3 Commits

Author SHA1 Message Date
unkinben 2924b7ad6f feat: manage openldap
- add modules, overlays, acccess rules, schemas
- manage syncrepl
- manage selinux
2024-06-30 20:14:28 +10:00
unkinben e6f243ef60 feat: add openldap role
- add basic openldap role
- manage certificates for openldap
2024-06-30 13:06:44 +10:00
unkinben 856a3901ac feat: add modules for openldap
- include dependencies for the puppet-openldap module
2024-06-30 12:57:33 +10:00
162 changed files with 401 additions and 5733 deletions
+5 -6
View File
@@ -18,7 +18,7 @@ mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0'
mod 'puppetlabs-docker', '10.0.1'
mod 'puppetlabs-augeas_core', '1.5.0'
# puppet
mod 'puppet-python', '7.0.0'
@@ -34,14 +34,14 @@ mod 'puppet-grafana', '13.1.0'
mod 'puppet-consul', '8.0.0'
mod 'puppet-vault', '4.1.0'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '5.1.0'
mod 'puppet-keepalived', '3.6.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.0.0'
mod 'puppet-rundeck', '9.1.0'
mod 'puppet-redis', '11.0.0'
mod 'puppet-openldap', '8.0.0'
mod 'puppet-augeasproviders_shellvar', '6.0.1'
mod 'puppet-augeasproviders_core', '4.1.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
@@ -55,7 +55,6 @@ mod 'broadinstitute-certs', '3.0.1'
mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
+61 -81
View File
@@ -3,10 +3,16 @@ lookup_options:
hiera_classes:
merge:
strategy: deep
profiles::packages::include:
profiles::packages::install:
merge:
strategy: deep
profiles::packages::exclude:
profiles::packages::install_exclude:
merge:
strategy: deep
profiles::packages::remove:
merge:
strategy: deep
profiles::packages::remove_exclude:
merge:
strategy: deep
profiles::pki::vault::alt_names:
@@ -123,18 +129,6 @@ lookup_options:
profiles::ceph::client::keyrings:
merge:
strategy: deep
profiles::nginx::simpleproxy::locations:
merge:
strategy: deep
certbot::client::domains:
merge:
strategy: deep
keepalived::vrrp_script:
merge:
strategy: deep
keepalived::vrrp_instance:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -142,7 +136,6 @@ hiera_include:
- timezone
- networking
- ssh::server
- profiles::accounts::rundeck
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@@ -173,70 +166,59 @@ profiles::consul::client::node_rules:
segment: ''
disposition: read
profiles::packages::include:
bash-completion: {}
bzip2: {}
ccze: {}
curl: {}
dstat: {}
expect: {}
gzip: {}
git: {}
htop: {}
inotify-tools: {}
iotop: {}
jq: {}
lz4: {}
mtr: {}
ncdu: {}
neovim: {}
p7zip: {}
pbzip2: {}
pigz: {}
pv: {}
python3.11: {}
rsync: {}
screen: {}
socat: {}
strace: {}
sysstat: {}
tar: {}
tmux: {}
traceroute: {}
unzip: {}
vim: {}
vnstat: {}
wget: {}
zsh: {}
zstd: {}
iwl100-firmware:
ensure: absent
iwl1000-firmware:
ensure: absent
iwl105-firmware:
ensure: absent
iwl135-firmware:
ensure: absent
iwl2000-firmware:
ensure: absent
iwl2030-firmware:
ensure: absent
iwl3160-firmware:
ensure: absent
iwl5000-firmware:
ensure: absent
iwl5150-firmware:
ensure: absent
iwl6000-firmware:
ensure: absent
iwl6000g2a-firmware:
ensure: absent
iwl6050-firmware:
ensure: absent
iwl7260-firmware:
ensure: absent
puppet7-release:
ensure: absent
profiles::packages::install:
- bash-completion
- bzip2
- ccze
- curl
- dstat
- expect
- gcc
- gzip
- git
- htop
- inotify-tools
- iotop
- jq
- lz4
- mtr
- ncdu
- neovim
- p7zip
- pbzip2
- pigz
- pv
- python3.11
- rsync
- screen
- socat
- strace
- sysstat
- tar
- tmux
- traceroute
- unzip
- vim
- vnstat
- wget
- zsh
- zstd
profiles::packages::remove:
- iwl100-firmware
- iwl1000-firmware
- iwl105-firmware
- iwl135-firmware
- iwl2000-firmware
- iwl2030-firmware
- iwl3160-firmware
- iwl5000-firmware
- iwl5150-firmware
- iwl6000-firmware
- iwl6000g2a-firmware
- iwl6050-firmware
- iwl7260-firmware
- puppet7-release
profiles::base::scripts::scripts:
puppet: puppetwrapper.py
@@ -305,8 +287,6 @@ sudo::configs:
profiles::accounts::sysadmin::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
profiles::accounts::rundeck::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD4F7VcorbGpyZzBFexz7c/o1JBscrl7hZU0UkWV7fq6YLizW0r6fOzD99hMwu1kdYCjPxbvuUSDEHfyBIp2EgLWU6wFVoufQqlMyOV85+ivQZUc1VNV+X9T+U4v3u/01hkAmlpXtbkwhMSR4Wi+tdABd04+D3CuMDM37mvnFmBBmi41X4Mr1rJhOQumn1XHQ7EYbsdw2mxfEVVeWpZIHz5BjNKSGzEIAYZbFt6s0Y7X3J5RT+Gjqmu043Tc8nNIUFlR9E10qd3Euf9RiBYxBx3z+yfOzJPBzWNBSHv1+PIbO5Mq+z5JaAfoFZO41L7nw+FjV6JJUCVLr6Vq+bCxyA7LW4Oq9ZahSrt/vrT0kTa0tA5U9bqK6e7pB//dm7PzoROtTq0XksV8RseA/fvIje20uaN1z9dynx+UcbszXu9pQ5GIg1o7b5DEi3OZHJwpgdudiCyEeR4+00G0z4PjpEMnTSMHAJ53WxtjzrPAOBnAmPE7hPu4coU+XrCWEXAvRMloJmca68e+zFX7VvFK82KVDuQ99vQ6w4X73IESKoLzyAVxpelwHaDG4fN+zqYfqubVQU1L5cUeYKxqm5r3Us6VvMaYs1ZMUmDGXHOq4FNhGUJYxSjkLvunM6qyAAJQCd6Pw/2TV3UQVerbouGOZaeBLvRguHWSbDrO99Zu+t87w== rundeck_runner
networking::interface_defaults:
ensure: present
-1
View File
@@ -1,3 +1,2 @@
---
timezone::timezone: 'Australia/Sydney'
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
@@ -1,31 +1,4 @@
---
hiera_include:
- keepalived
# keepalived
profiles::haproxy::dns::vrrp_ipaddr: '198.18.13.250'
profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
keepalived::vrrp_script:
check_haproxy:
script: '/usr/bin/killall -0 haproxy'
keepalived::vrrp_instance:
VI_250:
interface: 'eth0'
virtual_router_id: 250
auth_type: 'PASS'
auth_pass: 'quiiK7oo'
virtual_ipaddress: '198.18.13.250/32'
track_script:
- check_haproxy
# mappings
profiles::haproxy::mappings:
fe_http:
@@ -38,9 +11,6 @@ profiles::haproxy::mappings:
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
fe_https:
ensure: present
mappings:
@@ -51,9 +21,6 @@ profiles::haproxy::mappings:
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
profiles::haproxy::frontends:
fe_http:
@@ -63,15 +30,7 @@ profiles::haproxy::frontends:
fe_https:
options:
acl:
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -79,14 +38,6 @@ profiles::haproxy::frontends:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Frame-Options DENY if acl_sonarr'
- 'set-header X-Frame-Options DENY if acl_radarr'
- 'set-header X-Frame-Options DENY if acl_lidarr'
- 'set-header X-Frame-Options DENY if acl_readarr'
- 'set-header X-Frame-Options DENY if acl_prowlarr'
- 'set-header X-Frame-Options DENY if acl_nzbget'
- 'set-header X-Frame-Options DENY if acl_jellyfin'
- 'set-header X-Frame-Options DENY if acl_fafflix'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
@@ -128,7 +79,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
@@ -144,7 +95,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
@@ -160,7 +111,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
@@ -176,7 +127,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
@@ -189,38 +140,6 @@ profiles::haproxy::backends:
be_prowlarr:
description: Backend for au-syd1 prowlarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_nzbget:
description: Backend for au-syd1 nzbget
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_jellyfin:
description: Backend for au-syd1 jellyfin
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
@@ -237,30 +156,10 @@ profiles::haproxy::backends:
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem
# additional altnames
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- jellyfin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
@@ -268,5 +167,8 @@ certbot::client::domains:
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- fafflix.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
@@ -1,3 +1,2 @@
---
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
mysql::db::rundeck::pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcWmZuTro0DNX8X/6DCJdmxm85hawng2cjSm/M26/sAzlr7i3XLIjg5TQc3BpeiKWZvQ2XZWygOEcW7g0bHH7FBS6XTXswDiLCf7ssd0DYL+eQbh4p6VijBKObug33fp4+YJaqGV7YRUNqBjXQv/SSmxFqbNaRahUqwbMidJCyjGNmfCfbSd9WxI4/8j0L38rjXR3/i+/xzgVIhgz/qymmw0rky6jN14YrwRIkdW6loMFzVd12tqdX9kh7UBdE7j58ntQgJSilQn2pLmQs6dgcXSOeIi8Sln4R0MfAtOQ1c6LoKMUdb7k8xEszpGbhX7sw51kpwvnL1LS6PQ+T8T9wDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDm1sAUc6LFtslrIuwk1JlJgDAngDM/0g4dpgyNOZDsvAU8OualEL6HZ2RFGfibteUc11wZzHkdFZlvHz2JZdO7Huo=]
@@ -13,12 +13,3 @@ mysql::db:
- INSERT
- UPDATE
- DELETE
rundeck:
name: rundeck
user: rundeck
password: "%{alias('mysql::db::rundeck::pass')}"
grant:
- SELECT
- INSERT
- UPDATE
- DELETE
@@ -5,9 +5,3 @@ networking::interfaces:
networking::routes:
default:
gateway: 198.18.13.254
profiles::haproxy::dns::vrrp_master: true
keepalived::vrrp_instance:
VI_250:
state: 'MASTER'
priority: 101
@@ -5,8 +5,3 @@ networking::interfaces:
networking::routes:
default:
gateway: 198.18.13.254
keepalived::vrrp_instance:
VI_250:
state: 'BACKUP'
priority: 100
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.58
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.58
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.59
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.60
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.61
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.62
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.63
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.64
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.65
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.66
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.67
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.68
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.69
networking::routes:
default:
gateway: 198.18.13.254
+6 -7
View File
@@ -8,12 +8,12 @@ profiles::puppet::agent::puppet_version: '7.26.0'
