410 Commits

Author SHA1 Message Date
unkinben 23dd962d89 feat: allow specifying consul addr for exporters
- ensure frr/node exporter reachable on hosts with loopbacks
2025-08-09 17:08:38 +10:00
unkinben ac36d9627b feat: capture all journald logs (#377)
- create module class for journald clients
- ensure module class it used on all hosts
- use consul service address for insert/journald

Reviewed-on: #377
2025-08-09 15:11:47 +10:00
unkinben 198cee27c2 feat: enable https for vlstorage (#376)
- attempting to send to http:// fails as vlstorage is using tls
- enable tls on vlselect/vlinsert when writing to vlstorage
- add retention period to vlstorage

Reviewed-on: #376
2025-08-09 14:34:48 +10:00
unkinben f73d6f07ce fix: generate types as root (#375)
- larger permission issue that needs fixing
- reduce the number of failed runs

Reviewed-on: #375
2025-08-09 13:30:12 +10:00
unkinben 1c71229fd3 feat: add victorialogs module (#374)
- add module for victorialogs
- add hieradata for vl insert/select/storage
- manage packages, directories, services, etc
- manage exporting metrics

Reviewed-on: #374
2025-08-08 23:59:46 +10:00
unkinben d649195ccc fix: generate types needs to run more often (#373)
- seeing frequent errors in puppetboard about types missing
- change the puppet-generate-types timer from daily to per-minute

Reviewed-on: #373
2025-08-07 20:53:06 +10:00
unkinben fcd0bc4c74 feat: add victorialogs roles (#372)
- and hieradata
- empty roles currently

Reviewed-on: #372
2025-08-07 20:34:42 +10:00
unkinben a30ff81139 fix: reduce metadata lifetime (#371)
- metadata lifetime should be lowered to improve development speed

Reviewed-on: #371
2025-08-03 21:04:47 +10:00
unkinben bbed65b4b8 benvin/frr_exporter (#370)
Reviewed-on: #370
2025-08-03 20:14:19 +10:00
unkinben 75ca7a5685 feat: add frr_exporter class (#369)
- add frr exporter to all nodes running frr

Reviewed-on: #369
2025-08-03 16:15:29 +10:00
unkinben 53fabc923b feat: add nzbget_exporter (#368)
- add nzbget_exporter class
- add exporter to nzbget class

Reviewed-on: #368
2025-08-03 15:03:29 +10:00
unkinben 5a9241940f feat: export ceph metrics (#367)
- export cephmgr metrics
- will only be availabe from one host at a time

Reviewed-on: #367
2025-07-29 18:54:49 +10:00
unkinben df457306cc feat: add external grafana access (#366)
- enable access to grafana through haproxy
- ensure grafana cert created from letsencrypt
- enable user access to grafana

Reviewed-on: #366
2025-07-28 21:07:43 +10:00
unkinben 7fbb87b4b6 feat: add exportarr (#365)
- add exporters::exportarr
- deploy for radarr, sonarr and prowlarr

Reviewed-on: #365
2025-07-27 19:47:26 +10:00
unkinben fd902c1437 feat: create exporters module (#364)
- upgrade node_exporter, bring managed under exporters module
- upgrade postgres_exporter, bring managed under exporters module
- add flag to cleanup previous iterations of exporters from prometheus module
- fix issues with vmclusster: replication + dedup

Reviewed-on: #364
2025-07-27 13:28:41 +10:00
unkinben 0e64c9855a feat: add vmcluster module (#363)
- manage vmstorage package, service and environment file
- manage vmselect package, service and environment file
- manage vminsert package, service and environment file
- manage vmagent package, service and environment file
- manage options for vmstorage, vmselect, vminsert, vmagent role

Reviewed-on: #363
2025-07-26 18:17:20 +10:00
unkinben 3cfafbac44 feat: enable ceph on k8s nodes (#362)
- enable enough ceph/frr to join to cephfs
- notify sshd when restarting the network
- update ssh principals to include all ssh interfaces

Reviewed-on: #362
2025-07-19 20:30:46 +10:00
unkinben c5c40c3bfd chore: cleanup old physicals (#361)
- cleanup old nodes to redeploy them

Reviewed-on: #361
2025-07-15 22:34:46 +10:00
unkinben 98f1961a07 benvin/ceph_common (#360)
Reviewed-on: #360
2025-07-15 20:38:39 +10:00
unkinben eb1ada8ea5 fix: duplicate declatation (#359)
- only install ceph-common once

Reviewed-on: #359
2025-07-15 20:31:09 +10:00
unkinben ec3e42901a feat: add basic k8s node role (#358)
- update prodnxsr0001-8 to use networkd
- add basic k8s node role

Reviewed-on: #358
2025-07-15 20:18:17 +10:00
unkinben e905afcab0 chore: cleanup hieradata/nodes (#357)
- cleanup decommed nodes
- remove unneccessary node data

Reviewed-on: #357
2025-07-13 21:40:32 +10:00
unkinben de6e7d0ba9 feat: add vmagent role (#356)
- add vmagent role for vicmet

Reviewed-on: #356
2025-07-13 17:20:58 +10:00
unkinben 780a97dfe4 feat: add new cobbler master (#355)
- change cobbler.main.unkin.net to 2098

Reviewed-on: #355
2025-07-12 20:31:43 +10:00
unkinben 9aa6472e5b feat: ensure /etc/NetworkManager/conf.d exists (#354)
- required to create dns-none setting

Reviewed-on: #354
2025-07-12 14:19:22 +10:00
unkinben 80ab4e6889 chore: update cobbler for el9 (#353)
- update cobbler/cobbler-web package
- update path for ipxebins

Reviewed-on: #353
2025-07-12 14:19:14 +10:00
unkinben ccda327c7a gchore: cleanup old vms (#352)
- remove ntp01/ntp02
- remove old gitea
- remove mariadb galera vms

Reviewed-on: #352
2025-07-09 21:18:23 +10:00
unkinben acef1bde29 feat: move puppetca role (#351)
- move puppetca from vm to lxd

Reviewed-on: #351
2025-07-09 21:15:09 +10:00
unkinben 7d87e11e79 feat: add victoria metrics roles (#350)
- add vmstorage, vmselect and vminsert roles
- base roles, only adding packages
- preparation for standing up a vicmet cluster

Reviewed-on: #350
2025-07-08 20:34:46 +10:00
unkinben 40c57ede59 feat: add ci build task (#342)
- a ci workflow for build tests
- run pre-commit against all files

Reviewed-on: #342
2025-07-08 20:19:36 +10:00
unkinben be02d3d150 feat: migrate to external ntp (#349)
- removing ntp vms from proxmox
- redirect ntp to external time sources

Reviewed-on: #349
2025-07-07 20:27:02 +10:00
unkinben a550d48f21 fix: sort nameservers (#348)
- sort nameservers before creating glue records

Reviewed-on: #348
2025-07-06 20:09:19 +10:00
unkinben 2d9faf578f feat: add unkin.net domain (#347)
- manage the unkin.net domain
- ensure forwarding for unkin.net
- split domain from cname list and set zone correctly
- add fafflix to cnames list for haproxy2

Reviewed-on: #347
2025-07-06 20:02:20 +10:00
unkinben 2814a55df6 chore: hard-code git.unkin.net path (#346)
- dirty fix, set git.unkin.net in hosts file template
- avoid hairpint nat

Reviewed-on: #346
2025-07-06 16:43:07 +10:00
unkinben 73362a3bf9 feat: add stick tables for gitea (#345)
- stick tables are required for docker authentication

Reviewed-on: #345
2025-07-06 14:42:14 +10:00
unkinben 0063f68bc6 feat: enable external access to gitea (#344)
- add git.unkin.net to certbot
- export haproxy resources for gitea
- add be_gitea to haproxy, import the certbot cert
- update the ROOT_URL for gitea instances

Reviewed-on: #344
2025-07-06 13:47:56 +10:00
unkinben 372d99893a core: fix ROOT_URL (#343)
- root_url is used for docker authentication
- access to git.unkin.net is not yet ready

Reviewed-on: https://git.query.consul/unkin/puppet-prod/pulls/343
2025-07-06 13:20:27 +10:00
unkinben 620339f69d chore: cleanup hieradata/nodes (#341)
- remove all node hiera data for decommed hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/341
2025-07-06 12:23:22 +10:00
unkinben 2317d0af59 feat: expose gitea metrics (#340)
- add a gitea-metrics service to consul
- tag as metrics for victoria metrics
- check the /metrics endpoint (bypass nginx)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/340
2025-07-06 12:01:57 +10:00
unkinben cf0ff85b70 fix: manage git user (#339)
- prevent different gid/uid for git users when deploying cluster
- only add sudo conf when sudo_rules is a list

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/339
2025-07-06 11:27:35 +10:00
unkinben 359ce101f1 feat: add indexer for git (#338)
- reuse the database for the indexer

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/338
2025-07-05 17:12:38 +10:00
unkinben b6c959d368 feat: use redis for cache/queue (#337)
- use gitea redis cluster for queue/cache
- use redis+sentinel url (pass required for redis and sentinel)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/337
2025-07-05 16:42:01 +10:00
unkinben b976f2063a feat: deploy redis for git (#336)
- deploy redis/sentinel ha cluster for git
- update redis to 7 (required for almalinux 9)
- enable requirepass/masterauth

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/336
2025-07-05 15:51:28 +10:00
unkinben 93049707e7 benvin/gitea_cluster (#335)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/335
2025-07-05 14:49:56 +10:00
unkinben a9faa098ee benvin/grafana_postgres (#334)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/334
2025-07-01 19:07:24 +10:00
unkinben 61d912de30 feat: update password for grafana service account (#333)
- updated grafana password

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/333
2025-06-30 20:22:18 +10:00
unkinben 9bed18f78c fix: duplicate toml resources (#332)
- change resource name for puppetserver_gem
- ensure toml installed on all agents

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/332
2025-06-30 19:57:29 +10:00
unkinben aab3eaf9e7 feat: add grafana service to ldap (#331)
- add grafana service account for binding
- add grafana_user group
- add users to group

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/331
2025-06-30 19:17:56 +10:00
unkinben 33c8b226e0 feat: add puppetserver gem for toml (#330)
- require toml for puppetserver gem

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/330
2025-06-30 19:05:12 +10:00
unkinben 49ff7cc3ab feat: add toml puppet gem (#329)
- required for ldap support in grafana

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/329
2025-06-30 19:02:37 +10:00
unkinben d1e63ad18b feat: add shared pgsql instance (#328)
- add shared pgsql instance
- use patroni

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/328
2025-06-29 17:25:59 +10:00
unkinben 99b312669b benvin/dhcp_failover (#327)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/327
2025-06-29 13:36:16 +10:00
unkinben 715e88176b chore: confine incus facts to incus (#326)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/326
2025-06-28 21:24:08 +10:00
unkinben 1837506b6c feat: add incus facts (#325)
- incus container counts
- incus profile list
- allocated memory/cpu

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/325
2025-06-28 21:14:39 +10:00
unkinben 3bb2a5dbad fix: enable health check from haproxy2 (#324)
- tactical fix: enable dmz subnets container access to health url

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/324
2025-06-28 17:04:25 +10:00
unkinben 0ce6e95f2d chore: cleanup removed hosts (#323)
- remove 1018, 1031, 1032, 1033

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/323
2025-06-28 16:28:03 +10:00
unkinben 770fd643ac feat: add haproxy2 role (#322)
- add basic haproxy2 role
- add peers and resolvers
- add haproxy2+ metrics frontend

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/322
2025-06-28 16:20:06 +10:00
unkinben bd9e08dc24 feat: cleanup hieranodes settings (#321)
- migrate hieranodes values to roles yaml
- rename anycast ip keys to be similar

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/321
2025-06-21 23:16:34 +10:00
unkinben 62837bb22d feat: add zone to subnet facts (#320)
- add common and dmz zone fact information

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/320
2025-06-21 15:42:37 +10:00
unkinben ae57e0e81c feat: add openvox repos to reposync (#319)
- add el8/9/10 for openvox7/8

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/319
2025-06-19 06:06:41 +10:00
unkinben cb1d562cb0 feat: migrate pupeptdb sql to patroni (#318)
- change puppetdb::sql to using the patroni profile
- change puppetdb::api to use new patroni cluster
- remove references to puppetlabs-puppetdb managed database
- update consul rules to enable sessions

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/318
2025-06-19 05:52:32 +10:00
unkinben 26b908e5e7 feat: add node_pools (#317)
- change agentv2 to common node_pool
- set default node_pool to default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/317
2025-06-15 17:43:19 +10:00
unkinben a47c6155b8 feat: use fqdn in host_volumes (#316)
- fix hard-coded message

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/316
2025-06-15 17:34:03 +10:00
unkinben 1cbc1be808 feat: add host_volumes to nomad (#315)
- add puppet client certs
- add tls-ca-bundle

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/315
2025-06-14 19:37:50 +10:00
unkinben 60834ced00 feat: nomad cni additions (#314)
- add consul-cni package
- enable grpc for consul servers
- enable consul connect for consul servers
- set recursors for consul
- add ports to consul agent (grpc, dns, http for nomad)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/314
2025-06-14 18:47:24 +10:00
unkinben 890e9670f3 chore: update the consul service name (#313)
- update the name for the packagerepo service
- was copy/pasted from jupyterhub

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/313
2025-06-09 14:46:16 +10:00
unkinben a26daca28c feat: stop manage nginx repo (#312)
- use epel repo for nginx

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/312
2025-06-09 14:18:30 +10:00
unkinben 057c4ab747 feat: manage nginx resource ordering (#311)
- ensure the package is installed before creating directories
- ensure nginx is restarted when vhost config changes

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/311
2025-06-09 11:18:39 +10:00
unkinben 1fb46b5ab6 chore: use packagerepo for epel (#310)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/310
2025-06-09 10:24:56 +10:00
unkinben 66fdd7b615 feat: update incus image host to run on incus (#309)
- remove zfs
- remove some sysctl values
- remove memlocks from limits
- install iptables, required for creating bridges

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/309
2025-06-08 22:58:44 +10:00
unkinben f43d5f685b feat: update reposync repos (#308)
- remove almalinux 9.4
- add almalinux 9.6
- add epel 8 and 9
- update mssql
- add k8s 1.33

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/308
2025-06-01 18:20:10 +10:00
unkinben bb2f59621a feat: split reposync into two roles (#307)
- reposync and packagerepo web service
- change backing datastore to be cephfs /shared/app/packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/307
2025-06-01 11:33:44 +10:00
unkinben 1df11b8977 chore: migrate certbot webserver (#306)
- ausyd1nxvm1021 is decommed
- new source is ausyd1nxvm2057

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/306
2025-05-31 16:22:59 +10:00
unkinben 10f2dc7047 feat: cleanup removed hosts (#305)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/305
2025-05-31 14:26:16 +10:00
unkinben 1a904af2ee feat: change g10k to use a package (#304)
- the archive path is no longer valid
- produced a g10k rpm with rpmbuilder

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/304
2025-05-31 13:51:51 +10:00
unkinben ed1a4f6488 fix: missed address in consul service (#303)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/303
2025-05-30 23:27:44 +10:00
unkinben bdd833fa4e feat: create basic k8s roles to start deployment (#302)
- just create roles so can deploy hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/302
2025-05-30 23:21:02 +10:00
unkinben c10a3e49fa chore: add new user (#301)
- just jelly access

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/301
2025-05-28 19:46:45 +10:00
unkinben 3d5d40f381 chore: minor jellyfin updates (#300)
- add jellyfin to video group, for access to gpu
- install intel related gpu drivers
- export lxc jellyfin to haproxy

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/300
2025-05-27 19:55:55 +10:00
unkinben b3347f9226 chore: migrate media applications (#299)
- migrate media applications to new cephfs pool + incus
- enable exporting haproxy
- move ceph-client-setup to only apply to non-lxc hosts
- ensure unrar is installed for nzbget
- updated jellyfin use of data_dir
- set lxc instances for jellyfin to use /shared/apps/jellyfin

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/299
2025-05-25 20:27:17 +10:00
unkinben 1d23fef82e feat: update settings for ceph (#298)
- enable root logins via ssh with keys
- add ssh key for ceph to root user

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/298
2025-05-25 20:22:00 +10:00
unkinben c0aab1087e fix: readd to jellyfin_haproxy (#297)
- fix operator for jellyfin/haproxy

