unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: unkin:neoloc/mpls_mpbgp_rr
Branches Tags
unkin:develop
unkin:benvin/artifactapi_repos
unkin:benvin/hiera_data_hash
unkin:benvin/openbao_audit_devices
unkin:benvin/backend_dovecot
unkin:benvin/exporter_ip_loopback
unkin:benvin/k8s_control
unkin:neoloc/k8s
unkin:neoloc/ceph
unkin:neoloc/mpls_mpbgp_rr
unkin:neoloc/firewall
unkin:neoloc/includegroups
unkin:neoloc/exportarr
unkin:neoloc/authproxy
unkin:neoloc/openldap
unkin:neoloc/puppetdb_ssl
unkin:master
...
pull from: unkin:develop
Branches Tags
unkin:benvin/artifactapi_repos
unkin:develop
unkin:benvin/hiera_data_hash
unkin:benvin/openbao_audit_devices
unkin:benvin/backend_dovecot
unkin:benvin/exporter_ip_loopback
unkin:benvin/k8s_control
unkin:neoloc/k8s
unkin:neoloc/ceph
unkin:neoloc/mpls_mpbgp_rr
unkin:neoloc/firewall
unkin:neoloc/includegroups
unkin:neoloc/exportarr
unkin:neoloc/authproxy
unkin:neoloc/openldap
unkin:neoloc/puppetdb_ssl
unkin:master

175 Commits
neoloc/mpl ... develop

Author SHA1 Message Date
Ben Vincent
6f51bffeaa core: bump radowgw client_max_body_size (#433) 
Reviewed-on: #433
 2026-01-07 23:27:09 +11:00
Ben Vincent
57870658b5 feat: act runner updates (#432) 
saving artifacts are breaking in some actions as the runner will switch
between different git hosts. using haproxy will ensure the same backend
is always hit via stick-tables and cookies

- ensure runners use haproxy to reach git

we now package act_runner now, lets use the rpm

- change installation method to rpm instead of curl + untar
- add capability to versionlock act_runner
- fix paths to act_runner
- remove manually installed act_runner

Reviewed-on: #432
 2026-01-03 21:51:47 +11:00
Ben Vincent
f8caa71f34 fix: increase artifact upload size for git (#431) 
- rpmbuilder artifacts can be very large
- increase 1Gb limit to 5GB

Reviewed-on: #431
 2025-12-30 22:52:43 +11:00
Ben Vincent
a2c56c9e46 chore: add almalinux 9.7 repositories (#430) 
- ensure almalinux 9.7 is synced

Reviewed-on: #430
 2025-12-30 22:48:54 +11:00
Ben Vincent
40d8e924ee feat: enable managing root password (#429) 
- update root password in common.eyaml
- add missing param to the accounts::root manifest
- remove if block as undef sshkeys has same effect

Reviewed-on: #429
 2025-12-28 20:12:12 +11:00
Ben Vincent
0aec795aec feat: manage externaldns bind (#428) 
- add module to manage externaldns bind for k8s
- add infra::dns::externaldns role
- add 198.18.19.20 as anycast for k8s external-dns service

Reviewed-on: #428
 2025-11-22 23:25:55 +11:00
Ben Vincent
9854403b02 feat: add syslog listener for vlinsert (#427) 
- enable syslog capture via vlinsert
- add syslog.service.consul service

Reviewed-on: #427
 2025-11-20 23:47:10 +11:00
Ben Vincent
6400c89853 feat: add vmcluster static targets (#426) 
- add ability to list static targets for vmagent to scrape
- add vyos router to be scraped

Reviewed-on: #426
 2025-11-20 20:19:53 +11:00
Ben Vincent
9eff241003 feat: add SMTP submission listener and enhance stalwart configuration (#425) 
- add SMTP submission listener on port 587 with TLS requirement
- configure HAProxy frontend/backend for submission with send-proxy-v2 support
- add send-proxy-v2 support to all listeners
- add dynamic HAProxy node discovery for proxy trusted networks
- use service hostname instead of node FQDN for autoconfig/autodiscover
- remove redundant IMAP/IMAPS/SMTP alt-names from TLS certificates
- update VRRP CNAME configuration to use mail.main.unkin.net

Reviewed-on: #425
 2025-11-09 18:48:06 +11:00
Ben Vincent
35614060bd chore: replace stalwart S3 keys (#424) 
- update stalwart S3 AK/SK after migrating to new zonegroup

Reviewed-on: #424
 2025-11-08 22:56:24 +11:00
Ben Vincent
1b0fd10fd7 fix: remove . from end of vrrp_cnames (#423) 
- autoconfig/autodiscovery should not end with a dot

Reviewed-on: #423
 2025-11-08 21:38:10 +11:00
Ben Vincent
2c9fb3d86a chore: add stalwart required tls alt names (#422) 
- add alt-names for service addresses stalwart is expected to reply too

Reviewed-on: #422
 2025-11-08 21:28:41 +11:00
Ben Vincent
559c453906 chore: change transport for main.unkin.net (#421) 
- ensure main.unkin.net mail is delivered to stalwart load-balancer addr

Reviewed-on: #421
 2025-11-08 21:10:11 +11:00
Ben Vincent
5b0365c096 feat: manage haproxy for stalwart (#420) 
- add frontends for imap, imaps and smtp
- add backends for webadmin, imap, imaps and smtp

Reviewed-on: #420
 2025-11-08 21:07:43 +11:00
Ben Vincent
1e7dfb9d9d feat: manage additional ceph sections (#419) 
- ensure mons configuration are managed in code
- ensure radowgw configuration are managed in code

Reviewed-on: #419
 2025-11-08 19:19:44 +11:00
Ben Vincent
9dd74013ea feat: create stalwart module (#418) 
- add stalwart module
- add psql database on the shared patroni instance
- add ceph-rgw credentials to eyaml
- ensure psql pass and s3 access key are converted to sensitive

Reviewed-on: #418
 2025-11-08 19:09:30 +11:00
Ben Vincent
92a48b4113 feat: ensure latest openbao package (#417) 
- stop version locking openbao, use latest

Reviewed-on: #417
 2025-11-06 20:01:37 +11:00
Ben Vincent
78adef0eee refactor: recreate profiles::postfix::gateway with parameterization and templates (#416) 
- refactor profiles::postfix::gateway as parameterized class
- move base postfix parameters, transports, and virtuals to hiera for flexibility
- convert SMTP restrictions to arrays for better readability using join()
- add postscreen enable/disable boolean with conditional master.cf configuration
- add per-domain TLS policy maps (smtp_tls_policy_maps)
- convert alias_maps to array parameter for flexibility
- convert all postfix map files to ERB templates with parameter hashes
- add map parameters: sender_canonical_maps, sender_access_maps, relay_recipients_maps,
  relay_domains_maps, recipient_canonical_maps, recipient_access_maps, postscreen_access_maps, helo_access_maps
- move default map data to hiera while keeping parameters as empty hashes by default

This approach balances flexibility with data-driven configuration, allowing
easy customization through parameters while keeping transport/virtual maps
and default map data in hiera for role-specific overrides.

Reviewed-on: #416
 2025-11-01 17:26:00 +11:00
Ben Vincent
81f289a185 feat: prepare for dovecot deployment (#415) 
- add dovecot role
- import dovecot module via r10k

Reviewed-on: #415
 2025-11-01 01:01:55 +11:00
Ben Vincent
a2a8edb731 feat: implement comprehensive postfix gateway with eFa5 configuration (#414) 
- add voxpupuli-postfix module to Puppetfile
- create profiles::postfix::gateway class with config based on efa5
- add master.cf entries for postscreen, smtpd, dnsblog, and tlsproxy services
- create postfix hash files: aliases, access controls, canonical maps
- configure TLS with system PKI certificates and strong cipher suites
- add transport and virtual alias mappings for mail routing

Reviewed-on: #414
 2025-11-01 00:43:58 +11:00
Ben Vincent
e129d1cf7a feat: add mail::gateway role (#413) 
- add a mail::gateway role, more to add later
- enables the build of hosts in this role immedately (config later)

Reviewed-on: #413
 2025-10-19 19:09:51 +11:00
Ben Vincent
e95a59b88a feat: migrate puppetserver -> openvox-server (#412) 
- enable openvox repo
- ensure puppetdb-termini and puppetserver are purged
- set openvox-server as the package to install
- set termini package to openvoxdb-termini

Reviewed-on: #412
 2025-10-18 23:49:51 +11:00
Ben Vincent
8bed80eac8 feat: migrate puppetdb -> openvoxdb (#411) 
- ensure the puppetdb package is purged before openvoxdb
- ensure the openvoxdb package is installed

Reviewed-on: #411
 2025-10-18 21:47:33 +11:00
Ben Vincent
5ba483c68a feat: add ZFS facts to prevent zpool disk changes (#410) 
- add zfs_zpools and zfs_datasets facts to detect existing ZFS resources
- skip zpool creation when pools already exist

Reviewed-on: #410
 2025-10-18 21:24:33 +11:00
Ben Vincent
766233c3e5 fix: check if zfs-cache exists and isnt empty (#409) 
- check the cache file exists, and isnt empty
- resolves idempotence for zpool-import-cache service

