1 Commits

Author SHA1 Message Date
unkinben e20f3bc372 nginx authproxy module 2024-07-05 22:49:22 +10:00
144 changed files with 363 additions and 4930 deletions
+1 -6
View File
@@ -18,7 +18,6 @@ mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.0.0' mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2' mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0' mod 'puppetlabs-reboot', '5.0.0'
mod 'puppetlabs-docker', '10.0.1'
# puppet # puppet
mod 'puppet-python', '7.0.0' mod 'puppet-python', '7.0.0'
@@ -34,14 +33,11 @@ mod 'puppet-grafana', '13.1.0'
mod 'puppet-consul', '8.0.0' mod 'puppet-consul', '8.0.0'
mod 'puppet-vault', '4.1.0' mod 'puppet-vault', '4.1.0'
mod 'puppet-dhcp', '6.1.0' mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '5.1.0' mod 'puppet-keepalived', '3.6.0'
mod 'puppet-extlib', '7.0.0' mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0' mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1' mod 'puppet-kmod', '4.0.1'
mod 'puppet-filemapper', '4.0.0' mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.0.0'
mod 'puppet-rundeck', '9.1.0'
mod 'puppet-redis', '11.0.0'
# other # other
mod 'ghoneycutt-puppet', '3.3.0' mod 'ghoneycutt-puppet', '3.3.0'
@@ -55,7 +51,6 @@ mod 'broadinstitute-certs', '3.0.1'
mod 'stm-file_capability', '6.0.0' mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0' mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0' mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'bind', mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git', :git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
+61 -81
View File
@@ -3,10 +3,16 @@ lookup_options:
hiera_classes: hiera_classes:
merge: merge:
strategy: deep strategy: deep
profiles::packages::include: profiles::packages::install:
merge: merge:
strategy: deep strategy: deep
profiles::packages::exclude: profiles::packages::install_exclude:
merge:
strategy: deep
profiles::packages::remove:
merge:
strategy: deep
profiles::packages::remove_exclude:
merge: merge:
strategy: deep strategy: deep
profiles::pki::vault::alt_names: profiles::pki::vault::alt_names:
@@ -123,18 +129,6 @@ lookup_options:
profiles::ceph::client::keyrings: profiles::ceph::client::keyrings:
merge: merge:
strategy: deep strategy: deep
profiles::nginx::simpleproxy::locations:
merge:
strategy: deep
certbot::client::domains:
merge:
strategy: deep
keepalived::vrrp_script:
merge:
strategy: deep
keepalived::vrrp_instance:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d' facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -142,7 +136,6 @@ hiera_include:
- timezone - timezone
- networking - networking
- ssh::server - ssh::server
- profiles::accounts::rundeck
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region' profiles::ntp::client::use_ntp: 'region'
@@ -173,70 +166,59 @@ profiles::consul::client::node_rules:
segment: '' segment: ''
disposition: read disposition: read
profiles::packages::include: profiles::packages::install:
bash-completion: {} - bash-completion
bzip2: {} - bzip2
ccze: {} - ccze
curl: {} - curl
dstat: {} - dstat
expect: {} - expect
gzip: {} - gcc
git: {} - gzip
htop: {} - git
inotify-tools: {} - htop
iotop: {} - inotify-tools
jq: {} - iotop
lz4: {} - jq
mtr: {} - lz4
ncdu: {} - mtr
neovim: {} - ncdu
p7zip: {} - neovim
pbzip2: {} - p7zip
pigz: {} - pbzip2
pv: {} - pigz
python3.11: {} - pv
rsync: {} - python3.11
screen: {} - rsync
socat: {} - screen
strace: {} - socat
sysstat: {} - strace
tar: {} - sysstat
tmux: {} - tar
traceroute: {} - tmux
unzip: {} - traceroute
vim: {} - unzip
vnstat: {} - vim
wget: {} - vnstat
zsh: {} - wget
zstd: {} - zsh
iwl100-firmware: - zstd
ensure: absent
iwl1000-firmware: profiles::packages::remove:
ensure: absent - iwl100-firmware
iwl105-firmware: - iwl1000-firmware
ensure: absent - iwl105-firmware
iwl135-firmware: - iwl135-firmware
ensure: absent - iwl2000-firmware
iwl2000-firmware: - iwl2030-firmware
ensure: absent - iwl3160-firmware
iwl2030-firmware: - iwl5000-firmware
ensure: absent - iwl5150-firmware
iwl3160-firmware: - iwl6000-firmware
ensure: absent - iwl6000g2a-firmware
iwl5000-firmware: - iwl6050-firmware
ensure: absent - iwl7260-firmware
iwl5150-firmware: - puppet7-release
ensure: absent
iwl6000-firmware:
ensure: absent
iwl6000g2a-firmware:
ensure: absent
iwl6050-firmware:
ensure: absent
iwl7260-firmware:
ensure: absent
puppet7-release:
ensure: absent
profiles::base::scripts::scripts: profiles::base::scripts::scripts:
puppet: puppetwrapper.py puppet: puppetwrapper.py
@@ -305,8 +287,6 @@ sudo::configs:
profiles::accounts::sysadmin::sshkeys: profiles::accounts::sysadmin::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
profiles::accounts::rundeck::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD4F7VcorbGpyZzBFexz7c/o1JBscrl7hZU0UkWV7fq6YLizW0r6fOzD99hMwu1kdYCjPxbvuUSDEHfyBIp2EgLWU6wFVoufQqlMyOV85+ivQZUc1VNV+X9T+U4v3u/01hkAmlpXtbkwhMSR4Wi+tdABd04+D3CuMDM37mvnFmBBmi41X4Mr1rJhOQumn1XHQ7EYbsdw2mxfEVVeWpZIHz5BjNKSGzEIAYZbFt6s0Y7X3J5RT+Gjqmu043Tc8nNIUFlR9E10qd3Euf9RiBYxBx3z+yfOzJPBzWNBSHv1+PIbO5Mq+z5JaAfoFZO41L7nw+FjV6JJUCVLr6Vq+bCxyA7LW4Oq9ZahSrt/vrT0kTa0tA5U9bqK6e7pB//dm7PzoROtTq0XksV8RseA/fvIje20uaN1z9dynx+UcbszXu9pQ5GIg1o7b5DEi3OZHJwpgdudiCyEeR4+00G0z4PjpEMnTSMHAJ53WxtjzrPAOBnAmPE7hPu4coU+XrCWEXAvRMloJmca68e+zFX7VvFK82KVDuQ99vQ6w4X73IESKoLzyAVxpelwHaDG4fN+zqYfqubVQU1L5cUeYKxqm5r3Us6VvMaYs1ZMUmDGXHOq4FNhGUJYxSjkLvunM6qyAAJQCd6Pw/2TV3UQVerbouGOZaeBLvRguHWSbDrO99Zu+t87w== rundeck_runner
networking::interface_defaults: networking::interface_defaults:
ensure: present ensure: present
-1
View File
@@ -1,3 +1,2 @@
--- ---
timezone::timezone: 'Australia/Sydney' timezone::timezone: 'Australia/Sydney'
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
@@ -1,31 +1,4 @@
--- ---
hiera_include:
- keepalived
# keepalived
profiles::haproxy::dns::vrrp_ipaddr: '198.18.13.250'
profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
keepalived::vrrp_script:
check_haproxy:
script: '/usr/bin/killall -0 haproxy'
keepalived::vrrp_instance:
VI_250:
interface: 'eth0'
virtual_router_id: 250
auth_type: 'PASS'
auth_pass: 'quiiK7oo'
virtual_ipaddress: '198.18.13.250/32'
track_script:
- check_haproxy
# mappings # mappings
profiles::haproxy::mappings: profiles::haproxy::mappings:
fe_http: fe_http:
@@ -38,9 +11,7 @@ profiles::haproxy::mappings:
- 'lidarr.main.unkin.net be_lidarr' - 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr' - 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr' - 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin' - 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
fe_https: fe_https:
ensure: present ensure: present
mappings: mappings:
@@ -51,9 +22,7 @@ profiles::haproxy::mappings:
- 'lidarr.main.unkin.net be_lidarr' - 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr' - 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr' - 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin' - 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
profiles::haproxy::frontends: profiles::haproxy::frontends:
fe_http: fe_http:
@@ -63,15 +32,7 @@ profiles::haproxy::frontends:
fe_https: fe_https:
options: options:
acl: acl:
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net' - 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24' - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend: use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]" - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -79,14 +40,6 @@ profiles::haproxy::frontends:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets' - 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response: http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve' - 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Frame-Options DENY if acl_sonarr'
- 'set-header X-Frame-Options DENY if acl_radarr'
- 'set-header X-Frame-Options DENY if acl_lidarr'
- 'set-header X-Frame-Options DENY if acl_readarr'
- 'set-header X-Frame-Options DENY if acl_prowlarr'
- 'set-header X-Frame-Options DENY if acl_nzbget'
- 'set-header X-Frame-Options DENY if acl_jellyfin'
- 'set-header X-Frame-Options DENY if acl_fafflix'
- 'set-header X-Content-Type-Options nosniff' - 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block' - 'set-header X-XSS-Protection 1;mode=block'
@@ -128,7 +81,7 @@ profiles::haproxy::backends:
options: options:
balance: roundrobin balance: roundrobin
option: option:
- httpchk GET /consul/health - httpchk GET /
- forwardfor - forwardfor
- http-keep-alive - http-keep-alive
- prefer-last-server - prefer-last-server
@@ -144,7 +97,7 @@ profiles::haproxy::backends:
options: options:
balance: roundrobin balance: roundrobin
option: option:
- httpchk GET /consul/health - httpchk GET /
- forwardfor - forwardfor
- http-keep-alive - http-keep-alive
- prefer-last-server - prefer-last-server
@@ -160,7 +113,7 @@ profiles::haproxy::backends:
options: options:
balance: roundrobin balance: roundrobin
option: option:
- httpchk GET /consul/health - httpchk GET /
- forwardfor - forwardfor
- http-keep-alive - http-keep-alive
- prefer-last-server - prefer-last-server
@@ -176,7 +129,7 @@ profiles::haproxy::backends:
options: options:
balance: roundrobin balance: roundrobin
option: option:
- httpchk GET /consul/health - httpchk GET /
- forwardfor - forwardfor
- http-keep-alive - http-keep-alive
- prefer-last-server - prefer-last-server
@@ -192,23 +145,7 @@ profiles::haproxy::backends:
options: options:
balance: roundrobin balance: roundrobin
option: option:
- httpchk GET /consul/health - httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_nzbget:
description: Backend for au-syd1 nzbget
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor - forwardfor
- http-keep-alive - http-keep-alive
- prefer-last-server - prefer-last-server
@@ -237,30 +174,10 @@ profiles::haproxy::backends:
profiles::haproxy::certlist::enabled: true profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates: profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem - /etc/pki/tls/vault/certificate.pem
# additional altnames # additional altnames
profiles::pki::vault::alt_names: profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- jellyfin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::domains:
- au-syd1-pve.main.unkin.net - au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net - au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net - sonarr.main.unkin.net
@@ -268,5 +185,9 @@ certbot::client::domains:
- lidarr.main.unkin.net - lidarr.main.unkin.net
- readarr.main.unkin.net - readarr.main.unkin.net
- prowlarr.main.unkin.net - prowlarr.main.unkin.net
- nzbget.main.unkin.net - jellyfin.main.unkin.net
- fafflix.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
@@ -1,3 +1,2 @@
--- ---
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==] mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
mysql::db::rundeck::pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcWmZuTro0DNX8X/6DCJdmxm85hawng2cjSm/M26/sAzlr7i3XLIjg5TQc3BpeiKWZvQ2XZWygOEcW7g0bHH7FBS6XTXswDiLCf7ssd0DYL+eQbh4p6VijBKObug33fp4+YJaqGV7YRUNqBjXQv/SSmxFqbNaRahUqwbMidJCyjGNmfCfbSd9WxI4/8j0L38rjXR3/i+/xzgVIhgz/qymmw0rky6jN14YrwRIkdW6loMFzVd12tqdX9kh7UBdE7j58ntQgJSilQn2pLmQs6dgcXSOeIi8Sln4R0MfAtOQ1c6LoKMUdb7k8xEszpGbhX7sw51kpwvnL1LS6PQ+T8T9wDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDm1sAUc6LFtslrIuwk1JlJgDAngDM/0g4dpgyNOZDsvAU8OualEL6HZ2RFGfibteUc11wZzHkdFZlvHz2JZdO7Huo=]
@@ -13,12 +13,3 @@ mysql::db:
- INSERT - INSERT
- UPDATE - UPDATE
- DELETE - DELETE
rundeck:
name: rundeck
user: rundeck
password: "%{alias('mysql::db::rundeck::pass')}"
grant:
- SELECT
- INSERT
- UPDATE
- DELETE
@@ -5,9 +5,3 @@ networking::interfaces:
networking::routes: networking::routes:
default: default:
gateway: 198.18.13.254 gateway: 198.18.13.254
profiles::haproxy::dns::vrrp_master: true
keepalived::vrrp_instance:
VI_250:
state: 'MASTER'
priority: 101
@@ -5,8 +5,3 @@ networking::interfaces:
networking::routes: networking::routes:
default: default:
gateway: 198.18.13.254 gateway: 198.18.13.254
keepalived::vrrp_instance:
VI_250:
state: 'BACKUP'
priority: 100
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.58
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.58
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.59
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.60
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.61
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.62
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.63
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.64
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.65
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.66
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.67
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.68
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.69
networking::routes:
default:
gateway: 198.18.13.254
+6 -7
View File
@@ -8,12 +8,12 @@ profiles::puppet::agent::puppet_version: '7.26.0'
hiera_include: hiera_include:
- profiles::almalinux::base - profiles::almalinux::base
profiles::packages::include: profiles::packages::install:
lzo: {} - lzo
network-scripts: {} - network-scripts
policycoreutils: {} - policycoreutils
unar: {} - unar
xz: {} - xz
lm-sensors::package: lm_sensors lm-sensors::package: lm_sensors
@@ -73,5 +73,4 @@ profiles::yum::global::repos:
target: /etc/yum.repos.d/unkin.repo target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major} baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
gpgcheck: false
mirrorlist: absent mirrorlist: absent
+5 -5
View File
@@ -1,15 +1,15 @@
# hieradata/os/debian/all_releases.yaml # hieradata/os/debian/all_releases.yaml
--- ---
profiles::apt::base::mirrorurl: http://edgecache.query.consul/debian/ profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
profiles::apt::base::secureurl: http://security.debian.org/debian-security profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7 profiles::apt::puppet7::repo: puppet7
profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/ profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
profiles::packages::include: profiles::packages::install:
lzop: {} - lzop
python3.11-venv: {} - python3.11-venv
xz-utils: {} - xz-utils
lm-sensors::package: lm-sensors lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false networking::nwmgr_dns_none: false
-81
View File
@@ -1,7 +1,4 @@
--- ---
hiera_include:
- profiles::nginx::simpleproxy
profiles::yum::global::repos: profiles::yum::global::repos:
ceph-reef: ceph-reef:
name: ceph-reef name: ceph-reef
@@ -21,81 +18,3 @@ profiles::base::groups::local:
gid: 20000 gid: 20000
allowdupe: false allowdupe: false
forcelocal: true forcelocal: true
ldap_host: 'ldap.service.consul'
ldap_basedn: 'dc=main,dc=unkin,dc=net'
profiles::nginx::simpleproxy::locations:
# authentication proxy
authproxy:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
internal: true
location: '= /auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
proxy_set_header:
- 'Content-Length ""'
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
- 'X-Ldap-Starttls "false"'
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
- 'X-CookieName "nginxauth"'
- 'Cookie nginxauth=$cookie_nginxauth'
- "X-Ldap-Template %{lookup('ldap_template')}"
- 'X-Ldap-Realm "Restricted"'
proxy_cache: 'cache'
proxy_cache_valid: '200 10m'
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
location_cfg_append:
proxy_pass_request_body: 'off'
# health checks by consul/haproxy
arrstack_web_healthcheck:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/consul/health'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
location_allow:
- 127.0.0.1
- "%{facts.networking.ip}"
- 198.18.13.25
- 198.18.13.26
location_deny:
- all
# authorised access from external
arrstack_web_external:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
auth_request: '/auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
# location for api, which should be accessible without authentication
arrstack_api:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '~ /api'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
location_cfg_append:
client_max_body_size: '20m'
+1 -16
View File
@@ -1,6 +1,7 @@
--- ---
hiera_include: hiera_include:
- jellyfin - jellyfin
- profiles::nginx::simpleproxy
# manage jellyfin # manage jellyfin
jellyfin::params::service_enable: true jellyfin::params::service_enable: true
@@ -45,19 +46,3 @@ profiles::consul::client::node_rules:
- resource: service - resource: service
segment: jellyfin segment: jellyfin
disposition: write disposition: write
profiles::yum::global::repos:
rpmfusion-free:
name: rpmfusion-free
descr: rpmfusion-free repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
mirrorlist: absent
rpmfusion-nonfree:
name: rpmfusion-nonfree
descr: rpmfusion-nonfree repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
-1
View File
@@ -1,3 +1,2 @@
--- ---
lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=] lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEDEyk6fBBnrjZvfK8MnUVOTWxhFGtgY34/2CuIq55MoVLsk2ZgVrL7Kt+94bqFhwEB67kuNpMGXqTgW5ose2yWs5iVSJLECsf9C+tvGBGwaV35LNwP5S3aQmFagyTpZZz9QlGKC7818jlXz7vZWDtiUhy5TGMHeyS0fdjCveavtZR28A+ZrvWjJeLdN47mmvYwYfFnQBs3kSgkl5KyMVhFWSFOSLeHsuEzCVXHoQ1jQG+2TV5m18wV0RR/sOju2E+vsulqlDgCyifgoiry4GzJeKNrNDI2bifzHCAi6yZqHL/klyqbGTnKLlA4xKoXsHF+xEwcoq4S9JDLAdWeH1SDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCdvh4yn8knozcYhinybRq3gDAwTKv8VakQG7XK/mcEplwtoiKqLnj9IIGdIUh1zPi2Sg48ET5rfZyl0p7ddIYoHjU=]
+3 -7
View File
@@ -1,7 +1,7 @@
--- ---
hiera_include: hiera_include:
- lidarr - lidarr
- profiles::nginx::ldapauth - profiles::nginx::simpleproxy
# manage lidarr # manage lidarr
lidarr::params::user: lidarr lidarr::params::user: lidarr
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=lidarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service # configure consul service
nginx::client_max_body_size: 10M
consul::services: consul::services:
lidarr: lidarr:
service_name: 'lidarr' service_name: 'lidarr'
@@ -45,7 +41,7 @@ consul::services:
checks: checks:
- id: 'lidarr_http_check' - id: 'lidarr_http_check'
name: 'Lidarr HTTP Check' name: 'Lidarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health" http: "https://%{facts.networking.fqdn}:443"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'
-2
View File
@@ -1,2 +0,0 @@
---
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAPomn4iZbT0JEysvDo7OgblpoQLFp9DzryY558UfVWQq6HDAkgoSC42cbgZGBPFclCgLaO/LfBrFpRXkafEVV33Vg2AmP/FiS9SmmwREc3t/ZTvENlDIgasY3pDIph0/i5u0S45mjyzzciBK0KY6cMZvPDVRvU+d0SyVnbSBlef6VmyZOhUk6ILpaYTGu+suVR/BAL/DTKsmmY7iTotTWN+IW/1cY3vprvBMJQVftaO1WSqKftmX29/PAsxbQo6AMpuQFx/dMcMe3d5JTB0mgzIhAFaKmSC8vJFqe21Nrr8F+PxJMSEl1saBJTwJc5RyPVm9ejVKfcPhDfWK5stNNvjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAo205Hvo/Z+rhnSGgkTS2YgDB7pTHdgnQz1UOK323DRljWcqx+SnCA7izyF1SNMlzlCck79Fr4zKh0qnbYsMZDWZU=]
-77
View File
@@ -1,77 +0,0 @@
---
hiera_include:
- nzbget
- profiles::media::nzbget
- profiles::nginx::ldapauth
# manage nzbget
nzbget::params::user: nzbget