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/297
2025-05-24 21:10:56 +10:00
unkinben 596e498a00 feat: change media arr apps to hiera_include (#296)
- change profiles::media::* to be hiera_included
- this is required to enable it to be hiera_excluded on virtual == lxc

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/296
2025-05-24 20:23:56 +10:00
unkinben f6694599ef benvin/media_apps_incus (#295)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/295
2025-05-24 20:18:23 +10:00
unkinben 93cd02deec chore: update media roles for incus (#294)
- prevent incus roles from exporting haproxy endpoints (for now)
- incus doesnt need to mount cephfs

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/294
2025-05-24 18:59:46 +10:00
unkinben 520e8a34e0 feat: add a nomad agent v2 role (#293)
- excludes ceph (will be passed from incus)
- excludes frrouting (will use host-networking)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/293
2025-05-24 15:35:20 +10:00
unkinben 77d07672f8 chore: dont mount cephfs inside lxc (#292)
- lxc instances will have cephfs passed from the host
- skip cephfs mounting for lxc instances

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/292
2025-05-22 21:06:15 +10:00
unkinben 89a0f329d8 feat: update vault url (#291)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/291
2025-05-21 19:58:12 +10:00
unkinben 6dcc7343e0 feat: updated ceph ssh authorized_key (#290)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/290
2025-05-17 14:05:25 +10:00
unkinben e7d4c75192 feat: enable ssh access to enp3s0 (#289)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/289
2025-05-17 13:50:35 +10:00
unkinben d9e8637ad6 feat: manage more ceph requirements (#288)
- add ceph-common to provide utilities for managing ceph
- add root and sysadmin ssh keys for ceph deployments

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/288
2025-05-17 11:14:45 +10:00
unkinben 92f0ae64b9 feat: enable ssh on all loopbacks (#287)
- required for cephadm to manage roles

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/287
2025-05-16 07:05:31 +10:00
unkinben c1637d9f43 feat: add cephadm to incus hosts (#286)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/286
2025-05-16 05:56:28 +10:00
unkinben 1aabe21173 feat: manage mon loopback0 (#285)
- add frrouting
- set all ceph nodes to use ospf + loopback0 + networkd
- fix ceph repos for mons

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/285
2025-05-15 19:46:59 +10:00
unkinben 2f088c461f feat: add ceph roles (#284)
- add hieradata to manage ceph repo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/284
2025-05-15 19:29:53 +10:00
unkinben 90504e5b02 chore: use alias for nameservers (#283)
- use an alias for nameservers for dhcp ranges
- move aliased nameservers to region-wide hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/283
2025-05-14 20:19:18 +10:00
unkinben a7b793238a fix: exclude docker0 interfaces (#282)
- docker0 is the same on many hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/282
2025-05-11 16:53:34 +10:00
unkinben 87a6c73578 neoloc/loopback_dns (#281)
- manage all interfaces in dns (except lo and anycast)
- move loopback0 anycast addresses to be anycast0

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/281
2025-05-11 16:36:04 +10:00
unkinben 3e0141bb1b feat: change to anycast resolver (#280)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/280
2025-05-11 11:39:00 +10:00
unkinben bb6f6cbd49 feat: anycast dnsmasters (#279)
- change dns masters on incus to anycast for bind
- change to networkd to support anycast/loopbacks

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/279
2025-05-10 23:00:03 +10:00
unkinben 51d6c1e81d fix: enable dns resolver access for dmz1 (#278)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/278
2025-05-10 06:57:05 +10:00
unkinben 537a207779 feat: update upstream ip for consul dns (#277)
- set bind resolvers to use consuls anycast address for forwarding

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/277
2025-05-09 22:10:35 +10:00
unkinben f322440d01 feat: setup anycast consul dns (#276)
- manage frrouting repo/ospf
- change to systemd-networkd
- enable ospf on incus nodes bridges

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/276
2025-05-09 22:07:42 +10:00
unkinben ed947dee59 fix: listen-addr -> listen-address (#275)
- listen-address is the correct option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/275
2025-05-04 00:07:45 +10:00
unkinben a70b6492b0 feat: update consul/dnsmasq (#274)
- update params with bind/advertise addr
- update params with anycast ip option
- migrate dnsmasq config to template

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/274
2025-05-03 23:51:29 +10:00
unkinben 3079f7d000 feat: enable use of dhcp addresses in networkd (#273)
- change ipaddress to be optional
- add dhcp option

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/273
2025-05-03 23:51:17 +10:00
unkinben 1b8f50786f feat: ensure the vault audit_log exists (#272)
- without this, vault will not take a leadership role

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/272
2025-05-03 22:25:10 +10:00
unkinben b05acb23f4 feat: use custom cert for puppetdb access (#271)
- manually generated certificate using sudo puppetserver ca generate --certname puppetdbapi.query.consul
- saved certificate and private_key in eyaml

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/271
2025-05-03 12:41:23 +10:00
unkinben 62f71e1feb chore: change puppetboard python version (#270)
- change python version to follow python3_release fact
- this will follow os-release upgrades

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/270
2025-05-03 01:07:52 +10:00
unkinben cdf9456456 feat: update psql15 repos for roles (#269)
- update patroni to use packagerepo
- update puppetdb to use packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/269
2025-04-29 21:04:45 +10:00
unkinben 2323ef7749 feat: postgresql15/postgresql17 (#268)
- add postgresql15 and 17 to reposync

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/268
2025-04-28 21:39:45 +10:00
unkinben 07b89ab737 feat: enable terraform access to puppetca (#267)
- enable terraform to clean certificates

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/267
2025-04-28 18:46:58 +10:00
unkinben 9359b8902e feat: vault mlock (#266)
- enable mlock by default
- disable mlock on lxd/incus nodes (lxc doesnt support it)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/266
2025-04-26 22:43:20 +10:00
unkinben 1e3ce0ec1c feat: dont set gid/uid for sysadmin (#265)
- sysadmin doesnt need to be a specific uid/gid, the next available
  uid/gid is fine

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/265
2025-04-26 20:02:57 +10:00
unkinben 496ed12a58 feat: change vault to use package install (#264)
- vault 18.2 rpm produced by rpmbuilder repo
- ensure the /etc/vault directory is managed
- ensure service file is managed by puppet
- ensure package comes from unkin repo (not hashicorp)
- disable_mlock as unprivileged containers cannot use mlock

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/264
2025-04-26 18:40:31 +10:00
unkinben e4166c6b14 feat: lxc compatability with datavol (#263)
- lxc doesnt mount block devices, just check for mountpoint

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/263
2025-04-26 17:28:57 +10:00
unkinben 78f4d2a88f feat: cleanup mpls configuration (#262)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/262
2025-04-26 00:39:23 +10:00
unkinben 762d980ea8 feat: update dns resolver zone management (#261)
- move zones to common role path
- specify forwarders for each zone in region based hiera

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/261
2025-04-25 01:01:47 +10:00
unkinben 463abe4b9d feat: add reverse dns zones for incus (#260)
- add reverse dns zones for incus hosts
- update acls for openresolver

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/260
2025-04-24 23:48:34 +10:00
unkinben ecce93bedb feat: lxc cannot use chronyd (#259)
- ensure lxc nodes do not attempt to install chronyd
- ensure chrony is removed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/259
2025-04-24 23:18:45 +10:00
unkinben 9dcaafb8ba feat: lxc updates (#258)
- add virtual/lxc.yaml
- add crypto crypto-policies-scripts
- ensure ssh::server is managed

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/258
2025-04-24 23:03:01 +10:00
unkinben a21c1b3697 Adding hieradata/node/ausyd1nxvm1072.main.unkin.net.yaml (#257)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/257
2025-04-24 21:25:00 +10:00
unkinben bc5bd11f5e feat: disable cobbler cache (#256)
- this is required to resolve issues with terraform deploying cobbler
  settings

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/256
2025-04-24 21:18:59 +10:00
unkinben 2321186ad5 neoloc/mpls_ldp_frr (#255)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/255
2025-04-24 16:51:31 +10:00
unkinben c24babe309 feat: add incus image host (#254)
- add role
- add consul service + checks
- manage the datavol as zfs
- insure the incus fact exists before attempting to read it

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/254
2025-04-24 01:00:39 +10:00
unkinben bfda2b628b feat: enable ip forwarding for gitea runners (#253)
- required to enable docker containers reach git service

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/253
2025-04-21 18:40:17 +10:00
unkinben 278f8001b0 feat: add frr synced repo (#252)
- add frr repo to incus hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/252
2025-04-18 21:21:23 +10:00
unkinben 0fe44cf4e2 feat: add frr repos (#251)
- add frr/stable/el8
- add frr/stable/el9
- add frr/extras/el8
- add frr/extras/el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/251
2025-04-15 02:21:55 +10:00
unkinben 25b06cde22 feat: move bridge management to incus (#250)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/250
2025-04-15 00:04:14 +10:00
unkinben 8c76e71dc4 chore: set core.https_address for incus (#249)
- check the current config and update core.https_address if its wrong

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/249
2025-04-07 11:04:12 +10:00
unkinben 0e3dd4d7d0 feat: initialise barebones server (#248)
- manage incus servers init

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/248
2025-04-06 23:56:50 +10:00
unkinben 83d0b31753 fix: set default for use_networkd (#247)
- resolving issue where the systemd::manage_networkd is missing for most
  hosts, setting a default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/247
2025-04-06 19:24:39 +10:00
unkinben b6ea353cfb feat: update dns resolver acls (#246)
- add dmz acl
- add common acl
- add loopback/ceph/physical subnets to main acl

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/246
2025-04-06 16:44:16 +10:00
unkinben c225564bdb feat: continue incus implementation (#245)
- migrate to systemd-networkd
- setup dummy, bridge and static/ethernet interfaces
- manage sshd.service droping to start ssh after networking is online
- enable ip forewarding
- add fastpool/data/incus dataset
- enable ospf and frr
- add loopback0 as ssh listenaddress
- add loopback1/2 for ceph cluster/public traffic

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/245
2025-04-06 16:38:04 +10:00
unkinben 06666fe488 fix: resolve issue with baseos in el9 (#244)
- was not correctly provisioning the baseos repo for el9 incus hosts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/244
2025-04-02 21:02:08 +11:00
unkinben 9dc88e6db6 feat: deep merge zpools/datasets (#243)
- change prodnxsr0009 to use nvme0n1 as zfs device

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/243
2025-04-02 20:35:04 +11:00
unkinben d87983d8fc chore: add sysadmin user after first run (#242)
- enables extra_groups to function correctly

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/242
2025-04-02 20:27:11 +11:00
unkinben 95bc2716cf neoloc/incus_deploy (#241)
feat: deploy incus

- manage sysctl based on incus recommendations
- manage limits based on incus recommendations
- manage zpools and zfs datasets
- add incus hiera settings

feat: manage repo for zfs

- dont use zfs module to manage repo, use profiles::yum::global::repos

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/241
2025-03-31 23:14:05 +11:00
unkinben 978013f325 chore: set default nameservers (#240)
- if no nameservers are returned from puppetdb query, use default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/240
2025-03-31 22:49:47 +11:00
unkinben 829b1b05fd feat: cleanup consul from url install (#239)
- set bind_dir to be /usr/bin for rhel, /usr/local/bin for debian
- remove url-installed consul from rhel

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/239
2025-03-30 18:40:09 +11:00
unkinben 6cb249ffbc fix: backtrack to 9.2.0 for postgresql (#238)
- no parameter named 'instance'
- no parameter named 'port'

downgrading due to incompatibilities between the latest version of puppetdb and postgresql

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/238
2025-03-30 17:51:33 +11:00
unkinben 427fe352b4 feat: debian package for consul not managed (#237)
- change debian hosts to use the url method to download consul

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/237
2025-03-30 17:13:54 +11:00
unkinben 45b061a053 feat: change almalinux9 to use packagerepo (#236)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/236
2025-03-30 17:05:03 +11:00
unkinben d39d25d3f1 feat: add almalinux 9.5 repos using mirrorlist (#235)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/235
2025-03-30 16:24:55 +11:00
unkinben 06b458cb0e feat: reposync for almalinux 9.4 (in vault) (#234)
- sync baseos, ha, appstream and crb repos

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/234
2025-03-30 12:31:09 +11:00
unkinben e3046563a2 chore: install consul from package (#233)
- upgrade to puppet-consul changed default install method to archive
- ensure package method is used
- dont manage the repo, consul is packaged by rpmbuilder

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/233
2025-03-30 02:04:13 +11:00
unkinben e025928d77 chore: set secretid for puppetboard (#232)
- manage the secret_key for puppetboard
- required since module upgrade

https://github.com/voxpupuli/puppetboard/issues/721

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/232
2025-03-30 01:53:25 +11:00
unkinben e3e8b3484d chore: enable extra groups (#231)
- enable adding extra groups to the sysadmin user

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/231
2025-03-30 01:20:59 +11:00
unkinben bdf420973d feat: add incus module (#230)
- add a basic incus module

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/230
2025-03-30 01:12:53 +11:00
unkinben 6a04701891 feat: add incus role (#229)
- add basic infra::incus role
- add autossl, consul and ssh-principals for incus

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/229
2025-03-30 00:56:04 +11:00
unkinben dd5a4646ff feat: update all modules (#228)
- update puppetlabs-* modules
- update puppet-* modules
- add limits and sysctl

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/228
2025-03-30 00:51:49 +11:00
unkinben 4e47745077 chore: setup unkin repo for el9 and el8 (#227)
- update the unkin repo definition for el8 and el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/227
2025-03-29 22:50:08 +11:00
unkinben 3a4e606459 chore: set yum/dnf metadata expiry (#226)
- set expiry to 1 day so that dnf frequently checks for updates from packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/226
2025-03-29 22:37:37 +11:00
unkinben d0eb4c078d feat: add zfs modules (#225)
- add zfs_core module to puppetfile (provides zfs/zpool provider)
- add module to manage zfs

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/225
2025-03-29 22:31:02 +11:00
unkinben b95bcbd10a feat: add zfs to reposync (#224)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/224
2025-03-29 20:08:31 +11:00
unkinben adc0cf2c09 neoloc/lxd_hosts (#223)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/223
2025-03-29 19:40:01 +11:00
unkinben 771b981d91 feat: enable nomad to manage sessions/services (#222)
- this is required to start patroni

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/222
2025-03-20 19:21:40 +11:00
unkinben e0c3a23424 fix: define missing .cache directory (#221)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/221
2025-03-13 21:48:47 +11:00
unkinben a309244713 feat: add nomad nodes (#220)
- change existing nodes to be nomad-agents

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/220
2025-03-13 21:23:40 +11:00
unkinben 8eb751e22f feat: change enc_* fact to read direct from cobbler (#219)
- change enc_role and enc_env to read direct from cobbler
- cleanup profiles::base::facts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/219
2025-03-12 23:09:15 +11:00
unkinben b981a6fb01 feat: enable nomad jobs to query dns (#218)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/218
2025-03-09 17:49:35 +11:00
unkinben 7c1d96bd22 feat: add k8s and docker repos (#217)
- add docker stable repos to packagerepo
- add k8s 1.32 to packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/217
2025-01-27 12:59:59 +11:00
unkinben 0222f5ec4a feat: update consul etcd check (#216)
- check the health api endpoint

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/216
2025-01-26 20:05:18 +11:00
unkinben afd3405c98 feat: add etcd module/role (#215)
- add etcd module
- add etcd role, profile and hieradata

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/215
2025-01-26 20:00:20 +11:00
unkinben ab7ce3bbfa Adding hieradata/node/ausyd1nxvm1071.main.unkin.net.yaml (#214)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/214
2025-01-25 20:15:20 +11:00
unkinben 4a85c5feff Adding hieradata/node/ausyd1nxvm1070.main.unkin.net.yaml (#213)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/213
2025-01-25 20:15:05 +11:00
unkinben 6134b4664b Adding hieradata/node/ausyd1nxvm1069.main.unkin.net.yaml (#212)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/212
2025-01-05 12:51:57 +11:00
unkinben e061a72996 Adding hieradata/node/ausyd1nxvm1067.main.unkin.net.yaml (#211)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/211
2025-01-05 12:51:46 +11:00
unkinben eaa15e92dc Adding hieradata/node/ausyd1nxvm1068.main.unkin.net.yaml (#210)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/210
2025-01-05 12:51:37 +11:00
unkinben a5a193d9eb feat: update jupyterlab container (#209)
- change to packer created alma9 instance
- change docker root to use /data volume

