108 Commits

Author SHA1 Message Date
unkinben f4ac1f2000 feat: manage route-reflectors
- add route-reflector role and hieradata
- enable using dhcp in networkd
- add hieradata/node/* entries for route-reflectors
2025-04-26 00:22:49 +10:00
unkinben 2321186ad5 neoloc/mpls_ldp_frr (#255)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/255
2025-04-24 16:51:31 +10:00
unkinben c24babe309 feat: add incus image host (#254)
- add role
- add consul service + checks
- manage the datavol as zfs
- insure the incus fact exists before attempting to read it

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/254
2025-04-24 01:00:39 +10:00
unkinben bfda2b628b feat: enable ip forwarding for gitea runners (#253)
- required to enable docker containers reach git service

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/253
2025-04-21 18:40:17 +10:00
unkinben 278f8001b0 feat: add frr synced repo (#252)
- add frr repo to incus hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/252
2025-04-18 21:21:23 +10:00
unkinben 0fe44cf4e2 feat: add frr repos (#251)
- add frr/stable/el8
- add frr/stable/el9
- add frr/extras/el8
- add frr/extras/el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/251
2025-04-15 02:21:55 +10:00
unkinben 25b06cde22 feat: move bridge management to incus (#250)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/250
2025-04-15 00:04:14 +10:00
unkinben 8c76e71dc4 chore: set core.https_address for incus (#249)
- check the current config and update core.https_address if its wrong

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/249
2025-04-07 11:04:12 +10:00
unkinben 0e3dd4d7d0 feat: initialise barebones server (#248)
- manage incus servers init

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/248
2025-04-06 23:56:50 +10:00
unkinben 83d0b31753 fix: set default for use_networkd (#247)
- resolving issue where the systemd::manage_networkd is missing for most
  hosts, setting a default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/247
2025-04-06 19:24:39 +10:00
unkinben b6ea353cfb feat: update dns resolver acls (#246)
- add dmz acl
- add common acl
- add loopback/ceph/physical subnets to main acl

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/246
2025-04-06 16:44:16 +10:00
unkinben c225564bdb feat: continue incus implementation (#245)
- migrate to systemd-networkd
- setup dummy, bridge and static/ethernet interfaces
- manage sshd.service droping to start ssh after networking is online
- enable ip forewarding
- add fastpool/data/incus dataset
- enable ospf and frr
- add loopback0 as ssh listenaddress
- add loopback1/2 for ceph cluster/public traffic

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/245
2025-04-06 16:38:04 +10:00
unkinben 06666fe488 fix: resolve issue with baseos in el9 (#244)
- was not correctly provisioning the baseos repo for el9 incus hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/244
2025-04-02 21:02:08 +11:00
unkinben 9dc88e6db6 feat: deep merge zpools/datasets (#243)
- change prodnxsr0009 to use nvme0n1 as zfs device

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/243
2025-04-02 20:35:04 +11:00
unkinben d87983d8fc chore: add sysadmin user after first run (#242)
- enables extra_groups to function correctly

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/242
2025-04-02 20:27:11 +11:00
unkinben 95bc2716cf neoloc/incus_deploy (#241)
feat: deploy incus

- manage sysctl based on incus recommendations
- manage limits based on incus recommendations
- manage zpools and zfs datasets
- add incus hiera settings

feat: manage repo for zfs

- dont use zfs module to manage repo, use profiles::yum::global::repos

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/241
2025-03-31 23:14:05 +11:00
unkinben 978013f325 chore: set default nameservers (#240)
- if no nameservers are returned from puppetdb query, use default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/240
2025-03-31 22:49:47 +11:00
unkinben 829b1b05fd feat: cleanup consul from url install (#239)
- set bind_dir to be /usr/bin for rhel, /usr/local/bin for debian
- remove url-installed consul from rhel

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/239
2025-03-30 18:40:09 +11:00
unkinben 6cb249ffbc fix: backtrack to 9.2.0 for postgresql (#238)
- no parameter named 'instance'
- no parameter named 'port'

downgrading due to incompatibilities between the latest version of puppetdb and postgresql

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/238
2025-03-30 17:51:33 +11:00
unkinben 427fe352b4 feat: debian package for consul not managed (#237)
- change debian hosts to use the url method to download consul

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/237
2025-03-30 17:13:54 +11:00
unkinben 45b061a053 feat: change almalinux9 to use packagerepo (#236)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/236
2025-03-30 17:05:03 +11:00
unkinben d39d25d3f1 feat: add almalinux 9.5 repos using mirrorlist (#235)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/235
2025-03-30 16:24:55 +11:00
unkinben 06b458cb0e feat: reposync for almalinux 9.4 (in vault) (#234)
- sync baseos, ha, appstream and crb repos

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/234
2025-03-30 12:31:09 +11:00
unkinben e3046563a2 chore: install consul from package (#233)
- upgrade to puppet-consul changed default install method to archive
- ensure package method is used
- dont manage the repo, consul is packaged by rpmbuilder

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/233
2025-03-30 02:04:13 +11:00
unkinben e025928d77 chore: set secretid for puppetboard (#232)
- manage the secret_key for puppetboard
- required since module upgrade

https://github.com/voxpupuli/puppetboard/issues/721

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/232
2025-03-30 01:53:25 +11:00
unkinben e3e8b3484d chore: enable extra groups (#231)
- enable adding extra groups to the sysadmin user

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/231
2025-03-30 01:20:59 +11:00
unkinben bdf420973d feat: add incus module (#230)
- add a basic incus module

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/230
2025-03-30 01:12:53 +11:00
unkinben 6a04701891 feat: add incus role (#229)
- add basic infra::incus role
- add autossl, consul and ssh-principals for incus

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/229
2025-03-30 00:56:04 +11:00
unkinben dd5a4646ff feat: update all modules (#228)
- update puppetlabs-* modules
- update puppet-* modules
- add limits and sysctl

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/228
2025-03-30 00:51:49 +11:00
unkinben 4e47745077 chore: setup unkin repo for el9 and el8 (#227)
- update the unkin repo definition for el8 and el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/227
2025-03-29 22:50:08 +11:00
unkinben 3a4e606459 chore: set yum/dnf metadata expiry (#226)
- set expiry to 1 day so that dnf frequently checks for updates from packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/226
2025-03-29 22:37:37 +11:00
unkinben d0eb4c078d feat: add zfs modules (#225)
- add zfs_core module to puppetfile (provides zfs/zpool provider)
- add module to manage zfs

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/225
2025-03-29 22:31:02 +11:00
unkinben b95bcbd10a feat: add zfs to reposync (#224)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/224
2025-03-29 20:08:31 +11:00
unkinben adc0cf2c09 neoloc/lxd_hosts (#223)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/223
2025-03-29 19:40:01 +11:00
unkinben 771b981d91 feat: enable nomad to manage sessions/services (#222)
- this is required to start patroni

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/222
2025-03-20 19:21:40 +11:00
unkinben e0c3a23424 fix: define missing .cache directory (#221)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/221
2025-03-13 21:48:47 +11:00
unkinben a309244713 feat: add nomad nodes (#220)
- change existing nodes to be nomad-agents

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/220
2025-03-13 21:23:40 +11:00
unkinben 8eb751e22f feat: change enc_* fact to read direct from cobbler (#219)
- change enc_role and enc_env to read direct from cobbler
- cleanup profiles::base::facts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/219
2025-03-12 23:09:15 +11:00
unkinben b981a6fb01 feat: enable nomad jobs to query dns (#218)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/218
2025-03-09 17:49:35 +11:00
unkinben 7c1d96bd22 feat: add k8s and docker repos (#217)
- add docker stable repos to packagerepo
- add k8s 1.32 to packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/217
2025-01-27 12:59:59 +11:00
unkinben 0222f5ec4a feat: update consul etcd check (#216)
- check the health api endpoint

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/216
2025-01-26 20:05:18 +11:00
unkinben afd3405c98 feat: add etcd module/role (#215)
- add etcd module
- add etcd role, profile and hieradata

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/215
2025-01-26 20:00:20 +11:00
unkinben ab7ce3bbfa Adding hieradata/node/ausyd1nxvm1071.main.unkin.net.yaml (#214)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/214
2025-01-25 20:15:20 +11:00
unkinben 4a85c5feff Adding hieradata/node/ausyd1nxvm1070.main.unkin.net.yaml (#213)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/213
2025-01-25 20:15:05 +11:00
unkinben 6134b4664b Adding hieradata/node/ausyd1nxvm1069.main.unkin.net.yaml (#212)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/212
2025-01-05 12:51:57 +11:00
unkinben e061a72996 Adding hieradata/node/ausyd1nxvm1067.main.unkin.net.yaml (#211)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/211
2025-01-05 12:51:46 +11:00
unkinben eaa15e92dc Adding hieradata/node/ausyd1nxvm1068.main.unkin.net.yaml (#210)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/210
2025-01-05 12:51:37 +11:00
unkinben a5a193d9eb feat: update jupyterlab container (#209)
- change to packer created alma9 instance
- change docker root to use /data volume

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/209
2025-01-04 14:10:44 +11:00
unkinben 4400456519 feat: add frrouting module (#208)
- add frrouting module
- enable ospf daemon on nomad agents
- enable docker volumes

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/208
2024-12-27 23:39:03 +11:00
unkinben d37fb5d7e1 neoloc/nomad_agent (#207)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/207
2024-12-26 20:23:27 +11:00
unkinben 022a564dc0 feat: add nomad agent role (#206)
- add nomad agent role
- mount cephfs volume nomadfs to /shared/nomad
- manage docker volume path to be /shared/nomad

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/206
2024-12-26 20:20:51 +11:00
unkinben 48e1fb8e30 Adding hieradata/node/ausyd1nxvm1062.main.unkin.net.yaml (#204)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/204
2024-12-23 17:28:47 +11:00
unkinben 561d74e9d9 Adding hieradata/node/ausyd1nxvm1063.main.unkin.net.yaml (#205)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/205
2024-12-23 17:28:37 +11:00
unkinben 281fdb33d4 Adding hieradata/node/ausyd1nxvm1064.main.unkin.net.yaml (#203)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/203
2024-12-23 17:28:09 +11:00
unkinben 1c04366eec Adding hieradata/node/ausyd1nxvm1066.main.unkin.net.yaml (#202)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/202
2024-12-23 17:27:59 +11:00
unkinben 86d3b61439 Adding hieradata/node/ausyd1nxvm1065.main.unkin.net.yaml (#201)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/201
2024-12-23 17:27:49 +11:00
unkinben 6ebf5c03a5 feat: add nomad profile/role (#200)
- add basic consul manage nomad servers

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/200
2024-12-22 22:35:31 +11:00
unkinben c97db0f0aa Adding hieradata/node/ausyd1nxvm1061.main.unkin.net.yaml (#198)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/198
2024-12-10 22:15:10 +11:00
unkinben 46b4fdf632 neoloc/sysadmin_early (#197)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/197
2024-12-09 22:12:01 +11:00
unkinben aaf81d0a6c feat: create sysadmin on firstrun (#196)
- prevent packages from using uid 1000

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/196
2024-12-09 21:51:37 +11:00
unkinben afbc15ff40 feat: import crypto-policices earlier (#195)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/195
2024-12-08 22:50:25 +11:00
unkinben 64248a45c2 feat: ensure crypto-policices are managed before yumrepos (#194)
- ensure crypto_policies are set before creating yum yumrepos
- ensure that they rpmdb is rebuilt after upgrading to el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/194
2024-12-08 20:30:08 +11:00
unkinben c7fb1f0cec neoloc/crypto_policices_el8 (#193)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/193
2024-12-08 19:54:15 +11:00
unkinben dbccaea24b feat: add crypto_policies (#192)
- ensure DEFAULT is used for EL8
- ensure DEFAULT:SHA1 is used for EL9, until issues with crypto are resolved for EL9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/192
2024-12-08 19:47:59 +11:00
unkinben b244327c34 neoloc/alma9 (#191)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/191
2024-12-08 19:22:58 +11:00
unkinben 90bcdd1f51 neoloc/alma9 (#190)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/190
2024-12-08 19:16:54 +11:00
unkinben ec926dfe0a feat: enable network manager on el9 (#189)
- el9 doesnt have the network-scripts scripts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/189
2024-12-08 19:11:54 +11:00
unkinben 40af30d0ff chore: change packagerepo vhost name (#188)
- ensure http endpoint works for packagerepo.service.consul

