unkinben
528fbe4190
feat: implement dovecot backend server with postfix virtual mailbox integration
...
- create profiles::dovecot::backend class for IMAPS server configuration
- add virtual mailbox support to profiles::postfix::gateway with enable_dovecot parameter
- restructure common hieradata elements into mail.yaml
- add virtual mailbox and alias map templates with ERB generation
- add comprehensive type validation using Stdlib::Email, Stdlib::Fqdn, Stdlib::IP types
- configure vmail user (UID/GID 5000) with shared storage on /shared/apps/maildata
- update roles::infra::mail::backend to include both dovecot and postfix profiles
2025-11-02 11:53:02 +11:00
unkinben
78adef0eee
refactor: recreate profiles::postfix::gateway with parameterization and templates ( #416 )
...
- refactor profiles::postfix::gateway as parameterized class
- move base postfix parameters, transports, and virtuals to hiera for flexibility
- convert SMTP restrictions to arrays for better readability using join()
- add postscreen enable/disable boolean with conditional master.cf configuration
- add per-domain TLS policy maps (smtp_tls_policy_maps)
- convert alias_maps to array parameter for flexibility
- convert all postfix map files to ERB templates with parameter hashes
- add map parameters: sender_canonical_maps, sender_access_maps, relay_recipients_maps,
relay_domains_maps, recipient_canonical_maps, recipient_access_maps, postscreen_access_maps, helo_access_maps
- move default map data to hiera while keeping parameters as empty hashes by default
This approach balances flexibility with data-driven configuration, allowing
easy customization through parameters while keeping transport/virtual maps
and default map data in hiera for role-specific overrides.
Reviewed-on: #416
2025-11-01 17:26:00 +11:00
unkinben
81f289a185
feat: prepare for dovecot deployment ( #415 )
...
- add dovecot role
- import dovecot module via r10k
Reviewed-on: #415
2025-11-01 01:01:55 +11:00
unkinben
a2a8edb731
feat: implement comprehensive postfix gateway with eFa5 configuration ( #414 )
...
- add voxpupuli-postfix module to Puppetfile
- create profiles::postfix::gateway class with config based on efa5
- add master.cf entries for postscreen, smtpd, dnsblog, and tlsproxy services
- create postfix hash files: aliases, access controls, canonical maps
- configure TLS with system PKI certificates and strong cipher suites
- add transport and virtual alias mappings for mail routing
Reviewed-on: #414
2025-11-01 00:43:58 +11:00
unkinben
e129d1cf7a
feat: add mail::gateway role ( #413 )
...
- add a mail::gateway role, more to add later
- enables the build of hosts in this role immedately (config later)
Reviewed-on: #413
2025-10-19 19:09:51 +11:00
unkinben
e95a59b88a
feat: migrate puppetserver -> openvox-server ( #412 )
...
- enable openvox repo
- ensure puppetdb-termini and puppetserver are purged
- set openvox-server as the package to install
- set termini package to openvoxdb-termini
Reviewed-on: #412
2025-10-18 23:49:51 +11:00
unkinben
8bed80eac8
feat: migrate puppetdb -> openvoxdb ( #411 )
...
- ensure the puppetdb package is purged before openvoxdb
- ensure the openvoxdb package is installed
Reviewed-on: #411
2025-10-18 21:47:33 +11:00
unkinben
5ba483c68a
feat: add ZFS facts to prevent zpool disk changes ( #410 )
...
- add zfs_zpools and zfs_datasets facts to detect existing ZFS resources
- skip zpool creation when pools already exist
Reviewed-on: #410
2025-10-18 21:24:33 +11:00
unkinben
766233c3e5
fix: check if zfs-cache exists and isnt empty ( #409 )
...
- check the cache file exists, and isnt empty
- resolves idempotence for zpool-import-cache service
Reviewed-on: #409
2025-10-18 21:15:55 +11:00
unkinben
98b866fce7
feat: migrate puppet-agent to openvox ( #408 )
...
- change from puppet-agent to openvox-agent
- upgrade version from 7.34 to 7.36
- ensure workflow of: Yumrepo -> dnf-makecache -> Package
Reviewed-on: #408
2025-10-18 19:11:38 +11:00
unkinben
e724326d43
feat: allow access to runner certs ( #407 )
...
- allow access to runner certs, used for mtls auth to incus
Reviewed-on: #407
2025-10-17 22:46:45 +11:00
unkinben
d8b354558d
feat: add incus auto-client certificate trust ( #406 )
...
- add fact to export vault public cert from agents
- add fact to export list of trusted incus client certs
- add method for incus clients to export their client cert to be trusted
Reviewed-on: #406
2025-10-17 22:46:26 +11:00
unkinben
fac90c66db
feat: use vault certificates for incus ( #405 )
...