hiera_include:
- profiles::almalinux::base
profiles::packages::include:
lzo: {}
network-scripts: {}
policycoreutils: {}
unar: {}
xz: {}
profiles::packages::install:
- lzo
- network-scripts
- policycoreutils
- unar
- xz
lm-sensors::package: lm_sensors
@@ -73,5 +73,4 @@ profiles::yum::global::repos:
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+5 -5
View File
@@ -1,15 +1,15 @@
# hieradata/os/debian/all_releases.yaml
---
profiles::apt::base::mirrorurl: http://edgecache.query.consul/debian/
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7
profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
profiles::packages::include:
lzop: {}
python3.11-venv: {}
xz-utils: {}
profiles::packages::install:
- lzop
- python3.11-venv
- xz-utils
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false
-81
View File
@@ -1,7 +1,4 @@
---
hiera_include:
- profiles::nginx::simpleproxy
profiles::yum::global::repos:
ceph-reef:
name: ceph-reef
@@ -21,81 +18,3 @@ profiles::base::groups::local:
gid: 20000
allowdupe: false
forcelocal: true
ldap_host: 'ldap.service.consul'
ldap_basedn: 'dc=main,dc=unkin,dc=net'
profiles::nginx::simpleproxy::locations:
# authentication proxy
authproxy:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
internal: true
location: '= /auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
proxy_set_header:
- 'Content-Length ""'
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
- 'X-Ldap-Starttls "false"'
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
- 'X-CookieName "nginxauth"'
- 'Cookie nginxauth=$cookie_nginxauth'
- "X-Ldap-Template %{lookup('ldap_template')}"
- 'X-Ldap-Realm "Restricted"'
proxy_cache: 'cache'
proxy_cache_valid: '200 10m'
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
location_cfg_append:
proxy_pass_request_body: 'off'
# health checks by consul/haproxy
arrstack_web_healthcheck:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/consul/health'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
location_allow:
- 127.0.0.1
- "%{facts.networking.ip}"
- 198.18.13.25
- 198.18.13.26
location_deny:
- all
# authorised access from external
arrstack_web_external:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
auth_request: '/auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
# location for api, which should be accessible without authentication
arrstack_api:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '~ /api'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
location_cfg_append:
client_max_body_size: '20m'
-63
View File
@@ -1,63 +0,0 @@
---
hiera_include:
- jellyfin
# manage jellyfin
jellyfin::params::service_enable: true
# additional altnames
profiles::pki::vault::alt_names:
- jellyfin.main.unkin.net
- jellyfin.service.consul
- jellyfin.query.consul
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'jellyfin.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- jellyfin.main.unkin.net
- jellyfin.service.consul
- jellyfin.query.consul
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8096
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
jellyfin:
service_name: 'jellyfin'
tags:
- 'media'
- 'jellyfin'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'jellyfin_http_check'
name: 'jellyfin HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jellyfin
disposition: write
profiles::yum::global::repos:
rpmfusion-free:
name: rpmfusion-free
descr: rpmfusion-free repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
mirrorlist: absent
rpmfusion-nonfree:
name: rpmfusion-nonfree
descr: rpmfusion-nonfree repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
-1
View File
@@ -1,3 +1,2 @@
---
lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEDEyk6fBBnrjZvfK8MnUVOTWxhFGtgY34/2CuIq55MoVLsk2ZgVrL7Kt+94bqFhwEB67kuNpMGXqTgW5ose2yWs5iVSJLECsf9C+tvGBGwaV35LNwP5S3aQmFagyTpZZz9QlGKC7818jlXz7vZWDtiUhy5TGMHeyS0fdjCveavtZR28A+ZrvWjJeLdN47mmvYwYfFnQBs3kSgkl5KyMVhFWSFOSLeHsuEzCVXHoQ1jQG+2TV5m18wV0RR/sOju2E+vsulqlDgCyifgoiry4GzJeKNrNDI2bifzHCAi6yZqHL/klyqbGTnKLlA4xKoXsHF+xEwcoq4S9JDLAdWeH1SDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCdvh4yn8knozcYhinybRq3gDAwTKv8VakQG7XK/mcEplwtoiKqLnj9IIGdIUh1zPi2Sg48ET5rfZyl0p7ddIYoHjU=]
+3 -7
View File
@@ -1,7 +1,7 @@
---
hiera_include:
- lidarr
- profiles::nginx::ldapauth
- profiles::nginx::simpleproxy
# manage lidarr
lidarr::params::user: lidarr
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=lidarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
lidarr:
service_name: 'lidarr'
@@ -45,7 +41,7 @@ consul::services:
checks:
- id: 'lidarr_http_check'
name: 'Lidarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
-2
View File
@@ -1,2 +0,0 @@
---
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAPomn4iZbT0JEysvDo7OgblpoQLFp9DzryY558UfVWQq6HDAkgoSC42cbgZGBPFclCgLaO/LfBrFpRXkafEVV33Vg2AmP/FiS9SmmwREc3t/ZTvENlDIgasY3pDIph0/i5u0S45mjyzzciBK0KY6cMZvPDVRvU+d0SyVnbSBlef6VmyZOhUk6ILpaYTGu+suVR/BAL/DTKsmmY7iTotTWN+IW/1cY3vprvBMJQVftaO1WSqKftmX29/PAsxbQo6AMpuQFx/dMcMe3d5JTB0mgzIhAFaKmSC8vJFqe21Nrr8F+PxJMSEl1saBJTwJc5RyPVm9ejVKfcPhDfWK5stNNvjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAo205Hvo/Z+rhnSGgkTS2YgDB7pTHdgnQz1UOK323DRljWcqx+SnCA7izyF1SNMlzlCck79Fr4zKh0qnbYsMZDWZU=]
-77
View File
@@ -1,77 +0,0 @@
---
hiera_include:
- nzbget
- profiles::media::nzbget
- profiles::nginx::ldapauth
# manage nzbget
nzbget::params::user: nzbget
nzbget::params::group: media
nzbget::params::manage_group: false
# additional altnames
profiles::pki::vault::alt_names:
- nzbget.main.unkin.net
- nzbget.service.consul
- nzbget.query.consul
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'nzbget.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- nzbget.main.unkin.net
- nzbget.service.consul
- nzbget.query.consul
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 6789
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_nzbget,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=nzbget_access,ou=groups,dc=main,dc=unkin,dc=net))'
profiles::nginx::simpleproxy::locations:
arrstack_web_healthcheck:
location_cfg_append:
rewrite: '/consul/health / break'
# configure consul service
consul::services:
nzbget:
service_name: 'nzbget'
tags:
- 'media'
- 'nzbget'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'nzbget_http_check'
name: 'nzbget HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: nzbget
disposition: write
profiles::yum::global::repos:
rpmfusion-free:
name: rpmfusion-free
descr: rpmfusion-free repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
mirrorlist: absent
rpmfusion-nonfree:
name: rpmfusion-nonfree
descr: rpmfusion-nonfree repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
@@ -1,3 +1,2 @@
---
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhduPAqoZuq/xeRs4f/KX4r88evPMogQX79yofLAB5Qqdr48s2X0BAa1iiw0vMdL6Tf0uc794WJN5MP2Yp365Vk1yhwgqH92rt5hKPI+wBN5uak2iLgLzLWsp0HOx7d1ukDWBbj0lI6G5LiofsL3KJbbTnkovn06L4PRJXgn44+ynfywiCl2tPy2294DhfooeM6/Cy+t9lA6blzHLCOHtt/rBKmk1GT2y3YBCPhRfOumWXQWnv4Q+f6KkQkvpfPyAFYNiQxQYBv5bGwLnwiDk3xQnPM4FfcutVuAOKjsoeMa+K1KShDFyEfBxIER8JSpigj2/khstyihcVW0Xrod3uDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCRqqRwMThwn1F/6byFhTWxgDAfucfkFhmqxBv/u5H+wWnjvK5EH7eU/fECrajYPBW/cmsYjLgXlwrAzFGqWze3AZc=]
+3 -16
View File
@@ -1,7 +1,7 @@
---
hiera_include:
- prowlarr
- profiles::nginx::ldapauth
- profiles::nginx::simpleproxy
# manage prowlarr
prowlarr::params::user: prowlarr
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_prowlarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=prowlarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
prowlarr:
service_name: 'prowlarr'
@@ -45,7 +41,7 @@ consul::services:
checks:
- id: 'prowlarr_http_check'
name: 'Prowlarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
@@ -54,12 +50,3 @@ profiles::consul::client::node_rules:
- resource: service
segment: prowlarr
disposition: write
profiles::nginx::simpleproxy::locations:
arrstack_web_external:
location_satisfy: any
location_allow:
- 198.18.13.47
- 198.18.13.50
- 198.18.13.51
- 198.18.13.52
-1
View File
@@ -1,3 +1,2 @@
---
radarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALtNnNr2N7DpP9zx5anmQavFmsTLIyPkpJGCkJpUTHMYFSScS/3FOUuufajk4Cmu4FbPswp/N/U1nHO8oLF6xNQ+H77+xXuKPalW/3R1IRqGoczwsAfstJ6nYF+PLjjeK2TDP+KMs3Eg2+nrXB7NOVOP88RvDLyZq93Wn9qR+1VG6Y2gLqGSJArZpNilV5ygUYRgbMeckjqfLynYBXtgDQQLYNhxDO6WGRRv+0X773nmOdrWFAUjqF6/K+Ejjk5ZbaqnGyjljMstSrhg7NWxtMRbCjeMpjUjUS4Hn/Vayg2M2Ag2s87gsE1e4QFa6KP7GVRu3swvyZ3D54Ba/xrebxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDD6gIEfNGPXA8zv/vysgxJgDADMi7Fx5q+aqTMeqcKLg1AukTlCnJ62zykm6RNGdS0KlpJsvTSmWF4So3v/9BsKdk=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAf6LbAXy3EsJqkf4KO8xikpXfSVIVOD2obnwZLPEiCfbC0iJyZ2Uc/RbHM9NnIpg8dgEnYGgaBM9HC+kFKYFP4skLsPQ0mpqOv13WbOAHOphhyBxWc/n4Eg4HqMAiHsC4qA9Sj5j4F29tNiMmpNM0eqDXD6YIrajV5IF+SKQQzZrNSrcDrzjqENaMnJWVc2gj7Zb9kPB1LdM5ZfljpPtfQHXHhh9ShTDKuWMx46nc+UYaRcJqHEns7OExwpsEAtA1SSunD81PTijJ6Bn1Y6cAsZoBot5YgFGaWtgQ4jvEqj7EbG8gDJuHMSwa9RzA9SMsVwEh2g1pko7wYbBR/arV7jBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAhZlVaEdaLNh60gAY0KwEKgDAHPoXfFRq0I2K2J+NFgNFm/A00jYGVRfuPsX6VZfPaJ499dtMiJifrK3Kfk1oXpvk=]
+3 -7
View File
@@ -1,7 +1,7 @@
---
hiera_include:
- radarr
- profiles::nginx::ldapauth
- profiles::nginx::simpleproxy
# manage radarr
radarr::params::user: radarr
@@ -28,13 +28,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_radarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=radarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
