Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 90ce015d43 | |||
| b9465cd78b | |||
| ce12303576 |
@@ -3,8 +3,3 @@
|
||||
detectors:
|
||||
FeatureEnvy:
|
||||
enabled: false
|
||||
TooManyStatements:
|
||||
enabled: false
|
||||
UncommunicativeVariableName:
|
||||
accept:
|
||||
- e
|
||||
|
||||
+38
-41
@@ -2,54 +2,53 @@ forge 'forge.puppetlabs.com'
|
||||
moduledir 'external_modules'
|
||||
|
||||
# puppetlabs
|
||||
mod 'puppetlabs-stdlib', '9.7.0'
|
||||
mod 'puppetlabs-inifile', '6.2.0'
|
||||
mod 'puppetlabs-concat', '9.1.0'
|
||||
mod 'puppetlabs-vcsrepo', '7.0.0'
|
||||
mod 'puppetlabs-yumrepo_core', '2.1.0'
|
||||
mod 'puppetlabs-apt', '10.0.1'
|
||||
mod 'puppetlabs-lvm', '3.0.1'
|
||||
mod 'puppetlabs-puppetdb', '7.14.0'
|
||||
mod 'puppetlabs-postgresql', '9.2.0'
|
||||
mod 'puppetlabs-firewall', '8.1.4'
|
||||
mod 'puppetlabs-accounts', '8.2.2'
|
||||
mod 'puppetlabs-mysql', '16.2.0'
|
||||
mod 'puppetlabs-stdlib', '9.1.0'
|
||||
mod 'puppetlabs-inifile', '6.0.0'
|
||||
mod 'puppetlabs-concat', '9.0.0'
|
||||
mod 'puppetlabs-vcsrepo', '6.1.0'
|
||||
mod 'puppetlabs-yumrepo_core', '2.0.0'
|
||||
mod 'puppetlabs-apt', '9.4.0'
|
||||
mod 'puppetlabs-lvm', '2.1.0'
|
||||
mod 'puppetlabs-puppetdb', '7.13.0'
|
||||
mod 'puppetlabs-postgresql', '9.1.0'
|
||||
mod 'puppetlabs-accounts', '8.1.0'
|
||||
mod 'puppetlabs-mysql', '15.0.0'
|
||||
mod 'puppetlabs-xinetd', '3.4.1'
|
||||
mod 'puppetlabs-haproxy', '8.2.0'
|
||||
mod 'puppetlabs-java', '11.1.0'
|
||||
mod 'puppetlabs-reboot', '5.1.0'
|
||||
mod 'puppetlabs-docker', '10.2.0'
|
||||
mod 'puppetlabs-haproxy', '8.0.0'
|
||||
mod 'puppetlabs-java', '10.1.2'
|
||||
mod 'puppetlabs-reboot', '5.0.0'
|
||||
mod 'puppetlabs-docker', '10.0.1'
|
||||
|
||||
# puppet
|
||||
mod 'puppet-python', '7.4.0'
|
||||
mod 'puppet-systemd', '8.1.0'
|
||||
mod 'puppet-yum', '7.2.0'
|
||||
mod 'puppet-archive', '7.1.0'
|
||||
mod 'puppet-chrony', '3.0.0'
|
||||
mod 'puppet-puppetboard', '11.0.0'
|
||||
mod 'puppet-nginx', '6.0.1'
|
||||
mod 'puppet-selinux', '5.0.0'
|
||||
mod 'puppet-prometheus', '16.0.0'
|
||||
mod 'puppet-grafana', '14.1.0'
|
||||
mod 'puppet-consul', '9.1.0'
|
||||
mod 'puppet-vault', '4.1.1'
|
||||
mod 'puppet-python', '7.0.0'
|
||||
mod 'puppet-systemd', '5.1.0'
|
||||
mod 'puppet-yum', '7.0.0'
|
||||
mod 'puppet-archive', '7.0.0'
|
||||
mod 'puppet-chrony', '2.6.0'
|
||||
mod 'puppet-puppetboard', '9.0.0'
|
||||
mod 'puppet-nginx', '5.0.0'
|
||||
mod 'puppet-selinux', '4.1.0'
|
||||
mod 'puppet-prometheus', '13.4.0'
|
||||
mod 'puppet-grafana', '13.1.0'
|
||||
mod 'puppet-consul', '8.0.0'
|
||||
mod 'puppet-vault', '4.1.0'
|
||||
mod 'puppet-dhcp', '6.1.0'
|
||||
mod 'puppet-keepalived', '5.1.0'
|
||||
mod 'puppet-extlib', '7.5.1'
|
||||
mod 'puppet-network', '2.2.1'
|
||||
mod 'puppet-kmod', '4.1.0'
|
||||
mod 'puppet-extlib', '7.0.0'
|
||||
mod 'puppet-network', '2.2.0'
|
||||
mod 'puppet-kmod', '4.0.1'
|
||||
mod 'puppet-filemapper', '4.0.0'
|
||||
mod 'puppet-letsencrypt', '11.1.0'
|
||||
mod 'puppet-rundeck', '9.2.0'
|
||||
mod 'puppet-redis', '11.1.0'
|
||||
mod 'puppet-nodejs', '11.0.0'
|
||||
mod 'puppet-letsencrypt', '11.0.0'
|
||||
mod 'puppet-rundeck', '9.1.0'
|
||||
mod 'puppet-redis', '11.0.0'
|
||||
mod 'puppet-ipset', '4.3.0'
|
||||
mod 'puppet-nftables', '4.0.0'
|
||||
|
||||
# other
|
||||
mod 'saz-sudo', '9.0.2'
|
||||
mod 'saz-ssh', '13.1.0'
|
||||
mod 'saz-limits', '5.0.0'
|
||||
mod 'ghoneycutt-timezone', '4.0.0'
|
||||
mod 'ghoneycutt-puppet', '3.3.0'
|
||||
mod 'saz-sudo', '8.0.0'
|
||||
mod 'saz-ssh', '12.1.0'
|
||||
mod 'ghoneycutt-timezone', '4.0.0'
|
||||
mod 'dalen-puppetdbquery', '3.0.1'
|
||||
mod 'markt-galera', '3.1.0'
|
||||
mod 'kogitoapp-minio', '1.1.4'
|
||||
@@ -58,8 +57,6 @@ mod 'stm-file_capability', '6.0.0'
|
||||
mod 'h0tw1r3-gitea', '3.2.0'
|
||||
mod 'rehan-mkdir', '2.0.0'
|
||||
mod 'tailoredautomation-patroni', '2.0.0'
|
||||
mod 'ssm-crypto_policies', '0.3.3'
|
||||
mod 'thias-sysctl', '1.0.8'
|
||||
|
||||
mod 'bind',
|
||||
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||
|
||||
+37
-20
@@ -135,20 +135,6 @@ lookup_options:
|
||||
keepalived::vrrp_instance:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::etcd::node::initial_cluster_token:
|
||||
convert_to: Sensitive
|
||||
sysctl::base::values:
|
||||
merge:
|
||||
strategy: deep
|
||||
limits::entries:
|
||||
merge:
|
||||
strategy: deep
|
||||
zfs::zpools:
|
||||
merge:
|
||||
strategy: deep
|
||||
zfs::datasets:
|
||||
merge:
|
||||
strategy: deep
|
||||
|
||||
facts_path: '/opt/puppetlabs/facter/facts.d'
|
||||
|
||||
@@ -157,8 +143,15 @@ hiera_include:
|
||||
- networking
|
||||
- ssh::server
|
||||
- profiles::accounts::rundeck
|
||||
- limits
|
||||
- sysctl::base
|
||||
- firewall::rules::in::exporters
|
||||
- firewall::rules::in::consul
|
||||
- firewall::rules::out::consul
|
||||
- firewall::rules::out::dns
|
||||
- firewall::rules::out::http
|
||||
- firewall::rules::out::https
|
||||
- firewall::rules::out::ntp
|
||||
- firewall::rules::out::puppet
|
||||
- firewall::rules::out::vault
|
||||
|
||||
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
||||
profiles::ntp::client::use_ntp: 'region'
|
||||
@@ -171,10 +164,6 @@ profiles::ntp::client::peers:
|
||||
profiles::base::puppet_servers:
|
||||
- 'prodinf01n01.main.unkin.net'
|
||||
|
||||
consul::install_method: 'package'
|
||||
consul::manage_repo: false
|
||||
consul::bin_dir: /usr/bin
|
||||
|
||||
profiles::dns::master::basedir: '/var/named/sources'
|
||||
profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
|
||||
profiles::dns::base::use_ns: 'region'
|
||||
@@ -361,3 +350,31 @@ profiles::ceph::client::mons:
|
||||
# aliases:
|
||||
# - prodinf01n22
|
||||
# - repos.main.unkin.net
|
||||
|
||||
firewall::enable: true
|
||||
firewall::ipset_queries:
|
||||
certbot: "enc_role=roles::infra::pki::certbot"
|
||||
cobbler: "enc_role=roles::infra::cobbler::server"
|
||||
consul: "enc_role=roles::infra::storage::consul"
|
||||
dhcp: "enc_role=roles::infra::dhcp::server"
|
||||
dns_master: "enc_role=roles::infra::dns::master"
|
||||
dns_resolver: "enc_role=roles::infra::dns::resolver"
|
||||
edgecache: "enc_role=roles::infra::storage::edgecache"
|
||||
gitea_runner: "enc_role=roles::infra::git::runner"
|
||||
gitea_server: "enc_role=roles::infra::git::gitea"
|
||||
glauth: "enc_role=roles::infra::auth::glauth"
|
||||
gonic: "enc_role=roles::apps::music::gonic"
|
||||
grafana: "enc_role=roles::infra::metrics::grafana"
|
||||
haproxy: "enc_role=roles::infra::halb::haproxy"
|
||||
jumphost: "enc_role=roles::infra::proxy::jumphost"
|
||||
ntp: "enc_role=roles::infra::ntp::server"
|
||||
prometheus: "enc_role=roles::infra::metrics::prometheus"
|
||||
puppetboard: "enc_role=roles::infra::puppetboard::server"
|
||||
puppetmaster: "enc_role=roles::infra::puppet::master"
|
||||
puppetdb_sql: "enc_role=roles::infra::puppetdb::sql"
|
||||
puppetdb_api: "enc_role=roles::infra::puppetdb::api"
|
||||
redis: "enc_role=roles::infra::db::redis"
|
||||
rundeck: "enc_role=roles::infra::automation::rundeck"
|
||||
sql_galera: "enc_role=roles::infra::sql::galera"
|
||||
sql_patroni: "enc_role=roles::infra::sql::patroni"
|
||||
vault: "enc_role=roles::infra::storage::vault"
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.70
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.71
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.72
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.73
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,15 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.74
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.74
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.64.254/24'
|
||||
@@ -1,15 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.75
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.75
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.65.254/24'
|
||||
@@ -1,15 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.76
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.76
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.66.254/24'
|
||||
@@ -1,15 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.77
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.77
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.67.254/24'
|
||||
@@ -1,15 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.78
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.78
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.68.254/24'
|
||||
@@ -1,15 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.79
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.79
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
docker::bip: '198.18.69.254/24'
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.80
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.81
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.14 # management loopback
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
mac: 00:16:3e:69:0f:3b
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.15 # management loopback
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
mac: 00:16:3e:55:46:bd
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.16 # management loopback
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
mac: 00:16:3e:6a:25:6b
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.17 # management loopback
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
mac: 00:16:3e:63:89:f2
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.18 # management loopback
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
mac: 00:16:3e:ca:e1:51
|
||||
@@ -1,18 +0,0 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.9 # management loopback
|
||||
networking_loopback1_ip: 198.18.22.9 # ceph-cluster loopback
|
||||
networking_loopback2_ip: 198.18.23.9 # ceph-public loopback
|
||||
networking_br10_ip: 198.18.25.254
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
mac: 70:b5:e8:38:e9:8d
|
||||
ipaddress: 198.18.15.9
|
||||
gateway: 198.18.15.254
|
||||
enp3s0:
|
||||
mac: 00:e0:4c:68:0f:5d
|
||||
ipaddress: 198.18.21.9
|
||||
|
||||
#zfs::zpools:
|
||||
# fastpool:
|
||||
# ensure: present
|
||||
# disk: /dev/nvme0n1
|
||||
@@ -1,13 +0,0 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.10 # management loopback
|
||||
networking_loopback1_ip: 198.18.22.10 # ceph-cluster loopback
|
||||
networking_loopback2_ip: 198.18.23.10 # ceph-public loopback
|
||||
networking_br10_ip: 198.18.26.254
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
mac: 70:b5:e8:38:e9:37
|
||||
ipaddress: 198.18.15.10
|
||||
gateway: 198.18.15.254
|
||||
enp3s0:
|
||||
mac: 00:e0:4c:68:0f:de
|
||||
ipaddress: 198.18.21.10
|
||||
@@ -1,13 +0,0 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.11 # management loopback
|
||||
networking_loopback1_ip: 198.18.22.11 # ceph-cluster loopback
|
||||
networking_loopback2_ip: 198.18.23.11 # ceph-public loopback
|
||||
networking_br10_ip: 198.18.27.254
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
mac: 70:b5:e8:38:e9:0f
|
||||
ipaddress: 198.18.15.11
|
||||
gateway: 198.18.15.254
|
||||
enp3s0:
|
||||
mac: 00:e0:4c:68:0f:55
|
||||
ipaddress: 198.18.21.11
|
||||
@@ -1,13 +0,0 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.12 # management loopback
|
||||
networking_loopback1_ip: 198.18.22.12 # ceph-cluster loopback
|
||||
networking_loopback2_ip: 198.18.23.12 # ceph-public loopback
|
||||
networking_br10_ip: 198.18.28.254
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
mac: 70:b5:e8:4f:05:1e
|
||||
ipaddress: 198.18.15.12
|
||||
gateway: 198.18.15.254
|
||||
enp3s0:
|
||||
mac: 00:e0:4c:68:0f:e5
