Compare commits
230 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 1156f3d72a | |||
| c7e5356444 | |||
| 93ab2bebc3 | |||
| 348f2dfca3 | |||
| 5221c15a66 | |||
| 1d49480010 | |||
| f63cf2f654 | |||
| 3d425bfcbd | |||
| e8c8f5c1d6 | |||
| ae85541f6b | |||
| 0c1fd63b7d | |||
| 797670b55d | |||
| 1204ee3314 | |||
| 75ddacb6b1 | |||
| 1532641640 | |||
| abb4a47703 | |||
| 857d51a934 | |||
| fd5163d6e6 | |||
| d67eba5860 | |||
| dacd2c6994 | |||
| 930341c05c | |||
| 47333237ee | |||
| 924631d705 | |||
| 384e301fd3 | |||
| d52949fc4f | |||
| fe20590ac6 | |||
| d9a2966ffd | |||
| 899e2cbf49 | |||
| bd5164fed3 | |||
| 30ec8c1bb1 | |||
| c419620838 | |||
| 9db714d02f | |||
| 4b8a9825c0 | |||
| 991c8a3029 | |||
| 152ffaa1d3 | |||
| 65046329f4 | |||
| d05cf628a8 | |||
| da1402691c | |||
| b5c7b310ee | |||
| 2ab2cd1399 | |||
| 8b01ddba9c | |||
| d1dd12a091 | |||
| 354e561380 | |||
| cbded220bb | |||
| 89697e85aa | |||
| 158ebaf7a0 | |||
| 02a2097955 | |||
| 658af2b6b6 | |||
| f3046f8fbb | |||
| f9ff44afec | |||
| 21a45c1b03 | |||
| 33f66c8dbc | |||
| b0934caf23 | |||
| 8e1622a158 | |||
| fe35baacfd | |||
| 6e3802ad57 | |||
| c8604baa4e | |||
| c69e8c487e | |||
| 0a86986edf | |||
| 2199e4e3c0 | |||
| f81b5753ff | |||
| e437629e12 | |||
| bc35270731 | |||
| c1a6191cab | |||
| 0d4652cfdf | |||
| 9b9f64ca95 | |||
| d7f0c9073f | |||
| e74dc624c3 | |||
| 7bd12c9880 | |||
| aa8ded5850 | |||
| 1d1c5621c0 | |||
| 0e11c03e9d | |||
| 7520fdddbd | |||
| d07751a151 | |||
| 9be3656d15 | |||
| 9b8556f487 | |||
| 5acc683374 | |||
| 8a1d62cd41 | |||
| b6a77afc7b | |||
| 2b1ea45e4e | |||
| 19caafbc43 | |||
| a4e78f645a | |||
| f6aa2fac62 | |||
| 2147cc434d | |||
| f63e6a953c | |||
| 38819ba2ab | |||
| 72c6fdb249 | |||
| dc70687860 | |||
| 17dbbd8d0c | |||
| 7efd6edea9 | |||
| 95e387d3ad | |||
| febd98d316 | |||
| 5aac7752cd | |||
| dcccc85264 | |||
| 14c98ea659 | |||
| 5f5a9f5f65 | |||
| 3c63d8e797 | |||
| ab617a9de1 | |||
| bc27902fd2 | |||
| f2046efebe | |||
| 0b7f07692c | |||
| bbf9944ef5 | |||
| 89383268f0 | |||
| bccdb99ef4 | |||
| aa63970dc1 | |||
| bafb524fd2 | |||
| 40ff5f7d92 | |||
| 17c16bfc33 | |||
| 6993ff0036 | |||
| 679a4203a9 | |||
| 93125d9d71 | |||
| b90c6468b3 | |||
| 027140fb7a | |||
| 44bd2d3d89 | |||
| 56df5695dc | |||
| f22556b39f | |||
| f0086944f9 | |||
| b846a49127 | |||
| 34e696e8c3 | |||
| a12fac20ab | |||
| 7af6130598 | |||
| 4857b72ce3 | |||
| 3ace70bcea | |||
| 6839fb8c5f | |||
| 3b907159f1 | |||
| d5262b0ef5 | |||
| 53dfa0ca75 | |||
| 396e64de1d | |||
| 803a0ac01d | |||
| 736f04143f | |||
| 82ed27cf56 | |||
| 5631f07e6e | |||
| 8eca497ea2 | |||
| 9b2ca85f59 | |||
| 548076728a | |||
| 570df81bd9 | |||
| 2d3f4414b7 | |||
| 3991b6408b | |||
| f5a9eaef4a | |||
| 4a95fbbd31 | |||
| 4db9faa551 | |||
| 8548ef0284 | |||
| 681f9e3eb8 | |||
| a431c50980 | |||
| d98b12bf81 | |||
| 59b181ed54 | |||
| 36ad19ffed | |||
| 1995ce9eac | |||
| a3ef535bfc | |||
| feddc4a3fb | |||
| eb462eb3a3 | |||
| 449c6b082e | |||
| 94aed2df9c | |||
| 0ff9b86782 | |||
| 7d70b99491 | |||
| c6530e34f6 | |||
| 5725d092b8 | |||
| 09f50c9940 | |||
| 62cac63f11 | |||
| 0fe05bb896 | |||
| dd82d63b41 | |||
| a901a0b868 | |||
| 1e316dc814 | |||
| 58acd83410 | |||
| cc0a9e132e | |||
| 67f831edaf | |||
| c9abc779a0 | |||
| 380bb7bcb5 | |||
| 1b5e6120e7 | |||
| 82ce3ed4d7 | |||
| 3adc343f68 | |||
| ca558d493b | |||
| cbbcfa3b9e | |||
| 6b0e0daecb | |||
| 846e2b71f8 | |||
| 6f7740e6a2 | |||
| abd2eb5c9b | |||
| b4c20fd7d6 | |||
| b7a22551b1 | |||
| e00a78e5fb | |||
| a143732b3b | |||
| 45f3cb39c7 | |||
| 2b36ee3efa | |||
| 56711212a7 | |||
| 4ab5fd6be3 | |||
| 42be771732 | |||
| 255cf38c67 | |||
| 9c23c0005a | |||
| 5e13f1a1e8 | |||
| 6944d67e04 | |||
| 965e334636 | |||
| d4163233f6 | |||
| 52b06dcd8e | |||
| 9d3ddb37df | |||
| 934f4be03c | |||
| 777fe1aef6 | |||
| 57b935b33e | |||
| da9d52e117 | |||
| 06545c6298 | |||
| 51eeb13793 | |||
| 721d14378a | |||
| aaf482c9b9 | |||
| 33ba0bb896 | |||
| 07c896b924 | |||
| 6822a39dc3 | |||
| b85f14ed89 | |||
| e3f34a7cc4 | |||
| c000244c5a | |||
| 76fc6b9fa1 | |||
| 902e55f655 | |||
| da3444e49f | |||
| b468f67103 | |||
| 9819ce7f4d | |||
| cc7165055d | |||
| 4bd3310ea8 | |||
| d7208c5e40 | |||
| 4b4272250a | |||
| 3dfe9b9b73 | |||
| de39515862 | |||
| 7aa7f33145 | |||
| a6a03b4d83 | |||
| 39aa6e114e | |||
| 40c4be6f6e | |||
| ae6547aea8 | |||
| 5e31af2ee2 | |||
| c5d63bd6f8 | |||
| f351cc8413 | |||
| fd5c3dbce2 | |||
| 49f405e0bc | |||
| 254c9f1358 |
@@ -35,10 +35,15 @@ mod 'puppet-vault', '4.1.0'
|
||||
mod 'puppet-dhcp', '6.1.0'
|
||||
mod 'puppet-keepalived', '3.6.0'
|
||||
mod 'puppet-extlib', '7.0.0'
|
||||
mod 'puppet-network', '2.2.0'
|
||||
mod 'puppet-kmod', '4.0.1'
|
||||
mod 'puppet-filemapper', '4.0.0'
|
||||
mod 'puppet-letsencrypt', '11.0.0'
|
||||
|
||||
# other
|
||||
mod 'ghoneycutt-puppet', '3.3.0'
|
||||
mod 'saz-sudo', '8.0.0'
|
||||
mod 'saz-ssh', '12.1.0'
|
||||
mod 'ghoneycutt-timezone', '4.0.0'
|
||||
mod 'dalen-puppetdbquery', '3.0.1'
|
||||
mod 'markt-galera', '3.1.0'
|
||||
@@ -46,6 +51,7 @@ mod 'kogitoapp-minio', '1.1.4'
|
||||
mod 'broadinstitute-certs', '3.0.1'
|
||||
mod 'stm-file_capability', '6.0.0'
|
||||
mod 'h0tw1r3-gitea', '3.2.0'
|
||||
mod 'rehan-mkdir', '2.0.0'
|
||||
|
||||
mod 'bind',
|
||||
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
# Group administration
|
||||
|
||||
This page exists to list all the locally managed groups, their gid's and what their general purpose is for.