radarr:
service_name: 'radarr'
@@ -46,7 +42,7 @@ consul::services:
checks:
- id: 'radarr_http_check'
name: 'radarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
-1
View File
@@ -1,3 +1,2 @@
---
readarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlJ5RLp6pVTGQgtbzO5cQSrHBMg80S1ImFprHDeWC3GPN2KbheM80b1FKxvN+oVUJ8/kfiV6zstLOoYPUJQfmJNa/Xe95W/5+9hH2IS/oQ0yVdfLOjRq//qp+mVvSJ7JrtOyYSIrU3HjxaD+eXTPYp4UEJKfdSmGyDr7XuCOVIZe0Lu7OHczs8VKrowN99RJZ589HoMqrqCZWPlx14l/uNFjYdK/w6VcUWoo9y/5z1jtsNIObV8kSAYQQLwSr3tmjJdEE3au4sjeMOOJDpGcd5aJRWpKp12+8oHdVR5BV5326aCb13tkp6Td0jq/W9J2Jyv05vUdpP3PnVH9mHPDh6TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDA+2mMNGwfYM+mRoVTQiZMgDBanhVFmpYe42vZgMBKpNcNRjTnoCl27RpxD3KnjYwkE1zw/NeEOLoSZ1Try3GrlaA=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcOegaqGEsivQAlhSYvaiVUij4QJ/kterSg+wX/7P/oWjSN1oSNAFfco6lg5fYUsR7HDKZ4IwYuO1Q/q8hOxYkqzYrH/MIAhZatfQxyxriKuekxqOMuXgwrWCzAexQL0Fb4s5gcHQ4fwy5OxsM1CxFXnSSm1eYNXl5IERd//c0dFoIcshiGlOCFsj8Ne9mookFTJQDZrxM4VMXaVb+Fl9mOyy1ppDBKHTP/1ise/6LIUi+9YngamAWLIrsur5KvR45kvRoxDNLfJZasAqhD/5QLceDdSxqKBDur57QzmoPo2lFdT4WlzphKOdyHZtYOYr7BPdbtCqkXTWdkXvqFlRxjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCXhYe6zoRW7/OxVrZnAEoTgDDPFTz5S4nZWiwzjdT7Yd88Ii6I/v6ckaKTx0gd0pZKsVZkFYQBBhIfqFS2ho0UG3Y=]
+3 -7
View File
@@ -1,7 +1,7 @@
---
hiera_include:
- readarr
- profiles::nginx::ldapauth
- profiles::nginx::simpleproxy
# manage readarr
readarr::params::user: readarr
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_readarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=readarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
readarr:
service_name: 'readarr'
@@ -45,7 +41,7 @@ consul::services:
checks:
- id: 'readarr_http_check'
name: 'Readarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
-1
View File
@@ -1,2 +1 @@
sonarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANhwc0Vk0htkacwqGA/ZEVR7hpC1V2+nyP3lxyqkVNWERdcIsoMjlfwp2QNoLVirALY10Kon1wKXiRLT+QOqF9aTapS2Vb2YH3ZujR5yT6T1z4e0o4EA3IlNJZemVIziIqrK8+8zZzVafYdOYwMwpbc5EzoJPBtdqNHbDaQu4bRTCp2yMISTOzFjZpOoEJlRyC8YrffNU2xzA5mh5Cw+00MdIfPd8enrCnA4b1ddqP/IsfEYRt91ANQBULwKC5wenKdJAN5qKSKW6KU9TUM5YvGvUPgTvcYgXNf3/INL6G3/HwISTE5A7S6lqwYLyRTT1fMHtgDIqS936DPqCdAZtzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBZ4e3jAM0zvV43IrCzQOGIgDBwOWgm+wJG+jAU8r1awWDvzQXgF3h65nAKfoOuGEztsjeBEruU4EmZy6llLbfSSb8=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF5/sP43SJX/FB6cAS0GPqxC78JS7jSNKoUqWB/IXkv8uXYiClqk+Xw4nFx8EtknNn628DHBY3vCLQ59Xk89p0fyimP70m3BM6or5iRGdCqEAOzL399GbYX8WFHjyQRBmGdaLR5h2r5UnmjuPpDtV+fgsqxo4gNpXnuQ+46ZZPQce/dzHzux+4aEK4Q6UbD/ZZSQklD6zEUV+Agj6E9cQlJPBiHtTyUdXOYHYlJN1HhFPXu3C6KIz63YioVCah1n6T/rJtPQ07pVUfizIaJiPpzcUN91+ZWyyjUPo0bRGZtYKVs/uCAYXht4F5ttKQDaGa3wd4a5IdtacmEWQWFqk3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDtB/68xkjxK3nrNh0MilACgDDt85aBvSp/Oj9EY67eNPr+JcnQ7WfyuqAYAnmYqfbQI8MDtYAx7br0+inJXvQ1BvI=]
+3 -7
View File
@@ -1,7 +1,7 @@
---
hiera_include:
- sonarr
- profiles::nginx::ldapauth
- profiles::nginx::simpleproxy
# manage sonarr
sonarr::params::user: sonarr
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
sonarr:
service_name: 'sonarr'
@@ -45,7 +41,7 @@ consul::services:
checks:
- id: 'sonarr_http_check'
name: 'Sonarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
+2 -2
View File
@@ -1,6 +1,6 @@
---
profiles::packages::include:
policycoreutils: {}
profiles::packages::install:
- policycoreutils
puppetdb::master::config::create_puppet_service_resource: false
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
-251
View File
@@ -1,251 +0,0 @@
---
hiera_include:
- glauth
# additional altnames
profiles::pki::vault::alt_names:
- ldap.main.unkin.net
- ldap.service.consul
- ldap.query.consul
- "ldap.service.%{facts.country}-%{facts.region}.consul"
glauth::params::download_version: 2.3.2
glauth::params::ldap_enabled: true
glauth::params::ldaps_enabled: true
glauth::params::basedn: 'dc=main,dc=unkin,dc=net'
glauth::params::behaviors_ignorecapabilities: true
glauth::params::ldap_tlscertpath: /etc/pki/tls/vault/certificate.crt
glauth::params::ldap_tlskeypath: /etc/pki/tls/vault/private.key
glauth::params::ldaps_cert: /etc/pki/tls/vault/certificate.crt
glauth::params::ldaps_key: /etc/pki/tls/vault/private.key
glauth::params::api_cert: /etc/pki/tls/vault/certificate.crt
glauth::params::api_key: /etc/pki/tls/vault/private.key
# configure consul service
consul::services:
ldap:
service_name: 'ldap'
tags:
- 'media'
- 'ldap'
address: "%{facts.networking.ip}"
port: 636
checks:
- id: 'glauth_http_check'
name: 'glauth HTTP Check'
http: "https://%{facts.networking.fqdn}:5555"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: ldap
disposition: write
glauth::users:
benvin:
user_name: 'benvin'
givenname: 'Ben'
sn: 'Vincent'
mail: 'benvin@users.main.unkin.net'
uidnumber: 20000
primarygroup: 20000
othergroups:
- 20025 # media_admin
- 20017 # rundeck_access
- 20018 # rundeck_globaladmin
- 20023 # vault_access
loginshell: '/bin/bash'
homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
sshkeys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net'
matsol:
user_name: 'matsol'
givenname: 'Matt'
sn: 'Solomon'
mail: 'matsol@users.main.unkin.net'
uidnumber: 20001
primarygroup: 20000
othergroups:
- 20025 # media_admin
loginshell: '/bin/bash'
homedir: '/home/matsol'
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
seablo:
user_name: 'seablo'
givenname: 'Sean'
sn: 'Bloomfield'
mail: 'seablo@users.main.unkin.net'
uidnumber: 20002
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/seablo'
passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
marbal:
user_name: 'marbal'
givenname: 'Mark'
sn: 'Balch'
mail: 'marbal@users.main.unkin.net'
uidnumber: 20003
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/marbal'
passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
kelren:
user_name: 'kelren'
givenname: 'Kelly'
sn: 'Rennie'
mail: 'kelren@users.main.unkin.net'
uidnumber: 20004
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/kelren'
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
ryadun:
user_name: 'ryadun'
givenname: 'Dunbar'
sn: 'Ryan'
mail: 'ryadun@users.main.unkin.net'
uidnumber: 20005
primarygroup: 20000
othergroups:
- 20024 # media_access
loginshell: '/bin/bash'
homedir: '/home/ryadun'
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
glauth::services:
svc_jellyfin:
service_name: 'svc_jellyfin'
mail: 'jellyfin@service.main.unkin.net'
uidnumber: 30000
primarygroup: 20001
passsha256: '97f7b1eb24deb0a86e812d79c56f4901d39a24128dc9f6fde033e7195f7d0739'
svc_sonarr:
service_name: 'svc_sonarr'
mail: 'sonarr@service.main.unkin.net'
uidnumber: 30001
primarygroup: 20001
passsha256: '2c32d4cb831183cfbef15835cc76f99b401d0159621bc580e852253d4d8f8722'
svc_radarr:
service_name: 'svc_radarr'
mail: 'radarr@service.main.unkin.net'
uidnumber: 30002
primarygroup: 20001
passsha256: '805b0182d90c2b5b3ba43e50988447a0bff0115eb5fedd8eeae8eac00ba53025'
svc_lidarr:
service_name: 'svc_lidarr'
mail: 'lidarr@service.main.unkin.net'
uidnumber: 30003
primarygroup: 20001
passsha256: '6d04cd2a45784bacbd50e6714710b55805c7e9886665a6d7790e6d8712b67aff'
svc_readarr:
service_name: 'svc_readarr'
mail: 'readarr@service.main.unkin.net'
uidnumber: 30004
primarygroup: 20001
passsha256: '751f22fbd9c052b2cd0c1cb4be514d8710f1a51f84ce44f607ab3a5591162f8c'
svc_prowlarr:
service_name: 'svc_prowlarr'
mail: 'prowlarr@service.main.unkin.net'
uidnumber: 30005
primarygroup: 20001
passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043'
svc_nzbget:
service_name: 'svc_nzbget'
mail: 'nzbget@service.main.unkin.net'
uidnumber: 30006
primarygroup: 20001
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
svc_nzbsubmit:
service_name: 'svc_nzbsubmit'
mail: 'nzbsubmit@service.main.unkin.net'
uidnumber: 30007
primarygroup: 20001
othergroups:
- 20016
passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2'
svc_rundeck:
service_name: 'svc_rundeck'
mail: 'rundeck@service.main.unkin.net'
uidnumber: 30007
primarygroup: 20001
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
svc_terraform:
service_name: 'svc_terraform'
mail: 'terraform@service.main.unkin.net'
uidnumber: 30008
primarygroup: 20001
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
svc_vault:
service_name: 'svc_vault'
mail: 'vault@service.main.unkin.net'
uidnumber: 30009
primarygroup: 20001
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
glauth::groups:
users:
group_name: 'people'
gidnumber: 20000
services:
group_name: 'services'
gidnumber: 20001
jellyfin_access:
group_name: 'jellyfin_access'
gidnumber: 20010
sonarr_access:
group_name: 'sonarr_access'
gidnumber: 20011
radarr_access:
group_name: 'radarr_access'
gidnumber: 20012
lidarr_access:
group_name: 'lidarr_access'
gidnumber: 20013
readarr_access:
group_name: 'readarr_access'
gidnumber: 20014
prowlarr_access:
group_name: 'prowlarr_access'
gidnumber: 20015
nzbget_access:
group_name: 'nzbget_access'
gidnumber: 20016
rundeck_access:
group_name: 'rundeck_access'
gidnumber: 20017
rundeck_globaladmin:
group_name: 'rundeck_globaladmin'
gidnumber: 20018
rundeck_selfservice_admin:
group_name: 'rundeck_selfservice_admin'
gidnumber: 20019
rundeck_selfservice_user:
group_name: 'rundeck_selfservice_user'
gidnumber: 20020
rundeck_infrastructure_admin:
group_name: 'rundeck_infrastructure_admin'
gidnumber: 20021
rundeck_infrastructure_user:
group_name: 'rundeck_infrastructure_user'
