Compare commits
117 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| f4ac1f2000 | |||
| 2321186ad5 | |||
| c24babe309 | |||
| bfda2b628b | |||
| 278f8001b0 | |||
| 0fe44cf4e2 | |||
| 25b06cde22 | |||
| 8c76e71dc4 | |||
| 0e3dd4d7d0 | |||
| 83d0b31753 | |||
| b6ea353cfb | |||
| c225564bdb | |||
| 06666fe488 | |||
| 9dc88e6db6 | |||
| d87983d8fc | |||
| 95bc2716cf | |||
| 978013f325 | |||
| 829b1b05fd | |||
| 6cb249ffbc | |||
| 427fe352b4 | |||
| 45b061a053 | |||
| d39d25d3f1 | |||
| 06b458cb0e | |||
| e3046563a2 | |||
| e025928d77 | |||
| e3e8b3484d | |||
| bdf420973d | |||
| 6a04701891 | |||
| dd5a4646ff | |||
| 4e47745077 | |||
| 3a4e606459 | |||
| d0eb4c078d | |||
| b95bcbd10a | |||
| adc0cf2c09 | |||
| 771b981d91 | |||
| e0c3a23424 | |||
| a309244713 | |||
| 8eb751e22f | |||
| b981a6fb01 | |||
| 7c1d96bd22 | |||
| 0222f5ec4a | |||
| afd3405c98 | |||
| ab7ce3bbfa | |||
| 4a85c5feff | |||
| 6134b4664b | |||
| e061a72996 | |||
| eaa15e92dc | |||
| a5a193d9eb | |||
| 4400456519 | |||
| d37fb5d7e1 | |||
| 022a564dc0 | |||
| 48e1fb8e30 | |||
| 561d74e9d9 | |||
| 281fdb33d4 | |||
| 1c04366eec | |||
| 86d3b61439 | |||
| 6ebf5c03a5 | |||
| c97db0f0aa | |||
| 46b4fdf632 | |||
| aaf81d0a6c | |||
| afbc15ff40 | |||
| 64248a45c2 | |||
| c7fb1f0cec | |||
| dbccaea24b | |||
| b244327c34 | |||
| 90bcdd1f51 | |||
| ec926dfe0a | |||
| 40af30d0ff | |||
| bac90b5459 | |||
| 41aab65f85 | |||
| c023cfe4dc | |||
| cffb6a54fc | |||
| fd7ced66ce | |||
| 766f124b2c | |||
| 4de772436b | |||
| 75f865c26c | |||
| 2fdc709a17 | |||
| ba3a9e374a | |||
| a28ef09f28 | |||
| 52fff0ccea | |||
| f097cf2550 | |||
| 58d31c5c9a | |||
| 92d6697175 | |||
| d3f471f3ed | |||
| ab1f4300a9 | |||
| 845b91b497 | |||
| 8f0b3e615c | |||
| 8679a0b904 | |||
| 16ba54ee0a | |||
| 4b3553b75c | |||
| abdb3ec8cb | |||
| c0623b64f7 | |||
| d286e2d816 | |||
| 71b29d5e88 | |||
| 6493f392b8 | |||
| 8586e9eb32 | |||
| 92a9655a50 | |||
| 42ad972697 | |||
| 61f5f1ce1f | |||
| 926d3d29d0 | |||
| c6bdae5790 | |||
| 159d66af18 | |||
| c728c1a5e0 | |||
| 4fec931fb1 | |||
| 76b4c8c930 | |||
| 0455965525 | |||
| 4e68900259 | |||
| ca87702466 | |||
| 09a448ea52 | |||
| 1db8847833 | |||
| 6d919580e1 | |||
| 5549275ecc | |||
| 7acfea8547 | |||
| 318e816568 | |||
| 2ef4fb0bf8 | |||
| 2013641720 | |||
| 4bf4b42fdf |
@@ -3,3 +3,8 @@
|
||||
detectors:
|
||||
FeatureEnvy:
|
||||
enabled: false
|
||||
TooManyStatements:
|
||||
enabled: false
|
||||
UncommunicativeVariableName:
|
||||
accept:
|
||||
- e
|
||||
|
||||
+41
-37
@@ -2,52 +2,54 @@ forge 'forge.puppetlabs.com'
|
||||
moduledir 'external_modules'
|
||||
|
||||
# puppetlabs
|
||||
mod 'puppetlabs-stdlib', '9.1.0'
|
||||
mod 'puppetlabs-inifile', '6.0.0'
|
||||
mod 'puppetlabs-concat', '9.0.0'
|
||||
mod 'puppetlabs-vcsrepo', '6.1.0'
|
||||
mod 'puppetlabs-yumrepo_core', '2.0.0'
|
||||
mod 'puppetlabs-apt', '9.4.0'
|
||||
mod 'puppetlabs-lvm', '2.1.0'
|
||||
mod 'puppetlabs-puppetdb', '7.13.0'
|
||||
mod 'puppetlabs-postgresql', '9.1.0'
|
||||
mod 'puppetlabs-firewall', '6.0.0'
|
||||
mod 'puppetlabs-accounts', '8.1.0'
|
||||
mod 'puppetlabs-mysql', '15.0.0'
|
||||
mod 'puppetlabs-stdlib', '9.7.0'
|
||||
mod 'puppetlabs-inifile', '6.2.0'
|
||||
mod 'puppetlabs-concat', '9.1.0'
|
||||
mod 'puppetlabs-vcsrepo', '7.0.0'
|
||||
mod 'puppetlabs-yumrepo_core', '2.1.0'
|
||||
mod 'puppetlabs-apt', '10.0.1'
|
||||
mod 'puppetlabs-lvm', '3.0.1'
|
||||
mod 'puppetlabs-puppetdb', '7.14.0'
|
||||
mod 'puppetlabs-postgresql', '9.2.0'
|
||||
mod 'puppetlabs-firewall', '8.1.4'
|
||||
mod 'puppetlabs-accounts', '8.2.2'
|
||||
mod 'puppetlabs-mysql', '16.2.0'
|
||||
mod 'puppetlabs-xinetd', '3.4.1'
|
||||
mod 'puppetlabs-haproxy', '8.0.0'
|
||||
mod 'puppetlabs-java', '10.1.2'
|
||||
mod 'puppetlabs-reboot', '5.0.0'
|
||||
mod 'puppetlabs-docker', '10.0.1'
|
||||
mod 'puppetlabs-haproxy', '8.2.0'
|
||||
mod 'puppetlabs-java', '11.1.0'
|
||||
mod 'puppetlabs-reboot', '5.1.0'
|
||||
mod 'puppetlabs-docker', '10.2.0'
|
||||
|
||||
# puppet
|
||||
mod 'puppet-python', '7.0.0'
|
||||
mod 'puppet-systemd', '5.1.0'
|
||||
mod 'puppet-yum', '7.0.0'
|
||||
mod 'puppet-archive', '7.0.0'
|
||||
mod 'puppet-chrony', '2.6.0'
|
||||
mod 'puppet-puppetboard', '9.0.0'
|
||||
mod 'puppet-nginx', '5.0.0'
|
||||
mod 'puppet-selinux', '4.1.0'
|
||||
mod 'puppet-prometheus', '13.4.0'
|
||||
mod 'puppet-grafana', '13.1.0'
|
||||
mod 'puppet-consul', '8.0.0'
|
||||
mod 'puppet-vault', '4.1.0'
|
||||
mod 'puppet-python', '7.4.0'
|
||||
mod 'puppet-systemd', '8.1.0'
|
||||
mod 'puppet-yum', '7.2.0'
|
||||
mod 'puppet-archive', '7.1.0'
|
||||
mod 'puppet-chrony', '3.0.0'
|
||||
mod 'puppet-puppetboard', '11.0.0'
|
||||
mod 'puppet-nginx', '6.0.1'
|
||||
mod 'puppet-selinux', '5.0.0'
|
||||
mod 'puppet-prometheus', '16.0.0'
|
||||
mod 'puppet-grafana', '14.1.0'
|
||||
mod 'puppet-consul', '9.1.0'
|
||||
mod 'puppet-vault', '4.1.1'
|
||||
mod 'puppet-dhcp', '6.1.0'
|
||||
mod 'puppet-keepalived', '5.1.0'
|
||||
mod 'puppet-extlib', '7.0.0'
|
||||
mod 'puppet-network', '2.2.0'
|
||||
mod 'puppet-kmod', '4.0.1'
|
||||
mod 'puppet-extlib', '7.5.1'
|
||||
mod 'puppet-network', '2.2.1'
|
||||
mod 'puppet-kmod', '4.1.0'
|
||||
mod 'puppet-filemapper', '4.0.0'
|
||||
mod 'puppet-letsencrypt', '11.0.0'
|
||||
mod 'puppet-rundeck', '9.1.0'
|
||||
mod 'puppet-redis', '11.0.0'
|
||||
mod 'puppet-letsencrypt', '11.1.0'
|
||||
mod 'puppet-rundeck', '9.2.0'
|
||||
mod 'puppet-redis', '11.1.0'
|
||||
mod 'puppet-nodejs', '11.0.0'
|
||||
|
||||
# other
|
||||
mod 'ghoneycutt-puppet', '3.3.0'
|
||||
mod 'saz-sudo', '8.0.0'
|
||||
mod 'saz-ssh', '12.1.0'
|
||||
mod 'saz-sudo', '9.0.2'
|
||||
mod 'saz-ssh', '13.1.0'
|
||||
mod 'saz-limits', '5.0.0'
|
||||
mod 'ghoneycutt-timezone', '4.0.0'
|
||||
mod 'ghoneycutt-puppet', '3.3.0'
|
||||
mod 'dalen-puppetdbquery', '3.0.1'
|
||||
mod 'markt-galera', '3.1.0'
|
||||
mod 'kogitoapp-minio', '1.1.4'
|
||||
@@ -56,6 +58,8 @@ mod 'stm-file_capability', '6.0.0'
|
||||
mod 'h0tw1r3-gitea', '3.2.0'
|
||||
mod 'rehan-mkdir', '2.0.0'
|
||||
mod 'tailoredautomation-patroni', '2.0.0'
|
||||
mod 'ssm-crypto_policies', '0.3.3'
|
||||
mod 'thias-sysctl', '1.0.8'
|
||||
|
||||
mod 'bind',
|
||||
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||
|
||||
@@ -135,6 +135,20 @@ lookup_options:
|
||||
keepalived::vrrp_instance:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::etcd::node::initial_cluster_token:
|
||||
convert_to: Sensitive
|
||||
sysctl::base::values:
|
||||
merge:
|
||||
strategy: deep
|
||||
limits::entries:
|
||||
merge:
|
||||
strategy: deep
|
||||
zfs::zpools:
|
||||
merge:
|
||||
strategy: deep
|
||||
zfs::datasets:
|
||||
merge:
|
||||
strategy: deep
|
||||
|
||||
facts_path: '/opt/puppetlabs/facter/facts.d'
|
||||
|
||||
@@ -143,6 +157,8 @@ hiera_include:
|
||||
- networking
|
||||
- ssh::server
|
||||
- profiles::accounts::rundeck
|
||||
- limits
|
||||
- sysctl::base
|
||||
|
||||
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
||||
profiles::ntp::client::use_ntp: 'region'
|
||||
@@ -155,6 +171,10 @@ profiles::ntp::client::peers:
|
||||
profiles::base::puppet_servers:
|
||||
- 'prodinf01n01.main.unkin.net'
|
||||
|
||||
consul::install_method: 'package'
|
||||
consul::manage_repo: false
|
||||
consul::bin_dir: /usr/bin
|
||||
|
||||
profiles::dns::master::basedir: '/var/named/sources'
|
||||
profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
|
||||
profiles::dns::base::use_ns: 'region'
|
||||
|
||||
@@ -260,6 +260,7 @@ profiles::haproxy::dns::cnames:
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
|
||||
# letsencrypt certificates
|
||||
certbot::client::service: haproxy
|
||||
certbot::client::domains:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.70
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.71
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.72
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.73
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,15 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.74
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.74
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.64.254/24'
|
||||
@@ -0,0 +1,15 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.75
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.75
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.65.254/24'
|
||||
@@ -0,0 +1,15 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.76
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.76
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.66.254/24'
|
||||
@@ -0,0 +1,15 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.77
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.77
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.67.254/24'
|
||||
@@ -0,0 +1,15 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.78
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.78
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.68.254/24'
|
||||
@@ -0,0 +1,15 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.79
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.79
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.69.254/24'
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.80
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.81
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.14 # management loopback
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
mac: 00:16:3e:69:0f:3b
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.15 # management loopback
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
mac: 00:16:3e:55:46:bd
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.16 # management loopback
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
mac: 00:16:3e:6a:25:6b
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.17 # management loopback
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
mac: 00:16:3e:63:89:f2
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.18 # management loopback
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
mac: 00:16:3e:ca:e1:51
|
||||
@@ -0,0 +1,18 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.9 # management loopback
|
||||
networking_loopback1_ip: 198.18.22.9 # ceph-cluster loopback
|
||||
networking_loopback2_ip: 198.18.23.9 # ceph-public loopback
|
||||
networking_br10_ip: 198.18.25.254
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
mac: 70:b5:e8:38:e9:8d
|
||||
ipaddress: 198.18.15.9
|
||||
gateway: 198.18.15.254
|
||||
enp3s0:
|
||||
mac: 00:e0:4c:68:0f:5d
|
||||
ipaddress: 198.18.21.9
|
||||
|
||||
#zfs::zpools:
|
||||
# fastpool:
|
||||
# ensure: present
|
||||
# disk: /dev/nvme0n1
|
||||
@@ -0,0 +1,13 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.10 # management loopback
|
||||
networking_loopback1_ip: 198.18.22.10 # ceph-cluster loopback
|
||||
networking_loopback2_ip: 198.18.23.10 # ceph-public loopback
|
||||
networking_br10_ip: 198.18.26.254
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
mac: 70:b5:e8:38:e9:37
|
||||
ipaddress: 198.18.15.10
|
||||
gateway: 198.18.15.254
|
||||
enp3s0:
|
||||
mac: 00:e0:4c:68:0f:de
|
||||
ipaddress: 198.18.21.10
|
||||
@@ -0,0 +1,13 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.11 # management loopback
|
||||
networking_loopback1_ip: 198.18.22.11 # ceph-cluster loopback
|
||||
networking_loopback2_ip: 198.18.23.11 # ceph-public loopback
|
||||
networking_br10_ip: 198.18.27.254
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
mac: 70:b5:e8:38:e9:0f
|
||||
ipaddress: 198.18.15.11
|
||||
gateway: 198.18.15.254
|
||||
enp3s0:
|
||||
mac: 00:e0:4c:68:0f:55
|
||||
ipaddress: 198.18.21.11
|
||||
@@ -0,0 +1,13 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.12 # management loopback
|
||||
networking_loopback1_ip: 198.18.22.12 # ceph-cluster loopback
|
||||
networking_loopback2_ip: 198.18.23.12 # ceph-public loopback
|
||||
networking_br10_ip: 198.18.28.254
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
mac: 70:b5:e8:4f:05:1e
|
||||
ipaddress: 198.18.15.12
|
||||
gateway: 198.18.15.254
|
||||
enp3s0:
|
||||
mac: 00:e0:4c:68:0f:e5
|
||||
ipaddress: 198.18.21.12
|
||||
@@ -0,0 +1,13 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.13 # management loopback
|
||||
networking_loopback1_ip: 198.18.22.13 # ceph-cluster loopback
|
||||
networking_loopback2_ip: 198.18.23.13 # ceph-public loopback
|
||||
networking_br10_ip: 198.18.29.254
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
mac: 70:b5:e8:4f:04:b0
|
||||
ipaddress: 198.18.15.13
|
||||
gateway: 198.18.15.254
|
||||
enp3s0:
|
||||
mac: 00:e0:4c:68:0f:36
|
||||
ipaddress: 198.18.21.13
|
||||
@@ -1,2 +1,23 @@
|
||||
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
|
||||
---
|
||||
crypto_policies::policy: 'DEFAULT'
|
||||
|
||||
profiles::packages::include:
|
||||
network-scripts: {}
|
||||
|
||||
profiles::yum::global::repos:
|
||||
powertools:
|
||||
name: powertools
|
||||
descr: powertools repository
|
||||
target: /etc/yum.repos.d/powertools.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
unkin:
|
||||
name: unkin
|
||||
descr: unkin repository
|
||||
target: /etc/yum.repos.d/unkin.repo
|
||||
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
|
||||
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
|
||||
gpgcheck: false
|
||||
mirrorlist: absent
|
||||
|
||||
@@ -1,2 +1,36 @@
|
||||
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
|
||||
---
|
||||
crypto_policies::policy: 'DEFAULT:SHA1'
|
||||
|
||||
profiles::yum::global::repos:
|
||||
baseos:
|
||||
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
|
||||
mirrorlist: absent
|
||||
extras:
|
||||
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
|
||||
mirrorlist: absent
|
||||
appstream:
|
||||
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
|
||||
mirrorlist: absent
|
||||
highavailability:
|
||||
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
|
||||
mirrorlist: absent
|
||||
crb:
|
||||
name: crb
|
||||
descr: crb repository
|
||||
target: /etc/yum.repos.d/crb.repo
|
||||
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
|
||||
mirrorlist: absent
|
||||
unkin:
|
||||
name: unkin
|
||||
descr: unkin repository
|
||||
target: /etc/yum.repos.d/unkin.repo
|
||||
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
|
||||
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
|
||||
gpgcheck: false
|
||||
mirrorlist: absent
|
||||
|
||||
@@ -3,14 +3,13 @@
|
||||
profiles::firewall::firewalld::ensure_package: 'absent'
|
||||
profiles::firewall::firewalld::ensure_service: 'stopped'
|
||||
profiles::firewall::firewalld::enable_service: false
|
||||
profiles::puppet::agent::puppet_version: '7.26.0'
|
||||
profiles::puppet::agent::puppet_version: '7.34.0'
|
||||
