1 Commits

Author SHA1 Message Date
unkinben 22bd213509 feat: moved puppetdb profiles
- move puppetdb profiles to profiles::puppetdb namespace
- add profile to manage puppetdb api ssl certificates
2024-06-01 14:58:18 +10:00
195 changed files with 233 additions and 3838 deletions
-9
View File
@@ -18,7 +18,6 @@ mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0'
mod 'puppetlabs-augeas_core', '1.5.0'
# puppet
mod 'puppet-python', '7.0.0'
@@ -36,17 +35,10 @@ mod 'puppet-vault', '4.1.0'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '3.6.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-filemapper', '4.0.0'
mod 'puppet-openldap', '8.0.0'
mod 'puppet-augeasproviders_shellvar', '6.0.1'
mod 'puppet-augeasproviders_core', '4.1.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
mod 'saz-sudo', '8.0.0'
mod 'saz-ssh', '12.1.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0'
@@ -54,7 +46,6 @@ mod 'kogitoapp-minio', '1.1.4'
mod 'broadinstitute-certs', '3.0.1'
mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
-9
View File
@@ -1,9 +0,0 @@
# Group administration
This page exists to list all the locally managed groups, their gid's and what their general purpose is for.
## List of groups
| name | gid | purpose |
|-------------|-------------|-------------|
| admin | 10000 | admin group designed for system admins |
| media | 20000 | group permissions to manage media (*arrs) |
-60
View File
@@ -1,60 +0,0 @@
# managing ceph
Always refer back to the official documentation at https://docs.ceph.com/en/latest
## adding new cephfs
- create a erasure code profile which will allow you to customise the raid level
- raid5 with 3 disks? k=2,m=1
- raid5 with 6 disks? k=5,m=1
- raid6 with 4 disks? k=2,m=2, etc
- create osd pool using custom profile for data
- create osd pool using default replicated profile for metadata
- enable ec_overwrites for the data pool
- create the ceph fs volume using data/metadata pools
- set ceph fs settings
- specify minimum number of metadata servers (mds)
- set fs to be for bulk data
- set mds fast failover with standby reply
```
sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
sudo ceph osd pool create media_data 128 erasure ec_4_1
sudo ceph osd pool create media_metadata 32 replicated_rule
sudo ceph osd pool set media_data allow_ec_overwrites true
sudo ceph osd pool set media_data bulk true
sudo ceph fs new mediafs media_metadata media_data --force
sudo ceph fs set mediafs allow_standby_replay true
sudo ceph fs set mediafs max_mds 2
```
## creating authentication tokens
- this will create a client keyring named media
- this client will have the following capabilities:
- mon: read
- mds:
- read /
- read/write /media
- read/write /common
- osd: read/write to cephfs_data pool
```
sudo ceph auth get-or-create client.media \
mon 'allow r' \
mds 'allow r path=/, allow rw path=/media, allow rw path=/common' \
osd 'allow rw pool=cephfs_data'
```
## list the authentication tokens and permissions
ceph auth ls
## change the capabilities of a token
this will overwrite the current capabilities of a given client.user
sudo ceph auth caps client.media \
mon 'allow r' \
mds 'allow rw path=/' \
osd 'allow rw pool=media_data'
-31
View File
@@ -1,31 +0,0 @@
# add additional master
these steps are required when adding additional puppet masters, as the subject alternative names on the certificate will need to be changed. this requires the old certificate be revoked, cleaned up, and for a new certificate to be generated and signed.
## prepare a new node
- deploy a new now, or identify a space with the base role
- change the hosts class to roles::infra::puppet::master
- apply puppet until there are no more changes
## revoke the current certificate on the puppet master
sudo puppetserver ca clean --certname ausyd1nxvm1023.main.unkin.net
## stop the new puppetserver and cleanup revoked certificates
sudo systemctl stop puppetserver
sudo rm -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
sudo rm -f /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem
## copy the current crl.pem, as puppetserver will overwrite it when starting
sudo cp /etc/puppetlabs/puppet/ssl/crl.pem /root/current_crl.pem
## request new puppet agent certificate
sudo puppet ssl bootstrap
## start the puppetserver service and move the crl.pem back in place
sudo systemctl start puppetserver
sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
-123
View File
@@ -1,123 +0,0 @@
# PKI
## root ca
vault secrets enable -path=pki_root pki
vault secrets tune -max-lease-ttl=87600h pki_root
vault write -field=certificate pki_root/root/generate/internal \
common_name="unkin.net" \
issuer_name="UNKIN_ROOTCA_2024" \
ttl=87600h > unkinroot_2024_ca.crt
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
vault write pki_root/roles/2024-servers allow_any_name=true
vault write pki_root/config/urls \
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
## intermediate
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
common_name="unkin.net Intermediate Authority" \
issuer_name="UNKIN_VAULTCA_2024" \
| jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki_root/root/sign-intermediate \
issuer_ref="UNKIN_ROOTCA_2024" \
csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
## create role
vault write pki_int/roles/servers_default \
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
allow_ip_sans=true \