gidnumber: 20022
vault_access:
group_name: 'vault_access'
gidnumber: 20023
media_access:
group_name: 'media_access'
gidnumber: 20024
includegroups: [20010, 20011, 20012, 20013, 20014, 20016]
media_admin:
group_name: 'media_admin'
gidnumber: 20025
includegroups: [20024, 20015]
@@ -0,0 +1,2 @@
---
profiles::openldap::params::rootpw: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAMPu8Asw6L7+k8SRXbPqw62B3ldiE5f2CaDSQbhrOc2u2ULdKvOVpWZnr5cKekl4L8un3zRCiNgY7IG008011jh7oXtTqEGJB2hD/ANHlRawoduft798rRKkDuFqET1rw+komuM7ACJsxXGPO9jB7HjycoJHr4+2yV4o3DlazR0+Ha8kPs8U4C/G/UEWQYOsrP964UZ2CgsHSdozgWj304fVJZ/fWqfOSgipKi2GjNK+TD7g9H12ouGaOjTeOsFBo33QWrikYi6MBFE42p3BLoaBX6Gk6KBzmkhYT7Hyvc/ASP65MpDbXffKp2kcqq++VIb7WhsRydaudRP9wyEJOjzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBVYwJ47CXR2LGgbZOOrd7cgDBCgqTmI4Y5G7x8ZNxEm9WzVY1E7SiKrSnKWF3ntekOhL8ABOk8Y0uODE2HYE+jkJw=]
+22
View File
@@ -0,0 +1,22 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- ldap.main.unkin.net
- ldap.service.consul
- ldap.query.consul
- "ldap.service.%{facts.country}-%{facts.region}.consul"
openldap::server::manage_epel: false
profiles::openldap::params::data_path: '/data/ldap/main.unkin.net'
profiles::openldap::params::database: 'dc=main,dc=unkin,dc=net'
profiles::openldap::params::rootdn: "cn=admin,%{hiera('profiles::openldap::params::database')}"
profiles::openldap::params::ldap_server:
- rid: 1
provider: ldap://ausyd1nxvm1044.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
- rid: 2
provider: ldap://ausyd1nxvm1045.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
- rid: 3
provider: ldap://ausyd1nxvm1046.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
File diff suppressed because one or more lines are too long
@@ -1,205 +0,0 @@
---
hiera_include:
- profiles::rundeck::server
- profiles::nginx::simpleproxy
hiera_exclude:
- profiles::accounts::rundeck
profiles::packages::exclude:
- jq
profiles::ssh::sign::principals:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 4440
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 20M
# additional altnames
profiles::pki::vault::alt_names:
- rundeck.main.unkin.net
- rundeck.service.consul
- rundeck.query.consul
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
rundeck:
service_name: 'rundeck'
tags:
- 'automation'
- 'rundeck'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'glauth_http_check'
name: 'glauth HTTP Check'
http: "http://%{facts.networking.fqdn}:4440"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: rundeck
disposition: write
profiles::rundeck::server::mysql_backend: true
profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
profiles::rundeck::server::auth_config:
file:
auth_flag: 'sufficient'
jaas_config:
file: '/etc/rundeck/realm.properties'
realm_config:
admin_user: 'admin'
admin_password: "%{hiera('rundeck_admin_pass')}"
ldap:
jaas_config:
debug: 'true'
providerUrl: 'ldap://ldap.service.consul:389'
bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
bindPassword: "%{hiera('ldap_bindpass')}"
authenticationMethod: 'simple'
forceBindingLogin: 'true'
userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
userRdnAttribute: 'uid'
userIdAttribute: 'uid'
userPasswordAttribute: 'userPassword'
userObjectClass: 'posixAccount'
roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
roleNameAttribute: 'uid'
roleMemberAttribute: 'uniqueMember'
roleObjectClass: 'groupOfUniqueNames'
nestedGroups: 'true'
profiles::rundeck::server::key_storage_config:
- type: 'db'
path: 'keys'
- type: 'vault-storage'
path: 'vault'
config:
prefix: 'rundeck'
address: https://vault.query.consul:8200
storageBehaviour: 'vault'
secretBackend: rundeck
engineVersion: '2'
authBackend: approle
approleAuthMount: approle
approleId: "%{hiera('vault::roleid')}"
profiles::rundeck::server::cli_projects:
Self-Service:
update_method: 'set'
config:
project.description: 'self-service tasks'
project.disable.executions: 'false'
Infrastructure:
config:
project.description: 'infrastructure management'
project.disable.schedule: 'false'
profiles::rundeck::server::acl_policies:
global_admin_policy:
acl_policies:
- description: 'Global Admin, all access'
context:
application: "rundeck"
for:
project:
- allow: '*'
resource:
- allow: '*'
storage:
- allow: '*'
by:
- group: ['rundeck_globaladmin']
- description: 'Global Admin, all access'
context:
project: '.*'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_globaladmin']
selfservice_admin_policy:
acl_policies:
- description: 'Admin, all access for Self-Service project'
context:
project: 'Self-Service'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_selfserice_admin']
selfservice_user_policy:
acl_policies:
- description: 'Users can execute tasks but not edit for Self-Service project'
context:
project: 'Self-Service'
for:
resource:
- allow: ['read']
adhoc:
- allow: ['run']
job:
- allow: ['read', 'run']
node:
- allow: ['read', 'run']
by:
- group: ['rundeck_selfserice_user']
infrastructure_admin_policy:
acl_policies:
- description: 'Admin, all access for Infrastructure project'
context:
project: 'Infrastructure'
for:
resource:
- allow: '*'
adhoc:
- allow: '*'
job:
- allow: '*'
node:
- allow: '*'
by:
- group: ['rundeck_infrastructure_admin']
infrastructure_user_policy:
acl_policies:
- description: 'Users can execute tasks but not edit for Infrastructure project'
context:
project: 'Infrastructure'
for:
resource:
- allow: ['read']
adhoc:
- allow: ['run']
job:
- allow: ['read', 'run']
node:
- allow: ['read', 'run']
by:
- group: ['rundeck_infrastructure_user']
+11 -11
View File
@@ -1,15 +1,15 @@
---
profiles::packages::include:
cobbler: {}
cobbler3.2-web: {}
httpd: {}
syslinux: {}
dnf-plugins-core: {}
debmirror: {}
pykickstart: {}
fence-agents: {}
selinux-policy-devel: {}
ipxe-bootimgs: {}
profiles::packages::install:
- cobbler
- cobbler3.2-web
- httpd
- syslinux
- dnf-plugins-core
- debmirror
- pykickstart
- fence-agents
- selinux-policy-devel
- ipxe-bootimgs
profiles::pki::vault::alt_names:
- cobbler.main.unkin.net
-2
View File
@@ -1,2 +0,0 @@
---
redisha::masterauth: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAV8znsSGAbPpPUhAcyOIWFltVyAcx3yVcIvC+JFndkkuVBT1813GSURrXIreXSilvJEHlwRC03A9NhjWJSsHBIS12uUb+7ap95oh2JJ7OHmeWSVD1GDDRpTQAgDEOikAnioRNJfQ83jUa11nJrsavt46hSq8vDq+rZ2P8ugiNk59mNX5vgYthCPXcEJd7UmpLZhgxZ8+42l4TKo7QpqKRcIMteJXk1NvyYfYGnGTZhknuyHM3xPGauGjKzamMlTzD9dGnn2K0/Q7I4PUyT24ZEG3kNVyDlVHTYcKnIT5q8qvmJdDQfZwOETF3SrzcqhQ2nqFvmI19sCTsQVmveb/2ITBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9KML3vzwF4vGZdtiu++jmgDAWPZspCckgoXPkgNRMePov3pXSlKUAGxwmdsuIM75rJMxlSTiil2lzMMBWXmUofys=]
-67
View File
@@ -1,67 +0,0 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- redis.main.unkin.net
- redis.service.consul
- redis.query.consul
- "redis.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- redis.main.unkin.net
- redis.service.consul
- redis.query.consul
hiera_include:
- redisha
redisha::manage_repo: false
redisha::redisha_members_lookup: true
redisha::redisha_members_role: roles::infra::db::redis
#redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
#redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
redisha::tools::requirepass: "%{hiera('redisha::masterauth')}"
sudo::configs:
consul:
priority: 20
content: |
consul ALL=(ALL) NOPASSWD: /usr/local/sbin/sentineladm info
consul::services:
redis-replica:
service_name: "redis-replica-%{facts.environment}"
tags:
- 'redis'
- 'redis-replica'
address: "%{facts.networking.ip}"
port: 6379
checks:
- id: 'redis-replica_tcp_check'
name: 'Redis Replica TCP Check'
tcp: "%{facts.networking.ip}:6379"
interval: '10s'
timeout: '1s'
redis-master:
service_name: "redis-master-%{facts.environment}"
tags:
- 'redis'
- 'redis-master'
address: "%{facts.networking.ip}"
port: 6379
checks:
- id: 'redis-master_tcp_check'
name: "Redis Master Check"
args:
- '/usr/local/bin/check_redis_master'
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: "redis-replica-%{facts.environment}"
disposition: write
- resource: service
segment: "redis-master-%{facts.environment}"
disposition: write
+8
View File
@@ -33,6 +33,13 @@ profiles::dns::resolver::zones:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
unkin.net-forward:
domain: 'unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
dmz.unkin.net-forward:
domain: 'dmz.unkin.net'
zone_type: 'forward'
@@ -60,6 +67,7 @@ profiles::dns::resolver::views:
recursion: true
zones:
- main.unkin.net-forward
- unkin.net-forward
- dmz.unkin.net-forward
- network.unkin.net-forward
- prod.unkin.net-forward
-2
View File
@@ -1,2 +0,0 @@
---
droneci_server::rpc_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF8cEANj72ACYYdilP52Oz4EXVt+stx838tFVV4SFukoCTmN+kJ3GUUEM9x+oDvo17CsZhDzx5dX0JGo7N9MCLHsR4XKx3GSoAKvaSiD73TbzbdTNJgTIE1tRP9HNbJKizwWLo4lo+OUNtwnu0Z5dkMLYRHyvZ1hG24qmdXVn9DI06gVGQw9YXGmNy8AvA0BKnaHvUnE5XoLNVKZ4g1yvc/nkYpK6nLB+X4sZ96PRig7khiuFVvAfpg5c2iWnF13ljIajnG9uY12RyGaAGfH4l/d3UEyuHyQL4zzT8N7gGt8fvg7eNFx51TyEpVRFLyQ7dqq/lzn0moXVT35PQr9K3DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCGJ+rkxhqmyUUiIQLG7PnggDBPH9gyYAW5/XjDp5xd6GnuSt/WWOwOGxhg+1BoPzbV5o+Xufg5zyMVdYeI1MWD/u8=]
-25
View File
@@ -1,25 +0,0 @@
---
hiera_include:
- profiles::base::datavol
- docker
- droneci::runner
docker::version: latest
docker::curl_ensure: false
droneci::runner::ports:
- 3000:3000
droneci::runner::volumes:
- type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock
- type=bind,source=/data,target=/data
