Compare commits
29 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 03094712d5 | |||
| 90504e5b02 | |||
| a7b793238a | |||
| 87a6c73578 | |||
| 3e0141bb1b | |||
| bb6f6cbd49 | |||
| 51d6c1e81d | |||
| 537a207779 | |||
| f322440d01 | |||
| ed947dee59 | |||
| a70b6492b0 | |||
| 3079f7d000 | |||
| 1b8f50786f | |||
| b05acb23f4 | |||
| 62f71e1feb | |||
| cdf9456456 | |||
| 2323ef7749 | |||
| 07b89ab737 | |||
| 9359b8902e | |||
| 1e3ce0ec1c | |||
| 496ed12a58 | |||
| e4166c6b14 | |||
| 78f4d2a88f | |||
| 762d980ea8 | |||
| 463abe4b9d | |||
| ecce93bedb | |||
| 9dcaafb8ba | |||
| a21c1b3697 | |||
| bc5bd11f5e |
@@ -60,6 +60,8 @@ mod 'rehan-mkdir', '2.0.0'
|
|||||||
mod 'tailoredautomation-patroni', '2.0.0'
|
mod 'tailoredautomation-patroni', '2.0.0'
|
||||||
mod 'ssm-crypto_policies', '0.3.3'
|
mod 'ssm-crypto_policies', '0.3.3'
|
||||||
mod 'thias-sysctl', '1.0.8'
|
mod 'thias-sysctl', '1.0.8'
|
||||||
|
mod 'openstack-ceph', '7.0.0'
|
||||||
|
|
||||||
|
|
||||||
mod 'bind',
|
mod 'bind',
|
||||||
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||||
|
|||||||
+11
-2
@@ -175,9 +175,18 @@ consul::install_method: 'package'
|
|||||||
consul::manage_repo: false
|
consul::manage_repo: false
|
||||||
consul::bin_dir: /usr/bin
|
consul::bin_dir: /usr/bin
|
||||||
|
|
||||||
|
vault::install_method: 'repo'
|
||||||
|
vault::manage_repo: false
|
||||||
|
vault::bin_dir: /usr/bin
|
||||||
|
vault::manage_service_file: true
|
||||||
|
vault::manage_config_dir: true
|
||||||
|
vault::disable_mlock: false
|
||||||
|
|
||||||
|
profiles::dns::base::nameservers:
|
||||||
|
- 198.18.19.16
|
||||||
profiles::dns::master::basedir: '/var/named/sources'
|
profiles::dns::master::basedir: '/var/named/sources'
|
||||||
profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
|
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
|
||||||
profiles::dns::base::use_ns: 'region'
|
#profiles::dns::base::use_ns: 'region'
|
||||||
profiles::consul::server::members_role: roles::infra::storage::consul
|
profiles::consul::server::members_role: roles::infra::storage::consul
|
||||||
profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
|
profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
|
||||||
profiles::consul::client::members_lookup: true
|
profiles::consul::client::members_lookup: true
|
||||||
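Review bot: `profiles::dns::base::ns_role` and `profiles::dns::base::use_ns` are commented out rather than removed, which leaves two stale keys in common.yaml for the next reader to puzzle over; git already keeps the old values, so delete the lines or say why they stay, e.g. `# role-based ns discovery disabled: resolvers are reached through the anycast address below`. The new `profiles::dns::base::nameservers` entry `198.18.19.16` is the same literal the resolver node files in this compare assign to `dns_resolver_anycast_ip`, so the two can drift apart silently; a comment naming it as the resolver anycast address, or one definition reused by both, would tie them together. `vault::disable_mlock: false` keeps memory locking on, which is what a secrets store wants; a one-line comment to that effect would keep it from being flipped casually.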
|
|||||||
@@ -1,2 +1,9 @@
|
|||||||
---
|
---
|
||||||
timezone::timezone: 'Australia/Darwin'
|
timezone::timezone: 'Australia/Darwin'
|
||||||
|
profiles_dns_upstream_forwarder_unkin:
|
||||||
|
- 198.18.17.23
|
||||||
|
- 198.18.17.24
|
||||||
|
profiles_dns_upstream_forwarder_consul:
|
||||||
|
- 198.18.17.34
|
||||||
|
- 198.18.17.35
|
||||||
|
- 198.18.17.36
|
||||||
|
|||||||
@@ -1,52 +1 @@
|
|||||||
---
|
---
|
||||||
profiles::dns::resolver::zones:
|
|
||||||
main.unkin.net-forward:
|
|
||||||
domain: 'main.unkin.net'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.17.23
|
|
||||||
- 198.18.17.24
|
|
||||||
forward: 'only'
|
|
||||||
13.18.198.in-addr.arpa-forward:
|
|
||||||
domain: '13.18.198.in-addr.arpa'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.17.23
|
|
||||||
- 198.18.17.24
|
|
||||||
forward: 'only'
|
|
||||||
14.18.198.in-addr.arpa-forward:
|
|
||||||
domain: '14.18.198.in-addr.arpa'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.17.23
|
|
||||||
- 198.18.17.24
|
|
||||||
forward: 'only'
|
|
||||||
15.18.198.in-addr.arpa-forward:
|
|
||||||
domain: '15.18.198.in-addr.arpa'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.17.23
|
|
||||||
- 198.18.17.24
|
|
||||||
forward: 'only'
|
|
||||||
16.18.198.in-addr.arpa-forward:
|
|
||||||
domain: '16.18.198.in-addr.arpa'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.17.23
|
|
||||||
- 198.18.17.24
|
|
||||||
forward: 'only'
|
|
||||||
17.18.198.in-addr.arpa-forward:
|
|
||||||
domain: '17.18.198.in-addr.arpa'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.17.23
|
|
||||||
- 198.18.17.24
|
|
||||||
forward: 'only'
|
|
||||||
consul-forward:
|
|
||||||
domain: 'consul'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.17.34
|
|
||||||
- 198.18.17.35
|
|
||||||
- 198.18.17.36
|
|
||||||
forward: 'only'
|
|
||||||
|
|||||||
@@ -1,3 +1,7 @@
|
|||||||
---
|
---
|
||||||
timezone::timezone: 'Australia/Sydney'
|
timezone::timezone: 'Australia/Sydney'
|
||||||
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
|
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
|
||||||
|
profiles_dns_upstream_forwarder_unkin:
|
||||||
|
- 198.18.19.15
|
||||||
|
profiles_dns_upstream_forwarder_consul:
|
||||||
|
- 198.18.19.14
|
||||||
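Review bot: Both forwarder lists here hold a single address, and a reader comparing this with the Darwin file (two and three unicast entries) could read that as a single point of failure; `198.18.19.15` and `198.18.19.14` are the values the new node files assign to `dns_master_anycast_ip` and `profiles::consul::server::anycast_ip`, so add a comment such as `# anycast addresses announced over OSPF by the dns-master / consul nodes, not single hosts`. Nothing in this file shows who consumes `profiles_dns_upstream_forwarder_unkin` and `profiles_dns_upstream_forwarder_consul`; if they are meant to be pulled in with `alias` from the DHCP and resolver hieradata, a short comment saying so would help the next person who renames one.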
|
|||||||
@@ -1,52 +1 @@
|
|||||||
---
|
---
|
||||||
profiles::dns::resolver::zones:
|
|
||||||
main.unkin.net-forward:
|
|
||||||
domain: 'main.unkin.net'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.13.14
|
|
||||||
- 198.18.13.15
|
|
||||||
forward: 'only'
|
|
||||||
13.18.198.in-addr.arpa-forward:
|
|
||||||
domain: '13.18.198.in-addr.arpa'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.13.14
|
|
||||||
- 198.18.13.15
|
|
||||||
forward: 'only'
|
|
||||||
14.18.198.in-addr.arpa-forward:
|
|
||||||
domain: '14.18.198.in-addr.arpa'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.13.14
|
|
||||||
- 198.18.13.15
|
|
||||||
forward: 'only'
|
|
||||||
15.18.198.in-addr.arpa-forward:
|
|
||||||
domain: '15.18.198.in-addr.arpa'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.13.14
|
|
||||||
- 198.18.13.15
|
|
||||||
forward: 'only'
|
|
||||||
16.18.198.in-addr.arpa-forward:
|
|
||||||
domain: '16.18.198.in-addr.arpa'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.13.14
|
|
||||||
- 198.18.13.15
|
|
||||||
forward: 'only'
|
|
||||||
17.18.198.in-addr.arpa-forward:
|
|
||||||
domain: '17.18.198.in-addr.arpa'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.13.14
|
|
||||||
- 198.18.13.15
|
|
||||||
forward: 'only'
|
|
||||||
consul-forward:
|
|
||||||
domain: 'consul'
|
|
||||||
zone_type: 'forward'
|
|
||||||
forwarders:
|
|
||||||
- 198.18.13.19
|
|
||||||
- 198.18.13.20
|
|
||||||
- 198.18.13.21
|
|
||||||
forward: 'only'
|
|
||||||
|
|||||||
@@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
ipaddress: 198.18.13.82
|
||||||
|
networking::routes:
|
||||||
|
default:
|
||||||
|
gateway: 198.18.13.254
|
||||||
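Review bot: `eth0` gets a static `ipaddress` but no `netmask` (or `type`), whereas every other new node file in this compare spells out `netmask` for the address it assigns; unless the networking module is known to default the prefix correctly for this network, add `netmask: 255.255.255.0` (assuming a /24, which matches the `198.18.13.254` gateway and the /24 ACL entries elsewhere in this compare) so the host is not left with a wrong on-link route. Everything else in the interface block runs on module defaults, which is fine, but a comment naming the intended prefix would make the intent reviewable.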
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
profiles::consul::server::anycast_ip: 198.18.19.14
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
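Review bot: This file and the ten `@@ -0,0 +1,47 @@` hunks that follow it are identical except for one key and address (`profiles::consul::server::anycast_ip: 198.18.19.14`, `dns_master_anycast_ip: 198.18.19.15`, `dns_resolver_anycast_ip: 198.18.19.16`), so the frr repo URLs, OSPF settings and interface layout now live in eleven copies; the shared lines belong in a role- or group-level hieradata file, leaving each node file with its one address, and the three key names should follow one convention (the consul one is namespaced, the two dns ones are not). `forwarding: true` on `eth0` makes every DNS and consul host an IP router, which announcing a locally bound `anycast0` address over OSPF presumably does not require — confirm, and drop it if not, since a forwarding host running a routing daemon is more than a leaf node. Nothing in the hunk configures OSPF neighbour authentication, so protection of the anycast route against a rogue speaker on the eth0 segment rests on the frrouting module's defaults or on the upstream routers; state which in a comment, e.g. `# OSPF auth: enforced on the upstream routers, see <placeholder: runbook link>`. The two repos set `gpgkey` but not `gpgcheck`; confirm the yum profile turns signature checking on, or add it explicitly.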
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
profiles::consul::server::anycast_ip: 198.18.19.14
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
profiles::consul::server::anycast_ip: 198.18.19.14
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
profiles::consul::server::anycast_ip: 198.18.19.14
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
profiles::consul::server::anycast_ip: 198.18.19.14
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('profiles::consul::server::anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
dns_master_anycast_ip: 198.18.19.15
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('dns_master_anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
dns_master_anycast_ip: 198.18.19.15
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('dns_master_anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
dns_master_anycast_ip: 198.18.19.15
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('dns_master_anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
dns_resolver_anycast_ip: 198.18.19.16
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
dns_resolver_anycast_ip: 198.18.19.16
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
hiera_include:
|
||||||
|
- frrouting
|
||||||
|
|
||||||
|
# networking
|
||||||
|
dns_resolver_anycast_ip: 198.18.19.16
|
||||||
|
systemd::manage_networkd: true
|
||||||
|
systemd::manage_all_network_files: true
|
||||||
|
networking::interfaces:
|
||||||
|
eth0:
|
||||||
|
type: physical
|
||||||
|
forwarding: true
|
||||||
|
dhcp: true
|
||||||
|
anycast0:
|
||||||
|
type: dummy
|
||||||
|
ipaddress: "%{hiera('dns_resolver_anycast_ip')}"
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
mtu: 1500
|
||||||
|
|
||||||
|
# frrouting
|
||||||
|
frrouting::ospfd_router_id: "%{facts.networking.ip}"
|
||||||
|
frrouting::ospfd_redistribute:
|
||||||
|
- connected
|
||||||
|
frrouting::ospfd_interfaces:
|
||||||
|
eth0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
anycast0:
|
||||||
|
area: 0.0.0.0
|
||||||
|
frrouting::daemons:
|
||||||
|
ospfd: true
|
||||||
|
|
||||||
|
# additional repos
|
||||||
|
profiles::yum::global::repos:
|
||||||
|
frr-extras:
|
||||||
|
name: frr-extras
|
||||||
|
descr: frr-extras repository
|
||||||
|
target: /etc/yum.repos.d/frr-extras.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
|
frr-stable:
|
||||||
|
name: frr-stable
|
||||||
|
descr: frr-stable repository
|
||||||
|
target: /etc/yum.repos.d/frr-stable.repo
|
||||||
|
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||||
|
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||||
|
mirrorlist: absent
|
||||||
@@ -9,6 +9,7 @@ hiera_include:
|
|||||||
- profiles::almalinux::base
|
- profiles::almalinux::base
|
||||||
|
|
||||||
profiles::packages::include:
|
profiles::packages::include:
|
||||||
|
crypto-policies-scripts: {}
|
||||||
lzo: {}
|
lzo: {}
|
||||||
policycoreutils: {}
|
policycoreutils: {}
|
||||||
unar: {}
|
unar: {}
|
||||||
|
|||||||
@@ -15,9 +15,7 @@ profiles::dhcp::server::pools:
|
|||||||
range:
|
range:
|
||||||
- '198.18.15.200 198.18.15.220'
|
- '198.18.15.200 198.18.15.220'
|
||||||
gateway: 198.18.15.254
|
gateway: 198.18.15.254
|
||||||
nameservers:
|
nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
- 198.18.13.12
|
|
||||||
- 198.18.13.13
|
|
||||||
domain_name: main.unkin.net
|
domain_name: main.unkin.net
|
||||||
pxeserver: 198.18.13.27
|
pxeserver: 198.18.13.27
|
||||||
syd1-test:
|
syd1-test:
|
||||||
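Review bot: Replacing the per-pool nameserver lists with `"%{alias('profiles_dns_upstream_forwarder_unkin')}"` resolves the key in the DHCP server's own hiera hierarchy, not per pool, so all five pools — including `drw1-prod`, which previously handed out `198.18.17.7`/`198.18.17.8` — now receive whatever list the DHCP host's own location defines (the same change is made in the four hunks below: `@@ -26,9 +24,7 @@`, `@@ -37,9 +33,7 @@`, `@@ -48,9 +42,7 @@`, `@@ -59,9 +51,7 @@`). If Darwin clients are meant to keep a local resolver, that pool needs its own key or a literal; if one resolver for everyone is intended, a comment on the first pool saying so would stop the next reader from reverting it. Also worth checking that the key is defined at a level the DHCP host actually hits, since an `alias` to a missing key presumably yields an empty value rather than a catalog failure — a default in common.yaml would make the fallback explicit.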
@@ -26,9 +24,7 @@ profiles::dhcp::server::pools:
|
|||||||
range:
|
range:
|
||||||
- '198.18.16.200 198.18.16.220'
|
- '198.18.16.200 198.18.16.220'
|
||||||
gateway: 198.18.16.254
|
gateway: 198.18.16.254
|
||||||
nameservers:
|
nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
- 198.18.13.12
|
|
||||||
- 198.18.13.13
|
|
||||||
domain_name: main.unkin.net
|
domain_name: main.unkin.net
|
||||||
pxeserver: 198.18.13.27
|
pxeserver: 198.18.13.27
|
||||||
syd1-prod1:
|
syd1-prod1:
|
||||||
@@ -37,9 +33,7 @@ profiles::dhcp::server::pools:
|
|||||||
range:
|
range:
|
||||||
- '198.18.13.200 198.18.13.220'
|
- '198.18.13.200 198.18.13.220'
|
||||||
gateway: 198.18.13.254
|
gateway: 198.18.13.254
|
||||||
nameservers:
|
nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
- 198.18.13.12
|
|
||||||
- 198.18.13.13
|
|
||||||
domain_name: main.unkin.net
|
domain_name: main.unkin.net
|
||||||
pxeserver: 198.18.13.27
|
pxeserver: 198.18.13.27
|
||||||
syd1-prod2:
|
syd1-prod2:
|
||||||
@@ -48,9 +42,7 @@ profiles::dhcp::server::pools:
|
|||||||
range:
|
range:
|
||||||
- '198.18.14.200 198.18.14.220'
|
- '198.18.14.200 198.18.14.220'
|
||||||
gateway: 198.18.14.254
|
gateway: 198.18.14.254
|
||||||
nameservers:
|
nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
- 198.18.13.12
|
|
||||||
- 198.18.13.13
|
|
||||||
domain_name: main.unkin.net
|
domain_name: main.unkin.net
|
||||||
pxeserver: 198.18.13.27
|
pxeserver: 198.18.13.27
|
||||||
drw1-prod:
|
drw1-prod:
|
||||||
@@ -59,9 +51,7 @@ profiles::dhcp::server::pools:
|
|||||||
range:
|
range:
|
||||||
- '198.18.17.200 198.18.17.220'
|
- '198.18.17.200 198.18.17.220'
|
||||||
gateway: 198.18.17.1
|
gateway: 198.18.17.1
|
||||||
nameservers:
|
nameservers: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
- 198.18.17.7
|
|
||||||
- 198.18.17.8
|
|
||||||
domain_name: main.unkin.net
|
domain_name: main.unkin.net
|
||||||
pxeserver: 198.18.13.27
|
pxeserver: 198.18.13.27
|
||||||
|
|
||||||
|
|||||||
@@ -9,6 +9,14 @@ profiles::dns::master::acls:
|
|||||||
- 198.18.15.0/24
|
- 198.18.15.0/24
|
||||||
- 198.18.16.0/24
|
- 198.18.16.0/24
|
||||||
- 198.18.17.0/24
|
- 198.18.17.0/24
|
||||||
|
- 198.18.19.0/24
|
||||||
|
- 198.18.20.0/24
|
||||||
|
- 198.18.24.0/24
|
||||||
|
- 198.18.25.0/24
|
||||||
|
- 198.18.26.0/24
|
||||||
|
- 198.18.27.0/24
|
||||||
|
- 198.18.28.0/24
|
||||||
|
- 198.18.29.0/24
|
||||||
|
|
||||||
profiles::dns::master::zones:
|
profiles::dns::master::zones:
|
||||||
main.unkin.net:
|
main.unkin.net:
|
||||||
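Review bot: The ACL gains `198.18.19.0/24`, `198.18.20.0/24` and `198.18.24.0/24`–`198.18.29.0/24`, but the zones hunk below (`@@ -47,6 +55,72 @@`) and the views hunk (`@@ -58,6 +132,17 @@`) also add reverse zones and view members for `21`, `22` and `23.18.198.in-addr.arpa`, so clients on 198.18.21–23.0/24 would presumably not match `acl-main.unkin.net` and could not reach the zones created for them; either add `- 198.18.21.0/24`, `- 198.18.22.0/24`, `- 198.18.23.0/24` here or comment why those networks are excluded. Each new zone also points at `/var/named/sources/NN.18.198.in-addr.arpa.conf`; nothing in this compare creates those files, so confirm they exist under `profiles::dns::master::basedir` before the master is reloaded.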
@@ -47,6 +55,72 @@ profiles::dns::master::zones:
|
|||||||
dynamic: false
|
dynamic: false
|
||||||
ns_notify: true
|
ns_notify: true
|
||||||
source: '/var/named/sources/17.18.198.in-addr.arpa.conf'
|
source: '/var/named/sources/17.18.198.in-addr.arpa.conf'
|
||||||
|
19.18.198.in-addr.arpa:
|
||||||
|
domain: '19.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/19.18.198.in-addr.arpa.conf'
|
||||||
|
20.18.198.in-addr.arpa:
|
||||||
|
domain: '20.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/20.18.198.in-addr.arpa.conf'
|
||||||
|
21.18.198.in-addr.arpa:
|
||||||
|
domain: '21.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/21.18.198.in-addr.arpa.conf'
|
||||||
|
22.18.198.in-addr.arpa:
|
||||||
|
domain: '22.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/22.18.198.in-addr.arpa.conf'
|
||||||
|
23.18.198.in-addr.arpa:
|
||||||
|
domain: '23.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/23.18.198.in-addr.arpa.conf'
|
||||||
|
24.18.198.in-addr.arpa:
|
||||||
|
domain: '24.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/24.18.198.in-addr.arpa.conf'
|
||||||
|
25.18.198.in-addr.arpa:
|
||||||
|
domain: '25.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/25.18.198.in-addr.arpa.conf'
|
||||||
|
26.18.198.in-addr.arpa:
|
||||||
|
domain: '26.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/26.18.198.in-addr.arpa.conf'
|
||||||
|
27.18.198.in-addr.arpa:
|
||||||
|
domain: '27.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/27.18.198.in-addr.arpa.conf'
|
||||||
|
28.18.198.in-addr.arpa:
|
||||||
|
domain: '28.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/28.18.198.in-addr.arpa.conf'
|
||||||
|
29.18.198.in-addr.arpa:
|
||||||
|
domain: '29.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'master'
|
||||||
|
dynamic: false
|
||||||
|
ns_notify: true
|
||||||
|
source: '/var/named/sources/29.18.198.in-addr.arpa.conf'
|
||||||
|
|
||||||
profiles::dns::master::views:
|
profiles::dns::master::views:
|
||||||
master-zones:
|
master-zones:
|
||||||
@@ -58,6 +132,17 @@ profiles::dns::master::views:
|
|||||||
- 15.18.198.in-addr.arpa
|
- 15.18.198.in-addr.arpa
|
||||||
- 16.18.198.in-addr.arpa
|
- 16.18.198.in-addr.arpa
|
||||||
- 17.18.198.in-addr.arpa
|
- 17.18.198.in-addr.arpa
|
||||||
|
- 19.18.198.in-addr.arpa
|
||||||
|
- 20.18.198.in-addr.arpa
|
||||||
|
- 21.18.198.in-addr.arpa
|
||||||
|
- 22.18.198.in-addr.arpa
|
||||||
|
- 23.18.198.in-addr.arpa
|
||||||
|
- 24.18.198.in-addr.arpa
|
||||||
|
- 25.18.198.in-addr.arpa
|
||||||
|
- 26.18.198.in-addr.arpa
|
||||||
|
- 27.18.198.in-addr.arpa
|
||||||
|
- 28.18.198.in-addr.arpa
|
||||||
|
- 29.18.198.in-addr.arpa
|
||||||
match_clients:
|
match_clients:
|
||||||
- acl-main.unkin.net
|
- acl-main.unkin.net
|
||||||
|
|
||||||
|
|||||||
@@ -78,6 +78,96 @@ profiles::dns::resolver::zones:
|
|||||||
- 10.10.16.32
|
- 10.10.16.32
|
||||||
- 10.10.16.33
|
- 10.10.16.33
|
||||||
forward: 'only'
|
forward: 'only'
|
||||||
|
main.unkin.net-forward:
|
||||||
|
domain: 'main.unkin.net'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
13.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '13.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
14.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '14.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
15.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '15.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
16.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '16.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
17.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '17.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
19.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '19.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
20.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '20.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
21.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '21.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
22.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '22.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
23.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '23.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
24.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '24.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
25.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '25.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
26.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '26.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
27.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '27.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
28.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '28.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
29.18.198.in-addr.arpa-forward:
|
||||||
|
domain: '29.18.198.in-addr.arpa'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_unkin')}"
|
||||||
|
forward: 'only'
|
||||||
|
consul-forward:
|
||||||
|
domain: 'consul'
|
||||||
|
zone_type: 'forward'
|
||||||
|
forwarders: "%{alias('profiles_dns_upstream_forwarder_consul')}"
|
||||||
|
forward: 'only'
|
||||||
|
|
||||||
profiles::dns::resolver::views:
|
profiles::dns::resolver::views:
|
||||||
openforwarder:
|
openforwarder:
|
||||||
@@ -93,6 +183,17 @@ profiles::dns::resolver::views:
|
|||||||
- 15.18.198.in-addr.arpa-forward
|
- 15.18.198.in-addr.arpa-forward
|
||||||
- 16.18.198.in-addr.arpa-forward
|
- 16.18.198.in-addr.arpa-forward
|
||||||
- 17.18.198.in-addr.arpa-forward
|
- 17.18.198.in-addr.arpa-forward
|
||||||
|
- 19.18.198.in-addr.arpa-forward
|
||||||
|
- 20.18.198.in-addr.arpa-forward
|
||||||
|
- 21.18.198.in-addr.arpa-forward
|
||||||
|
- 22.18.198.in-addr.arpa-forward
|
||||||
|
- 23.18.198.in-addr.arpa-forward
|
||||||
|
- 24.18.198.in-addr.arpa-forward
|
||||||
|
- 25.18.198.in-addr.arpa-forward
|
||||||
|
- 26.18.198.in-addr.arpa-forward
|
||||||
|
- 27.18.198.in-addr.arpa-forward
|
||||||
|
- 28.18.198.in-addr.arpa-forward
|
||||||
|
- 29.18.198.in-addr.arpa-forward
|
||||||
- 8.10.10.in-addr.arpa-forward
|
- 8.10.10.in-addr.arpa-forward
|
||||||
- 16.10.10.in-addr.arpa-forward
|
- 16.10.10.in-addr.arpa-forward
|
||||||
- 20.10.10.in-addr.arpa-forward
|
- 20.10.10.in-addr.arpa-forward
|
||||||
@@ -100,3 +201,4 @@ profiles::dns::resolver::views:
|
|||||||
- acl-main.unkin.net
|
- acl-main.unkin.net
|
||||||
- acl-nomad-jobs
|
- acl-nomad-jobs
|
||||||
- acl-common
|
- acl-common
|
||||||
|
- acl-dmz
|
||||||
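Review bot: Adding `acl-dmz` to `match_clients` of the `openforwarder` view gives DMZ hosts the same view as internal clients, and the hunk above shows that view forwards `main.unkin.net` and the `198.18.x` reverse zones to the internal upstream, so DMZ clients can enumerate internal hostnames through PTR lookups. If that is intended, record it next to the entry, e.g. `# DMZ hosts need internal name resolution for <reason>`; otherwise a dedicated view matching only `acl-dmz` and listing just the zones the DMZ needs keeps the exposure explicit. The view definition starts outside the hunk, so whether recursion is enabled for it is not visible here.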
|
|||||||
@@ -4,6 +4,7 @@ hiera_include:
|
|||||||
- frrouting
|
- frrouting
|
||||||
- incus
|
- incus
|
||||||
- zfs
|
- zfs
|
||||||
|
- profiles::ceph::mon
|
||||||
|
|
||||||
profiles::packages::include:
|
profiles::packages::include:
|
||||||
bridge-utils: {}
|
bridge-utils: {}
|
||||||
@@ -13,10 +14,18 @@ profiles::pki::vault::alt_names:
|
|||||||
- incus.query.consul
|
- incus.query.consul
|
||||||
- "incus.service.%{facts.country}-%{facts.region}.consul"
|
- "incus.service.%{facts.country}-%{facts.region}.consul"
|
||||||
|
|
||||||
|
profiles::pki::vault::ip_sans:
|
||||||
|
- "%{hiera('networking_loopback0_ip')}"
|
||||||
|
- "%{hiera('networking_loopback1_ip')}"
|
||||||
|
- "%{hiera('networking_loopback2_ip')}"
|
||||||
|
|
||||||
profiles::ssh::sign::principals:
|
profiles::ssh::sign::principals:
|
||||||
- incus.service.consul
|
- incus.service.consul
|
||||||
- incus.query.consul
|
- incus.query.consul
|
||||||
- "incus.service.%{facts.country}-%{facts.region}.consul"
|
- "incus.service.%{facts.country}-%{facts.region}.consul"
|
||||||
|
- "%{hiera('networking_loopback0_ip')}"
|
||||||
|
- "%{hiera('networking_loopback1_ip')}"
|
||||||
|
- "%{hiera('networking_loopback2_ip')}"
|
||||||
|
|
||||||
# configure consul service
|
# configure consul service
|
||||||
consul::services:
|
consul::services:
|
||||||
@@ -26,12 +35,12 @@ consul::services:
|
|||||||
- 'incus'
|
- 'incus'
|
||||||
- 'container'
|
- 'container'
|
||||||
- 'lxd'
|
- 'lxd'
|
||||||
address: "%{facts.networking.ip}"
|
address: "%{hiera('networking_loopback0_ip')}"
|
||||||
port: 8443
|
port: 8443
|
||||||
checks:
|
checks:
|
||||||
- id: 'incus_https_check'
|
- id: 'incus_https_check'
|
||||||
name: 'incus HTTPS Check'
|
name: 'incus HTTPS Check'
|
||||||
http: "https://%{facts.networking.fqdn}:8443"
|
http: "https://%{hiera('networking_loopback0_ip')}:8443"
|
||||||
method: 'GET'
|
method: 'GET'
|
||||||
tls_skip_verify: true
|
tls_skip_verify: true
|
||||||
interval: '10s'
|
interval: '10s'
|
||||||
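Review bot: The health check URL is changed to `https://%{hiera('networking_loopback0_ip')}:8443` while `tls_skip_verify: true` is kept; the previous hunk adds that same loopback address to `profiles::pki::vault::ip_sans`, so the certificate the check connects to should now carry the IP as a SAN and the check could verify it. If the Vault CA is in the consul agent's trust store, change it to `tls_skip_verify: false` (or point the check at the FQDN as before); keeping skip-verify with an IP target means the check passes against any TLS listener on that port.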
@@ -43,6 +52,20 @@ profiles::consul::client::node_rules:
|
|||||||
|
|
||||||
# additional repos
|
# additional repos
|
||||||
profiles::yum::global::repos:
|
profiles::yum::global::repos:
|
||||||
|
ceph:
|
||||||
|
name: ceph
|
||||||
|
descr: ceph repository
|
||||||
|
target: /etc/yum.repos.d/ceph.repo
|
||||||
|
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
|
||||||
|
gpgkey: https://download.ceph.com/keys/release.asc
|
||||||
|
mirrorlist: absent
|
||||||
|
ceph-noarch:
|
||||||
|
name: ceph-noarch
|
||||||
|
descr: ceph-noarch repository
|
||||||
|
target: /etc/yum.repos.d/ceph-noarch.repo
|
||||||
|
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
|
||||||
|
gpgkey: https://download.ceph.com/keys/release.asc
|
||||||
|
mirrorlist: absent
|
||||||
frr-extras:
|
frr-extras:
|
||||||
name: frr-extras
|
name: frr-extras
|
||||||
descr: frr-extras repository
|
descr: frr-extras repository
|
||||||
@@ -65,10 +88,12 @@ profiles::yum::global::repos:
|
|||||||
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
|
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
|
||||||
mirrorlist: absent
|
mirrorlist: absent
|
||||||
|
|
||||||
|
# dns
|
||||||
|
profiles::dns::base::primary_interface: loopback0
|
||||||
|
|
||||||
# networking
|
# networking
|
||||||
systemd::manage_networkd: true
|
systemd::manage_networkd: true
|
||||||
systemd::manage_all_network_files: true
|
systemd::manage_all_network_files: true
|
||||||
#networking::use_networkd: true
|
|
||||||
networking::interfaces:
|
networking::interfaces:
|
||||||
enp2s0:
|
enp2s0:
|
||||||
type: physical
|
type: physical
|
||||||
@@ -110,14 +135,13 @@ frrouting::ospfd_interfaces:
|
|||||||
area: 0.0.0.0
|
area: 0.0.0.0
|
||||||
loopback2:
|
loopback2:
|
||||||
area: 0.0.0.0
|
area: 0.0.0.0
|
||||||
frrouting::mpls_te_enabled: true
|
brcom1:
|
||||||
frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
|
area: 0.0.0.0
|
||||||
frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
|
brdmz1:
|
||||||
frrouting::mpls_ldp_interfaces:
|
area: 0.0.0.0
|
||||||
- enp2s0
|
brwan1:
|
||||||
- enp3s0
|
area: 0.0.0.0
|
||||||
frrouting::daemons:
|
frrouting::daemons:
|
||||||
ldpd: true
|
|
||||||
ospfd: true
|
ospfd: true
|
||||||
|
|
||||||
# add loopback interfaces to ssh list
|
# add loopback interfaces to ssh list
|
||||||
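Review bot: `brdmz1` and `brwan1` are added to `frrouting::ospfd_interfaces` in area 0.0.0.0 alongside the loopbacks and `brcom1`; interfaces facing a DMZ or WAN that participate in OSPF can form adjacencies with any neighbour on that segment unless they are marked passive or protected by authentication. If the frrouting module exposes a passive-interface or authentication option, set it for these two bridges so only the loopback/core interfaces can peer; if they are meant to be advertised only, say so in a comment next to the entries. The removed `ldpd`/MPLS settings here and the dropped `net.mpls.*` sysctls in the hunk below are consistent with each other.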
@@ -193,12 +217,6 @@ sysctl::base::values:
|
|||||||
value: '0'
|
value: '0'
|
||||||
net.ipv4.conf.all.rp_filter:
|
net.ipv4.conf.all.rp_filter:
|
||||||
value: '0'
|
value: '0'
|
||||||
net.mpls.platform_labels:
|
|
||||||
value: '1048575'
|
|
||||||
net.mpls.conf.enp2s0.input:
|
|
||||||
value: '1'
|
|
||||||
net.mpls.conf.enp3s0.input:
|
|
||||||
value: '1'
|
|
||||||
|
|
||||||
# limits.d recommendations
|
# limits.d recommendations
|
||||||
limits::entries:
|
limits::entries:
|
||||||
|
|||||||
@@ -0,0 +1,2 @@
|
|||||||
|
profiles::puppet::puppetdb_api::public_cert: ENC[PKCS7,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]
|
||||||
|
profiles::puppet::puppetdb_api::private_cert: ENC[PKCS7,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]
|
||||||
@@ -29,11 +29,11 @@ profiles::yum::global::repos:
|
|||||||
name: postgresql-15
|
name: postgresql-15
|
||||||
descr: postgresql-15 repository
|
descr: postgresql-15 repository
|
||||||
target: /etc/yum.repos.d/postgresql.repo
|
target: /etc/yum.repos.d/postgresql.repo
|
||||||
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os
|
||||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
|
||||||
postgresql-common:
|
postgresql-common:
|
||||||
name: postgresql-common
|
name: postgresql-common
|
||||||
descr: postgresql-common repository
|
descr: postgresql-common repository
|
||||||
target: /etc/yum.repos.d/postgresql.repo
|
target: /etc/yum.repos.d/postgresql.repo
|
||||||
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
|
||||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
|
||||||
|
|||||||
@@ -206,6 +206,20 @@ profiles::reposync::repos_list:
|
|||||||
release: 'rhel9'
|
release: 'rhel9'
|
||||||
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
|
||||||
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel8_15:
|
||||||
|
repository: '15'
|
||||||
|
description: 'PostgreSQL 15 RHEL 8'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel8'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-8-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel9_15:
|
||||||
|
repository: '15'
|
||||||
|
description: 'PostgreSQL 15 RHEL 9'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel9'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/15/redhat/rhel-9-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
postgresql_rhel8_16:
|
postgresql_rhel8_16:
|
||||||
repository: '16'
|
repository: '16'
|
||||||
description: 'PostgreSQL 16 RHEL 8'
|
description: 'PostgreSQL 16 RHEL 8'
|
||||||
@@ -220,6 +234,20 @@ profiles::reposync::repos_list:
|
|||||||
release: 'rhel9'
|
release: 'rhel9'
|
||||||
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
|
||||||
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel8_17:
|
||||||
|
repository: '17'
|
||||||
|
description: 'PostgreSQL 17 RHEL 8'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel8'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-8-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
|
postgresql_rhel9_17:
|
||||||
|
repository: '17'
|
||||||
|
description: 'PostgreSQL 17 RHEL 9'
|
||||||
|
osname: 'postgresql'
|
||||||
|
release: 'rhel9'
|
||||||
|
baseurl: 'https://download.postgresql.org/pub/repos/yum/17/redhat/rhel-9-x86_64/'
|
||||||
|
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||||
zfs_dkms_rhel8:
|
zfs_dkms_rhel8:
|
||||||
repository: 'dkms'
|
repository: 'dkms'
|
||||||
description: 'ZFS DKMS RHEL 8'
|
description: 'ZFS DKMS RHEL 8'
|
||||||
|
|||||||
@@ -4,14 +4,14 @@ profiles::yum::global::repos:
|
|||||||
name: postgresql-15
|
name: postgresql-15
|
||||||
descr: postgresql-15 repository
|
descr: postgresql-15 repository
|
||||||
target: /etc/yum.repos.d/postgresql.repo
|
target: /etc/yum.repos.d/postgresql.repo
|
||||||
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os
|
||||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/15-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
|
||||||
postgresql-common:
|
postgresql-common:
|
||||||
name: postgresql-common
|
name: postgresql-common
|
||||||
descr: postgresql-common repository
|
descr: postgresql-common repository
|
||||||
target: /etc/yum.repos.d/postgresql.repo
|
target: /etc/yum.repos.d/postgresql.repo
|
||||||
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
baseurl: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os
|
||||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
gpgkey: https://packagerepo.service.consul/postgresql/rhel%{facts.os.release.major}/common-daily/%{facts.os.architecture}/os/PGDG-RPM-GPG-KEY-RHEL
|
||||||
|
|
||||||
profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
|
profiles::sql::patroni::cluster_name: "patroni-%{facts.environment}"
|
||||||
profiles::sql::patroni::postgres_exporter_enabled: true
|
profiles::sql::patroni::postgres_exporter_enabled: true
|
||||||
|
|||||||
@@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
profiles::packages::include:
|
||||||
|
chrony:
|
||||||
|
ensure: absent
|
||||||
|
|
||||||
|
# disable mlock for vault nodes on lxd/incus
|
||||||
|
vault::disable_mlock: true
|
||||||
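Review bot: `vault::disable_mlock: true` lets Vault process memory, including unsealed key material, be paged to swap; the comment explains why (mlock is unavailable in the container) but the compensating control is not recorded. Note next to it whether swap is disabled on the incus/lxd hosts or inside the container, e.g. `# mlock is unavailable inside lxd/incus; host swap must stay disabled to compensate`, and confirm the region-level `vault::disable_mlock: false` default still applies to non-container nodes.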
@@ -12,7 +12,7 @@ class SubnetAttributes
|
|||||||
'198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' },
|
'198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' },
|
||||||
'198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' },
|
'198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' },
|
||||||
'198.18.19.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # loopbacks
|
'198.18.19.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # loopbacks
|
||||||
'198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # MPLS CORE BLOCKS
|
'198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # transit blocks
|
||||||
'198.18.21.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # physical network 2.5gbe
|
'198.18.21.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # physical network 2.5gbe
|
||||||
'198.18.22.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph cluster
|
'198.18.22.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph cluster
|
||||||
'198.18.23.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph public
|
'198.18.23.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph public
|
||||||
|
|||||||
@@ -1,10 +1,11 @@
|
|||||||
# manage static interfaces
|
# manage static interfaces
|
||||||
define networking::static (
|
define networking::static (
|
||||||
String $type,
|
String $type,
|
||||||
Stdlib::IP::Address $ipaddress,
|
|
||||||
Stdlib::IP::Address $netmask = '255.255.255.0',
|
Stdlib::IP::Address $netmask = '255.255.255.0',
|
||||||
Integer[100-9200] $mtu = 1500,
|
Integer[100-9200] $mtu = 1500,
|
||||||
|
Boolean $dhcp = false,
|
||||||
Optional[Boolean] $forwarding = false,
|
Optional[Boolean] $forwarding = false,
|
||||||
|
Optional[Stdlib::IP::Address] $ipaddress = undef,
|
||||||
Optional[Stdlib::IP::Address] $gateway = undef,
|
Optional[Stdlib::IP::Address] $gateway = undef,
|
||||||
Optional[Array[Stdlib::IP::Address]] $dns = undef,
|
Optional[Array[Stdlib::IP::Address]] $dns = undef,
|
||||||
Optional[Array[Stdlib::Fqdn]] $domains = undef,
|
Optional[Array[Stdlib::Fqdn]] $domains = undef,
|
||||||
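Review bot: With `$ipaddress` now `Optional` and `$dhcp` defaulting to `false`, a resource with neither set passes the parameter list and, per the template change in the next hunk, renders a `[Network]` section with neither `Address=` nor `DHCP=`; add a guard in the body (outside this hunk) such as `if !$dhcp and !$ipaddress { fail("networking::static[${title}]: either dhcp or ipaddress must be set") }`. The header comment `# manage static interfaces` should also mention that DHCP is now supported, since the define name no longer describes all it does.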
|
|||||||
@@ -2,6 +2,9 @@
|
|||||||
Name=<%= @title %>
|
Name=<%= @title %>
|
||||||
|
|
||||||
[Network]
|
[Network]
|
||||||
|
<% if @dhcp == true -%>
|
||||||
|
DHCP=yes
|
||||||
|
<% else -%>
|
||||||
<% if @ipaddress && @netmask -%>
|
<% if @ipaddress && @netmask -%>
|
||||||
Address=<%= @ipaddress %>/<%= IPAddr.new(@netmask).to_i.to_s(2).count('1') %>
|
Address=<%= @ipaddress %>/<%= IPAddr.new(@netmask).to_i.to_s(2).count('1') %>
|
||||||
<% end -%>
|
<% end -%>
|
||||||
@@ -14,6 +17,7 @@ DNS=<%= Array(@dns).join(' ') %>
|
|||||||
<% if @domains -%>
|
<% if @domains -%>
|
||||||
Domains=<%= Array(@domains).join(' ') %>
|
Domains=<%= Array(@domains).join(' ') %>
|
||||||
<% end -%>
|
<% end -%>
|
||||||
|
<% end -%>
|
||||||
<% if @bridge and @bridge != true -%>
|
<% if @bridge and @bridge != true -%>
|
||||||
Bridge=<%= @bridge %>
|
Bridge=<%= @bridge %>
|
||||||
<% end -%>
|
<% end -%>
|
||||||
|
|||||||
@@ -15,8 +15,6 @@ class profiles::accounts::sysadmin(
|
|||||||
|
|
||||||
profiles::base::account {'sysadmin':
|
profiles::base::account {'sysadmin':
|
||||||
username => 'sysadmin',
|
username => 'sysadmin',
|
||||||
uid => 1000,
|
|
||||||
gid => 1000,
|
|
||||||
groups => $groups,
|
groups => $groups,
|
||||||
sshkeys => $sshkeys,
|
sshkeys => $sshkeys,
|
||||||
sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
|
sudo_rules => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
|
||||||
|
|||||||
@@ -28,7 +28,9 @@ class profiles::base (
|
|||||||
include profiles::base::groups
|
include profiles::base::groups
|
||||||
include profiles::base::root
|
include profiles::base::root
|
||||||
include profiles::accounts::sysadmin
|
include profiles::accounts::sysadmin
|
||||||
include profiles::ntp::client
|
if $facts['virtual'] != 'lxc' {
|
||||||
|
include profiles::ntp::client
|
||||||
|
}
|
||||||
include profiles::dns::base
|
include profiles::dns::base
|
||||||
include profiles::pki::vault
|
include profiles::pki::vault
|
||||||
include profiles::ssh::sign
|
include profiles::ssh::sign
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
# a wrapper for puppetlabs-account and saz-sudo
|
# a wrapper for puppetlabs-account and saz-sudo
|
||||||
define profiles::base::account (
|
define profiles::base::account (
|
||||||
String $username,
|
String $username,
|
||||||
Integer $uid,
|
Optional[Integer] $uid = undef,
|
||||||
Integer $gid = undef,
|
Optional[Integer] $gid = undef,
|
||||||
Boolean $manage_home = true,
|
Boolean $manage_home = true,
|
||||||
Boolean $create_group = true,
|
Boolean $create_group = true,
|
||||||
Boolean $purge_sshkeys = true,
|
Boolean $purge_sshkeys = true,
|
||||||
|
|||||||
@@ -2,6 +2,9 @@
|
|||||||
#
|
#
|
||||||
# This class manages the creation of a logical volume using the `lvm::volume` definition.
|
# This class manages the creation of a logical volume using the `lvm::volume` definition.
|
||||||
#
|
#
|
||||||
|
# For LXC hosts, this is replaced with a mount added from the host os. This class will simply check the
|
||||||
|
# mountpoint exists.
|
||||||
|
#
|
||||||
# Parameters:
|
# Parameters:
|
||||||
# $ensure - Ensure whether the logical volume is present or not. Defaults to 'present'.
|
# $ensure - Ensure whether the logical volume is present or not. Defaults to 'present'.
|
||||||
# $vg - Volume group name. No default.
|
# $vg - Volume group name. No default.
|
||||||
@@ -25,33 +28,48 @@ class profiles::base::datavol (
|
|||||||
]] $mount_options = ['noatime', 'nodiratime'],
|
]] $mount_options = ['noatime', 'nodiratime'],
|
||||||
) {
|
) {
|
||||||
|
|
||||||
# Ensure the physical volume exists
|
if $facts['virtual'] != 'lxc' {
|
||||||
physical_volume { $pv:
|
|
||||||
ensure => $ensure,
|
|
||||||
before => Volume_group[$vg],
|
|
||||||
}
|
|
||||||
|
|
||||||
# Ensure the volume group exists
|
# Ensure the physical volume exists
|
||||||
volume_group { $vg:
|
physical_volume { $pv:
|
||||||
ensure => $ensure,
|
ensure => $ensure,
|
||||||
physical_volumes => [$pv],
|
before => Volume_group[$vg],
|
||||||
before => Logical_volume[$lv],
|
}
|
||||||
}
|
|
||||||
|
|
||||||
# Ensure the logical volume exists
|
# Ensure the volume group exists
|
||||||
logical_volume { $lv:
|
volume_group { $vg:
|
||||||
ensure => $ensure,
|
ensure => $ensure,
|
||||||
volume_group => $vg,
|
physical_volumes => [$pv],
|
||||||
size => $size,
|
before => Logical_volume[$lv],
|
||||||
before => Filesystem["/dev/${vg}/${lv}"],
|
}
|
||||||
}
|
|
||||||
|
|
||||||
# Ensure the filesystem is created on the logical volume
|
# Ensure the logical volume exists
|
||||||
filesystem { "/dev/${vg}/${lv}":
|
logical_volume { $lv:
|
||||||
ensure => $ensure,
|
ensure => $ensure,
|
||||||
fs_type => $fstype,
|
volume_group => $vg,
|
||||||
require => Logical_volume[$lv],
|
size => $size,
|
||||||
before => Mount[$mount],
|
before => Filesystem["/dev/${vg}/${lv}"],
|
||||||
|
}
|
||||||
|
|
||||||
|
# Ensure the filesystem is created on the logical volume
|
||||||
|
filesystem { "/dev/${vg}/${lv}":
|
||||||
|
ensure => $ensure,
|
||||||
|
fs_type => $fstype,
|
||||||
|
require => Logical_volume[$lv],
|
||||||
|
before => Mount[$mount],
|
||||||
|
}
|
||||||
|
|
||||||
|
# Ensure the logical volume is mounted at the desired location
|
||||||
|
mount { $mount:
|
||||||
|
ensure => $mountstate,
|
||||||
|
device => "/dev/${vg}/${lv}",
|
||||||
|
fstype => $fstype,
|
||||||
|
options => $mount_options.join(','),
|
||||||
|
require => [
|
||||||
|
Filesystem["/dev/${vg}/${lv}"],
|
||||||
|
File[$mount]
|
||||||
|
],
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Ensure the mountpath exists
|
# Ensure the mountpath exists
|
||||||
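Review bot: On LXC hosts the whole LVM/filesystem/mount chain is now skipped and only the `file { $mount }` resource below (outside the hunk) remains, which ensures a plain directory; the header comment added in the previous hunk says the class "will simply check the mountpoint exists", but nothing asserts that the path is actually mounted from the host. Either reword that comment to `# on LXC hosts only the directory is ensured; the host is expected to mount it` or, when `$facts['virtual'] == 'lxc'`, check `$mount` against `$facts['mountpoints']` and `fail` if it is absent.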
@@ -62,12 +80,4 @@ class profiles::base::datavol (
|
|||||||
mode => '0755',
|
mode => '0755',
|
||||||
}
|
}
|
||||||
|
|
||||||
# Ensure the logical volume is mounted at the desired location
|
|
||||||
mount { $mount:
|
|
||||||
ensure => $mountstate,
|
|
||||||
device => "/dev/${vg}/${lv}",
|
|
||||||
fstype => $fstype,
|
|
||||||
options => $mount_options.join(','),
|
|
||||||
require => Filesystem["/dev/${vg}/${lv}"],
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,62 @@
|
|||||||
|
class profiles::ceph::mon (
|
||||||
|
Boolean $members_lookup = true,
|
||||||
|
String $members_role = 'roles::infra::incus::node',
|
||||||
|
String $master = 'prodnxsr0009.main.unkin.net',
|
||||||
|
){
|
||||||
|
|
||||||
|
$admin_key = 'AQAN/iRooIyMCRAAynGdDgfEZX79YycRZcp6tw=='
|
||||||
|
$mon_key = 'AQAa/iRo37CdIhAAERhnXqDVs1BaMcVVIBc3Ew=='
|
||||||
|
$bootstrap_osd_key = 'AQAo/iRoZx0wFxAAhVVQ0BkfBpIeL6l1kdLBIw=='
|
||||||
|
$fsid = 'FBDBD9F1-9606-42D2-9C93-0E9A73BBF2C2'
|
||||||
|
|
||||||
|
# if lookup is enabled
|
||||||
|
if $members_lookup {
|
||||||
|
|
||||||
|
# check that the role is also set
|
||||||
|
unless !($members_role == undef) {
|
||||||
|
fail("members_role must be provided for ${title} when members_lookup is True")
|
||||||
|
}
|
||||||
|
|
||||||
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.hostname'))
|
||||||
|
$servers_ip = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.interfaces.loopback2.ip'))
|
||||||
|
}
|
||||||
|
|
||||||
|
if length($servers_array) >= 3 {
|
||||||
|
|
||||||
|
$servers_hostname_string = join($servers_array, ',')
|
||||||
|
$servers_ip_string = join($servers_ip, ',')
|
||||||
|
|
||||||
|
class { 'ceph':
|
||||||
|
fsid => $fsid,
|
||||||
|
mon_initial_members => $servers_hostname_string,
|
||||||
|
mon_host => $servers_ip_string,
|
||||||
|
cluster_network => '198.18.22.0/24',
|
||||||
|
public_network => '198.18.23.0/24',
|
||||||
|
public_addr => "%{hiera('networking_loopback2_ip')}",
|
||||||
|
}
|
||||||
|
|
||||||
|
ceph::mon { $facts['networking']['hostname']:
|
||||||
|
key => $mon_key,
|
||||||
|
public_addr => $facts['networking']['interfaces']['loopback2']['ip'],
|
||||||
|
}
|
||||||
|
|
||||||
|
Ceph::Key {
|
||||||
|
inject => true,
|
||||||
|
inject_as_id => 'mon.',
|
||||||
|
inject_keyring => "/var/lib/ceph/mon/ceph-${facts['networking']['hostname']}/keyring",
|
||||||
|
}
|
||||||
|
|
||||||
|
ceph::key { 'client.admin':
|
||||||
|
secret => $admin_key,
|
||||||
|
cap_mon => 'allow *',
|
||||||
|
cap_osd => 'allow *',
|
||||||
|
cap_mds => 'allow',
|
||||||
|
}
|
||||||
|
|
||||||
|
ceph::key { 'client.bootstrap-osd':
|
||||||
|
secret => $bootstrap_osd_key,
|
||||||
|
cap_mon => 'allow profile bootstrap-osd',
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
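Review bot: The Ceph admin, mon and bootstrap-osd keys and the cluster fsid are committed in clear text in a manifest (the `$admin_key`, `$mon_key` and `$bootstrap_osd_key` assignments), while this repository already stores secrets as eyaml `ENC[PKCS7,...]` hiera values; move them to encrypted hiera-backed parameters such as `Sensitive[String] $admin_key` and treat the keys now in git history as exposed. `public_addr => "%{hiera('networking_loopback2_ip')}"` on the `ceph` class is a hiera interpolation token, which is not expanded inside a manifest string, so Ceph receives that literal text; use `$facts['networking']['interfaces']['loopback2']['ip']` as the `ceph::mon` resource below already does. When `$members_lookup` is false, `$servers_array` and `$servers_ip` are never assigned, so `length($servers_array)` operates on undef; initialise both to `[]` or fail early. `unless !($members_role == undef)` is a double negation that reads as `if $members_role == undef`, and the `$master` parameter is unused.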
@@ -11,6 +11,7 @@ class profiles::cobbler::config {
|
|||||||
$service_cname = $profiles::cobbler::params::service_cname
|
$service_cname = $profiles::cobbler::params::service_cname
|
||||||
$next_server = $profiles::cobbler::params::next_server
|
$next_server = $profiles::cobbler::params::next_server
|
||||||
$server = $profiles::cobbler::params::server
|
$server = $profiles::cobbler::params::server
|
||||||
|
$cache_enabled = $profiles::cobbler::params::cache_enabled
|
||||||
|
|
||||||
# manage the cobbler settings file
|
# manage the cobbler settings file
|
||||||
file { '/etc/cobbler/settings.yaml':
|
file { '/etc/cobbler/settings.yaml':
|
||||||
|
|||||||
@@ -9,6 +9,7 @@ class profiles::cobbler::params (
|
|||||||
String $next_server = $::facts['networking']['ip'],
|
String $next_server = $::facts['networking']['ip'],
|
||||||
Boolean $pxe_just_once = true,
|
Boolean $pxe_just_once = true,
|
||||||
Boolean $is_cobbler_master = false,
|
Boolean $is_cobbler_master = false,
|
||||||
|
Boolean $cache_enabled = false,
|
||||||
Array $packages = [
|
Array $packages = [
|
||||||
'cobbler',
|
'cobbler',
|
||||||
'cobbler3.2-web',
|
'cobbler3.2-web',
|
||||||
|
|||||||
@@ -45,6 +45,9 @@ class profiles::consul::server (
|
|||||||
Boolean $disable_update_check = true,
|
Boolean $disable_update_check = true,
|
||||||
Boolean $join_remote_regions = false,
|
Boolean $join_remote_regions = false,
|
||||||
Array[String] $remote_regions = [],
|
Array[String] $remote_regions = [],
|
||||||
|
Stdlib::IP::Address $bind_addr = $facts['networking']['ip'],
|
||||||
|
Stdlib::IP::Address $advertise_addr = $facts['networking']['ip'],
|
||||||
|
Optional[Stdlib::IP::Address] $anycast_ip = undef,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
# wait for all attributes to be ready
|
# wait for all attributes to be ready
|
||||||
@@ -112,8 +115,8 @@ class profiles::consul::server (
|
|||||||
'ui' => $enable_ui,
|
'ui' => $enable_ui,
|
||||||
'ui_config' => { 'enabled' => $enable_ui_config },
|
'ui_config' => { 'enabled' => $enable_ui_config },
|
||||||
'performance' => { 'raft_multiplier' => $raft_multiplier },
|
'performance' => { 'raft_multiplier' => $raft_multiplier },
|
||||||
'bind_addr' => $::facts['networking']['ip'],
|
'bind_addr' => $bind_addr,
|
||||||
'advertise_addr' => $::facts['networking']['ip'],
|
'advertise_addr' => $advertise_addr,
|
||||||
'retry_join' => $servers_array,
|
'retry_join' => $servers_array,
|
||||||
'retry_join_wan' => $remote_servers_array,
|
'retry_join_wan' => $remote_servers_array,
|
||||||
},
|
},
|
||||||
@@ -143,7 +146,7 @@ class profiles::consul::server (
|
|||||||
owner => 'root',
|
owner => 'root',
|
||||||
group => 'root',
|
group => 'root',
|
||||||
mode => '0644',
|
mode => '0644',
|
||||||
content => "server=/${domain}/${::facts['networking']['ip']}#${dns_port}\n",
|
content => template('profiles/consul/dnsmasq.conf.erb'),
|
||||||
require => Package['dnsmasq'],
|
require => Package['dnsmasq'],
|
||||||
notify => Service['dnsmasq'],
|
notify => Service['dnsmasq'],
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,13 +1,14 @@
|
|||||||
# profiles::dns::base
|
# profiles::dns::base
|
||||||
class profiles::dns::base (
|
class profiles::dns::base (
|
||||||
String $ns_role = undef,
|
|
||||||
Array $search = [],
|
Array $search = [],
|
||||||
Array $nameservers = ['198.18.13.12', '198.18.13.13'],
|
Array $nameservers = ['198.18.13.12', '198.18.13.13'],
|
||||||
Enum[
|
Optional[Enum[
|
||||||
'all',
|
'all',
|
||||||
'region',
|
'region',
|
||||||
'country'
|
'country'
|
||||||
] $use_ns = 'all',
|
]] $use_ns = undef,
|
||||||
|
String $primary_interface = $facts['networking']['primary'],
|
||||||
|
Optional[String] $ns_role = undef,
|
||||||
){
|
){
|
||||||
|
|
||||||
# install bind_utils
|
# install bind_utils
|
||||||
@@ -43,6 +44,24 @@ class profiles::dns::base (
|
|||||||
}
|
}
|
||||||
|
|
||||||
# export dns records for client
|
# export dns records for client
|
||||||
profiles::dns::client {"${facts['networking']['fqdn']}-default":}
|
$facts['networking']['interfaces'].each | $interface, $data | {
|
||||||
|
|
||||||
|
# exclude those without ipv4 address, lo, docker0 and anycast addresses
|
||||||
|
if $data['ip'] and $interface != 'lo' and $interface != 'docker0' and $interface !~ /^anycast[0-9]$/ {
|
||||||
|
|
||||||
|
# use defaults for the primary_interface
|
||||||
|
if $interface == $primary_interface {
|
||||||
|
profiles::dns::client {"${facts['networking']['fqdn']}-${interface}":
|
||||||
|
interface => $interface,
|
||||||
|
}
|
||||||
|
|
||||||
|
# update secondary interfaces
|
||||||
|
}else{
|
||||||
|
profiles::dns::client {"${facts['networking']['fqdn']}-${interface}":
|
||||||
|
interface => $interface,
|
||||||
|
hostname => "${facts['networking']['hostname']}-${interface}",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
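Review bot: The anycast exclusion in the new interface loop, `$interface !~ /^anycast[0-9]$/`, only matches a single trailing digit, so an `anycast10` interface would get A and PTR records exported like any physical interface; `$interface !~ /^anycast[0-9]+$/` covers the whole series. The same condition excludes only `lo` and `docker0` by exact name, so other virtual bridges that carry an IPv4 address (libvirt's `virbr0`, docker's `br-*` networks) would presumably be published too, which deserves either an explicit pattern or a comment stating that this is intended. Interface names containing `.` or `:` (VLAN or alias interfaces) are also spliced into `hostname => "${facts['networking']['hostname']}-${interface}"` unchanged, which is not a valid DNS label; if such interfaces exist on these hosts the name should be sanitised with `regsubst` first.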
|
|||||||
@@ -1,30 +1,31 @@
|
|||||||
# profiles::dns::client
|
# profiles::dns::client
|
||||||
define profiles::dns::client (
|
define profiles::dns::client (
|
||||||
Boolean $forward = true,
|
Boolean $forward = true,
|
||||||
Boolean $reverse = true,
|
Boolean $reverse = true,
|
||||||
Integer $order = 10,
|
Integer $order = 10,
|
||||||
|
String $interface = $facts['networking']['primary'],
|
||||||
|
Stdlib::Fqdn $hostname = $facts['networking']['hostname'],
|
||||||
|
Stdlib::Fqdn $domain = $facts['networking']['domain'],
|
||||||
){
|
){
|
||||||
|
|
||||||
$intf = $facts['networking']['primary']
|
$last_octet = regsubst($facts['networking']['interfaces'][$interface]['ip'], '^.*\.', '')
|
||||||
$fqdn = $facts['networking']['fqdn']
|
|
||||||
$last_octet = regsubst($::facts['networking']['ip'], '^.*\.', '')
|
|
||||||
|
|
||||||
if $forward {
|
if $forward {
|
||||||
profiles::dns::record { "${fqdn}_${intf}_A":
|
profiles::dns::record { "${title}_A":
|
||||||
value => $::facts['networking']['ip'],
|
value => $facts['networking']['interfaces'][$interface]['ip'],
|
||||||
type => 'A',
|
type => 'A',
|
||||||
record => $::facts['networking']['hostname'],
|
record => $hostname,
|
||||||
zone => $::facts['networking']['domain'],
|
zone => $domain,
|
||||||
order => $order,
|
order => $order,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if $reverse {
|
if $reverse {
|
||||||
profiles::dns::record { "${fqdn}_${intf}_PTR":
|
profiles::dns::record { "${title}_PTR":
|
||||||
value => "${::facts['networking']['fqdn']}.",
|
value => "${hostname}.${domain}.",
|
||||||
type => 'PTR',
|
type => 'PTR',
|
||||||
record => $last_octet,
|
record => $last_octet,
|
||||||
zone => $::facts['arpa'][$intf]['zone'],
|
zone => $facts['arpa'][$interface]['zone'],
|
||||||
order => $order,
|
order => $order,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
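Review bot: `$last_octet` on the new first line of the body dereferences `$facts['networking']['interfaces'][$interface]['ip']` with no check that the interface exists or has an IPv4 address, so a caller passing an unknown or IPv6-only interface fails inside `regsubst` with an opaque undefined-value error instead of a message naming the define; `$facts['arpa'][$interface]['zone']` in the PTR branch has the same exposure. A guard before the records, such as `unless $facts['networking']['interfaces'][$interface] and $facts['networking']['interfaces'][$interface]['ip'] { fail("profiles::dns::client[${title}]: ${interface} has no IPv4 address") }`, gives a clear failure. Taking only the last octet as the PTR label also assumes every reverse zone in `$facts['arpa']` is a /24; a header comment stating that (`# reverse zones are assumed to be /24 — the PTR record label is the last octet only`) would save the next reader from guessing.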
|
|||||||
@@ -3,7 +3,7 @@
|
|||||||
# This class manages the Puppetboard, a web interface to PuppetDB.
|
# This class manages the Puppetboard, a web interface to PuppetDB.
|
||||||
#
|
#
|
||||||
class profiles::puppet::puppetboard (
|
class profiles::puppet::puppetboard (
|
||||||
String $python_version = '3.6',
|
String $python_version = $facts['python3_release'],
|
||||||
Boolean $manage_virtualenv = false,
|
Boolean $manage_virtualenv = false,
|
||||||
Integer $reports_count = 40,
|
Integer $reports_count = 40,
|
||||||
Boolean $offline_mode = true,
|
Boolean $offline_mode = true,
|
||||||
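Review bot: Defaulting `$python_version` to `$facts['python3_release']` means that on a node where that fact is absent (it is not a core Facter fact; presumably it comes from the python module's custom facts) the default resolves to undef and the `String` type check fails with a generic type-mismatch error that does not point at the missing fact. If stdlib is available, `String $python_version = pick($facts['python3_release'], '3.6')` keeps the previous value as a fallback; otherwise declare it `Optional[String]` and `fail()` with a message naming the fact. A short comment on the parameter recording where the fact comes from would help either way.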
|
|||||||
@@ -1,5 +1,7 @@
|
|||||||
# configure the puppetdb api service
|
# configure the puppetdb api service
|
||||||
class profiles::puppet::puppetdb_api (
|
class profiles::puppet::puppetdb_api (
|
||||||
|
String $private_cert,
|
||||||
|
String $public_cert,
|
||||||
String $postgres_host = lookup('puppetdbsql'),
|
String $postgres_host = lookup('puppetdbsql'),
|
||||||
String $listen_address = $facts['networking']['ip'],
|
String $listen_address = $facts['networking']['ip'],
|
||||||
Stdlib::Absolutepath $java_bin = '/usr/bin/java',
|
Stdlib::Absolutepath $java_bin = '/usr/bin/java',
|
||||||
@@ -24,6 +26,24 @@ class profiles::puppet::puppetdb_api (
|
|||||||
|
|
||||||
contain ::puppetdb::server
|
contain ::puppetdb::server
|
||||||
|
|
||||||
|
file { '/etc/puppetlabs/puppetdb/ssl/private.pem':
|
||||||
|
ensure => 'file',
|
||||||
|
content => Sensitive($private_cert),
|
||||||
|
owner => 'puppetdb',
|
||||||
|
group => 'puppetdb',
|
||||||
|
mode => '0600',
|
||||||
|
notify => Service['puppetdb'],
|
||||||
|
}
|
||||||
|
|
||||||
|
file { '/etc/puppetlabs/puppetdb/ssl/public.pem':
|
||||||
|
ensure => 'file',
|
||||||
|
content => $public_cert,
|
||||||
|
owner => 'puppetdb',
|
||||||
|
group => 'puppetdb',
|
||||||
|
mode => '0600',
|
||||||
|
notify => Service['puppetdb'],
|
||||||
|
}
|
||||||
|
|
||||||
# generate the minute for the cron job using fqdn_rand
|
# generate the minute for the cron job using fqdn_rand
|
||||||
$random_minute = fqdn_rand(60)
|
$random_minute = fqdn_rand(60)
|
||||||
|
|
||||||
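Review bot: `$private_cert` is declared as a plain `String` on the new parameter lines, so the private key travels through the compiled catalog and PuppetDB's stored catalog unredacted; wrapping it with `Sensitive()` only at the `file` resource's `content` redacts the file diff in the report, not the class parameter itself. Declaring it `Sensitive[String] $private_cert,` and using `content => $private_cert,` (the file type accepts a Sensitive value directly) keeps it redacted end to end, with hiera callers supplying it via eyaml or `lookup_options` with `convert_to: Sensitive`. The parameter name and target file also disagree — `$private_cert` is written to `private.pem`, i.e. it is a key — so a comment such as `# PEM private key matching $public_cert (written to ssl/private.pem)` would avoid confusion. The hunk does not show the `ssl/` directory being managed; if `puppetdb::server` does not create it, these two resources need a `file { '/etc/puppetlabs/puppetdb/ssl': ensure => directory }` parent.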
|
|||||||
@@ -65,6 +65,15 @@ class profiles::puppet::server (
|
|||||||
notify => Service['puppetserver'],
|
notify => Service['puppetserver'],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
file { '/etc/puppetlabs/puppetserver/conf.d/auth.conf':
|
||||||
|
ensure => 'file',
|
||||||
|
content => template('profiles/puppet/server/auth.conf.erb'),
|
||||||
|
group => 'root',
|
||||||
|
owner => 'root',
|
||||||
|
mode => '0644',
|
||||||
|
notify => Service['puppetserver'],
|
||||||
|
}
|
||||||
|
|
||||||
service { 'puppetserver':
|
service { 'puppetserver':
|
||||||
ensure => running,
|
ensure => running,
|
||||||
enable => true,
|
enable => true,
|
||||||
|
|||||||
@@ -2,6 +2,8 @@
|
|||||||
# saz-ssh manages the service, this is just some additional stuff
|
# saz-ssh manages the service, this is just some additional stuff
|
||||||
class profiles::ssh::service {
|
class profiles::ssh::service {
|
||||||
|
|
||||||
|
include ssh::server
|
||||||
|
|
||||||
# set sshd to start
|
# set sshd to start
|
||||||
systemd::manage_dropin { 'after-network-online.conf':
|
systemd::manage_dropin { 'after-network-online.conf':
|
||||||
ensure => present,
|
ensure => present,
|
||||||
|
|||||||
@@ -6,10 +6,6 @@ class profiles::vault::server (
|
|||||||
Undef
|
Undef
|
||||||
] $members_role = undef,
|
] $members_role = undef,
|
||||||
Array $vault_servers = [],
|
Array $vault_servers = [],
|
||||||
Enum[
|
|
||||||
'archive',
|
|
||||||
'repo'
|
|
||||||
] $install_method = 'archive',
|
|
||||||
Boolean $tls_disable = false,
|
Boolean $tls_disable = false,
|
||||||
Stdlib::Port $client_port = 8200,
|
Stdlib::Port $client_port = 8200,
|
||||||
Stdlib::Port $cluster_port = 8201,
|
Stdlib::Port $cluster_port = 8201,
|
||||||
@@ -19,6 +15,7 @@ class profiles::vault::server (
|
|||||||
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
|
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
|
||||||
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
|
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
|
||||||
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
|
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
|
||||||
|
Stdlib::Absolutepath $audit_log = '/var/log/vault_audit.log',
|
||||||
){
|
){
|
||||||
|
|
||||||
# set a datacentre/cluster name
|
# set a datacentre/cluster name
|
||||||
@@ -56,7 +53,6 @@ class profiles::vault::server (
|
|||||||
|
|
||||||
class { 'vault':
|
class { 'vault':
|
||||||
manage_service => false,
|
manage_service => false,
|
||||||
install_method => $install_method,
|
|
||||||
manage_storage_dir => $manage_storage_dir,
|
manage_storage_dir => $manage_storage_dir,
|
||||||
enable_ui => true,
|
enable_ui => true,
|
||||||
storage => {
|
storage => {
|
||||||
@@ -90,6 +86,14 @@ class profiles::vault::server (
|
|||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# ensure the vault audit log exists
|
||||||
|
file { $audit_log:
|
||||||
|
ensure => 'file',
|
||||||
|
owner => 'vault',
|
||||||
|
group => 'vault',
|
||||||
|
mode => '0600',
|
||||||
|
}
|
||||||
|
|
||||||
service { 'vault':
|
service { 'vault':
|
||||||
ensure => true,
|
ensure => true,
|
||||||
enable => true,
|
enable => true,
|
||||||
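Review bot: The new `file { $audit_log: }` resource pre-creates the audit log as a vault-owned 0600 file, but nothing in the hunk enables a file audit device pointing at it, and Vault only writes audit entries once `vault audit enable file file_path=...` has been run against an unsealed server; if that happens elsewhere (a bootstrap step or separate resources) a comment here should say so, e.g. `# path pre-created so the 'file' audit device, enabled post-unseal, can open it`. Without the audit device being enabled the log stays empty and the class gives a false impression of coverage. The path also sits directly in `/var/log`, where a generic logrotate policy may rotate a file Vault keeps open; Vault needs a SIGHUP after rotation to reopen it, so a matching logrotate stanza with a `postrotate` reload (or `copytruncate`) belongs alongside this resource.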
|
|||||||
@@ -59,7 +59,7 @@ build_reporting_ignorelist: []
|
|||||||
# use cases like writing out large numbers of records. There is a known issue with cache and remote XMLRPC API calls.
|
# use cases like writing out large numbers of records. There is a known issue with cache and remote XMLRPC API calls.
|
||||||
# If you will use Cobbler with config management or infrastructure-as-code tools such as Terraform, it is recommended
|
# If you will use Cobbler with config management or infrastructure-as-code tools such as Terraform, it is recommended
|
||||||
# to disable by setting to false.
|
# to disable by setting to false.
|
||||||
cache_enabled: true
|
cache_enabled: <%= @cache_enabled %>
|
||||||
|
|
||||||
# Cheetah-language autoinstall templates can import Python modules. While this is a useful feature, it is not safe to
|
# Cheetah-language autoinstall templates can import Python modules. While this is a useful feature, it is not safe to
|
||||||
# allow them to import anything they want. This whitelists which modules can be imported through Cheetah. Users can
|
# allow them to import anything they want. This whitelists which modules can be imported through Cheetah. Users can
|
||||||
|
|||||||
@@ -0,0 +1,6 @@
|
|||||||
|
server=/<%= @domain %>/<%= @bind_addr %>#<%= @dns_port %>
|
||||||
|
<% if @anycast_ip -%>
|
||||||
|
listen-address=<%= @anycast_ip %>
|
||||||
|
<% else -%>
|
||||||
|
listen-address=<%= @bind_addr %>
|
||||||
|
<% end -%>
|
||||||
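Review bot: `listen-address` on its own does not make dnsmasq bind only that address: by default it still binds the wildcard on port 53 and merely discards queries that arrive for other addresses, so with `@anycast_ip` set dnsmasq still takes `0.0.0.0:53`, which collides with any other resolver on the host (this repo also deploys named) and still answers nothing on `@bind_addr`. Adding `bind-interfaces` (or `bind-dynamic` if the anycast address can come up after dnsmasq starts) makes the listen restriction real. The template also omits `127.0.0.1` from the listen set, so processes resolving via `localhost` would no longer reach this dnsmasq unless that is intended; either a second `listen-address=127.0.0.1` line or a comment stating why it is left out would settle it.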
@@ -0,0 +1,266 @@
|
|||||||
|
authorization: {
|
||||||
|
version: 1
|
||||||
|
rules: [
|
||||||
|
{
|
||||||
|
# Allow nodes to retrieve their own catalog
|
||||||
|
match-request: {
|
||||||
|
path: "^/puppet/v3/catalog/([^/]+)$"
|
||||||
|
type: regex
|
||||||
|
method: [get, post]
|
||||||
|
}
|
||||||
|
allow: "$1"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs v3 catalog from agents"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow services to retrieve catalogs on behalf of others
|
||||||
|
match-request: {
|
||||||
|
path: "^/puppet/v4/catalog/?$"
|
||||||
|
type: regex
|
||||||
|
method: post
|
||||||
|
}
|
||||||
|
deny: "*"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs v4 catalog for services"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow nodes to retrieve the certificate they requested earlier
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet-ca/v1/certificate/"
|
||||||
|
type: path
|
||||||
|
method: get
|
||||||
|
}
|
||||||
|
allow-unauthenticated: true
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs certificate"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow all nodes to access the certificate revocation list
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet-ca/v1/certificate_revocation_list/ca"
|
||||||
|
type: path
|
||||||
|
method: get
|
||||||
|
}
|
||||||
|
allow-unauthenticated: true
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs crl"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow nodes to request a new certificate
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet-ca/v1/certificate_request"
|
||||||
|
type: path
|
||||||
|
method: [get, put]
|
||||||
|
}
|
||||||
|
allow-unauthenticated: true
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs csr"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow the CA CLI to access the certificate_status endpoint
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet-ca/v1/certificate_status"
|
||||||
|
type: path
|
||||||
|
method: [get, put, delete]
|
||||||
|
}
|
||||||
|
allow: [
|
||||||
|
{
|
||||||
|
extensions: {
|
||||||
|
pp_cli_auth: "true"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
terraform
|
||||||
|
]
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs cert status"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
match-request: {
|
||||||
|
path: "^/puppet-ca/v1/certificate_revocation_list$"
|
||||||
|
type: regex
|
||||||
|
method: put
|
||||||
|
}
|
||||||
|
allow: {
|
||||||
|
extensions: {
|
||||||
|
pp_cli_auth: "true"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs CRL update"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow the CA CLI to access the certificate_statuses endpoint
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet-ca/v1/certificate_statuses"
|
||||||
|
type: path
|
||||||
|
method: get
|
||||||
|
}
|
||||||
|
allow: {
|
||||||
|
extensions: {
|
||||||
|
pp_cli_auth: "true"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs cert statuses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow authenticated access to the CA expirations endpoint
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet-ca/v1/expirations"
|
||||||
|
type: path
|
||||||
|
method: get
|
||||||
|
}
|
||||||
|
allow: "*"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs CA cert and CRL expirations"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow the CA CLI to access the certificate clean endpoint
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet-ca/v1/clean"
|
||||||
|
type: path
|
||||||
|
method: put
|
||||||
|
}
|
||||||
|
allow: {
|
||||||
|
extensions: {
|
||||||
|
pp_cli_auth: "true"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs cert clean"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow unauthenticated access to the status service endpoint
|
||||||
|
match-request: {
|
||||||
|
path: "/status/v1/services"
|
||||||
|
type: path
|
||||||
|
method: get
|
||||||
|
}
|
||||||
|
allow-unauthenticated: true
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs status service - full"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
match-request: {
|
||||||
|
path: "/status/v1/simple"
|
||||||
|
type: path
|
||||||
|
method: get
|
||||||
|
}
|
||||||
|
allow-unauthenticated: true
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs status service - simple"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet/v3/environments"
|
||||||
|
type: path
|
||||||
|
method: get
|
||||||
|
}
|
||||||
|
allow: "*"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs environments"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow nodes to access all file_bucket_files. Note that access for
|
||||||
|
# the 'delete' method is forbidden by Puppet regardless of the
|
||||||
|
# configuration of this rule.
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet/v3/file_bucket_file"
|
||||||
|
type: path
|
||||||
|
method: [get, head, post, put]
|
||||||
|
}
|
||||||
|
allow: "*"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs file bucket file"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow nodes to access all file_content. Note that access for the
|
||||||
|
# 'delete' method is forbidden by Puppet regardless of the
|
||||||
|
# configuration of this rule.
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet/v3/file_content"
|
||||||
|
type: path
|
||||||
|
method: [get, post]
|
||||||
|
}
|
||||||
|
allow: "*"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs file content"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow nodes to access all file_metadata. Note that access for the
|
||||||
|
# 'delete' method is forbidden by Puppet regardless of the
|
||||||
|
# configuration of this rule.
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet/v3/file_metadata"
|
||||||
|
type: path
|
||||||
|
method: [get, post]
|
||||||
|
}
|
||||||
|
allow: "*"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs file metadata"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow nodes to retrieve only their own node definition
|
||||||
|
match-request: {
|
||||||
|
path: "^/puppet/v3/node/([^/]+)$"
|
||||||
|
type: regex
|
||||||
|
method: get
|
||||||
|
}
|
||||||
|
allow: "$1"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs node"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow nodes to store only their own reports
|
||||||
|
match-request: {
|
||||||
|
path: "^/puppet/v3/report/([^/]+)$"
|
||||||
|
type: regex
|
||||||
|
method: put
|
||||||
|
}
|
||||||
|
allow: "$1"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs report"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Allow nodes to update their own facts
|
||||||
|
match-request: {
|
||||||
|
path: "^/puppet/v3/facts/([^/]+)$"
|
||||||
|
type: regex
|
||||||
|
method: put
|
||||||
|
}
|
||||||
|
allow: "$1"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs facts"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet/v3/static_file_content"
|
||||||
|
type: path
|
||||||
|
method: get
|
||||||
|
}
|
||||||
|
allow: "*"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppetlabs static file content"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
match-request: {
|
||||||
|
path: "/puppet/v3/tasks"
|
||||||
|
type: path
|
||||||
|
}
|
||||||
|
allow: "*"
|
||||||
|
sort-order: 500
|
||||||
|
name: "puppet tasks information"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
# Deny everything else. This ACL is not strictly
|
||||||
|
# necessary, but illustrates the default policy
|
||||||
|
match-request: {
|
||||||
|
path: "/"
|
||||||
|
type: path
|
||||||
|
}
|
||||||
|
deny: "*"
|
||||||
|
sort-order: 999
|
||||||
|
name: "puppetlabs deny all"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
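Review bot: The `certificate_status` rule's `allow` list puts the bare certname `terraform` next to the `pp_cli_auth` extension match, so any client presenting a certificate with CN `terraform` may sign and revoke (`put`) and delete (`delete`) certificates through the CA API — that credential is effectively a CA operator key and nothing in the template says so. A comment on that rule, e.g. `# 'terraform' may sign/revoke any CSR: treat its cert as a CA credential and never issue it to agents`, and, if the Terraform provider only needs status reads, a split into a `get`-only rule for `terraform` plus the existing `put`/`delete` rule for `pp_cli_auth` holders, would limit the blast radius. The file is also a static listing with no ERB tags, so the privileged certname cannot vary per environment without editing the template; rendering it from a class parameter (`<%= @ca_admin_certs %>`) would make the grant visible at the profile level.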
@@ -1,6 +0,0 @@
|
|||||||
# a role to deploy the ceph mds
|
|
||||||
# work in progress
|
|
||||||
class roles::ceph::mds {
|
|
||||||
include profiles::defaults
|
|
||||||
include profiles::base
|
|
||||||
}
|
|
||||||
@@ -1,6 +0,0 @@
|
|||||||
# a role to deploy the ceph mon
|
|
||||||
# work in progress
|
|
||||||
class roles::ceph::mon {
|
|
||||||
include profiles::defaults
|
|
||||||
include profiles::base
|
|
||||||
}
|
|
||||||
@@ -1,6 +0,0 @@
|
|||||||
# a role to deploy the ceph osd
|
|
||||||
# work in progress
|
|
||||||
class roles::ceph::osd {
|
|
||||||
include profiles::defaults
|
|
||||||
include profiles::base
|
|
||||||
}
|
|
||||||