allowed_domains="unkin.net, *.unkin.net, localhost" \
allow_subdomains=true \
allow_glob_domains=true \
allow_bare_domains=true \
enforce_hostnames=true \
allow_any_name=true \
max_ttl="2160h" \
key_bits=4096 \
country="Australia"
## test generating a domain cert
vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
## remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
# AUTH
## enable approles
vault auth enable approle
# CERTMANAGER
## create certmanager policy and token, limit to puppetmaster
cat <<EOF > certmanager.hcl
path "pki_int/issue/*" {
capabilities = ["create", "update", "read"]
}
path "pki_int/renew/*" {
capabilities = ["update"]
}
path "pki_int/cert/*" {
capabilities = ["read"]
}
EOF
vault policy write certmanager certmanager.hcl
vault write auth/approle/role/certmanager \
bind_secret_id=false \
token_policies="certmanager" \
token_ttl=30s \
token_max_ttl=30s \
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
## get the certmanager approle id
vault read -field=role_id auth/approle/role/certmanager/role-id
# SSH Hostkey Signing
## create ssh engine, key, set ttl
vault secrets enable -path=ssh-host-signer ssh
vault write ssh-host-signer/config/ca generate_signing_key=true
vault secrets tune -max-lease-ttl=87600h ssh-host-signer
## create role
vault write ssh-host-signer/roles/hostrole \
key_type=ca \
algorithm_signer=rsa-sha2-256 \
ttl=87600h \
allow_host_certificates=true \
allowed_domains="unkin.net" \
allow_subdomains=true \
allow_baredomains=true
## create policy to use hostrole
cat <<EOF > sshsign-host.hcl
path "ssh-host-signer/sign/hostrole" {
capabilities = ["create", "update"]
}
EOF
vault policy write sshsign-host-policy sshsign-host.hcl
vault write auth/approle/role/sshsign-host-role \
bind_secret_id=false \
token_policies="sshsign-host-policy" \
token_ttl=30s \
token_max_ttl=30s \
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
## get the sshsign-host-role approle id
vault read -field=role_id auth/approle/role/sshsign-host-role/role-id
+48
View File
@@ -0,0 +1,48 @@
# root ca
vault secrets enable -path=pki_root pki
vault write -field=certificate pki_root/root/generate/internal \
common_name="unkin.net" \
issuer_name="unkinroot-2024" \
ttl=87600h > unkinroot_2024_ca.crt
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
vault write pki_root/roles/2024-servers allow_any_name=true
vault write pki_root/config/urls \
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
# intermediate
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
common_name="unkin.net Intermediate Authority" \
issuer_name="unkin-dot-net-intermediate" \
| jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki_root/root/sign-intermediate \
issuer_ref="unkinroot-2024" \
csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
# create role
vault write pki_int/roles/unkin-dot-net \
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
allowed_domains="unkin.net" \
allow_subdomains=true \
max_ttl="2160h"
# test generating a domain cert
vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
# remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
+36 -91
View File
@@ -108,34 +108,11 @@ lookup_options:
profiles::nginx::simpleproxy::nginx_aliases:
merge:
strategy: deep
networking::interfaces:
merge:
strategy: deep
networking::interface_defaults:
merge:
strategy: deep
networking::routes:
merge:
strategy: deep
networking::route_defaults:
merge:
strategy: deep
ssh::server::options:
merge:
strategy: deep
mysql::db:
merge:
strategy: deep
profiles::ceph::client::keyrings:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
hiera_include:
hiera_classes:
- timezone
- networking
- ssh::server
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@@ -173,7 +150,6 @@ profiles::packages::install:
- curl
- dstat
- expect
- gcc
- gzip
- git
- htop
@@ -194,7 +170,6 @@ profiles::packages::install:
- socat
- strace
- sysstat
- tar
- tmux
- traceroute
- unzip
@@ -240,38 +215,6 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
prometheus::node_exporter::export_scrape_job: true
prometheus::systemd_exporter::export_scrape_job: true
ssh::server::storeconfigs_enabled: false
ssh::server::options:
Protocol: '2'
ListenAddress:
- '127.0.0.1'
- '%{facts.networking.ip}'
SyslogFacility: 'AUTHPRIV'
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem
AuthorizedKeysFile: .ssh/authorized_keys
PermitRootLogin: no
PasswordAuthentication: no
ChallengeResponseAuthentication: no
PubkeyAuthentication: yes
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: yes
UsePAM: yes
X11Forwarding: no
PrintMotd: no
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: sftp /usr/libexec/openssh/sftp-server
profiles::ssh::knownhosts::lines:
- '@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1HD97vYxLTniE4qNpGuftUlvmkEXIuX8+7nbENv/IzsGUghEDRtyThjQ7ojNKIsQ7f8wXr0gMcI+fAPfrbcOMHCAoYMomikwL0b3h95SZI40q3CyM+0DMnwiVVDX6C1QxkO2Rv9cszSkCa85NotJhXiUuTBI9BFcRPy+mAhbpAru+bfypYofI0wW97XNTl8Jgwmni5MgutBIQAokFIn5ux8iWxndCH3AqDtmkwC5DfQeQ+wZx7rkwqJEpJffQzrjb1gIM6P9hDCVBBVPh/3o80IJ69rFWrJAZUb+JpG4cXJH0NcSW+wqc3JCT/x3q8VlHwOTXSlNNKtOJCRx73mB8e1XTTy2a9FgpKDDg5XQXWHAViJDz1RTRL9gRefMylRgKz4bXoTuY9kJWM8hPTyUejtukbJThlBJc3OmDxBZBF7F0iqB11pHexok43OCEiANodVa36eWu9/5X032Vm48fZ1/akDPY/NSy3wAn7kwut+A0/JAHFHASrq+1mt9YurkJegI+YHXO6eEWpBIpmI7ORHJbGL4MhkHrxYzVamuP8CkU7tXzsv138+wpOcRHNp9yJY4PT40BZkRf/O3O+jt3pj9Dj8rvgywF2W6hFzywh3Y78upOprRkQlQtHfsI8EyrYI8/hUw2u3H+3yPXh3YjWfqvWVG1BRLRHBV7m90uaw=='