nzbget::params::group: media
nzbget::params::manage_group: false
# additional altnames
profiles::pki::vault::alt_names:
- nzbget.main.unkin.net
- nzbget.service.consul
- nzbget.query.consul
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'nzbget.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- nzbget.main.unkin.net
- nzbget.service.consul
- nzbget.query.consul
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 6789
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_nzbget,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=nzbget_access,ou=groups,dc=main,dc=unkin,dc=net))'
profiles::nginx::simpleproxy::locations:
arrstack_web_healthcheck:
location_cfg_append:
rewrite: '/consul/health / break'
# configure consul service
consul::services:
nzbget:
service_name: 'nzbget'
tags:
- 'media'
- 'nzbget'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'nzbget_http_check'
name: 'nzbget HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: nzbget
disposition: write
profiles::yum::global::repos:
rpmfusion-free:
name: rpmfusion-free
descr: rpmfusion-free repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
mirrorlist: absent
rpmfusion-nonfree:
name: rpmfusion-nonfree
descr: rpmfusion-nonfree repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
@@ -1,3 +1,2 @@
--- ---
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=] prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhduPAqoZuq/xeRs4f/KX4r88evPMogQX79yofLAB5Qqdr48s2X0BAa1iiw0vMdL6Tf0uc794WJN5MP2Yp365Vk1yhwgqH92rt5hKPI+wBN5uak2iLgLzLWsp0HOx7d1ukDWBbj0lI6G5LiofsL3KJbbTnkovn06L4PRJXgn44+ynfywiCl2tPy2294DhfooeM6/Cy+t9lA6blzHLCOHtt/rBKmk1GT2y3YBCPhRfOumWXQWnv4Q+f6KkQkvpfPyAFYNiQxQYBv5bGwLnwiDk3xQnPM4FfcutVuAOKjsoeMa+K1KShDFyEfBxIER8JSpigj2/khstyihcVW0Xrod3uDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCRqqRwMThwn1F/6byFhTWxgDAfucfkFhmqxBv/u5H+wWnjvK5EH7eU/fECrajYPBW/cmsYjLgXlwrAzFGqWze3AZc=]
+3 -16
View File
@@ -1,7 +1,7 @@
--- ---
hiera_include: hiera_include:
- prowlarr - prowlarr
- profiles::nginx::ldapauth - profiles::nginx::simpleproxy
# manage prowlarr # manage prowlarr
prowlarr::params::user: prowlarr prowlarr::params::user: prowlarr
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_prowlarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=prowlarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service # configure consul service
nginx::client_max_body_size: 10M
consul::services: consul::services:
prowlarr: prowlarr:
service_name: 'prowlarr' service_name: 'prowlarr'
@@ -45,7 +41,7 @@ consul::services:
checks: checks:
- id: 'prowlarr_http_check' - id: 'prowlarr_http_check'
name: 'Prowlarr HTTP Check' name: 'Prowlarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health" http: "https://%{facts.networking.fqdn}:443"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'
@@ -54,12 +50,3 @@ profiles::consul::client::node_rules:
- resource: service - resource: service
segment: prowlarr segment: prowlarr
disposition: write disposition: write
profiles::nginx::simpleproxy::locations:
arrstack_web_external:
location_satisfy: any
location_allow:
- 198.18.13.47
- 198.18.13.50
- 198.18.13.51
- 198.18.13.52
-1
View File
@@ -1,3 +1,2 @@
--- ---
radarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALtNnNr2N7DpP9zx5anmQavFmsTLIyPkpJGCkJpUTHMYFSScS/3FOUuufajk4Cmu4FbPswp/N/U1nHO8oLF6xNQ+H77+xXuKPalW/3R1IRqGoczwsAfstJ6nYF+PLjjeK2TDP+KMs3Eg2+nrXB7NOVOP88RvDLyZq93Wn9qR+1VG6Y2gLqGSJArZpNilV5ygUYRgbMeckjqfLynYBXtgDQQLYNhxDO6WGRRv+0X773nmOdrWFAUjqF6/K+Ejjk5ZbaqnGyjljMstSrhg7NWxtMRbCjeMpjUjUS4Hn/Vayg2M2Ag2s87gsE1e4QFa6KP7GVRu3swvyZ3D54Ba/xrebxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDD6gIEfNGPXA8zv/vysgxJgDADMi7Fx5q+aqTMeqcKLg1AukTlCnJ62zykm6RNGdS0KlpJsvTSmWF4So3v/9BsKdk=] radarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALtNnNr2N7DpP9zx5anmQavFmsTLIyPkpJGCkJpUTHMYFSScS/3FOUuufajk4Cmu4FbPswp/N/U1nHO8oLF6xNQ+H77+xXuKPalW/3R1IRqGoczwsAfstJ6nYF+PLjjeK2TDP+KMs3Eg2+nrXB7NOVOP88RvDLyZq93Wn9qR+1VG6Y2gLqGSJArZpNilV5ygUYRgbMeckjqfLynYBXtgDQQLYNhxDO6WGRRv+0X773nmOdrWFAUjqF6/K+Ejjk5ZbaqnGyjljMstSrhg7NWxtMRbCjeMpjUjUS4Hn/Vayg2M2Ag2s87gsE1e4QFa6KP7GVRu3swvyZ3D54Ba/xrebxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDD6gIEfNGPXA8zv/vysgxJgDADMi7Fx5q+aqTMeqcKLg1AukTlCnJ62zykm6RNGdS0KlpJsvTSmWF4So3v/9BsKdk=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAf6LbAXy3EsJqkf4KO8xikpXfSVIVOD2obnwZLPEiCfbC0iJyZ2Uc/RbHM9NnIpg8dgEnYGgaBM9HC+kFKYFP4skLsPQ0mpqOv13WbOAHOphhyBxWc/n4Eg4HqMAiHsC4qA9Sj5j4F29tNiMmpNM0eqDXD6YIrajV5IF+SKQQzZrNSrcDrzjqENaMnJWVc2gj7Zb9kPB1LdM5ZfljpPtfQHXHhh9ShTDKuWMx46nc+UYaRcJqHEns7OExwpsEAtA1SSunD81PTijJ6Bn1Y6cAsZoBot5YgFGaWtgQ4jvEqj7EbG8gDJuHMSwa9RzA9SMsVwEh2g1pko7wYbBR/arV7jBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAhZlVaEdaLNh60gAY0KwEKgDAHPoXfFRq0I2K2J+NFgNFm/A00jYGVRfuPsX6VZfPaJ499dtMiJifrK3Kfk1oXpvk=]
+3 -7
View File
@@ -1,7 +1,7 @@
--- ---
hiera_include: hiera_include:
- radarr - radarr
- profiles::nginx::ldapauth - profiles::nginx::simpleproxy
# manage radarr # manage radarr
radarr::params::user: radarr radarr::params::user: radarr
@@ -28,13 +28,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_radarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=radarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service # configure consul service
nginx::client_max_body_size: 10M
consul::services: consul::services:
radarr: radarr:
service_name: 'radarr' service_name: 'radarr'
@@ -46,7 +42,7 @@ consul::services:
checks: checks:
- id: 'radarr_http_check' - id: 'radarr_http_check'
name: 'radarr HTTP Check' name: 'radarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health" http: "https://%{facts.networking.fqdn}:443"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'
-1
View File
@@ -1,3 +1,2 @@
--- ---
readarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlJ5RLp6pVTGQgtbzO5cQSrHBMg80S1ImFprHDeWC3GPN2KbheM80b1FKxvN+oVUJ8/kfiV6zstLOoYPUJQfmJNa/Xe95W/5+9hH2IS/oQ0yVdfLOjRq//qp+mVvSJ7JrtOyYSIrU3HjxaD+eXTPYp4UEJKfdSmGyDr7XuCOVIZe0Lu7OHczs8VKrowN99RJZ589HoMqrqCZWPlx14l/uNFjYdK/w6VcUWoo9y/5z1jtsNIObV8kSAYQQLwSr3tmjJdEE3au4sjeMOOJDpGcd5aJRWpKp12+8oHdVR5BV5326aCb13tkp6Td0jq/W9J2Jyv05vUdpP3PnVH9mHPDh6TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDA+2mMNGwfYM+mRoVTQiZMgDBanhVFmpYe42vZgMBKpNcNRjTnoCl27RpxD3KnjYwkE1zw/NeEOLoSZ1Try3GrlaA=] readarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlJ5RLp6pVTGQgtbzO5cQSrHBMg80S1ImFprHDeWC3GPN2KbheM80b1FKxvN+oVUJ8/kfiV6zstLOoYPUJQfmJNa/Xe95W/5+9hH2IS/oQ0yVdfLOjRq//qp+mVvSJ7JrtOyYSIrU3HjxaD+eXTPYp4UEJKfdSmGyDr7XuCOVIZe0Lu7OHczs8VKrowN99RJZ589HoMqrqCZWPlx14l/uNFjYdK/w6VcUWoo9y/5z1jtsNIObV8kSAYQQLwSr3tmjJdEE3au4sjeMOOJDpGcd5aJRWpKp12+8oHdVR5BV5326aCb13tkp6Td0jq/W9J2Jyv05vUdpP3PnVH9mHPDh6TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDA+2mMNGwfYM+mRoVTQiZMgDBanhVFmpYe42vZgMBKpNcNRjTnoCl27RpxD3KnjYwkE1zw/NeEOLoSZ1Try3GrlaA=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcOegaqGEsivQAlhSYvaiVUij4QJ/kterSg+wX/7P/oWjSN1oSNAFfco6lg5fYUsR7HDKZ4IwYuO1Q/q8hOxYkqzYrH/MIAhZatfQxyxriKuekxqOMuXgwrWCzAexQL0Fb4s5gcHQ4fwy5OxsM1CxFXnSSm1eYNXl5IERd//c0dFoIcshiGlOCFsj8Ne9mookFTJQDZrxM4VMXaVb+Fl9mOyy1ppDBKHTP/1ise/6LIUi+9YngamAWLIrsur5KvR45kvRoxDNLfJZasAqhD/5QLceDdSxqKBDur57QzmoPo2lFdT4WlzphKOdyHZtYOYr7BPdbtCqkXTWdkXvqFlRxjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCXhYe6zoRW7/OxVrZnAEoTgDDPFTz5S4nZWiwzjdT7Yd88Ii6I/v6ckaKTx0gd0pZKsVZkFYQBBhIfqFS2ho0UG3Y=]
+3 -7
View File
@@ -1,7 +1,7 @@
--- ---
hiera_include: hiera_include:
- readarr - readarr
- profiles::nginx::ldapauth - profiles::nginx::simpleproxy
# manage readarr # manage readarr
readarr::params::user: readarr readarr::params::user: readarr
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_readarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=readarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service # configure consul service
nginx::client_max_body_size: 10M
consul::services: consul::services:
readarr: readarr:
service_name: 'readarr' service_name: 'readarr'
@@ -45,7 +41,7 @@ consul::services:
checks: checks:
- id: 'readarr_http_check' - id: 'readarr_http_check'
name: 'Readarr HTTP Check' name: 'Readarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health" http: "https://%{facts.networking.fqdn}:443"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'
-1
View File
@@ -1,2 +1 @@
sonarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANhwc0Vk0htkacwqGA/ZEVR7hpC1V2+nyP3lxyqkVNWERdcIsoMjlfwp2QNoLVirALY10Kon1wKXiRLT+QOqF9aTapS2Vb2YH3ZujR5yT6T1z4e0o4EA3IlNJZemVIziIqrK8+8zZzVafYdOYwMwpbc5EzoJPBtdqNHbDaQu4bRTCp2yMISTOzFjZpOoEJlRyC8YrffNU2xzA5mh5Cw+00MdIfPd8enrCnA4b1ddqP/IsfEYRt91ANQBULwKC5wenKdJAN5qKSKW6KU9TUM5YvGvUPgTvcYgXNf3/INL6G3/HwISTE5A7S6lqwYLyRTT1fMHtgDIqS936DPqCdAZtzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBZ4e3jAM0zvV43IrCzQOGIgDBwOWgm+wJG+jAU8r1awWDvzQXgF3h65nAKfoOuGEztsjeBEruU4EmZy6llLbfSSb8=] sonarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANhwc0Vk0htkacwqGA/ZEVR7hpC1V2+nyP3lxyqkVNWERdcIsoMjlfwp2QNoLVirALY10Kon1wKXiRLT+QOqF9aTapS2Vb2YH3ZujR5yT6T1z4e0o4EA3IlNJZemVIziIqrK8+8zZzVafYdOYwMwpbc5EzoJPBtdqNHbDaQu4bRTCp2yMISTOzFjZpOoEJlRyC8YrffNU2xzA5mh5Cw+00MdIfPd8enrCnA4b1ddqP/IsfEYRt91ANQBULwKC5wenKdJAN5qKSKW6KU9TUM5YvGvUPgTvcYgXNf3/INL6G3/HwISTE5A7S6lqwYLyRTT1fMHtgDIqS936DPqCdAZtzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBZ4e3jAM0zvV43IrCzQOGIgDBwOWgm+wJG+jAU8r1awWDvzQXgF3h65nAKfoOuGEztsjeBEruU4EmZy6llLbfSSb8=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF5/sP43SJX/FB6cAS0GPqxC78JS7jSNKoUqWB/IXkv8uXYiClqk+Xw4nFx8EtknNn628DHBY3vCLQ59Xk89p0fyimP70m3BM6or5iRGdCqEAOzL399GbYX8WFHjyQRBmGdaLR5h2r5UnmjuPpDtV+fgsqxo4gNpXnuQ+46ZZPQce/dzHzux+4aEK4Q6UbD/ZZSQklD6zEUV+Agj6E9cQlJPBiHtTyUdXOYHYlJN1HhFPXu3C6KIz63YioVCah1n6T/rJtPQ07pVUfizIaJiPpzcUN91+ZWyyjUPo0bRGZtYKVs/uCAYXht4F5ttKQDaGa3wd4a5IdtacmEWQWFqk3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDtB/68xkjxK3nrNh0MilACgDDt85aBvSp/Oj9EY67eNPr+JcnQ7WfyuqAYAnmYqfbQI8MDtYAx7br0+inJXvQ1BvI=]