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/188
2024-12-08 17:05:38 +11:00
unkinben bac90b5459 Merge pull request 'fix: permissions for cobbler files' (#187) from neoloc/cobbler_perms into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/187
2024-12-08 08:37:36 +11:00
unkinben 41aab65f85 fix: permissions for cobbler files
- ensure idempotency for /var/lib/cobbler/web.ss
2024-12-08 08:36:35 +11:00
unkinben c023cfe4dc Merge pull request 'feat: upgrade puppet agent' (#186) from neoloc/puppet_updates into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/186
2024-12-08 00:11:30 +11:00
unkinben cffb6a54fc feat: upgrade puppet agent
- move all almalinux hosts to 7.34
2024-12-08 00:09:40 +11:00
unkinben fd7ced66ce Merge pull request 'feat: edgecache updates' (#185) from neoloc/edgecache_pki into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/185
2024-12-07 23:51:57 +11:00
unkinben 766f124b2c feat: edgecache updates
- update metadatacache size
- increase cache age from 60d to 365d
- subscribe nginx service to ssl certs
2024-12-07 23:50:45 +11:00
unkinben 4de772436b Merge pull request 'feat: update puppet repo' (#184) from neoloc/almalinuxrepo into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/184
2024-12-07 23:32:48 +11:00
unkinben 75f865c26c feat: update puppet repo
- move puppet repo to packagerepo
2024-12-07 23:31:40 +11:00
unkinben 2fdc709a17 Merge pull request 'feat: update repos' (#183) from neoloc/almalinuxrepo into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/183
2024-12-01 00:33:10 +11:00
unkinben ba3a9e374a feat: update repos
- add unkin
- rename unkin -> unkinben
2024-12-01 00:30:58 +11:00
unkinben a28ef09f28 Merge pull request 'feat: enable root_dir for docker' (#182) from neoloc/docker_root into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/182
2024-12-01 00:27:04 +11:00
unkinben 52fff0ccea feat: enable root_dir for docker
- move docker root_dir to /data/docker for runners
2024-11-30 23:11:24 +11:00
unkinben f097cf2550 Merge pull request 'chore: migrate puppet-r10k' (#181) from neoloc/r10k_adjustment into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/181
2024-11-17 19:27:43 +11:00
unkinben 58d31c5c9a chore: migrate puppet-r10k
- moved puppet-r10k the unkin organisation
- ensure branch is set to follow origin/master
2024-11-17 19:26:27 +11:00
unkinben 92d6697175 Merge pull request 'fix: fix release name' (#180) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/180
2024-11-16 22:36:02 +11:00
unkinben d3f471f3ed fix: fix release name
- fix release name for postgresql repos
2024-11-16 22:35:23 +11:00
unkinben ab1f4300a9 Merge pull request 'fix: ensure reposync directories exist' (#179) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/179
2024-11-16 22:32:47 +11:00
unkinben 845b91b497 fix: ensure reposync directories exist 2024-11-16 22:32:15 +11:00
unkinben 8f0b3e615c Merge pull request 'feat: add el9 puppet/posgresql repos' (#178) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/178
2024-11-16 22:25:48 +11:00
unkinben 8679a0b904 feat: add el9 puppet/posgresql repos
- will upgrade to el9 soon, so need to store these repos
2024-11-16 22:25:06 +11:00
unkinben 16ba54ee0a Merge pull request 'feat: update packagerepo' (#176) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/176
2024-11-16 22:02:46 +11:00
unkinben 4b3553b75c Merge pull request 'Adding hieradata/node/ausyd1nxvm1060.main.unkin.net.yaml' (#177) from autonode/ausyd1nxvm1060.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/177
2024-11-16 21:44:57 +11:00
unkinben abdb3ec8cb feat: update packagerepo
- remove almalinux/centos/epel repos
- manage consul service `packagerepo`
- manage ssh principals
- update vault alt-names
2024-11-16 21:43:11 +11:00
unkinben c0623b64f7 Adding hieradata/node/ausyd1nxvm1060.main.unkin.net.yaml 2024-11-16 21:36:58 +11:00
unkinben d286e2d816 Merge pull request 'feat: add sudaporn account' (#175) from neoloc/addying into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/175
2024-11-16 20:24:14 +11:00
unkinben 71b29d5e88 feat: add sudaporn account
- enable access to media
- enable access to jupyter
2024-11-16 20:23:01 +11:00
unkinben 6493f392b8 Merge pull request 'neoloc/jupyterhub' (#174) from neoloc/jupyterhub into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/174
2024-11-16 20:20:16 +11:00
unkinben 8586e9eb32 feat: enable web-sockets
- change simpleproxy config for jupyter::hub role to use websockets
2024-11-16 20:15:03 +11:00
unkinben 92a9655a50 feat: jupyterhub updates
- always pull containers when starting new instance
- enable access to terminal
2024-11-16 19:54:19 +11:00
unkinben 42ad972697 feat: add ldap configuration
- add group members to jupyterhub_user
- add svc_jupyterhub user for ldap binding
- paramatarise all ldap fields required
- manage the notebook data directory
2024-11-16 19:20:20 +11:00
unkinben 61f5f1ce1f feat: add docker settings
- list docker network and image
- fix ldap_admin setting to be a list of users
2024-11-10 20:26:18 +11:00
unkinben 926d3d29d0 fix: enable docker for jupyterhub
- install/manage docker
2024-11-10 20:21:51 +11:00
unkinben c6bdae5790 Merge pull request 'feat: add jupyterhub role' (#173) from neoloc/jupyterhub into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/173
2024-11-10 19:14:49 +11:00
unkinben 159d66af18 feat: add jupyterhub role
- add nodejs module to use npm package provider
- add jupyterhub role
- add class to configure the jupyterhub instance
- add ldap groups
- add nginx simpleproxy
2024-11-10 19:09:50 +11:00
unkinben c728c1a5e0 Merge pull request 'feat: add service data' (#172) from neoloc/jumphost into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/172
2024-10-27 14:03:28 +11:00
unkinben 4fec931fb1 feat: add service data
- add pki certificates
- add consul service
- add ssh principals
2024-10-27 13:26:07 +11:00
unkinben 76b4c8c930 Merge pull request 'feat: add jumphost role' (#171) from neoloc/jumphost into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/171
2024-10-27 13:18:50 +11:00
unkinben 0455965525 feat: add jumphost role
- add role for ssh proxy/jumphost
2024-10-27 13:15:28 +11:00
unkinben 4e68900259 Merge pull request 'feat: ensure vault restarts with ssl cert' (#170) from neoloc/vault_reload into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/170
2024-10-27 13:10:51 +11:00
unkinben ca87702466 feat: ensure vault restarts with ssl cert
- ensure the vault service resource subscribes to the ssl crt/key
- update unseal script to retry unseal process until it completes
2024-10-27 12:59:36 +11:00
110 changed files with 3096 additions and 286 deletions
+5
View File
@@ -3,3 +3,8 @@
detectors:
FeatureEnvy:
enabled: false
TooManyStatements:
enabled: false
UncommunicativeVariableName:
accept:
- e
+41 -37
View File
@@ -2,52 +2,54 @@ forge 'forge.puppetlabs.com'
moduledir 'external_modules'
# puppetlabs
mod 'puppetlabs-stdlib', '9.1.0'
mod 'puppetlabs-inifile', '6.0.0'
mod 'puppetlabs-concat', '9.0.0'
mod 'puppetlabs-vcsrepo', '6.1.0'
mod 'puppetlabs-yumrepo_core', '2.0.0'
mod 'puppetlabs-apt', '9.4.0'
mod 'puppetlabs-lvm', '2.1.0'
mod 'puppetlabs-puppetdb', '7.13.0'
mod 'puppetlabs-postgresql', '9.1.0'
mod 'puppetlabs-firewall', '6.0.0'
mod 'puppetlabs-accounts', '8.1.0'
mod 'puppetlabs-mysql', '15.0.0'
mod 'puppetlabs-stdlib', '9.7.0'
mod 'puppetlabs-inifile', '6.2.0'
mod 'puppetlabs-concat', '9.1.0'
mod 'puppetlabs-vcsrepo', '7.0.0'
mod 'puppetlabs-yumrepo_core', '2.1.0'
mod 'puppetlabs-apt', '10.0.1'
mod 'puppetlabs-lvm', '3.0.1'
mod 'puppetlabs-puppetdb', '7.14.0'
mod 'puppetlabs-postgresql', '9.2.0'
mod 'puppetlabs-firewall', '8.1.4'
mod 'puppetlabs-accounts', '8.2.2'
mod 'puppetlabs-mysql', '16.2.0'
mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0'
mod 'puppetlabs-docker', '10.0.1'
mod 'puppetlabs-haproxy', '8.2.0'
mod 'puppetlabs-java', '11.1.0'
mod 'puppetlabs-reboot', '5.1.0'
mod 'puppetlabs-docker', '10.2.0'
# puppet
mod 'puppet-python', '7.0.0'
mod 'puppet-systemd', '5.1.0'
mod 'puppet-yum', '7.0.0'
mod 'puppet-archive', '7.0.0'
mod 'puppet-chrony', '2.6.0'
mod 'puppet-puppetboard', '9.0.0'
mod 'puppet-nginx', '5.0.0'
mod 'puppet-selinux', '4.1.0'
mod 'puppet-prometheus', '13.4.0'
mod 'puppet-grafana', '13.1.0'
mod 'puppet-consul', '8.0.0'
mod 'puppet-vault', '4.1.0'
mod 'puppet-python', '7.4.0'
mod 'puppet-systemd', '8.1.0'
mod 'puppet-yum', '7.2.0'
mod 'puppet-archive', '7.1.0'
mod 'puppet-chrony', '3.0.0'
mod 'puppet-puppetboard', '11.0.0'
mod 'puppet-nginx', '6.0.1'
mod 'puppet-selinux', '5.0.0'
mod 'puppet-prometheus', '16.0.0'
mod 'puppet-grafana', '14.1.0'
mod 'puppet-consul', '9.1.0'
mod 'puppet-vault', '4.1.1'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '5.1.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-extlib', '7.5.1'
mod 'puppet-network', '2.2.1'
mod 'puppet-kmod', '4.1.0'
mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.0.0'
mod 'puppet-rundeck', '9.1.0'
mod 'puppet-redis', '11.0.0'
mod 'puppet-letsencrypt', '11.1.0'
mod 'puppet-rundeck', '9.2.0'
mod 'puppet-redis', '11.1.0'
mod 'puppet-nodejs', '11.0.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
mod 'saz-sudo', '8.0.0'
mod 'saz-ssh', '12.1.0'
mod 'saz-sudo', '9.0.2'
mod 'saz-ssh', '13.1.0'
mod 'saz-limits', '5.0.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'ghoneycutt-puppet', '3.3.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0'
mod 'kogitoapp-minio', '1.1.4'
@@ -56,6 +58,8 @@ mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'ssm-crypto_policies', '0.3.3'
mod 'thias-sysctl', '1.0.8'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
+20
View File
@@ -135,6 +135,20 @@ lookup_options:
keepalived::vrrp_instance:
merge:
strategy: deep
profiles::etcd::node::initial_cluster_token:
convert_to: Sensitive
sysctl::base::values:
merge:
strategy: deep
limits::entries:
merge:
strategy: deep
zfs::zpools:
merge:
strategy: deep
zfs::datasets:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -143,6 +157,8 @@ hiera_include:
- networking
- ssh::server
- profiles::accounts::rundeck
- limits
- sysctl::base
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@@ -155,6 +171,10 @@ profiles::ntp::client::peers:
profiles::base::puppet_servers:
- 'prodinf01n01.main.unkin.net'
consul::install_method: 'package'
consul::manage_repo: false
consul::bin_dir: /usr/bin
profiles::dns::master::basedir: '/var/named/sources'
profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
profiles::dns::base::use_ns: 'region'
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.70
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.71
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.72
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.73
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.74
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.74
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.64.254/24'
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.75
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.75
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.65.254/24'
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.76
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.76
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.66.254/24'
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.77
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.77
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.67.254/24'
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.78
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.78
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.68.254/24'
@@ -0,0 +1,15 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.79
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.79
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.69.254/24'
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.80
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.81
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,5 @@
---
networking_loopback0_ip: 198.18.19.14 # management loopback
networking::interfaces:
eth0:
mac: 00:16:3e:69:0f:3b
@@ -0,0 +1,5 @@
---
networking_loopback0_ip: 198.18.19.15 # management loopback
networking::interfaces:
eth0:
mac: 00:16:3e:55:46:bd
@@ -0,0 +1,5 @@
---
networking_loopback0_ip: 198.18.19.16 # management loopback
networking::interfaces:
eth0:
mac: 00:16:3e:6a:25:6b
@@ -0,0 +1,5 @@
---
networking_loopback0_ip: 198.18.19.17 # management loopback
networking::interfaces:
eth0:
mac: 00:16:3e:63:89:f2
@@ -0,0 +1,5 @@
---
networking_loopback0_ip: 198.18.19.18 # management loopback
networking::interfaces:
eth0:
mac: 00:16:3e:ca:e1:51
@@ -0,0 +1,18 @@
---
networking_loopback0_ip: 198.18.19.9 # management loopback
networking_loopback1_ip: 198.18.22.9 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.9 # ceph-public loopback
networking_br10_ip: 198.18.25.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:8d
ipaddress: 198.18.15.9
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:5d
ipaddress: 198.18.21.9
#zfs::zpools:
# fastpool:
# ensure: present
# disk: /dev/nvme0n1
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.10 # management loopback
networking_loopback1_ip: 198.18.22.10 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.10 # ceph-public loopback
networking_br10_ip: 198.18.26.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:37
ipaddress: 198.18.15.10
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:de
ipaddress: 198.18.21.10
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.11 # management loopback
networking_loopback1_ip: 198.18.22.11 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.11 # ceph-public loopback
networking_br10_ip: 198.18.27.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:0f
ipaddress: 198.18.15.11
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:55
ipaddress: 198.18.21.11
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.12 # management loopback
networking_loopback1_ip: 198.18.22.12 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.12 # ceph-public loopback
networking_br10_ip: 198.18.28.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:4f:05:1e
ipaddress: 198.18.15.12
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:e5
ipaddress: 198.18.21.12
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.13 # management loopback
networking_loopback1_ip: 198.18.22.13 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.13 # ceph-public loopback
networking_br10_ip: 198.18.29.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:4f:04:b0
ipaddress: 198.18.15.13
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:36
ipaddress: 198.18.21.13
+21
View File
@@ -1,2 +1,23 @@
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
---
crypto_policies::policy: 'DEFAULT'
profiles::packages::include:
network-scripts: {}
profiles::yum::global::repos:
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+34
View File
@@ -1,2 +1,36 @@
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
---
crypto_policies::policy: 'DEFAULT:SHA1'
profiles::yum::global::repos:
baseos:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
extras:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
appstream:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
highavailability:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
crb:
name: crb
descr: crb repository
target: /etc/yum.repos.d/crb.repo
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+6 -14
View File
@@ -3,14 +3,13 @@
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.26.0'
profiles::puppet::agent::puppet_version: '7.34.0'
hiera_include:
- profiles::almalinux::base
profiles::packages::include:
lzo: {}
network-scripts: {}
policycoreutils: {}
unar: {}
xz: {}
@@ -39,13 +38,6 @@ profiles::yum::global::repos:
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
highavailability:
name: highavailability
descr: highavailability repository
@@ -64,12 +56,12 @@ profiles::yum::global::repos:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
unkinben:
name: unkinben
descr: unkinben repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
+4
View File
@@ -13,3 +13,7 @@ profiles::packages::include:
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false
consul::install_method: 'url'
consul::manage_repo: false
consul::bin_dir: /usr/local/bin
+1
View File
@@ -0,0 +1 @@
profiles::jupyter::jupyterhub::ldap_bind_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJspN3e2WzA0uZaLgFZ0Ewqii9dY0tTgbirsW70M2VZtLY+s+C6HE8ZZUtpfnRsFwUUhOj7s25X9xVOZNTpZIGPyfx9MWlSyFw2RFuXSEwaydf1DcBbg8261YrTTysA4Jsa1L4DLsX55q+XJUyeUbimVQkIacVIvzTdnZCBKnVNUh3U2PNAmV7SOL2KH8Jpbfs/EQfBt8XuGMCg3I/4RDyoNERqthW6W2KiMX2Gmd8iQ5+W9udH0lEAMx415oyImmN+dEuThcx9FGMi8BWYtnxH96yWafpT5qltwW6EVzIGWuLhiD1LcWYc5RB8jc3DhbeouChpKsN6c4EHoKt3aWsTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC8jcnqilJgY1/AnHWHfX4bgDCi2a3Rj43Z0dgfB5HaHdpfked3Cx+u94r2S5+Cg3QogU1AIF04rjzOL+bD2HdaMfo=]
+74
View File
@@ -0,0 +1,74 @@
---
profiles::packages::include:
python3.12: {}
python3.12-pip: {}
hiera_include:
- docker
- profiles::nginx::simpleproxy
# manage docker
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'jupyterhub.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- jupyterhub.service.consul
- jupyterhub.query.consul
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
profiles::nginx::simpleproxy::locations:
# authorised access from external
default:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Real-IP $remote_addr'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
- 'X-Scheme $scheme'
proxy_redirect: 'off'
proxy_http_version: '1.1'
proxy_buffering: 'off'
# additional altnames
profiles::pki::vault::alt_names:
- jupyterhub.service.consul
- jupyterhub.query.consul
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
jupyterhub:
service_name: 'jupyterhub'
tags:
- 'jupyterhub'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'jupyterhub_http_check'
name: 'jupyterhub HTTP Check'
http: "https://%{facts.networking.fqdn}"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jupyterhub
disposition: write
+32
View File
@@ -63,6 +63,8 @@ glauth::users:
- 20018
- 20023
- 20024
- 20025 # jupyterhub_admin
- 20026 # jupyterhub_user
loginshell: '/bin/bash'
homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -171,6 +173,24 @@ glauth::users:
loginshell: '/bin/bash'
homedir: '/home/margol'
passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
sudobo:
user_name: 'sudobo'
givenname: 'Sudaporn'
sn: 'Obom'
mail: 'sudobo@users.main.unkin.net'
uidnumber: 20007
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
- 20026 # jupyterhub_user
loginshell: '/bin/bash'
homedir: '/home/sudobo'
passsha256: 'a326e049c2a615226877946220a978a0a8247c569be1adcd73539b09b14136d0'
glauth::services:
svc_jellyfin:
@@ -241,6 +261,12 @@ glauth::services:
uidnumber: 30009
primarygroup: 20001
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
svc_jupyterhub:
service_name: 'svc_jupyterhub'
mail: 'jupyterhub@service.main.unkin.net'
uidnumber: 30010
primarygroup: 20001
passsha256: '09db1e0c2498214da35f3f2ed46a90a7b90635c207f8725e7abf76b48345a39b'
glauth::groups:
users:
@@ -294,3 +320,9 @@ glauth::groups:
vault_admin:
group_name: 'vault_admin'
gidnumber: 20024
jupyterhub_admin:
group_name: 'jupyterhub_admin'
gidnumber: 20025
jupyterhub_user:
group_name: 'jupyterhub_user'
gidnumber: 20026
+26
View File
@@ -10,6 +10,30 @@ profiles::dns::resolver::acls:
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
- 198.18.18.0/24
- 198.18.19.0/24
- 198.18.20.0/24
- 198.18.21.0/24
- 198.18.22.0/24
- 198.18.23.0/24
acl-dmz:
addresses:
- 198.18.24.0/24
acl-common:
addresses:
- 198.18.25.0/24
- 198.18.26.0/24
- 198.18.27.0/24
- 198.18.28.0/24
- 198.18.29.0/24
acl-nomad-jobs:
addresses:
- 198.18.64.0/24
- 198.18.65.0/24
- 198.18.66.0/24
- 198.18.67.0/24
- 198.18.68.0/24
- 198.18.69.0/24
profiles::dns::resolver::zones:
8.10.10.in-addr.arpa-forward:
@@ -74,3 +98,5 @@ profiles::dns::resolver::views:
- 20.10.10.in-addr.arpa-forward
match_clients:
- acl-main.unkin.net
- acl-nomad-jobs
- acl-common
+2
View File
@@ -0,0 +1,2 @@
---
profiles::etcd::node::initial_cluster_token: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhLyXszXUU6Dkiw9bEJTH0RXGaV2751NzvLH94i7QHfNukvOslF/kaDOA+FwqG06xSKSKo24Qyj4ewYA3BzhN8XLf2E9uW2LuDrUoA6aXUP2tYPqiTw8zmmgsVV5t7Y5PeNcleV3KmfcJZJKp33yGCKtGF7ggvNvnied5slO6E1BDkcVnqO7sdyI0MqSvsvH4IvEmeiSWAcBRBnwVLIwfn10frIvUg0fH4uZR7DASfO/HstYWKAEacz4xYBv74TtVVtYHlPvnVwC20YIYDMrgBsm3XngyWIQvruQCgyIkRzHjUKCpp76HpyEqzdJdEdaywkODYNOT6ab1B5uUu9WaMjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBADXLPOqFHdnVgJW5+iXJYcgCDK1Eyr+RwvMA+3VszYALU5B6OCH5maplwC5aUgiQZ7ew==]
+62
View File
@@ -0,0 +1,62 @@
---
hiera_include:
- profiles::etcd::node
profiles::etcd::node::members_lookup: true
profiles::etcd::node::members_role: roles::infra::etcd::node
profiles::etcd::node::config:
data-dir: /data/etcd
client-cert-auth: false
client-transport-security:
cert-file: /etc/pki/tls/vault/certificate.crt
key-file: /etc/pki/tls/vault/private.key
client-cert-auth: false
auto-tls: false
peer-transport-security:
cert-file: /etc/pki/tls/vault/certificate.crt
key-file: /etc/pki/tls/vault/private.key
client-cert-auth: false
auto-tls: false
allowed-cn:
max-wals: 5
max-snapshots: 5
snapshot-count: 10000
heartbeat-interval: 100
election-timeout: 1000
cipher-suites: [
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
]
tls-min-version: 'TLS1.2'
tls-max-version: 'TLS1.3'
profiles::pki::vault::alt_names:
- etcd.service.consul
- etcd.query.consul
- "etcd.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- etcd.query.consul
- etcd.service.consul
- etcd.service.%{facts.country}-%{facts.region}.consul
consul::services:
etcd:
service_name: 'etcd'
tags:
- 'etcd'
address: "%{facts.networking.ip}"
port: 2379
checks:
- id: 'etcd_http_health_check'
name: 'ETCD HTTP Health Check'
http: "https://%{facts.networking.ip}:2379/health"
method: 'GET'
interval: '10s'
timeout: '1s'
tls_skip_verify: true
profiles::consul::client::node_rules:
- resource: service
segment: etcd
disposition: write
+8
View File
@@ -5,6 +5,7 @@ hiera_include:
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
profiles::gitea::runner::home: /data/runner
profiles::gitea::runner::version: '0.2.10'
@@ -44,3 +45,10 @@ profiles::gitea::runner::config:
force_rebuild: false
host:
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
# enable ip forwarding for docker containers
sysctl::base::values:
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
+125
View File
@@ -0,0 +1,125 @@
---
hiera_include:
- incus
- zfs
profiles::packages::include:
bridge-utils: {}
dnsmasq: {}
profiles::pki::vault::alt_names:
- incus-images.service.consul
- incus-images.query.consul
- "incus-images.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- incus-images.service.consul
- incus-images.query.consul
- "incus-images.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
incus-images:
service_name: 'incus-images'
tags:
- 'incus'
- 'images'
- 'container'
- 'lxd'
address: "%{facts.networking.ip}"
port: 8443
checks:
- id: 'incus_https_check'
name: 'incus HTTPS Check'
http: "https://%{facts.networking.fqdn}:8443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: incus-images
disposition: write
# additional repos
profiles::yum::global::repos:
zfs-kmod:
name: zfs-kmod
descr: zfs-kmod repository
target: /etc/yum.repos.d/zfs-kmod.repo
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
mirrorlist: absent
# zfs settings
zfs::manage_repo: false
zfs::zfs_arc_min: ~
zfs::zfs_arc_max: 429496729 # 400MB
zfs::zpools:
fastpool:
ensure: present
disk: /dev/vdb
ashift: 12
zfs::datasets:
fastpool:
canmount: 'off'
acltype: posix
atime: 'off'
relatime: 'off'
compression: 'zstd'
xattr: 'sa'
fastpool/data:
canmount: 'on'
mountpoint: '/data'
fastpool/data/incus:
canmount: 'on'
mountpoint: '/data/incus'
# manage incus
incus::init: true
incus::server_port: 8443
incus::storage_images_volume: fastpool/imagestore
# add sysadmin to incus-admin group
profiles::accounts::sysadmin::extra_groups:
- incus-admin
# sysctl recommendations
sysctl::base::values:
fs.aio-max-nr:
value: '524288'
fs.inotify.max_queued_events:
value: '1048576'
fs.inotify.max_user_instances:
value: '1048576'
fs.inotify.max_user_watches:
value: '1048576'
kernel.dmesg_restrict:
value: '1'
kernel.keys.maxbytes:
value: '2000000'
kernel.keys.maxkeys:
value: '2000'
net.core.bpf_jit_limit:
value: '1000000000'
net.ipv4.neigh.default.gc_thresh3:
value: '8192'
net.ipv6.neigh.default.gc_thresh3:
value: '8192'
vm.max_map_count:
value: '262144'
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
# limits.d recommendations
limits::entries:
'*/nofile':
both: 1048576
'root/nofile':
both: 1048576
'*/memlock':
both: unlimited
'root/memlock':
both: unlimited
+220
View File
@@ -0,0 +1,220 @@
---
hiera_include:
- profiles::selinux::frr
- frrouting
- incus
- zfs
profiles::packages::include:
bridge-utils: {}
profiles::pki::vault::alt_names:
- incus.service.consul
- incus.query.consul
- "incus.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- incus.service.consul
- incus.query.consul
- "incus.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
incus:
service_name: 'incus'
tags:
- 'incus'
- 'container'
- 'lxd'
address: "%{facts.networking.ip}"
port: 8443
checks:
- id: 'incus_https_check'
name: 'incus HTTPS Check'
http: "https://%{facts.networking.fqdn}:8443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: incus
disposition: write
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
zfs-kmod:
name: zfs-kmod
descr: zfs-kmod repository
target: /etc/yum.repos.d/zfs-kmod.repo
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
mirrorlist: absent
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
#networking::use_networkd: true
networking::interfaces:
enp2s0:
type: physical
txqueuelen: 10000
forwarding: true
enp3s0:
type: physical
mtu: 9000
txqueuelen: 10000
forwarding: true
loopback0:
type: dummy
ipaddress: "%{hiera('networking_loopback0_ip')}"
netmask: 255.255.255.255
mtu: 9000
loopback1:
type: dummy