profiles::base::groups::local:
admins:
ensure: present
@@ -288,36 +231,38 @@ sudo::configs:
profiles::accounts::sysadmin::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
networking::interface_defaults:
ensure: present
family: inet
method: static
netmask: 255.255.255.0
onboot: true
networking::route_defaults:
ensure: present
interface: eth0
netmask: 0.0.0.0
network: default
profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
profiles::ceph::client::mons:
- 10.18.15.1
- 10.18.15.2
- 10.18.15.3
#profiles::base::hosts::additional_hosts:
# - ip: 198.18.17.9
# hostname: prodinf01n09.main.unkin.net
# aliases:
# - prodinf01n09
# - ntp01.main.unkin.net
# - ip: 198.18.17.10
# hostname: prodinf01n10.main.unkin.net
# aliases:
# - prodinf01n10
# - ntp02.main.unkin.net
# - ip: 198.18.17.22
# hostname: prodinf01n22.main.unkin.net
# aliases:
# - prodinf01n22
# - repos.main.unkin.net
profiles::base::hosts::additional_hosts:
- ip: 198.18.17.3
hostname: prodinf01n01.main.unkin.net
aliases:
- prodinf01n01
- puppet
- puppetmaster
- puppetca
- ip: 198.18.17.4
hostname: prodinf01n04.main.unkin.net
aliases:
- prodinf01n04
- ip: 198.18.17.5
hostname: prodinf01n05.main.unkin.net
aliases:
- prodinf01n05
- ip: 198.18.17.6
hostname: prodinf01n06.main.unkin.net
aliases:
- prodinf01n06
- ip: 198.18.17.9
hostname: prodinf01n09.main.unkin.net
aliases:
- prodinf01n09
- ntp01.main.unkin.net
- ip: 198.18.17.10
hostname: prodinf01n10.main.unkin.net
aliases:
- prodinf01n10
- ntp02.main.unkin.net
- ip: 198.18.17.22
hostname: prodinf01n22.main.unkin.net
aliases:
- prodinf01n22
- repos.main.unkin.net
@@ -1,4 +1,3 @@
---
certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl]
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]
@@ -6,21 +6,11 @@ profiles::haproxy::mappings:
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
fe_https:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
profiles::haproxy::frontends:
fe_http:
@@ -73,86 +63,6 @@ profiles::haproxy::backends:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_sonarr:
description: Backend for au-syd1 sonarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_radarr:
description: Backend for au-syd1 radarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_lidarr:
description: Backend for au-syd1 lidarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_readarr:
description: Backend for au-syd1 readarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_prowlarr:
description: Backend for au-syd1 prowlarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
@@ -162,11 +72,6 @@ profiles::haproxy::certlist::certificates:
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
@@ -1,4 +1,3 @@
---
certmanager::vault_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]
@@ -1,2 +0,0 @@
---
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
@@ -2,14 +2,3 @@
profiles::sql::galera_member::cluster_name: au-syd1
profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net
profiles::sql::galera_member::innodb_buffer_pool_size: 256M
mysql::db:
grafana:
name: grafana
user: grafana
password: "%{alias('mysql::db::grafana::pass')}"
grant:
- SELECT
- INSERT
- UPDATE
- DELETE
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.10
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.11
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.12
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.13
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.14
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.15
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.16
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.17
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.18
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.19
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.20
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.21
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.22
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.23
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.24
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.25
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.26
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,11 +1,2 @@
---
profiles::cobbler::params::is_cobbler_master: true
networking::interfaces:
ens18:
ipaddress: 198.18.13.27
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.28
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.29
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.30
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,10 +0,0 @@
---
networking::interfaces:
ens18:
ipaddress: 198.18.13.31
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.32
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.33
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.34
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.35
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.36
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.37
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.38
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.39
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.40
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.41
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.42
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.43