|
||||
hiera_include:
|
||||
- profiles::almalinux::base
|
||||
|
||||
profiles::packages::include:
|
||||
lzo: {}
|
||||
network-scripts: {}
|
||||
policycoreutils: {}
|
||||
unar: {}
|
||||
xz: {}
|
||||
@@ -39,13 +38,6 @@ profiles::yum::global::repos:
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
powertools:
|
||||
name: powertools
|
||||
descr: powertools repository
|
||||
target: /etc/yum.repos.d/powertools.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
highavailability:
|
||||
name: highavailability
|
||||
descr: highavailability repository
|
||||
@@ -64,12 +56,12 @@ profiles::yum::global::repos:
|
||||
name: puppet
|
||||
descr: puppet repository
|
||||
target: /etc/yum.repos.d/puppet.repo
|
||||
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
|
||||
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
|
||||
mirrorlist: absent
|
||||
unkin:
|
||||
name: unkin
|
||||
descr: unkin repository
|
||||
unkinben:
|
||||
name: unkinben
|
||||
descr: unkinben repository
|
||||
target: /etc/yum.repos.d/unkin.repo
|
||||
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
|
||||
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
|
||||
|
||||
@@ -13,3 +13,7 @@ profiles::packages::include:
|
||||
|
||||
lm-sensors::package: lm-sensors
|
||||
networking::nwmgr_dns_none: false
|
||||
|
||||
consul::install_method: 'url'
|
||||
consul::manage_repo: false
|
||||
consul::bin_dir: /usr/local/bin
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
profiles::jupyter::jupyterhub::ldap_bind_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJspN3e2WzA0uZaLgFZ0Ewqii9dY0tTgbirsW70M2VZtLY+s+C6HE8ZZUtpfnRsFwUUhOj7s25X9xVOZNTpZIGPyfx9MWlSyFw2RFuXSEwaydf1DcBbg8261YrTTysA4Jsa1L4DLsX55q+XJUyeUbimVQkIacVIvzTdnZCBKnVNUh3U2PNAmV7SOL2KH8Jpbfs/EQfBt8XuGMCg3I/4RDyoNERqthW6W2KiMX2Gmd8iQ5+W9udH0lEAMx415oyImmN+dEuThcx9FGMi8BWYtnxH96yWafpT5qltwW6EVzIGWuLhiD1LcWYc5RB8jc3DhbeouChpKsN6c4EHoKt3aWsTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC8jcnqilJgY1/AnHWHfX4bgDCi2a3Rj43Z0dgfB5HaHdpfked3Cx+u94r2S5+Cg3QogU1AIF04rjzOL+bD2HdaMfo=]
|
||||
@@ -0,0 +1,74 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
python3.12: {}
|
||||
python3.12-pip: {}
|
||||
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage docker
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
docker::root_dir: /data/docker
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'jupyterhub.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- jupyterhub.service.consul
|
||||
- jupyterhub.query.consul
|
||||
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
# authorised access from external
|
||||
default:
|
||||
ensure: 'present'
|
||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
||||
ssl_only: true
|
||||
location: '/'
|
||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
||||
proxy_set_header:
|
||||
- 'Host $host'
|
||||
- 'X-Real-IP $remote_addr'
|
||||
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
||||
- 'X-Forwarded-Host $host'
|
||||
- 'X-Forwarded-Proto $scheme'
|
||||
- 'Upgrade $http_upgrade'
|
||||
- 'Connection $http_connection'
|
||||
- 'X-Scheme $scheme'
|
||||
proxy_redirect: 'off'
|
||||
proxy_http_version: '1.1'
|
||||
proxy_buffering: 'off'
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- jupyterhub.service.consul
|
||||
- jupyterhub.query.consul
|
||||
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
jupyterhub:
|
||||
service_name: 'jupyterhub'
|
||||
tags:
|
||||
- 'jupyterhub'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'jupyterhub_http_check'
|
||||
name: 'jupyterhub HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: jupyterhub
|
||||
disposition: write
|
||||
@@ -62,6 +62,9 @@ glauth::users:
|
||||
- 20017
|
||||
- 20018
|
||||
- 20023
|
||||
- 20024
|
||||
- 20025 # jupyterhub_admin
|
||||
- 20026 # jupyterhub_user
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/benvin'
|
||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
||||
@@ -138,8 +141,8 @@ glauth::users:
|
||||
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
|
||||
ryadun:
|
||||
user_name: 'ryadun'
|
||||
givenname: 'Dunbar'
|
||||
sn: 'Ryan'
|
||||
givenname: 'Ryan'
|
||||
sn: 'Dunbar'
|
||||
mail: 'ryadun@users.main.unkin.net'
|
||||
uidnumber: 20005
|
||||
primarygroup: 20000
|
||||
@@ -153,6 +156,41 @@ glauth::users:
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/ryadun'
|
||||
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
|
||||
margol:
|
||||
user_name: 'margol'
|
||||
givenname: 'Maree'
|
||||
sn: 'Goldsworthy'
|
||||
mail: 'margol@users.main.unkin.net'
|
||||
uidnumber: 20006
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010 # jelly
|
||||
- 20011 # sonarr
|
||||
- 20012 # radarr
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/margol'
|
||||
passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
|
||||
sudobo:
|
||||
user_name: 'sudobo'
|
||||
givenname: 'Sudaporn'
|
||||
sn: 'Obom'
|
||||
mail: 'sudobo@users.main.unkin.net'
|
||||
uidnumber: 20007
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010 # jelly
|
||||
- 20011 # sonarr
|
||||
- 20012 # radarr
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
- 20026 # jupyterhub_user
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/sudobo'
|
||||
passsha256: 'a326e049c2a615226877946220a978a0a8247c569be1adcd73539b09b14136d0'
|
||||
|
||||
glauth::services:
|
||||
svc_jellyfin:
|
||||
@@ -223,6 +261,12 @@ glauth::services:
|
||||
uidnumber: 30009
|
||||
primarygroup: 20001
|
||||
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
|
||||
svc_jupyterhub:
|
||||
service_name: 'svc_jupyterhub'
|
||||
mail: 'jupyterhub@service.main.unkin.net'
|
||||
uidnumber: 30010
|
||||
primarygroup: 20001
|
||||
passsha256: '09db1e0c2498214da35f3f2ed46a90a7b90635c207f8725e7abf76b48345a39b'
|
||||
|
||||
glauth::groups:
|
||||
users:
|
||||
@@ -273,3 +317,12 @@ glauth::groups:
|
||||
vault_access:
|
||||
group_name: 'vault_access'
|
||||
gidnumber: 20023
|
||||
vault_admin:
|
||||
group_name: 'vault_admin'
|
||||
gidnumber: 20024
|
||||
jupyterhub_admin:
|
||||
group_name: 'jupyterhub_admin'
|
||||
gidnumber: 20025
|
||||
jupyterhub_user:
|
||||
group_name: 'jupyterhub_user'
|
||||
gidnumber: 20026
|
||||
|
||||
@@ -10,6 +10,30 @@ profiles::dns::resolver::acls:
|
||||
- 198.18.15.0/24
|
||||
- 198.18.16.0/24
|
||||
- 198.18.17.0/24
|
||||
- 198.18.18.0/24
|
||||
- 198.18.19.0/24
|
||||
- 198.18.20.0/24
|
||||
- 198.18.21.0/24
|
||||
- 198.18.22.0/24
|
||||
- 198.18.23.0/24
|
||||
acl-dmz:
|
||||
addresses:
|
||||
- 198.18.24.0/24
|
||||
acl-common:
|
||||
addresses:
|
||||
- 198.18.25.0/24
|
||||
- 198.18.26.0/24
|
||||
- 198.18.27.0/24
|
||||
- 198.18.28.0/24
|
||||
- 198.18.29.0/24
|
||||
acl-nomad-jobs:
|
||||
addresses:
|
||||
- 198.18.64.0/24
|
||||
- 198.18.65.0/24
|
||||
- 198.18.66.0/24
|
||||
- 198.18.67.0/24
|
||||
- 198.18.68.0/24
|
||||
- 198.18.69.0/24
|
||||
|
||||
profiles::dns::resolver::zones:
|
||||
8.10.10.in-addr.arpa-forward:
|
||||
@@ -74,3 +98,5 @@ profiles::dns::resolver::views:
|
||||
- 20.10.10.in-addr.arpa-forward
|
||||
match_clients:
|
||||
- acl-main.unkin.net
|
||||
- acl-nomad-jobs
|
||||
- acl-common
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
profiles::etcd::node::initial_cluster_token: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhLyXszXUU6Dkiw9bEJTH0RXGaV2751NzvLH94i7QHfNukvOslF/kaDOA+FwqG06xSKSKo24Qyj4ewYA3BzhN8XLf2E9uW2LuDrUoA6aXUP2tYPqiTw8zmmgsVV5t7Y5PeNcleV3KmfcJZJKp33yGCKtGF7ggvNvnied5slO6E1BDkcVnqO7sdyI0MqSvsvH4IvEmeiSWAcBRBnwVLIwfn10frIvUg0fH4uZR7DASfO/HstYWKAEacz4xYBv74TtVVtYHlPvnVwC20YIYDMrgBsm3XngyWIQvruQCgyIkRzHjUKCpp76HpyEqzdJdEdaywkODYNOT6ab1B5uUu9WaMjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBADXLPOqFHdnVgJW5+iXJYcgCDK1Eyr+RwvMA+3VszYALU5B6OCH5maplwC5aUgiQZ7ew==]
|
||||
@@ -0,0 +1,62 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::etcd::node
|
||||
|
||||
profiles::etcd::node::members_lookup: true
|
||||
profiles::etcd::node::members_role: roles::infra::etcd::node
|
||||
|
||||
profiles::etcd::node::config:
|
||||
data-dir: /data/etcd
|
||||
client-cert-auth: false
|
||||
client-transport-security:
|
||||
cert-file: /etc/pki/tls/vault/certificate.crt
|
||||
key-file: /etc/pki/tls/vault/private.key
|
||||
client-cert-auth: false
|
||||
auto-tls: false
|
||||
peer-transport-security:
|
||||
cert-file: /etc/pki/tls/vault/certificate.crt
|
||||
key-file: /etc/pki/tls/vault/private.key
|
||||
client-cert-auth: false
|
||||
auto-tls: false
|
||||
allowed-cn:
|
||||
max-wals: 5
|
||||
max-snapshots: 5
|
||||
snapshot-count: 10000
|
||||
heartbeat-interval: 100
|
||||
election-timeout: 1000
|
||||
cipher-suites: [
|
||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
]
|
||||
tls-min-version: 'TLS1.2'
|
||||
tls-max-version: 'TLS1.3'
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- etcd.service.consul
|
||||
- etcd.query.consul
|
||||
- "etcd.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- etcd.query.consul
|
||||
- etcd.service.consul
|
||||
- etcd.service.%{facts.country}-%{facts.region}.consul
|
||||
|
||||
consul::services:
|
||||
etcd:
|
||||
service_name: 'etcd'
|
||||
tags:
|
||||
- 'etcd'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 2379
|
||||
checks:
|
||||
- id: 'etcd_http_health_check'
|
||||
name: 'ETCD HTTP Health Check'
|
||||
http: "https://%{facts.networking.ip}:2379/health"
|
||||
method: 'GET'
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
tls_skip_verify: true
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: etcd
|
||||
disposition: write
|
||||
@@ -5,6 +5,7 @@ hiera_include:
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
docker::root_dir: /data/docker
|
||||
|
||||
profiles::gitea::runner::home: /data/runner
|
||||
profiles::gitea::runner::version: '0.2.10'
|
||||
@@ -44,3 +45,10 @@ profiles::gitea::runner::config:
|
||||
force_rebuild: false
|
||||
host:
|
||||
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
|
||||
|
||||
# enable ip forwarding for docker containers
|
||||
sysctl::base::values:
|
||||
net.ipv4.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv6.conf.all.forwarding:
|
||||
value: '1'
|
||||
|
||||
@@ -0,0 +1,125 @@
|
||||
---
|
||||
hiera_include:
|
||||
- incus
|
||||
- zfs
|
||||
|
||||
profiles::packages::include:
|
||||
bridge-utils: {}
|
||||
dnsmasq: {}
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- incus-images.service.consul
|
||||
- incus-images.query.consul
|
||||
- "incus-images.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- incus-images.service.consul
|
||||
- incus-images.query.consul
|
||||
- "incus-images.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
incus-images:
|
||||
service_name: 'incus-images'
|
||||
tags:
|
||||
- 'incus'
|
||||
- 'images'
|
||||
- 'container'
|
||||
- 'lxd'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 8443
|
||||
checks:
|
||||
- id: 'incus_https_check'
|
||||
name: 'incus HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:8443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: incus-images
|
||||
disposition: write
|
||||
|
||||
# additional repos
|
||||
profiles::yum::global::repos:
|
||||
zfs-kmod:
|
||||
name: zfs-kmod
|
||||
descr: zfs-kmod repository
|
||||
target: /etc/yum.repos.d/zfs-kmod.repo
|
||||
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
|
||||
mirrorlist: absent
|
||||
|
||||
# zfs settings
|
||||
zfs::manage_repo: false
|
||||
zfs::zfs_arc_min: ~
|
||||
zfs::zfs_arc_max: 429496729 # 400MB
|
||||
zfs::zpools:
|
||||
fastpool:
|
||||
ensure: present
|
||||
disk: /dev/vdb
|
||||
ashift: 12
|
||||
zfs::datasets:
|
||||
fastpool:
|
||||
canmount: 'off'
|
||||
acltype: posix
|
||||
atime: 'off'
|
||||
relatime: 'off'
|
||||
compression: 'zstd'
|
||||
xattr: 'sa'
|
||||
fastpool/data:
|
||||
canmount: 'on'
|
||||
mountpoint: '/data'
|
||||
fastpool/data/incus:
|
||||
canmount: 'on'
|
||||
mountpoint: '/data/incus'
|
||||
|
||||
# manage incus
|
||||
incus::init: true
|
||||
incus::server_port: 8443
|
||||
incus::storage_images_volume: fastpool/imagestore
|
||||
|
||||
# add sysadmin to incus-admin group
|
||||
profiles::accounts::sysadmin::extra_groups:
|
||||
- incus-admin
|
||||
|
||||
# sysctl recommendations
|
||||
sysctl::base::values:
|
||||
fs.aio-max-nr:
|
||||
value: '524288'
|
||||
fs.inotify.max_queued_events:
|
||||
value: '1048576'
|
||||
fs.inotify.max_user_instances:
|
||||
value: '1048576'
|
||||
fs.inotify.max_user_watches:
|
||||
value: '1048576'
|
||||
kernel.dmesg_restrict:
|
||||
value: '1'
|
||||
kernel.keys.maxbytes:
|
||||
value: '2000000'
|
||||
kernel.keys.maxkeys:
|
||||
value: '2000'
|
||||
net.core.bpf_jit_limit:
|
||||
value: '1000000000'
|
||||
net.ipv4.neigh.default.gc_thresh3:
|
||||
value: '8192'
|
||||
net.ipv6.neigh.default.gc_thresh3:
|
||||
value: '8192'
|
||||
vm.max_map_count:
|
||||
value: '262144'
|
||||
net.ipv4.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv6.conf.all.forwarding:
|
||||
value: '1'
|
||||
|
||||
# limits.d recommendations
|
||||
limits::entries:
|
||||
'*/nofile':
|
||||
both: 1048576
|
||||
'root/nofile':
|
||||
both: 1048576
|
||||
'*/memlock':
|
||||
both: unlimited
|
||||
'root/memlock':
|
||||
both: unlimited
|
||||
@@ -0,0 +1,220 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::selinux::frr
|
||||
- frrouting
|
||||
- incus
|
||||
- zfs
|
||||
|
||||
profiles::packages::include:
|
||||
bridge-utils: {}
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- incus.service.consul
|
||||
- incus.query.consul
|
||||
- "incus.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- incus.service.consul
|
||||
- incus.query.consul
|
||||
- "incus.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
incus:
|
||||
service_name: 'incus'
|
||||
tags:
|
||||
- 'incus'
|
||||
- 'container'
|
||||
- 'lxd'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 8443
|
||||
checks:
|
||||
- id: 'incus_https_check'
|
||||
name: 'incus HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:8443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: incus
|
||||
disposition: write
|
||||
|
||||
# additional repos
|
||||
profiles::yum::global::repos:
|
||||
frr-extras:
|
||||
name: frr-extras
|
||||
descr: frr-extras repository
|
||||
target: /etc/yum.repos.d/frr-extras.repo
|
||||
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||
mirrorlist: absent
|
||||
frr-stable:
|
||||
name: frr-stable
|
||||
descr: frr-stable repository
|
||||
target: /etc/yum.repos.d/frr-stable.repo
|
||||
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||
mirrorlist: absent
|
||||
zfs-kmod:
|
||||
name: zfs-kmod
|
||||
descr: zfs-kmod repository
|
||||
target: /etc/yum.repos.d/zfs-kmod.repo
|