- replace default incus certificates with vault-generated ephemeral certificates
- configure incus service to restart on certificate changes
Reviewed-on: #405
2025-10-17 17:22:09 +11:00
unkinben
efbbb6bcb1
feat: moderate the k8s install ( #403 )
...
- only install a base config
- wait for 3 masters before deploying helm charts
- remove cluster-domain
- manage nginx ingres via rke2 helmconfig
Reviewed-on: #403
2025-10-12 17:50:24 +11:00
unkinben
16e654fdd7
feat: use openbao ( #404 )
...
- change vault role to use openbao
Reviewed-on: #404
2025-10-11 20:55:21 +11:00
unkinben
66d8815e16
fix: ensure nginx restarts on certificate changes ( #402 )
...
Add hasrestart => true to nginx service in simpleproxy profile to ensure
nginx performs a full restart (not reload) when certificate files change.
This is required because nginx reload does not pick up SSL certificate
changes from disk.
Reviewed-on: #402
2025-09-29 22:38:00 +10:00
unkinben
a9c959d924
fix: remove unicode from ceph-csi-yaml ( #400 )
...
Reviewed-on: #400
2025-09-21 00:41:06 +10:00
unkinben
b224cfb516
fix: cattle-system namespace ( #399 )
...
- cattle-system namespace is created earlier than helm
- leave namespaces.yaml to manage cattle-system namespace (required
before installing helm/rancher)
Reviewed-on: #399
2025-09-21 00:21:41 +10:00
unkinben
4c9204858e
feat: define node-token from puppet ( #398 )
...
- define the token on the bootstrap node too, so node-token is defined
for new clusters
Reviewed-on: #398
2025-09-20 22:25:56 +10:00
unkinben
571a9b25a7
fix: resolve rke2-server errors ( #397 )
...
- kubectl yaml files must not use underscores
- replace unicode hyphen with ascii hyphen
Reviewed-on: #397
2025-09-20 18:40:18 +10:00
unkinben
762f415d2d
feat: k8s helm rework ( #396 )
...
- remove helm-generated-yaml, replace with helm execs
- template/parameterise ceph csi
Reviewed-on: #396
2025-09-20 17:40:41 +10:00
unkinben
4e77fb7ee7
feat: manage rancher, purelb, cert-manager ( #395 )
...
This change will install rancher, purelb and cert-manager, then
configure a dmz and common ip pool to be used by loadbalancers. The
nginx ingres controller is configured to use 198.18.200.0 (common) and
announce the ip from all nodes so that it becomes an anycast ip in ospf.
- manage the install of rancher, purelb and cert-manager
- add rancher ingress routes
- add nginx externalip/loadBalancer
Reviewed-on: #395
2025-09-14 20:59:39 +10:00
unkinben
6e4bc9fbc7
feat: adding rke2 ( #394 )
...
- manage rke2 repos
- add rke2 module (init, params, install, config, service)
- split roles::infra::k8s::node -> control/compute roles
- moved common k8s config into k8s.yaml
- add bootstrap_node, manage server and token fields in rke2 config
- manage install of helm
- manage node attributes (from puppet facts)
- manage frr exclusions for service/cluster network
Reviewed-on: #394
2025-09-14 13:27:49 +10:00
unkinben
012e842d7d
feat: add cleanup to autopromoter ( #393 )
...
- ensure the autopromoter removes hardlinks/replicas for repos older
than the current promoted monthly
- this is to reduce MDS load for ceph, as hardlinks require memory
Reviewed-on: #393
2025-09-13 20:08:32 +10:00
unkinben
98a433d366
feat: mirror rke2 repo for rhel9 ( #392 )
...
- create rhel9 mirrors for rke2 1.33 and common
Reviewed-on: #392
2025-09-13 19:49:52 +10:00
unkinben
fcd1b049d6
feat: ensure frr_exporter can read ospf socket ( #391 )
...
- add execute permission to frr socket directory
Reviewed-on: #391
2025-09-13 15:08:32 +10:00
unkinben
938a6ac990
feat: update docs for puppet ( #390 )
...
- k8s / metallb / cilium created chaos
- broke puppet agent and servers
- adding issue/resolution here
Reviewed-on: #390
2025-09-13 12:57:44 +10:00
unkinben
0665873dc8
feat: update ospf source for learned routes ( #388 )
...
- enable changing the source address for learned ospf routes
- this enables the loopback0 interface to be used as a default src address
- ensure k8s nodes use loopback0 as default src
- ensure incus nodes use loopback0 as default src
Reviewed-on: #388
2025-09-07 16:09:21 +10:00
unkinben
ae4eb3a5eb
fix: set loopback0 as source for consul ( #387 )
...