|
||||
|
||||
## List of groups
|
||||
| name | gid | purpose |
|
||||
|-------------|-------------|-------------|
|
||||
| admin | 10000 | admin group designed for system admins |
|
||||
| media | 20000 | group permissions to manage media (*arrs) |
|
||||
@@ -0,0 +1,60 @@
|
||||
# managing ceph
|
||||
|
||||
Always refer back to the official documentation at https://docs.ceph.com/en/latest
|
||||
|
||||
## adding new cephfs
|
||||
- create a erasure code profile which will allow you to customise the raid level
|
||||
- raid5 with 3 disks? k=2,m=1
|
||||
- raid5 with 6 disks? k=5,m=1
|
||||
- raid6 with 4 disks? k=2,m=2, etc
|
||||
- create osd pool using custom profile for data
|
||||
- create osd pool using default replicated profile for metadata
|
||||
- enable ec_overwrites for the data pool
|
||||
- create the ceph fs volume using data/metadata pools
|
||||
- set ceph fs settings
|
||||
- specify minimum number of metadata servers (mds)
|
||||
- set fs to be for bulk data
|
||||
- set mds fast failover with standby reply
|
||||
|
||||
|
||||
```
|
||||
sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
|
||||
sudo ceph osd pool create media_data 128 erasure ec_4_1
|
||||
sudo ceph osd pool create media_metadata 32 replicated_rule
|
||||
sudo ceph osd pool set media_data allow_ec_overwrites true
|
||||
sudo ceph osd pool set media_data bulk true
|
||||
sudo ceph fs new mediafs media_metadata media_data --force
|
||||
sudo ceph fs set mediafs allow_standby_replay true
|
||||
sudo ceph fs set mediafs max_mds 2
|
||||
```
|
||||
|
||||
## creating authentication tokens
|
||||
|
||||
- this will create a client keyring named media
|
||||
- this client will have the following capabilities:
|
||||
- mon: read
|
||||
- mds:
|
||||
- read /
|
||||
- read/write /media
|
||||
- read/write /common
|
||||
- osd: read/write to cephfs_data pool
|
||||
|
||||
```
|
||||
sudo ceph auth get-or-create client.media \
|
||||
mon 'allow r' \
|
||||
mds 'allow r path=/, allow rw path=/media, allow rw path=/common' \
|
||||
osd 'allow rw pool=cephfs_data'
|
||||
```
|
||||
|
||||
## list the authentication tokens and permissions
|
||||
|
||||
ceph auth ls
|
||||
|
||||
## change the capabilities of a token
|
||||
|
||||
this will overwrite the current capabilities of a given client.user
|
||||
|
||||
sudo ceph auth caps client.media \
|
||||
mon 'allow r' \
|
||||
mds 'allow rw path=/' \
|
||||
osd 'allow rw pool=media_data'
|
||||
@@ -0,0 +1,31 @@
|
||||
# add additional master
|
||||
|
||||
these steps are required when adding additional puppet masters, as the subject alternative names on the certificate will need to be changed. this requires the old certificate be revoked, cleaned up, and for a new certificate to be generated and signed.
|
||||
|
||||
## prepare a new node
|
||||
- deploy a new now, or identify a space with the base role
|
||||
- change the hosts class to roles::infra::puppet::master
|
||||
- apply puppet until there are no more changes
|
||||
|
||||
## revoke the current certificate on the puppet master
|
||||
|
||||
sudo puppetserver ca clean --certname ausyd1nxvm1023.main.unkin.net
|
||||
|
||||
## stop the new puppetserver and cleanup revoked certificates
|
||||
|
||||
sudo systemctl stop puppetserver
|
||||
sudo rm -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
|
||||
sudo rm -f /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem
|
||||
|
||||
## copy the current crl.pem, as puppetserver will overwrite it when starting
|
||||
|
||||
sudo cp /etc/puppetlabs/puppet/ssl/crl.pem /root/current_crl.pem
|
||||
|
||||
## request new puppet agent certificate
|
||||
|
||||
sudo puppet ssl bootstrap
|
||||
|
||||
## start the puppetserver service and move the crl.pem back in place
|
||||
|
||||
sudo systemctl start puppetserver
|
||||
sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
|
||||
@@ -0,0 +1,123 @@
|
||||
# PKI
|
||||
## root ca
|
||||
vault secrets enable -path=pki_root pki
|
||||
vault secrets tune -max-lease-ttl=87600h pki_root
|
||||
|
||||
vault write -field=certificate pki_root/root/generate/internal \
|
||||
common_name="unkin.net" \
|
||||
issuer_name="UNKIN_ROOTCA_2024" \
|
||||
ttl=87600h > unkinroot_2024_ca.crt
|
||||
|
||||
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
|
||||
|
||||
vault write pki_root/roles/2024-servers allow_any_name=true
|
||||
|
||||
vault write pki_root/config/urls \
|
||||
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
|
||||
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
|
||||
|
||||
## intermediate
|
||||
vault secrets enable -path=pki_int pki
|
||||
vault secrets tune -max-lease-ttl=43800h pki_int
|
||||
|
||||
vault write -format=json pki_int/intermediate/generate/internal \
|
||||
common_name="unkin.net Intermediate Authority" \
|
||||
issuer_name="UNKIN_VAULTCA_2024" \
|
||||
| jq -r '.data.csr' > pki_intermediate.csr
|
||||
|
||||
vault write -format=json pki_root/root/sign-intermediate \
|
||||
issuer_ref="UNKIN_ROOTCA_2024" \
|
||||
csr=@pki_intermediate.csr \
|
||||
format=pem_bundle ttl="43800h" \
|
||||
| jq -r '.data.certificate' > intermediate.cert.pem
|
||||
|
||||
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
|
||||
|
||||
## create role
|
||||
vault write pki_int/roles/servers_default \
|
||||
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
|
||||
allow_ip_sans=true \
|
||||
allowed_domains="unkin.net, *.unkin.net, localhost" \
|
||||
allow_subdomains=true \
|
||||
allow_glob_domains=true \
|
||||
allow_bare_domains=true \
|
||||
enforce_hostnames=true \
|
||||
allow_any_name=true \
|
||||
max_ttl="2160h" \
|
||||
key_bits=4096 \
|
||||
country="Australia"
|
||||
|
||||
## test generating a domain cert
|
||||
vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
|
||||
vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
|
||||
vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
|
||||
|
||||
## remove expired certificates
|
||||
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
|
||||
|
||||
# AUTH
|
||||
## enable approles
|
||||
vault auth enable approle
|
||||
|
||||
# CERTMANAGER
|
||||
## create certmanager policy and token, limit to puppetmaster
|
||||
cat <<EOF > certmanager.hcl
|
||||
path "pki_int/issue/*" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
path "pki_int/renew/*" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
path "pki_int/cert/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
EOF
|
||||
|
||||
vault policy write certmanager certmanager.hcl
|
||||
|
||||
vault write auth/approle/role/certmanager \
|
||||
bind_secret_id=false \
|
||||
token_policies="certmanager" \
|
||||
token_ttl=30s \
|
||||
token_max_ttl=30s \
|
||||
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
|
||||
|
||||
## get the certmanager approle id
|
||||
vault read -field=role_id auth/approle/role/certmanager/role-id
|
||||
|
||||
|
||||
# SSH Hostkey Signing
|
||||
|
||||
## create ssh engine, key, set ttl
|
||||
vault secrets enable -path=ssh-host-signer ssh
|
||||
vault write ssh-host-signer/config/ca generate_signing_key=true
|
||||
vault secrets tune -max-lease-ttl=87600h ssh-host-signer
|
||||
|
||||
## create role
|
||||
vault write ssh-host-signer/roles/hostrole \
|
||||
key_type=ca \
|
||||
algorithm_signer=rsa-sha2-256 \
|
||||
ttl=87600h \
|
||||
allow_host_certificates=true \
|
||||
allowed_domains="unkin.net" \
|
||||
allow_subdomains=true \
|
||||
allow_baredomains=true
|
||||
|
||||
## create policy to use hostrole
|
||||
cat <<EOF > sshsign-host.hcl
|
||||
path "ssh-host-signer/sign/hostrole" {
|
||||
capabilities = ["create", "update"]
|
||||
}
|
||||
EOF
|
||||
|
||||
vault policy write sshsign-host-policy sshsign-host.hcl
|
||||
|
||||
vault write auth/approle/role/sshsign-host-role \
|
||||
bind_secret_id=false \
|
||||
token_policies="sshsign-host-policy" \
|
||||
token_ttl=30s \
|
||||
token_max_ttl=30s \
|
||||
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
|
||||
|
||||
## get the sshsign-host-role approle id
|
||||
vault read -field=role_id auth/approle/role/sshsign-host-role/role-id
|
||||
@@ -1,48 +0,0 @@
|
||||
# root ca
|
||||
vault secrets enable -path=pki_root pki
|
||||
|
||||
vault write -field=certificate pki_root/root/generate/internal \
|
||||
common_name="unkin.net" \
|
||||
issuer_name="unkinroot-2024" \
|
||||
ttl=87600h > unkinroot_2024_ca.crt
|
||||
|
||||
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
|
||||
|
||||
vault write pki_root/roles/2024-servers allow_any_name=true
|
||||
|
||||
vault write pki_root/config/urls \
|
||||
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
|
||||
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
|
||||
|
||||
# intermediate
|
||||
vault secrets enable -path=pki_int pki
|
||||
vault secrets tune -max-lease-ttl=43800h pki_int
|
||||
|
||||
vault write -format=json pki_int/intermediate/generate/internal \
|
||||
common_name="unkin.net Intermediate Authority" \
|
||||
issuer_name="unkin-dot-net-intermediate" \
|
||||
| jq -r '.data.csr' > pki_intermediate.csr
|
||||
|
||||
vault write -format=json pki_root/root/sign-intermediate \
|
||||
issuer_ref="unkinroot-2024" \
|
||||
csr=@pki_intermediate.csr \
|
||||
format=pem_bundle ttl="43800h" \
|
||||
| jq -r '.data.certificate' > intermediate.cert.pem
|
||||
|
||||
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