||||
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
|
||||
mirrorlist: absent
|
||||
|
||||
# networking
|
||||
systemd::manage_networkd: true
|
||||
systemd::manage_all_network_files: true
|
||||
#networking::use_networkd: true
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
type: physical
|
||||
txqueuelen: 10000
|
||||
forwarding: true
|
||||
enp3s0:
|
||||
type: physical
|
||||
mtu: 9000
|
||||
txqueuelen: 10000
|
||||
forwarding: true
|
||||
loopback0:
|
||||
type: dummy
|
||||
ipaddress: "%{hiera('networking_loopback0_ip')}"
|
||||
netmask: 255.255.255.255
|
||||
mtu: 9000
|
||||
loopback1:
|
||||
type: dummy
|
||||
ipaddress: "%{hiera('networking_loopback1_ip')}"
|
||||
netmask: 255.255.255.255
|
||||
mtu: 9000
|
||||
loopback2:
|
||||
type: dummy
|
||||
ipaddress: "%{hiera('networking_loopback2_ip')}"
|
||||
netmask: 255.255.255.255
|
||||
mtu: 9000
|
||||
|
||||
# frrouting
|
||||
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::ospfd_redistribute:
|
||||
- connected
|
||||
frrouting::ospfd_interfaces:
|
||||
enp2s0:
|
||||
area: 0.0.0.0
|
||||
enp3s0:
|
||||
area: 0.0.0.0
|
||||
loopback0:
|
||||
area: 0.0.0.0
|
||||
loopback1:
|
||||
area: 0.0.0.0
|
||||
loopback2:
|
||||
area: 0.0.0.0
|
||||
brmplscore:
|
||||
area: 0.0.0.0
|
||||
frrouting::mpls_te_enabled: true
|
||||
frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::mpls_ldp_interfaces:
|
||||
- loopback0
|
||||
- enp2s0
|
||||
- enp3s0
|
||||
- brmplscore
|
||||
frrouting::daemons:
|
||||
ldpd: true
|
||||
ospfd: true
|
||||
|
||||
# add loopback interfaces to ssh list
|
||||
ssh::server::options:
|
||||
ListenAddress:
|
||||
- "%{hiera('networking_loopback0_ip')}"
|
||||
|
||||
# zfs settings
|
||||
zfs::manage_repo: false
|
||||
zfs::zfs_arc_min: ~
|
||||
zfs::zfs_arc_max: 4294967296 # 4GB
|
||||
zfs::zpools:
|
||||
fastpool:
|
||||
ensure: present
|
||||
disk: /dev/nvme1n1
|
||||
ashift: 12
|
||||
zfs::datasets:
|
||||
fastpool:
|
||||
canmount: 'off'
|
||||
acltype: posix
|
||||
atime: 'off'
|
||||
relatime: 'off'
|
||||
compression: 'zstd'
|
||||
xattr: 'sa'
|
||||
fastpool/data:
|
||||
canmount: 'on'
|
||||
mountpoint: '/data'
|
||||
fastpool/data/incus:
|
||||
canmount: 'on'
|
||||
mountpoint: '/data/incus'
|
||||
|
||||
# manage incus
|
||||
incus::init: true
|
||||
incus::bridge: br10
|
||||
incus::server_port: 8443
|
||||
incus::server_addr: "%{hiera('networking_loopback0_ip')}"
|
||||
|
||||
# add sysadmin to incus-admin group
|
||||
profiles::accounts::sysadmin::extra_groups:
|
||||
- incus-admin
|
||||
|
||||
# sysctl recommendations
|
||||
sysctl::base::values:
|
||||
fs.aio-max-nr:
|
||||
value: '524288'
|
||||
fs.inotify.max_queued_events:
|
||||
value: '1048576'
|
||||
fs.inotify.max_user_instances:
|
||||
value: '1048576'
|
||||
fs.inotify.max_user_watches:
|
||||
value: '1048576'
|
||||
kernel.dmesg_restrict:
|
||||
value: '1'
|
||||
kernel.keys.maxbytes:
|
||||
value: '2000000'
|
||||
kernel.keys.maxkeys:
|
||||
value: '2000'
|
||||
net.core.bpf_jit_limit:
|
||||
value: '1000000000'
|
||||
net.ipv4.neigh.default.gc_thresh3:
|
||||
value: '8192'
|
||||
net.ipv6.neigh.default.gc_thresh3:
|
||||
value: '8192'
|
||||
vm.max_map_count:
|
||||
value: '262144'
|
||||
net.ipv4.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv6.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv4.tcp_l3mdev_accept:
|
||||
value: '0'
|
||||
net.ipv4.conf.default.rp_filter:
|
||||
value: '0'
|
||||
net.ipv4.conf.all.rp_filter:
|
||||
value: '0'
|
||||
net.mpls.platform_labels:
|
||||
value: '1048575'
|
||||
net.mpls.conf.enp2s0.input:
|
||||
value: '1'
|
||||
net.mpls.conf.enp3s0.input:
|
||||
value: '1'
|
||||
net.mpls.conf.brmplscore.input:
|
||||
value: '1'
|
||||
net.mpls.conf.loopback0.input:
|
||||
value: '1'
|
||||
|
||||
# limits.d recommendations
|
||||
limits::entries:
|
||||
'*/nofile':
|
||||
both: 1048576
|
||||
'root/nofile':
|
||||
both: 1048576
|
||||
'*/memlock':
|
||||
both: unlimited
|
||||
'root/memlock':
|
||||
both: unlimited
|
||||
@@ -0,0 +1,79 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::selinux::frr
|
||||
- frrouting
|
||||
|
||||
# additional repos
|
||||
profiles::yum::global::repos:
|
||||
frr-extras:
|
||||
name: frr-extras
|
||||
descr: frr-extras repository
|
||||
target: /etc/yum.repos.d/frr-extras.repo
|
||||
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||
mirrorlist: absent
|
||||
frr-stable:
|
||||
name: frr-stable
|
||||
descr: frr-stable repository
|
||||
target: /etc/yum.repos.d/frr-stable.repo
|
||||
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||
mirrorlist: absent
|
||||
|
||||
# networking
|
||||
systemd::manage_networkd: true
|
||||
systemd::manage_all_network_files: true
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
dhcp: true
|
||||
type: physical
|
||||
mtu: 8000
|
||||
forwarding: true
|
||||
loopback0:
|
||||
type: dummy
|
||||
ipaddress: "%{hiera('networking_loopback0_ip')}"
|
||||
netmask: 255.255.255.255
|
||||
mtu: 8000
|
||||
|
||||
# frrouting
|
||||
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::ospfd_redistribute:
|
||||
- connected
|
||||
frrouting::ospfd_interfaces:
|
||||
eth0:
|
||||
area: 0.0.0.0
|
||||
loopback0:
|
||||
area: 0.0.0.0
|
||||
frrouting::mpls_te_enabled: true
|
||||
frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::mpls_ldp_interfaces:
|
||||
- eth0
|
||||
- loopback0
|
||||
frrouting::daemons:
|
||||
ldpd: true
|
||||
ospfd: true
|
||||
|
||||
# add loopback interfaces to ssh list
|
||||
ssh::server::options:
|
||||
ListenAddress:
|
||||
- "%{hiera('networking_loopback0_ip')}"
|
||||
|
||||
# sysctl recommendations
|
||||
sysctl::base::values:
|
||||
net.ipv4.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv6.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv4.tcp_l3mdev_accept:
|
||||
value: '0'
|
||||
net.ipv4.conf.default.rp_filter:
|
||||
value: '0'
|
||||
net.ipv4.conf.all.rp_filter:
|
||||
value: '0'
|
||||
net.mpls.platform_labels:
|
||||
value: '1048575'
|
||||
net.mpls.conf.eth0.input:
|
||||
value: '1'
|
||||
net.mpls.conf.loopback0.input:
|
||||
value: '1'
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEzl2zX8ok6iURymPLbvkFE/dZhunzwisNCsLE5Tx6Pmil0PNx7iFULHXxWU6HMVOxzJmgcnTY+NsRnoTMSpXHGeC3wmD525T4xO4wvG/l9apzmPs1NTI4hcyYCj4NkAKyo249xXEodU4uM2AZp3ZgLBLf2cZpOe0/SPngWSq0kC4pJMnxWH+YsQ/O/1EMxpjSgMMna4YcMtcW2M0+wRhASNSTV7icsiAp6F/cInZuP44ASviHmM6+aMEhygBariOT80kaHZZI+aP6vqSd9lChXCV5qjRzeoEBIKOzT2ZBj41RTsF75J8UYFPwY7dp584tDpiIedUSR9IRCJe4d0uTjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCau9oXJiYiCGgvxZl62EsagDDgX2cU3+3QCkImEGS1oBahkPl3fYHKynbRi0ZQW1CoW0UFRzY8FmWmGkowns9OsIM=]
|
||||
@@ -0,0 +1,72 @@
|
||||
---
|
||||
|
||||
hiera_include:
|
||||
- docker
|
||||
- docker::networks
|
||||
- frrouting
|
||||
- profiles::nomad::node
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
docker::root_dir: /data/docker
|
||||
docker::ip_forward: true
|
||||
docker::ip_masq: false
|
||||
docker::iptables: false
|
||||
|
||||
frrouting::ospfd_redistribute:
|
||||
- connected
|
||||
frrouting::ospfd_interfaces:
|
||||
eth0:
|
||||
area: 0.0.0.0
|
||||
ens19:
|
||||
passive: true
|
||||
docker0:
|
||||
area: 0.0.0.1
|
||||
|
||||
profiles::yum::global::repos:
|
||||
ceph-reef:
|
||||
name: ceph-reef
|
||||
descr: ceph reef repository
|
||||
target: /etc/yum.repos.d/ceph-reef.repo
|
||||
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgcheck: 0,
|
||||
mirrorlist: absent
|
||||
|
||||
profiles::ceph::client::keyrings:
|
||||
nomad:
|
||||
key: "%{hiera('ceph::key::media')}"
|
||||
|
||||
profiles::packages::include:
|
||||
nomad: {}
|
||||
cni-plugins: {}
|
||||
|
||||
profiles::nomad::node::client: true
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- client.global.nomad
|
||||
- client.au-syd1.nomad
|
||||
- nomad-client.service.consul
|
||||
- nomad-client.query.consul
|
||||
- "nomad-client.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: nomad-client
|
||||
disposition: write
|
||||
- resource: agent_prefix
|
||||
segment: ''
|
||||
disposition: read
|
||||
- resource: node_prefix
|
||||
segment: ''
|
||||
disposition: write
|
||||
- resource: service_prefix
|
||||
segment: ''
|
||||
disposition: write
|
||||
- resource: key_prefix
|
||||
segment: "nomad"
|
||||
disposition: write
|
||||
- resource: session_prefix
|
||||
segment: ""
|
||||
disposition: write
|
||||
@@ -0,0 +1,34 @@
|
||||
---
|
||||
|
||||
hiera_include:
|
||||
- profiles::nomad::node
|
||||
|
||||
profiles::packages::include:
|
||||
nomad: {}
|
||||
|
||||
profiles::nomad::node::server: true
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- client.global.nomad
|
||||
- client.au-syd1.nomad
|
||||
- server.global.nomad
|
||||
- server.au-syd1.nomad
|
||||
- nomad.service.consul
|
||||
- nomad.query.consul
|
||||
- "nomad.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: nomad
|
||||
disposition: write
|
||||
- resource: agent_prefix
|
||||
segment: ''
|
||||
disposition: read
|
||||
- resource: node_prefix
|
||||
segment: ''
|
||||
disposition: write
|
||||
- resource: service_prefix
|
||||
segment: ''
|
||||
disposition: write
|
||||
@@ -0,0 +1,29 @@
|
||||
profiles::pki::vault::alt_names:
|
||||
- jumphost.service.consul
|
||||
- jumphost.query.consul
|
||||
- "jumphost.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- jumphost.query.consul
|
||||
- jumphost.service.consul
|
||||
- jumphost.service.%{facts.country}-%{facts.region}.consul
|
||||
|
||||
consul::services:
|
||||
jumphost:
|
||||
service_name: 'jumphost'
|
||||
tags:
|
||||
- 'jumphost'
|
||||
- 'proxy'
|
||||
- 'ssh'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 22
|
||||
checks:
|
||||
- id: 'ssh_tcp_check'
|
||||
name: 'SSH TCP Check'
|
||||
tcp: "%{facts.networking.ip}:22"
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: jumphost
|
||||
disposition: write
|
||||
@@ -5,6 +5,13 @@ profiles::puppet::autosign::subnet_ranges:
|
||||
- '198.18.15.0/24'
|
||||
- '198.18.16.0/24'
|
||||
- '198.18.17.0/24'
|
||||
- '198.18.20.0/24'
|
||||
- '198.18.24.0/24'
|
||||
- '198.18.25.0/24'
|
||||
- '198.18.26.0/24'
|
||||
- '198.18.27.0/24'
|
||||
- '198.18.28.0/24'
|
||||
- '198.18.29.0/24'
|
||||
|
||||
profiles::puppet::autosign::domains:
|
||||
- '*.main.unkin.net'
|
||||
@@ -19,7 +26,7 @@ profiles::puppet::cobbler_enc::packages:
|
||||
- 'requests'
|
||||
- 'PyYAML'
|
||||
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
|
||||
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkinben/puppet-r10k.git
|
||||
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkin/puppet-r10k.git
|
||||
profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
|
||||
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
|
||||
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
profiles::puppet::puppetboard::secret_key: ENC[PKCS7,MIIB+wYJKoZIhvcNAQcDoIIB7DCCAegCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoCr9JTtrnMaVjJlEpA0NYNt/QAgTGiEmS3kPn2oJ80Ay7fUl79pop95uLQIfw6C3e8WGUhxYt31wmzent4Bfbced7uF/tjhP2cniKPmZGuf/tmVrGIHIh4T4g0Wz2K0DIU/dGWUlgE03ICRxXlAy0atjUuAp02ehj7bzLuMf+vZbghm8vnOoDCTKjeZNAJEkDvBkIzwUu9JiM9Gn6BzoLLGdEERqs/LR832vjjNmF7KUEH/Ntt47wbLdfCzawsZsBNLggEb1HNGu0aSb0qBXYBPRq6w1L/RU8gX2dCqGRbhDZymihebaOcwU1AtbLEBdHTYQpga+c4bcTz9rJplLtjCBvQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQAdSjLEaZPK47TY7LDCB7b4CBkOTvHbi4nb+pB/Kng+Z3N9ocZPZdGbV6WzMNGxsxmhWXoi+XKEzEvfB10UhQwDcvZXd2W9hhiRkakq7+S0uLWzCX1jNMH2LXZAzoiyGM4FFvGpx7Z64OhmVrOJuKnxD+3zK6PZqvMb3g7CjZeAr5vyhcT/zO75krhJuYp11ZFpLCRcuASf0ru+Jq5OKD4+ZI/g==]
|
||||
@@ -2,110 +2,161 @@
|
||||
profiles::packages::include:
|
||||
createrepo: {}
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- packagerepo.service.consul
|
||||
- packagerepo.query.consul
|
||||
- "packagerepo.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- repos.main.unkin.net
|
||||
- packagerepo.main.unkin.net
|
||||
- packagerepo.service.consul
|
||||
- packagerepo.query.consul
|
||||
- "packagerepo.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
jupyterhub:
|
||||
service_name: 'packagerepo'
|
||||
tags:
|
||||
- 'packagerepo'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'packagerepo_http_check'
|
||||
name: 'packagerepo HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: packagerepo
|
||||
disposition: write
|
||||
|
||||
profiles::reposync::webserver::nginx_listen_mode: both
|
||||
profiles::reposync::webserver::nginx_cert_type: vault
|
||||
profiles::reposync::repos_list:
|
||||
almalinux_8_9_baseos:
|
||||
repository: 'BaseOS'
|
||||
description: 'AlmaLinux 8.9 - BaseOS'
|
||||
almalinux_9_5_baseos:
|
||||
repository: 'baseos'
|
||||
description: 'AlmaLinux 9.5 BaseOS'
|
||||
osname: 'almalinux'
|
||||
release: '8.9'
|
||||
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/baseos
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
|
||||
almalinux_8_9_appstream:
|
||||
repository: 'AppStream'
|
||||
description: 'AlmaLinux 8.9 - AppStream'
|
||||
release: '9.5'
|
||||
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_5_appstream:
|
||||
repository: 'appstream'
|
||||
description: 'AlmaLinux 9.5 AppStream'
|
||||
osname: 'almalinux'
|
||||
release: '8.9'
|
||||
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/appstream
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
|
||||
almalinux_8_9_highavailability:
|
||||
repository: 'HighAvailability'
|
||||
description: 'AlmaLinux 8.9 - HighAvailability'
|
||||
release: '9.5'
|
||||
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_5_crb:
|
||||
repository: 'crb'
|
||||
description: 'AlmaLinux 9.5 CRB'
|
||||
osname: 'almalinux'
|
||||
release: '8.9'
|
||||
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/ha
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
|
||||
almalinux_8_9_powertools:
|
||||
repository: 'PowerTools'
|
||||
description: 'AlmaLinux 8.9 - PowerTools'
|
||||
release: '9.5'
|
||||
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_5_ha:
|
||||
repository: 'ha'
|
||||
description: 'AlmaLinux 9.5 HighAvailability'
|
||||
osname: 'almalinux'
|
||||
release: '8.9'
|
||||
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/powertools
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
|
||||
almalinux_8_9_extras:
|
||||
release: '9.5'
|
||||
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_5_extras:
|
||||
repository: 'extras'
|
||||
description: 'AlmaLinux 8.9 - extras'
|
||||
description: 'AlmaLinux 9.5 extras'
|
||||
osname: 'almalinux'
|
||||
release: '8.9'
|
||||
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/extras
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
|
||||
centos_8_advanced_virtualization:
|
||||
