Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 1156f3d72a |
+1
-5
@@ -18,7 +18,6 @@ mod 'puppetlabs-xinetd', '3.4.1'
|
||||
mod 'puppetlabs-haproxy', '8.0.0'
|
||||
mod 'puppetlabs-java', '10.1.2'
|
||||
mod 'puppetlabs-reboot', '5.0.0'
|
||||
mod 'puppetlabs-docker', '10.0.1'
|
||||
|
||||
# puppet
|
||||
mod 'puppet-python', '7.0.0'
|
||||
@@ -34,14 +33,12 @@ mod 'puppet-grafana', '13.1.0'
|
||||
mod 'puppet-consul', '8.0.0'
|
||||
mod 'puppet-vault', '4.1.0'
|
||||
mod 'puppet-dhcp', '6.1.0'
|
||||
mod 'puppet-keepalived', '5.1.0'
|
||||
mod 'puppet-keepalived', '3.6.0'
|
||||
mod 'puppet-extlib', '7.0.0'
|
||||
mod 'puppet-network', '2.2.0'
|
||||
mod 'puppet-kmod', '4.0.1'
|
||||
mod 'puppet-filemapper', '4.0.0'
|
||||
mod 'puppet-letsencrypt', '11.0.0'
|
||||
mod 'puppet-rundeck', '9.1.0'
|
||||
mod 'puppet-redis', '11.0.0'
|
||||
|
||||
# other
|
||||
mod 'ghoneycutt-puppet', '3.3.0'
|
||||
@@ -55,7 +52,6 @@ mod 'broadinstitute-certs', '3.0.1'
|
||||
mod 'stm-file_capability', '6.0.0'
|
||||
mod 'h0tw1r3-gitea', '3.2.0'
|
||||
mod 'rehan-mkdir', '2.0.0'
|
||||
mod 'tailoredautomation-patroni', '2.0.0'
|
||||
|
||||
mod 'bind',
|
||||
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||
|
||||
+62
-73
@@ -3,10 +3,16 @@ lookup_options:
|
||||
hiera_classes:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::include:
|
||||
profiles::packages::install:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::exclude:
|
||||
profiles::packages::install_exclude:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::remove:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::remove_exclude:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::pki::vault::alt_names:
|
||||
@@ -129,10 +135,7 @@ lookup_options:
|
||||
certbot::client::domains:
|
||||
merge:
|
||||
strategy: deep
|
||||
keepalived::vrrp_script:
|
||||
merge:
|
||||
strategy: deep
|
||||
keepalived::vrrp_instance:
|
||||
profiles::metrics::exportarr:
|
||||
merge:
|
||||
strategy: deep
|
||||
|
||||
@@ -142,7 +145,6 @@ hiera_include:
|
||||
- timezone
|
||||
- networking
|
||||
- ssh::server
|
||||
- profiles::accounts::rundeck
|
||||
|
||||
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
||||
profiles::ntp::client::use_ntp: 'region'
|
||||
@@ -173,70 +175,59 @@ profiles::consul::client::node_rules:
|
||||
segment: ''
|
||||
disposition: read
|
||||
|
||||
profiles::packages::include:
|
||||
bash-completion: {}
|
||||
bzip2: {}
|
||||
ccze: {}
|
||||
curl: {}
|
||||
dstat: {}
|
||||
expect: {}
|
||||
gzip: {}
|
||||
git: {}
|
||||
htop: {}
|
||||
inotify-tools: {}
|
||||
iotop: {}
|
||||
jq: {}
|
||||
lz4: {}
|
||||
mtr: {}
|
||||
ncdu: {}
|
||||
neovim: {}
|
||||
p7zip: {}
|
||||
pbzip2: {}
|
||||
pigz: {}
|
||||
pv: {}
|
||||
python3.11: {}
|
||||
rsync: {}
|
||||
screen: {}
|
||||
socat: {}
|
||||
strace: {}
|
||||
sysstat: {}
|
||||
tar: {}
|
||||
tmux: {}
|
||||
traceroute: {}
|
||||
unzip: {}
|
||||
vim: {}
|
||||
vnstat: {}
|
||||
wget: {}
|
||||
zsh: {}
|
||||
zstd: {}
|
||||
iwl100-firmware:
|
||||
ensure: absent
|
||||
iwl1000-firmware:
|
||||
ensure: absent
|
||||
iwl105-firmware:
|
||||
ensure: absent
|
||||
iwl135-firmware:
|
||||
ensure: absent
|
||||
iwl2000-firmware:
|
||||
ensure: absent
|
||||
iwl2030-firmware:
|
||||
ensure: absent
|
||||
iwl3160-firmware:
|
||||
ensure: absent
|
||||
iwl5000-firmware:
|
||||
ensure: absent
|
||||
iwl5150-firmware:
|
||||
ensure: absent
|
||||
iwl6000-firmware:
|
||||
ensure: absent
|
||||
iwl6000g2a-firmware:
|
||||
ensure: absent
|
||||
iwl6050-firmware:
|
||||
ensure: absent
|
||||
iwl7260-firmware:
|
||||
ensure: absent
|
||||
puppet7-release:
|
||||
ensure: absent
|
||||
profiles::packages::install:
|
||||
- bash-completion
|
||||
- bzip2
|
||||
- ccze
|
||||
- curl
|
||||
- dstat
|
||||
- expect
|
||||
- gcc
|
||||
- gzip
|
||||
- git
|
||||
- htop
|
||||
- inotify-tools
|
||||
- iotop
|
||||
- jq
|
||||
- lz4
|
||||
- mtr
|
||||
- ncdu
|
||||
- neovim
|
||||
- p7zip
|
||||
- pbzip2
|
||||
- pigz
|
||||
- pv
|
||||
- python3.11
|
||||
- rsync
|
||||
- screen
|
||||
- socat
|
||||
- strace
|
||||
- sysstat
|
||||
- tar
|
||||
- tmux
|
||||
- traceroute
|
||||
- unzip
|
||||
- vim
|
||||
- vnstat
|
||||
- wget
|
||||
- zsh
|
||||
- zstd
|
||||
|
||||
profiles::packages::remove:
|
||||
- iwl100-firmware
|
||||
- iwl1000-firmware
|
||||
- iwl105-firmware
|
||||
- iwl135-firmware
|
||||
- iwl2000-firmware
|
||||
- iwl2030-firmware
|
||||
- iwl3160-firmware
|
||||
- iwl5000-firmware
|
||||
- iwl5150-firmware
|
||||
- iwl6000-firmware
|
||||
- iwl6000g2a-firmware
|
||||
- iwl6050-firmware
|
||||
- iwl7260-firmware
|
||||
- puppet7-release
|
||||
|
||||
profiles::base::scripts::scripts:
|
||||
puppet: puppetwrapper.py
|
||||
@@ -305,8 +296,6 @@ sudo::configs:
|
||||
|
||||
profiles::accounts::sysadmin::sshkeys:
|
||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
|
||||
profiles::accounts::rundeck::sshkeys:
|
||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD4F7VcorbGpyZzBFexz7c/o1JBscrl7hZU0UkWV7fq6YLizW0r6fOzD99hMwu1kdYCjPxbvuUSDEHfyBIp2EgLWU6wFVoufQqlMyOV85+ivQZUc1VNV+X9T+U4v3u/01hkAmlpXtbkwhMSR4Wi+tdABd04+D3CuMDM37mvnFmBBmi41X4Mr1rJhOQumn1XHQ7EYbsdw2mxfEVVeWpZIHz5BjNKSGzEIAYZbFt6s0Y7X3J5RT+Gjqmu043Tc8nNIUFlR9E10qd3Euf9RiBYxBx3z+yfOzJPBzWNBSHv1+PIbO5Mq+z5JaAfoFZO41L7nw+FjV6JJUCVLr6Vq+bCxyA7LW4Oq9ZahSrt/vrT0kTa0tA5U9bqK6e7pB//dm7PzoROtTq0XksV8RseA/fvIje20uaN1z9dynx+UcbszXu9pQ5GIg1o7b5DEi3OZHJwpgdudiCyEeR4+00G0z4PjpEMnTSMHAJ53WxtjzrPAOBnAmPE7hPu4coU+XrCWEXAvRMloJmca68e+zFX7VvFK82KVDuQ99vQ6w4X73IESKoLzyAVxpelwHaDG4fN+zqYfqubVQU1L5cUeYKxqm5r3Us6VvMaYs1ZMUmDGXHOq4FNhGUJYxSjkLvunM6qyAAJQCd6Pw/2TV3UQVerbouGOZaeBLvRguHWSbDrO99Zu+t87w== rundeck_runner
|
||||
|
||||
networking::interface_defaults:
|
||||
ensure: present
|
||||
|
||||
@@ -1,31 +1,4 @@
|
||||
---
|
||||
hiera_include:
|
||||
- keepalived
|
||||
|
||||
# keepalived
|
||||
profiles::haproxy::dns::vrrp_ipaddr: '198.18.13.250'
|
||||
profiles::haproxy::dns::vrrp_cnames:
|
||||
- sonarr.main.unkin.net
|
||||
- radarr.main.unkin.net
|
||||
- lidarr.main.unkin.net
|
||||
- readarr.main.unkin.net
|
||||
- prowlarr.main.unkin.net
|
||||
- nzbget.main.unkin.net
|
||||
|
||||
keepalived::vrrp_script:
|
||||
check_haproxy:
|
||||
script: '/usr/bin/killall -0 haproxy'
|
||||
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
interface: 'eth0'
|
||||
virtual_router_id: 250
|
||||
auth_type: 'PASS'
|
||||
auth_pass: 'quiiK7oo'
|
||||
virtual_ipaddress: '198.18.13.250/32'
|
||||
track_script:
|
||||
- check_haproxy
|
||||
|
||||
# mappings
|
||||
profiles::haproxy::mappings:
|
||||
fe_http:
|
||||
|
||||
@@ -1,3 +1,2 @@
|
||||
---
|
||||
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
|
||||
mysql::db::rundeck::pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcWmZuTro0DNX8X/6DCJdmxm85hawng2cjSm/M26/sAzlr7i3XLIjg5TQc3BpeiKWZvQ2XZWygOEcW7g0bHH7FBS6XTXswDiLCf7ssd0DYL+eQbh4p6VijBKObug33fp4+YJaqGV7YRUNqBjXQv/SSmxFqbNaRahUqwbMidJCyjGNmfCfbSd9WxI4/8j0L38rjXR3/i+/xzgVIhgz/qymmw0rky6jN14YrwRIkdW6loMFzVd12tqdX9kh7UBdE7j58ntQgJSilQn2pLmQs6dgcXSOeIi8Sln4R0MfAtOQ1c6LoKMUdb7k8xEszpGbhX7sw51kpwvnL1LS6PQ+T8T9wDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDm1sAUc6LFtslrIuwk1JlJgDAngDM/0g4dpgyNOZDsvAU8OualEL6HZ2RFGfibteUc11wZzHkdFZlvHz2JZdO7Huo=]
|
||||
|
||||
@@ -13,12 +13,3 @@ mysql::db:
|
||||
- INSERT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
rundeck:
|
||||
name: rundeck
|
||||
user: rundeck
|
||||
password: "%{alias('mysql::db::rundeck::pass')}"
|
||||
grant:
|
||||
- SELECT
|
||||
- INSERT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
|
||||
@@ -5,9 +5,3 @@ networking::interfaces:
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
|
||||
profiles::haproxy::dns::vrrp_master: true
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
state: 'MASTER'
|
||||
priority: 101
|
||||
|
||||
@@ -5,8 +5,3 @@ networking::interfaces:
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
state: 'BACKUP'
|
||||
priority: 100
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.59
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.60
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.61
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.62
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.63
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.64
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.65
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.66
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.67
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.68
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.69
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -8,12 +8,12 @@ profiles::puppet::agent::puppet_version: '7.26.0'
|
||||
hiera_include:
|
||||
- profiles::almalinux::base
|
||||
|
||||
profiles::packages::include:
|
||||
lzo: {}
|
||||
network-scripts: {}
|
||||
policycoreutils: {}
|
||||
unar: {}
|
||||
xz: {}
|
||||
profiles::packages::install:
|
||||
- lzo
|
||||
- network-scripts
|
||||
- policycoreutils
|
||||
- unar
|
||||
- xz
|
||||
|
||||
lm-sensors::package: lm_sensors
|
||||
|
||||
|
||||
@@ -1,15 +1,15 @@
|
||||
# hieradata/os/debian/all_releases.yaml
|
||||
---
|
||||
profiles::apt::base::mirrorurl: http://edgecache.query.consul/debian/
|
||||
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
|
||||
profiles::apt::base::secureurl: http://security.debian.org/debian-security
|
||||
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
|
||||
profiles::apt::puppet7::repo: puppet7
|
||||
profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
|
||||
|
||||
profiles::packages::include:
|
||||
lzop: {}
|
||||
python3.11-venv: {}
|
||||
xz-utils: {}
|
||||
profiles::packages::install:
|
||||
- lzop
|
||||