Reviewed-on: #409
 2025-10-18 21:15:55 +11:00
Ben Vincent
98b866fce7 feat: migrate puppet-agent to openvox (#408) 
- change from puppet-agent to openvox-agent
- upgrade version from 7.34 to 7.36
- ensure workflow of: Yumrepo -> dnf-makecache -> Package

Reviewed-on: #408
 2025-10-18 19:11:38 +11:00
Ben Vincent
e724326d43 feat: allow access to runner certs (#407) 
- allow access to runner certs, used for mtls auth to incus

Reviewed-on: #407
 2025-10-17 22:46:45 +11:00
Ben Vincent
d8b354558d feat: add incus auto-client certificate trust (#406) 
- add fact to export vault public cert from agents
- add fact to export list of trusted incus client certs
- add method for incus clients to export their client cert to be trusted

Reviewed-on: #406
 2025-10-17 22:46:26 +11:00
Ben Vincent
fac90c66db feat: use vault certificates for incus (#405) 
- replace default incus certificates with vault-generated ephemeral certificates
- configure incus service to restart on certificate changes

Reviewed-on: #405
 2025-10-17 17:22:09 +11:00
Ben Vincent
efbbb6bcb1 feat: moderate the k8s install (#403) 
- only install a base config
- wait for 3 masters before deploying helm charts
- remove cluster-domain
- manage nginx ingres via rke2 helmconfig

Reviewed-on: #403
 2025-10-12 17:50:24 +11:00
Ben Vincent
16e654fdd7 feat: use openbao (#404) 
- change vault role to use openbao

Reviewed-on: #404
 2025-10-11 20:55:21 +11:00
Ben Vincent
66d8815e16 fix: ensure nginx restarts on certificate changes (#402) 
Add hasrestart => true to nginx service in simpleproxy profile to ensure
nginx performs a full restart (not reload) when certificate files change.
This is required because nginx reload does not pick up SSL certificate
changes from disk.

Reviewed-on: #402
 2025-09-29 22:38:00 +10:00
Ben Vincent
a9c959d924 fix: remove unicode from ceph-csi-yaml (#400) 
Reviewed-on: #400
 2025-09-21 00:41:06 +10:00
Ben Vincent
b224cfb516 fix: cattle-system namespace (#399) 
- cattle-system namespace is created earlier than helm
- leave namespaces.yaml to manage cattle-system namespace (required
  before installing helm/rancher)

Reviewed-on: #399
 2025-09-21 00:21:41 +10:00
Ben Vincent
4c9204858e feat: define node-token from puppet (#398) 
- define the token on the bootstrap node too, so node-token is defined
  for new clusters

Reviewed-on: #398
 2025-09-20 22:25:56 +10:00
Ben Vincent
571a9b25a7 fix: resolve rke2-server errors (#397) 
- kubectl yaml files must not use underscores
- replace unicode hyphen with ascii hyphen

Reviewed-on: #397
 2025-09-20 18:40:18 +10:00
Ben Vincent
762f415d2d feat: k8s helm rework (#396) 
- remove helm-generated-yaml, replace with helm execs
- template/parameterise ceph csi

Reviewed-on: #396
 2025-09-20 17:40:41 +10:00
Ben Vincent
4e77fb7ee7 feat: manage rancher, purelb, cert-manager (#395) 
This change will install rancher, purelb and cert-manager, then
configure a dmz and common ip pool to be used by loadbalancers. The
nginx ingres controller is configured to use 198.18.200.0 (common) and
announce the ip from all nodes so that it becomes an anycast ip in ospf.

- manage the install of rancher, purelb and cert-manager
- add rancher ingress routes
- add nginx externalip/loadBalancer

Reviewed-on: #395
 2025-09-14 20:59:39 +10:00
Ben Vincent
6e4bc9fbc7 feat: adding rke2 (#394) 
- manage rke2 repos
- add rke2 module (init, params, install, config, service)
- split roles::infra::k8s::node -> control/compute roles
- moved common k8s config into k8s.yaml
- add bootstrap_node, manage server and token fields in rke2 config
- manage install of helm
- manage node attributes (from puppet facts)
- manage frr exclusions for service/cluster network

Reviewed-on: #394
 2025-09-14 13:27:49 +10:00
Ben Vincent
012e842d7d feat: add cleanup to autopromoter (#393) 
- ensure the autopromoter removes hardlinks/replicas for repos older
  than the current promoted monthly
- this is to reduce MDS load for ceph, as hardlinks require memory

Reviewed-on: #393
 2025-09-13 20:08:32 +10:00
Ben Vincent
98a433d366 feat: mirror rke2 repo for rhel9 (#392) 
- create rhel9 mirrors for rke2 1.33 and common

Reviewed-on: #392
 2025-09-13 19:49:52 +10:00
Ben Vincent
fcd1b049d6 feat: ensure frr_exporter can read ospf socket (#391) 
- add execute permission to frr socket directory

Reviewed-on: #391
 2025-09-13 15:08:32 +10:00
Ben Vincent
938a6ac990 feat: update docs for puppet (#390) 
- k8s / metallb / cilium created chaos
- broke puppet agent and servers
- adding issue/resolution here

Reviewed-on: #390
 2025-09-13 12:57:44 +10:00
Ben Vincent
0665873dc8 feat: update ospf source for learned routes (#388) 
- enable changing the source address for learned ospf routes
- this enables the loopback0 interface to be used as a default src address
- ensure k8s nodes use loopback0 as default src
- ensure incus nodes use loopback0 as default src

Reviewed-on: #388
 2025-09-07 16:09:21 +10:00
Ben Vincent
ae4eb3a5eb fix: set loopback0 as source for consul (#387) 
- fix consul service checks for prodnxsr0001-0008
- ensure the loopback0 interface whats bound too

Reviewed-on: #387
 2025-09-07 15:48:27 +10:00
Ben Vincent
65fb52da55 chore: add user for jelly (#385) 
Reviewed-on: #385
 2025-09-04 20:09:43 +10:00
Ben Vincent
d97cbfd570 chore: update src ips for arr stack (#384) 
- allow the arr stack to reach prowlarr

Reviewed-on: #384
 2025-08-31 18:52:47 +10:00
Ben Vincent
8f5d102945 feat: enabling changing ip for consul client (#383) 
- enable ability to set consul client bind/advertise ip

Reviewed-on: #383
 2025-08-14 22:55:35 +10:00
Ben Vincent
62aade77ff feat: add ceph-dashboard to haproxy (#382) 
- add profile to export haproxy backend
- add new cert for dashboard.ceph.unkin.net
- extend balancemember with ipaddress attribute

Reviewed-on: #382
 2025-08-14 11:06:11 +10:00
Ben Vincent
83bb3e1085 chore: increase client body size for s3 (#381) 
- s3 clients send objects too large for the default body size

Reviewed-on: #381
 2025-08-13 16:41:39 +10:00
Ben Vincent
92728047e7 feat: add ceph rgw (#380) 
- start managing ceph configuration file
- manage ceph-radosgw
- merge the ceph::conf and ceph::node profiles
- ensure the ceph repos exist
- mange nginx frontend and consul service

Reviewed-on: #380
 2025-08-13 12:33:41 +10:00
Ben Vincent
f4af5e7b64 chore: add rados gateway role (#379) 
- just enough role to deploy some containers

Reviewed-on: #379
 2025-08-10 19:31:39 +10:00
Ben Vincent
308d97d783 feat: enable plugins for grafana (#378) 
- add method to install plugins for grafana
- ensure victoriametrics-logs-datasource is installed

Reviewed-on: #378
 2025-08-09 17:57:49 +10:00
Ben Vincent
ac36d9627b feat: capture all journald logs (#377) 
- create module class for journald clients
- ensure module class it used on all hosts
- use consul service address for insert/journald

Reviewed-on: #377
 2025-08-09 15:11:47 +10:00
Ben Vincent
198cee27c2 feat: enable https for vlstorage (#376) 
- attempting to send to http:// fails as vlstorage is using tls
- enable tls on vlselect/vlinsert when writing to vlstorage
- add retention period to vlstorage

Reviewed-on: #376
 2025-08-09 14:34:48 +10:00
Ben Vincent
f73d6f07ce fix: generate types as root (#375) 
- larger permission issue that needs fixing
- reduce the number of failed runs

Reviewed-on: #375
 2025-08-09 13:30:12 +10:00
Ben Vincent
1c71229fd3 feat: add victorialogs module (#374) 
- add module for victorialogs
- add hieradata for vl insert/select/storage
- manage packages, directories, services, etc
- manage exporting metrics

Reviewed-on: #374
 2025-08-08 23:59:46 +10:00
Ben Vincent
d649195ccc fix: generate types needs to run more often (#373) 
- seeing frequent errors in puppetboard about types missing
- change the puppet-generate-types timer from daily to per-minute

Reviewed-on: #373
 2025-08-07 20:53:06 +10:00
Ben Vincent
fcd0bc4c74 feat: add victorialogs roles (#372) 
- and hieradata
- empty roles currently

Reviewed-on: #372
 2025-08-07 20:34:42 +10:00
Ben Vincent
a30ff81139 fix: reduce metadata lifetime (#371) 
- metadata lifetime should be lowered to improve development speed