|
||||
|
||||
# create role
|
||||
vault write pki_int/roles/unkin-dot-net \
|
||||
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
|
||||
allowed_domains="unkin.net" \
|
||||
allow_subdomains=true \
|
||||
max_ttl="2160h"
|
||||
|
||||
# test generating a domain cert
|
||||
vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
|
||||
vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
|
||||
vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
|
||||
|
||||
|
||||
# remove expired certificates
|
||||
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
|
||||
+100
-36
@@ -108,11 +108,43 @@ lookup_options:
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
merge:
|
||||
strategy: deep
|
||||
networking::interfaces:
|
||||
merge:
|
||||
strategy: deep
|
||||
networking::interface_defaults:
|
||||
merge:
|
||||
strategy: deep
|
||||
networking::routes:
|
||||
merge:
|
||||
strategy: deep
|
||||
networking::route_defaults:
|
||||
merge:
|
||||
strategy: deep
|
||||
ssh::server::options:
|
||||
merge:
|
||||
strategy: deep
|
||||
mysql::db:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::ceph::client::keyrings:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
merge:
|
||||
strategy: deep
|
||||
certbot::client::domains:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::metrics::exportarr:
|
||||
merge:
|
||||
strategy: deep
|
||||
|
||||
facts_path: '/opt/puppetlabs/facter/facts.d'
|
||||
|
||||
hiera_classes:
|
||||
hiera_include:
|
||||
- timezone
|
||||
- networking
|
||||
- ssh::server
|
||||
|
||||
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
||||
profiles::ntp::client::use_ntp: 'region'
|
||||
@@ -150,6 +182,7 @@ profiles::packages::install:
|
||||
- curl
|
||||
- dstat
|
||||
- expect
|
||||
- gcc
|
||||
- gzip
|
||||
- git
|
||||
- htop
|
||||
@@ -170,6 +203,7 @@ profiles::packages::install:
|
||||
- socat
|
||||
- strace
|
||||
- sysstat
|
||||
- tar
|
||||
- tmux
|
||||
- traceroute
|
||||
- unzip
|
||||
@@ -215,6 +249,38 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
|
||||
prometheus::node_exporter::export_scrape_job: true
|
||||
prometheus::systemd_exporter::export_scrape_job: true
|
||||
|
||||
ssh::server::storeconfigs_enabled: false
|
||||
ssh::server::options:
|
||||
Protocol: '2'
|
||||
ListenAddress:
|
||||
- '127.0.0.1'
|
||||
- '%{facts.networking.ip}'
|
||||
SyslogFacility: 'AUTHPRIV'
|
||||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
PermitRootLogin: no
|
||||
PasswordAuthentication: no
|
||||
ChallengeResponseAuthentication: no
|
||||
PubkeyAuthentication: yes
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: yes
|
||||
UsePAM: yes
|
||||
X11Forwarding: no
|
||||
PrintMotd: no
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
Subsystem: sftp /usr/libexec/openssh/sftp-server
|
||||
|
||||
profiles::ssh::knownhosts::lines:
|
||||
- '@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1HD97vYxLTniE4qNpGuftUlvmkEXIuX8+7nbENv/IzsGUghEDRtyThjQ7ojNKIsQ7f8wXr0gMcI+fAPfrbcOMHCAoYMomikwL0b3h95SZI40q3CyM+0DMnwiVVDX6C1QxkO2Rv9cszSkCa85NotJhXiUuTBI9BFcRPy+mAhbpAru+bfypYofI0wW97XNTl8Jgwmni5MgutBIQAokFIn5ux8iWxndCH3AqDtmkwC5DfQeQ+wZx7rkwqJEpJffQzrjb1gIM6P9hDCVBBVPh/3o80IJ69rFWrJAZUb+JpG4cXJH0NcSW+wqc3JCT/x3q8VlHwOTXSlNNKtOJCRx73mB8e1XTTy2a9FgpKDDg5XQXWHAViJDz1RTRL9gRefMylRgKz4bXoTuY9kJWM8hPTyUejtukbJThlBJc3OmDxBZBF7F0iqB11pHexok43OCEiANodVa36eWu9/5X032Vm48fZ1/akDPY/NSy3wAn7kwut+A0/JAHFHASrq+1mt9YurkJegI+YHXO6eEWpBIpmI7ORHJbGL4MhkHrxYzVamuP8CkU7tXzsv138+wpOcRHNp9yJY4PT40BZkRf/O3O+jt3pj9Dj8rvgywF2W6hFzywh3Y78upOprRkQlQtHfsI8EyrYI8/hUw2u3H+3yPXh3YjWfqvWVG1BRLRHBV7m90uaw=='
|
||||
|
||||
profiles::base::groups::local:
|
||||
admins:
|
||||
ensure: present
|
||||
@@ -231,38 +297,36 @@ sudo::configs:
|
||||
profiles::accounts::sysadmin::sshkeys:
|
||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
|
||||
|
||||
profiles::base::hosts::additional_hosts:
|
||||
- ip: 198.18.17.3
|
||||
hostname: prodinf01n01.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n01
|
||||
- puppet
|
||||
- puppetmaster
|
||||
- puppetca
|
||||
- ip: 198.18.17.4
|
||||
hostname: prodinf01n04.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n04
|
||||
- ip: 198.18.17.5
|
||||
hostname: prodinf01n05.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n05
|
||||
- ip: 198.18.17.6
|
||||
hostname: prodinf01n06.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n06
|
||||
- ip: 198.18.17.9
|
||||
hostname: prodinf01n09.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n09
|
||||
- ntp01.main.unkin.net
|
||||
- ip: 198.18.17.10
|
||||
hostname: prodinf01n10.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n10
|
||||
- ntp02.main.unkin.net
|
||||
- ip: 198.18.17.22
|
||||
hostname: prodinf01n22.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n22
|
||||
- repos.main.unkin.net
|
||||
networking::interface_defaults:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::route_defaults:
|
||||
ensure: present
|
||||
interface: eth0
|
||||
netmask: 0.0.0.0
|
||||
network: default
|
||||
|
||||
profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
|
||||
profiles::ceph::client::mons:
|
||||
- 10.18.15.1
|
||||
- 10.18.15.2
|
||||
- 10.18.15.3
|
||||
#profiles::base::hosts::additional_hosts:
|
||||
# - ip: 198.18.17.9
|
||||
# hostname: prodinf01n09.main.unkin.net
|
||||
# aliases:
|
||||
# - prodinf01n09
|
||||
# - ntp01.main.unkin.net
|
||||
# - ip: 198.18.17.10
|
||||
# hostname: prodinf01n10.main.unkin.net
|
||||
# aliases:
|
||||
# - prodinf01n10
|
||||
# - ntp02.main.unkin.net
|
||||
# - ip: 198.18.17.22
|
||||
# hostname: prodinf01n22.main.unkin.net
|
||||
# aliases:
|
||||
# - prodinf01n22
|
||||
# - repos.main.unkin.net
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
---
|
||||
certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl]
|
||||
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
||||
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]
|
||||
|
||||
@@ -1,2 +1,3 @@
|
||||
---
|
||||
timezone::timezone: 'Australia/Sydney'
|
||||
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
|
||||
|
||||
@@ -6,11 +6,27 @@ profiles::haproxy::mappings:
|
||||
mappings:
|
||||
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
|
||||
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
|
||||
- 'sonarr.main.unkin.net be_sonarr'
|
||||
- 'radarr.main.unkin.net be_radarr'
|
||||
- 'lidarr.main.unkin.net be_lidarr'
|
||||
- 'readarr.main.unkin.net be_readarr'
|
||||
- 'prowlarr.main.unkin.net be_prowlarr'
|
||||
- 'nzbget.main.unkin.net be_nzbget'
|
||||
- 'jellyfin.main.unkin.net be_jellyfin'
|
||||
- 'fafflix.unkin.net be_jellyfin'
|
||||
fe_https:
|
||||
ensure: present
|
||||
mappings:
|
||||
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
|
||||
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
|
||||
- 'sonarr.main.unkin.net be_sonarr'
|
||||
- 'radarr.main.unkin.net be_radarr'
|
||||
- 'lidarr.main.unkin.net be_lidarr'
|
||||
- 'readarr.main.unkin.net be_readarr'
|
||||
- 'prowlarr.main.unkin.net be_prowlarr'
|
||||
- 'nzbget.main.unkin.net be_nzbget'
|
||||
- 'jellyfin.main.unkin.net be_jellyfin'
|
||||
- 'fafflix.unkin.net be_jellyfin'
|
||||
|
||||
profiles::haproxy::frontends:
|
||||
fe_http:
|
||||
@@ -20,7 +36,15 @@ profiles::haproxy::frontends:
|
||||
fe_https:
|
||||
options:
|
||||
acl:
|
||||
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
|
||||
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
|
||||
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
|
||||
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
|
||||
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
|
||||
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
|
||||
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
|
||||
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
|
||||
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
|
||||
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
|
||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||
use_backend:
|
||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||
@@ -28,6 +52,14 @@ profiles::haproxy::frontends:
|
||||
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
|
||||
http-response:
|
||||
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
|
||||
- 'set-header X-Frame-Options DENY if acl_sonarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_radarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_lidarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_readarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_prowlarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_nzbget'
|
||||
- 'set-header X-Frame-Options DENY if acl_jellyfin'
|
||||
- 'set-header X-Frame-Options DENY if acl_fafflix'
|
||||
- 'set-header X-Content-Type-Options nosniff'
|
||||
- 'set-header X-XSS-Protection 1;mode=block'
|
||||
|
||||
@@ -63,17 +95,151 @@ profiles::haproxy::backends:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_sonarr:
|
||||
description: Backend for au-syd1 sonarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_radarr:
|
||||
description: Backend for au-syd1 radarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_lidarr:
|
||||
description: Backend for au-syd1 lidarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_readarr:
|
||||