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
droneci::runner::env_vars:
DRONE_RPC_PROTO: https
DRONE_RPC_HOST: droneci.query.consul
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: "%{facts.networking.fqdn}"
DRONE_RUNNER_VOLUMES: /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt
@@ -1,6 +0,0 @@
---
droneci_server::gitea_client_secret: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJLcMKV4EevB8V/vjex+Srq47pWLvPozjSb+vjS/crFpKq3/dgtkJ8WkqF98fPnXxkMowP/BpNexJBCmPtTR2pPTKHIYkXjxGax0g3P2gcgeT7wsNl24mnUJDWZs1/z8ibwUXv4Zg0nbKi+YdomjsvT3vl2IPI88TKZDkq6HBoturwqx2l/edC5IeAi8vgPRXF8hn2TVuslkmoNXoI28Qp10b2XNOCss6KUJ4rbOwpIgdOVFbXqi7CFjhGz/3uS9xK+2m3iuE/gXi8KSKfiQ+QcGuXL9Zy5PH5rrNg4mbrFiaFfTevsHInl1wwRmULilQ0kEY3NW4b/URXqBBuwcN/TBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDlv7tA+6OQwDuL7z3xGYZjgEBcEAj3TQ9R9TntxTyBa9mKFRXimFTDDxdZ2zD96qFNz+7ZZFGD6pFQNHSMC9AYlAue94UsIHJZaXwgAo5zc98Q]
droneci_server::cookie_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKTWrB7Cca8RgFEeP46puzhVWOAiI6nB+m5+/sgz1qNnn6VgNh9Q6D26p9HISrMp4k60KVuGXrIbZYpkvKZmv4zHgK2et+50sr/F1anhDRX4rsmGWVV9n8VhaIJFAyQkW4de9YxV9LAgk0tWs1BgfXv4cV4+sDBv0OSVIFJDst3LUWpBR6lsiV9IifvNNUrdOHkdt5XjuL4JVmc0nkjetAg9HSvJ9VHYLIQagFHnTQp0FWluE1/ibGNc2kz7D4K7cPz2bBxRJWomckSUwgQK0NrGID4D13haZXhKXAO/8QpQOwPra8vD9FYrFenMeFLwdw43NzSr2g/W1ss5PekbWGjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBASshs2UwkGqK4ShFfXni7cgDCDCnEiqcfxIz4X/Bq71IpRKan3uQbHOewFqjNGqoR+1oWupjRxzNL39H9YF1a6i6s=]
droneci_server::database_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEASu4C45TYWZKgIoyqC3YdwYYXn+T+ruP6oIvhYFJ5dxeZ+6HtWbRMViErvpPuWYfgs5qt6Zj9eLz2hqimFCvKiAvzANeZ9hkhw/jkpmvG8iXpDFw6x8QKcPJteRo896KSLiGiVlZfRbgQCGAqiEMw6y6M9CvfCLzE/mZ9gOKjSJVKiioAnXU2fyq0Y0M6g0iLRw0VXl2BVc4ORCnVECARQPo48T3U+TT39q0ar4mRO1AFO0VA5iDJ6/EMPBcH3ekKO/1dB1UbV6VkD3s9BAHGyL5a5Wr6ztg/5Yl6VBCXmECZqpCx8jx8KDUoaj1R/+I83YQxbw9ch76j79haIK6+jzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAh6MmfbUELaWbSNZ9/Dev2gDD/E3G/uYJGXNGl1+PIVwGmi0z2BTXNqg7ax/b/uF5Xc9ZtBSPiSxR6BPRXN3GleNo=]
droneci_server::postgres_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANpDnrpratpuYheXFrN4nwRTauPm9rZz2ubDyJlcxmah+kOWqsWIeEkv5GuATlymfAx5UuHPOv3dJPCSK+YuyQY+kGW/8uEFM68QrNi38NdRqEpdXuPBe5+AmWxcjYK3mdJ4maEwsbbxtYJmD8TF6kskS2P/KhnIzYR5PPHZTaYbEf/W5Da3l+J5WnFYpStuLq+86yZokBAygFPI+y/Ic+zJIdhpzVdLyGuqxGLXZq7nNMrjuNyFPKkCj1BBpuJTMCS4oPKCUTlm5hIIeeC2pFREI0CMTV5siZB8NphobPNn/ZbJrcs9q75LtIa47pkFYRbmV4WPctCwZXg6jtMleuzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDHJaChyidZq/5FN5n+ASJWgDCqUcR/DG9e8AD7fRmTb5BZM8XQ77a1hUJoaCycnMQ/5UyKmqU/7fLPrsxCf2vZU1M=]
droneci_server::redis_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAYMoZlVXHC1qfkDptPy3PyWGrUs5y9M9AOv5Vn1AK6DYViixhjwPZUCfwTONmt7CiBuqmkDOpR5isWFiBo/+TMeMXlM9C/D+Svc9tpeHLpVaXAYeoz5um2InyBFkLWSaUaWSftF9U7O5Nv/OiLIsd7nn4T8Dd21rfUiRfUN/2HPLMCs+mW15Az9XNOcvfm+kPXDAcB+ukHde0vvtYTZEFWjMdwJjjE43DiCmAoLTcpvQxdlclojotBpFeBLZs/F21FDQ4hvBUvPBMuZ1o7ImSP5fuomYSFK8etbD7JO5gg5BN59lGl1ljyR83phv6wmmqlzB8wQl0pjEpni9o7fa9hTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCKJrkPA78qx3wAu1eroIjRgDA72N9U0YZf1MzACcGSOMU5RGO242RwlIKUrnuYcdC0dKkjLXtP+yVpSKkX5WxcsDQ=]
-79
View File
@@ -1,79 +0,0 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- droneci.main.unkin.net
- droneci.service.consul
- droneci.query.consul
- "droneci.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- droneci.main.unkin.net
- droneci.service.consul
- droneci.query.consul
hiera_include:
- docker
- profiles::sql::postgresdb
- droneci
docker::version: latest
docker::curl_ensure: false
profiles::sql::postgresdb::dbname: droneci
profiles::sql::postgresdb::dbuser: droneci
profiles::sql::postgresdb::dbpass: "%{hiera('droneci_server::postgres_password')}"
profiles::sql::postgresdb::members_lookup: true
profiles::sql::postgresdb::members_role: roles::infra::droneci::server
droneci::ports:
- 80:80
- 443:443
droneci::volumes:
- type=bind,source=/var/lib/drone,target=/data
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
droneci::env_vars:
DRONE_GITEA_SERVER: https://git.query.consul
DRONE_GITEA_CLIENT_ID: dda67581-86df-4e65-88ae-1e505b849082
DRONE_USER_CREATE: username:unkinben,admin:true
DRONE_GITEA_CLIENT_SECRET: "%{hiera('droneci_server::gitea_client_secret')}"
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
DRONE_SERVER_HOST: droneci.query.consul
DRONE_SERVER_PROTO: https
DRONE_TLS_CERT: /etc/pki/tls/vault/certificate.crt
DRONE_TLS_KEY: /etc/pki/tls/vault/private.key
DRONE_COOKIE_SECRET: "%{hiera('droneci_server::cookie_secret')}"
DRONE_COOKIE_TIMEOUT: 720h
DRONE_HTTP_SSL_REDIRECT: true
DRONE_HTTP_SSL_TEMPORARY_REDIRECT: true
DRONE_HTTP_SSL_HOST: droneci.query.consul
DRONE_LOGS_TEXT: true
DRONE_LOGS_PRETTY: true
DRONE_LOGS_COLOR: true
DRONE_DATABASE_SECRET: "%{hiera('droneci_server::database_secret')}"
DRONE_DATABASE_DRIVER: postgres
DRONE_DATABASE_DATASOURCE: "postgres://droneci:%{hiera('droneci_server::postgres_password')}@master.patroni-prod.service.au-syd1.consul:5432/droneci?sslmode=disable"
DRONE_REDIS_CONNECTION: "redis://%{hiera('droneci_server::redis_password')}@redis-master-prod.service.au-syd1.consul:6379/2"
consul::services:
droneci:
service_name: 'droneci'
tags:
- 'drone'
- 'droneci'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'droneci_https_check'
name: 'droneci HTTPS Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: droneci
disposition: write
+1 -1
View File
@@ -41,7 +41,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
- "git.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 3000
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 1024M
nginx::client_max_body_size: 250M
profiles::gitea::init::root:
APP_NAME: 'Gitea'
-1
View File
@@ -1 +0,0 @@
profiles::gitea::runner::registration_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOL/ug4IPhEW1n+Lq+SsMSEJUYsDDK2s0+oNF3unxcbH3QDqWo7kuYKkDWQ+W3otcxvuRlbC8+0W2fO2udhF7sSGrF93INsTCDqWlLnaaAgxlgNSXthA4OCJlI8DCLeD/Sr0TTCchUdpQrIpDo6Gh0EUjgRv5574q26or7c/vvtQ4nfLVQOqEV9UpsCgEYiQvXVcf55LEpgaDp4mFL0qCnfzDnGNbZ0GUo6552ka19IocqOqILPnZO0qDcEoLbQ90sP197+5Jw611i1Akx1C4lFP81bazFMpbdiEP0V4Ax+33LfZEb0KnXuMbKOF23vIwwwfpFJaSOAjA5YehA3xM2zBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDPJHB2uL+VEyntgZocyoMXgDBJ1dnRWiJM77XomzbNdDUO+ktIHLOTL5do0m4CkXZ1s42KtaAwWL+/EGdxg80UMC8=]
-46
View File
@@ -1,46 +0,0 @@
---
hiera_include:
- docker
- profiles::gitea::runner
docker::version: latest
docker::curl_ensure: false
profiles::gitea::runner::home: /data/runner
profiles::gitea::runner::version: '0.2.10'
profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
profiles::gitea::runner::config:
log:
level: info
runner:
file: "%{hiera('profiles::gitea::runner::home')}/.runner"
capacity: 2
envs:
A_TEST_ENV_NAME_1: a_test_env_value_1
A_TEST_ENV_NAME_2: a_test_env_value_2
env_file: .env
timeout: 3h
insecure: false
fetch_timeout: 5s
fetch_interval: 2s
labels:
- "almalinux-latest"
- "almalinux-8:docker"
- "almalinux-8.10:docker"
cache:
enabled: true
dir: "%{hiera('profiles::gitea::runner::home')}/.cache/actcache"
host: ""
port: 0
external_server: ""
container:
network: ""
privileged: false
options:
workdir_parent: /workspace
valid_volumes: []
docker_host: ""
force_pull: true
force_rebuild: false
host:
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
-4
View File
@@ -53,8 +53,6 @@ profiles::haproxy::frontends:
options:
acl:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
use_backend:
- 'be_letsencrypt if acl-letsencrypt'
http-request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
@@ -70,8 +68,6 @@ profiles::haproxy::frontends:
options:
acl:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
use_backend:
- 'be_letsencrypt if acl-letsencrypt'
http-request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
@@ -9,5 +9,4 @@ profiles::metrics::server::scrape_jobs:
- puppetdb
- systemd
- haproxy
- postgres
profiles::metrics::server::localstorage: /data/prometheus
-2
View File
@@ -1,2 +0,0 @@
---
certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
-15
View File
@@ -1,15 +0,0 @@
---
hiera_include:
- certbot
- profiles::pki::puppetcerts
certbot::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- fafflix.unkin.net
+2 -2
View File
@@ -1,3 +1,3 @@
---
profiles::packages::include:
puppetserver: {}
profiles::packages::install:
- puppetserver
+2 -2
View File
@@ -1,6 +1,6 @@
---
profiles::packages::include:
createrepo: {}
profiles::packages::install:
- createrepo
profiles::pki::vault::alt_names:
- repos.main.unkin.net
-4
View File
@@ -1,4 +0,0 @@
---
profiles::sql::patroni::superuser_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAImaYEH6ktU6KYDu96OtuJu11FbmE+b9YwrkJiv72QfuVivR7lGfieRKcvkrq3IsNcwhhnl1lzyMZHteib7jLEIiaq59AZFiZyfF2E5bhNYfW4QcDJd4QOheU2awkZkl6oaoMUxgWOnqvihYVLDfoJ0lj6hBTFuqIzO/KU+AJ4NMO3+/+AK9+HB0u/8Iyuev4RQBkvaRAoszCcFCWTAZJTmhOgWe4xJIxfbh0/5k/dmT5WQ1JPEQK7hnVly9iToROZJDjuyndNHbrhCQUg4+DYMPS2fZVWvcESfxN8lJjBFPojj9ZbG5mLlq1e4A4KiZNwHfA1V4D88VWOkRg65XtZDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBzToImdK5/pk3UeZPyavjTgDCcYBzwY/g353Pbh0xr/we8KmvsQEtfxPDuPm4Kv4hsD5X0dHu2nGzBAZq5uWcE3RE=]
profiles::sql::patroni::replication_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWyCj+7WfzpTcpBg6uQ5ykGmLZmb/avW3Pc+VWj9bGvxSQCA8LA6HJlEhhL3mrJSTGUyHLgeEebEup9AVHe2k2l/JHIvhyfx7LI+mNDp8u5p40pM6ZxTdIJFOZmOS/nGjAR6mTv6Ennhpw4sWSDYXU0mJPTHGAked2FXV1xsS0zpTY7hccJHuww5ixOw6jP8E1Pu0ex4LmefOXApowf0jZ2pARndlsXwZldahUHIF48XejclpgCK9rTrb4eQsOZr5ozcj0BBpWg/JKNkQt8mQU5l5/z0GDT08Op8g6MVdJuOWr92uPqjc8sydrz0QAx4l8t1KY2fMWK7BPKqSdcOxiDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDEZBNd56BHVGRVfHDPPwZHgDAZKnqicbF/MVKPi1PwwyHrXMW/fWqocgr1zWx6RXWgXICqjJdEFXwFerXXb39RSDg=]