- python3.11-venv
|
||||
- xz-utils
|
||||
|
||||
lm-sensors::package: lm-sensors
|
||||
networking::nwmgr_dns_none: false
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
hiera_include:
|
||||
- lidarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::metrics::exportarr
|
||||
|
||||
# manage lidarr
|
||||
lidarr::params::user: lidarr
|
||||
@@ -54,3 +55,11 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: lidarr
|
||||
disposition: write
|
||||
|
||||
profiles::metrics::exportarr:
|
||||
app: 'lidarr'
|
||||
config_path: '/opt/lidarr/config.xml'
|
||||
api_key: "%{hiera('lidarr::api_key')}"
|
||||
version: '2.0.1'
|
||||
app_port: "%hiera('lidarr::params::port')"
|
||||
enable_additional_metrics: true
|
||||
|
||||
@@ -59,19 +59,3 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: nzbget
|
||||
disposition: write
|
||||
|
||||
profiles::yum::global::repos:
|
||||
rpmfusion-free:
|
||||
name: rpmfusion-free
|
||||
descr: rpmfusion-free repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
rpmfusion-nonfree:
|
||||
name: rpmfusion-nonfree
|
||||
descr: rpmfusion-nonfree repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
hiera_include:
|
||||
- prowlarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::metrics::exportarr
|
||||
|
||||
# manage prowlarr
|
||||
prowlarr::params::user: prowlarr
|
||||
@@ -55,11 +56,10 @@ profiles::consul::client::node_rules:
|
||||
segment: prowlarr
|
||||
disposition: write
|
||||
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
arrstack_web_external:
|
||||
location_satisfy: any
|
||||
location_allow:
|
||||
- 198.18.13.47
|
||||
- 198.18.13.50
|
||||
- 198.18.13.51
|
||||
- 198.18.13.52
|
||||
profiles::metrics::exportarr:
|
||||
app: 'prowlarr'
|
||||
config_path: '/opt/prowlarr/config.xml'
|
||||
api_key: "%{hiera('prowlarr::api_key')}"
|
||||
version: '2.0.1'
|
||||
app_port: "%hiera('prowlarr::params::port')"
|
||||
enable_additional_metrics: true
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
hiera_include:
|
||||
- radarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::metrics::exportarr
|
||||
|
||||
# manage radarr
|
||||
radarr::params::user: radarr
|
||||
@@ -55,3 +56,11 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: radarr
|
||||
disposition: write
|
||||
|
||||
profiles::metrics::exportarr:
|
||||
app: 'radarr'
|
||||
config_path: '/opt/radarr/config.xml'
|
||||
api_key: "%{hiera('radarr::api_key')}"
|
||||
version: '2.0.1'
|
||||
app_port: "%hiera('radarr::params::port')"
|
||||
enable_additional_metrics: true
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
hiera_include:
|
||||
- readarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::metrics::exportarr
|
||||
|
||||
# manage readarr
|
||||
readarr::params::user: readarr
|
||||
@@ -54,3 +55,11 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: readarr
|
||||
disposition: write
|
||||
|
||||
profiles::metrics::exportarr:
|
||||
app: 'readarr'
|
||||
config_path: '/opt/readarr/config.xml'
|
||||
api_key: "%{hiera('readarr::api_key')}"
|
||||
version: '2.0.1'
|
||||
app_port: "%hiera('readarr::params::port')"
|
||||
enable_additional_metrics: true
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
hiera_include:
|
||||
- sonarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::metrics::exportarr
|
||||
|
||||
# manage sonarr
|
||||
sonarr::params::user: sonarr
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
policycoreutils: {}
|
||||
profiles::packages::install:
|
||||
- policycoreutils
|
||||
|
||||
puppetdb::master::config::create_puppet_service_resource: false
|
||||
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
|
||||
|
||||
@@ -52,10 +52,13 @@ glauth::users:
|
||||
uidnumber: 20000
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20025 # media_admin
|
||||
- 20017 # rundeck_access
|
||||
- 20018 # rundeck_globaladmin
|
||||
- 20023 # vault_access
|
||||
- 20010
|
||||
- 20011
|
||||
- 20012
|
||||
- 20013
|
||||
- 20014
|
||||
- 20015
|
||||
- 20016
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/benvin'
|
||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
||||
@@ -69,58 +72,16 @@ glauth::users:
|
||||
uidnumber: 20001
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20025 # media_admin
|
||||
- 20010
|
||||
- 20011
|
||||
- 20012
|
||||
- 20013
|
||||
- 20014
|
||||
- 20015
|
||||
- 20016
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/matsol'
|
||||
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
|
||||
seablo:
|
||||
user_name: 'seablo'
|
||||
givenname: 'Sean'
|
||||
sn: 'Bloomfield'
|
||||
mail: 'seablo@users.main.unkin.net'
|
||||
uidnumber: 20002
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/seablo'
|
||||
passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
|
||||
marbal:
|
||||
user_name: 'marbal'
|
||||
givenname: 'Mark'
|
||||
sn: 'Balch'
|
||||
mail: 'marbal@users.main.unkin.net'
|
||||
uidnumber: 20003
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/marbal'
|
||||
passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
|
||||
kelren:
|
||||
user_name: 'kelren'
|
||||
givenname: 'Kelly'
|
||||
sn: 'Rennie'
|
||||
mail: 'kelren@users.main.unkin.net'
|
||||
uidnumber: 20004
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/kelren'
|
||||
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
|
||||
ryadun:
|
||||
user_name: 'ryadun'
|
||||
givenname: 'Dunbar'
|
||||
sn: 'Ryan'
|
||||
mail: 'ryadun@users.main.unkin.net'
|
||||
uidnumber: 20005
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/ryadun'
|
||||
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
|
||||
|
||||
glauth::services:
|
||||
svc_jellyfin:
|
||||
@@ -165,32 +126,6 @@ glauth::services:
|
||||
uidnumber: 30006
|
||||
primarygroup: 20001
|
||||
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
|
||||
svc_nzbsubmit:
|
||||
service_name: 'svc_nzbsubmit'
|
||||
mail: 'nzbsubmit@service.main.unkin.net'
|
||||
uidnumber: 30007
|
||||
primarygroup: 20001
|
||||
othergroups:
|
||||
- 20016
|
||||
passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2'
|
||||
svc_rundeck:
|
||||
service_name: 'svc_rundeck'
|
||||
mail: 'rundeck@service.main.unkin.net'
|
||||
uidnumber: 30007
|
||||
primarygroup: 20001
|
||||
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
|
||||
svc_terraform:
|
||||
service_name: 'svc_terraform'
|
||||
mail: 'terraform@service.main.unkin.net'
|
||||
uidnumber: 30008
|
||||
primarygroup: 20001
|
||||
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
|
||||
svc_vault:
|
||||
service_name: 'svc_vault'
|
||||
mail: 'vault@service.main.unkin.net'
|
||||
uidnumber: 30009
|
||||
primarygroup: 20001
|
||||
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
|
||||
|
||||
glauth::groups:
|
||||
users:
|
||||
@@ -220,32 +155,3 @@ glauth::groups:
|
||||
nzbget_access:
|
||||
group_name: 'nzbget_access'
|
||||
gidnumber: 20016
|
||||
rundeck_access:
|
||||
group_name: 'rundeck_access'
|
||||
gidnumber: 20017
|
||||
rundeck_globaladmin:
|
||||
group_name: 'rundeck_globaladmin'
|
||||
gidnumber: 20018
|
||||
rundeck_selfservice_admin:
|
||||
group_name: 'rundeck_selfservice_admin'
|
||||
gidnumber: 20019
|
||||
rundeck_selfservice_user:
|
||||
group_name: 'rundeck_selfservice_user'
|
||||
gidnumber: 20020
|
||||
rundeck_infrastructure_admin:
|
||||
group_name: 'rundeck_infrastructure_admin'
|
||||
gidnumber: 20021
|
||||
rundeck_infrastructure_user:
|
||||
group_name: 'rundeck_infrastructure_user'
|
||||
gidnumber: 20022
|
||||
vault_access:
|
||||
group_name: 'vault_access'
|
||||
gidnumber: 20023
|
||||
media_access:
|
||||
group_name: 'media_access'
|
||||
gidnumber: 20024
|
||||
includegroups: [20010, 20011, 20012, 20013, 20014, 20016]
|
||||
media_admin:
|
||||
group_name: 'media_admin'
|
||||
gidnumber: 20025
|
||||
includegroups: [20024, 20015]
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -1,205 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::rundeck::server
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
hiera_exclude:
|
||||
- profiles::accounts::rundeck
|
||||
|
||||
profiles::packages::exclude:
|
||||
- jq
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::nginx::simpleproxy::proxy_port: 4440
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 20M
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
rundeck:
|
||||
service_name: 'rundeck'
|
||||
tags:
|
||||
- 'automation'
|
||||
- 'rundeck'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'glauth_http_check'
|
||||
name: 'glauth HTTP Check'
|
||||
http: "http://%{facts.networking.fqdn}:4440"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: rundeck
|
||||
disposition: write
|
||||
|
||||
profiles::rundeck::server::mysql_backend: true
|
||||
profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
|
||||
profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
|
||||
profiles::rundeck::server::auth_config:
|
||||
file:
|
||||
auth_flag: 'sufficient'
|
||||
jaas_config:
|
||||
file: '/etc/rundeck/realm.properties'
|
||||
realm_config:
|
||||
admin_user: 'admin'
|
||||
admin_password: "%{hiera('rundeck_admin_pass')}"
|
||||
ldap:
|
||||
jaas_config:
|
||||
debug: 'true'
|
||||
providerUrl: 'ldap://ldap.service.consul:389'
|
||||
bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
bindPassword: "%{hiera('ldap_bindpass')}"
|
||||
authenticationMethod: 'simple'
|
||||
forceBindingLogin: 'true'
|
||||
userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
|
||||
userRdnAttribute: 'uid'
|
||||
userIdAttribute: 'uid'
|
||||
userPasswordAttribute: 'userPassword'
|
||||
userObjectClass: 'posixAccount'
|
||||
roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
|
||||
roleNameAttribute: 'uid'
|
||||
roleMemberAttribute: 'uniqueMember'