+3 -7
View File
@@ -1,7 +1,7 @@
--- ---
hiera_include: hiera_include:
- sonarr - sonarr
- profiles::nginx::ldapauth - profiles::nginx::simpleproxy
# manage sonarr # manage sonarr
sonarr::params::user: sonarr sonarr::params::user: sonarr
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service # configure consul service
nginx::client_max_body_size: 10M
consul::services: consul::services:
sonarr: sonarr:
service_name: 'sonarr' service_name: 'sonarr'
@@ -45,7 +41,7 @@ consul::services:
checks: checks:
- id: 'sonarr_http_check' - id: 'sonarr_http_check'
name: 'Sonarr HTTP Check' name: 'Sonarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health" http: "https://%{facts.networking.fqdn}:443"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'
+2 -2
View File
@@ -1,6 +1,6 @@
--- ---
profiles::packages::include: profiles::packages::install:
policycoreutils: {} - policycoreutils
puppetdb::master::config::create_puppet_service_resource: false puppetdb::master::config::create_puppet_service_resource: false
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}" #puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
+8 -130
View File
@@ -48,79 +48,21 @@ glauth::users:
user_name: 'benvin' user_name: 'benvin'
givenname: 'Ben' givenname: 'Ben'
sn: 'Vincent' sn: 'Vincent'
mail: 'benvin@users.main.unkin.net' mail: 'ben@users.main.unkin.net'
uidnumber: 20000 uidnumber: 20000
primarygroup: 20000 primarygroup: 20000
othergroups: othergroups:
- 20025 # media_admin - 20010
- 20017 # rundeck_access - 20011
- 20018 # rundeck_globaladmin - 20012
- 20023 # vault_access - 20013
- 20014
- 20015
loginshell: '/bin/bash' loginshell: '/bin/bash'
homedir: '/home/benvin' homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a' passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
sshkeys: sshkeys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net' - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net'
matsol:
user_name: 'matsol'
givenname: 'Matt'
sn: 'Solomon'
mail: 'matsol@users.main.unkin.net'
uidnumber: 20001
primarygroup: 20000
othergroups:
- 20025 # media_admin
loginshell: '/bin/bash'
homedir: '/home/matsol'
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
seablo:
user_name: 'seablo'
givenname: 'Sean'
sn: 'Bloomfield'
mail: 'seablo@users.main.unkin.net'
uidnumber: 20002
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/seablo'
passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
marbal:
user_name: 'marbal'
givenname: 'Mark'
sn: 'Balch'
mail: 'marbal@users.main.unkin.net'
uidnumber: 20003
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/marbal'
passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
kelren:
user_name: 'kelren'
givenname: 'Kelly'
sn: 'Rennie'
mail: 'kelren@users.main.unkin.net'
uidnumber: 20004
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/kelren'
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
ryadun:
user_name: 'ryadun'
givenname: 'Dunbar'
sn: 'Ryan'
mail: 'ryadun@users.main.unkin.net'
uidnumber: 20005
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/ryadun'
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
glauth::services: glauth::services:
svc_jellyfin: svc_jellyfin:
@@ -134,7 +76,7 @@ glauth::services:
mail: 'sonarr@service.main.unkin.net' mail: 'sonarr@service.main.unkin.net'
uidnumber: 30001 uidnumber: 30001
primarygroup: 20001 primarygroup: 20001
passsha256: '2c32d4cb831183cfbef15835cc76f99b401d0159621bc580e852253d4d8f8722' passsha256: 'e4068a02bb930c2c2ccfea6b638df1fb4c29c1b083732b92e91da47d5de4a51d'
svc_radarr: svc_radarr:
service_name: 'svc_radarr' service_name: 'svc_radarr'
mail: 'radarr@service.main.unkin.net' mail: 'radarr@service.main.unkin.net'
@@ -159,38 +101,6 @@ glauth::services:
uidnumber: 30005 uidnumber: 30005
primarygroup: 20001 primarygroup: 20001
passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043' passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043'
svc_nzbget:
service_name: 'svc_nzbget'
mail: 'nzbget@service.main.unkin.net'
uidnumber: 30006
primarygroup: 20001
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
svc_nzbsubmit:
service_name: 'svc_nzbsubmit'
mail: 'nzbsubmit@service.main.unkin.net'
uidnumber: 30007
primarygroup: 20001
othergroups:
- 20016
passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2'
svc_rundeck:
service_name: 'svc_rundeck'
mail: 'rundeck@service.main.unkin.net'
uidnumber: 30007
primarygroup: 20001
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
svc_terraform:
service_name: 'svc_terraform'
mail: 'terraform@service.main.unkin.net'
uidnumber: 30008
primarygroup: 20001
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
svc_vault:
service_name: 'svc_vault'
mail: 'vault@service.main.unkin.net'
uidnumber: 30009
primarygroup: 20001
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
glauth::groups: glauth::groups:
users: users:
@@ -217,35 +127,3 @@ glauth::groups:
prowlarr_access: prowlarr_access:
group_name: 'prowlarr_access' group_name: 'prowlarr_access'
gidnumber: 20015 gidnumber: 20015
nzbget_access:
group_name: 'nzbget_access'
gidnumber: 20016
rundeck_access:
group_name: 'rundeck_access'
gidnumber: 20017
rundeck_globaladmin:
group_name: 'rundeck_globaladmin'
gidnumber: 20018
rundeck_selfservice_admin:
group_name: 'rundeck_selfservice_admin'
gidnumber: 20019
rundeck_selfservice_user:
group_name: 'rundeck_selfservice_user'
gidnumber: 20020
rundeck_infrastructure_admin:
group_name: 'rundeck_infrastructure_admin'
gidnumber: 20021
rundeck_infrastructure_user:
group_name: 'rundeck_infrastructure_user'
gidnumber: 20022
vault_access:
group_name: 'vault_access'
gidnumber: 20023
media_access:
group_name: 'media_access'
gidnumber: 20024
includegroups: [20010, 20011, 20012, 20013, 20014, 20016]
media_admin:
group_name: 'media_admin'
gidnumber: 20025
includegroups: [20024, 20015]
File diff suppressed because one or more lines are too long
@@ -1,205 +0,0 @@
---
hiera_include:
- profiles::rundeck::server
- profiles::nginx::simpleproxy
hiera_exclude:
- profiles::accounts::rundeck
profiles::packages::exclude:
- jq
profiles::ssh::sign::principals:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 4440
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 20M
# additional altnames
profiles::pki::vault::alt_names:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
rundeck:
service_name: 'rundeck'
tags:
- 'automation'
- 'rundeck'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'glauth_http_check'
name: 'glauth HTTP Check'
http: "http://%{facts.networking.fqdn}:4440"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: rundeck
disposition: write
profiles::rundeck::server::mysql_backend: true
profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
profiles::rundeck::server::auth_config:
file:
auth_flag: 'sufficient'
jaas_config:
file: '/etc/rundeck/realm.properties'
realm_config:
admin_user: 'admin'
admin_password: "%{hiera('rundeck_admin_pass')}"
ldap:
jaas_config:
debug: 'true'
providerUrl: 'ldap://ldap.service.consul:389'
bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
bindPassword: "%{hiera('ldap_bindpass')}"
authenticationMethod: 'simple'
forceBindingLogin: 'true'
userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
userRdnAttribute: 'uid'
userIdAttribute: 'uid'
userPasswordAttribute: 'userPassword'
userObjectClass: 'posixAccount'
roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
roleNameAttribute: 'uid'
roleMemberAttribute: 'uniqueMember'
roleObjectClass: 'groupOfUniqueNames'
nestedGroups: 'true'
profiles::rundeck::server::key_storage_config:
- type: 'db'
path: 'keys'
- type: 'vault-storage'
path: 'vault'
config:
prefix: 'rundeck'
address: https://vault.query.consul:8200
storageBehaviour: 'vault'
secretBackend: rundeck
engineVersion: '2'
authBackend: approle
approleAuthMount: approle
approleId: "%{hiera('vault::roleid')}"
profiles::rundeck::server::cli_projects:
Self-Service:
update_method: 'set'
config:
project.description: 'self-service tasks'
project.disable.executions: 'false'
Infrastructure:
config:
project.description: 'infrastructure management'
project.disable.schedule: 'false'
profiles::rundeck::server::acl_policies:
global_admin_policy:
acl_policies:
- description: 'Global Admin, all access'
context:
application: "rundeck"
for:
project:
- allow: '*'
resource:
- allow: '*'
storage:
- allow: '*'
by:
- group: ['rundeck_globaladmin']
- description: 'Global Admin, all access'
context:
project: '.*'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_globaladmin']
selfservice_admin_policy:
acl_policies:
- description: 'Admin, all access for Self-Service project'
context:
project: 'Self-Service'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_selfserice_admin']
selfservice_user_policy:
acl_policies:
- description: 'Users can execute tasks but not edit for Self-Service project'
context:
project: 'Self-Service'
for:
resource:
- allow: ['read']
adhoc:
- allow: ['run']
job:
- allow: ['read', 'run']
node:
- allow: ['read', 'run']
by:
- group: ['rundeck_selfserice_user']
infrastructure_admin_policy:
acl_policies:
- description: 'Admin, all access for Infrastructure project'
context:
project: 'Infrastructure'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_infrastructure_admin']
infrastructure_user_policy:
acl_policies:
- description: 'Users can execute tasks but not edit for Infrastructure project'
context:
project: 'Infrastructure'
for:
resource:
- allow: ['read']
adhoc:
- allow: ['run']
job:
- allow: ['read', 'run']
node:
- allow: ['read', 'run']
by:
- group: ['rundeck_infrastructure_user']
+11 -11
View File
@@ -1,15 +1,15 @@
--- ---
profiles::packages::include: profiles::packages::install:
cobbler: {} - cobbler
cobbler3.2-web: {} - cobbler3.2-web
httpd: {} - httpd
syslinux: {} - syslinux
dnf-plugins-core: {} - dnf-plugins-core
debmirror: {} - debmirror
pykickstart: {} - pykickstart
fence-agents: {} - fence-agents
selinux-policy-devel: {} - selinux-policy-devel
ipxe-bootimgs: {} - ipxe-bootimgs
profiles::pki::vault::alt_names: profiles::pki::vault::alt_names:
- cobbler.main.unkin.net - cobbler.main.unkin.net
-2
View File
@@ -1,2 +0,0 @@
---
redisha::masterauth: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAV8znsSGAbPpPUhAcyOIWFltVyAcx3yVcIvC+JFndkkuVBT1813GSURrXIreXSilvJEHlwRC03A9NhjWJSsHBIS12uUb+7ap95oh2JJ7OHmeWSVD1GDDRpTQAgDEOikAnioRNJfQ83jUa11nJrsavt46hSq8vDq+rZ2P8ugiNk59mNX5vgYthCPXcEJd7UmpLZhgxZ8+42l4TKo7QpqKRcIMteJXk1NvyYfYGnGTZhknuyHM3xPGauGjKzamMlTzD9dGnn2K0/Q7I4PUyT24ZEG3kNVyDlVHTYcKnIT5q8qvmJdDQfZwOETF3SrzcqhQ2nqFvmI19sCTsQVmveb/2ITBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9KML3vzwF4vGZdtiu++jmgDAWPZspCckgoXPkgNRMePov3pXSlKUAGxwmdsuIM75rJMxlSTiil2lzMMBWXmUofys=]
-67
View File
@@ -1,67 +0,0 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- redis.main.unkin.net
- redis.service.consul
- redis.query.consul
- "redis.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- redis.main.unkin.net
- redis.service.consul
- redis.query.consul
hiera_include:
- redisha
redisha::manage_repo: false
redisha::redisha_members_lookup: true
redisha::redisha_members_role: roles::infra::db::redis
#redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
#redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
redisha::tools::requirepass: "%{hiera('redisha::masterauth')}"
sudo::configs:
consul:
priority: 20
content: |
consul ALL=(ALL) NOPASSWD: /usr/local/sbin/sentineladm info
consul::services:
redis-replica:
service_name: "redis-replica-%{facts.environment}"
tags:
- 'redis'
- 'redis-replica'
address: "%{facts.networking.ip}"
port: 6379
checks:
- id: 'redis-replica_tcp_check'
name: 'Redis Replica TCP Check'
tcp: "%{facts.networking.ip}:6379"
interval: '10s'
timeout: '1s'
redis-master:
service_name: "redis-master-%{facts.environment}"
tags:
- 'redis'
- 'redis-master'
address: "%{facts.networking.ip}"
port: 6379
checks:
- id: 'redis-master_tcp_check'
name: "Redis Master Check"
args:
- '/usr/local/bin/check_redis_master'
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: "redis-replica-%{facts.environment}"
disposition: write
- resource: service
segment: "redis-master-%{facts.environment}"
disposition: write
+8
View File
@@ -33,6 +33,13 @@ profiles::dns::resolver::zones:
- 10.10.16.32 - 10.10.16.32
- 10.10.16.33 - 10.10.16.33
forward: 'only' forward: 'only'
unkin.net-forward:
domain: 'unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
dmz.unkin.net-forward: dmz.unkin.net-forward:
domain: 'dmz.unkin.net' domain: 'dmz.unkin.net'
zone_type: 'forward' zone_type: 'forward'
@@ -60,6 +67,7 @@ profiles::dns::resolver::views:
recursion: true recursion: true
zones: zones:
- main.unkin.net-forward - main.unkin.net-forward
- unkin.net-forward
- dmz.unkin.net-forward - dmz.unkin.net-forward
- network.unkin.net-forward - network.unkin.net-forward
- prod.unkin.net-forward - prod.unkin.net-forward
-2
View File
@@ -1,2 +0,0 @@
---
droneci_server::rpc_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF8cEANj72ACYYdilP52Oz4EXVt+stx838tFVV4SFukoCTmN+kJ3GUUEM9x+oDvo17CsZhDzx5dX0JGo7N9MCLHsR4XKx3GSoAKvaSiD73TbzbdTNJgTIE1tRP9HNbJKizwWLo4lo+OUNtwnu0Z5dkMLYRHyvZ1hG24qmdXVn9DI06gVGQw9YXGmNy8AvA0BKnaHvUnE5XoLNVKZ4g1yvc/nkYpK6nLB+X4sZ96PRig7khiuFVvAfpg5c2iWnF13ljIajnG9uY12RyGaAGfH4l/d3UEyuHyQL4zzT8N7gGt8fvg7eNFx51TyEpVRFLyQ7dqq/lzn0moXVT35PQr9K3DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCGJ+rkxhqmyUUiIQLG7PnggDBPH9gyYAW5/XjDp5xd6GnuSt/WWOwOGxhg+1BoPzbV5o+Xufg5zyMVdYeI1MWD/u8=]
-25
View File
@@ -1,25 +0,0 @@
---
hiera_include:
- profiles::base::datavol
- docker
- droneci::runner
docker::version: latest
docker::curl_ensure: false
droneci::runner::ports:
- 3000:3000
droneci::runner::volumes:
- type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock
- type=bind,source=/data,target=/data
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
droneci::runner::env_vars:
DRONE_RPC_PROTO: https
DRONE_RPC_HOST: droneci.query.consul
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: "%{facts.networking.fqdn}"
DRONE_RUNNER_VOLUMES: /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt
@@ -1,6 +0,0 @@
---
droneci_server::gitea_client_secret: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJLcMKV4EevB8V/vjex+Srq47pWLvPozjSb+vjS/crFpKq3/dgtkJ8WkqF98fPnXxkMowP/BpNexJBCmPtTR2pPTKHIYkXjxGax0g3P2gcgeT7wsNl24mnUJDWZs1/z8ibwUXv4Zg0nbKi+YdomjsvT3vl2IPI88TKZDkq6HBoturwqx2l/edC5IeAi8vgPRXF8hn2TVuslkmoNXoI28Qp10b2XNOCss6KUJ4rbOwpIgdOVFbXqi7CFjhGz/3uS9xK+2m3iuE/gXi8KSKfiQ+QcGuXL9Zy5PH5rrNg4mbrFiaFfTevsHInl1wwRmULilQ0kEY3NW4b/URXqBBuwcN/TBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDlv7tA+6OQwDuL7z3xGYZjgEBcEAj3TQ9R9TntxTyBa9mKFRXimFTDDxdZ2zD96qFNz+7ZZFGD6pFQNHSMC9AYlAue94UsIHJZaXwgAo5zc98Q]
droneci_server::cookie_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKTWrB7Cca8RgFEeP46puzhVWOAiI6nB+m5+/sgz1qNnn6VgNh9Q6D26p9HISrMp4k60KVuGXrIbZYpkvKZmv4zHgK2et+50sr/F1anhDRX4rsmGWVV9n8VhaIJFAyQkW4de9YxV9LAgk0tWs1BgfXv4cV4+sDBv0OSVIFJDst3LUWpBR6lsiV9IifvNNUrdOHkdt5XjuL4JVmc0nkjetAg9HSvJ9VHYLIQagFHnTQp0FWluE1/ibGNc2kz7D4K7cPz2bBxRJWomckSUwgQK0NrGID4D13haZXhKXAO/8QpQOwPra8vD9FYrFenMeFLwdw43NzSr2g/W1ss5PekbWGjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBASshs2UwkGqK4ShFfXni7cgDCDCnEiqcfxIz4X/Bq71IpRKan3uQbHOewFqjNGqoR+1oWupjRxzNL39H9YF1a6i6s=]
droneci_server::database_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEASu4C45TYWZKgIoyqC3YdwYYXn+T+ruP6oIvhYFJ5dxeZ+6HtWbRMViErvpPuWYfgs5qt6Zj9eLz2hqimFCvKiAvzANeZ9hkhw/jkpmvG8iXpDFw6x8QKcPJteRo896KSLiGiVlZfRbgQCGAqiEMw6y6M9CvfCLzE/mZ9gOKjSJVKiioAnXU2fyq0Y0M6g0iLRw0VXl2BVc4ORCnVECARQPo48T3U+TT39q0ar4mRO1AFO0VA5iDJ6/EMPBcH3ekKO/1dB1UbV6VkD3s9BAHGyL5a5Wr6ztg/5Yl6VBCXmECZqpCx8jx8KDUoaj1R/+I83YQxbw9ch76j79haIK6+jzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAh6MmfbUELaWbSNZ9/Dev2gDD/E3G/uYJGXNGl1+PIVwGmi0z2BTXNqg7ax/b/uF5Xc9ZtBSPiSxR6BPRXN3GleNo=]
droneci_server::postgres_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANpDnrpratpuYheXFrN4nwRTauPm9rZz2ubDyJlcxmah+kOWqsWIeEkv5GuATlymfAx5UuHPOv3dJPCSK+YuyQY+kGW/8uEFM68QrNi38NdRqEpdXuPBe5+AmWxcjYK3mdJ4maEwsbbxtYJmD8TF6kskS2P/KhnIzYR5PPHZTaYbEf/W5Da3l+J5WnFYpStuLq+86yZokBAygFPI+y/Ic+zJIdhpzVdLyGuqxGLXZq7nNMrjuNyFPKkCj1BBpuJTMCS4oPKCUTlm5hIIeeC2pFREI0CMTV5siZB8NphobPNn/ZbJrcs9q75LtIa47pkFYRbmV4WPctCwZXg6jtMleuzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDHJaChyidZq/5FN5n+ASJWgDCqUcR/DG9e8AD7fRmTb5BZM8XQ77a1hUJoaCycnMQ/5UyKmqU/7fLPrsxCf2vZU1M=]
droneci_server::redis_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAYMoZlVXHC1qfkDptPy3PyWGrUs5y9M9AOv5Vn1AK6DYViixhjwPZUCfwTONmt7CiBuqmkDOpR5isWFiBo/+TMeMXlM9C/D+Svc9tpeHLpVaXAYeoz5um2InyBFkLWSaUaWSftF9U7O5Nv/OiLIsd7nn4T8Dd21rfUiRfUN/2HPLMCs+mW15Az9XNOcvfm+kPXDAcB+ukHde0vvtYTZEFWjMdwJjjE43DiCmAoLTcpvQxdlclojotBpFeBLZs/F21FDQ4hvBUvPBMuZ1o7ImSP5fuomYSFK8etbD7JO5gg5BN59lGl1ljyR83phv6wmmqlzB8wQl0pjEpni9o7fa9hTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCKJrkPA78qx3wAu1eroIjRgDA72N9U0YZf1MzACcGSOMU5RGO242RwlIKUrnuYcdC0dKkjLXtP+yVpSKkX5WxcsDQ=]
-79
View File
@@ -1,79 +0,0 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- droneci.main.unkin.net
- droneci.service.consul
- droneci.query.consul
- "droneci.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- droneci.main.unkin.net
- droneci.service.consul
- droneci.query.consul
hiera_include:
- docker
- profiles::sql::postgresdb
- droneci
docker::version: latest
docker::curl_ensure: false
profiles::sql::postgresdb::dbname: droneci
profiles::sql::postgresdb::dbuser: droneci
profiles::sql::postgresdb::dbpass: "%{hiera('droneci_server::postgres_password')}"
profiles::sql::postgresdb::members_lookup: true
profiles::sql::postgresdb::members_role: roles::infra::droneci::server
droneci::ports:
- 80:80
- 443:443
droneci::volumes:
- type=bind,source=/var/lib/drone,target=/data
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
droneci::env_vars:
DRONE_GITEA_SERVER: https://git.query.consul
DRONE_GITEA_CLIENT_ID: dda67581-86df-4e65-88ae-1e505b849082
DRONE_USER_CREATE: username:unkinben,admin:true
DRONE_GITEA_CLIENT_SECRET: "%{hiera('droneci_server::gitea_client_secret')}"
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
DRONE_SERVER_HOST: droneci.query.consul
DRONE_SERVER_PROTO: https
DRONE_TLS_CERT: /etc/pki/tls/vault/certificate.crt
DRONE_TLS_KEY: /etc/pki/tls/vault/private.key
DRONE_COOKIE_SECRET: "%{hiera('droneci_server::cookie_secret')}"
DRONE_COOKIE_TIMEOUT: 720h
DRONE_HTTP_SSL_REDIRECT: true
DRONE_HTTP_SSL_TEMPORARY_REDIRECT: true
DRONE_HTTP_SSL_HOST: droneci.query.consul
DRONE_LOGS_TEXT: true
DRONE_LOGS_PRETTY: true
DRONE_LOGS_COLOR: true
DRONE_DATABASE_SECRET: "%{hiera('droneci_server::database_secret')}"