|
||||
ipaddress: 198.18.21.12
|
||||
@@ -1,13 +0,0 @@
|
||||
---
|
||||
networking_loopback0_ip: 198.18.19.13 # management loopback
|
||||
networking_loopback1_ip: 198.18.22.13 # ceph-cluster loopback
|
||||
networking_loopback2_ip: 198.18.23.13 # ceph-public loopback
|
||||
networking_br10_ip: 198.18.29.254
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
mac: 70:b5:e8:4f:04:b0
|
||||
ipaddress: 198.18.15.13
|
||||
gateway: 198.18.15.254
|
||||
enp3s0:
|
||||
mac: 00:e0:4c:68:0f:36
|
||||
ipaddress: 198.18.21.13
|
||||
@@ -1,23 +1,2 @@
|
||||
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
|
||||
---
|
||||
crypto_policies::policy: 'DEFAULT'
|
||||
|
||||
profiles::packages::include:
|
||||
network-scripts: {}
|
||||
|
||||
profiles::yum::global::repos:
|
||||
powertools:
|
||||
name: powertools
|
||||
descr: powertools repository
|
||||
target: /etc/yum.repos.d/powertools.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
unkin:
|
||||
name: unkin
|
||||
descr: unkin repository
|
||||
target: /etc/yum.repos.d/unkin.repo
|
||||
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
|
||||
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
|
||||
gpgcheck: false
|
||||
mirrorlist: absent
|
||||
|
||||
@@ -1,36 +1,2 @@
|
||||
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
|
||||
---
|
||||
crypto_policies::policy: 'DEFAULT:SHA1'
|
||||
|
||||
profiles::yum::global::repos:
|
||||
baseos:
|
||||
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
|
||||
mirrorlist: absent
|
||||
extras:
|
||||
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
|
||||
mirrorlist: absent
|
||||
appstream:
|
||||
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
|
||||
mirrorlist: absent
|
||||
highavailability:
|
||||
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
|
||||
mirrorlist: absent
|
||||
crb:
|
||||
name: crb
|
||||
descr: crb repository
|
||||
target: /etc/yum.repos.d/crb.repo
|
||||
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
|
||||
mirrorlist: absent
|
||||
unkin:
|
||||
name: unkin
|
||||
descr: unkin repository
|
||||
target: /etc/yum.repos.d/unkin.repo
|
||||
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
|
||||
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
|
||||
gpgcheck: false
|
||||
mirrorlist: absent
|
||||
|
||||
@@ -3,13 +3,16 @@
|
||||
profiles::firewall::firewalld::ensure_package: 'absent'
|
||||
profiles::firewall::firewalld::ensure_service: 'stopped'
|
||||
profiles::firewall::firewalld::enable_service: false
|
||||
profiles::puppet::agent::puppet_version: '7.34.0'
|
||||
profiles::puppet::agent::puppet_version: '7.26.0'
|
||||
|
||||
hiera_include:
|
||||
- profiles::almalinux::base
|
||||
|
||||
profiles::packages::include:
|
||||
lzo: {}
|
||||
firewalld:
|
||||
ensure: absent
|
||||
network-scripts: {}
|
||||
policycoreutils: {}
|
||||
unar: {}
|
||||
xz: {}
|
||||
@@ -38,6 +41,13 @@ profiles::yum::global::repos:
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
powertools:
|
||||
name: powertools
|
||||
descr: powertools repository
|
||||
target: /etc/yum.repos.d/powertools.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
highavailability:
|
||||
name: highavailability
|
||||
descr: highavailability repository
|
||||
@@ -56,12 +66,12 @@ profiles::yum::global::repos:
|
||||
name: puppet
|
||||
descr: puppet repository
|
||||
target: /etc/yum.repos.d/puppet.repo
|
||||
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
|
||||
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
|
||||
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
|
||||
mirrorlist: absent
|
||||
unkinben:
|
||||
name: unkinben
|
||||
descr: unkinben repository
|
||||
unkin:
|
||||
name: unkin
|
||||
descr: unkin repository
|
||||
target: /etc/yum.repos.d/unkin.repo
|
||||
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
|
||||
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
|
||||
|
||||
@@ -13,7 +13,3 @@ profiles::packages::include:
|
||||
|
||||
lm-sensors::package: lm-sensors
|
||||
networking::nwmgr_dns_none: false
|
||||
|
||||
consul::install_method: 'url'
|
||||
consul::manage_repo: false
|
||||
consul::bin_dir: /usr/local/bin
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
profiles::jupyter::jupyterhub::ldap_bind_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJspN3e2WzA0uZaLgFZ0Ewqii9dY0tTgbirsW70M2VZtLY+s+C6HE8ZZUtpfnRsFwUUhOj7s25X9xVOZNTpZIGPyfx9MWlSyFw2RFuXSEwaydf1DcBbg8261YrTTysA4Jsa1L4DLsX55q+XJUyeUbimVQkIacVIvzTdnZCBKnVNUh3U2PNAmV7SOL2KH8Jpbfs/EQfBt8XuGMCg3I/4RDyoNERqthW6W2KiMX2Gmd8iQ5+W9udH0lEAMx415oyImmN+dEuThcx9FGMi8BWYtnxH96yWafpT5qltwW6EVzIGWuLhiD1LcWYc5RB8jc3DhbeouChpKsN6c4EHoKt3aWsTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC8jcnqilJgY1/AnHWHfX4bgDCi2a3Rj43Z0dgfB5HaHdpfked3Cx+u94r2S5+Cg3QogU1AIF04rjzOL+bD2HdaMfo=]
|
||||
@@ -1,74 +0,0 @@
|
||||
---
|
||||
profiles::packages::include:
|
||||
python3.12: {}
|
||||
python3.12-pip: {}
|
||||
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage docker
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
docker::root_dir: /data/docker
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'jupyterhub.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- jupyterhub.service.consul
|
||||
- jupyterhub.query.consul
|
||||
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
# authorised access from external
|
||||
default:
|
||||
ensure: 'present'
|
||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
||||
ssl_only: true
|
||||
location: '/'
|
||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
||||
proxy_set_header:
|
||||
- 'Host $host'
|
||||
- 'X-Real-IP $remote_addr'
|
||||
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
||||
- 'X-Forwarded-Host $host'
|
||||
- 'X-Forwarded-Proto $scheme'
|
||||
- 'Upgrade $http_upgrade'
|
||||
- 'Connection $http_connection'
|
||||
- 'X-Scheme $scheme'
|
||||
proxy_redirect: 'off'
|
||||
proxy_http_version: '1.1'
|
||||
proxy_buffering: 'off'
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- jupyterhub.service.consul
|
||||
- jupyterhub.query.consul
|
||||
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
jupyterhub:
|
||||
service_name: 'jupyterhub'
|
||||
tags:
|
||||
- 'jupyterhub'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'jupyterhub_http_check'
|
||||
name: 'jupyterhub HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: jupyterhub
|
||||
disposition: write
|
||||
@@ -63,8 +63,6 @@ glauth::users:
|
||||
- 20018
|
||||
- 20023
|
||||
- 20024
|
||||
- 20025 # jupyterhub_admin
|
||||
- 20026 # jupyterhub_user
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/benvin'
|
||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
||||
@@ -173,24 +171,6 @@ glauth::users:
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/margol'
|
||||
passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
|
||||
sudobo:
|
||||
user_name: 'sudobo'
|
||||
givenname: 'Sudaporn'
|
||||
sn: 'Obom'
|
||||
mail: 'sudobo@users.main.unkin.net'
|
||||
uidnumber: 20007
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010 # jelly
|
||||
- 20011 # sonarr
|
||||
- 20012 # radarr
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
- 20026 # jupyterhub_user
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/sudobo'
|
||||
passsha256: 'a326e049c2a615226877946220a978a0a8247c569be1adcd73539b09b14136d0'
|
||||
|
||||
glauth::services:
|
||||
svc_jellyfin:
|
||||
@@ -261,12 +241,6 @@ glauth::services:
|
||||
uidnumber: 30009
|
||||
primarygroup: 20001
|
||||
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
|
||||
svc_jupyterhub:
|
||||
service_name: 'svc_jupyterhub'
|
||||
mail: 'jupyterhub@service.main.unkin.net'
|
||||
uidnumber: 30010
|
||||
primarygroup: 20001
|
||||
passsha256: '09db1e0c2498214da35f3f2ed46a90a7b90635c207f8725e7abf76b48345a39b'
|
||||
|
||||
glauth::groups:
|
||||
users:
|
||||
@@ -320,9 +294,3 @@ glauth::groups:
|
||||
vault_admin:
|
||||
group_name: 'vault_admin'
|
||||
gidnumber: 20024
|
||||
jupyterhub_admin:
|
||||
group_name: 'jupyterhub_admin'
|
||||
gidnumber: 20025
|
||||
jupyterhub_user:
|
||||
group_name: 'jupyterhub_user'
|
||||
gidnumber: 20026
|
||||
|
||||
@@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive
|
||||
|
||||
hiera_include:
|
||||
- profiles::selinux::setenforce
|
||||
- firewall::rules::in::cobbler
|
||||
- firewall::rules::in::http
|
||||
- firewall::rules::in::https
|
||||
- firewall::rules::in::tftp
|
||||
- firewall::rules::in::sshd
|
||||
|
||||
@@ -1,4 +1,8 @@
|
||||
---
|
||||
hiera_include:
|
||||
- firewall::rules::in::dhcp
|
||||
- firewall::rules::in::sshd
|
||||
|
||||
profiles::dhcp::server::ntpservers:
|
||||
- ntp01.main.unkin.net
|
||||
- ntp02.main.unkin.net
|
||||
|
||||
@@ -10,30 +10,6 @@ profiles::dns::resolver::acls:
|
||||
- 198.18.15.0/24
|
||||
- 198.18.16.0/24
|
||||
- 198.18.17.0/24
|
||||
- 198.18.18.0/24
|
||||
- 198.18.19.0/24
|
||||
- 198.18.20.0/24
|
||||
- 198.18.21.0/24
|
||||
- 198.18.22.0/24
|
||||
- 198.18.23.0/24
|
||||
acl-dmz:
|
||||
addresses:
|
||||
- 198.18.24.0/24
|
||||
acl-common:
|
||||
addresses:
|
||||
- 198.18.25.0/24
|
||||
- 198.18.26.0/24
|
||||
- 198.18.27.0/24
|
||||
- 198.18.28.0/24
|
||||
- 198.18.29.0/24
|
||||
acl-nomad-jobs:
|
||||
addresses:
|
||||
- 198.18.64.0/24
|
||||
- 198.18.65.0/24
|
||||
- 198.18.66.0/24
|
||||
- 198.18.67.0/24
|
||||
- 198.18.68.0/24
|
||||
- 198.18.69.0/24
|
||||
|
||||
profiles::dns::resolver::zones:
|
||||
8.10.10.in-addr.arpa-forward:
|
||||
@@ -98,5 +74,3 @@ profiles::dns::resolver::views:
|
||||
- 20.10.10.in-addr.arpa-forward
|
||||
match_clients:
|
||||
- acl-main.unkin.net
|
||||
- acl-nomad-jobs
|
||||
- acl-common
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
---
|
||||
profiles::etcd::node::initial_cluster_token: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhLyXszXUU6Dkiw9bEJTH0RXGaV2751NzvLH94i7QHfNukvOslF/kaDOA+FwqG06xSKSKo24Qyj4ewYA3BzhN8XLf2E9uW2LuDrUoA6aXUP2tYPqiTw8zmmgsVV5t7Y5PeNcleV3KmfcJZJKp33yGCKtGF7ggvNvnied5slO6E1BDkcVnqO7sdyI0MqSvsvH4IvEmeiSWAcBRBnwVLIwfn10frIvUg0fH4uZR7DASfO/HstYWKAEacz4xYBv74TtVVtYHlPvnVwC20YIYDMrgBsm3XngyWIQvruQCgyIkRzHjUKCpp76HpyEqzdJdEdaywkODYNOT6ab1B5uUu9WaMjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBADXLPOqFHdnVgJW5+iXJYcgCDK1Eyr+RwvMA+3VszYALU5B6OCH5maplwC5aUgiQZ7ew==]
|
||||
@@ -1,62 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::etcd::node
|
||||
|
||||
profiles::etcd::node::members_lookup: true
|
||||
profiles::etcd::node::members_role: roles::infra::etcd::node
|
||||
|
||||
profiles::etcd::node::config:
|
||||
data-dir: /data/etcd
|
||||
client-cert-auth: false
|
||||
client-transport-security:
|
||||
cert-file: /etc/pki/tls/vault/certificate.crt
|
||||
key-file: /etc/pki/tls/vault/private.key
|
||||
client-cert-auth: false
|
||||
auto-tls: false
|
||||
peer-transport-security:
|
||||
cert-file: /etc/pki/tls/vault/certificate.crt
|
||||
key-file: /etc/pki/tls/vault/private.key
|
||||
client-cert-auth: false
|
||||
auto-tls: false
|
||||
allowed-cn:
|
||||
max-wals: 5
|
||||
max-snapshots: 5
|
||||
snapshot-count: 10000
|
||||
heartbeat-interval: 100
|
||||
election-timeout: 1000
|
||||
cipher-suites: [
|
||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
]
|
||||
tls-min-version: 'TLS1.2'
|
||||
tls-max-version: 'TLS1.3'
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- etcd.service.consul
|
||||
- etcd.query.consul
|
||||
- "etcd.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- etcd.query.consul
|
||||
- etcd.service.consul
|
||||
- etcd.service.%{facts.country}-%{facts.region}.consul
|
||||
|
||||
consul::services:
|
||||
etcd:
|