|
||||
roleObjectClass: 'groupOfUniqueNames'
|
||||
nestedGroups: 'true'
|
||||
|
||||
profiles::rundeck::server::key_storage_config:
|
||||
- type: 'db'
|
||||
path: 'keys'
|
||||
- type: 'vault-storage'
|
||||
path: 'vault'
|
||||
config:
|
||||
prefix: 'rundeck'
|
||||
address: https://vault.query.consul:8200
|
||||
storageBehaviour: 'vault'
|
||||
secretBackend: rundeck
|
||||
engineVersion: '2'
|
||||
authBackend: approle
|
||||
approleAuthMount: approle
|
||||
approleId: "%{hiera('vault::roleid')}"
|
||||
|
||||
profiles::rundeck::server::cli_projects:
|
||||
Self-Service:
|
||||
update_method: 'set'
|
||||
config:
|
||||
project.description: 'self-service tasks'
|
||||
project.disable.executions: 'false'
|
||||
Infrastructure:
|
||||
config:
|
||||
project.description: 'infrastructure management'
|
||||
project.disable.schedule: 'false'
|
||||
|
||||
profiles::rundeck::server::acl_policies:
|
||||
global_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Global Admin, all access'
|
||||
context:
|
||||
application: "rundeck"
|
||||
for:
|
||||
project:
|
||||
- allow: '*'
|
||||
resource:
|
||||
- allow: '*'
|
||||
storage:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_globaladmin']
|
||||
- description: 'Global Admin, all access'
|
||||
context:
|
||||
project: '.*'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_globaladmin']
|
||||
selfservice_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Admin, all access for Self-Service project'
|
||||
context:
|
||||
project: 'Self-Service'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_selfserice_admin']
|
||||
selfservice_user_policy:
|
||||
acl_policies:
|
||||
- description: 'Users can execute tasks but not edit for Self-Service project'
|
||||
context:
|
||||
project: 'Self-Service'
|
||||
for:
|
||||
resource:
|
||||
- allow: ['read']
|
||||
adhoc:
|
||||
- allow: ['run']
|
||||
job:
|
||||
- allow: ['read', 'run']
|
||||
node:
|
||||
- allow: ['read', 'run']
|
||||
by:
|
||||
- group: ['rundeck_selfserice_user']
|
||||
infrastructure_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Admin, all access for Infrastructure project'
|
||||
context:
|
||||
project: 'Infrastructure'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_infrastructure_admin']
|
||||
infrastructure_user_policy:
|
||||
acl_policies:
|
||||
- description: 'Users can execute tasks but not edit for Infrastructure project'
|
||||
context:
|
||||
project: 'Infrastructure'
|
||||
for:
|
||||
resource:
|
||||
- allow: ['read']
|
||||
adhoc:
|
||||
- allow: ['run']
|
||||
job:
|
||||
- allow: ['read', 'run']
|
||||
node:
|
||||
- allow: ['read', 'run']
|
||||
by:
|
||||
- group: ['rundeck_infrastructure_user']
|
||||
@@ -1,15 +1,15 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
cobbler: {}
|
||||
cobbler3.2-web: {}
|
||||
httpd: {}
|
||||
syslinux: {}
|
||||
dnf-plugins-core: {}
|
||||
debmirror: {}
|
||||
pykickstart: {}
|
||||
fence-agents: {}
|
||||
selinux-policy-devel: {}
|
||||
ipxe-bootimgs: {}
|
||||
profiles::packages::install:
|
||||
- cobbler
|
||||
- cobbler3.2-web
|
||||
- httpd
|
||||
- syslinux
|
||||
- dnf-plugins-core
|
||||
- debmirror
|
||||
- pykickstart
|
||||
- fence-agents
|
||||
- selinux-policy-devel
|
||||
- ipxe-bootimgs
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- cobbler.main.unkin.net
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
---
|
||||
redisha::masterauth: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAV8znsSGAbPpPUhAcyOIWFltVyAcx3yVcIvC+JFndkkuVBT1813GSURrXIreXSilvJEHlwRC03A9NhjWJSsHBIS12uUb+7ap95oh2JJ7OHmeWSVD1GDDRpTQAgDEOikAnioRNJfQ83jUa11nJrsavt46hSq8vDq+rZ2P8ugiNk59mNX5vgYthCPXcEJd7UmpLZhgxZ8+42l4TKo7QpqKRcIMteJXk1NvyYfYGnGTZhknuyHM3xPGauGjKzamMlTzD9dGnn2K0/Q7I4PUyT24ZEG3kNVyDlVHTYcKnIT5q8qvmJdDQfZwOETF3SrzcqhQ2nqFvmI19sCTsQVmveb/2ITBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9KML3vzwF4vGZdtiu++jmgDAWPZspCckgoXPkgNRMePov3pXSlKUAGxwmdsuIM75rJMxlSTiil2lzMMBWXmUofys=]
|
||||
@@ -1,67 +0,0 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- redis.main.unkin.net
|
||||
- redis.service.consul
|
||||
- redis.query.consul
|
||||
- "redis.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- redis.main.unkin.net
|
||||
- redis.service.consul
|
||||
- redis.query.consul
|
||||
|
||||
|
||||
hiera_include:
|
||||
- redisha
|
||||
|
||||
redisha::manage_repo: false
|
||||
redisha::redisha_members_lookup: true
|
||||
redisha::redisha_members_role: roles::infra::db::redis
|
||||
#redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
#redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
|
||||
redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
|
||||
redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
|
||||
redisha::tools::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
|
||||
sudo::configs:
|
||||
consul:
|
||||
priority: 20
|
||||
content: |
|
||||
consul ALL=(ALL) NOPASSWD: /usr/local/sbin/sentineladm info
|
||||
consul::services:
|
||||
redis-replica:
|
||||
service_name: "redis-replica-%{facts.environment}"
|
||||
tags:
|
||||
- 'redis'
|
||||
- 'redis-replica'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 6379
|
||||
checks:
|
||||
- id: 'redis-replica_tcp_check'
|
||||
name: 'Redis Replica TCP Check'
|
||||
tcp: "%{facts.networking.ip}:6379"
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
redis-master:
|
||||
service_name: "redis-master-%{facts.environment}"
|
||||
tags:
|
||||
- 'redis'
|
||||
- 'redis-master'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 6379
|
||||
checks:
|
||||
- id: 'redis-master_tcp_check'
|
||||
name: "Redis Master Check"
|
||||
args:
|
||||
- '/usr/local/bin/check_redis_master'
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: "redis-replica-%{facts.environment}"
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: "redis-master-%{facts.environment}"
|
||||
disposition: write
|
||||
@@ -33,6 +33,13 @@ profiles::dns::resolver::zones:
|
||||
- 10.10.16.32
|
||||
- 10.10.16.33
|
||||
forward: 'only'
|
||||
unkin.net-forward:
|
||||
domain: 'unkin.net'
|
||||
zone_type: 'forward'
|
||||
forwarders:
|
||||
- 10.10.16.32
|
||||
- 10.10.16.33
|
||||
forward: 'only'
|
||||
dmz.unkin.net-forward:
|
||||
domain: 'dmz.unkin.net'
|
||||
zone_type: 'forward'
|
||||
@@ -60,6 +67,7 @@ profiles::dns::resolver::views:
|
||||
recursion: true
|
||||
zones:
|
||||
- main.unkin.net-forward
|
||||
- unkin.net-forward
|
||||
- dmz.unkin.net-forward
|
||||
- network.unkin.net-forward
|
||||
- prod.unkin.net-forward
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
---
|
||||
droneci_server::rpc_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF8cEANj72ACYYdilP52Oz4EXVt+stx838tFVV4SFukoCTmN+kJ3GUUEM9x+oDvo17CsZhDzx5dX0JGo7N9MCLHsR4XKx3GSoAKvaSiD73TbzbdTNJgTIE1tRP9HNbJKizwWLo4lo+OUNtwnu0Z5dkMLYRHyvZ1hG24qmdXVn9DI06gVGQw9YXGmNy8AvA0BKnaHvUnE5XoLNVKZ4g1yvc/nkYpK6nLB+X4sZ96PRig7khiuFVvAfpg5c2iWnF13ljIajnG9uY12RyGaAGfH4l/d3UEyuHyQL4zzT8N7gGt8fvg7eNFx51TyEpVRFLyQ7dqq/lzn0moXVT35PQr9K3DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCGJ+rkxhqmyUUiIQLG7PnggDBPH9gyYAW5/XjDp5xd6GnuSt/WWOwOGxhg+1BoPzbV5o+Xufg5zyMVdYeI1MWD/u8=]
|
||||
@@ -1,25 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::base::datavol
|
||||
- docker
|
||||
- droneci::runner
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
droneci::runner::ports:
|
||||
- 3000:3000
|
||||
droneci::runner::volumes:
|
||||
- type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock
|
||||
- type=bind,source=/data,target=/data
|
||||
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
|
||||
droneci::runner::env_vars:
|
||||
DRONE_RPC_PROTO: https
|
||||
DRONE_RPC_HOST: droneci.query.consul
|
||||
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
|
||||
DRONE_RUNNER_CAPACITY: 2
|
||||
DRONE_RUNNER_NAME: "%{facts.networking.fqdn}"
|
||||
DRONE_RUNNER_VOLUMES: /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
droneci_server::gitea_client_secret: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJLcMKV4EevB8V/vjex+Srq47pWLvPozjSb+vjS/crFpKq3/dgtkJ8WkqF98fPnXxkMowP/BpNexJBCmPtTR2pPTKHIYkXjxGax0g3P2gcgeT7wsNl24mnUJDWZs1/z8ibwUXv4Zg0nbKi+YdomjsvT3vl2IPI88TKZDkq6HBoturwqx2l/edC5IeAi8vgPRXF8hn2TVuslkmoNXoI28Qp10b2XNOCss6KUJ4rbOwpIgdOVFbXqi7CFjhGz/3uS9xK+2m3iuE/gXi8KSKfiQ+QcGuXL9Zy5PH5rrNg4mbrFiaFfTevsHInl1wwRmULilQ0kEY3NW4b/URXqBBuwcN/TBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDlv7tA+6OQwDuL7z3xGYZjgEBcEAj3TQ9R9TntxTyBa9mKFRXimFTDDxdZ2zD96qFNz+7ZZFGD6pFQNHSMC9AYlAue94UsIHJZaXwgAo5zc98Q]
|
||||
droneci_server::cookie_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKTWrB7Cca8RgFEeP46puzhVWOAiI6nB+m5+/sgz1qNnn6VgNh9Q6D26p9HISrMp4k60KVuGXrIbZYpkvKZmv4zHgK2et+50sr/F1anhDRX4rsmGWVV9n8VhaIJFAyQkW4de9YxV9LAgk0tWs1BgfXv4cV4+sDBv0OSVIFJDst3LUWpBR6lsiV9IifvNNUrdOHkdt5XjuL4JVmc0nkjetAg9HSvJ9VHYLIQagFHnTQp0FWluE1/ibGNc2kz7D4K7cPz2bBxRJWomckSUwgQK0NrGID4D13haZXhKXAO/8QpQOwPra8vD9FYrFenMeFLwdw43NzSr2g/W1ss5PekbWGjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBASshs2UwkGqK4ShFfXni7cgDCDCnEiqcfxIz4X/Bq71IpRKan3uQbHOewFqjNGqoR+1oWupjRxzNL39H9YF1a6i6s=]
|
||||
droneci_server::database_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEASu4C45TYWZKgIoyqC3YdwYYXn+T+ruP6oIvhYFJ5dxeZ+6HtWbRMViErvpPuWYfgs5qt6Zj9eLz2hqimFCvKiAvzANeZ9hkhw/jkpmvG8iXpDFw6x8QKcPJteRo896KSLiGiVlZfRbgQCGAqiEMw6y6M9CvfCLzE/mZ9gOKjSJVKiioAnXU2fyq0Y0M6g0iLRw0VXl2BVc4ORCnVECARQPo48T3U+TT39q0ar4mRO1AFO0VA5iDJ6/EMPBcH3ekKO/1dB1UbV6VkD3s9BAHGyL5a5Wr6ztg/5Yl6VBCXmECZqpCx8jx8KDUoaj1R/+I83YQxbw9ch76j79haIK6+jzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAh6MmfbUELaWbSNZ9/Dev2gDD/E3G/uYJGXNGl1+PIVwGmi0z2BTXNqg7ax/b/uF5Xc9ZtBSPiSxR6BPRXN3GleNo=]
|
||||
