230 Commits

Author SHA1 Message Date
unkinben 1156f3d72a feat: add exportarr metrics
- add class to manage the exportarr service
- add exportarr to each *arr application
2024-07-10 22:50:18 +10:00
unkinben c7e5356444 Merge pull request 'feat: rewrite for nzbget' (#107) from neoloc/nzbget_rewrite into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/107
2024-07-10 21:29:44 +10:00
unkinben 93ab2bebc3 feat: rewrite for nzbget
- required for consul health check to work
2024-07-10 21:26:53 +10:00
unkinben 348f2dfca3 Merge pull request 'fix: update ldap filter' (#106) from neoloc/ldap_filters into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/106
2024-07-10 20:54:38 +10:00
unkinben 5221c15a66 fix: update ldap filter
- update ldap filter for *arr's to match on user and group
2024-07-10 20:43:50 +10:00
unkinben 1d49480010 Merge pull request 'fix: create nginx cache dirs before nginx class' (#105) from neoloc/nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/105
2024-07-09 23:30:33 +10:00
unkinben f63cf2f654 fix: create nginx cache dirs before nginx class 2024-07-09 23:29:56 +10:00
unkinben 3d425bfcbd Merge pull request 'fix: simpleproxy create cachedirs' (#104) from neoloc/nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/104
2024-07-09 23:28:38 +10:00
unkinben e8c8f5c1d6 fix: simpleproxy create cachedirs
- ensure the '/var/cache/nginx' directory exists
2024-07-09 23:27:51 +10:00
unkinben ae85541f6b Merge pull request 'fix: change nzbget::manage_group to boolean' (#103) from neoloc/nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/103
2024-07-09 23:23:33 +10:00
unkinben 0c1fd63b7d fix: change nzbget::manage_group to boolean 2024-07-09 23:22:49 +10:00
unkinben 797670b55d Merge pull request 'feat: actually add nzbget profile' (#102) from neoloc/nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/102
2024-07-09 23:20:58 +10:00
unkinben 1204ee3314 feat: actually add nzbget profile 2024-07-09 23:20:12 +10:00
unkinben 75ddacb6b1 Merge pull request 'neoloc/nzbget' (#101) from neoloc/nzbget into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/101
2024-07-09 22:34:37 +10:00
unkinben 1532641640 feat: add nzbget to media platform
- add haproxy rules
- generate/distribute letsencrypt certificates
- manage access to cephfs
2024-07-09 22:32:54 +10:00
unkinben abb4a47703 chore: add ens19 to nzbget host
- required to access cephfs
2024-07-09 22:26:46 +10:00
unkinben 857d51a934 chore: add matsol to nzbget 2024-07-09 22:26:03 +10:00
unkinben fd5163d6e6 Merge branch 'develop' into neoloc/nzbget 2024-07-09 22:25:28 +10:00
unkinben d67eba5860 feat: add nzbget module/role
- add nzbget module
- add nzbget ldap user/group
2024-07-09 22:23:58 +10:00
unkinben dacd2c6994 Merge pull request 'chore: disable gpgcheck for unkin repo' (#100) from neoloc/gpgcheck_unkin_repo into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/100
2024-07-09 22:01:01 +10:00
unkinben 930341c05c Merge pull request 'Adding hieradata/node/ausyd1nxvm1048.main.unkin.net.yaml' (#99) from autonode/ausyd1nxvm1048.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/99
2024-07-09 22:00:47 +10:00
unkinben 47333237ee chore: disable gpgcheck for unkin repo 2024-07-09 21:18:02 +10:00
unkinben 924631d705 Adding hieradata/node/ausyd1nxvm1048.main.unkin.net.yaml 2024-07-09 20:54:51 +10:00
unkinben 384e301fd3 Merge pull request 'feat: add new users' (#98) from neoloc/moreusers into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/98
2024-07-09 19:22:26 +10:00
unkinben d52949fc4f feat: add new users
- matsol
2024-07-09 19:21:59 +10:00
unkinben fe20590ac6 Merge pull request 'neoloc/retrieve_certbot_certs' (#97) from neoloc/retrieve_certbot_certs into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/97
2024-07-08 23:27:21 +10:00
unkinben d9a2966ffd fix: certbot selinux and rsync
- fix rsync to use 755 permissions
- add rsync selinux booleans
2024-07-08 23:17:38 +10:00
unkinben 899e2cbf49 feat: haproxy updates
- use letsencrypt certificates
- add fafflix and jellyfin backends
2024-07-08 22:56:24 +10:00
unkinben bd5164fed3 feat: certbot reorg
- moved certbot into its own module
- added fact to list available certificates
- created systemd timer to rsync data to $data_dir/pub
- ensure the $data_dir/pub exists
- manage selinux for nginx
2024-07-08 22:33:11 +10:00
unkinben 30ec8c1bb1 feat: enable retrieval of certbot certs
- refactor certbot
- add nginx to certbot hosts
2024-07-07 22:30:40 +10:00
unkinben c419620838 Merge pull request 'feat: manage certbot' (#96) from neoloc/certbot into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/96
2024-07-07 21:45:18 +10:00
unkinben 9db714d02f feat: manage certbot
- add haproxy backend for be_letsencrypt
- manage the certbot role/profile
- create define to export certificate requests
2024-07-07 21:21:50 +10:00
unkinben 4b8a9825c0 Merge pull request 'feat: haproxy updates' (#95) from neoloc/haproxy_backend_httpchk into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/95
2024-07-07 16:56:25 +10:00
unkinben 991c8a3029 feat: haproxy updates
- add acls for all backends
- harden security of backends
- update http-check for all backends
2024-07-07 16:51:36 +10:00
unkinben 152ffaa1d3 Merge pull request 'feat: stop installing systemd exported by default' (#94) from neoloc/systemd_exporter_removal into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/94
2024-07-07 15:02:48 +10:00
unkinben 65046329f4 feat: stop installing systemd exported by default 2024-07-07 15:01:49 +10:00
unkinben d05cf628a8 Merge pull request 'fix: change service to socket' (#93) from neoloc/cobbler_socket into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/93
2024-07-06 23:40:20 +10:00
unkinben da1402691c fix: change service to socket
- ensure the tftpd.socket is running, which starts the service
2024-07-06 23:37:55 +10:00
unkinben b5c7b310ee Merge pull request 'neoloc/mediaproxy' (#92) from neoloc/mediaproxy into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/92
2024-07-06 23:24:49 +10:00
unkinben 2ab2cd1399 feat: deploy ldap-auth to all *arrs
- refactor sonarr locations to generalised locations
- set locations to be deep merged
- updated hiera_include statements for media and media subroles
- added eyaml entries for all ldap credentials
2024-07-06 22:50:10 +10:00
unkinben 8b01ddba9c fix: cleanup simpleproxy
- remove commented sections
- remove $server from locations
2024-07-06 22:09:16 +10:00
unkinben d1dd12a091 feat: add cache to simpleproxy 2024-07-06 22:05:55 +10:00
unkinben 354e561380 feat: add ldapauth for nginx
- add service, defaults and script
2024-07-06 22:02:00 +10:00
unkinben cbded220bb feat: add sonarr locations
- add authproxy
- add api and web
- add /consul/health for unauth access from consul
- update sonarr/consul check to use /consul/health
- change client body side to 20mb
2024-07-06 22:01:47 +10:00
unkinben 89697e85aa Merge pull request 'chore: update svc_sonarr credential' (#91) from neoloc/sonarr_auth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/91
2024-07-06 18:32:43 +10:00
unkinben 158ebaf7a0 chore: update svc_sonarr credential 2024-07-06 18:32:25 +10:00
unkinben 02a2097955 feat: paramatise use_default_location
- allow the use of location blocks for simpleproxy
- add way to add locations in simpleproxy
2024-07-05 23:10:58 +10:00
unkinben 658af2b6b6 Merge pull request 'feat: manage jellyfin data migration_flag' (#90) from neoloc/jellyfin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/90
2024-07-04 00:09:22 +10:00
unkinben f3046f8fbb feat: manage jellyfin data migration_flag 2024-07-03 22:49:54 +10:00
unkinben f9ff44afec Merge pull request 'feat: add rpmfusion to jellyfin hosts' (#89) from neoloc/rpmfusion into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/89
2024-07-03 21:28:11 +10:00
unkinben 21a45c1b03 feat: add rpmfusion to jellyfin hosts
- required for jellyfin packages
- additional dependencies also from rpmfusion
2024-07-03 21:27:05 +10:00
unkinben 33f66c8dbc Merge pull request 'feat: restart networking on network changes' (#88) from neoloc/network_restart into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/88
2024-07-03 20:37:05 +10:00
unkinben b0934caf23 feat: restart networking on network changes
- restart network on RedHat
- restart networking on debian
2024-07-03 20:35:58 +10:00
unkinben 8e1622a158 Merge pull request 'neoloc/glauth' (#87) from neoloc/glauth into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/87
2024-07-02 18:12:54 +10:00
unkinben fe35baacfd chore: cleanup glauth
- remove datavol, not required
- remove commented out systemd socket
2024-07-02 18:12:08 +10:00
unkinben 6e3802ad57 feat: add users/services/groups 2024-07-01 22:54:22 +10:00
unkinben c8604baa4e feat: add glauth role/profile classes
- role added to cobbler
- add role specific hieradata
2024-07-01 22:42:29 +10:00
unkinben c69e8c487e feat: create glauth module
- manage config directories, config file
- manage systemd service and socket
- manage users, service accounts and groups
- manage defaults for users, services and groups