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/209
2025-01-04 14:10:44 +11:00
unkinben 4400456519 feat: add frrouting module (#208)
- add frrouting module
- enable ospf daemon on nomad agents
- enable docker volumes

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/208
2024-12-27 23:39:03 +11:00
unkinben d37fb5d7e1 neoloc/nomad_agent (#207)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/207
2024-12-26 20:23:27 +11:00
unkinben 022a564dc0 feat: add nomad agent role (#206)
- add nomad agent role
- mount cephfs volume nomadfs to /shared/nomad
- manage docker volume path to be /shared/nomad

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/206
2024-12-26 20:20:51 +11:00
unkinben 48e1fb8e30 Adding hieradata/node/ausyd1nxvm1062.main.unkin.net.yaml (#204)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/204
2024-12-23 17:28:47 +11:00
unkinben 561d74e9d9 Adding hieradata/node/ausyd1nxvm1063.main.unkin.net.yaml (#205)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/205
2024-12-23 17:28:37 +11:00
unkinben 281fdb33d4 Adding hieradata/node/ausyd1nxvm1064.main.unkin.net.yaml (#203)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/203
2024-12-23 17:28:09 +11:00
unkinben 1c04366eec Adding hieradata/node/ausyd1nxvm1066.main.unkin.net.yaml (#202)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/202
2024-12-23 17:27:59 +11:00
unkinben 86d3b61439 Adding hieradata/node/ausyd1nxvm1065.main.unkin.net.yaml (#201)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/201
2024-12-23 17:27:49 +11:00
unkinben 6ebf5c03a5 feat: add nomad profile/role (#200)
- add basic consul manage nomad servers

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/200
2024-12-22 22:35:31 +11:00
unkinben c97db0f0aa Adding hieradata/node/ausyd1nxvm1061.main.unkin.net.yaml (#198)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/198
2024-12-10 22:15:10 +11:00
unkinben 46b4fdf632 neoloc/sysadmin_early (#197)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/197
2024-12-09 22:12:01 +11:00
unkinben aaf81d0a6c feat: create sysadmin on firstrun (#196)
- prevent packages from using uid 1000

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/196
2024-12-09 21:51:37 +11:00
unkinben afbc15ff40 feat: import crypto-policices earlier (#195)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/195
2024-12-08 22:50:25 +11:00
unkinben 64248a45c2 feat: ensure crypto-policices are managed before yumrepos (#194)
- ensure crypto_policies are set before creating yum yumrepos
- ensure that they rpmdb is rebuilt after upgrading to el9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/194
2024-12-08 20:30:08 +11:00
unkinben c7fb1f0cec neoloc/crypto_policices_el8 (#193)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/193
2024-12-08 19:54:15 +11:00
unkinben dbccaea24b feat: add crypto_policies (#192)
- ensure DEFAULT is used for EL8
- ensure DEFAULT:SHA1 is used for EL9, until issues with crypto are resolved for EL9

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/192
2024-12-08 19:47:59 +11:00
unkinben b244327c34 neoloc/alma9 (#191)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/191
2024-12-08 19:22:58 +11:00
unkinben 90bcdd1f51 neoloc/alma9 (#190)
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/190
2024-12-08 19:16:54 +11:00
unkinben ec926dfe0a feat: enable network manager on el9 (#189)
- el9 doesnt have the network-scripts scripts

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/189
2024-12-08 19:11:54 +11:00
unkinben 40af30d0ff chore: change packagerepo vhost name (#188)
- ensure http endpoint works for packagerepo.service.consul