droneci_server::postgres_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANpDnrpratpuYheXFrN4nwRTauPm9rZz2ubDyJlcxmah+kOWqsWIeEkv5GuATlymfAx5UuHPOv3dJPCSK+YuyQY+kGW/8uEFM68QrNi38NdRqEpdXuPBe5+AmWxcjYK3mdJ4maEwsbbxtYJmD8TF6kskS2P/KhnIzYR5PPHZTaYbEf/W5Da3l+J5WnFYpStuLq+86yZokBAygFPI+y/Ic+zJIdhpzVdLyGuqxGLXZq7nNMrjuNyFPKkCj1BBpuJTMCS4oPKCUTlm5hIIeeC2pFREI0CMTV5siZB8NphobPNn/ZbJrcs9q75LtIa47pkFYRbmV4WPctCwZXg6jtMleuzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDHJaChyidZq/5FN5n+ASJWgDCqUcR/DG9e8AD7fRmTb5BZM8XQ77a1hUJoaCycnMQ/5UyKmqU/7fLPrsxCf2vZU1M=]
|
||||
droneci_server::redis_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAYMoZlVXHC1qfkDptPy3PyWGrUs5y9M9AOv5Vn1AK6DYViixhjwPZUCfwTONmt7CiBuqmkDOpR5isWFiBo/+TMeMXlM9C/D+Svc9tpeHLpVaXAYeoz5um2InyBFkLWSaUaWSftF9U7O5Nv/OiLIsd7nn4T8Dd21rfUiRfUN/2HPLMCs+mW15Az9XNOcvfm+kPXDAcB+ukHde0vvtYTZEFWjMdwJjjE43DiCmAoLTcpvQxdlclojotBpFeBLZs/F21FDQ4hvBUvPBMuZ1o7ImSP5fuomYSFK8etbD7JO5gg5BN59lGl1ljyR83phv6wmmqlzB8wQl0pjEpni9o7fa9hTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCKJrkPA78qx3wAu1eroIjRgDA72N9U0YZf1MzACcGSOMU5RGO242RwlIKUrnuYcdC0dKkjLXtP+yVpSKkX5WxcsDQ=]
|
||||
@@ -1,79 +0,0 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- droneci.main.unkin.net
|
||||
- droneci.service.consul
|
||||
- droneci.query.consul
|
||||
- "droneci.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- droneci.main.unkin.net
|
||||
- droneci.service.consul
|
||||
- droneci.query.consul
|
||||
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::sql::postgresdb
|
||||
- droneci
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
profiles::sql::postgresdb::dbname: droneci
|
||||
profiles::sql::postgresdb::dbuser: droneci
|
||||
profiles::sql::postgresdb::dbpass: "%{hiera('droneci_server::postgres_password')}"
|
||||
profiles::sql::postgresdb::members_lookup: true
|
||||
profiles::sql::postgresdb::members_role: roles::infra::droneci::server
|
||||
|
||||
droneci::ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
droneci::volumes:
|
||||
- type=bind,source=/var/lib/drone,target=/data
|
||||
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
|
||||
droneci::env_vars:
|
||||
DRONE_GITEA_SERVER: https://git.query.consul
|
||||
DRONE_GITEA_CLIENT_ID: dda67581-86df-4e65-88ae-1e505b849082
|
||||
DRONE_USER_CREATE: username:unkinben,admin:true
|
||||
DRONE_GITEA_CLIENT_SECRET: "%{hiera('droneci_server::gitea_client_secret')}"
|
||||
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
|
||||
DRONE_SERVER_HOST: droneci.query.consul
|
||||
DRONE_SERVER_PROTO: https
|
||||
DRONE_TLS_CERT: /etc/pki/tls/vault/certificate.crt
|
||||
DRONE_TLS_KEY: /etc/pki/tls/vault/private.key
|
||||
DRONE_COOKIE_SECRET: "%{hiera('droneci_server::cookie_secret')}"
|
||||
DRONE_COOKIE_TIMEOUT: 720h
|
||||
DRONE_HTTP_SSL_REDIRECT: true
|
||||
DRONE_HTTP_SSL_TEMPORARY_REDIRECT: true
|
||||
DRONE_HTTP_SSL_HOST: droneci.query.consul
|
||||
DRONE_LOGS_TEXT: true
|
||||
DRONE_LOGS_PRETTY: true
|
||||
DRONE_LOGS_COLOR: true
|
||||
DRONE_DATABASE_SECRET: "%{hiera('droneci_server::database_secret')}"
|
||||
DRONE_DATABASE_DRIVER: postgres
|
||||
DRONE_DATABASE_DATASOURCE: "postgres://droneci:%{hiera('droneci_server::postgres_password')}@master.patroni-prod.service.au-syd1.consul:5432/droneci?sslmode=disable"
|
||||
DRONE_REDIS_CONNECTION: "redis://%{hiera('droneci_server::redis_password')}@redis-master-prod.service.au-syd1.consul:6379/2"
|
||||
|
||||
consul::services:
|
||||
droneci:
|
||||
service_name: 'droneci'
|
||||
tags:
|
||||
- 'drone'
|
||||
- 'droneci'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'droneci_https_check'
|
||||
name: 'droneci HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: droneci
|
||||
disposition: write
|
||||
@@ -41,7 +41,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- "git.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 3000
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 1024M
|
||||
nginx::client_max_body_size: 250M
|
||||
|
||||
profiles::gitea::init::root:
|
||||
APP_NAME: 'Gitea'
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
profiles::gitea::runner::registration_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOL/ug4IPhEW1n+Lq+SsMSEJUYsDDK2s0+oNF3unxcbH3QDqWo7kuYKkDWQ+W3otcxvuRlbC8+0W2fO2udhF7sSGrF93INsTCDqWlLnaaAgxlgNSXthA4OCJlI8DCLeD/Sr0TTCchUdpQrIpDo6Gh0EUjgRv5574q26or7c/vvtQ4nfLVQOqEV9UpsCgEYiQvXVcf55LEpgaDp4mFL0qCnfzDnGNbZ0GUo6552ka19IocqOqILPnZO0qDcEoLbQ90sP197+5Jw611i1Akx1C4lFP81bazFMpbdiEP0V4Ax+33LfZEb0KnXuMbKOF23vIwwwfpFJaSOAjA5YehA3xM2zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDPJHB2uL+VEyntgZocyoMXgDBJ1dnRWiJM77XomzbNdDUO+ktIHLOTL5do0m4CkXZ1s42KtaAwWL+/EGdxg80UMC8=]
|
||||
@@ -1,46 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::gitea::runner
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
profiles::gitea::runner::home: /data/runner
|
||||
profiles::gitea::runner::version: '0.2.10'
|
||||
profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
|
||||
profiles::gitea::runner::config:
|
||||
log:
|
||||
level: info
|
||||
runner:
|
||||
file: "%{hiera('profiles::gitea::runner::home')}/.runner"
|
||||
capacity: 2
|
||||
envs:
|
||||
A_TEST_ENV_NAME_1: a_test_env_value_1
|
||||
A_TEST_ENV_NAME_2: a_test_env_value_2
|
||||
env_file: .env
|
||||
timeout: 3h
|
||||
insecure: false
|
||||
fetch_timeout: 5s
|
||||
fetch_interval: 2s
|
||||
labels:
|
||||
- "almalinux-latest"
|
||||
- "almalinux-8:docker"
|
||||
- "almalinux-8.10:docker"
|
||||
cache:
|
||||
enabled: true
|
||||
dir: "%{hiera('profiles::gitea::runner::home')}/.cache/actcache"
|
||||
host: ""
|
||||
port: 0
|
||||
external_server: ""
|
||||
container:
|
||||
network: ""
|
||||
privileged: false
|
||||
options:
|
||||
workdir_parent: /workspace
|
||||
valid_volumes: []
|
||||
docker_host: ""
|
||||
force_pull: true
|
||||
force_rebuild: false
|
||||
host:
|
||||
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
|
||||
@@ -9,5 +9,4 @@ profiles::metrics::server::scrape_jobs:
|
||||
- puppetdb
|
||||
- systemd
|
||||
- haproxy
|
||||
- postgres
|
||||
profiles::metrics::server::localstorage: /data/prometheus
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
puppetserver: {}
|
||||
profiles::packages::install:
|
||||
- puppetserver
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
createrepo: {}
|
||||
profiles::packages::install:
|
||||
- createrepo
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- repos.main.unkin.net
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
profiles::sql::patroni::superuser_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAImaYEH6ktU6KYDu96OtuJu11FbmE+b9YwrkJiv72QfuVivR7lGfieRKcvkrq3IsNcwhhnl1lzyMZHteib7jLEIiaq59AZFiZyfF2E5bhNYfW4QcDJd4QOheU2awkZkl6oaoMUxgWOnqvihYVLDfoJ0lj6hBTFuqIzO/KU+AJ4NMO3+/+AK9+HB0u/8Iyuev4RQBkvaRAoszCcFCWTAZJTmhOgWe4xJIxfbh0/5k/dmT5WQ1JPEQK7hnVly9iToROZJDjuyndNHbrhCQUg4+DYMPS2fZVWvcESfxN8lJjBFPojj9ZbG5mLlq1e4A4KiZNwHfA1V4D88VWOkRg65XtZDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBzToImdK5/pk3UeZPyavjTgDCcYBzwY/g353Pbh0xr/we8KmvsQEtfxPDuPm4Kv4hsD5X0dHu2nGzBAZq5uWcE3RE=]
|
||||
profiles::sql::patroni::replication_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWyCj+7WfzpTcpBg6uQ5ykGmLZmb/avW3Pc+VWj9bGvxSQCA8LA6HJlEhhL3mrJSTGUyHLgeEebEup9AVHe2k2l/JHIvhyfx7LI+mNDp8u5p40pM6ZxTdIJFOZmOS/nGjAR6mTv6Ennhpw4sWSDYXU0mJPTHGAked2FXV1xsS0zpTY7hccJHuww5ixOw6jP8E1Pu0ex4LmefOXApowf0jZ2pARndlsXwZldahUHIF48XejclpgCK9rTrb4eQsOZr5ozcj0BBpWg/JKNkQt8mQU5l5/z0GDT08Op8g6MVdJuOWr92uPqjc8sydrz0QAx4l8t1KY2fMWK7BPKqSdcOxiDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDEZBNd56BHVGRVfHDPPwZHgDAZKnqicbF/MVKPi1PwwyHrXMW/fWqocgr1zWx6RXWgXICqjJdEFXwFerXXb39RSDg=]
|
||||
profiles::sql::patroni::postgres_exporter_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAL5brQt9CGFU7okDXZWF1jL1j+RbrQZhKfzGWyWl+SqRK6q+xH0LIzYQhOAji7tlDBzvFZpzglmzj0xDrAkQA46jg1DkR5+9Ozru9jL1nhg/6z/F54DlhAG7Ui0hjgSLal79VABLXa/cb9xJThx97b9xoOW+/vpfSKa4izFtkN9fliClFTVafxLlLLD/yABW99aq1OK+9MyCsppvs/rjWbXvjEKL+C0jawh4dBnc+tYJMHC/k5NIK0th4A/zSYVH5q6gFakpxrV2ubETIbVTDncC8zfRLhnrikZYNbCy5PuJb2a4vW1O0AOzUWqvqbRkWpYF7dJB9fzW/Tu8f8d10KTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAJS5PcA9aJvjGIfKSciLLpgDAU7xXGF+Sj+g1ABMvsenEmgXsdSKVU9ZYusIiGnPdFdN4EF9usi7g4SahochlG0NU=]
|
||||
@@ -1,28 +0,0 @@
|
||||
---
|
||||
profiles::yum::global::repos:
|
||||
postgresql-15:
|
||||
name: postgresql-15
|
||||
descr: postgresql-15 repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
postgresql-common:
|
||||
name: postgresql-common
|
||||
descr: postgresql-common repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
|
||||
profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
|
||||
profiles::sql::patroni::postgres_exporter_enabled: true
|
||||
profiles::sql::patroni::postgres_exporter_user: postgres_exporter
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service_prefix
|
||||
segment: "%{hiera('profiles::sql::patroni::cluster_name')}"
|
||||
disposition: write
|
||||
- resource: key_prefix
|
||||
segment: "service/%{hiera('profiles::sql::patroni::cluster_name')}"
|
||||
disposition: write
|
||||
- resource: session_prefix
|
||||
segment: ""
|
||||
disposition: write
|
||||
@@ -89,9 +89,3 @@ profiles::consul::prepared_query::rules:
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
droneci:
|
||||
ensure: 'present'
|
||||
service_name: 'droneci'
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
|
||||
@@ -125,12 +125,12 @@ profiles::edgecache::params::mirrors:
|
||||
ensure: present
|
||||
location: '~* ^/ceph/yum/.*/repodata/'
|
||||
rewrite_rules:
|
||||
- '^/ceph/yum/(.*)$ /rpm-18.2.2/$1 break'
|
||||
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
|
||||
proxy: http://158.69.68.124
|
||||
ceph_yum_data:
|
||||
ensure: present
|
||||
location: /ceph/yum
|
||||
proxy: http://158.69.68.124/rpm-18.2.2
|
