Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 2924b7ad6f | |||
| e6f243ef60 | |||
| 856a3901ac |
+5
-6
@@ -18,7 +18,7 @@ mod 'puppetlabs-xinetd', '3.4.1'
|
||||
mod 'puppetlabs-haproxy', '8.0.0'
|
||||
mod 'puppetlabs-java', '10.1.2'
|
||||
mod 'puppetlabs-reboot', '5.0.0'
|
||||
mod 'puppetlabs-docker', '10.0.1'
|
||||
mod 'puppetlabs-augeas_core', '1.5.0'
|
||||
|
||||
# puppet
|
||||
mod 'puppet-python', '7.0.0'
|
||||
@@ -34,14 +34,14 @@ mod 'puppet-grafana', '13.1.0'
|
||||
mod 'puppet-consul', '8.0.0'
|
||||
mod 'puppet-vault', '4.1.0'
|
||||
mod 'puppet-dhcp', '6.1.0'
|
||||
mod 'puppet-keepalived', '5.1.0'
|
||||
mod 'puppet-keepalived', '3.6.0'
|
||||
mod 'puppet-extlib', '7.0.0'
|
||||
mod 'puppet-network', '2.2.0'
|
||||
mod 'puppet-kmod', '4.0.1'
|
||||
mod 'puppet-filemapper', '4.0.0'
|
||||
mod 'puppet-letsencrypt', '11.0.0'
|
||||
mod 'puppet-rundeck', '9.1.0'
|
||||
mod 'puppet-redis', '11.0.0'
|
||||
mod 'puppet-openldap', '8.0.0'
|
||||
mod 'puppet-augeasproviders_shellvar', '6.0.1'
|
||||
mod 'puppet-augeasproviders_core', '4.1.0'
|
||||
|
||||
# other
|
||||
mod 'ghoneycutt-puppet', '3.3.0'
|
||||
@@ -55,7 +55,6 @@ mod 'broadinstitute-certs', '3.0.1'
|
||||
mod 'stm-file_capability', '6.0.0'
|
||||
mod 'h0tw1r3-gitea', '3.2.0'
|
||||
mod 'rehan-mkdir', '2.0.0'
|
||||
mod 'tailoredautomation-patroni', '2.0.0'
|
||||
|
||||
mod 'bind',
|
||||
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||
|
||||
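Review bot: The git-sourced module in the `@@ -55,7 +55,6 @@` hunk, `mod 'bind',` with `:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git'`, shows no `:ref`, `:tag` or `:commit` pin, so each r10k/librarian run tracks whatever the repository's default branch currently points at; if a pin was not merely cut from the rendered page, add one, e.g. `:ref => 'TAG_OR_COMMIT_PLACEHOLDER'`. Every other entry in this Puppetfile is pinned to an exact Forge version, which makes this the single mutable supply-chain input in the file. The two `puppet-keepalived` lines (`5.1.0` and `3.6.0`) are the old and new value of one entry, but the page does not show which direction the change goes.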
+61
-81
@@ -3,10 +3,16 @@ lookup_options:
|
||||
hiera_classes:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::include:
|
||||
profiles::packages::install:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::exclude:
|
||||
profiles::packages::install_exclude:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::remove:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::packages::remove_exclude:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::pki::vault::alt_names:
|
||||
@@ -123,18 +129,6 @@ lookup_options:
|
||||
profiles::ceph::client::keyrings:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
merge:
|
||||
strategy: deep
|
||||
certbot::client::domains:
|
||||
merge:
|
||||
strategy: deep
|
||||
keepalived::vrrp_script:
|
||||
merge:
|
||||
strategy: deep
|
||||
keepalived::vrrp_instance:
|
||||
merge:
|
||||
strategy: deep
|
||||
|
||||
facts_path: '/opt/puppetlabs/facter/facts.d'
|
||||
|
||||
@@ -142,7 +136,6 @@ hiera_include:
|
||||
- timezone
|
||||
- networking
|
||||
- ssh::server
|
||||
- profiles::accounts::rundeck
|
||||
|
||||
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
||||
profiles::ntp::client::use_ntp: 'region'
|
||||
@@ -173,70 +166,59 @@ profiles::consul::client::node_rules:
|
||||
segment: ''
|
||||
disposition: read
|
||||
|
||||
profiles::packages::include:
|
||||
bash-completion: {}
|
||||
bzip2: {}
|
||||
ccze: {}
|
||||
curl: {}
|
||||
dstat: {}
|
||||
expect: {}
|
||||
gzip: {}
|
||||
git: {}
|
||||
htop: {}
|
||||
inotify-tools: {}
|
||||
iotop: {}
|
||||
jq: {}
|
||||
lz4: {}
|
||||
mtr: {}
|
||||
ncdu: {}
|
||||
neovim: {}
|
||||
p7zip: {}
|
||||
pbzip2: {}
|
||||
pigz: {}
|
||||
pv: {}
|
||||
python3.11: {}
|
||||
rsync: {}
|
||||
screen: {}
|
||||
socat: {}
|
||||
strace: {}
|
||||
sysstat: {}
|
||||
tar: {}
|
||||
tmux: {}
|
||||
traceroute: {}
|
||||
unzip: {}
|
||||
vim: {}
|
||||
vnstat: {}
|
||||
wget: {}
|
||||
zsh: {}
|
||||
zstd: {}
|
||||
iwl100-firmware:
|
||||
ensure: absent
|
||||
iwl1000-firmware:
|
||||
ensure: absent
|
||||
iwl105-firmware:
|
||||
ensure: absent
|
||||
iwl135-firmware:
|
||||
ensure: absent
|
||||
iwl2000-firmware:
|
||||
ensure: absent
|
||||
iwl2030-firmware:
|
||||
ensure: absent
|
||||
iwl3160-firmware:
|
||||
ensure: absent
|
||||
iwl5000-firmware:
|
||||
ensure: absent
|
||||
iwl5150-firmware:
|
||||
ensure: absent
|
||||
iwl6000-firmware:
|
||||
ensure: absent
|
||||
iwl6000g2a-firmware:
|
||||
ensure: absent
|
||||
iwl6050-firmware:
|
||||
ensure: absent
|
||||
iwl7260-firmware:
|
||||
ensure: absent
|
||||
puppet7-release:
|
||||
ensure: absent
|
||||
profiles::packages::install:
|
||||
- bash-completion
|
||||
- bzip2
|
||||
- ccze
|
||||
- curl
|
||||
- dstat
|
||||
- expect
|
||||
- gcc
|
||||
- gzip
|
||||
- git
|
||||
- htop
|
||||
- inotify-tools
|
||||
- iotop
|
||||
- jq
|
||||
- lz4
|
||||
- mtr
|
||||
- ncdu
|
||||
- neovim
|
||||
- p7zip
|
||||
- pbzip2
|
||||
- pigz
|
||||
- pv
|
||||
- python3.11
|
||||
- rsync
|
||||
- screen
|
||||
- socat
|
||||
- strace
|
||||
- sysstat
|
||||
- tar
|
||||
- tmux
|
||||
- traceroute
|
||||
- unzip
|
||||
- vim
|
||||
- vnstat
|
||||
- wget
|
||||
- zsh
|
||||
- zstd
|
||||
|
||||
profiles::packages::remove:
|
||||
- iwl100-firmware
|
||||
- iwl1000-firmware
|
||||
- iwl105-firmware
|
||||
- iwl135-firmware
|
||||
- iwl2000-firmware
|
||||
- iwl2030-firmware
|
||||
- iwl3160-firmware
|
||||
- iwl5000-firmware
|
||||
- iwl5150-firmware
|
||||
- iwl6000-firmware
|
||||
- iwl6000g2a-firmware
|
||||
- iwl6050-firmware
|
||||
- iwl7260-firmware
|
||||
- puppet7-release
|
||||
|
||||
profiles::base::scripts::scripts:
|
||||
puppet: puppetwrapper.py
|
||||
@@ -305,8 +287,6 @@ sudo::configs:
|
||||
|
||||
profiles::accounts::sysadmin::sshkeys:
|
||||
- ssh-rsa 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 ben@unkin.net
|
||||
profiles::accounts::rundeck::sshkeys:
|
||||
- ssh-rsa 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 rundeck_runner
|
||||
|
||||
networking::interface_defaults:
|
||||
ensure: present
|
||||
|
||||
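Review bot: The new `profiles::packages::install` list in the `@@ -173,70 +166,59 @@` hunk carries `- gcc`, but the old `profiles::packages::include` map printed just above it has no `gcc: {}` entry, so what reads as a pure rename of the key also puts a compiler on every node that receives this common layer. If that is intended, a short comment on the line saying why (`# gcc: needed by <role> builds`) would save the next reader the same comparison; otherwise keep the list a one-to-one copy of the old map and add `gcc` in the hiera layer of the roles that actually build software, since a toolchain on every host is exactly the footprint baseline-hardening guides ask to trim. The firmware entries move cleanly from `ensure: absent` to `profiles::packages::remove`, so the rest of the refactor looks faithful.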
@@ -1,3 +1,2 @@
|
||||
---
|
||||
timezone::timezone: 'Australia/Sydney'
|
||||
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
|
||||
|
||||
@@ -1,31 +1,4 @@
|
||||
---
|
||||
hiera_include:
|
||||
- keepalived
|
||||
|
||||
# keepalived
|
||||
profiles::haproxy::dns::vrrp_ipaddr: '198.18.13.250'
|
||||
profiles::haproxy::dns::vrrp_cnames:
|
||||
- sonarr.main.unkin.net
|
||||
- radarr.main.unkin.net
|
||||
- lidarr.main.unkin.net
|
||||
- readarr.main.unkin.net
|
||||
- prowlarr.main.unkin.net
|
||||
- nzbget.main.unkin.net
|
||||
|
||||
keepalived::vrrp_script:
|
||||
check_haproxy:
|
||||
script: '/usr/bin/killall -0 haproxy'
|
||||
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
interface: 'eth0'
|
||||
virtual_router_id: 250
|
||||
auth_type: 'PASS'
|
||||
auth_pass: 'quiiK7oo'
|
||||
virtual_ipaddress: '198.18.13.250/32'
|
||||
track_script:
|
||||
- check_haproxy
|
||||
|
||||
# mappings
|
||||
profiles::haproxy::mappings:
|
||||
fe_http:
|
||||
@@ -38,9 +11,6 @@ profiles::haproxy::mappings:
|
||||
- 'lidarr.main.unkin.net be_lidarr'
|
||||
- 'readarr.main.unkin.net be_readarr'
|
||||
- 'prowlarr.main.unkin.net be_prowlarr'
|
||||
- 'nzbget.main.unkin.net be_nzbget'
|
||||
- 'jellyfin.main.unkin.net be_jellyfin'
|
||||
- 'fafflix.unkin.net be_jellyfin'
|
||||
fe_https:
|
||||
ensure: present
|
||||
mappings:
|
||||
@@ -51,9 +21,6 @@ profiles::haproxy::mappings:
|
||||
- 'lidarr.main.unkin.net be_lidarr'
|
||||
- 'readarr.main.unkin.net be_readarr'
|
||||
- 'prowlarr.main.unkin.net be_prowlarr'
|
||||
- 'nzbget.main.unkin.net be_nzbget'
|
||||
- 'jellyfin.main.unkin.net be_jellyfin'
|
||||
- 'fafflix.unkin.net be_jellyfin'
|
||||
|
||||
profiles::haproxy::frontends:
|
||||
fe_http:
|
||||
@@ -63,15 +30,7 @@ profiles::haproxy::frontends:
|
||||
fe_https:
|
||||
options:
|
||||
acl:
|
||||
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
|
||||
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
|
||||
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
|
||||
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
|
||||
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
|
||||
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
|
||||
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
|
||||
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
|
||||
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
|
||||
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
|
||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||
use_backend:
|
||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||
@@ -79,14 +38,6 @@ profiles::haproxy::frontends:
|
||||
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
|
||||
http-response:
|
||||
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
|
||||
- 'set-header X-Frame-Options DENY if acl_sonarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_radarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_lidarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_readarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_prowlarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_nzbget'
|
||||
- 'set-header X-Frame-Options DENY if acl_jellyfin'
|
||||
- 'set-header X-Frame-Options DENY if acl_fafflix'
|
||||
- 'set-header X-Content-Type-Options nosniff'
|
||||
- 'set-header X-XSS-Protection 1;mode=block'
|
||||
|
||||
@@ -128,7 +79,7 @@ profiles::haproxy::backends:
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
@@ -144,7 +95,7 @@ profiles::haproxy::backends:
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
@@ -160,7 +111,7 @@ profiles::haproxy::backends:
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
@@ -176,7 +127,7 @@ profiles::haproxy::backends:
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
@@ -189,38 +140,6 @@ profiles::haproxy::backends:
|
||||
be_prowlarr:
|
||||
description: Backend for au-syd1 prowlarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_nzbget:
|
||||
description: Backend for au-syd1 nzbget
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_jellyfin:
|
||||
description: Backend for au-syd1 jellyfin
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
@@ -237,30 +156,10 @@ profiles::haproxy::backends:
|
||||
|
||||
profiles::haproxy::certlist::enabled: true
|
||||
profiles::haproxy::certlist::certificates:
|
||||
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/vault/certificate.pem
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
- jellyfin.main.unkin.net
|
||||
|
||||
# additional cnames
|
||||
profiles::haproxy::dns::cnames:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
|
||||
# letsencrypt certificates
|
||||
certbot::client::domains:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
- sonarr.main.unkin.net
|
||||
@@ -268,5 +167,8 @@ certbot::client::domains:
|
||||
- lidarr.main.unkin.net
|
||||
- readarr.main.unkin.net
|
||||
- prowlarr.main.unkin.net
|
||||
- nzbget.main.unkin.net
|
||||
- fafflix.unkin.net
|
||||
|
||||
# additional cnames
|
||||
profiles::haproxy::dns::cnames:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
|
||||
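Review bot: In the `@@ -63,15 +30,7 @@` hunk the counts (16 lines printed for 15 old / 7 new) leave exactly one added line, and by print order that is `- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'`, apparently replacing `- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'`. A Host header never carries a scheme, so an ACL whose pattern starts with `https://` can never match, and every rule keyed on `acl_ausyd1pve` — in particular `set-header X-Frame-Options DENY if acl_ausyd1pve` in the `@@ -79,14 +38,6 @@` hunk — silently stops applying to the `au-syd1-pve` vhost. If that reading of the sides is right, the pattern should remain `-i au-syd1-pve.main.unkin.net`; the `deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets` rule is unaffected because it inspects the header directly rather than the ACL.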
@@ -1,3 +1,2 @@
|
||||
---
|
||||
mysql::db::grafana::pass: ENC[PKCS7,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]
|
||||
mysql::db::rundeck::pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcWmZuTro0DNX8X/6DCJdmxm85hawng2cjSm/M26/sAzlr7i3XLIjg5TQc3BpeiKWZvQ2XZWygOEcW7g0bHH7FBS6XTXswDiLCf7ssd0DYL+eQbh4p6VijBKObug33fp4+YJaqGV7YRUNqBjXQv/SSmxFqbNaRahUqwbMidJCyjGNmfCfbSd9WxI4/8j0L38rjXR3/i+/xzgVIhgz/qymmw0rky6jN14YrwRIkdW6loMFzVd12tqdX9kh7UBdE7j58ntQgJSilQn2pLmQs6dgcXSOeIi8Sln4R0MfAtOQ1c6LoKMUdb7k8xEszpGbhX7sw51kpwvnL1LS6PQ+T8T9wDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDm1sAUc6LFtslrIuwk1JlJgDAngDM/0g4dpgyNOZDsvAU8OualEL6HZ2RFGfibteUc11wZzHkdFZlvHz2JZdO7Huo=]
|
||||
|
||||
@@ -13,12 +13,3 @@ mysql::db:
|
||||
- INSERT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
rundeck:
|
||||
name: rundeck
|
||||
user: rundeck
|
||||
password: "%{alias('mysql::db::rundeck::pass')}"
|
||||
grant:
|
||||
- SELECT
|
||||
- INSERT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
|
||||
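Review bot: Dropping the `rundeck:` entry from `mysql::db:` in the `@@ -13,12 +13,3 @@` hunk stops Puppet managing that database, but if the profile feeds this hash to `mysql::db` resources as the surviving `grant:` keys suggest, nothing on the server removes the `rundeck` user, its SELECT/INSERT/UPDATE/DELETE grants or the database itself — the credential whose ciphertext leaves hiera in the `@@ -1,3 +1,2 @@` hunk keeps working until someone drops it by hand. Either decommission the user and database on the MySQL host as part of this change, or, if the profile passes the parameter through, keep the entry for one run with `ensure: absent` so Puppet does the cleanup and the unmanaged account does not linger.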
@@ -5,9 +5,3 @@ networking::interfaces:
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
|
||||
profiles::haproxy::dns::vrrp_master: true
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
state: 'MASTER'
|
||||
priority: 101
|
||||
|
||||
@@ -5,8 +5,3 @@ networking::interfaces:
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
|
||||
keepalived::vrrp_instance:
|
||||
VI_250:
|
||||
state: 'BACKUP'
|
||||
priority: 100
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.58
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.58
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.59
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.60
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.61
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.62
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.63
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.64
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.65
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.66
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.67
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.68
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.69
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -8,12 +8,12 @@ profiles::puppet::agent::puppet_version: '7.26.0'
|
||||
hiera_include:
|
||||
- profiles::almalinux::base
|
||||
|
||||
profiles::packages::include:
|
||||
lzo: {}
|
||||
network-scripts: {}
|
||||
policycoreutils: {}
|
||||
unar: {}
|
||||
xz: {}
|
||||
profiles::packages::install:
|
||||
- lzo
|
||||
- network-scripts
|
||||
- policycoreutils
|
||||
- unar
|
||||
- xz
|
||||
|
||||
lm-sensors::package: lm_sensors
|
||||
|
||||
@@ -73,5 +73,4 @@ profiles::yum::global::repos:
|
||||
target: /etc/yum.repos.d/unkin.repo
|
||||
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
|
||||
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
|
||||
gpgcheck: false
|
||||
mirrorlist: absent
|
||||
|
||||
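Review bot: The `@@ -73,5 +73,4 @@` hunk removes one line from the `unkin` repo definition, and the page does not show whether it is `gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key` or `gpgcheck: false`. If `gpgcheck: false` is what goes, the surviving `gpgkey:` only takes effect once the check is on, so set `gpgcheck: true` explicitly rather than relying on the yum global default; if `gpgkey:` is what goes while `gpgcheck: false` stays, RPMs from the internal repo install with no signature verification at all. Whichever it is, the end state worth pinning in the file is `gpgcheck: true` together with the key URL.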
@@ -1,15 +1,15 @@
|
||||
# hieradata/os/debian/all_releases.yaml
|
||||
---
|
||||
profiles::apt::base::mirrorurl: http://edgecache.query.consul/debian/
|
||||
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
|
||||
profiles::apt::base::secureurl: http://security.debian.org/debian-security
|
||||
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
|
||||
profiles::apt::puppet7::repo: puppet7
|
||||
profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
|
||||
|
||||
profiles::packages::include:
|
||||
lzop: {}
|
||||
python3.11-venv: {}
|
||||
xz-utils: {}
|
||||
profiles::packages::install:
|
||||
- lzop
|
||||
- python3.11-venv
|
||||
- xz-utils
|
||||
|
||||
lm-sensors::package: lm-sensors
|
||||
networking::nwmgr_dns_none: false
|
||||
|
||||
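Review bot: `profiles::apt::base::mirrorurl` moves from `http://` to `https://edgecache.query.consul/debian/`, but the two sibling lines in the same hunk, `profiles::apt::base::secureurl: http://security.debian.org/debian-security` and `profiles::apt::puppet7::mirror: http://apt.puppetlabs.com`, stay on plain HTTP. APT's signature check still covers package integrity, so this is not a tampering hole, but security-update and agent-package fetches remain observable and downgradable to stale metadata in transit; both upstreams serve HTTPS and current Debian releases speak it natively, so `https://security.debian.org/debian-security` and `https://apt.puppetlabs.com` would make the file consistent with the change being made.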
@@ -1,7 +1,4 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
profiles::yum::global::repos:
|
||||
ceph-reef:
|
||||
name: ceph-reef
|
||||
@@ -21,81 +18,3 @@ profiles::base::groups::local:
|
||||
gid: 20000
|
||||
allowdupe: false
|
||||
forcelocal: true
|
||||
|
||||
ldap_host: 'ldap.service.consul'
|
||||
ldap_basedn: 'dc=main,dc=unkin,dc=net'
|
||||
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
# authentication proxy
|
||||
authproxy:
|
||||
ensure: 'present'
|
||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
||||
ssl_only: true
|
||||
internal: true
|
||||
location: '= /auth-proxy'
|
||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
|
||||
proxy_set_header:
|
||||
- 'Content-Length ""'
|
||||
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
|
||||
- 'X-Ldap-Starttls "false"'
|
||||
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
|
||||
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
|
||||
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
|
||||
- 'X-CookieName "nginxauth"'
|
||||
- 'Cookie nginxauth=$cookie_nginxauth'
|
||||
- "X-Ldap-Template %{lookup('ldap_template')}"
|
||||
- 'X-Ldap-Realm "Restricted"'
|
||||
proxy_cache: 'cache'
|
||||
proxy_cache_valid: '200 10m'
|
||||
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
|
||||
location_cfg_append:
|
||||
proxy_pass_request_body: 'off'
|
||||
# health checks by consul/haproxy
|
||||
arrstack_web_healthcheck:
|
||||
ensure: 'present'
|
||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
||||
ssl_only: true
|
||||
location: '/consul/health'
|
||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
||||
proxy_set_header:
|
||||
- 'Host $host'
|
||||
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
||||
- 'X-Forwarded-Host $host'
|
||||
- 'X-Forwarded-Proto $scheme'
|
||||
- 'Upgrade $http_upgrade'
|
||||
- 'Connection $http_connection'
|
||||
proxy_redirect: 'off'
|
||||
proxy_http_version: '1.1'
|
||||
location_allow:
|
||||
- 127.0.0.1
|
||||
- "%{facts.networking.ip}"
|
||||
- 198.18.13.25
|
||||
- 198.18.13.26
|
||||
location_deny:
|
||||
- all
|
||||
# authorised access from external
|
||||
arrstack_web_external:
|
||||
ensure: 'present'
|
||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
||||
ssl_only: true
|
||||
location: '/'
|
||||
auth_request: '/auth-proxy'
|
||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
||||
proxy_set_header:
|
||||
- 'Host $host'
|
||||
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
||||
- 'X-Forwarded-Host $host'
|
||||
- 'X-Forwarded-Proto $scheme'
|
||||
- 'Upgrade $http_upgrade'
|
||||
- 'Connection $http_connection'
|
||||
proxy_redirect: 'off'
|
||||
proxy_http_version: '1.1'
|
||||
# location for api, which should be accessible without authentication
|
||||
arrstack_api:
|
||||
ensure: 'present'
|
||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
||||
ssl_only: true
|
||||
location: '~ /api'
|
||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
||||
location_cfg_append:
|
||||
client_max_body_size: '20m'
|
||||
|
||||
@@ -1,63 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- jellyfin
|
||||
|
||||
# manage jellyfin
|
||||
jellyfin::params::service_enable: true
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- jellyfin.main.unkin.net
|
||||
- jellyfin.service.consul
|
||||
- jellyfin.query.consul
|
||||
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'jellyfin.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- jellyfin.main.unkin.net
|
||||
- jellyfin.service.consul
|
||||
- jellyfin.query.consul
|
||||
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8096
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
jellyfin:
|
||||
service_name: 'jellyfin'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'jellyfin'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'jellyfin_http_check'
|
||||
name: 'jellyfin HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: jellyfin
|
||||
disposition: write
|
||||
|
||||
profiles::yum::global::repos:
|
||||
rpmfusion-free:
|
||||
name: rpmfusion-free
|
||||
descr: rpmfusion-free repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
rpmfusion-nonfree:
|
||||
name: rpmfusion-nonfree
|
||||
descr: rpmfusion-nonfree repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
@@ -1,3 +1,2 @@
|
||||
---
|
||||
lidarr::api_key: ENC[PKCS7,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]
|
||||
ldap_bindpass: ENC[PKCS7,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]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
hiera_include:
|
||||
- lidarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage lidarr
|
||||
lidarr::params::user: lidarr
|
||||
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=lidarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
lidarr:
|
||||
service_name: 'lidarr'
|
||||
@@ -45,7 +41,7 @@ consul::services:
|
||||
checks:
|
||||
- id: 'lidarr_http_check'
|
||||
name: 'Lidarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
|
||||
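Review bot: Swapping `- profiles::nginx::ldapauth` for `- profiles::nginx::simpleproxy` and dropping `ldap_binddn`/`ldap_template` removes the nginx `auth_request` gate that sat in front of the application, so requests reaching the proxied `/` now meet only the app's own login; the same applies to the prowlarr, radarr, readarr and sonarr sections further down (prowlarr additionally loses its `location_satisfy`/`location_allow` list). If that is the intent, it is worth confirming in the same change that each app has built-in authentication set to required for all addresses — the *arr "disabled for local addresses" mode would likely treat traffic from the `proxy_host: 127.0.0.1` upstream as local and let it straight through. The `cn=svc_<app>,ou=services,...` bind accounts whose passwords leave hiera in the `@@ -1,3 +1,2 @@` secrets hunks should also be disabled in the directory rather than left as orphaned credentials.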
@@ -1,2 +0,0 @@
|
||||
---
|
||||
ldap_bindpass: ENC[PKCS7,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]
|
||||
@@ -1,77 +0,0 @@
|
||||
---
|
||||
|
||||
hiera_include:
|
||||
- nzbget
|
||||
- profiles::media::nzbget
|
||||
- profiles::nginx::ldapauth
|
||||
|
||||
# manage nzbget
|
||||
nzbget::params::user: nzbget
|
||||
nzbget::params::group: media
|
||||
nzbget::params::manage_group: false
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- nzbget.main.unkin.net
|
||||
- nzbget.service.consul
|
||||
- nzbget.query.consul
|
||||
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'nzbget.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- nzbget.main.unkin.net
|
||||
- nzbget.service.consul
|
||||
- nzbget.query.consul
|
||||
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 6789
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_nzbget,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=nzbget_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
arrstack_web_healthcheck:
|
||||
location_cfg_append:
|
||||
rewrite: '/consul/health / break'
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
nzbget:
|
||||
service_name: 'nzbget'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'nzbget'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'nzbget_http_check'
|
||||
name: 'nzbget HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: nzbget
|
||||
disposition: write
|
||||
|
||||
profiles::yum::global::repos:
|
||||
rpmfusion-free:
|
||||
name: rpmfusion-free
|
||||
descr: rpmfusion-free repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
rpmfusion-nonfree:
|
||||
name: rpmfusion-nonfree
|
||||
descr: rpmfusion-nonfree repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
@@ -1,3 +1,2 @@
|
||||
---
|
||||
prowlarr::api_key: ENC[PKCS7,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]
|
||||
ldap_bindpass: ENC[PKCS7,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]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
hiera_include:
|
||||
- prowlarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage prowlarr
|
||||
prowlarr::params::user: prowlarr
|
||||
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_prowlarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=prowlarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
prowlarr:
|
||||
service_name: 'prowlarr'
|
||||
@@ -45,7 +41,7 @@ consul::services:
|
||||
checks:
|
||||
- id: 'prowlarr_http_check'
|
||||
name: 'Prowlarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
@@ -54,12 +50,3 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: prowlarr
|
||||
disposition: write
|
||||
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
arrstack_web_external:
|
||||
location_satisfy: any
|
||||
location_allow:
|
||||
- 198.18.13.47
|
||||
- 198.18.13.50
|
||||
- 198.18.13.51
|
||||
- 198.18.13.52
|
||||
|
||||
@@ -1,3 +1,2 @@
|
||||
---
|
||||
radarr::api_key: ENC[PKCS7,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]
|
||||
ldap_bindpass: ENC[PKCS7,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]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
hiera_include:
|
||||
- radarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage radarr
|
||||
radarr::params::user: radarr
|
||||
@@ -28,13 +28,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_radarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=radarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
radarr:
|
||||
service_name: 'radarr'
|
||||
@@ -46,7 +42,7 @@ consul::services:
|
||||
checks:
|
||||
- id: 'radarr_http_check'
|
||||
name: 'radarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
|
||||
@@ -1,3 +1,2 @@
|
||||
---
|
||||
readarr::api_key: ENC[PKCS7,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]
|
||||
ldap_bindpass: ENC[PKCS7,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]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
hiera_include:
|
||||
- readarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage readarr
|
||||
readarr::params::user: readarr
|
||||
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_readarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=readarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
readarr:
|
||||
service_name: 'readarr'
|
||||
@@ -45,7 +41,7 @@ consul::services:
|
||||
checks:
|
||||
- id: 'readarr_http_check'
|
||||
name: 'Readarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
|
||||
@@ -1,2 +1 @@
|
||||
sonarr::api_key: ENC[PKCS7,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]
|
||||
ldap_bindpass: ENC[PKCS7,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]
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
hiera_include:
|
||||
- sonarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage sonarr
|
||||
sonarr::params::user: sonarr
|
||||
@@ -27,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
sonarr:
|
||||
service_name: 'sonarr'
|
||||
@@ -45,7 +41,7 @@ consul::services:
|
||||
checks:
|
||||
- id: 'sonarr_http_check'
|
||||
name: 'Sonarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
policycoreutils: {}
|
||||
profiles::packages::install:
|
||||
- policycoreutils
|
||||
|
||||
puppetdb::master::config::create_puppet_service_resource: false
|
||||
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
|
||||
|
||||
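Review bot: `profiles::packages::include` with `policycoreutils: {}` becomes a bare list under `profiles::packages::install`; the empty hash was the slot for per-package attributes (a version pin or `ensure`), and the list form has nowhere to put them. The same rename appears in the cobbler (`@@ -1,15 +1,15 @@`), puppetserver (`@@ -1,3 +1,3 @@`) and createrepo (`@@ -1,6 +1,6 @@`) hunks. If name-only installation is the intent, a short comment at the first use, `# profiles::packages::install is name-only; pin versions in the profile, not here`, would save the next maintainer from trying the old hash form.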
@@ -1,251 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- glauth
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- ldap.main.unkin.net
|
||||
- ldap.service.consul
|
||||
- ldap.query.consul
|
||||
- "ldap.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
glauth::params::download_version: 2.3.2
|
||||
glauth::params::ldap_enabled: true
|
||||
glauth::params::ldaps_enabled: true
|
||||
glauth::params::basedn: 'dc=main,dc=unkin,dc=net'
|
||||
glauth::params::behaviors_ignorecapabilities: true
|
||||
glauth::params::ldap_tlscertpath: /etc/pki/tls/vault/certificate.crt
|
||||
glauth::params::ldap_tlskeypath: /etc/pki/tls/vault/private.key
|
||||
glauth::params::ldaps_cert: /etc/pki/tls/vault/certificate.crt
|
||||
glauth::params::ldaps_key: /etc/pki/tls/vault/private.key
|
||||
glauth::params::api_cert: /etc/pki/tls/vault/certificate.crt
|
||||
glauth::params::api_key: /etc/pki/tls/vault/private.key
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
ldap:
|
||||
service_name: 'ldap'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'ldap'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 636
|
||||
checks:
|
||||
- id: 'glauth_http_check'
|
||||
name: 'glauth HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:5555"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: ldap
|
||||
disposition: write
|
||||
|
||||
glauth::users:
|
||||
benvin:
|
||||
user_name: 'benvin'
|
||||
givenname: 'Ben'
|
||||
sn: 'Vincent'
|
||||
mail: 'benvin@users.main.unkin.net'
|
||||
uidnumber: 20000
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20025 # media_admin
|
||||
- 20017 # rundeck_access
|
||||
- 20018 # rundeck_globaladmin
|
||||
- 20023 # vault_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/benvin'
|
||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
||||
sshkeys:
|
||||
- 'ssh-rsa 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 ben@unkin.net'
|
||||
matsol:
|
||||
user_name: 'matsol'
|
||||
givenname: 'Matt'
|
||||
sn: 'Solomon'
|
||||
mail: 'matsol@users.main.unkin.net'
|
||||
uidnumber: 20001
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20025 # media_admin
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/matsol'
|
||||
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
|
||||
seablo:
|
||||
user_name: 'seablo'
|
||||
givenname: 'Sean'
|
||||
sn: 'Bloomfield'
|
||||
mail: 'seablo@users.main.unkin.net'
|
||||
uidnumber: 20002
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/seablo'
|
||||
passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
|
||||
marbal:
|
||||
user_name: 'marbal'
|
||||
givenname: 'Mark'
|
||||
sn: 'Balch'
|
||||
mail: 'marbal@users.main.unkin.net'
|
||||
uidnumber: 20003
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/marbal'
|
||||
passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
|
||||
kelren:
|
||||
user_name: 'kelren'
|
||||
givenname: 'Kelly'
|
||||
sn: 'Rennie'
|
||||
mail: 'kelren@users.main.unkin.net'
|
||||
uidnumber: 20004
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/kelren'
|
||||
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
|
||||
ryadun:
|
||||
user_name: 'ryadun'
|
||||
givenname: 'Dunbar'
|
||||
sn: 'Ryan'
|
||||
mail: 'ryadun@users.main.unkin.net'
|
||||
uidnumber: 20005
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20024 # media_access
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/ryadun'
|
||||
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
|
||||
|
||||
glauth::services:
|
||||
svc_jellyfin:
|
||||
service_name: 'svc_jellyfin'
|
||||
mail: 'jellyfin@service.main.unkin.net'
|
||||
uidnumber: 30000
|
||||
primarygroup: 20001
|
||||
passsha256: '97f7b1eb24deb0a86e812d79c56f4901d39a24128dc9f6fde033e7195f7d0739'
|
||||
svc_sonarr:
|
||||
service_name: 'svc_sonarr'
|
||||
mail: 'sonarr@service.main.unkin.net'
|
||||
uidnumber: 30001
|
||||
primarygroup: 20001
|
||||
passsha256: '2c32d4cb831183cfbef15835cc76f99b401d0159621bc580e852253d4d8f8722'
|
||||
svc_radarr:
|
||||
service_name: 'svc_radarr'
|
||||
mail: 'radarr@service.main.unkin.net'
|
||||
uidnumber: 30002
|
||||
primarygroup: 20001
|
||||
passsha256: '805b0182d90c2b5b3ba43e50988447a0bff0115eb5fedd8eeae8eac00ba53025'
|
||||
svc_lidarr:
|
||||
service_name: 'svc_lidarr'
|
||||
mail: 'lidarr@service.main.unkin.net'
|
||||
uidnumber: 30003
|
||||
primarygroup: 20001
|
||||
passsha256: '6d04cd2a45784bacbd50e6714710b55805c7e9886665a6d7790e6d8712b67aff'
|
||||
svc_readarr:
|
||||
service_name: 'svc_readarr'
|
||||
mail: 'readarr@service.main.unkin.net'
|
||||
uidnumber: 30004
|
||||
primarygroup: 20001
|
||||
passsha256: '751f22fbd9c052b2cd0c1cb4be514d8710f1a51f84ce44f607ab3a5591162f8c'
|
||||
svc_prowlarr:
|
||||
service_name: 'svc_prowlarr'
|
||||
mail: 'prowlarr@service.main.unkin.net'
|
||||
uidnumber: 30005
|
||||
primarygroup: 20001
|
||||
passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043'
|
||||
svc_nzbget:
|
||||
service_name: 'svc_nzbget'
|
||||
mail: 'nzbget@service.main.unkin.net'
|
||||
uidnumber: 30006
|
||||
primarygroup: 20001
|
||||
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
|
||||
svc_nzbsubmit:
|
||||
service_name: 'svc_nzbsubmit'
|
||||
mail: 'nzbsubmit@service.main.unkin.net'
|
||||
uidnumber: 30007
|
||||
primarygroup: 20001
|
||||
othergroups:
|
||||
- 20016
|
||||
passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2'
|
||||
svc_rundeck:
|
||||
service_name: 'svc_rundeck'
|
||||
mail: 'rundeck@service.main.unkin.net'
|
||||
uidnumber: 30007
|
||||
primarygroup: 20001
|
||||
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
|
||||
svc_terraform:
|
||||
service_name: 'svc_terraform'
|
||||
mail: 'terraform@service.main.unkin.net'
|
||||
uidnumber: 30008
|
||||
primarygroup: 20001
|
||||
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
|
||||
svc_vault:
|
||||
service_name: 'svc_vault'
|
||||
mail: 'vault@service.main.unkin.net'
|
||||
uidnumber: 30009
|
||||
primarygroup: 20001
|
||||
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
|
||||
|
||||
glauth::groups:
|
||||
users:
|
||||
group_name: 'people'
|
||||
gidnumber: 20000
|
||||
services:
|
||||
group_name: 'services'
|
||||
gidnumber: 20001
|
||||
jellyfin_access:
|
||||
group_name: 'jellyfin_access'
|
||||
gidnumber: 20010
|
||||
sonarr_access:
|
||||
group_name: 'sonarr_access'
|
||||
gidnumber: 20011
|
||||
radarr_access:
|
||||
group_name: 'radarr_access'
|
||||
gidnumber: 20012
|
||||
lidarr_access:
|
||||
group_name: 'lidarr_access'
|
||||
gidnumber: 20013
|
||||
readarr_access:
|
||||
group_name: 'readarr_access'
|
||||
gidnumber: 20014
|
||||
prowlarr_access:
|
||||
group_name: 'prowlarr_access'
|
||||
gidnumber: 20015
|
||||
nzbget_access:
|
||||
group_name: 'nzbget_access'
|
||||
gidnumber: 20016
|
||||
rundeck_access:
|
||||
group_name: 'rundeck_access'
|
||||
gidnumber: 20017
|
||||
rundeck_globaladmin:
|
||||
group_name: 'rundeck_globaladmin'
|
||||
gidnumber: 20018
|
||||
rundeck_selfservice_admin:
|
||||
group_name: 'rundeck_selfservice_admin'
|
||||
gidnumber: 20019
|
||||
rundeck_selfservice_user:
|
||||
group_name: 'rundeck_selfservice_user'
|
||||
gidnumber: 20020
|
||||
rundeck_infrastructure_admin:
|
||||
group_name: 'rundeck_infrastructure_admin'
|
||||
gidnumber: 20021
|
||||
rundeck_infrastructure_user:
|
||||
group_name: 'rundeck_infrastructure_user'
|
||||
gidnumber: 20022
|
||||
vault_access:
|
||||
group_name: 'vault_access'
|
||||
gidnumber: 20023
|
||||
media_access:
|
||||
group_name: 'media_access'
|
||||
gidnumber: 20024
|
||||
includegroups: [20010, 20011, 20012, 20013, 20014, 20016]
|
||||
media_admin:
|
||||
group_name: 'media_admin'
|
||||
gidnumber: 20025
|
||||
includegroups: [20024, 20015]
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
profiles::openldap::params::rootpw: ENC[PKCS7,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]
|
||||
@@ -0,0 +1,22 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- ldap.main.unkin.net
|
||||
- ldap.service.consul
|
||||
- ldap.query.consul
|
||||
- "ldap.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
openldap::server::manage_epel: false
|
||||
profiles::openldap::params::data_path: '/data/ldap/main.unkin.net'
|
||||
profiles::openldap::params::database: 'dc=main,dc=unkin,dc=net'
|
||||
profiles::openldap::params::rootdn: "cn=admin,%{hiera('profiles::openldap::params::database')}"
|
||||
profiles::openldap::params::ldap_server:
|
||||
- rid: 1
|
||||
provider: ldap://ausyd1nxvm1044.main.unkin.net
|
||||
searchbase: "%{hiera('profiles::openldap::params::database')}"
|
||||
- rid: 2
|
||||
provider: ldap://ausyd1nxvm1045.main.unkin.net
|
||||
searchbase: "%{hiera('profiles::openldap::params::database')}"
|
||||
- rid: 3
|
||||
provider: ldap://ausyd1nxvm1046.main.unkin.net
|
||||
searchbase: "%{hiera('profiles::openldap::params::database')}"
|
||||
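Review bot: The three replication providers under `profiles::openldap::params::ldap_server` are given as `ldap://ausyd1nxvm104[4-6].main.unkin.net`, i.e. plain LDAP on the default port, while the same file provisions a Vault TLS certificate with `ldap.*` alt names; unless the profile upgrades these connections with StartTLS (not visible here), replication traffic and the replication bind credential cross the network unencrypted. Prefer `ldaps://` URIs, or whichever TLS option the profile exposes, and record the decision in a comment above the list. Separately, `%{hiera('profiles::openldap::params::database')}` uses the deprecated `hiera` interpolation function; `%{lookup('profiles::openldap::params::database')}` is the Hiera 5 form.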
@@ -1,205 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::rundeck::server
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
hiera_exclude:
|
||||
- profiles::accounts::rundeck
|
||||
|
||||
profiles::packages::exclude:
|
||||
- jq
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::nginx::simpleproxy::proxy_port: 4440
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 20M
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
rundeck:
|
||||
service_name: 'rundeck'
|
||||
tags:
|
||||
- 'automation'
|
||||
- 'rundeck'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'glauth_http_check'
|
||||
name: 'glauth HTTP Check'
|
||||
http: "http://%{facts.networking.fqdn}:4440"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: rundeck
|
||||
disposition: write
|
||||
|
||||
profiles::rundeck::server::mysql_backend: true
|
||||
profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
|
||||
profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
|
||||
profiles::rundeck::server::auth_config:
|
||||
file:
|
||||
auth_flag: 'sufficient'
|
||||
jaas_config:
|
||||
file: '/etc/rundeck/realm.properties'
|
||||
realm_config:
|
||||
admin_user: 'admin'
|
||||
admin_password: "%{hiera('rundeck_admin_pass')}"
|
||||
ldap:
|
||||
jaas_config:
|
||||
debug: 'true'
|
||||
providerUrl: 'ldap://ldap.service.consul:389'
|
||||
bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
bindPassword: "%{hiera('ldap_bindpass')}"
|
||||
authenticationMethod: 'simple'
|
||||
forceBindingLogin: 'true'
|
||||
userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
|
||||
userRdnAttribute: 'uid'
|
||||
userIdAttribute: 'uid'
|
||||
userPasswordAttribute: 'userPassword'
|
||||
userObjectClass: 'posixAccount'
|
||||
roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
|
||||
roleNameAttribute: 'uid'
|
||||
roleMemberAttribute: 'uniqueMember'
|
||||
roleObjectClass: 'groupOfUniqueNames'
|
||||
nestedGroups: 'true'
|
||||
|
||||
profiles::rundeck::server::key_storage_config:
|
||||
- type: 'db'
|
||||
path: 'keys'
|
||||
- type: 'vault-storage'
|
||||
path: 'vault'
|
||||
config:
|
||||
prefix: 'rundeck'
|
||||
address: https://vault.query.consul:8200
|
||||
storageBehaviour: 'vault'
|
||||
secretBackend: rundeck
|
||||
engineVersion: '2'
|
||||
authBackend: approle
|
||||
approleAuthMount: approle
|
||||
approleId: "%{hiera('vault::roleid')}"
|
||||
|
||||
profiles::rundeck::server::cli_projects:
|
||||
Self-Service:
|
||||
update_method: 'set'
|
||||
config:
|
||||
project.description: 'self-service tasks'
|
||||
project.disable.executions: 'false'
|
||||
Infrastructure:
|
||||
config:
|
||||
project.description: 'infrastructure management'
|
||||
project.disable.schedule: 'false'
|
||||
|
||||
profiles::rundeck::server::acl_policies:
|
||||
global_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Global Admin, all access'
|
||||
context:
|
||||
application: "rundeck"
|
||||
for:
|
||||
project:
|
||||
- allow: '*'
|
||||
resource:
|
||||
- allow: '*'
|
||||
storage:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_globaladmin']
|
||||
- description: 'Global Admin, all access'
|
||||
context:
|
||||
project: '.*'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_globaladmin']
|
||||
selfservice_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Admin, all access for Self-Service project'
|
||||
context:
|
||||
project: 'Self-Service'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_selfserice_admin']
|
||||
selfservice_user_policy:
|
||||
acl_policies:
|
||||
- description: 'Users can execute tasks but not edit for Self-Service project'
|
||||
context:
|
||||
project: 'Self-Service'
|
||||
for:
|
||||
resource:
|
||||
- allow: ['read']
|
||||
adhoc:
|
||||
- allow: ['run']
|
||||
job:
|
||||
- allow: ['read', 'run']
|
||||
node:
|
||||
- allow: ['read', 'run']
|
||||
by:
|
||||
- group: ['rundeck_selfserice_user']
|
||||
infrastructure_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Admin, all access for Infrastructure project'
|
||||
context:
|
||||
project: 'Infrastructure'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_infrastructure_admin']
|
||||
infrastructure_user_policy:
|
||||
acl_policies:
|
||||
- description: 'Users can execute tasks but not edit for Infrastructure project'
|
||||
context:
|
||||
project: 'Infrastructure'
|
||||
for:
|
||||
resource:
|
||||
- allow: ['read']
|
||||
adhoc:
|
||||
- allow: ['run']
|
||||
job:
|
||||
- allow: ['read', 'run']
|
||||
node:
|
||||
- allow: ['read', 'run']
|
||||
by:
|
||||
- group: ['rundeck_infrastructure_user']
|
||||
@@ -1,15 +1,15 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
cobbler: {}
|
||||
cobbler3.2-web: {}
|
||||
httpd: {}
|
||||
syslinux: {}
|
||||
dnf-plugins-core: {}
|
||||
debmirror: {}
|
||||
pykickstart: {}
|
||||
fence-agents: {}
|
||||
selinux-policy-devel: {}
|
||||
ipxe-bootimgs: {}
|
||||
profiles::packages::install:
|
||||
- cobbler
|
||||
- cobbler3.2-web
|
||||
- httpd
|
||||
- syslinux
|
||||
- dnf-plugins-core
|
||||
- debmirror
|
||||
- pykickstart
|
||||
- fence-agents
|
||||
- selinux-policy-devel
|
||||
- ipxe-bootimgs
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- cobbler.main.unkin.net
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
---
|
||||
redisha::masterauth: ENC[PKCS7,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]
|
||||
@@ -1,67 +0,0 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- redis.main.unkin.net
|
||||
- redis.service.consul
|
||||
- redis.query.consul
|
||||
- "redis.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- redis.main.unkin.net
|
||||
- redis.service.consul
|
||||
- redis.query.consul
|
||||
|
||||
|
||||
hiera_include:
|
||||
- redisha
|
||||
|
||||
redisha::manage_repo: false
|
||||
redisha::redisha_members_lookup: true
|
||||
redisha::redisha_members_role: roles::infra::db::redis
|
||||
#redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
#redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
|
||||
redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
|
||||
redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
|
||||
redisha::tools::requirepass: "%{hiera('redisha::masterauth')}"
|
||||
|
||||
sudo::configs:
|
||||
consul:
|
||||
priority: 20
|
||||
content: |
|
||||
consul ALL=(ALL) NOPASSWD: /usr/local/sbin/sentineladm info
|
||||
consul::services:
|
||||
redis-replica:
|
||||
service_name: "redis-replica-%{facts.environment}"
|
||||
tags:
|
||||
- 'redis'
|
||||
- 'redis-replica'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 6379
|
||||
checks:
|
||||
- id: 'redis-replica_tcp_check'
|
||||
name: 'Redis Replica TCP Check'
|
||||
tcp: "%{facts.networking.ip}:6379"
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
redis-master:
|
||||
service_name: "redis-master-%{facts.environment}"
|
||||
tags:
|
||||
- 'redis'
|
||||
- 'redis-master'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 6379
|
||||
checks:
|
||||
- id: 'redis-master_tcp_check'
|
||||
name: "Redis Master Check"
|
||||
args:
|
||||
- '/usr/local/bin/check_redis_master'
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: "redis-replica-%{facts.environment}"
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: "redis-master-%{facts.environment}"
|
||||
disposition: write
|
||||
@@ -33,6 +33,13 @@ profiles::dns::resolver::zones:
|
||||
- 10.10.16.32
|
||||
- 10.10.16.33
|
||||
forward: 'only'
|
||||
unkin.net-forward:
|
||||
domain: 'unkin.net'
|
||||
zone_type: 'forward'
|
||||
forwarders:
|
||||
- 10.10.16.32
|
||||
- 10.10.16.33
|
||||
forward: 'only'
|
||||
dmz.unkin.net-forward:
|
||||
domain: 'dmz.unkin.net'
|
||||
zone_type: 'forward'
|
||||
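Review bot: `unkin.net-forward` forwards the whole parent domain `unkin.net` to 10.10.16.32/33 with `forward: 'only'`, so any name under `unkin.net` not covered by a more specific forward zone (`main.unkin.net`, `dmz.unkin.net` and the others listed in the view in the next hunk) is now answered solely by those two internal servers, with no fallback to public recursion. If public `unkin.net` records (hosts of the `fafflix.unkin.net` kind that appear elsewhere in this change) are not served or forwarded by those resolvers, they become unresolvable from this view. Confirm that is wanted and record it, e.g. `# parent zone: 10.10.16.32/33 answer for all of unkin.net, no public fallback`.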
@@ -60,6 +67,7 @@ profiles::dns::resolver::views:
|
||||
recursion: true
|
||||
zones:
|
||||
- main.unkin.net-forward
|
||||
- unkin.net-forward
|
||||
- dmz.unkin.net-forward
|
||||
- network.unkin.net-forward
|
||||
- prod.unkin.net-forward
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
---
|
||||
droneci_server::rpc_secret: ENC[PKCS7,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]
|
||||
@@ -1,25 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::base::datavol
|
||||
- docker
|
||||
- droneci::runner
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
droneci::runner::ports:
|
||||
- 3000:3000
|
||||
droneci::runner::volumes:
|
||||
- type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock
|
||||
- type=bind,source=/data,target=/data
|
||||
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
|
||||
droneci::runner::env_vars:
|
||||
DRONE_RPC_PROTO: https
|
||||
DRONE_RPC_HOST: droneci.query.consul
|
||||
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
|
||||
DRONE_RUNNER_CAPACITY: 2
|
||||
DRONE_RUNNER_NAME: "%{facts.networking.fqdn}"
|
||||
DRONE_RUNNER_VOLUMES: /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
droneci_server::gitea_client_secret: ENC[PKCS7,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]
|
||||
droneci_server::cookie_secret: ENC[PKCS7,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]
|
||||
droneci_server::database_secret: ENC[PKCS7,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]
|
||||
droneci_server::postgres_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANpDnrpratpuYheXFrN4nwRTauPm9rZz2ubDyJlcxmah+kOWqsWIeEkv5GuATlymfAx5UuHPOv3dJPCSK+YuyQY+kGW/8uEFM68QrNi38NdRqEpdXuPBe5+AmWxcjYK3mdJ4maEwsbbxtYJmD8TF6kskS2P/KhnIzYR5PPHZTaYbEf/W5Da3l+J5WnFYpStuLq+86yZokBAygFPI+y/Ic+zJIdhpzVdLyGuqxGLXZq7nNMrjuNyFPKkCj1BBpuJTMCS4oPKCUTlm5hIIeeC2pFREI0CMTV5siZB8NphobPNn/ZbJrcs9q75LtIa47pkFYRbmV4WPctCwZXg6jtMleuzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDHJaChyidZq/5FN5n+ASJWgDCqUcR/DG9e8AD7fRmTb5BZM8XQ77a1hUJoaCycnMQ/5UyKmqU/7fLPrsxCf2vZU1M=]
|
||||
droneci_server::redis_password: ENC[PKCS7,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]
|
||||
@@ -1,79 +0,0 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- droneci.main.unkin.net
|
||||
- droneci.service.consul
|
||||
- droneci.query.consul
|
||||
- "droneci.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- droneci.main.unkin.net
|
||||
- droneci.service.consul
|
||||
- droneci.query.consul
|
||||
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::sql::postgresdb
|
||||
- droneci
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
profiles::sql::postgresdb::dbname: droneci
|
||||
profiles::sql::postgresdb::dbuser: droneci
|
||||
profiles::sql::postgresdb::dbpass: "%{hiera('droneci_server::postgres_password')}"
|
||||
profiles::sql::postgresdb::members_lookup: true
|
||||
profiles::sql::postgresdb::members_role: roles::infra::droneci::server
|
||||
|
||||
droneci::ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
droneci::volumes:
|
||||
- type=bind,source=/var/lib/drone,target=/data
|
||||
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
|
||||
droneci::env_vars:
|
||||
DRONE_GITEA_SERVER: https://git.query.consul
|
||||
DRONE_GITEA_CLIENT_ID: dda67581-86df-4e65-88ae-1e505b849082
|
||||
DRONE_USER_CREATE: username:unkinben,admin:true
|
||||
DRONE_GITEA_CLIENT_SECRET: "%{hiera('droneci_server::gitea_client_secret')}"
|
||||
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
|
||||
DRONE_SERVER_HOST: droneci.query.consul
|
||||
DRONE_SERVER_PROTO: https
|
||||
DRONE_TLS_CERT: /etc/pki/tls/vault/certificate.crt
|
||||
DRONE_TLS_KEY: /etc/pki/tls/vault/private.key
|
||||
DRONE_COOKIE_SECRET: "%{hiera('droneci_server::cookie_secret')}"
|
||||
DRONE_COOKIE_TIMEOUT: 720h
|
||||
DRONE_HTTP_SSL_REDIRECT: true
|
||||
DRONE_HTTP_SSL_TEMPORARY_REDIRECT: true
|
||||
DRONE_HTTP_SSL_HOST: droneci.query.consul
|
||||
DRONE_LOGS_TEXT: true
|
||||
DRONE_LOGS_PRETTY: true
|
||||
DRONE_LOGS_COLOR: true
|
||||
DRONE_DATABASE_SECRET: "%{hiera('droneci_server::database_secret')}"
|
||||
DRONE_DATABASE_DRIVER: postgres
|
||||
DRONE_DATABASE_DATASOURCE: "postgres://droneci:%{hiera('droneci_server::postgres_password')}@master.patroni-prod.service.au-syd1.consul:5432/droneci?sslmode=disable"
|
||||
DRONE_REDIS_CONNECTION: "redis://%{hiera('droneci_server::redis_password')}@redis-master-prod.service.au-syd1.consul:6379/2"
|
||||
|
||||
consul::services:
|
||||
droneci:
|
||||
service_name: 'droneci'
|
||||
tags:
|
||||
- 'drone'
|
||||
- 'droneci'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'droneci_https_check'
|
||||
name: 'droneci HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: droneci
|
||||
disposition: write
|
||||
@@ -41,7 +41,7 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- "git.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 3000
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 1024M
|
||||
nginx::client_max_body_size: 250M
|
||||
|
||||
profiles::gitea::init::root:
|
||||
APP_NAME: 'Gitea'
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
profiles::gitea::runner::registration_token: ENC[PKCS7,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]
|
||||
@@ -1,46 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::gitea::runner
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
profiles::gitea::runner::home: /data/runner
|
||||
profiles::gitea::runner::version: '0.2.10'
|
||||
profiles::gitea::runner::source: "https://gitea.com/gitea/act_runner/releases/download/v%{hiera('profiles::gitea::runner::version')}/act_runner-%{hiera('profiles::gitea::runner::version')}-linux-amd64"
|
||||
profiles::gitea::runner::config:
|
||||
log:
|
||||
level: info
|
||||
runner:
|
||||
file: "%{hiera('profiles::gitea::runner::home')}/.runner"
|
||||
capacity: 2
|
||||
envs:
|
||||
A_TEST_ENV_NAME_1: a_test_env_value_1
|
||||
A_TEST_ENV_NAME_2: a_test_env_value_2
|
||||
env_file: .env
|
||||
timeout: 3h
|
||||
insecure: false
|
||||
fetch_timeout: 5s
|
||||
fetch_interval: 2s
|
||||
labels:
|
||||
- "almalinux-latest"
|
||||
- "almalinux-8:docker"
|
||||
- "almalinux-8.10:docker"
|
||||
cache:
|
||||
enabled: true
|
||||
dir: "%{hiera('profiles::gitea::runner::home')}/.cache/actcache"
|
||||
host: ""
|
||||
port: 0
|
||||
external_server: ""
|
||||
container:
|
||||
network: ""
|
||||
privileged: false
|
||||
options:
|
||||
workdir_parent: /workspace
|
||||
valid_volumes: []
|
||||
docker_host: ""
|
||||
force_pull: true
|
||||
force_rebuild: false
|
||||
host:
|
||||
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
|
||||
@@ -53,8 +53,6 @@ profiles::haproxy::frontends:
|
||||
options:
|
||||
acl:
|
||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||
use_backend:
|
||||
- 'be_letsencrypt if acl-letsencrypt'
|
||||
http-request:
|
||||
- 'set-header X-Forwarded-Proto https'
|
||||
- 'set-header X-Real-IP %[src]'
|
||||
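Review bot: Two lines leave each of the two letsencrypt blocks (this hunk and `@@ -70,8 +68,6 @@`), but the rendering does not show which two. If the `acl:` entry is removed while `use_backend: 'be_letsencrypt if acl-letsencrypt'` stays, haproxy will reject the configuration because `acl-letsencrypt` is undefined; if only the `use_backend` pair goes, a dead ACL is left behind. The `acl` and `use_backend` lines should go together, and the `be_letsencrypt` backend definition (outside this hunk, if it exists) with them, now that the certbot data files are deleted in this commit.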
@@ -70,8 +68,6 @@ profiles::haproxy::frontends:
|
||||
options:
|
||||
acl:
|
||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||
use_backend:
|
||||
- 'be_letsencrypt if acl-letsencrypt'
|
||||
http-request:
|
||||
- 'set-header X-Forwarded-Proto https'
|
||||
- 'set-header X-Real-IP %[src]'
|
||||
|
||||
@@ -9,5 +9,4 @@ profiles::metrics::server::scrape_jobs:
|
||||
- puppetdb
|
||||
- systemd
|
||||
- haproxy
|
||||
- postgres
|
||||
profiles::metrics::server::localstorage: /data/prometheus
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
---
|
||||
certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
|
||||
@@ -1,15 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- certbot
|
||||
- profiles::pki::puppetcerts
|
||||
|
||||
certbot::domains:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
- sonarr.main.unkin.net
|
||||
- radarr.main.unkin.net
|
||||
- lidarr.main.unkin.net
|
||||
- readarr.main.unkin.net
|
||||
- prowlarr.main.unkin.net
|
||||
- nzbget.main.unkin.net
|
||||
- fafflix.unkin.net
|
||||
@@ -1,3 +1,3 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
puppetserver: {}
|
||||
profiles::packages::install:
|
||||
- puppetserver
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
createrepo: {}
|
||||
profiles::packages::install:
|
||||
- createrepo
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- repos.main.unkin.net
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
profiles::sql::patroni::superuser_password: ENC[PKCS7,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]
|
||||
profiles::sql::patroni::replication_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWyCj+7WfzpTcpBg6uQ5ykGmLZmb/avW3Pc+VWj9bGvxSQCA8LA6HJlEhhL3mrJSTGUyHLgeEebEup9AVHe2k2l/JHIvhyfx7LI+mNDp8u5p40pM6ZxTdIJFOZmOS/nGjAR6mTv6Ennhpw4sWSDYXU0mJPTHGAked2FXV1xsS0zpTY7hccJHuww5ixOw6jP8E1Pu0ex4LmefOXApowf0jZ2pARndlsXwZldahUHIF48XejclpgCK9rTrb4eQsOZr5ozcj0BBpWg/JKNkQt8mQU5l5/z0GDT08Op8g6MVdJuOWr92uPqjc8sydrz0QAx4l8t1KY2fMWK7BPKqSdcOxiDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDEZBNd56BHVGRVfHDPPwZHgDAZKnqicbF/MVKPi1PwwyHrXMW/fWqocgr1zWx6RXWgXICqjJdEFXwFerXXb39RSDg=]
|
||||
profiles::sql::patroni::postgres_exporter_pass: ENC[PKCS7,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]
|
||||
@@ -1,28 +0,0 @@
|
||||
---
|
||||
profiles::yum::global::repos:
|
||||
postgresql-15:
|
||||
name: postgresql-15
|
||||
descr: postgresql-15 repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
postgresql-common:
|
||||
name: postgresql-common
|
||||
descr: postgresql-common repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
|
||||
profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
|
||||
profiles::sql::patroni::postgres_exporter_enabled: true
|
||||
profiles::sql::patroni::postgres_exporter_user: postgres_exporter
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service_prefix
|
||||
segment: "%{hiera('profiles::sql::patroni::cluster_name')}"
|
||||
disposition: write
|
||||
- resource: key_prefix
|
||||
segment: "service/%{hiera('profiles::sql::patroni::cluster_name')}"
|
||||
disposition: write
|
||||
- resource: session_prefix
|
||||
segment: ""
|
||||
disposition: write
|
||||
@@ -89,9 +89,3 @@ profiles::consul::prepared_query::rules:
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
droneci:
|
||||
ensure: 'present'
|
||||
service_name: 'droneci'
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
|
||||
@@ -125,12 +125,12 @@ profiles::edgecache::params::mirrors:
|
||||
ensure: present
|
||||
location: '~* ^/ceph/yum/.*/repodata/'
|
||||
rewrite_rules:
|
||||
- '^/ceph/yum/(.*)$ /rpm-18.2.2/$1 break'
|
||||
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
|
||||
proxy: http://158.69.68.124
|
||||
ceph_yum_data:
|
||||
ensure: present
|
||||
location: /ceph/yum
|
||||
proxy: http://158.69.68.124/rpm-18.2.2
|
||||
proxy: http://158.69.68.124/rpm-reef
|
||||
proxy_cache: cache
|
||||
proxy_cache_valid:
|
||||
- '200 302 1440h'
|
||||
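Review bot: The `ceph_yum_data` proxy and the repodata rewrite now point at the floating `rpm-reef` channel instead of the pinned `rpm-18.2.2` directory (reading the rows as old-then-new), while `proxy_cache_valid: '200 302 1440h'` is unchanged, so cached repodata and package files can drift apart for up to 60 days once upstream republishes under the same codename path — a pinned release directory did not have that problem. The upstream is fetched over plain HTTP by IP address, so the clients' repository GPG verification (`gpgcheck`/`gpgkey`, as the postgres repo entries elsewhere in this compare use) is the only integrity control on what the mirror serves; the ceph client repo definition is not visible here, so it is worth confirming it is enabled. If the `/repodata/` location inherits the same validity, a much shorter one there, e.g. `proxy_cache_valid: ['200 302 1h']`, keeps metadata and packages from diverging. The enclosing `profiles::edgecache::params::mirrors` entries start before the hunk.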
|
||||
@@ -1,3 +1,3 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
"%{hiera('lm-sensors::package')}": {}
|
||||
profiles::packages::install:
|
||||
- "%{hiera('lm-sensors::package')}"
|
||||
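Review bot: The new element `- "%{hiera('lm-sensors::package')}"` uses the `hiera` interpolation function, which Hiera 5 keeps only as a deprecated alias of `lookup`; `- "%{lookup('lm-sensors::package')}"` is the supported spelling. The same interpolation appears on context lines elsewhere in this compare (e.g. the gitea runner `workdir_parent` value), so migrating them together would keep the data files consistent; this also applies to the other `profiles::packages::install` rewrites in this commit only where they interpolate, which the puppetserver and createrepo entries do not.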
|
||||
@@ -1,18 +0,0 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add(:certbot_available_certs) do
|
||||
confine enc_role: 'roles::infra::pki::certbot'
|
||||
setcode do
|
||||
certs_dir = '/etc/letsencrypt/live'
|
||||
available_certs = []
|
||||
|
||||
if Dir.exist?(certs_dir)
|
||||
Dir.children(certs_dir).each do |entry|
|
||||
fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
|
||||
available_certs << entry if File.exist?(fullchain_pem)
|
||||
end
|
||||
end
|
||||
|
||||
available_certs.join(',')
|
||||
end
|
||||
end
|
||||
@@ -1,15 +0,0 @@
|
||||
# certbot::cert
|
||||
define certbot::cert (
|
||||
Stdlib::Fqdn $domain,
|
||||
Array $additional_args = ['--http-01-port=8888'],
|
||||
Boolean $manage_cron = true,
|
||||
) {
|
||||
|
||||
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
||||
|
||||
@@letsencrypt::certonly { $domain:
|
||||
additional_args => $additional_args,
|
||||
manage_cron => $manage_cron,
|
||||
tag => $location_environment,
|
||||
}
|
||||
}
|
||||
@@ -1,23 +0,0 @@
|
||||
class certbot::client (
|
||||
Array[Stdlib::Fqdn] $domains,
|
||||
Stdlib::Fqdn $webserver,
|
||||
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
|
||||
) {
|
||||
|
||||
mkdir::p {$data_dir:}
|
||||
file { $data_dir:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
$domains.each |$domain| {
|
||||
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
|
||||
domain => $domain,
|
||||
destination => "${data_dir}/${domain}",
|
||||
webserver => $webserver,
|
||||
require => File[$data_dir],
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,51 +0,0 @@
|
||||
define certbot::client::cert (
|
||||
Stdlib::Fqdn $domain,
|
||||
Stdlib::Fqdn $webserver,
|
||||
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
|
||||
) {
|
||||
|
||||
file { $destination:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
$cert_ready_nodes = puppetdb_query("
|
||||
facts {
|
||||
name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
|
||||
}"
|
||||
)
|
||||
|
||||
# Define the certificate files
|
||||
$cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
|
||||
|
||||
if !empty($cert_ready_nodes) {
|
||||
$files_to_create = $cert_files.reduce({}) |$acc, $file| {
|
||||
$acc + {
|
||||
"${destination}/${file}" => {
|
||||
ensure => 'file',
|
||||
source => "https://${webserver}/${domain}/${file}",
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
notify => Exec["concat_${domain}_certs"],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
create_resources(file, $files_to_create)
|
||||
|
||||
exec { "concat_${domain}_certs":
|
||||
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
|
||||
path => ['/bin', '/usr/bin'],
|
||||
refreshonly => true,
|
||||
require => [
|
||||
File["${destination}/fullchain.pem"],
|
||||
File["${destination}/privkey.pem"],
|
||||
],
|
||||
}
|
||||
} else {
|
||||
notify { 'Certificates are not yet ready on the generator server.': }
|
||||
}
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
# certbot::haproxy
|
||||
class certbot::haproxy {
|
||||
# export haproxy balancemember
|
||||
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
|
||||
service => 'be_letsencrypt',
|
||||
ports => [8888],
|
||||
options => []
|
||||
}
|
||||
}
|
||||
@@ -1,19 +0,0 @@
|
||||
# certbot::init
|
||||
class certbot (
|
||||
String $contact,
|
||||
Array[Stdlib::Fqdn] $domains = [],
|
||||
Stdlib::Absolutepath $data_root = '/var/www',
|
||||
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
|
||||
Array[Stdlib::Host] $nginx_aliases = [],
|
||||
Stdlib::Port $nginx_port = 80,
|
||||
Stdlib::Port $nginx_ssl_port = 443,
|
||||
Enum['http','https','both'] $nginx_listen_mode = 'https',
|
||||
Enum['puppet', 'vault'] $nginx_cert_type = 'puppet',
|
||||
) {
|
||||
|
||||
include certbot::nginx
|
||||
include certbot::selinux
|
||||
include certbot::haproxy
|
||||
include certbot::letsencrypt
|
||||
|
||||
}
|
||||
@@ -1,37 +0,0 @@
|
||||
# certbot::letsencrypt
|
||||
class certbot::letsencrypt (
|
||||
String $contact = $certbot::contact,
|
||||
Array[Stdlib::Fqdn] $domains = $certbot::domains,
|
||||
Stdlib::Absolutepath $data_root = $certbot::data_root,
|
||||
) {
|
||||
|
||||
class { 'letsencrypt':
|
||||
configure_epel => false,
|
||||
package_ensure => 'latest',
|
||||
email => $contact,
|
||||
}
|
||||
|
||||
# set location_environment
|
||||
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
||||
|
||||
# collect exported resources
|
||||
Letsencrypt::Certonly <<| tag == $location_environment |>>
|
||||
|
||||
# statically defined certificate
|
||||
$domains.each | $domain | {
|
||||
certbot::cert {$domain:
|
||||
domain => $domain,
|
||||
require => Class['letsencrypt'],
|
||||
}
|
||||
}
|
||||
|
||||
systemd::timer { 'certbot-syncer.timer':
|
||||
timer_content => epp('certbot/certbot-syncer.timer.epp'),
|
||||
service_content => epp('certbot/certbot-syncer.service.epp', {
|
||||
'data_root' => $data_root,
|
||||
}),
|
||||
active => true,
|
||||
enable => true,
|
||||
require => Class['letsencrypt'],
|
||||
}
|
||||
}
|
||||
@@ -1,91 +0,0 @@
|
||||
# certbot::nginx
|
||||
class certbot::nginx (
|
||||
Stdlib::Absolutepath $data_root = $certbot::data_root,
|
||||
Stdlib::Fqdn $nginx_vhost = $certbot::nginx_vhost,
|
||||
Array[Stdlib::Host] $nginx_aliases = $certbot::nginx_aliases,
|
||||
Stdlib::Port $nginx_port = $certbot::nginx_port,
|
||||
Stdlib::Port $nginx_ssl_port = $certbot::nginx_ssl_port,
|
||||
Enum['http','https','both'] $nginx_listen_mode = $certbot::nginx_listen_mode,
|
||||
Enum['puppet', 'vault'] $nginx_cert_type = $certbot::nginx_cert_type,
|
||||
) {
|
||||
|
||||
# select the certificates to use based on cert type
|
||||
case $nginx_cert_type {
|
||||
'puppet': {
|
||||
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
|
||||
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
|
||||
}
|
||||
'vault': {
|
||||
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
|
||||
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
|
||||
}
|
||||
default: {
|
||||
# enum param prevents this ever being reached
|
||||
}
|
||||
}
|
||||
|
||||
# set variables based on the listen_mode
|
||||
case $nginx_listen_mode {
|
||||
'http': {
|
||||
$enable_ssl = false
|
||||
$ssl_cert = undef
|
||||
$ssl_key = undef
|
||||
$listen_port = $nginx_port
|
||||
$listen_ssl_port = undef
|
||||
$extras_hash = {}
|
||||
}
|
||||
'https': {
|
||||
$enable_ssl = true
|
||||
$ssl_cert = $selected_ssl_cert
|
||||
$ssl_key = $selected_ssl_key
|
||||
$listen_port = $nginx_ssl_port
|
||||
$listen_ssl_port = $nginx_ssl_port
|
||||
$extras_hash = {
|
||||
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
||||
}
|
||||
}
|
||||
'both': {
|
||||
$enable_ssl = true
|
||||
$ssl_cert = $selected_ssl_cert
|
||||
$ssl_key = $selected_ssl_key
|
||||
$listen_port = $nginx_port
|
||||
$listen_ssl_port = $nginx_ssl_port
|
||||
$extras_hash = {
|
||||
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
||||
}
|
||||
}
|
||||
default: {
|
||||
# enum param prevents this ever being reached
|
||||
}
|
||||
}
|
||||
|
||||
mkdir::p {"${data_root}/pub":}
|
||||
|
||||
# set the server_names
|
||||
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
|
||||
|
||||
# define the default parameters for the nginx server
|
||||
$defaults = {
|
||||
'listen_port' => $listen_port,
|
||||
'server_name' => $server_names,
|
||||
'use_default_location' => true,
|
||||
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
|
||||
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
|
||||
'www_root' => "${data_root}/pub",
|
||||
'autoindex' => 'on',
|
||||
'ssl' => $enable_ssl,
|
||||
'ssl_cert' => $ssl_cert,
|
||||
'ssl_key' => $ssl_key,
|
||||
'ssl_port' => $listen_ssl_port,
|
||||
}
|
||||
|
||||
# merge the hashes conditionally
|
||||
$nginx_parameters = merge($defaults, $extras_hash)
|
||||
|
||||
# manage the nginx class
|
||||
include nginx
|
||||
|
||||
# create the nginx vhost with the merged parameters
|
||||
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
|
||||
|
||||
}
|
||||
@@ -1,40 +0,0 @@
|
||||
# certbot::selinux
|
||||
class certbot::selinux (
|
||||
Stdlib::Absolutepath $data_root = $certbot::data_root,
|
||||
) {
|
||||
|
||||
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
|
||||
|
||||
# set httpd_sys_content_t to all files under the www_root
|
||||
selinux::fcontext { "${data_root}/pub":
|
||||
ensure => 'present',
|
||||
seltype => 'httpd_sys_content_t',
|
||||
pathspec => "${data_root}/pub(/.*)?",
|
||||
}
|
||||
|
||||
# make sure we can connect to other hosts
|
||||
selboolean { 'httpd_can_network_connect':
|
||||
persistent => true,
|
||||
value => 'on',
|
||||
}
|
||||
selboolean { 'rsync_client':
|
||||
persistent => true,
|
||||
value => 'on',
|
||||
}
|
||||
selboolean { 'rsync_export_all_ro':
|
||||
persistent => true,
|
||||
value => 'on',
|
||||
}
|
||||
selboolean { 'rsync_full_access':
|
||||
persistent => true,
|
||||
value => 'on',
|
||||
}
|
||||
|
||||
exec { "restorecon_${data_root}/pub":
|
||||
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
|
||||
command => "restorecon -Rv ${data_root}/pub",
|
||||
refreshonly => true,
|
||||
subscribe => Selinux::Fcontext["${data_root}/pub"],
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
[Unit]
|
||||
Description=certbot-syncer service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
|
||||
User=root
|
||||
Group=root
|
||||
@@ -1,9 +0,0 @@
|
||||
[Unit]
|
||||
Description=certbot-syncer timer
|
||||
|
||||
[Timer]
|
||||
OnCalendar=hourly
|
||||
Persistent=true
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
@@ -1,24 +0,0 @@
|
||||
class droneci (
|
||||
Hash $env_vars = {},
|
||||
String $docker_image = 'drone/drone:2',
|
||||
Array[String] $ports = [],
|
||||
Array[String] $volumes = [],
|
||||
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci',
|
||||
) {
|
||||
|
||||
# Create the environment file from a template
|
||||
file { $env_file:
|
||||
ensure => file,
|
||||
content => template('droneci/droneci_env.erb'),
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
# Define the systemd service for Drone CI
|
||||
systemd::unit_file { 'droneci.service':
|
||||
ensure => present,
|
||||
content => template('droneci/droneci_service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => File[$env_file],
|
||||
}
|
||||
}
|
||||
@@ -1,24 +0,0 @@
|
||||
class droneci::runner (
|
||||
Hash $env_vars = {},
|
||||
String $docker_image = 'drone/drone-runner-docker:1',
|
||||
Array[String] $ports = [],
|
||||
Array[String] $volumes = [],
|
||||
Stdlib::Absolutepath $env_file = '/etc/sysconfig/droneci_runner',
|
||||
) {
|
||||
|
||||
# Create the environment file from a template
|
||||
file { $env_file:
|
||||
ensure => file,
|
||||
content => template('droneci/droneci_env.erb'),
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
# Define the systemd service for Drone CI runner
|
||||
systemd::unit_file { 'droneci-runner.service':
|
||||
ensure => present,
|
||||
content => template('droneci/droneci_runner_service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => File[$env_file],
|
||||
}
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
<% @env_vars.each do |key, value| -%>
|
||||
<%= key.upcase %>=<%= value %>
|
||||
<% end -%>
|
||||
@@ -1,20 +0,0 @@
|
||||
[Unit]
|
||||
Description=Drone CI Runner
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/docker run --rm \
|
||||
--name=drone-runner \
|
||||
<% @ports.each do |port| -%>
|
||||
-p <%= port %> \
|
||||
<% end -%>
|
||||
<% @volumes.each do |volume| -%>
|
||||
--mount <%= volume %> \
|
||||
<% end -%>
|
||||
--env-file <%= @env_file %> \
|
||||
<%= @docker_image %>
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -1,20 +0,0 @@
|
||||
[Unit]
|
||||
Description=Drone CI Service
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/docker run --rm \
|
||||
--name=drone \
|
||||
<% @ports.each do |port| -%>
|
||||
-p <%= port %> \
|
||||
<% end -%>
|
||||
<% @volumes.each do |volume| -%>
|
||||
--mount <%= volume %> \
|
||||
<% end -%>
|
||||
--env-file <%= @env_file %> \
|
||||
<%= @docker_image %>
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -1,155 +0,0 @@
|
||||
# configure glauth
|
||||
class glauth::config (
|
||||
Boolean $debug = $glauth::debug,
|
||||
Boolean $syslog = $glauth::syslog,
|
||||
Boolean $structuredlog = $glauth::structuredlog,
|
||||
Boolean $watchconfig = $glauth::watchconfig,
|
||||
|
||||
Boolean $ldap_enabled = $glauth::ldap_enabled,
|
||||
Stdlib::IP::Address $ldap_address = $glauth::ldap_address,
|
||||
Stdlib::Port $ldap_port = $glauth::ldap_port,
|
||||
Boolean $ldap_tls = $glauth::ldap_tls,
|
||||
Stdlib::Absolutepath $ldap_tlscertpath = $glauth::ldap_tlscertpath,
|
||||
Stdlib::Absolutepath $ldap_tlskeypath = $glauth::ldap_tlskeypath,
|
||||
|
||||
Boolean $ldaps_enabled = $glauth::ldaps_enabled,
|
||||
Stdlib::IP::Address $ldaps_address = $glauth::ldaps_address,
|
||||
Stdlib::Port $ldaps_port = $glauth::ldaps_port,
|
||||
Stdlib::Absolutepath $ldaps_cert = $glauth::ldaps_cert,
|
||||
Stdlib::Absolutepath $ldaps_key = $glauth::ldaps_key,
|
||||
|
||||
String $backend_datastore = $glauth::backend_datastore,
|
||||
String $backend_basedn = $glauth::backend_basedn,
|
||||
String $backend_nameformat = $glauth::backend_nameformat,
|
||||
String $backend_groupformat = $glauth::backend_groupformat,
|
||||
Boolean $backend_anonymousdse = $glauth::backend_anonymousdse,
|
||||
String $backend_sshkeyattr = $glauth::backend_sshkeyattr,
|
||||
|
||||
Boolean $behaviors_ignorecapabilities = $glauth::behaviors_ignorecapabilities,
|
||||
Boolean $behaviors_limitfailedbinds = $glauth::behaviors_limitfailedbinds,
|
||||
Integer $behaviors_numberoffailedbinds = $glauth::behaviors_numberoffailedbinds,
|
||||
Integer $behaviors_periodoffailedbinds = $glauth::behaviors_periodoffailedbinds,
|
||||
Integer $behaviors_blockfailedbindsfor = $glauth::behaviors_blockfailedbindsfor,
|
||||
Integer $behaviors_prunesourcetableevery = $glauth::behaviors_prunesourcetableevery,
|
||||
Integer $behaviors_prunesourcesolderthan = $glauth::behaviors_prunesourcesolderthan,
|
||||
|
||||
Boolean $api_enabled = $glauth::api_enabled,
|
||||
Boolean $api_internals = $glauth::api_internals,
|
||||
Boolean $api_tls = $glauth::api_tls,
|
||||
Stdlib::IP::Address $api_address = $glauth::api_address,
|
||||
Stdlib::Port $api_port = $glauth::api_port,
|
||||
Stdlib::Absolutepath $api_cert = $glauth::api_cert,
|
||||
Stdlib::Absolutepath $api_key = $glauth::api_key,
|
||||
|
||||
String $user = $glauth::user,
|
||||
String $group = $glauth::group,
|
||||
Stdlib::Absolutepath $bin_dir = $glauth::bin_dir,
|
||||
Stdlib::Absolutepath $bin_path = $glauth::bin_path,
|
||||
Stdlib::Absolutepath $config_dir = $glauth::config_dir,
|
||||
Stdlib::Absolutepath $config_path = $glauth::config_path,
|
||||
Boolean $manage_defaults = $glauth::manage_defaults,
|
||||
) {
|
||||
|
||||
mkdir::p {$config_dir:}
|
||||
file { [ $config_dir ]:
|
||||
ensure => directory,
|
||||
owner => $user,
|
||||
group => $group,
|
||||
}
|
||||
|
||||
concat { $config_path:
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0644',
|
||||
require => File[$config_dir],
|
||||
}
|
||||
|
||||
if $manage_defaults {
|
||||
Glauth::Obj::User {
|
||||
config_path => $config_path,
|
||||
}
|
||||
Glauth::Obj::Service {
|
||||
config_path => $config_path,
|
||||
}
|
||||
Glauth::Obj::Group {
|
||||
config_path => $config_path,
|
||||
}
|
||||
}
|
||||
|
||||
concat::fragment { 'glauth_general':
|
||||
target => $config_path,
|
||||
content => epp('glauth/general.epp', {
|
||||
'debug' => $debug,
|
||||
'syslog' => $syslog,
|
||||
'structuredlog' => $structuredlog,
|
||||
'watchconfig' => $watchconfig,
|
||||
}),
|
||||
order => 10,
|
||||
}
|
||||
|
||||
concat::fragment { 'glauth_ldap':
|
||||
target => $config_path,
|
||||
content => epp('glauth/ldap.epp', {
|
||||
'ldap_enabled' => $ldap_enabled,
|
||||
'ldap_address' => $ldap_address,
|
||||
'ldap_port' => $ldap_port,
|
||||
'ldap_tls' => $ldap_tls,
|
||||
'ldap_tlscertpath' => $ldap_tlscertpath,
|
||||
'ldap_tlskeypath' => $ldap_tlskeypath,
|
||||
}),
|
||||
order => 20,
|
||||
}
|
||||
|
||||
concat::fragment { 'glauth_ldaps':
|
||||
target => $config_path,
|
||||
content => epp('glauth/ldaps.epp', {
|
||||
'ldaps_enabled' => $ldaps_enabled,
|
||||
'ldaps_address' => $ldaps_address,
|
||||
'ldaps_port' => $ldaps_port,
|
||||
'ldaps_cert' => $ldaps_cert,
|
||||
'ldaps_key' => $ldaps_key,
|
||||
}),
|
||||
order => 30,
|
||||
}
|
||||
|
||||
concat::fragment { 'glauth_backend':
|
||||
target => $config_path,
|
||||
content => epp('glauth/backend.epp', {
|
||||
'backend_datastore' => $backend_datastore,
|
||||
'backend_basedn' => $backend_basedn,
|
||||
'backend_nameformat' => $backend_nameformat,
|
||||
'backend_groupformat' => $backend_groupformat,
|
||||
'backend_anonymousdse' => $backend_anonymousdse,
|
||||
'backend_sshkeyattr' => $backend_sshkeyattr,
|
||||
}),
|
||||
order => 40,
|
||||
}
|
||||
|
||||
concat::fragment { 'glauth_behaviors':
|
||||
target => $config_path,
|
||||
content => epp('glauth/behaviors.epp', {
|
||||
'ignorecapabilities' => $behaviors_ignorecapabilities,
|
||||
'limitfailedbinds' => $behaviors_limitfailedbinds,
|
||||
'numberoffailedbinds' => $behaviors_numberoffailedbinds,
|
||||
'periodoffailedbinds' => $behaviors_periodoffailedbinds,
|
||||
'blockfailedbindsfor' => $behaviors_blockfailedbindsfor,
|
||||
'prunesourcetableevery' => $behaviors_prunesourcetableevery,
|
||||
'prunesourcesolderthan' => $behaviors_prunesourcesolderthan,
|
||||
}),
|
||||
order => 50,
|
||||
}
|
||||
|
||||
concat::fragment { 'glauth_api':
|
||||
target => $config_path,
|
||||
content => epp('glauth/api.epp', {
|
||||
'api_enabled' => $api_enabled,
|
||||
'api_internals' => $api_internals,
|
||||
'api_tls' => $api_tls,
|
||||
'api_address' => $api_address,
|
||||
'api_port' => $api_port,
|
||||
'api_cert' => $api_cert,
|
||||
'api_key' => $api_key,
|
||||
}),
|
||||
order => 60,
|
||||
}
|
||||
}
|
||||
@@ -1,64 +0,0 @@
|
||||
# glauth inititalisation class
|
||||
class glauth (
|
||||
Boolean $debug = $glauth::params::debug,
|
||||
Boolean $syslog = $glauth::params::syslog,
|
||||
Boolean $structuredlog = $glauth::params::structuredlog,
|
||||
Boolean $watchconfig = $glauth::params::watchconfig,
|
||||
Array $packages = $glauth::params::packages,
|
||||
|
||||
Boolean $ldap_enabled = $glauth::params::ldap_enabled,
|
||||
Stdlib::IP::Address $ldap_address = $glauth::params::ldap_address,
|
||||
Stdlib::Port $ldap_port = $glauth::params::ldap_port,
|
||||
Boolean $ldap_tls = $glauth::params::ldap_tls,
|
||||
Stdlib::Absolutepath $ldap_tlscertpath = $glauth::params::ldap_tlscertpath,
|
||||
Stdlib::Absolutepath $ldap_tlskeypath = $glauth::params::ldap_tlskeypath,
|
||||
|
||||
Boolean $ldaps_enabled = $glauth::params::ldaps_enabled,
|
||||
Stdlib::IP::Address $ldaps_address = $glauth::params::ldaps_address,
|
||||
Stdlib::Port $ldaps_port = $glauth::params::ldaps_port,
|
||||
Stdlib::Absolutepath $ldaps_cert = $glauth::params::ldaps_cert,
|
||||
Stdlib::Absolutepath $ldaps_key = $glauth::params::ldaps_key,
|
||||
|
||||
String $backend_datastore = $glauth::params::backend_datastore,
|
||||
String $backend_basedn = $glauth::params::backend_basedn,
|
||||
String $backend_nameformat = $glauth::params::backend_nameformat,
|
||||
String $backend_groupformat = $glauth::params::backend_groupformat,
|
||||
Boolean $backend_anonymousdse = $glauth::params::backend_anonymousdse,
|
||||
String $backend_sshkeyattr = $glauth::params::backend_sshkeyattr,
|
||||
|
||||
Boolean $behaviors_ignorecapabilities = $glauth::params::behaviors_ignorecapabilities,
|
||||
Boolean $behaviors_limitfailedbinds = $glauth::params::behaviors_limitfailedbinds,
|
||||
Integer $behaviors_numberoffailedbinds = $glauth::params::behaviors_numberoffailedbinds,
|
||||
Integer $behaviors_periodoffailedbinds = $glauth::params::behaviors_periodoffailedbinds,
|
||||
Integer $behaviors_blockfailedbindsfor = $glauth::params::behaviors_blockfailedbindsfor,
|
||||
Integer $behaviors_prunesourcetableevery = $glauth::params::behaviors_prunesourcetableevery,
|
||||
Integer $behaviors_prunesourcesolderthan = $glauth::params::behaviors_prunesourcesolderthan,
|
||||
|
||||
Boolean $api_enabled = $glauth::params::api_enabled,
|
||||
Boolean $api_internals = $glauth::params::api_internals,
|
||||
Boolean $api_tls = $glauth::params::api_tls,
|
||||
Stdlib::IP::Address $api_address = $glauth::params::api_address,
|
||||
Stdlib::Port $api_port = $glauth::params::api_port,
|
||||
Stdlib::Absolutepath $api_cert = $glauth::params::api_cert,
|
||||
Stdlib::Absolutepath $api_key = $glauth::params::api_key,
|
||||
|
||||
String $user = $glauth::params::user,
|
||||
String $group = $glauth::params::group,
|
||||
Stdlib::Absolutepath $bin_dir = $glauth::params::bin_dir,
|
||||
Stdlib::Absolutepath $bin_path = $glauth::params::bin_path,
|
||||
Stdlib::Absolutepath $config_dir = $glauth::params::config_dir,
|
||||
Stdlib::Absolutepath $config_path = $glauth::params::config_path,
|
||||
Boolean $service_enable = $glauth::params::service_enable,
|
||||
String $service_name = $glauth::params::service_name,
|
||||
String $download_version = $glauth::params::download_version,
|
||||
String $download_url = $glauth::params::download_url,
|
||||
Boolean $manage_defaults = $glauth::params::manage_defaults,
|
||||
|
||||
) inherits glauth::params {
|
||||
|
||||
include glauth::install
|
||||
include glauth::config
|
||||
include glauth::service
|
||||
|
||||
Class['glauth::install'] -> Class['glauth::config'] -> Class['glauth::service']
|
||||
}
|
||||
@@ -1,45 +0,0 @@
|
||||
# install the glauth directories and binary
|
||||
class glauth::install (
|
||||
String $user = $glauth::user,
|
||||
String $group = $glauth::group,
|
||||
Stdlib::Absolutepath $bin_dir = $glauth::bin_dir,
|
||||
Stdlib::Absolutepath $bin_path = $glauth::bin_path,
|
||||
Stdlib::Absolutepath $config_dir = $glauth::config_path,
|
||||
Stdlib::Absolutepath $config_path = $glauth::config_path,
|
||||
String $download_url = $glauth::download_url,
|
||||
Array $packages = $glauth::packages,
|
||||
){
|
||||
user { $user:
|
||||
ensure => present,
|
||||
system => true,
|
||||
gid => $group,
|
||||
require => Group[$group],
|
||||
}
|
||||
|
||||
group { $group:
|
||||
ensure => present,
|
||||
system => true,
|
||||
}
|
||||
|
||||
ensure_resources('package', $packages => {ensure => 'present'})
|
||||
|
||||
archive { 'glauth':
|
||||
ensure => present,
|
||||
url => $download_url,
|
||||
extract => false,
|
||||
path => $bin_path,
|
||||
creates => $bin_path,
|
||||
cleanup => false,
|
||||
extract_path => $bin_dir,
|
||||
user => 'root',
|
||||
group => 'root',
|
||||
}
|
||||
|
||||
file{ $bin_path:
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
require => Archive['glauth'],
|
||||
}
|
||||
}
|
||||
@@ -1,17 +0,0 @@
|
||||
# define a group object
|
||||
define glauth::obj::group (
|
||||
String $group_name,
|
||||
Integer $gidnumber,
|
||||
Stdlib::Absolutepath $config_path,
|
||||
Optional[Array[Integer]] $includegroups = [],
|
||||
) {
|
||||
concat::fragment { "glauth_group_${group_name}":
|
||||
target => $config_path,
|
||||
content => epp('glauth/obj/group.epp', {
|
||||
'name' => $group_name,
|
||||
'gidnumber' => $gidnumber,
|
||||
'includegroups' => $includegroups,
|
||||
}),
|
||||
order => '90',
|
||||
}
|
||||
}
|
||||
@@ -1,27 +0,0 @@
|
||||
# define a service object
|
||||
define glauth::obj::service (
|
||||
String $service_name,
|
||||
String $mail,
|
||||
Integer $uidnumber,
|
||||
Integer $primarygroup,
|
||||
String $passsha256,
|
||||
Stdlib::Absolutepath $config_path,
|
||||
Optional[Array[Integer]] $othergroups = [],
|
||||
) {
|
||||
$formatted_othergroups = $othergroups.empty ? {
|
||||
true => '[]',
|
||||
false => "[${othergroups.join(', ')}]",
|
||||
}
|
||||
concat::fragment { "glauth_service_${service_name}":
|
||||
target => $config_path,
|
||||
content => epp('glauth/obj/service.epp', {
|
||||
'name' => $service_name,
|
||||
'mail' => $mail,
|
||||
'uidnumber' => $uidnumber,
|
||||
'primarygroup' => $primarygroup,
|
||||
'passsha256' => $passsha256,
|
||||
'othergroups' => $formatted_othergroups,
|
||||
}),
|
||||
order => '80',
|
||||
}
|
||||
}
|
||||
@@ -1,26 +0,0 @@
|
||||
# define a user object
|
||||
define glauth::obj::user (
|
||||
String $user_name,
|
||||
String $mail,
|
||||
Integer $uidnumber,
|
||||
Integer $primarygroup,
|
||||
String $passsha256,
|
||||
Stdlib::Absolutepath $config_path,
|
||||
String $givenname = '',
|
||||
String $sn = '',
|
||||
String $loginshell = '',
|
||||
String $homedir = '',
|
||||
Optional[Array[String]] $sshkeys = [],
|
||||
Optional[Array[String]] $passappsha256 = [],
|
||||
Optional[Array[Integer]] $othergroups = [],
|
||||
) {
|
||||
$formatted_othergroups = $othergroups.empty ? {
|
||||
true => '[]',
|
||||
false => "[${othergroups.join(', ')}]",
|
||||
}
|
||||
concat::fragment { "glauth_user_${user_name}":
|
||||
target => $config_path,
|
||||
content => template('glauth/obj/user.erb'),
|
||||
order => '70',
|
||||
}
|
||||
}
|
||||
@@ -1,58 +0,0 @@
|
||||
# params class for glauth
|
||||
class glauth::params (
|
||||
Boolean $debug = true,
|
||||
Boolean $syslog = true,
|
||||
Boolean $structuredlog = true,
|
||||
Boolean $watchconfig = true,
|
||||
Array $packages = [
|
||||
'openldap-clients',
|
||||
],
|
||||
|
||||
Boolean $ldap_enabled = true,
|
||||
Stdlib::IP::Address $ldap_address = '0.0.0.0',
|
||||
Stdlib::Port $ldap_port = 389,
|
||||
Boolean $ldap_tls = false,
|
||||
Stdlib::Absolutepath $ldap_tlscertpath = '/etc/glauth/glauth.crt',
|
||||
Stdlib::Absolutepath $ldap_tlskeypath = '/etc/glauth/glauth.key',
|
||||
|
||||
Boolean $ldaps_enabled = false,
|
||||
Stdlib::IP::Address $ldaps_address = '0.0.0.0',
|
||||
Stdlib::Port $ldaps_port = 636,
|
||||
Stdlib::Absolutepath $ldaps_cert = '/etc/glauth/glauth.crt',
|
||||
Stdlib::Absolutepath $ldaps_key = '/etc/glauth/glauth.key',
|
||||
|
||||
String $backend_datastore = 'config',
|
||||
String $backend_basedn = 'dc=main,dc=unkin,dc=net',
|
||||
String $backend_nameformat = 'cn',
|
||||
String $backend_groupformat = 'ou',
|
||||
Boolean $backend_anonymousdse = true,
|
||||
String $backend_sshkeyattr = 'sshPublicKey',
|
||||
|
||||
Boolean $behaviors_ignorecapabilities = true,
|
||||
Boolean $behaviors_limitfailedbinds = true,
|
||||
Integer $behaviors_numberoffailedbinds = 3,
|
||||
Integer $behaviors_periodoffailedbinds = 10,
|
||||
Integer $behaviors_blockfailedbindsfor = 60,
|
||||
Integer $behaviors_prunesourcetableevery = 600,
|
||||
Integer $behaviors_prunesourcesolderthan = 600,
|
||||
|
||||
Boolean $api_enabled = true,
|
||||
Boolean $api_internals = true,
|
||||
Boolean $api_tls = true,
|
||||
Stdlib::IP::Address $api_address = '0.0.0.0',
|
||||
Stdlib::Port $api_port = 5555,
|
||||
Stdlib::Absolutepath $api_cert = '/etc/glauth/cert.pem',
|
||||
Stdlib::Absolutepath $api_key = '/etc/glauth/key.pem',
|
||||
|
||||
String $user = 'glauth',
|
||||
String $group = 'glauth',
|
||||
Stdlib::Absolutepath $bin_dir = '/usr/local/bin',
|
||||
Stdlib::Absolutepath $bin_path = "${bin_dir}/glauth",
|
||||
Stdlib::Absolutepath $config_dir = '/etc/glauth',
|
||||
Stdlib::Absolutepath $config_path = "${config_dir}/glauth.conf",
|
||||
Boolean $service_enable = true,
|
||||
String $service_name = 'glauth',
|
||||
String $download_version = '2.3.2',
|
||||
String $download_url = "https://git.query.consul/api/packages/unkinben/generic/glauth/${download_version}/glauth-linux-amd64",
|
||||
Boolean $manage_defaults = true,
|
||||
){}
|
||||
@@ -1,30 +0,0 @@
# manage the glauth service/socket
class glauth::service (
$service_enable = $glauth::service_enable,
$service_name = $glauth::service_name,
$user = $glauth::user,
$group = $glauth::group,
$config_path = $glauth::config_path,
$bin_path = $glauth::bin_path,
$ldap_port = $glauth::ldap_port,
$ldaps_port = $glauth::ldaps_port,
$api_port = $glauth::api_port,
){
if $service_enable {
include ::systemd
systemd::unit_file { "${service_name}.service":
content => epp('glauth/systemd.service.epp', {
'bin_path' => $bin_path,
'config_path' => $config_path,
'user' => $user,
'group' => $group,
'service_name' => $service_name,
}),
enable => true,
active => true,
subscribe => Concat[$config_path],
# should also subscribe to tls certs
}
}
}
@@ -1,10 +0,0 @@
#################
# API configuration.
[api]
enabled = <%= $api_enabled %>
internals = <%= $api_internals %>
tls = <%= $api_tls %>
listen = "<%= $api_address %>:<%= $api_port %>"
cert = "<%= $api_cert %>"
key = "<%= $api_key %>"
@@ -1,10 +0,0 @@
#################
# The backend section controls the data store.
[backend]
datastore = "<%= $backend_datastore %>"
baseDN = "<%= $backend_basedn %>"
nameformat = "<%= $backend_nameformat %>"
groupformat = "<%= $backend_groupformat %>"
anonymousdse = <%= $backend_anonymousdse %>
sshkeyattr = "<%= $backend_sshkeyattr %>"
@@ -1,11 +0,0 @@
#################
# Behaviors configuration.
[behaviors]
IgnoreCapabilities = <%= $ignorecapabilities %>
LimitFailedBinds = <%= $limitfailedbinds %>
NumberOfFailedBinds = <%= $numberoffailedbinds %>
PeriodOfFailedBinds = <%= $periodoffailedbinds %>
BlockFailedBindsFor = <%= $blockfailedbindsfor %>
PruneSourceTableEvery = <%= $prunesourcetableevery %>
PruneSourcesOlderThan = <%= $prunesourcesolderthan %>
@@ -1,7 +0,0 @@
#################
# General configuration.
debug = <%= $debug %>
syslog = <%= $syslog %>
structuredlog = <%= $structuredlog %>
watchconfig = <%= $watchconfig %>
@@ -1,9 +0,0 @@
#################
# Server configuration.
[ldap]
enabled = <%= $ldap_enabled %>
listen = "<%= $ldap_address %>:<%= $ldap_port %>"
tls = <%= $ldap_tls %>
tlsCertPath = "<%= $ldap_tlscertpath %>"
tlsKeyPath = "<%= $ldap_tlskeypath %>"
@@ -1,8 +0,0 @@
#################
# Server configuration.
[ldaps]
enabled = <%= $ldaps_enabled %>
listen = "<%= $ldaps_address %>:<%= $ldaps_port %>"
cert = "<%= $ldaps_cert %>"
key = "<%= $ldaps_key %>"
@@ -1,5 +0,0 @@
[[groups]]
name = "<%= $name %>"
gidnumber = <%= $gidnumber %>
<% if $includegroups.length > 0 { %>includegroups = [<%= $includegroups.join(', ') %>]<% } %>
@@ -1,8 +0,0 @@
[[users]]
name = "<%= $name %>"
mail = "<%= $mail %>"
uidnumber = <%= $uidnumber %>
primarygroup = <%= $primarygroup %>
passsha256 = "<%= $passsha256 %>"
othergroups = <%= $othergroups %>
@@ -1,26 +0,0 @@
[[users]]
name = "<%= @user_name %>"
<% if @givenname != '' -%>
givenname = "<%= @givenname %>"
<% end -%>
<% if @sn != '' -%>
sn = "<%= @sn %>"
<% end -%>
mail = "<%= @mail %>"
uidnumber = <%= @uidnumber %>
primarygroup = <%= @primarygroup %>
<% if @loginshell != '' -%>
loginShell = "<%= @loginshell %>"
<% end -%>
<% if @homedir != '' -%>
homeDir = "<%= @homedir %>"
<% end -%>
passsha256 = "<%= @passsha256 %>"
<% if @sshkeys.length > 0 -%>
sshkeys = [<%= @sshkeys.map { |key| "\"#{key}\"" }.join(', ') %>]
<% end -%>
<% if @passappsha256.length > 0 -%>
passappsha256 = [<%= @passappsha256.map { |pass| "\"#{pass}\"" }.join(', ') %>]
<% end -%>
othergroups = <%= @formatted_othergroups %>
@@ -1,14 +0,0 @@
[Unit]
Description=GLAuth Service
After=network.target
[Service]
User=<%= $user %>
Group=<%= $group %>
ExecStart=<%= $bin_path %> -c <%= $config_path %>
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
Also=<%= $service_name %>.socket
@@ -1,11 +0,0 @@
[Unit]
Description=GLAuth Socket
[Socket]
ListenStream=<%= $ldap_port %>
ListenStream=<%= $ldaps_port %>
ListenStream=<%= $api_port %>
NoDelay=true
[Install]
WantedBy=sockets.target
@@ -1,11 +0,0 @@
# manage jellyfin
class jellyfin (
$packages = $jellyfin::params::packages,
$service_enable = $jellyfin::params::service_enable,
) inherits jellyfin::params {
include jellyfin::install
include jellyfin::service
Class['jellyfin::install'] -> Class['jellyfin::service']
}