- fix consul service checks for prodnxsr0001-0008
- ensure the loopback0 interface whats bound too
Reviewed-on: #387
2025-09-07 15:48:27 +10:00
unkinben
65fb52da55
chore: add user for jelly ( #385 )
...
Reviewed-on: #385
2025-09-04 20:09:43 +10:00
unkinben
d97cbfd570
chore: update src ips for arr stack ( #384 )
...
- allow the arr stack to reach prowlarr
Reviewed-on: #384
2025-08-31 18:52:47 +10:00
unkinben
8f5d102945
feat: enabling changing ip for consul client ( #383 )
...
- enable ability to set consul client bind/advertise ip
Reviewed-on: #383
2025-08-14 22:55:35 +10:00
unkinben
62aade77ff
feat: add ceph-dashboard to haproxy ( #382 )
...
- add profile to export haproxy backend
- add new cert for dashboard.ceph.unkin.net
- extend balancemember with ipaddress attribute
Reviewed-on: #382
2025-08-14 11:06:11 +10:00
unkinben
83bb3e1085
chore: increase client body size for s3 ( #381 )
...
- s3 clients send objects too large for the default body size
Reviewed-on: #381
2025-08-13 16:41:39 +10:00
unkinben
92728047e7
feat: add ceph rgw ( #380 )
...
- start managing ceph configuration file
- manage ceph-radosgw
- merge the ceph::conf and ceph::node profiles
- ensure the ceph repos exist
- mange nginx frontend and consul service
Reviewed-on: #380
2025-08-13 12:33:41 +10:00
unkinben
f4af5e7b64
chore: add rados gateway role ( #379 )
...
- just enough role to deploy some containers
Reviewed-on: #379
2025-08-10 19:31:39 +10:00
unkinben
308d97d783
feat: enable plugins for grafana ( #378 )
...
- add method to install plugins for grafana
- ensure victoriametrics-logs-datasource is installed
Reviewed-on: #378
2025-08-09 17:57:49 +10:00
unkinben
ac36d9627b
feat: capture all journald logs ( #377 )
...
- create module class for journald clients
- ensure module class it used on all hosts
- use consul service address for insert/journald
Reviewed-on: #377
2025-08-09 15:11:47 +10:00
unkinben
198cee27c2
feat: enable https for vlstorage ( #376 )
...
- attempting to send to http:// fails as vlstorage is using tls
- enable tls on vlselect/vlinsert when writing to vlstorage
- add retention period to vlstorage
Reviewed-on: #376
2025-08-09 14:34:48 +10:00
unkinben
f73d6f07ce
fix: generate types as root ( #375 )
...
- larger permission issue that needs fixing
- reduce the number of failed runs
Reviewed-on: #375
2025-08-09 13:30:12 +10:00
unkinben
1c71229fd3
feat: add victorialogs module ( #374 )
...
- add module for victorialogs
- add hieradata for vl insert/select/storage
- manage packages, directories, services, etc
- manage exporting metrics
Reviewed-on: #374
2025-08-08 23:59:46 +10:00
unkinben
d649195ccc
fix: generate types needs to run more often ( #373 )
...
- seeing frequent errors in puppetboard about types missing
- change the puppet-generate-types timer from daily to per-minute
Reviewed-on: #373
2025-08-07 20:53:06 +10:00
unkinben
fcd0bc4c74
feat: add victorialogs roles ( #372 )
...
- and hieradata
- empty roles currently
Reviewed-on: #372
2025-08-07 20:34:42 +10:00
unkinben
a30ff81139
fix: reduce metadata lifetime ( #371 )
...
- metadata lifetime should be lowered to improve development speed
Reviewed-on: #371
2025-08-03 21:04:47 +10:00
unkinben
bbed65b4b8
benvin/frr_exporter ( #370 )
...
Reviewed-on: #370
2025-08-03 20:14:19 +10:00
unkinben
75ca7a5685
feat: add frr_exporter class ( #369 )
...
- add frr exporter to all nodes running frr
Reviewed-on: #369
2025-08-03 16:15:29 +10:00
unkinben
53fabc923b
feat: add nzbget_exporter ( #368 )
...
- add nzbget_exporter class
- add exporter to nzbget class
Reviewed-on: #368
2025-08-03 15:03:29 +10:00
unkinben
5a9241940f
feat: export ceph metrics ( #367 )
...
- export cephmgr metrics
- will only be availabe from one host at a time
Reviewed-on: #367
2025-07-29 18:54:49 +10:00
unkinben
df457306cc
feat: add external grafana access ( #366 )
...