||||
service_name: 'etcd'
|
||||
tags:
|
||||
- 'etcd'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 2379
|
||||
checks:
|
||||
- id: 'etcd_http_health_check'
|
||||
name: 'ETCD HTTP Health Check'
|
||||
http: "https://%{facts.networking.ip}:2379/health"
|
||||
method: 'GET'
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
tls_skip_verify: true
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: etcd
|
||||
disposition: write
|
||||
@@ -5,7 +5,6 @@ hiera_include:
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
docker::root_dir: /data/docker
|
||||
|
||||
profiles::gitea::runner::home: /data/runner
|
||||
profiles::gitea::runner::version: '0.2.10'
|
||||
@@ -45,10 +44,3 @@ profiles::gitea::runner::config:
|
||||
force_rebuild: false
|
||||
host:
|
||||
workdir_parent: "%{hiera('profiles::gitea::runner::home')}/.cache/act"
|
||||
|
||||
# enable ip forwarding for docker containers
|
||||
sysctl::base::values:
|
||||
net.ipv4.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv6.conf.all.forwarding:
|
||||
value: '1'
|
||||
|
||||
@@ -1,125 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- incus
|
||||
- zfs
|
||||
|
||||
profiles::packages::include:
|
||||
bridge-utils: {}
|
||||
dnsmasq: {}
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- incus-images.service.consul
|
||||
- incus-images.query.consul
|
||||
- "incus-images.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- incus-images.service.consul
|
||||
- incus-images.query.consul
|
||||
- "incus-images.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
incus-images:
|
||||
service_name: 'incus-images'
|
||||
tags:
|
||||
- 'incus'
|
||||
- 'images'
|
||||
- 'container'
|
||||
- 'lxd'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 8443
|
||||
checks:
|
||||
- id: 'incus_https_check'
|
||||
name: 'incus HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:8443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: incus-images
|
||||
disposition: write
|
||||
|
||||
# additional repos
|
||||
profiles::yum::global::repos:
|
||||
zfs-kmod:
|
||||
name: zfs-kmod
|
||||
descr: zfs-kmod repository
|
||||
target: /etc/yum.repos.d/zfs-kmod.repo
|
||||
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
|
||||
mirrorlist: absent
|
||||
|
||||
# zfs settings
|
||||
zfs::manage_repo: false
|
||||
zfs::zfs_arc_min: ~
|
||||
zfs::zfs_arc_max: 429496729 # 400MB
|
||||
zfs::zpools:
|
||||
fastpool:
|
||||
ensure: present
|
||||
disk: /dev/vdb
|
||||
ashift: 12
|
||||
zfs::datasets:
|
||||
fastpool:
|
||||
canmount: 'off'
|
||||
acltype: posix
|
||||
atime: 'off'
|
||||
relatime: 'off'
|
||||
compression: 'zstd'
|
||||
xattr: 'sa'
|
||||
fastpool/data:
|
||||
canmount: 'on'
|
||||
mountpoint: '/data'
|
||||
fastpool/data/incus:
|
||||
canmount: 'on'
|
||||
mountpoint: '/data/incus'
|
||||
|
||||
# manage incus
|
||||
incus::init: true
|
||||
incus::server_port: 8443
|
||||
incus::storage_images_volume: fastpool/imagestore
|
||||
|
||||
# add sysadmin to incus-admin group
|
||||
profiles::accounts::sysadmin::extra_groups:
|
||||
- incus-admin
|
||||
|
||||
# sysctl recommendations
|
||||
sysctl::base::values:
|
||||
fs.aio-max-nr:
|
||||
value: '524288'
|
||||
fs.inotify.max_queued_events:
|
||||
value: '1048576'
|
||||
fs.inotify.max_user_instances:
|
||||
value: '1048576'
|
||||
fs.inotify.max_user_watches:
|
||||
value: '1048576'
|
||||
kernel.dmesg_restrict:
|
||||
value: '1'
|
||||
kernel.keys.maxbytes:
|
||||
value: '2000000'
|
||||
kernel.keys.maxkeys:
|
||||
value: '2000'
|
||||
net.core.bpf_jit_limit:
|
||||
value: '1000000000'
|
||||
net.ipv4.neigh.default.gc_thresh3:
|
||||
value: '8192'
|
||||
net.ipv6.neigh.default.gc_thresh3:
|
||||
value: '8192'
|
||||
vm.max_map_count:
|
||||
value: '262144'
|
||||
net.ipv4.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv6.conf.all.forwarding:
|
||||
value: '1'
|
||||
|
||||
# limits.d recommendations
|
||||
limits::entries:
|
||||
'*/nofile':
|
||||
both: 1048576
|
||||
'root/nofile':
|
||||
both: 1048576
|
||||
'*/memlock':
|
||||
both: unlimited
|
||||
'root/memlock':
|
||||
both: unlimited
|
||||
@@ -1,220 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::selinux::frr
|
||||
- frrouting
|
||||
- incus
|
||||
- zfs
|
||||
|
||||
profiles::packages::include:
|
||||
bridge-utils: {}
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- incus.service.consul
|
||||
- incus.query.consul
|
||||
- "incus.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- incus.service.consul
|
||||
- incus.query.consul
|
||||
- "incus.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
incus:
|
||||
service_name: 'incus'
|
||||
tags:
|
||||
- 'incus'
|
||||
- 'container'
|
||||
- 'lxd'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 8443
|
||||
checks:
|
||||
- id: 'incus_https_check'
|
||||
name: 'incus HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:8443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: incus
|
||||
disposition: write
|
||||
|
||||
# additional repos
|
||||
profiles::yum::global::repos:
|
||||
frr-extras:
|
||||
name: frr-extras
|
||||
descr: frr-extras repository
|
||||
target: /etc/yum.repos.d/frr-extras.repo
|
||||
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||
mirrorlist: absent
|
||||
frr-stable:
|
||||
name: frr-stable
|
||||
descr: frr-stable repository
|
||||
target: /etc/yum.repos.d/frr-stable.repo
|
||||
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||
mirrorlist: absent
|
||||
zfs-kmod:
|
||||
name: zfs-kmod
|
||||
descr: zfs-kmod repository
|
||||
target: /etc/yum.repos.d/zfs-kmod.repo
|
||||
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
|
||||
mirrorlist: absent
|
||||
|
||||
# networking
|
||||
systemd::manage_networkd: true
|
||||
systemd::manage_all_network_files: true
|
||||
#networking::use_networkd: true
|
||||
networking::interfaces:
|
||||
enp2s0:
|
||||
type: physical
|
||||
txqueuelen: 10000
|
||||
forwarding: true
|
||||
enp3s0:
|
||||
type: physical
|
||||
mtu: 9000
|
||||
txqueuelen: 10000
|
||||
forwarding: true
|
||||
loopback0:
|
||||
type: dummy
|
||||
ipaddress: "%{hiera('networking_loopback0_ip')}"
|
||||
netmask: 255.255.255.255
|
||||
mtu: 9000
|
||||
loopback1:
|
||||
type: dummy
|
||||
ipaddress: "%{hiera('networking_loopback1_ip')}"
|
||||
netmask: 255.255.255.255
|
||||
mtu: 9000
|
||||
loopback2:
|
||||
type: dummy
|
||||
ipaddress: "%{hiera('networking_loopback2_ip')}"
|
||||
netmask: 255.255.255.255
|
||||
mtu: 9000
|
||||
|
||||
# frrouting
|
||||
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::ospfd_redistribute:
|
||||
- connected
|
||||
frrouting::ospfd_interfaces:
|
||||
enp2s0:
|
||||
area: 0.0.0.0
|
||||
enp3s0:
|
||||
area: 0.0.0.0
|
||||
loopback0:
|
||||
area: 0.0.0.0
|
||||
loopback1:
|
||||
area: 0.0.0.0
|
||||
loopback2:
|
||||
area: 0.0.0.0
|
||||
brmplscore:
|
||||
area: 0.0.0.0
|
||||
frrouting::mpls_te_enabled: true
|
||||
frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::mpls_ldp_interfaces:
|
||||
- loopback0
|
||||
- enp2s0
|
||||
- enp3s0
|
||||
- brmplscore
|
||||
frrouting::daemons:
|
||||
ldpd: true
|
||||
ospfd: true
|
||||
|
||||
# add loopback interfaces to ssh list
|
||||
ssh::server::options:
|
||||
ListenAddress:
|
||||
- "%{hiera('networking_loopback0_ip')}"
|
||||
|
||||
# zfs settings
|
||||
zfs::manage_repo: false
|
||||
zfs::zfs_arc_min: ~
|
||||
zfs::zfs_arc_max: 4294967296 # 4GB
|
||||
zfs::zpools:
|
||||
fastpool:
|
||||
ensure: present
|
||||
disk: /dev/nvme1n1
|
||||
ashift: 12
|
||||
zfs::datasets:
|
||||
fastpool:
|
||||
canmount: 'off'
|
||||
acltype: posix
|
||||
atime: 'off'
|
||||
relatime: 'off'
|
||||
compression: 'zstd'
|
||||
xattr: 'sa'
|
||||
fastpool/data:
|
||||
canmount: 'on'
|
||||
mountpoint: '/data'
|
||||
fastpool/data/incus:
|
||||
canmount: 'on'
|
||||
mountpoint: '/data/incus'
|
||||
|
||||
# manage incus
|
||||
incus::init: true
|
||||
incus::bridge: br10
|
||||
incus::server_port: 8443
|
||||
incus::server_addr: "%{hiera('networking_loopback0_ip')}"
|
||||
|
||||
# add sysadmin to incus-admin group
|
||||
profiles::accounts::sysadmin::extra_groups:
|
||||
- incus-admin
|
||||
|
||||
# sysctl recommendations
|
||||
sysctl::base::values:
|
||||
fs.aio-max-nr:
|
||||
value: '524288'
|
||||
fs.inotify.max_queued_events:
|
||||
value: '1048576'
|
||||
fs.inotify.max_user_instances:
|
||||
value: '1048576'
|
||||
fs.inotify.max_user_watches:
|
||||
value: '1048576'
|
||||
kernel.dmesg_restrict:
|
||||
value: '1'
|
||||
kernel.keys.maxbytes:
|
||||
value: '2000000'
|
||||
kernel.keys.maxkeys:
|
||||
value: '2000'
|
||||
net.core.bpf_jit_limit:
|
||||
value: '1000000000'
|
||||
net.ipv4.neigh.default.gc_thresh3:
|
||||
value: '8192'
|
||||
net.ipv6.neigh.default.gc_thresh3:
|
||||
value: '8192'
|
||||
vm.max_map_count:
|
||||
value: '262144'
|
||||
net.ipv4.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv6.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv4.tcp_l3mdev_accept:
|
||||
value: '0'
|
||||
net.ipv4.conf.default.rp_filter:
|
||||
value: '0'
|
||||
net.ipv4.conf.all.rp_filter:
|
||||
value: '0'
|
||||
net.mpls.platform_labels:
|
||||
value: '1048575'
|
||||
net.mpls.conf.enp2s0.input:
|
||||
value: '1'
|
||||
net.mpls.conf.enp3s0.input:
|
||||
value: '1'
|
||||
net.mpls.conf.brmplscore.input:
|
||||
value: '1'
|
||||
net.mpls.conf.loopback0.input:
|
||||
value: '1'
|
||||
|
||||
# limits.d recommendations
|
||||
limits::entries:
|
||||
'*/nofile':
|
||||
both: 1048576
|
||||
'root/nofile':
|
||||
both: 1048576
|
||||
'*/memlock':
|
||||
both: unlimited
|
||||
'root/memlock':
|
||||
both: unlimited
|
||||
@@ -1,79 +0,0 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::selinux::frr
|
||||
- frrouting
|
||||
|
||||
# additional repos
|
||||
profiles::yum::global::repos:
|
||||
frr-extras:
|
||||
name: frr-extras
|
||||
descr: frr-extras repository
|
||||
target: /etc/yum.repos.d/frr-extras.repo
|
||||
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||
mirrorlist: absent
|
||||
frr-stable:
|
||||
name: frr-stable
|
||||
descr: frr-stable repository
|
||||
target: /etc/yum.repos.d/frr-stable.repo
|
||||
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||
mirrorlist: absent
|
||||
|
||||
# networking
|
||||
systemd::manage_networkd: true
|
||||
systemd::manage_all_network_files: true
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
dhcp: true
|
||||
type: physical
|
||||
mtu: 8000
|
||||
forwarding: true
|
||||
loopback0:
|
||||
type: dummy
|
||||
ipaddress: "%{hiera('networking_loopback0_ip')}"
|
||||
netmask: 255.255.255.255
|
||||
mtu: 8000
|
||||
|
||||
# frrouting
|
||||
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::ospfd_redistribute:
|
||||
- connected
|
||||
frrouting::ospfd_interfaces:
|
||||
eth0:
|
||||
area: 0.0.0.0
|
||||
loopback0:
|
||||
area: 0.0.0.0
|
||||
frrouting::mpls_te_enabled: true
|
||||
frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
|
||||
frrouting::mpls_ldp_interfaces:
|
||||
- eth0
|
||||
- loopback0
|
||||
frrouting::daemons:
|
||||
ldpd: true
|
||||
ospfd: true
|
||||
|
||||
# add loopback interfaces to ssh list
|
||||
ssh::server::options:
|
||||
ListenAddress:
|
||||
- "%{hiera('networking_loopback0_ip')}"
|
||||
|
||||
# sysctl recommendations
|
||||
sysctl::base::values:
|
||||
net.ipv4.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv6.conf.all.forwarding:
|
||||
value: '1'
|
||||
net.ipv4.tcp_l3mdev_accept:
|
||||
value: '0'
|
||||
net.ipv4.conf.default.rp_filter:
|
||||
value: '0'
|
||||
net.ipv4.conf.all.rp_filter:
|
||||
value: '0'
|
||||
net.mpls.platform_labels:
|
||||
value: '1048575'
|
||||