||||
proxy: http://158.69.68.124/rpm-reef
|
||||
proxy_cache: cache
|
||||
proxy_cache_valid:
|
||||
- '200 302 1440h'
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
"%{hiera('lm-sensors::package')}": {}
|
||||
profiles::packages::install:
|
||||
- "%{hiera('lm-sensors::package')}"
|
||||
|
||||
@@ -1,24 +0,0 @@
|
||||
class droneci (
|
||||
Hash $env_vars = {},
|
||||
String $docker_image = 'drone/drone:2',
|
||||
Array[String] $ports = [],
|
||||
Array[String] $volumes = [],
|
||||
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci',
|
||||
) {
|
||||
|
||||
# Create the environment file from a template
|
||||
file { $env_file:
|
||||
ensure => file,
|
||||
content => template('droneci/droneci_env.erb'),
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
# Define the systemd service for Drone CI
|
||||
systemd::unit_file { 'droneci.service':
|
||||
ensure => present,
|
||||
content => template('droneci/droneci_service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => File[$env_file],
|
||||
}
|
||||
}
|
||||
@@ -1,24 +0,0 @@
|
||||
class droneci::runner (
|
||||
Hash $env_vars = {},
|
||||
String $docker_image = 'drone/drone-runner-docker:1',
|
||||
Array[String] $ports = [],
|
||||
Array[String] $volumes = [],
|
||||
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci_runner',
|
||||
) {
|
||||
|
||||
# Create the environment file from a template
|
||||
file { $env_file:
|
||||
ensure => file,
|
||||
content => template('droneci/droneci_env.erb'),
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
# Define the systemd service for Drone CI runner
|
||||
systemd::unit_file { 'droneci-runner.service':
|
||||
ensure => present,
|
||||
content => template('droneci/droneci_runner_service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => File[$env_file],
|
||||
}
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
<% @env_vars.each do |key, value| -%>
|
||||
<%= key.upcase %>=<%= value %>
|
||||
<% end -%>
|
||||
@@ -1,20 +0,0 @@
|
||||
[Unit]
|
||||
Description=Drone CI Runner
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/docker run --rm \
|
||||
--name=drone-runner \
|
||||
<% @ports.each do |port| -%>
|
||||
-p <%= port %> \
|
||||
<% end -%>
|
||||
<% @volumes.each do |volume| -%>
|
||||
--mount <%= volume %> \
|
||||
<% end -%>
|
||||
--env-file <%= @env_file %> \
|
||||
<%= @docker_image %>
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -1,20 +0,0 @@
|
||||
[Unit]
|
||||
Description=Drone CI Service
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/docker run --rm \
|
||||
--name=drone \
|
||||
<% @ports.each do |port| -%>
|
||||
-p <%= port %> \
|
||||
<% end -%>
|
||||
<% @volumes.each do |volume| -%>
|
||||
--mount <%= volume %> \
|
||||
<% end -%>
|
||||
--env-file <%= @env_file %> \
|
||||
<%= @docker_image %>
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -6,12 +6,7 @@ define glauth::obj::service (
|
||||
Integer $primarygroup,
|
||||
String $passsha256,
|
||||
Stdlib::Absolutepath $config_path,
|
||||
Optional[Array[Integer]] $othergroups = [],
|
||||
) {
|
||||
$formatted_othergroups = $othergroups.empty ? {
|
||||
true => '[]',
|
||||
false => "[${othergroups.join(', ')}]",
|
||||
}
|
||||
concat::fragment { "glauth_service_${service_name}":
|
||||
target => $config_path,
|
||||
content => epp('glauth/obj/service.epp', {
|
||||
@@ -20,7 +15,6 @@ define glauth::obj::service (
|
||||
'uidnumber' => $uidnumber,
|
||||
'primarygroup' => $primarygroup,
|
||||
'passsha256' => $passsha256,
|
||||
'othergroups' => $formatted_othergroups,
|
||||
}),
|
||||
order => '80',
|
||||
}
|
||||
|
||||
@@ -20,7 +20,20 @@ define glauth::obj::user (
|
||||
}
|
||||
concat::fragment { "glauth_user_${user_name}":
|
||||
target => $config_path,
|
||||
content => template('glauth/obj/user.erb'),
|
||||
content => epp('glauth/obj/user.epp', {
|
||||
'name' => $user_name,
|
||||
'givenname' => $givenname,
|
||||
'sn' => $sn,
|
||||
'mail' => $mail,
|
||||
'uidnumber' => $uidnumber,
|
||||
'primarygroup' => $primarygroup,
|
||||
'loginshell' => $loginshell,
|
||||
'homedir' => $homedir,
|
||||
'passsha256' => $passsha256,
|
||||
'sshkeys' => $sshkeys,
|
||||
'passappsha256' => $passappsha256,
|
||||
'othergroups' => $formatted_othergroups,
|
||||
}),
|
||||
order => '70',
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
[[groups]]
|
||||
name = "<%= $name %>"
|
||||
gidnumber = <%= $gidnumber %>
|
||||
<% if $includegroups.length > 0 { %>includegroups = [<%= $includegroups.join(', ') %>]<% } %>
|
||||
<% if $includegroups.length > 0 { %>includegroups = [<% $includegroups.each |Integer $group| { %><%= $group %>, <% } %>]<% } %>
|
||||
|
||||
|
||||
@@ -4,5 +4,4 @@
|
||||
uidnumber = <%= $uidnumber %>
|
||||
primarygroup = <%= $primarygroup %>
|
||||
passsha256 = "<%= $passsha256 %>"
|
||||
othergroups = <%= $othergroups %>
|
||||
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
[[users]]
|
||||
name = "<%= $name %>"
|
||||
<% if $givenname != '' { %>givenname = "<%= $givenname %>"<% } %>
|
||||
<% if $sn != '' { %>sn = "<%= $sn %>"<% } %>
|
||||
mail = "<%= $mail %>"
|
||||
uidnumber = <%= $uidnumber %>
|
||||
primarygroup = <%= $primarygroup %>
|
||||
<% if $loginshell != '' { %>loginShell = "<%= $loginshell %>"<% } %>
|
||||
<% if $homedir != '' { %>homeDir = "<%= $homedir %>"<% } %>
|
||||
passsha256 = "<%= $passsha256 %>"
|
||||
<% if $sshkeys.length > 0 { %>sshkeys = [<% $sshkeys.each |String $key| { %>"<%= $key %>", <% } %>]<% } %>
|
||||
<% if $passappsha256.length > 0 { %>passappsha256 = [<% $passappsha256.each |String $pass| { %>"<%= $pass %>", <% } %>]<% } %>
|
||||
othergroups = <%= $othergroups %>
|
||||
|
||||
@@ -1,26 +0,0 @@
|
||||
[[users]]
|
||||
name = "<%= @user_name %>"
|
||||
<% if @givenname != '' -%>
|
||||
givenname = "<%= @givenname %>"
|
||||
<% end -%>
|
||||
<% if @sn != '' -%>
|
||||
sn = "<%= @sn %>"
|
||||
<% end -%>
|
||||
mail = "<%= @mail %>"
|
||||
uidnumber = <%= @uidnumber %>
|
||||
primarygroup = <%= @primarygroup %>
|
||||
<% if @loginshell != '' -%>
|
||||
loginShell = "<%= @loginshell %>"
|
||||
<% end -%>
|
||||
<% if @homedir != '' -%>
|
||||
homeDir = "<%= @homedir %>"
|
||||
<% end -%>
|
||||
passsha256 = "<%= @passsha256 %>"
|
||||
<% if @sshkeys.length > 0 -%>
|
||||
sshkeys = [<%= @sshkeys.map { |key| "\"#{key}\"" }.join(', ') %>]
|
||||
<% end -%>
|
||||
<% if @passappsha256.length > 0 -%>
|
||||
passappsha256 = [<%= @passappsha256.map { |pass| "\"#{pass}\"" }.join(', ') %>]
|
||||
<% end -%>
|
||||
othergroups = <%= @formatted_othergroups %>
|
||||
|
||||
@@ -1,12 +0,0 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add(:psql_is_slave) do
|
||||
confine enc_role: 'roles::infra::sql::patroni'
|
||||
setcode do
|
||||
# Command to check if PostgreSQL is in recovery mode
|
||||
command = 'sudo -iu postgres psql -tAc "select pg_is_in_recovery()"'
|
||||
|
||||
# Execute the command and map the output to a boolean value
|
||||
{ 't' => true, 'f' => false }[Facter::Core::Execution.execute(command, on_fail: nil)]
|
||||
end
|
||||
end
|
||||
@@ -8,6 +8,4 @@ class nzbget::params (
|
||||
Boolean $manage_group = true,
|
||||
Stdlib::Host $bind_address = '127.0.0.1',
|
||||
Stdlib::Port $port = 6789,
|
||||
Boolean $service_enable = true,
|
||||
String $service_name = 'nzbget',
|
||||
) { }
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
# manage RedisHA
|
||||
class redisha (
|
||||
Boolean $manage_repo = $redisha::params::manage_repo,
|
||||
Boolean $redisha_members_lookup = $redisha::params::redisha_members_lookup,
|
||||
Optional[String] $redisha_members_role = $redisha::params::redisha_members_role,
|
||||
Array $redisha_servers = $redisha::params::redisha_servers,
|
||||
) inherits redisha::params {
|
||||
|
||||
include redisha::redis
|
||||
include redisha::sentinel
|
||||
include redisha::tools
|
||||
|
||||
Class['redisha::redis'] -> Class['redisha::sentinel'] -> Class['redisha::tools']
|
||||
}
|
||||
@@ -1,25 +0,0 @@
|
||||
class redisha::params (
|
||||
Boolean $redisha_members_lookup = false,
|
||||
Optional[String] $redisha_members_role = undef,
|
||||
Array $redisha_servers = [],
|
||||
|
||||
# both
|
||||
Stdlib::Host $redis_host = $facts['networking']['ip'],
|
||||
Stdlib::Port $redis_port = 6379,
|
||||
Optional[String] $requirepass = undef,
|
||||
|
||||
# redis
|
||||
Optional[String] $dnf_module_stream = '6',
|
||||
Integer[1] $databases = 16,
|
||||
Optional[Variant[String, Sensitive[String], Deferred]] $masterauth = $redisha::params::requirepass,
|
||||
|
||||
# sentinel
|
||||
String[1] $master_name = 'mymaster',
|
||||
Optional[Variant[String, Sensitive[String]]] $auth_pass = $redisha::params::requirepass,
|
||||
Integer[1] $quorum = 2,
|
||||
Enum['yes', 'no'] $sentinel_resolve_hostnames = 'yes',
|
||||
Enum['yes', 'no'] $sentinel_announce_hostnames = 'yes',
|
||||
Stdlib::Host $sentinel_announce_ip = $facts['networking']['ip'],
|
||||
Array[Stdlib::IP::Address] $sentinel_bind = [$facts['networking']['ip']],
|
||||
Stdlib::Port $sentinel_port = 26379,
|
||||
){}
|
||||
@@ -1,59 +0,0 @@
|
||||
class redisha::redis (
|
||||
Boolean $manage_repo = $redisha::manage_repo,
|
||||
Boolean $redisha_members_lookup = $redisha::redisha_members_lookup,
|
||||
Optional[String] $redisha_members_role = $redisha::redisha_members_role,
|
||||
Array $redisha_servers = $redisha::redisha_servers,
|
||||
Stdlib::Host $redis_host = $redisha::params::redis_host,
|
||||
Stdlib::Port $redis_port = $redisha::params::redis_port,
|
||||
Optional[String] $requirepass = $redisha::params::requirepass,
|
||||
Optional[String] $dnf_module_stream = $redisha::params::dnf_module_stream,
|
||||
Integer[1] $databases = $redisha::params::databases,
|
||||