- enable access to grafana through haproxy
- ensure grafana cert created from letsencrypt
- enable user access to grafana
Reviewed-on: #366
2025-07-28 21:07:43 +10:00
unkinben
7fbb87b4b6
feat: add exportarr ( #365 )
...
- add exporters::exportarr
- deploy for radarr, sonarr and prowlarr
Reviewed-on: #365
2025-07-27 19:47:26 +10:00
unkinben
fd902c1437
feat: create exporters module ( #364 )
...
- upgrade node_exporter, bring managed under exporters module
- upgrade postgres_exporter, bring managed under exporters module
- add flag to cleanup previous iterations of exporters from prometheus module
- fix issues with vmclusster: replication + dedup
Reviewed-on: #364
2025-07-27 13:28:41 +10:00
unkinben
0e64c9855a
feat: add vmcluster module ( #363 )
...
- manage vmstorage package, service and environment file
- manage vmselect package, service and environment file
- manage vminsert package, service and environment file
- manage vmagent package, service and environment file
- manage options for vmstorage, vmselect, vminsert, vmagent role
Reviewed-on: #363
2025-07-26 18:17:20 +10:00
unkinben
3cfafbac44
feat: enable ceph on k8s nodes ( #362 )
...
- enable enough ceph/frr to join to cephfs
- notify sshd when restarting the network
- update ssh principals to include all ssh interfaces
Reviewed-on: #362
2025-07-19 20:30:46 +10:00
unkinben
c5c40c3bfd
chore: cleanup old physicals ( #361 )
...
- cleanup old nodes to redeploy them
Reviewed-on: #361
2025-07-15 22:34:46 +10:00
unkinben
98f1961a07
benvin/ceph_common ( #360 )
...
Reviewed-on: #360
2025-07-15 20:38:39 +10:00
unkinben
eb1ada8ea5
fix: duplicate declatation ( #359 )
...
- only install ceph-common once
Reviewed-on: #359
2025-07-15 20:31:09 +10:00
unkinben
ec3e42901a
feat: add basic k8s node role ( #358 )
...
- update prodnxsr0001-8 to use networkd
- add basic k8s node role
Reviewed-on: #358
2025-07-15 20:18:17 +10:00
unkinben
e905afcab0
chore: cleanup hieradata/nodes ( #357 )
...
- cleanup decommed nodes
- remove unneccessary node data
Reviewed-on: #357
2025-07-13 21:40:32 +10:00
unkinben
de6e7d0ba9
feat: add vmagent role ( #356 )
...
- add vmagent role for vicmet
Reviewed-on: #356
2025-07-13 17:20:58 +10:00
unkinben
780a97dfe4
feat: add new cobbler master ( #355 )
...
- change cobbler.main.unkin.net to 2098
Reviewed-on: #355
2025-07-12 20:31:43 +10:00
unkinben
9aa6472e5b
feat: ensure /etc/NetworkManager/conf.d exists ( #354 )
...
- required to create dns-none setting
Reviewed-on: #354
2025-07-12 14:19:22 +10:00
unkinben
80ab4e6889
chore: update cobbler for el9 ( #353 )
...
- update cobbler/cobbler-web package
- update path for ipxebins
Reviewed-on: #353
2025-07-12 14:19:14 +10:00
unkinben
ccda327c7a
gchore: cleanup old vms ( #352 )
...
- remove ntp01/ntp02
- remove old gitea
- remove mariadb galera vms
Reviewed-on: #352
2025-07-09 21:18:23 +10:00
unkinben
acef1bde29
feat: move puppetca role ( #351 )
...
- move puppetca from vm to lxd
Reviewed-on: #351
2025-07-09 21:15:09 +10:00
unkinben
7d87e11e79
feat: add victoria metrics roles ( #350 )
...
- add vmstorage, vmselect and vminsert roles
- base roles, only adding packages
- preparation for standing up a vicmet cluster
Reviewed-on: #350
2025-07-08 20:34:46 +10:00
unkinben
40c57ede59
feat: add ci build task ( #342 )
...
- a ci workflow for build tests
- run pre-commit against all files
Reviewed-on: #342
2025-07-08 20:19:36 +10:00
unkinben
be02d3d150
feat: migrate to external ntp ( #349 )
...
- removing ntp vms from proxmox
- redirect ntp to external time sources
Reviewed-on: #349
2025-07-07 20:27:02 +10:00
unkinben
a550d48f21
fix: sort nameservers ( #348 )
...
- sort nameservers before creating glue records
Reviewed-on: #348
2025-07-06 20:09:19 +10:00
unkinben
2d9faf578f
feat: add unkin.net domain ( #347 )
...