ipaddress: "%{hiera('networking_loopback1_ip')}"
netmask: 255.255.255.255
mtu: 9000
loopback2:
type: dummy
ipaddress: "%{hiera('networking_loopback2_ip')}"
netmask: 255.255.255.255
mtu: 9000
# frrouting
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
enp2s0:
area: 0.0.0.0
enp3s0:
area: 0.0.0.0
loopback0:
area: 0.0.0.0
loopback1:
area: 0.0.0.0
loopback2:
area: 0.0.0.0
brmplscore:
area: 0.0.0.0
frrouting::mpls_te_enabled: true
frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
frrouting::mpls_ldp_interfaces:
- loopback0
- enp2s0
- enp3s0
- brmplscore
frrouting::daemons:
ldpd: true
ospfd: true
# add loopback interfaces to ssh list
ssh::server::options:
ListenAddress:
- "%{hiera('networking_loopback0_ip')}"
# zfs settings
zfs::manage_repo: false
zfs::zfs_arc_min: ~
zfs::zfs_arc_max: 4294967296 # 4GB
zfs::zpools:
fastpool:
ensure: present
disk: /dev/nvme1n1
ashift: 12
zfs::datasets:
fastpool:
canmount: 'off'
acltype: posix
atime: 'off'
relatime: 'off'
compression: 'zstd'
xattr: 'sa'
fastpool/data:
canmount: 'on'
mountpoint: '/data'
fastpool/data/incus:
canmount: 'on'
mountpoint: '/data/incus'
# manage incus
incus::init: true
incus::bridge: br10
incus::server_port: 8443
incus::server_addr: "%{hiera('networking_loopback0_ip')}"
# add sysadmin to incus-admin group
profiles::accounts::sysadmin::extra_groups:
- incus-admin
# sysctl recommendations
sysctl::base::values:
fs.aio-max-nr:
value: '524288'
fs.inotify.max_queued_events:
value: '1048576'
fs.inotify.max_user_instances:
value: '1048576'
fs.inotify.max_user_watches:
value: '1048576'
kernel.dmesg_restrict:
value: '1'
kernel.keys.maxbytes:
value: '2000000'
kernel.keys.maxkeys:
value: '2000'
net.core.bpf_jit_limit:
value: '1000000000'
net.ipv4.neigh.default.gc_thresh3:
value: '8192'
net.ipv6.neigh.default.gc_thresh3:
value: '8192'
vm.max_map_count:
value: '262144'
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
net.ipv4.tcp_l3mdev_accept:
value: '0'
net.ipv4.conf.default.rp_filter:
value: '0'
net.ipv4.conf.all.rp_filter:
value: '0'
net.mpls.platform_labels:
value: '1048575'
net.mpls.conf.enp2s0.input:
value: '1'
net.mpls.conf.enp3s0.input:
value: '1'
net.mpls.conf.brmplscore.input:
value: '1'
net.mpls.conf.loopback0.input:
value: '1'
# limits.d recommendations
limits::entries:
'*/nofile':
both: 1048576
'root/nofile':
both: 1048576
'*/memlock':
both: unlimited
'root/memlock':
both: unlimited
+79
View File
@@ -0,0 +1,79 @@
---
hiera_include:
- profiles::selinux::frr
- frrouting
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
dhcp: true
type: physical
mtu: 8000
forwarding: true
loopback0:
type: dummy
ipaddress: "%{hiera('networking_loopback0_ip')}"
netmask: 255.255.255.255
mtu: 8000
# frrouting
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
loopback0:
area: 0.0.0.0
frrouting::mpls_te_enabled: true
frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
frrouting::mpls_ldp_interfaces:
- eth0
- loopback0
frrouting::daemons:
ldpd: true
ospfd: true
# add loopback interfaces to ssh list
ssh::server::options:
ListenAddress:
- "%{hiera('networking_loopback0_ip')}"
# sysctl recommendations
sysctl::base::values:
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
net.ipv4.tcp_l3mdev_accept:
value: '0'
net.ipv4.conf.default.rp_filter:
value: '0'
net.ipv4.conf.all.rp_filter:
value: '0'
net.mpls.platform_labels:
value: '1048575'
net.mpls.conf.eth0.input:
value: '1'
net.mpls.conf.loopback0.input:
value: '1'
+2
View File
@@ -0,0 +1,2 @@
---
ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEzl2zX8ok6iURymPLbvkFE/dZhunzwisNCsLE5Tx6Pmil0PNx7iFULHXxWU6HMVOxzJmgcnTY+NsRnoTMSpXHGeC3wmD525T4xO4wvG/l9apzmPs1NTI4hcyYCj4NkAKyo249xXEodU4uM2AZp3ZgLBLf2cZpOe0/SPngWSq0kC4pJMnxWH+YsQ/O/1EMxpjSgMMna4YcMtcW2M0+wRhASNSTV7icsiAp6F/cInZuP44ASviHmM6+aMEhygBariOT80kaHZZI+aP6vqSd9lChXCV5qjRzeoEBIKOzT2ZBj41RTsF75J8UYFPwY7dp584tDpiIedUSR9IRCJe4d0uTjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCau9oXJiYiCGgvxZl62EsagDDgX2cU3+3QCkImEGS1oBahkPl3fYHKynbRi0ZQW1CoW0UFRzY8FmWmGkowns9OsIM=]
+72
View File
@@ -0,0 +1,72 @@
---
hiera_include:
- docker
- docker::networks
- frrouting
- profiles::nomad::node
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
docker::ip_forward: true
docker::ip_masq: false
docker::iptables: false
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
ens19:
passive: true
docker0:
area: 0.0.0.1
profiles::yum::global::repos:
ceph-reef:
name: ceph-reef
descr: ceph reef repository
target: /etc/yum.repos.d/ceph-reef.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgcheck: 0,
mirrorlist: absent
profiles::ceph::client::keyrings:
nomad:
key: "%{hiera('ceph::key::media')}"
profiles::packages::include:
nomad: {}
cni-plugins: {}
profiles::nomad::node::client: true
# additional altnames
profiles::pki::vault::alt_names:
- client.global.nomad
- client.au-syd1.nomad
- nomad-client.service.consul
- nomad-client.query.consul
- "nomad-client.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
profiles::consul::client::node_rules:
- resource: service
segment: nomad-client
disposition: write
- resource: agent_prefix
segment: ''
disposition: read
- resource: node_prefix
segment: ''
disposition: write
- resource: service_prefix
segment: ''
disposition: write
- resource: key_prefix
segment: "nomad"
disposition: write
- resource: session_prefix
segment: ""
disposition: write
+34
View File
@@ -0,0 +1,34 @@
---
hiera_include:
- profiles::nomad::node
profiles::packages::include:
nomad: {}
profiles::nomad::node::server: true
# additional altnames
profiles::pki::vault::alt_names:
- client.global.nomad
- client.au-syd1.nomad
- server.global.nomad
- server.au-syd1.nomad
- nomad.service.consul
- nomad.query.consul
- "nomad.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
profiles::consul::client::node_rules:
- resource: service
segment: nomad
disposition: write
- resource: agent_prefix
segment: ''
disposition: read
- resource: node_prefix
segment: ''
disposition: write
- resource: service_prefix
segment: ''
disposition: write
+29
View File
@@ -0,0 +1,29 @@
profiles::pki::vault::alt_names:
- jumphost.service.consul
- jumphost.query.consul
- "jumphost.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- jumphost.query.consul
- jumphost.service.consul
- jumphost.service.%{facts.country}-%{facts.region}.consul
consul::services:
jumphost:
service_name: 'jumphost'
tags:
- 'jumphost'
- 'proxy'
- 'ssh'
address: "%{facts.networking.ip}"
port: 22
checks:
- id: 'ssh_tcp_check'
name: 'SSH TCP Check'
tcp: "%{facts.networking.ip}:22"
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jumphost
disposition: write
+8 -1
View File
@@ -5,6 +5,13 @@ profiles::puppet::autosign::subnet_ranges:
- '198.18.15.0/24'
- '198.18.16.0/24'
- '198.18.17.0/24'
- '198.18.20.0/24'
- '198.18.24.0/24'
- '198.18.25.0/24'
- '198.18.26.0/24'
- '198.18.27.0/24'
- '198.18.28.0/24'
- '198.18.29.0/24'
profiles::puppet::autosign::domains:
- '*.main.unkin.net'
@@ -19,7 +26,7 @@ profiles::puppet::cobbler_enc::packages:
- 'requests'
- 'PyYAML'
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkinben/puppet-r10k.git
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkin/puppet-r10k.git
profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
@@ -0,0 +1 @@
profiles::puppet::puppetboard::secret_key: ENC[PKCS7,MIIB+wYJKoZIhvcNAQcDoIIB7DCCAegCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoCr9JTtrnMaVjJlEpA0NYNt/QAgTGiEmS3kPn2oJ80Ay7fUl79pop95uLQIfw6C3e8WGUhxYt31wmzent4Bfbced7uF/tjhP2cniKPmZGuf/tmVrGIHIh4T4g0Wz2K0DIU/dGWUlgE03ICRxXlAy0atjUuAp02ehj7bzLuMf+vZbghm8vnOoDCTKjeZNAJEkDvBkIzwUu9JiM9Gn6BzoLLGdEERqs/LR832vjjNmF7KUEH/Ntt47wbLdfCzawsZsBNLggEb1HNGu0aSb0qBXYBPRq6w1L/RU8gX2dCqGRbhDZymihebaOcwU1AtbLEBdHTYQpga+c4bcTz9rJplLtjCBvQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQAdSjLEaZPK47TY7LDCB7b4CBkOTvHbi4nb+pB/Kng+Z3N9ocZPZdGbV6WzMNGxsxmhWXoi+XKEzEvfB10UhQwDcvZXd2W9hhiRkakq7+S0uLWzCX1jNMH2LXZAzoiyGM4FFvGpx7Z64OhmVrOJuKnxD+3zK6PZqvMb3g7CjZeAr5vyhcT/zO75krhJuYp11ZFpLCRcuASf0ru+Jq5OKD4+ZI/g==]
+207 -93
View File
@@ -2,110 +2,161 @@
profiles::packages::include:
createrepo: {}
profiles::ssh::sign::principals:
- packagerepo.service.consul
- packagerepo.query.consul
- "packagerepo.service.%{facts.country}-%{facts.region}.consul"
# additional altnames
profiles::pki::vault::alt_names:
- repos.main.unkin.net
- packagerepo.main.unkin.net
- packagerepo.service.consul
- packagerepo.query.consul
- "packagerepo.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
jupyterhub:
service_name: 'packagerepo'
tags:
- 'packagerepo'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'packagerepo_http_check'
name: 'packagerepo HTTP Check'
http: "https://%{facts.networking.fqdn}"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: packagerepo
disposition: write
profiles::reposync::webserver::nginx_listen_mode: both
profiles::reposync::webserver::nginx_cert_type: vault
profiles::reposync::repos_list:
almalinux_8_9_baseos:
repository: 'BaseOS'
description: 'AlmaLinux 8.9 - BaseOS'
almalinux_9_5_baseos:
repository: 'baseos'
description: 'AlmaLinux 9.5 BaseOS'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/baseos
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_appstream:
repository: 'AppStream'
description: 'AlmaLinux 8.9 - AppStream'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_appstream:
repository: 'appstream'
description: 'AlmaLinux 9.5 AppStream'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/appstream
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_highavailability:
repository: 'HighAvailability'
description: 'AlmaLinux 8.9 - HighAvailability'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_crb:
repository: 'crb'
description: 'AlmaLinux 9.5 CRB'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/ha
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_powertools:
repository: 'PowerTools'
description: 'AlmaLinux 8.9 - PowerTools'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_ha:
repository: 'ha'
description: 'AlmaLinux 9.5 HighAvailability'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/powertools
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_extras:
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_extras:
repository: 'extras'
description: 'AlmaLinux 8.9 - extras'
description: 'AlmaLinux 9.5 extras'
osname: 'almalinux'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/extras
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
centos_8_advanced_virtualization:
repository: 'virt-advanced-virtualization'
description: 'CentOS Advanced Virtualization'
osname: 'centos'
release: '8' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=virt-advanced-virtualization' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_ceph_pacific:
repository: 'storage-ceph-pacific'
description: 'CentOS Ceph Pacific'
osname: 'centos'
release: '8' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=storage-ceph-pacific' # Assuming '8' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
centos_8_rabbitmq_38:
repository: 'messaging-rabbitmq-38'
description: 'CentOS RabbitMQ 38'
osname: 'centos'
release: '8-stream' # Specified based on the repository name
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=messaging-rabbitmq-38' # Assuming '8' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
centos_8_nfv_openvswitch:
repository: 'nfv-openvswitch-2'
description: 'CentOS NFV OpenvSwitch'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=nfv-openvswitch-2' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
centos_8_openstack_xena:
repository: 'cloud-openstack-xena'
description: 'CentOS OpenStack Xena'
osname: 'centos'
release: '8-stream' # Directly taken from the provided mirrorlist
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=cloud-openstack-xena' # Assuming 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
centos_8_opstools:
repository: 'opstools-collectd-5'
description: 'CentOS OpsTools - collectd'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?arch=x86_64&release=8-stream&repo=opstools-collectd-5' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
centos_8_ovirt45:
repository: 'virt-ovirt-45'
description: 'CentOS oVirt 4.5'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=virt-ovirt-45' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_stream_gluster10:
repository: 'storage-gluster-10'
description: 'CentOS oVirt 4.5 - Glusterfs 10'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=storage-gluster-10' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
epel_8_everything:
repository: 'Everything'
description: 'EPEL 8 Everything'
osname: 'epel'
release: '8'
mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_baseos:
repository: 'baseos'
description: 'AlmaLinux 9.4 BaseOS'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_appstream:
repository: 'appstream'
description: 'AlmaLinux 9.4 AppStream'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_crb:
repository: 'crb'
description: 'AlmaLinux 9.4 CRB'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_ha:
repository: 'ha'
description: 'AlmaLinux 9.4 HighAvailability'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_extras:
repository: 'extras'
description: 'AlmaLinux 9.4 extras'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/extras/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/extras/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
docker_stable_el8:
repository: 'stable'
description: 'Docker CE Stable EL8'
osname: 'docker'
release: 'el8'
baseurl: 'https://download.docker.com/linux/centos/8/x86_64/stable/'
gpgkey: 'https://download.docker.com/linux/centos/gpg'
docker_stable_el9:
repository: 'stable'
description: 'Docker CE Stable EL9'
osname: 'docker'
release: 'el9'
baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
gpgkey: 'https://download.docker.com/linux/centos/gpg'
frr_stable_el8:
repository: 'stable'
description: 'FRR Stable EL8'
osname: 'frr'
release: 'el8'
baseurl: 'https://rpm.frrouting.org/repo/el8/frr/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_extras_el8:
repository: 'extras'
description: 'FRR Extras EL8'
osname: 'frr'
release: 'el8'
baseurl: 'https://rpm.frrouting.org/repo/el8/extras/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_stable_el9:
repository: 'stable'
description: 'FRR Stable EL9'
osname: 'frr'
release: 'el9'
baseurl: 'https://rpm.frrouting.org/repo/el9/frr/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_extras_el9:
repository: 'extras'
description: 'FRR Extras el9'
osname: 'frr'
release: 'el9'
baseurl: 'https://rpm.frrouting.org/repo/el9/extras/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
k8s_1.32:
repository: '1.32'
description: 'Kubernetes 1.32'
osname: 'k8s'
release: '1.32'
baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/'
gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/repodata/repomd.xml.key'
mariadb_11_2_el8:
repository: 'el8'
description: 'MariaDB 11.2'
@@ -120,6 +171,27 @@ profiles::reposync::repos_list:
release: 'el'
baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
puppet7_el9:
repository: '9'
description: 'Puppet 7 EL9'
osname: 'puppet7'
release: 'el'
baseurl: 'https://yum.puppet.com/puppet7/el/9/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
puppet8_el8:
repository: '8'
description: 'Puppet 8 EL8'
osname: 'puppet8'
release: 'el'
baseurl: 'https://yum.puppet.com/puppet8/el/8/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
puppet8_el9:
repository: '9'
description: 'Puppet 8 EL9'
osname: 'puppet8'
release: 'el'
baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
postgresql_rhel8_common:
repository: 'common'
description: 'PostgreSQL Common RHEL 8'
@@ -127,6 +199,13 @@ profiles::reposync::repos_list:
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_common:
repository: 'common'
description: 'PostgreSQL Common RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel8_16:
repository: '16'
description: 'PostgreSQL 16 RHEL 8'
@@ -134,3 +213,38 @@ profiles::reposync::repos_list:
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_16:
repository: '16'
description: 'PostgreSQL 16 RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
zfs_dkms_rhel8:
repository: 'dkms'
description: 'ZFS DKMS RHEL 8'
osname: 'zfs'
release: 'rhel8'
baseurl: 'http://download.zfsonlinux.org/epel/8/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
zfs_kmod_rhel8:
repository: 'kmod'
description: 'ZFS KMOD RHEL 8'
osname: 'zfs'
release: 'rhel8'
baseurl: 'http://download.zfsonlinux.org/epel/8/kmod/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
zfs_dkms_rhel9:
repository: 'dkms'
description: 'ZFS DKMS RHEL 9'
osname: 'zfs'
release: 'rhel9'
baseurl: 'http://download.zfsonlinux.org/epel/9/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
zfs_kmod_rhel9:
repository: 'kmod'
description: 'ZFS KMOD RHEL 9'
osname: 'zfs'
release: 'rhel9'
baseurl: 'http://download.zfsonlinux.org/epel/9/kmod/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
+110
View File
@@ -0,0 +1,110 @@
# manage etcd
class etcd (
Boolean $manage_user = true,
Boolean $manage_group = true,
Boolean $manage_package = true,
Boolean $manage_service = true,
String[1] $package_name = 'etcd',
String[1] $user = 'etcd',
String[1] $group = 'etcd',
Stdlib::Absolutepath $config_path = '/etc/etcd',
Stdlib::Absolutepath $config_file = "${config_path}/etcd.yaml",
Hash $config = { 'data-dir' => '/var/lib/etcd' },
Integer $max_open_files = 40000,
) {
if downcase($facts['kernel']) != 'linux' {
fail("Module etcd only supports Linux, not ${facts['kernel']}")
}
if $facts['service_provider'] != 'systemd' {
fail('Module etcd only supported on systems using systemd')
}
if ! $config['data-dir'] {
fail('Module etcd requires data-dir be specified in config Hash')
}
if $manage_package {
package { $package_name:
ensure => installed,
}
}
if $manage_user {
user { 'etcd':
ensure => 'present',
name => $user,
forcelocal => true,
shell => '/bin/false',
gid => $group,
home => $config['data-dir'],
managehome => false,
system => true,
before => Systemd::Unit_file['etcd.service'],
}
}
if $manage_group {
group { 'etcd':
ensure => 'present',
name => $group,
forcelocal => true,
system => true,
before => Systemd::Unit_file['etcd.service'],
}
}
mkdir::p { $config_path: }
mkdir::p { $config['data-dir']: }
file { $config_file:
ensure => 'file',
owner => $user,
group => $group,
mode => '0600',
content => to_yaml($config),
notify => Systemd::Unit_file['etcd.service'],
require => Mkdir::P[$config_path],
}
file { 'etcd-data-dir':
ensure => 'directory',
path => $config['data-dir'],
owner => $user,
group => $group,
mode => '0700',
notify => Systemd::Unit_file['etcd.service'],
require => Mkdir::P[$config['data-dir']],
}
file { 'etcd-data-dir-wal.tmp':
ensure => 'directory',
path => "${config['data-dir']}/wal.tmp",
owner => $user,
group => $group,
mode => '0700',
notify => Systemd::Unit_file['etcd.service'],
require => File['etcd-data-dir'],
}
if $config['wal-dir'] {
mkdir::p { $config['wal-dir']: }
file { 'etcd-wal-dir':
ensure => 'directory',
path => $config['wal-dir'],
owner => $user,
group => $group,
mode => '0700',
notify => Systemd::Unit_file['etcd.service'],
require => Mkdir::P[$config['wal-dir']],
}
}
if $manage_service {
include ::systemd
systemd::unit_file { 'etcd.service':
content => template('etcd/etcd.service.erb'),
enable => true,
active => true,
require => Package[$package_name],
}
}
}
+17
View File
@@ -0,0 +1,17 @@
# DO NOT EDIT: This file is being managed by Puppet.
[Unit]
Description=etcd key-value store
Documentation=https://github.com/etcd-io/etcd
After=network.target
[Service]
User=<%= @user %>
Group=<%= @group %>
Type=notify
ExecStart=/usr/bin/etcd --config-file <%= @config_file %>
Restart=always
RestartSec=10s
LimitNOFILE=<%= @max_open_files %>
[Install]
WantedBy=multi-user.target
+89
View File
@@ -0,0 +1,89 @@
class frrouting (
Boolean $manage_package = true,
Boolean $manage_config = true,
Boolean $manage_service = true,
String $package_name = 'frr',
String $service_name = 'frr',
Hash $daemons = {},
Hash $ospfd_interfaces = {},
String $ospfd_router_id = $facts['networking']['ip'],
Array[String] $ospfd_redistribute = [],
Array[String] $ospfd_networks = [],
Boolean $ospfd_default_originate_always = false,
Boolean $mpls_te_enabled = false,
Optional[String] $mpls_ldp_router_id = undef,
Optional[String] $mpls_ldp_transport_addr = undef,
Array[String] $mpls_ldp_interfaces = [],
) {
$daemons_defaults = {
'bgpd' => false,
'ospfd' => true,
'ospf6d' => false,
'ldpd' => false,
'ripd' => false,
'ripngd' => false,
'isisd' => false,
'pimd' => false,
'pim6d' => false,
'nhrpd' => false,
'eigrpd' => false,
'sharpd' => false,
'pbrd' => false,
'bfdd' => false,
'fabricd' => false,
'vrrpd' => false,
'pathd' => false,
'staticd' => false,
}
$daemons_merged = merge($daemons_defaults, $daemons)
if $manage_package {
package { $package_name:
ensure => installed,
}
}
if $manage_config {
file { '/etc/frr/frr.conf':
ensure => file,
content => template('frrouting/frr.conf.erb'),
notify => Service[$service_name],
}
file { '/etc/frr/daemons':
ensure => file,
content => template('frrouting/daemons.erb'),
notify => Service[$service_name],
}
}
if $manage_service {
service { $service_name:
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
}
}
if $mpls_ldp_router_id and $mpls_ldp_transport_addr and !empty($mpls_ldp_interfaces) {
file { '/etc/modules-load.d/mpls_ldp_modules.conf':
ensure => file,
content => @(EOT/L),
# Load MPLS Kernel Modules
mpls_router
mpls_iptunnel
| EOT
}
['mpls_router', 'mpls_iptunnel'].each |$mod| {
exec { "load_${mod}":
command => "/sbin/modprobe ${mod}",
unless => "/sbin/lsmod | /bin/grep -q ^${mod}",
path => ['/sbin', '/bin', '/usr/sbin', '/usr/bin'],
}
}
}
}
+29
View File
@@ -0,0 +1,29 @@
# THIS FILE IS MANAGED BY PUPPET
<% @daemons_merged.each do |daemon, status| -%>
<% if status -%>
<%= daemon %>=yes
<% else -%>
<%= daemon %>=no
<% end -%>
<% end -%>
vtysh_enable=yes
zebra_options=" -A 127.0.0.1 -s 90000000"
bgpd_options=" -A 127.0.0.1"
ospfd_options=" -A 127.0.0.1"
ospf6d_options=" -A ::1"
ldpd_options=" -A 127.0.0.1"
ripd_options=" -A 127.0.0.1"
ripngd_options=" -A ::1"
isisd_options=" -A 127.0.0.1"
pimd_options=" -A 127.0.0.1"
pim6d_options=" -A ::1"
nhrpd_options=" -A 127.0.0.1"
eigrpd_options=" -A 127.0.0.1"
sharpd_options=" -A 127.0.0.1"
pbrd_options=" -A 127.0.0.1"
staticd_options="-A 127.0.0.1"
bfdd_options=" -A 127.0.0.1"
fabricd_options="-A 127.0.0.1"
vrrpd_options=" -A 127.0.0.1"
pathd_options=" -A 127.0.0.1"
+48
View File
@@ -0,0 +1,48 @@
# THIS FILE IS MANAGED BY PUPPET
frr defaults traditional
hostname <%= @hostname %>
no ipv6 forwarding
<% @ospfd_interfaces.each do |iface, params| -%>
interface <%= iface %>
<% if params['area'] -%>
ip ospf area <%= params['area'] %>
<% end -%>
<% if params['passive'] == true -%>
ip ospf passive
<% end -%>
<% if @mpls_ldp_interfaces and @mpls_ldp_interfaces.include?(iface) -%>
mpls enable
<% end -%>
exit
<% end -%>
router ospf
ospf router-id <%= @ospfd_router_id %>
log-adjacency-changes detail
<% @ospfd_redistribute.each do |type| -%>
redistribute <%= type %>
<% end -%>
<% @ospfd_networks.each do |network| -%>
network <%= network %>
<% end -%>
<% if @ospfd_default_originate_always -%>
default-information originate always
<% end -%>
<% if @mpls_te_enabled -%>
capability opaque
mpls-te on
mpls-te router-address <%= @ospfd_router_id %>
mpls-te inter-as area 0.0.0.0
<% end -%>
exit
<% if @mpls_ldp_router_id and @mpls_ldp_transport_addr and @mpls_ldp_interfaces.any? -%>
mpls ldp
router-id <%= @mpls_ldp_router_id %>
address-family ipv4
discovery transport-address <%= @mpls_ldp_transport_addr %>
<% @mpls_ldp_interfaces.each do |iface| -%>
interface <%= iface %>
exit
<% end -%>
exit-address-family
exit
<% end -%>
+18
View File
@@ -0,0 +1,18 @@
# frozen_string_literal: true
require 'yaml'
Facter.add(:incus) do
setcode do
# Check if the 'incus' executable exists
incus_path = Facter::Util::Resolution.which('incus')
next {} unless incus_path # Return an empty fact if incus isn't found
# Run the `incus info` command using the found path
incus_output = Facter::Core::Execution.execute("#{incus_path} info")
next {} if incus_output.empty? # Return an empty fact if there's no output
# Parse the output as YAML and return it
YAML.safe_load(incus_output, permitted_classes: [Symbol, Time, Date])
end
end
+57
View File
@@ -0,0 +1,57 @@
# manage incus clusters
class incus::cluster (
Boolean $members_lookup = false,
String $members_role = undef,
String $master = undef,
Array $servers = [],
Stdlib::Fqdn $server_fqdn = $facts['networking']['fqdn'],
Stdlib::Port $server_port = 8443,
){
# check that the master is named
unless !($master == undef) {
fail("master must be provided for ${title}")
}
# if lookup is enabled
if $members_lookup {
# check that the role is also set
unless !($members_role == undef) {
fail("members_role must be provided for ${title} when members_lookup is True")
}
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
# else use provided array from params
}else{
$servers_array = $servers
}
# if its not an empty array. Give puppetdb a chance to be populated with data.
if length($servers_array) >= 3 {
# check if this is the master_node
if $master == $trusted['certname'] {
$master_bool = true
}else{
$master_bool = false
}
# find bootstrap status for servers
$bootstrap_array = puppetdb_query("inventory[certname, facts] { facts.enc_role = '${members_role}' }").map |$node| {
{
'fqdn' => $node['certname'],
'ip' => $node['facts']['networking']['ip'],
'clustered' => $node['facts']['incus']['environment']['server_clustered'],
'certificate' => $node['facts']['incus']['environment']['certificate'],
}
}
# determine if the cluster is bootstrapped
$cluster_bootstrapped = $bootstrap_array.any |$server| {
$server['fqdn'] == $master and $server['clustered'] == true
}
}
}
+77
View File
@@ -0,0 +1,77 @@
class incus (
Array[String] $packages = [
'incus',
'incus-tools',
'incus-client'
],
Boolean $cluster = false,
Boolean $init = true,
String $bridge = 'incusbr0',
Stdlib::Port $server_port = 8443,