description: Backend for au-syd1 readarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_prowlarr:
|
||||
description: Backend for au-syd1 prowlarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_nzbget:
|
||||
description: Backend for au-syd1 nzbget
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_jellyfin:
|
||||
description: Backend for au-syd1 jellyfin
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
|
||||
profiles::haproxy::certlist::enabled: true
|
||||
profiles::haproxy::certlist::certificates:
|
||||
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/vault/certificate.pem
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
- jellyfin.main.unkin.net
|
||||
|
||||
# additional cnames
|
||||
profiles::haproxy::dns::cnames:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
|
||||
# letsencrypt certificates
|
||||
certbot::client::domains:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
- sonarr.main.unkin.net
|
||||
- radarr.main.unkin.net
|
||||
- lidarr.main.unkin.net
|
||||
- readarr.main.unkin.net
|
||||
- prowlarr.main.unkin.net
|
||||
- nzbget.main.unkin.net
|
||||
- fafflix.unkin.net
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
---
|
||||
certmanager::vault_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
||||
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
||||
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
|
||||
@@ -2,3 +2,14 @@
|
||||
profiles::sql::galera_member::cluster_name: au-syd1
|
||||
profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net
|
||||
profiles::sql::galera_member::innodb_buffer_pool_size: 256M
|
||||
|
||||
mysql::db:
|
||||
grafana:
|
||||
name: grafana
|
||||
user: grafana
|
||||
password: "%{alias('mysql::db::grafana::pass')}"
|
||||
grant:
|
||||
- SELECT
|
||||
- INSERT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.10
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.11
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.12
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.13
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.14
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.15
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.16
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.17
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.18
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.19
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.20
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.21
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.22
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.23
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.24
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.25
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.26
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,2 +1,11 @@
|
||||
---
|
||||
profiles::cobbler::params::is_cobbler_master: true
|
||||
networking::interfaces:
|
||||
ens18:
|
||||
ipaddress: 198.18.13.27
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
interface: ens18
|
||||
|
||||
profiles::almalinux::base::remove_ens18: false
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.28
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.29
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.30
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,10 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
ens18:
|
||||
ipaddress: 198.18.13.31
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
interface: ens18
|
||||
|
||||
profiles::almalinux::base::remove_ens18: false
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.32
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.33
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.34
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.35
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.36
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.37
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.38
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.39
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.40
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.41
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.42
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.43
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.44
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.45
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -5,5 +5,17 @@ profiles::puppet::server::dns_alt_names:
|
||||
- puppetca.query.consul
|
||||
- puppetca
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- puppetca.main.unkin.net
|
||||
- puppetca.service.consul
|
||||
- puppetca.query.consul
|
||||
- puppetca
|
||||
|
||||
profiles::puppet::puppetca::is_puppetca: true
|
||||
profiles::puppet::puppetca::allow_subject_alt_names: true
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.46
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.47
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.47
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.48
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.49
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.50
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.50
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.51
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.51
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.52
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.52
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.53
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.53
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.54
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.55
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.56
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.57
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.57
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.58
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.58
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -7,3 +7,6 @@ profiles::puppet::server::dns_alt_names:
|
||||
|
||||
profiles::puppet::puppetca::is_puppetca: false
|
||||
profiles::puppet::puppetca::allow_subject_alt_names: true
|
||||
|
||||
hiera_exclude:
|
||||
- networking
|
||||
|
||||
@@ -5,10 +5,15 @@ profiles::firewall::firewalld::ensure_service: 'stopped'
|
||||
profiles::firewall::firewalld::enable_service: false
|
||||
profiles::puppet::agent::puppet_version: '7.26.0'
|
||||
|
||||
hiera_include:
|
||||
- profiles::almalinux::base
|
||||
|
||||
profiles::packages::install:
|
||||
- lzo
|
||||
- xz
|
||||
- network-scripts
|
||||
- policycoreutils
|
||||
- unar
|
||||
- xz
|
||||
|
||||
lm-sensors::package: lm_sensors
|
||||
|
||||
@@ -19,44 +24,54 @@ profiles::yum::global::repos:
|
||||
target: /etc/yum.repos.d/baseos.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
extras:
|
||||
name: extras
|
||||
descr: extras repository
|
||||
target: /etc/yum.repos.d/extras.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
appstream:
|
||||
name: appstream
|
||||
descr: appstream repository
|
||||
target: /etc/yum.repos.d/appstream.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
powertools:
|
||||
name: powertools
|
||||
descr: powertools repository
|
||||
target: /etc/yum.repos.d/powertools.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
highavailability:
|
||||
name: highavailability
|
||||
descr: highavailability repository
|
||||
target: /etc/yum.repos.d/highavailability.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
epel:
|
||||
name: epel
|
||||
descr: epel repository
|
||||
target: /etc/yum.repos.d/epel.repo
|
||||
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
|
||||
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
puppet:
|
||||
name: puppet
|
||||
descr: puppet repository
|
||||
target: /etc/yum.repos.d/puppet.repo
|
||||
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
|
||||
mirrorlist: absent
|
||||
unkin:
|
||||
name: unkin
|
||||
descr: unkin repository
|
||||
target: /etc/yum.repos.d/unkin.repo
|
||||
baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os
|
||||
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
|
||||
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
|
||||
gpgcheck: false
|
||||
mirrorlist: absent
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# hieradata/os/debian/all_releases.yaml
|
||||
---
|
||||
profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian
|
||||
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
|
||||
profiles::apt::base::secureurl: http://security.debian.org/debian-security
|
||||
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
|
||||
profiles::apt::puppet7::repo: puppet7
|
||||
@@ -12,3 +12,4 @@ profiles::packages::install:
|
||||
- xz-utils
|
||||
|
||||
lm-sensors::package: lm-sensors
|
||||
networking::nwmgr_dns_none: false
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEBANgP2ifU7NbuMs+kWpeg1tchR5IMD7Z7kMpRBejgCMHludTYGf/BzxTe36YjpwLsuUd658QK5vE4EYpM1MuzqfuNiWJa5ec1IR/AgWQUMZcpjEDEqpHTb2qygmpc+jb3vW1EMBleZL2Z4GrgJ00gWO/EvukBSPgyxBsFe4Bb/L3aK6xiucG3JA9A7qA6cS4Oz5pf8dfC0FBjsc+XN7++bJN5pWUgMcEDgiyCy3bkL2gWfPKOWfabTRwuC3qd6SihZMg/tY8uoDfYoI8jHkjU07/mhC6AD930wgcFG+xJwNAX7FxLvLyJ8iN/648LVoZFuszYiTwPib1CszksdYBjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBSGXrbrl4FisZN5FT1hfmrgDBnV2SVfCJIYYyZ9+Vo1ykNmzUypJdJ+4llyXA7FOuH90xVZvLZMjNMhVCxP48CiYI=]