Reviewed-on: #371
 2025-08-03 21:04:47 +10:00
Ben Vincent
bbed65b4b8 benvin/frr_exporter (#370) 
Reviewed-on: #370
 2025-08-03 20:14:19 +10:00
Ben Vincent
75ca7a5685 feat: add frr_exporter class (#369) 
- add frr exporter to all nodes running frr

Reviewed-on: #369
 2025-08-03 16:15:29 +10:00
Ben Vincent
53fabc923b feat: add nzbget_exporter (#368) 
- add nzbget_exporter class
- add exporter to nzbget class

Reviewed-on: #368
 2025-08-03 15:03:29 +10:00
Ben Vincent
5a9241940f feat: export ceph metrics (#367) 
- export cephmgr metrics
- will only be availabe from one host at a time

Reviewed-on: #367
 2025-07-29 18:54:49 +10:00
Ben Vincent
df457306cc feat: add external grafana access (#366) 
- enable access to grafana through haproxy
- ensure grafana cert created from letsencrypt
- enable user access to grafana

Reviewed-on: #366
 2025-07-28 21:07:43 +10:00
Ben Vincent
7fbb87b4b6 feat: add exportarr (#365) 
- add exporters::exportarr
- deploy for radarr, sonarr and prowlarr

Reviewed-on: #365
 2025-07-27 19:47:26 +10:00
Ben Vincent
fd902c1437 feat: create exporters module (#364) 
- upgrade node_exporter, bring managed under exporters module
- upgrade postgres_exporter, bring managed under exporters module
- add flag to cleanup previous iterations of exporters from prometheus module
- fix issues with vmclusster: replication + dedup

Reviewed-on: #364
 2025-07-27 13:28:41 +10:00
Ben Vincent
0e64c9855a feat: add vmcluster module (#363) 
- manage vmstorage package, service and environment file
- manage vmselect package, service and environment file
- manage vminsert package, service and environment file
- manage vmagent package, service and environment file
- manage options for vmstorage, vmselect, vminsert, vmagent role

Reviewed-on: #363
 2025-07-26 18:17:20 +10:00
Ben Vincent
3cfafbac44 feat: enable ceph on k8s nodes (#362) 
- enable enough ceph/frr to join to cephfs
- notify sshd when restarting the network
- update ssh principals to include all ssh interfaces

Reviewed-on: #362
 2025-07-19 20:30:46 +10:00
Ben Vincent
c5c40c3bfd chore: cleanup old physicals (#361) 
- cleanup old nodes to redeploy them

Reviewed-on: #361
 2025-07-15 22:34:46 +10:00
Ben Vincent
98f1961a07 benvin/ceph_common (#360) 
Reviewed-on: #360
 2025-07-15 20:38:39 +10:00
Ben Vincent
eb1ada8ea5 fix: duplicate declatation (#359) 
- only install ceph-common once

Reviewed-on: #359
 2025-07-15 20:31:09 +10:00
Ben Vincent
ec3e42901a feat: add basic k8s node role (#358) 
- update prodnxsr0001-8 to use networkd
- add basic k8s node role

Reviewed-on: #358
 2025-07-15 20:18:17 +10:00
Ben Vincent
e905afcab0 chore: cleanup hieradata/nodes (#357) 
- cleanup decommed nodes
- remove unneccessary node data

Reviewed-on: #357
 2025-07-13 21:40:32 +10:00
Ben Vincent
de6e7d0ba9 feat: add vmagent role (#356) 
- add vmagent role for vicmet

Reviewed-on: #356
 2025-07-13 17:20:58 +10:00
Ben Vincent
780a97dfe4 feat: add new cobbler master (#355) 
- change cobbler.main.unkin.net to 2098

Reviewed-on: #355
 2025-07-12 20:31:43 +10:00
Ben Vincent
9aa6472e5b feat: ensure /etc/NetworkManager/conf.d exists (#354) 
- required to create dns-none setting

Reviewed-on: #354
 2025-07-12 14:19:22 +10:00
Ben Vincent
80ab4e6889 chore: update cobbler for el9 (#353) 
- update cobbler/cobbler-web package
- update path for ipxebins

Reviewed-on: #353
 2025-07-12 14:19:14 +10:00
Ben Vincent
ccda327c7a gchore: cleanup old vms (#352) 
- remove ntp01/ntp02
- remove old gitea
- remove mariadb galera vms

Reviewed-on: #352
 2025-07-09 21:18:23 +10:00
Ben Vincent
acef1bde29 feat: move puppetca role (#351) 
- move puppetca from vm to lxd

Reviewed-on: #351
 2025-07-09 21:15:09 +10:00
Ben Vincent
7d87e11e79 feat: add victoria metrics roles (#350) 
- add vmstorage, vmselect and vminsert roles
- base roles, only adding packages
- preparation for standing up a vicmet cluster

Reviewed-on: #350
 2025-07-08 20:34:46 +10:00
Ben Vincent
40c57ede59 feat: add ci build task (#342) 
- a ci workflow for build tests
- run pre-commit against all files

Reviewed-on: #342
 2025-07-08 20:19:36 +10:00
Ben Vincent
be02d3d150 feat: migrate to external ntp (#349) 
- removing ntp vms from proxmox
- redirect ntp to external time sources

Reviewed-on: #349
 2025-07-07 20:27:02 +10:00
Ben Vincent
a550d48f21 fix: sort nameservers (#348) 
- sort nameservers before creating glue records

Reviewed-on: #348
 2025-07-06 20:09:19 +10:00
Ben Vincent
2d9faf578f feat: add unkin.net domain (#347) 
- manage the unkin.net domain
- ensure forwarding for unkin.net
- split domain from cname list and set zone correctly
- add fafflix to cnames list for haproxy2

Reviewed-on: #347
 2025-07-06 20:02:20 +10:00
Ben Vincent
2814a55df6 chore: hard-code git.unkin.net path (#346) 
- dirty fix, set git.unkin.net in hosts file template
- avoid hairpint nat

Reviewed-on: #346
 2025-07-06 16:43:07 +10:00
Ben Vincent
73362a3bf9 feat: add stick tables for gitea (#345) 
- stick tables are required for docker authentication

Reviewed-on: #345
 2025-07-06 14:42:14 +10:00
Ben Vincent
0063f68bc6 feat: enable external access to gitea (#344) 
- add git.unkin.net to certbot
- export haproxy resources for gitea
- add be_gitea to haproxy, import the certbot cert
- update the ROOT_URL for gitea instances

Reviewed-on: #344
 2025-07-06 13:47:56 +10:00
Ben Vincent
372d99893a core: fix ROOT_URL (#343) 
- root_url is used for docker authentication
- access to git.unkin.net is not yet ready

Reviewed-on: https://git.query.consul/unkin/puppet-prod/pulls/343
 2025-07-06 13:20:27 +10:00
Ben Vincent
620339f69d chore: cleanup hieradata/nodes (#341) 
- remove all node hiera data for decommed hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/341
 2025-07-06 12:23:22 +10:00
Ben Vincent
2317d0af59 feat: expose gitea metrics (#340) 
- add a gitea-metrics service to consul
- tag as metrics for victoria metrics
- check the /metrics endpoint (bypass nginx)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/340
 2025-07-06 12:01:57 +10:00
Ben Vincent
cf0ff85b70 fix: manage git user (#339) 
- prevent different gid/uid for git users when deploying cluster
- only add sudo conf when sudo_rules is a list

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/339
 2025-07-06 11:27:35 +10:00
Ben Vincent
359ce101f1 feat: add indexer for git (#338) 
- reuse the database for the indexer

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/338
 2025-07-05 17:12:38 +10:00
Ben Vincent
b6c959d368 feat: use redis for cache/queue (#337) 
- use gitea redis cluster for queue/cache
- use redis+sentinel url (pass required for redis and sentinel)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/337
 2025-07-05 16:42:01 +10:00
Ben Vincent
b976f2063a feat: deploy redis for git (#336) 
- deploy redis/sentinel ha cluster for git
- update redis to 7 (required for almalinux 9)
- enable requirepass/masterauth

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/336
 2025-07-05 15:51:28 +10:00
Ben Vincent
93049707e7 benvin/gitea_cluster (#335) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/335
 2025-07-05 14:49:56 +10:00
Ben Vincent
a9faa098ee benvin/grafana_postgres (#334) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/334
 2025-07-01 19:07:24 +10:00
Ben Vincent
61d912de30 feat: update password for grafana service account (#333) 
- updated grafana password

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/333
 2025-06-30 20:22:18 +10:00
Ben Vincent
9bed18f78c fix: duplicate toml resources (#332) 
- change resource name for puppetserver_gem
- ensure toml installed on all agents

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/332
 2025-06-30 19:57:29 +10:00
Ben Vincent
aab3eaf9e7 feat: add grafana service to ldap (#331) 
- add grafana service account for binding
- add grafana_user group
- add users to group

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/331
 2025-06-30 19:17:56 +10:00
Ben Vincent
33c8b226e0 feat: add puppetserver gem for toml (#330) 
- require toml for puppetserver gem