Optional[Variant[String, Sensitive[String], Deferred]] $masterauth = $redisha::params::masterauth,
|
||||
) inherits redisha::params {
|
||||
|
||||
# if lookup is enabled
|
||||
if $redisha_members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($redisha_members_role == undef) {
|
||||
fail("redisha_members_role must be provided for ${title} when redisha_members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $redisha_servers
|
||||
}
|
||||
|
||||
|
||||
if length($servers_array) >= 3 {
|
||||
|
||||
# check if this is the master_node
|
||||
if $servers_array[0] == $::facts['networking']['fqdn'] {
|
||||
class { 'redis':
|
||||
bind => $redis_host,
|
||||
port => $redis_port,
|
||||
databases => $databases,
|
||||
requirepass => $requirepass,
|
||||
masterauth => $masterauth,
|
||||
dnf_module_stream => $dnf_module_stream,
|
||||
ulimit_managed => false,
|
||||
}
|
||||
}else{
|
||||
class { 'redis':
|
||||
bind => $redis_host,
|
||||
port => $redis_port,
|
||||
databases => $databases,
|
||||
requirepass => $requirepass,
|
||||
masterauth => $masterauth,
|
||||
dnf_module_stream => $dnf_module_stream,
|
||||
ulimit_managed => false,
|
||||
replicaof => "${servers_array[0]} ${redis_port}",
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
@@ -1,49 +0,0 @@
|
||||
class redisha::sentinel (
|
||||
Boolean $redisha_members_lookup = $redisha::redisha_members_lookup,
|
||||
Optional[String] $redisha_members_role = $redisha::redisha_members_role,
|
||||
Array $redisha_servers = $redisha::redisha_servers,
|
||||
Stdlib::Port $redis_port = $redisha::params::redis_port,
|
||||
Optional[String] $requirepass = $redisha::params::requirepass,
|
||||
String[1] $master_name = $redisha::params::master_name,
|
||||
Optional[Variant[String, Sensitive[String]]] $auth_pass = $redisha::params::auth_pass,
|
||||
Integer[1] $quorum = $redisha::params::quorum,
|
||||
Enum['yes', 'no'] $sentinel_resolve_hostnames = $redisha::params::sentinel_resolve_hostnames,
|
||||
Enum['yes', 'no'] $sentinel_announce_hostnames = $redisha::params::sentinel_announce_hostnames,
|
||||
Stdlib::Host $sentinel_announce_ip = $redisha::params::sentinel_announce_ip,
|
||||
Array[Stdlib::IP::Address] $sentinel_bind = $redisha::params::sentinel_bind,
|
||||
Stdlib::Port $sentinel_port = $redisha::params::sentinel_port,
|
||||
) inherits redisha::params {
|
||||
|
||||
# if lookup is enabled
|
||||
if $redisha_members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($redisha_members_role == undef) {
|
||||
fail("redisha_members_role must be provided for ${title} when redisha_members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${redisha_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $redisha_servers
|
||||
}
|
||||
|
||||
if length($servers_array) >= 3 {
|
||||
|
||||
class { 'redis::sentinel':
|
||||
master_name => $master_name,
|
||||
redis_host => $servers_array[0],
|
||||
redis_port => $redis_port,
|
||||
requirepass => $requirepass,
|
||||
auth_pass => $auth_pass,
|
||||
quorum => $quorum,
|
||||
sentinel_resolve_hostnames => $sentinel_resolve_hostnames,
|
||||
sentinel_announce_ip => $sentinel_announce_ip,
|
||||
sentinel_announce_hostnames => $sentinel_announce_hostnames,
|
||||
sentinel_port => $sentinel_port,
|
||||
sentinel_bind => $sentinel_bind,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,35 +0,0 @@
|
||||
class redisha::tools (
|
||||
Stdlib::Host $redis_host = $redisha::params::redis_host,
|
||||
Stdlib::Port $redis_port = $redisha::params::redis_port,
|
||||
Stdlib::Port $sentinel_port = $redisha::params::sentinel_port,
|
||||
Optional[String] $requirepass = $redisha::params::requirepass,
|
||||
) inherits redisha::params {
|
||||
|
||||
# add command to automate redis-cli commands against redis
|
||||
file {'/usr/local/sbin/redisadm':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0700',
|
||||
content => template('redisha/redisadm.erb'),
|
||||
}
|
||||
|
||||
# add command to automate redis-cli commands against sentinel
|
||||
file {'/usr/local/sbin/sentineladm':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0700',
|
||||
content => template('redisha/sentineladm.erb'),
|
||||
}
|
||||
|
||||
# add command to check if current host is the redis master
|
||||
file {'/usr/local/bin/check_redis_master':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
content => template('redisha/check_redis_master.erb'),
|
||||
}
|
||||
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
#!/usr/bin/bash
|
||||
sudo /usr/local/sbin/sentineladm info | grep -q <%= @facts['networking']['fqdn'] %>
|
||||
@@ -1,9 +0,0 @@
|
||||
#!/usr/bin/bash
|
||||
REDIS_HOST=<%= @redis_host %>
|
||||
REDIS_PORT=<%= @redis_port %>
|
||||
|
||||
if [ $# -gt 0 ]; then
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" "$@"
|
||||
else
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT"
|
||||
fi
|
||||
@@ -1,9 +0,0 @@
|
||||
#!/usr/bin/bash
|
||||
REDIS_HOST=<%= @redis_host %>
|
||||
SENTINEL_PORT=<%= @sentinel_port %>
|
||||
|
||||
if [ $# -gt 0 ]; then
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$SENTINEL_PORT" "$@"
|
||||
else
|
||||
REDISCLI_AUTH=<%= @requirepass %> redis-cli -h "$REDIS_HOST" -p "$SENTINEL_PORT"
|
||||
fi
|
||||
@@ -1,14 +0,0 @@
|
||||
# create the rundeck user
|
||||
class profiles::accounts::rundeck (
|
||||
Array[String] $sshkeys = [],
|
||||
){
|
||||
profiles::base::account {'rundeck':
|
||||
username => 'rundeck',
|
||||
uid => 1100,
|
||||
gid => 1100,
|
||||
groups => ['adm', 'admins', 'systemd-journal'],
|
||||
sshkeys => $sshkeys,
|
||||
require => Group['admins'],
|
||||
system => true,
|
||||
}
|
||||
}
|
||||
@@ -1,7 +1,5 @@
|
||||
# profiles::firstrun::packages
|
||||
class profiles::firstrun::packages (
|
||||
Hash $manage = lookup('profiles::packages::include'),
|
||||
) {
|
||||
class profiles::firstrun::packages {
|
||||
# include the correct package repositories, define the install_packages exec
|
||||
case $facts['os']['family'] {
|
||||
'RedHat': {
|
||||
@@ -17,13 +15,8 @@ class profiles::firstrun::packages (
|
||||
}
|
||||
}
|
||||
|
||||
# filter out packages with 'ensure' set to 'absent'
|
||||
$packages_to_install = $manage.filter |$package, $options| {
|
||||
!($options['ensure'] and $options['ensure'] == 'absent')
|
||||
}
|
||||
|
||||
# get all the packages to install, and convert into a space separated list
|
||||
$packages = $packages_to_install.keys
|
||||
$packages = hiera_array('profiles::packages::install', [])
|
||||
$package_list = $packages.join(' ')
|
||||
|
||||
# install all the packages
|
||||
|
||||
@@ -1,73 +0,0 @@
|
||||
# profiles::gitea::init
|
||||
class profiles::gitea::runner (
|
||||
String $registration_token,
|
||||
Stdlib::HTTPSUrl $source,
|
||||
String $user = 'runner',
|
||||
String $group = 'runner',
|
||||
Stdlib::Absolutepath $home = '/data/runner',
|
||||
Hash $config = {},
|
||||
Stdlib::HTTPSUrl $instance = 'https://git.query.consul',
|
||||
String $version = '0.2.10',
|
||||
) {
|
||||
|
||||
group { $group:
|
||||
ensure => 'present',
|
||||
}
|
||||
|
||||
user { $user:
|
||||
ensure => 'present',
|
||||
home => $home,
|
||||
managehome => true,
|
||||
forcelocal => true,
|
||||
groups => ['docker'],
|
||||
gid => $group,
|
||||
require => Group[$group],
|
||||
}
|
||||
|
||||
file { "${home}/config.yaml":
|
||||
ensure => file,
|
||||
content => to_yaml($config),
|
||||
owner => $user,
|
||||
group => $group,
|
||||
require => User[$user],
|
||||
}
|
||||
|
||||
archive { '/usr/local/bin/act_runner':
|
||||
ensure => present,
|
||||
extract => false,
|
||||
source => $source,
|
||||
creates => '/usr/local/bin/act_runner',
|
||||
cleanup => true,
|
||||
}
|
||||
|
||||
file { '/usr/local/bin/act_runner':
|
||||
ensure => 'file',
|
||||
mode => '0755',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
require => Archive['/usr/local/bin/act_runner'],
|
||||
}
|
||||
|
||||
exec {'register_act_runner':
|
||||
command => "/usr/local/bin/act_runner register \
|
||||
--no-interactive \
|
||||
--instance ${instance} \
|
||||
--token ${registration_token} \
|
||||
--name ${facts['networking']['hostname']} \
|
||||
--config ${home}/config.yaml",
|
||||
creates => "${home}/.runner",
|
||||
cwd => $home,
|
||||
user => $user,
|
||||
group => $group,
|
||||
require => [
|
||||
File['/usr/local/bin/act_runner'],
|
||||
File["${home}/config.yaml"],
|
||||
],
|
||||
}
|
||||
|
||||
systemd::unit_file {'act_runner.service':
|
||||
enable => true,
|
||||
active => true,
|
||||
content => template('profiles/gitea/act_runner.service.erb'),
|
||||
}
|
||||
}
|
||||
@@ -1,8 +1,5 @@
|
||||
# profiles::haproxy::dns
|
||||
class profiles::haproxy::dns (
|
||||
Stdlib::IP::Address $vrrp_ipaddr,
|
||||
Boolean $vrrp_master = false,
|
||||
Array[Stdlib::Fqdn] $vrrp_cnames = [],
|
||||
Array[Stdlib::Fqdn] $cnames = [],
|
||||
Integer $order = 10,
|
||||
){
|
||||
@@ -27,25 +24,4 @@ class profiles::haproxy::dns (
|
||||
order => $order,
|
||||
}
|
||||
}
|
||||
|
||||
# export a/cnames for haproxy applications
|
||||
if $vrrp_master {
|
||||
profiles::dns::record { "${facts['networking']['fqdn']}_vrrp_${location_environment}-halb-vrrp":
|
||||
value => $vrrp_ipaddr,
|
||||
type => 'A',
|
||||
record => "${location_environment}-halb-vrrp",
|
||||
zone => $::facts['networking']['domain'],
|
||||
order => $order,
|
||||
}
|
||||
|
||||
$vrrp_cnames.each |$cname| {
|
||||
profiles::dns::record { "${::facts['networking']['fqdn']}_${cname}_CNAME":
|
||||
value => "${location_environment}-halb-vrrp",
|
||||
type => 'CNAME',
|
||||
record => "${cname}.",
|
||||
zone => $::facts['networking']['domain'],
|
||||
order => $order,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,7 +6,6 @@ class profiles::media::jellyfin (