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/188
2024-12-08 17:05:38 +11:00
unkinben bac90b5459 Merge pull request 'fix: permissions for cobbler files' (#187) from neoloc/cobbler_perms into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/187
2024-12-08 08:37:36 +11:00
unkinben 41aab65f85 fix: permissions for cobbler files
- ensure idempotency for /var/lib/cobbler/web.ss
2024-12-08 08:36:35 +11:00
unkinben c023cfe4dc Merge pull request 'feat: upgrade puppet agent' (#186) from neoloc/puppet_updates into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/186
2024-12-08 00:11:30 +11:00
unkinben cffb6a54fc feat: upgrade puppet agent
- move all almalinux hosts to 7.34
2024-12-08 00:09:40 +11:00
unkinben fd7ced66ce Merge pull request 'feat: edgecache updates' (#185) from neoloc/edgecache_pki into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/185
2024-12-07 23:51:57 +11:00
unkinben 766f124b2c feat: edgecache updates
- update metadatacache size
- increase cache age from 60d to 365d
- subscribe nginx service to ssl certs
2024-12-07 23:50:45 +11:00
unkinben 4de772436b Merge pull request 'feat: update puppet repo' (#184) from neoloc/almalinuxrepo into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/184
2024-12-07 23:32:48 +11:00
unkinben 75f865c26c feat: update puppet repo
- move puppet repo to packagerepo
2024-12-07 23:31:40 +11:00
unkinben 2fdc709a17 Merge pull request 'feat: update repos' (#183) from neoloc/almalinuxrepo into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/183
2024-12-01 00:33:10 +11:00
unkinben ba3a9e374a feat: update repos
- add unkin
- rename unkin -> unkinben
2024-12-01 00:30:58 +11:00
unkinben a28ef09f28 Merge pull request 'feat: enable root_dir for docker' (#182) from neoloc/docker_root into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/182
2024-12-01 00:27:04 +11:00
unkinben 52fff0ccea feat: enable root_dir for docker
- move docker root_dir to /data/docker for runners
2024-11-30 23:11:24 +11:00
unkinben f097cf2550 Merge pull request 'chore: migrate puppet-r10k' (#181) from neoloc/r10k_adjustment into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/181
2024-11-17 19:27:43 +11:00
unkinben 58d31c5c9a chore: migrate puppet-r10k
- moved puppet-r10k the unkin organisation
- ensure branch is set to follow origin/master
2024-11-17 19:26:27 +11:00
unkinben 92d6697175 Merge pull request 'fix: fix release name' (#180) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/180
2024-11-16 22:36:02 +11:00
unkinben d3f471f3ed fix: fix release name
- fix release name for postgresql repos
2024-11-16 22:35:23 +11:00
unkinben ab1f4300a9 Merge pull request 'fix: ensure reposync directories exist' (#179) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/179
2024-11-16 22:32:47 +11:00
unkinben 845b91b497 fix: ensure reposync directories exist 2024-11-16 22:32:15 +11:00
unkinben 8f0b3e615c Merge pull request 'feat: add el9 puppet/posgresql repos' (#178) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/178
2024-11-16 22:25:48 +11:00
unkinben 8679a0b904 feat: add el9 puppet/posgresql repos
- will upgrade to el9 soon, so need to store these repos
2024-11-16 22:25:06 +11:00
unkinben 16ba54ee0a Merge pull request 'feat: update packagerepo' (#176) from neoloc/reposync_sydney into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/176
2024-11-16 22:02:46 +11:00
unkinben 4b3553b75c Merge pull request 'Adding hieradata/node/ausyd1nxvm1060.main.unkin.net.yaml' (#177) from autonode/ausyd1nxvm1060.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/177
2024-11-16 21:44:57 +11:00
unkinben abdb3ec8cb feat: update packagerepo
- remove almalinux/centos/epel repos
- manage consul service `packagerepo`
- manage ssh principals
- update vault alt-names
2024-11-16 21:43:11 +11:00
unkinben c0623b64f7 Adding hieradata/node/ausyd1nxvm1060.main.unkin.net.yaml 2024-11-16 21:36:58 +11:00
unkinben d286e2d816 Merge pull request 'feat: add sudaporn account' (#175) from neoloc/addying into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/175
2024-11-16 20:24:14 +11:00
unkinben 71b29d5e88 feat: add sudaporn account
- enable access to media
- enable access to jupyter
2024-11-16 20:23:01 +11:00
unkinben 6493f392b8 Merge pull request 'neoloc/jupyterhub' (#174) from neoloc/jupyterhub into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/174
2024-11-16 20:20:16 +11:00
unkinben 8586e9eb32 feat: enable web-sockets
- change simpleproxy config for jupyter::hub role to use websockets
2024-11-16 20:15:03 +11:00
unkinben 92a9655a50 feat: jupyterhub updates
- always pull containers when starting new instance
- enable access to terminal
2024-11-16 19:54:19 +11:00
unkinben 42ad972697 feat: add ldap configuration
- add group members to jupyterhub_user
- add svc_jupyterhub user for ldap binding
- paramatarise all ldap fields required
- manage the notebook data directory
2024-11-16 19:20:20 +11:00
unkinben 61f5f1ce1f feat: add docker settings
- list docker network and image
- fix ldap_admin setting to be a list of users
2024-11-10 20:26:18 +11:00
unkinben 926d3d29d0 fix: enable docker for jupyterhub
- install/manage docker
2024-11-10 20:21:51 +11:00
unkinben c6bdae5790 Merge pull request 'feat: add jupyterhub role' (#173) from neoloc/jupyterhub into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/173
2024-11-10 19:14:49 +11:00
unkinben 159d66af18 feat: add jupyterhub role
- add nodejs module to use npm package provider
- add jupyterhub role
- add class to configure the jupyterhub instance
- add ldap groups
- add nginx simpleproxy
2024-11-10 19:09:50 +11:00
unkinben c728c1a5e0 Merge pull request 'feat: add service data' (#172) from neoloc/jumphost into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/172
2024-10-27 14:03:28 +11:00
unkinben 4fec931fb1 feat: add service data
- add pki certificates
- add consul service
- add ssh principals
2024-10-27 13:26:07 +11:00
unkinben 76b4c8c930 Merge pull request 'feat: add jumphost role' (#171) from neoloc/jumphost into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/171
2024-10-27 13:18:50 +11:00
unkinben 0455965525 feat: add jumphost role
- add role for ssh proxy/jumphost
2024-10-27 13:15:28 +11:00
unkinben 4e68900259 Merge pull request 'feat: ensure vault restarts with ssl cert' (#170) from neoloc/vault_reload into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/170
2024-10-27 13:10:51 +11:00
unkinben ca87702466 feat: ensure vault restarts with ssl cert
- ensure the vault service resource subscribes to the ssl crt/key
- update unseal script to retry unseal process until it completes
2024-10-27 12:59:36 +11:00
unkinben 09a448ea52 Merge pull request 'feat: add vault admin group' (#166) from neoloc/vault_global_admin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/166
2024-10-21 19:41:31 +11:00
unkinben 1db8847833 feat: add vault admin group
- group will be assigned global admin rights
2024-10-21 19:40:52 +11:00
unkinben 6d919580e1 Merge pull request 'neoloc/adduser' (#165) from neoloc/adduser into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/165
2024-10-20 13:14:50 +11:00
unkinben 5549275ecc chore: add new user
- add margol as standard media user
2024-10-20 13:12:36 +11:00
unkinben 7acfea8547 fix: correct given/sn fields
- fix ryadun's given/sn fields
2024-10-20 13:12:02 +11:00
unkinben 318e816568 Merge pull request 'feat: update certbot module' (#164) from neoloc/restart_nginx into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/164
2024-10-07 13:42:57 +11:00
unkinben 2ef4fb0bf8 feat: update certbot module
- update documentation
- add option to notify services
- set haproxy role to notify the haproxy service
2024-10-07 13:40:53 +11:00
unkinben 2013641720 Merge pull request 'feat: restart nginx on ssl change' (#163) from neoloc/restart_nginx into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/163
2024-09-27 21:51:15 +10:00
unkinben 4bf4b42fdf feat: restart nginx on ssl change
- manage nginx service from simpleproxy class
- ensure nginx restarts when ssl certificates are changed
2024-09-27 21:46:46 +10:00
unkinben 933427e861 Merge pull request 'neoloc/terraformsvc' (#162) from neoloc/terraformsvc into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/162
2024-09-23 22:14:27 +10:00
unkinben 4a0760516f feat: add vault service account
- used by vault to bind to ldap
2024-09-23 22:13:48 +10:00
unkinben 10b57abffc feat: add terraform service account
- add terraform service account
2024-09-23 22:08:52 +10:00
unkinben 5b4bb95ffe Merge pull request 'feat: add vault access group' (#161) from neoloc/vaultaccess into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/161
2024-09-20 23:24:44 +10:00
unkinben e09819284d feat: add vault access group
- add vault_access group
2024-09-20 23:17:35 +10:00
unkinben addfa02e08 Merge pull request 'feat: enable larger uploads to gitea' (#160) from neoloc/gitea_client_send into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/160
2024-09-08 01:44:04 +10:00
unkinben 93b9629c5c feat: enable larger uploads to gitea
- change client body max size to 1GB
2024-09-08 01:43:22 +10:00
unkinben 9dea399377 Merge pull request 'neoloc/gitearunner' (#159) from neoloc/gitearunner into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/159
2024-09-07 21:38:29 +10:00
unkinben 0210d849c7 feat: add gitea runner role
- ensure docker is configured
- create runner user/group
- deploy config.yaml from hiera hash
- install runner from url
- register the runner with the gitea instance
- manage the act_runner service
2024-09-07 17:59:02 +10:00
unkinben 42d8047043 fix: comments in gitea role
- was copy of puppetboard, missed updating the comment
2024-09-03 22:34:48 +10:00
unkinben c0b94c181f Merge pull request 'feat: confine fact to patroni' (#158) from neoloc/patroni_facts into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/158
2024-09-03 22:19:18 +10:00
unkinben 265400db91 feat: confine fact to patroni 2024-09-03 22:18:53 +10:00
unkinben ccf4ef27f7 Merge pull request 'feat: psql changes on master only' (#157) from neoloc/patroni_grant_on_master into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/157
2024-09-03 22:15:47 +10:00
unkinben afda425fab feat: psql changes on master only
- add fact to detect if a psql host is a slave
- only import users/db/grants on master
2024-09-03 22:13:50 +10:00
unkinben 69c298e162 Merge pull request 'feat: remove masterauth redis' (#156) from neoloc/redis_masterauth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/156
2024-09-03 21:29:58 +10:00
unkinben 1ad2b806b4 feat: remove masterauth redis
- removed requirepass previously, also need to remove masterauth
2024-09-03 21:29:18 +10:00
unkinben dc58084cc9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1059.main.unkin.net.yaml' (#155) from autonode/ausyd1nxvm1059.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/155
2024-09-01 00:18:34 +10:00
unkinben 938db9880b Adding hieradata/node/ausyd1nxvm1059.main.unkin.net.yaml 2024-09-01 00:17:59 +10:00
unkinben ecbea24ba8 Merge pull request 'fix: updated client secret' (#154) from neoloc/droneci_client_id into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/154
2024-08-31 23:01:39 +10:00
unkinben bcb9beae5f fix: updated client secret 2024-08-31 23:00:58 +10:00
unkinben e1e604516d Merge pull request 'feat: add droneci runner' (#153) from neoloc/runner into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/153
2024-08-27 22:02:00 +10:00
unkinben 0bed8ba4f4 Merge branch 'develop' into neoloc/runner 2024-08-27 22:01:24 +10:00
unkinben 5471adae32 Merge pull request 'feat: add droneadmin' (#152) from neoloc/droneadmin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/152
2024-08-25 15:03:15 +10:00
unkinben 91d9a073d6 feat: add droneadmin
- add environment variable to assign primary admin
2024-08-25 14:58:56 +10:00
unkinben ec7814e2a9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1058.main.unkin.net.yaml' (#151) from autonode/ausyd1nxvm1058.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/151
2024-08-25 14:28:20 +10:00
unkinben 71c134dc1a Merge pull request 'Adding hieradata/node/ausyd1nxvm1057.main.unkin.net.yaml' (#150) from autonode/ausyd1nxvm1057.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/150
2024-08-25 14:28:06 +10:00
unkinben cb803d885e Merge pull request 'feat: droneci for organisation' (#149) from neoloc/droneci_org into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/149
2024-08-25 14:25:25 +10:00
unkinben 90eabac007 feat: droneci for organisation
- change from personal account to organisation
2024-08-25 14:24:45 +10:00
unkinben d79a5de17b feat: add droneci runner
- ensure /data and docker are available
- add droneci runner configuration
2024-08-25 02:14:35 +10:00
unkinben 0f755b231f Merge pull request 'neoloc/droneci' (#148) from neoloc/droneci into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/148
2024-08-25 00:01:27 +10:00
unkinben 2912cbb68b feat: add droneci runner
- add runner role
2024-08-25 00:00:48 +10:00
unkinben 3d1ba79325 Adding hieradata/node/ausyd1nxvm1058.main.unkin.net.yaml 2024-08-24 23:36:52 +10:00
unkinben c33b58ead6 Adding hieradata/node/ausyd1nxvm1057.main.unkin.net.yaml 2024-08-24 23:30:37 +10:00
unkinben 9f937b2869 Merge pull request 'Adding hieradata/node/ausyd1nxvm1056.main.unkin.net.yaml' (#147) from autonode/ausyd1nxvm1056.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/147
2024-08-24 12:37:44 +10:00
unkinben 8660bec810 Merge pull request 'Adding hieradata/node/ausyd1nxvm1055.main.unkin.net.yaml' (#146) from autonode/ausyd1nxvm1055.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/146
2024-08-24 12:37:34 +10:00
unkinben f30325b3e9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1054.main.unkin.net.yaml' (#145) from autonode/ausyd1nxvm1054.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/145
2024-08-24 12:37:25 +10:00
unkinben 76c1c93c02 Merge pull request 'Adding hieradata/node/ausyd1nxvm1053.main.unkin.net.yaml' (#144) from autonode/ausyd1nxvm1053.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/144
2024-08-24 12:37:16 +10:00
unkinben 4577997506 Merge pull request 'Adding hieradata/node/ausyd1nxvm1052.main.unkin.net.yaml' (#143) from autonode/ausyd1nxvm1052.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/143
2024-08-24 12:36:50 +10:00
unkinben 6326e820a9 Merge pull request 'chore: add new user' (#142) from neoloc/ryadun into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/142
2024-08-24 12:36:09 +10:00
unkinben 757f3042ed chore: add new user
- add ryadun
2024-08-24 12:35:34 +10:00
unkinben 5d36a4053b feat: add droneci module
- add droneci module for server
- add droneci/server role
- add consul query for droneci service
- manage certificates, ssh principals, consul services/checks
2024-08-24 00:34:15 +10:00
unkinben 8fad79f2bc feat: manage database/user/grants for patroni
- add defines for exporting/collecting psql objects for patroni
- add generic profile for managing patroni psql databases for an app
2024-08-24 00:33:18 +10:00
unkinben 68c569b282 feat: add docker module
- update puppet file with docker module
2024-08-24 00:28:39 +10:00
unkinben 975adc31d7 Merge pull request 'feat: remove requirepass' (#141) from neoloc/remove_requirepass into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/141
2024-08-23 23:28:30 +10:00
unkinben 8a8cc0ae1b feat: remove requirepass
- required for droneci
2024-08-23 23:18:02 +10:00
unkinben 70a9edd118 Adding hieradata/node/ausyd1nxvm1056.main.unkin.net.yaml 2024-08-16 22:13:16 +10:00
unkinben 348d8889ed Adding hieradata/node/ausyd1nxvm1055.main.unkin.net.yaml 2024-08-16 22:11:47 +10:00
unkinben 1a2023f4ff Merge pull request 'feat: add patroni/psql cluster' (#140) from neoloc/patroni into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/140
2024-08-10 23:40:29 +10:00
unkinben 35834f8f5a feat: add patroni/psql cluster
- add patroni puppet module
- add patroni role and hieradata
- add sql/patroni class that utilised consul
2024-08-10 22:34:43 +10:00
unkinben 4347faf153 Merge pull request 'neoloc/redis' (#139) from neoloc/redis into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/139
2024-08-10 18:47:17 +10:00
unkinben 5c731fef34 feat: deploy redisha cluster
- manage pki and ssh principals
- manage redis/sentinel with redisha module
- add consul checks to manage redis-replica/redis-master services
- manage sudo rules for consul checks
2024-08-10 17:39:30 +10:00
unkinben b7fc6a1993 feat: create redisha module
- manage redis/sentinel clusters
- ensure ulimit_managed is false
- dynamically find servers in role to identify master
- add redisadm and sentineladm commands
- add script to check if the current host in the master
2024-08-10 17:39:24 +10:00
unkinben afe2a2afb7 Adding hieradata/node/ausyd1nxvm1054.main.unkin.net.yaml 2024-08-10 14:13:59 +10:00
unkinben c76ce3bf10 Adding hieradata/node/ausyd1nxvm1053.main.unkin.net.yaml 2024-08-10 14:13:51 +10:00
unkinben af989a19c3 Adding hieradata/node/ausyd1nxvm1052.main.unkin.net.yaml 2024-08-10 14:11:47 +10:00
unkinben 4d08e30733 Merge pull request 'fix: also fix repodata' (#138) from neoloc/cephreef into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/138
2024-08-10 13:36:30 +10:00
unkinben e2873a492a fix: also fix repodata 2024-08-10 13:36:04 +10:00
unkinben 90af895a34 Merge pull request 'fix: ceph-reef 18.2.4 not on el8' (#137) from neoloc/cephreef into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/137
2024-08-10 13:30:54 +10:00
unkinben 52e3d5b20b fix: ceph-reef 18.2.4 not on el8
- force repo to use 18.2.2
2024-08-10 13:30:16 +10:00
unkinben aadd0275ac feat: add puppet-redis module 2024-08-08 19:28:50 +10:00
unkinben 390a5a58c7 Merge pull request 'chore: add account' (#136) from neoloc/kelly into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/136
2024-08-08 19:01:44 +10:00
unkinben 403e3eeb1b chore: add account 2024-08-08 19:01:18 +10:00