|
||||
@@ -0,0 +1,101 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
profiles::yum::global::repos:
|
||||
ceph-reef:
|
||||
name: ceph-reef
|
||||
descr: ceph reef repository
|
||||
target: /etc/yum.repos.d/ceph-reef.repo
|
||||
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgcheck: 0,
|
||||
mirrorlist: absent
|
||||
|
||||
profiles::ceph::client::keyrings:
|
||||
media:
|
||||
key: "%{hiera('ceph::key::media')}"
|
||||
|
||||
profiles::base::groups::local:
|
||||
media:
|
||||
ensure: present
|
||||
gid: 20000
|
||||
allowdupe: false
|
||||
forcelocal: true
|
||||
|
||||
ldap_host: 'ldap.service.consul'
|
||||
ldap_basedn: 'dc=main,dc=unkin,dc=net'
|
||||
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
# authentication proxy
|
||||
authproxy:
|
||||
ensure: 'present'
|
||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
||||
ssl_only: true
|
||||
internal: true
|
||||
location: '= /auth-proxy'
|
||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
|
||||
proxy_set_header:
|
||||
- 'Content-Length ""'
|
||||
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
|
||||
- 'X-Ldap-Starttls "false"'
|
||||
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
|
||||
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
|
||||
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
|
||||
- 'X-CookieName "nginxauth"'
|
||||
- 'Cookie nginxauth=$cookie_nginxauth'
|
||||
- "X-Ldap-Template %{lookup('ldap_template')}"
|
||||
- 'X-Ldap-Realm "Restricted"'
|
||||
proxy_cache: 'cache'
|
||||
proxy_cache_valid: '200 10m'
|
||||
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
|
||||
location_cfg_append:
|
||||
proxy_pass_request_body: 'off'
|
||||
# health checks by consul/haproxy
|
||||
arrstack_web_healthcheck:
|
||||
ensure: 'present'
|
||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
||||
ssl_only: true
|
||||
location: '/consul/health'
|
||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
||||
proxy_set_header:
|
||||
- 'Host $host'
|
||||
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
||||
- 'X-Forwarded-Host $host'
|
||||
- 'X-Forwarded-Proto $scheme'
|
||||
- 'Upgrade $http_upgrade'
|
||||
- 'Connection $http_connection'
|
||||
proxy_redirect: 'off'
|
||||
proxy_http_version: '1.1'
|
||||
location_allow:
|
||||
- 127.0.0.1
|
||||
- "%{facts.networking.ip}"
|
||||
- 198.18.13.25
|
||||
- 198.18.13.26
|
||||
location_deny:
|
||||
- all
|
||||
# authorised access from external
|
||||
arrstack_web_external:
|
||||
ensure: 'present'
|
||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
||||
ssl_only: true
|
||||
location: '/'
|
||||
auth_request: '/auth-proxy'
|
||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
||||
proxy_set_header:
|
||||
- 'Host $host'
|
||||
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
||||
- 'X-Forwarded-Host $host'
|
||||
- 'X-Forwarded-Proto $scheme'
|
||||
- 'Upgrade $http_upgrade'
|
||||
- 'Connection $http_connection'
|
||||
proxy_redirect: 'off'
|
||||
proxy_http_version: '1.1'
|
||||
# location for api, which should be accessible without authentication
|
||||
arrstack_api:
|
||||
ensure: 'present'
|
||||
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
||||
ssl_only: true
|
||||
location: '~ /api'
|
||||
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
||||
location_cfg_append:
|
||||
client_max_body_size: '20m'
|
||||
@@ -0,0 +1,63 @@
|
||||
---
|
||||
hiera_include:
|
||||
- jellyfin
|
||||
|
||||
# manage jellyfin
|
||||
jellyfin::params::service_enable: true
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- jellyfin.main.unkin.net
|
||||
- jellyfin.service.consul
|
||||
- jellyfin.query.consul
|
||||
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'jellyfin.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- jellyfin.main.unkin.net
|
||||
- jellyfin.service.consul
|
||||
- jellyfin.query.consul
|
||||
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8096
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
jellyfin:
|
||||
service_name: 'jellyfin'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'jellyfin'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'jellyfin_http_check'
|
||||
name: 'jellyfin HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: jellyfin
|
||||
disposition: write
|
||||
|
||||
profiles::yum::global::repos:
|
||||
rpmfusion-free:
|
||||
name: rpmfusion-free
|
||||
descr: rpmfusion-free repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
rpmfusion-nonfree:
|
||||
name: rpmfusion-nonfree
|
||||
descr: rpmfusion-nonfree repository
|
||||
target: /etc/yum.repos.d/rpmfusion.repo
|
||||
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
|
||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEDEyk6fBBnrjZvfK8MnUVOTWxhFGtgY34/2CuIq55MoVLsk2ZgVrL7Kt+94bqFhwEB67kuNpMGXqTgW5ose2yWs5iVSJLECsf9C+tvGBGwaV35LNwP5S3aQmFagyTpZZz9QlGKC7818jlXz7vZWDtiUhy5TGMHeyS0fdjCveavtZR28A+ZrvWjJeLdN47mmvYwYfFnQBs3kSgkl5KyMVhFWSFOSLeHsuEzCVXHoQ1jQG+2TV5m18wV0RR/sOju2E+vsulqlDgCyifgoiry4GzJeKNrNDI2bifzHCAi6yZqHL/klyqbGTnKLlA4xKoXsHF+xEwcoq4S9JDLAdWeH1SDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCdvh4yn8knozcYhinybRq3gDAwTKv8VakQG7XK/mcEplwtoiKqLnj9IIGdIUh1zPi2Sg48ET5rfZyl0p7ddIYoHjU=]
|
||||
@@ -0,0 +1,65 @@
|
||||
---
|
||||
hiera_include:
|
||||
- lidarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::metrics::exportarr
|
||||
|
||||
# manage lidarr
|
||||
lidarr::params::user: lidarr
|
||||
lidarr::params::group: media
|
||||
lidarr::params::manage_group: false
|
||||
lidarr::params::archive_version: 2.3.3
|
||||
lidarr::params::port: 8000
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- lidarr.main.unkin.net
|
||||
- lidarr.service.consul
|
||||
- lidarr.query.consul
|
||||
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'lidarr.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- lidarr.main.unkin.net
|
||||
- lidarr.service.consul
|
||||
- lidarr.query.consul
|
||||
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=lidarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
lidarr:
|
||||
service_name: 'lidarr'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'lidarr'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'lidarr_http_check'
|
||||
name: 'Lidarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: lidarr
|
||||
disposition: write
|
||||
|
||||
profiles::metrics::exportarr:
|
||||
app: 'lidarr'
|
||||
config_path: '/opt/lidarr/config.xml'
|
||||
api_key: "%{hiera('lidarr::api_key')}"
|
||||
version: '2.0.1'
|
||||
app_port: "%hiera('lidarr::params::port')"
|
||||
enable_additional_metrics: true
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAPomn4iZbT0JEysvDo7OgblpoQLFp9DzryY558UfVWQq6HDAkgoSC42cbgZGBPFclCgLaO/LfBrFpRXkafEVV33Vg2AmP/FiS9SmmwREc3t/ZTvENlDIgasY3pDIph0/i5u0S45mjyzzciBK0KY6cMZvPDVRvU+d0SyVnbSBlef6VmyZOhUk6ILpaYTGu+suVR/BAL/DTKsmmY7iTotTWN+IW/1cY3vprvBMJQVftaO1WSqKftmX29/PAsxbQo6AMpuQFx/dMcMe3d5JTB0mgzIhAFaKmSC8vJFqe21Nrr8F+PxJMSEl1saBJTwJc5RyPVm9ejVKfcPhDfWK5stNNvjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAo205Hvo/Z+rhnSGgkTS2YgDB7pTHdgnQz1UOK323DRljWcqx+SnCA7izyF1SNMlzlCck79Fr4zKh0qnbYsMZDWZU=]
|
||||
@@ -0,0 +1,61 @@
|
||||
---
|
||||
|
||||
hiera_include:
|
||||
- nzbget
|
||||
- profiles::media::nzbget
|
||||
- profiles::nginx::ldapauth
|
||||
|
||||
# manage nzbget
|
||||
nzbget::params::user: nzbget
|
||||
nzbget::params::group: media
|
||||
nzbget::params::manage_group: false
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- nzbget.main.unkin.net
|
||||
- nzbget.service.consul
|
||||
- nzbget.query.consul
|
||||
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'nzbget.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- nzbget.main.unkin.net
|
||||
- nzbget.service.consul
|
||||
- nzbget.query.consul
|
||||
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 6789
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_nzbget,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=nzbget_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
profiles::nginx::simpleproxy::locations:
|
||||
arrstack_web_healthcheck:
|
||||
location_cfg_append:
|
||||
rewrite: '/consul/health / break'
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
nzbget:
|
||||
service_name: 'nzbget'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'nzbget'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'nzbget_http_check'
|
||||
name: 'nzbget HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: nzbget
|
||||
disposition: write
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
|
||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhduPAqoZuq/xeRs4f/KX4r88evPMogQX79yofLAB5Qqdr48s2X0BAa1iiw0vMdL6Tf0uc794WJN5MP2Yp365Vk1yhwgqH92rt5hKPI+wBN5uak2iLgLzLWsp0HOx7d1ukDWBbj0lI6G5LiofsL3KJbbTnkovn06L4PRJXgn44+ynfywiCl2tPy2294DhfooeM6/Cy+t9lA6blzHLCOHtt/rBKmk1GT2y3YBCPhRfOumWXQWnv4Q+f6KkQkvpfPyAFYNiQxQYBv5bGwLnwiDk3xQnPM4FfcutVuAOKjsoeMa+K1KShDFyEfBxIER8JSpigj2/khstyihcVW0Xrod3uDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCRqqRwMThwn1F/6byFhTWxgDAfucfkFhmqxBv/u5H+wWnjvK5EH7eU/fECrajYPBW/cmsYjLgXlwrAzFGqWze3AZc=]
|
||||
@@ -0,0 +1,65 @@
|
||||
---
|
||||
hiera_include:
|
||||
- prowlarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::metrics::exportarr
|
||||
|
||||
# manage prowlarr
|
||||
prowlarr::params::user: prowlarr
|
||||
prowlarr::params::group: media
|
||||