|
||||
Stdlib::Absolutepath $cache_dir = '/data/jellyfin/var/cache',
|
||||
Stdlib::Absolutepath $config_dir = '/data/jellyfin/etc',
|
||||
Stdlib::Absolutepath $log_dir = '/data/jellyfin/var/log',
|
||||
Stdlib::Absolutepath $ffmpeg_path = '/usr/local/bin/ffmpeg',
|
||||
Stdlib::Absolutepath $sysconfig_file = '/etc/sysconfig/jellyfin',
|
||||
Stdlib::Absolutepath $migration_flag = '/etc/sysconfig/jellyfin_migration_done',
|
||||
String $service_name = 'jellyfin',
|
||||
|
||||
@@ -0,0 +1,239 @@
|
||||
# Class: profiles::metrics::exportarr
|
||||
#
|
||||
# This module manages exportarr for Prometheus metrics.
|
||||
#
|
||||
# @param arch
|
||||
# Architecture (amd64 or i386)
|
||||
#
|
||||
# @param bin_dir
|
||||
# Directory where binaries are located
|
||||
#
|
||||
# @param config_mode
|
||||
# The permissions of the configuration files
|
||||
#
|
||||
# @param download_extension
|
||||
# Extension for the release binary archive
|
||||
#
|
||||
# @param download_url
|
||||
# Complete URL where the release binary archive can be downloaded
|
||||
#
|
||||
# @param download_url_base
|
||||
# Base URL for the binary archive
|
||||
#
|
||||
# @param extra_groups
|
||||
# Extra groups to add the binary user to
|
||||
#
|
||||
# @param extra_options
|
||||
# Extra options added to the startup command
|
||||
#
|
||||
# @param env_vars
|
||||
# The environment variables to pass to the daemon
|
||||
#
|
||||
# @param group
|
||||
# Group under which the binary is running
|
||||
#
|
||||
# @param init_style
|
||||
# Service startup scripts style (e.g. rc, upstart or systemd)
|
||||
#
|
||||
# @param install_method
|
||||
# Installation method: url or package (only url is supported currently)
|
||||
#
|
||||
# @param manage_group
|
||||
# Whether to create a group or rely on external code for that
|
||||
#
|
||||
# @param manage_service
|
||||
# Should Puppet manage the service? (default true)
|
||||
#
|
||||
# @param manage_user
|
||||
# Whether to create user or rely on external code for that
|
||||
#
|
||||
# @param os
|
||||
# Operating system (linux is the only one supported)
|
||||
#
|
||||
# @param package_ensure
|
||||
# If package, then use this for package ensure (default 'latest')
|
||||
#
|
||||
# @param package_name
|
||||
# The binary package name - not available yet
|
||||
#
|
||||
# @param purge_config_dir
|
||||
# Purge config files no longer generated by Puppet
|
||||
#
|
||||
# @param restart_on_change
|
||||
# Should Puppet restart the service on configuration change? (default true)
|
||||
#
|
||||
# @param service_enable
|
||||
# Whether to enable the service from Puppet (default true)
|
||||
#
|
||||
# @param service_ensure
|
||||
# State ensured for the service (default 'running')
|
||||
#
|
||||
# @param service_name
|
||||
# Name of the exportarr service (default 'exportarr')
|
||||
#
|
||||
# @param user
|
||||
# User which runs the service
|
||||
#
|
||||
# @param version
|
||||
# The binary release version
|
||||
#
|
||||
# @param export_scrape_job
|
||||
# Whether to export a `prometheus::scrape_job` to PuppetDB for
|
||||
# collecting on your Prometheus server.
|
||||
#
|
||||
# @param scrape_job_name
|
||||
# The name of the scrape job. When configuring Prometheus with this
|
||||
# Puppet module, the jobs to be collected are configured with
|
||||
# `prometheus::collect_scrape_jobs`.
|
||||
#
|
||||
# @param scrape_port
|
||||
# The port to use in the scrape job. This won't normally need to be
|
||||
# changed unless you run the exporter with a non-default port by
|
||||
# overriding `extra_options`.
|
||||
#
|
||||
# @param scrape_job_labels
|
||||
# Labels to configure on the scrape job. If not set, the
|
||||
# `prometheus::daemon` default (`{ 'alias' => $scrape_host }`) will
|
||||
# be used.
|
||||
#
|
||||
# @param proxy_server
|
||||
# Optional proxy server, with port number if needed, e.g., https://example.com:8080
|
||||
#
|
||||
# @param proxy_type
|
||||
# Optional proxy server type (none|http|https|ftp)
|
||||
#
|
||||
# @param app
|
||||
# Application name (e.g., sonarr, radarr, or lidarr)
|
||||
#
|
||||
# @param config_path
|
||||
# Path to Sonarr, Radarr, or Lidarr's config.xml (advanced)
|
||||
#
|
||||
# @param api_key
|
||||
# API Key for Sonarr, Radarr, or Lidarr
|
||||
#
|
||||
# @param api_key_file
|
||||
# API Key file location for Sonarr, Radarr, or Lidarr
|
||||
#
|
||||
# @param interface
|
||||
# The interface IP Exportarr will listen on
|
||||
#
|
||||
# @param enable_additional_metrics
|
||||
# Set to true to enable gathering of additional metrics (slow)
|
||||
|
||||
class profiles::metrics::exportarr (
|
||||
Optional[Stdlib::HTTPSUrl] $download_url = undef,
|
||||
Array[String[1]] $extra_groups = [],
|
||||
String[1] $group = 'exportarr',
|
||||
String[1] $package_ensure = 'latest',
|
||||
String[1] $package_name = 'exportarr',
|
||||
String[1] $user = 'exportarr',
|
||||
String[1] $version = '2.0.1',
|
||||
Boolean $purge_config_dir = true,
|
||||
Boolean $restart_on_change = true,
|
||||
Boolean $service_enable = true,
|
||||
String[1] $service_ensure = 'running',
|
||||
String[1] $service_name = 'exportarr',
|
||||
Prometheus::Initstyle $init_style = $facts['service_provider'],
|
||||
Prometheus::Install $install_method = 'url',
|
||||
Boolean $manage_group = true,
|
||||
Boolean $manage_service = true,
|
||||
Boolean $manage_user = true,
|
||||
String[1] $os = downcase($facts['kernel']),
|
||||
Optional[String[1]] $extra_options = undef,
|
||||
Hash[String, Scalar] $env_vars = {},
|
||||
String $download_extension = 'tar.gz',
|
||||
Stdlib::HTTPSUrl $download_url_base = 'https://github.com/onedr0p/exportarr/releases',
|
||||
String[1] $config_mode = '0640',
|
||||
String[1] $arch = $facts['os']['architecture'],
|
||||
Stdlib::Absolutepath $bin_dir = '/usr/local/bin',
|
||||
Boolean $export_scrape_job = false,
|
||||
Stdlib::Port $scrape_port = 9707,
|
||||
Stdlib::Port $app_port = 8000,
|
||||
Stdlib::Host $app_addr = '127.0.0.1',
|
||||
String[1] $scrape_job_name = 'exportarr',
|
||||
Optional[Hash] $scrape_job_labels = undef,
|
||||
Optional[String[1]] $proxy_server = undef,
|
||||
Optional[Enum['none', 'http', 'https', 'ftp']] $proxy_type = undef,
|
||||
String[1] $app = 'sonarr',
|
||||
Optional[Stdlib::Absolutepath] $config_path = undef,
|
||||
String[1] $api_key = '',
|
||||
Optional[Stdlib::Absolutepath] $api_key_file = undef,
|
||||
Optional[Stdlib::IP::Address::V4] $interface = undef,
|
||||
Boolean $enable_additional_metrics = false,
|
||||
) {
|
||||
|
||||
$real_arch = $arch ? {
|
||||
'x86_64' => 'amd64',
|
||||
'i386' => '386',
|
||||
'aarch64' => 'arm64',
|
||||
'armv7l' => 'armv7',
|
||||
'armv6l' => 'armv6',
|
||||
'armv5l' => 'armv5',
|
||||
default => $arch,
|
||||
}
|
||||
# Construct the real download URL if not provided
|
||||
$real_download_url = pick(
|
||||
$download_url,
|
||||
"${download_url_base}/download/v${version}/${package_name}_${version}_${os}_${real_arch}.${download_extension}"
|
||||
)
|
||||
|
||||
# Determine if the service should be notified
|
||||
$notify_service = $restart_on_change ? {
|
||||
true => Service[$service_name],
|
||||
default => undef,
|
||||
}
|
||||
|
||||
# Define the startup options
|
||||
$startup_options = [
|
||||
$app,
|
||||
"--port ${scrape_port}",
|
||||
"--url http://${app_addr}:${app_port}",
|
||||
"--api-key ${api_key}",
|
||||
$extra_options,
|
||||
]
|
||||
|
||||
# Add advanced options if provided
|
||||
unless $config_path == undef {
|
||||
$startup_options = concat($startup_options, ["--config ${config_path}"])
|
||||
}
|
||||
unless $api_key_file == undef {
|
||||
$startup_options = concat($startup_options, ["--api-key-file ${api_key_file}"])
|
||||
}
|
||||
unless $interface == undef {
|
||||
$startup_options = concat($startup_options, ["--interface ${interface}"])
|
||||
}
|
||||
if $enable_additional_metrics {
|
||||
$startup_options = concat($startup_options, ['--enable-additional-metrics'])
|
||||
}
|
||||
|
||||
prometheus::daemon { $service_name:
|
||||
install_method => $install_method,
|
||||
version => $version,
|
||||
download_extension => $download_extension,
|
||||
os => $os,
|
||||
arch => $arch,
|
||||
real_download_url => $real_download_url,
|
||||
bin_dir => $bin_dir,
|
||||
notify_service => $notify_service,
|
||||
package_name => $package_name,
|
||||
package_ensure => $package_ensure,
|
||||
manage_user => $manage_user,
|
||||
user => $user,
|
||||
extra_groups => $extra_groups,
|
||||
group => $group,
|
||||
manage_group => $manage_group,
|
||||
purge => $purge_config_dir,
|
||||
options => join($startup_options, ' '),
|
||||
env_vars => $env_vars,
|
||||
init_style => $init_style,
|
||||
service_ensure => $service_ensure,
|
||||
service_enable => $service_enable,
|
||||
manage_service => $manage_service,
|
||||
export_scrape_job => $export_scrape_job,
|
||||
scrape_port => $scrape_port,
|
||||
scrape_job_name => $scrape_job_name,
|
||||
scrape_job_labels => $scrape_job_labels,
|
||||
proxy_server => $proxy_server,
|
||||
proxy_type => $proxy_type,
|
||||
}
|
||||
}
|
||||
@@ -1,19 +1,23 @@
|
||||
# This class manages the installation of packages for the base profile
|
||||
#
|
||||
# Parameters:
|
||||
# - $include: A hash of package names to be managed
|
||||
# - $exclude: An array of package names to be removed from managed hash
|
||||
# - $install: An array of package names to be installed
|
||||
# - $remove: An array of package names to be removed
|
||||
#
|
||||
class profiles::packages (
|
||||
Hash $include = {},
|
||||
Array[String] $exclude = [],
|
||||
Array $install = [],
|
||||
Array $install_exclude = [],
|
||||
Array $remove = [],
|
||||
Array $remove_exclude = [],
|
||||
) {
|
||||
|
||||
# Filter the include hash to remove the packages listed in exclude
|
||||
$filtered_include = filter($include) |$key, $value| {
|
||||
!($key in $exclude)
|
||||
}
|
||||
# Filter out excluded packages
|
||||
$install_real = $install.filter |$item| { !$install_exclude.any |$exclude_item| { $exclude_item == $item } }
|
||||
$remove_real = $remove.filter |$item| { !$remove_exclude.any |$exclude_item| { $exclude_item == $item } }
|
||||
|
||||
# Manage packages
|
||||
ensure_packages($filtered_include)
|
||||
# Ensure packages to install are installed
|
||||
ensure_packages($install_real, {'ensure' => 'present'})
|
||||
|
||||
# Ensure packages to remove are absent
|
||||
ensure_packages($remove_real, {'ensure' => 'absent'})
|
||||
}
|
||||
|
||||
@@ -24,19 +24,6 @@ class profiles::puppet::puppetdb_api (
|
||||
|
||||
contain ::puppetdb::server
|
||||
|
||||
# generate the minute for the cron job using fqdn_rand
|
||||
$random_minute = fqdn_rand(60)
|
||||
|
||||
# create cron task to restart the puppetdb service daily at 3am
|
||||
cron { 'restart_puppetdb':
|
||||
ensure => 'present',
|
||||
user => 'root',
|
||||
command => '/bin/systemctl restart puppetdb',
|
||||
minute => $random_minute,
|
||||
hour => '3',
|
||||
require => Service['puppetdb'],
|
||||
}
|
||||
|
||||
class { 'prometheus::puppetdb_exporter':
|
||||
puppetdb_url => "http://${listen_address}:8080/pdb/query",
|
||||
export_scrape_job => true,
|
||||
|
||||
@@ -71,55 +71,14 @@ class profiles::puppet::server (
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
}
|
||||
|
||||
# generate puppet types when restarting
|
||||
systemd::manage_dropin { 'generate_types.conf':
|
||||
ensure => absent,
|
||||
unit => 'puppetserver.service',
|
||||
service_entry => {
|
||||
'ExecStartPost' => [
|
||||
"/opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments",
|
||||
],
|
||||
},
|
||||
}
|
||||
|
||||
file { '/usr/local/bin/puppet_generate_types.sh':
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
content => @("EOF")
|
||||
#!/bin/bash
|
||||
sudo -u puppet /opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments
|
||||
exit 0
|
||||
| EOF
|
||||
}
|
||||
|
||||
$_timer = @(EOT)
|
||||
[Unit]
|
||||
Description=puppet-generate-types timer
|
||||
[Timer]
|
||||
OnCalendar=daily
|
||||
Persistent=true
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
EOT
|
||||
|
||||
$_service = @(EOT)
|
||||
[Unit]
|
||||
Description=puppet-generate-types service
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/local/bin/puppet_generate_types.sh
|
||||
User=root
|
||||
Group=root
|
||||
PermissionsStartOnly=false
|
||||
PrivateTmp=no
|
||||
EOT
|
||||
|
||||
systemd::timer { 'puppet-generate-types.timer':
|
||||
timer_content => $_timer,
|
||||
service_content => $_service,
|
||||
active => true,
|
||||
enable => true,
|
||||
require => File['/usr/local/bin/puppet_generate_types.sh'],
|
||||
}
|
||||
# generate puppet types when restarting
|
||||
systemd::manage_dropin { 'generate_types.conf':
|
||||
ensure => present,
|
||||
unit => 'puppetserver.service',
|
||||
service_entry => {
|
||||
'ExecStartPost' => [
|
||||
"/opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments",
|
||||
],
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,105 +0,0 @@
|
||||
# profiles::rundeck::server
|
||||
class profiles::rundeck::server (
|
||||
Struct[{
|
||||
Optional['file'] => Hash[String, Any],
|
||||
Optional['ldap'] => Hash[String, Any],
|
||||
Optional['pam'] => Hash[String, Any]
|
||||
}] $auth_config = {},
|
||||
Array[Hash] $key_storage_config = [],
|
||||
Hash $acl_policies = {},
|
||||
Hash $cli_projects = {},
|
||||
String $cli_user = 'admin',
|
||||
String $cli_password = lookup('rundeck_admin_pass'),
|
||||
Boolean $mysql_backend = true,
|
||||
String $mysql_user = 'rundeck',
|
||||
String $mysql_name = 'rundeck',
|
||||
String $mysql_pass = fqdn_rand_string(16),
|
||||
Stdlib::Host $mysql_host = '127.0.0.1',
|
||||
Stdlib::Port $mysql_port = 3306,
|
||||
Stdlib::Absolutepath $extra_libs_dir = '/var/lib/rundeck/lib',
|
||||