net.mpls.conf.eth0.input:
|
||||
value: '1'
|
||||
net.mpls.conf.loopback0.input:
|
||||
value: '1'
|
||||
@@ -1,2 +0,0 @@
|
||||
---
|
||||
ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEzl2zX8ok6iURymPLbvkFE/dZhunzwisNCsLE5Tx6Pmil0PNx7iFULHXxWU6HMVOxzJmgcnTY+NsRnoTMSpXHGeC3wmD525T4xO4wvG/l9apzmPs1NTI4hcyYCj4NkAKyo249xXEodU4uM2AZp3ZgLBLf2cZpOe0/SPngWSq0kC4pJMnxWH+YsQ/O/1EMxpjSgMMna4YcMtcW2M0+wRhASNSTV7icsiAp6F/cInZuP44ASviHmM6+aMEhygBariOT80kaHZZI+aP6vqSd9lChXCV5qjRzeoEBIKOzT2ZBj41RTsF75J8UYFPwY7dp584tDpiIedUSR9IRCJe4d0uTjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCau9oXJiYiCGgvxZl62EsagDDgX2cU3+3QCkImEGS1oBahkPl3fYHKynbRi0ZQW1CoW0UFRzY8FmWmGkowns9OsIM=]
|
||||
@@ -1,72 +0,0 @@
|
||||
---
|
||||
|
||||
hiera_include:
|
||||
- docker
|
||||
- docker::networks
|
||||
- frrouting
|
||||
- profiles::nomad::node
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
docker::root_dir: /data/docker
|
||||
docker::ip_forward: true
|
||||
docker::ip_masq: false
|
||||
docker::iptables: false
|
||||
|
||||
frrouting::ospfd_redistribute:
|
||||
- connected
|
||||
frrouting::ospfd_interfaces:
|
||||
eth0:
|
||||
area: 0.0.0.0
|
||||
ens19:
|
||||
passive: true
|
||||
docker0:
|
||||
area: 0.0.0.1
|
||||
|
||||
profiles::yum::global::repos:
|
||||
ceph-reef:
|
||||
name: ceph-reef
|
||||
descr: ceph reef repository
|
||||
target: /etc/yum.repos.d/ceph-reef.repo
|
||||
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgcheck: 0,
|
||||
mirrorlist: absent
|
||||
|
||||
profiles::ceph::client::keyrings:
|
||||
nomad:
|
||||
key: "%{hiera('ceph::key::media')}"
|
||||
|
||||
profiles::packages::include:
|
||||
nomad: {}
|
||||
cni-plugins: {}
|
||||
|
||||
profiles::nomad::node::client: true
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- client.global.nomad
|
||||
- client.au-syd1.nomad
|
||||
- nomad-client.service.consul
|
||||
- nomad-client.query.consul
|
||||
- "nomad-client.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: nomad-client
|
||||
disposition: write
|
||||
- resource: agent_prefix
|
||||
segment: ''
|
||||
disposition: read
|
||||
- resource: node_prefix
|
||||
segment: ''
|
||||
disposition: write
|
||||
- resource: service_prefix
|
||||
segment: ''
|
||||
disposition: write
|
||||
- resource: key_prefix
|
||||
segment: "nomad"
|
||||
disposition: write
|
||||
- resource: session_prefix
|
||||
segment: ""
|
||||
disposition: write
|
||||
@@ -1,34 +0,0 @@
|
||||
---
|
||||
|
||||
hiera_include:
|
||||
- profiles::nomad::node
|
||||
|
||||
profiles::packages::include:
|
||||
nomad: {}
|
||||
|
||||
profiles::nomad::node::server: true
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- client.global.nomad
|
||||
- client.au-syd1.nomad
|
||||
- server.global.nomad
|
||||
- server.au-syd1.nomad
|
||||
- nomad.service.consul
|
||||
- nomad.query.consul
|
||||
- "nomad.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: nomad
|
||||
disposition: write
|
||||
- resource: agent_prefix
|
||||
segment: ''
|
||||
disposition: read
|
||||
- resource: node_prefix
|
||||
segment: ''
|
||||
disposition: write
|
||||
- resource: service_prefix
|
||||
segment: ''
|
||||
disposition: write
|
||||
@@ -2,6 +2,8 @@
|
||||
hiera_include:
|
||||
- certbot
|
||||
- profiles::pki::puppetcerts
|
||||
- firewall::rules::in::sshd
|
||||
- firewall::rules::in::https
|
||||
|
||||
certbot::domains:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
profiles::pki::vault::alt_names:
|
||||
- jumphost.service.consul
|
||||
- jumphost.query.consul
|
||||
- "jumphost.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- jumphost.query.consul
|
||||
- jumphost.service.consul
|
||||
- jumphost.service.%{facts.country}-%{facts.region}.consul
|
||||
|
||||
consul::services:
|
||||
jumphost:
|
||||
service_name: 'jumphost'
|
||||
tags:
|
||||
- 'jumphost'
|
||||
- 'proxy'
|
||||
- 'ssh'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 22
|
||||
checks:
|
||||
- id: 'ssh_tcp_check'
|
||||
name: 'SSH TCP Check'
|
||||
tcp: "%{facts.networking.ip}:22"
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: jumphost
|
||||
disposition: write
|
||||
@@ -5,13 +5,6 @@ profiles::puppet::autosign::subnet_ranges:
|
||||
- '198.18.15.0/24'
|
||||
- '198.18.16.0/24'
|
||||
- '198.18.17.0/24'
|
||||
- '198.18.20.0/24'
|
||||
- '198.18.24.0/24'
|
||||
- '198.18.25.0/24'
|
||||
- '198.18.26.0/24'
|
||||
- '198.18.27.0/24'
|
||||
- '198.18.28.0/24'
|
||||
- '198.18.29.0/24'
|
||||
|
||||
profiles::puppet::autosign::domains:
|
||||
- '*.main.unkin.net'
|
||||
@@ -26,7 +19,7 @@ profiles::puppet::cobbler_enc::packages:
|
||||
- 'requests'
|
||||
- 'PyYAML'
|
||||
profiles::puppet::enc::repo: https://git.service.au-syd1.consul/unkinben/puppet-enc.git
|
||||
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkin/puppet-r10k.git
|
||||
profiles::puppet::r10k::r10k_repo: https://git.service.au-syd1.consul/unkinben/puppet-r10k.git
|
||||
profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
|
||||
profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
|
||||
profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
profiles::puppet::puppetboard::secret_key: ENC[PKCS7,MIIB+wYJKoZIhvcNAQcDoIIB7DCCAegCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAoCr9JTtrnMaVjJlEpA0NYNt/QAgTGiEmS3kPn2oJ80Ay7fUl79pop95uLQIfw6C3e8WGUhxYt31wmzent4Bfbced7uF/tjhP2cniKPmZGuf/tmVrGIHIh4T4g0Wz2K0DIU/dGWUlgE03ICRxXlAy0atjUuAp02ehj7bzLuMf+vZbghm8vnOoDCTKjeZNAJEkDvBkIzwUu9JiM9Gn6BzoLLGdEERqs/LR832vjjNmF7KUEH/Ntt47wbLdfCzawsZsBNLggEb1HNGu0aSb0qBXYBPRq6w1L/RU8gX2dCqGRbhDZymihebaOcwU1AtbLEBdHTYQpga+c4bcTz9rJplLtjCBvQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQAdSjLEaZPK47TY7LDCB7b4CBkOTvHbi4nb+pB/Kng+Z3N9ocZPZdGbV6WzMNGxsxmhWXoi+XKEzEvfB10UhQwDcvZXd2W9hhiRkakq7+S0uLWzCX1jNMH2LXZAzoiyGM4FFvGpx7Z64OhmVrOJuKnxD+3zK6PZqvMb3g7CjZeAr5vyhcT/zO75krhJuYp11ZFpLCRcuASf0ru+Jq5OKD4+ZI/g==]
|
||||
@@ -37,3 +37,12 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: puppetdbapi
|
||||
disposition: write
|
||||
|
||||
hiera_include:
|
||||
- firewall::rules::in::sshd
|
||||
- firewall::rules::in::puppetdbapi
|
||||
|
||||
firewall::rules::in::exporters::ports:
|
||||
- 9100
|
||||
- 9558
|
||||
- 9635
|
||||
|
||||
@@ -2,161 +2,110 @@
|
||||
profiles::packages::include:
|
||||
createrepo: {}
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- packagerepo.service.consul
|
||||
- packagerepo.query.consul
|
||||
- "packagerepo.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- packagerepo.main.unkin.net
|
||||
- packagerepo.service.consul
|
||||
- packagerepo.query.consul
|
||||
- "packagerepo.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
jupyterhub:
|
||||
service_name: 'packagerepo'
|
||||
tags:
|
||||
- 'packagerepo'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'packagerepo_http_check'
|
||||
name: 'packagerepo HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: packagerepo
|
||||
disposition: write
|
||||
- repos.main.unkin.net
|
||||
|
||||
profiles::reposync::webserver::nginx_listen_mode: both
|
||||
profiles::reposync::webserver::nginx_cert_type: vault
|
||||
profiles::reposync::repos_list:
|
||||
almalinux_9_5_baseos:
|
||||
repository: 'baseos'
|
||||
description: 'AlmaLinux 9.5 BaseOS'
|
||||
almalinux_8_9_baseos:
|
||||
repository: 'BaseOS'
|
||||
description: 'AlmaLinux 8.9 - BaseOS'
|
||||
osname: 'almalinux'
|
||||
release: '9.5'
|
||||
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/baseos'
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_5_appstream:
|
||||
repository: 'appstream'
|
||||
description: 'AlmaLinux 9.5 AppStream'
|
||||
release: '8.9'
|
||||
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/baseos
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
|
||||
almalinux_8_9_appstream:
|
||||
repository: 'AppStream'
|
||||
description: 'AlmaLinux 8.9 - AppStream'
|
||||
osname: 'almalinux'
|
||||
release: '9.5'
|
||||
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/appstream'
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_5_crb:
|
||||
repository: 'crb'
|
||||
description: 'AlmaLinux 9.5 CRB'
|
||||
release: '8.9'
|
||||
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/appstream
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
|
||||
almalinux_8_9_highavailability:
|
||||
repository: 'HighAvailability'
|
||||
description: 'AlmaLinux 8.9 - HighAvailability'
|
||||
osname: 'almalinux'
|
||||
release: '9.5'
|
||||
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/crb'
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_5_ha:
|
||||
repository: 'ha'
|
||||
description: 'AlmaLinux 9.5 HighAvailability'
|
||||
release: '8.9'
|
||||
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/ha
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
|
||||
almalinux_8_9_powertools:
|
||||
repository: 'PowerTools'
|
||||
description: 'AlmaLinux 8.9 - PowerTools'
|
||||
osname: 'almalinux'
|
||||
release: '9.5'
|
||||
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/highavailability'
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_5_extras:
|
||||
release: '8.9'
|
||||
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/powertools
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
|
||||
almalinux_8_9_extras:
|
||||
repository: 'extras'
|
||||
description: 'AlmaLinux 9.5 extras'
|
||||
description: 'AlmaLinux 8.9 - extras'
|
||||
osname: 'almalinux'
|
||||
release: '9.5'
|
||||
mirrorlist: 'https://mirrors.almalinux.org/mirrorlist/9.5/extras'
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_4_baseos:
|
||||
repository: 'baseos'
|
||||
description: 'AlmaLinux 9.4 BaseOS'
|
||||
osname: 'almalinux'
|
||||
release: '9.4'
|
||||
baseurl: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/'
|
||||
gpgkey: 'https://vault.almalinux.org/9.4/BaseOS/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_4_appstream:
|
||||
repository: 'appstream'
|
||||
description: 'AlmaLinux 9.4 AppStream'
|
||||
osname: 'almalinux'
|
||||
release: '9.4'
|
||||
baseurl: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/'
|
||||
gpgkey: 'https://vault.almalinux.org/9.4/AppStream/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_4_crb:
|
||||
repository: 'crb'
|
||||
description: 'AlmaLinux 9.4 CRB'
|
||||
osname: 'almalinux'
|
||||
release: '9.4'
|
||||
baseurl: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/'
|
||||
gpgkey: 'https://vault.almalinux.org/9.4/CRB/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_4_ha:
|
||||
repository: 'ha'
|
||||
description: 'AlmaLinux 9.4 HighAvailability'
|
||||
osname: 'almalinux'
|
||||
release: '9.4'
|
||||
baseurl: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/'
|
||||
gpgkey: 'https://vault.almalinux.org/9.4/HighAvailability/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
|
||||
almalinux_9_4_extras:
|
||||
repository: 'extras'
|
||||
description: 'AlmaLinux 9.4 extras'
|
||||
osname: 'almalinux'
|
||||
release: '9.4'
|
||||
baseurl: 'https://vault.almalinux.org/9.4/extras/x86_64/os/'
|
||||
gpgkey: 'https://vault.almalinux.org/9.4/extras/x86_64/os/RPM-GPG-KEY-AlmaLinux-9'
|
||||
docker_stable_el8:
|
||||
repository: 'stable'
|
||||
description: 'Docker CE Stable EL8'
|
||||
osname: 'docker'
|
||||
release: 'el8'
|
||||
baseurl: 'https://download.docker.com/linux/centos/8/x86_64/stable/'
|
||||
gpgkey: 'https://download.docker.com/linux/centos/gpg'
|
||||
docker_stable_el9:
|
||||
repository: 'stable'
|
||||
description: 'Docker CE Stable EL9'
|
||||
osname: 'docker'
|
||||
release: 'el9'
|
||||
baseurl: 'https://download.docker.com/linux/centos/9/x86_64/stable/'
|
||||