- manage packages for role
2024-07-01 22:42:12 +10:00
unkinben 0a86986edf Merge pull request 'neoloc/jellyfin' (#86) from neoloc/jellyfin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/86
2024-06-30 21:24:49 +10:00
unkinben 2199e4e3c0 feat: add jellyfin to haproxy 2024-06-30 00:02:44 +10:00
unkinben f81b5753ff feat: add jellyfin role/profile classes 2024-06-30 00:02:16 +10:00
unkinben e437629e12 feat: add jellyfin module 2024-06-30 00:01:38 +10:00
unkinben bc35270731 Merge pull request 'Adding hieradata/node/ausyd1nxvm1047.main.unkin.net.yaml' (#85) from autonode/ausyd1nxvm1047.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/85
2024-06-29 16:30:17 +10:00
unkinben c1a6191cab Adding hieradata/node/ausyd1nxvm1047.main.unkin.net.yaml 2024-06-29 14:41:25 +10:00
unkinben 0d4652cfdf Merge pull request 'Adding hieradata/node/ausyd1nxvm1046.main.unkin.net.yaml' (#84) from autonode/ausyd1nxvm1046.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/84
2024-06-29 01:57:05 +10:00
unkinben 9b9f64ca95 Merge pull request 'feat: haproxy for *arr stack' (#83) from neoloc/haproxy_backends into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/83
2024-06-29 01:56:52 +10:00
unkinben d7f0c9073f Adding hieradata/node/ausyd1nxvm1046.main.unkin.net.yaml 2024-06-29 01:23:09 +10:00
unkinben e74dc624c3 Merge pull request 'Adding hieradata/node/ausyd1nxvm1045.main.unkin.net.yaml' (#82) from autonode/ausyd1nxvm1045.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/82
2024-06-29 01:16:58 +10:00
unkinben 7bd12c9880 Adding hieradata/node/ausyd1nxvm1045.main.unkin.net.yaml 2024-06-29 01:13:45 +10:00
unkinben aa8ded5850 Merge pull request 'Adding hieradata/node/ausyd1nxvm1045.main.unkin.net.yaml' (#81) from autonode/ausyd1nxvm1045.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/81
2024-06-29 01:13:24 +10:00
unkinben 1d1c5621c0 Merge pull request 'Adding hieradata/node/ausyd1nxvm1044.main.unkin.net.yaml' (#80) from autonode/ausyd1nxvm1044.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/80
2024-06-29 01:13:01 +10:00
unkinben 0e11c03e9d Adding hieradata/node/ausyd1nxvm1045.main.unkin.net.yaml 2024-06-29 01:09:56 +10:00
unkinben 7520fdddbd Adding hieradata/node/ausyd1nxvm1044.main.unkin.net.yaml 2024-06-29 01:03:43 +10:00
unkinben d07751a151 feat: haproxy for *arr stack
- add additional backends
- set *arr's to export as a backend
- add *arr.main.unkin.net certificates
2024-06-28 22:46:50 +10:00
unkinben 9be3656d15 Merge pull request 'fear: deploy additional *arr stack apps' (#79) from neoloc/arr_stack into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/79
2024-06-27 23:57:23 +10:00
unkinben 9b8556f487 fear: deploy additional *arr stack apps
- cleanup hieradata entires for roles to remove some defaults
- add profiles::media::* classes to manage *arr stacks
2024-06-27 23:42:33 +10:00
unkinben 5acc683374 Merge pull request 'neoloc/arr_params' (#78) from neoloc/arr_params into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/78
2024-06-27 23:22:22 +10:00
unkinben 8a1d62cd41 chore: change media group to 20000
- found 10001 and simliar were already taken
2024-06-27 23:20:51 +10:00
unkinben b6a77afc7b chore: change all *arr's to use port 8000 locally 2024-06-27 23:19:45 +10:00
unkinben 2b1ea45e4e feat: add manage_group param to *arr stack
- change hieradata/role/apps/media/* to use correct namespaces
- add manage_group boolean to all *arr stack modules
2024-06-27 23:15:08 +10:00
unkinben 19caafbc43 Merge pull request 'chore: change media group to 20000' (#77) from neoloc/groups_20k into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/77
2024-06-27 22:27:37 +10:00
unkinben a4e78f645a chore: change media group to 20000
- found 10001 and simliar were already taken
2024-06-27 22:26:46 +10:00
unkinben f6aa2fac62 Merge pull request 'Adding hieradata/node/ausyd1nxvm1043.main.unkin.net.yaml' (#76) from autonode/ausyd1nxvm1043.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/76
2024-06-27 22:23:20 +10:00
unkinben 2147cc434d Adding hieradata/node/ausyd1nxvm1043.main.unkin.net.yaml 2024-06-27 22:22:39 +10:00
unkinben f63e6a953c Merge pull request 'chore: add ens19 to ausyd1nxvm1041' (#75) from neoloc/ausyd1nxvm1041 into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/75
2024-06-27 22:18:14 +10:00
unkinben 38819ba2ab chore: add ens19 to ausyd1nxvm1041 2024-06-27 22:17:50 +10:00
unkinben 72c6fdb249 Merge pull request 'Adding hieradata/node/ausyd1nxvm1042.main.unkin.net.yaml' (#74) from autonode/ausyd1nxvm1042.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/74
2024-06-27 22:16:35 +10:00
unkinben dc70687860 Adding hieradata/node/ausyd1nxvm1042.main.unkin.net.yaml 2024-06-27 22:15:55 +10:00
unkinben 17dbbd8d0c Merge pull request 'Revert "chore: cleanup yum repos"' (#73) from neoloc/revert_firstrun_cleanup into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/73
2024-06-27 22:12:15 +10:00
unkinben 7efd6edea9 Revert "chore: cleanup yum repos"
This reverts commit febd98d316.
2024-06-27 22:11:46 +10:00
unkinben 95e387d3ad Merge pull request 'chore: cleanup yum repos' (#72) from neoloc/firtsun_improvements into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/72
2024-06-27 22:00:21 +10:00
unkinben febd98d316 chore: cleanup yum repos
- cleanup yum repos on first run
2024-06-27 21:59:27 +10:00
unkinben 5aac7752cd Merge pull request 'feat: add media user to all media roles' (#71) from neoloc/media_management into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/71
2024-06-27 21:49:21 +10:00
unkinben dcccc85264 feat: add media user to all media roles
- change *arrs to use media as the group
2024-06-27 21:48:47 +10:00
unkinben 14c98ea659 Merge pull request 'neoloc/doc_updates' (#70) from neoloc/doc_updates into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/70
2024-06-27 21:38:38 +10:00
unkinben 5f5a9f5f65 Merge pull request 'feat: add prowlarr module' (#69) from neoloc/prowlarr into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/69
2024-06-27 21:34:30 +10:00
unkinben 3c63d8e797 Merge pull request 'feat: add readarr module' (#68) from neoloc/readarr into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/68
2024-06-27 21:34:17 +10:00
unkinben ab617a9de1 Merge pull request 'feat: add lidarr module' (#67) from neoloc/lidarr into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/67
2024-06-27 21:33:59 +10:00
unkinben bc27902fd2 Merge pull request 'chore: change to use sonarr::parmas' (#66) from neoloc/sonar_params into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/66
2024-06-27 21:33:34 +10:00
unkinben f2046efebe feat: add prowlarr module
- add media::prowlarr role
2024-06-27 21:32:13 +10:00
unkinben 0b7f07692c feat: add readarr module
- add media::readarr role
2024-06-27 21:21:18 +10:00
unkinben bbf9944ef5 feat: add lidarr module 2024-06-27 21:14:27 +10:00
unkinben 89383268f0 chore: change to use sonarr::parmas
- use sonarr::params class as it contains typing on params
2024-06-27 20:39:25 +10:00
unkinben bccdb99ef4 Merge pull request 'Adding hieradata/node/ausyd1nxvm1041.main.unkin.net.yaml' (#65) from autonode/ausyd1nxvm1041.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/65
2024-06-27 18:30:11 +10:00
unkinben aa63970dc1 Adding hieradata/node/ausyd1nxvm1041.main.unkin.net.yaml 2024-06-27 18:22:43 +10:00
unkinben bafb524fd2 Merge pull request 'neoloc/radarr' (#64) from neoloc/radarr into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/64
2024-06-26 23:07:34 +10:00
unkinben 40ff5f7d92 feat: deploy radarr
- manage ens19 nic on ausyd1nxvm1040
- manage cephfs storage
2024-06-26 22:57:36 +10:00
unkinben 17c16bfc33 feat: add radarr module 2024-06-26 22:57:27 +10:00
unkinben 6993ff0036 Merge pull request 'chore: duplicate resource' (#63) from neoloc/firstrun_motd_cache into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/63
2024-06-26 22:43:15 +10:00
unkinben 679a4203a9 chore: duplicate resource 2024-06-26 22:42:17 +10:00
unkinben 93125d9d71 Merge pull request 'chore: add facts/motd to firstrun' (#62) from neoloc/firstrun_motd into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/62
2024-06-26 22:37:48 +10:00
unkinben b90c6468b3 chore: add facts/motd to firstrun 2024-06-26 22:37:17 +10:00
unkinben 027140fb7a Merge pull request 'fix: sonar config empty line' (#61) from neoloc/sonarr_config into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/61
2024-06-26 00:00:21 +10:00
unkinben 44bd2d3d89 fix: sonar config empty line 2024-06-25 23:59:28 +10:00
unkinben 56df5695dc Merge pull request 'feat: manage sonarr configuration' (#60) from neoloc/sonarr_config into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/60
2024-06-25 23:47:36 +10:00
unkinben f22556b39f feat: manage sonarr configuration
- add config class to sonarr module
- update params to include unique group param
2024-06-25 23:45:29 +10:00
unkinben f0086944f9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1040.main.unkin.net.yaml' (#59) from autonode/ausyd1nxvm1040.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/59
2024-06-25 22:42:21 +10:00