Stdlib::Absolutepath $jdbc_driver_dest = "${extra_libs_dir}/mariadb-java-client-3.4.1.jar",
|
||||
Stdlib::HTTPSUrl $jdbc_driver_url = 'https://dlm.mariadb.com/3852266/Connectors/java/connector-java-3.4.1/mariadb-java-client-3.4.1.jar',
|
||||
Stdlib::HTTPSUrl $grails_server_url = "https://${facts['networking']['fqdn']}:4440",
|
||||
String $jvm_args = '-Xmx1024m -Xms256m -server -Drundeck.jetty.connector.forwarded=true',
|
||||
){
|
||||
|
||||
# when using mysql backend
|
||||
if $mysql_backend {
|
||||
|
||||
# export a mariadb user
|
||||
@@mysql_user { "${mysql_user}@${facts['networking']['fqdn']}":
|
||||
ensure => present,
|
||||
password_hash => mysql::password($mysql_pass),
|
||||
tag => $facts['region'],
|
||||
}
|
||||
|
||||
# export a mariadb permission
|
||||
@@mysql_grant { "${mysql_user}@${facts['networking']['fqdn']}/${mysql_name}.*":
|
||||
ensure => present,
|
||||
table => "${mysql_name}.*",
|
||||
user => "${mysql_user}@${facts['networking']['fqdn']}",
|
||||
privileges => ['ALL'],
|
||||
tag => $facts['region'],
|
||||
}
|
||||
|
||||
# create the missing /var/lib/rundeck/lib directory
|
||||
mkdir::p {$extra_libs_dir:}
|
||||
file {$extra_libs_dir:
|
||||
ensure => directory,
|
||||
owner => 'rundeck',
|
||||
group => 'rundeck',
|
||||
mode => '0755',
|
||||
require => Package['rundeck'],
|
||||
before => Service['rundeckd'],
|
||||
}
|
||||
|
||||
# download the jdbc driver, place in /var/lib/rundeck/lib
|
||||
archive { $jdbc_driver_dest:
|
||||
ensure => present,
|
||||
source => $jdbc_driver_url,
|
||||
extract => false,
|
||||
user => 'rundeck',
|
||||
group => 'rundeck',
|
||||
require => File[$extra_libs_dir],
|
||||
before => Service['rundeckd'],
|
||||
}
|
||||
|
||||
$database_config = {
|
||||
'url' => "jdbc:mysql://${mysql_host}:${mysql_port}/${mysql_name}",
|
||||
'username' => $mysql_user,
|
||||
'password' => $mysql_pass,
|
||||
'driverClassName' => 'org.mariadb.jdbc.Driver',
|
||||
}
|
||||
}else{
|
||||
$database_config = {}
|
||||
}
|
||||
|
||||
class { 'rundeck':
|
||||
grails_server_url => $grails_server_url,
|
||||
auth_config => $auth_config,
|
||||
key_storage_config => $key_storage_config,
|
||||
database_config => $database_config,
|
||||
cli_user => $cli_user,
|
||||
cli_password => $cli_password,
|
||||
jvm_args => $jvm_args,
|
||||
}
|
||||
|
||||
create_resources('rundeck::config::aclpolicyfile', $acl_policies)
|
||||
create_resources('rundeck::config::project', $cli_projects)
|
||||
|
||||
# create rundeck runner ssh key
|
||||
file {'/var/lib/rundeck/.ssh/rundeck_id_rsa':
|
||||
ensure => 'file',
|
||||
owner => 'rundeck',
|
||||
group => 'rundeck',
|
||||
mode => '0600',
|
||||
content => lookup('rundeck::ssh::private_key'),
|
||||
}
|
||||
file {'/var/lib/rundeck/.ssh/rundeck_id_rsa.pub':
|
||||
ensure => 'file',
|
||||
owner => 'rundeck',
|
||||
group => 'rundeck',
|
||||
mode => '0644',
|
||||
content => lookup('profiles::accounts::rundeck::sshkeys'),
|
||||
}
|
||||
}
|
||||
@@ -1,108 +0,0 @@
|
||||
# profiles::sql::patroni
|
||||
class profiles::sql::patroni (
|
||||
String $cluster_name,
|
||||
String $superuser_password,
|
||||
String $replication_password,
|
||||
String $superuser_username = 'postgres',
|
||||
String $replication_username = 'repl',
|
||||
String $pgsql_version = '15',
|
||||
Stdlib::Absolutepath $pgsql_data_base = '/data/pgsql',
|
||||
Stdlib::Absolutepath $pgsql_data_dir = "${pgsql_data_base}/${pgsql_version}/data",
|
||||
Boolean $use_consul = true,
|
||||
String $consul_host = 'localhost',
|
||||
Stdlib::Port $consul_port = 8500,
|
||||
Enum['http','https'] $consul_scheme = 'http',
|
||||
Variant[Undef,String] $consul_token = undef,
|
||||
Boolean $consul_verify = false,
|
||||
Boolean $consul_register_service = true,
|
||||
String $consul_service_check_interval = '5s',
|
||||
String $consul_cacert = '/etc/pki/ca-trust/source/anchors/vaultcaroot.pem',
|
||||
Boolean $postgres_exporter_enabled = false,
|
||||
Optional[String] $postgres_exporter_user = undef,
|
||||
Optional[String] $postgres_exporter_pass = undef,
|
||||
){
|
||||
|
||||
# disable the postgresql dnf module for el8+
|
||||
if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' {
|
||||
# based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp
|
||||
package { 'postgresql dnf module':
|
||||
ensure => 'disabled',
|
||||
name => 'postgresql',
|
||||
provider => 'dnfmodule',
|
||||
before => Class['patroni'],
|
||||
}
|
||||
}
|
||||
|
||||
# prepare data path
|
||||
mkdir::p {$pgsql_data_dir:}
|
||||
file {$pgsql_data_dir:
|
||||
ensure => 'directory',
|
||||
owner => 'postgres',
|
||||
group => 'postgres',
|
||||
mode => '0700',
|
||||
require => Class['patroni'],
|
||||
}
|
||||
|
||||
# manage patroni
|
||||
class { 'patroni':
|
||||
scope => $cluster_name,
|
||||
use_consul => $use_consul,
|
||||
consul_host => $consul_host,
|
||||
consul_port => $consul_port,
|
||||
consul_scheme => $consul_scheme,
|
||||
consul_token => $consul_token,
|
||||
consul_verify => $consul_verify,
|
||||
consul_register_service => $consul_register_service,
|
||||
consul_service_check_interval => $consul_service_check_interval,
|
||||
consul_cacert => $consul_cacert,
|
||||
manage_python => false,
|
||||
pgsql_connect_address => "${facts['networking']['fqdn']}:5432",
|
||||
restapi_connect_address => "${facts['networking']['fqdn']}:8008",
|
||||
postgresql_version => $pgsql_version,
|
||||
pgsql_data_dir => $pgsql_data_dir,
|
||||
pgsql_pgpass_path => '/var/lib/pgsql/pgpass',
|
||||
pgsql_parameters => {
|
||||
'max_connections' => 5000,
|
||||
},
|
||||
bootstrap_pg_hba => [
|
||||
'local all postgres ident',
|
||||
'host all all 0.0.0.0/0 md5',
|
||||
'host replication repl 0.0.0.0/0 md5',
|
||||
],
|
||||
pgsql_pg_hba => [
|
||||
'local all postgres ident',
|
||||
'host all all 0.0.0.0/0 md5',
|
||||
'host replication repl 0.0.0.0/0 md5',
|
||||
],
|
||||
superuser_username => $superuser_username,
|
||||
superuser_password => $superuser_password,
|
||||
replication_username => $replication_username,
|
||||
replication_password => $replication_password,
|
||||
require => [
|
||||
Yumrepo["postgresql-${pgsql_version}"],
|
||||
Yumrepo['postgresql-common']
|
||||
],
|
||||
}
|
||||
|
||||
$connect_settings = {
|
||||
|
||||
}
|
||||
|
||||
# only apply changes to DBs/Users/Grants on master
|
||||
if ! $facts['psql_is_slave'] {
|
||||
# collect exported resources
|
||||
$tag = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
||||
Profiles::Sql::Postgres::Db <<| tag == $tag |>> {}
|
||||
Profiles::Sql::Postgres::User <<| tag == $tag |>> {}
|
||||
Profiles::Sql::Postgres::Grant <<| tag == $tag |>> {}
|
||||
}
|
||||
|
||||
if $postgres_exporter_enabled {
|
||||
class { 'prometheus::postgres_exporter':
|
||||
postgres_user => $postgres_exporter_user,
|
||||
postgres_pass => $postgres_exporter_pass,
|
||||
data_source_uri => "${facts['networking']['ip']}:5432/postgres?sslmode=disable",
|
||||
export_scrape_job => true,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
define profiles::sql::postgres::db (
|
||||
String $dbname,
|
||||
) {
|
||||
postgresql_psql { "create_database_${dbname}":
|
||||
command => "CREATE DATABASE \"${dbname}\"",
|
||||
unless => "SELECT 1 FROM pg_database WHERE datname = '${dbname}'",
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,38 +0,0 @@
|
||||
define profiles::sql::postgres::grant (
|
||||
String $username,
|
||||
Enum['SCHEMA', 'DATABASE'] $type = 'DATABASE',
|
||||
Optional[String] $dbname = undef,
|
||||
Optional[String] $schema = undef,
|
||||
String $privilege = 'ALL PRIVILEGES',
|
||||
) {
|
||||
# Validate parameters based on type
|
||||
if $type == 'DATABASE' and $dbname == undef {
|
||||
fail('The dbname parameter must be provided when type is DATABASE')
|
||||
}
|
||||
|
||||
if $type == 'SCHEMA' and ($dbname == undef or $schema == undef) {
|
||||
fail('Both dbname and schema parameters must be provided when type is SCHEMA')
|
||||
}
|
||||
|
||||
# Determine the appropriate SQL command and unless condition
|
||||
$command = $type ? {
|
||||
'DATABASE' => "GRANT ${privilege} ON DATABASE ${dbname} TO ${username}",
|
||||
'SCHEMA' => "GRANT ${privilege} ON SCHEMA ${schema} TO ${username}",
|
||||
}
|
||||
|
||||
$unless = $type ? {
|
||||
'DATABASE' => "SELECT 1 FROM pg_roles r WHERE r.rolname='${username}' AND has_database_privilege('${username}', '${dbname}', 'CONNECT')", # lint:ignore:140chars
|
||||
'SCHEMA' => "SELECT 1 FROM pg_namespace n JOIN pg_roles r ON r.oid = n.nspowner WHERE nspname = '${schema}' AND r.rolname = '${username}'", # lint:ignore:140chars
|
||||
}
|
||||
# Ensure the db parameter is set correctly when type is SCHEMA
|
||||
$effective_dbname = $type ? {
|
||||
'SCHEMA' => $dbname,
|
||||
'DATABASE' => $dbname,
|
||||
}
|
||||
|
||||
postgresql_psql { "grant_${privilege}_on_${type}_${effective_dbname}_${schema}_to_${username}":
|
||||
command => $command,
|
||||
unless => $unless,
|
||||
db => $effective_dbname,
|
||||
}
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
define profiles::sql::postgres::user (
|
||||
String $username,
|
||||
String $password,
|
||||
) {
|
||||
postgresql_psql { "create_user_${username}":
|
||||
command => "CREATE USER \"${username}\" WITH ENCRYPTED PASSWORD '${password}'",
|
||||
unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
|
||||
}
|
||||
}
|
||||
@@ -1,61 +0,0 @@
|
||||
class profiles::sql::postgresdb (
|
||||
String $dbname,
|
||||
String $dbuser,
|
||||
String $dbpass,
|
||||
Boolean $create_host_users = false,
|
||||
Boolean $members_lookup = false,
|
||||
String $members_role = undef,
|
||||
Array $servers = [],
|
||||
){
|
||||
|
||||
# if lookup is enabled
|
||||
if $members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($members_role == undef) {
|
||||
fail("members_role must be provided for ${title} when members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $servers
|
||||
}
|
||||
|
||||
$tag = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
||||
|
||||
# only export from the first server in a cluster
|
||||
if $servers_array[0] == $facts['networking']['fqdn'] {
|
||||
|
||||
# manage the postgres db
|
||||
@@profiles::sql::postgres::db { "${facts['networking']['fqdn']}_db_${dbname}":
|
||||
dbname => $dbname,
|
||||
tag => $tag,
|
||||
}
|
||||
|
||||
@@profiles::sql::postgres::user { "${facts['networking']['fqdn']}_role_${dbuser}":
|
||||
username => $dbuser,
|
||||
password => $dbpass,
|
||||
tag => $tag,
|
||||
}
|
||||
|
||||
@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_db_${dbuser}_${dbuser}}":
|
||||
dbname => $dbname,
|
||||
username => $dbuser,
|
||||
type => 'DATABASE',
|
||||
privilege => 'ALL PRIVILEGES',
|
||||
tag => $tag,
|
||||
}
|
||||
|
||||
@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_schema_${dbuser}_${dbuser}}":
|
||||
dbname => $dbname,
|
||||
username => $dbuser,
|
||||
type => 'SCHEMA',
|
||||
schema => 'public',
|
||||
privilege => 'ALL PRIVILEGES',
|
||||
tag => $tag,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -34,14 +34,4 @@ class profiles::vault::unseal (
|
||||
require => File['/usr/local/bin/vault-unseal.sh'],
|
||||
subscribe => [Service['vault'],File['/etc/vault/unseal_keys']],
|
||||
}
|
||||
|
||||
# restart the vault-unseal service hourly to ensure vault is unsealled
|
||||
cron { 'restart_vault_unseal':
|
||||
ensure => 'present',
|
||||
user => 'root',
|
||||
command => '/bin/systemctl restart vault-unseal',
|
||||
minute => fqdn_rand(60),
|
||||
hour => '*',
|
||||
require => Service['vault-unseal.service'],
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
[Unit]
|
||||
Description=Gitea Actions runner
|
||||
Documentation=https://gitea.com/gitea/act_runner
|
||||
After=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/local/bin/act_runner daemon --config <%= @home %>/config.yaml
|
||||
ExecReload=/bin/kill -s HUP $MAINPID
|
||||
WorkingDirectory=<%= @home %>
|
||||
TimeoutSec=0
|
||||
RestartSec=10
|
||||
Restart=always
|
||||
User=<%= @user %>
|
||||
Group=<%= @group %>
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -24,7 +24,7 @@ JELLYFIN_CACHE_DIR="<%= @cache_dir %>"
|
||||
JELLYFIN_WEB_OPT="--webdir=/usr/share/jellyfin-web"
|
||||
|
||||
# [OPTIONAL] ffmpeg binary paths, overriding the UI-configured values
|
||||
JELLYFIN_FFMPEG_OPT="--ffmpeg=<% @ffmpeg_path %>"
|
||||
#JELLYFIN_FFMPEG_OPT="--ffmpeg=/usr/bin/ffmpeg"
|
||||
|
||||
# [OPTIONAL] run Jellyfin as a headless service
|
||||
#JELLYFIN_SERVICE_OPT="--service"
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
# gonic server profile
|
||||
class roles::apps::music::gonic {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
@@ -1,10 +0,0 @@
|
||||
# a role to deploy rundeck
|
||||
class roles::infra::automation::rundeck {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
@@ -1,10 +0,0 @@
|
||||
# a role to deploy droneci
|
||||
class roles::infra::droneci::runner {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
@@ -1,10 +0,0 @@
|
||||
# a role to deploy droneci
|
||||
class roles::infra::droneci::server {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
}
|
||||
}
|
||||
@@ -1,4 +1,4 @@
|
||||
# a role to deploy the gitea
|
||||
# a role to deploy the puppetboard
|
||||
class roles::infra::git::gitea {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
# a role to deploy the gitea runner
|
||||
class roles::infra::git::runner {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
}
|
||||
}
|
||||
@@ -1,12 +0,0 @@
|
||||
# a role to deploy a postgresql/patroni node
|
||||
class roles::infra::sql::patroni {
|
||||
if $facts['firstrun'] {
|
||||
include profiles::defaults
|
||||
include profiles::firstrun::init
|
||||
}else{
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::sql::patroni
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user