DRONE_DATABASE_DRIVER: postgres
DRONE_DATABASE_DATASOURCE: "postgres://droneci:%{hiera('droneci_server::postgres_password')}@master.patroni-prod.service.au-syd1.consul:5432/droneci?sslmode=disable"
DRONE_REDIS_CONNECTION: "redis://%{hiera('droneci_server::redis_password')}@redis-master-prod.service.au-syd1.consul:6379/2"
consul::services:
droneci:
service_name: 'droneci'
tags:
- 'drone'
- 'droneci'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'droneci_https_check'
name: 'droneci HTTPS Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: droneci
disposition: write
+1 -1
View File
@@ -41,7 +41,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
- "git.service.%{facts.country}-%{facts.region}.consul" - "git.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 3000 profiles::nginx::simpleproxy::proxy_port: 3000
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 1024M nginx::client_max_body_size: 250M
profiles::gitea::init::root: profiles::gitea::init::root:
APP_NAME: 'Gitea' APP_NAME: 'Gitea'
-1
View File
@@ -1 +0,0 @@
profiles::gitea::runner::registration_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOL/ug4IPhEW1n+Lq+SsMSEJUYsDDK2s0+oNF3unxcbH3QDqWo7kuYKkDWQ+W3otcxvuRlbC8+0W2fO2udhF7sSGrF93INsTCDqWlLnaaAgxlgNSXthA4OCJlI8DCLeD/Sr0TTCchUdpQrIpDo6Gh0EUjgRv5574q26or7c/vvtQ4nfLVQOqEV9UpsCgEYiQvXVcf55LEpgaDp4mFL0qCnfzDnGNbZ0GUo6552ka19IocqOqILPnZO0qDcEoLbQ90sP197+5Jw611i1Akx1C4lFP81bazFMpbdiEP0V4Ax+33LfZEb0KnXuMbKOF23vIwwwfpFJaSOAjA5YehA3xM2zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDPJHB2uL+VEyntgZocyoMXgDBJ1dnRWiJM77XomzbNdDUO+ktIHLOTL5do0m4CkXZ1s42KtaAwWL+/EGdxg80UMC8=]
-46
View File
@@ -1,46 +0,0 @@
---
hiera_include:
- docker
- profiles::gitea::runner
docker::version: latest
docker::curl_ensure: false
profiles::gitea::runner::home: /data/runner
profiles::gitea::runner::version: '0.2.10'
profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
profiles::gitea::runner::config:
log:
level: info
runner:
file: "%{hiera('profiles::gitea::runner::home')}/.runner"
capacity: 2
envs:
A_TEST_ENV_NAME_1: a_test_env_value_1
A_TEST_ENV_NAME_2: a_test_env_value_2
env_file: .env
timeout: 3h
insecure: false
fetch_timeout: 5s
fetch_interval: 2s
labels:
- "almalinux-latest"
- "almalinux-8:docker"
- "almalinux-8.10:docker"
cache:
enabled: true
dir: "%{hiera('profiles::gitea::runner::home')}/.cache/actcache"
host: ""
port: 0
external_server: ""
container:
network: ""
privileged: false
options:
workdir_parent: /workspace
valid_volumes: []
docker_host: ""
force_pull: true
force_rebuild: false
host:
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
-4
View File
@@ -53,8 +53,6 @@ profiles::haproxy::frontends:
options: options:
acl: acl:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/' - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
use_backend:
- 'be_letsencrypt if acl-letsencrypt'
http-request: http-request:
- 'set-header X-Forwarded-Proto https' - 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]' - 'set-header X-Real-IP %[src]'
@@ -70,8 +68,6 @@ profiles::haproxy::frontends:
options: options:
acl: acl:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/' - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
use_backend:
- 'be_letsencrypt if acl-letsencrypt'
http-request: http-request:
- 'set-header X-Forwarded-Proto https' - 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]' - 'set-header X-Real-IP %[src]'
@@ -9,5 +9,4 @@ profiles::metrics::server::scrape_jobs:
- puppetdb - puppetdb
- systemd - systemd
- haproxy - haproxy
- postgres
profiles::metrics::server::localstorage: /data/prometheus profiles::metrics::server::localstorage: /data/prometheus
-2
View File
@@ -1,2 +0,0 @@
---
certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
-15
View File
@@ -1,15 +0,0 @@
---
hiera_include:
- certbot
- profiles::pki::puppetcerts
certbot::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- fafflix.unkin.net
+2 -2
View File
@@ -1,3 +1,3 @@
--- ---
profiles::packages::include: profiles::packages::install:
puppetserver: {} - puppetserver
+2 -2
View File
@@ -1,6 +1,6 @@
--- ---
profiles::packages::include: profiles::packages::install:
createrepo: {} - createrepo
profiles::pki::vault::alt_names: profiles::pki::vault::alt_names:
- repos.main.unkin.net - repos.main.unkin.net
-4
View File
@@ -1,4 +0,0 @@
---
profiles::sql::patroni::superuser_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAImaYEH6ktU6KYDu96OtuJu11FbmE+b9YwrkJiv72QfuVivR7lGfieRKcvkrq3IsNcwhhnl1lzyMZHteib7jLEIiaq59AZFiZyfF2E5bhNYfW4QcDJd4QOheU2awkZkl6oaoMUxgWOnqvihYVLDfoJ0lj6hBTFuqIzO/KU+AJ4NMO3+/+AK9+HB0u/8Iyuev4RQBkvaRAoszCcFCWTAZJTmhOgWe4xJIxfbh0/5k/dmT5WQ1JPEQK7hnVly9iToROZJDjuyndNHbrhCQUg4+DYMPS2fZVWvcESfxN8lJjBFPojj9ZbG5mLlq1e4A4KiZNwHfA1V4D88VWOkRg65XtZDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBzToImdK5/pk3UeZPyavjTgDCcYBzwY/g353Pbh0xr/we8KmvsQEtfxPDuPm4Kv4hsD5X0dHu2nGzBAZq5uWcE3RE=]
profiles::sql::patroni::replication_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWyCj+7WfzpTcpBg6uQ5ykGmLZmb/avW3Pc+VWj9bGvxSQCA8LA6HJlEhhL3mrJSTGUyHLgeEebEup9AVHe2k2l/JHIvhyfx7LI+mNDp8u5p40pM6ZxTdIJFOZmOS/nGjAR6mTv6Ennhpw4sWSDYXU0mJPTHGAked2FXV1xsS0zpTY7hccJHuww5ixOw6jP8E1Pu0ex4LmefOXApowf0jZ2pARndlsXwZldahUHIF48XejclpgCK9rTrb4eQsOZr5ozcj0BBpWg/JKNkQt8mQU5l5/z0GDT08Op8g6MVdJuOWr92uPqjc8sydrz0QAx4l8t1KY2fMWK7BPKqSdcOxiDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDEZBNd56BHVGRVfHDPPwZHgDAZKnqicbF/MVKPi1PwwyHrXMW/fWqocgr1zWx6RXWgXICqjJdEFXwFerXXb39RSDg=]
profiles::sql::patroni::postgres_exporter_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAL5brQt9CGFU7okDXZWF1jL1j+RbrQZhKfzGWyWl+SqRK6q+xH0LIzYQhOAji7tlDBzvFZpzglmzj0xDrAkQA46jg1DkR5+9Ozru9jL1nhg/6z/F54DlhAG7Ui0hjgSLal79VABLXa/cb9xJThx97b9xoOW+/vpfSKa4izFtkN9fliClFTVafxLlLLD/yABW99aq1OK+9MyCsppvs/rjWbXvjEKL+C0jawh4dBnc+tYJMHC/k5NIK0th4A/zSYVH5q6gFakpxrV2ubETIbVTDncC8zfRLhnrikZYNbCy5PuJb2a4vW1O0AOzUWqvqbRkWpYF7dJB9fzW/Tu8f8d10KTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAJS5PcA9aJvjGIfKSciLLpgDAU7xXGF+Sj+g1ABMvsenEmgXsdSKVU9ZYusIiGnPdFdN4EF9usi7g4SahochlG0NU=]
-28
View File
@@ -1,28 +0,0 @@
---
profiles::yum::global::repos:
postgresql-15:
name: postgresql-15
descr: postgresql-15 repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
postgresql-common:
name: postgresql-common
descr: postgresql-common repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
profiles::sql::patroni::postgres_exporter_enabled: true
profiles::sql::patroni::postgres_exporter_user: postgres_exporter
profiles::consul::client::node_rules:
- resource: service_prefix
segment: "%{hiera('profiles::sql::patroni::cluster_name')}"
disposition: write
- resource: key_prefix
segment: "service/%{hiera('profiles::sql::patroni::cluster_name')}"
disposition: write
- resource: session_prefix
segment: ""
disposition: write
@@ -89,9 +89,3 @@ profiles::consul::prepared_query::rules:
service_failover_n: 3 service_failover_n: 3
service_only_passing: true service_only_passing: true
ttl: 10 ttl: 10
droneci:
ensure: 'present'
service_name: 'droneci'
service_failover_n: 3
service_only_passing: true
ttl: 10
+2 -2
View File
@@ -125,12 +125,12 @@ profiles::edgecache::params::mirrors:
ensure: present ensure: present
location: '~* ^/ceph/yum/.*/repodata/' location: '~* ^/ceph/yum/.*/repodata/'
rewrite_rules: rewrite_rules:
- '^/ceph/yum/(.*)$ /rpm-18.2.2/$1 break' - '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
proxy: http://158.69.68.124 proxy: http://158.69.68.124
ceph_yum_data: ceph_yum_data:
ensure: present ensure: present
location: /ceph/yum location: /ceph/yum
proxy: http://158.69.68.124/rpm-18.2.2 proxy: http://158.69.68.124/rpm-reef
proxy_cache: cache proxy_cache: cache
proxy_cache_valid: proxy_cache_valid:
- '200 302 1440h' - '200 302 1440h'
+2 -2
View File
@@ -1,3 +1,3 @@
--- ---
profiles::packages::include: profiles::packages::install:
"%{hiera('lm-sensors::package')}": {} - "%{hiera('lm-sensors::package')}"
@@ -1,18 +0,0 @@
# frozen_string_literal: true
Facter.add(:certbot_available_certs) do
confine enc_role: 'roles::infra::pki::certbot'
setcode do
certs_dir = '/etc/letsencrypt/live'
available_certs = []
if Dir.exist?(certs_dir)
Dir.children(certs_dir).each do |entry|
fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
available_certs << entry if File.exist?(fullchain_pem)
end
end
available_certs.join(',')
end
end
-15
View File
@@ -1,15 +0,0 @@
# certbot::cert
define certbot::cert (
Stdlib::Fqdn $domain,
Array $additional_args = ['--http-01-port=8888'],
Boolean $manage_cron = true,
) {
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
@@letsencrypt::certonly { $domain:
additional_args => $additional_args,
manage_cron => $manage_cron,
tag => $location_environment,
}
}
-23
View File
@@ -1,23 +0,0 @@
class certbot::client (
Array[Stdlib::Fqdn] $domains,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
) {
mkdir::p {$data_dir:}
file { $data_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
$domains.each |$domain| {
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
domain => $domain,
destination => "${data_dir}/${domain}",
webserver => $webserver,
require => File[$data_dir],
}
}
}
-51
View File
@@ -1,51 +0,0 @@
define certbot::client::cert (
Stdlib::Fqdn $domain,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
) {
file { $destination:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
$cert_ready_nodes = puppetdb_query("
facts {
name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
}"
)
# Define the certificate files
$cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