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/330
 2025-06-30 19:05:12 +10:00
Ben Vincent
49ff7cc3ab feat: add toml puppet gem (#329) 
- required for ldap support in grafana

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/329
 2025-06-30 19:02:37 +10:00
Ben Vincent
d1e63ad18b feat: add shared pgsql instance (#328) 
- add shared pgsql instance
- use patroni

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/328
 2025-06-29 17:25:59 +10:00
Ben Vincent
99b312669b benvin/dhcp_failover (#327) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/327
 2025-06-29 13:36:16 +10:00
Ben Vincent
715e88176b chore: confine incus facts to incus (#326) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/326
 2025-06-28 21:24:08 +10:00
Ben Vincent
1837506b6c feat: add incus facts (#325) 
- incus container counts
- incus profile list
- allocated memory/cpu

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/325
 2025-06-28 21:14:39 +10:00
Ben Vincent
3bb2a5dbad fix: enable health check from haproxy2 (#324) 
- tactical fix: enable dmz subnets container access to health url

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/324
 2025-06-28 17:04:25 +10:00
Ben Vincent
0ce6e95f2d chore: cleanup removed hosts (#323) 
- remove 1018, 1031, 1032, 1033

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/323
 2025-06-28 16:28:03 +10:00
Ben Vincent
770fd643ac feat: add haproxy2 role (#322) 
- add basic haproxy2 role
- add peers and resolvers
- add haproxy2+ metrics frontend

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/322
 2025-06-28 16:20:06 +10:00
Ben Vincent
bd9e08dc24 feat: cleanup hieranodes settings (#321) 
- migrate hieranodes values to roles yaml
- rename anycast ip keys to be similar

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/321
 2025-06-21 23:16:34 +10:00
Ben Vincent
62837bb22d feat: add zone to subnet facts (#320) 
- add common and dmz zone fact information

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/320
 2025-06-21 15:42:37 +10:00
Ben Vincent
ae57e0e81c feat: add openvox repos to reposync (#319) 
- add el8/9/10 for openvox7/8

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/319
 2025-06-19 06:06:41 +10:00
Ben Vincent
cb1d562cb0 feat: migrate pupeptdb sql to patroni (#318) 
- change puppetdb::sql to using the patroni profile
- change puppetdb::api to use new patroni cluster
- remove references to puppetlabs-puppetdb managed database
- update consul rules to enable sessions

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/318
 2025-06-19 05:52:32 +10:00
Ben Vincent
26b908e5e7 feat: add node_pools (#317) 
- change agentv2 to common node_pool
- set default node_pool to default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/317
 2025-06-15 17:43:19 +10:00
Ben Vincent
a47c6155b8 feat: use fqdn in host_volumes (#316) 
- fix hard-coded message

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/316
 2025-06-15 17:34:03 +10:00
Ben Vincent
1cbc1be808 feat: add host_volumes to nomad (#315) 
- add puppet client certs
- add tls-ca-bundle

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/315
 2025-06-14 19:37:50 +10:00
Ben Vincent
60834ced00 feat: nomad cni additions (#314) 
- add consul-cni package
- enable grpc for consul servers
- enable consul connect for consul servers
- set recursors for consul
- add ports to consul agent (grpc, dns, http for nomad)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/314
 2025-06-14 18:47:24 +10:00
Ben Vincent
890e9670f3 chore: update the consul service name (#313) 
- update the name for the packagerepo service
- was copy/pasted from jupyterhub

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/313
 2025-06-09 14:46:16 +10:00
Ben Vincent
a26daca28c feat: stop manage nginx repo (#312) 
- use epel repo for nginx

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/312
 2025-06-09 14:18:30 +10:00
Ben Vincent
057c4ab747 feat: manage nginx resource ordering (#311) 
- ensure the package is installed before creating directories
- ensure nginx is restarted when vhost config changes

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/311
 2025-06-09 11:18:39 +10:00
Ben Vincent
1fb46b5ab6 chore: use packagerepo for epel (#310) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/310
 2025-06-09 10:24:56 +10:00
Ben Vincent
66fdd7b615 feat: update incus image host to run on incus (#309) 
- remove zfs
- remove some sysctl values
- remove memlocks from limits
- install iptables, required for creating bridges

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/309
 2025-06-08 22:58:44 +10:00
Ben Vincent
f43d5f685b feat: update reposync repos (#308) 
- remove almalinux 9.4
- add almalinux 9.6
- add epel 8 and 9
- update mssql
- add k8s 1.33

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/308
 2025-06-01 18:20:10 +10:00
Ben Vincent
bb2f59621a feat: split reposync into two roles (#307) 
- reposync and packagerepo web service
- change backing datastore to be cephfs /shared/app/packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/307
 2025-06-01 11:33:44 +10:00
Ben Vincent
1df11b8977 chore: migrate certbot webserver (#306) 
- ausyd1nxvm1021 is decommed
- new source is ausyd1nxvm2057

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/306
 2025-05-31 16:22:59 +10:00
Ben Vincent
10f2dc7047 feat: cleanup removed hosts (#305) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/305
 2025-05-31 14:26:16 +10:00
Ben Vincent
1a904af2ee feat: change g10k to use a package (#304) 
- the archive path is no longer valid
- produced a g10k rpm with rpmbuilder

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/304
 2025-05-31 13:51:51 +10:00
Ben Vincent
ed1a4f6488 fix: missed address in consul service (#303) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/303
 2025-05-30 23:27:44 +10:00
Ben Vincent
bdd833fa4e feat: create basic k8s roles to start deployment (#302) 
- just create roles so can deploy hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/302
 2025-05-30 23:21:02 +10:00
Ben Vincent
c10a3e49fa chore: add new user (#301) 
- just jelly access

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/301
 2025-05-28 19:46:45 +10:00
Ben Vincent
3d5d40f381 chore: minor jellyfin updates (#300) 
- add jellyfin to video group, for access to gpu
- install intel related gpu drivers
- export lxc jellyfin to haproxy

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/300
 2025-05-27 19:55:55 +10:00
Ben Vincent
b3347f9226 chore: migrate media applications (#299) 
- migrate media applications to new cephfs pool + incus
- enable exporting haproxy
- move ceph-client-setup to only apply to non-lxc hosts
- ensure unrar is installed for nzbget
- updated jellyfin use of data_dir
- set lxc instances for jellyfin to use /shared/apps/jellyfin

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/299
 2025-05-25 20:27:17 +10:00
Ben Vincent
1d23fef82e feat: update settings for ceph (#298) 
- enable root logins via ssh with keys
- add ssh key for ceph to root user

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/298
 2025-05-25 20:22:00 +10:00
Ben Vincent
c0aab1087e fix: readd to jellyfin_haproxy (#297) 
- fix operator for jellyfin/haproxy

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/297
 2025-05-24 21:10:56 +10:00
Ben Vincent
596e498a00 feat: change media arr apps to hiera_include (#296) 
- change profiles::media::* to be hiera_included
- this is required to enable it to be hiera_excluded on virtual == lxc

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/296
 2025-05-24 20:23:56 +10:00
Ben Vincent
f6694599ef benvin/media_apps_incus (#295) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/295
 2025-05-24 20:18:23 +10:00
Ben Vincent
93cd02deec chore: update media roles for incus (#294) 
- prevent incus roles from exporting haproxy endpoints (for now)
- incus doesnt need to mount cephfs

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/294
 2025-05-24 18:59:46 +10:00
Ben Vincent
520e8a34e0 feat: add a nomad agent v2 role (#293) 
- excludes ceph (will be passed from incus)
- excludes frrouting (will use host-networking)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/293
 2025-05-24 15:35:20 +10:00
Ben Vincent
77d07672f8 chore: dont mount cephfs inside lxc (#292) 
- lxc instances will have cephfs passed from the host
- skip cephfs mounting for lxc instances

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/292
 2025-05-22 21:06:15 +10:00
Ben Vincent
89a0f329d8 feat: update vault url (#291) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/291
 2025-05-21 19:58:12 +10:00
Ben Vincent
6dcc7343e0 feat: updated ceph ssh authorized_key (#290) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/290
 2025-05-17 14:05:25 +10:00
Ben Vincent
e7d4c75192 feat: enable ssh access to enp3s0 (#289) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/289
 2025-05-17 13:50:35 +10:00
Ben Vincent
d9e8637ad6 feat: manage more ceph requirements (#288) 
- add ceph-common to provide utilities for managing ceph
- add root and sysadmin ssh keys for ceph deployments

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/288
 2025-05-17 11:14:45 +10:00
Ben Vincent
92f0ae64b9 feat: enable ssh on all loopbacks (#287) 
- required for cephadm to manage roles

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/287
 2025-05-16 07:05:31 +10:00
Ben Vincent
c1637d9f43 feat: add cephadm to incus hosts (#286) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/286
 2025-05-16 05:56:28 +10:00
Ben Vincent
1aabe21173 feat: manage mon loopback0 (#285) 
- add frrouting
- set all ceph nodes to use ospf + loopback0 + networkd
- fix ceph repos for mons