repository: 'virt-advanced-virtualization'
|
||||
description: 'CentOS Advanced Virtualization'
|
||||
osname: 'centos'
|
||||
release: '8' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=virt-advanced-virtualization' # Assuming 'stream' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
|
||||
centos_8_ceph_pacific:
|
||||
repository: 'storage-ceph-pacific'
|
||||
description: 'CentOS Ceph Pacific'
|
||||
osname: 'centos'
|
||||
release: '8' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=storage-ceph-pacific' # Assuming '8' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
|
||||
centos_8_rabbitmq_38:
|
||||
repository: 'messaging-rabbitmq-38'
|
||||
description: 'CentOS RabbitMQ 38'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Specified based on the repository name
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=messaging-rabbitmq-38' # Assuming '8' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
|
||||
centos_8_nfv_openvswitch:
|
||||
repository: 'nfv-openvswitch-2'
|
||||
description: 'CentOS NFV OpenvSwitch'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=nfv-openvswitch-2' # Assuming 'stream' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
|
||||
centos_8_openstack_xena:
|
||||
repository: 'cloud-openstack-xena'
|
||||
description: 'CentOS OpenStack Xena'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Directly taken from the provided mirrorlist
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=cloud-openstack-xena' # Assuming 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
|
||||
centos_8_opstools:
|
||||
repository: 'opstools-collectd-5'
|
||||
description: 'CentOS OpsTools - collectd'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?arch=x86_64&release=8-stream&repo=opstools-collectd-5' # Assuming 'stream' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
|
||||
centos_8_ovirt45:
|
||||
repository: 'virt-ovirt-45'
|
||||
description: 'CentOS oVirt 4.5'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=virt-ovirt-45' # Assuming 'stream' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
|
||||
centos_8_stream_gluster10:
|
||||
repository: 'storage-gluster-10'
|
||||
description: 'CentOS oVirt 4.5 - Glusterfs 10'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=storage-gluster-10' # Assuming 'stream' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
|
||||
epel_8_everything:
|
||||
repository: 'Everything'
|
||||
description: 'EPEL 8 Everything'
|
||||
osname: 'epel'
|
||||
release: '8'
|
||||
mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
|
||||
gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
|
||||
release: '9.5'
|
||||
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_4_baseos:
|
||||
repository: 'baseos'
|
||||
description: 'AlmaLinux 9.4 BaseOS'
|
||||
osname: 'almalinux'
|
||||
release: '9.4'
|
||||
baseurl: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/'
|
||||
gpgkey: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_4_appstream:
|
||||
repository: 'appstream'
|
||||
description: 'AlmaLinux 9.4 AppStream'
|
||||
osname: 'almalinux'
|
||||
release: '9.4'
|
||||
baseurl: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/'
|
||||
gpgkey: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_4_crb:
|
||||
repository: 'crb'
|
||||
description: 'AlmaLinux 9.4 CRB'
|
||||
osname: 'almalinux'
|
||||
release: '9.4'
|
||||
baseurl: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/'
|
||||
gpgkey: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_4_ha:
|
||||
repository: 'ha'
|
||||
description: 'AlmaLinux 9.4 HighAvailability'
|
||||
osname: 'almalinux'
|
||||
release: '9.4'
|
||||
baseurl: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/'
|
||||
gpgkey: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_4_extras:
|
||||
repository: 'extras'
|
||||
description: 'AlmaLinux 9.4 extras'
|
||||
osname: 'almalinux'
|
||||
release: '9.4'
|
||||
baseurl: 'https://vault.almalinux.org/9.4/extras/x86_64/os/'
|
||||
gpgkey: 'https://vault.almalinux.org/9.4/extras/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
|
||||
docker_stable_el8:
|
||||
repository: 'stable'
|
||||
description: 'Docker CE Stable EL8'
|
||||
osname: 'docker'
|
||||
release: 'el8'
|
||||
baseurl: 'https://download.docker.com/linux/centos/8/x86_64/stable/'
|
||||
gpgkey: 'https://download.docker.com/linux/centos/gpg'
|
||||
docker_stable_el9:
|
||||
repository: 'stable'
|
||||
description: 'Docker CE Stable EL9'
|
||||
osname: 'docker'
|
||||
release: 'el9'
|
||||
baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
|
||||
gpgkey: 'https://download.docker.com/linux/centos/gpg'
|
||||
frr_stable_el8:
|
||||
repository: 'stable'
|
||||
description: 'FRR Stable EL8'
|
||||
osname: 'frr'
|
||||
release: 'el8'
|
||||
baseurl: 'https://rpm.frrouting.org/repo/el8/frr/'
|
||||
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||
frr_extras_el8:
|
||||
repository: 'extras'
|
||||
description: 'FRR Extras EL8'
|
||||
osname: 'frr'
|
||||
release: 'el8'
|
||||
baseurl: 'https://rpm.frrouting.org/repo/el8/extras/'
|
||||
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||
frr_stable_el9:
|
||||
repository: 'stable'
|
||||
description: 'FRR Stable EL9'
|
||||
osname: 'frr'
|
||||
release: 'el9'
|
||||
baseurl: 'https://rpm.frrouting.org/repo/el9/frr/'
|
||||
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||
frr_extras_el9:
|
||||
repository: 'extras'
|
||||
description: 'FRR Extras el9'
|
||||
osname: 'frr'
|
||||
release: 'el9'
|
||||
baseurl: 'https://rpm.frrouting.org/repo/el9/extras/'
|
||||
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||
k8s_1.32:
|
||||
repository: '1.32'
|
||||
description: 'Kubernetes 1.32'
|
||||
osname: 'k8s'
|
||||
release: '1.32'
|
||||
baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/'
|
||||
gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/repodata/repomd.xml.key'
|
||||
mariadb_11_2_el8:
|
||||
repository: 'el8'
|
||||
description: 'MariaDB 11.2'
|
||||
@@ -120,6 +171,27 @@ profiles::reposync::repos_list:
|
||||
release: 'el'
|
||||
baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/'
|
||||
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
|
||||
puppet7_el9:
|
||||
repository: '9'
|
||||
description: 'Puppet 7 EL9'
|
||||
osname: 'puppet7'
|
||||
release: 'el'
|
||||
baseurl: 'https://yum.puppet.com/puppet7/el/9/x86_64/'
|
||||
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
|
||||
puppet8_el8:
|
||||
repository: '8'
|
||||
description: 'Puppet 8 EL8'
|
||||
osname: 'puppet8'
|
||||
release: 'el'
|
||||
baseurl: 'https://yum.puppet.com/puppet8/el/8/x86_64/'
|
||||
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
|
||||
puppet8_el9:
|
||||
repository: '9'
|
||||
description: 'Puppet 8 EL9'
|
||||
osname: 'puppet8'
|
||||
release: 'el'
|
||||
baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/'
|
||||
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
|
||||
postgresql_rhel8_common:
|
||||
repository: 'common'
|
||||
description: 'PostgreSQL Common RHEL 8'
|
||||
@@ -127,6 +199,13 @@ profiles::reposync::repos_list:
|
||||
release: 'rhel8'
|
||||
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
|
||||
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||
postgresql_rhel9_common:
|
||||
repository: 'common'
|
||||
description: 'PostgreSQL Common RHEL 9'
|
||||
osname: 'postgresql'
|
||||
release: 'rhel9'
|
||||
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
|
||||
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||
postgresql_rhel8_16:
|
||||
repository: '16'
|
||||
description: 'PostgreSQL 16 RHEL 8'
|
||||
@@ -134,3 +213,38 @@ profiles::reposync::repos_list:
|
||||
release: 'rhel8'
|
||||
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
|
||||
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||
postgresql_rhel9_16:
|
||||
repository: '16'
|
||||
description: 'PostgreSQL 16 RHEL 9'
|
||||
osname: 'postgresql'
|
||||
release: 'rhel9'
|
||||
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
|
||||
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||
zfs_dkms_rhel8:
|
||||
repository: 'dkms'
|
||||
description: 'ZFS DKMS RHEL 8'
|
||||
osname: 'zfs'
|
||||
release: 'rhel8'
|
||||
baseurl: 'http://download.zfsonlinux.org/epel/8/x86_64/'
|
||||
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
|
||||
zfs_kmod_rhel8:
|
||||
repository: 'kmod'
|
||||
description: 'ZFS KMOD RHEL 8'
|
||||
osname: 'zfs'
|
||||
release: 'rhel8'
|
||||
baseurl: 'http://download.zfsonlinux.org/epel/8/kmod/x86_64/'
|
||||
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
|
||||
zfs_dkms_rhel9:
|
||||
repository: 'dkms'
|
||||
description: 'ZFS DKMS RHEL 9'
|
||||
osname: 'zfs'
|
||||
release: 'rhel9'
|
||||
baseurl: 'http://download.zfsonlinux.org/epel/9/x86_64/'
|
||||
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
|
||||
zfs_kmod_rhel9:
|
||||
repository: 'kmod'
|
||||
description: 'ZFS KMOD RHEL 9'
|
||||
osname: 'zfs'
|
||||
release: 'rhel9'
|
||||
baseurl: 'http://download.zfsonlinux.org/epel/9/kmod/x86_64/'
|
||||
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
|
||||
|
||||
@@ -1,7 +1,14 @@
|
||||
# used by certbot clients to request letsencrypt certificates
|
||||
# - domains: list of certificates to generate
|
||||
# - webserver: where the client downloads certificates from
|
||||
# - data_dir: where to store the certificates on the client
|
||||
# - services: the services to notify when certificates change
|
||||
#
|
||||
class certbot::client (
|
||||
Array[Stdlib::Fqdn] $domains,
|
||||
Stdlib::Fqdn $webserver,
|
||||
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
|
||||
Optional[String] $service = undef,
|
||||
) {
|
||||
|
||||
mkdir::p {$data_dir:}
|
||||
@@ -14,10 +21,11 @@ class certbot::client (
|
||||
|
||||
$domains.each |$domain| {
|
||||
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
|
||||
domain => $domain,
|
||||
destination => "${data_dir}/${domain}",
|
||||
webserver => $webserver,
|
||||
require => File[$data_dir],
|
||||
domain => $domain,
|
||||
destination => "${data_dir}/${domain}",
|
||||
webserver => $webserver,
|
||||
require => File[$data_dir],
|
||||
notify_service => $service,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,7 +1,13 @@
|
||||
# a define for creating a single certificate
|
||||
# - domain: the domain to generate a certificate for
|
||||
# - webserver: where to download the certificate from
|
||||
# - destination: the data directory on the client
|
||||
# - notify_service: what service to notify when the concat exec completes
|
||||
define certbot::client::cert (
|
||||
Stdlib::Fqdn $domain,
|
||||
Stdlib::Fqdn $webserver,
|
||||
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
|
||||
Optional[String] $notify_service = undef,
|
||||
) {
|
||||
|
||||
file { $destination:
|
||||
@@ -34,8 +40,16 @@ define certbot::client::cert (
|
||||
}
|
||||
}
|
||||
|
||||
# create file resources
|
||||
create_resources(file, $files_to_create)
|
||||
|
||||
# if notify_service is specified
|
||||
if $notify_service != undef {
|
||||
$service = Service[$notify_service]
|
||||
}else{
|
||||
$service = undef
|
||||
}
|
||||
|
||||
exec { "concat_${domain}_certs":
|
||||
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
|
||||
path => ['/bin', '/usr/bin'],
|
||||
@@ -44,6 +58,7 @@ define certbot::client::cert (
|
||||
File["${destination}/fullchain.pem"],
|
||||
File["${destination}/privkey.pem"],
|
||||
],
|
||||
notify => $service,
|
||||
}
|
||||
} else {
|
||||
notify { 'Certificates are not yet ready on the generator server.': }
|
||||
|
||||
@@ -0,0 +1,110 @@
|
||||
# manage etcd
|
||||
class etcd (
|
||||
Boolean $manage_user = true,
|
||||
Boolean $manage_group = true,
|
||||
Boolean $manage_package = true,
|
||||
Boolean $manage_service = true,
|
||||
String[1] $package_name = 'etcd',
|
||||
String[1] $user = 'etcd',
|
||||
String[1] $group = 'etcd',
|
||||
Stdlib::Absolutepath $config_path = '/etc/etcd',
|
||||
Stdlib::Absolutepath $config_file = "${config_path}/etcd.yaml",
|
||||
Hash $config = { 'data-dir' => '/var/lib/etcd' },
|
||||
Integer $max_open_files = 40000,
|
||||
) {
|
||||
if downcase($facts['kernel']) != 'linux' {
|
||||
fail("Module etcd only supports Linux, not ${facts['kernel']}")
|
||||
}
|
||||
if $facts['service_provider'] != 'systemd' {
|
||||
fail('Module etcd only supported on systems using systemd')
|
||||
}
|
||||
if ! $config['data-dir'] {
|
||||
fail('Module etcd requires data-dir be specified in config Hash')
|
||||
}
|
||||
|
||||
if $manage_package {
|
||||
package { $package_name:
|
||||
ensure => installed,
|
||||
}
|
||||
}
|
||||
|
||||
if $manage_user {
|
||||
user { 'etcd':
|
||||
ensure => 'present',
|
||||
name => $user,
|
||||
forcelocal => true,
|
||||
shell => '/bin/false',
|
||||
gid => $group,
|
||||
home => $config['data-dir'],
|
||||
managehome => false,
|
||||
system => true,
|
||||
before => Systemd::Unit_file['etcd.service'],
|
||||
}
|
||||
}
|
||||
if $manage_group {
|
||||
group { 'etcd':
|
||||
ensure => 'present',
|
||||
name => $group,
|
||||
forcelocal => true,
|
||||
system => true,
|
||||
before => Systemd::Unit_file['etcd.service'],
|
||||
}
|
||||
}
|
||||
|
||||
mkdir::p { $config_path: }
|
||||
mkdir::p { $config['data-dir']: }
|
||||
|
||||
file { $config_file:
|
||||
ensure => 'file',
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0600',
|
||||
content => to_yaml($config),
|
||||
notify => Systemd::Unit_file['etcd.service'],
|
||||
require => Mkdir::P[$config_path],
|
||||
}
|
||||
|
||||
file { 'etcd-data-dir':
|
||||
ensure => 'directory',
|
||||
path => $config['data-dir'],
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0700',
|
||||
notify => Systemd::Unit_file['etcd.service'],
|
||||
require => Mkdir::P[$config['data-dir']],
|
||||
}
|
||||
|
||||
file { 'etcd-data-dir-wal.tmp':
|
||||
ensure => 'directory',
|
||||
path => "${config['data-dir']}/wal.tmp",
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0700',
|
||||
notify => Systemd::Unit_file['etcd.service'],
|
||||
require => File['etcd-data-dir'],
|
||||
}
|
||||
|
||||
if $config['wal-dir'] {
|
||||
mkdir::p { $config['wal-dir']: }
|
||||
file { 'etcd-wal-dir':
|
||||
ensure => 'directory',
|
||||
path => $config['wal-dir'],
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0700',
|
||||
notify => Systemd::Unit_file['etcd.service'],
|
||||
require => Mkdir::P[$config['wal-dir']],
|
||||
}
|
||||
}
|
||||
|
||||
if $manage_service {
|
||||
include ::systemd
|
||||
|
||||
systemd::unit_file { 'etcd.service':
|
||||
content => template('etcd/etcd.service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