unkinben b846a49127 Adding hieradata/node/ausyd1nxvm1040.main.unkin.net.yaml 2024-06-25 22:40:57 +10:00
unkinben 34e696e8c3 Merge pull request 'chore: dont remove ens18 from ausyd1nxvm1021' (#57) from neoloc/ausyd1nxvm1021 into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/57
2024-06-23 17:54:21 +10:00
unkinben a12fac20ab chore: dont remove ens18 from ausyd1nxvm1021 2024-06-23 17:53:49 +10:00
unkinben 7af6130598 Merge pull request 'chore: fix ausyd1nxvm1021' (#56) from neoloc/ausyd1nxvm1021 into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/56
2024-06-23 17:50:42 +10:00
unkinben 4857b72ce3 chore: fix ausyd1nxvm1021
- change default interface from eth0 to ens18
2024-06-23 17:49:34 +10:00
unkinben 3ace70bcea Merge pull request 'neoloc/ausyd1nxvm1017' (#55) from neoloc/ausyd1nxvm1017 into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/55
2024-06-23 17:37:46 +10:00
unkinben 6839fb8c5f feat: networking defaults
- add interface/route defaults
- merge defaults into each interface/route
2024-06-23 17:34:23 +10:00
unkinben 3b907159f1 chore: change eth0 to ens18 2024-06-23 16:47:46 +10:00
unkinben d5262b0ef5 doc: update cephfs 2024-06-23 15:52:54 +10:00
unkinben 53dfa0ca75 doc: rename documents to README.md 2024-06-23 15:47:57 +10:00
unkinben 396e64de1d doc: add cephfs base documentation 2024-06-23 15:47:20 +10:00
unkinben 803a0ac01d Merge pull request 'neoloc/cephfs' (#54) from neoloc/cephfs into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/54
2024-06-23 15:34:04 +10:00
unkinben 736f04143f chore: manage ens19 interface on ausyd1nxvm1037
- add storage interface
2024-06-23 15:33:40 +10:00
unkinben 82ed27cf56 feat: add sonarr profile
- add cephfs secret for mounting mediafs
- add ceph-reef repo for apps::media roles
- add the shared cephfs mediafs mount
2024-06-23 15:33:40 +10:00
unkinben 5631f07e6e feat: add cephfs shared volume define
- add ceph class to manage ceph client configuration/packages
- add cephfs define for mounting volumes
- add ceph keyring define to manage secrets used to mount cephfs
2024-06-23 15:33:33 +10:00
unkinben 8eca497ea2 feat: add mkdir module
- add module to manage mkdir -p in puppet module
2024-06-23 14:59:48 +10:00
unkinben 9b2ca85f59 Merge pull request 'feat: swap networkmanager for network service' (#53) from neoloc/disable_networkmanager into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/53
2024-06-23 14:26:51 +10:00
unkinben 548076728a feat: swap networkmanager for network service 2024-06-22 16:31:03 +10:00
unkinben 570df81bd9 Merge pull request 'fix: unar package not available on debian' (#51) from neoloc/unar_debian into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/51
2024-06-22 00:48:16 +10:00
unkinben 2d3f4414b7 fix: unar package not available on debian 2024-06-22 00:47:36 +10:00
unkinben 3991b6408b Merge pull request 'fix: proxmox ceph services use different network' (#50) from neoloc/ceph_consul_fix_ip into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/50
2024-06-22 00:46:28 +10:00
unkinben f5a9eaef4a fix: proxmox ceph services use different network
- set the consul services for ceph mon, mds, mgr and osd to report the ceph
  cluster interface
2024-06-22 00:45:17 +10:00
unkinben 4a95fbbd31 Merge pull request 'chore: include profiles::defaults in all roles' (#49) from neoloc/default_profile into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/49
2024-06-21 22:58:30 +10:00
unkinben 4db9faa551 chore: include profiles::defaults in all roles 2024-06-21 22:57:47 +10:00
unkinben 8548ef0284 Merge pull request 'neoloc/sonarr_deploy' (#48) from neoloc/sonarr_deploy into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/48
2024-06-21 22:53:06 +10:00
unkinben 681f9e3eb8 feat: deploy sonarr
- add required hieradata/role data to deploy sonarr
- add nginx simpleproxy
- add consul service/query
- add vault certificates
2024-06-21 22:51:40 +10:00
unkinben a431c50980 Merge pull request 'chore: add media managemnet roles' (#44) from neoloc/media_roles into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/44
2024-06-21 20:50:04 +10:00
unkinben d98b12bf81 chore: add media managemnet roles
- add radarr, lidarr, nzbget
2024-06-21 20:49:28 +10:00
unkinben 59b181ed54 Merge pull request 'feat: add ceph mirror to edgecache' (#43) from neoloc/ceph_mirror into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/43
2024-06-21 20:44:08 +10:00
unkinben 36ad19ffed feat: add ceph mirror to edgecache
- add ceph reef apt and rpm repository to edgecache
- add the centos storage sig gpg
2024-06-21 20:38:54 +10:00
unkinben 1995ce9eac Merge pull request 'fix: ceph consul check script' (#42) from neoloc/ceph_consul into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/42
2024-06-19 22:39:03 +10:00
unkinben a3ef535bfc fix: ceph consul check script
- add permissions to write ceph-* services to consul
- change from `script` to `args` array
2024-06-19 22:36:04 +10:00
unkinben feddc4a3fb Merge pull request 'fix: update check script to use pgrep' (#41) from neoloc/ceph_facts into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/41
2024-06-18 21:34:05 +10:00
unkinben eb462eb3a3 fix: update check script to use pgrep 2024-06-18 21:33:38 +10:00
unkinben 449c6b082e Merge pull request 'feat: add pveceph consul services' (#40) from neoloc/ceph_facts into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/40
2024-06-18 21:33:04 +10:00
unkinben 94aed2df9c feat: add pveceph consul services
- refacter the pveceph facts
- define consul services for osd, mgr, mds and mons
2024-06-18 21:14:57 +10:00
unkinben 0ff9b86782 Merge pull request 'chore: change ssh to listen to vmbr1' (#39) from neoloc/proxmox_ips into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/39
2024-06-17 21:55:18 +10:00
unkinben 7d70b99491 chore: change ssh to listen to vmbr1
- changed enp3s0 from static interface to bridge member
- added bridge vmbr1, with enp3s0 as member
2024-06-17 21:54:26 +10:00
unkinben c6530e34f6 Merge pull request 'feat: add haproxy exporter' (#38) from neoloc/haproxy_exporter into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/38
2024-06-17 21:36:31 +10:00
unkinben 5725d092b8 feat: add haproxy exporter
- add admin socket for exporter
2024-06-16 20:56:23 +10:00
unkinben 09f50c9940 Merge pull request 'neoloc/grafana' (#37) from neoloc/grafana into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/37
2024-06-16 18:51:07 +10:00
unkinben 62cac63f11 feat: add database generation to grafana
- ensure a database, user and credential is created for each grafana node
- ensure all databases for a region are included in a mariadb cluster
- refine params with stdlib types
2024-06-16 18:49:59 +10:00
unkinben 0fe05bb896 Merge branch 'develop' into neoloc/grafana 2024-06-16 00:39:45 +10:00
unkinben dd82d63b41 Merge pull request 'feat: puppetserver dropins' (#36) from neoloc/puppetmaster_restart_fixes into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/36
2024-06-16 00:15:43 +10:00
unkinben a901a0b868 feat: puppetserver dropins
- change ExecStartPost for crl.pem to two commands
- run `puppet generate types` after starting puppet
2024-06-16 00:11:56 +10:00
unkinben 1e316dc814 Merge pull request 'feat: manage latest crl for puppet' (#35) from neoloc/puppetmaster_restart_fixes into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/35
2024-06-15 23:36:20 +10:00
unkinben 58acd83410 feat: manage latest crl for puppet
- ensure the latest crl.pem exists on each no-ca puppetserver
- ensure the latest crl.pem is used after each start of puppetserver
2024-06-15 23:32:50 +10:00
unkinben cc0a9e132e Merge pull request 'fix: yumrepo purging' (#34) from neoloc/yumresources into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/34
2024-06-14 23:57:54 +10:00
unkinben 67f831edaf fix: yumrepo purging 2024-06-14 23:55:31 +10:00
unkinben c9abc779a0 Merge pull request 'fix: yumrepo purge after deploy' (#33) from neoloc/yumresources into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/33
2024-06-14 23:32:41 +10:00
unkinben 380bb7bcb5 fix: yumrepo purge after deploy
- ensure the resources resource for yumrepo runs after deploying yumrepo resources
- rm all almalinux*.repo files before attempting to create yumrepo
  resources
2024-06-14 23:21:14 +10:00
unkinben 1b5e6120e7 Merge pull request 'feat: ensure tftpd started on cobbler' (#32) from neoloc/tftpservice into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/32
2024-06-14 23:13:21 +10:00
unkinben 82ce3ed4d7 feat: ensure tftpd started on cobbler 2024-06-14 23:11:49 +10:00
unkinben 3adc343f68 Merge pull request 'chore: add ssh principals' (#31) from neoloc/puppetca_ssh_principal into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/31
2024-06-11 20:31:30 +10:00
unkinben ca558d493b Merge pull request 'chore: cleanup old enc class' (#30) from neoloc/cleanup_enc into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/30
2024-06-11 20:31:08 +10:00
unkinben cbbcfa3b9e chore: cleanup old enc class 2024-06-11 20:29:21 +10:00
unkinben 6b0e0daecb chore: add ssh principals