prowlarr::params::manage_group: false
|
||||
prowlarr::params::archive_version: 1.19.0
|
||||
prowlarr::params::port: 8000
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- prowlarr.main.unkin.net
|
||||
- prowlarr.service.consul
|
||||
- prowlarr.query.consul
|
||||
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'prowlarr.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- prowlarr.main.unkin.net
|
||||
- prowlarr.service.consul
|
||||
- prowlarr.query.consul
|
||||
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_prowlarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=prowlarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
prowlarr:
|
||||
service_name: 'prowlarr'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'prowlarr'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'prowlarr_http_check'
|
||||
name: 'Prowlarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: prowlarr
|
||||
disposition: write
|
||||
|
||||
profiles::metrics::exportarr:
|
||||
app: 'prowlarr'
|
||||
config_path: '/opt/prowlarr/config.xml'
|
||||
api_key: "%{hiera('prowlarr::api_key')}"
|
||||
version: '2.0.1'
|
||||
app_port: "%hiera('prowlarr::params::port')"
|
||||
enable_additional_metrics: true
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
radarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALtNnNr2N7DpP9zx5anmQavFmsTLIyPkpJGCkJpUTHMYFSScS/3FOUuufajk4Cmu4FbPswp/N/U1nHO8oLF6xNQ+H77+xXuKPalW/3R1IRqGoczwsAfstJ6nYF+PLjjeK2TDP+KMs3Eg2+nrXB7NOVOP88RvDLyZq93Wn9qR+1VG6Y2gLqGSJArZpNilV5ygUYRgbMeckjqfLynYBXtgDQQLYNhxDO6WGRRv+0X773nmOdrWFAUjqF6/K+Ejjk5ZbaqnGyjljMstSrhg7NWxtMRbCjeMpjUjUS4Hn/Vayg2M2Ag2s87gsE1e4QFa6KP7GVRu3swvyZ3D54Ba/xrebxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDD6gIEfNGPXA8zv/vysgxJgDADMi7Fx5q+aqTMeqcKLg1AukTlCnJ62zykm6RNGdS0KlpJsvTSmWF4So3v/9BsKdk=]
|
||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAf6LbAXy3EsJqkf4KO8xikpXfSVIVOD2obnwZLPEiCfbC0iJyZ2Uc/RbHM9NnIpg8dgEnYGgaBM9HC+kFKYFP4skLsPQ0mpqOv13WbOAHOphhyBxWc/n4Eg4HqMAiHsC4qA9Sj5j4F29tNiMmpNM0eqDXD6YIrajV5IF+SKQQzZrNSrcDrzjqENaMnJWVc2gj7Zb9kPB1LdM5ZfljpPtfQHXHhh9ShTDKuWMx46nc+UYaRcJqHEns7OExwpsEAtA1SSunD81PTijJ6Bn1Y6cAsZoBot5YgFGaWtgQ4jvEqj7EbG8gDJuHMSwa9RzA9SMsVwEh2g1pko7wYbBR/arV7jBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAhZlVaEdaLNh60gAY0KwEKgDAHPoXfFRq0I2K2J+NFgNFm/A00jYGVRfuPsX6VZfPaJ499dtMiJifrK3Kfk1oXpvk=]
|
||||
@@ -0,0 +1,66 @@
|
||||
---
|
||||
hiera_include:
|
||||
- radarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::metrics::exportarr
|
||||
|
||||
# manage radarr
|
||||
radarr::params::user: radarr
|
||||
radarr::params::group: media
|
||||
radarr::params::manage_group: false
|
||||
radarr::params::archive_version: 5.7.0
|
||||
radarr::params::port: 8000
|
||||
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- radarr.main.unkin.net
|
||||
- radarr.service.consul
|
||||
- radarr.query.consul
|
||||
- "radarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'radarr.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- radarr.main.unkin.net
|
||||
- radarr.service.consul
|
||||
- radarr.query.consul
|
||||
- "radarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_radarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=radarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
radarr:
|
||||
service_name: 'radarr'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'radarr'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'radarr_http_check'
|
||||
name: 'radarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: radarr
|
||||
disposition: write
|
||||
|
||||
profiles::metrics::exportarr:
|
||||
app: 'radarr'
|
||||
config_path: '/opt/radarr/config.xml'
|
||||
api_key: "%{hiera('radarr::api_key')}"
|
||||
version: '2.0.1'
|
||||
app_port: "%hiera('radarr::params::port')"
|
||||
enable_additional_metrics: true
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
readarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlJ5RLp6pVTGQgtbzO5cQSrHBMg80S1ImFprHDeWC3GPN2KbheM80b1FKxvN+oVUJ8/kfiV6zstLOoYPUJQfmJNa/Xe95W/5+9hH2IS/oQ0yVdfLOjRq//qp+mVvSJ7JrtOyYSIrU3HjxaD+eXTPYp4UEJKfdSmGyDr7XuCOVIZe0Lu7OHczs8VKrowN99RJZ589HoMqrqCZWPlx14l/uNFjYdK/w6VcUWoo9y/5z1jtsNIObV8kSAYQQLwSr3tmjJdEE3au4sjeMOOJDpGcd5aJRWpKp12+8oHdVR5BV5326aCb13tkp6Td0jq/W9J2Jyv05vUdpP3PnVH9mHPDh6TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDA+2mMNGwfYM+mRoVTQiZMgDBanhVFmpYe42vZgMBKpNcNRjTnoCl27RpxD3KnjYwkE1zw/NeEOLoSZ1Try3GrlaA=]
|
||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcOegaqGEsivQAlhSYvaiVUij4QJ/kterSg+wX/7P/oWjSN1oSNAFfco6lg5fYUsR7HDKZ4IwYuO1Q/q8hOxYkqzYrH/MIAhZatfQxyxriKuekxqOMuXgwrWCzAexQL0Fb4s5gcHQ4fwy5OxsM1CxFXnSSm1eYNXl5IERd//c0dFoIcshiGlOCFsj8Ne9mookFTJQDZrxM4VMXaVb+Fl9mOyy1ppDBKHTP/1ise/6LIUi+9YngamAWLIrsur5KvR45kvRoxDNLfJZasAqhD/5QLceDdSxqKBDur57QzmoPo2lFdT4WlzphKOdyHZtYOYr7BPdbtCqkXTWdkXvqFlRxjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCXhYe6zoRW7/OxVrZnAEoTgDDPFTz5S4nZWiwzjdT7Yd88Ii6I/v6ckaKTx0gd0pZKsVZkFYQBBhIfqFS2ho0UG3Y=]
|
||||
@@ -0,0 +1,65 @@
|
||||
---
|
||||
hiera_include:
|
||||
- readarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::metrics::exportarr
|
||||
|
||||
# manage readarr
|
||||
readarr::params::user: readarr
|
||||
readarr::params::group: media
|
||||
readarr::params::manage_group: false
|
||||
readarr::params::archive_version: 0.3.28
|
||||
readarr::params::port: 8000
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- readarr.main.unkin.net
|
||||
- readarr.service.consul
|
||||
- readarr.query.consul
|
||||
- "readarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'readarr.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- readarr.main.unkin.net
|
||||
- readarr.service.consul
|
||||
- readarr.query.consul
|
||||
- "readarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_readarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=readarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
readarr:
|
||||
service_name: 'readarr'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'readarr'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'readarr_http_check'
|
||||
name: 'Readarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: readarr
|
||||
disposition: write
|
||||
|
||||
profiles::metrics::exportarr:
|
||||
app: 'readarr'
|
||||
config_path: '/opt/readarr/config.xml'
|
||||
api_key: "%{hiera('readarr::api_key')}"
|
||||
version: '2.0.1'
|
||||
app_port: "%hiera('readarr::params::port')"
|
||||
enable_additional_metrics: true
|
||||
@@ -0,0 +1,2 @@
|
||||
sonarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANhwc0Vk0htkacwqGA/ZEVR7hpC1V2+nyP3lxyqkVNWERdcIsoMjlfwp2QNoLVirALY10Kon1wKXiRLT+QOqF9aTapS2Vb2YH3ZujR5yT6T1z4e0o4EA3IlNJZemVIziIqrK8+8zZzVafYdOYwMwpbc5EzoJPBtdqNHbDaQu4bRTCp2yMISTOzFjZpOoEJlRyC8YrffNU2xzA5mh5Cw+00MdIfPd8enrCnA4b1ddqP/IsfEYRt91ANQBULwKC5wenKdJAN5qKSKW6KU9TUM5YvGvUPgTvcYgXNf3/INL6G3/HwISTE5A7S6lqwYLyRTT1fMHtgDIqS936DPqCdAZtzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBZ4e3jAM0zvV43IrCzQOGIgDBwOWgm+wJG+jAU8r1awWDvzQXgF3h65nAKfoOuGEztsjeBEruU4EmZy6llLbfSSb8=]
|
||||
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF5/sP43SJX/FB6cAS0GPqxC78JS7jSNKoUqWB/IXkv8uXYiClqk+Xw4nFx8EtknNn628DHBY3vCLQ59Xk89p0fyimP70m3BM6or5iRGdCqEAOzL399GbYX8WFHjyQRBmGdaLR5h2r5UnmjuPpDtV+fgsqxo4gNpXnuQ+46ZZPQce/dzHzux+4aEK4Q6UbD/ZZSQklD6zEUV+Agj6E9cQlJPBiHtTyUdXOYHYlJN1HhFPXu3C6KIz63YioVCah1n6T/rJtPQ07pVUfizIaJiPpzcUN91+ZWyyjUPo0bRGZtYKVs/uCAYXht4F5ttKQDaGa3wd4a5IdtacmEWQWFqk3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDtB/68xkjxK3nrNh0MilACgDDt85aBvSp/Oj9EY67eNPr+JcnQ7WfyuqAYAnmYqfbQI8MDtYAx7br0+inJXvQ1BvI=]
|
||||
@@ -0,0 +1,57 @@
|
||||
---
|
||||
hiera_include:
|
||||
- sonarr
|
||||
- profiles::nginx::ldapauth
|
||||
- profiles::metrics::exportarr
|
||||
|
||||
# manage sonarr
|
||||
sonarr::params::user: sonarr
|
||||
sonarr::params::group: media
|
||||
sonarr::params::manage_group: false
|
||||
sonarr::params::archive_version: 4.0.5
|
||||
sonarr::params::port: 8000
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- sonarr.main.unkin.net
|
||||
- sonarr.service.consul
|
||||
- sonarr.query.consul
|
||||
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'sonarr.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- sonarr.main.unkin.net
|
||||
- sonarr.service.consul
|
||||
- sonarr.query.consul
|
||||
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
profiles::nginx::simpleproxy::use_default_location: false
|
||||
nginx::client_max_body_size: 20M
|
||||
|
||||
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
ldap_template: '(&(uid=%(username)s)(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
sonarr:
|
||||
service_name: 'sonarr'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'sonarr'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'sonarr_http_check'
|
||||
name: 'Sonarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/consul/health"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: sonarr
|
||||
disposition: write
|
||||
@@ -0,0 +1,157 @@
|
||||
---
|
||||
hiera_include:
|
||||
- glauth
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- ldap.main.unkin.net
|
||||
- ldap.service.consul
|
||||
- ldap.query.consul
|
||||
- "ldap.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
glauth::params::download_version: 2.3.2
|
||||
glauth::params::ldap_enabled: true
|
||||
glauth::params::ldaps_enabled: true