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/285
 2025-05-15 19:46:59 +10:00
Ben Vincent
2f088c461f feat: add ceph roles (#284) 
- add hieradata to manage ceph repo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/284
 2025-05-15 19:29:53 +10:00
Ben Vincent
90504e5b02 chore: use alias for nameservers (#283) 
- use an alias for nameservers for dhcp ranges
- move aliased nameservers to region-wide hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/283
 2025-05-14 20:19:18 +10:00
Ben Vincent
a7b793238a fix: exclude docker0 interfaces (#282) 
- docker0 is the same on many hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/282
 2025-05-11 16:53:34 +10:00
Ben Vincent
87a6c73578 neoloc/loopback_dns (#281) 
- manage all interfaces in dns (except lo and anycast)
- move loopback0 anycast addresses to be anycast0

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/281
 2025-05-11 16:36:04 +10:00
Ben Vincent
3e0141bb1b feat: change to anycast resolver (#280) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/280
 2025-05-11 11:39:00 +10:00
Ben Vincent
bb6f6cbd49 feat: anycast dnsmasters (#279) 
- change dns masters on incus to anycast for bind
- change to networkd to support anycast/loopbacks

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/279
 2025-05-10 23:00:03 +10:00
Ben Vincent
51d6c1e81d fix: enable dns resolver access for dmz1 (#278) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/278
 2025-05-10 06:57:05 +10:00
Ben Vincent
537a207779 feat: update upstream ip for consul dns (#277) 
- set bind resolvers to use consuls anycast address for forwarding

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/277
 2025-05-09 22:10:35 +10:00
Ben Vincent
f322440d01 feat: setup anycast consul dns (#276) 
- manage frrouting repo/ospf
- change to systemd-networkd
- enable ospf on incus nodes bridges

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/276
 2025-05-09 22:07:42 +10:00
Ben Vincent
ed947dee59 fix: listen-addr -> listen-address (#275) 
- listen-address is the correct option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/275
 2025-05-04 00:07:45 +10:00
Ben Vincent
a70b6492b0 feat: update consul/dnsmasq (#274) 
- update params with bind/advertise addr
- update params with anycast ip option
- migrate dnsmasq config to template

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/274
 2025-05-03 23:51:29 +10:00
Ben Vincent
3079f7d000 feat: enable use of dhcp addresses in networkd (#273) 
- change ipaddress to be optional
- add dhcp option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/273
 2025-05-03 23:51:17 +10:00
Ben Vincent
1b8f50786f feat: ensure the vault audit_log exists (#272) 
- without this, vault will not take a leadership role

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/272
 2025-05-03 22:25:10 +10:00
Ben Vincent
b05acb23f4 feat: use custom cert for puppetdb access (#271) 
- manually generated certificate using sudo puppetserver ca generate --certname puppetdbapi.query.consul
- saved certificate and private_key in eyaml

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/271
 2025-05-03 12:41:23 +10:00
Ben Vincent
62f71e1feb chore: change puppetboard python version (#270) 
- change python version to follow python3_release fact
- this will follow os-release upgrades

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/270
 2025-05-03 01:07:52 +10:00
Ben Vincent
cdf9456456 feat: update psql15 repos for roles (#269) 
- update patroni to use packagerepo
- update puppetdb to use packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/269
 2025-04-29 21:04:45 +10:00
Ben Vincent
2323ef7749 feat: postgresql15/postgresql17 (#268) 
- add postgresql15 and 17 to reposync

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/268
 2025-04-28 21:39:45 +10:00
Ben Vincent
07b89ab737 feat: enable terraform access to puppetca (#267) 
- enable terraform to clean certificates

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/267
 2025-04-28 18:46:58 +10:00
Ben Vincent
9359b8902e feat: vault mlock (#266) 
- enable mlock by default
- disable mlock on lxd/incus nodes (lxc doesnt support it)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/266
 2025-04-26 22:43:20 +10:00
Ben Vincent
1e3ce0ec1c feat: dont set gid/uid for sysadmin (#265) 
- sysadmin doesnt need to be a specific uid/gid, the next available
  uid/gid is fine

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/265
 2025-04-26 20:02:57 +10:00
Ben Vincent
496ed12a58 feat: change vault to use package install (#264) 
- vault 18.2 rpm produced by rpmbuilder repo
- ensure the /etc/vault directory is managed
- ensure service file is managed by puppet
- ensure package comes from unkin repo (not hashicorp)
- disable_mlock as unprivileged containers cannot use mlock

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/264
 2025-04-26 18:40:31 +10:00
Ben Vincent
e4166c6b14 feat: lxc compatability with datavol (#263) 
- lxc doesnt mount block devices, just check for mountpoint

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/263
 2025-04-26 17:28:57 +10:00
Ben Vincent
78f4d2a88f feat: cleanup mpls configuration (#262) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/262
 2025-04-26 00:39:23 +10:00
Ben Vincent
762d980ea8 feat: update dns resolver zone management (#261) 
- move zones to common role path
- specify forwarders for each zone in region based hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/261
 2025-04-25 01:01:47 +10:00
Ben Vincent
463abe4b9d feat: add reverse dns zones for incus (#260) 
- add reverse dns zones for incus hosts
- update acls for openresolver

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/260
 2025-04-24 23:48:34 +10:00
Ben Vincent
ecce93bedb feat: lxc cannot use chronyd (#259) 
- ensure lxc nodes do not attempt to install chronyd
- ensure chrony is removed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/259
 2025-04-24 23:18:45 +10:00
Ben Vincent
9dcaafb8ba feat: lxc updates (#258) 
- add virtual/lxc.yaml
- add crypto crypto-policies-scripts
- ensure ssh::server is managed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/258
 2025-04-24 23:03:01 +10:00
Ben Vincent
a21c1b3697 Adding hieradata/node/ausyd1nxvm1072.main.unkin.net.yaml (#257) 
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/257
 2025-04-24 21:25:00 +10:00
Ben Vincent
bc5bd11f5e feat: disable cobbler cache (#256) 
- this is required to resolve issues with terraform deploying cobbler
  settings

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/256
 2025-04-24 21:18:59 +10:00
361 changed files with 8823 additions and 1550 deletions
Show Stats Expand all files Collapse all files

24
.gitea/workflows/build.yaml Normal file
View File

@ -0,0 +1,24 @@
name: Build
on:
pull_request:
jobs:
precommit:
runs-on: almalinux-8
container:
image: git.unkin.net/unkin/almalinux9-actionsdind:latest
options: --privileged
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install requirements
run: |
dnf groupinstall -y "Development Tools" -y
dnf install rubygems ruby-devel gcc make redhat-rpm-config glibc-headers glibc-devel -y
- name: Pre-Commit All Files
run: |
uvx pre-commit run --all-files

3
.rubocop.yml
View File

@ -8,3 +8,6 @@ Style/Documentation:
Layout/LineLength:
Max: 140
Metrics/BlockNesting:
Max: 4

4
Puppetfile
View File

@ -19,6 +19,7 @@ mod 'puppetlabs-haproxy', '8.2.0'
mod 'puppetlabs-java', '11.1.0'
mod 'puppetlabs-reboot', '5.1.0'
mod 'puppetlabs-docker', '10.2.0'
mod 'puppetlabs-mailalias_core', '1.2.0'
# puppet
mod 'puppet-python', '7.4.0'
@ -43,6 +44,8 @@ mod 'puppet-letsencrypt', '11.1.0'
mod 'puppet-rundeck', '9.2.0'
mod 'puppet-redis', '11.1.0'
mod 'puppet-nodejs', '11.0.0'
mod 'puppet-postfix', '5.1.0'
mod 'puppet-alternatives', '6.0.0'
# other
mod 'saz-sudo', '9.0.2'
@ -60,6 +63,7 @@ mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'ssm-crypto_policies', '0.3.3'
mod 'thias-sysctl', '1.0.8'
mod 'cirrax-dovecot', '1.3.3'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',

18
doc/puppet/README.md
View File

@ -29,3 +29,21 @@ these steps are required when adding additional puppet masters, as the subject a
sudo systemctl start puppetserver
sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
## troubleshooting
### Issue 1:
[sysadmin@ausyd1nxvm2056 ~]$ sudo puppet agent -t
Error: The CRL issued by 'CN=Puppet CA: prodinf01n01.main.unkin.net' is missing
Find another puppetserver that IS working, copy the `/etc/puppetlabs/puppet/ssl/crl.pem` to this host, run puppet again.
### Issue 2:
[sysadmin@ausyd1nxvm2097 ~]$ sudo puppet agent -t
Error: Failed to parse CA certificates as PEM
The puppet-agents CA cert `/etc/puppetlabs/puppet/ssl/certs/ca.pem` is empty or missing. Grab it from any other host. Run puppet again.