- add ssh principals for consul service addresses
2024-06-11 20:20:12 +10:00
unkinben 846e2b71f8 Merge pull request 'fix: add cluster ip to sshd ListenAddress' (#29) from neoloc/proxmox_ssh_ip into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/29
2024-06-11 20:06:35 +10:00
unkinben 6f7740e6a2 fix: add cluster ip to sshd ListenAddress
- ensure cluster communication over ssh can function
2024-06-11 20:02:04 +10:00
unkinben abd2eb5c9b adding hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml 2024-06-10 22:18:16 +10:00
unkinben b4c20fd7d6 feat: add sonarr module 2024-06-10 22:13:43 +10:00
unkinben b7a22551b1 feat: add sonar role 2024-06-10 21:21:20 +10:00
unkinben e00a78e5fb Merge pull request 'fix: resolve vncproxy issue' (#28) from neoloc/proxmox_ssh into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/28
2024-06-10 13:02:18 +10:00
unkinben a143732b3b fix: resolve vncproxy issue
https://forum.proxmox.com/threads/lc_pve_ticket-not-set-vnc-proxy-without-password-is-forbiddentask-error-failed-to-run-vncproxy.98192/
2024-06-10 13:01:45 +10:00
unkinben 45f3cb39c7 Merge pull request 'fix: proxmox root ssh' (#27) from neoloc/proxmox_ssh into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/27
2024-06-10 12:07:43 +10:00
unkinben 2b36ee3efa fix: proxmox root ssh
- allow proxmox hosts to accept root logins
2024-06-10 12:07:08 +10:00
unkinben 56711212a7 Merge pull request 'Adding hieradata/node/ausyd1nxvm1039.main.unkin.net.yaml' (#26) from autonode/ausyd1nxvm1039.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/26
2024-06-10 11:58:06 +10:00
unkinben 4ab5fd6be3 Adding hieradata/node/ausyd1nxvm1039.main.unkin.net.yaml 2024-06-10 11:57:51 +10:00
unkinben 42be771732 Merge pull request 'Adding hieradata/node/ausyd1nxvm1038.main.unkin.net.yaml' (#25) from autonode/ausyd1nxvm1038.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/25
2024-06-10 11:54:28 +10:00
unkinben 255cf38c67 Adding hieradata/node/ausyd1nxvm1038.main.unkin.net.yaml 2024-06-10 11:51:29 +10:00
unkinben 9c23c0005a Merge pull request 'adding hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml' (#24) from autonode/ausyd1nxvm1037.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/24
2024-06-10 11:51:04 +10:00
unkinben 5e13f1a1e8 adding hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml 2024-06-10 11:50:15 +10:00
unkinben 6944d67e04 Merge pull request 'neoloc/sshsign_hostkeys' (#23) from neoloc/sshsign_hostkeys into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/23
2024-06-09 20:39:46 +10:00
unkinben 965e334636 Merge branch 'develop' into neoloc/sshsign_hostkeys 2024-06-09 20:39:27 +10:00
unkinben d4163233f6 Merge branch 'develop' into neoloc/sshsign_hostkeys 2024-06-09 20:38:25 +10:00
unkinben 52b06dcd8e feat: manage ssh known hosts
- disable use of stored configs for ssh-known-hosts
- manage the /etc/ssh/ssh_known_hosts content
2024-06-09 20:26:34 +10:00
unkinben 9d3ddb37df Merge pull request 'fix: dont manage loopback' (#22) from neoloc/networking_loopback into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/22
2024-06-09 09:07:29 +10:00
unkinben 934f4be03c fix: dont manage loopback
- dont manage the lo interface
- cleanup /etc/hosts records
2024-06-09 09:06:54 +10:00
unkinben 777fe1aef6 feat: manage ssh server
- add ssh module
- include the ssh::server class
- manage sshd settings
2024-06-08 17:20:56 +10:00
unkinben 57b935b33e Merge pull request 'neoloc/networking' (#21) from neoloc/networking into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/21
2024-06-08 17:08:51 +10:00
unkinben da9d52e117 chore: set per-node interface/gateway details 2024-06-08 17:07:58 +10:00
unkinben 06545c6298 feat: change hiera_include, hiera_exclude
- change hiera_classes to hiera_include
- add method to remove classes from hiera_include through hiera_exclude
2024-06-08 17:07:58 +10:00
unkinben 51eeb13793 feat: add networking module
- manage interfaces and routes
- set default params for hosts
- add params class to networking module
- set defaults for debian
2024-06-08 17:07:51 +10:00
unkinben 721d14378a Merge pull request 'feat: manage the facts soft limit' (#20) from neoloc/puppet_fact_soft_limit into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/20
2024-06-08 13:58:39 +10:00
unkinben aaf482c9b9 feat: manage the facts soft limit
- set the facts soft limit for agents and servers
- prevent warnings about reaching the default 2048 soft limit
2024-06-08 13:56:53 +10:00
unkinben 33ba0bb896 feat: networking required modules
- add networking, kmod and filemapper plugins
2024-06-07 22:12:26 +10:00
unkinben 07c896b924 Merge pull request 'fix: make ntp check script executable' (#19) from neoloc/consul_ntp_script into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/19
2024-06-03 20:24:55 +10:00
unkinben 6822a39dc3 fix: make ntp check script executable 2024-06-03 20:23:23 +10:00
unkinben b85f14ed89 Merge pull request 'chore: update apt mirror url' (#18) from neoloc/debian_repository into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/18
2024-06-03 20:19:55 +10:00
unkinben e3f34a7cc4 chore: update apt mirror url
- change apt mirror url to use edgecache service
2024-06-03 20:19:12 +10:00
unkinben c000244c5a Merge pull request 'fix: add missing check script' (#17) from neoloc/ntp_consul_checkscript into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/17
2024-06-02 19:32:37 +10:00
unkinben 76fc6b9fa1 fix: add missing check script 2024-06-02 19:32:02 +10:00
unkinben 902e55f655 Merge pull request 'feat: create ntp consul service' (#16) from neoloc/ntp_consul_service into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/16
2024-06-02 19:27:09 +10:00
unkinben da3444e49f feat: create ntp consul service
- create consul policy for ntp servers
- add consul service check and check script
2024-06-02 19:23:39 +10:00
unkinben b468f67103 feat: sign ssh host keys
- manage python script/venv to sign ssh host certificates
- add approle_id to puppetmaster eyaml files
- add class to sign ssh-rsa host keys
- add facts to check if the current principals match the desired principals
2024-06-01 22:51:42 +10:00
unkinben 9819ce7f4d Merge pull request 'ferat: change to gitea hosted package repo' (#8) from neoloc/unkinrepo into develop
Reviewed-on: https://git.service.au-syd1.consul/unkinben/puppet-prod/pulls/8
2024-06-01 18:39:55 +10:00
unkinben cc7165055d Merge pull request 'feat: refacter gitea profile' (#7) from neoloc/gitea_refactor into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/7
2024-06-01 17:28:28 +10:00
unkinben 4bd3310ea8 feat: refacter gitea profile
- move more data to hiera
- change how the custom_configuration is made
2024-06-01 17:16:37 +10:00
unkinben d7208c5e40 Merge branch 'develop' into neoloc/doc_updates 2024-06-01 15:00:52 +10:00
unkinben 4b4272250a Merge branch 'develop' into neoloc/grafana 2024-06-01 14:47:06 +10:00
unkinben 3dfe9b9b73 Merge pull request 'feat: puppetdb sql updates' (#5) from neoloc/puppetdb_sql into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/5
2024-06-01 14:36:27 +10:00
unkinben de39515862 ferat: change to gitea hosted package repo 2024-06-01 14:05:14 +10:00
unkinben 7aa7f33145 feat: add ssh host key signing 2024-05-25 16:46:13 +10:00
unkinben a6a03b4d83 chore: update headings 2024-05-25 16:45:58 +10:00
unkinben 39aa6e114e feat: puppetdb sql updates
- add consul support
- enable local script checks in consul agents
- add a test DB/User for consult to verify the psql instance is running
- manage the postgresql repo and gpg key
2024-05-22 22:05:54 +10:00
unkinben 40c4be6f6e doc: add additional puppetmasters 2024-05-04 16:14:13 +10:00
unkinben ae6547aea8 chore: update certmanager cidr's 2024-05-03 21:44:51 +10:00
unkinben 5e31af2ee2 Doc: fix default server certificate role 2024-04-27 22:12:18 +10:00
unkinben c5d63bd6f8 Doc: add certmanager documentation 2024-04-27 22:11:06 +10:00
unkinben f351cc8413 chore: add glob domains
- allow generation of hostnames like prod* without a domain
2024-02-25 22:42:22 +11:00
unkinben fd5c3dbce2 Doc updates:
- updated issuer names
- updated max-leas-ttl for root/int ca
2024-02-25 22:06:56 +11:00
unkinben 49f405e0bc Documentation:
- update vault docs
2024-02-18 18:19:32 +11:00
unkinben 254c9f1358 feat: configure grafana
- create grafana class
- configure database with db export, and db parameters
2023-12-11 21:46:53 +11:00
249 changed files with 7815 additions and 188 deletions
+6
View File
@@ -35,10 +35,15 @@ mod 'puppet-vault', '4.1.0'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '3.6.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.0.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
mod 'saz-sudo', '8.0.0'
mod 'saz-ssh', '12.1.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0'
@@ -46,6 +51,7 @@ mod 'kogitoapp-minio', '1.1.4'
mod 'broadinstitute-certs', '3.0.1'
mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
+9
View File
@@ -0,0 +1,9 @@
# Group administration
This page exists to list all the locally managed groups, their gid's and what their general purpose is for.