|
||||
glauth::params::basedn: 'dc=main,dc=unkin,dc=net'
|
||||
glauth::params::behaviors_ignorecapabilities: true
|
||||
glauth::params::ldap_tlscertpath: /etc/pki/tls/vault/certificate.crt
|
||||
glauth::params::ldap_tlskeypath: /etc/pki/tls/vault/private.key
|
||||
glauth::params::ldaps_cert: /etc/pki/tls/vault/certificate.crt
|
||||
glauth::params::ldaps_key: /etc/pki/tls/vault/private.key
|
||||
glauth::params::api_cert: /etc/pki/tls/vault/certificate.crt
|
||||
glauth::params::api_key: /etc/pki/tls/vault/private.key
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
ldap:
|
||||
service_name: 'ldap'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'ldap'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 636
|
||||
checks:
|
||||
- id: 'glauth_http_check'
|
||||
name: 'glauth HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:5555"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: ldap
|
||||
disposition: write
|
||||
|
||||
glauth::users:
|
||||
benvin:
|
||||
user_name: 'benvin'
|
||||
givenname: 'Ben'
|
||||
sn: 'Vincent'
|
||||
mail: 'benvin@users.main.unkin.net'
|
||||
uidnumber: 20000
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010
|
||||
- 20011
|
||||
- 20012
|
||||
- 20013
|
||||
- 20014
|
||||
- 20015
|
||||
- 20016
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/benvin'
|
||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
||||
sshkeys:
|
||||
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net'
|
||||
matsol:
|
||||
user_name: 'matsol'
|
||||
givenname: 'Matt'
|
||||
sn: 'Solomon'
|
||||
mail: 'matsol@users.main.unkin.net'
|
||||
uidnumber: 20001
|
||||
primarygroup: 20000
|
||||
othergroups:
|
||||
- 20010
|
||||
- 20011
|
||||
- 20012
|
||||
- 20013
|
||||
- 20014
|
||||
- 20015
|
||||
- 20016
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/matsol'
|
||||
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
|
||||
|
||||
glauth::services:
|
||||
svc_jellyfin:
|
||||
service_name: 'svc_jellyfin'
|
||||
mail: 'jellyfin@service.main.unkin.net'
|
||||
uidnumber: 30000
|
||||
primarygroup: 20001
|
||||
passsha256: '97f7b1eb24deb0a86e812d79c56f4901d39a24128dc9f6fde033e7195f7d0739'
|
||||
svc_sonarr:
|
||||
service_name: 'svc_sonarr'
|
||||
mail: 'sonarr@service.main.unkin.net'
|
||||
uidnumber: 30001
|
||||
primarygroup: 20001
|
||||
passsha256: '2c32d4cb831183cfbef15835cc76f99b401d0159621bc580e852253d4d8f8722'
|
||||
svc_radarr:
|
||||
service_name: 'svc_radarr'
|
||||
mail: 'radarr@service.main.unkin.net'
|
||||
uidnumber: 30002
|
||||
primarygroup: 20001
|
||||
passsha256: '805b0182d90c2b5b3ba43e50988447a0bff0115eb5fedd8eeae8eac00ba53025'
|
||||
svc_lidarr:
|
||||
service_name: 'svc_lidarr'
|
||||
mail: 'lidarr@service.main.unkin.net'
|
||||
uidnumber: 30003
|
||||
primarygroup: 20001
|
||||
passsha256: '6d04cd2a45784bacbd50e6714710b55805c7e9886665a6d7790e6d8712b67aff'
|
||||
svc_readarr:
|
||||
service_name: 'svc_readarr'
|
||||
mail: 'readarr@service.main.unkin.net'
|
||||
uidnumber: 30004
|
||||
primarygroup: 20001
|
||||
passsha256: '751f22fbd9c052b2cd0c1cb4be514d8710f1a51f84ce44f607ab3a5591162f8c'
|
||||
svc_prowlarr:
|
||||
service_name: 'svc_prowlarr'
|
||||
mail: 'prowlarr@service.main.unkin.net'
|
||||
uidnumber: 30005
|
||||
primarygroup: 20001
|
||||
passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043'
|
||||
svc_nzbget:
|
||||
service_name: 'svc_nzbget'
|
||||
mail: 'nzbget@service.main.unkin.net'
|
||||
uidnumber: 30006
|
||||
primarygroup: 20001
|
||||
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
|
||||
|
||||
glauth::groups:
|
||||
users:
|
||||
group_name: 'people'
|
||||
gidnumber: 20000
|
||||
services:
|
||||
group_name: 'services'
|
||||
gidnumber: 20001
|
||||
jellyfin_access:
|
||||
group_name: 'jellyfin_access'
|
||||
gidnumber: 20010
|
||||
sonarr_access:
|
||||
group_name: 'sonarr_access'
|
||||
gidnumber: 20011
|
||||
radarr_access:
|
||||
group_name: 'radarr_access'
|
||||
gidnumber: 20012
|
||||
lidarr_access:
|
||||
group_name: 'lidarr_access'
|
||||
gidnumber: 20013
|
||||
readarr_access:
|
||||
group_name: 'readarr_access'
|
||||
gidnumber: 20014
|
||||
prowlarr_access:
|
||||
group_name: 'prowlarr_access'
|
||||
gidnumber: 20015
|
||||
nzbget_access:
|
||||
group_name: 'nzbget_access'
|
||||
gidnumber: 20016
|
||||
@@ -17,5 +17,5 @@ profiles::pki::vault::alt_names:
|
||||
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
|
||||
profiles::selinux::setenforce::mode: permissive
|
||||
|
||||
hiera_classes:
|
||||
hiera_include:
|
||||
- profiles::selinux::setenforce
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
---
|
||||
profiles::gitea::init::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
|
||||
profiles::gitea::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
|
||||
profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEACd6q4E/4l1EYD3SFjc1okibyJ13kcGGWU+ShbCgwLgkW7INkyCxhbNm69yPA7WcyuRhH/Lfz/XjJKd3BSCyRQPr5IUOIRINspx82tLBcaMzY/99GFrfyDnf3+SV/AxrPJ/zD5TGkKQP7uX6WjC9DXpHE+pFJa9wBAipmV439y0JDVt2gXFmhqBWThSjBDBfJ5X4zO5wY8CfBX4APOcD5hIQP/T4n04dQLNpigEKKy6B+GFuooTbdmMmFj3ZpT+cUS8Aw9mFkBwyyN1o+50XU3vW4eieUz8cYkzDPu574XfTunqD2jcvPiFjCla8G1SpKfHkruKnZWwgO0Ntw9td5QDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAIRVL5j4dzbYg6f2XjvkQ6gDAd2qUNzPn2flZgKwsjIZcYdmFMTn48hGPUFfVaMDeyzPoJi84CyRJl8cQvcAe52sw=]
|
||||
|
||||
@@ -6,6 +6,11 @@ profiles::pki::vault::alt_names:
|
||||
- git.query.consul
|
||||
- "git.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- git.main.unkin.net
|
||||
- git.service.consul
|
||||
- git.query.consul
|
||||
|
||||
consul::services:
|
||||
git:
|
||||
service_name: 'git'
|
||||
@@ -37,3 +42,43 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
profiles::nginx::simpleproxy::proxy_port: 3000
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 250M
|
||||
|
||||
profiles::gitea::init::root:
|
||||
APP_NAME: 'Gitea'
|
||||
RUN_USER: 'git'
|
||||
RUN_MODE: 'prod'
|
||||
profiles::gitea::init::repository:
|
||||
ROOT: '/data/gitea/repos'
|
||||
FORCE_PRIVATE: false
|
||||
MAX_CREATION_LIMIT: -1
|
||||
DISABLE_HTTP_GIT: false
|
||||
DEFAULT_BRANCH: 'main'
|
||||
DEFAULT_PRIVATE: 'last'
|
||||
profiles::gitea::init::ui:
|
||||
SHOW_USER_EMAIL: false
|
||||
profiles::gitea::init::server:
|
||||
PROTOCOL: 'http'
|
||||
DOMAIN: 'git.query.consul'
|
||||
ROOT_URL: 'https://git.query.consul'
|
||||
HTTP_ADDR: '0.0.0.0'
|
||||
HTTP_PORT: 3000
|
||||
START_SSH_SERVER: false
|
||||
SSH_DOMAIN: 'git.query.consul'
|
||||
SSH_PORT: 2222
|
||||
SSH_LISTEN_HOST: '0.0.0.0'
|
||||
OFFLINE_MODE: true
|
||||
APP_DATA_PATH: '/data/gitea'
|
||||
SSH_LISTEN_PORT: 22
|
||||
LFS_START_SERVER: true
|
||||
profiles::gitea::init::database:
|
||||
DB_TYPE: 'mysql'
|
||||
HOST: 'mariadb-prod.service.au-syd1.consul:3306'
|
||||
NAME: 'gitea'
|
||||
USER: 'gitea'
|
||||
PASSWD: "%{hiera('profiles::gitea::mysql_pass')}"
|
||||
SSL_MODE: 'disable'
|
||||
LOG_SQL: false
|
||||
profiles::gitea::init::lfs:
|
||||
PATH: '/data/gitea/lfs'
|
||||
profiles::gitea::init::session:
|
||||
PROVIDER: db
|
||||
|
||||
@@ -15,6 +15,7 @@ profiles::haproxy::server::globals:
|
||||
stats:
|
||||
- timeout 30s
|
||||
- socket /var/lib/haproxy/stats
|
||||
- socket /var/lib/haproxy/admin.sock mode 660 level admin
|
||||
ca-base: /etc/ssl/certs
|
||||
crt-base: /etc/ssl/private
|
||||
ssl-default-bind-ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
@@ -52,6 +53,8 @@ profiles::haproxy::frontends:
|
||||
options:
|
||||
acl:
|
||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||
use_backend:
|
||||
- 'be_letsencrypt if acl-letsencrypt'
|
||||
http-request:
|
||||
- 'set-header X-Forwarded-Proto https'
|
||||
- 'set-header X-Real-IP %[src]'
|
||||
@@ -67,6 +70,8 @@ profiles::haproxy::frontends:
|
||||
options:
|
||||
acl:
|
||||
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
|
||||
use_backend:
|
||||
- 'be_letsencrypt if acl-letsencrypt'
|
||||
http-request:
|
||||
- 'set-header X-Forwarded-Proto https'
|
||||
- 'set-header X-Real-IP %[src]'
|
||||
@@ -89,3 +94,6 @@ profiles::haproxy::backends:
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
|
||||
prometheus::haproxy_exporter::cnf_scrape_uri: unix:/var/lib/haproxy/stats
|
||||
prometheus::haproxy_exporter::export_scrape_job: true
|
||||
|
||||
@@ -0,0 +1,49 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
profiles::metrics::grafana::mysql_host: "mariadb-%{facts.environment}.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::metrics::grafana::mysql_port: 3306
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- grafana.main.unkin.net
|
||||
- grafana.service.consul
|
||||
- grafana.query.consul
|
||||
- "grafana.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- grafana.main.unkin.net
|
||||
- grafana.service.consul
|
||||
- grafana.query.consul
|
||||
|
||||
consul::services:
|
||||
grafana:
|
||||
service_name: 'grafana'
|
||||
tags:
|
||||
- 'grafana'
|
||||
- 'metrics'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'Grafana_https_check'
|
||||
name: 'Grafana HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: grafana
|
||||
disposition: write
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'grafana.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- grafana.main.unkin.net
|
||||
- grafana.service.consul
|
||||
- grafana.query.consul
|
||||