2
hieradata/common.eyaml
View File

@ -1,6 +1,6 @@
---
profiles::accounts::sysadmin::password: ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoS7GyofFaXBNTWU+GtSiz4eCX/9j/sh3fDDRgOgNv1qpcQ87ZlTTenbHo9lxeURxKQ2HVVt7IsrBo/SC/WgipAKnliRkkIvo7nfAs+i+kEE8wakjAs0DcB4mhqtIZRuBkLG2Nay//DcG6cltVkbKEEKmKLMkDFZgTWreOZal8nDljpVe1S8QwtwP4/6hKTef5xsOnrisxuffWTXvwYJhj/VXrjdoH7EhtHGLybzEalglkVHEGft/WrrD/0bwJpmR0RegWI4HTsSvGiHgvf5DZJx8fXPZNPnicGtlfA9ccQPuVo17bY4Qf/WIc1A8Ssv4kHSbNIYJKRymI3UFb0Z4wzBsBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBBxDLb6pCGbittkcX6asd/gEBmMcUNupDjSECq5H09YA70eVwWWe0fBqxTxrr2cXCXtRKFvOk8SJmL0xHAWodaLN9+krTWHJcWbAK8JXEPC7rn]
profiles::accounts::root::password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAM79PRxeAZHrDcSm4eSFqU94/LjuSbdUmJWivX/Pa8GumoW2e/PT9nGHW3p98zHthMgCglk52PECQ+TBKjxr+9dTyNK5ePG6ZJEqSHNRqsPGm+kfQj/hlTmq8vOBaFM5GapD1iTHs5JFbGngI56swKBEVXW9+Z37BjQb2xJuyLsu5Bo/tA0BaOKuCtjq1a6E38bOX+nJ+YF1uZgV9ofAEh1YvkcTmnEWYXFRPWd7AaNcWn03V2pfhGqxc+xydak620I47P+FE+qIY72+aQ6tmLU3X9vyA1HLF2Tv572l4a2i+YIk6nAgQdi+hQKznqNL9M9YV+s1AcmcKLT7cfLrjsjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCMWrdCWBQgtW3NOEpERwP+gBA3KDiqe4pQq6DwRfsEXQNZ]
profiles::accounts::root::password: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAIgzGQLoHrm7JSnWG4vdAtxSuETmnqbV7kUsQS8WCRUwFGenDFkps+OGMnOGEHLzMJzXihLfgfdWwTAI4fp48M+zhTMo9TQkdzZqtbFk3+RjV2jDF0wfe4kVUIpReOq+EkaDSkoRSG8V6hWvszhDHUrJBC9eDhomL0f3xNAWxmy5EIX/uMEvg9Ux5YX+E6k2pEIKnHNoVIaWDojlofSIzIqTSS7l3jQtJhs3YqBzLL1DsoF1kdn+Rwl5kcsKkhV+vzl76wEbpYVZW8lu4bFfP6QHMLPcep2tuUDMCDvARRXD7YyZcAtS7aMuqll+BLAszpWxAA7EU2hgvdr6t2uyVCTCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ4D5oDoyE6LPdjpVtGPoJD4BwfnQ9ORjYFPvHQmt+lgU4jMqh6BhqP0VN3lqVfUpOmiVMIqkO/cYtlwVLKEg36TPCHBSpqvhuahSF5saCVr8JY3xWOAmTSgnNjQOPlGrPnYWYbuRLxVRsU+KUkpAzR0c6VN0wYi6bI85Pcv8yHF3UYA==]
profiles::consul::client::secret_id_salt: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAS7pNFRX4onccFaR87zB/eFFORuF22j6xqjyeAqqjgEduYhkt6w5kkz+YfUoHUesU0Q6F2p6HrCSZ8yAsx5M25NCiud9P4hIpjKmOZ4zCNO7uhATh4AQDYw3BrdRwfO+c6jOl5wOiNLCfDBJ0sFT3akCvcuPS1xIoRJq4Gyn+uCbOsMbvSl25ld2xKt1/cqs8gc1d8mkpjwWto7t+qZSUFMCehTbehH3G4a3Q5rvfBoNwv42Wbs676BDcCurDaAzHNqE7pDbOWhGuVOBl+q+BU0Ri/CRkGcTViN9fr8Dc9SveVC6EPsMbw+05/8/NlfzQse3KAwQ34nR9tR2PQw5qEzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB7LywscQtF7cG2nomfEsu9gDDVqJBFP1jAX2eGZ2crYS5gnBcsRwhc0HNo2/WWdhZprMW+vEJOOGXDelI53NxA3o0=]
profiles::consul::token::node_editor::secret_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAO8IIF2r18dFf0bVKEwjJUe1TmXHH0AIzsQHxkHwV7d37kvH1cY9rYw0TtdHn7GTxvotJG7GZbWvbunpBs1g2p2RPADiM6TMhbO8mJ0tAWLnMk7bQ221xu8Pc7KceqWmU17dmgNhVCohyfwJNqbA756TlHVgxGA0LtNrKoLOmgKGXAL1VYZoKEQnWq7xOpO+z3e1UfjoO6CvX/Od2hGYfUkHdro8mwRw4GFKzU7XeKFdAMUGpn5rVmY3xe+1ARXwGFaSrTHzk2n85pvwhPRlQ+OwqzyT19Qo2FNeAO6RoCRIFTtqbsjTWPUlseHIhw4Q5bHO1I0Mrlm5IHDESw/22IzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCEe9wD72qxnpeq5nCi/d7BgDCP29sDFObkFTabt2uZ/nF9MT1g+QOrrdFKgnG6ThnwH1hwpZPsSVgIs+yRQH8laB4=]
profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=]

130
hieradata/common.yaml
View File

@ -36,6 +36,12 @@ lookup_options:
profiles::haproxy::server::listeners:
merge:
strategy: deep
profiles::accounts::root::sshkeys:
merge:
strategy: deep
profiles::accounts::sysadmin::sshkeys:
merge:
strategy: deep
haproxy::backend:
merge:
strategy: deep
@ -123,6 +129,9 @@ lookup_options:
profiles::ceph::client::keyrings:
merge:
strategy: deep
profiles::ceph::conf::config:
merge:
strategy: deep
profiles::nginx::simpleproxy::locations:
merge:
strategy: deep
@ -149,6 +158,24 @@ lookup_options:
zfs::datasets:
merge:
strategy: deep
rke2::config_hash:
merge:
strategy: deep
postfix::configs:
merge:
strategy: deep
postfix::maps:
merge:
strategy: deep
postfix::virtuals:
merge:
strategy: deep
stalwart::postgresql_password:
convert_to: Sensitive
stalwart::s3_secret_key:
convert_to: Sensitive
stalwart::fallback_admin_password:
convert_to: Sensitive
facts_path: '/opt/puppetlabs/facter/facts.d'
@ -159,25 +186,30 @@ hiera_include:
- profiles::accounts::rundeck
- limits
- sysctl::base
- exporters::node_exporter
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
profiles::ntp::client::peers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
profiles::base::puppet_servers:
- 'prodinf01n01.main.unkin.net'
- 0.au.pool.ntp.org
- 1.au.pool.ntp.org
- 2.au.pool.ntp.org
- 3.au.pool.ntp.org
consul::install_method: 'package'
consul::manage_repo: false
consul::bin_dir: /usr/bin
vault::install_method: 'repo'
vault::manage_repo: false
vault::bin_dir: /usr/bin
vault::manage_service_file: true
vault::manage_config_dir: true
vault::disable_mlock: false
profiles::dns::base::nameservers:
- 198.18.19.16
profiles::dns::master::basedir: '/var/named/sources'
profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
profiles::dns::base::use_ns: 'region'
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
#profiles::dns::base::use_ns: 'region'
profiles::consul::server::members_role: roles::infra::storage::consul
profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
profiles::consul::client::members_lookup: true
@ -192,6 +224,9 @@ profiles::consul::client::node_rules:
- resource: node
segment: ''
disposition: read
- resource: service
segment: node_exporter
disposition: write
profiles::packages::include:
bash-completion: {}
@ -275,7 +310,8 @@ profiles::puppet::client::dns_alt_names:
puppetdbapi: puppetdbapi.query.consul
puppetdbsql: puppetdbsql.service.au-syd1.consul
prometheus::node_exporter::export_scrape_job: true
exporters::node_exporter::enable: true
exporters::node_exporter::cleanup_old_node_exporter: true
prometheus::systemd_exporter::export_scrape_job: true
ssh::server::storeconfigs_enabled: false
@ -340,11 +376,81 @@ networking::route_defaults:
netmask: 0.0.0.0
network: default
# logging:
victorialogs::client::journald::enable: true
victorialogs::client::journald::inserturl: https://vlinsert.service.consul:9428/insert/journald
# FIXME these are for the proxmox ceph cluster
profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
profiles::ceph::client::mons:
- 10.18.15.1
- 10.18.15.2
- 10.18.15.3
profiles::ceph::conf::config:
global:
auth_client_required: 'cephx'
auth_cluster_required: 'cephx'
auth_service_required: 'cephx'
fsid: 'de96a98f-3d23-465a-a899-86d3d67edab8'
mon_allow_pool_delete: true
mon_initial_members: 'prodnxsr0009,prodnxsr0010,prodnxsr0011,prodnxsr0012,prodnxsr0013'
mon_host: '198.18.23.9,198.18.23.10,198.18.23.11,198.18.23.12,198.18.23.13'
ms_bind_ipv4: true
ms_bind_ipv6: false
osd_crush_chooseleaf_type: 1
osd_pool_default_min_size: 2
osd_pool_default_size: 3
osd_pool_default_pg_num: 128
public_network: >
198.18.23.1/32,198.18.23.2/32,198.18.23.3/32,198.18.23.4/32,
198.18.23.5/32,198.18.23.6/32,198.18.23.7/32,198.18.23.8/32,
198.18.23.9/32,198.18.23.10/32,198.18.23.11/32,198.18.23.12/32,
198.18.23.13/32
client.rgw.ausyd1nxvm2115:
rgw_realm: unkin
rgw_zonegroup: au
rgw_zone: syd1
client.rgw.ausyd1nxvm2116:
rgw_realm: unkin
rgw_zonegroup: au
rgw_zone: syd1
client.rgw.ausyd1nxvm2117:
rgw_realm: unkin
rgw_zonegroup: au
rgw_zone: syd1
client.rgw.ausyd1nxvm2118:
rgw_realm: unkin
rgw_zonegroup: au
rgw_zone: syd1
client.rgw.ausyd1nxvm2119:
rgw_realm: unkin
rgw_zonegroup: au
rgw_zone: syd1
mds:
keyring: /var/lib/ceph/mds/ceph-$id/keyring
mds_standby_replay: true
mds.prodnxsr0009-1:
host: prodnxsr0009
mds.prodnxsr0009-2:
host: prodnxsr0009
mds.prodnxsr0010-1:
host: prodnxsr0010
mds.prodnxsr0010-2:
host: prodnxsr0010
mds.prodnxsr0011-1:
host: prodnxsr0011
mds.prodnxsr0011-2:
host: prodnxsr0011
mds.prodnxsr0012-1:
host: prodnxsr0012
mds.prodnxsr0012-2:
host: prodnxsr0012
mds.prodnxsr0013-1:
host: prodnxsr0013
mds.prodnxsr0013-2:
host: prodnxsr0013
#profiles::base::hosts::additional_hosts:
# - ip: 198.18.17.9
# hostname: prodinf01n09.main.unkin.net