profiles::sql::patroni::postgres_exporter_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAL5brQt9CGFU7okDXZWF1jL1j+RbrQZhKfzGWyWl+SqRK6q+xH0LIzYQhOAji7tlDBzvFZpzglmzj0xDrAkQA46jg1DkR5+9Ozru9jL1nhg/6z/F54DlhAG7Ui0hjgSLal79VABLXa/cb9xJThx97b9xoOW+/vpfSKa4izFtkN9fliClFTVafxLlLLD/yABW99aq1OK+9MyCsppvs/rjWbXvjEKL+C0jawh4dBnc+tYJMHC/k5NIK0th4A/zSYVH5q6gFakpxrV2ubETIbVTDncC8zfRLhnrikZYNbCy5PuJb2a4vW1O0AOzUWqvqbRkWpYF7dJB9fzW/Tu8f8d10KTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAJS5PcA9aJvjGIfKSciLLpgDAU7xXGF+Sj+g1ABMvsenEmgXsdSKVU9ZYusIiGnPdFdN4EF9usi7g4SahochlG0NU=]
-28
View File
@@ -1,28 +0,0 @@
---
profiles::yum::global::repos:
postgresql-15:
name: postgresql-15
descr: postgresql-15 repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
postgresql-common:
name: postgresql-common
descr: postgresql-common repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
profiles::sql::patroni::postgres_exporter_enabled: true
profiles::sql::patroni::postgres_exporter_user: postgres_exporter
profiles::consul::client::node_rules:
- resource: service_prefix
segment: "%{hiera('profiles::sql::patroni::cluster_name')}"
disposition: write
- resource: key_prefix
segment: "service/%{hiera('profiles::sql::patroni::cluster_name')}"
disposition: write
- resource: session_prefix
segment: ""
disposition: write
@@ -89,9 +89,3 @@ profiles::consul::prepared_query::rules:
service_failover_n: 3
service_only_passing: true
ttl: 10
droneci:
ensure: 'present'
service_name: 'droneci'
service_failover_n: 3
service_only_passing: true
ttl: 10
+2 -2
View File
@@ -125,12 +125,12 @@ profiles::edgecache::params::mirrors:
ensure: present
location: '~* ^/ceph/yum/.*/repodata/'
rewrite_rules:
- '^/ceph/yum/(.*)$ /rpm-18.2.2/$1 break'
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
proxy: http://158.69.68.124
ceph_yum_data:
ensure: present
location: /ceph/yum
proxy: http://158.69.68.124/rpm-18.2.2
proxy: http://158.69.68.124/rpm-reef
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
+2 -2
View File
@@ -1,3 +1,3 @@
---
profiles::packages::include:
"%{hiera('lm-sensors::package')}": {}
profiles::packages::install:
- "%{hiera('lm-sensors::package')}"
@@ -1,18 +0,0 @@
# frozen_string_literal: true
Facter.add(:certbot_available_certs) do
confine enc_role: 'roles::infra::pki::certbot'
setcode do
certs_dir = '/etc/letsencrypt/live'
available_certs = []
if Dir.exist?(certs_dir)
Dir.children(certs_dir).each do |entry|
fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
available_certs << entry if File.exist?(fullchain_pem)
end
end
available_certs.join(',')
end
end
-15
View File
@@ -1,15 +0,0 @@
# certbot::cert
define certbot::cert (
Stdlib::Fqdn $domain,
Array $additional_args = ['--http-01-port=8888'],
Boolean $manage_cron = true,
) {
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
@@letsencrypt::certonly { $domain:
additional_args => $additional_args,
manage_cron => $manage_cron,
tag => $location_environment,
}
}
-23
View File
@@ -1,23 +0,0 @@
class certbot::client (
Array[Stdlib::Fqdn] $domains,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
) {
mkdir::p {$data_dir:}
file { $data_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
$domains.each |$domain| {
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
domain => $domain,
destination => "${data_dir}/${domain}",
webserver => $webserver,
require => File[$data_dir],
}
}
}
-51
View File
@@ -1,51 +0,0 @@
define certbot::client::cert (
Stdlib::Fqdn $domain,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
) {
file { $destination:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
$cert_ready_nodes = puppetdb_query("
facts {
name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
}"
)
# Define the certificate files
$cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
if !empty($cert_ready_nodes) {
$files_to_create = $cert_files.reduce({}) |$acc, $file| {
$acc + {
"${destination}/${file}" => {
ensure => 'file',
source => "https://${webserver}/${domain}/${file}",
owner => 'root',
group => 'root',
mode => '0644',
notify => Exec["concat_${domain}_certs"],
}
}
}
create_resources(file, $files_to_create)
exec { "concat_${domain}_certs":
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
path => ['/bin', '/usr/bin'],
refreshonly => true,
require => [
File["${destination}/fullchain.pem"],
File["${destination}/privkey.pem"],
],
}
} else {
notify { 'Certificates are not yet ready on the generator server.': }
}
}
-9
View File
@@ -1,9 +0,0 @@
# certbot::haproxy
class certbot::haproxy {
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
service => 'be_letsencrypt',
ports => [8888],
options => []
}
}
-19
View File
@@ -1,19 +0,0 @@
# certbot::init
class certbot (
String $contact,
Array[Stdlib::Fqdn] $domains = [],
Stdlib::Absolutepath $data_root = '/var/www',
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'https',
Enum['puppet', 'vault'] $nginx_cert_type = 'puppet',
) {
include certbot::nginx
include certbot::selinux
include certbot::haproxy
include certbot::letsencrypt
}
-37
View File
@@ -1,37 +0,0 @@
# certbot::letsencrypt
class certbot::letsencrypt (
String $contact = $certbot::contact,
Array[Stdlib::Fqdn] $domains = $certbot::domains,
Stdlib::Absolutepath $data_root = $certbot::data_root,
) {
class { 'letsencrypt':
configure_epel => false,
package_ensure => 'latest',
email => $contact,
}
# set location_environment
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
# collect exported resources
Letsencrypt::Certonly <<| tag == $location_environment |>>
# statically defined certificate
$domains.each | $domain | {
certbot::cert {$domain:
domain => $domain,
require => Class['letsencrypt'],
}
}
systemd::timer { 'certbot-syncer.timer':
timer_content => epp('certbot/certbot-syncer.timer.epp'),
service_content => epp('certbot/certbot-syncer.service.epp', {
'data_root' => $data_root,
}),
active => true,
enable => true,
require => Class['letsencrypt'],
}
}
-91
View File
@@ -1,91 +0,0 @@
# certbot::nginx
class certbot::nginx (
Stdlib::Absolutepath $data_root = $certbot::data_root,
Stdlib::Fqdn $nginx_vhost = $certbot::nginx_vhost,
Array[Stdlib::Host] $nginx_aliases = $certbot::nginx_aliases,
Stdlib::Port $nginx_port = $certbot::nginx_port,
Stdlib::Port $nginx_ssl_port = $certbot::nginx_ssl_port,
Enum['http','https','both'] $nginx_listen_mode = $certbot::nginx_listen_mode,
Enum['puppet', 'vault'] $nginx_cert_type = $certbot::nginx_cert_type,
) {
# select the certificates to use based on cert type
case $nginx_cert_type {
'puppet': {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
# enum param prevents this ever being reached
}
}
# set variables based on the listen_mode
case $nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_ssl_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
'both': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
# enum param prevents this ever being reached
}
}
mkdir::p {"${data_root}/pub":}
# set the server_names
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
# define the default parameters for the nginx server
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
'www_root' => "${data_root}/pub",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
}
# merge the hashes conditionally
$nginx_parameters = merge($defaults, $extras_hash)
# manage the nginx class
include nginx
# create the nginx vhost with the merged parameters
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
}
-40
View File
@@ -1,40 +0,0 @@
# certbot::selinux
class certbot::selinux (
Stdlib::Absolutepath $data_root = $certbot::data_root,
) {
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
# set httpd_sys_content_t to all files under the www_root
selinux::fcontext { "${data_root}/pub":
ensure => 'present',
seltype => 'httpd_sys_content_t',
pathspec => "${data_root}/pub(/.*)?",
}
# make sure we can connect to other hosts
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
selboolean { 'rsync_client':
persistent => true,
value => 'on',
}
selboolean { 'rsync_export_all_ro':
persistent => true,
value => 'on',
}
selboolean { 'rsync_full_access':
persistent => true,
value => 'on',
}
exec { "restorecon_${data_root}/pub":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_root}/pub",
refreshonly => true,
subscribe => Selinux::Fcontext["${data_root}/pub"],
}
}
}
@@ -1,8 +0,0 @@
[Unit]
Description=certbot-syncer service
[Service]
Type=oneshot
ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
User=root
Group=root
@@ -1,9 +0,0 @@
[Unit]
Description=certbot-syncer timer
[Timer]
OnCalendar=hourly
Persistent=true
[Install]
WantedBy=timers.target
-24
View File
@@ -1,24 +0,0 @@
class droneci (
Hash $env_vars = {},
String $docker_image = 'drone/drone:2',
Array[String] $ports = [],
Array[String] $volumes = [],
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci',
) {
# Create the environment file from a template
file { $env_file:
ensure => file,
content => template('droneci/droneci_env.erb'),
mode => '0644',
}
# Define the systemd service for Drone CI
systemd::unit_file { 'droneci.service':
ensure => present,
content => template('droneci/droneci_service.erb'),
enable => true,
active => true,
subscribe => File[$env_file],
}
}