- manage the unkin.net domain
- ensure forwarding for unkin.net
- split domain from cname list and set zone correctly
- add fafflix to cnames list for haproxy2
Reviewed-on: #347
2025-07-06 20:02:20 +10:00
unkinben
2814a55df6
chore: hard-code git.unkin.net path ( #346 )
...
- dirty fix, set git.unkin.net in hosts file template
- avoid hairpint nat
Reviewed-on: #346
2025-07-06 16:43:07 +10:00
unkinben
73362a3bf9
feat: add stick tables for gitea ( #345 )
...
- stick tables are required for docker authentication
Reviewed-on: #345
2025-07-06 14:42:14 +10:00
unkinben
0063f68bc6
feat: enable external access to gitea ( #344 )
...
- add git.unkin.net to certbot
- export haproxy resources for gitea
- add be_gitea to haproxy, import the certbot cert
- update the ROOT_URL for gitea instances
Reviewed-on: #344
2025-07-06 13:47:56 +10:00
unkinben
372d99893a
core: fix ROOT_URL ( #343 )
...
- root_url is used for docker authentication
- access to git.unkin.net is not yet ready
Reviewed-on: https://git.query.consul/unkin/puppet-prod/pulls/343
2025-07-06 13:20:27 +10:00
unkinben
620339f69d
chore: cleanup hieradata/nodes ( #341 )
...
- remove all node hiera data for decommed hosts
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/341
2025-07-06 12:23:22 +10:00
unkinben
2317d0af59
feat: expose gitea metrics ( #340 )
...
- add a gitea-metrics service to consul
- tag as metrics for victoria metrics
- check the /metrics endpoint (bypass nginx)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/340
2025-07-06 12:01:57 +10:00
unkinben
cf0ff85b70
fix: manage git user ( #339 )
...
- prevent different gid/uid for git users when deploying cluster
- only add sudo conf when sudo_rules is a list
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/339
2025-07-06 11:27:35 +10:00
unkinben
359ce101f1
feat: add indexer for git ( #338 )
...
- reuse the database for the indexer
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/338
2025-07-05 17:12:38 +10:00
unkinben
b6c959d368
feat: use redis for cache/queue ( #337 )
...
- use gitea redis cluster for queue/cache
- use redis+sentinel url (pass required for redis and sentinel)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/337
2025-07-05 16:42:01 +10:00
unkinben
b976f2063a
feat: deploy redis for git ( #336 )
...
- deploy redis/sentinel ha cluster for git
- update redis to 7 (required for almalinux 9)
- enable requirepass/masterauth
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/336
2025-07-05 15:51:28 +10:00
unkinben
93049707e7
benvin/gitea_cluster ( #335 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/335
2025-07-05 14:49:56 +10:00
unkinben
a9faa098ee
benvin/grafana_postgres ( #334 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/334
2025-07-01 19:07:24 +10:00
unkinben
61d912de30
feat: update password for grafana service account ( #333 )
...
- updated grafana password
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/333
2025-06-30 20:22:18 +10:00
unkinben
9bed18f78c
fix: duplicate toml resources ( #332 )
...
- change resource name for puppetserver_gem
- ensure toml installed on all agents
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/332
2025-06-30 19:57:29 +10:00
unkinben
aab3eaf9e7
feat: add grafana service to ldap ( #331 )
...
- add grafana service account for binding
- add grafana_user group
- add users to group
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/331
2025-06-30 19:17:56 +10:00
unkinben
33c8b226e0
feat: add puppetserver gem for toml ( #330 )
...
- require toml for puppetserver gem
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/330
2025-06-30 19:05:12 +10:00
unkinben
49ff7cc3ab
feat: add toml puppet gem ( #329 )
...
- required for ldap support in grafana
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/329
2025-06-30 19:02:37 +10:00
unkinben
d1e63ad18b
feat: add shared pgsql instance ( #328 )
...
- add shared pgsql instance
- use patroni
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/328
2025-06-29 17:25:59 +10:00
unkinben
99b312669b
benvin/dhcp_failover ( #327 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/327
2025-06-29 13:36:16 +10:00
unkinben
715e88176b
chore: confine incus facts to incus ( #326 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/326
2025-06-28 21:24:08 +10:00
unkinben
1837506b6c
feat: add incus facts ( #325 )
...
- incus container counts
- incus profile list
- allocated memory/cpu
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/325
2025-06-28 21:14:39 +10:00
unkinben
3bb2a5dbad
fix: enable health check from haproxy2 ( #324 )
...
- tactical fix: enable dmz subnets container access to health url
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/324
2025-06-28 17:04:25 +10:00
unkinben
0ce6e95f2d
chore: cleanup removed hosts ( #323 )
...