## List of groups
| name | gid | purpose |
|-------------|-------------|-------------|
| admin | 10000 | admin group designed for system admins |
| media | 20000 | group permissions to manage media (*arrs) |
+60
View File
@@ -0,0 +1,60 @@
# managing ceph
Always refer back to the official documentation at https://docs.ceph.com/en/latest
## adding new cephfs
- create a erasure code profile which will allow you to customise the raid level
- raid5 with 3 disks? k=2,m=1
- raid5 with 6 disks? k=5,m=1
- raid6 with 4 disks? k=2,m=2, etc
- create osd pool using custom profile for data
- create osd pool using default replicated profile for metadata
- enable ec_overwrites for the data pool
- create the ceph fs volume using data/metadata pools
- set ceph fs settings
- specify minimum number of metadata servers (mds)
- set fs to be for bulk data
- set mds fast failover with standby reply
```
sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
sudo ceph osd pool create media_data 128 erasure ec_4_1
sudo ceph osd pool create media_metadata 32 replicated_rule
sudo ceph osd pool set media_data allow_ec_overwrites true
sudo ceph osd pool set media_data bulk true
sudo ceph fs new mediafs media_metadata media_data --force
sudo ceph fs set mediafs allow_standby_replay true
sudo ceph fs set mediafs max_mds 2
```
## creating authentication tokens
- this will create a client keyring named media
- this client will have the following capabilities:
- mon: read
- mds:
- read /
- read/write /media
- read/write /common
- osd: read/write to cephfs_data pool
```
sudo ceph auth get-or-create client.media \
mon 'allow r' \
mds 'allow r path=/, allow rw path=/media, allow rw path=/common' \
osd 'allow rw pool=cephfs_data'
```
## list the authentication tokens and permissions
ceph auth ls
## change the capabilities of a token
this will overwrite the current capabilities of a given client.user
sudo ceph auth caps client.media \
mon 'allow r' \
mds 'allow rw path=/' \
osd 'allow rw pool=media_data'
+31
View File
@@ -0,0 +1,31 @@
# add additional master
these steps are required when adding additional puppet masters, as the subject alternative names on the certificate will need to be changed. this requires the old certificate be revoked, cleaned up, and for a new certificate to be generated and signed.
## prepare a new node
- deploy a new now, or identify a space with the base role
- change the hosts class to roles::infra::puppet::master
- apply puppet until there are no more changes
## revoke the current certificate on the puppet master
sudo puppetserver ca clean --certname ausyd1nxvm1023.main.unkin.net
## stop the new puppetserver and cleanup revoked certificates
sudo systemctl stop puppetserver
sudo rm -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
sudo rm -f /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem
## copy the current crl.pem, as puppetserver will overwrite it when starting
sudo cp /etc/puppetlabs/puppet/ssl/crl.pem /root/current_crl.pem
## request new puppet agent certificate
sudo puppet ssl bootstrap
## start the puppetserver service and move the crl.pem back in place
sudo systemctl start puppetserver
sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
+123
View File
@@ -0,0 +1,123 @@
# PKI
## root ca
vault secrets enable -path=pki_root pki
vault secrets tune -max-lease-ttl=87600h pki_root
vault write -field=certificate pki_root/root/generate/internal \
common_name="unkin.net" \
issuer_name="UNKIN_ROOTCA_2024" \
ttl=87600h > unkinroot_2024_ca.crt
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
vault write pki_root/roles/2024-servers allow_any_name=true
vault write pki_root/config/urls \
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
## intermediate
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
common_name="unkin.net Intermediate Authority" \
issuer_name="UNKIN_VAULTCA_2024" \
| jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki_root/root/sign-intermediate \
issuer_ref="UNKIN_ROOTCA_2024" \
csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
## create role
vault write pki_int/roles/servers_default \
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
allow_ip_sans=true \
allowed_domains="unkin.net, *.unkin.net, localhost" \
allow_subdomains=true \
allow_glob_domains=true \
allow_bare_domains=true \
enforce_hostnames=true \
allow_any_name=true \
max_ttl="2160h" \
key_bits=4096 \
country="Australia"
## test generating a domain cert
vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
## remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
# AUTH
## enable approles
vault auth enable approle
# CERTMANAGER
## create certmanager policy and token, limit to puppetmaster
cat <<EOF > certmanager.hcl
path "pki_int/issue/*" {
capabilities = ["create", "update", "read"]
}
path "pki_int/renew/*" {
capabilities = ["update"]
}
path "pki_int/cert/*" {
capabilities = ["read"]
}
EOF
vault policy write certmanager certmanager.hcl
vault write auth/approle/role/certmanager \
bind_secret_id=false \
token_policies="certmanager" \
token_ttl=30s \
token_max_ttl=30s \
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
## get the certmanager approle id
vault read -field=role_id auth/approle/role/certmanager/role-id
# SSH Hostkey Signing
## create ssh engine, key, set ttl
vault secrets enable -path=ssh-host-signer ssh
vault write ssh-host-signer/config/ca generate_signing_key=true
vault secrets tune -max-lease-ttl=87600h ssh-host-signer
## create role
vault write ssh-host-signer/roles/hostrole \
key_type=ca \
algorithm_signer=rsa-sha2-256 \
ttl=87600h \
allow_host_certificates=true \
allowed_domains="unkin.net" \
allow_subdomains=true \
allow_baredomains=true
## create policy to use hostrole
cat <<EOF > sshsign-host.hcl
path "ssh-host-signer/sign/hostrole" {
capabilities = ["create", "update"]
}
EOF
vault policy write sshsign-host-policy sshsign-host.hcl
vault write auth/approle/role/sshsign-host-role \
bind_secret_id=false \
token_policies="sshsign-host-policy" \
token_ttl=30s \
token_max_ttl=30s \
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
## get the sshsign-host-role approle id
vault read -field=role_id auth/approle/role/sshsign-host-role/role-id
-48
View File
@@ -1,48 +0,0 @@
# root ca
vault secrets enable -path=pki_root pki
vault write -field=certificate pki_root/root/generate/internal \
common_name="unkin.net" \
issuer_name="unkinroot-2024" \
ttl=87600h > unkinroot_2024_ca.crt
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
vault write pki_root/roles/2024-servers allow_any_name=true
vault write pki_root/config/urls \
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
# intermediate
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
common_name="unkin.net Intermediate Authority" \
issuer_name="unkin-dot-net-intermediate" \
| jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki_root/root/sign-intermediate \
issuer_ref="unkinroot-2024" \
csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
# create role
vault write pki_int/roles/unkin-dot-net \
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
allowed_domains="unkin.net" \
allow_subdomains=true \
max_ttl="2160h"
# test generating a domain cert
vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
# remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
+100 -36
View File
@@ -108,11 +108,43 @@ lookup_options:
profiles::nginx::simpleproxy::nginx_aliases:
merge:
strategy: deep
networking::interfaces:
merge:
strategy: deep
networking::interface_defaults:
merge:
strategy: deep
networking::routes:
merge:
strategy: deep
networking::route_defaults:
merge:
strategy: deep
ssh::server::options:
merge:
strategy: deep
mysql::db:
merge:
strategy: deep
profiles::ceph::client::keyrings:
merge:
strategy: deep
profiles::nginx::simpleproxy::locations:
merge:
strategy: deep
certbot::client::domains:
merge:
strategy: deep
profiles::metrics::exportarr:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
hiera_classes:
hiera_include:
- timezone
- networking
- ssh::server
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@@ -150,6 +182,7 @@ profiles::packages::install:
- curl
- dstat
- expect
- gcc
- gzip
- git
- htop
@@ -170,6 +203,7 @@ profiles::packages::install:
- socat
- strace
- sysstat
- tar
- tmux
- traceroute
- unzip
@@ -215,6 +249,38 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
prometheus::node_exporter::export_scrape_job: true
prometheus::systemd_exporter::export_scrape_job: true
ssh::server::storeconfigs_enabled: false
ssh::server::options:
Protocol: '2'
ListenAddress:
- '127.0.0.1'
- '%{facts.networking.ip}'
SyslogFacility: 'AUTHPRIV'
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem
AuthorizedKeysFile: .ssh/authorized_keys
PermitRootLogin: no
PasswordAuthentication: no
ChallengeResponseAuthentication: no
PubkeyAuthentication: yes
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: yes
UsePAM: yes
X11Forwarding: no
PrintMotd: no
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: sftp /usr/libexec/openssh/sftp-server
profiles::ssh::knownhosts::lines:
- '@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1HD97vYxLTniE4qNpGuftUlvmkEXIuX8+7nbENv/IzsGUghEDRtyThjQ7ojNKIsQ7f8wXr0gMcI+fAPfrbcOMHCAoYMomikwL0b3h95SZI40q3CyM+0DMnwiVVDX6C1QxkO2Rv9cszSkCa85NotJhXiUuTBI9BFcRPy+mAhbpAru+bfypYofI0wW97XNTl8Jgwmni5MgutBIQAokFIn5ux8iWxndCH3AqDtmkwC5DfQeQ+wZx7rkwqJEpJffQzrjb1gIM6P9hDCVBBVPh/3o80IJ69rFWrJAZUb+JpG4cXJH0NcSW+wqc3JCT/x3q8VlHwOTXSlNNKtOJCRx73mB8e1XTTy2a9FgpKDDg5XQXWHAViJDz1RTRL9gRefMylRgKz4bXoTuY9kJWM8hPTyUejtukbJThlBJc3OmDxBZBF7F0iqB11pHexok43OCEiANodVa36eWu9/5X032Vm48fZ1/akDPY/NSy3wAn7kwut+A0/JAHFHASrq+1mt9YurkJegI+YHXO6eEWpBIpmI7ORHJbGL4MhkHrxYzVamuP8CkU7tXzsv138+wpOcRHNp9yJY4PT40BZkRf/O3O+jt3pj9Dj8rvgywF2W6hFzywh3Y78upOprRkQlQtHfsI8EyrYI8/hUw2u3H+3yPXh3YjWfqvWVG1BRLRHBV7m90uaw=='
profiles::base::groups::local:
admins:
ensure: present
@@ -231,38 +297,36 @@ sudo::configs:
profiles::accounts::sysadmin::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
profiles::base::hosts::additional_hosts:
- ip: 198.18.17.3
hostname: prodinf01n01.main.unkin.net
aliases:
- prodinf01n01
- puppet
- puppetmaster
- puppetca
- ip: 198.18.17.4
hostname: prodinf01n04.main.unkin.net
aliases:
- prodinf01n04
- ip: 198.18.17.5
hostname: prodinf01n05.main.unkin.net
aliases:
- prodinf01n05
- ip: 198.18.17.6
hostname: prodinf01n06.main.unkin.net
aliases:
- prodinf01n06
- ip: 198.18.17.9
hostname: prodinf01n09.main.unkin.net
aliases:
- prodinf01n09
- ntp01.main.unkin.net
- ip: 198.18.17.10
hostname: prodinf01n10.main.unkin.net
aliases:
- prodinf01n10
- ntp02.main.unkin.net
- ip: 198.18.17.22
hostname: prodinf01n22.main.unkin.net
aliases:
- prodinf01n22
- repos.main.unkin.net
networking::interface_defaults:
ensure: present
family: inet
method: static
netmask: 255.255.255.0
onboot: true
networking::route_defaults:
ensure: present
interface: eth0
netmask: 0.0.0.0
network: default
profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
profiles::ceph::client::mons:
- 10.18.15.1
- 10.18.15.2
- 10.18.15.3
#profiles::base::hosts::additional_hosts:
# - ip: 198.18.17.9
# hostname: prodinf01n09.main.unkin.net
# aliases:
# - prodinf01n09
# - ntp01.main.unkin.net
# - ip: 198.18.17.10
# hostname: prodinf01n10.main.unkin.net
# aliases:
# - prodinf01n10
# - ntp02.main.unkin.net
# - ip: 198.18.17.22
# hostname: prodinf01n22.main.unkin.net
# aliases:
# - prodinf01n22
# - repos.main.unkin.net
@@ -1,3 +1,4 @@
---
certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl]
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]
+1
View File
@@ -1,2 +1,3 @@
---
timezone::timezone: 'Australia/Sydney'
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
@@ -6,11 +6,27 @@ profiles::haproxy::mappings:
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
fe_https:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
profiles::haproxy::frontends:
fe_http:
@@ -20,7 +36,15 @@ profiles::haproxy::frontends:
fe_https:
options:
acl:
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -28,6 +52,14 @@ profiles::haproxy::frontends:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Frame-Options DENY if acl_sonarr'
- 'set-header X-Frame-Options DENY if acl_radarr'
- 'set-header X-Frame-Options DENY if acl_lidarr'
- 'set-header X-Frame-Options DENY if acl_readarr'
- 'set-header X-Frame-Options DENY if acl_prowlarr'
- 'set-header X-Frame-Options DENY if acl_nzbget'
- 'set-header X-Frame-Options DENY if acl_jellyfin'
- 'set-header X-Frame-Options DENY if acl_fafflix'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
@@ -63,17 +95,151 @@ profiles::haproxy::backends:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_sonarr:
description: Backend for au-syd1 sonarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_radarr:
description: Backend for au-syd1 radarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_lidarr:
description: Backend for au-syd1 lidarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_readarr:
description: Backend for au-syd1 readarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_prowlarr:
description: Backend for au-syd1 prowlarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_nzbget:
description: Backend for au-syd1 nzbget
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_jellyfin:
description: Backend for au-syd1 jellyfin
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem
# additional altnames
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- jellyfin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- fafflix.unkin.net
@@ -1,3 +1,4 @@
---
certmanager::vault_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]
@@ -0,0 +1,2 @@
---
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
@@ -2,3 +2,14 @@
profiles::sql::galera_member::cluster_name: au-syd1
profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net
profiles::sql::galera_member::innodb_buffer_pool_size: 256M
mysql::db:
grafana:
name: grafana
user: grafana
password: "%{alias('mysql::db::grafana::pass')}"
grant:
- SELECT
- INSERT
- UPDATE
- DELETE
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.10
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.11
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.12
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.13
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.14
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.15
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.16
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.17
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.18
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.19
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.20
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.21
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.22
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.23
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.24
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.25
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.26
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,2 +1,11 @@
---
profiles::cobbler::params::is_cobbler_master: true
networking::interfaces:
ens18:
ipaddress: 198.18.13.27
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.28
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.29
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.30
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,10 @@
---
networking::interfaces:
ens18:
ipaddress: 198.18.13.31
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.32
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.33
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.34
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.35
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.36
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.37
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.38
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.39
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.40
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.41
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.42
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.43
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.44
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.45
networking::routes:
default:
gateway: 198.18.13.254
@@ -5,5 +5,17 @@ profiles::puppet::server::dns_alt_names:
- puppetca.query.consul
- puppetca
profiles::ssh::sign::principals:
- puppetca.main.unkin.net
- puppetca.service.consul
- puppetca.query.consul
- puppetca
profiles::puppet::puppetca::is_puppetca: true
profiles::puppet::puppetca::allow_subject_alt_names: true
networking::interfaces:
eth0:
ipaddress: 198.18.13.46
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.47
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.47
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.48
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.49
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.50
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.50
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.51
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.51
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.52
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.52
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.53
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.53
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.54
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.55
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.56
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.57
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.57
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.58
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.58
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -7,3 +7,6 @@ profiles::puppet::server::dns_alt_names:
profiles::puppet::puppetca::is_puppetca: false
profiles::puppet::puppetca::allow_subject_alt_names: true
hiera_exclude:
- networking
+17 -2
View File
@@ -5,10 +5,15 @@ profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.26.0'
hiera_include:
- profiles::almalinux::base
profiles::packages::install:
- lzo
- xz
- network-scripts
- policycoreutils
- unar
- xz