-24
View File
@@ -1,24 +0,0 @@
class droneci::runner (
Hash $env_vars = {},
String $docker_image = 'drone/drone-runner-docker:1',
Array[String] $ports = [],
Array[String] $volumes = [],
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci_runner',
) {
# Create the environment file from a template
file { $env_file:
ensure => file,
content => template('droneci/droneci_env.erb'),
mode => '0644',
}
# Define the systemd service for Drone CI runner
systemd::unit_file { 'droneci-runner.service':
ensure => present,
content => template('droneci/droneci_runner_service.erb'),
enable => true,
active => true,
subscribe => File[$env_file],
}
}
@@ -1,3 +0,0 @@
<% @env_vars.each do |key, value| -%>
<%= key.upcase %>=<%= value %>
<% end -%>
@@ -1,20 +0,0 @@
[Unit]
Description=Drone CI Runner
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/bin/docker run --rm \
--name=drone-runner \
<% @ports.each do |port| -%>
-p <%= port %> \
<% end -%>
<% @volumes.each do |volume| -%>
--mount <%= volume %> \
<% end -%>
--env-file <%= @env_file %> \
<%= @docker_image %>
Restart=always
[Install]
WantedBy=multi-user.target
@@ -1,20 +0,0 @@
[Unit]
Description=Drone CI Service
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/bin/docker run --rm \
--name=drone \
<% @ports.each do |port| -%>
-p <%= port %> \
<% end -%>
<% @volumes.each do |volume| -%>
--mount <%= volume %> \
<% end -%>
--env-file <%= @env_file %> \
<%= @docker_image %>
Restart=always
[Install]
WantedBy=multi-user.target
-155
View File
@@ -1,155 +0,0 @@
# configure glauth
class glauth::config (
Boolean $debug = $glauth::debug,
Boolean $syslog = $glauth::syslog,
Boolean $structuredlog = $glauth::structuredlog,
Boolean $watchconfig = $glauth::watchconfig,
Boolean $ldap_enabled = $glauth::ldap_enabled,
Stdlib::IP::Address $ldap_address = $glauth::ldap_address,
Stdlib::Port $ldap_port = $glauth::ldap_port,
Boolean $ldap_tls = $glauth::ldap_tls,
Stdlib::Absolutepath $ldap_tlscertpath = $glauth::ldap_tlscertpath,
Stdlib::Absolutepath $ldap_tlskeypath = $glauth::ldap_tlskeypath,
Boolean $ldaps_enabled = $glauth::ldaps_enabled,
Stdlib::IP::Address $ldaps_address = $glauth::ldaps_address,
Stdlib::Port $ldaps_port = $glauth::ldaps_port,
Stdlib::Absolutepath $ldaps_cert = $glauth::ldaps_cert,
Stdlib::Absolutepath $ldaps_key = $glauth::ldaps_key,
String $backend_datastore = $glauth::backend_datastore,
String $backend_basedn = $glauth::backend_basedn,
String $backend_nameformat = $glauth::backend_nameformat,
String $backend_groupformat = $glauth::backend_groupformat,
Boolean $backend_anonymousdse = $glauth::backend_anonymousdse,
String $backend_sshkeyattr = $glauth::backend_sshkeyattr,
Boolean $behaviors_ignorecapabilities = $glauth::behaviors_ignorecapabilities,
Boolean $behaviors_limitfailedbinds = $glauth::behaviors_limitfailedbinds,
Integer $behaviors_numberoffailedbinds = $glauth::behaviors_numberoffailedbinds,
Integer $behaviors_periodoffailedbinds = $glauth::behaviors_periodoffailedbinds,
Integer $behaviors_blockfailedbindsfor = $glauth::behaviors_blockfailedbindsfor,
Integer $behaviors_prunesourcetableevery = $glauth::behaviors_prunesourcetableevery,
Integer $behaviors_prunesourcesolderthan = $glauth::behaviors_prunesourcesolderthan,
Boolean $api_enabled = $glauth::api_enabled,
Boolean $api_internals = $glauth::api_internals,
Boolean $api_tls = $glauth::api_tls,
Stdlib::IP::Address $api_address = $glauth::api_address,
Stdlib::Port $api_port = $glauth::api_port,
Stdlib::Absolutepath $api_cert = $glauth::api_cert,
Stdlib::Absolutepath $api_key = $glauth::api_key,
String $user = $glauth::user,
String $group = $glauth::group,
Stdlib::Absolutepath $bin_dir = $glauth::bin_dir,
Stdlib::Absolutepath $bin_path = $glauth::bin_path,
Stdlib::Absolutepath $config_dir = $glauth::config_dir,
Stdlib::Absolutepath $config_path = $glauth::config_path,
Boolean $manage_defaults = $glauth::manage_defaults,
) {
mkdir::p {$config_dir:}
file { [ $config_dir ]:
ensure => directory,
owner => $user,
group => $group,
}
concat { $config_path:
owner => $user,
group => $group,
mode => '0644',
require => File[$config_dir],
}
if $manage_defaults {
Glauth::Obj::User {
config_path => $config_path,
}
Glauth::Obj::Service {
config_path => $config_path,
}
Glauth::Obj::Group {
config_path => $config_path,
}
}
concat::fragment { 'glauth_general':
target => $config_path,
content => epp('glauth/general.epp', {
'debug' => $debug,
'syslog' => $syslog,
'structuredlog' => $structuredlog,
'watchconfig' => $watchconfig,
}),
order => 10,
}
concat::fragment { 'glauth_ldap':
target => $config_path,
content => epp('glauth/ldap.epp', {
'ldap_enabled' => $ldap_enabled,
'ldap_address' => $ldap_address,
'ldap_port' => $ldap_port,
'ldap_tls' => $ldap_tls,
'ldap_tlscertpath' => $ldap_tlscertpath,
'ldap_tlskeypath' => $ldap_tlskeypath,
}),
order => 20,
}
concat::fragment { 'glauth_ldaps':
target => $config_path,
content => epp('glauth/ldaps.epp', {
'ldaps_enabled' => $ldaps_enabled,
'ldaps_address' => $ldaps_address,
'ldaps_port' => $ldaps_port,
'ldaps_cert' => $ldaps_cert,
'ldaps_key' => $ldaps_key,
}),
order => 30,
}
concat::fragment { 'glauth_backend':
target => $config_path,
content => epp('glauth/backend.epp', {
'backend_datastore' => $backend_datastore,
'backend_basedn' => $backend_basedn,
'backend_nameformat' => $backend_nameformat,
'backend_groupformat' => $backend_groupformat,
'backend_anonymousdse' => $backend_anonymousdse,
'backend_sshkeyattr' => $backend_sshkeyattr,
}),
order => 40,
}
concat::fragment { 'glauth_behaviors':
target => $config_path,
content => epp('glauth/behaviors.epp', {
'ignorecapabilities' => $behaviors_ignorecapabilities,
'limitfailedbinds' => $behaviors_limitfailedbinds,
'numberoffailedbinds' => $behaviors_numberoffailedbinds,
'periodoffailedbinds' => $behaviors_periodoffailedbinds,
'blockfailedbindsfor' => $behaviors_blockfailedbindsfor,
'prunesourcetableevery' => $behaviors_prunesourcetableevery,
'prunesourcesolderthan' => $behaviors_prunesourcesolderthan,
}),
order => 50,
}
concat::fragment { 'glauth_api':
target => $config_path,
content => epp('glauth/api.epp', {
'api_enabled' => $api_enabled,
'api_internals' => $api_internals,
'api_tls' => $api_tls,
'api_address' => $api_address,
'api_port' => $api_port,
'api_cert' => $api_cert,
'api_key' => $api_key,
}),
order => 60,
}
}
-64
View File
@@ -1,64 +0,0 @@
# glauth inititalisation class
class glauth (
Boolean $debug = $glauth::params::debug,
Boolean $syslog = $glauth::params::syslog,
Boolean $structuredlog = $glauth::params::structuredlog,
Boolean $watchconfig = $glauth::params::watchconfig,
Array $packages = $glauth::params::packages,
Boolean $ldap_enabled = $glauth::params::ldap_enabled,
Stdlib::IP::Address $ldap_address = $glauth::params::ldap_address,
Stdlib::Port $ldap_port = $glauth::params::ldap_port,
Boolean $ldap_tls = $glauth::params::ldap_tls,
Stdlib::Absolutepath $ldap_tlscertpath = $glauth::params::ldap_tlscertpath,
Stdlib::Absolutepath $ldap_tlskeypath = $glauth::params::ldap_tlskeypath,
Boolean $ldaps_enabled = $glauth::params::ldaps_enabled,
Stdlib::IP::Address $ldaps_address = $glauth::params::ldaps_address,
Stdlib::Port $ldaps_port = $glauth::params::ldaps_port,
Stdlib::Absolutepath $ldaps_cert = $glauth::params::ldaps_cert,
Stdlib::Absolutepath $ldaps_key = $glauth::params::ldaps_key,
String $backend_datastore = $glauth::params::backend_datastore,
String $backend_basedn = $glauth::params::backend_basedn,
String $backend_nameformat = $glauth::params::backend_nameformat,
String $backend_groupformat = $glauth::params::backend_groupformat,
Boolean $backend_anonymousdse = $glauth::params::backend_anonymousdse,
String $backend_sshkeyattr = $glauth::params::backend_sshkeyattr,
Boolean $behaviors_ignorecapabilities = $glauth::params::behaviors_ignorecapabilities,
Boolean $behaviors_limitfailedbinds = $glauth::params::behaviors_limitfailedbinds,
Integer $behaviors_numberoffailedbinds = $glauth::params::behaviors_numberoffailedbinds,
Integer $behaviors_periodoffailedbinds = $glauth::params::behaviors_periodoffailedbinds,
Integer $behaviors_blockfailedbindsfor = $glauth::params::behaviors_blockfailedbindsfor,
Integer $behaviors_prunesourcetableevery = $glauth::params::behaviors_prunesourcetableevery,
Integer $behaviors_prunesourcesolderthan = $glauth::params::behaviors_prunesourcesolderthan,
Boolean $api_enabled = $glauth::params::api_enabled,
Boolean $api_internals = $glauth::params::api_internals,
Boolean $api_tls = $glauth::params::api_tls,
Stdlib::IP::Address $api_address = $glauth::params::api_address,
Stdlib::Port $api_port = $glauth::params::api_port,
Stdlib::Absolutepath $api_cert = $glauth::params::api_cert,
Stdlib::Absolutepath $api_key = $glauth::params::api_key,
String $user = $glauth::params::user,
String $group = $glauth::params::group,
Stdlib::Absolutepath $bin_dir = $glauth::params::bin_dir,
Stdlib::Absolutepath $bin_path = $glauth::params::bin_path,
Stdlib::Absolutepath $config_dir = $glauth::params::config_dir,
Stdlib::Absolutepath $config_path = $glauth::params::config_path,
Boolean $service_enable = $glauth::params::service_enable,
String $service_name = $glauth::params::service_name,
String $download_version = $glauth::params::download_version,
String $download_url = $glauth::params::download_url,
Boolean $manage_defaults = $glauth::params::manage_defaults,
) inherits glauth::params {
include glauth::install
include glauth::config
include glauth::service