- "grafana.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8080
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
@@ -8,4 +8,5 @@ profiles::metrics::server::scrape_jobs:
|
||||
- bind
|
||||
- puppetdb
|
||||
- systemd
|
||||
- haproxy
|
||||
profiles::metrics::server::localstorage: /data/prometheus
|
||||
|
||||
@@ -12,3 +12,24 @@ profiles::ntp::server::peers:
|
||||
- '1.au.pool.ntp.org'
|
||||
- '2.au.pool.ntp.org'
|
||||
- '3.au.pool.ntp.org'
|
||||
|
||||
consul::services:
|
||||
ntp:
|
||||
service_name: 'ntp'
|
||||
tags:
|
||||
- 'ntp'
|
||||
- 'time'
|
||||
- 'sync'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 123
|
||||
checks:
|
||||
- id: ntp_check
|
||||
name: "NTP Service Check"
|
||||
args:
|
||||
- '/usr/local/bin/check_ntp.sh'
|
||||
interval: '15s'
|
||||
timeout: '5s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: ntp
|
||||
disposition: write
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
|
||||
@@ -0,0 +1,15 @@
|
||||
---
|
||||
hiera_include:
|
||||
- certbot
|
||||
- profiles::pki::puppetcerts
|
||||
|
||||
certbot::domains:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
- sonarr.main.unkin.net
|
||||
- radarr.main.unkin.net
|
||||
- lidarr.main.unkin.net
|
||||
- readarr.main.unkin.net
|
||||
- prowlarr.main.unkin.net
|
||||
- nzbget.main.unkin.net
|
||||
- fafflix.unkin.net
|
||||
@@ -5,3 +5,31 @@ sudo::configs:
|
||||
content: |
|
||||
ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
|
||||
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
|
||||
|
||||
hiera_exclude:
|
||||
- networking
|
||||
|
||||
# proxmox tools use root to authenticate against each other
|
||||
ssh::server::options:
|
||||
PermitRootLogin: yes
|
||||
AcceptEnv:
|
||||
- LANG LC_*
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
ListenAddress:
|
||||
- "%{facts.networking.interfaces.vmbr1.ip}"
|
||||
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: ceph-mon
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: ceph-mds
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: ceph-mgr
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: ceph-osd
|
||||
disposition: write
|
||||
|
||||
@@ -37,6 +37,14 @@ profiles::helpers::certmanager::vault_config:
|
||||
output_path: '/tmp/certmanager'
|
||||
role_id: "%{lookup('certmanager::role_id')}"
|
||||
|
||||
profiles::helpers::sshsignhost::vault_config:
|
||||
addr: 'https://vault.service.consul:8200'
|
||||
mount_point: 'ssh-host-signer'
|
||||
approle_path: 'approle'
|
||||
role_name: 'hostrole'
|
||||
output_path: '/tmp/sshsignhost'
|
||||
role_id: "%{lookup('sshsignhost::role_id')}"
|
||||
|
||||
profiles::puppet::server::agent_server: 'puppet.query.consul'
|
||||
profiles::puppet::server::report_server: 'puppet.query.consul'
|
||||
profiles::puppet::server::ca_server: 'puppetca.query.consul'
|
||||
@@ -50,6 +58,10 @@ profiles::puppet::server::dns_alt_names:
|
||||
- puppetmaster
|
||||
- puppet
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- puppet.service.consul
|
||||
- puppet.query.consul
|
||||
|
||||
consul::services:
|
||||
puppet:
|
||||
service_name: 'puppet'
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAes6pfgtxctlXpsD+P5bahGP46nbXdPE3EiwdWPSiFP0MKfzFKbhlfOMydhz09fXHEa5mpOY3YHxN9W0tNmbs6mMvHIKKvNog6yowv7JnsQ+D89+c3JEdbi+DPwk6wVnKQEgnSn5uzoOHJVOd7hhtX85n1VTw9iTtSPGZprh11A3VII8dkUaPu6jc35rDGV6tgPvxaYy2vVH/b7wGP+kEe9WjoYU7Qw3odrY2yloGbQ3zXGh7ZXvK9iswKIuCLAMPoaUyJpzVooV7VqD4k/zEHhRgf88RMtww//9P8OHPJ9JPM2q3zHyZzoqRfOP723AP9z2V7OyhEoUNw5npaA6TpzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJevTZmH+Qm1mxwNxHdOzHgCAelk9abLhQkUO29O5d2PP04OTTlmK51BxHb203jqZSFQ==]
|
||||
@@ -2,3 +2,38 @@
|
||||
postgresql_config_entries:
|
||||
max_connections: 300
|
||||
shared_buffers: '256MB'
|
||||
|
||||
consul::services:
|
||||
puppetdbsql:
|
||||
service_name: 'puppetdbsql'
|
||||
tags:
|
||||
- 'puppet'
|
||||
- 'puppetdb'
|
||||
- 'database'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 5432
|
||||
checks:
|
||||
- id: 'psql-check'
|
||||
name: 'PostgreSQL Health Check'
|
||||
args:
|
||||
- '/usr/local/bin/check_consul_postgresql'
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: puppetdbsql
|
||||
disposition: write
|
||||
|
||||
profiles::yum::global::repos:
|
||||
postgresql-15:
|
||||
name: postgresql-15
|
||||
descr: postgresql-15 repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
postgresql-common:
|
||||
name: postgresql-common
|
||||
descr: postgresql-common repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
|
||||
@@ -77,3 +77,15 @@ profiles::consul::prepared_query::rules:
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
ntp:
|
||||
ensure: 'present'
|
||||
service_name: 'ntp'
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
grafana:
|
||||
ensure: 'present'
|
||||
service_name: 'grafana'
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
|
||||
@@ -42,6 +42,9 @@ profiles::edgecache::params::directories:
|
||||
/data/edgecache/pub/postgres: { owner: nginx, group: nginx }
|
||||
/data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx }
|
||||
/data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx }
|
||||
/data/edgecache/pub/ceph: { owner: nginx, group: nginx }
|
||||
/data/edgecache/pub/ceph/apt: { owner: nginx, group: nginx }
|
||||
/data/edgecache/pub/ceph/yum: { owner: nginx, group: nginx }
|
||||
|
||||
profiles::edgecache::params::mirrors:
|
||||
debian:
|
||||
@@ -118,3 +121,29 @@ profiles::edgecache::params::mirrors:
|
||||
proxy_cache_valid:
|
||||
- '200 302 1440h'
|
||||
- '404 1m'
|
||||
ceph_yum_repodata:
|
||||
ensure: present
|
||||
location: '~* ^/ceph/yum/.*/repodata/'
|
||||
rewrite_rules:
|
||||
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
|
||||
proxy: http://158.69.68.124
|
||||
ceph_yum_data:
|
||||
ensure: present
|
||||
location: /ceph/yum
|
||||
proxy: http://158.69.68.124/rpm-reef
|
||||
proxy_cache: cache
|
||||
proxy_cache_valid:
|
||||
- '200 302 1440h'
|
||||
- '404 1m'
|
||||
ceph_apt:
|
||||
ensure: present
|
||||
location: /ceph/apt
|
||||
proxy: http://158.69.68.124/debian-reef
|
||||
ceph_apt_pool:
|
||||
ensure: present
|
||||
location: /ceph/apt/pool
|
||||
proxy: http://158.69.68.124/debian-reef/pool
|
||||
proxy_cache: cache
|
||||
proxy_cache_valid:
|
||||
- '200 302 1440h'
|
||||
- '404 1m'
|
||||
|
||||
@@ -0,0 +1,18 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
Facter.add(:certbot_available_certs) do
|
||||
confine enc_role: 'roles::infra::pki::certbot'
|
||||
setcode do
|
||||
certs_dir = '/etc/letsencrypt/live'
|
||||
available_certs = []
|
||||
|
||||
if Dir.exist?(certs_dir)
|
||||
Dir.children(certs_dir).each do |entry|
|
||||
fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
|
||||
available_certs << entry if File.exist?(fullchain_pem)
|
||||
end
|
||||
end
|
||||
|
||||
available_certs.join(',')
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,15 @@
|
||||
# certbot::cert
|
||||
define certbot::cert (
|
||||
Stdlib::Fqdn $domain,
|
||||
Array $additional_args = ['--http-01-port=8888'],
|
||||
Boolean $manage_cron = true,
|
||||
) {
|
||||
|
||||
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
||||
|
||||
@@letsencrypt::certonly { $domain:
|
||||
additional_args => $additional_args,
|
||||
manage_cron => $manage_cron,
|
||||
tag => $location_environment,
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,23 @@
|
||||
class certbot::client (
|
||||
Array[Stdlib::Fqdn] $domains,
|
||||
Stdlib::Fqdn $webserver,
|
||||
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
|
||||
) {
|
||||
|
||||
mkdir::p {$data_dir:}
|
||||
file { $data_dir:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
$domains.each |$domain| {
|
||||
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
|
||||
domain => $domain,
|
||||
destination => "${data_dir}/${domain}",
|
||||
webserver => $webserver,
|
||||
require => File[$data_dir],
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,51 @@
|
||||
define certbot::client::cert (
|
||||
Stdlib::Fqdn $domain,
|
||||
Stdlib::Fqdn $webserver,
|
||||
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
|
||||
) {
|
||||
|
||||
file { $destination:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
$cert_ready_nodes = puppetdb_query("
|
||||
facts {
|
||||
name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
|
||||
}"
|
||||
)
|
||||
|
||||
# Define the certificate files
|
||||
$cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
|
||||
|
||||
if !empty($cert_ready_nodes) {
|
||||
$files_to_create = $cert_files.reduce({}) |$acc, $file| {
|
||||
$acc + {
|
||||
"${destination}/${file}" => {
|
||||
ensure => 'file',
|
||||
source => "https://${webserver}/${domain}/${file}",
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
notify => Exec["concat_${domain}_certs"],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
create_resources(file, $files_to_create)
|
||||
|
||||
exec { "concat_${domain}_certs":
|
||||
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
|
||||
path => ['/bin', '/usr/bin'],
|
||||
refreshonly => true,
|
||||
require => [
|
||||
File["${destination}/fullchain.pem"],
|
||||
File["${destination}/privkey.pem"],
|
||||
],
|
||||
}
|
||||
} else {
|
||||
notify { 'Certificates are not yet ready on the generator server.': }
|
||||
}
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user