add zfs_core module to puppetfile (provides zfs/zpool provider)
- add module to manage zfs

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/225
2025-03-29 22:31:02 +11:00
unkinben b95bcbd10a feat: add zfs to reposync (#224)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/224
2025-03-29 20:08:31 +11:00
unkinben adc0cf2c09 neoloc/lxd_hosts (#223)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/223
2025-03-29 19:40:01 +11:00
unkinben 771b981d91 feat: enable nomad to manage sessions/services (#222)
- this is required to start patroni

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/222
2025-03-20 19:21:40 +11:00
unkinben e0c3a23424 fix: define missing .cache directory (#221)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/221
2025-03-13 21:48:47 +11:00
unkinben a309244713 feat: add nomad nodes (#220)
- change existing nodes to be nomad-agents

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/220
2025-03-13 21:23:40 +11:00
unkinben 8eb751e22f feat: change enc_* fact to read direct from cobbler (#219)
- change enc_role and enc_env to read direct from cobbler
- cleanup profiles::base::facts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/219
2025-03-12 23:09:15 +11:00
unkinben b981a6fb01 feat: enable nomad jobs to query dns (#218)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/218
2025-03-09 17:49:35 +11:00
unkinben 7c1d96bd22 feat: add k8s and docker repos (#217)
- add docker stable repos to packagerepo
- add k8s 1.32 to packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/217
2025-01-27 12:59:59 +11:00
unkinben 0222f5ec4a feat: update consul etcd check (#216)
- check the health api endpoint

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/216
2025-01-26 20:05:18 +11:00
unkinben afd3405c98 feat: add etcd module/role (#215)
- add etcd module
- add etcd role, profile and hieradata

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/215
2025-01-26 20:00:20 +11:00
unkinben ab7ce3bbfa Adding hieradata/node/ausyd1nxvm1071.main.unkin.net.yaml (#214)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/214
2025-01-25 20:15:20 +11:00
unkinben 4a85c5feff Adding hieradata/node/ausyd1nxvm1070.main.unkin.net.yaml (#213)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/213
2025-01-25 20:15:05 +11:00
unkinben 6134b4664b Adding hieradata/node/ausyd1nxvm1069.main.unkin.net.yaml (#212)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/212
2025-01-05 12:51:57 +11:00
unkinben e061a72996 Adding hieradata/node/ausyd1nxvm1067.main.unkin.net.yaml (#211)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/211
2025-01-05 12:51:46 +11:00
unkinben eaa15e92dc Adding hieradata/node/ausyd1nxvm1068.main.unkin.net.yaml (#210)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/210
2025-01-05 12:51:37 +11:00
unkinben a5a193d9eb feat: update jupyterlab container (#209)
- change to packer created alma9 instance
- change docker root to use /data volume

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/209
2025-01-04 14:10:44 +11:00
unkinben 4400456519 feat: add frrouting module (#208)
- add frrouting module
- enable ospf daemon on nomad agents
- enable docker volumes

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/208
2024-12-27 23:39:03 +11:00
unkinben d37fb5d7e1 neoloc/nomad_agent (#207)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/207
2024-12-26 20:23:27 +11:00
unkinben 022a564dc0 feat: add nomad agent role (#206)
- add nomad agent role
- mount cephfs volume nomadfs to /shared/nomad
- manage docker volume path to be /shared/nomad

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/206
2024-12-26 20:20:51 +11:00
unkinben 48e1fb8e30 Adding hieradata/node/ausyd1nxvm1062.main.unkin.net.yaml (#204)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/204
2024-12-23 17:28:47 +11:00
unkinben 561d74e9d9 Adding hieradata/node/ausyd1nxvm1063.main.unkin.net.yaml (#205)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/205
2024-12-23 17:28:37 +11:00
unkinben 281fdb33d4 Adding hieradata/node/ausyd1nxvm1064.main.unkin.net.yaml (#203)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/203
2024-12-23 17:28:09 +11:00
unkinben 1c04366eec Adding hieradata/node/ausyd1nxvm1066.main.unkin.net.yaml (#202)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/202
2024-12-23 17:27:59 +11:00
unkinben 86d3b61439 Adding hieradata/node/ausyd1nxvm1065.main.unkin.net.yaml (#201)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/201
2024-12-23 17:27:49 +11:00
unkinben 6ebf5c03a5 feat: add nomad profile/role (#200)
- add basic consul manage nomad servers

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/200
2024-12-22 22:35:31 +11:00
unkinben c97db0f0aa Adding hieradata/node/ausyd1nxvm1061.main.unkin.net.yaml (#198)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/198
2024-12-10 22:15:10 +11:00
unkinben 46b4fdf632 neoloc/sysadmin_early (#197)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/197
2024-12-09 22:12:01 +11:00
unkinben aaf81d0a6c feat: create sysadmin on firstrun (#196)
- prevent packages from using uid 1000

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/196
2024-12-09 21:51:37 +11:00
unkinben afbc15ff40 feat: import crypto-policies earlier (#195)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/195
2024-12-08 22:50:25 +11:00
unkinben 64248a45c2 feat: ensure crypto-policies are managed before yumrepos (#194)
- ensure crypto_policies are set before creating yum yumrepos
- ensure that the rpmdb is rebuilt after upgrading to el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/194
2024-12-08 20:30:08 +11:00
unkinben c7fb1f0cec neoloc/crypto_policices_el8 (#193)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/193
2024-12-08 19:54:15 +11:00
unkinben dbccaea24b feat: add crypto_policies (#192)
- ensure DEFAULT is used for EL8
- ensure DEFAULT:SHA1 is used for EL9, until issues with crypto are resolved for EL9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/192
2024-12-08 19:47:59 +11:00
unkinben b244327c34 neoloc/alma9 (#191)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/191
2024-12-08 19:22:58 +11:00
unkinben 90bcdd1f51 neoloc/alma9 (#190)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/190
2024-12-08 19:16:54 +11:00
unkinben ec926dfe0a feat: enable network manager on el9 (#189)
- el9 doesn't have the network-scripts scripts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/189
2024-12-08 19:11:54 +11:00
unkinben 40af30d0ff chore: change packagerepo vhost name (#188)
- ensure http endpoint works for packagerepo.service.consul

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/188
2024-12-08 17:05:38 +11:00
unkinben bac90b5459 Merge pull request 'fix: permissions for cobbler files' (#187) from neoloc/cobbler_perms into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/187
2024-12-08 08:37:36 +11:00
unkinben 41aab65f85 fix: permissions for cobbler files
- ensure idempotency for /var/lib/cobbler/web.ss
2024-12-08 08:36:35 +11:00
unkinben c023cfe4dc Merge pull request 'feat: upgrade puppet agent' (#186) from neoloc/puppet_updates into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/186
2024-12-08 00:11:30 +11:00
unkinben cffb6a54fc feat: upgrade puppet agent
- move all almalinux hosts to 7.34
2024-12-08 00:09:40 +11:00
unkinben fd7ced66ce Merge pull request 'feat: edgecache updates' (#185) from neoloc/edgecache_pki into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/185
2024-12-07 23:51:57 +11:00
unkinben 766f124b2c feat: edgecache updates
- update metadatacache size
- increase cache age from 60d to 365d
- subscribe nginx service to ssl certs
2024-12-07 23:50:45 +11:00
unkinben 4de772436b Merge pull request 'feat: update puppet repo' (#184) from neoloc/almalinuxrepo into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/184
2024-12-07 23:32:48 +11:00
unkinben 75f865c26c feat: update puppet repo
- move puppet repo to packagerepo
2024-12-07 23:31:40 +11:00
unkinben 2fdc709a17 Merge pull request 'feat: update repos' (#183) from neoloc/almalinuxrepo into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/183
2024-12-01 00:33:10 +11:00
unkinben ba3a9e374a feat: update repos
- add unkin
- rename unkin -> unkinben
2024-12-01 00:30:58 +11:00
unkinben a28ef09f28 Merge pull request 'feat: enable root_dir for docker' (#182) from neoloc/docker_root into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/182
2024-12-01 00:27:04 +11:00
unkinben 52fff0ccea feat: enable root_dir for docker
- move docker root_dir to /data/docker for runners
2024-11-30 23:11:24 +11:00
unkinben f097cf2550 Merge pull request 'chore: migrate puppet-r10k' (#181) from neoloc/r10k_adjustment into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/181
2024-11-17 19:27:43 +11:00
unkinben 58d31c5c9a chore: migrate puppet-r10k
- moved puppet-r10k to the unkin organisation
- ensure branch is set to follow origin/master
2024-11-17 19:26:27 +11:00
unkinben 92d6697175 Merge pull request 'fix: fix release name' (#180) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/180
2024-11-16 22:36:02 +11:00
unkinben d3f471f3ed fix: fix release name
- fix release name for postgresql repos
2024-11-16 22:35:23 +11:00
unkinben ab1f4300a9 Merge pull request 'fix: ensure reposync directories exist' (#179) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/179
2024-11-16 22:32:47 +11:00
unkinben 845b91b497 fix: ensure reposync directories exist
2024-11-16 22:32:15 +11:00
unkinben 8f0b3e615c Merge pull request 'feat: add el9 puppet/postgresql repos' (#178) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/178
2024-11-16 22:25:48 +11:00
unkinben 8679a0b904 feat: add el9 puppet/postgresql repos
- will upgrade to el9 soon, so need to store these repos
2024-11-16 22:25:06 +11:00
unkinben 16ba54ee0a Merge pull request 'feat: update packagerepo' (#176) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/176
2024-11-16 22:02:46 +11:00
unkinben 4b3553b75c Merge pull request 'Adding hieradata/node/ausyd1nxvm1060.main.unkin.net.yaml' (#177) from autonode/ausyd1nxvm1060.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/177
2024-11-16 21:44:57 +11:00
unkinben abdb3ec8cb feat: update packagerepo
- remove almalinux/centos/epel repos
- manage consul service `packagerepo`
- manage ssh principals
- update vault alt-names
2024-11-16 21:43:11 +11:00
unkinben c0623b64f7 Adding hieradata/node/ausyd1nxvm1060.main.unkin.net.yaml
2024-11-16 21:36:58 +11:00
unkinben d286e2d816 Merge pull request 'feat: add sudaporn account' (#175) from neoloc/addying into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/175
2024-11-16 20:24:14 +11:00
unkinben 71b29d5e88 feat: add sudaporn account
- enable access to media
- enable access to jupyter
2024-11-16 20:23:01 +11:00
unkinben 6493f392b8 Merge pull request 'neoloc/jupyterhub' (#174) from neoloc/jupyterhub into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/174
2024-11-16 20:20:16 +11:00
unkinben 8586e9eb32 feat: enable web-sockets
- change simpleproxy config for jupyter::hub role to use websockets
2024-11-16 20:15:03 +11:00
unkinben 92a9655a50 feat: jupyterhub updates
- always pull containers when starting new instance
- enable access to terminal
2024-11-16 19:54:19 +11:00
unkinben 42ad972697 feat: add ldap configuration
- add group members to jupyterhub_user
- add svc_jupyterhub user for ldap binding
- parameterise all ldap fields required
- manage the notebook data directory
2024-11-16 19:20:20 +11:00
unkinben 61f5f1ce1f feat: add docker settings
- list docker network and image
- fix ldap_admin setting to be a list of users
2024-11-10 20:26:18 +11:00
unkinben 926d3d29d0 fix: enable docker for jupyterhub
- install/manage docker
2024-11-10 20:21:51 +11:00
unkinben c6bdae5790 Merge pull request 'feat: add jupyterhub role' (#173) from neoloc/jupyterhub into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/173
2024-11-10 19:14:49 +11:00
unkinben 159d66af18 feat: add jupyterhub role
- add nodejs module to use npm package provider
- add jupyterhub role
- add class to configure the jupyterhub instance
- add ldap groups
- add nginx simpleproxy
2024-11-10 19:09:50 +11:00
unkinben c728c1a5e0 Merge pull request 'feat: add service data' (#172) from neoloc/jumphost into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/172
2024-10-27 14:03:28 +11:00
unkinben 4fec931fb1 feat: add service data
- add pki certificates
- add consul service
- add ssh principals
2024-10-27 13:26:07 +11:00
unkinben 76b4c8c930 Merge pull request 'feat: add jumphost role' (#171) from neoloc/jumphost into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/171
2024-10-27 13:18:50 +11:00
unkinben 0455965525 feat: add jumphost role
- add role for ssh proxy/jumphost
2024-10-27 13:15:28 +11:00
unkinben 4e68900259 Merge pull request 'feat: ensure vault restarts with ssl cert' (#170) from neoloc/vault_reload into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/170
2024-10-27 13:10:51 +11:00
unkinben ca87702466 feat: ensure vault restarts with ssl cert
- ensure the vault service resource subscribes to the ssl crt/key
- update unseal script to retry unseal process until it completes
2024-10-27 12:59:36 +11:00
330 changed files with 7736 additions and 1430 deletions
+24
@@ -0,0 +1,24 @@
name: Build
on:
pull_request:
jobs:
precommit:
runs-on: almalinux-8
container:
image: git.unkin.net/unkin/almalinux9-actionsdind:latest
options: --privileged
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install requirements
run: |
dnf groupinstall -y "Development Tools" -y
dnf install rubygems ruby-devel gcc make redhat-rpm-config glibc-headers glibc-devel -y
- name: Pre-Commit All Files
run: |
uvx pre-commit run --all-files
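Review bot: `actions/checkout@v3` in the Checkout step is pinned to a mutable tag; pin third-party actions to a full commit SHA so a re-tagged release cannot change what executes inside this `--privileged` container, where the pre-commit hooks run with effectively host-level access to the runner. Two smaller points in the Install requirements step: `dnf groupinstall -y "Development Tools" -y` passes `-y` twice, and nothing in this workflow installs `uv`, so `uvx pre-commit run --all-files` depends on the `almalinux9-actionsdind` image already shipping it; the `runs-on: almalinux-8` label paired with an almalinux9 image is also worth reconciling so the job lands on the runner it was written for.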
+5
@@ -3,3 +3,8 @@
detectors:
FeatureEnvy:
enabled: false
TooManyStatements:
enabled: false
UncommunicativeVariableName:
accept:
- e
+3
@@ -8,3 +8,6 @@ Style/Documentation:
Layout/LineLength:
Max: 140
Metrics/BlockNesting:
Max: 4
+41 -37
@@ -2,52 +2,54 @@ forge 'forge.puppetlabs.com'
moduledir 'external_modules'
# puppetlabs
mod 'puppetlabs-stdlib', '9.1.0'
mod 'puppetlabs-inifile', '6.0.0'
mod 'puppetlabs-concat', '9.0.0'
mod 'puppetlabs-vcsrepo', '6.1.0'
mod 'puppetlabs-yumrepo_core', '2.0.0'
mod 'puppetlabs-apt', '9.4.0'
mod 'puppetlabs-lvm', '2.1.0'
mod 'puppetlabs-puppetdb', '7.13.0'
mod 'puppetlabs-postgresql', '9.1.0'
mod 'puppetlabs-firewall', '6.0.0'
mod 'puppetlabs-accounts', '8.1.0'
mod 'puppetlabs-mysql', '15.0.0'
mod 'puppetlabs-stdlib', '9.7.0'
mod 'puppetlabs-inifile', '6.2.0'
mod 'puppetlabs-concat', '9.1.0'
mod 'puppetlabs-vcsrepo', '7.0.0'
mod 'puppetlabs-yumrepo_core', '2.1.0'
mod 'puppetlabs-apt', '10.0.1'
mod 'puppetlabs-lvm', '3.0.1'
mod 'puppetlabs-puppetdb', '7.14.0'
mod 'puppetlabs-postgresql', '9.2.0'
mod 'puppetlabs-firewall', '8.1.4'
mod 'puppetlabs-accounts', '8.2.2'
mod 'puppetlabs-mysql', '16.2.0'
mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0'
mod 'puppetlabs-docker', '10.0.1'
mod 'puppetlabs-haproxy', '8.2.0'
mod 'puppetlabs-java', '11.1.0'
mod 'puppetlabs-reboot', '5.1.0'
mod 'puppetlabs-docker', '10.2.0'
# puppet
mod 'puppet-python', '7.0.0'
mod 'puppet-systemd', '5.1.0'
mod 'puppet-yum', '7.0.0'
mod 'puppet-archive', '7.0.0'
mod 'puppet-chrony', '2.6.0'
mod 'puppet-puppetboard', '9.0.0'
mod 'puppet-nginx', '5.0.0'
mod 'puppet-selinux', '4.1.0'
mod 'puppet-prometheus', '13.4.0'
mod 'puppet-grafana', '13.1.0'
mod 'puppet-consul', '8.0.0'
mod 'puppet-vault', '4.1.0'
mod 'puppet-python', '7.4.0'
mod 'puppet-systemd', '8.1.0'
mod 'puppet-yum', '7.2.0'
mod 'puppet-archive', '7.1.0'
mod 'puppet-chrony', '3.0.0'
mod 'puppet-puppetboard', '11.0.0'
mod 'puppet-nginx', '6.0.1'
mod 'puppet-selinux', '5.0.0'
mod 'puppet-prometheus', '16.0.0'
mod 'puppet-grafana', '14.1.0'
mod 'puppet-consul', '9.1.0'
mod 'puppet-vault', '4.1.1'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '5.1.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-extlib', '7.5.1'
mod 'puppet-network', '2.2.1'
mod 'puppet-kmod', '4.1.0'
mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.0.0'
mod 'puppet-rundeck', '9.1.0'
mod 'puppet-redis', '11.0.0'
mod 'puppet-letsencrypt', '11.1.0'
mod 'puppet-rundeck', '9.2.0'
mod 'puppet-redis', '11.1.0'
mod 'puppet-nodejs', '11.0.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
mod 'saz-sudo', '8.0.0'
mod 'saz-ssh', '12.1.0'
mod 'saz-sudo', '9.0.2'
mod 'saz-ssh', '13.1.0'
mod 'saz-limits', '5.0.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'ghoneycutt-puppet', '3.3.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0'
mod 'kogitoapp-minio', '1.1.4'
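Review bot: several of these bumps cross major versions (puppetlabs-firewall 6.0.0 to 8.1.4, puppet-systemd 5.1.0 to 8.1.0, puppet-prometheus 13.4.0 to 16.0.0, puppet-puppetboard 9.0.0 to 11.0.0, puppet-consul 8.0.0 to 9.1.0), and the commit list above already records two breakages from this set (#233, where the consul default install method changed, and #238, where postgresql parameters disappeared); each major bump deserves a changelog read and a noop run on one host per affected role before merge rather than being discovered in production. Also `mod 'ghoneycutt-puppet', '3.3.0'` appears twice in this hunk; confirm only one declaration survives in the new file.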
@@ -56,6 +58,8 @@ mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'ssm-crypto_policies', '0.3.3'
mod 'thias-sysctl', '1.0.8'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
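Review bot: the `bind` entry is sourced with `:git =>` and the visible lines carry no `:ref`, `:tag` or `:commit`; without one, r10k deploys whatever the default branch points at on each run, which undoes the exact-version pinning every Forge module above gets. The entry is cut off in this view, so disregard if the pin is on the following line.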
+52 -9
@@ -36,6 +36,12 @@ lookup_options:
profiles::haproxy::server::listeners:
merge:
strategy: deep
profiles::accounts::root::sshkeys:
merge:
strategy: deep
profiles::accounts::sysadmin::sshkeys:
merge:
strategy: deep
haproxy::backend:
merge:
strategy: deep
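Review bot: `strategy: deep` on `profiles::accounts::root::sshkeys` and `profiles::accounts::sysadmin::sshkeys` means authorized keys accumulate across every Hiera layer rather than being overridden, so a key defined in common data cannot be scoped down for one node or role by redefining the hash there; removing a key means deleting it at every layer it appears in. That is usually what you want for root/sysadmin access, but it is worth a comment next to the lookup option so the next reviewer does not assume a node-level override narrows access.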
@@ -135,6 +141,20 @@ lookup_options:
keepalived::vrrp_instance:
merge:
strategy: deep
profiles::etcd::node::initial_cluster_token:
convert_to: Sensitive
sysctl::base::values:
merge:
strategy: deep
limits::entries:
merge:
strategy: deep
zfs::zpools:
merge:
strategy: deep
zfs::datasets:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
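Review bot: `convert_to: Sensitive` on `profiles::etcd::node::initial_cluster_token` redacts the value in catalogs, reports and agent logs, but it does nothing for the value at rest in hieradata; confirm the token itself comes from hiera-eyaml or a Vault lookup rather than a plaintext YAML file in this repository.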
@@ -143,21 +163,35 @@ hiera_include:
- networking
- ssh::server
- profiles::accounts::rundeck
- limits
- sysctl::base
- exporters::node_exporter
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
profiles::ntp::client::peers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
- 0.au.pool.ntp.org
- 1.au.pool.ntp.org
- 2.au.pool.ntp.org
- 3.au.pool.ntp.org
profiles::base::puppet_servers:
- 'prodinf01n01.main.unkin.net'
consul::install_method: 'package'
consul::manage_repo: false
consul::bin_dir: /usr/bin
vault::install_method: 'repo'
vault::manage_repo: false
vault::bin_dir: /usr/bin
vault::manage_service_file: true
vault::manage_config_dir: true
vault::disable_mlock: false
profiles::dns::base::nameservers:
- 198.18.19.16
profiles::dns::master::basedir: '/var/named/sources'
profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
profiles::dns::base::use_ns: 'region'
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
#profiles::dns::base::use_ns: 'region'
profiles::consul::server::members_role: roles::infra::storage::consul
profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
profiles::consul::client::members_lookup: true
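Review bot: the commented-out `#profiles::dns::base::ns_role` and `#profiles::dns::base::use_ns` lines sit directly under live definitions of the same keys; delete them rather than keep both copies, since a later reader has to consult git history to learn which one is authoritative. The rest of the hunk is consistent with the history above: `consul::install_method: 'package'` with `consul::manage_repo: false` matches #233, and `vault::disable_mlock: false` keeps memory locking on for the Vault process.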
@@ -172,6 +206,9 @@ profiles::consul::client::node_rules:
- resource: node
segment: ''
disposition: read
- resource: service
segment: node_exporter
disposition: write
profiles::packages::include:
bash-completion: {}
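Review bot: the new rule grants `write` on the `node_exporter` service to every client holding the node token, which is what lets each agent register its own exporter, but service write also permits deregistering that service and its health checks from any node; confirm the module renders this as an exact `service "node_exporter"` rule rather than a `service_prefix`, otherwise any service whose name merely starts with `node_exporter` becomes writable too.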
@@ -255,7 +292,8 @@ profiles::puppet::client::dns_alt_names:
puppetdbapi: puppetdbapi.query.consul
puppetdbsql: puppetdbsql.service.au-syd1.consul
prometheus::node_exporter::export_scrape_job: true
exporters::node_exporter::enable: true
exporters::node_exporter::cleanup_old_node_exporter: true
prometheus::systemd_exporter::export_scrape_job: true
ssh::server::storeconfigs_enabled: false
@@ -320,6 +358,11 @@ networking::route_defaults:
netmask: 0.0.0.0
network: default
# logging:
victorialogs::client::journald::enable: true
victorialogs::client::journald::inserturl: https://vlinsert.service.consul:9428/insert/journald
# FIXME these are for the proxmox ceph cluster
profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
profiles::ceph::client::mons:
- 10.18.15.1
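Review bot: `victorialogs::client::journald::inserturl` points at `https://vlinsert.service.consul:9428`, but nothing in this hunk sets a CA bundle or verification option for that TLS endpoint; confirm the journald client verifies the server certificate against the internal CA rather than skipping verification, since this URL receives the journal of every host and a Consul DNS answer alone is not proof of the peer's identity.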
+7
@@ -1,2 +1,9 @@
---
timezone::timezone: 'Australia/Darwin'
profiles_dns_upstream_forwarder_unkin:
- 198.18.17.23
- 198.18.17.24
profiles_dns_upstream_forwarder_consul:
- 198.18.17.34
- 198.18.17.35
- 198.18.17.36
@@ -1,52 +1 @@
---
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders:
- 198.18.17.34
- 198.18.17.35
- 198.18.17.36
forward: 'only'
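Review bot: this removes the whole `profiles::dns::resolver::zones` hash for the site, leaving only `---`, while the hunk before it adds `profiles_dns_upstream_forwarder_unkin` and `profiles_dns_upstream_forwarder_consul`; confirm the resolver profile now generates both the `main.unkin.net` forward zone and the `13.18.198` through `17.18.198.in-addr.arpa` reverse zones from those lists, because reverse zones are the easy ones to lose in a refactor and their absence only surfaces as slow or failing PTR lookups.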
+5 -1
@@ -1,3 +1,7 @@
---
timezone::timezone: 'Australia/Sydney'
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
certbot::client::webserver: ausyd1nxvm2057.main.unkin.net
profiles_dns_upstream_forwarder_unkin:
- 198.18.19.15
profiles_dns_upstream_forwarder_consul:
- 198.18.19.14
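Review bot: with `certbot::client::webserver` moving from `ausyd1nxvm1021.main.unkin.net` to `ausyd1nxvm2057.main.unkin.net`, confirm the path that delivers ACME HTTP-01 challenges now reaches the new host before the next renewal window, otherwise renewals fail quietly until a certificate expires.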
@@ -1,52 +1 @@
---
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders:
- 198.18.13.19
- 198.18.13.20
- 198.18.13.21
forward: 'only'
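Review bot: the forwarders being removed here list two upstreams for the unkin zones (`198.18.13.14`, `198.18.13.15`) and three for `consul`, whereas the new `profiles_dns_upstream_forwarder_unkin` and `profiles_dns_upstream_forwarder_consul` lists for this site each carry a single address (`198.18.19.15`, `198.18.19.14`); if that is a deliberate move to an anycast or VIP address it is fine, but if not, resolution for the site now depends on one upstream per zone.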
@@ -3,7 +3,7 @@ hiera_include:
- keepalived
# keepalived
profiles::haproxy::dns::vrrp_ipaddr: '198.18.13.250'
profiles::haproxy::dns::ipaddr: '198.18.13.250'
profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net
- radarr.main.unkin.net
@@ -0,0 +1,305 @@
---
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- git.unkin.net
- fafflix.unkin.net
- grafana.unkin.net
profiles::haproxy::mappings:
fe_http:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
- 'git.unkin.net be_gitea'
- 'grafana.unkin.net be_grafana'
fe_https:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
- 'git.unkin.net be_gitea'
- 'grafana.unkin.net be_grafana'
profiles::haproxy::frontends:
fe_http:
options:
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]"
fe_https:
options:
acl:
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
- 'acl_gitea req.hdr(host) -i git.unkin.net'
- 'acl_grafana req.hdr(host) -i grafana.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
http-request:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Frame-Options DENY if acl_sonarr'
- 'set-header X-Frame-Options DENY if acl_radarr'
- 'set-header X-Frame-Options DENY if acl_lidarr'
- 'set-header X-Frame-Options DENY if acl_readarr'
- 'set-header X-Frame-Options DENY if acl_prowlarr'
- 'set-header X-Frame-Options DENY if acl_nzbget'
- 'set-header X-Frame-Options DENY if acl_jellyfin'
- 'set-header X-Frame-Options DENY if acl_fafflix'
- 'set-header X-Frame-Options DENY if acl_gitea'
- 'set-header X-Frame-Options DENY if acl_grafana'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
profiles::haproxy::backends:
be_ausyd1pve_web:
description: Backend for au-syd1 pve cluster (Web)
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_ausyd1pve_api:
description: Backend for au-syd1 pve cluster (API only)
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_sonarr:
description: Backend for au-syd1 sonarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_radarr:
description: Backend for au-syd1 radarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_lidarr:
description: Backend for au-syd1 lidarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_readarr:
description: Backend for au-syd1 readarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_prowlarr:
description: Backend for au-syd1 prowlarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_nzbget:
description: Backend for au-syd1 nzbget
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_jellyfin:
description: Backend for au-syd1 jellyfin
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_gitea:
description: Backend for gitea cluster
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
be_grafana:
description: Backend for grafana nodes
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem
# additional altnames
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- jellyfin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::service: haproxy
certbot::client::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- fafflix.unkin.net
- git.unkin.net
- grafana.unkin.net
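Review bot: the `add-header X-Forwarded-Proto https if { dst_port 443 }` line repeated in every backend appends rather than replaces, so a client that supplies its own X-Forwarded-Proto reaches the application with two values and the application decides which one wins; use `set-header X-Forwarded-Proto https if { ssl_fc }` (the same `ssl_fc` test the redirect line already uses) or strip the client-supplied X-Forwarded-* headers first, as is done for X-Forwarded-Port with `set-header`. Smaller point: be_gitea and be_grafana combine `cookie: SRVNAME insert indirect nocache` with `stick: 'on src'`, two persistence mechanisms on one backend, which is redundant and makes failover behaviour harder to reason about.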
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.10
networking::routes:
default:
gateway: 198.18.13.254
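Review bot: nothing in this or the following per-node hunks shows where the 198.18.13.10 to 198.18.13.69 hosts now get their address and default route once the static eth0 definitions are gone (the new `profiles::cobbler::params::is_cobbler_master: true` file later in the diff hints at PXE/DHCP provisioning); say so in the commit message, and re-check anything that pins these hosts by address, for example the nginx `location_allow` hunk further down that swaps 198.18.13.25 and 198.18.13.26 for 198.18.24.0/24.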
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.11
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.12
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.13
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.14
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.15
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.16
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.17
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.18
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.19
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.20
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.21
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.22
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.23
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.24
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,13 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.25
networking::routes:
default:
gateway: 198.18.13.254
profiles::haproxy::dns::vrrp_master: true
keepalived::vrrp_instance:
VI_250:
state: 'MASTER'
priority: 101
@@ -1,12 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.26
networking::routes:
default:
gateway: 198.18.13.254
keepalived::vrrp_instance:
VI_250:
state: 'BACKUP'
priority: 100
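Review bot: this hunk and the preceding one remove more than addressing: `profiles::haproxy::dns::vrrp_master: true` and the keepalived `VI_250` MASTER/BACKUP instance (priorities 101 and 100) disappear with no replacement shown, so unless keepalived is now configured in another hiera layer the HAProxy pair loses its VRRP VIP and the frontends defined at the top of this diff are no longer highly available; if the definition moved to a role or common layer, reference it here.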
@@ -1,11 +0,0 @@
---
profiles::cobbler::params::is_cobbler_master: true
networking::interfaces:
ens18:
ipaddress: 198.18.13.27
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.28
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.29
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.30
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,10 +0,0 @@
---
networking::interfaces:
ens18:
ipaddress: 198.18.13.31
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.32
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.33
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.34
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.35
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.36
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.37
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.38
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.39
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.40
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.41
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.42
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.43
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.44
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.45
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.47
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.47
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
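Review bot: the statically configured ens19 interface on 10.18.15.0/24 is deleted here (and in the matching hunks for .50, .51, .52, .53, .57 and .58) without a replacement in view; if that second network is still in use on those hosts it now has to be defined elsewhere, and if it is being retired the commit message should say so, because a host keeping an unmanaged interface on a disused segment is easy to overlook in firewall rules.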
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.48
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.49
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.50
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.50
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.51
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.51
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.52
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.52
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.53
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.53
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.54
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.55
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.56
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.57
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.57
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.58
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.58
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.59
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.60
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.61
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.62
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.63
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.64
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.65
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.66
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.67
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.68
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.69
networking::routes:
default:
gateway: 198.18.13.254
@@ -13,9 +13,3 @@ profiles::ssh::sign::principals:
profiles::puppet::puppetca::is_puppetca: true
profiles::puppet::puppetca::allow_subject_alt_names: true
networking::interfaces:
eth0:
ipaddress: 198.18.13.46
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,2 @@
---
profiles::cobbler::params::is_cobbler_master: true
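Review bot: the commit message should say that the cobbler master is moving; this new file carries only `profiles::cobbler::params::is_cobbler_master: true`, the key that the 198.18.13.27 node file deleted above used to hold, and if the deleted per-node static addresses are now expected to come from cobbler's DHCP/PXE data, that data has to follow the master to the new host before the old file is removed.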
@@ -1,12 +0,0 @@
---
profiles::puppet::server::dns_alt_names:
- puppetca.main.unkin.net
- puppetca.service.consul
- puppetca.query.consul
- puppetca
profiles::puppet::puppetca::is_puppetca: false
profiles::puppet::puppetca::allow_subject_alt_names: true
hiera_exclude:
- networking
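Review bot: this deletion takes the only visible `profiles::puppet::server::dns_alt_names` list (puppetca.main.unkin.net, puppetca.service.consul, puppetca.query.consul, puppetca) out of hieradata; the puppetca host in the hunk above keeps `is_puppetca: true` and `allow_subject_alt_names: true`, so if this compile server is being re-homed rather than decommissioned the alt-names list should be kept, or the puppet server certificate will stop covering the consul names.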
@@ -1,5 +1,13 @@
---
profiles::proxmox::params::pve_clusterinit_master: true
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.1 # management loopback
networking_loopback1_ip: 198.18.22.1 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.1 # ceph-public loopback
networking_1000_ip: 198.18.15.1 # 1gbe network
networking_2500_ip: 198.18.21.1 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:c3:60
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:50
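Review bot: `"%{hiera('networking_1000_iface')}"` (here and in the following pve node hunks) uses the deprecated `hiera()` interpolation function; `%{lookup(...)}`, which this same diff already uses in the jupyterhub proxy locations, is the supported form and keeps the data files consistent. Keying interfaces by MAC is a sound change for hosts with several NICs whose kernel names differ (this set mixes enp1s0 and enp2s0 for the 1GbE port).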
@@ -1,4 +1,13 @@
---
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.2 # management loopback
networking_loopback1_ip: 198.18.22.2 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.2 # ceph-public loopback
networking_1000_ip: 198.18.15.2 # 1gbe network
networking_2500_ip: 198.18.21.2 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:74:b6:08
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:08:43
@@ -1,4 +1,13 @@
---
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.3 # management loopback
networking_loopback1_ip: 198.18.22.3 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.3 # ceph-public loopback
networking_1000_ip: 198.18.15.3 # 1gbe network
networking_2500_ip: 198.18.21.3 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: b8:85:84:a3:25:c5
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:07:82
@@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.4 # management loopback
networking_loopback1_ip: 198.18.22.4 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.4 # ceph-public loopback
networking_1000_ip: 198.18.15.4 # 1gbe network
networking_2500_ip: 198.18.21.4 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:d5:00
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:43
@@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.5 # management loopback
networking_loopback1_ip: 198.18.22.5 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.5 # ceph-public loopback
networking_1000_ip: 198.18.15.5 # 1gbe network
networking_2500_ip: 198.18.21.5 # 2.5gbe network
networking_1000_iface: enp1s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: 54:bf:64:a0:08:64
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:07:79
@@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.6 # management loopback
networking_loopback1_ip: 198.18.22.6 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.6 # ceph-public loopback
networking_1000_ip: 198.18.15.6 # 1gbe network
networking_2500_ip: 198.18.21.6 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:10:8d
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:53
@@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.7 # management loopback
networking_loopback1_ip: 198.18.22.7 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.7 # ceph-public loopback
networking_1000_ip: 198.18.15.7 # 1gbe network
networking_2500_ip: 198.18.21.7 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:74:b4:27
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:5b
@@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.8 # management loopback
networking_loopback1_ip: 198.18.22.8 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.8 # ceph-public loopback
networking_1000_ip: 198.18.15.8 # 1gbe network
networking_2500_ip: 198.18.21.8 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:06:18
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:08:4b
@@ -0,0 +1,18 @@
---
networking_loopback0_ip: 198.18.19.9 # management loopback
networking_loopback1_ip: 198.18.22.9 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.9 # ceph-public loopback
networking_br10_ip: 198.18.25.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:8d
ipaddress: 198.18.15.9
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:5d
ipaddress: 198.18.21.9
#zfs::zpools:
# fastpool:
# ensure: present
# disk: /dev/nvme0n1
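Review bot: the commented-out `#zfs::zpools:` block (fastpool on /dev/nvme0n1) should be either removed or made a real key; commented configuration left in hieradata tends to be re-enabled later without review, and `ensure: present` on a block device is exactly the kind of change that deserves one.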
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.10 # management loopback
networking_loopback1_ip: 198.18.22.10 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.10 # ceph-public loopback
networking_br10_ip: 198.18.26.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:37
ipaddress: 198.18.15.10
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:de
ipaddress: 198.18.21.10
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.11 # management loopback
networking_loopback1_ip: 198.18.22.11 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.11 # ceph-public loopback
networking_br10_ip: 198.18.27.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:0f
ipaddress: 198.18.15.11
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:55
ipaddress: 198.18.21.11
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.12 # management loopback
networking_loopback1_ip: 198.18.22.12 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.12 # ceph-public loopback
networking_br10_ip: 198.18.28.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:4f:05:1e
ipaddress: 198.18.15.12
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:e5
ipaddress: 198.18.21.12
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.13 # management loopback
networking_loopback1_ip: 198.18.22.13 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.13 # ceph-public loopback
networking_br10_ip: 198.18.29.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:4f:04:b0
ipaddress: 198.18.15.13
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:36
ipaddress: 198.18.21.13
+21
@@ -1,2 +1,23 @@
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
---
crypto_policies::policy: 'DEFAULT'
profiles::packages::include:
network-scripts: {}
profiles::yum::global::repos:
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
gpgcheck: false
mirrorlist: absent
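Review bot: the `unkin` repo sets `gpgcheck: false` while also pointing `gpgkey` at repository.key, so packages from git.query.consul are installed without signature verification and the key line is dead configuration; enable gpgcheck (Gitea's RPM registry publishes that key so clients can verify) or drop the gpgkey line so the intent is explicit. Also, the powertools `gpgkey` is fetched over plain `http://edgecache.query.consul` while its `baseurl` is https; the key is what vouches for the packages, so fetch it over https too.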
+34
@@ -1,2 +1,36 @@
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
---
crypto_policies::policy: 'DEFAULT:SHA1'
profiles::yum::global::repos:
baseos:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
extras:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
appstream:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
highavailability:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
crb:
name: crb
descr: crb repository
target: /etc/yum.repos.d/crb.repo
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
gpgcheck: false
mirrorlist: absent
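Review bot: `crypto_policies::policy: 'DEFAULT:SHA1'` re-enables SHA-1 signatures system-wide on every AlmaLinux 9 host, whereas the AlmaLinux 8 file keeps plain `DEFAULT`; if one component needs it (an old repository key, an SSH peer), name it in a comment so the exception can be dropped when that dependency goes, or scope it to the affected hosts rather than the OS layer. The `unkin` repo has the same `gpgcheck: false` plus `gpgkey` contradiction as the el8 file, and the `os//RPM-GPG-KEY-AlmaLinux-9` paths carry a double slash.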
+9 -16
@@ -3,14 +3,14 @@
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.26.0'
profiles::puppet::agent::puppet_version: '7.34.0'
hiera_include:
- profiles::almalinux::base
profiles::packages::include:
crypto-policies-scripts: {}
lzo: {}
network-scripts: {}
policycoreutils: {}
unar: {}
xz: {}
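Review bot: the agent bump from 7.26.0 to 7.34.0 and moving `network-scripts` into the AlmaLinux 8 file are fine; the unchanged context above still has firewalld absent and stopped on every host, and with the nginx `location_allow` lists later in this diff being the only network restriction on some services, a host firewall would be a cheap second layer worth a follow-up.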
@@ -39,13 +39,6 @@ profiles::yum::global::repos:
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
highavailability:
name: highavailability
descr: highavailability repository
@@ -57,19 +50,19 @@ profiles::yum::global::repos:
name: epel
descr: epel repository
target: /etc/yum.repos.d/epel.repo
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
baseurl: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
unkinben:
name: unkinben
descr: unkinben repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
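Review bot: renaming the repo key from `unkin` to `unkinben` while keeping `target: /etc/yum.repos.d/unkin.repo` leaves two differently named definitions (this one and the `unkin` entries in the new AlmaLinux 8 and 9 OS files) writing to the same file; use one name or one target per repo. Moving epel and puppet to `packagerepo.service.consul` over https with the key served from the same path does fix the mixed http/https key fetch the old lines had; if packagerepo is a mirror you run, keep the upstream key fingerprints documented so the mirrored keys can be checked against them.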
+4
@@ -13,3 +13,7 @@ profiles::packages::include:
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false
consul::install_method: 'url'
consul::manage_repo: false
consul::bin_dir: /usr/local/bin
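Review bot: `consul::install_method: 'url'` with `manage_repo: false` takes the consul binary out of the package manager's signature checking and drops it into /usr/local/bin; pin the release with `consul::version` so every host fetches the same build, and record the upstream checksum for that release next to it so a tampered download is caught instead of executed.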
+1
@@ -0,0 +1 @@
profiles::jupyter::jupyterhub::ldap_bind_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJspN3e2WzA0uZaLgFZ0Ewqii9dY0tTgbirsW70M2VZtLY+s+C6HE8ZZUtpfnRsFwUUhOj7s25X9xVOZNTpZIGPyfx9MWlSyFw2RFuXSEwaydf1DcBbg8261YrTTysA4Jsa1L4DLsX55q+XJUyeUbimVQkIacVIvzTdnZCBKnVNUh3U2PNAmV7SOL2KH8Jpbfs/EQfBt8XuGMCg3I/4RDyoNERqthW6W2KiMX2Gmd8iQ5+W9udH0lEAMx415oyImmN+dEuThcx9FGMi8BWYtnxH96yWafpT5qltwW6EVzIGWuLhiD1LcWYc5RB8jc3DhbeouChpKsN6c4EHoKt3aWsTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC8jcnqilJgY1/AnHWHfX4bgDCi2a3Rj43Z0dgfB5HaHdpfked3Cx+u94r2S5+Cg3QogU1AIF04rjzOL+bD2HdaMfo=]
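Review bot: this new file is the only hieradata file in the diff without the leading `---` document marker; add it for consistency. Committing the bind password as an eyaml `ENC[PKCS7,...]` value is the right approach; also check that the LDAP account behind `ldap_bind_pass` is read-only and scoped to the subtree JupyterHub needs, since a compromised hub would otherwise expose the directory.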
+74
@@ -0,0 +1,74 @@
---
profiles::packages::include:
python3.12: {}
python3.12-pip: {}
hiera_include:
- docker
- profiles::nginx::simpleproxy
# manage docker
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'jupyterhub.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- jupyterhub.service.consul
- jupyterhub.query.consul
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
profiles::nginx::simpleproxy::locations:
# authorised access from external
default:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Real-IP $remote_addr'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
- 'X-Scheme $scheme'
proxy_redirect: 'off'
proxy_http_version: '1.1'
proxy_buffering: 'off'
# additional altnames
profiles::pki::vault::alt_names:
- jupyterhub.service.consul
- jupyterhub.query.consul
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
jupyterhub:
service_name: 'jupyterhub'
tags:
- 'jupyterhub'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'jupyterhub_http_check'
name: 'jupyterhub HTTP Check'
http: "https://%{facts.networking.fqdn}"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jupyterhub
disposition: write
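Review bot: `docker::version: latest` is unpinned, so hosts converge to whatever the repository serves on their next run; pin a version. The consul health check uses `tls_skip_verify: true` against `https://%{facts.networking.fqdn}` even though `profiles::pki::vault::alt_names` is extended in the same hunk, so adding the host FQDN there (if the Vault-issued certificate does not already carry it) would let the check verify the chain. The `default` location is `ssl_only: true` with no `location_allow`, relying entirely on JupyterHub's own LDAP login unlike the restricted location in the next hunk; a comment saying that is intentional would save the next reader a question.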
+1 -2
@@ -69,8 +69,7 @@ profiles::nginx::simpleproxy::locations:
location_allow:
- 127.0.0.1
- "%{facts.networking.ip}"
- 198.18.13.25
- 198.18.13.26
- 198.18.24.0/24
location_deny:
- all
# authorised access from external
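Review bot: replacing the two proxy addresses 198.18.13.25 and 198.18.13.26 with 198.18.24.0/24 widens this allow list from two hosts to a whole subnet; if only the HAProxy pair should reach this location, list their new addresses, or document that 198.18.24.0/24 is a dedicated proxy segment. The `location_deny: all` fallback still holds, so this is a scope question rather than an open hole.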
+14
@@ -2,6 +2,12 @@
hiera_include:
- jellyfin
profiles::packages::include:
intel-media-driver: {}
libva-intel-driver: {}
libva-intel-hybrid-driver: {}
intel-mediasdk: {}
# manage jellyfin
jellyfin::params::service_enable: true
@@ -61,3 +67,11 @@ profiles::yum::global::repos:
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
unkinben:
name: unkinben
descr: unkinben repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el8
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
gpgcheck: false
mirrorlist: absent
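Review bot: `gpgcheck: false` with a `gpgkey` set, the same contradiction as the OS-level `unkin` repos elsewhere in this diff; the rpmfusion entries just above in the same file do not disable verification, so this repo would be the host's only unsigned package source. Enable gpgcheck or drop the unused key line.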
+1
@@ -2,6 +2,7 @@
hiera_include:
- lidarr
- profiles::nginx::ldapauth
- profiles::media::lidarr
# manage lidarr
lidarr::params::user: lidarr
+10
@@ -4,12 +4,19 @@ hiera_include:
- nzbget
- profiles::media::nzbget
- profiles::nginx::ldapauth
- exporters::nzbget_exporter
profiles::packages::include:
unrar: {}
# manage nzbget
nzbget::params::user: nzbget
nzbget::params::group: media
nzbget::params::manage_group: false
# nzbget_exporter
exporters::nzbget_exporter::enable: true
# additional altnames
profiles::pki::vault::alt_names:
- nzbget.main.unkin.net
@@ -59,6 +66,9 @@ profiles::consul::client::node_rules:
- resource: service
segment: nzbget
disposition: write
- resource: service
segment: nzbget_exporter
disposition: write
profiles::yum::global::repos:
rpmfusion-free:
+11
@@ -2,6 +2,8 @@
hiera_include:
- prowlarr
- profiles::nginx::ldapauth
- profiles::media::prowlarr
- exporters::exportarr
# manage prowlarr
prowlarr::params::user: prowlarr
@@ -10,6 +12,12 @@ prowlarr::params::manage_group: false
prowlarr::params::archive_version: 1.19.0
prowlarr::params::port: 8000
# exportarr
exporters::exportarr::enable: true
exporters::exportarr::app: prowlarr
exporters::exportarr::api_key: "%{hiera('prowlarr::api_key')}"
exporters::exportarr::backfill: true
# additional altnames
profiles::pki::vault::alt_names:
- prowlarr.main.unkin.net
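Review bot: `exporters::exportarr::api_key: "%{hiera('prowlarr::api_key')}"` copies the application API key into the exporter configuration, which is fine only if `prowlarr::api_key` itself is stored as an eyaml `ENC[...]` value like the ldap_bind_pass added elsewhere in this diff; the same applies to the radarr and sonarr exportarr hunks below. `hiera()` interpolation is deprecated in favour of `lookup()`.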
@@ -54,6 +62,9 @@ profiles::consul::client::node_rules:
- resource: service
segment: prowlarr
disposition: write
- resource: service
segment: exportarr
disposition: write
profiles::nginx::simpleproxy::locations:
arrstack_web_external:
+9
@@ -2,6 +2,8 @@
hiera_include:
- radarr
- profiles::nginx::ldapauth
- profiles::media::radarr
- exporters::exportarr
# manage radarr
radarr::params::user: radarr
@@ -10,6 +12,10 @@ radarr::params::manage_group: false
radarr::params::archive_version: 5.7.0
radarr::params::port: 8000
# exportarr
exporters::exportarr::enable: true
exporters::exportarr::app: radarr
exporters::exportarr::api_key: "%{hiera('radarr::api_key')}"
# additional altnames
profiles::pki::vault::alt_names:
@@ -55,3 +61,6 @@ profiles::consul::client::node_rules:
- resource: service
segment: radarr
disposition: write
- resource: service
segment: exportarr
disposition: write
+1
@@ -2,6 +2,7 @@
hiera_include:
- readarr
- profiles::nginx::ldapauth
- profiles::media::readarr
# manage readarr
readarr::params::user: readarr
+10
@@ -2,6 +2,8 @@
hiera_include:
- sonarr
- profiles::nginx::ldapauth
- profiles::media::sonarr
- exporters::exportarr
# manage sonarr
sonarr::params::user: sonarr
@@ -10,6 +12,11 @@ sonarr::params::manage_group: false
sonarr::params::archive_version: 4.0.5
sonarr::params::port: 8000
# exportarr
exporters::exportarr::enable: true
exporters::exportarr::app: sonarr
exporters::exportarr::api_key: "%{hiera('sonarr::api_key')}"
# additional altnames
profiles::pki::vault::alt_names:
- sonarr.main.unkin.net
@@ -54,3 +61,6 @@ profiles::consul::client::node_rules:
- resource: service
segment: sonarr
disposition: write
- resource: service
segment: exportarr
disposition: write

Some files were not shown because too many files have changed in this diff.