require => Package[$package_name],
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
# DO NOT EDIT: This file is being managed by Puppet.
|
||||
[Unit]
|
||||
Description=etcd key-value store
|
||||
Documentation=https://github.com/etcd-io/etcd
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
User=<%= @user %>
|
||||
Group=<%= @group %>
|
||||
Type=notify
|
||||
ExecStart=/usr/bin/etcd --config-file <%= @config_file %>
|
||||
Restart=always
|
||||
RestartSec=10s
|
||||
LimitNOFILE=<%= @max_open_files %>
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,89 @@
|
||||
class frrouting (
|
||||
Boolean $manage_package = true,
|
||||
Boolean $manage_config = true,
|
||||
Boolean $manage_service = true,
|
||||
String $package_name = 'frr',
|
||||
String $service_name = 'frr',
|
||||
Hash $daemons = {},
|
||||
Hash $ospfd_interfaces = {},
|
||||
String $ospfd_router_id = $facts['networking']['ip'],
|
||||
Array[String] $ospfd_redistribute = [],
|
||||
Array[String] $ospfd_networks = [],
|
||||
Boolean $ospfd_default_originate_always = false,
|
||||
Boolean $mpls_te_enabled = false,
|
||||
Optional[String] $mpls_ldp_router_id = undef,
|
||||
Optional[String] $mpls_ldp_transport_addr = undef,
|
||||
Array[String] $mpls_ldp_interfaces = [],
|
||||
) {
|
||||
|
||||
$daemons_defaults = {
|
||||
'bgpd' => false,
|
||||
'ospfd' => true,
|
||||
'ospf6d' => false,
|
||||
'ldpd' => false,
|
||||
'ripd' => false,
|
||||
'ripngd' => false,
|
||||
'isisd' => false,
|
||||
'pimd' => false,
|
||||
'pim6d' => false,
|
||||
'nhrpd' => false,
|
||||
'eigrpd' => false,
|
||||
'sharpd' => false,
|
||||
'pbrd' => false,
|
||||
'bfdd' => false,
|
||||
'fabricd' => false,
|
||||
'vrrpd' => false,
|
||||
'pathd' => false,
|
||||
'staticd' => false,
|
||||
}
|
||||
|
||||
$daemons_merged = merge($daemons_defaults, $daemons)
|
||||
|
||||
if $manage_package {
|
||||
package { $package_name:
|
||||
ensure => installed,
|
||||
}
|
||||
}
|
||||
|
||||
if $manage_config {
|
||||
file { '/etc/frr/frr.conf':
|
||||
ensure => file,
|
||||
content => template('frrouting/frr.conf.erb'),
|
||||
notify => Service[$service_name],
|
||||
}
|
||||
|
||||
file { '/etc/frr/daemons':
|
||||
ensure => file,
|
||||
content => template('frrouting/daemons.erb'),
|
||||
notify => Service[$service_name],
|
||||
}
|
||||
}
|
||||
|
||||
if $manage_service {
|
||||
service { $service_name:
|
||||
ensure => running,
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
}
|
||||
}
|
||||
|
||||
if $mpls_ldp_router_id and $mpls_ldp_transport_addr and !empty($mpls_ldp_interfaces) {
|
||||
file { '/etc/modules-load.d/mpls_ldp_modules.conf':
|
||||
ensure => file,
|
||||
content => @(EOT/L),
|
||||
# Load MPLS Kernel Modules
|
||||
mpls_router
|
||||
mpls_iptunnel
|
||||
| EOT
|
||||
}
|
||||
|
||||
['mpls_router', 'mpls_iptunnel'].each |$mod| {
|
||||
exec { "load_${mod}":
|
||||
command => "/sbin/modprobe ${mod}",
|
||||
unless => "/sbin/lsmod | /bin/grep -q ^${mod}",
|
||||
path => ['/sbin', '/bin', '/usr/sbin', '/usr/bin'],
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,29 @@
|
||||
# THIS FILE IS MANAGED BY PUPPET
|
||||
<% @daemons_merged.each do |daemon, status| -%>
|
||||
<% if status -%>
|
||||
<%= daemon %>=yes
|
||||
<% else -%>
|
||||
<%= daemon %>=no
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
vtysh_enable=yes
|
||||
zebra_options=" -A 127.0.0.1 -s 90000000"
|
||||
bgpd_options=" -A 127.0.0.1"
|
||||
ospfd_options=" -A 127.0.0.1"
|
||||
ospf6d_options=" -A ::1"
|
||||
ldpd_options=" -A 127.0.0.1"
|
||||
ripd_options=" -A 127.0.0.1"
|
||||
ripngd_options=" -A ::1"
|
||||
isisd_options=" -A 127.0.0.1"
|
||||
pimd_options=" -A 127.0.0.1"
|
||||
pim6d_options=" -A ::1"
|
||||
nhrpd_options=" -A 127.0.0.1"
|
||||
eigrpd_options=" -A 127.0.0.1"
|
||||
sharpd_options=" -A 127.0.0.1"
|
||||
pbrd_options=" -A 127.0.0.1"
|
||||
staticd_options="-A 127.0.0.1"
|
||||
bfdd_options=" -A 127.0.0.1"
|
||||
fabricd_options="-A 127.0.0.1"
|
||||
vrrpd_options=" -A 127.0.0.1"
|
||||
pathd_options=" -A 127.0.0.1"
|
||||
@@ -0,0 +1,48 @@
|
||||
# THIS FILE IS MANAGED BY PUPPET
|
||||
frr defaults traditional
|
||||
hostname <%= @hostname %>
|
||||
no ipv6 forwarding
|
||||
<% @ospfd_interfaces.each do |iface, params| -%>
|
||||
interface <%= iface %>
|
||||
<% if params['area'] -%>
|
||||
ip ospf area <%= params['area'] %>
|
||||
<% end -%>
|
||||
<% if params['passive'] == true -%>
|
||||
ip ospf passive
|
||||
<% end -%>
|
||||
<% if @mpls_ldp_interfaces and @mpls_ldp_interfaces.include?(iface) -%>
|
||||
mpls enable
|
||||
<% end -%>
|
||||
exit
|
||||
<% end -%>
|
||||
router ospf
|
||||
ospf router-id <%= @ospfd_router_id %>
|
||||
log-adjacency-changes detail
|
||||
<% @ospfd_redistribute.each do |type| -%>
|
||||
redistribute <%= type %>
|
||||
<% end -%>
|
||||
<% @ospfd_networks.each do |network| -%>
|
||||
network <%= network %>
|
||||
<% end -%>
|
||||
<% if @ospfd_default_originate_always -%>
|
||||
default-information originate always
|
||||
<% end -%>
|
||||
<% if @mpls_te_enabled -%>
|
||||
capability opaque
|
||||
mpls-te on
|
||||
mpls-te router-address <%= @ospfd_router_id %>
|
||||
mpls-te inter-as area 0.0.0.0
|
||||
<% end -%>
|
||||
exit
|
||||
<% if @mpls_ldp_router_id and @mpls_ldp_transport_addr and @mpls_ldp_interfaces.any? -%>
|
||||
mpls ldp
|
||||
router-id <%= @mpls_ldp_router_id %>
|
||||
address-family ipv4
|
||||
discovery transport-address <%= @mpls_ldp_transport_addr %>
|
||||
<% @mpls_ldp_interfaces.each do |iface| -%>
|
||||
interface <%= iface %>
|
||||
exit
|
||||
<% end -%>
|
||||
exit-address-family
|
||||
exit
|
||||
<% end -%>
|
||||
@@ -0,0 +1,18 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
require 'yaml'
|
||||
|
||||
Facter.add(:incus) do
|
||||
setcode do
|
||||
# Check if the 'incus' executable exists
|
||||
incus_path = Facter::Util::Resolution.which('incus')
|
||||
next {} unless incus_path # Return an empty fact if incus isn't found
|
||||
|
||||
# Run the `incus info` command using the found path
|
||||
incus_output = Facter::Core::Execution.execute("#{incus_path} info")
|
||||
next {} if incus_output.empty? # Return an empty fact if there's no output
|
||||
|
||||
# Parse the output as YAML and return it
|
||||
YAML.safe_load(incus_output, permitted_classes: [Symbol, Time, Date])
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,57 @@
|
||||
# manage incus clusters
|
||||
class incus::cluster (
|
||||
Boolean $members_lookup = false,
|
||||
String $members_role = undef,
|
||||
String $master = undef,
|
||||
Array $servers = [],
|
||||
Stdlib::Fqdn $server_fqdn = $facts['networking']['fqdn'],
|
||||
Stdlib::Port $server_port = 8443,
|
||||
){
|
||||
|
||||
# check that the master is named
|
||||
unless !($master == undef) {
|
||||
fail("master must be provided for ${title}")
|
||||
}
|
||||
|
||||
# if lookup is enabled
|
||||
if $members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($members_role == undef) {
|
||||
fail("members_role must be provided for ${title} when members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $servers
|
||||
}
|
||||
|
||||
# if its not an empty array. Give puppetdb a chance to be populated with data.
|
||||
if length($servers_array) >= 3 {
|
||||
|
||||
# check if this is the master_node
|
||||
if $master == $trusted['certname'] {
|
||||
$master_bool = true
|
||||
}else{
|
||||
$master_bool = false
|
||||
}
|
||||
|
||||
# find bootstrap status for servers
|
||||
$bootstrap_array = puppetdb_query("inventory[certname, facts] { facts.enc_role = '${members_role}' }").map |$node| {
|
||||
{
|
||||
'fqdn' => $node['certname'],
|
||||
'ip' => $node['facts']['networking']['ip'],
|
||||
'clustered' => $node['facts']['incus']['environment']['server_clustered'],
|
||||
'certificate' => $node['facts']['incus']['environment']['certificate'],
|
||||
}
|
||||
}
|
||||
|
||||
# determine if the cluster is bootstrapped
|
||||
$cluster_bootstrapped = $bootstrap_array.any |$server| {
|
||||
$server['fqdn'] == $master and $server['clustered'] == true
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,77 @@
|
||||
class incus (
|
||||
Array[String] $packages = [
|
||||
'incus',
|
||||
'incus-tools',
|
||||
'incus-client'
|
||||
],
|
||||
Boolean $cluster = false,
|
||||
Boolean $init = true,
|
||||
String $bridge = 'incusbr0',
|
||||
Stdlib::Port $server_port = 8443,
|
||||
Stdlib::IP::Address $server_addr = $facts['networking']['ip'],
|
||||
Optional[String] $storage_images_volume = undef,
|
||||
) {
|
||||
|
||||
package { $packages:
|
||||
ensure => installed,
|
||||
}
|
||||
|
||||
service { 'incus':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
}
|
||||
|
||||
file_line { 'subuid_root':
|
||||
ensure => present,
|
||||
path => '/etc/subuid',
|
||||
line => 'root:1000000:1000000000',
|
||||
match => '^root:',
|
||||
notify => Service['incus'],
|
||||
}
|
||||
|
||||
file_line { 'subgid_root':
|
||||
ensure => present,
|
||||
path => '/etc/subgid',
|
||||
line => 'root:1000000:1000000000',
|
||||
match => '^root:',
|
||||
notify => Service['incus'],
|
||||
}
|
||||
|
||||
if $init {
|
||||
file {'/root/incus.preseed.yaml':
|
||||
ensure => file,
|
||||
owner => root,
|
||||
group => root,
|
||||
content => template('incus/join_preseed.yaml.erb')
|
||||
}
|
||||
|
||||
exec { 'initiate_incus':
|
||||
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
|
||||
command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized',
|
||||
refreshonly => true,
|
||||
creates => '/root/.incus_initialized',
|
||||
subscribe => File['/root/incus.preseed.yaml'],
|
||||
}
|
||||
}
|
||||
|
||||
if $facts['incus'] and $facts['incus']['config'] {
|
||||
# set core.https_address
|
||||
if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
|
||||
exec { 'incus_config_set_core_https_address':
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "incus config set core.https_address ${server_addr}:${server_port}",
|
||||
}
|
||||
}
|
||||
# set storage.images_volume # path to store images
|
||||
if $storage_images_volume {
|
||||
if $facts['incus']['config']['storage.images_volume'] != $storage_images_volume {
|
||||
exec { 'incus_config_set_storage_images_volume':
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "incus config set storage.images_volume ${storage_images_volume}",
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
config:
|
||||
core.https_address: <%= @server_fqdn %>:<%= @server_port %>
|
||||
networks: []
|
||||
storage_pools: []
|
||||
storage_volumes: []
|
||||
profiles:
|
||||
- config: {}
|
||||
description: ""
|
||||
devices:
|
||||
eth0:
|
||||
name: eth0
|
||||
nictype: bridged
|
||||
parent: <%= @bridge %>
|
||||
type: nic
|
||||
name: default
|
||||
project: default
|
||||
projects: []
|
||||
cluster: null
|
||||
@@ -0,0 +1,74 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
require 'facter'
|
||||
require 'yaml'
|
||||
require 'net/http'
|
||||
require 'uri'
|
||||
require 'fileutils'
|
||||
|
||||
# CobblerENC module: Fetches ENC data from Cobbler, caches it, and provides structured facts.
|
||||
module CobblerENC
|
||||
CACHE_FILE = '/var/cache/puppet_enc.yaml'
|
||||
CACHE_TTL = 7 * 24 * 60 * 60 # 7 days in seconds
|
||||
@enc_data = nil # In-memory cache for the ENC response
|
||||
|
||||
def self.read_cache
|
||||
return {} unless File.exist?(CACHE_FILE)
|
||||
|
||||
cache_data = YAML.safe_load(File.read(CACHE_FILE)) || {}
|
||||
timestamp = cache_data.fetch('timestamp', 0)
|
||||
|
||||
return cache_data if Time.now.to_i - timestamp < CACHE_TTL
|
||||
|
||||
{}
|
||||
end
|
||||
|
||||
def self.write_cache(enc_data)
|
||||
FileUtils.mkdir_p(File.dirname(CACHE_FILE))
|
||||
cache_data = enc_data.merge({ 'timestamp' => Time.now.to_i })
|
||||
File.write(CACHE_FILE, cache_data.to_yaml)
|
||||
end
|
||||
|
||||
def self.fetch_from_cobbler
|
||||
uri = URI("http://cobbler.main.unkin.net/cblr/svc/op/puppet/hostname/#{Facter.value(:fqdn) || Facter.value(:hostname)}")
|
||||
response = Net::HTTP.get_response(uri)
|
||||
|
||||
raise "Failed to fetch ENC data. HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
|
||||
|
||||
YAML.safe_load(response.body) || {}
|
||||
end
|
||||
|
||||
def self.retrieve_enc_data
|
||||
return @enc_data if @enc_data
|
||||
|
||||
@enc_data = fetch_from_cobbler
|
||||
write_cache(@enc_data)
|
||||
@enc_data
|
||||
end
|
||||
|
||||
def self.fetch_enc_data
|
||||
retrieve_enc_data
|
||||
rescue StandardError => e
|
||||
Facter.warn("Error retrieving Cobbler ENC data: #{e.message}")
|
||||
@enc_data = read_cache
|
||||
return @enc_data unless @enc_data.empty?