Stdlib::IP::Address $server_addr = $facts['networking']['ip'],
Optional[String] $storage_images_volume = undef,
) {
package { $packages:
ensure => installed,
}
service { 'incus':
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
}
file_line { 'subuid_root':
ensure => present,
path => '/etc/subuid',
line => 'root:1000000:1000000000',
match => '^root:',
notify => Service['incus'],
}
file_line { 'subgid_root':
ensure => present,
path => '/etc/subgid',
line => 'root:1000000:1000000000',
match => '^root:',
notify => Service['incus'],
}
if $init {
file {'/root/incus.preseed.yaml':
ensure => file,
owner => root,
group => root,
content => template('incus/join_preseed.yaml.erb')
}
exec { 'initiate_incus':
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized',
refreshonly => true,
creates => '/root/.incus_initialized',
subscribe => File['/root/incus.preseed.yaml'],
}
}
if $facts['incus'] and $facts['incus']['config'] {
# set core.https_address
if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
exec { 'incus_config_set_core_https_address':
path => ['/bin', '/usr/bin'],
command => "incus config set core.https_address ${server_addr}:${server_port}",
}
}
# set storage.images_volume # path to store images
if $storage_images_volume {
if $facts['incus']['config']['storage.images_volume'] != $storage_images_volume {
exec { 'incus_config_set_storage_images_volume':
path => ['/bin', '/usr/bin'],
command => "incus config set storage.images_volume ${storage_images_volume}",
}
}
}
}
}
@@ -0,0 +1,18 @@
config:
core.https_address: <%= @server_fqdn %>:<%= @server_port %>
networks: []
storage_pools: []
storage_volumes: []
profiles:
- config: {}
description: ""
devices:
eth0:
name: eth0
nictype: bridged
parent: <%= @bridge %>
type: nic
name: default
project: default
projects: []
cluster: null
@@ -0,0 +1,74 @@
# frozen_string_literal: true
require 'facter'
require 'yaml'
require 'net/http'
require 'uri'
require 'fileutils'
# CobblerENC module: Fetches ENC data from Cobbler, caches it, and provides structured facts.
module CobblerENC
CACHE_FILE = '/var/cache/puppet_enc.yaml'
CACHE_TTL = 7 * 24 * 60 * 60 # 7 days in seconds
@enc_data = nil # In-memory cache for the ENC response
def self.read_cache
return {} unless File.exist?(CACHE_FILE)
cache_data = YAML.safe_load(File.read(CACHE_FILE)) || {}
timestamp = cache_data.fetch('timestamp', 0)
return cache_data if Time.now.to_i - timestamp < CACHE_TTL
{}
end
def self.write_cache(enc_data)
FileUtils.mkdir_p(File.dirname(CACHE_FILE))
cache_data = enc_data.merge({ 'timestamp' => Time.now.to_i })
File.write(CACHE_FILE, cache_data.to_yaml)
end
def self.fetch_from_cobbler
uri = URI("http://cobbler.main.unkin.net/cblr/svc/op/puppet/hostname/#{Facter.value(:fqdn) || Facter.value(:hostname)}")
response = Net::HTTP.get_response(uri)
raise "Failed to fetch ENC data. HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
YAML.safe_load(response.body) || {}
end
def self.retrieve_enc_data
return @enc_data if @enc_data
@enc_data = fetch_from_cobbler
write_cache(@enc_data)
@enc_data
end
def self.fetch_enc_data
retrieve_enc_data
rescue StandardError => e
Facter.warn("Error retrieving Cobbler ENC data: #{e.message}")
@enc_data = read_cache
return @enc_data unless @enc_data.empty?
raise 'No cached ENC data available and Cobbler is down.'
end
def self.enc_role
fetch_enc_data.fetch('classes', {}).keys.first || raise('ENC Role not found in Cobbler ENC response')
end
def self.enc_env
fetch_enc_data.fetch('environment', nil) || raise('ENC Environment not found in Cobbler ENC response')
end
end
Facter.add('enc_role') do
setcode { CobblerENC.enc_role }
end
Facter.add('enc_env') do
setcode { CobblerENC.enc_env }
end
-13
View File
@@ -1,13 +0,0 @@
# frozen_string_literal: true
Facter.add('enc_env') do
setcode do
require 'yaml'
# Check if the YAML file exists
if File.exist?('/root/.cache/custom_facts.yaml')
data = YAML.load_file('/root/.cache/custom_facts.yaml')
# Use safe navigation to return 'enc_env' or nil
data&.dig('enc_env')
end
end
end
-13
View File
@@ -1,13 +0,0 @@
# frozen_string_literal: true
Facter.add('enc_role') do
setcode do
require 'yaml'
# Check if the YAML file exists
if File.exist?('/root/.cache/custom_facts.yaml')
data = YAML.load_file('/root/.cache/custom_facts.yaml')
# Use safe navigation to return 'enc_role' or nil
data&.dig('enc_role')
end
end
end
+12 -1
View File
@@ -10,7 +10,18 @@ class SubnetAttributes
'198.18.15.0/24' => { environment: 'prod', region: 'syd1', country: 'au' },
'198.18.16.0/24' => { environment: 'test', region: 'syd1', country: 'au' },
'198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' },
'198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' }
'198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' },
'198.18.19.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # loopbacks
'198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # MPLS CORE BLOCKS
'198.18.21.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # physical network 2.5gbe
'198.18.22.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph cluster
'198.18.23.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph public
'198.18.24.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # dmz 1
'198.18.25.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0009
'198.18.26.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0010
'198.18.27.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0011
'198.18.28.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0012
'198.18.29.0/24' => { environment: 'prod', region: 'syd1', country: 'au' } # common node0013
}.freeze
# Default attributes if no subnet matches, also defined as a constant
+22
View File
@@ -0,0 +1,22 @@
# manage bridges and bridge slaves
define networking::bridge (
String $type,
Optional[Stdlib::IP::Address] $ipaddress,
Optional[Stdlib::IP::Address] $netmask = undef,
Optional[Stdlib::IP::Address] $gateway = undef,
Optional[Boolean] $nocarrier = undef,
Boolean $bridge = true,
Integer[100-9200] $mtu = 1500,
Optional[Boolean] $forwarding = false,
) {
include systemd
systemd::network { "${title}.netdev":
content => template('networking/bridge.netdev.erb'),
}
# Use shared template, it will detect bridge=true and skip Address/DNS/etc
systemd::network { "${title}.network":
content => template('networking/networkd-network.erb'),
}
}
+18
View File
@@ -0,0 +1,18 @@
# manage dummy/loopback interfaces
define networking::dummy (
String $type,
Stdlib::IP::Address $ipaddress,
Stdlib::IP::Address $netmask,
Integer[100-9200] $mtu = 1500,
Optional[Boolean] $forwarding = false,
) {
include systemd
systemd::network { "${title}.netdev":
content => template('networking/dummy.netdev.erb'),
}
systemd::network { "${title}.network":
content => template('networking/networkd-network.erb'),
}
}
+51 -18
View File
@@ -4,34 +4,67 @@ class networking (
Hash $interface_defaults = {},
Hash $routes = {},
Hash $route_defaults = {},
Boolean $use_networkd = lookup('systemd::manage_networkd', undef, undef, false),
){
include network
include networking::params
# manage interfaces
$interfaces.each | $interface, $data | {
$merged_data = merge($interface_defaults, $data)
network_config { $interface:
* => $merged_data,
notify => Exec['networking_reload_network'],
}
}
if $use_networkd {
# manage routes
$routes.each | $route, $data | {
$merged_data = merge($route_defaults, $data)
network_route { $route:
* => $merged_data,
notify => Exec['networking_reload_network'],
include systemd
service { 'NetworkManager':
ensure => 'stopped',
enable => false,
}
$interfaces.each |String $iface, Hash $data| {
$type = $data['type']
#$params = $data.filter |$key, $value| { $key != 'type' }
case $type {
'bridge': { networking::bridge { $iface: * => $data } }
'dummy': { networking::dummy { $iface: * => $data } }
'static': { networking::static { $iface: * => $data } }
'physical': { networking::static { $iface: * => $data } }
default: {
fail("Unsupported interface type '${type}' for interface '${iface}'")
}
}
}
}else{
# manage interfaces
$interfaces.each | $interface, $data | {
$merged_data = merge($interface_defaults, $data)
network_config { $interface:
* => $merged_data,
notify => Exec['networking_reload_network'],
}
}
# manage routes
$routes.each | $route, $data | {
$merged_data = merge($route_defaults, $data)
network_route { $route:
* => $merged_data,
notify => Exec['networking_reload_network'],
}
}
}
# determine which networking service to restart
$restart_command = $facts['os']['family'] ? {
'RedHat' => '/usr/bin/systemctl restart network',
'Debian' => '/usr/bin/systemctl restart networking',
default => fail('Unsupported OS in networking-restart-command'),
$restart_command = $use_networkd ? {
true => '/usr/bin/systemctl restart systemd-networkd',
default => $facts['os']['family'] ? {
'RedHat' => $facts['os']['release']['major'] ? {
'8' => '/usr/bin/systemctl restart network',
'9' => '/usr/bin/systemctl restart NetworkManager',
default => fail('Unsupported RedHat OS release for networking restart'),
},
'Debian' => '/usr/bin/systemctl restart networking',
default => fail('Unsupported OS in networking-restart-command'),
}
}
# restart network/networking only if $restart_networking boolean is true
+27
View File
@@ -0,0 +1,27 @@
# manage static interfaces
define networking::static (
String $type,
Stdlib::IP::Address $netmask = '255.255.255.0',
Integer[100-9200] $mtu = 1500,
Boolean $dhcp = false,
Optional[Boolean] $forwarding = false,
Optional[Stdlib::IP::Address] $ipaddress = undef,
Optional[Stdlib::IP::Address] $gateway = undef,
Optional[Array[Stdlib::IP::Address]] $dns = undef,
Optional[Array[Stdlib::Fqdn]] $domains = undef,
Optional[Integer[0-4096]] $vlan = undef,
Optional[Variant[Boolean,String]] $bridge = undef,
Optional[Integer[0-4294967294]] $txqueuelen = undef,
Optional[Stdlib::MAC] $mac = undef,
) {
include systemd
systemd::network { "${title}.network":
content => template('networking/networkd-network.erb'),
}
#if $type == 'physical' and $mac {
# systemd::network { "${title}.link":
# content => template('networking/networkd-link.erb'),
# }
#}
}
@@ -0,0 +1,3 @@
[NetDev]
Name=<%= @title %>
Kind=bridge
@@ -0,0 +1,3 @@
[NetDev]
Name=<%= @title %>
Kind=dummy
@@ -0,0 +1,8 @@
[Match]
MACAddress=<%= @mac %>
[Link]
MTUBytes=<%= @mtu %>
<% if @txqueuelen and @txqueuelen >= 1 -%>
TransmitQueueLength=<%= @txqueuelen %>
<% end -%>
@@ -0,0 +1,41 @@
[Match]
Name=<%= @title %>
[Network]
<% if @dhcp == true -%>
DHCP=yes
<% else -%>
<% if @ipaddress && @netmask -%>
Address=<%= @ipaddress %>/<%= IPAddr.new(@netmask).to_i.to_s(2).count('1') %>
<% end -%>
<% if @gateway -%>
Gateway=<%= @gateway %>
<% end -%>
<% if @dns -%>
DNS=<%= Array(@dns).join(' ') %>
<% end -%>
<% if @domains -%>
Domains=<%= Array(@domains).join(' ') %>
<% end -%>
<% end -%>
<% if @bridge and @bridge != true -%>
Bridge=<%= @bridge %>
<% end -%>
<% if @vlan -%>
VLAN=<%= @vlan %>
<% end -%>
<% if @nocarrier and @nocarrier == true -%>
ConfigureWithoutCarrier=true
DuplicateAddressDetection=none
RequiredForOnline=no-carrier
<% end -%>
<% if @type == 'dummy' -%>
LinkLocalAddressing=no
ActivationPolicy=always-up
<% end -%>
<% if @forwarding and @forwarding == true -%>
IPForward=true
<% end -%>
[Link]
MTUBytes=<%= @mtu %>
@@ -0,0 +1,14 @@
# frozen_string_literal: true
Facter.add('zfs_zpool_cache_present') do
confine kernel: 'Linux'
setcode do
File.exist?('/etc/zfs/zpool.cache')
end
end
Facter.add('zfs_zpool_cache_present') do
setcode do
false
end
end
+10
View File
@@ -0,0 +1,10 @@
# manage zfs config
class zfs::config {
file { $zfs::conf_dir:
ensure => directory,
owner => 0,
group => 0,
mode => '0644',
}
}
+52
View File
@@ -0,0 +1,52 @@
# Installs basic ZFS kernel and userland support.
#
# @example Declaring the class
# include zfs
#
# @example Tuning the ZFS ARC
# class { 'zfs':
# zfs_arc_max => to_bytes('256 M'),
# zfs_arc_min => to_bytes('128 M'),
# }
#
# @param conf_dir Top-level configuration directory, usually `/etc/zfs`.
# @param kmod_type Whether to use DKMS kernel packages or ones built to match
# the running kernel (only applies to RHEL platforms).
# @param manage_repo Whether to setup and manage external package repositories.
# @param package_name The name of the top-level metapackage that installs ZFS
# support.
# @param service_manage Whether to manage the various ZFS services.
# @param zfs_arc_max Maximum size of the ARC in bytes.
# @param zfs_arc_min Minimum size of the ARC in bytes.
class zfs (
Optional[Integer[0]] $zfs_arc_max,
Optional[Integer[0]] $zfs_arc_min,
Optional[Hash] $zpools,
Optional[Hash] $datasets,
Stdlib::Absolutepath $conf_dir = '/etc/zfs',
Enum['dkms', 'kabi'] $kmod_type = 'kabi',
Boolean $manage_repo = true,
Variant[String, Array[String, 1]] $package_name = 'zfs',
Boolean $service_manage = true,
) {
contain zfs::install
contain zfs::config
contain zfs::service
Class['zfs::install'] ~> Class['zfs::config'] ~> Class['zfs::service']
# create zpools
$zpools.each | $zpool, $data | {
zpool { $zpool:
* => $data
}
}
# create datasets
$datasets.each | $dataset, $data | {