unkinben 352878e27c Merge pull request 'chore: prevent empty lines' (#135) from neoloc/glauth_templates into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/135
2024-08-07 22:53:10 +10:00
unkinben 0cad88cdad chore: prevent empty lines
- prevent empty lines when user features are not enabled
- change epp to erb template for user objects
2024-08-07 22:51:13 +10:00
unkinben 859fc0d909 Merge pull request 'chore: add two new users' (#134) from neoloc/more_users into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/134
2024-08-07 22:19:41 +10:00
unkinben a5baed8cd9 chore: add two new users
- add marbal and seablo
2024-08-07 22:19:08 +10:00
unkinben 44707910aa Merge pull request 'fix: require vault-unseal.service' (#133) from neoloc/vault_unseal_fix into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/133
2024-08-07 22:12:12 +10:00
unkinben dafac3d5ab fix: require vault-unseal.service
- wrong service name specified
2024-08-07 22:05:50 +10:00
unkinben 3ce2ec3754 Merge pull request 'feat: auto-unseal vault every hour' (#132) from neoloc/vault_unseal_check into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/132
2024-08-06 22:51:54 +10:00
unkinben 7863d54275 feat: auto-unseal vault every hour
- add cron job to run vault unsealing service hourly
2024-08-06 22:51:16 +10:00
unkinben 988e7c2a32 Merge pull request 'feat: auto restart puppetdb' (#131) from neoloc/puppetdb_restart into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/131
2024-08-06 22:47:02 +10:00
unkinben 0c44654a47 feat: auto restart puppetdb
- found several times the puppetdb service locks up after a week of active time
- restart the puppetdb nightly to prevent lock ups
2024-08-06 22:43:07 +10:00
unkinben 20ee6fa19e Merge pull request 'feat: add rundeck runner user' (#130) from neoloc/rundeck_user into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/130
2024-08-06 22:36:54 +10:00
unkinben c846cc4e21 feat: add rundeck runner user
- add rundeck account on all hosts except rundeck
- add rundeck ssh private/public key to rundeck server
2024-08-06 22:33:32 +10:00
unkinben 8e0f26e726 Merge pull request 'Adding hieradata/node/ausyd1nxvm1050.main.unkin.net.yaml' (#124) from autonode/ausyd1nxvm1050.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/124
2024-08-01 22:41:27 +10:00
unkinben 4579e268f0 Merge pull request 'feat: add gonic role' (#125) from neoloc/gonic into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/125
2024-08-01 22:41:20 +10:00
unkinben f1e1828a4a Merge pull request 'Adding hieradata/node/ausyd1nxvm1051.main.unkin.net.yaml' (#123) from autonode/ausyd1nxvm1051.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/123
2024-08-01 22:40:59 +10:00
unkinben 2ae8dbc0ac feat: add gonic role
- basic role only
2024-08-01 22:38:32 +10:00
unkinben 4338dfe27f Adding hieradata/node/ausyd1nxvm1051.main.unkin.net.yaml 2024-08-01 22:35:03 +10:00
unkinben 66cb1e356d Adding hieradata/node/ausyd1nxvm1050.main.unkin.net.yaml 2024-08-01 22:33:26 +10:00
unkinben 2bda41712a Merge pull request 'fix: change debian repos to http' (#122) from neoloc/http_debian_apt into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/122
2024-07-31 21:51:44 +10:00
unkinben d3daac3b71 fix: change debian repos to http
- until https issues are resolved with https
2024-07-31 21:51:04 +10:00
unkinben eb32a216f5 Merge pull request 'neoloc/rundeck' (#121) from neoloc/rundeck into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/121
2024-07-28 02:05:20 +10:00
unkinben 5354c99b1e feat: add rundeck profile
- export mysql user for each rundeck server
- ensure the jdbc driver for mariadb is available
- exclude jq from default packages (managed by rundeck)
- add groups for admin/user for each project in rundeck
- add consul service
- add vault certificates
- add ssh principals
- add nginx simpleproxy
2024-07-28 01:51:41 +10:00
unkinben 6a3123e12e Merge pull request 'feat: change packages to Hash' (#120) from neoloc/packages_hash into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/120
2024-07-27 16:29:48 +10:00
unkinben 26ffe17ee1 feat: add database
- add database for rundeck
2024-07-27 13:06:14 +10:00
unkinben cb5bb0798f feat: add rundeck to ldap
- add service account for rundeck
- add rundeck_access group
2024-07-27 13:06:14 +10:00
unkinben 08241692ee feat: add rundeck
- add puppet-rundeck module
- add rundeck role
2024-07-27 13:06:14 +10:00
unkinben 76989e45c4 feat: change packages to Hash
- change from multiple arrays for managing packages to a hash
- change to ensure_packages to prevent duplicate resource conflicts
2024-07-27 13:05:54 +10:00
unkinben cc01259a64 feat: change packages to Hash
- change from multiple arrays for managing packages to a hash
- change to ensure_packages to prevent duplicate resource conflicts
2024-07-27 13:01:06 +10:00
unkinben b5148fc2a0 Merge pull request 'fix: generate_types cahnges' (#119) from neoloc/puppetserver_startup into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/119
2024-07-27 00:17:46 +10:00
unkinben ab44bfc430 fix: generate_types cahnges
- this command will always fail, remove the systemd dropin
- create script that will run and exit with 0
- create systemd service/timer to run script daily
2024-07-27 00:13:25 +10:00
unkinben 4c38232ceb Merge pull request 'Adding hieradata/node/ausyd1nxvm1049.main.unkin.net.yaml' (#118) from autonode/ausyd1nxvm1049.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/118
2024-07-26 23:46:51 +10:00
unkinben 20686e04f4 Adding hieradata/node/ausyd1nxvm1049.main.unkin.net.yaml 2024-07-26 23:27:10 +10:00
unkinben 480eced404 Merge pull request 'feat: add vrrp to halb' (#116) from neoloc/keepalived into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/116
2024-07-14 22:07:34 +10:00
unkinben 946922fdb9 feat: add vrrp to halb
- update keepalived module to 5.1.0
- add keepalived::vrrp::* to be deep merged in hiera
- add vrrp dns configuration
- add vrrp instance/script to halb in syd1
2024-07-13 20:15:13 +10:00
unkinben 1570bbd8f2 Merge pull request 'feat: ensure *arr can access prowlarr' (#115) from neoloc/prowlarr_auth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/115
2024-07-13 16:58:42 +10:00
unkinben 319c3b6d67 feat: ensure *arr can access prowlarr 2024-07-13 16:55:21 +10:00
unkinben e2f571649e Merge pull request 'feat: add param for ffmpeg' (#114) from neoloc/ffpmeg_path into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/114
2024-07-12 18:17:16 +10:00
unkinben 0fb11b22cf feat: add param for ffmpeg
- add param to jellyfin class to specify the path to ffmpeg
- update templates to use location
2024-07-11 22:41:08 +10:00
unkinben 01fc6aacd7 Merge pull request 'fix: remove unkin.net from internal dns' (#113) from neoloc/bind_static_dns into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/113
2024-07-11 22:31:29 +10:00
unkinben 73c7dbd56c fix: remove unkin.net from internal dns
- unkin.net is entirely hosted externally
2024-07-11 22:30:44 +10:00
unkinben 3ed692cc77 Merge pull request 'feat: manage the nzbget service' (#112) from neoloc/nzbget_group_media into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/112
2024-07-11 22:27:44 +10:00
unkinben ec92a6d3df feat: manage the nzbget service 2024-07-11 21:39:34 +10:00
unkinben bbd6cdb228 Merge pull request 'feat: add rpmfusion to nzbget' (#110) from neoloc/rpmfusion_nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/110
2024-07-11 21:28:56 +10:00
unkinben 2cbba808c3 feat: add rpmfusion to nzbget 2024-07-11 21:24:35 +10:00
unkinben df9f31e0f7 Merge pull request 'feat: add othergroups support for services' (#109) from neoloc/nzbget_client into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/109
2024-07-11 20:00:10 +10:00
unkinben 95a0b543fd feat: add othergroups support for services
- extend glauth::obj::service to allow othergroups
2024-07-11 19:59:26 +10:00
unkinben 90d123f4d0 Merge pull request 'chore: add service account to submit nzbs' (#108) from neoloc/nzbget_client into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/108
2024-07-11 19:56:51 +10:00
unkinben 3dc8fb03fa chore: add service account to submit nzbs 2024-07-11 19:56:17 +10:00
unkinben c7e5356444 Merge pull request 'feat: rewrite for nzbget' (#107) from neoloc/nzbget_rewrite into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/107
2024-07-10 21:29:44 +10:00
unkinben 93ab2bebc3 feat: rewrite for nzbget
- required for consul health check to work
2024-07-10 21:26:53 +10:00
unkinben 348f2dfca3 Merge pull request 'fix: update ldap filter' (#106) from neoloc/ldap_filters into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/106
2024-07-10 20:54:38 +10:00
unkinben 5221c15a66 fix: update ldap filter
- update ldap filter for *arr's to match on user and group
2024-07-10 20:43:50 +10:00
unkinben 1d49480010 Merge pull request 'fix: create nginx cache dirs before nginx class' (#105) from neoloc/nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/105
2024-07-09 23:30:33 +10:00
unkinben f63cf2f654 fix: create nginx cache dirs before nginx class 2024-07-09 23:29:56 +10:00
unkinben 3d425bfcbd Merge pull request 'fix: simpleproxy create cachedirs' (#104) from neoloc/nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/104
2024-07-09 23:28:38 +10:00
unkinben e8c8f5c1d6 fix: simpleproxy create cachedirs
- ensure the '/var/cache/nginx' directory exists
2024-07-09 23:27:51 +10:00
unkinben ae85541f6b Merge pull request 'fix: change nzbget::manage_group to boolean' (#103) from neoloc/nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/103
2024-07-09 23:23:33 +10:00
unkinben 0c1fd63b7d fix: change nzbget::manage_group to boolean 2024-07-09 23:22:49 +10:00
unkinben 797670b55d Merge pull request 'feat: actually add nzbget profile' (#102) from neoloc/nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/102
2024-07-09 23:20:58 +10:00
unkinben 1204ee3314 feat: actually add nzbget profile 2024-07-09 23:20:12 +10:00
unkinben 75ddacb6b1 Merge pull request 'neoloc/nzbget' (#101) from neoloc/nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/101
2024-07-09 22:34:37 +10:00
unkinben 1532641640 feat: add nzbget to media platform
- add haproxy rules
- generate/distribute letsencrypt certificates
- manage access to cephfs
2024-07-09 22:32:54 +10:00
unkinben abb4a47703 chore: add ens19 to nzbget host
- required to access cephfs
2024-07-09 22:26:46 +10:00
unkinben 857d51a934 chore: add matsol to nzbget 2024-07-09 22:26:03 +10:00
unkinben fd5163d6e6 Merge branch 'develop' into neoloc/nzbget 2024-07-09 22:25:28 +10:00
unkinben d67eba5860 feat: add nzbget module/role
- add nzbget module
- add nzbget ldap user/group
2024-07-09 22:23:58 +10:00
unkinben dacd2c6994 Merge pull request 'chore: disable gpgcheck for unkin repo' (#100) from neoloc/gpgcheck_unkin_repo into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/100
2024-07-09 22:01:01 +10:00
unkinben 930341c05c Merge pull request 'Adding hieradata/node/ausyd1nxvm1048.main.unkin.net.yaml' (#99) from autonode/ausyd1nxvm1048.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/99
2024-07-09 22:00:47 +10:00
unkinben 47333237ee chore: disable gpgcheck for unkin repo 2024-07-09 21:18:02 +10:00
unkinben 924631d705 Adding hieradata/node/ausyd1nxvm1048.main.unkin.net.yaml 2024-07-09 20:54:51 +10:00
unkinben 384e301fd3 Merge pull request 'feat: add new users' (#98) from neoloc/moreusers into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/98
2024-07-09 19:22:26 +10:00
unkinben d52949fc4f feat: add new users
- matsol
2024-07-09 19:21:59 +10:00
unkinben fe20590ac6 Merge pull request 'neoloc/retrieve_certbot_certs' (#97) from neoloc/retrieve_certbot_certs into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/97
2024-07-08 23:27:21 +10:00
unkinben d9a2966ffd fix: certbot selinux and rsync
- fix rsync to use 755 permissions
- add rsync selinux booleans
2024-07-08 23:17:38 +10:00
unkinben 899e2cbf49 feat: haproxy updates
- use letsencrypt certificates
- add fafflix and jellyfin backends
2024-07-08 22:56:24 +10:00
unkinben bd5164fed3 feat: certbot reorg
- moved certbot into its own module
- added fact to list available certificates
- created systemd timer to rsync data to $data_dir/pub
- ensure the $data_dir/pub exists
- manage selinux for nginx
2024-07-08 22:33:11 +10:00
unkinben 30ec8c1bb1 feat: enable retrieval of certbot certs
- refactor certbot
- add nginx to certbot hosts
2024-07-07 22:30:40 +10:00
unkinben c419620838 Merge pull request 'feat: manage certbot' (#96) from neoloc/certbot into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/96
2024-07-07 21:45:18 +10:00
unkinben 9db714d02f feat: manage certbot
- add haproxy backend for be_letsencrypt
- manage the certbot role/profile
- create define to export certificate requests
2024-07-07 21:21:50 +10:00
unkinben 4b8a9825c0 Merge pull request 'feat: haproxy updates' (#95) from neoloc/haproxy_backend_httpchk into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/95
2024-07-07 16:56:25 +10:00
unkinben 991c8a3029 feat: haproxy updates
- add acls for all backends
- harden security of backends
- update http-check for all backends
2024-07-07 16:51:36 +10:00
unkinben 152ffaa1d3 Merge pull request 'feat: stop installing systemd exported by default' (#94) from neoloc/systemd_exporter_removal into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/94
2024-07-07 15:02:48 +10:00
unkinben 65046329f4 feat: stop installing systemd exported by default 2024-07-07 15:01:49 +10:00
unkinben d05cf628a8 Merge pull request 'fix: change service to socket' (#93) from neoloc/cobbler_socket into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/93
2024-07-06 23:40:20 +10:00
unkinben da1402691c fix: change service to socket
- ensure the tftpd.socket is running, which starts the service
2024-07-06 23:37:55 +10:00
unkinben b5c7b310ee Merge pull request 'neoloc/mediaproxy' (#92) from neoloc/mediaproxy into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/92
2024-07-06 23:24:49 +10:00
unkinben 2ab2cd1399 feat: deploy ldap-auth to all *arrs
- refactor sonarr locations to generalised locations
- set locations to be deep merged
- updated hiera_include statements for media and media subroles
- added eyaml entries for all ldap credentials
2024-07-06 22:50:10 +10:00
unkinben 8b01ddba9c fix: cleanup simpleproxy
- remove commented sections
- remove $server from locations
2024-07-06 22:09:16 +10:00
unkinben d1dd12a091 feat: add cache to simpleproxy 2024-07-06 22:05:55 +10:00
unkinben 354e561380 feat: add ldapauth for nginx
- add service, defaults and script
2024-07-06 22:02:00 +10:00
unkinben cbded220bb feat: add sonarr locations
- add authproxy
- add api and web
- add /consul/health for unauth access from consul
- update sonarr/consul check to use /consul/health
- change client body side to 20mb
2024-07-06 22:01:47 +10:00
unkinben 89697e85aa Merge pull request 'chore: update svc_sonarr credential' (#91) from neoloc/sonarr_auth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/91
2024-07-06 18:32:43 +10:00
unkinben 158ebaf7a0 chore: update svc_sonarr credential 2024-07-06 18:32:25 +10:00
unkinben 02a2097955 feat: paramatise use_default_location
- allow the use of location blocks for simpleproxy
- add way to add locations in simpleproxy
2024-07-05 23:10:58 +10:00
unkinben 658af2b6b6 Merge pull request 'feat: manage jellyfin data migration_flag' (#90) from neoloc/jellyfin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/90
2024-07-04 00:09:22 +10:00
unkinben f3046f8fbb feat: manage jellyfin data migration_flag 2024-07-03 22:49:54 +10:00
unkinben f9ff44afec Merge pull request 'feat: add rpmfusion to jellyfin hosts' (#89) from neoloc/rpmfusion into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/89
2024-07-03 21:28:11 +10:00
unkinben 21a45c1b03 feat: add rpmfusion to jellyfin hosts
- required for jellyfin packages
- additional dependencies also from rpmfusion
2024-07-03 21:27:05 +10:00
unkinben 33f66c8dbc Merge pull request 'feat: restart networking on network changes' (#88) from neoloc/network_restart into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/88
2024-07-03 20:37:05 +10:00
unkinben b0934caf23 feat: restart networking on network changes
- restart network on RedHat
- restart networking on debian
2024-07-03 20:35:58 +10:00
unkinben 8e1622a158 Merge pull request 'neoloc/glauth' (#87) from neoloc/glauth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/87
2024-07-02 18:12:54 +10:00
unkinben fe35baacfd chore: cleanup glauth
- remove datavol, not required
- remove commented out systemd socket
2024-07-02 18:12:08 +10:00
unkinben 6e3802ad57 feat: add users/services/groups 2024-07-01 22:54:22 +10:00
unkinben c8604baa4e feat: add glauth role/profile classes
- role added to cobbler
- add role specific hieradata
2024-07-01 22:42:29 +10:00
unkinben c69e8c487e feat: create glauth module
- manage config directories, config file
- manage systemd service and socket
- manage users, service accounts and groups
- manage defaults for users, services and groups
- manage packages for role
2024-07-01 22:42:12 +10:00
unkinben 0a86986edf Merge pull request 'neoloc/jellyfin' (#86) from neoloc/jellyfin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/86
2024-06-30 21:24:49 +10:00
unkinben 2199e4e3c0 feat: add jellyfin to haproxy 2024-06-30 00:02:44 +10:00
unkinben f81b5753ff feat: add jellyfin role/profile classes 2024-06-30 00:02:16 +10:00
unkinben e437629e12 feat: add jellyfin module 2024-06-30 00:01:38 +10:00
419 changed files with 13316 additions and 1357 deletions
+24
View File
@@ -0,0 +1,24 @@
name: Build
on:
pull_request:
jobs:
precommit:
runs-on: almalinux-8
container:
image: git.unkin.net/unkin/almalinux9-actionsdind:latest
options: --privileged
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install requirements
run: |
dnf groupinstall -y "Development Tools" -y
dnf install rubygems ruby-devel gcc make redhat-rpm-config glibc-headers glibc-devel -y
- name: Pre-Commit All Files
run: |
uvx pre-commit run --all-files
+5
View File
@@ -3,3 +3,8 @@
detectors:
FeatureEnvy:
enabled: false