|
||||
|
||||
raise 'No cached ENC data available and Cobbler is down.'
|
||||
end
|
||||
|
||||
def self.enc_role
|
||||
fetch_enc_data.fetch('classes', {}).keys.first || raise('ENC Role not found in Cobbler ENC response')
|
||||
end
|
||||
|
||||
def self.enc_env
|
||||
fetch_enc_data.fetch('environment', nil) || raise('ENC Environment not found in Cobbler ENC response')
|
||||
end
|
||||
end
|
||||
|
||||
Facter.add('enc_role') do
|
||||
setcode { CobblerENC.enc_role }
|
||||
end
|
||||
|
||||
Facter.add('enc_env') do
|
||||
setcode { CobblerENC.enc_env }
|
||||
end
|
||||
@@ -1,13 +0,0 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add('enc_env') do
|
||||
setcode do
|
||||
require 'yaml'
|
||||
# Check if the YAML file exists
|
||||
if File.exist?('/root/.cache/custom_facts.yaml')
|
||||
data = YAML.load_file('/root/.cache/custom_facts.yaml')
|
||||
# Use safe navigation to return 'enc_env' or nil
|
||||
data&.dig('enc_env')
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -1,13 +0,0 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add('enc_role') do
|
||||
setcode do
|
||||
require 'yaml'
|
||||
# Check if the YAML file exists
|
||||
if File.exist?('/root/.cache/custom_facts.yaml')
|
||||
data = YAML.load_file('/root/.cache/custom_facts.yaml')
|
||||
# Use safe navigation to return 'enc_role' or nil
|
||||
data&.dig('enc_role')
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -10,7 +10,18 @@ class SubnetAttributes
|
||||
'198.18.15.0/24' => { environment: 'prod', region: 'syd1', country: 'au' },
|
||||
'198.18.16.0/24' => { environment: 'test', region: 'syd1', country: 'au' },
|
||||
'198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' },
|
||||
'198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' }
|
||||
'198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' },
|
||||
'198.18.19.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # loopbacks
|
||||
'198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # MPLS CORE BLOCKS
|
||||
'198.18.21.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # physical network 2.5gbe
|
||||
'198.18.22.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph cluster
|
||||
'198.18.23.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph public
|
||||
'198.18.24.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # dmz 1
|
||||
'198.18.25.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0009
|
||||
'198.18.26.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0010
|
||||
'198.18.27.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0011
|
||||
'198.18.28.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0012
|
||||
'198.18.29.0/24' => { environment: 'prod', region: 'syd1', country: 'au' } # common node0013
|
||||
}.freeze
|
||||
|
||||
# Default attributes if no subnet matches, also defined as a constant
|
||||
|
||||
@@ -0,0 +1,22 @@
|
||||
# manage bridges and bridge slaves
|
||||
define networking::bridge (
|
||||
String $type,
|
||||
Optional[Stdlib::IP::Address] $ipaddress,
|
||||
Optional[Stdlib::IP::Address] $netmask = undef,
|
||||
Optional[Stdlib::IP::Address] $gateway = undef,
|
||||
Optional[Boolean] $nocarrier = undef,
|
||||
Boolean $bridge = true,
|
||||
Integer[100-9200] $mtu = 1500,
|
||||
Optional[Boolean] $forwarding = false,
|
||||
) {
|
||||
include systemd
|
||||
|
||||
systemd::network { "${title}.netdev":
|
||||
content => template('networking/bridge.netdev.erb'),
|
||||
}
|
||||
|
||||
# Use shared template, it will detect bridge=true and skip Address/DNS/etc
|
||||
systemd::network { "${title}.network":
|
||||
content => template('networking/networkd-network.erb'),
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
# manage dummy/loopback interfaces
|
||||
define networking::dummy (
|
||||
String $type,
|
||||
Stdlib::IP::Address $ipaddress,
|
||||
Stdlib::IP::Address $netmask,
|
||||
Integer[100-9200] $mtu = 1500,
|
||||
Optional[Boolean] $forwarding = false,
|
||||
) {
|
||||
include systemd
|
||||
|
||||
systemd::network { "${title}.netdev":
|
||||
content => template('networking/dummy.netdev.erb'),
|
||||
}
|
||||
|
||||
systemd::network { "${title}.network":
|
||||
content => template('networking/networkd-network.erb'),
|
||||
}
|
||||
}
|
||||
@@ -4,34 +4,67 @@ class networking (
|
||||
Hash $interface_defaults = {},
|
||||
Hash $routes = {},
|
||||
Hash $route_defaults = {},
|
||||
Boolean $use_networkd = lookup('systemd::manage_networkd', undef, undef, false),
|
||||
){
|
||||
|
||||
include network
|
||||
include networking::params
|
||||
|
||||
# manage interfaces
|
||||
$interfaces.each | $interface, $data | {
|
||||
$merged_data = merge($interface_defaults, $data)
|
||||
network_config { $interface:
|
||||
* => $merged_data,
|
||||
notify => Exec['networking_reload_network'],
|
||||
}
|
||||
}
|
||||
if $use_networkd {
|
||||
|
||||
# manage routes
|
||||
$routes.each | $route, $data | {
|
||||
$merged_data = merge($route_defaults, $data)
|
||||
network_route { $route:
|
||||
* => $merged_data,
|
||||
notify => Exec['networking_reload_network'],
|
||||
include systemd
|
||||
|
||||
service { 'NetworkManager':
|
||||
ensure => 'stopped',
|
||||
enable => false,
|
||||
}
|
||||
|
||||
$interfaces.each |String $iface, Hash $data| {
|
||||
$type = $data['type']
|
||||
#$params = $data.filter |$key, $value| { $key != 'type' }
|
||||
|
||||
case $type {
|
||||
'bridge': { networking::bridge { $iface: * => $data } }
|
||||
'dummy': { networking::dummy { $iface: * => $data } }
|
||||
'static': { networking::static { $iface: * => $data } }
|
||||
'physical': { networking::static { $iface: * => $data } }
|
||||
default: {
|
||||
fail("Unsupported interface type '${type}' for interface '${iface}'")
|
||||
}
|
||||
}
|
||||
}
|
||||
}else{
|
||||
# manage interfaces
|
||||
$interfaces.each | $interface, $data | {
|
||||
$merged_data = merge($interface_defaults, $data)
|
||||
network_config { $interface:
|
||||
* => $merged_data,
|
||||
notify => Exec['networking_reload_network'],
|
||||
}
|
||||
}
|
||||
|
||||
# manage routes
|
||||
$routes.each | $route, $data | {
|
||||
$merged_data = merge($route_defaults, $data)
|
||||
network_route { $route:
|
||||
* => $merged_data,
|
||||
notify => Exec['networking_reload_network'],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# determine which networking service to restart
|
||||
$restart_command = $facts['os']['family'] ? {
|
||||
'RedHat' => '/usr/bin/systemctl restart network',
|
||||
'Debian' => '/usr/bin/systemctl restart networking',
|
||||
default => fail('Unsupported OS in networking-restart-command'),
|
||||
$restart_command = $use_networkd ? {
|
||||
true => '/usr/bin/systemctl restart systemd-networkd',
|
||||
default => $facts['os']['family'] ? {
|
||||
'RedHat' => $facts['os']['release']['major'] ? {
|
||||
'8' => '/usr/bin/systemctl restart network',
|
||||
'9' => '/usr/bin/systemctl restart NetworkManager',
|
||||
default => fail('Unsupported RedHat OS release for networking restart'),
|
||||
},
|
||||
'Debian' => '/usr/bin/systemctl restart networking',
|
||||
default => fail('Unsupported OS in networking-restart-command'),
|
||||
}
|
||||
}
|
||||
|
||||
# restart network/networking only if $restart_networking boolean is true
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
# manage static interfaces
|
||||
define networking::static (
|
||||
String $type,
|
||||
Stdlib::IP::Address $netmask = '255.255.255.0',
|
||||
Integer[100-9200] $mtu = 1500,
|
||||
Boolean $dhcp = false,
|
||||
Optional[Boolean] $forwarding = false,
|
||||
Optional[Stdlib::IP::Address] $ipaddress = undef,
|
||||
Optional[Stdlib::IP::Address] $gateway = undef,
|
||||
Optional[Array[Stdlib::IP::Address]] $dns = undef,
|
||||
Optional[Array[Stdlib::Fqdn]] $domains = undef,
|
||||
Optional[Integer[0-4096]] $vlan = undef,
|
||||
Optional[Variant[Boolean,String]] $bridge = undef,
|
||||
Optional[Integer[0-4294967294]] $txqueuelen = undef,
|
||||
Optional[Stdlib::MAC] $mac = undef,
|
||||
) {
|
||||
include systemd
|
||||
|
||||
systemd::network { "${title}.network":
|
||||
content => template('networking/networkd-network.erb'),
|
||||
}
|
||||
#if $type == 'physical' and $mac {
|
||||
# systemd::network { "${title}.link":
|
||||
# content => template('networking/networkd-link.erb'),
|
||||
# }
|
||||
#}
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
[NetDev]
|
||||
Name=<%= @title %>
|
||||
Kind=bridge
|
||||
@@ -0,0 +1,3 @@
|
||||
[NetDev]
|
||||
Name=<%= @title %>
|
||||
Kind=dummy
|
||||
@@ -0,0 +1,8 @@
|
||||
[Match]
|
||||
MACAddress=<%= @mac %>
|
||||
|
||||
[Link]
|
||||
MTUBytes=<%= @mtu %>
|
||||
<% if @txqueuelen and @txqueuelen >= 1 -%>
|
||||
TransmitQueueLength=<%= @txqueuelen %>
|
||||
<% end -%>
|
||||
@@ -0,0 +1,41 @@
|
||||
[Match]
|
||||
Name=<%= @title %>
|
||||
|
||||
[Network]
|
||||
<% if @dhcp == true -%>
|
||||
DHCP=yes
|
||||
<% else -%>
|
||||
<% if @ipaddress && @netmask -%>
|
||||
Address=<%= @ipaddress %>/<%= IPAddr.new(@netmask).to_i.to_s(2).count('1') %>
|
||||
<% end -%>
|
||||
<% if @gateway -%>
|
||||
Gateway=<%= @gateway %>
|
||||
<% end -%>
|
||||
<% if @dns -%>
|
||||
DNS=<%= Array(@dns).join(' ') %>
|
||||
<% end -%>
|
||||
<% if @domains -%>
|
||||
Domains=<%= Array(@domains).join(' ') %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
<% if @bridge and @bridge != true -%>
|
||||
Bridge=<%= @bridge %>
|
||||
<% end -%>
|
||||
<% if @vlan -%>
|
||||
VLAN=<%= @vlan %>
|
||||
<% end -%>
|
||||
<% if @nocarrier and @nocarrier == true -%>
|
||||
ConfigureWithoutCarrier=true
|
||||
DuplicateAddressDetection=none
|
||||
RequiredForOnline=no-carrier
|
||||
<% end -%>
|
||||
<% if @type == 'dummy' -%>
|
||||
LinkLocalAddressing=no
|
||||
ActivationPolicy=always-up
|
||||
<% end -%>
|
||||
<% if @forwarding and @forwarding == true -%>
|
||||
IPForward=true
|
||||
<% end -%>
|
||||
|
||||
[Link]
|
||||
MTUBytes=<%= @mtu %>
|
||||
@@ -0,0 +1,14 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add('zfs_zpool_cache_present') do
|
||||
confine kernel: 'Linux'
|
||||
setcode do
|
||||
File.exist?('/etc/zfs/zpool.cache')
|
||||
end
|
||||
end
|
||||
|
||||
Facter.add('zfs_zpool_cache_present') do
|
||||
setcode do
|
||||
false
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,10 @@
|
||||
# manage zfs config
|
||||
class zfs::config {
|
||||
|
||||
file { $zfs::conf_dir:
|
||||
ensure => directory,
|
||||
owner => 0,
|
||||
group => 0,
|
||||
mode => '0644',
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,52 @@
|
||||
# Installs basic ZFS kernel and userland support.
|
||||
#
|
||||
# @example Declaring the class
|
||||
# include zfs
|
||||
#
|
||||
# @example Tuning the ZFS ARC
|
||||
# class { 'zfs':
|
||||
# zfs_arc_max => to_bytes('256 M'),
|
||||
# zfs_arc_min => to_bytes('128 M'),
|
||||
# }
|
||||
#
|
||||
# @param conf_dir Top-level configuration directory, usually `/etc/zfs`.
|
||||
# @param kmod_type Whether to use DKMS kernel packages or ones built to match
|
||||
# the running kernel (only applies to RHEL platforms).
|
||||
# @param manage_repo Whether to setup and manage external package repositories.
|
||||
# @param package_name The name of the top-level metapackage that installs ZFS
|
||||
# support.
|
||||
# @param service_manage Whether to manage the various ZFS services.
|
||||
# @param zfs_arc_max Maximum size of the ARC in bytes.
|
||||
# @param zfs_arc_min Minimum size of the ARC in bytes.
|
||||
class zfs (
|
||||
Optional[Integer[0]] $zfs_arc_max,
|
||||
Optional[Integer[0]] $zfs_arc_min,
|
||||
Optional[Hash] $zpools,
|
||||
Optional[Hash] $datasets,
|
||||
Stdlib::Absolutepath $conf_dir = '/etc/zfs',
|
||||
Enum['dkms', 'kabi'] $kmod_type = 'kabi',
|
||||
Boolean $manage_repo = true,
|
||||
Variant[String, Array[String, 1]] $package_name = 'zfs',
|
||||
Boolean $service_manage = true,
|
||||
) {
|
||||
|
||||
contain zfs::install
|
||||
contain zfs::config
|
||||
contain zfs::service
|
||||
|
||||
Class['zfs::install'] ~> Class['zfs::config'] ~> Class['zfs::service']
|
||||
|
||||
# create zpools
|
||||
$zpools.each | $zpool, $data | {
|
||||
zpool { $zpool:
|
||||
* => $data
|
||||
}
|
||||
}
|
||||
|
||||
# create datasets
|
||||
$datasets.each | $dataset, $data | {
|
||||
zfs { $dataset:
|
||||
* => $data
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,151 @@
|
||||
# manage zfs install/repos
|
||||
class zfs::install {
|
||||
|
||||
if $zfs::manage_repo {
|
||||
case $facts['os']['family'] {
|
||||
'RedHat': {
|
||||
$baseurl = 'http://download.zfsonlinux.org'
|
||||
$release = $facts['os']['release']['major'] ? {
|
||||
'6' => '6',
|
||||
'7' => $facts['os']['release']['full'] ? {
|
||||
/^7\.[012]/ => '7',
|
||||
default => regsubst($facts['os']['release']['full'], '^7\.(\d+).*$', '7.\1'),
|
||||
},
|
||||
'8' => $facts['os']['release']['full'] ? {
|
||||
/^8\.4/ => '8.3',
|
||||
default => regsubst($facts['os']['release']['full'], '^8\.(\d+).*$', '8.\1'),
|
||||
},
|
||||
default => regsubst($facts['os']['release']['full'], '^(\d\.\d+).*$', '\1'),
|
||||
}
|
||||
|
||||
yumrepo { 'zfs':
|
||||
baseurl => "${baseurl}/epel/${release}/\$basearch/",
|
||||
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - dkms",
|
||||
enabled => Integer($zfs::kmod_type == 'dkms'),
|
||||
before => Package[$zfs::package_name],
|
||||
}
|
||||
|
||||
yumrepo { 'zfs-kmod':
|
||||
baseurl => "${baseurl}/epel/${release}/kmod/\$basearch/",
|
||||
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - kmod",
|
||||
enabled => Integer($zfs::kmod_type == 'kabi'),
|
||||
}
|
||||
|
||||
yumrepo { 'zfs-source':
|
||||
baseurl => "${baseurl}/epel/${release}/SRPMS/",
|
||||
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - Source",
|
||||
enabled => 0,
|
||||
}
|
||||
|
||||
yumrepo { 'zfs-testing':
|
||||
baseurl => "${baseurl}/epel-testing/${release}/\$basearch/",
|
||||
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - dkms - Testing",
|
||||
enabled => 0,
|
||||
}
|
||||
|
||||
yumrepo { 'zfs-testing-kmod':
|
||||
baseurl => "${baseurl}/epel-testing/${release}/kmod/\$basearch/",
|
||||
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - kmod - Testing",
|
||||
enabled => 0,
|
||||
}
|
||||
|
||||
yumrepo { 'zfs-testing-source':
|
||||
baseurl => "${baseurl}/epel-testing/${release}/SRPMS/",
|
||||
descr => "ZFS on Linux for EL${facts['os']['release']['major']} - Testing Source",
|
||||
enabled => 0,
|
||||
}
|
||||
}
|
||||
default: {
|
||||
# noop
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Handle these dependencies separately as they shouldn't be guarded by