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.44
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.45
networking::routes:
default:
gateway: 198.18.13.254
@@ -5,17 +5,5 @@ profiles::puppet::server::dns_alt_names:
- puppetca.query.consul
- puppetca
profiles::ssh::sign::principals:
- puppetca.main.unkin.net
- puppetca.service.consul
- puppetca.query.consul
- puppetca
profiles::puppet::puppetca::is_puppetca: true
profiles::puppet::puppetca::allow_subject_alt_names: true
networking::interfaces:
eth0:
ipaddress: 198.18.13.46
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.47
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.47
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.48
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.49
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.50
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.50
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.51
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.51
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.52
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.52
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.53
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.53
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.54
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.55
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,7 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.56
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.57
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.57
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -7,6 +7,3 @@ profiles::puppet::server::dns_alt_names:
profiles::puppet::puppetca::is_puppetca: false
profiles::puppet::puppetca::allow_subject_alt_names: true
hiera_exclude:
- networking
+2 -16
View File
@@ -5,15 +5,10 @@ profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.26.0'
hiera_include:
- profiles::almalinux::base
profiles::packages::install:
- lzo
- network-scripts
- policycoreutils
- unar
- xz
- policycoreutils
lm-sensors::package: lm_sensors
@@ -24,53 +19,44 @@ profiles::yum::global::repos:
target: /etc/yum.repos.d/baseos.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
extras:
name: extras
descr: extras repository
target: /etc/yum.repos.d/extras.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
appstream:
name: appstream
descr: appstream repository
target: /etc/yum.repos.d/appstream.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
highavailability:
name: highavailability
descr: highavailability repository
target: /etc/yum.repos.d/highavailability.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
epel:
name: epel
descr: epel repository
target: /etc/yum.repos.d/epel.repo
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
mirrorlist: absent
baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os
+1 -2
View File
@@ -1,6 +1,6 @@
# hieradata/os/debian/all_releases.yaml
---
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian
profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7
@@ -12,4 +12,3 @@ profiles::packages::install:
- xz-utils
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false
-2
View File
@@ -1,2 +0,0 @@
---
ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEBANgP2ifU7NbuMs+kWpeg1tchR5IMD7Z7kMpRBejgCMHludTYGf/BzxTe36YjpwLsuUd658QK5vE4EYpM1MuzqfuNiWJa5ec1IR/AgWQUMZcpjEDEqpHTb2qygmpc+jb3vW1EMBleZL2Z4GrgJ00gWO/EvukBSPgyxBsFe4Bb/L3aK6xiucG3JA9A7qA6cS4Oz5pf8dfC0FBjsc+XN7++bJN5pWUgMcEDgiyCy3bkL2gWfPKOWfabTRwuC3qd6SihZMg/tY8uoDfYoI8jHkjU07/mhC6AD930wgcFG+xJwNAX7FxLvLyJ8iN/648LVoZFuszYiTwPib1CszksdYBjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBSGXrbrl4FisZN5FT1hfmrgDBnV2SVfCJIYYyZ9+Vo1ykNmzUypJdJ+4llyXA7FOuH90xVZvLZMjNMhVCxP48CiYI=]
-20
View File
@@ -1,20 +0,0 @@
---
profiles::yum::global::repos:
ceph-reef:
name: ceph-reef
descr: ceph reef repository
target: /etc/yum.repos.d/ceph-reef.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgcheck: 0,
mirrorlist: absent
profiles::ceph::client::keyrings:
media:
key: "%{hiera('ceph::key::media')}"
profiles::base::groups::local:
media:
ensure: present
gid: 20000
allowdupe: false
forcelocal: true
-2
View File
@@ -1,2 +0,0 @@
---
lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
-52
View File
@@ -1,52 +0,0 @@
---
hiera_include:
- lidarr
- profiles::nginx::simpleproxy
# manage lidarr
lidarr::params::user: lidarr
lidarr::params::group: media
lidarr::params::manage_group: false
lidarr::params::archive_version: 2.3.3
lidarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- lidarr.main.unkin.net
- lidarr.service.consul
- lidarr.query.consul
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'lidarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- lidarr.main.unkin.net
- lidarr.service.consul
- lidarr.query.consul
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
lidarr:
service_name: 'lidarr'
tags:
- 'media'
- 'lidarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'lidarr_http_check'
name: 'Lidarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: lidarr
disposition: write
@@ -1,2 +0,0 @@
---
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
-52
View File
@@ -1,52 +0,0 @@
---
hiera_include:
- prowlarr
- profiles::nginx::simpleproxy
# manage prowlarr
prowlarr::params::user: prowlarr
prowlarr::params::group: media
prowlarr::params::manage_group: false
prowlarr::params::archive_version: 1.19.0
prowlarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- prowlarr.main.unkin.net
- prowlarr.service.consul
- prowlarr.query.consul
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'prowlarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- prowlarr.main.unkin.net
- prowlarr.service.consul
- prowlarr.query.consul
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
prowlarr:
service_name: 'prowlarr'
tags:
- 'media'
- 'prowlarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'prowlarr_http_check'
name: 'Prowlarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: prowlarr
disposition: write
-2
View File
@@ -1,2 +0,0 @@
---
radarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALtNnNr2N7DpP9zx5anmQavFmsTLIyPkpJGCkJpUTHMYFSScS/3FOUuufajk4Cmu4FbPswp/N/U1nHO8oLF6xNQ+H77+xXuKPalW/3R1IRqGoczwsAfstJ6nYF+PLjjeK2TDP+KMs3Eg2+nrXB7NOVOP88RvDLyZq93Wn9qR+1VG6Y2gLqGSJArZpNilV5ygUYRgbMeckjqfLynYBXtgDQQLYNhxDO6WGRRv+0X773nmOdrWFAUjqF6/K+Ejjk5ZbaqnGyjljMstSrhg7NWxtMRbCjeMpjUjUS4Hn/Vayg2M2Ag2s87gsE1e4QFa6KP7GVRu3swvyZ3D54Ba/xrebxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDD6gIEfNGPXA8zv/vysgxJgDADMi7Fx5q+aqTMeqcKLg1AukTlCnJ62zykm6RNGdS0KlpJsvTSmWF4So3v/9BsKdk=]
-53
View File
@@ -1,53 +0,0 @@
---
hiera_include:
- radarr
- profiles::nginx::simpleproxy
# manage radarr
radarr::params::user: radarr
radarr::params::group: media
radarr::params::manage_group: false
radarr::params::archive_version: 5.7.0
radarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- radarr.main.unkin.net
- radarr.service.consul
- radarr.query.consul
- "radarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'radarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- radarr.main.unkin.net
- radarr.service.consul
- radarr.query.consul
- "radarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
radarr:
service_name: 'radarr'
tags:
- 'media'
- 'radarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'radarr_http_check'
name: 'radarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: radarr
disposition: write
-2
View File
@@ -1,2 +0,0 @@
---
readarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlJ5RLp6pVTGQgtbzO5cQSrHBMg80S1ImFprHDeWC3GPN2KbheM80b1FKxvN+oVUJ8/kfiV6zstLOoYPUJQfmJNa/Xe95W/5+9hH2IS/oQ0yVdfLOjRq//qp+mVvSJ7JrtOyYSIrU3HjxaD+eXTPYp4UEJKfdSmGyDr7XuCOVIZe0Lu7OHczs8VKrowN99RJZ589HoMqrqCZWPlx14l/uNFjYdK/w6VcUWoo9y/5z1jtsNIObV8kSAYQQLwSr3tmjJdEE3au4sjeMOOJDpGcd5aJRWpKp12+8oHdVR5BV5326aCb13tkp6Td0jq/W9J2Jyv05vUdpP3PnVH9mHPDh6TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDA+2mMNGwfYM+mRoVTQiZMgDBanhVFmpYe42vZgMBKpNcNRjTnoCl27RpxD3KnjYwkE1zw/NeEOLoSZ1Try3GrlaA=]
-52
View File
@@ -1,52 +0,0 @@
---
hiera_include:
- readarr
- profiles::nginx::simpleproxy
# manage readarr
readarr::params::user: readarr
readarr::params::group: media
readarr::params::manage_group: false
readarr::params::archive_version: 0.3.28
readarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- readarr.main.unkin.net
- readarr.service.consul
- readarr.query.consul
- "readarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'readarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- readarr.main.unkin.net
- readarr.service.consul
- readarr.query.consul
- "readarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
readarr:
service_name: 'readarr'
tags:
- 'media'
- 'readarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'readarr_http_check'
name: 'Readarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: readarr
disposition: write
-1
View File
@@ -1 +0,0 @@
sonarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANhwc0Vk0htkacwqGA/ZEVR7hpC1V2+nyP3lxyqkVNWERdcIsoMjlfwp2QNoLVirALY10Kon1wKXiRLT+QOqF9aTapS2Vb2YH3ZujR5yT6T1z4e0o4EA3IlNJZemVIziIqrK8+8zZzVafYdOYwMwpbc5EzoJPBtdqNHbDaQu4bRTCp2yMISTOzFjZpOoEJlRyC8YrffNU2xzA5mh5Cw+00MdIfPd8enrCnA4b1ddqP/IsfEYRt91ANQBULwKC5wenKdJAN5qKSKW6KU9TUM5YvGvUPgTvcYgXNf3/INL6G3/HwISTE5A7S6lqwYLyRTT1fMHtgDIqS936DPqCdAZtzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBZ4e3jAM0zvV43IrCzQOGIgDBwOWgm+wJG+jAU8r1awWDvzQXgF3h65nAKfoOuGEztsjeBEruU4EmZy6llLbfSSb8=]
-52
View File
@@ -1,52 +0,0 @@
---
hiera_include:
- sonarr
- profiles::nginx::simpleproxy
# manage sonarr
sonarr::params::user: sonarr
sonarr::params::group: media
sonarr::params::manage_group: false
sonarr::params::archive_version: 4.0.5
sonarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- sonarr.main.unkin.net
- sonarr.service.consul
- sonarr.query.consul
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'sonarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- sonarr.main.unkin.net
- sonarr.service.consul
- sonarr.query.consul
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
sonarr:
service_name: 'sonarr'
tags:
- 'media'
- 'sonarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'sonarr_http_check'
name: 'Sonarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: sonarr
disposition: write
-1
View File
@@ -3,4 +3,3 @@ profiles::packages::install:
- policycoreutils
puppetdb::master::config::create_puppet_service_resource: false
#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
@@ -1,2 +0,0 @@
---