if !empty($cert_ready_nodes) {
$files_to_create = $cert_files.reduce({}) |$acc, $file| {
$acc + {
"${destination}/${file}" => {
ensure => 'file',
source => "https://${webserver}/${domain}/${file}",
owner => 'root',
group => 'root',
mode => '0644',
notify => Exec["concat_${domain}_certs"],
}
}
}
create_resources(file, $files_to_create)
exec { "concat_${domain}_certs":
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
path => ['/bin', '/usr/bin'],
refreshonly => true,
require => [
File["${destination}/fullchain.pem"],
File["${destination}/privkey.pem"],
],
}
} else {
notify { 'Certificates are not yet ready on the generator server.': }
}
}
-9
View File
@@ -1,9 +0,0 @@
# certbot::haproxy
class certbot::haproxy {
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
service => 'be_letsencrypt',
ports => [8888],
options => []
}
}
-19
View File
@@ -1,19 +0,0 @@
# certbot::init
class certbot (
String $contact,
Array[Stdlib::Fqdn] $domains = [],
Stdlib::Absolutepath $data_root = '/var/www',
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'https',
Enum['puppet', 'vault'] $nginx_cert_type = 'puppet',
) {
include certbot::nginx
include certbot::selinux
include certbot::haproxy
include certbot::letsencrypt
}
-37
View File
@@ -1,37 +0,0 @@
# certbot::letsencrypt
class certbot::letsencrypt (
String $contact = $certbot::contact,
Array[Stdlib::Fqdn] $domains = $certbot::domains,
Stdlib::Absolutepath $data_root = $certbot::data_root,
) {
class { 'letsencrypt':
configure_epel => false,
package_ensure => 'latest',
email => $contact,
}
# set location_environment
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
# collect exported resources
Letsencrypt::Certonly <<| tag == $location_environment |>>
# statically defined certificate
$domains.each | $domain | {
certbot::cert {$domain:
domain => $domain,
require => Class['letsencrypt'],
}
}
systemd::timer { 'certbot-syncer.timer':
timer_content => epp('certbot/certbot-syncer.timer.epp'),
service_content => epp('certbot/certbot-syncer.service.epp', {
'data_root' => $data_root,
}),
active => true,
enable => true,
require => Class['letsencrypt'],
}
}
-91
View File
@@ -1,91 +0,0 @@
# certbot::nginx
class certbot::nginx (
Stdlib::Absolutepath $data_root = $certbot::data_root,
Stdlib::Fqdn $nginx_vhost = $certbot::nginx_vhost,
Array[Stdlib::Host] $nginx_aliases = $certbot::nginx_aliases,
Stdlib::Port $nginx_port = $certbot::nginx_port,
Stdlib::Port $nginx_ssl_port = $certbot::nginx_ssl_port,
Enum['http','https','both'] $nginx_listen_mode = $certbot::nginx_listen_mode,
Enum['puppet', 'vault'] $nginx_cert_type = $certbot::nginx_cert_type,
) {
# select the certificates to use based on cert type
case $nginx_cert_type {
'puppet': {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
# enum param prevents this ever being reached
}
}
# set variables based on the listen_mode
case $nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_ssl_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
'both': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
# enum param prevents this ever being reached
}
}
mkdir::p {"${data_root}/pub":}
# set the server_names
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
# define the default parameters for the nginx server
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
'www_root' => "${data_root}/pub",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
}
# merge the hashes conditionally
$nginx_parameters = merge($defaults, $extras_hash)
# manage the nginx class
include nginx
# create the nginx vhost with the merged parameters
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
}
-40
View File
@@ -1,40 +0,0 @@
# certbot::selinux
class certbot::selinux (
Stdlib::Absolutepath $data_root = $certbot::data_root,
) {
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
# set httpd_sys_content_t to all files under the www_root
selinux::fcontext { "${data_root}/pub":
ensure => 'present',
seltype => 'httpd_sys_content_t',
pathspec => "${data_root}/pub(/.*)?",
}
# make sure we can connect to other hosts
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
selboolean { 'rsync_client':
persistent => true,
value => 'on',
}
selboolean { 'rsync_export_all_ro':
persistent => true,
value => 'on',
}
selboolean { 'rsync_full_access':
persistent => true,
value => 'on',
}
exec { "restorecon_${data_root}/pub":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_root}/pub",
refreshonly => true,
subscribe => Selinux::Fcontext["${data_root}/pub"],
}
}
}
@@ -1,8 +0,0 @@
[Unit]
Description=certbot-syncer service
[Service]
Type=oneshot
ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
User=root
Group=root
@@ -1,9 +0,0 @@
[Unit]
Description=certbot-syncer timer
[Timer]
OnCalendar=hourly
Persistent=true
[Install]
WantedBy=timers.target
-24
View File
@@ -1,24 +0,0 @@
class droneci (
Hash $env_vars = {},
String $docker_image = 'drone/drone:2',
Array[String] $ports = [],
Array[String] $volumes = [],
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci',
) {
# Create the environment file from a template
file { $env_file:
ensure => file,
content => template('droneci/droneci_env.erb'),
mode => '0644',
}
# Define the systemd service for Drone CI
systemd::unit_file { 'droneci.service':
ensure => present,
content => template('droneci/droneci_service.erb'),
enable => true,
active => true,
subscribe => File[$env_file],
}
}
-24
View File
@@ -1,24 +0,0 @@
class droneci::runner (
Hash $env_vars = {},
String $docker_image = 'drone/drone-runner-docker:1',
Array[String] $ports = [],
Array[String] $volumes = [],
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci_runner',
) {
# Create the environment file from a template
file { $env_file:
ensure => file,
content => template('droneci/droneci_env.erb'),
mode => '0644',
}
# Define the systemd service for Drone CI runner
systemd::unit_file { 'droneci-runner.service':
ensure => present,
content => template('droneci/droneci_runner_service.erb'),
enable => true,
active => true,
subscribe => File[$env_file],
}
}
@@ -1,3 +0,0 @@
<% @env_vars.each do |key, value| -%>
<%= key.upcase %>=<%= value %>
<% end -%>
@@ -1,20 +0,0 @@
[Unit]
Description=Drone CI Runner
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/bin/docker run --rm \
--name=drone-runner \
<% @ports.each do |port| -%>
-p <%= port %> \
<% end -%>
<% @volumes.each do |volume| -%>
--mount <%= volume %> \
<% end -%>
--env-file <%= @env_file %> \
<%= @docker_image %>
Restart=always
[Install]
WantedBy=multi-user.target
@@ -1,20 +0,0 @@
[Unit]
Description=Drone CI Service
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/bin/docker run --rm \
--name=drone \
<% @ports.each do |port| -%>
-p <%= port %> \
<% end -%>
<% @volumes.each do |volume| -%>
--mount <%= volume %> \
<% end -%>
--env-file <%= @env_file %> \
<%= @docker_image %>
Restart=always
[Install]
WantedBy=multi-user.target
-6
View File
@@ -6,12 +6,7 @@ define glauth::obj::service (
Integer $primarygroup, Integer $primarygroup,
String $passsha256, String $passsha256,
Stdlib::Absolutepath $config_path, Stdlib::Absolutepath $config_path,
Optional[Array[Integer]] $othergroups = [],
) { ) {
$formatted_othergroups = $othergroups.empty ? {
true => '[]',
false => "[${othergroups.join(', ')}]",
}
concat::fragment { "glauth_service_${service_name}": concat::fragment { "glauth_service_${service_name}":
target => $config_path, target => $config_path,
content => epp('glauth/obj/service.epp', { content => epp('glauth/obj/service.epp', {
@@ -20,7 +15,6 @@ define glauth::obj::service (
'uidnumber' => $uidnumber, 'uidnumber' => $uidnumber,
'primarygroup' => $primarygroup, 'primarygroup' => $primarygroup,
'passsha256' => $passsha256, 'passsha256' => $passsha256,
'othergroups' => $formatted_othergroups,
}), }),
order => '80', order => '80',
} }
+14 -1
View File
@@ -20,7 +20,20 @@ define glauth::obj::user (
} }
concat::fragment { "glauth_user_${user_name}": concat::fragment { "glauth_user_${user_name}":
target => $config_path, target => $config_path,
content => template('glauth/obj/user.erb'), content => epp('glauth/obj/user.epp', {
'name' => $user_name,
'givenname' => $givenname,
'sn' => $sn,
'mail' => $mail,
'uidnumber' => $uidnumber,
'primarygroup' => $primarygroup,
'loginshell' => $loginshell,
'homedir' => $homedir,
'passsha256' => $passsha256,
'sshkeys' => $sshkeys,
'passappsha256' => $passappsha256,
'othergroups' => $formatted_othergroups,
}),
order => '70', order => '70',
} }
} }
+1 -1
View File
@@ -1,5 +1,5 @@
[[groups]] [[groups]]
name = "<%= $name %>" name = "<%= $name %>"
gidnumber = <%= $gidnumber %> gidnumber = <%= $gidnumber %>
<% if $includegroups.length > 0 { %>includegroups = [<%= $includegroups.join(', ') %>]<% } %> <% if $includegroups.length > 0 { %>includegroups = [<% $includegroups.each |Integer $group| { %><%= $group %>, <% } %>]<% } %>
-1
View File
@@ -4,5 +4,4 @@
uidnumber = <%= $uidnumber %> uidnumber = <%= $uidnumber %>
primarygroup = <%= $primarygroup %> primarygroup = <%= $primarygroup %>
passsha256 = "<%= $passsha256 %>" passsha256 = "<%= $passsha256 %>"
othergroups = <%= $othergroups %>
+14
View File
@@ -0,0 +1,14 @@
[[users]]
name = "<%= $name %>"
<% if $givenname != '' { %>givenname = "<%= $givenname %>"<% } %>
<% if $sn != '' { %>sn = "<%= $sn %>"<% } %>
mail = "<%= $mail %>"
uidnumber = <%= $uidnumber %>
primarygroup = <%= $primarygroup %>
<% if $loginshell != '' { %>loginShell = "<%= $loginshell %>"<% } %>
<% if $homedir != '' { %>homeDir = "<%= $homedir %>"<% } %>