Class['glauth::install'] -> Class['glauth::config'] -> Class['glauth::service']
}
-45
View File
@@ -1,45 +0,0 @@
# install the glauth directories and binary
class glauth::install (
String $user = $glauth::user,
String $group = $glauth::group,
Stdlib::Absolutepath $bin_dir = $glauth::bin_dir,
Stdlib::Absolutepath $bin_path = $glauth::bin_path,
Stdlib::Absolutepath $config_dir = $glauth::config_path,
Stdlib::Absolutepath $config_path = $glauth::config_path,
String $download_url = $glauth::download_url,
Array $packages = $glauth::packages,
){
user { $user:
ensure => present,
system => true,
gid => $group,
require => Group[$group],
}
group { $group:
ensure => present,
system => true,
}
ensure_resources('package', $packages => {ensure => 'present'})
archive { 'glauth':
ensure => present,
url => $download_url,
extract => false,
path => $bin_path,
creates => $bin_path,
cleanup => false,
extract_path => $bin_dir,
user => 'root',
group => 'root',
}
file{ $bin_path:
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
require => Archive['glauth'],
}
}
-17
View File
@@ -1,17 +0,0 @@
# define a group object
define glauth::obj::group (
String $group_name,
Integer $gidnumber,
Stdlib::Absolutepath $config_path,
Optional[Array[Integer]] $includegroups = [],
) {
concat::fragment { "glauth_group_${group_name}":
target => $config_path,
content => epp('glauth/obj/group.epp', {
'name' => $group_name,
'gidnumber' => $gidnumber,
'includegroups' => $includegroups,
}),
order => '90',
}
}
-27
View File
@@ -1,27 +0,0 @@
# define a service object
define glauth::obj::service (
String $service_name,
String $mail,
Integer $uidnumber,
Integer $primarygroup,
String $passsha256,
Stdlib::Absolutepath $config_path,
Optional[Array[Integer]] $othergroups = [],
) {
$formatted_othergroups = $othergroups.empty ? {
true => '[]',
false => "[${othergroups.join(', ')}]",
}
concat::fragment { "glauth_service_${service_name}":
target => $config_path,
content => epp('glauth/obj/service.epp', {
'name' => $service_name,
'mail' => $mail,
'uidnumber' => $uidnumber,
'primarygroup' => $primarygroup,
'passsha256' => $passsha256,
'othergroups' => $formatted_othergroups,
}),
order => '80',
}
}
-26
View File
@@ -1,26 +0,0 @@
# define a user object
define glauth::obj::user (
String $user_name,
String $mail,
Integer $uidnumber,
Integer $primarygroup,
String $passsha256,
Stdlib::Absolutepath $config_path,
String $givenname = '',
String $sn = '',
String $loginshell = '',
String $homedir = '',
Optional[Array[String]] $sshkeys = [],
Optional[Array[String]] $passappsha256 = [],
Optional[Array[Integer]] $othergroups = [],
) {
$formatted_othergroups = $othergroups.empty ? {
true => '[]',
false => "[${othergroups.join(', ')}]",
}
concat::fragment { "glauth_user_${user_name}":
target => $config_path,
content => template('glauth/obj/user.erb'),
order => '70',
}
}
-58
View File
@@ -1,58 +0,0 @@
# params class for glauth
class glauth::params (
Boolean $debug = true,
Boolean $syslog = true,
Boolean $structuredlog = true,
Boolean $watchconfig = true,
Array $packages = [
'openldap-clients',
],
Boolean $ldap_enabled = true,
Stdlib::IP::Address $ldap_address = '0.0.0.0',
Stdlib::Port $ldap_port = 389,
Boolean $ldap_tls = false,
Stdlib::Absolutepath $ldap_tlscertpath = '/etc/glauth/glauth.crt',
Stdlib::Absolutepath $ldap_tlskeypath = '/etc/glauth/glauth.key',
Boolean $ldaps_enabled = false,
Stdlib::IP::Address $ldaps_address = '0.0.0.0',
Stdlib::Port $ldaps_port = 636,
Stdlib::Absolutepath $ldaps_cert = '/etc/glauth/glauth.crt',
Stdlib::Absolutepath $ldaps_key = '/etc/glauth/glauth.key',
String $backend_datastore = 'config',
String $backend_basedn = 'dc=main,dc=unkin,dc=net',
String $backend_nameformat = 'cn',
String $backend_groupformat = 'ou',
Boolean $backend_anonymousdse = true,
String $backend_sshkeyattr = 'sshPublicKey',
Boolean $behaviors_ignorecapabilities = true,
Boolean $behaviors_limitfailedbinds = true,
Integer $behaviors_numberoffailedbinds = 3,
Integer $behaviors_periodoffailedbinds = 10,
Integer $behaviors_blockfailedbindsfor = 60,
Integer $behaviors_prunesourcetableevery = 600,
Integer $behaviors_prunesourcesolderthan = 600,
Boolean $api_enabled = true,
Boolean $api_internals = true,
Boolean $api_tls = true,
Stdlib::IP::Address $api_address = '0.0.0.0',
Stdlib::Port $api_port = 5555,
Stdlib::Absolutepath $api_cert = '/etc/glauth/cert.pem',
Stdlib::Absolutepath $api_key = '/etc/glauth/key.pem',
String $user = 'glauth',
String $group = 'glauth',
Stdlib::Absolutepath $bin_dir = '/usr/local/bin',
Stdlib::Absolutepath $bin_path = "${bin_dir}/glauth",
Stdlib::Absolutepath $config_dir = '/etc/glauth',
Stdlib::Absolutepath $config_path = "${config_dir}/glauth.conf",
Boolean $service_enable = true,
String $service_name = 'glauth',
String $download_version = '2.3.2',
String $download_url = "https://git.query.consul/api/packages/unkinben/generic/glauth/${download_version}/glauth-linux-amd64",
Boolean $manage_defaults = true,
){}
-30
View File
@@ -1,30 +0,0 @@
# manage the glauth service/socket
class glauth::service (
$service_enable = $glauth::service_enable,
$service_name = $glauth::service_name,
$user = $glauth::user,
$group = $glauth::group,
$config_path = $glauth::config_path,
$bin_path = $glauth::bin_path,
$ldap_port = $glauth::ldap_port,
$ldaps_port = $glauth::ldaps_port,
$api_port = $glauth::api_port,
){
if $service_enable {
include ::systemd
systemd::unit_file { "${service_name}.service":
content => epp('glauth/systemd.service.epp', {
'bin_path' => $bin_path,
'config_path' => $config_path,
'user' => $user,
'group' => $group,
'service_name' => $service_name,
}),
enable => true,
active => true,
subscribe => Concat[$config_path],
# should also subscribe to tls certs
}
}
}
-10
View File
@@ -1,10 +0,0 @@
#################
# API configuration.
[api]
enabled = <%= $api_enabled %>
internals = <%= $api_internals %>
tls = <%= $api_tls %>
listen = "<%= $api_address %>:<%= $api_port %>"
cert = "<%= $api_cert %>"
key = "<%= $api_key %>"
-10
View File
@@ -1,10 +0,0 @@
#################
# The backend section controls the data store.
[backend]
datastore = "<%= $backend_datastore %>"
baseDN = "<%= $backend_basedn %>"
nameformat = "<%= $backend_nameformat %>"
groupformat = "<%= $backend_groupformat %>"
anonymousdse = <%= $backend_anonymousdse %>
sshkeyattr = "<%= $backend_sshkeyattr %>"
-11
View File
@@ -1,11 +0,0 @@
#################
# Behaviors configuration.
[behaviors]
IgnoreCapabilities = <%= $ignorecapabilities %>
LimitFailedBinds = <%= $limitfailedbinds %>
NumberOfFailedBinds = <%= $numberoffailedbinds %>
PeriodOfFailedBinds = <%= $periodoffailedbinds %>
BlockFailedBindsFor = <%= $blockfailedbindsfor %>
PruneSourceTableEvery = <%= $prunesourcetableevery %>
PruneSourcesOlderThan = <%= $prunesourcesolderthan %>
-7
View File
@@ -1,7 +0,0 @@
#################
# General configuration.
debug = <%= $debug %>
syslog = <%= $syslog %>
structuredlog = <%= $structuredlog %>
watchconfig = <%= $watchconfig %>
-9
View File
@@ -1,9 +0,0 @@
#################
# Server configuration.
[ldap]
enabled = <%= $ldap_enabled %>
listen = "<%= $ldap_address %>:<%= $ldap_port %>"
tls = <%= $ldap_tls %>
tlsCertPath = "<%= $ldap_tlscertpath %>"
tlsKeyPath = "<%= $ldap_tlskeypath %>"
-8
View File
@@ -1,8 +0,0 @@
#################
# Server configuration.
[ldaps]
enabled = <%= $ldaps_enabled %>
listen = "<%= $ldaps_address %>:<%= $ldaps_port %>"
cert = "<%= $ldaps_cert %>"
key = "<%= $ldaps_key %>"
-5
View File
@@ -1,5 +0,0 @@
[[groups]]
name = "<%= $name %>"
gidnumber = <%= $gidnumber %>
<% if $includegroups.length > 0 { %>includegroups = [<%= $includegroups.join(', ') %>]<% } %>
-8
View File
@@ -1,8 +0,0 @@
[[users]]
name = "<%= $name %>"
mail = "<%= $mail %>"
uidnumber = <%= $uidnumber %>
primarygroup = <%= $primarygroup %>
passsha256 = "<%= $passsha256 %>"
othergroups = <%= $othergroups %>
-26
View File
@@ -1,26 +0,0 @@
[[users]]
name = "<%= @user_name %>"
<% if @givenname != '' -%>
givenname = "<%= @givenname %>"
<% end -%>
<% if @sn != '' -%>
sn = "<%= @sn %>"
<% end -%>
mail = "<%= @mail %>"
uidnumber = <%= @uidnumber %>
primarygroup = <%= @primarygroup %>
<% if @loginshell != '' -%>
loginShell = "<%= @loginshell %>"
<% end -%>
<% if @homedir != '' -%>
homeDir = "<%= @homedir %>"
<% end -%>
passsha256 = "<%= @passsha256 %>"
<% if @sshkeys.length > 0 -%>
sshkeys = [<%= @sshkeys.map { |key| "\"#{key}\"" }.join(', ') %>]
<% end -%>
<% if @passappsha256.length > 0 -%>
passappsha256 = [<%= @passappsha256.map { |pass| "\"#{pass}\"" }.join(', ') %>]
<% end -%>
othergroups = <%= @formatted_othergroups %>
@@ -1,14 +0,0 @@
[Unit]
Description=GLAuth Service
After=network.target
[Service]
User=<%= $user %>
Group=<%= $group %>
ExecStart=<%= $bin_path %> -c <%= $config_path %>
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
Also=<%= $service_name %>.socket
@@ -1,11 +0,0 @@
[Unit]
Description=GLAuth Socket
[Socket]
ListenStream=<%= $ldap_port %>
ListenStream=<%= $ldaps_port %>
ListenStream=<%= $api_port %>
NoDelay=true
[Install]
WantedBy=sockets.target
-11
View File
@@ -1,11 +0,0 @@
# manage jellyfin
class jellyfin (
$packages = $jellyfin::params::packages,
$service_enable = $jellyfin::params::service_enable,
) inherits jellyfin::params {
include jellyfin::install
include jellyfin::service
Class['jellyfin::install'] -> Class['jellyfin::service']
}

Some files were not shown because too many files have changed in this diff Show More