profiles::openldap::params::rootpw: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAMPu8Asw6L7+k8SRXbPqw62B3ldiE5f2CaDSQbhrOc2u2ULdKvOVpWZnr5cKekl4L8un3zRCiNgY7IG008011jh7oXtTqEGJB2hD/ANHlRawoduft798rRKkDuFqET1rw+komuM7ACJsxXGPO9jB7HjycoJHr4+2yV4o3DlazR0+Ha8kPs8U4C/G/UEWQYOsrP964UZ2CgsHSdozgWj304fVJZ/fWqfOSgipKi2GjNK+TD7g9H12ouGaOjTeOsFBo33QWrikYi6MBFE42p3BLoaBX6Gk6KBzmkhYT7Hyvc/ASP65MpDbXffKp2kcqq++VIb7WhsRydaudRP9wyEJOjzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBVYwJ47CXR2LGgbZOOrd7cgDBCgqTmI4Y5G7x8ZNxEm9WzVY1E7SiKrSnKWF3ntekOhL8ABOk8Y0uODE2HYE+jkJw=]
-22
View File
@@ -1,22 +0,0 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- ldap.main.unkin.net
- ldap.service.consul
- ldap.query.consul
- "ldap.service.%{facts.country}-%{facts.region}.consul"
openldap::server::manage_epel: false
profiles::openldap::params::data_path: '/data/ldap/main.unkin.net'
profiles::openldap::params::database: 'dc=main,dc=unkin,dc=net'
profiles::openldap::params::rootdn: "cn=admin,%{hiera('profiles::openldap::params::database')}"
profiles::openldap::params::ldap_server:
- rid: 1
provider: ldap://ausyd1nxvm1044.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
- rid: 2
provider: ldap://ausyd1nxvm1045.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
- rid: 3
provider: ldap://ausyd1nxvm1046.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
+1 -1
View File
@@ -17,5 +17,5 @@ profiles::pki::vault::alt_names:
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
profiles::selinux::setenforce::mode: permissive
hiera_include:
hiera_classes:
- profiles::selinux::setenforce
+1 -1
View File
@@ -1,3 +1,3 @@
---
profiles::gitea::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
profiles::gitea::init::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEACd6q4E/4l1EYD3SFjc1okibyJ13kcGGWU+ShbCgwLgkW7INkyCxhbNm69yPA7WcyuRhH/Lfz/XjJKd3BSCyRQPr5IUOIRINspx82tLBcaMzY/99GFrfyDnf3+SV/AxrPJ/zD5TGkKQP7uX6WjC9DXpHE+pFJa9wBAipmV439y0JDVt2gXFmhqBWThSjBDBfJ5X4zO5wY8CfBX4APOcD5hIQP/T4n04dQLNpigEKKy6B+GFuooTbdmMmFj3ZpT+cUS8Aw9mFkBwyyN1o+50XU3vW4eieUz8cYkzDPu574XfTunqD2jcvPiFjCla8G1SpKfHkruKnZWwgO0Ntw9td5QDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAIRVL5j4dzbYg6f2XjvkQ6gDAd2qUNzPn2flZgKwsjIZcYdmFMTn48hGPUFfVaMDeyzPoJi84CyRJl8cQvcAe52sw=]
-45
View File
@@ -6,11 +6,6 @@ profiles::pki::vault::alt_names:
- git.query.consul
- "git.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- git.main.unkin.net
- git.service.consul
- git.query.consul
consul::services:
git:
service_name: 'git'
@@ -42,43 +37,3 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 3000
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 250M
profiles::gitea::init::root:
APP_NAME: 'Gitea'
RUN_USER: 'git'
RUN_MODE: 'prod'
profiles::gitea::init::repository:
ROOT: '/data/gitea/repos'
FORCE_PRIVATE: false
MAX_CREATION_LIMIT: -1
DISABLE_HTTP_GIT: false
DEFAULT_BRANCH: 'main'
DEFAULT_PRIVATE: 'last'
profiles::gitea::init::ui:
SHOW_USER_EMAIL: false
profiles::gitea::init::server:
PROTOCOL: 'http'
DOMAIN: 'git.query.consul'
ROOT_URL: 'https://git.query.consul'
HTTP_ADDR: '0.0.0.0'
HTTP_PORT: 3000
START_SSH_SERVER: false
SSH_DOMAIN: 'git.query.consul'
SSH_PORT: 2222
SSH_LISTEN_HOST: '0.0.0.0'
OFFLINE_MODE: true
APP_DATA_PATH: '/data/gitea'
SSH_LISTEN_PORT: 22
LFS_START_SERVER: true
profiles::gitea::init::database:
DB_TYPE: 'mysql'
HOST: 'mariadb-prod.service.au-syd1.consul:3306'
NAME: 'gitea'
USER: 'gitea'
PASSWD: "%{hiera('profiles::gitea::mysql_pass')}"
SSL_MODE: 'disable'
LOG_SQL: false
profiles::gitea::init::lfs:
PATH: '/data/gitea/lfs'
profiles::gitea::init::session:
PROVIDER: db
-4
View File
@@ -15,7 +15,6 @@ profiles::haproxy::server::globals:
stats:
- timeout 30s
- socket /var/lib/haproxy/stats
- socket /var/lib/haproxy/admin.sock mode 660 level admin
ca-base: /etc/ssl/certs
crt-base: /etc/ssl/private
ssl-default-bind-ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
@@ -90,6 +89,3 @@ profiles::haproxy::backends:
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
prometheus::haproxy_exporter::cnf_scrape_uri: unix:/var/lib/haproxy/stats
prometheus::haproxy_exporter::export_scrape_job: true
@@ -1,49 +0,0 @@
---
hiera_include:
- profiles::nginx::simpleproxy
profiles::metrics::grafana::mysql_host: "mariadb-%{facts.environment}.service.%{facts.country}-%{facts.region}.consul"
profiles::metrics::grafana::mysql_port: 3306
# additional altnames
profiles::pki::vault::alt_names:
- grafana.main.unkin.net
- grafana.service.consul
- grafana.query.consul
- "grafana.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- grafana.main.unkin.net
- grafana.service.consul
- grafana.query.consul
consul::services:
grafana:
service_name: 'grafana'
tags:
- 'grafana'
- 'metrics'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'Grafana_https_check'
name: 'Grafana HTTPS Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: grafana
disposition: write
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'grafana.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- grafana.main.unkin.net
- grafana.service.consul
- grafana.query.consul
- "grafana.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8080
profiles::nginx::simpleproxy::proxy_path: '/'
@@ -8,5 +8,4 @@ profiles::metrics::server::scrape_jobs:
- bind
- puppetdb
- systemd
- haproxy
profiles::metrics::server::localstorage: /data/prometheus
-21
View File
@@ -12,24 +12,3 @@ profiles::ntp::server::peers:
- '1.au.pool.ntp.org'
- '2.au.pool.ntp.org'
- '3.au.pool.ntp.org'
consul::services:
ntp:
service_name: 'ntp'
tags:
- 'ntp'
- 'time'
- 'sync'
address: "%{facts.networking.ip}"
port: 123
checks:
- id: ntp_check
name: "NTP Service Check"
args:
- '/usr/local/bin/check_ntp.sh'
interval: '15s'
timeout: '5s'
profiles::consul::client::node_rules:
- resource: service
segment: ntp
disposition: write
-28
View File
@@ -5,31 +5,3 @@ sudo::configs:
content: |
ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
hiera_exclude:
- networking
# proxmox tools use root to authenticate against each other
ssh::server::options:
PermitRootLogin: yes
AcceptEnv:
- LANG LC_*
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
ListenAddress:
- "%{facts.networking.interfaces.vmbr1.ip}"
profiles::consul::client::node_rules:
- resource: service
segment: ceph-mon
disposition: write
- resource: service
segment: ceph-mds
disposition: write
- resource: service
segment: ceph-mgr
disposition: write
- resource: service
segment: ceph-osd
disposition: write
-12
View File
@@ -37,14 +37,6 @@ profiles::helpers::certmanager::vault_config:
output_path: '/tmp/certmanager'
role_id: "%{lookup('certmanager::role_id')}"
profiles::helpers::sshsignhost::vault_config:
addr: 'https://vault.service.consul:8200'
mount_point: 'ssh-host-signer'
approle_path: 'approle'
role_name: 'hostrole'
output_path: '/tmp/sshsignhost'
role_id: "%{lookup('sshsignhost::role_id')}"
profiles::puppet::server::agent_server: 'puppet.query.consul'
profiles::puppet::server::report_server: 'puppet.query.consul'
profiles::puppet::server::ca_server: 'puppetca.query.consul'
@@ -58,10 +50,6 @@ profiles::puppet::server::dns_alt_names:
- puppetmaster
- puppet
profiles::ssh::sign::principals:
- puppet.service.consul
- puppet.query.consul
consul::services:
puppet:
service_name: 'puppet'
+2 -2
View File
@@ -1,6 +1,6 @@
---
profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java
profiles::puppet::puppetdb_api::java_args:
profiles::puppetdb::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java
profiles::puppetdb::puppetdb_api::java_args:
'-Xmx': '2048m'
'-Xms': '256m'
-1
View File
@@ -1 +0,0 @@
profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAes6pfgtxctlXpsD+P5bahGP46nbXdPE3EiwdWPSiFP0MKfzFKbhlfOMydhz09fXHEa5mpOY3YHxN9W0tNmbs6mMvHIKKvNog6yowv7JnsQ+D89+c3JEdbi+DPwk6wVnKQEgnSn5uzoOHJVOd7hhtX85n1VTw9iTtSPGZprh11A3VII8dkUaPu6jc35rDGV6tgPvxaYy2vVH/b7wGP+kEe9WjoYU7Qw3odrY2yloGbQ3zXGh7ZXvK9iswKIuCLAMPoaUyJpzVooV7VqD4k/zEHhRgf88RMtww//9P8OHPJ9JPM2q3zHyZzoqRfOP723AP9z2V7OyhEoUNw5npaA6TpzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJevTZmH+Qm1mxwNxHdOzHgCAelk9abLhQkUO29O5d2PP04OTTlmK51BxHb203jqZSFQ==]
-35
View File
@@ -2,38 +2,3 @@
postgresql_config_entries:
max_connections: 300
shared_buffers: '256MB'
consul::services:
puppetdbsql:
service_name: 'puppetdbsql'
tags:
- 'puppet'
- 'puppetdb'
- 'database'
address: "%{facts.networking.ip}"
port: 5432
checks:
- id: 'psql-check'
name: 'PostgreSQL Health Check'
args:
- '/usr/local/bin/check_consul_postgresql'
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: puppetdbsql
disposition: write
profiles::yum::global::repos:
postgresql-15:
name: postgresql-15
descr: postgresql-15 repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
postgresql-common:
name: postgresql-common
descr: postgresql-common repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
-12
View File
@@ -77,15 +77,3 @@ profiles::consul::prepared_query::rules:
service_failover_n: 3
service_only_passing: true
ttl: 10
ntp:
ensure: 'present'
service_name: 'ntp'
service_failover_n: 3
service_only_passing: true
ttl: 10
grafana:
ensure: 'present'
service_name: 'grafana'
service_failover_n: 3
service_only_passing: true
ttl: 10
@@ -42,9 +42,6 @@ profiles::edgecache::params::directories:
/data/edgecache/pub/postgres: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx }
/data/edgecache/pub/ceph: { owner: nginx, group: nginx }
/data/edgecache/pub/ceph/apt: { owner: nginx, group: nginx }
/data/edgecache/pub/ceph/yum: { owner: nginx, group: nginx }
profiles::edgecache::params::mirrors:
debian:
@@ -121,29 +118,3 @@ profiles::edgecache::params::mirrors:
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
ceph_yum_repodata:
ensure: present
location: '~* ^/ceph/yum/.*/repodata/'
rewrite_rules:
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
proxy: http://158.69.68.124
ceph_yum_data:
ensure: present
location: /ceph/yum
proxy: http://158.69.68.124/rpm-reef
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
ceph_apt:
ensure: present
location: /ceph/apt
proxy: http://158.69.68.124/debian-reef
ceph_apt_pool:
ensure: present
location: /ceph/apt/pool
proxy: http://158.69.68.124/debian-reef/pool
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
-10
View File
@@ -1,10 +0,0 @@
# frozen_string_literal: true
require 'facter'
Facter.add('is_pveceph_mds') do
confine enc_role: 'roles::infra::proxmox::node'
setcode do
system('pgrep -x ceph-mds > /dev/null 2>&1')
end
end
-10
View File
@@ -1,10 +0,0 @@
# frozen_string_literal: true
require 'facter'
Facter.add('is_pveceph_osd') do
confine enc_role: 'roles::infra::proxmox::node'
setcode do
system('pgrep -x ceph-osd > /dev/null 2>&1')
end
end
@@ -1,10 +0,0 @@
# frozen_string_literal: true
# lib/facter/sshd_host_cert_exists.rb
require 'puppet'
Facter.add('sshd_host_cert_exists') do
setcode do
File.exist?('/etc/ssh/ssh_host_rsa_key-cert.pem')
end
end
@@ -1,15 +0,0 @@
# frozen_string_literal: true
# lib/facter/sshd_host_principals.rb
require 'puppet'
Facter.add('sshd_host_principals') do
setcode do
principals_file = '/etc/ssh/host_principals'