|
||||
# `$zfs::manage_repo`
|
||||
case $facts['os']['family'] {
|
||||
'RedHat': {
|
||||
case $zfs::kmod_type {
|
||||
'dkms': {
|
||||
# Puppet doesn't like managing multiple versions of the same package.
|
||||
# By using the version in the name Yum will do the right thing
|
||||
ensure_packages(["kernel-devel-${facts['kernelrelease']}"], {
|
||||
ensure => present,
|
||||
before => Package[$zfs::package_name],
|
||||
})
|
||||
}
|
||||
default: {
|
||||
# noop
|
||||
}
|
||||
}
|
||||
}
|
||||
'Debian': {
|
||||
case $facts['os']['name'] {
|
||||
'Ubuntu': {
|
||||
# noop
|
||||
}
|
||||
default: {
|
||||
ensure_packages(["linux-headers-${facts['kernelrelease']}", "linux-headers-${facts['os']['architecture']}"], {
|
||||
before => Package[$zfs::package_name],
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
default: {
|
||||
# noop
|
||||
}
|
||||
}
|
||||
|
||||
# This is to work around the broken Debian 9 packages. Upon install the
|
||||
# zfs-mount.service is started first which is the only unit that doesn't
|
||||
# have an "ExecStartPre=-/sbin/modprobe zfs" line so the package can never
|
||||
# be installed!
|
||||
if $facts['os']['name'] == 'Debian' and $facts['os']['release']['major'] == '9' {
|
||||
exec { 'zfs systemctl daemon-reload':
|
||||
command => 'systemctl daemon-reload',
|
||||
refreshonly => true,
|
||||
path => $facts['path'],
|
||||
}
|
||||
|
||||
Exec['zfs systemctl daemon-reload'] -> Package[$zfs::package_name]
|
||||
|
||||
file { '/etc/systemd/system/zfs-mount.service.d':
|
||||
ensure => directory,
|
||||
owner => 0,
|
||||
group => 0,
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
file { '/etc/systemd/system/zfs-mount.service.d/override.conf':
|
||||
ensure => file,
|
||||
owner => 0,
|
||||
group => 0,
|
||||
mode => '0644',
|
||||
content => @(EOS/L),
|
||||
[Service]
|
||||
ExecStartPre=-/sbin/modprobe zfs
|
||||
| EOS
|
||||
notify => Exec['zfs systemctl daemon-reload'],
|
||||
}
|
||||
}
|
||||
|
||||
# These need to be done here so the kernel settings are present before the
|
||||
# package is installed and potentially loading the kernel module
|
||||
$config = delete_undef_values({
|
||||
'zfs_arc_max' => $zfs::zfs_arc_max,
|
||||
'zfs_arc_min' => $zfs::zfs_arc_min,
|
||||
})
|
||||
|
||||
$config.each |$option,$value| {
|
||||
kmod::option { "zfs ${option}":
|
||||
module => 'zfs',
|
||||
option => $option,
|
||||
value => $value,
|
||||
before => Package[$zfs::package_name],
|
||||
}
|
||||
}
|
||||
|
||||
package { $zfs::package_name:
|
||||
ensure => present,
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,90 @@
|
||||
# manage zfs services
|
||||
class zfs::service {
|
||||
|
||||
if $zfs::service_manage {
|
||||
|
||||
exec { 'modprobe zfs':
|
||||
path => $facts['path'],
|
||||
unless => 'grep -q "^zfs " /proc/modules',
|
||||
}
|
||||
|
||||
case $facts['service_provider'] {
|
||||
'systemd': {
|
||||
$cache_ensure = str2bool($facts['zfs_zpool_cache_present']) ? {
|
||||
true => 'running',
|
||||
default => 'stopped',
|
||||
}
|
||||
|
||||
$scan_ensure = str2bool($facts['zfs_zpool_cache_present']) ? {
|
||||
true => 'stopped',
|
||||
default => 'running',
|
||||
}
|
||||
|
||||
service { 'zfs-import-cache':
|
||||
ensure => $cache_ensure,
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
require => Exec['modprobe zfs'],
|
||||
before => Service['zfs-mount'],
|
||||
}
|
||||
|
||||
service { 'zfs-import-scan':
|
||||
ensure => $scan_ensure,
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
require => Exec['modprobe zfs'],
|
||||
before => Service['zfs-mount'],
|
||||
}
|
||||
}
|
||||
default: {
|
||||
|
||||
case $facts['os']['family'] {
|
||||
'RedHat': {
|
||||
service { 'zfs-import':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
require => Exec['modprobe zfs'],
|
||||
before => Service['zfs-mount'],
|
||||
}
|
||||
}
|
||||
'Debian': {
|
||||
$import_ensure = str2bool($facts['zfs_zpool_cache_present']) ? {
|
||||
true => 'running',
|
||||
default => 'stopped',
|
||||
}
|
||||
|
||||
service { 'zpool-import':
|
||||
ensure => $import_ensure,
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
require => Exec['modprobe zfs'],
|
||||
}
|
||||
}
|
||||
default: {
|
||||
# noop
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
service { 'zfs-mount':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
before => Service['zfs-share'],
|
||||
}
|
||||
|
||||
service { 'zfs-share':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2,12 +2,22 @@
|
||||
class profiles::accounts::sysadmin(
|
||||
String $password,
|
||||
Array[String] $sshkeys = [],
|
||||
Array[String] $extra_groups = [],
|
||||
){
|
||||
|
||||
$default_groups = [
|
||||
'adm',
|
||||
'admins',
|
||||
'systemd-journal'
|
||||
]
|
||||
|
||||
$groups = $extra_groups + $default_groups
|
||||
|
||||
profiles::base::account {'sysadmin':
|
||||
username => 'sysadmin',
|
||||
uid => 1000,
|
||||
gid => 1000,
|
||||
groups => ['adm', 'admins', 'systemd-journal'],
|
||||
groups => $groups,
|
||||
sshkeys => $sshkeys,
|
||||
sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
|
||||
password => $password,
|
||||
|
||||
@@ -8,14 +8,21 @@ class profiles::almalinux::base (
|
||||
ensure => absent,
|
||||
}
|
||||
}
|
||||
service {'NetworkManager':
|
||||
ensure => false,
|
||||
enable => false,
|
||||
require => Package['network-scripts'],
|
||||
}
|
||||
-> service {'network':
|
||||
ensure => true,
|
||||
enable => true,
|
||||
require => Package['network-scripts'],
|
||||
if $facts['os']['release'] == '8' {
|
||||
service {'NetworkManager':
|
||||
ensure => false,
|
||||
enable => false,
|
||||
require => Package['network-scripts'],
|
||||
}
|
||||
-> service {'network':
|
||||
ensure => true,
|
||||
enable => true,
|
||||
require => Package['network-scripts'],
|
||||
}
|
||||
} elsif $facts['os']['release'] == '8' {
|
||||
service {'NetworkManager':
|
||||
ensure => true,
|
||||
enable => true,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -22,7 +22,6 @@ class profiles::base (
|
||||
# include the base profiles
|
||||
include profiles::base::repos
|
||||
include profiles::packages
|
||||
include profiles::base::facts
|
||||
include profiles::base::motd
|
||||
include profiles::base::scripts
|
||||
include profiles::base::hosts
|
||||
@@ -34,6 +33,7 @@ class profiles::base (
|
||||
include profiles::pki::vault
|
||||
include profiles::ssh::sign
|
||||
include profiles::ssh::knownhosts
|
||||
include profiles::ssh::service
|
||||
include profiles::cloudinit::init
|
||||
include profiles::metrics::default
|
||||
include profiles::helpers::node_lookup
|
||||
@@ -57,6 +57,10 @@ class profiles::base (
|
||||
include profiles::qemu::agent
|
||||
}
|
||||
|
||||
class { 'limits':
|
||||
purge_limits_d_dir => false,
|
||||
}
|
||||
|
||||
# include classes from hiera
|
||||
$hiera_include = lookup('hiera_include', Array[String], 'unique', [])
|
||||
$hiera_exclude = lookup('hiera_exclude', Array[String], 'unique', [])
|
||||
|
||||
@@ -1,39 +0,0 @@
|
||||
# a class to define some global facts
|
||||
class profiles::base::facts {
|
||||
|
||||
# The path where external facts are stored
|
||||
$facts_d_path = '/opt/puppetlabs/facter/facts.d'
|
||||
|
||||
# Ensure the directory exists
|
||||
file { $facts_d_path:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
# cleanup old facts files
|
||||
$fact_list = [ 'enc_role', 'enc_env' ]
|
||||
$fact_list.each | String $item | {
|
||||
file { "${facts_d_path}/${item}.txt":
|
||||
ensure => absent,
|
||||
}
|
||||
}
|
||||
|
||||
# ensure the path to the custom store exists
|
||||
file { '/root/.cache':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0750',
|
||||
}
|
||||
|
||||
# create the file that will be read
|
||||
file { '/root/.cache/custom_facts.yaml':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => template('profiles/base/facts/custom_facts.yaml.erb'),
|
||||
}
|
||||
}
|
||||
@@ -3,6 +3,7 @@ class profiles::base::repos {
|
||||
# manage package repositories
|
||||
case $facts['os']['family'] {
|
||||
'RedHat': {
|
||||
include crypto_policies
|
||||
include profiles::yum::global
|
||||
include profiles::firewall::firewalld
|
||||
}
|
||||
|
||||
@@ -47,8 +47,8 @@ class profiles::cobbler::config {
|
||||
# fix permissions in /var/lib/cobbler/web.ss
|
||||
file {'/var/lib/cobbler/web.ss':
|
||||
ensure => 'file',
|
||||
group => 'root',
|
||||
owner => 'apache',
|
||||
group => 'apache',
|
||||
owner => 'root',
|
||||
mode => '0660',
|
||||
require => Package['cobbler'],
|
||||
notify => Service['cobblerd'],
|
||||
|
||||
@@ -85,4 +85,10 @@ class profiles::consul::client (
|
||||
require => File['/root/.config'],
|
||||
}
|
||||
|
||||
# cleanup /usr/local/bin/consul which was created by url install method
|
||||
if $facts['os']['family'] == 'RedHat' {
|
||||
file {'/usr/local/bin/consul':
|
||||
ensure => absent,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -9,8 +9,9 @@ class profiles::defaults {
|
||||
|
||||
Package {
|
||||
ensure => present,
|
||||
require => Class['profiles::base::repos']
|
||||
|
||||
require => [
|
||||
Class['profiles::base::repos'],
|
||||
]
|
||||
}
|
||||
|
||||
File {
|
||||
@@ -31,10 +32,14 @@ class profiles::defaults {
|
||||
}
|
||||
|
||||
Yumrepo {
|
||||
ensure => 'present',
|
||||
enabled => 1,
|
||||
gpgcheck => 1,
|
||||
require => Class['profiles::pki::vaultca'],
|
||||
notify => Exec['dnf_makecache'],
|
||||
ensure => 'present',
|
||||
enabled => 1,
|
||||
gpgcheck => 1,
|
||||
metadata_expire => '1d',
|
||||
require => [
|
||||
Class['profiles::pki::vaultca'],
|
||||
Class['crypto_policies'],
|
||||
],
|
||||
notify => Exec['dnf_makecache'],
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
class profiles::dns::base (
|
||||
String $ns_role = undef,
|
||||
Array $search = [],
|
||||
Array $nameservers = ['8.8.8.8', '1.1.1.1'],
|
||||
Array $nameservers = ['198.18.13.12', '198.18.13.13'],
|
||||
Enum[
|
||||
'all',
|
||||
'region',
|
||||
@@ -23,6 +23,12 @@ class profiles::dns::base (
|
||||
}
|
||||
}
|
||||
|
||||
# if nameservers not returned from puppetdb, use default
|
||||
$use_nameservers = empty($nameserver_array) ? {
|
||||
true => $nameservers,
|
||||
false => $nameserver_array,
|
||||
}
|
||||
|
||||
# if search is undef, fallback to domainname from facts
|
||||
if $search == [] {
|
||||
$search_array = [$::facts['networking']['domain']]
|
||||
@@ -32,7 +38,7 @@ class profiles::dns::base (
|
||||
|
||||
# include resolvconf class
|
||||
class { 'profiles::dns::resolvconf':
|
||||
nameservers => sort($nameserver_array),
|
||||
nameservers => sort($use_nameservers),
|
||||
search_domains => sort($search_array),
|
||||
}
|
||||
|
||||
|
||||
@@ -105,13 +105,14 @@ class profiles::edgecache::nginx {
|
||||
# manage the nginx class
|
||||
class { 'nginx':
|
||||
proxy_cache_path => {
|
||||
"${data_root}/cache" => 'cache:128m',
|
||||
"${data_root}/cache" => 'cache:256m',
|
||||
},
|
||||
proxy_cache_levels => '1:2',
|
||||
proxy_cache_keys_zone => 'cache:128m',
|
||||
proxy_cache_keys_zone => 'cache:256m',
|
||||
proxy_cache_max_size => '30000m',
|
||||
proxy_cache_inactive => '60d',
|
||||
proxy_cache_inactive => '365d',
|
||||
proxy_temp_path => "${data_root}/cache_tmp",
|
||||
service_manage => false,
|
||||
}
|
||||
|
||||
# create the nginx vhost with the merged parameters
|
||||
@@ -126,4 +127,10 @@ class profiles::edgecache::nginx {
|
||||
* => $data,
|
||||
}
|
||||
}
|
||||
|
||||
service { 'nginx':
|
||||
ensure => true,
|
||||
enable => true,
|
||||
subscribe => [File[$selected_ssl_cert], File[$selected_ssl_key]],
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,58 @@
|
||||
# manage the use of the etcd module
|
||||
class profiles::etcd::node (
|
||||
Sensitive[String[1]] $initial_cluster_token,
|
||||
Boolean $members_lookup = false,
|
||||
String $members_role = undef,
|
||||
Array $servers = [],
|
||||
Stdlib::Port $client_port = 2379,
|
||||
Stdlib::Port $peer_port = 2380,
|
||||
Hash $config = {},
|
||||
){
|
||||
|
||||
# if lookup is enabled
|
||||
if $members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($members_role == undef) {
|
||||
fail("members_role must be provided for ${title} when members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = sort($servers)
|
||||
}
|
||||
|
||||
if length($servers_array) >= 3 {
|
||||
|
||||
# construct the initial-cluster string
|
||||
$initial_cluster = $servers_array.map |$fqdn| {
|
||||
|
||||
# lookup the ip address for the current fqdn
|
||||
$ip = query_nodes("networking.fqdn='${fqdn}'", 'networking.ip')[0]
|
||||
|
||||
# construct the string for this server
|
||||
"${fqdn}=https://${ip}:${peer_port}"
|
||||
}.join(',')
|
||||
|
||||
$defaults = {
|
||||
'data-dir' => '/var/lib/etcd',
|
||||
'name' => $facts['networking']['fqdn'],
|
||||
'listen-client-urls' => "https://${facts['networking']['ip']}:${client_port}",
|
||||
'listen-peer-urls' => "https://${facts['networking']['ip']}:${peer_port}",
|
||||
'advertise-client-urls' => "https://${facts['networking']['ip']}:${client_port}",
|
||||
'initial-advertise-peer-urls' => "https://${facts['networking']['ip']}:${peer_port}",
|
||||
'initial-cluster-token' => $initial_cluster_token.unwrap,
|
||||
'initial-cluster' => $initial_cluster,
|
||||
'initial-cluster-state' => 'new',
|
||||
}
|
||||
|
||||
$merged_config = merge($defaults, $config)
|
||||
|
||||
class { 'etcd':
|
||||
config => $merged_config,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,6 +1,11 @@
|
||||
# profiles::firstrun::complete
|
||||
class profiles::firstrun::complete {
|
||||
|
||||
file {'/root/.cache':
|
||||
ensure => 'directory',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
}
|
||||