- remove 1018, 1031, 1032, 1033
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/323
2025-06-28 16:28:03 +10:00
unkinben
770fd643ac
feat: add haproxy2 role ( #322 )
...
- add basic haproxy2 role
- add peers and resolvers
- add haproxy2+ metrics frontend
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/322
2025-06-28 16:20:06 +10:00
unkinben
bd9e08dc24
feat: cleanup hieranodes settings ( #321 )
...
- migrate hieranodes values to roles yaml
- rename anycast ip keys to be similar
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/321
2025-06-21 23:16:34 +10:00
unkinben
62837bb22d
feat: add zone to subnet facts ( #320 )
...
- add common and dmz zone fact information
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/320
2025-06-21 15:42:37 +10:00
unkinben
ae57e0e81c
feat: add openvox repos to reposync ( #319 )
...
- add el8/9/10 for openvox7/8
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/319
2025-06-19 06:06:41 +10:00
unkinben
cb1d562cb0
feat: migrate pupeptdb sql to patroni ( #318 )
...
- change puppetdb::sql to using the patroni profile
- change puppetdb::api to use new patroni cluster
- remove references to puppetlabs-puppetdb managed database
- update consul rules to enable sessions
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/318
2025-06-19 05:52:32 +10:00
unkinben
26b908e5e7
feat: add node_pools ( #317 )
...
- change agentv2 to common node_pool
- set default node_pool to default
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/317
2025-06-15 17:43:19 +10:00
unkinben
a47c6155b8
feat: use fqdn in host_volumes ( #316 )
...
- fix hard-coded message
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/316
2025-06-15 17:34:03 +10:00
unkinben
1cbc1be808
feat: add host_volumes to nomad ( #315 )
...
- add puppet client certs
- add tls-ca-bundle
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/315
2025-06-14 19:37:50 +10:00
unkinben
60834ced00
feat: nomad cni additions ( #314 )
...
- add consul-cni package
- enable grpc for consul servers
- enable consul connect for consul servers
- set recursors for consul
- add ports to consul agent (grpc, dns, http for nomad)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/314
2025-06-14 18:47:24 +10:00
unkinben
890e9670f3
chore: update the consul service name ( #313 )
...
- update the name for the packagerepo service
- was copy/pasted from jupyterhub
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/313
2025-06-09 14:46:16 +10:00
unkinben
a26daca28c
feat: stop manage nginx repo ( #312 )
...
- use epel repo for nginx
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/312
2025-06-09 14:18:30 +10:00
unkinben
057c4ab747
feat: manage nginx resource ordering ( #311 )
...
- ensure the package is installed before creating directories
- ensure nginx is restarted when vhost config changes
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/311
2025-06-09 11:18:39 +10:00
unkinben
1fb46b5ab6
chore: use packagerepo for epel ( #310 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/310
2025-06-09 10:24:56 +10:00
unkinben
66fdd7b615
feat: update incus image host to run on incus ( #309 )
...
- remove zfs
- remove some sysctl values
- remove memlocks from limits
- install iptables, required for creating bridges
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/309
2025-06-08 22:58:44 +10:00
unkinben
f43d5f685b
feat: update reposync repos ( #308 )
...
- remove almalinux 9.4
- add almalinux 9.6
- add epel 8 and 9
- update mssql
- add k8s 1.33
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/308
2025-06-01 18:20:10 +10:00
unkinben
bb2f59621a
feat: split reposync into two roles ( #307 )
...
- reposync and packagerepo web service
- change backing datastore to be cephfs /shared/app/packagerepo
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/307
2025-06-01 11:33:44 +10:00
unkinben
1df11b8977
chore: migrate certbot webserver ( #306 )
...
- ausyd1nxvm1021 is decommed
- new source is ausyd1nxvm2057
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/306
2025-05-31 16:22:59 +10:00
unkinben
10f2dc7047
feat: cleanup removed hosts ( #305 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/305
2025-05-31 14:26:16 +10:00
unkinben
1a904af2ee
feat: change g10k to use a package ( #304 )
...
- the archive path is no longer valid
- produced a g10k rpm with rpmbuilder
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/304
2025-05-31 13:51:51 +10:00
unkinben
ed1a4f6488
fix: missed address in consul service ( #303 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/303
2025-05-30 23:27:44 +10:00
unkinben
bdd833fa4e
feat: create basic k8s roles to start deployment ( #302 )
...
- just create roles so can deploy hosts
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/302
2025-05-30 23:21:02 +10:00
unkinben
c10a3e49fa
chore: add new user ( #301 )
...
- just jelly access
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/301
2025-05-28 19:46:45 +10:00
unkinben
3d5d40f381
chore: minor jellyfin updates ( #300 )
...