7
hieradata/country/au/region/drw1.yaml
View File

@ -1,2 +1,9 @@
---
timezone::timezone: 'Australia/Darwin'
profiles_dns_upstream_forwarder_unkin:
- 198.18.17.23
- 198.18.17.24
profiles_dns_upstream_forwarder_consul:
- 198.18.17.34
- 198.18.17.35
- 198.18.17.36

51
hieradata/country/au/region/drw1/infra/dns/resolver.yaml
View File

@ -1,52 +1 @@
---
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders:
- 198.18.17.34
- 198.18.17.35
- 198.18.17.36
forward: 'only'

8
hieradata/country/au/region/syd1.yaml
View File

@ -1,3 +1,9 @@
---
timezone::timezone: 'Australia/Sydney'
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
certbot::client::webserver: ausyd1nxvm2057.main.unkin.net
profiles_dns_upstream_forwarder_unkin:
- 198.18.19.15
profiles_dns_upstream_forwarder_consul:
- 198.18.19.14
profiles_dns_upstream_forwarder_k8s:
- 198.18.19.20

51
hieradata/country/au/region/syd1/infra/dns/resolver.yaml
View File

@ -1,52 +1 @@
---
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders:
- 198.18.13.19
- 198.18.13.20
- 198.18.13.21
forward: 'only'

2
hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
View File

@ -3,7 +3,7 @@ hiera_include:
- keepalived
# keepalived
profiles::haproxy::dns::vrrp_ipaddr: '198.18.13.250'
profiles::haproxy::dns::ipaddr: '198.18.13.250'
profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net
- radarr.main.unkin.net

424
hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml Normal file
View File

@ -0,0 +1,424 @@
---
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- git.unkin.net
- fafflix.unkin.net
- grafana.unkin.net
- dashboard.ceph.unkin.net
- mail-webadmin.main.unkin.net
- mail-in.main.unkin.net
- mail.main.unkin.net
- autoconfig.main.unkin.net
- autodiscover.main.unkin.net
profiles::haproxy::mappings:
fe_http:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
- 'git.unkin.net be_gitea'
- 'grafana.unkin.net be_grafana'
- 'dashboard.ceph.unkin.net be_ceph_dashboard'
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
fe_https:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
- 'git.unkin.net be_gitea'
- 'grafana.unkin.net be_grafana'
- 'dashboard.ceph.unkin.net be_ceph_dashboard'
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
profiles::haproxy::frontends:
fe_http:
options:
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]"
fe_https:
options:
acl:
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
- 'acl_gitea req.hdr(host) -i git.unkin.net'
- 'acl_grafana req.hdr(host) -i grafana.unkin.net'
- 'acl_ceph_dashboard req.hdr(host) -i dashboard.ceph.unkin.net'
- 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
- 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
- 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
http-request:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Frame-Options DENY if acl_sonarr'
- 'set-header X-Frame-Options DENY if acl_radarr'
- 'set-header X-Frame-Options DENY if acl_lidarr'
- 'set-header X-Frame-Options DENY if acl_readarr'
- 'set-header X-Frame-Options DENY if acl_prowlarr'
- 'set-header X-Frame-Options DENY if acl_nzbget'
- 'set-header X-Frame-Options DENY if acl_jellyfin'
- 'set-header X-Frame-Options DENY if acl_fafflix'
- 'set-header X-Frame-Options DENY if acl_gitea'
- 'set-header X-Frame-Options DENY if acl_grafana'
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
- 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
profiles::haproxy::backends:
be_ausyd1pve_web:
description: Backend for au-syd1 pve cluster (Web)
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_ausyd1pve_api:
description: Backend for au-syd1 pve cluster (API only)
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_sonarr:
description: Backend for au-syd1 sonarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_radarr:
description: Backend for au-syd1 radarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_lidarr:
description: Backend for au-syd1 lidarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_readarr:
description: Backend for au-syd1 readarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_prowlarr:
description: Backend for au-syd1 prowlarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_nzbget:
description: Backend for au-syd1 nzbget
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_jellyfin:
description: Backend for au-syd1 jellyfin
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_gitea:
description: Backend for gitea cluster
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
be_grafana:
description: Backend for grafana nodes
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
be_ceph_dashboard:
description: Backend for Ceph Dashboard from Mgr instances
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-check:
- expect status 200
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 9443 }
redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m'
be_stalwart_webadmin:
description: Backend for Stalwart Webadmin
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-check:
- expect status 200
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 9443 }
redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m'
be_stalwart_imap:
description: Backend for Stalwart IMAP (STARTTLS)
collect_exported: false
options:
mode: tcp
balance: roundrobin
option:
- tcp-check
- prefer-last-server
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
tcp-check:
- connect port 143 send-proxy
- expect string "* OK"
- send "A001 STARTTLS\r\n"
- expect rstring "A001 (OK|2.0.0)"
be_stalwart_imaps:
description: Backend for Stalwart IMAPS (implicit TLS)
collect_exported: false
options:
mode: tcp
balance: roundrobin
option:
- tcp-check
- prefer-last-server
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
tcp-check:
- connect ssl send-proxy
- expect string "* OK"
be_stalwart_smtp:
description: Backend for Stalwart SMTP
collect_exported: false
options:
mode: tcp
balance: roundrobin
option:
- tcp-check
- prefer-last-server
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
tcp-check:
- connect port 25 send-proxy
- expect string "220 "
be_stalwart_submission:
description: Backend for Stalwart SMTP Submission
collect_exported: false
options:
mode: tcp
balance: roundrobin
option:
- tcp-check
- prefer-last-server
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
tcp-check:
- connect port 587 send-proxy
- expect string "220 "
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem
# additional altnames
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- jellyfin.main.unkin.net
- mail-webadmin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::service: haproxy
certbot::client::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- fafflix.unkin.net
- git.unkin.net
- grafana.unkin.net
- dashboard.ceph.unkin.net

7
hieradata/nodes/ausyd1nxvm1000.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.10
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1001.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.11
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1002.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.12
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1003.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.13
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1004.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.14
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1005.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.15
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1006.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.16
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1007.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.17
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1008.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.18
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1009.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.19
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1010.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.20
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1011.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.21
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1012.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.22
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1013.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.23
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1014.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.24
networking::routes:
default:
gateway: 198.18.13.254

13
hieradata/nodes/ausyd1nxvm1015.main.unkin.net.yaml
View File

@ -1,13 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.25
networking::routes:
default:
gateway: 198.18.13.254
profiles::haproxy::dns::vrrp_master: true
keepalived::vrrp_instance:
VI_250:
state: 'MASTER'
priority: 101

12
hieradata/nodes/ausyd1nxvm1016.main.unkin.net.yaml
View File

@ -1,12 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.26
networking::routes:
default:
gateway: 198.18.13.254
keepalived::vrrp_instance:
VI_250:
state: 'BACKUP'
priority: 100

11
hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml
View File

@ -1,11 +0,0 @@
---
profiles::cobbler::params::is_cobbler_master: true
networking::interfaces:
ens18:
ipaddress: 198.18.13.27
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false

7
hieradata/nodes/ausyd1nxvm1018.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.28
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1019.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.29
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1020.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.30
networking::routes:
default:
gateway: 198.18.13.254