passsha256 = "<%= $passsha256 %>"
<% if $sshkeys.length > 0 { %>sshkeys = [<% $sshkeys.each |String $key| { %>"<%= $key %>", <% } %>]<% } %>
<% if $passappsha256.length > 0 { %>passappsha256 = [<% $passappsha256.each |String $pass| { %>"<%= $pass %>", <% } %>]<% } %>
othergroups = <%= $othergroups %>
-26
View File
@@ -1,26 +0,0 @@
[[users]]
name = "<%= @user_name %>"
<% if @givenname != '' -%>
givenname = "<%= @givenname %>"
<% end -%>
<% if @sn != '' -%>
sn = "<%= @sn %>"
<% end -%>
mail = "<%= @mail %>"
uidnumber = <%= @uidnumber %>
primarygroup = <%= @primarygroup %>
<% if @loginshell != '' -%>
loginShell = "<%= @loginshell %>"
<% end -%>
<% if @homedir != '' -%>
homeDir = "<%= @homedir %>"
<% end -%>
passsha256 = "<%= @passsha256 %>"
<% if @sshkeys.length > 0 -%>
sshkeys = [<%= @sshkeys.map { |key| "\"#{key}\"" }.join(', ') %>]
<% end -%>
<% if @passappsha256.length > 0 -%>
passappsha256 = [<%= @passappsha256.map { |pass| "\"#{pass}\"" }.join(', ') %>]
<% end -%>
othergroups = <%= @formatted_othergroups %>
@@ -1,9 +0,0 @@
# frozen_string_literal: true
require 'facter'
Facter.add(:jellyfin_migration_done) do
setcode do
File.exist?('/etc/sysconfig/jellyfin_migration_done')
end
end
-12
View File
@@ -1,12 +0,0 @@
# frozen_string_literal: true
Facter.add(:psql_is_slave) do
confine enc_role: 'roles::infra::sql::patroni'
setcode do
# Command to check if PostgreSQL is in recovery mode
command = 'sudo -iu postgres psql -tAc "select pg_is_in_recovery()"'
# Execute the command and map the output to a boolean value
{ 't' => true, 'f' => false }[Facter::Core::Execution.execute(command, on_fail: nil)]
end
end
+2 -20
View File
@@ -9,37 +9,19 @@ class networking (
include network include network
include networking::params include networking::params
# manage interfaces
$interfaces.each | $interface, $data | { $interfaces.each | $interface, $data | {
$merged_data = merge($interface_defaults, $data) $merged_data = merge($interface_defaults, $data)
network_config { $interface: network_config {$interface:
* => $merged_data, * => $merged_data,
notify => Exec['networking_reload_network'],
} }
} }
# manage routes
$routes.each | $route, $data | { $routes.each | $route, $data | {
$merged_data = merge($route_defaults, $data) $merged_data = merge($route_defaults, $data)
network_route { $route: network_route {$route:
* => $merged_data, * => $merged_data,
notify => Exec['networking_reload_network'],
} }
} }
# determine which networking service to restart
$restart_command = $facts['os']['family'] ? {
'RedHat' => '/usr/bin/systemctl restart network',
'Debian' => '/usr/bin/systemctl restart networking',
default => fail('Unsupported OS in networking-restart-command'),
}
# restart network/networking only if $restart_networking boolean is true
exec { 'networking_reload_network':
command => $restart_command,
refreshonly => true,
}
# prevent DNS from being overwritten by networkmanager # prevent DNS from being overwritten by networkmanager
if $networking::params::nwmgr_dns_none { if $networking::params::nwmgr_dns_none {
file {'/etc/NetworkManager/conf.d/dns_none.conf': file {'/etc/NetworkManager/conf.d/dns_none.conf':
+15
View File
@@ -0,0 +1,15 @@
class nginxproxy::authproxy {
file { $nginxproxy::auth_ldap_config:
ensure => file,
content => epp('nginxproxy/auth-ldap.py.epp', {
'params' => $nginxproxy::auth_ldap_params
}
),
mode => '0644',
}
#package { 'nginx-auth-ldap':
# ensure => 'present',
# provider => 'pip',
#}
}
+67
View File
@@ -0,0 +1,67 @@
# manage configuration for nginxproxy
class nginxproxy::config {
$proxyurl = "${nginxproxy::proxy_scheme}://${nginxproxy::proxy_host}:${nginxproxy::proxy_port}${nginxproxy::proxy_path}"
$server_names = unique([$facts['networking']['fqdn'], $nginxproxy::nginx_vhost] + $nginxproxy::nginx_aliases)
case $nginxproxy::nginx_cert_type {
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
}
case $nginxproxy::nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginxproxy::nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginxproxy::nginx_ssl_port
$listen_ssl_port = $nginxproxy::nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginxproxy::nginx_port
$listen_ssl_port = $nginxproxy::nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
}
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginxproxy::nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginxproxy::nginx_vhost}_error.log",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
'proxy' => $proxyurl,
}
$nginx_parameters = merge($defaults, $extras_hash)
include 'nginx'
create_resources('nginx::resource::server', { $nginxproxy::nginx_vhost => $nginx_parameters })
}
+38
View File
@@ -0,0 +1,38 @@
# manage a nginx proxy with a wraoper module
class nginxproxy (
Stdlib::Fqdn $nginx_vhost = $nginxproxy::params::nginx_vhost,
Array[Stdlib::Host] $nginx_aliases = $nginxproxy::params::nginx_aliases,
Stdlib::Port $nginx_port = $nginxproxy::params::nginx_port,
Stdlib::Port $nginx_ssl_port = $nginxproxy::params::nginx_ssl_port,
Enum['http','https','both'] $nginx_listen_mode = $nginxproxy::params::nginx_listen_mode,
Enum['puppet', 'vault'] $nginx_cert_type = $nginxproxy::params::nginx_cert_type,
Enum['http','https'] $proxy_scheme = $nginxproxy::params::proxy_scheme,
Stdlib::Port $proxy_port = $nginxproxy::params::proxy_port,
Stdlib::Host $proxy_host = $nginxproxy::params::proxy_host,
String $proxy_path = $nginxproxy::params::proxy_path,
Boolean $simple_mode = $nginxproxy::params::simple_mode,
Array[Hash] $locations = $nginxproxy::params::locations,
Boolean $manage_auth_ldap = $nginxproxy::params::manage_auth_ldap,
Stdlib::Absolutepath $auth_ldap_config = $nginxproxy::params::auth_ldap_config,
Hash $auth_ldap_params = $nginxproxy::params::auth_ldap_params,
) {
if ! $facts['nginx_version'] {
package { 'nginx':
ensure => 'present',
}
} else {
include nginxproxy::config
include nginxproxy::selinux
if $manage_auth_ldap {
include nginxproxy::authproxy
}
if ! $simple_mode {
nginxproxy::locations { 'default':
locations => $locations,
}
}
}
}
+10
View File
@@ -0,0 +1,10 @@
define nginxproxy::locations (
Array[Hash] $locations = [],
) {
$locations.each |$location| {
nginx::resource::location { $location['path']:
server => $nginxproxy::nginx_vhost,
proxy => $location['proxy'],
}
}
}
+18
View File
@@ -0,0 +1,18 @@
# nginxproxy params
class nginxproxy::params (
Stdlib::Fqdn $nginx_vhost = 'localhost',
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'https',
Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
Enum['http','https'] $proxy_scheme = 'http',
Stdlib::Port $proxy_port = 80,
Stdlib::Host $proxy_host = $facts['networking']['ip'],
String $proxy_path = '/',
Boolean $simple_mode = true,
Array[Hash] $locations = [],
Boolean $manage_auth_ldap = false,
Stdlib::Absolutepath $auth_ldap_config = '/etc/nginx/auth-ldap.conf',
Hash $auth_ldap_params = {},
){}
+9
View File
@@ -0,0 +1,9 @@
# manage selinux for nginxproxy
class nginxproxy::selinux {
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
}
}
-6
View File
@@ -1,6 +0,0 @@
class nzbget::config (
$user = $nzbget::params::user,
$group = $nzbget::params::group,
) {
# todo
}
-18
View File
@@ -1,18 +0,0 @@
# manage nzbget
class nzbget (
$packages = $nzbget::params::packages,
$user = $nzbget::params::user,
$group = $nzbget::params::group,
$manage_group = $nzbget::params::manage_group,
$service_enable = $nzbget::params::service_enable,
$service_name = $nzbget::params::service_name,
$bind_address = $sonarr::params::bind_address,
$port = $sonarr::params::port,
) inherits nzbget::params {
include nzbget::install
include nzbget::config
include nzbget::service
Class['nzbget::install'] -> Class['nzbget::config'] -> Class['nzbget::service']
}
-29
View File
@@ -1,29 +0,0 @@
# instsall nzbget
class nzbget::install (
$packages = $nzbget::packages,
$user = $nzbget::user,
$group = $nzbget::group,
$manage_group = $nzbget::manage_group,
) {
$_packages = $packages ? {
Array => true,
default => false,
}
if $_packages {
ensure_packages($packages, {ensure => 'installed'})
}
if $manage_group {
group { $group:
ensure => present,
}
}
user { $user:
ensure => present,
shell => '/sbin/nologin',
groups => $group,
}
}
-13
View File
@@ -1,13 +0,0 @@
# nzbget params
class nzbget::params (
Array[String] $packages = [
'nzbget'
],
String $user = 'nzbget',
String $group = 'nzbget',
Boolean $manage_group = true,
Stdlib::Host $bind_address = '127.0.0.1',
Stdlib::Port $port = 6789,
Boolean $service_enable = true,
String $service_name = 'nzbget',
) { }
-17
View File
@@ -1,17 +0,0 @@
# manage nzbget service
class nzbget::service (
$service_enable = $nzbget::service_enable,
$service_name = $nzbget::service_name,
$user = $nzbget::user,
$group = $nzbget::group,
) {
if $service_enable {
include ::systemd
systemd::unit_file { "${service_name}.service":
content => template('nzbget/nzbget.service.erb'),
enable => true,
active => true,
}
}
}
File diff suppressed because it is too large Load Diff
@@ -1,17 +0,0 @@
[Unit]
Description=<%= @service_name %> Daemon
Documentation=http://nzbget.com/documentation/
After=network.target
[Service]
Type=simple
User=<%= @user %>
Group=<%= @group %>
WorkingDirectory=/var/lib/nzbget
ExecStart=/usr/bin/nzbget -s -c /var/lib/nzbget/nzbget.conf -o OutputMode=log -o WriteLog=none
ExecReload=/usr/bin/nzbget -O -c /var/lib/nzbget/nzbget.conf
ExecStop=/usr/bin/nzbget -Q -c /var/lib/nzbget/nzbget.conf
Restart=on-failure
[Install]
WantedBy=multi-user.target

Some files were not shown because too many files have changed in this diff Show More