- add jellyfin to video group, for access to gpu
- install intel related gpu drivers
- export lxc jellyfin to haproxy
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/300
2025-05-27 19:55:55 +10:00
unkinben
b3347f9226
chore: migrate media applications ( #299 )
...
- migrate media applications to new cephfs pool + incus
- enable exporting haproxy
- move ceph-client-setup to only apply to non-lxc hosts
- ensure unrar is installed for nzbget
- updated jellyfin use of data_dir
- set lxc instances for jellyfin to use /shared/apps/jellyfin
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/299
2025-05-25 20:27:17 +10:00
unkinben
1d23fef82e
feat: update settings for ceph ( #298 )
...
- enable root logins via ssh with keys
- add ssh key for ceph to root user
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/298
2025-05-25 20:22:00 +10:00
unkinben
c0aab1087e
fix: readd to jellyfin_haproxy ( #297 )
...
- fix operator for jellyfin/haproxy
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/297
2025-05-24 21:10:56 +10:00
unkinben
596e498a00
feat: change media arr apps to hiera_include ( #296 )
...
- change profiles::media::* to be hiera_included
- this is required to enable it to be hiera_excluded on virtual == lxc
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/296
2025-05-24 20:23:56 +10:00
unkinben
f6694599ef
benvin/media_apps_incus ( #295 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/295
2025-05-24 20:18:23 +10:00
unkinben
93cd02deec
chore: update media roles for incus ( #294 )
...
- prevent incus roles from exporting haproxy endpoints (for now)
- incus doesnt need to mount cephfs
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/294
2025-05-24 18:59:46 +10:00
unkinben
520e8a34e0
feat: add a nomad agent v2 role ( #293 )
...
- excludes ceph (will be passed from incus)
- excludes frrouting (will use host-networking)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/293
2025-05-24 15:35:20 +10:00
unkinben
77d07672f8
chore: dont mount cephfs inside lxc ( #292 )
...
- lxc instances will have cephfs passed from the host
- skip cephfs mounting for lxc instances
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/292
2025-05-22 21:06:15 +10:00
unkinben
89a0f329d8
feat: update vault url ( #291 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/291
2025-05-21 19:58:12 +10:00
unkinben
6dcc7343e0
feat: updated ceph ssh authorized_key ( #290 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/290
2025-05-17 14:05:25 +10:00
unkinben
e7d4c75192
feat: enable ssh access to enp3s0 ( #289 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/289
2025-05-17 13:50:35 +10:00
unkinben
d9e8637ad6
feat: manage more ceph requirements ( #288 )
...
- add ceph-common to provide utilities for managing ceph
- add root and sysadmin ssh keys for ceph deployments
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/288
2025-05-17 11:14:45 +10:00
unkinben
92f0ae64b9
feat: enable ssh on all loopbacks ( #287 )
...
- required for cephadm to manage roles
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/287
2025-05-16 07:05:31 +10:00
unkinben
c1637d9f43
feat: add cephadm to incus hosts ( #286 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/286
2025-05-16 05:56:28 +10:00
unkinben
1aabe21173
feat: manage mon loopback0 ( #285 )
...
- add frrouting
- set all ceph nodes to use ospf + loopback0 + networkd
- fix ceph repos for mons
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/285
2025-05-15 19:46:59 +10:00
unkinben
2f088c461f
feat: add ceph roles ( #284 )
...
- add hieradata to manage ceph repo
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/284
2025-05-15 19:29:53 +10:00
unkinben
90504e5b02
chore: use alias for nameservers ( #283 )
...
- use an alias for nameservers for dhcp ranges
- move aliased nameservers to region-wide hiera
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/283
2025-05-14 20:19:18 +10:00
unkinben
a7b793238a
fix: exclude docker0 interfaces ( #282 )
...
- docker0 is the same on many hosts
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/282
2025-05-11 16:53:34 +10:00
unkinben
87a6c73578
neoloc/loopback_dns ( #281 )
...
- manage all interfaces in dns (except lo and anycast)
- move loopback0 anycast addresses to be anycast0
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/281
2025-05-11 16:36:04 +10:00
unkinben
3e0141bb1b
feat: change to anycast resolver ( #280 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/280
2025-05-11 11:39:00 +10:00
unkinben
bb6f6cbd49
feat: anycast dnsmasters ( #279 )
...
- change dns masters on incus to anycast for bind
- change to networkd to support anycast/loopbacks
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/279
2025-05-10 23:00:03 +10:00
unkinben
51d6c1e81d
fix: enable dns resolver access for dmz1 ( #278 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/278
2025-05-10 06:57:05 +10:00
unkinben
537a207779
feat: update upstream ip for consul dns ( #277 )
...