TooManyStatements:
enabled: false
UncommunicativeVariableName:
accept:
- e
+3
View File
@@ -8,3 +8,6 @@ Style/Documentation:
Layout/LineLength:
Max: 140
Metrics/BlockNesting:
Max: 4
+43 -34
View File
@@ -2,48 +2,54 @@ forge 'forge.puppetlabs.com'
moduledir 'external_modules'
# puppetlabs
mod 'puppetlabs-stdlib', '9.1.0'
mod 'puppetlabs-inifile', '6.0.0'
mod 'puppetlabs-concat', '9.0.0'
mod 'puppetlabs-vcsrepo', '6.1.0'
mod 'puppetlabs-yumrepo_core', '2.0.0'
mod 'puppetlabs-apt', '9.4.0'
mod 'puppetlabs-lvm', '2.1.0'
mod 'puppetlabs-puppetdb', '7.13.0'
mod 'puppetlabs-postgresql', '9.1.0'
mod 'puppetlabs-firewall', '6.0.0'
mod 'puppetlabs-accounts', '8.1.0'
mod 'puppetlabs-mysql', '15.0.0'
mod 'puppetlabs-stdlib', '9.7.0'
mod 'puppetlabs-inifile', '6.2.0'
mod 'puppetlabs-concat', '9.1.0'
mod 'puppetlabs-vcsrepo', '7.0.0'
mod 'puppetlabs-yumrepo_core', '2.1.0'
mod 'puppetlabs-apt', '10.0.1'
mod 'puppetlabs-lvm', '3.0.1'
mod 'puppetlabs-puppetdb', '7.14.0'
mod 'puppetlabs-postgresql', '9.2.0'
mod 'puppetlabs-firewall', '8.1.4'
mod 'puppetlabs-accounts', '8.2.2'
mod 'puppetlabs-mysql', '16.2.0'
mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0'
mod 'puppetlabs-haproxy', '8.2.0'
mod 'puppetlabs-java', '11.1.0'
mod 'puppetlabs-reboot', '5.1.0'
mod 'puppetlabs-docker', '10.2.0'
# puppet
mod 'puppet-python', '7.0.0'
mod 'puppet-systemd', '5.1.0'
mod 'puppet-yum', '7.0.0'
mod 'puppet-archive', '7.0.0'
mod 'puppet-chrony', '2.6.0'
mod 'puppet-puppetboard', '9.0.0'
mod 'puppet-nginx', '5.0.0'
mod 'puppet-selinux', '4.1.0'
mod 'puppet-prometheus', '13.4.0'
mod 'puppet-grafana', '13.1.0'
mod 'puppet-consul', '8.0.0'
mod 'puppet-vault', '4.1.0'
mod 'puppet-python', '7.4.0'
mod 'puppet-systemd', '8.1.0'
mod 'puppet-yum', '7.2.0'
mod 'puppet-archive', '7.1.0'
mod 'puppet-chrony', '3.0.0'
mod 'puppet-puppetboard', '11.0.0'
mod 'puppet-nginx', '6.0.1'
mod 'puppet-selinux', '5.0.0'
mod 'puppet-prometheus', '16.0.0'
mod 'puppet-grafana', '14.1.0'
mod 'puppet-consul', '9.1.0'
mod 'puppet-vault', '4.1.1'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '3.6.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-keepalived', '5.1.0'
mod 'puppet-extlib', '7.5.1'
mod 'puppet-network', '2.2.1'
mod 'puppet-kmod', '4.1.0'
mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.1.0'
mod 'puppet-rundeck', '9.2.0'
mod 'puppet-redis', '11.1.0'
mod 'puppet-nodejs', '11.0.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
mod 'saz-sudo', '8.0.0'
mod 'saz-ssh', '12.1.0'
mod 'saz-sudo', '9.0.2'
mod 'saz-ssh', '13.1.0'
mod 'saz-limits', '5.0.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'ghoneycutt-puppet', '3.3.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0'
mod 'kogitoapp-minio', '1.1.4'
@@ -51,6 +57,9 @@ mod 'broadinstitute-certs', '3.0.1'
mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0'
mod 'tailoredautomation-patroni', '2.0.0'
mod 'ssm-crypto_policies', '0.3.3'
mod 'thias-sysctl', '1.0.8'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
+133 -70
View File
@@ -3,16 +3,10 @@ lookup_options:
hiera_classes:
merge:
strategy: deep
profiles::packages::install:
profiles::packages::include:
merge:
strategy: deep
profiles::packages::install_exclude:
merge:
strategy: deep
profiles::packages::remove:
merge:
strategy: deep
profiles::packages::remove_exclude:
profiles::packages::exclude:
merge:
strategy: deep
profiles::pki::vault::alt_names:
@@ -42,6 +36,12 @@ lookup_options:
profiles::haproxy::server::listeners:
merge:
strategy: deep
profiles::accounts::root::sshkeys:
merge:
strategy: deep
profiles::accounts::sysadmin::sshkeys:
merge:
strategy: deep
haproxy::backend:
merge:
strategy: deep
@@ -129,6 +129,32 @@ lookup_options:
profiles::ceph::client::keyrings:
merge:
strategy: deep
profiles::nginx::simpleproxy::locations:
merge:
strategy: deep
certbot::client::domains:
merge:
strategy: deep
keepalived::vrrp_script:
merge:
strategy: deep
keepalived::vrrp_instance:
merge:
strategy: deep
profiles::etcd::node::initial_cluster_token:
convert_to: Sensitive
sysctl::base::values:
merge:
strategy: deep
limits::entries:
merge:
strategy: deep
zfs::zpools:
merge:
strategy: deep
zfs::datasets:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
@@ -136,21 +162,36 @@ hiera_include:
- timezone
- networking
- ssh::server
- profiles::accounts::rundeck
- limits
- sysctl::base
- exporters::node_exporter
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
profiles::ntp::client::peers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
- 0.au.pool.ntp.org
- 1.au.pool.ntp.org
- 2.au.pool.ntp.org
- 3.au.pool.ntp.org
profiles::base::puppet_servers:
- 'prodinf01n01.main.unkin.net'
consul::install_method: 'package'
consul::manage_repo: false
consul::bin_dir: /usr/bin
vault::install_method: 'repo'
vault::manage_repo: false
vault::bin_dir: /usr/bin
vault::manage_service_file: true
vault::manage_config_dir: true
vault::disable_mlock: false
profiles::dns::base::nameservers:
- 198.18.19.16
profiles::dns::master::basedir: '/var/named/sources'
profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
profiles::dns::base::use_ns: 'region'
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
#profiles::dns::base::use_ns: 'region'
profiles::consul::server::members_role: roles::infra::storage::consul
profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
profiles::consul::client::members_lookup: true
@@ -165,60 +206,74 @@ profiles::consul::client::node_rules:
- resource: node
segment: ''
disposition: read
- resource: service
segment: node_exporter
disposition: write
profiles::packages::install:
- bash-completion
- bzip2
- ccze
- curl
- dstat
- expect
- gcc
- gzip
- git
- htop
- inotify-tools
- iotop
- jq
- lz4
- mtr
- ncdu
- neovim
- p7zip
- pbzip2
- pigz
- pv
- python3.11
- rsync
- screen
- socat
- strace
- sysstat
- tar
- tmux
- traceroute
- unzip
- vim
- vnstat
- wget
- zsh
- zstd
profiles::packages::remove:
- iwl100-firmware
- iwl1000-firmware
- iwl105-firmware
- iwl135-firmware
- iwl2000-firmware
- iwl2030-firmware
- iwl3160-firmware
- iwl5000-firmware
- iwl5150-firmware
- iwl6000-firmware
- iwl6000g2a-firmware
- iwl6050-firmware
- iwl7260-firmware
- puppet7-release
profiles::packages::include:
bash-completion: {}
bzip2: {}
ccze: {}
curl: {}
dstat: {}
expect: {}
gzip: {}
git: {}
htop: {}
inotify-tools: {}
iotop: {}
jq: {}
lz4: {}
mtr: {}
ncdu: {}
neovim: {}
p7zip: {}
pbzip2: {}
pigz: {}
pv: {}
python3.11: {}
rsync: {}
screen: {}
socat: {}
strace: {}
sysstat: {}
tar: {}
tmux: {}
traceroute: {}
unzip: {}
vim: {}
vnstat: {}
wget: {}
zsh: {}
zstd: {}
iwl100-firmware:
ensure: absent
iwl1000-firmware:
ensure: absent
iwl105-firmware:
ensure: absent
iwl135-firmware:
ensure: absent
iwl2000-firmware:
ensure: absent
iwl2030-firmware:
ensure: absent
iwl3160-firmware:
ensure: absent
iwl5000-firmware:
ensure: absent
iwl5150-firmware:
ensure: absent
iwl6000-firmware:
ensure: absent
iwl6000g2a-firmware:
ensure: absent
iwl6050-firmware:
ensure: absent
iwl7260-firmware:
ensure: absent
puppet7-release:
ensure: absent
profiles::base::scripts::scripts:
puppet: puppetwrapper.py
@@ -237,7 +292,8 @@ profiles::puppet::client::dns_alt_names:
puppetdbapi: puppetdbapi.query.consul
puppetdbsql: puppetdbsql.service.au-syd1.consul
prometheus::node_exporter::export_scrape_job: true
exporters::node_exporter::enable: true
exporters::node_exporter::cleanup_old_node_exporter: true
prometheus::systemd_exporter::export_scrape_job: true
ssh::server::storeconfigs_enabled: false
@@ -287,6 +343,8 @@ sudo::configs:
profiles::accounts::sysadmin::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
profiles::accounts::rundeck::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD4F7VcorbGpyZzBFexz7c/o1JBscrl7hZU0UkWV7fq6YLizW0r6fOzD99hMwu1kdYCjPxbvuUSDEHfyBIp2EgLWU6wFVoufQqlMyOV85+ivQZUc1VNV+X9T+U4v3u/01hkAmlpXtbkwhMSR4Wi+tdABd04+D3CuMDM37mvnFmBBmi41X4Mr1rJhOQumn1XHQ7EYbsdw2mxfEVVeWpZIHz5BjNKSGzEIAYZbFt6s0Y7X3J5RT+Gjqmu043Tc8nNIUFlR9E10qd3Euf9RiBYxBx3z+yfOzJPBzWNBSHv1+PIbO5Mq+z5JaAfoFZO41L7nw+FjV6JJUCVLr6Vq+bCxyA7LW4Oq9ZahSrt/vrT0kTa0tA5U9bqK6e7pB//dm7PzoROtTq0XksV8RseA/fvIje20uaN1z9dynx+UcbszXu9pQ5GIg1o7b5DEi3OZHJwpgdudiCyEeR4+00G0z4PjpEMnTSMHAJ53WxtjzrPAOBnAmPE7hPu4coU+XrCWEXAvRMloJmca68e+zFX7VvFK82KVDuQ99vQ6w4X73IESKoLzyAVxpelwHaDG4fN+zqYfqubVQU1L5cUeYKxqm5r3Us6VvMaYs1ZMUmDGXHOq4FNhGUJYxSjkLvunM6qyAAJQCd6Pw/2TV3UQVerbouGOZaeBLvRguHWSbDrO99Zu+t87w== rundeck_runner
networking::interface_defaults:
ensure: present
@@ -300,6 +358,11 @@ networking::route_defaults:
netmask: 0.0.0.0
network: default
# logging:
victorialogs::client::journald::enable: true
victorialogs::client::journald::inserturl: https://vlinsert.service.consul:9428/insert/journald
# FIXME these are for the proxmox ceph cluster
profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
profiles::ceph::client::mons:
- 10.18.15.1
+7
View File
@@ -1,2 +1,9 @@
---
timezone::timezone: 'Australia/Darwin'
profiles_dns_upstream_forwarder_unkin:
- 198.18.17.23
- 198.18.17.24
profiles_dns_upstream_forwarder_consul:
- 198.18.17.34
- 198.18.17.35
- 198.18.17.36
@@ -1,52 +1 @@
---
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders:
- 198.18.17.34
- 198.18.17.35
- 198.18.17.36
forward: 'only'
+5
View File
@@ -1,2 +1,7 @@
---
timezone::timezone: 'Australia/Sydney'
certbot::client::webserver: ausyd1nxvm2057.main.unkin.net
profiles_dns_upstream_forwarder_unkin:
- 198.18.19.15
profiles_dns_upstream_forwarder_consul:
- 198.18.19.14
@@ -1,52 +1 @@
---
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.13.14
- 198.18.13.15
forward: 'only'
consul-forward:
domain: 'consul'
zone_type: 'forward'
forwarders:
- 198.18.13.19
- 198.18.13.20
- 198.18.13.21
forward: 'only'
@@ -1,4 +1,31 @@
---
hiera_include:
- keepalived
# keepalived
profiles::haproxy::dns::ipaddr: '198.18.13.250'
profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
keepalived::vrrp_script:
check_haproxy:
script: '/usr/bin/killall -0 haproxy'
keepalived::vrrp_instance:
VI_250:
interface: 'eth0'
virtual_router_id: 250
auth_type: 'PASS'
auth_pass: 'quiiK7oo'
virtual_ipaddress: '198.18.13.250/32'
track_script:
- check_haproxy
# mappings
profiles::haproxy::mappings:
fe_http:
@@ -11,6 +38,9 @@ profiles::haproxy::mappings:
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
fe_https:
ensure: present
mappings:
@@ -21,6 +51,9 @@ profiles::haproxy::mappings:
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
profiles::haproxy::frontends:
fe_http:
@@ -30,7 +63,15 @@ profiles::haproxy::frontends:
fe_https:
options:
acl:
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -38,6 +79,14 @@ profiles::haproxy::frontends:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Frame-Options DENY if acl_sonarr'
- 'set-header X-Frame-Options DENY if acl_radarr'
- 'set-header X-Frame-Options DENY if acl_lidarr'
- 'set-header X-Frame-Options DENY if acl_readarr'
- 'set-header X-Frame-Options DENY if acl_prowlarr'
- 'set-header X-Frame-Options DENY if acl_nzbget'
- 'set-header X-Frame-Options DENY if acl_jellyfin'
- 'set-header X-Frame-Options DENY if acl_fafflix'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
@@ -79,7 +128,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
@@ -95,7 +144,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
@@ -111,7 +160,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
@@ -127,7 +176,7 @@ profiles::haproxy::backends:
options:
balance: roundrobin
option:
- httpchk GET /
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
@@ -140,6 +189,38 @@ profiles::haproxy::backends:
be_prowlarr:
description: Backend for au-syd1 prowlarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_nzbget:
description: Backend for au-syd1 nzbget
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_jellyfin:
description: Backend for au-syd1 jellyfin
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
@@ -156,10 +237,31 @@ profiles::haproxy::backends:
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem
# additional altnames
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- jellyfin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::service: haproxy
certbot::client::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
@@ -167,8 +269,5 @@ profiles::pki::vault::alt_names:
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- nzbget.main.unkin.net
- fafflix.unkin.net
@@ -0,0 +1,305 @@
---
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- git.unkin.net
- fafflix.unkin.net
- grafana.unkin.net
profiles::haproxy::mappings:
fe_http:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
- 'git.unkin.net be_gitea'
- 'grafana.unkin.net be_grafana'
fe_https:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
- 'git.unkin.net be_gitea'
- 'grafana.unkin.net be_grafana'
profiles::haproxy::frontends:
fe_http:
options:
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]"
fe_https:
options:
acl:
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
- 'acl_gitea req.hdr(host) -i git.unkin.net'
- 'acl_grafana req.hdr(host) -i grafana.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
http-request:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Frame-Options DENY if acl_sonarr'
- 'set-header X-Frame-Options DENY if acl_radarr'
- 'set-header X-Frame-Options DENY if acl_lidarr'
- 'set-header X-Frame-Options DENY if acl_readarr'
- 'set-header X-Frame-Options DENY if acl_prowlarr'
- 'set-header X-Frame-Options DENY if acl_nzbget'
- 'set-header X-Frame-Options DENY if acl_jellyfin'
- 'set-header X-Frame-Options DENY if acl_fafflix'
- 'set-header X-Frame-Options DENY if acl_gitea'
- 'set-header X-Frame-Options DENY if acl_grafana'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
profiles::haproxy::backends:
be_ausyd1pve_web:
description: Backend for au-syd1 pve cluster (Web)
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_ausyd1pve_api:
description: Backend for au-syd1 pve cluster (API only)
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_sonarr:
description: Backend for au-syd1 sonarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_radarr:
description: Backend for au-syd1 radarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_lidarr:
description: Backend for au-syd1 lidarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_readarr:
description: Backend for au-syd1 readarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_prowlarr:
description: Backend for au-syd1 prowlarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_nzbget:
description: Backend for au-syd1 nzbget
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_jellyfin:
description: Backend for au-syd1 jellyfin
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_gitea:
description: Backend for gitea cluster
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
be_grafana:
description: Backend for grafana nodes
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m'
stick: 'on src'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem
# additional altnames
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- jellyfin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::service: haproxy
certbot::client::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- fafflix.unkin.net
- git.unkin.net
- grafana.unkin.net
@@ -1,2 +1,3 @@
---
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
mysql::db::rundeck::pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcWmZuTro0DNX8X/6DCJdmxm85hawng2cjSm/M26/sAzlr7i3XLIjg5TQc3BpeiKWZvQ2XZWygOEcW7g0bHH7FBS6XTXswDiLCf7ssd0DYL+eQbh4p6VijBKObug33fp4+YJaqGV7YRUNqBjXQv/SSmxFqbNaRahUqwbMidJCyjGNmfCfbSd9WxI4/8j0L38rjXR3/i+/xzgVIhgz/qymmw0rky6jN14YrwRIkdW6loMFzVd12tqdX9kh7UBdE7j58ntQgJSilQn2pLmQs6dgcXSOeIi8Sln4R0MfAtOQ1c6LoKMUdb7k8xEszpGbhX7sw51kpwvnL1LS6PQ+T8T9wDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDm1sAUc6LFtslrIuwk1JlJgDAngDM/0g4dpgyNOZDsvAU8OualEL6HZ2RFGfibteUc11wZzHkdFZlvHz2JZdO7Huo=]
@@ -13,3 +13,12 @@ mysql::db:
- INSERT
- UPDATE
- DELETE
rundeck:
name: rundeck
user: rundeck
password: "%{alias('mysql::db::rundeck::pass')}"
grant:
- SELECT
- INSERT
- UPDATE
- DELETE
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.10
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.11
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.12
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.13
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.14
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.15
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.16
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.17
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.18
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.19
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.20
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.21
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.22
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.23
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.24
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.25
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.26
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,11 +0,0 @@
---
profiles::cobbler::params::is_cobbler_master: true
networking::interfaces:
ens18:
ipaddress: 198.18.13.27
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.28
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.29
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.30
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,10 +0,0 @@
---
networking::interfaces:
ens18:
ipaddress: 198.18.13.31
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.32
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.33
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.34
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.35
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.36
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.37
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.38
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.39
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.40