lm-sensors::package: lm_sensors
@@ -19,44 +24,54 @@ profiles::yum::global::repos:
target: /etc/yum.repos.d/baseos.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
extras:
name: extras
descr: extras repository
target: /etc/yum.repos.d/extras.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
appstream:
name: appstream
descr: appstream repository
target: /etc/yum.repos.d/appstream.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
highavailability:
name: highavailability
descr: highavailability repository
target: /etc/yum.repos.d/highavailability.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
epel:
name: epel
descr: epel repository
target: /etc/yum.repos.d/epel.repo
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
gpgcheck: false
mirrorlist: absent
+2 -1
View File
@@ -1,6 +1,6 @@
# hieradata/os/debian/all_releases.yaml
---
profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7
@@ -12,3 +12,4 @@ profiles::packages::install:
- xz-utils
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false
+2
View File
@@ -0,0 +1,2 @@
---
ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEBANgP2ifU7NbuMs+kWpeg1tchR5IMD7Z7kMpRBejgCMHludTYGf/BzxTe36YjpwLsuUd658QK5vE4EYpM1MuzqfuNiWJa5ec1IR/AgWQUMZcpjEDEqpHTb2qygmpc+jb3vW1EMBleZL2Z4GrgJ00gWO/EvukBSPgyxBsFe4Bb/L3aK6xiucG3JA9A7qA6cS4Oz5pf8dfC0FBjsc+XN7++bJN5pWUgMcEDgiyCy3bkL2gWfPKOWfabTRwuC3qd6SihZMg/tY8uoDfYoI8jHkjU07/mhC6AD930wgcFG+xJwNAX7FxLvLyJ8iN/648LVoZFuszYiTwPib1CszksdYBjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBSGXrbrl4FisZN5FT1hfmrgDBnV2SVfCJIYYyZ9+Vo1ykNmzUypJdJ+4llyXA7FOuH90xVZvLZMjNMhVCxP48CiYI=]
+101
View File
@@ -0,0 +1,101 @@
---
hiera_include:
- profiles::nginx::simpleproxy
profiles::yum::global::repos:
ceph-reef:
name: ceph-reef
descr: ceph reef repository
target: /etc/yum.repos.d/ceph-reef.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgcheck: 0,
mirrorlist: absent
profiles::ceph::client::keyrings:
media:
key: "%{hiera('ceph::key::media')}"
profiles::base::groups::local:
media:
ensure: present
gid: 20000
allowdupe: false
forcelocal: true
ldap_host: 'ldap.service.consul'
ldap_basedn: 'dc=main,dc=unkin,dc=net'
profiles::nginx::simpleproxy::locations:
# authentication proxy
authproxy:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
internal: true
location: '= /auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
proxy_set_header:
- 'Content-Length ""'
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
- 'X-Ldap-Starttls "false"'
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
- 'X-CookieName "nginxauth"'
- 'Cookie nginxauth=$cookie_nginxauth'
- "X-Ldap-Template %{lookup('ldap_template')}"
- 'X-Ldap-Realm "Restricted"'
proxy_cache: 'cache'
proxy_cache_valid: '200 10m'
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
location_cfg_append:
proxy_pass_request_body: 'off'
# health checks by consul/haproxy
arrstack_web_healthcheck:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/consul/health'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
location_allow:
- 127.0.0.1
- "%{facts.networking.ip}"
- 198.18.13.25
- 198.18.13.26
location_deny:
- all
# authorised access from external
arrstack_web_external:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
auth_request: '/auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
# location for api, which should be accessible without authentication
arrstack_api:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '~ /api'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
location_cfg_append:
client_max_body_size: '20m'
+63
View File
@@ -0,0 +1,63 @@
---
hiera_include:
- jellyfin
# manage jellyfin
jellyfin::params::service_enable: true
# additional altnames
profiles::pki::vault::alt_names:
- jellyfin.main.unkin.net
- jellyfin.service.consul
- jellyfin.query.consul
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'jellyfin.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- jellyfin.main.unkin.net
- jellyfin.service.consul
- jellyfin.query.consul
- "jellyfin.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8096
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
jellyfin:
service_name: 'jellyfin'
tags:
- 'media'
- 'jellyfin'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'jellyfin_http_check'
name: 'jellyfin HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: jellyfin
disposition: write
profiles::yum::global::repos:
rpmfusion-free:
name: rpmfusion-free
descr: rpmfusion-free repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
mirrorlist: absent
rpmfusion-nonfree:
name: rpmfusion-nonfree
descr: rpmfusion-nonfree repository
target: /etc/yum.repos.d/rpmfusion.repo
baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
mirrorlist: absent
+3
View File
@@ -0,0 +1,3 @@
---
lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEDEyk6fBBnrjZvfK8MnUVOTWxhFGtgY34/2CuIq55MoVLsk2ZgVrL7Kt+94bqFhwEB67kuNpMGXqTgW5ose2yWs5iVSJLECsf9C+tvGBGwaV35LNwP5S3aQmFagyTpZZz9QlGKC7818jlXz7vZWDtiUhy5TGMHeyS0fdjCveavtZR28A+ZrvWjJeLdN47mmvYwYfFnQBs3kSgkl5KyMVhFWSFOSLeHsuEzCVXHoQ1jQG+2TV5m18wV0RR/sOju2E+vsulqlDgCyifgoiry4GzJeKNrNDI2bifzHCAi6yZqHL/klyqbGTnKLlA4xKoXsHF+xEwcoq4S9JDLAdWeH1SDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCdvh4yn8knozcYhinybRq3gDAwTKv8VakQG7XK/mcEplwtoiKqLnj9IIGdIUh1zPi2Sg48ET5rfZyl0p7ddIYoHjU=]
+65
View File
@@ -0,0 +1,65 @@
---
hiera_include:
- lidarr
- profiles::nginx::ldapauth
- profiles::metrics::exportarr
# manage lidarr
lidarr::params::user: lidarr
lidarr::params::group: media
lidarr::params::manage_group: false
lidarr::params::archive_version: 2.3.3
lidarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- lidarr.main.unkin.net
- lidarr.service.consul
- lidarr.query.consul
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'lidarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- lidarr.main.unkin.net
- lidarr.service.consul
- lidarr.query.consul
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=lidarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
consul::services:
lidarr:
service_name: 'lidarr'
tags:
- 'media'
- 'lidarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'lidarr_http_check'
name: 'Lidarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: lidarr
disposition: write
profiles::metrics::exportarr:
app: 'lidarr'
config_path: '/opt/lidarr/config.xml'
api_key: "%{hiera('lidarr::api_key')}"
version: '2.0.1'
app_port: "%hiera('lidarr::params::port')"
enable_additional_metrics: true
+2
View File
@@ -0,0 +1,2 @@
---
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAPomn4iZbT0JEysvDo7OgblpoQLFp9DzryY558UfVWQq6HDAkgoSC42cbgZGBPFclCgLaO/LfBrFpRXkafEVV33Vg2AmP/FiS9SmmwREc3t/ZTvENlDIgasY3pDIph0/i5u0S45mjyzzciBK0KY6cMZvPDVRvU+d0SyVnbSBlef6VmyZOhUk6ILpaYTGu+suVR/BAL/DTKsmmY7iTotTWN+IW/1cY3vprvBMJQVftaO1WSqKftmX29/PAsxbQo6AMpuQFx/dMcMe3d5JTB0mgzIhAFaKmSC8vJFqe21Nrr8F+PxJMSEl1saBJTwJc5RyPVm9ejVKfcPhDfWK5stNNvjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAo205Hvo/Z+rhnSGgkTS2YgDB7pTHdgnQz1UOK323DRljWcqx+SnCA7izyF1SNMlzlCck79Fr4zKh0qnbYsMZDWZU=]
+61
View File
@@ -0,0 +1,61 @@
---
hiera_include:
- nzbget
- profiles::media::nzbget
- profiles::nginx::ldapauth
# manage nzbget
nzbget::params::user: nzbget
nzbget::params::group: media
nzbget::params::manage_group: false
# additional altnames
profiles::pki::vault::alt_names:
- nzbget.main.unkin.net
- nzbget.service.consul
- nzbget.query.consul
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'nzbget.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- nzbget.main.unkin.net
- nzbget.service.consul
- nzbget.query.consul
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 6789
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_nzbget,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=nzbget_access,ou=groups,dc=main,dc=unkin,dc=net))'
profiles::nginx::simpleproxy::locations:
arrstack_web_healthcheck:
location_cfg_append:
rewrite: '/consul/health / break'
# configure consul service
consul::services:
nzbget:
service_name: 'nzbget'
tags:
- 'media'
- 'nzbget'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'nzbget_http_check'
name: 'nzbget HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: nzbget
disposition: write
@@ -0,0 +1,3 @@
---
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAhduPAqoZuq/xeRs4f/KX4r88evPMogQX79yofLAB5Qqdr48s2X0BAa1iiw0vMdL6Tf0uc794WJN5MP2Yp365Vk1yhwgqH92rt5hKPI+wBN5uak2iLgLzLWsp0HOx7d1ukDWBbj0lI6G5LiofsL3KJbbTnkovn06L4PRJXgn44+ynfywiCl2tPy2294DhfooeM6/Cy+t9lA6blzHLCOHtt/rBKmk1GT2y3YBCPhRfOumWXQWnv4Q+f6KkQkvpfPyAFYNiQxQYBv5bGwLnwiDk3xQnPM4FfcutVuAOKjsoeMa+K1KShDFyEfBxIER8JSpigj2/khstyihcVW0Xrod3uDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCRqqRwMThwn1F/6byFhTWxgDAfucfkFhmqxBv/u5H+wWnjvK5EH7eU/fECrajYPBW/cmsYjLgXlwrAzFGqWze3AZc=]
+65
View File
@@ -0,0 +1,65 @@
---
hiera_include:
- prowlarr
- profiles::nginx::ldapauth
- profiles::metrics::exportarr
# manage prowlarr
prowlarr::params::user: prowlarr
prowlarr::params::group: media
prowlarr::params::manage_group: false
prowlarr::params::archive_version: 1.19.0
prowlarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- prowlarr.main.unkin.net
- prowlarr.service.consul