gpgkey: 'https://download.docker.com/linux/centos/gpg'
|
||||
frr_stable_el8:
|
||||
repository: 'stable'
|
||||
description: 'FRR Stable EL8'
|
||||
osname: 'frr'
|
||||
release: 'el8'
|
||||
baseurl: 'https://rpm.frrouting.org/repo/el8/frr/'
|
||||
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||
frr_extras_el8:
|
||||
repository: 'extras'
|
||||
description: 'FRR Extras EL8'
|
||||
osname: 'frr'
|
||||
release: 'el8'
|
||||
baseurl: 'https://rpm.frrouting.org/repo/el8/extras/'
|
||||
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||
frr_stable_el9:
|
||||
repository: 'stable'
|
||||
description: 'FRR Stable EL9'
|
||||
osname: 'frr'
|
||||
release: 'el9'
|
||||
baseurl: 'https://rpm.frrouting.org/repo/el9/frr/'
|
||||
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||
frr_extras_el9:
|
||||
repository: 'extras'
|
||||
description: 'FRR Extras el9'
|
||||
osname: 'frr'
|
||||
release: 'el9'
|
||||
baseurl: 'https://rpm.frrouting.org/repo/el9/extras/'
|
||||
gpgkey: 'https://packagerepo.service.consul/frr/gpg/RPM-GPG-KEY-FRR'
|
||||
k8s_1.32:
|
||||
repository: '1.32'
|
||||
description: 'Kubernetes 1.32'
|
||||
osname: 'k8s'
|
||||
release: '1.32'
|
||||
baseurl: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/'
|
||||
gpgkey: 'https://pkgs.k8s.io/core:/stable:/v1.32/rpm/repodata/repomd.xml.key'
|
||||
release: '8.9'
|
||||
mirrorlist: https://mirrors.almalinux.org/mirrorlist/8.9/extras
|
||||
gpgkey: 'http://mirror.aarnet.edu.au/pub/almalinux/RPM-GPG-KEY-AlmaLinux'
|
||||
centos_8_advanced_virtualization:
|
||||
repository: 'virt-advanced-virtualization'
|
||||
description: 'CentOS Advanced Virtualization'
|
||||
osname: 'centos'
|
||||
release: '8' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=virt-advanced-virtualization' # Assuming 'stream' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
|
||||
centos_8_ceph_pacific:
|
||||
repository: 'storage-ceph-pacific'
|
||||
description: 'CentOS Ceph Pacific'
|
||||
osname: 'centos'
|
||||
release: '8' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=storage-ceph-pacific' # Assuming '8' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
|
||||
centos_8_rabbitmq_38:
|
||||
repository: 'messaging-rabbitmq-38'
|
||||
description: 'CentOS RabbitMQ 38'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Specified based on the repository name
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=messaging-rabbitmq-38' # Assuming '8' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
|
||||
centos_8_nfv_openvswitch:
|
||||
repository: 'nfv-openvswitch-2'
|
||||
description: 'CentOS NFV OpenvSwitch'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=nfv-openvswitch-2' # Assuming 'stream' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
|
||||
centos_8_openstack_xena:
|
||||
repository: 'cloud-openstack-xena'
|
||||
description: 'CentOS OpenStack Xena'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Directly taken from the provided mirrorlist
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=cloud-openstack-xena' # Assuming 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
|
||||
centos_8_opstools:
|
||||
repository: 'opstools-collectd-5'
|
||||
description: 'CentOS OpsTools - collectd'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?arch=x86_64&release=8-stream&repo=opstools-collectd-5' # Assuming 'stream' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
|
||||
centos_8_ovirt45:
|
||||
repository: 'virt-ovirt-45'
|
||||
description: 'CentOS oVirt 4.5'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=virt-ovirt-45' # Assuming 'stream' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
|
||||
centos_8_stream_gluster10:
|
||||
repository: 'storage-gluster-10'
|
||||
description: 'CentOS oVirt 4.5 - Glusterfs 10'
|
||||
osname: 'centos'
|
||||
release: '8-stream' # Assumed static value for demonstration
|
||||
mirrorlist: 'http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=storage-gluster-10' # Assuming 'stream' and 'x86_64'
|
||||
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
|
||||
epel_8_everything:
|
||||
repository: 'Everything'
|
||||
description: 'EPEL 8 Everything'
|
||||
osname: 'epel'
|
||||
release: '8'
|
||||
mirrorlist: 'https://mirrors.fedoraproject.org/mirrorlist?repo=epel-8&arch=x86_64'
|
||||
gpgkey: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8'
|
||||
mariadb_11_2_el8:
|
||||
repository: 'el8'
|
||||
description: 'MariaDB 11.2'
|
||||
@@ -171,27 +120,6 @@ profiles::reposync::repos_list:
|
||||
release: 'el'
|
||||
baseurl: 'https://yum.puppet.com/puppet7/el/8/x86_64/'
|
||||
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
|
||||
puppet7_el9:
|
||||
repository: '9'
|
||||
description: 'Puppet 7 EL9'
|
||||
osname: 'puppet7'
|
||||
release: 'el'
|
||||
baseurl: 'https://yum.puppet.com/puppet7/el/9/x86_64/'
|
||||
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
|
||||
puppet8_el8:
|
||||
repository: '8'
|
||||
description: 'Puppet 8 EL8'
|
||||
osname: 'puppet8'
|
||||
release: 'el'
|
||||
baseurl: 'https://yum.puppet.com/puppet8/el/8/x86_64/'
|
||||
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
|
||||
puppet8_el9:
|
||||
repository: '9'
|
||||
description: 'Puppet 8 EL9'
|
||||
osname: 'puppet8'
|
||||
release: 'el'
|
||||
baseurl: 'https://yum.puppet.com/puppet8/el/9/x86_64/'
|
||||
gpgkey: 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406'
|
||||
postgresql_rhel8_common:
|
||||
repository: 'common'
|
||||
description: 'PostgreSQL Common RHEL 8'
|
||||
@@ -199,13 +127,6 @@ profiles::reposync::repos_list:
|
||||
release: 'rhel8'
|
||||
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-8-x86_64/'
|
||||
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||
postgresql_rhel9_common:
|
||||
repository: 'common'
|
||||
description: 'PostgreSQL Common RHEL 9'
|
||||
osname: 'postgresql'
|
||||
release: 'rhel9'
|
||||
baseurl: 'https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/'
|
||||
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||
postgresql_rhel8_16:
|
||||
repository: '16'
|
||||
description: 'PostgreSQL 16 RHEL 8'
|
||||
@@ -213,38 +134,3 @@ profiles::reposync::repos_list:
|
||||
release: 'rhel8'
|
||||
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-8-x86_64/'
|
||||
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||
postgresql_rhel9_16:
|
||||
repository: '16'
|
||||
description: 'PostgreSQL 16 RHEL 9'
|
||||
osname: 'postgresql'
|
||||
release: 'rhel9'
|
||||
baseurl: 'https://download.postgresql.org/pub/repos/yum/16/redhat/rhel-9-x86_64/'
|
||||
gpgkey: 'https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL'
|
||||
zfs_dkms_rhel8:
|
||||
repository: 'dkms'
|
||||
description: 'ZFS DKMS RHEL 8'
|
||||
osname: 'zfs'
|
||||
release: 'rhel8'
|
||||
baseurl: 'http://download.zfsonlinux.org/epel/8/x86_64/'
|
||||
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
|
||||
zfs_kmod_rhel8:
|
||||
repository: 'kmod'
|
||||
description: 'ZFS KMOD RHEL 8'
|
||||
osname: 'zfs'
|
||||
release: 'rhel8'
|
||||
baseurl: 'http://download.zfsonlinux.org/epel/8/kmod/x86_64/'
|
||||
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2013'
|
||||
zfs_dkms_rhel9:
|
||||
repository: 'dkms'
|
||||
description: 'ZFS DKMS RHEL 9'
|
||||
osname: 'zfs'
|
||||
release: 'rhel9'
|
||||
baseurl: 'http://download.zfsonlinux.org/epel/9/x86_64/'
|
||||
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
|
||||
zfs_kmod_rhel9:
|
||||
repository: 'kmod'
|
||||
description: 'ZFS KMOD RHEL 9'
|
||||
osname: 'zfs'
|
||||
release: 'rhel9'
|
||||
baseurl: 'http://download.zfsonlinux.org/epel/9/kmod/x86_64/'
|
||||
gpgkey: 'https://packagerepo.service.consul/zfs/gpg/RPM-GPG-KEY-openzfs-2022'
|
||||
|
||||
@@ -1,4 +1,13 @@
|
||||
---
|
||||
hiera_include:
|
||||
- firewall::rules::in::consul
|
||||
- firewall::rules::in::dns
|
||||
- firewall::rules::in::http
|
||||
- firewall::rules::in::https
|
||||
- firewall::rules::in::sshd
|
||||
|
||||
firewall::rules::in::consul::is_server: true
|
||||
|
||||
profiles::consul::server::members_lookup: true
|
||||
profiles::consul::server::data_dir: /data/consul
|
||||
profiles::consul::server::addresses:
|
||||
|
||||
@@ -1,4 +1,10 @@
|
||||
---
|
||||
hiera_include:
|
||||
- firewall::rules::in::sshd
|
||||
- firewall::rules::in::vault
|
||||
|
||||
firewall::rules::in::ssh::ipset: jumphost
|
||||
|
||||
profiles::vault::server::members_role: roles::infra::storage::vault
|
||||
profiles::vault::server::members_lookup: true
|
||||
profiles::vault::server::data_dir: /data/vault
|
||||
|
||||
@@ -1,110 +0,0 @@
|
||||
# manage etcd
|
||||
class etcd (
|
||||
Boolean $manage_user = true,
|
||||
Boolean $manage_group = true,
|
||||
Boolean $manage_package = true,
|
||||
Boolean $manage_service = true,
|
||||
String[1] $package_name = 'etcd',
|
||||
String[1] $user = 'etcd',
|
||||
String[1] $group = 'etcd',
|
||||
Stdlib::Absolutepath $config_path = '/etc/etcd',
|
||||
Stdlib::Absolutepath $config_file = "${config_path}/etcd.yaml",
|
||||
Hash $config = { 'data-dir' => '/var/lib/etcd' },
|
||||
Integer $max_open_files = 40000,
|
||||
) {
|
||||
if downcase($facts['kernel']) != 'linux' {
|
||||
fail("Module etcd only supports Linux, not ${facts['kernel']}")
|
||||
}
|
||||
if $facts['service_provider'] != 'systemd' {
|
||||
fail('Module etcd only supported on systems using systemd')
|
||||
}
|
||||
if ! $config['data-dir'] {
|
||||
fail('Module etcd requires data-dir be specified in config Hash')
|
||||
}
|
||||
|
||||
if $manage_package {
|
||||
package { $package_name:
|
||||
ensure => installed,
|
||||
}
|
||||
}
|
||||
|
||||
if $manage_user {
|
||||
user { 'etcd':
|
||||
ensure => 'present',
|
||||
name => $user,
|
||||
forcelocal => true,
|
||||
shell => '/bin/false',
|
||||
gid => $group,
|
||||
home => $config['data-dir'],
|
||||
managehome => false,
|
||||
system => true,
|
||||
before => Systemd::Unit_file['etcd.service'],
|
||||
}
|
||||
}
|
||||
if $manage_group {
|
||||
group { 'etcd':
|
||||
ensure => 'present',
|
||||
name => $group,
|
||||
forcelocal => true,
|
||||
system => true,
|
||||
before => Systemd::Unit_file['etcd.service'],
|
||||
}
|
||||
}
|
||||
|
||||
mkdir::p { $config_path: }
|
||||
mkdir::p { $config['data-dir']: }
|
||||
|
||||
file { $config_file:
|
||||
ensure => 'file',
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0600',
|
||||
content => to_yaml($config),
|
||||
notify => Systemd::Unit_file['etcd.service'],
|
||||
require => Mkdir::P[$config_path],
|
||||
}
|
||||
|
||||
file { 'etcd-data-dir':
|
||||
ensure => 'directory',
|
||||
path => $config['data-dir'],
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0700',
|
||||
notify => Systemd::Unit_file['etcd.service'],
|
||||
require => Mkdir::P[$config['data-dir']],
|
||||
}
|
||||
|
||||
file { 'etcd-data-dir-wal.tmp':
|
||||
ensure => 'directory',
|
||||
path => "${config['data-dir']}/wal.tmp",
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0700',
|
||||
notify => Systemd::Unit_file['etcd.service'],
|
||||
require => File['etcd-data-dir'],
|
||||
}
|
||||
|
||||
if $config['wal-dir'] {
|
||||
mkdir::p { $config['wal-dir']: }
|
||||
file { 'etcd-wal-dir':
|
||||
ensure => 'directory',
|
||||
path => $config['wal-dir'],
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0700',
|
||||
notify => Systemd::Unit_file['etcd.service'],
|
||||
require => Mkdir::P[$config['wal-dir']],
|
||||
}
|
||||
}
|
||||
|
||||
if $manage_service {
|
||||
include ::systemd
|
||||
|
||||
systemd::unit_file { 'etcd.service':
|
||||
content => template('etcd/etcd.service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