10
hieradata/nodes/ausyd1nxvm1021.main.unkin.net.yaml
View File

@ -1,10 +0,0 @@
---
networking::interfaces:
ens18:
ipaddress: 198.18.13.31
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false

7
hieradata/nodes/ausyd1nxvm1022.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.32
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1023.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.33
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1024.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.34
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1025.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.35
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1026.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.36
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1027.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.37
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1028.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.38
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1029.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.39
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1030.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.40
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1031.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.41
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1032.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.42
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1033.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.43
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1034.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.44
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1035.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.45
networking::routes:
default:
gateway: 198.18.13.254

14
hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml
View File

@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.47
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.47
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1038.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.48
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1039.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.49
networking::routes:
default:
gateway: 198.18.13.254

14
hieradata/nodes/ausyd1nxvm1040.main.unkin.net.yaml
View File

@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.50
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.50
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254

14
hieradata/nodes/ausyd1nxvm1041.main.unkin.net.yaml
View File

@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.51
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.51
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254

14
hieradata/nodes/ausyd1nxvm1042.main.unkin.net.yaml
View File

@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.52
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.52
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254

14
hieradata/nodes/ausyd1nxvm1043.main.unkin.net.yaml
View File

@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.53
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.53
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1044.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.54
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1045.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.55
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1046.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.56
networking::routes:
default:
gateway: 198.18.13.254

14
hieradata/nodes/ausyd1nxvm1047.main.unkin.net.yaml
View File

@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.57
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.57
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254

14
hieradata/nodes/ausyd1nxvm1048.main.unkin.net.yaml
View File

@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.58
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.58
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1049.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.59
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1050.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.60
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1051.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.61
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1052.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.62
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1053.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.63
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1054.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.64
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1055.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.65
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1056.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.66
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1057.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.67
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1058.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.68
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1059.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.69
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1060.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.70
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1061.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.71
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1062.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.72
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1063.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.73
networking::routes:
default:
gateway: 198.18.13.254

15
hieradata/nodes/ausyd1nxvm1064.main.unkin.net.yaml
View File

@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.74
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.74
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.64.254/24'

15
hieradata/nodes/ausyd1nxvm1065.main.unkin.net.yaml
View File

@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.75
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.75
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.65.254/24'

15
hieradata/nodes/ausyd1nxvm1066.main.unkin.net.yaml
View File

@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.76
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.76
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.66.254/24'

15
hieradata/nodes/ausyd1nxvm1067.main.unkin.net.yaml
View File

@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.77
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.77
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.67.254/24'

15
hieradata/nodes/ausyd1nxvm1068.main.unkin.net.yaml
View File

@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.78
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.78
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.68.254/24'

15
hieradata/nodes/ausyd1nxvm1069.main.unkin.net.yaml
View File

@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.79
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.79
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.69.254/24'

7
hieradata/nodes/ausyd1nxvm1070.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.80
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1071.main.unkin.net.yaml
View File

@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.81
networking::routes:
default:
gateway: 198.18.13.254

6
hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml → hieradata/nodes/ausyd1nxvm2097.main.unkin.net.yaml
View File

@ -13,9 +13,3 @@ profiles::ssh::sign::principals:
profiles::puppet::puppetca::is_puppetca: true
profiles::puppet::puppetca::allow_subject_alt_names: true
networking::interfaces:
eth0:
ipaddress: 198.18.13.46
networking::routes:
default:
gateway: 198.18.13.254

2
hieradata/nodes/ausyd1nxvm2098.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::cobbler::params::is_cobbler_master: true

12
hieradata/nodes/prodinf01n01.main.unkin.net.yaml
View File

@ -1,12 +0,0 @@
---
profiles::puppet::server::dns_alt_names:
- puppetca.main.unkin.net
- puppetca.service.consul
- puppetca.query.consul
- puppetca
profiles::puppet::puppetca::is_puppetca: false
profiles::puppet::puppetca::allow_subject_alt_names: true
hiera_exclude:
- networking

16
hieradata/nodes/prodnxsr0001.main.unkin.net.yaml
View File

@ -1,5 +1,13 @@
---
profiles::proxmox::params::pve_clusterinit_master: true
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.1 # management loopback
networking_loopback1_ip: 198.18.22.1 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.1 # ceph-public loopback
networking_1000_ip: 198.18.15.1 # 1gbe network
networking_2500_ip: 198.18.21.1 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:c3:60
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:50

15
hieradata/nodes/prodnxsr0002.main.unkin.net.yaml
View File

@ -1,4 +1,13 @@
---
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.2 # management loopback
networking_loopback1_ip: 198.18.22.2 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.2 # ceph-public loopback
networking_1000_ip: 198.18.15.2 # 1gbe network
networking_2500_ip: 198.18.21.2 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:74:b6:08
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:08:43

15
hieradata/nodes/prodnxsr0003.main.unkin.net.yaml
View File

@ -1,4 +1,13 @@
---
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.3 # management loopback
networking_loopback1_ip: 198.18.22.3 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.3 # ceph-public loopback
networking_1000_ip: 198.18.15.3 # 1gbe network
networking_2500_ip: 198.18.21.3 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: b8:85:84:a3:25:c5
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:07:82

13
hieradata/nodes/prodnxsr0004.main.unkin.net.yaml
View File

@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.4 # management loopback
networking_loopback1_ip: 198.18.22.4 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.4 # ceph-public loopback
networking_1000_ip: 198.18.15.4 # 1gbe network
networking_2500_ip: 198.18.21.4 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:d5:00
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:43

13
hieradata/nodes/prodnxsr0005.main.unkin.net.yaml
View File

@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.5 # management loopback
networking_loopback1_ip: 198.18.22.5 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.5 # ceph-public loopback
networking_1000_ip: 198.18.15.5 # 1gbe network
networking_2500_ip: 198.18.21.5 # 2.5gbe network
networking_1000_iface: enp1s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: 54:bf:64:a0:08:64
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:07:79

13
hieradata/nodes/prodnxsr0006.main.unkin.net.yaml
View File

@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.6 # management loopback
networking_loopback1_ip: 198.18.22.6 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.6 # ceph-public loopback
networking_1000_ip: 198.18.15.6 # 1gbe network
networking_2500_ip: 198.18.21.6 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:10:8d
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:53

13
hieradata/nodes/prodnxsr0007.main.unkin.net.yaml
View File

@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.7 # management loopback
networking_loopback1_ip: 198.18.22.7 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.7 # ceph-public loopback
networking_1000_ip: 198.18.15.7 # 1gbe network
networking_2500_ip: 198.18.21.7 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:74:b4:27
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:5b

13
hieradata/nodes/prodnxsr0008.main.unkin.net.yaml
View File

@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.8 # management loopback
networking_loopback1_ip: 198.18.22.8 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.8 # ceph-public loopback
networking_1000_ip: 198.18.15.8 # 1gbe network
networking_2500_ip: 198.18.21.8 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:06:18
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:08:4b

15
hieradata/os/AlmaLinux/all_releases.yaml
View File

@ -3,12 +3,14 @@
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.34.0'
profiles::puppet::agent::version: '7.37.2'
profiles::puppet::agent::openvox_enable: true
hiera_include:
- profiles::almalinux::base
profiles::packages::include:
crypto-policies-scripts: {}
lzo: {}
policycoreutils: {}
unar: {}
@ -49,15 +51,8 @@ profiles::yum::global::repos:
name: epel
descr: epel repository
target: /etc/yum.repos.d/epel.repo
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
baseurl: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
unkinben:
name: unkinben

2
hieradata/os/Debian/Debian11.yaml
View File

@ -11,4 +11,4 @@ profiles::apt::components:
- main
- non-free
profiles::puppet::agent::puppet_version: '7.25.0-1bullseye'
profiles::puppet::agent::version: '7.25.0-1bullseye'

2
hieradata/os/Debian/Debian12.yaml
View File

@ -12,4 +12,4 @@ profiles::apt::components:
- non-free
- non-free-firmware
profiles::puppet::agent::puppet_version: 'latest'
profiles::puppet::agent::version: 'latest'

3
hieradata/roles/apps/media.yaml
View File

@ -69,8 +69,7 @@ profiles::nginx::simpleproxy::locations:
location_allow:
- 127.0.0.1
- "%{facts.networking.ip}"
- 198.18.13.25
- 198.18.13.26
- 198.18.24.0/24
location_deny:
- all
# authorised access from external

14
hieradata/roles/apps/media/jellyfin.yaml
View File

@ -2,6 +2,12 @@
hiera_include:
- jellyfin
profiles::packages::include:
intel-media-driver: {}
libva-intel-driver: {}
libva-intel-hybrid-driver: {}
intel-mediasdk: {}
# manage jellyfin
jellyfin::params::service_enable: true
@ -61,3 +67,11 @@ profiles::yum::global::repos:
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
unkinben:
name: unkinben
descr: unkinben repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el8
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
gpgcheck: false
mirrorlist: absent

1
hieradata/roles/apps/media/lidarr.yaml
View File

@ -2,6 +2,7 @@
hiera_include:
- lidarr
- profiles::nginx::ldapauth
- profiles::media::lidarr
# manage lidarr
lidarr::params::user: lidarr

Some files were not shown because too many files have changed in this diff Show More