file {'/root/.cache/puppet_firstrun_complete':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
|
||||
@@ -8,10 +8,12 @@ class profiles::firstrun::init {
|
||||
include profiles::base::repos
|
||||
include profiles::firstrun::packages
|
||||
|
||||
# set the motd and base facts
|
||||
include profiles::base::facts
|
||||
# set the motd
|
||||
include profiles::base::motd
|
||||
|
||||
# create groups
|
||||
include profiles::base::groups
|
||||
|
||||
# mark the firstrun as done
|
||||
include profiles::firstrun::complete
|
||||
|
||||
|
||||
@@ -0,0 +1,118 @@
|
||||
# profiles::jupyter::jupyterhub
|
||||
class profiles::jupyter::jupyterhub (
|
||||
Stdlib::AbsolutePath $base_path = '/opt/jupyterhub',
|
||||
Stdlib::AbsolutePath $venv_path = "${base_path}/venv",
|
||||
Stdlib::AbsolutePath $config_path = "${base_path}/config.py",
|
||||
Stdlib::AbsolutePath $notebook_path = '/home/jupyter/work',
|
||||
Hash $vault_config = {},
|
||||
String $owner = 'jupyterhub',
|
||||
String $group = 'jupyterhub',
|
||||
Boolean $systempkgs = false,
|
||||
String $version = '3.12',
|
||||
Array[String[1]] $packages = [
|
||||
'jupyterhub',
|
||||
'dockerspawner',
|
||||
'jupyterhub-ldapauthenticator',
|
||||
],
|
||||
String $ldap_server_address = 'ldap://ldap.service.consul',
|
||||
String $ldap_tls_strategy = 'insecure',
|
||||
Array $ldap_allowed_groups = ['ou=jupyterhub_user,ou=groups,dc=main,dc=unkin,dc=net'],
|
||||
Array $ldap_admin_users = [],
|
||||
String $ldap_bind_user = 'cn=svc_jupyterhub,ou=services,ou=users,dc=main,dc=unkin,dc=net',
|
||||
String $ldap_bind_pass = 'change-me',
|
||||
String $ldap_user_search_base = 'ou=people,ou=users,dc=main,dc=unkin,dc=net',
|
||||
String $ldap_user_search_filter = '({login_attr}={login})',
|
||||
String $ldap_group_search_filter = '(uniqueMember={userdn})',
|
||||
String $ldap_user_attribute = 'uid',
|
||||
String $ldap_user_dn_attribute = 'cn',
|
||||
String $docker_image = 'git.query.consul/unkin/almalinux9-jupyterlab:latest',
|
||||
String $docker_network = 'bridge',
|
||||
){
|
||||
|
||||
# ensure nodejs:20 is installed
|
||||
package { 'nodejs_module':
|
||||
ensure => '20',
|
||||
name => 'nodejs',
|
||||
provider => 'dnfmodule',
|
||||
enable_only => true,
|
||||
}
|
||||
-> package { 'nodejs':
|
||||
ensure => 'installed',
|
||||
provider => 'dnf',
|
||||
}
|
||||
-> package { 'npm':
|
||||
ensure => 'installed',
|
||||
provider => 'dnf',
|
||||
}
|
||||
-> package { 'configurable-http-proxy':
|
||||
ensure => installed,
|
||||
provider => 'npm',
|
||||
}
|
||||
|
||||
# ensure python3.12 is installed
|
||||
if $::facts['python3_version'] {
|
||||
|
||||
$python_version = $version ? {
|
||||
'system' => $::facts['python3_version'],
|
||||
default => $version,
|
||||
}
|
||||
|
||||
# ensure the base_path exists
|
||||
file { $base_path:
|
||||
ensure => directory,
|
||||
mode => '0755',
|
||||
owner => $owner,
|
||||
group => $group,
|
||||
require => Profiles::Base::Account['jupyterhub'],
|
||||
}
|
||||
|
||||
# create a venv
|
||||
python::pyvenv { $venv_path :
|
||||
ensure => present,
|
||||
version => $python_version,
|
||||
systempkgs => $systempkgs,
|
||||
venv_dir => $venv_path,
|
||||
owner => $owner,
|
||||
group => $group,
|
||||
require => File[$base_path],
|
||||
}
|
||||
|
||||
# install the required pip packages
|
||||
$packages.each |String $package| {
|
||||
python::pip { "${venv_path}_${package}":
|
||||
ensure => present,
|
||||
pkgname => $package,
|
||||
virtualenv => $venv_path,
|
||||
}
|
||||
}
|
||||
|
||||
# create the config from a template
|
||||
file { $config_path:
|
||||
ensure => file,
|
||||
mode => '0660',
|
||||
owner => $owner,
|
||||
group => $group,
|
||||
content => Sensitive(template('profiles/jupyterhub/config.py.erb')),
|
||||
require => Python::Pyvenv[$venv_path],
|
||||
}
|
||||
|
||||
profiles::base::account {$owner:
|
||||
username => $owner,
|
||||
uid => 1101,
|
||||
gid => 1101,
|
||||
groups => ['systemd-journal', 'docker'],
|
||||
system => true,
|
||||
}
|
||||
|
||||
systemd::unit_file { 'jupyterhub.service':
|
||||
content => template('profiles/jupyterhub/jupyterhub.service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => File[$config_path],
|
||||
require => [
|
||||
File[$config_path],
|
||||
],
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
@@ -113,6 +113,7 @@ class profiles::nginx::simpleproxy (
|
||||
proxy_cache_max_size => '1024m',
|
||||
proxy_cache_inactive => '10m',
|
||||
proxy_temp_path => '/var/cache/nginx/cache_temp',
|
||||
service_manage => false,
|
||||
}
|
||||
|
||||
# create the nginx vhost with the merged parameters
|
||||
@@ -132,5 +133,11 @@ class profiles::nginx::simpleproxy (
|
||||
value => 'on',
|
||||
}
|
||||
}
|
||||
|
||||
service { 'nginx':
|
||||
ensure => true,
|
||||
enable => true,
|
||||
subscribe => [File[$selected_ssl_cert], File[$selected_ssl_key]],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,84 @@
|
||||
# profiles::nomad::node
|
||||
class profiles::nomad::node (
|
||||
Stdlib::Absolutepath $data_dir = '/data/nomad',
|
||||
Stdlib::Absolutepath $nomad_root = '/shared/nomad',
|
||||
Integer $bootstrap_expect = 3,
|
||||
Boolean $server = false,
|
||||
Boolean $client = false,
|
||||
Boolean $manage_service = true,
|
||||
Boolean $manage_user = true,
|
||||
String $user = 'nomad',
|
||||
String $group = 'nomad',
|
||||
){
|
||||
|
||||
if $manage_user {
|
||||
# Define the group for Nomad
|
||||
group { $group:
|
||||
ensure => 'present',
|
||||
system => true,
|
||||
}
|
||||
|
||||
# Define the user for Nomad
|
||||
user { $user:
|
||||
ensure => 'present',
|
||||
comment => 'Nomad System User',
|
||||
home => '/var/lib/nomad',
|
||||
managehome => true,
|
||||
shell => '/sbin/nologin',
|
||||
system => true,
|
||||
gid => $group,
|
||||
require => Group[$group],
|
||||
}
|
||||
}
|
||||
|
||||
if $client {
|
||||
|
||||
include profiles::ceph::client
|
||||
|
||||
# manage the sharedvol
|
||||
profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_nomad":
|
||||
mount => $nomad_root,
|
||||
keyring => '/etc/ceph/ceph.client.nomad.keyring',
|
||||
cephfs_name => 'nomad',
|
||||
cephfs_fs => 'nomadfs',
|
||||
require => Profiles::Ceph::Keyring['nomad'],
|
||||
}
|
||||
}
|
||||
|
||||
file { $data_dir:
|
||||
ensure => directory,
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0755',
|
||||
require => [
|
||||
User[$user],
|
||||
Group[$group],
|
||||
],
|
||||
}
|
||||
|
||||
mkdir::p {'/etc/nomad.d/':}
|
||||
-> file { '/etc/nomad.d/config.hcl':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
content => template('profiles/nomad/config.hcl.erb'),
|
||||
require => [
|
||||
Package['nomad'],
|
||||
],
|
||||
}
|
||||
|
||||
if $manage_service {
|
||||
include ::systemd
|
||||
|
||||
systemd::unit_file { 'nomad.service':
|
||||
content => template('profiles/nomad/nomad.service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => [
|
||||
File['/etc/pki/tls/vault/private.key'],
|
||||
File['/etc/nomad.d/config.hcl']
|
||||
],
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -21,7 +21,7 @@ class profiles::puppet::puppetboard (
|
||||
Stdlib::Port $nginx_port = 80,
|
||||
Stdlib::Host $nginx_vhost = 'puppetboard.main.unkin.net',
|
||||
Array[Stdlib::Host] $nginx_aliases = [],
|
||||
#String[1] $secret_key = "${fqdn_rand_string(32)}",
|
||||
String[1] $secret_key = "${fqdn_rand_string(32)}",
|
||||
) {
|
||||
|
||||
# store puppet-agents ssl settings/certname
|
||||
@@ -37,7 +37,7 @@ class profiles::puppet::puppetboard (
|
||||
basedir => $basedir,
|
||||
virtualenv_dir => $virtualenv_dir,
|
||||
settings_file => $settings_file,
|
||||
#secret_key => $secret_key,
|
||||
secret_key => $secret_key,
|
||||
default_environment => $default_environment,
|
||||
puppetdb_host => $puppetdb_host,
|
||||
puppetdb_port => 8081,
|
||||
|
||||
@@ -22,6 +22,7 @@ class profiles::puppet::r10k (
|
||||
mode => '0755',
|
||||
content => "#!/bin/bash\n(
|
||||
cd /etc/puppetlabs/r10k
|
||||
git branch --set-upstream-to=origin/master master
|
||||
git reset --hard master
|
||||
git clean -fd
|
||||
git pull\n)",
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
class profiles::reposync::webserver (
|
||||
String $www_root = '/data/repos/snap',
|
||||
String $cache_root = '/data/repos/cache',
|
||||
String $nginx_vhost = 'repos.main.unkin.net',
|
||||
String $nginx_vhost = 'packagerepo.service.consul',
|
||||
Stdlib::Port $nginx_port = 80,
|
||||
Stdlib::Port $nginx_ssl_port = 443,
|
||||
Boolean $favicon = true,
|
||||
@@ -10,6 +10,10 @@ class profiles::reposync::webserver (
|
||||
Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
|
||||
) {
|
||||
|
||||
# ensure all the required directories exist
|
||||
mkdir::p { $www_root: }
|
||||
mkdir::p { $cache_root: }
|
||||
|
||||
# select the certificates to use based on cert type
|
||||
case $nginx_cert_type {
|
||||
'puppet': {
|
||||
|
||||
@@ -0,0 +1,48 @@
|
||||
# this is a modification to frr-selinux that ships with EL9, adding support for frr10
|
||||
class profiles::selinux::frr {
|
||||
|
||||
$frr_te_content = @("EOF")
|
||||
module frr_local 1.0;
|
||||
|
||||
require {
|
||||
type frr_t;
|
||||
type initrc_t;
|
||||
type kernel_t;
|
||||
type var_run_t;
|
||||
type frr_tmp_t;
|
||||
type frr_var_run_t;
|
||||
type init_t;
|
||||
class unix_stream_socket connectto;
|
||||
class system module_request;
|
||||
class sock_file { getattr write };
|
||||
class dir { add_name write };
|
||||
class file { create write open };
|
||||
class process setpgid;
|
||||
}
|
||||
|
||||
#============= frr_t ==============
|
||||
allow frr_t initrc_t:unix_stream_socket connectto;
|
||||
allow frr_t kernel_t:system module_request;
|
||||
allow frr_t var_run_t:sock_file { getattr write };
|
||||
|
||||
#============= init_t ==============
|
||||
allow init_t frr_tmp_t:dir add_name;
|
||||
allow init_t frr_var_run_t:dir { write add_name };
|
||||
allow init_t frr_var_run_t:file { create open write };
|
||||
allow init_t self:process setpgid;
|
||||
| EOF
|
||||
|
||||
if $facts['virtual'] != 'lxc' {
|
||||
selinux::module { 'frr_local':
|
||||
ensure => 'present',
|
||||
content_te => $frr_te_content,
|
||||
builder => 'simple',
|
||||
before => Service['frr'],
|
||||
}
|
||||
selboolean { 'domain_can_mmap_files':
|
||||
value => 'on',
|
||||
persistent => true,
|
||||
before => Service['frr'],
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
# profiles::ssh::service
|
||||
# saz-ssh manages the service, this is just some additional stuff
|
||||
class profiles::ssh::service {
|
||||
|
||||
# set sshd to start
|
||||
systemd::manage_dropin { 'after-network-online.conf':
|
||||
ensure => present,
|
||||
unit => 'sshd.service',
|
||||
unit_entry => {
|
||||
'After' => [
|
||||
'network-online.target',
|
||||
],
|
||||
},
|
||||
}
|
||||
}
|
||||
@@ -16,6 +16,9 @@ class profiles::vault::server (
|
||||
Boolean $manage_storage_dir = false,
|
||||
Stdlib::Absolutepath $data_dir = '/opt/vault',
|
||||
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
||||
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
|
||||
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
|
||||
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
|
||||
){
|
||||
|
||||
# set a datacentre/cluster name
|
||||
@@ -45,13 +48,14 @@ class profiles::vault::server (
|
||||
$server_urls = $servers_array.map |$fqdn| {
|
||||
{
|
||||
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
|
||||
leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
|
||||
leader_client_key_file => '/etc/pki/tls/vault/private.key',
|
||||
leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt',
|
||||
leader_client_cert_file => $ssl_crt,
|
||||
leader_client_key_file => $ssl_key,
|
||||
leader_ca_cert_file => $ssl_ca,
|
||||
}
|
||||
}
|
||||
|
||||
class { 'vault':
|
||||
manage_service => false,
|
||||
install_method => $install_method,
|
||||
manage_storage_dir => $manage_storage_dir,
|
||||
enable_ui => true,
|
||||
@@ -79,13 +83,19 @@ class profiles::vault::server (
|
||||
address => "${::facts['networking']['ip']}:${client_port}",
|
||||
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
|
||||
tls_disable => $tls_disable,
|
||||
tls_cert_file => '/etc/pki/tls/vault/certificate.crt',
|
||||
tls_key_file => '/etc/pki/tls/vault/private.key',
|
||||
tls_cert_file => $ssl_crt,
|
||||
tls_key_file => $ssl_key,
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
service { 'vault':
|
||||
ensure => true,
|
||||
enable => true,
|
||||
subscribe => [File[$ssl_crt], File[$ssl_key]],
|
||||
}
|
||||
|
||||
# include classes to manage vault
|
||||
include profiles::vault::unseal
|
||||
}
|
||||
|
||||
@@ -16,12 +16,15 @@ class profiles::yum::global (
|
||||
purge => $purge,
|
||||
}
|
||||
|
||||
#exec {'purge_almalinux_default_repos':
|
||||
# command => 'rm -f /etc/yum.repos.d/almalinux*.repo',
|
||||
# path => ['/bin', '/usr/bin'],
|
||||
# onlyif => 'find /etc/yum.repos.d/ -type f -name *almalinux* | grep .',
|
||||
# before => Resources['yumrepo'],
|
||||
#}
|
||||
# el9 needs to rpmdb rebuild after crypto-policies
|
||||
if $facts['os']['release']['major'] == '9' {
|
||||
exec { 'rebuild_rpmdb':
|
||||
command => '/usr/bin/rpmdb --rebuilddb && /usr/bin/touch /root/almalinux9_upgrade_rebuilddb_flag',
|
||||
unless => '/usr/bin/test -f /root/almalinux9_upgrade_rebuilddb_flag',
|
||||
timeout => 180,
|
||||
require => Class['crypto_policies'],
|
||||
}
|
||||
}
|
||||
|
||||
# download all gpg keys if a repo defines it
|
||||
$repos.each |$name, $repo| {
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
---
|
||||
enc_role: <%= @enc_role[0] %>
|
||||
enc_env: <%= @enc_env %>
|
||||
@@ -1 +0,0 @@
|
||||
enc_env=<%= @enc_env %>
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user