zfs { $dataset:
* => $data
}
}
}
+151
View File
@@ -0,0 +1,151 @@
# manage zfs install/repos
class zfs::install {
if $zfs::manage_repo {
case $facts['os']['family'] {
'RedHat': {
$baseurl = 'http://download.zfsonlinux.org'
$release = $facts['os']['release']['major'] ? {
'6' => '6',
'7' => $facts['os']['release']['full'] ? {
/^7\.[012]/ => '7',
default => regsubst($facts['os']['release']['full'], '^7\.(\d+).*$', '7.\1'),
},
'8' => $facts['os']['release']['full'] ? {
/^8\.4/ => '8.3',
default => regsubst($facts['os']['release']['full'], '^8\.(\d+).*$', '8.\1'),
},
default => regsubst($facts['os']['release']['full'], '^(\d\.\d+).*$', '\1'),
}
yumrepo { 'zfs':
baseurl => "${baseurl}/epel/${release}/\$basearch/",
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - dkms",
enabled => Integer($zfs::kmod_type == 'dkms'),
before => Package[$zfs::package_name],
}
yumrepo { 'zfs-kmod':
baseurl => "${baseurl}/epel/${release}/kmod/\$basearch/",
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - kmod",
enabled => Integer($zfs::kmod_type == 'kabi'),
}
yumrepo { 'zfs-source':
baseurl => "${baseurl}/epel/${release}/SRPMS/",
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - Source",
enabled => 0,
}
yumrepo { 'zfs-testing':
baseurl => "${baseurl}/epel-testing/${release}/\$basearch/",
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - dkms - Testing",
enabled => 0,
}
yumrepo { 'zfs-testing-kmod':
baseurl => "${baseurl}/epel-testing/${release}/kmod/\$basearch/",
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - kmod - Testing",
enabled => 0,
}
yumrepo { 'zfs-testing-source':
baseurl => "${baseurl}/epel-testing/${release}/SRPMS/",
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - Testing Source",
enabled => 0,
}
}
default: {
# noop
}
}
}
# Handle these dependencies separately as they shouldn't be guarded by
# `$zfs::manage_repo`
case $facts['os']['family'] {
'RedHat': {
case $zfs::kmod_type {
'dkms': {
# Puppet doesn't like managing multiple versions of the same package.
# By using the version in the name Yum will do the right thing
ensure_packages(["kernel-devel-${facts['kernelrelease']}"], {
ensure => present,
before => Package[$zfs::package_name],
})
}
default: {
# noop
}
}
}
'Debian': {
case $facts['os']['name'] {
'Ubuntu': {
# noop
}
default: {
ensure_packages(["linux-headers-${facts['kernelrelease']}", "linux-headers-${facts['os']['architecture']}"], {
before => Package[$zfs::package_name],
})
}
}
}
default: {
# noop
}
}
# This is to work around the broken Debian 9 packages. Upon install the
# zfs-mount.service is started first which is the only unit that doesn't
# have an "ExecStartPre=-/sbin/modprobe zfs" line so the package can never
# be installed!
if $facts['os']['name'] == 'Debian' and $facts['os']['release']['major'] == '9' {
exec { 'zfs systemctl daemon-reload':
command => 'systemctl daemon-reload',
refreshonly => true,
path => $facts['path'],
}
Exec['zfs systemctl daemon-reload'] -> Package[$zfs::package_name]
file { '/etc/systemd/system/zfs-mount.service.d':
ensure => directory,
owner => 0,
group => 0,
mode => '0644',
}
file { '/etc/systemd/system/zfs-mount.service.d/override.conf':
ensure => file,
owner => 0,
group => 0,
mode => '0644',
content => @(EOS/L),
[Service]
ExecStartPre=-/sbin/modprobe zfs
| EOS
notify => Exec['zfs systemctl daemon-reload'],
}
}
# These need to be done here so the kernel settings are present before the
# package is installed and potentially loading the kernel module
$config = delete_undef_values({
'zfs_arc_max' => $zfs::zfs_arc_max,
'zfs_arc_min' => $zfs::zfs_arc_min,
})
$config.each |$option,$value| {
kmod::option { "zfs ${option}":
module => 'zfs',
option => $option,
value => $value,
before => Package[$zfs::package_name],
}
}
package { $zfs::package_name:
ensure => present,
}
}
+90
View File
@@ -0,0 +1,90 @@
# manage zfs services
class zfs::service {
if $zfs::service_manage {
exec { 'modprobe zfs':
path => $facts['path'],
unless => 'grep -q "^zfs " /proc/modules',
}
case $facts['service_provider'] {
'systemd': {
$cache_ensure = str2bool($facts['zfs_zpool_cache_present']) ? {
true => 'running',
default => 'stopped',
}
$scan_ensure = str2bool($facts['zfs_zpool_cache_present']) ? {
true => 'stopped',
default => 'running',
}
service { 'zfs-import-cache':
ensure => $cache_ensure,
enable => true,
hasstatus => true,
hasrestart => true,
require => Exec['modprobe zfs'],
before => Service['zfs-mount'],
}
service { 'zfs-import-scan':
ensure => $scan_ensure,
enable => true,
hasstatus => true,
hasrestart => true,
require => Exec['modprobe zfs'],
before => Service['zfs-mount'],
}
}
default: {
case $facts['os']['family'] {
'RedHat': {
service { 'zfs-import':
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
require => Exec['modprobe zfs'],
before => Service['zfs-mount'],
}
}
'Debian': {
$import_ensure = str2bool($facts['zfs_zpool_cache_present']) ? {
true => 'running',
default => 'stopped',
}
service { 'zpool-import':
ensure => $import_ensure,
enable => true,
hasstatus => true,
hasrestart => true,
require => Exec['modprobe zfs'],
}
}
default: {
# noop
}
}
}
}
service { 'zfs-mount':
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
before => Service['zfs-share'],
}
service { 'zfs-share':
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
}
}
}
+11 -1
View File
@@ -2,12 +2,22 @@
class profiles::accounts::sysadmin(
String $password,
Array[String] $sshkeys = [],
Array[String] $extra_groups = [],
){
$default_groups = [
'adm',
'admins',
'systemd-journal'
]
$groups = $extra_groups + $default_groups
profiles::base::account {'sysadmin':
username => 'sysadmin',
uid => 1000,
gid => 1000,
groups => ['adm', 'admins', 'systemd-journal'],
groups => $groups,
sshkeys => $sshkeys,
sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
password => $password,
+16 -9
View File
@@ -8,14 +8,21 @@ class profiles::almalinux::base (
ensure => absent,
}
}
service {'NetworkManager':
ensure => false,
enable => false,
require => Package['network-scripts'],
}
-> service {'network':
ensure => true,
enable => true,
require => Package['network-scripts'],
if $facts['os']['release'] == '8' {
service {'NetworkManager':
ensure => false,
enable => false,
require => Package['network-scripts'],
}
-> service {'network':
ensure => true,
enable => true,
require => Package['network-scripts'],
}
} elsif $facts['os']['release'] == '8' {
service {'NetworkManager':
ensure => true,
enable => true,
}
}
}
+5 -1
View File
@@ -22,7 +22,6 @@ class profiles::base (
# include the base profiles
include profiles::base::repos
include profiles::packages
include profiles::base::facts
include profiles::base::motd
include profiles::base::scripts
include profiles::base::hosts
@@ -34,6 +33,7 @@ class profiles::base (
include profiles::pki::vault
include profiles::ssh::sign
include profiles::ssh::knownhosts
include profiles::ssh::service
include profiles::cloudinit::init
include profiles::metrics::default
include profiles::helpers::node_lookup
@@ -57,6 +57,10 @@ class profiles::base (
include profiles::qemu::agent
}
class { 'limits':
purge_limits_d_dir => false,
}
# include classes from hiera
$hiera_include = lookup('hiera_include', Array[String], 'unique', [])
$hiera_exclude = lookup('hiera_exclude', Array[String], 'unique', [])
-39
View File
@@ -1,39 +0,0 @@
# a class to define some global facts
class profiles::base::facts {
# The path where external facts are stored
$facts_d_path = '/opt/puppetlabs/facter/facts.d'
# Ensure the directory exists
file { $facts_d_path:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
# cleanup old facts files
$fact_list = [ 'enc_role', 'enc_env' ]
$fact_list.each | String $item | {
file { "${facts_d_path}/${item}.txt":
ensure => absent,
}
}
# ensure the path to the custom store exists
file { '/root/.cache':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0750',
}
# create the file that will be read
file { '/root/.cache/custom_facts.yaml':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profiles/base/facts/custom_facts.yaml.erb'),
}
}
+1
View File
@@ -3,6 +3,7 @@ class profiles::base::repos {
# manage package repositories
case $facts['os']['family'] {
'RedHat': {
include crypto_policies
include profiles::yum::global
include profiles::firewall::firewalld
}
+2 -2
View File
@@ -47,8 +47,8 @@ class profiles::cobbler::config {
# fix permissions in /var/lib/cobbler/web.ss
file {'/var/lib/cobbler/web.ss':
ensure => 'file',
group => 'root',
owner => 'apache',
group => 'apache',
owner => 'root',
mode => '0660',
require => Package['cobbler'],
notify => Service['cobblerd'],
+6
View File
@@ -85,4 +85,10 @@ class profiles::consul::client (
require => File['/root/.config'],
}
# cleanup /usr/local/bin/consul which was created by url install method
if $facts['os']['family'] == 'RedHat' {
file {'/usr/local/bin/consul':
ensure => absent,
}
}
}
+12 -7
View File
@@ -9,8 +9,9 @@ class profiles::defaults {
Package {
ensure => present,
require => Class['profiles::base::repos']
require => [
Class['profiles::base::repos'],
]
}
File {
@@ -31,10 +32,14 @@ class profiles::defaults {
}
Yumrepo {
ensure => 'present',
enabled => 1,
gpgcheck => 1,
require => Class['profiles::pki::vaultca'],
notify => Exec['dnf_makecache'],
ensure => 'present',
enabled => 1,
gpgcheck => 1,
metadata_expire => '1d',
require => [
Class['profiles::pki::vaultca'],
Class['crypto_policies'],
],
notify => Exec['dnf_makecache'],
}
}
+8 -2
View File
@@ -2,7 +2,7 @@
class profiles::dns::base (
String $ns_role = undef,
Array $search = [],
Array $nameservers = ['8.8.8.8', '1.1.1.1'],
Array $nameservers = ['198.18.13.12', '198.18.13.13'],
Enum[
'all',
'region',
@@ -23,6 +23,12 @@ class profiles::dns::base (
}
}
# if nameservers not returned from puppetdb, use default
$use_nameservers = empty($nameserver_array) ? {
true => $nameservers,
false => $nameserver_array,
}
# if search is undef, fallback to domainname from facts
if $search == [] {
$search_array = [$::facts['networking']['domain']]
@@ -32,7 +38,7 @@ class profiles::dns::base (
# include resolvconf class
class { 'profiles::dns::resolvconf':
nameservers => sort($nameserver_array),
nameservers => sort($use_nameservers),
search_domains => sort($search_array),
}
+10 -3
View File
@@ -105,13 +105,14 @@ class profiles::edgecache::nginx {
# manage the nginx class
class { 'nginx':
proxy_cache_path => {
"${data_root}/cache" => 'cache:128m',
"${data_root}/cache" => 'cache:256m',
},
proxy_cache_levels => '1:2',
proxy_cache_keys_zone => 'cache:128m',
proxy_cache_keys_zone => 'cache:256m',
proxy_cache_max_size => '30000m',
proxy_cache_inactive => '60d',
proxy_cache_inactive => '365d',
proxy_temp_path => "${data_root}/cache_tmp",
service_manage => false,
}
# create the nginx vhost with the merged parameters
@@ -126,4 +127,10 @@ class profiles::edgecache::nginx {
* => $data,
}
}
service { 'nginx':
ensure => true,
enable => true,
subscribe => [File[$selected_ssl_cert], File[$selected_ssl_key]],
}
}
+58
View File
@@ -0,0 +1,58 @@
# manage the use of the etcd module
class profiles::etcd::node (
Sensitive[String[1]] $initial_cluster_token,
Boolean $members_lookup = false,
String $members_role = undef,
Array $servers = [],
Stdlib::Port $client_port = 2379,
Stdlib::Port $peer_port = 2380,
Hash $config = {},
){
# if lookup is enabled
if $members_lookup {
# check that the role is also set
unless !($members_role == undef) {
fail("members_role must be provided for ${title} when members_lookup is True")
}
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
# else use provided array from params
}else{
$servers_array = sort($servers)
}
if length($servers_array) >= 3 {
# construct the initial-cluster string
$initial_cluster = $servers_array.map |$fqdn| {
# lookup the ip address for the current fqdn
$ip = query_nodes("networking.fqdn='${fqdn}'", 'networking.ip')[0]
# construct the string for this server
"${fqdn}=https://${ip}:${peer_port}"
}.join(',')
$defaults = {
'data-dir' => '/var/lib/etcd',
'name' => $facts['networking']['fqdn'],
'listen-client-urls' => "https://${facts['networking']['ip']}:${client_port}",
'listen-peer-urls' => "https://${facts['networking']['ip']}:${peer_port}",
'advertise-client-urls' => "https://${facts['networking']['ip']}:${client_port}",
'initial-advertise-peer-urls' => "https://${facts['networking']['ip']}:${peer_port}",
'initial-cluster-token' => $initial_cluster_token.unwrap,
'initial-cluster' => $initial_cluster,
'initial-cluster-state' => 'new',
}
$merged_config = merge($defaults, $config)
class { 'etcd':
config => $merged_config,
}
}
}
@@ -1,6 +1,11 @@
# profiles::firstrun::complete
class profiles::firstrun::complete {
file {'/root/.cache':
ensure => 'directory',
owner => 'root',
group => 'root',
}
file {'/root/.cache/puppet_firstrun_complete':
ensure => 'file',
owner => 'root',
+4 -2
View File
@@ -8,10 +8,12 @@ class profiles::firstrun::init {
include profiles::base::repos
include profiles::firstrun::packages
# set the motd and base facts
include profiles::base::facts
# set the motd
include profiles::base::motd