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.41
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.42
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.43
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.44
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.45
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.47
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.47
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.48
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.49
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.50
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.50
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.51
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.51
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.52
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.52
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.53
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.53
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.54
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.55
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.56
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.57
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.57
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -13,9 +13,3 @@ profiles::ssh::sign::principals:
profiles::puppet::puppetca::is_puppetca: true
profiles::puppet::puppetca::allow_subject_alt_names: true
networking::interfaces:
eth0:
ipaddress: 198.18.13.46
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,2 @@
---
profiles::cobbler::params::is_cobbler_master: true
@@ -1,12 +0,0 @@
---
profiles::puppet::server::dns_alt_names:
- puppetca.main.unkin.net
- puppetca.service.consul
- puppetca.query.consul
- puppetca
profiles::puppet::puppetca::is_puppetca: false
profiles::puppet::puppetca::allow_subject_alt_names: true
hiera_exclude:
- networking
@@ -1,5 +1,13 @@
---
profiles::proxmox::params::pve_clusterinit_master: true
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.1 # management loopback
networking_loopback1_ip: 198.18.22.1 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.1 # ceph-public loopback
networking_1000_ip: 198.18.15.1 # 1gbe network
networking_2500_ip: 198.18.21.1 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:c3:60
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:50
@@ -1,4 +1,13 @@
---
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.2 # management loopback
networking_loopback1_ip: 198.18.22.2 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.2 # ceph-public loopback
networking_1000_ip: 198.18.15.2 # 1gbe network
networking_2500_ip: 198.18.21.2 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:74:b6:08
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:08:43
@@ -1,4 +1,13 @@
---
profiles::proxmox::params::pve_ceph_mon: true
profiles::proxmox::params::pve_ceph_mgr: true
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.3 # management loopback
networking_loopback1_ip: 198.18.22.3 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.3 # ceph-public loopback
networking_1000_ip: 198.18.15.3 # 1gbe network
networking_2500_ip: 198.18.21.3 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: b8:85:84:a3:25:c5
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:07:82
@@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.4 # management loopback
networking_loopback1_ip: 198.18.22.4 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.4 # ceph-public loopback
networking_1000_ip: 198.18.15.4 # 1gbe network
networking_2500_ip: 198.18.21.4 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:d5:00
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:43
@@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.5 # management loopback
networking_loopback1_ip: 198.18.22.5 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.5 # ceph-public loopback
networking_1000_ip: 198.18.15.5 # 1gbe network
networking_2500_ip: 198.18.21.5 # 2.5gbe network
networking_1000_iface: enp1s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: 54:bf:64:a0:08:64
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:07:79
@@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.6 # management loopback
networking_loopback1_ip: 198.18.22.6 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.6 # ceph-public loopback
networking_1000_ip: 198.18.15.6 # 1gbe network
networking_2500_ip: 198.18.21.6 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:10:8d
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:53
@@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.7 # management loopback
networking_loopback1_ip: 198.18.22.7 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.7 # ceph-public loopback
networking_1000_ip: 198.18.15.7 # 1gbe network
networking_2500_ip: 198.18.21.7 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:74:b4:27
"%{hiera('networking_2500_iface')}":
mac: 00:ac:d0:00:00:5b
@@ -1,2 +1,13 @@
---
profiles::proxmox::params::pve_ceph_osd: true
networking_loopback0_ip: 198.18.19.8 # management loopback
networking_loopback1_ip: 198.18.22.8 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.8 # ceph-public loopback
networking_1000_ip: 198.18.15.8 # 1gbe network
networking_2500_ip: 198.18.21.8 # 2.5gbe network
networking_1000_iface: enp2s0
networking_2500_iface: enp3s0
networking::interfaces:
"%{hiera('networking_1000_iface')}":
mac: d8:9e:f3:75:06:18
"%{hiera('networking_2500_iface')}":
mac: 00:e0:4c:68:08:4b
@@ -0,0 +1,18 @@
---
networking_loopback0_ip: 198.18.19.9 # management loopback
networking_loopback1_ip: 198.18.22.9 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.9 # ceph-public loopback
networking_br10_ip: 198.18.25.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:8d
ipaddress: 198.18.15.9
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:5d
ipaddress: 198.18.21.9
#zfs::zpools:
# fastpool:
# ensure: present
# disk: /dev/nvme0n1
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.10 # management loopback
networking_loopback1_ip: 198.18.22.10 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.10 # ceph-public loopback
networking_br10_ip: 198.18.26.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:37
ipaddress: 198.18.15.10
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:de
ipaddress: 198.18.21.10
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.11 # management loopback
networking_loopback1_ip: 198.18.22.11 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.11 # ceph-public loopback
networking_br10_ip: 198.18.27.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:38:e9:0f
ipaddress: 198.18.15.11
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:55
ipaddress: 198.18.21.11
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.12 # management loopback
networking_loopback1_ip: 198.18.22.12 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.12 # ceph-public loopback
networking_br10_ip: 198.18.28.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:4f:05:1e
ipaddress: 198.18.15.12
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:e5
ipaddress: 198.18.21.12
@@ -0,0 +1,13 @@
---
networking_loopback0_ip: 198.18.19.13 # management loopback
networking_loopback1_ip: 198.18.22.13 # ceph-cluster loopback
networking_loopback2_ip: 198.18.23.13 # ceph-public loopback
networking_br10_ip: 198.18.29.254
networking::interfaces:
enp2s0:
mac: 70:b5:e8:4f:04:b0
ipaddress: 198.18.15.13
gateway: 198.18.15.254
enp3s0:
mac: 00:e0:4c:68:0f:36
ipaddress: 198.18.21.13
+21
View File
@@ -1,2 +1,23 @@
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
---
crypto_policies::policy: 'DEFAULT'
profiles::packages::include:
network-scripts: {}
profiles::yum::global::repos:
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el8
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+34
View File
@@ -1,2 +1,36 @@
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
---
crypto_policies::policy: 'DEFAULT:SHA1'
profiles::yum::global::repos:
baseos:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/baseos-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
extras:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/extras-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
appstream:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/appstream-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
highavailability:
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/ha-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
crb:
name: crb
descr: crb repository
target: /etc/yum.repos.d/crb.repo
baseurl: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/almalinux/%{facts.os.release.full}/crb-daily/%{facts.os.architecture}/os//RPM-GPG-KEY-AlmaLinux-9
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkin/rpm/almalinux/el9
gpgkey: https://git.query.consul/api/packages/unkin/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+15 -21
View File
@@ -3,17 +3,17 @@
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.26.0'
profiles::puppet::agent::puppet_version: '7.34.0'
hiera_include:
- profiles::almalinux::base
profiles::packages::install:
- lzo
- network-scripts
- policycoreutils
- unar
- xz
profiles::packages::include:
crypto-policies-scripts: {}
lzo: {}
policycoreutils: {}
unar: {}
xz: {}
lm-sensors::package: lm_sensors
@@ -39,13 +39,6 @@ profiles::yum::global::repos:
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
highavailability:
name: highavailability
descr: highavailability repository
@@ -57,20 +50,21 @@ profiles::yum::global::repos:
name: epel
descr: epel repository
target: /etc/yum.repos.d/epel.repo
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
baseurl: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/
gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
unkinben:
name: unkinben
descr: unkinben repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+9 -5
View File
@@ -1,15 +1,19 @@
# hieradata/os/debian/all_releases.yaml
---
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
profiles::apt::base::mirrorurl: http://edgecache.query.consul/debian/
profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7
profiles::pki::vaultca::ca_cert-path: /usr/local/share/ca-certificates/
profiles::packages::install:
- lzop
- python3.11-venv
- xz-utils
profiles::packages::include:
lzop: {}
python3.11-venv: {}
xz-utils: {}
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false
consul::install_method: 'url'
consul::manage_repo: false
consul::bin_dir: /usr/local/bin
+1
View File
@@ -0,0 +1 @@
profiles::jupyter::jupyterhub::ldap_bind_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJspN3e2WzA0uZaLgFZ0Ewqii9dY0tTgbirsW70M2VZtLY+s+C6HE8ZZUtpfnRsFwUUhOj7s25X9xVOZNTpZIGPyfx9MWlSyFw2RFuXSEwaydf1DcBbg8261YrTTysA4Jsa1L4DLsX55q+XJUyeUbimVQkIacVIvzTdnZCBKnVNUh3U2PNAmV7SOL2KH8Jpbfs/EQfBt8XuGMCg3I/4RDyoNERqthW6W2KiMX2Gmd8iQ5+W9udH0lEAMx415oyImmN+dEuThcx9FGMi8BWYtnxH96yWafpT5qltwW6EVzIGWuLhiD1LcWYc5RB8jc3DhbeouChpKsN6c4EHoKt3aWsTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC8jcnqilJgY1/AnHWHfX4bgDCi2a3Rj43Z0dgfB5HaHdpfked3Cx+u94r2S5+Cg3QogU1AIF04rjzOL+bD2HdaMfo=]
+74
View File
@@ -0,0 +1,74 @@
---
profiles::packages::include:
python3.12: {}
python3.12-pip: {}
hiera_include:
- docker
- profiles::nginx::simpleproxy
# manage docker
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'jupyterhub.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- jupyterhub.service.consul
- jupyterhub.query.consul
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
profiles::nginx::simpleproxy::locations:
# authorised access from external
default:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Real-IP $remote_addr'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
- 'X-Scheme $scheme'
proxy_redirect: 'off'
proxy_http_version: '1.1'
proxy_buffering: 'off'
# additional altnames
profiles::pki::vault::alt_names:
- jupyterhub.service.consul
- jupyterhub.query.consul
- "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
# configure consul service
consul::services:
jupyterhub:
service_name: 'jupyterhub'
tags:
- 'jupyterhub'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'jupyterhub_http_check'
name: 'jupyterhub HTTP Check'
http: "https://%{facts.networking.fqdn}"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jupyterhub
disposition: write
+80
View File
@@ -1,4 +1,7 @@
---
hiera_include:
- profiles::nginx::simpleproxy
profiles::yum::global::repos:
ceph-reef:
name: ceph-reef
@@ -18,3 +21,80 @@ profiles::base::groups::local:
gid: 20000
allowdupe: false
forcelocal: true
ldap_host: 'ldap.service.consul'
ldap_basedn: 'dc=main,dc=unkin,dc=net'
profiles::nginx::simpleproxy::locations:
# authentication proxy
authproxy:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
internal: true
location: '= /auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
proxy_set_header:
- 'Content-Length ""'
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
- 'X-Ldap-Starttls "false"'
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
- 'X-CookieName "nginxauth"'
- 'Cookie nginxauth=$cookie_nginxauth'
- "X-Ldap-Template %{lookup('ldap_template')}"
- 'X-Ldap-Realm "Restricted"'
proxy_cache: 'cache'
proxy_cache_valid: '200 10m'
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
location_cfg_append:
proxy_pass_request_body: 'off'
# health checks by consul/haproxy
arrstack_web_healthcheck:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/consul/health'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
location_allow:
- 127.0.0.1
- "%{facts.networking.ip}"
- 198.18.24.0/24
location_deny:
- all
# authorised access from external
arrstack_web_external:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
auth_request: '/auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
# location for api, which should be accessible without authentication
arrstack_api:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '~ /api'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
location_cfg_append:
client_max_body_size: '20m'
+77
View File
@@ -0,0 +1,77 @@
---
hiera_include:
- jellyfin
profiles::packages::include:
intel-media-driver: {}
libva-intel-driver: {}
libva-intel-hybrid-driver: {}
intel-mediasdk: {}
# manage jellyfin
jellyfin::params::service_enable: true
# additional altnames
profiles::pki::vault::alt_names:
- jellyfin.main.unkin.net
- jellyfin.service.consul
- jellyfin.query.consul
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'jellyfin.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- jellyfin.main.unkin.net
- jellyfin.service.consul
- jellyfin.query.consul
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8096
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
jellyfin:
service_name: 'jellyfin'
tags:
- 'media'
- 'jellyfin'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'jellyfin_http_check'
name: 'jellyfin HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jellyfin
disposition: write
profiles::yum::global::repos:
rpmfusion-free:
name: rpmfusion-free
descr: rpmfusion-free repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
mirrorlist: absent
rpmfusion-nonfree:
name: rpmfusion-nonfree
descr: rpmfusion-nonfree repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
unkinben:
name: unkinben
descr: unkinben repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el8
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+1
View File
@@ -1,2 +1,3 @@
---
lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEDEyk6fBBnrjZvfK8MnUVOTWxhFGtgY34/2CuIq55MoVLsk2ZgVrL7Kt+94bqFhwEB67kuNpMGXqTgW5ose2yWs5iVSJLECsf9C+tvGBGwaV35LNwP5S3aQmFagyTpZZz9QlGKC7818jlXz7vZWDtiUhy5TGMHeyS0fdjCveavtZR28A+ZrvWjJeLdN47mmvYwYfFnQBs3kSgkl5KyMVhFWSFOSLeHsuEzCVXHoQ1jQG+2TV5m18wV0RR/sOju2E+vsulqlDgCyifgoiry4GzJeKNrNDI2bifzHCAi6yZqHL/klyqbGTnKLlA4xKoXsHF+xEwcoq4S9JDLAdWeH1SDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCdvh4yn8knozcYhinybRq3gDAwTKv8VakQG7XK/mcEplwtoiKqLnj9IIGdIUh1zPi2Sg48ET5rfZyl0p7ddIYoHjU=]
+8 -3
View File
@@ -1,7 +1,8 @@
---
hiera_include:
- lidarr
- profiles::nginx::simpleproxy
- profiles::nginx::ldapauth
- profiles::media::lidarr
# manage lidarr
lidarr::params::user: lidarr
@@ -27,9 +28,13 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=lidarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
lidarr:
service_name: 'lidarr'
@@ -41,7 +46,7 @@ consul::services:
checks:
- id: 'lidarr_http_check'
name: 'Lidarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
+2
View File
@@ -0,0 +1,2 @@
---
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAPomn4iZbT0JEysvDo7OgblpoQLFp9DzryY558UfVWQq6HDAkgoSC42cbgZGBPFclCgLaO/LfBrFpRXkafEVV33Vg2AmP/FiS9SmmwREc3t/ZTvENlDIgasY3pDIph0/i5u0S45mjyzzciBK0KY6cMZvPDVRvU+d0SyVnbSBlef6VmyZOhUk6ILpaYTGu+suVR/BAL/DTKsmmY7iTotTWN+IW/1cY3vprvBMJQVftaO1WSqKftmX29/PAsxbQo6AMpuQFx/dMcMe3d5JTB0mgzIhAFaKmSC8vJFqe21Nrr8F+PxJMSEl1saBJTwJc5RyPVm9ejVKfcPhDfWK5stNNvjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAo205Hvo/Z+rhnSGgkTS2YgDB7pTHdgnQz1UOK323DRljWcqx+SnCA7izyF1SNMlzlCck79Fr4zKh0qnbYsMZDWZU=]
+87
View File
@@ -0,0 +1,87 @@
---
hiera_include:
- nzbget
- profiles::media::nzbget
- profiles::nginx::ldapauth
- exporters::nzbget_exporter
profiles::packages::include:
unrar: {}
# manage nzbget
nzbget::params::user: nzbget
nzbget::params::group: media
nzbget::params::manage_group: false
# nzbget_exporter
exporters::nzbget_exporter::enable: true
# additional altnames
profiles::pki::vault::alt_names:
- nzbget.main.unkin.net
- nzbget.service.consul
- nzbget.query.consul
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'nzbget.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- nzbget.main.unkin.net
- nzbget.service.consul
- nzbget.query.consul
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 6789
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_nzbget,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=nzbget_access,ou=groups,dc=main,dc=unkin,dc=net))'
profiles::nginx::simpleproxy::locations:
arrstack_web_healthcheck:
location_cfg_append:
rewrite: '/consul/health / break'
# configure consul service
consul::services:
nzbget:
service_name: 'nzbget'
tags:
- 'media'
- 'nzbget'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'nzbget_http_check'
name: 'nzbget HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: nzbget
disposition: write
- resource: service
segment: nzbget_exporter
disposition: write
profiles::yum::global::repos:
rpmfusion-free:
name: rpmfusion-free
descr: rpmfusion-free repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
mirrorlist: absent
rpmfusion-nonfree:
name: rpmfusion-nonfree
descr: rpmfusion-nonfree repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
@@ -1,2 +1,3 @@
---
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhduPAqoZuq/xeRs4f/KX4r88evPMogQX79yofLAB5Qqdr48s2X0BAa1iiw0vMdL6Tf0uc794WJN5MP2Yp365Vk1yhwgqH92rt5hKPI+wBN5uak2iLgLzLWsp0HOx7d1ukDWBbj0lI6G5LiofsL3KJbbTnkovn06L4PRJXgn44+ynfywiCl2tPy2294DhfooeM6/Cy+t9lA6blzHLCOHtt/rBKmk1GT2y3YBCPhRfOumWXQWnv4Q+f6KkQkvpfPyAFYNiQxQYBv5bGwLnwiDk3xQnPM4FfcutVuAOKjsoeMa+K1KShDFyEfBxIER8JSpigj2/khstyihcVW0Xrod3uDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCRqqRwMThwn1F/6byFhTWxgDAfucfkFhmqxBv/u5H+wWnjvK5EH7eU/fECrajYPBW/cmsYjLgXlwrAzFGqWze3AZc=]
+27 -3
View File
@@ -1,7 +1,9 @@
---
hiera_include:
- prowlarr
- profiles::nginx::simpleproxy
- profiles::nginx::ldapauth
- profiles::media::prowlarr
- exporters::exportarr
# manage prowlarr
prowlarr::params::user: prowlarr
@@ -10,6 +12,12 @@ prowlarr::params::manage_group: false
prowlarr::params::archive_version: 1.19.0
prowlarr::params::port: 8000
# exportarr
exporters::exportarr::enable: true
exporters::exportarr::app: prowlarr
exporters::exportarr::api_key: "%{hiera('prowlarr::api_key')}"
exporters::exportarr::backfill: true
# additional altnames
profiles::pki::vault::alt_names:
- prowlarr.main.unkin.net
@@ -27,9 +35,13 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_prowlarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=prowlarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
prowlarr:
service_name: 'prowlarr'
@@ -41,7 +53,7 @@ consul::services:
checks:
- id: 'prowlarr_http_check'
name: 'Prowlarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
@@ -50,3 +62,15 @@ profiles::consul::client::node_rules:
- resource: service
segment: prowlarr
disposition: write
- resource: service
segment: exportarr
disposition: write
profiles::nginx::simpleproxy::locations:
arrstack_web_external:
location_satisfy: any
location_allow:
- 198.18.13.47
- 198.18.13.50
- 198.18.13.51
- 198.18.13.52
+1
View File
@@ -1,2 +1,3 @@
---
radarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALtNnNr2N7DpP9zx5anmQavFmsTLIyPkpJGCkJpUTHMYFSScS/3FOUuufajk4Cmu4FbPswp/N/U1nHO8oLF6xNQ+H77+xXuKPalW/3R1IRqGoczwsAfstJ6nYF+PLjjeK2TDP+KMs3Eg2+nrXB7NOVOP88RvDLyZq93Wn9qR+1VG6Y2gLqGSJArZpNilV5ygUYRgbMeckjqfLynYBXtgDQQLYNhxDO6WGRRv+0X773nmOdrWFAUjqF6/K+Ejjk5ZbaqnGyjljMstSrhg7NWxtMRbCjeMpjUjUS4Hn/Vayg2M2Ag2s87gsE1e4QFa6KP7GVRu3swvyZ3D54Ba/xrebxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDD6gIEfNGPXA8zv/vysgxJgDADMi7Fx5q+aqTMeqcKLg1AukTlCnJ62zykm6RNGdS0KlpJsvTSmWF4So3v/9BsKdk=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAf6LbAXy3EsJqkf4KO8xikpXfSVIVOD2obnwZLPEiCfbC0iJyZ2Uc/RbHM9NnIpg8dgEnYGgaBM9HC+kFKYFP4skLsPQ0mpqOv13WbOAHOphhyBxWc/n4Eg4HqMAiHsC4qA9Sj5j4F29tNiMmpNM0eqDXD6YIrajV5IF+SKQQzZrNSrcDrzjqENaMnJWVc2gj7Zb9kPB1LdM5ZfljpPtfQHXHhh9ShTDKuWMx46nc+UYaRcJqHEns7OExwpsEAtA1SSunD81PTijJ6Bn1Y6cAsZoBot5YgFGaWtgQ4jvEqj7EbG8gDJuHMSwa9RzA9SMsVwEh2g1pko7wYbBR/arV7jBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAhZlVaEdaLNh60gAY0KwEKgDAHPoXfFRq0I2K2J+NFgNFm/A00jYGVRfuPsX6VZfPaJ499dtMiJifrK3Kfk1oXpvk=]
+16 -3
View File
@@ -1,7 +1,9 @@
---
hiera_include:
- radarr
- profiles::nginx::simpleproxy
- profiles::nginx::ldapauth
- profiles::media::radarr
- exporters::exportarr
# manage radarr
radarr::params::user: radarr
@@ -10,6 +12,10 @@ radarr::params::manage_group: false
radarr::params::archive_version: 5.7.0
radarr::params::port: 8000
# exportarr
exporters::exportarr::enable: true
exporters::exportarr::app: radarr
exporters::exportarr::api_key: "%{hiera('radarr::api_key')}"
# additional altnames
profiles::pki::vault::alt_names:
@@ -28,9 +34,13 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_radarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=radarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
radarr:
service_name: 'radarr'
@@ -42,7 +52,7 @@ consul::services:
checks:
- id: 'radarr_http_check'
name: 'radarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
@@ -51,3 +61,6 @@ profiles::consul::client::node_rules:
- resource: service
segment: radarr
disposition: write
- resource: service
segment: exportarr
disposition: write
+1
View File
@@ -1,2 +1,3 @@
---
readarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlJ5RLp6pVTGQgtbzO5cQSrHBMg80S1ImFprHDeWC3GPN2KbheM80b1FKxvN+oVUJ8/kfiV6zstLOoYPUJQfmJNa/Xe95W/5+9hH2IS/oQ0yVdfLOjRq//qp+mVvSJ7JrtOyYSIrU3HjxaD+eXTPYp4UEJKfdSmGyDr7XuCOVIZe0Lu7OHczs8VKrowN99RJZ589HoMqrqCZWPlx14l/uNFjYdK/w6VcUWoo9y/5z1jtsNIObV8kSAYQQLwSr3tmjJdEE3au4sjeMOOJDpGcd5aJRWpKp12+8oHdVR5BV5326aCb13tkp6Td0jq/W9J2Jyv05vUdpP3PnVH9mHPDh6TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDA+2mMNGwfYM+mRoVTQiZMgDBanhVFmpYe42vZgMBKpNcNRjTnoCl27RpxD3KnjYwkE1zw/NeEOLoSZ1Try3GrlaA=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcOegaqGEsivQAlhSYvaiVUij4QJ/kterSg+wX/7P/oWjSN1oSNAFfco6lg5fYUsR7HDKZ4IwYuO1Q/q8hOxYkqzYrH/MIAhZatfQxyxriKuekxqOMuXgwrWCzAexQL0Fb4s5gcHQ4fwy5OxsM1CxFXnSSm1eYNXl5IERd//c0dFoIcshiGlOCFsj8Ne9mookFTJQDZrxM4VMXaVb+Fl9mOyy1ppDBKHTP/1ise/6LIUi+9YngamAWLIrsur5KvR45kvRoxDNLfJZasAqhD/5QLceDdSxqKBDur57QzmoPo2lFdT4WlzphKOdyHZtYOYr7BPdbtCqkXTWdkXvqFlRxjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCXhYe6zoRW7/OxVrZnAEoTgDDPFTz5S4nZWiwzjdT7Yd88Ii6I/v6ckaKTx0gd0pZKsVZkFYQBBhIfqFS2ho0UG3Y=]
+8 -3
View File
@@ -1,7 +1,8 @@
---
hiera_include:
- readarr
- profiles::nginx::simpleproxy
- profiles::nginx::ldapauth
- profiles::media::readarr
# manage readarr
readarr::params::user: readarr
@@ -27,9 +28,13 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_readarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=readarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
readarr:
service_name: 'readarr'
@@ -41,7 +46,7 @@ consul::services:
checks:
- id: 'readarr_http_check'
name: 'Readarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
+1
View File
@@ -1 +1,2 @@
sonarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANhwc0Vk0htkacwqGA/ZEVR7hpC1V2+nyP3lxyqkVNWERdcIsoMjlfwp2QNoLVirALY10Kon1wKXiRLT+QOqF9aTapS2Vb2YH3ZujR5yT6T1z4e0o4EA3IlNJZemVIziIqrK8+8zZzVafYdOYwMwpbc5EzoJPBtdqNHbDaQu4bRTCp2yMISTOzFjZpOoEJlRyC8YrffNU2xzA5mh5Cw+00MdIfPd8enrCnA4b1ddqP/IsfEYRt91ANQBULwKC5wenKdJAN5qKSKW6KU9TUM5YvGvUPgTvcYgXNf3/INL6G3/HwISTE5A7S6lqwYLyRTT1fMHtgDIqS936DPqCdAZtzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBZ4e3jAM0zvV43IrCzQOGIgDBwOWgm+wJG+jAU8r1awWDvzQXgF3h65nAKfoOuGEztsjeBEruU4EmZy6llLbfSSb8=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF5/sP43SJX/FB6cAS0GPqxC78JS7jSNKoUqWB/IXkv8uXYiClqk+Xw4nFx8EtknNn628DHBY3vCLQ59Xk89p0fyimP70m3BM6or5iRGdCqEAOzL399GbYX8WFHjyQRBmGdaLR5h2r5UnmjuPpDtV+fgsqxo4gNpXnuQ+46ZZPQce/dzHzux+4aEK4Q6UbD/ZZSQklD6zEUV+Agj6E9cQlJPBiHtTyUdXOYHYlJN1HhFPXu3C6KIz63YioVCah1n6T/rJtPQ07pVUfizIaJiPpzcUN91+ZWyyjUPo0bRGZtYKVs/uCAYXht4F5ttKQDaGa3wd4a5IdtacmEWQWFqk3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDtB/68xkjxK3nrNh0MilACgDDt85aBvSp/Oj9EY67eNPr+JcnQ7WfyuqAYAnmYqfbQI8MDtYAx7br0+inJXvQ1BvI=]
+17 -3
View File
@@ -1,7 +1,9 @@
---
hiera_include:
- sonarr
- profiles::nginx::simpleproxy
- profiles::nginx::ldapauth
- profiles::media::sonarr
- exporters::exportarr
# manage sonarr
sonarr::params::user: sonarr
@@ -10,6 +12,11 @@ sonarr::params::manage_group: false
sonarr::params::archive_version: 4.0.5
sonarr::params::port: 8000
# exportarr
exporters::exportarr::enable: true
exporters::exportarr::app: sonarr
exporters::exportarr::api_key: "%{hiera('sonarr::api_key')}"
# additional altnames
profiles::pki::vault::alt_names:
- sonarr.main.unkin.net
@@ -27,9 +34,13 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
sonarr:
service_name: 'sonarr'
@@ -41,7 +52,7 @@ consul::services:
checks:
- id: 'sonarr_http_check'
name: 'Sonarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
@@ -50,3 +61,6 @@ profiles::consul::client::node_rules:
- resource: service
segment: sonarr
disposition: write
- resource: service
segment: exportarr
disposition: write
+60
View File
@@ -0,0 +1,60 @@
---
hiera_include:
- frrouting
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
loopback0:
type: dummy
ipaddress: "%{hiera('networking_loopback0_ip')}" # ceph public network
netmask: 255.255.255.255
mtu: 1500
# frrouting
frrouting::ospfd_router_id: "%{facts.networking.ip}"
frrouting::ospfd_redistribute:
- connected
frrouting::ospfd_interfaces:
eth0:
area: 0.0.0.0
loopback0:
area: 0.0.0.0
frrouting::daemons:
ospfd: true
# additional repos
profiles::yum::global::repos:
ceph:
name: ceph
descr: ceph repository
target: /etc/yum.repos.d/ceph.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download.ceph.com/keys/release.asc
mirrorlist: absent
ceph-noarch:
name: ceph-noarch
descr: ceph-noarch repository
target: /etc/yum.repos.d/ceph-noarch.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
gpgkey: https://download.ceph.com/keys/release.asc
mirrorlist: absent
frr-extras:
name: frr-extras
descr: frr-extras repository
target: /etc/yum.repos.d/frr-extras.repo
baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
frr-stable:
name: frr-stable
descr: frr-stable repository
target: /etc/yum.repos.d/frr-stable.repo
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
mirrorlist: absent
View File
+2 -2
View File
@@ -1,6 +1,6 @@
---
profiles::packages::install:
- policycoreutils
profiles::packages::include:
policycoreutils: {}
puppetdb::master::config::create_puppet_service_resource: false
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
+357
View File
@@ -0,0 +1,357 @@
---
hiera_include:
- glauth
# additional altnames
profiles::pki::vault::alt_names:
- ldap.main.unkin.net
- ldap.service.consul
- ldap.query.consul
- "ldap.service.%{facts.country}-%{facts.region}.consul"
glauth::params::download_version: 2.3.2
glauth::params::ldap_enabled: true
glauth::params::ldaps_enabled: true
glauth::params::basedn: 'dc=main,dc=unkin,dc=net'
glauth::params::behaviors_ignorecapabilities: true
glauth::params::ldap_tlscertpath: /etc/pki/tls/vault/certificate.crt
glauth::params::ldap_tlskeypath: /etc/pki/tls/vault/private.key
glauth::params::ldaps_cert: /etc/pki/tls/vault/certificate.crt
glauth::params::ldaps_key: /etc/pki/tls/vault/private.key
glauth::params::api_cert: /etc/pki/tls/vault/certificate.crt
glauth::params::api_key: /etc/pki/tls/vault/private.key
# configure consul service
consul::services:
ldap:
service_name: 'ldap'
tags:
- 'media'
- 'ldap'
address: "%{facts.networking.ip}"
port: 636
checks:
- id: 'glauth_http_check'
name: 'glauth HTTP Check'
http: "https://%{facts.networking.fqdn}:5555"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: ldap
disposition: write
glauth::users:
benvin:
user_name: 'benvin'
givenname: 'Ben'
sn: 'Vincent'
mail: 'benvin@users.main.unkin.net'
uidnumber: 20000
primarygroup: 20000
othergroups:
- 20010
- 20011
- 20012
- 20013
- 20014
- 20015
- 20016
- 20017
- 20018
- 20023
- 20024
- 20025 # jupyterhub_admin
- 20026 # jupyterhub_user
- 20027 # grafana_user
loginshell: '/bin/bash'
homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
sshkeys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net'
matsol:
user_name: 'matsol'
givenname: 'Matt'
sn: 'Solomon'
mail: 'matsol@users.main.unkin.net'
uidnumber: 20001
primarygroup: 20000
othergroups:
- 20010
- 20011
- 20012
- 20013
- 20014
- 20015
- 20016
- 20027 # grafana user
loginshell: '/bin/bash'
homedir: '/home/matsol'
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
seablo:
user_name: 'seablo'
givenname: 'Sean'
sn: 'Bloomfield'
mail: 'seablo@users.main.unkin.net'
uidnumber: 20002
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
- 20027 # grafana user
loginshell: '/bin/bash'
homedir: '/home/seablo'
passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
marbal:
user_name: 'marbal'
givenname: 'Mark'
sn: 'Balch'
mail: 'marbal@users.main.unkin.net'
uidnumber: 20003
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
- 20027 # grafana user
loginshell: '/bin/bash'
homedir: '/home/marbal'
passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
kelren:
user_name: 'kelren'
givenname: 'Kelly'
sn: 'Rennie'
mail: 'kelren@users.main.unkin.net'
uidnumber: 20004
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
- 20027 # grafana user
loginshell: '/bin/bash'
homedir: '/home/kelren'
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
ryadun:
user_name: 'ryadun'
givenname: 'Ryan'
sn: 'Dunbar'
mail: 'ryadun@users.main.unkin.net'
uidnumber: 20005
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
- 20027 # grafana user
loginshell: '/bin/bash'
homedir: '/home/ryadun'
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
margol:
user_name: 'margol'
givenname: 'Maree'
sn: 'Goldsworthy'
mail: 'margol@users.main.unkin.net'
uidnumber: 20006
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
- 20027 # grafana user
loginshell: '/bin/bash'
homedir: '/home/margol'
passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
sudobo:
user_name: 'sudobo'
givenname: 'Sudaporn'
sn: 'Obom'
mail: 'sudobo@users.main.unkin.net'
uidnumber: 20007
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
- 20026 # jupyterhub_user
- 20027 # grafana user
loginshell: '/bin/bash'
homedir: '/home/sudobo'
passsha256: 'a326e049c2a615226877946220a978a0a8247c569be1adcd73539b09b14136d0'
waewak:
user_name: 'waewak'
givenname: 'Waew'
sn: 'Wakul'
mail: 'waewak@users.main.unkin.net'
uidnumber: 20008
primarygroup: 20000
othergroups:
- 20010 # jelly
loginshell: '/bin/bash'
homedir: '/home/waewak'
passsha256: 'd9bb99634215fe031c3bdca94149a165192fe8384ecaa238a19354c2f760a811'
glauth::services:
svc_jellyfin:
service_name: 'svc_jellyfin'
mail: 'jellyfin@service.main.unkin.net'
uidnumber: 30000
primarygroup: 20001
passsha256: '97f7b1eb24deb0a86e812d79c56f4901d39a24128dc9f6fde033e7195f7d0739'
svc_sonarr:
service_name: 'svc_sonarr'
mail: 'sonarr@service.main.unkin.net'
uidnumber: 30001
primarygroup: 20001
passsha256: '2c32d4cb831183cfbef15835cc76f99b401d0159621bc580e852253d4d8f8722'
svc_radarr:
service_name: 'svc_radarr'
mail: 'radarr@service.main.unkin.net'
uidnumber: 30002
primarygroup: 20001
passsha256: '805b0182d90c2b5b3ba43e50988447a0bff0115eb5fedd8eeae8eac00ba53025'
svc_lidarr:
service_name: 'svc_lidarr'
mail: 'lidarr@service.main.unkin.net'
uidnumber: 30003
primarygroup: 20001
passsha256: '6d04cd2a45784bacbd50e6714710b55805c7e9886665a6d7790e6d8712b67aff'
svc_readarr:
service_name: 'svc_readarr'
mail: 'readarr@service.main.unkin.net'
uidnumber: 30004
primarygroup: 20001
passsha256: '751f22fbd9c052b2cd0c1cb4be514d8710f1a51f84ce44f607ab3a5591162f8c'
svc_prowlarr:
service_name: 'svc_prowlarr'
mail: 'prowlarr@service.main.unkin.net'
uidnumber: 30005
primarygroup: 20001
passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043'
svc_nzbget:
service_name: 'svc_nzbget'
mail: 'nzbget@service.main.unkin.net'
uidnumber: 30006
primarygroup: 20001
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
svc_nzbsubmit:
service_name: 'svc_nzbsubmit'
mail: 'nzbsubmit@service.main.unkin.net'
uidnumber: 30007
primarygroup: 20001
othergroups:
- 20016
passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2'
svc_rundeck:
service_name: 'svc_rundeck'
mail: 'rundeck@service.main.unkin.net'
uidnumber: 30007
primarygroup: 20001
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
svc_terraform:
service_name: 'svc_terraform'
mail: 'terraform@service.main.unkin.net'
uidnumber: 30008
primarygroup: 20001
passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
svc_vault:
service_name: 'svc_vault'
mail: 'vault@service.main.unkin.net'
uidnumber: 30009
primarygroup: 20001
passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
svc_jupyterhub:
service_name: 'svc_jupyterhub'
mail: 'jupyterhub@service.main.unkin.net'
uidnumber: 30010
primarygroup: 20001
passsha256: '09db1e0c2498214da35f3f2ed46a90a7b90635c207f8725e7abf76b48345a39b'
svc_grafana:
service_name: 'svc_grafana'
mail: 'grafana@service.main.unkin.net'
uidnumber: 30011
primarygroup: 20001
passsha256: '1ca9db29c964011d7e535a5c1a5ea2caa6a4c674bd7242974d9f95b24f49f98a'
glauth::groups:
users:
group_name: 'people'
gidnumber: 20000
services:
group_name: 'services'
gidnumber: 20001
jellyfin_access:
group_name: 'jellyfin_access'
gidnumber: 20010
sonarr_access:
group_name: 'sonarr_access'
gidnumber: 20011
radarr_access:
group_name: 'radarr_access'
gidnumber: 20012
lidarr_access:
group_name: 'lidarr_access'
gidnumber: 20013
readarr_access:
group_name: 'readarr_access'
gidnumber: 20014
prowlarr_access:
group_name: 'prowlarr_access'
gidnumber: 20015
nzbget_access:
group_name: 'nzbget_access'
gidnumber: 20016
rundeck_access:
group_name: 'rundeck_access'
gidnumber: 20017
rundeck_globaladmin:
group_name: 'rundeck_globaladmin'
gidnumber: 20018
rundeck_selfservice_admin:
group_name: 'rundeck_selfservice_admin'
gidnumber: 20019
rundeck_selfservice_user:
group_name: 'rundeck_selfservice_user'
gidnumber: 20020
rundeck_infrastructure_admin:
group_name: 'rundeck_infrastructure_admin'
gidnumber: 20021
rundeck_infrastructure_user:
group_name: 'rundeck_infrastructure_user'
gidnumber: 20022
vault_access:
group_name: 'vault_access'
gidnumber: 20023
vault_admin:
group_name: 'vault_admin'
gidnumber: 20024
jupyterhub_admin:
group_name: 'jupyterhub_admin'
gidnumber: 20025
jupyterhub_user:
group_name: 'jupyterhub_user'
gidnumber: 20026
grafana_user:
group_name: 'grafana_user'
gidnumber: 20027

Some files were not shown because too many files have changed in this diff Show More