require => Package[$package_name],
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,17 +0,0 @@
|
||||
# DO NOT EDIT: This file is being managed by Puppet.
|
||||
[Unit]
|
||||
Description=etcd key-value store
|
||||
Documentation=https://github.com/etcd-io/etcd
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
User=<%= @user %>
|
||||
Group=<%= @group %>
|
||||
Type=notify
|
||||
ExecStart=/usr/bin/etcd --config-file <%= @config_file %>
|
||||
Restart=always
|
||||
RestartSec=10s
|
||||
LimitNOFILE=<%= @max_open_files %>
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,29 @@
|
||||
# manage the firewall
|
||||
class firewall (
|
||||
Boolean $enable = false,
|
||||
Hash $ipset_queries = {},
|
||||
){
|
||||
|
||||
if $enable {
|
||||
$ipset_queries.each |$ipset, $query| {
|
||||
$ips = sort(query_nodes($query, 'networking.ip'))
|
||||
|
||||
nftables::set{$ipset:
|
||||
type => 'ipv4_addr',
|
||||
flags => ['dynamic'],
|
||||
elements => $ips,
|
||||
}
|
||||
}
|
||||
|
||||
class {'nftables':
|
||||
in_ssh => false,
|
||||
in_icmp => true,
|
||||
out_ntp => false,
|
||||
out_dns => false,
|
||||
out_http => false,
|
||||
out_https => false,
|
||||
out_icmp => true,
|
||||
out_all => false,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
class firewall::rules::in::cobbler (
|
||||
Array[Stdlib::Port] $ports = [25150,25151],
|
||||
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
$protocols.each |$proto| {
|
||||
nftables::rule { "default_in-cobbler_${proto}_${port}":
|
||||
content => "${proto} dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,39 @@
|
||||
class firewall::rules::in::consul (
|
||||
Boolean $is_server = false,
|
||||
) {
|
||||
|
||||
# serf traffic (lan and wan)
|
||||
nftables::rule { 'default_in-consul_udp_8301':
|
||||
content => 'udp dport 8301 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_tcp_8301':
|
||||
content => 'tcp dport 8301 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_udp_8302':
|
||||
content => 'udp dport 8302 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_tcp_8302':
|
||||
content => 'tcp dport 8302 accept',
|
||||
}
|
||||
|
||||
if $is_server {
|
||||
# dns interface
|
||||
nftables::rule { 'default_in-consul_udp_8600':
|
||||
content => 'udp dport 8600 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_tcp_8600':
|
||||
content => 'tcp dport 8600 accept',
|
||||
}
|
||||
|
||||
# communication with servers
|
||||
nftables::rule { 'default_in-consul_tcp_8300':
|
||||
content => 'tcp dport 8300 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_tcp_8500':
|
||||
content => 'tcp dport 8500 accept',
|
||||
}
|
||||
nftables::rule { 'default_in-consul_tcp_8503':
|
||||
content => 'tcp dport 8503 accept',
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
class firewall::rules::in::dhcp {
|
||||
nftables::rule { 'default_in-dhcp':
|
||||
content => 'udp sport {67, 68} udp dport {67, 68} accept';
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
class firewall::rules::in::dns (
|
||||
Array[Stdlib::Port] $ports = [53],
|
||||
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
|
||||
Optional[String] $ipset = undef,
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
$protocols.each |$proto| {
|
||||
if $ipset != '' {
|
||||
$rule = "${proto} dport ${port} ip saddr @${ipset} accept"
|
||||
}else{
|
||||
$rule = "${proto} dport ${port} accept"
|
||||
}
|
||||
nftables::rule { "default_in-dns_${proto}_${port}":
|
||||
content => $rule,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
# 9100: node_exporter
|
||||
# 9558: sysstemd_exporter
|
||||
class firewall::rules::in::exporters (
|
||||
Array[Stdlib::Port] $ports = [9100,9558],
|
||||
String $ipset = 'prometheus',
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-metrics_exporter_tcp_${port}":
|
||||
content => "tcp dport ${port} ip saddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::http (
|
||||
Array[Stdlib::Port] $ports = [80],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-http_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::https (
|
||||
Array[Stdlib::Port] $ports = [443],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-https_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::mysql (
|
||||
Array[Stdlib::Port] $ports = [3306],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-mysql_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::ntp (
|
||||
Array[Stdlib::Port] $ports = [123],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-ntp_${port}":
|
||||
content => "udp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::postgres (
|
||||
Array[Stdlib::Port] $ports = [5432],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-postgres_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::puppetdbapi (
|
||||
Array[Stdlib::Port] $ports = [8080,8081],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-puppetdbapi_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
class firewall::rules::in::sshd (
|
||||
Array[Stdlib::Port] $ports = [22],
|
||||
Optional[String] $ipset = undef,
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
if $ipset != '' {
|
||||
$rule = "tcp dport ${port} ip saddr @${ipset} accept"
|
||||
}else{
|
||||
$rule = "tcp dport ${port} accept"
|
||||
}
|
||||
nftables::rule { "default_in-sshd_tcp_${port}":
|
||||
content => $rule,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
class firewall::rules::in::tftp (
|
||||
Array[Stdlib::Port] $ports = [69],
|
||||
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
$protocols.each |$proto| {
|
||||
nftables::rule { "default_in-tftp_${proto}_${port}":
|
||||
content => "${proto} dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::in::vault (
|
||||
Array[Stdlib::Port] $ports = [8200, 8201],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_in-vaultserver_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
class firewall::rules::out::ceph_client (
|
||||
Array[Stdlib::Port,1] $ports = [3300, 6789],
|
||||
) {
|
||||
nftables::rule {
|
||||
'default_out-ceph_client':
|
||||
content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,29 @@
|
||||
class firewall::rules::out::consul (
|
||||
String $ipset = 'consul',
|
||||
) {
|
||||
|
||||
# serf traffic (lan and wan)
|
||||
nftables::rule { 'default_out-consul_udp_8301':
|
||||
content => 'udp dport 8301 accept',
|
||||
}
|
||||
nftables::rule { 'default_out-consul_tcp_8301':
|
||||
content => 'tcp dport 8301 accept',
|
||||
}
|
||||
nftables::rule { 'default_out-consul_udp_8302':
|
||||
content => 'udp dport 8302 accept',
|
||||
}
|
||||
nftables::rule { 'default_out-consul_tcp_8302':
|
||||
content => 'tcp dport 8302 accept',
|
||||
}
|
||||
|
||||
# communication with servers
|
||||
nftables::rule { 'default_out-consul_tcp_8300':
|
||||
content => "tcp dport 8300 ip daddr @${ipset} accept",
|
||||
}
|
||||
nftables::rule { 'default_out-consul_tcp_8500':
|
||||
content => "tcp dport 8500 ip daddr @${ipset} accept",
|
||||
}
|
||||
nftables::rule { 'default_out-consul_tcp_8503':
|
||||
content => "tcp dport 8503 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
class firewall::rules::out::dhcp {
|
||||
nftables::rule { 'default_out-dhcpc':
|
||||
content => 'udp sport {67, 68} udp dport {67, 68} accept';
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
class firewall::rules::out::dns (
|
||||
String $ipset = 'dns_resolver',
|
||||
) {
|
||||
|
||||
nftables::rule { 'default_out-dns_udp_53':
|
||||
content => "udp dport 53 ip daddr @${ipset} accept",
|
||||
}
|
||||
nftables::rule { 'default_out-dns_tcp_53':
|
||||
content => "tcp dport 53 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::out::http (
|
||||
Array[Stdlib::Port] $ports = [80],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-http_tcp_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
class firewall::rules::out::https (
|
||||
Array[Stdlib::Port] $ports = [443],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-https_tcp_${port}":
|
||||
content => "tcp dport ${port} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
class firewall::rules::out::mysql (
|
||||
String $ipset = 'sql_galera',
|
||||
){
|
||||
nftables::rule { 'default_out-mysql_tcp_3306':
|
||||
content => "tcp dport 3306 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
class firewall::rules::out::ntp (
|
||||
String $ipset = 'ntp',
|
||||
Array[Stdlib::Port] $ports = [123],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-ntp_udp_${port}":
|
||||
content => "udp dport ${port} ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
class firewall::rules::out::postgres (
|
||||
String $ipset = 'sql_galera',
|
||||
){
|
||||
nftables::rule { 'default_out-postgres_tcp_5432':
|
||||
content => "tcp dport 5432 ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
class firewall::rules::out::puppet (
|
||||
String $ipset = 'puppetmaster',
|
||||
Array[Stdlib::Port] $ports = [8140],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-puppet_${port}":
|
||||
content => "tcp dport ${port} ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
class firewall::rules::out::vault (
|
||||
String $ipset = 'vault',
|
||||
Array[Stdlib::Port] $ports = [8200],
|
||||
) {
|
||||
|
||||
$ports.each |$port| {
|
||||
nftables::rule { "default_out-vault_${port}":
|
||||
content => "tcp dport ${port} ip daddr @${ipset} accept",
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,89 +0,0 @@
|
||||
class frrouting (
|
||||
Boolean $manage_package = true,
|
||||
Boolean $manage_config = true,
|
||||
Boolean $manage_service = true,
|
||||
String $package_name = 'frr',
|
||||
String $service_name = 'frr',
|
||||
Hash $daemons = {},
|
||||
Hash $ospfd_interfaces = {},
|
||||
String $ospfd_router_id = $facts['networking']['ip'],
|
||||
Array[String] $ospfd_redistribute = [],
|
||||
Array[String] $ospfd_networks = [],
|
||||
Boolean $ospfd_default_originate_always = false,
|
||||
Boolean $mpls_te_enabled = false,
|
||||
Optional[String] $mpls_ldp_router_id = undef,
|
||||
Optional[String] $mpls_ldp_transport_addr = undef,
|
||||
Array[String] $mpls_ldp_interfaces = [],
|
||||
) {
|
||||
|
||||
$daemons_defaults = {
|
||||
'bgpd' => false,
|
||||
'ospfd' => true,
|
||||
'ospf6d' => false,
|
||||
'ldpd' => false,
|
||||
'ripd' => false,
|
||||
'ripngd' => false,
|
||||
'isisd' => false,
|
||||
'pimd' => false,
|
||||
'pim6d' => false,
|
||||
'nhrpd' => false,
|
||||
'eigrpd' => false,
|
||||
'sharpd' => false,
|
||||
'pbrd' => false,
|
||||
'bfdd' => false,
|
||||
'fabricd' => false,
|
||||
'vrrpd' => false,
|
||||
'pathd' => false,
|
||||
'staticd' => false,
|
||||
}
|
||||
|
||||
$daemons_merged = merge($daemons_defaults, $daemons)
|
||||
|
||||
if $manage_package {
|
||||
package { $package_name:
|
||||
ensure => installed,
|
||||
}
|
||||
}
|
||||
|
||||
if $manage_config {
|
||||
file { '/etc/frr/frr.conf':
|
||||
ensure => file,
|
||||
content => template('frrouting/frr.conf.erb'),
|
||||
notify => Service[$service_name],
|
||||
}
|
||||
|
||||
file { '/etc/frr/daemons':
|
||||
ensure => file,
|
||||
content => template('frrouting/daemons.erb'),
|
||||
notify => Service[$service_name],
|
||||
}
|
||||
}
|
||||
|
||||
if $manage_service {
|
||||
service { $service_name:
|
||||
ensure => running,
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
}
|
||||
}
|
||||
|
||||
if $mpls_ldp_router_id and $mpls_ldp_transport_addr and !empty($mpls_ldp_interfaces) {
|
||||
file { '/etc/modules-load.d/mpls_ldp_modules.conf':
|
||||
ensure => file,
|
||||
content => @(EOT/L),
|
||||
# Load MPLS Kernel Modules
|
||||
mpls_router
|
||||
mpls_iptunnel
|
||||
| EOT
|
||||
}
|
||||
|
||||
['mpls_router', 'mpls_iptunnel'].each |$mod| {
|
||||
exec { "load_${mod}":
|
||||
command => "/sbin/modprobe ${mod}",
|
||||
unless => "/sbin/lsmod | /bin/grep -q ^${mod}",
|
||||
path => ['/sbin', '/bin', '/usr/sbin', '/usr/bin'],
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,29 +0,0 @@
|
||||
# THIS FILE IS MANAGED BY PUPPET
|
||||
<% @daemons_merged.each do |daemon, status| -%>
|
||||
<% if status -%>
|
||||
<%= daemon %>=yes
|
||||
<% else -%>
|
||||
<%= daemon %>=no
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
vtysh_enable=yes
|
||||
zebra_options=" -A 127.0.0.1 -s 90000000"
|
||||
bgpd_options=" -A 127.0.0.1"
|
||||
ospfd_options=" -A 127.0.0.1"
|
||||
ospf6d_options=" -A ::1"
|
||||
ldpd_options=" -A 127.0.0.1"
|
||||
ripd_options=" -A 127.0.0.1"
|
||||
ripngd_options=" -A ::1"
|
||||
isisd_options=" -A 127.0.0.1"
|
||||
pimd_options=" -A 127.0.0.1"
|
||||
pim6d_options=" -A ::1"
|
||||
nhrpd_options=" -A 127.0.0.1"
|
||||
eigrpd_options=" -A 127.0.0.1"
|
||||
sharpd_options=" -A 127.0.0.1"
|
||||
pbrd_options=" -A 127.0.0.1"
|
||||
staticd_options="-A 127.0.0.1"
|
||||
bfdd_options=" -A 127.0.0.1"
|
||||
fabricd_options="-A 127.0.0.1"
|
||||
vrrpd_options=" -A 127.0.0.1"
|
||||
pathd_options=" -A 127.0.0.1"
|
||||
@@ -1,48 +0,0 @@
|
||||
# THIS FILE IS MANAGED BY PUPPET
|
||||
frr defaults traditional
|
||||
hostname <%= @hostname %>
|
||||
no ipv6 forwarding
|
||||
<% @ospfd_interfaces.each do |iface, params| -%>
|
||||
interface <%= iface %>
|
||||
<% if params['area'] -%>
|
||||
ip ospf area <%= params['area'] %>
|
||||
<% end -%>
|
||||
<% if params['passive'] == true -%>
|
||||
ip ospf passive
|
||||
<% end -%>
|
||||
<% if @mpls_ldp_interfaces and @mpls_ldp_interfaces.include?(iface) -%>
|
||||
mpls enable
|
||||
<% end -%>
|
||||
exit
|
||||
<% end -%>
|
||||
router ospf
|
||||
ospf router-id <%= @ospfd_router_id %>
|
||||
log-adjacency-changes detail
|
||||
<% @ospfd_redistribute.each do |type| -%>
|
||||
redistribute <%= type %>
|
||||
<% end -%>
|
||||
<% @ospfd_networks.each do |network| -%>
|
||||
network <%= network %>
|
||||
<% end -%>
|
||||
<% if @ospfd_default_originate_always -%>
|
||||
default-information originate always
|
||||
<% end -%>
|
||||
<% if @mpls_te_enabled -%>
|
||||
capability opaque
|
||||
mpls-te on
|
||||
mpls-te router-address <%= @ospfd_router_id %>
|
||||
mpls-te inter-as area 0.0.0.0
|
||||
<% end -%>
|
||||
exit
|
||||
<% if @mpls_ldp_router_id and @mpls_ldp_transport_addr and @mpls_ldp_interfaces.any? -%>
|
||||
mpls ldp
|
||||
router-id <%= @mpls_ldp_router_id %>
|
||||
address-family ipv4
|
||||
discovery transport-address <%= @mpls_ldp_transport_addr %>
|
||||
<% @mpls_ldp_interfaces.each do |iface| -%>
|
||||
interface <%= iface %>
|
||||
exit
|
||||
<% end -%>
|
||||
exit-address-family
|
||||
exit
|
||||
<% end -%>
|
||||
@@ -1,18 +0,0 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
require 'yaml'
|
||||
|
||||
Facter.add(:incus) do
|
||||
setcode do
|
||||
# Check if the 'incus' executable exists
|
||||
incus_path = Facter::Util::Resolution.which('incus')
|
||||
next {} unless incus_path # Return an empty fact if incus isn't found
|
||||
|
||||
# Run the `incus info` command using the found path
|
||||
incus_output = Facter::Core::Execution.execute("#{incus_path} info")
|
||||
next {} if incus_output.empty? # Return an empty fact if there's no output
|
||||
|
||||
# Parse the output as YAML and return it
|
||||
YAML.safe_load(incus_output, permitted_classes: [Symbol, Time, Date])
|
||||
end
|
||||
end
|
||||
@@ -1,57 +0,0 @@
|
||||
# manage incus clusters
|
||||
class incus::cluster (
|
||||
Boolean $members_lookup = false,
|
||||
String $members_role = undef,
|
||||
String $master = undef,
|
||||
Array $servers = [],
|
||||
Stdlib::Fqdn $server_fqdn = $facts['networking']['fqdn'],
|
||||
Stdlib::Port $server_port = 8443,
|
||||
){
|
||||
|
||||
# check that the master is named
|
||||
unless !($master == undef) {
|
||||
fail("master must be provided for ${title}")
|
||||
}
|
||||
|
||||
# if lookup is enabled
|
||||
if $members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($members_role == undef) {
|
||||
fail("members_role must be provided for ${title} when members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $servers
|
||||
}
|
||||
|
||||
# if its not an empty array. Give puppetdb a chance to be populated with data.
|
||||
if length($servers_array) >= 3 {
|
||||
|
||||
# check if this is the master_node
|
||||
if $master == $trusted['certname'] {
|
||||
$master_bool = true
|
||||
}else{
|
||||
$master_bool = false
|
||||
}
|
||||
|
||||
# find bootstrap status for servers
|
||||
$bootstrap_array = puppetdb_query("inventory[certname, facts] { facts.enc_role = '${members_role}' }").map |$node| {
|
||||
{
|
||||
'fqdn' => $node['certname'],
|
||||
'ip' => $node['facts']['networking']['ip'],
|
||||
'clustered' => $node['facts']['incus']['environment']['server_clustered'],
|
||||
'certificate' => $node['facts']['incus']['environment']['certificate'],
|
||||
}
|
||||
}
|
||||
|
||||
# determine if the cluster is bootstrapped
|
||||
$cluster_bootstrapped = $bootstrap_array.any |$server| {
|
||||
$server['fqdn'] == $master and $server['clustered'] == true
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,77 +0,0 @@
|
||||
class incus (
|
||||
Array[String] $packages = [
|
||||
'incus',
|
||||
'incus-tools',
|
||||
'incus-client'
|
||||
],
|
||||
Boolean $cluster = false,
|
||||
Boolean $init = true,
|
||||
String $bridge = 'incusbr0',
|
||||
Stdlib::Port $server_port = 8443,
|
||||
Stdlib::IP::Address $server_addr = $facts['networking']['ip'],
|
||||
Optional[String] $storage_images_volume = undef,
|
||||
) {
|
||||
|
||||
package { $packages:
|
||||
ensure => installed,
|
||||
}
|
||||
|
||||
service { 'incus':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
hasstatus => true,
|
||||
hasrestart => true,
|
||||
}
|
||||
|
||||
file_line { 'subuid_root':
|
||||
ensure => present,
|
||||
path => '/etc/subuid',
|
||||
line => 'root:1000000:1000000000',
|
||||
match => '^root:',
|
||||
notify => Service['incus'],
|
||||
}
|
||||
|
||||
file_line { 'subgid_root':
|
||||
ensure => present,
|
||||
path => '/etc/subgid',
|
||||
line => 'root:1000000:1000000000',
|
||||
match => '^root:',
|
||||
notify => Service['incus'],
|
||||
}
|
||||
|
||||
if $init {
|
||||
file {'/root/incus.preseed.yaml':
|
||||
ensure => file,
|
||||
owner => root,
|
||||
group => root,
|
||||
content => template('incus/join_preseed.yaml.erb')
|
||||
}
|
||||
|
||||
exec { 'initiate_incus':
|
||||
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
|
||||
command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized',
|
||||
refreshonly => true,
|
||||
creates => '/root/.incus_initialized',
|
||||
subscribe => File['/root/incus.preseed.yaml'],
|
||||
}
|
||||
}
|
||||
|
||||
if $facts['incus'] and $facts['incus']['config'] {
|
||||
# set core.https_address
|
||||
if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
|
||||
exec { 'incus_config_set_core_https_address':
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "incus config set core.https_address ${server_addr}:${server_port}",
|
||||
}
|
||||
}
|
||||
# set storage.images_volume # path to store images
|
||||
if $storage_images_volume {
|
||||
if $facts['incus']['config']['storage.images_volume'] != $storage_images_volume {
|
||||
exec { 'incus_config_set_storage_images_volume':
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "incus config set storage.images_volume ${storage_images_volume}",
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
config:
|
||||
core.https_address: <%= @server_fqdn %>:<%= @server_port %>
|
||||
networks: []
|
||||
storage_pools: []
|
||||
storage_volumes: []
|
||||
profiles:
|
||||
- config: {}
|
||||
description: ""
|
||||
devices:
|
||||
eth0:
|
||||
name: eth0
|
||||
nictype: bridged
|
||||
parent: <%= @bridge %>
|
||||
type: nic
|
||||
name: default
|
||||
project: default
|
||||
projects: []
|
||||
cluster: null
|
||||
@@ -1,74 +0,0 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
require 'facter'
|
||||
require 'yaml'
|
||||
require 'net/http'
|
||||
require 'uri'
|
||||
require 'fileutils'
|
||||
|
||||
# CobblerENC module: Fetches ENC data from Cobbler, caches it, and provides structured facts.
|
||||
module CobblerENC
|
||||
CACHE_FILE = '/var/cache/puppet_enc.yaml'
|
||||
CACHE_TTL = 7 * 24 * 60 * 60 # 7 days in seconds
|
||||
@enc_data = nil # In-memory cache for the ENC response
|
||||
|
||||
def self.read_cache
|
||||
return {} unless File.exist?(CACHE_FILE)
|
||||
|
||||
cache_data = YAML.safe_load(File.read(CACHE_FILE)) || {}
|
||||
timestamp = cache_data.fetch('timestamp', 0)
|
||||
|
||||
return cache_data if Time.now.to_i - timestamp < CACHE_TTL
|
||||
|
||||
{}
|
||||
end
|
||||
|
||||
def self.write_cache(enc_data)
|
||||
FileUtils.mkdir_p(File.dirname(CACHE_FILE))
|
||||
cache_data = enc_data.merge({ 'timestamp' => Time.now.to_i })
|
||||
File.write(CACHE_FILE, cache_data.to_yaml)
|
||||
end
|
||||
|
||||
def self.fetch_from_cobbler
|
||||
uri = URI("http://cobbler.main.unkin.net/cblr/svc/op/puppet/hostname/#{Facter.value(:fqdn) || Facter.value(:hostname)}")
|
||||
response = Net::HTTP.get_response(uri)
|
||||
|
||||
raise "Failed to fetch ENC data. HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
|
||||
|
||||
YAML.safe_load(response.body) || {}
|
||||
end
|
||||
|
||||
def self.retrieve_enc_data
|
||||
return @enc_data if @enc_data
|
||||
|
||||
@enc_data = fetch_from_cobbler
|
||||
write_cache(@enc_data)
|
||||
@enc_data
|
||||
end
|
||||
|
||||
def self.fetch_enc_data
|
||||
retrieve_enc_data
|
||||
rescue StandardError => e
|
||||
Facter.warn("Error retrieving Cobbler ENC data: #{e.message}")
|
||||
@enc_data = read_cache
|
||||
return @enc_data unless @enc_data.empty?