# create groups
include profiles::base::groups
# mark the firstrun as done
include profiles::firstrun::complete
@@ -0,0 +1,118 @@
# profiles::jupyter::jupyterhub
class profiles::jupyter::jupyterhub (
Stdlib::AbsolutePath $base_path = '/opt/jupyterhub',
Stdlib::AbsolutePath $venv_path = "${base_path}/venv",
Stdlib::AbsolutePath $config_path = "${base_path}/config.py",
Stdlib::AbsolutePath $notebook_path = '/home/jupyter/work',
Hash $vault_config = {},
String $owner = 'jupyterhub',
String $group = 'jupyterhub',
Boolean $systempkgs = false,
String $version = '3.12',
Array[String[1]] $packages = [
'jupyterhub',
'dockerspawner',
'jupyterhub-ldapauthenticator',
],
String $ldap_server_address = 'ldap://ldap.service.consul',
String $ldap_tls_strategy = 'insecure',
Array $ldap_allowed_groups = ['ou=jupyterhub_user,ou=groups,dc=main,dc=unkin,dc=net'],
Array $ldap_admin_users = [],
String $ldap_bind_user = 'cn=svc_jupyterhub,ou=services,ou=users,dc=main,dc=unkin,dc=net',
String $ldap_bind_pass = 'change-me',
String $ldap_user_search_base = 'ou=people,ou=users,dc=main,dc=unkin,dc=net',
String $ldap_user_search_filter = '({login_attr}={login})',
String $ldap_group_search_filter = '(uniqueMember={userdn})',
String $ldap_user_attribute = 'uid',
String $ldap_user_dn_attribute = 'cn',
String $docker_image = 'git.query.consul/unkin/almalinux9-jupyterlab:latest',
String $docker_network = 'bridge',
){
# ensure nodejs:20 is installed
package { 'nodejs_module':
ensure => '20',
name => 'nodejs',
provider => 'dnfmodule',
enable_only => true,
}
-> package { 'nodejs':
ensure => 'installed',
provider => 'dnf',
}
-> package { 'npm':
ensure => 'installed',
provider => 'dnf',
}
-> package { 'configurable-http-proxy':
ensure => installed,
provider => 'npm',
}
# ensure python3.12 is installed
if $::facts['python3_version'] {
$python_version = $version ? {
'system' => $::facts['python3_version'],
default => $version,
}
# ensure the base_path exists
file { $base_path:
ensure => directory,
mode => '0755',
owner => $owner,
group => $group,
require => Profiles::Base::Account['jupyterhub'],
}
# create a venv
python::pyvenv { $venv_path :
ensure => present,
version => $python_version,
systempkgs => $systempkgs,
venv_dir => $venv_path,
owner => $owner,
group => $group,
require => File[$base_path],
}
# install the required pip packages
$packages.each |String $package| {
python::pip { "${venv_path}_${package}":
ensure => present,
pkgname => $package,
virtualenv => $venv_path,
}
}
# create the config from a template
file { $config_path:
ensure => file,
mode => '0660',
owner => $owner,
group => $group,
content => Sensitive(template('profiles/jupyterhub/config.py.erb')),
require => Python::Pyvenv[$venv_path],
}
profiles::base::account {$owner:
username => $owner,
uid => 1101,
gid => 1101,
groups => ['systemd-journal', 'docker'],
system => true,
}
systemd::unit_file { 'jupyterhub.service':
content => template('profiles/jupyterhub/jupyterhub.service.erb'),
enable => true,
active => true,
subscribe => File[$config_path],
require => [
File[$config_path],
],
}
}
}
+84
View File
@@ -0,0 +1,84 @@
# profiles::nomad::node
class profiles::nomad::node (
Stdlib::Absolutepath $data_dir = '/data/nomad',
Stdlib::Absolutepath $nomad_root = '/shared/nomad',
Integer $bootstrap_expect = 3,
Boolean $server = false,
Boolean $client = false,
Boolean $manage_service = true,
Boolean $manage_user = true,
String $user = 'nomad',
String $group = 'nomad',
){
if $manage_user {
# Define the group for Nomad
group { $group:
ensure => 'present',
system => true,
}
# Define the user for Nomad
user { $user:
ensure => 'present',
comment => 'Nomad System User',
home => '/var/lib/nomad',
managehome => true,
shell => '/sbin/nologin',
system => true,
gid => $group,
require => Group[$group],
}
}
if $client {
include profiles::ceph::client
# manage the sharedvol
profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_nomad":
mount => $nomad_root,
keyring => '/etc/ceph/ceph.client.nomad.keyring',
cephfs_name => 'nomad',
cephfs_fs => 'nomadfs',
require => Profiles::Ceph::Keyring['nomad'],
}
}
file { $data_dir:
ensure => directory,
owner => $user,
group => $group,
mode => '0755',
require => [
User[$user],
Group[$group],
],
}
mkdir::p {'/etc/nomad.d/':}
-> file { '/etc/nomad.d/config.hcl':
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
content => template('profiles/nomad/config.hcl.erb'),
require => [
Package['nomad'],
],
}
if $manage_service {
include ::systemd
systemd::unit_file { 'nomad.service':
content => template('profiles/nomad/nomad.service.erb'),
enable => true,
active => true,
subscribe => [
File['/etc/pki/tls/vault/private.key'],
File['/etc/nomad.d/config.hcl']
],
}
}
}
@@ -21,7 +21,7 @@ class profiles::puppet::puppetboard (
Stdlib::Port $nginx_port = 80,
Stdlib::Host $nginx_vhost = 'puppetboard.main.unkin.net',
Array[Stdlib::Host] $nginx_aliases = [],
#String[1] $secret_key = "${fqdn_rand_string(32)}",
String[1] $secret_key = "${fqdn_rand_string(32)}",
) {
# store puppet-agents ssl settings/certname
@@ -37,7 +37,7 @@ class profiles::puppet::puppetboard (
basedir => $basedir,
virtualenv_dir => $virtualenv_dir,
settings_file => $settings_file,
#secret_key => $secret_key,
secret_key => $secret_key,
default_environment => $default_environment,
puppetdb_host => $puppetdb_host,
puppetdb_port => 8081,
+1
View File
@@ -22,6 +22,7 @@ class profiles::puppet::r10k (
mode => '0755',
content => "#!/bin/bash\n(
cd /etc/puppetlabs/r10k
git branch --set-upstream-to=origin/master master
git reset --hard master
git clean -fd
git pull\n)",
@@ -2,7 +2,7 @@
class profiles::reposync::webserver (
String $www_root = '/data/repos/snap',
String $cache_root = '/data/repos/cache',
String $nginx_vhost = 'repos.main.unkin.net',
String $nginx_vhost = 'packagerepo.service.consul',
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Boolean $favicon = true,
@@ -10,6 +10,10 @@ class profiles::reposync::webserver (
Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
) {
# ensure all the required directories exist
mkdir::p { $www_root: }
mkdir::p { $cache_root: }
# select the certificates to use based on cert type
case $nginx_cert_type {
'puppet': {
+48
View File
@@ -0,0 +1,48 @@
# this is a modification to frr-selinux that ships with EL9, adding support for frr10
class profiles::selinux::frr {
$frr_te_content = @("EOF")
module frr_local 1.0;
require {
type frr_t;
type initrc_t;
type kernel_t;
type var_run_t;
type frr_tmp_t;
type frr_var_run_t;
type init_t;
class unix_stream_socket connectto;
class system module_request;
class sock_file { getattr write };
class dir { add_name write };
class file { create write open };
class process setpgid;
}
#============= frr_t ==============
allow frr_t initrc_t:unix_stream_socket connectto;
allow frr_t kernel_t:system module_request;
allow frr_t var_run_t:sock_file { getattr write };
#============= init_t ==============
allow init_t frr_tmp_t:dir add_name;
allow init_t frr_var_run_t:dir { write add_name };
allow init_t frr_var_run_t:file { create open write };
allow init_t self:process setpgid;
| EOF
if $facts['virtual'] != 'lxc' {
selinux::module { 'frr_local':
ensure => 'present',
content_te => $frr_te_content,
builder => 'simple',
before => Service['frr'],
}
selboolean { 'domain_can_mmap_files':
value => 'on',
persistent => true,
before => Service['frr'],
}
}
}
+15
View File
@@ -0,0 +1,15 @@
# profiles::ssh::service
# saz-ssh manages the service, this is just some additional stuff
class profiles::ssh::service {
# set sshd to start
systemd::manage_dropin { 'after-network-online.conf':
ensure => present,
unit => 'sshd.service',
unit_entry => {
'After' => [
'network-online.target',
],
},
}
}
+15 -5
View File
@@ -16,6 +16,9 @@ class profiles::vault::server (
Boolean $manage_storage_dir = false,
Stdlib::Absolutepath $data_dir = '/opt/vault',
Stdlib::Absolutepath $bin_dir = '/usr/bin',
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
){
# set a datacentre/cluster name
@@ -45,13 +48,14 @@ class profiles::vault::server (
$server_urls = $servers_array.map |$fqdn| {
{
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
leader_client_key_file => '/etc/pki/tls/vault/private.key',
leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt',
leader_client_cert_file => $ssl_crt,
leader_client_key_file => $ssl_key,
leader_ca_cert_file => $ssl_ca,
}
}
class { 'vault':
manage_service => false,
install_method => $install_method,
manage_storage_dir => $manage_storage_dir,
enable_ui => true,
@@ -79,13 +83,19 @@ class profiles::vault::server (
address => "${::facts['networking']['ip']}:${client_port}",
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
tls_disable => $tls_disable,
tls_cert_file => '/etc/pki/tls/vault/certificate.crt',
tls_key_file => '/etc/pki/tls/vault/private.key',
tls_cert_file => $ssl_crt,
tls_key_file => $ssl_key,
}
}
]
}
service { 'vault':
ensure => true,
enable => true,
subscribe => [File[$ssl_crt], File[$ssl_key]],
}
# include classes to manage vault
include profiles::vault::unseal
}
+9 -6
View File
@@ -16,12 +16,15 @@ class profiles::yum::global (
purge => $purge,
}
#exec {'purge_almalinux_default_repos':
# command => 'rm -f /etc/yum.repos.d/almalinux*.repo',
# path => ['/bin', '/usr/bin'],
# onlyif => 'find /etc/yum.repos.d/ -type f -name *almalinux* | grep .',
# before => Resources['yumrepo'],
#}
# el9 needs to rpmdb rebuild after crypto-policies
if $facts['os']['release']['major'] == '9' {
exec { 'rebuild_rpmdb':
command => '/usr/bin/rpmdb --rebuilddb && /usr/bin/touch /root/almalinux9_upgrade_rebuilddb_flag',
unless => '/usr/bin/test -f /root/almalinux9_upgrade_rebuilddb_flag',
timeout => 180,
require => Class['crypto_policies'],
}
}
# download all gpg keys if a repo defines it
$repos.each |$name, $repo| {
@@ -1,3 +0,0 @@
---
enc_role: <%= @enc_role[0] %>
enc_env: <%= @enc_env %>
@@ -1 +0,0 @@
enc_env=<%= @enc_env %>
@@ -1 +0,0 @@
enc_role=<%= @enc_role[0] %>
@@ -0,0 +1,53 @@
# jupyterhub_config.py
from dockerspawner import DockerSpawner
import os
c = get_config()
# Basic JupyterHub settings
c.JupyterHub.bind_url = 'http://:8000'
c.JupyterHub.hub_ip = '0.0.0.0'
c.JupyterHub.hub_port = 8081
c.NotebookApp.enable_terminals = True
# Configure the DockerSpawner
c.JupyterHub.spawner_class = DockerSpawner
c.DockerSpawner.image = '<%= @docker_image %>'
c.DockerSpawner.network_name = '<%= @docker_network %>'
# Notebook directory and mount location
c.DockerSpawner.notebook_dir = '<%= @notebook_path %>'
# Optional: Volume mapping for user data persistence
c.DockerSpawner.volumes = {
'jupyterhub-user-{username}': '<%= @notebook_path %>'
}
# DockerSpawner options
c.DockerSpawner.remove = True
c.DockerSpawner.debug = True
c.DockerSpawner.pull_policy = "always"
# LDAP Authentication
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
# LDAP Server settings
c.LDAPAuthenticator.server_address = '<%= @ldap_server_address %>'
c.LDAPAuthenticator.tls_strategy = '<%= @ldap_tls_strategy %>'
# Restrict access to a specific LDAP group
c.LDAPAuthenticator.allowed_groups = <%= @ldap_allowed_groups.to_s %>
# List LDAP users as admins
c.LDAPAuthenticator.admin_users = <%= @ldap_admin_users.to_s %>
# Lookup settings
c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_filter = '<%= @ldap_user_search_filter %>'
c.LDAPAuthenticator.lookup_dn_search_user = '<%= @ldap_bind_user %>'
c.LDAPAuthenticator.lookup_dn_search_password = '<%= @ldap_bind_pass %>'
c.LDAPAuthenticator.user_search_base = '<%= @ldap_user_search_base %>'
c.LDAPAuthenticator.user_attribute = '<%= @ldap_user_attribute %>'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = '<%= @ldap_user_dn_attribute %>'
c.LDAPAuthenticator.group_search_filter = '<%= @ldap_group_search_filter %>'
@@ -0,0 +1,16 @@
[Unit]
Description=JupyterHub
After=network.target
[Service]
Type=simple
ExecStart=/opt/jupyterhub/venv/bin/jupyterhub -f /opt/jupyterhub/config.py
WorkingDirectory=/opt/jupyterhub
User=<%= @owner %>
Group=<%= @group %>
Environment="PATH=/opt/jupyterhub/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Restart=always
[Install]
WantedBy=multi-user.target
@@ -0,0 +1,45 @@
# data_dir tends to be environment specific.
data_dir = "<%= @data_dir %>"
bind_addr = "0.0.0.0"
datacenter = "<%= scope['facts']['country'] %>-<%= scope['facts']['region'] %>"
<% if @server -%>
# Manage Servers
advertise {
http = "<%= @facts['networking']['ip'] %>"
rpc = "<%= @facts['networking']['ip'] %>"
serf = "<%= @facts['networking']['ip'] %>"
}
server {
enabled = true
bootstrap_expect = <%= @bootstrap_expect %>
}
<% end -%>
<% if @client -%>
# Manage clients/agents
client {
enabled = true
}
plugin "docker" {
config {
volumes {
enabled = true
}
}
}
<% end -%>
# Require TLS
tls {
http = true
rpc = true
ca_file = "/etc/pki/ca-trust/source/anchors/vaultcaroot.pem"
cert_file = "/etc/pki/tls/vault/certificate.crt"
key_file = "/etc/pki/tls/vault/private.key"
verify_server_hostname = true
verify_https_client = false
}

Some files were not shown because too many files have changed in this diff Show More