3 Commits

Author SHA1 Message Date
unkinben 90ce015d43 feat: add enable/disable flag to firewall::init 2024-11-16 11:50:35 +11:00
unkinben b9465cd78b feat: add firewall rules
- create classes for each class of in/out traffic
- use hier_include to add firewall rules to each role
2024-11-10 12:47:35 +11:00
unkinben ce12303576 feat: add firewall module
- add nftables/ipset modules
- add custom firewall module
2024-11-03 03:32:20 +11:00
142 changed files with 698 additions and 3096 deletions
-5
@@ -3,8 +3,3 @@
detectors:
FeatureEnvy:
enabled: false
TooManyStatements:
enabled: false
UncommunicativeVariableName:
accept:
- e
+38 -41
@@ -2,54 +2,53 @@ forge 'forge.puppetlabs.com'
moduledir 'external_modules'
# puppetlabs
mod 'puppetlabs-stdlib', '9.7.0'
mod 'puppetlabs-inifile', '6.2.0'
mod 'puppetlabs-concat', '9.1.0'
mod 'puppetlabs-vcsrepo', '7.0.0'
mod 'puppetlabs-yumrepo_core', '2.1.0'
mod 'puppetlabs-apt', '10.0.1'
mod 'puppetlabs-lvm', '3.0.1'
mod 'puppetlabs-puppetdb', '7.14.0'
mod 'puppetlabs-postgresql', '9.2.0'
mod 'puppetlabs-firewall', '8.1.4'
mod 'puppetlabs-accounts', '8.2.2'
mod 'puppetlabs-mysql', '16.2.0'
mod 'puppetlabs-stdlib', '9.1.0'
mod 'puppetlabs-inifile', '6.0.0'
mod 'puppetlabs-concat', '9.0.0'
mod 'puppetlabs-vcsrepo', '6.1.0'
mod 'puppetlabs-yumrepo_core', '2.0.0'
mod 'puppetlabs-apt', '9.4.0'
mod 'puppetlabs-lvm', '2.1.0'
mod 'puppetlabs-puppetdb', '7.13.0'
mod 'puppetlabs-postgresql', '9.1.0'
mod 'puppetlabs-accounts', '8.1.0'
mod 'puppetlabs-mysql', '15.0.0'
mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.2.0'
mod 'puppetlabs-java', '11.1.0'
mod 'puppetlabs-reboot', '5.1.0'
mod 'puppetlabs-docker', '10.2.0'
mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0'
mod 'puppetlabs-docker', '10.0.1'
# puppet
mod 'puppet-python', '7.4.0'
mod 'puppet-systemd', '8.1.0'
mod 'puppet-yum', '7.2.0'
mod 'puppet-archive', '7.1.0'
mod 'puppet-chrony', '3.0.0'
mod 'puppet-puppetboard', '11.0.0'
mod 'puppet-nginx', '6.0.1'
mod 'puppet-selinux', '5.0.0'
mod 'puppet-prometheus', '16.0.0'
mod 'puppet-grafana', '14.1.0'
mod 'puppet-consul', '9.1.0'
mod 'puppet-vault', '4.1.1'
mod 'puppet-python', '7.0.0'
mod 'puppet-systemd', '5.1.0'
mod 'puppet-yum', '7.0.0'
mod 'puppet-archive', '7.0.0'
mod 'puppet-chrony', '2.6.0'
mod 'puppet-puppetboard', '9.0.0'
mod 'puppet-nginx', '5.0.0'
mod 'puppet-selinux', '4.1.0'
mod 'puppet-prometheus', '13.4.0'
mod 'puppet-grafana', '13.1.0'
mod 'puppet-consul', '8.0.0'
mod 'puppet-vault', '4.1.0'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '5.1.0'
mod 'puppet-extlib', '7.5.1'
mod 'puppet-network', '2.2.1'
mod 'puppet-kmod', '4.1.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.1.0'
mod 'puppet-rundeck', '9.2.0'
mod 'puppet-redis', '11.1.0'
mod 'puppet-nodejs', '11.0.0'
mod 'puppet-letsencrypt', '11.0.0'
mod 'puppet-rundeck', '9.1.0'
mod 'puppet-redis', '11.0.0'
mod 'puppet-ipset', '4.3.0'
mod 'puppet-nftables', '4.0.0'
# other
mod 'saz-sudo', '9.0.2'
mod 'saz-ssh', '13.1.0'
mod 'saz-limits', '5.0.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'ghoneycutt-puppet', '3.3.0'
mod 'saz-sudo', '8.0.0'
mod 'saz-ssh', '12.1.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0'
mod 'kogitoapp-minio', '1.1.4'
@@ -58,8 +57,6 @@ mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'ssm-crypto_policies', '0.3.3'
mod 'thias-sysctl', '1.0.8'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
+37 -20
@@ -135,20 +135,6 @@ lookup_options:
keepalived::vrrp_instance:
merge:
strategy: deep
profiles::etcd::node::initial_cluster_token:
convert_to: Sensitive
sysctl::base::values:
merge:
strategy: deep
limits::entries:
merge:
strategy: deep
zfs::zpools:
merge:
strategy: deep
zfs::datasets:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -157,8 +143,15 @@ hiera_include:
- networking
- ssh::server
- profiles::accounts::rundeck
- limits
- sysctl::base
- firewall::rules::in::exporters
- firewall::rules::in::consul
- firewall::rules::out::consul
- firewall::rules::out::dns
- firewall::rules::out::http
- firewall::rules::out::https
- firewall::rules::out::ntp
- firewall::rules::out::puppet
- firewall::rules::out::vault
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@@ -171,10 +164,6 @@ profiles::ntp::client::peers:
profiles::base::puppet_servers:
- 'prodinf01n01.main.unkin.net'
consul::install_method: 'package'
consul::manage_repo: false
consul::bin_dir: /usr/bin
profiles::dns::master::basedir: '/var/named/sources'
profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
profiles::dns::base::use_ns: 'region'
@@ -361,3 +350,31 @@ profiles::ceph::client::mons:
# aliases:
# - prodinf01n22
# - repos.main.unkin.net
firewall::enable: true
firewall::ipset_queries:
certbot: "enc_role=roles::infra::pki::certbot"
cobbler: "enc_role=roles::infra::cobbler::server"
consul: "enc_role=roles::infra::storage::consul"
dhcp: "enc_role=roles::infra::dhcp::server"
dns_master: "enc_role=roles::infra::dns::master"
dns_resolver: "enc_role=roles::infra::dns::resolver"
edgecache: "enc_role=roles::infra::storage::edgecache"
gitea_runner: "enc_role=roles::infra::git::runner"
gitea_server: "enc_role=roles::infra::git::gitea"
glauth: "enc_role=roles::infra::auth::glauth"
gonic: "enc_role=roles::apps::music::gonic"
grafana: "enc_role=roles::infra::metrics::grafana"
haproxy: "enc_role=roles::infra::halb::haproxy"
jumphost: "enc_role=roles::infra::proxy::jumphost"
ntp: "enc_role=roles::infra::ntp::server"
prometheus: "enc_role=roles::infra::metrics::prometheus"
puppetboard: "enc_role=roles::infra::puppetboard::server"
puppetmaster: "enc_role=roles::infra::puppet::master"
puppetdb_sql: "enc_role=roles::infra::puppetdb::sql"
puppetdb_api: "enc_role=roles::infra::puppetdb::api"
redis: "enc_role=roles::infra::db::redis"
rundeck: "enc_role=roles::infra::automation::rundeck"
sql_galera: "enc_role=roles::infra::sql::galera"
sql_patroni: "enc_role=roles::infra::sql::patroni"
vault: "enc_role=roles::infra::storage::vault"
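Review bot: `firewall::enable: true` here switches the firewall on for every node, but the common `hiera_include` hunk above only adds `firewall::rules::in::exporters` and `firewall::rules::in::consul` as inbound rules; `firewall::rules::in::sshd` appears only in the per-role hunks further down (cobbler and dhcp), so a role that omits it would lose SSH access if the module's input chain defaults to drop — the module itself is not on this page, so confirm that policy or add `- firewall::rules::in::sshd` to the common list. The `firewall::ipset_queries` values derive ipset membership from the `enc_role` value stored in PuppetDB; that membership is only as trustworthy as the source of `enc_role`, and if it is a node-reported fact rather than ENC or `trusted` data, a misconfigured or compromised node could end up in sets such as `puppetmaster` or `vault` that presumably gate privileged traffic. A comment above the block such as `# ipset members come from PuppetDB enc_role; keep that value ENC-sourced, not a plain node fact` would record the assumption for the next reader.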
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.70
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.71
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.72
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.73
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.74
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.74
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.64.254/24'
@@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.75
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.75
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.65.254/24'
@@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.76
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.76
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.66.254/24'
@@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.77
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.77
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.67.254/24'
@@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.78
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.78
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.68.254/24'
@@ -1,15 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.79
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.79
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
docker::bip: '198.18.69.254/24'
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.80
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.81
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,5 +0,0 @@
---
networking_loopback0_ip: 198.18.19.14 # management loopback
networking::interfaces:
eth0:
mac: 00:16:3e:69:0f:3b
@@ -1,5 +0,0 @@
---
networking_loopback0_ip: 198.18.19.15 # management loopback
networking::interfaces:
eth0:
mac: 00:16:3e:55:46:bd
@@ -1,5 +0,0 @@
---
networking_loopback0_ip: 198.18.19.16 # management loopback
networking::interfaces:
eth0:
mac: 00:16:3e:6a:25:6b
@@ -1,5 +0,0 @@
---
networking_loopback0_ip: 198.18.19.17 # management loopback
networking::interfaces:
eth0:
mac: 00:16:3e:63:89:f2
@@ -1,5 +0,0 @@
---
networking_loopback0_ip: 198.18.19.18 # management loopback
networking::interfaces:
eth0:
mac: 00:16:3e:ca:e1:51
@@ -1,18 +0,0 @@
---
networking_loopback0_ip: 198.18.19.9 # management loopback
networking_loopback1_ip: 198.18.22.9 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.9 # ceph-public loopback
networking_br10_ip: 198.18.25.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:8d
ipaddress: 198.18.15.9
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:5d
ipaddress: 198.18.21.9
#zfs::zpools:
# fastpool:
# ensure: present
# disk: /dev/nvme0n1
@@ -1,13 +0,0 @@
---
networking_loopback0_ip: 198.18.19.10 # management loopback
networking_loopback1_ip: 198.18.22.10 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.10 # ceph-public loopback
networking_br10_ip: 198.18.26.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:37
ipaddress: 198.18.15.10
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:de
ipaddress: 198.18.21.10
@@ -1,13 +0,0 @@
---
networking_loopback0_ip: 198.18.19.11 # management loopback
networking_loopback1_ip: 198.18.22.11 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.11 # ceph-public loopback
networking_br10_ip: 198.18.27.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:0f
ipaddress: 198.18.15.11
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:55
ipaddress: 198.18.21.11
@@ -1,13 +0,0 @@
---
networking_loopback0_ip: 198.18.19.12 # management loopback
networking_loopback1_ip: 198.18.22.12 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.12 # ceph-public loopback
networking_br10_ip: 198.18.28.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:4f:05:1e
ipaddress: 198.18.15.12
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:e5
ipaddress: 198.18.21.12
@@ -1,13 +0,0 @@
---
networking_loopback0_ip: 198.18.19.13 # management loopback
networking_loopback1_ip: 198.18.22.13 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.13 # ceph-public loopback
networking_br10_ip: 198.18.29.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:4f:04:b0
ipaddress: 198.18.15.13
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:36
ipaddress: 198.18.21.13
-21
@@ -1,23 +1,2 @@
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
---
crypto_policies::policy: 'DEFAULT'
profiles::packages::include:
network-scripts: {}
profiles::yum::global::repos:
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
gpgcheck: false
mirrorlist: absent
-34
@@ -1,36 +1,2 @@
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
---
crypto_policies::policy: 'DEFAULT:SHA1'
profiles::yum::global::repos:
baseos:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
extras:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
appstream:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
highavailability:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
crb:
name: crb
descr: crb repository
target: /etc/yum.repos.d/crb.repo
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+16 -6
@@ -3,13 +3,16 @@
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.34.0'
profiles::puppet::agent::puppet_version: '7.26.0'
hiera_include:
- profiles::almalinux::base
profiles::packages::include:
lzo: {}
firewalld:
ensure: absent
network-scripts: {}
policycoreutils: {}
unar: {}
xz: {}
@@ -38,6 +41,13 @@ profiles::yum::global::repos:
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
highavailability:
name: highavailability
descr: highavailability repository
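Review bot: The powertools stanza in this hunk fetches its signing key over cleartext, `gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}`, while the `baseurl` on the line above uses `https://` for the same host; the key is the trust anchor gpgcheck verifies packages against, so it should be at least as well protected as the packages themselves. Change it to `gpgkey: https://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}`. The appstream `gpgkey` line in the context above has the same scheme, so this is presumably a pre-existing pattern worth fixing in the same pass; the old/new side of each line is not marked on this page, so treat the stanza as new only once that is confirmed.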
@@ -56,12 +66,12 @@ profiles::yum::global::repos:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkinben:
name: unkinben
descr: unkinben repository
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
-4
@@ -13,7 +13,3 @@ profiles::packages::include:
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false
consul::install_method: 'url'
consul::manage_repo: false
consul::bin_dir: /usr/local/bin
-1
@@ -1 +0,0 @@
profiles::jupyter::jupyterhub::ldap_bind_pass: ENC[PKCS7,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]
-74
@@ -1,74 +0,0 @@
---
profiles::packages::include:
python3.12: {}
python3.12-pip: {}
hiera_include:
- docker
- profiles::nginx::simpleproxy
# manage docker
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'jupyterhub.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- jupyterhub.service.consul
- jupyterhub.query.consul
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
profiles::nginx::simpleproxy::locations:
# authorised access from external
default:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Real-IP $remote_addr'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
- 'X-Scheme $scheme'
proxy_redirect: 'off'
proxy_http_version: '1.1'
proxy_buffering: 'off'
# additional altnames
profiles::pki::vault::alt_names:
- jupyterhub.service.consul
- jupyterhub.query.consul
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
jupyterhub:
service_name: 'jupyterhub'
tags:
- 'jupyterhub'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'jupyterhub_http_check'
name: 'jupyterhub HTTP Check'
http: "https://%{facts.networking.fqdn}"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jupyterhub
disposition: write
-32
@@ -63,8 +63,6 @@ glauth::users:
- 20018
- 20023
- 20024
- 20025 # jupyterhub_admin
- 20026 # jupyterhub_user
loginshell: '/bin/bash'
homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -173,24 +171,6 @@ glauth::users:
loginshell: '/bin/bash'
homedir: '/home/margol'
passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
sudobo:
user_name: 'sudobo'
givenname: 'Sudaporn'
sn: 'Obom'
mail: 'sudobo@users.main.unkin.net'
uidnumber: 20007
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
- 20026 # jupyterhub_user
loginshell: '/bin/bash'
homedir: '/home/sudobo'
passsha256: 'a326e049c2a615226877946220a978a0a8247c569be1adcd73539b09b14136d0'
glauth::services:
svc_jellyfin:
@@ -261,12 +241,6 @@ glauth::services:
uidnumber: 30009
primarygroup: 20001
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
svc_jupyterhub:
service_name: 'svc_jupyterhub'
mail: 'jupyterhub@service.main.unkin.net'
uidnumber: 30010
primarygroup: 20001
passsha256: '09db1e0c2498214da35f3f2ed46a90a7b90635c207f8725e7abf76b48345a39b'
glauth::groups:
users:
@@ -320,9 +294,3 @@ glauth::groups:
vault_admin:
group_name: 'vault_admin'
gidnumber: 20024
jupyterhub_admin:
group_name: 'jupyterhub_admin'
gidnumber: 20025
jupyterhub_user:
group_name: 'jupyterhub_user'
gidnumber: 20026
@@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive
hiera_include:
- profiles::selinux::setenforce
- firewall::rules::in::cobbler
- firewall::rules::in::http
- firewall::rules::in::https
- firewall::rules::in::tftp
- firewall::rules::in::sshd
+4
@@ -1,4 +1,8 @@
---
hiera_include:
- firewall::rules::in::dhcp
- firewall::rules::in::sshd
profiles::dhcp::server::ntpservers:
- ntp01.main.unkin.net
- ntp02.main.unkin.net
-26
@@ -10,30 +10,6 @@ profiles::dns::resolver::acls:
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
- 198.18.18.0/24
- 198.18.19.0/24
- 198.18.20.0/24
- 198.18.21.0/24
- 198.18.22.0/24
- 198.18.23.0/24
acl-dmz:
addresses:
- 198.18.24.0/24
acl-common:
addresses:
- 198.18.25.0/24
- 198.18.26.0/24
- 198.18.27.0/24
- 198.18.28.0/24
- 198.18.29.0/24
acl-nomad-jobs:
addresses:
- 198.18.64.0/24
- 198.18.65.0/24
- 198.18.66.0/24
- 198.18.67.0/24
- 198.18.68.0/24
- 198.18.69.0/24
profiles::dns::resolver::zones:
8.10.10.in-addr.arpa-forward:
@@ -98,5 +74,3 @@ profiles::dns::resolver::views:
- 20.10.10.in-addr.arpa-forward
match_clients:
- acl-main.unkin.net
- acl-nomad-jobs
- acl-common
-2
@@ -1,2 +0,0 @@
---
profiles::etcd::node::initial_cluster_token: ENC[PKCS7,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]
-62
@@ -1,62 +0,0 @@
---
hiera_include:
- profiles::etcd::node
profiles::etcd::node::members_lookup: true
profiles::etcd::node::members_role: roles::infra::etcd::node
profiles::etcd::node::config:
data-dir: /data/etcd
client-cert-auth: false
client-transport-security:
cert-file: /etc/pki/tls/vault/certificate.crt
key-file: /etc/pki/tls/vault/private.key
client-cert-auth: false
auto-tls: false
peer-transport-security:
cert-file: /etc/pki/tls/vault/certificate.crt
key-file: /etc/pki/tls/vault/private.key
client-cert-auth: false
auto-tls: false
allowed-cn:
max-wals: 5
max-snapshots: 5
snapshot-count: 10000
heartbeat-interval: 100
election-timeout: 1000
cipher-suites: [
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
]
tls-min-version: 'TLS1.2'
tls-max-version: 'TLS1.3'
profiles::pki::vault::alt_names:
- etcd.service.consul
- etcd.query.consul
- "etcd.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- etcd.query.consul
- etcd.service.consul
- etcd.service.%{facts.country}-%{facts.region}.consul
consul::services:
etcd:
service_name: 'etcd'
tags:
- 'etcd'
address: "%{facts.networking.ip}"
port: 2379
checks:
- id: 'etcd_http_health_check'
name: 'ETCD HTTP Health Check'
http: "https://%{facts.networking.ip}:2379/health"
method: 'GET'
interval: '10s'
timeout: '1s'
tls_skip_verify: true
profiles::consul::client::node_rules:
- resource: service
segment: etcd
disposition: write
-8
@@ -5,7 +5,6 @@ hiera_include:
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
profiles::gitea::runner::home: /data/runner
profiles::gitea::runner::version: '0.2.10'
@@ -45,10 +44,3 @@ profiles::gitea::runner::config:
force_rebuild: false
host:
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
# enable ip forwarding for docker containers
sysctl::base::values:
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
-125
@@ -1,125 +0,0 @@
---
hiera_include:
- incus
- zfs
profiles::packages::include:
bridge-utils: {}
dnsmasq: {}
profiles::pki::vault::alt_names:
- incus-images.service.consul
- incus-images.query.consul
- "incus-images.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- incus-images.service.consul
- incus-images.query.consul
- "incus-images.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
incus-images:
service_name: 'incus-images'
tags:
- 'incus'
- 'images'
- 'container'
- 'lxd'
address: "%{facts.networking.ip}"
port: 8443
checks:
- id: 'incus_https_check'
name: 'incus HTTPS Check'
http: "https://%{facts.networking.fqdn}:8443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: incus-images
disposition: write
# additional repos
profiles::yum::global::repos:
zfs-kmod:
name: zfs-kmod
descr: zfs-kmod repository
target: /etc/yum.repos.d/zfs-kmod.repo
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
mirrorlist: absent
# zfs settings
zfs::manage_repo: false
zfs::zfs_arc_min: ~
zfs::zfs_arc_max: 429496729 # 400MB
zfs::zpools:
fastpool:
ensure: present
disk: /dev/vdb
ashift: 12
zfs::datasets:
fastpool:
canmount: 'off'
acltype: posix
atime: 'off'
relatime: 'off'
compression: 'zstd'
xattr: 'sa'
fastpool/data:
canmount: 'on'
mountpoint: '/data'
fastpool/data/incus:
canmount: 'on'
mountpoint: '/data/incus'
# manage incus
incus::init: true
incus::server_port: 8443
incus::storage_images_volume: fastpool/imagestore
# add sysadmin to incus-admin group
profiles::accounts::sysadmin::extra_groups:
- incus-admin
# sysctl recommendations
sysctl::base::values:
fs.aio-max-nr:
value: '524288'
fs.inotify.max_queued_events:
value: '1048576'
fs.inotify.max_user_instances:
value: '1048576'
fs.inotify.max_user_watches:
value: '1048576'
kernel.dmesg_restrict:
value: '1'
kernel.keys.maxbytes:
value: '2000000'
kernel.keys.maxkeys:
value: '2000'
net.core.bpf_jit_limit:
value: '1000000000'
net.ipv4.neigh.default.gc_thresh3:
value: '8192'
net.ipv6.neigh.default.gc_thresh3:
value: '8192'
vm.max_map_count:
value: '262144'
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
# limits.d recommendations
limits::entries:
'*/nofile':
both: 1048576
'root/nofile':
both: 1048576
'*/memlock':
both: unlimited
'root/memlock':
both: unlimited
-220
@@ -1,220 +0,0 @@
---
hiera_include:
- profiles::selinux::frr
- frrouting
- incus
- zfs
profiles::packages::include:
bridge-utils: {}
profiles::pki::vault::alt_names:
- incus.service.consul
- incus.query.consul
- "incus.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- incus.service.consul
- incus.query.consul
- "incus.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
incus:
service_name: 'incus'
tags:
- 'incus'
- 'container'
- 'lxd'
address: "%{facts.networking.ip}"
port: 8443
checks:
- id: 'incus_https_check'
name: 'incus HTTPS Check'
http: "https://%{facts.networking.fqdn}:8443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: incus
disposition: write
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
zfs-kmod:
name: zfs-kmod
descr: zfs-kmod repository
target: /etc/yum.repos.d/zfs-kmod.repo
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
mirrorlist: absent
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
#networking::use_networkd: true
networking::interfaces:
enp2s0:
type: physical
txqueuelen: 10000
forwarding: true
enp3s0:
type: physical
mtu: 9000
txqueuelen: 10000
forwarding: true
loopback0:
type: dummy
ipaddress: "%{hiera('networking_loopback0_ip')}"
netmask: 255.255.255.255
mtu: 9000
loopback1:
type: dummy
ipaddress: "%{hiera('networking_loopback1_ip')}"
netmask: 255.255.255.255
mtu: 9000
loopback2:
type: dummy
ipaddress: "%{hiera('networking_loopback2_ip')}"
netmask: 255.255.255.255
mtu: 9000
# frrouting
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
enp2s0:
area: 0.0.0.0
enp3s0:
area: 0.0.0.0
loopback0:
area: 0.0.0.0
loopback1:
area: 0.0.0.0
loopback2:
area: 0.0.0.0
brmplscore:
area: 0.0.0.0
frrouting::mpls_te_enabled: true
frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
frrouting::mpls_ldp_interfaces:
- loopback0
- enp2s0
- enp3s0
- brmplscore
frrouting::daemons:
ldpd: true
ospfd: true
# add loopback interfaces to ssh list
ssh::server::options:
ListenAddress:
- "%{hiera('networking_loopback0_ip')}"
# zfs settings
zfs::manage_repo: false
zfs::zfs_arc_min: ~
zfs::zfs_arc_max: 4294967296 # 4GB
zfs::zpools:
fastpool:
ensure: present
disk: /dev/nvme1n1
ashift: 12
zfs::datasets:
fastpool:
canmount: 'off'
acltype: posix
atime: 'off'
relatime: 'off'
compression: 'zstd'
xattr: 'sa'
fastpool/data:
canmount: 'on'
mountpoint: '/data'
fastpool/data/incus:
canmount: 'on'
mountpoint: '/data/incus'
# manage incus
incus::init: true
incus::bridge: br10
incus::server_port: 8443
incus::server_addr: "%{hiera('networking_loopback0_ip')}"
# add sysadmin to incus-admin group
profiles::accounts::sysadmin::extra_groups:
- incus-admin
# sysctl recommendations
sysctl::base::values:
fs.aio-max-nr:
value: '524288'
fs.inotify.max_queued_events:
value: '1048576'
fs.inotify.max_user_instances:
value: '1048576'
fs.inotify.max_user_watches:
value: '1048576'
kernel.dmesg_restrict:
value: '1'
kernel.keys.maxbytes:
value: '2000000'
kernel.keys.maxkeys:
value: '2000'
net.core.bpf_jit_limit:
value: '1000000000'
net.ipv4.neigh.default.gc_thresh3:
value: '8192'
net.ipv6.neigh.default.gc_thresh3:
value: '8192'
vm.max_map_count:
value: '262144'
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
net.ipv4.tcp_l3mdev_accept:
value: '0'
net.ipv4.conf.default.rp_filter:
value: '0'
net.ipv4.conf.all.rp_filter:
value: '0'
net.mpls.platform_labels:
value: '1048575'
net.mpls.conf.enp2s0.input:
value: '1'
net.mpls.conf.enp3s0.input:
value: '1'
net.mpls.conf.brmplscore.input:
value: '1'
net.mpls.conf.loopback0.input:
value: '1'
# limits.d recommendations
limits::entries:
'*/nofile':
both: 1048576
'root/nofile':
both: 1048576
'*/memlock':
both: unlimited
'root/memlock':
both: unlimited
-79
@@ -1,79 +0,0 @@
---
hiera_include:
- profiles::selinux::frr
- frrouting
# additional repos
profiles::yum::global::repos:
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
dhcp: true
type: physical
mtu: 8000
forwarding: true
loopback0:
type: dummy
ipaddress: "%{hiera('networking_loopback0_ip')}"
netmask: 255.255.255.255
mtu: 8000
# frrouting
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
loopback0:
area: 0.0.0.0
frrouting::mpls_te_enabled: true
frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
frrouting::mpls_ldp_interfaces:
- eth0
- loopback0
frrouting::daemons:
ldpd: true
ospfd: true
# add loopback interfaces to ssh list
ssh::server::options:
ListenAddress:
- "%{hiera('networking_loopback0_ip')}"
# sysctl recommendations
sysctl::base::values:
net.ipv4.conf.all.forwarding:
value: '1'
net.ipv6.conf.all.forwarding:
value: '1'
net.ipv4.tcp_l3mdev_accept:
value: '0'
net.ipv4.conf.default.rp_filter:
value: '0'
net.ipv4.conf.all.rp_filter:
value: '0'
net.mpls.platform_labels:
value: '1048575'
net.mpls.conf.eth0.input:
value: '1'
net.mpls.conf.loopback0.input:
value: '1'
-2
@@ -1,2 +0,0 @@
---
ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEzl2zX8ok6iURymPLbvkFE/dZhunzwisNCsLE5Tx6Pmil0PNx7iFULHXxWU6HMVOxzJmgcnTY+NsRnoTMSpXHGeC3wmD525T4xO4wvG/l9apzmPs1NTI4hcyYCj4NkAKyo249xXEodU4uM2AZp3ZgLBLf2cZpOe0/SPngWSq0kC4pJMnxWH+YsQ/O/1EMxpjSgMMna4YcMtcW2M0+wRhASNSTV7icsiAp6F/cInZuP44ASviHmM6+aMEhygBariOT80kaHZZI+aP6vqSd9lChXCV5qjRzeoEBIKOzT2ZBj41RTsF75J8UYFPwY7dp584tDpiIedUSR9IRCJe4d0uTjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCau9oXJiYiCGgvxZl62EsagDDgX2cU3+3QCkImEGS1oBahkPl3fYHKynbRi0ZQW1CoW0UFRzY8FmWmGkowns9OsIM=]
-72
@@ -1,72 +0,0 @@
---
hiera_include:
- docker
- docker::networks
- frrouting
- profiles::nomad::node
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
docker::ip_forward: true
docker::ip_masq: false
docker::iptables: false
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
ens19:
passive: true
docker0:
area: 0.0.0.1
profiles::yum::global::repos:
ceph-reef:
name: ceph-reef
descr: ceph reef repository
target: /etc/yum.repos.d/ceph-reef.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgcheck: 0,
mirrorlist: absent
profiles::ceph::client::keyrings:
nomad:
key: "%{hiera('ceph::key::media')}"
profiles::packages::include:
nomad: {}
cni-plugins: {}
profiles::nomad::node::client: true
# additional altnames
profiles::pki::vault::alt_names:
- client.global.nomad
- client.au-syd1.nomad
- nomad-client.service.consul
- nomad-client.query.consul
- "nomad-client.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
profiles::consul::client::node_rules:
- resource: service
segment: nomad-client
disposition: write
- resource: agent_prefix
segment: ''
disposition: read
- resource: node_prefix
segment: ''
disposition: write
- resource: service_prefix
segment: ''
disposition: write
- resource: key_prefix
segment: "nomad"
disposition: write
- resource: session_prefix
segment: ""
disposition: write
-34
@@ -1,34 +0,0 @@
---
hiera_include:
- profiles::nomad::node
profiles::packages::include:
nomad: {}
profiles::nomad::node::server: true
# additional altnames
profiles::pki::vault::alt_names:
- client.global.nomad
- client.au-syd1.nomad
- server.global.nomad
- server.au-syd1.nomad
- nomad.service.consul
- nomad.query.consul
- "nomad.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
profiles::consul::client::node_rules:
- resource: service
segment: nomad
disposition: write
- resource: agent_prefix
segment: ''
disposition: read
- resource: node_prefix
segment: ''
disposition: write
- resource: service_prefix
segment: ''
disposition: write
+2
@@ -2,6 +2,8 @@
hiera_include:
- certbot
- profiles::pki::puppetcerts
- firewall::rules::in::sshd
- firewall::rules::in::https
certbot::domains:
- au-syd1-pve.main.unkin.net
-29
@@ -1,29 +0,0 @@
profiles::pki::vault::alt_names:
- jumphost.service.consul
- jumphost.query.consul
- "jumphost.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- jumphost.query.consul
- jumphost.service.consul
- jumphost.service.%{facts.country}-%{facts.region}.consul
consul::services:
jumphost:
service_name: 'jumphost'
tags:
- 'jumphost'
- 'proxy'
- 'ssh'
address: "%{facts.networking.ip}"
port: 22
checks:
- id: 'ssh_tcp_check'
name: 'SSH TCP Check'
tcp: "%{facts.networking.ip}:22"
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jumphost
disposition: write
+1 -8
@@ -5,13 +5,6 @@ profiles::puppet::autosign::subnet_ranges:
- '198.18.15.0/24'
- '198.18.16.0/24'
- '198.18.17.0/24'
- '198.18.20.0/24'
- '198.18.24.0/24'
- '198.18.25.0/24'
- '198.18.26.0/24'
- '198.18.27.0/24'
- '198.18.28.0/24'
- '198.18.29.0/24'
profiles::puppet::autosign::domains:
- '*.main.unkin.net'
@@ -26,7 +19,7 @@ profiles::puppet::cobbler_enc::packages:
- 'requests'
- 'PyYAML'
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkin/puppet-r10k.git
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkinben/puppet-r10k.git
profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
@@ -1 +0,0 @@
profiles::puppet::puppetboard::secret_key: ENC[PKCS7,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]
+9
@@ -37,3 +37,12 @@ profiles::consul::client::node_rules:
- resource: service
segment: puppetdbapi
disposition: write
hiera_include:
- firewall::rules::in::sshd
- firewall::rules::in::puppetdbapi
firewall::rules::in::exporters::ports:
- 9100
- 9558
- 9635
+93 -207
@@ -2,161 +2,110 @@
profiles::packages::include:
createrepo: {}
profiles::ssh::sign::principals:
- packagerepo.service.consul
- packagerepo.query.consul
- "packagerepo.service.%{facts.country}-%{facts.region}.consul"
# additional altnames
profiles::pki::vault::alt_names:
- packagerepo.main.unkin.net
- packagerepo.service.consul
- packagerepo.query.consul
- "packagerepo.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
jupyterhub:
service_name: 'packagerepo'
tags:
- 'packagerepo'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'packagerepo_http_check'
name: 'packagerepo HTTP Check'
http: "https://%{facts.networking.fqdn}"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: packagerepo
disposition: write
- repos.main.unkin.net
profiles::reposync::webserver::nginx_listen_mode: both
profiles::reposync::webserver::nginx_cert_type: vault
profiles::reposync::repos_list:
almalinux_9_5_baseos:
repository: 'baseos'
description: 'AlmaLinux 9.5 BaseOS'
almalinux_8_9_baseos:
repository: 'BaseOS'
description: 'AlmaLinux 8.9 - BaseOS'
osname: 'almalinux'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_appstream:
repository: 'appstream'
description: 'AlmaLinux 9.5 AppStream'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/baseos
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_appstream:
repository: 'AppStream'
description: 'AlmaLinux 8.9 - AppStream'
osname: 'almalinux'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_crb:
repository: 'crb'
description: 'AlmaLinux 9.5 CRB'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/appstream
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_highavailability:
repository: 'HighAvailability'
description: 'AlmaLinux 8.9 - HighAvailability'
osname: 'almalinux'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_ha:
repository: 'ha'
description: 'AlmaLinux 9.5 HighAvailability'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/ha
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_powertools:
repository: 'PowerTools'
description: 'AlmaLinux 8.9 - PowerTools'
osname: 'almalinux'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_5_extras:
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/powertools
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
almalinux_8_9_extras:
repository: 'extras'
description: 'AlmaLinux 9.5 extras'
description: 'AlmaLinux 8.9 - extras'
osname: 'almalinux'
release: '9.5'
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_baseos:
repository: 'baseos'
description: 'AlmaLinux 9.4 BaseOS'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_appstream:
repository: 'appstream'
description: 'AlmaLinux 9.4 AppStream'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_crb:
repository: 'crb'
description: 'AlmaLinux 9.4 CRB'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_ha:
repository: 'ha'
description: 'AlmaLinux 9.4 HighAvailability'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
almalinux_9_4_extras:
repository: 'extras'
description: 'AlmaLinux 9.4 extras'
osname: 'almalinux'
release: '9.4'
baseurl: 'https://vault.almalinux.org/9.4/extras/x86_64/os/'
gpgkey: 'https://vault.almalinux.org/9.4/extras/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
docker_stable_el8:
repository: 'stable'
description: 'Docker CE Stable EL8'
osname: 'docker'
release: 'el8'
baseurl: 'https://download.docker.com/linux/centos/8/x86_64/stable/'
gpgkey: 'https://download.docker.com/linux/centos/gpg'
docker_stable_el9:
repository: 'stable'
description: 'Docker CE Stable EL9'
osname: 'docker'
release: 'el9'
baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
gpgkey: 'https://download.docker.com/linux/centos/gpg'
frr_stable_el8:
repository: 'stable'
description: 'FRR Stable EL8'
osname: 'frr'
release: 'el8'
baseurl: 'https://rpm.frrouting.org/repo/el8/frr/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_extras_el8:
repository: 'extras'
description: 'FRR Extras EL8'
osname: 'frr'
release: 'el8'
baseurl: 'https://rpm.frrouting.org/repo/el8/extras/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_stable_el9:
repository: 'stable'
description: 'FRR Stable EL9'
osname: 'frr'
release: 'el9'
baseurl: 'https://rpm.frrouting.org/repo/el9/frr/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
frr_extras_el9:
repository: 'extras'
description: 'FRR Extras el9'
osname: 'frr'
release: 'el9'
baseurl: 'https://rpm.frrouting.org/repo/el9/extras/'
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
k8s_1.32:
repository: '1.32'
description: 'Kubernetes 1.32'
osname: 'k8s'
release: '1.32'
baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/'
gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/repodata/repomd.xml.key'
release: '8.9'
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/extras
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
centos_8_advanced_virtualization:
repository: 'virt-advanced-virtualization'
description: 'CentOS Advanced Virtualization'
osname: 'centos'
release: '8' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=virt-advanced-virtualization' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_ceph_pacific:
repository: 'storage-ceph-pacific'
description: 'CentOS Ceph Pacific'
osname: 'centos'
release: '8' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=storage-ceph-pacific' # Assuming '8' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
centos_8_rabbitmq_38:
repository: 'messaging-rabbitmq-38'
description: 'CentOS RabbitMQ 38'
osname: 'centos'
release: '8-stream' # Specified based on the repository name
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=messaging-rabbitmq-38' # Assuming '8' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
centos_8_nfv_openvswitch:
repository: 'nfv-openvswitch-2'
description: 'CentOS NFV OpenvSwitch'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=nfv-openvswitch-2' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
centos_8_openstack_xena:
repository: 'cloud-openstack-xena'
description: 'CentOS OpenStack Xena'
osname: 'centos'
release: '8-stream' # Directly taken from the provided mirrorlist
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=cloud-openstack-xena' # Assuming 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
centos_8_opstools:
repository: 'opstools-collectd-5'
description: 'CentOS OpsTools - collectd'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?arch=x86_64&release=8-stream&repo=opstools-collectd-5' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
centos_8_ovirt45:
repository: 'virt-ovirt-45'
description: 'CentOS oVirt 4.5'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=virt-ovirt-45' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_stream_gluster10:
repository: 'storage-gluster-10'
description: 'CentOS oVirt 4.5 - Glusterfs 10'
osname: 'centos'
release: '8-stream' # Assumed static value for demonstration
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=storage-gluster-10' # Assuming 'stream' and 'x86_64'
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
epel_8_everything:
repository: 'Everything'
description: 'EPEL 8 Everything'
osname: 'epel'
release: '8'
mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
mariadb_11_2_el8:
repository: 'el8'
description: 'MariaDB 11.2'
@@ -171,27 +120,6 @@ profiles::reposync::repos_list:
release: 'el'
baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
puppet7_el9:
repository: '9'
description: 'Puppet 7 EL9'
osname: 'puppet7'
release: 'el'
baseurl: 'https://yum.puppet.com/puppet7/el/9/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
puppet8_el8:
repository: '8'
description: 'Puppet 8 EL8'
osname: 'puppet8'
release: 'el'
baseurl: 'https://yum.puppet.com/puppet8/el/8/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
puppet8_el9:
repository: '9'
description: 'Puppet 8 EL9'
osname: 'puppet8'
release: 'el'
baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/'
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
postgresql_rhel8_common:
repository: 'common'
description: 'PostgreSQL Common RHEL 8'
@@ -199,13 +127,6 @@ profiles::reposync::repos_list:
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_common:
repository: 'common'
description: 'PostgreSQL Common RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel8_16:
repository: '16'
description: 'PostgreSQL 16 RHEL 8'
@@ -213,38 +134,3 @@ profiles::reposync::repos_list:
release: 'rhel8'
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
postgresql_rhel9_16:
repository: '16'
description: 'PostgreSQL 16 RHEL 9'
osname: 'postgresql'
release: 'rhel9'
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
zfs_dkms_rhel8:
repository: 'dkms'
description: 'ZFS DKMS RHEL 8'
osname: 'zfs'
release: 'rhel8'
baseurl: 'http://download.zfsonlinux.org/epel/8/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
zfs_kmod_rhel8:
repository: 'kmod'
description: 'ZFS KMOD RHEL 8'
osname: 'zfs'
release: 'rhel8'
baseurl: 'http://download.zfsonlinux.org/epel/8/kmod/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
zfs_dkms_rhel9:
repository: 'dkms'
description: 'ZFS DKMS RHEL 9'
osname: 'zfs'
release: 'rhel9'
baseurl: 'http://download.zfsonlinux.org/epel/9/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
zfs_kmod_rhel9:
repository: 'kmod'
description: 'ZFS KMOD RHEL 9'
osname: 'zfs'
release: 'rhel9'
baseurl: 'http://download.zfsonlinux.org/epel/9/kmod/x86_64/'
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
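Review bot: The AlmaLinux 9.5 entries, which appear to be the new side of this section, fetch the repository signing key over plain http (`gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'`), so the key that later verifies every synced package can itself be swapped in transit before it is ever trusted. The mirrorlist URLs right next to them are already https; the key URL should be fetched over TLS as well, e.g. `gpgkey: 'https://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'` if that mirror serves it, otherwise from the upstream AlmaLinux https host. The markers in this section are lost, so I cannot tell for the remaining mixed lines which side each belongs to; the same check is worth applying to any other surviving `http://` gpgkey in the new file.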
@@ -1,4 +1,13 @@
---
hiera_include:
- firewall::rules::in::consul
- firewall::rules::in::dns
- firewall::rules::in::http
- firewall::rules::in::https
- firewall::rules::in::sshd
firewall::rules::in::consul::is_server: true
profiles::consul::server::members_lookup: true
profiles::consul::server::data_dir: /data/consul
profiles::consul::server::addresses:
+6
@@ -1,4 +1,10 @@
---
hiera_include:
- firewall::rules::in::sshd
- firewall::rules::in::vault
firewall::rules::in::ssh::ipset: jumphost
profiles::vault::server::members_role: roles::infra::storage::vault
profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault
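Review bot: The key `firewall::rules::in::ssh::ipset: jumphost` does not match the class this commit declares, `firewall::rules::in::sshd`, so automatic parameter lookup never binds it and `$ipset` keeps its `undef` default on the vault servers. Since sshd then tests `$ipset != ''`, which is true for undef in Puppet 4+, the rendered rule is `tcp dport 22 ip saddr @ accept` (an empty set name) rather than the jumphost-restricted one this data intends. Rename the key to `firewall::rules::in::sshd::ipset: jumphost`.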
-110
@@ -1,110 +0,0 @@
# manage etcd
class etcd (
Boolean $manage_user = true,
Boolean $manage_group = true,
Boolean $manage_package = true,
Boolean $manage_service = true,
String[1] $package_name = 'etcd',
String[1] $user = 'etcd',
String[1] $group = 'etcd',
Stdlib::Absolutepath $config_path = '/etc/etcd',
Stdlib::Absolutepath $config_file = "${config_path}/etcd.yaml",
Hash $config = { 'data-dir' => '/var/lib/etcd' },
Integer $max_open_files = 40000,
) {
if downcase($facts['kernel']) != 'linux' {
fail("Module etcd only supports Linux, not ${facts['kernel']}")
}
if $facts['service_provider'] != 'systemd' {
fail('Module etcd only supported on systems using systemd')
}
if ! $config['data-dir'] {
fail('Module etcd requires data-dir be specified in config Hash')
}
if $manage_package {
package { $package_name:
ensure => installed,
}
}
if $manage_user {
user { 'etcd':
ensure => 'present',
name => $user,
forcelocal => true,
shell => '/bin/false',
gid => $group,
home => $config['data-dir'],
managehome => false,
system => true,
before => Systemd::Unit_file['etcd.service'],
}
}
if $manage_group {
group { 'etcd':
ensure => 'present',
name => $group,
forcelocal => true,
system => true,
before => Systemd::Unit_file['etcd.service'],
}
}
mkdir::p { $config_path: }
mkdir::p { $config['data-dir']: }
file { $config_file:
ensure => 'file',
owner => $user,
group => $group,
mode => '0600',
content => to_yaml($config),
notify => Systemd::Unit_file['etcd.service'],
require => Mkdir::P[$config_path],
}
file { 'etcd-data-dir':
ensure => 'directory',
path => $config['data-dir'],
owner => $user,
group => $group,
mode => '0700',
notify => Systemd::Unit_file['etcd.service'],
require => Mkdir::P[$config['data-dir']],
}
file { 'etcd-data-dir-wal.tmp':
ensure => 'directory',
path => "${config['data-dir']}/wal.tmp",
owner => $user,
group => $group,
mode => '0700',
notify => Systemd::Unit_file['etcd.service'],
require => File['etcd-data-dir'],
}
if $config['wal-dir'] {
mkdir::p { $config['wal-dir']: }
file { 'etcd-wal-dir':
ensure => 'directory',
path => $config['wal-dir'],
owner => $user,
group => $group,
mode => '0700',
notify => Systemd::Unit_file['etcd.service'],
require => Mkdir::P[$config['wal-dir']],
}
}
if $manage_service {
include ::systemd
systemd::unit_file { 'etcd.service':
content => template('etcd/etcd.service.erb'),
enable => true,
active => true,
require => Package[$package_name],
}
}
}
-17
@@ -1,17 +0,0 @@
# DO NOT EDIT: This file is being managed by Puppet.
[Unit]
Description=etcd key-value store
Documentation=https://github.com/etcd-io/etcd
After=network.target
[Service]
User=<%= @user %>
Group=<%= @group %>
Type=notify
ExecStart=/usr/bin/etcd --config-file <%= @config_file %>
Restart=always
RestartSec=10s
LimitNOFILE=<%= @max_open_files %>
[Install]
WantedBy=multi-user.target
+29
@@ -0,0 +1,29 @@
# manage the firewall
class firewall (
Boolean $enable = false,
Hash $ipset_queries = {},
){
if $enable {
$ipset_queries.each |$ipset, $query| {
$ips = sort(query_nodes($query, 'networking.ip'))
nftables::set{$ipset:
type => 'ipv4_addr',
flags => ['dynamic'],
elements => $ips,
}
}
class {'nftables':
in_ssh => false,
in_icmp => true,
out_ntp => false,
out_dns => false,
out_http => false,
out_https => false,
out_icmp => true,
out_all => false,
}
}
}
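Review bot: The header `# manage the firewall` leaves out the two things a maintainer most needs to know about this class: where the set members come from, and what the `$enable` flag does not do. Each `$ipset_queries` entry becomes an `nftables::set` whose elements are the `networking.ip` facts of the nodes matching a PuppetDB query, and those facts are reported by the agents themselves, so the query should be pinned to trusted attributes (certname, environment) rather than facts alone where the data allows. When `$enable` is false the class declares nothing, so presumably a ruleset the `nftables` class applied on an earlier run stays in place rather than being removed — confirm against the nftables module and say so. Suggested comment above the class: `# Builds one nftables set per $ipset_queries entry from the networking.ip facts of the matching PuppetDB nodes (agent-reported values), then declares nftables with only ICMP open. $enable = false declares nothing and does not tear down a previously applied ruleset.`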
@@ -0,0 +1,13 @@
class firewall::rules::in::cobbler (
Array[Stdlib::Port] $ports = [25150,25151],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
) {
$ports.each |$port| {
$protocols.each |$proto| {
nftables::rule { "default_in-cobbler_${proto}_${port}":
content => "${proto} dport ${port} accept",
}
}
}
}
@@ -0,0 +1,39 @@
class firewall::rules::in::consul (
Boolean $is_server = false,
) {
# serf traffic (lan and wan)
nftables::rule { 'default_in-consul_udp_8301':
content => 'udp dport 8301 accept',
}
nftables::rule { 'default_in-consul_tcp_8301':
content => 'tcp dport 8301 accept',
}
nftables::rule { 'default_in-consul_udp_8302':
content => 'udp dport 8302 accept',
}
nftables::rule { 'default_in-consul_tcp_8302':
content => 'tcp dport 8302 accept',
}
if $is_server {
# dns interface
nftables::rule { 'default_in-consul_udp_8600':
content => 'udp dport 8600 accept',
}
nftables::rule { 'default_in-consul_tcp_8600':
content => 'tcp dport 8600 accept',
}
# communication with servers
nftables::rule { 'default_in-consul_tcp_8300':
content => 'tcp dport 8300 accept',
}
nftables::rule { 'default_in-consul_tcp_8500':
content => 'tcp dport 8500 accept',
}
nftables::rule { 'default_in-consul_tcp_8503':
content => 'tcp dport 8503 accept',
}
}
}
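Review bot: The server-side rules under `if $is_server` accept 8300, 8500 and 8503 from any source, whereas the matching `firewall::rules::out::consul` in this commit restricts the same ports with `ip daddr @${ipset}`; this class has no `$ipset` parameter at all, so the inbound side cannot be narrowed the way the outbound side is. Consider adding `Optional[String[1]] $ipset = undef` and, when it is set, rendering those three rules as `tcp dport 8500 ip saddr @${ipset} accept`, the pattern `firewall::rules::in::exporters` already uses. The comment `# communication with servers` is also misleading where it sits, since these are the ports a server accepts from clients and peers; `# server-only ports: rpc (8300), http api (8500), grpc (8503)` reads correctly.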
@@ -0,0 +1,5 @@
class firewall::rules::in::dhcp {
nftables::rule { 'default_in-dhcp':
content => 'udp sport {67, 68} udp dport {67, 68} accept';
}
}
@@ -0,0 +1,19 @@
class firewall::rules::in::dns (
Array[Stdlib::Port] $ports = [53],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
Optional[String] $ipset = undef,
) {
$ports.each |$port| {
$protocols.each |$proto| {
if $ipset != '' {
$rule = "${proto} dport ${port} ip saddr @${ipset} accept"
}else{
$rule = "${proto} dport ${port} accept"
}
nftables::rule { "default_in-dns_${proto}_${port}":
content => $rule,
}
}
}
}
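Review bot: `if $ipset != ''` is true when `$ipset` is its default `undef` (undef does not equal the empty string in Puppet 4+), so the unrestricted default path is never taken and the rule content becomes `udp dport 53 ip saddr @ accept` with an empty set name; the identical check appears in `firewall::rules::in::sshd`. Declare the parameter as `Optional[String[1]] $ipset = undef` and test `if $ipset {`, which rejects both undef and `''` and makes the intent plain. Puppet style: `}else{` should be `} else {`.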
@@ -0,0 +1,13 @@
# 9100: node_exporter
# 9558: sysstemd_exporter
class firewall::rules::in::exporters (
Array[Stdlib::Port] $ports = [9100,9558],
String $ipset = 'prometheus',
) {
$ports.each |$port| {
nftables::rule { "default_in-metrics_exporter_tcp_${port}":
content => "tcp dport ${port} ip saddr @${ipset} accept",
}
}
}
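Review bot: `String $ipset = 'prometheus'` still admits an empty string, which renders `ip saddr @ accept` with no set name at all; `String[1] $ipset = 'prometheus'` rejects that at catalog compile time instead of at nft load. The same tightening applies to the `$ipset` parameters of `firewall::rules::out::consul`, `out::dns`, `out::mysql`, `out::ntp`, `out::postgres`, `out::puppet` and `out::vault`. The header comment also misspells the exporter name; `# 9558: systemd_exporter` is the intended line.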
@@ -0,0 +1,10 @@
class firewall::rules::in::http (
Array[Stdlib::Port] $ports = [80],
) {
$ports.each |$port| {
nftables::rule { "default_in-http_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::https (
Array[Stdlib::Port] $ports = [443],
) {
$ports.each |$port| {
nftables::rule { "default_in-https_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::mysql (
Array[Stdlib::Port] $ports = [3306],
) {
$ports.each |$port| {
nftables::rule { "default_in-mysql_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::ntp (
Array[Stdlib::Port] $ports = [123],
) {
$ports.each |$port| {
nftables::rule { "default_in-ntp_${port}":
content => "udp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::postgres (
Array[Stdlib::Port] $ports = [5432],
) {
$ports.each |$port| {
nftables::rule { "default_in-postgres_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::puppetdbapi (
Array[Stdlib::Port] $ports = [8080,8081],
) {
$ports.each |$port| {
nftables::rule { "default_in-puppetdbapi_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,16 @@
class firewall::rules::in::sshd (
Array[Stdlib::Port] $ports = [22],
Optional[String] $ipset = undef,
) {
$ports.each |$port| {
if $ipset != '' {
$rule = "tcp dport ${port} ip saddr @${ipset} accept"
}else{
$rule = "tcp dport ${port} accept"
}
nftables::rule { "default_in-sshd_tcp_${port}":
content => $rule,
}
}
}
@@ -0,0 +1,13 @@
class firewall::rules::in::tftp (
Array[Stdlib::Port] $ports = [69],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
) {
$ports.each |$port| {
$protocols.each |$proto| {
nftables::rule { "default_in-tftp_${proto}_${port}":
content => "${proto} dport ${port} accept",
}
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::vault (
Array[Stdlib::Port] $ports = [8200, 8201],
) {
$ports.each |$port| {
nftables::rule { "default_in-vaultserver_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,8 @@
class firewall::rules::out::ceph_client (
Array[Stdlib::Port,1] $ports = [3300, 6789],
) {
nftables::rule {
'default_out-ceph_client':
content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
}
}
@@ -0,0 +1,29 @@
class firewall::rules::out::consul (
String $ipset = 'consul',
) {
# serf traffic (lan and wan)
nftables::rule { 'default_out-consul_udp_8301':
content => 'udp dport 8301 accept',
}
nftables::rule { 'default_out-consul_tcp_8301':
content => 'tcp dport 8301 accept',
}
nftables::rule { 'default_out-consul_udp_8302':
content => 'udp dport 8302 accept',
}
nftables::rule { 'default_out-consul_tcp_8302':
content => 'tcp dport 8302 accept',
}
# communication with servers
nftables::rule { 'default_out-consul_tcp_8300':
content => "tcp dport 8300 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-consul_tcp_8500':
content => "tcp dport 8500 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-consul_tcp_8503':
content => "tcp dport 8503 ip daddr @${ipset} accept",
}
}
@@ -0,0 +1,5 @@
class firewall::rules::out::dhcp {
nftables::rule { 'default_out-dhcpc':
content => 'udp sport {67, 68} udp dport {67, 68} accept';
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::dns (
String $ipset = 'dns_resolver',
) {
nftables::rule { 'default_out-dns_udp_53':
content => "udp dport 53 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-dns_tcp_53':
content => "tcp dport 53 ip daddr @${ipset} accept",
}
}
@@ -0,0 +1,10 @@
class firewall::rules::out::http (
Array[Stdlib::Port] $ports = [80],
) {
$ports.each |$port| {
nftables::rule { "default_out-http_tcp_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::out::https (
Array[Stdlib::Port] $ports = [443],
) {
$ports.each |$port| {
nftables::rule { "default_out-https_tcp_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,7 @@
class firewall::rules::out::mysql (
String $ipset = 'sql_galera',
){
nftables::rule { 'default_out-mysql_tcp_3306':
content => "tcp dport 3306 ip daddr @${ipset} accept",
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::ntp (
String $ipset = 'ntp',
Array[Stdlib::Port] $ports = [123],
) {
$ports.each |$port| {
nftables::rule { "default_out-ntp_udp_${port}":
content => "udp dport ${port} ip daddr @${ipset} accept",
}
}
}
@@ -0,0 +1,7 @@
class firewall::rules::out::postgres (
String $ipset = 'sql_galera',
){
nftables::rule { 'default_out-postgres_tcp_5432':
content => "tcp dport 5432 ip daddr @${ipset} accept",
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::puppet (
String $ipset = 'puppetmaster',
Array[Stdlib::Port] $ports = [8140],
) {
$ports.each |$port| {
nftables::rule { "default_out-puppet_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::vault (
String $ipset = 'vault',
Array[Stdlib::Port] $ports = [8200],
) {
$ports.each |$port| {
nftables::rule { "default_out-vault_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}
-89
@@ -1,89 +0,0 @@
class frrouting (
Boolean $manage_package = true,
Boolean $manage_config = true,
Boolean $manage_service = true,
String $package_name = 'frr',
String $service_name = 'frr',
Hash $daemons = {},
Hash $ospfd_interfaces = {},
String $ospfd_router_id = $facts['networking']['ip'],
Array[String] $ospfd_redistribute = [],
Array[String] $ospfd_networks = [],
Boolean $ospfd_default_originate_always = false,
Boolean $mpls_te_enabled = false,
Optional[String] $mpls_ldp_router_id = undef,
Optional[String] $mpls_ldp_transport_addr = undef,
Array[String] $mpls_ldp_interfaces = [],
) {
$daemons_defaults = {
'bgpd' => false,
'ospfd' => true,
'ospf6d' => false,
'ldpd' => false,
'ripd' => false,
'ripngd' => false,
'isisd' => false,
'pimd' => false,
'pim6d' => false,
'nhrpd' => false,
'eigrpd' => false,
'sharpd' => false,
'pbrd' => false,
'bfdd' => false,
'fabricd' => false,
'vrrpd' => false,
'pathd' => false,
'staticd' => false,
}
$daemons_merged = merge($daemons_defaults, $daemons)
if $manage_package {
package { $package_name:
ensure => installed,
}
}
if $manage_config {
file { '/etc/frr/frr.conf':
ensure => file,
content => template('frrouting/frr.conf.erb'),
notify => Service[$service_name],
}
file { '/etc/frr/daemons':
ensure => file,
content => template('frrouting/daemons.erb'),
notify => Service[$service_name],
}
}
if $manage_service {
service { $service_name:
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
}
}
if $mpls_ldp_router_id and $mpls_ldp_transport_addr and !empty($mpls_ldp_interfaces) {
file { '/etc/modules-load.d/mpls_ldp_modules.conf':
ensure => file,
content => @(EOT/L),
# Load MPLS Kernel Modules
mpls_router
mpls_iptunnel
| EOT
}
['mpls_router', 'mpls_iptunnel'].each |$mod| {
exec { "load_${mod}":
command => "/sbin/modprobe ${mod}",
unless => "/sbin/lsmod | /bin/grep -q ^${mod}",
path => ['/sbin', '/bin', '/usr/sbin', '/usr/bin'],
}
}
}
}
-29
@@ -1,29 +0,0 @@
# THIS FILE IS MANAGED BY PUPPET
<% @daemons_merged.each do |daemon, status| -%>
<% if status -%>
<%= daemon %>=yes
<% else -%>
<%= daemon %>=no
<% end -%>
<% end -%>
vtysh_enable=yes
zebra_options=" -A 127.0.0.1 -s 90000000"
bgpd_options=" -A 127.0.0.1"
ospfd_options=" -A 127.0.0.1"
ospf6d_options=" -A ::1"
ldpd_options=" -A 127.0.0.1"
ripd_options=" -A 127.0.0.1"
ripngd_options=" -A ::1"
isisd_options=" -A 127.0.0.1"
pimd_options=" -A 127.0.0.1"
pim6d_options=" -A ::1"
nhrpd_options=" -A 127.0.0.1"
eigrpd_options=" -A 127.0.0.1"
sharpd_options=" -A 127.0.0.1"
pbrd_options=" -A 127.0.0.1"
staticd_options="-A 127.0.0.1"
bfdd_options=" -A 127.0.0.1"
fabricd_options="-A 127.0.0.1"
vrrpd_options=" -A 127.0.0.1"
pathd_options=" -A 127.0.0.1"
-48
@@ -1,48 +0,0 @@
# THIS FILE IS MANAGED BY PUPPET
frr defaults traditional
hostname <%= @hostname %>
no ipv6 forwarding
<% @ospfd_interfaces.each do |iface, params| -%>
interface <%= iface %>
<% if params['area'] -%>
ip ospf area <%= params['area'] %>
<% end -%>
<% if params['passive'] == true -%>
ip ospf passive
<% end -%>
<% if @mpls_ldp_interfaces and @mpls_ldp_interfaces.include?(iface) -%>
mpls enable
<% end -%>
exit
<% end -%>
router ospf
ospf router-id <%= @ospfd_router_id %>
log-adjacency-changes detail
<% @ospfd_redistribute.each do |type| -%>
redistribute <%= type %>
<% end -%>
<% @ospfd_networks.each do |network| -%>
network <%= network %>
<% end -%>
<% if @ospfd_default_originate_always -%>
default-information originate always
<% end -%>
<% if @mpls_te_enabled -%>
capability opaque
mpls-te on
mpls-te router-address <%= @ospfd_router_id %>
mpls-te inter-as area 0.0.0.0
<% end -%>
exit
<% if @mpls_ldp_router_id and @mpls_ldp_transport_addr and @mpls_ldp_interfaces.any? -%>
mpls ldp
router-id <%= @mpls_ldp_router_id %>
address-family ipv4
discovery transport-address <%= @mpls_ldp_transport_addr %>
<% @mpls_ldp_interfaces.each do |iface| -%>
interface <%= iface %>
exit
<% end -%>
exit-address-family
exit
<% end -%>
-18
@@ -1,18 +0,0 @@
# frozen_string_literal: true
require 'yaml'
Facter.add(:incus) do
setcode do
# Check if the 'incus' executable exists
incus_path = Facter::Util::Resolution.which('incus')
next {} unless incus_path # Return an empty fact if incus isn't found
# Run the `incus info` command using the found path
incus_output = Facter::Core::Execution.execute("#{incus_path} info")
next {} if incus_output.empty? # Return an empty fact if there's no output
# Parse the output as YAML and return it
YAML.safe_load(incus_output, permitted_classes: [Symbol, Time, Date])
end
end
-57
@@ -1,57 +0,0 @@
# manage incus clusters
class incus::cluster (
Boolean $members_lookup = false,
String $members_role = undef,
String $master = undef,
Array $servers = [],
Stdlib::Fqdn $server_fqdn = $facts['networking']['fqdn'],
Stdlib::Port $server_port = 8443,
){
# check that the master is named
unless !($master == undef) {
fail("master must be provided for ${title}")
}
# if lookup is enabled
if $members_lookup {
# check that the role is also set
unless !($members_role == undef) {
fail("members_role must be provided for ${title} when members_lookup is True")
}
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
# else use provided array from params
}else{
$servers_array = $servers
}
# if its not an empty array. Give puppetdb a chance to be populated with data.
if length($servers_array) >= 3 {
# check if this is the master_node
if $master == $trusted['certname'] {
$master_bool = true
}else{
$master_bool = false
}
# find bootstrap status for servers
$bootstrap_array = puppetdb_query("inventory[certname, facts] { facts.enc_role = '${members_role}' }").map |$node| {
{
'fqdn' => $node['certname'],
'ip' => $node['facts']['networking']['ip'],
'clustered' => $node['facts']['incus']['environment']['server_clustered'],
'certificate' => $node['facts']['incus']['environment']['certificate'],
}
}
# determine if the cluster is bootstrapped
$cluster_bootstrapped = $bootstrap_array.any |$server| {
$server['fqdn'] == $master and $server['clustered'] == true
}
}
}
-77
@@ -1,77 +0,0 @@
class incus (
Array[String] $packages = [
'incus',
'incus-tools',
'incus-client'
],
Boolean $cluster = false,
Boolean $init = true,
String $bridge = 'incusbr0',
Stdlib::Port $server_port = 8443,
Stdlib::IP::Address $server_addr = $facts['networking']['ip'],
Optional[String] $storage_images_volume = undef,
) {
package { $packages:
ensure => installed,
}
service { 'incus':
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
}
file_line { 'subuid_root':
ensure => present,
path => '/etc/subuid',
line => 'root:1000000:1000000000',
match => '^root:',
notify => Service['incus'],
}
file_line { 'subgid_root':
ensure => present,
path => '/etc/subgid',
line => 'root:1000000:1000000000',
match => '^root:',
notify => Service['incus'],
}
if $init {
file {'/root/incus.preseed.yaml':
ensure => file,
owner => root,
group => root,
content => template('incus/join_preseed.yaml.erb')
}
exec { 'initiate_incus':
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized',
refreshonly => true,
creates => '/root/.incus_initialized',
subscribe => File['/root/incus.preseed.yaml'],
}
}
if $facts['incus'] and $facts['incus']['config'] {
# set core.https_address
if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
exec { 'incus_config_set_core_https_address':
path => ['/bin', '/usr/bin'],
command => "incus config set core.https_address ${server_addr}:${server_port}",
}
}
# set storage.images_volume # path to store images
if $storage_images_volume {
if $facts['incus']['config']['storage.images_volume'] != $storage_images_volume {
exec { 'incus_config_set_storage_images_volume':
path => ['/bin', '/usr/bin'],
command => "incus config set storage.images_volume ${storage_images_volume}",
}
}
}
}
}
@@ -1,18 +0,0 @@
config:
core.https_address: <%= @server_fqdn %>:<%= @server_port %>
networks: []
storage_pools: []
storage_volumes: []
profiles:
- config: {}
description: ""
devices:
eth0:
name: eth0
nictype: bridged
parent: <%= @bridge %>
type: nic
name: default
project: default
projects: []
cluster: null
@@ -1,74 +0,0 @@
# frozen_string_literal: true
require 'facter'
require 'yaml'
require 'net/http'
require 'uri'
require 'fileutils'
# CobblerENC module: Fetches ENC data from Cobbler, caches it, and provides structured facts.
module CobblerENC
CACHE_FILE = '/var/cache/puppet_enc.yaml'
CACHE_TTL = 7 * 24 * 60 * 60 # 7 days in seconds
@enc_data = nil # In-memory cache for the ENC response
def self.read_cache
return {} unless File.exist?(CACHE_FILE)
cache_data = YAML.safe_load(File.read(CACHE_FILE)) || {}
timestamp = cache_data.fetch('timestamp', 0)
return cache_data if Time.now.to_i - timestamp < CACHE_TTL
{}
end
def self.write_cache(enc_data)
FileUtils.mkdir_p(File.dirname(CACHE_FILE))
cache_data = enc_data.merge({ 'timestamp' => Time.now.to_i })
File.write(CACHE_FILE, cache_data.to_yaml)
end
def self.fetch_from_cobbler
uri = URI("http://cobbler.main.unkin.net/cblr/svc/op/puppet/hostname/#{Facter.value(:fqdn) || Facter.value(:hostname)}")
response = Net::HTTP.get_response(uri)
raise "Failed to fetch ENC data. HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
YAML.safe_load(response.body) || {}
end
def self.retrieve_enc_data
return @enc_data if @enc_data
@enc_data = fetch_from_cobbler
write_cache(@enc_data)
@enc_data
end
def self.fetch_enc_data
retrieve_enc_data
rescue StandardError => e
Facter.warn("Error retrieving Cobbler ENC data: #{e.message}")
@enc_data = read_cache
return @enc_data unless @enc_data.empty?
raise 'No cached ENC data available and Cobbler is down.'
end
def self.enc_role
fetch_enc_data.fetch('classes', {}).keys.first || raise('ENC Role not found in Cobbler ENC response')
end
def self.enc_env
fetch_enc_data.fetch('environment', nil) || raise('ENC Environment not found in Cobbler ENC response')
end
end
Facter.add('enc_role') do
setcode { CobblerENC.enc_role }
end
Facter.add('enc_env') do
setcode { CobblerENC.enc_env }
end
+13
@@ -0,0 +1,13 @@
# frozen_string_literal: true
Facter.add('enc_env') do
setcode do
require 'yaml'
# Check if the YAML file exists
if File.exist?('/root/.cache/custom_facts.yaml')
data = YAML.load_file('/root/.cache/custom_facts.yaml')
# Use safe navigation to return 'enc_env' or nil
data&.dig('enc_env')
end
end
end
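Review bot: `YAML.load_file` on the `data =` line is an unsafe full load on Psych releases before 4 (the Psych bundled with Ruby before 3.1), and `data&.dig('enc_env')` raises NoMethodError when the file parses to anything but a Hash (a scalar or a list), so a malformed cache file makes the fact error out rather than resolve to nil. Pinning the safe loader and guarding the type covers both: `data = YAML.safe_load_file('/root/.cache/custom_facts.yaml')` followed by `data['enc_env'] if data.is_a?(Hash)`. The `require 'yaml'` inside `setcode` reads better at the top of the file next to the magic comment. The enc_role fact in the next section has the same shape and the same two issues; the fix applies there unchanged.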
+13
@@ -0,0 +1,13 @@
# frozen_string_literal: true
Facter.add('enc_role') do
setcode do
require 'yaml'
# Check if the YAML file exists
if File.exist?('/root/.cache/custom_facts.yaml')
data = YAML.load_file('/root/.cache/custom_facts.yaml')
# Use safe navigation to return 'enc_role' or nil
data&.dig('enc_role')
end
end
end
+1 -12
@@ -10,18 +10,7 @@ class SubnetAttributes
'198.18.15.0/24' => { environment: 'prod', region: 'syd1', country: 'au' },
'198.18.16.0/24' => { environment: 'test', region: 'syd1', country: 'au' },
'198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' },
'198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' },
'198.18.19.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # loopbacks
'198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # MPLS CORE BLOCKS
'198.18.21.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # physical network 2.5gbe
'198.18.22.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph cluster
'198.18.23.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph public
'198.18.24.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # dmz 1
'198.18.25.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0009
'198.18.26.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0010
'198.18.27.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0011
'198.18.28.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0012
'198.18.29.0/24' => { environment: 'prod', region: 'syd1', country: 'au' } # common node0013
'198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' }
}.freeze
# Default attributes if no subnet matches, also defined as a constant
-22
@@ -1,22 +0,0 @@
# manage bridges and bridge slaves
define networking::bridge (
String $type,
Optional[Stdlib::IP::Address] $ipaddress,
Optional[Stdlib::IP::Address] $netmask = undef,
Optional[Stdlib::IP::Address] $gateway = undef,
Optional[Boolean] $nocarrier = undef,
Boolean $bridge = true,
Integer[100-9200] $mtu = 1500,
Optional[Boolean] $forwarding = false,
) {
include systemd
systemd::network { "${title}.netdev":
content => template('networking/bridge.netdev.erb'),
}
# Use shared template, it will detect bridge=true and skip Address/DNS/etc
systemd::network { "${title}.network":
content => template('networking/networkd-network.erb'),
}
}
-18
@@ -1,18 +0,0 @@
# manage dummy/loopback interfaces
define networking::dummy (
String $type,
Stdlib::IP::Address $ipaddress,
Stdlib::IP::Address $netmask,
Integer[100-9200] $mtu = 1500,
Optional[Boolean] $forwarding = false,
) {
include systemd
systemd::network { "${title}.netdev":
content => template('networking/dummy.netdev.erb'),
}
systemd::network { "${title}.network":
content => template('networking/networkd-network.erb'),
}
}
+17 -50
@@ -4,67 +4,34 @@ class networking (
Hash $interface_defaults = {},
Hash $routes = {},
Hash $route_defaults = {},
Boolean $use_networkd = lookup('systemd::manage_networkd', undef, undef, false),
){
include network
include networking::params
if $use_networkd {
include systemd
service { 'NetworkManager':
ensure => 'stopped',
enable => false,
# manage interfaces
$interfaces.each | $interface, $data | {
$merged_data = merge($interface_defaults, $data)
network_config { $interface:
* => $merged_data,
notify => Exec['networking_reload_network'],
}
}
$interfaces.each |String $iface, Hash $data| {
$type = $data['type']
#$params = $data.filter |$key, $value| { $key != 'type' }
case $type {
'bridge': { networking::bridge { $iface: * => $data } }
'dummy': { networking::dummy { $iface: * => $data } }
'static': { networking::static { $iface: * => $data } }
'physical': { networking::static { $iface: * => $data } }
default: {
fail("Unsupported interface type '${type}' for interface '${iface}'")
}
}
}
}else{
# manage interfaces
$interfaces.each | $interface, $data | {
$merged_data = merge($interface_defaults, $data)
network_config { $interface:
* => $merged_data,
notify => Exec['networking_reload_network'],
}
}
# manage routes
$routes.each | $route, $data | {
$merged_data = merge($route_defaults, $data)
network_route { $route:
* => $merged_data,
notify => Exec['networking_reload_network'],
}
# manage routes
$routes.each | $route, $data | {
$merged_data = merge($route_defaults, $data)
network_route { $route:
* => $merged_data,
notify => Exec['networking_reload_network'],
}
}
# determine which networking service to restart
$restart_command = $use_networkd ? {
true => '/usr/bin/systemctl restart systemd-networkd',
default => $facts['os']['family'] ? {
'RedHat' => $facts['os']['release']['major'] ? {
'8' => '/usr/bin/systemctl restart network',
'9' => '/usr/bin/systemctl restart NetworkManager',
default => fail('Unsupported RedHat OS release for networking restart'),
},
'Debian' => '/usr/bin/systemctl restart networking',
default => fail('Unsupported OS in networking-restart-command'),
}
$restart_command = $facts['os']['family'] ? {
'RedHat' => '/usr/bin/systemctl restart network',
'Debian' => '/usr/bin/systemctl restart networking',
default => fail('Unsupported OS in networking-restart-command'),
}
# restart network/networking only if $restart_networking boolean is true
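Review bot: The `'RedHat'` arm of `$restart_command` hard-codes `/usr/bin/systemctl restart network`, the legacy network-scripts unit, with no selection on the OS release, so on a RedHat-family host that ships only NetworkManager the reload exec presumably fails on every refresh and the interface change never takes effect. The removed side selected the unit by `$facts['os']['release']['major']`; keeping that selector for the RedHat arm alone preserves the rest of the simplification. The class `networking` opens before this hunk and the exec that consumes `$restart_command` sits after it, so I could not confirm how the failure surfaces. Suggested arm below.
```puppet
  $restart_command = $facts['os']['family'] ? {
    'RedHat' => $facts['os']['release']['major'] ? {
      '8'     => '/usr/bin/systemctl restart network',
      default => '/usr/bin/systemctl restart NetworkManager',
    },
    'Debian' => '/usr/bin/systemctl restart networking',
    default  => fail('Unsupported OS in networking-restart-command'),
  }
```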
-27
@@ -1,27 +0,0 @@
# manage static interfaces
define networking::static (
String $type,
Stdlib::IP::Address $netmask = '255.255.255.0',
Integer[100-9200] $mtu = 1500,
Boolean $dhcp = false,
Optional[Boolean] $forwarding = false,
Optional[Stdlib::IP::Address] $ipaddress = undef,
Optional[Stdlib::IP::Address] $gateway = undef,
Optional[Array[Stdlib::IP::Address]] $dns = undef,
Optional[Array[Stdlib::Fqdn]] $domains = undef,
Optional[Integer[0-4096]] $vlan = undef,
Optional[Variant[Boolean,String]] $bridge = undef,
Optional[Integer[0-4294967294]] $txqueuelen = undef,
Optional[Stdlib::MAC] $mac = undef,
) {
include systemd
systemd::network { "${title}.network":
content => template('networking/networkd-network.erb'),
}
#if $type == 'physical' and $mac {
# systemd::network { "${title}.link":
# content => template('networking/networkd-link.erb'),
# }
#}
}
@@ -1,3 +0,0 @@
[NetDev]
Name=<%= @title %>
Kind=bridge
@@ -1,3 +0,0 @@
[NetDev]
Name=<%= @title %>
Kind=dummy
@@ -1,8 +0,0 @@
[Match]
MACAddress=<%= @mac %>
[Link]
MTUBytes=<%= @mtu %>
<% if @txqueuelen and @txqueuelen >= 1 -%>
TransmitQueueLength=<%= @txqueuelen %>
<% end -%>
@@ -1,41 +0,0 @@
[Match]
Name=<%= @title %>
[Network]
<% if @dhcp == true -%>
DHCP=yes
<% else -%>
<% if @ipaddress && @netmask -%>
Address=<%= @ipaddress %>/<%= IPAddr.new(@netmask).to_i.to_s(2).count('1') %>
<% end -%>
<% if @gateway -%>
Gateway=<%= @gateway %>
<% end -%>
<% if @dns -%>
DNS=<%= Array(@dns).join(' ') %>
<% end -%>
<% if @domains -%>
Domains=<%= Array(@domains).join(' ') %>
<% end -%>
<% end -%>
<% if @bridge and @bridge != true -%>
Bridge=<%= @bridge %>
<% end -%>
<% if @vlan -%>
VLAN=<%= @vlan %>
<% end -%>
<% if @nocarrier and @nocarrier == true -%>
ConfigureWithoutCarrier=true
DuplicateAddressDetection=none
RequiredForOnline=no-carrier
<% end -%>
<% if @type == 'dummy' -%>
LinkLocalAddressing=no
ActivationPolicy=always-up
<% end -%>
<% if @forwarding and @forwarding == true -%>
IPForward=true
<% end -%>
[Link]
MTUBytes=<%= @mtu %>
@@ -1,14 +0,0 @@
# frozen_string_literal: true
Facter.add('zfs_zpool_cache_present') do
confine kernel: 'Linux'
setcode do
File.exist?('/etc/zfs/zpool.cache')
end
end
Facter.add('zfs_zpool_cache_present') do
setcode do
false
end
end