|
||||
|
||||
raise 'No cached ENC data available and Cobbler is down.'
|
||||
end
|
||||
|
||||
def self.enc_role
|
||||
fetch_enc_data.fetch('classes', {}).keys.first || raise('ENC Role not found in Cobbler ENC response')
|
||||
end
|
||||
|
||||
def self.enc_env
|
||||
fetch_enc_data.fetch('environment', nil) || raise('ENC Environment not found in Cobbler ENC response')
|
||||
end
|
||||
end
|
||||
|
||||
Facter.add('enc_role') do
|
||||
setcode { CobblerENC.enc_role }
|
||||
end
|
||||
|
||||
Facter.add('enc_env') do
|
||||
setcode { CobblerENC.enc_env }
|
||||
end
|
||||
@@ -0,0 +1,13 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add('enc_env') do
|
||||
setcode do
|
||||
require 'yaml'
|
||||
# Check if the YAML file exists
|
||||
if File.exist?('/root/.cache/custom_facts.yaml')
|
||||
data = YAML.load_file('/root/.cache/custom_facts.yaml')
|
||||
# Use safe navigation to return 'enc_env' or nil
|
||||
data&.dig('enc_env')
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,13 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add('enc_role') do
|
||||
setcode do
|
||||
require 'yaml'
|
||||
# Check if the YAML file exists
|
||||
if File.exist?('/root/.cache/custom_facts.yaml')
|
||||
data = YAML.load_file('/root/.cache/custom_facts.yaml')
|
||||
# Use safe navigation to return 'enc_role' or nil
|
||||
data&.dig('enc_role')
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -10,18 +10,7 @@ class SubnetAttributes
|
||||
'198.18.15.0/24' => { environment: 'prod', region: 'syd1', country: 'au' },
|
||||
'198.18.16.0/24' => { environment: 'test', region: 'syd1', country: 'au' },
|
||||
'198.18.17.0/24' => { environment: 'prod', region: 'drw1', country: 'au' },
|
||||
'198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' },
|
||||
'198.18.19.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # loopbacks
|
||||
'198.18.20.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # MPLS CORE BLOCKS
|
||||
'198.18.21.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # physical network 2.5gbe
|
||||
'198.18.22.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph cluster
|
||||
'198.18.23.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # ceph public
|
||||
'198.18.24.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # dmz 1
|
||||
'198.18.25.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0009
|
||||
'198.18.26.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0010
|
||||
'198.18.27.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0011
|
||||
'198.18.28.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0012
|
||||
'198.18.29.0/24' => { environment: 'prod', region: 'syd1', country: 'au' } # common node0013
|
||||
'198.18.18.0/24' => { environment: 'test', region: 'drw1', country: 'au' }
|
||||
}.freeze
|
||||
|
||||
# Default attributes if no subnet matches, also defined as a constant
|
||||
|
||||
@@ -1,22 +0,0 @@
|
||||
# manage bridges and bridge slaves
|
||||
define networking::bridge (
|
||||
String $type,
|
||||
Optional[Stdlib::IP::Address] $ipaddress,
|
||||
Optional[Stdlib::IP::Address] $netmask = undef,
|
||||
Optional[Stdlib::IP::Address] $gateway = undef,
|
||||
Optional[Boolean] $nocarrier = undef,
|
||||
Boolean $bridge = true,
|
||||
Integer[100-9200] $mtu = 1500,
|
||||
Optional[Boolean] $forwarding = false,
|
||||
) {
|
||||
include systemd
|
||||
|
||||
systemd::network { "${title}.netdev":
|
||||
content => template('networking/bridge.netdev.erb'),
|
||||
}
|
||||
|
||||
# Use shared template, it will detect bridge=true and skip Address/DNS/etc
|
||||
systemd::network { "${title}.network":
|
||||
content => template('networking/networkd-network.erb'),
|
||||
}
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
# manage dummy/loopback interfaces
|
||||
define networking::dummy (
|
||||
String $type,
|
||||
Stdlib::IP::Address $ipaddress,
|
||||
Stdlib::IP::Address $netmask,
|
||||
Integer[100-9200] $mtu = 1500,
|
||||
Optional[Boolean] $forwarding = false,
|
||||
) {
|
||||
include systemd
|
||||
|
||||
systemd::network { "${title}.netdev":
|
||||
content => template('networking/dummy.netdev.erb'),
|
||||
}
|
||||
|
||||
systemd::network { "${title}.network":
|
||||
content => template('networking/networkd-network.erb'),
|
||||
}
|
||||
}
|
||||
@@ -4,67 +4,34 @@ class networking (
|
||||
Hash $interface_defaults = {},
|
||||
Hash $routes = {},
|
||||
Hash $route_defaults = {},
|
||||
Boolean $use_networkd = lookup('systemd::manage_networkd', undef, undef, false),
|
||||
){
|
||||
|
||||
include network
|
||||
include networking::params
|
||||
|
||||
if $use_networkd {
|
||||
|
||||
include systemd
|
||||
|
||||
service { 'NetworkManager':
|
||||
ensure => 'stopped',
|
||||
enable => false,
|
||||
# manage interfaces
|
||||
$interfaces.each | $interface, $data | {
|
||||
$merged_data = merge($interface_defaults, $data)
|
||||
network_config { $interface:
|
||||
* => $merged_data,
|
||||
notify => Exec['networking_reload_network'],
|
||||
}
|
||||
}
|
||||
|
||||
$interfaces.each |String $iface, Hash $data| {
|
||||
$type = $data['type']
|
||||
#$params = $data.filter |$key, $value| { $key != 'type' }
|
||||
|
||||
case $type {
|
||||
'bridge': { networking::bridge { $iface: * => $data } }
|
||||
'dummy': { networking::dummy { $iface: * => $data } }
|
||||
'static': { networking::static { $iface: * => $data } }
|
||||
'physical': { networking::static { $iface: * => $data } }
|
||||
default: {
|
||||
fail("Unsupported interface type '${type}' for interface '${iface}'")
|
||||
}
|
||||
}
|
||||
}
|
||||
}else{
|
||||
# manage interfaces
|
||||
$interfaces.each | $interface, $data | {
|
||||
$merged_data = merge($interface_defaults, $data)
|
||||
network_config { $interface:
|
||||
* => $merged_data,
|
||||
notify => Exec['networking_reload_network'],
|
||||
}
|
||||
}
|
||||
|
||||
# manage routes
|
||||
$routes.each | $route, $data | {
|
||||
$merged_data = merge($route_defaults, $data)
|
||||
network_route { $route:
|
||||
* => $merged_data,
|
||||
notify => Exec['networking_reload_network'],
|
||||
}
|
||||
# manage routes
|
||||
$routes.each | $route, $data | {
|
||||
$merged_data = merge($route_defaults, $data)
|
||||
network_route { $route:
|
||||
* => $merged_data,
|
||||
notify => Exec['networking_reload_network'],
|
||||
}
|
||||
}
|
||||
|
||||
# determine which networking service to restart
|
||||
$restart_command = $use_networkd ? {
|
||||
true => '/usr/bin/systemctl restart systemd-networkd',
|
||||
default => $facts['os']['family'] ? {
|
||||
'RedHat' => $facts['os']['release']['major'] ? {
|
||||
'8' => '/usr/bin/systemctl restart network',
|
||||
'9' => '/usr/bin/systemctl restart NetworkManager',
|
||||
default => fail('Unsupported RedHat OS release for networking restart'),
|
||||
},
|
||||
'Debian' => '/usr/bin/systemctl restart networking',
|
||||
default => fail('Unsupported OS in networking-restart-command'),
|
||||
}
|
||||
$restart_command = $facts['os']['family'] ? {
|
||||
'RedHat' => '/usr/bin/systemctl restart network',
|
||||
'Debian' => '/usr/bin/systemctl restart networking',
|
||||
default => fail('Unsupported OS in networking-restart-command'),
|
||||
}
|
||||
|
||||
# restart network/networking only if $restart_networking boolean is true
|
||||
|
||||
@@ -1,27 +0,0 @@
|
||||
# manage static interfaces
|
||||
define networking::static (
|
||||
String $type,
|
||||
Stdlib::IP::Address $netmask = '255.255.255.0',
|
||||
Integer[100-9200] $mtu = 1500,
|
||||
Boolean $dhcp = false,
|
||||
Optional[Boolean] $forwarding = false,
|
||||
Optional[Stdlib::IP::Address] $ipaddress = undef,
|
||||
Optional[Stdlib::IP::Address] $gateway = undef,
|
||||
Optional[Array[Stdlib::IP::Address]] $dns = undef,
|
||||
Optional[Array[Stdlib::Fqdn]] $domains = undef,
|
||||
Optional[Integer[0-4096]] $vlan = undef,
|
||||
Optional[Variant[Boolean,String]] $bridge = undef,
|
||||
Optional[Integer[0-4294967294]] $txqueuelen = undef,
|
||||
Optional[Stdlib::MAC] $mac = undef,
|
||||
) {
|
||||
include systemd
|
||||
|
||||
systemd::network { "${title}.network":
|
||||
content => template('networking/networkd-network.erb'),
|
||||
}
|
||||
#if $type == 'physical' and $mac {
|
||||
# systemd::network { "${title}.link":
|
||||
# content => template('networking/networkd-link.erb'),
|
||||
# }
|
||||
#}
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
[NetDev]
|
||||
Name=<%= @title %>
|
||||
Kind=bridge
|
||||
@@ -1,3 +0,0 @@
|
||||
[NetDev]
|
||||
Name=<%= @title %>
|
||||
Kind=dummy
|
||||
@@ -1,8 +0,0 @@
|
||||
[Match]
|
||||
MACAddress=<%= @mac %>
|
||||
|
||||
[Link]
|
||||
MTUBytes=<%= @mtu %>
|
||||
<% if @txqueuelen and @txqueuelen >= 1 -%>
|
||||
TransmitQueueLength=<%= @txqueuelen %>
|
||||
<% end -%>
|
||||
@@ -1,41 +0,0 @@
|
||||
[Match]
|
||||
Name=<%= @title %>
|
||||
|
||||
[Network]
|
||||
<% if @dhcp == true -%>
|
||||
DHCP=yes
|
||||
<% else -%>
|
||||
<% if @ipaddress && @netmask -%>
|
||||
Address=<%= @ipaddress %>/<%= IPAddr.new(@netmask).to_i.to_s(2).count('1') %>
|
||||
<% end -%>
|
||||
<% if @gateway -%>
|
||||
Gateway=<%= @gateway %>
|
||||
<% end -%>
|
||||
<% if @dns -%>
|
||||
DNS=<%= Array(@dns).join(' ') %>
|
||||
<% end -%>
|
||||
<% if @domains -%>
|
||||
Domains=<%= Array(@domains).join(' ') %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
<% if @bridge and @bridge != true -%>
|
||||
Bridge=<%= @bridge %>
|
||||
<% end -%>
|
||||
<% if @vlan -%>
|
||||
VLAN=<%= @vlan %>
|
||||
<% end -%>
|
||||
<% if @nocarrier and @nocarrier == true -%>
|
||||
ConfigureWithoutCarrier=true
|
||||
DuplicateAddressDetection=none
|
||||
RequiredForOnline=no-carrier
|
||||
<% end -%>
|
||||
<% if @type == 'dummy' -%>
|
||||
LinkLocalAddressing=no
|
||||
ActivationPolicy=always-up
|
||||
<% end -%>
|
||||
<% if @forwarding and @forwarding == true -%>
|
||||
IPForward=true
|
||||
<% end -%>
|
||||
|
||||
[Link]
|
||||
MTUBytes=<%= @mtu %>
|
||||
@@ -1,14 +0,0 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add('zfs_zpool_cache_present') do
|
||||
confine kernel: 'Linux'
|
||||
setcode do
|
||||
File.exist?('/etc/zfs/zpool.cache')
|
||||
end
|
||||
end
|
||||
|
||||
Facter.add('zfs_zpool_cache_present') do
|
||||
setcode do
|
||||
false
|
||||
end
|
||||
end
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user