if File.exist?(principals_file)
File.read(principals_file).split("\n")
else
[]
end
end
end
-27
View File
@@ -1,27 +0,0 @@
class lidarr::config (
$user = $lidarr::params::user,
$group = $lidarr::params::group,
$base_path = $lidarr::params::base_path,
$bind_address = $lidarr::bind_address,
$port = $lidarr::port,
$ssl_port = $lidarr::ssl_port,
$enable_ssl = $lidarr::enable_ssl,
$launch_browser = $lidarr::launch_browser,
$api_key = $lidarr::api_key,
$authentication_method = $lidarr::authentication_method,
$authentication_required = $lidarr::authentication_required,
$branch = $lidarr::branch,
$log_level = $lidarr::log_level,
$ssl_cert_path = $lidarr::ssl_cert_path,
$ssl_cert_password = $lidarr::ssl_cert_password,
$url_base = $lidarr::url_base,
$instance_name = $lidarr::instance_name,
) {
file { "${base_path}/config.xml":
ensure => file,
content => template('lidarr/lidarr_config.xml.erb'),
owner => $user,
group => $group,
mode => '0644',
}
}
-37
View File
@@ -1,37 +0,0 @@
# manage lidarr
class lidarr (
$packages = $lidarr::params::packages,
$user = $lidarr::params::user,
$group = $lidarr::params::group,
$manage_group = $lidarr::params::manage_group,
$base_path = $lidarr::params::base_path,
$install_path = $lidarr::params::install_path,
$config_folder = $lidarr::params::config_folder,
$app_folder = $lidarr::params::app_folder,
$archive_name = $lidarr::params::archive_name,
$archive_url = $lidarr::params::archive_url,
$executable = $lidarr::params::executable,
$service_enable = $lidarr::params::service_enable,
$service_name = $lidarr::params::service_name,
$bind_address = $lidarr::params::bind_address,
$port = $lidarr::params::port,
$ssl_port = $lidarr::params::ssl_port,
$enable_ssl = $lidarr::params::enable_ssl,
$launch_browser = $lidarr::params::launch_browser,
$api_key = $lidarr::params::api_key,
$authentication_method = $lidarr::params::authentication_method,
$authentication_required = $lidarr::params::authentication_required,
$branch = $lidarr::params::branch,
$log_level = $lidarr::params::log_level,
$ssl_cert_path = $lidarr::params::ssl_cert_path,
$ssl_cert_password = $lidarr::params::ssl_cert_password,
$url_base = $lidarr::params::url_base,
$instance_name = $lidarr::params::instance_name,
) inherits lidarr::params {
include lidarr::install
include lidarr::config
include lidarr::service
Class['lidarr::install'] -> Class['lidarr::config'] -> Class['lidarr::service']
}
-61
View File
@@ -1,61 +0,0 @@
# instsall lidarr
class lidarr::install (
$packages = $lidarr::packages,
$user = $lidarr::user,
$group = $lidarr::group,
$manage_group = $lidarr::manage_group,
$base_path = $lidarr::base_path,
$install_path = $lidarr::install_path,
$config_folder = $lidarr::config_folder,
$app_folder = $lidarr::app_folder,
$archive_name = $lidarr::archive_name,
$archive_url = $lidarr::archive_url,
$executable = $lidarr::executable,
) {
$_packages = $packages ? {
Array => true,
default => false,
}
if $_packages {
ensure_packages($packages, {ensure => 'installed'})
}
if $manage_group {
group { $group:
ensure => present,
}
}
user { $user:
ensure => present,
shell => '/sbin/nologin',
groups => $group,
managehome => true,
}
file { [ $base_path, $install_path, $config_folder, $app_folder ]:
ensure => directory,
owner => $user,
group => $group,
}
archive { $archive_name:
path => "/tmp/${archive_name}",
source => "${archive_url}${archive_name}",
extract => true,
extract_path => $install_path,
creates => "${install_path}/${executable}",
cleanup => true,
require => File[$install_path],
user => $user,
group => $group,
notify => Exec['move_lidarr_files'],
}
exec { 'move_lidarr_files':
command => "/usr/bin/mv ${install_path}/Lidarr/* ${install_path}",
creates => "${install_path}/${executable}",
}
}
-50
View File
@@ -1,50 +0,0 @@
# lidarr params
class lidarr::params (
Array[String] $packages = [
'mediainfo',
'libzen',
'libmediainfo',
'gettext',
'sqlite.x86_64',
'par2cmdline',
'python3-feedparser',
'python3-configobj',
'python3-cheetah',
'python3-dbus',
'libxslt-devel',
'libchromaprint',
],
String $user = 'lidarr',
String $group = 'lidarr',
Boolean $manage_group = true,
Stdlib::Absolutepath $base_path = '/opt/lidarr',
Stdlib::Absolutepath $install_path = '/opt/lidarr/bin',
Stdlib::Absolutepath $config_folder = '/home/lidarr/.config',
Stdlib::Absolutepath $app_folder = '/home/lidarr/.config/Lidarr',
String $archive_version = '2.3.3',
String $archive_name = 'Lidarr.master.linux-core-x64.tar.gz',
Stdlib::HTTPUrl $archive_url = "https://git.query.consul/api/packages/unkinben/generic/lidarr/${archive_version}/",
String $executable = 'Lidarr/Lidarr',
String $service_name = 'lidarr',
Boolean $service_enable = true,
# params for the configuration file
Stdlib::Host $bind_address = '127.0.0.1',
Stdlib::Port $port = 8686,
Stdlib::Port $ssl_port = 9696,
Boolean $enable_ssl = false,
Boolean $launch_browser = true,
String $api_key = '32-digit-random-string-goes-here',
Enum[
'Forms',
'Basic',
'External'
] $authentication_method = 'External',
Enum['Enabled', 'Disabled'] $authentication_required = 'Enabled',
String $branch = 'main',
Enum['debug', 'info', 'warn', 'error', 'fatal'] $log_level = 'info',
Optional[String] $ssl_cert_path = undef,
Optional[String] $ssl_cert_password = undef,
Optional[String] $url_base = undef,
String $instance_name = 'lidarr',
) { }

Some files were not shown because too many files have changed in this diff Show More