- set bind resolvers to use consuls anycast address for forwarding
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/277
2025-05-09 22:10:35 +10:00
unkinben
f322440d01
feat: setup anycast consul dns ( #276 )
...
- manage frrouting repo/ospf
- change to systemd-networkd
- enable ospf on incus nodes bridges
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/276
2025-05-09 22:07:42 +10:00
unkinben
ed947dee59
fix: listen-addr -> listen-address ( #275 )
...
- listen-address is the correct option
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/275
2025-05-04 00:07:45 +10:00
unkinben
a70b6492b0
feat: update consul/dnsmasq ( #274 )
...
- update params with bind/advertise addr
- update params with anycast ip option
- migrate dnsmasq config to template
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/274
2025-05-03 23:51:29 +10:00
unkinben
3079f7d000
feat: enable use of dhcp addresses in networkd ( #273 )
...
- change ipaddress to be optional
- add dhcp option
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/273
2025-05-03 23:51:17 +10:00
unkinben
1b8f50786f
feat: ensure the vault audit_log exists ( #272 )
...
- without this, vault will not take a leadership role
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/272
2025-05-03 22:25:10 +10:00
unkinben
b05acb23f4
feat: use custom cert for puppetdb access ( #271 )
...
- manually generated certificate using sudo puppetserver ca generate --certname puppetdbapi.query.consul
- saved certificate and private_key in eyaml
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/271
2025-05-03 12:41:23 +10:00
unkinben
62f71e1feb
chore: change puppetboard python version ( #270 )
...
- change python version to follow python3_release fact
- this will follow os-release upgrades
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/270
2025-05-03 01:07:52 +10:00
unkinben
cdf9456456
feat: update psql15 repos for roles ( #269 )
...
- update patroni to use packagerepo
- update puppetdb to use packagerepo
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/269
2025-04-29 21:04:45 +10:00
unkinben
2323ef7749
feat: postgresql15/postgresql17 ( #268 )
...
- add postgresql15 and 17 to reposync
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/268
2025-04-28 21:39:45 +10:00
unkinben
07b89ab737
feat: enable terraform access to puppetca ( #267 )
...
- enable terraform to clean certificates
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/267
2025-04-28 18:46:58 +10:00
unkinben
9359b8902e
feat: vault mlock ( #266 )
...
- enable mlock by default
- disable mlock on lxd/incus nodes (lxc doesnt support it)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/266
2025-04-26 22:43:20 +10:00
unkinben
1e3ce0ec1c
feat: dont set gid/uid for sysadmin ( #265 )
...
- sysadmin doesnt need to be a specific uid/gid, the next available
uid/gid is fine
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/265
2025-04-26 20:02:57 +10:00
unkinben
496ed12a58
feat: change vault to use package install ( #264 )
...
- vault 18.2 rpm produced by rpmbuilder repo
- ensure the /etc/vault directory is managed
- ensure service file is managed by puppet
- ensure package comes from unkin repo (not hashicorp)
- disable_mlock as unprivileged containers cannot use mlock
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/264
2025-04-26 18:40:31 +10:00
unkinben
e4166c6b14
feat: lxc compatability with datavol ( #263 )
...
- lxc doesnt mount block devices, just check for mountpoint
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/263
2025-04-26 17:28:57 +10:00
unkinben
78f4d2a88f
feat: cleanup mpls configuration ( #262 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/262
2025-04-26 00:39:23 +10:00
unkinben
762d980ea8
feat: update dns resolver zone management ( #261 )
...
- move zones to common role path
- specify forwarders for each zone in region based hiera
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/261
2025-04-25 01:01:47 +10:00
unkinben
463abe4b9d
feat: add reverse dns zones for incus ( #260 )
...
- add reverse dns zones for incus hosts
- update acls for openresolver
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/260
2025-04-24 23:48:34 +10:00
unkinben
ecce93bedb
feat: lxc cannot use chronyd ( #259 )
...
- ensure lxc nodes do not attempt to install chronyd
- ensure chrony is removed
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/259
2025-04-24 23:18:45 +10:00
unkinben
9dcaafb8ba
feat: lxc updates ( #258 )
...
- add virtual/lxc.yaml
- add crypto crypto-policies-scripts
- ensure ssh::server is managed
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/258
2025-04-24 23:03:01 +10:00
unkinben
a21c1b3697
Adding hieradata/node/ausyd1nxvm1072.main.unkin.net.yaml ( #257 )
...
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/257
2025-04-24 21:25:00 +10:00
unkinben
bc5bd11f5e
feat: disable cobbler cache ( #256 )
...
- this is required to resolve issues with terraform deploying cobbler
settings
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/256
2025-04-24 21:18:59 +10:00