- prowlarr.query.consul
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'prowlarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- prowlarr.main.unkin.net
- prowlarr.service.consul
- prowlarr.query.consul
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_prowlarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=prowlarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
consul::services:
prowlarr:
service_name: 'prowlarr'
tags:
- 'media'
- 'prowlarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'prowlarr_http_check'
name: 'Prowlarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: prowlarr
disposition: write
profiles::metrics::exportarr:
app: 'prowlarr'
config_path: '/opt/prowlarr/config.xml'
api_key: "%{hiera('prowlarr::api_key')}"
version: '2.0.1'
app_port: "%hiera('prowlarr::params::port')"
enable_additional_metrics: true
+3
View File
@@ -0,0 +1,3 @@
---
radarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALtNnNr2N7DpP9zx5anmQavFmsTLIyPkpJGCkJpUTHMYFSScS/3FOUuufajk4Cmu4FbPswp/N/U1nHO8oLF6xNQ+H77+xXuKPalW/3R1IRqGoczwsAfstJ6nYF+PLjjeK2TDP+KMs3Eg2+nrXB7NOVOP88RvDLyZq93Wn9qR+1VG6Y2gLqGSJArZpNilV5ygUYRgbMeckjqfLynYBXtgDQQLYNhxDO6WGRRv+0X773nmOdrWFAUjqF6/K+Ejjk5ZbaqnGyjljMstSrhg7NWxtMRbCjeMpjUjUS4Hn/Vayg2M2Ag2s87gsE1e4QFa6KP7GVRu3swvyZ3D54Ba/xrebxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDD6gIEfNGPXA8zv/vysgxJgDADMi7Fx5q+aqTMeqcKLg1AukTlCnJ62zykm6RNGdS0KlpJsvTSmWF4So3v/9BsKdk=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAf6LbAXy3EsJqkf4KO8xikpXfSVIVOD2obnwZLPEiCfbC0iJyZ2Uc/RbHM9NnIpg8dgEnYGgaBM9HC+kFKYFP4skLsPQ0mpqOv13WbOAHOphhyBxWc/n4Eg4HqMAiHsC4qA9Sj5j4F29tNiMmpNM0eqDXD6YIrajV5IF+SKQQzZrNSrcDrzjqENaMnJWVc2gj7Zb9kPB1LdM5ZfljpPtfQHXHhh9ShTDKuWMx46nc+UYaRcJqHEns7OExwpsEAtA1SSunD81PTijJ6Bn1Y6cAsZoBot5YgFGaWtgQ4jvEqj7EbG8gDJuHMSwa9RzA9SMsVwEh2g1pko7wYbBR/arV7jBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAhZlVaEdaLNh60gAY0KwEKgDAHPoXfFRq0I2K2J+NFgNFm/A00jYGVRfuPsX6VZfPaJ499dtMiJifrK3Kfk1oXpvk=]
+66
View File
@@ -0,0 +1,66 @@
---
hiera_include:
- radarr
- profiles::nginx::ldapauth
- profiles::metrics::exportarr
# manage radarr
radarr::params::user: radarr
radarr::params::group: media
radarr::params::manage_group: false
radarr::params::archive_version: 5.7.0
radarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- radarr.main.unkin.net
- radarr.service.consul
- radarr.query.consul
- "radarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'radarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- radarr.main.unkin.net
- radarr.service.consul
- radarr.query.consul
- "radarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_radarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=radarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
consul::services:
radarr:
service_name: 'radarr'
tags:
- 'media'
- 'radarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'radarr_http_check'
name: 'radarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: radarr
disposition: write
profiles::metrics::exportarr:
app: 'radarr'
config_path: '/opt/radarr/config.xml'
api_key: "%{hiera('radarr::api_key')}"
version: '2.0.1'
app_port: "%hiera('radarr::params::port')"
enable_additional_metrics: true
+3
View File
@@ -0,0 +1,3 @@
---
readarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlJ5RLp6pVTGQgtbzO5cQSrHBMg80S1ImFprHDeWC3GPN2KbheM80b1FKxvN+oVUJ8/kfiV6zstLOoYPUJQfmJNa/Xe95W/5+9hH2IS/oQ0yVdfLOjRq//qp+mVvSJ7JrtOyYSIrU3HjxaD+eXTPYp4UEJKfdSmGyDr7XuCOVIZe0Lu7OHczs8VKrowN99RJZ589HoMqrqCZWPlx14l/uNFjYdK/w6VcUWoo9y/5z1jtsNIObV8kSAYQQLwSr3tmjJdEE3au4sjeMOOJDpGcd5aJRWpKp12+8oHdVR5BV5326aCb13tkp6Td0jq/W9J2Jyv05vUdpP3PnVH9mHPDh6TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDA+2mMNGwfYM+mRoVTQiZMgDBanhVFmpYe42vZgMBKpNcNRjTnoCl27RpxD3KnjYwkE1zw/NeEOLoSZ1Try3GrlaA=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcOegaqGEsivQAlhSYvaiVUij4QJ/kterSg+wX/7P/oWjSN1oSNAFfco6lg5fYUsR7HDKZ4IwYuO1Q/q8hOxYkqzYrH/MIAhZatfQxyxriKuekxqOMuXgwrWCzAexQL0Fb4s5gcHQ4fwy5OxsM1CxFXnSSm1eYNXl5IERd//c0dFoIcshiGlOCFsj8Ne9mookFTJQDZrxM4VMXaVb+Fl9mOyy1ppDBKHTP/1ise/6LIUi+9YngamAWLIrsur5KvR45kvRoxDNLfJZasAqhD/5QLceDdSxqKBDur57QzmoPo2lFdT4WlzphKOdyHZtYOYr7BPdbtCqkXTWdkXvqFlRxjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCXhYe6zoRW7/OxVrZnAEoTgDDPFTz5S4nZWiwzjdT7Yd88Ii6I/v6ckaKTx0gd0pZKsVZkFYQBBhIfqFS2ho0UG3Y=]
+65
View File
@@ -0,0 +1,65 @@
---
hiera_include:
- readarr
- profiles::nginx::ldapauth
- profiles::metrics::exportarr
# manage readarr
readarr::params::user: readarr
readarr::params::group: media
readarr::params::manage_group: false
readarr::params::archive_version: 0.3.28
readarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- readarr.main.unkin.net
- readarr.service.consul
- readarr.query.consul
- "readarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'readarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- readarr.main.unkin.net
- readarr.service.consul
- readarr.query.consul
- "readarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_readarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=readarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
consul::services:
readarr:
service_name: 'readarr'
tags:
- 'media'
- 'readarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'readarr_http_check'
name: 'Readarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: readarr
disposition: write
profiles::metrics::exportarr:
app: 'readarr'
config_path: '/opt/readarr/config.xml'
api_key: "%{hiera('readarr::api_key')}"
version: '2.0.1'
app_port: "%hiera('readarr::params::port')"
enable_additional_metrics: true
+2
View File
@@ -0,0 +1,2 @@
sonarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANhwc0Vk0htkacwqGA/ZEVR7hpC1V2+nyP3lxyqkVNWERdcIsoMjlfwp2QNoLVirALY10Kon1wKXiRLT+QOqF9aTapS2Vb2YH3ZujR5yT6T1z4e0o4EA3IlNJZemVIziIqrK8+8zZzVafYdOYwMwpbc5EzoJPBtdqNHbDaQu4bRTCp2yMISTOzFjZpOoEJlRyC8YrffNU2xzA5mh5Cw+00MdIfPd8enrCnA4b1ddqP/IsfEYRt91ANQBULwKC5wenKdJAN5qKSKW6KU9TUM5YvGvUPgTvcYgXNf3/INL6G3/HwISTE5A7S6lqwYLyRTT1fMHtgDIqS936DPqCdAZtzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBZ4e3jAM0zvV43IrCzQOGIgDBwOWgm+wJG+jAU8r1awWDvzQXgF3h65nAKfoOuGEztsjeBEruU4EmZy6llLbfSSb8=]
ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF5/sP43SJX/FB6cAS0GPqxC78JS7jSNKoUqWB/IXkv8uXYiClqk+Xw4nFx8EtknNn628DHBY3vCLQ59Xk89p0fyimP70m3BM6or5iRGdCqEAOzL399GbYX8WFHjyQRBmGdaLR5h2r5UnmjuPpDtV+fgsqxo4gNpXnuQ+46ZZPQce/dzHzux+4aEK4Q6UbD/ZZSQklD6zEUV+Agj6E9cQlJPBiHtTyUdXOYHYlJN1HhFPXu3C6KIz63YioVCah1n6T/rJtPQ07pVUfizIaJiPpzcUN91+ZWyyjUPo0bRGZtYKVs/uCAYXht4F5ttKQDaGa3wd4a5IdtacmEWQWFqk3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDtB/68xkjxK3nrNh0MilACgDDt85aBvSp/Oj9EY67eNPr+JcnQ7WfyuqAYAnmYqfbQI8MDtYAx7br0+inJXvQ1BvI=]
+57
View File
@@ -0,0 +1,57 @@
---
hiera_include:
- sonarr
- profiles::nginx::ldapauth
- profiles::metrics::exportarr
# manage sonarr
sonarr::params::user: sonarr
sonarr::params::group: media
sonarr::params::manage_group: false
sonarr::params::archive_version: 4.0.5
sonarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- sonarr.main.unkin.net
- sonarr.service.consul
- sonarr.query.consul
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'sonarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- sonarr.main.unkin.net
- sonarr.service.consul
- sonarr.query.consul
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service
consul::services:
sonarr:
service_name: 'sonarr'
tags:
- 'media'
- 'sonarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'sonarr_http_check'
name: 'Sonarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: sonarr
disposition: write
+157
View File
@@ -0,0 +1,157 @@
---
hiera_include:
- glauth
# additional altnames
profiles::pki::vault::alt_names:
- ldap.main.unkin.net
- ldap.service.consul
- ldap.query.consul
- "ldap.service.%{facts.country}-%{facts.region}.consul"
glauth::params::download_version: 2.3.2
glauth::params::ldap_enabled: true
glauth::params::ldaps_enabled: true
glauth::params::basedn: 'dc=main,dc=unkin,dc=net'
glauth::params::behaviors_ignorecapabilities: true
glauth::params::ldap_tlscertpath: /etc/pki/tls/vault/certificate.crt
glauth::params::ldap_tlskeypath: /etc/pki/tls/vault/private.key
glauth::params::ldaps_cert: /etc/pki/tls/vault/certificate.crt
glauth::params::ldaps_key: /etc/pki/tls/vault/private.key
glauth::params::api_cert: /etc/pki/tls/vault/certificate.crt
glauth::params::api_key: /etc/pki/tls/vault/private.key
# configure consul service
consul::services:
ldap:
service_name: 'ldap'
tags:
- 'media'
- 'ldap'
address: "%{facts.networking.ip}"
port: 636
checks:
- id: 'glauth_http_check'
name: 'glauth HTTP Check'
http: "https://%{facts.networking.fqdn}:5555"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: ldap
disposition: write
glauth::users:
benvin:
user_name: 'benvin'
givenname: 'Ben'
sn: 'Vincent'
mail: 'benvin@users.main.unkin.net'
uidnumber: 20000
primarygroup: 20000
othergroups:
- 20010
- 20011
- 20012
- 20013
- 20014
- 20015
- 20016
loginshell: '/bin/bash'
homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
sshkeys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net'
matsol:
user_name: 'matsol'
givenname: 'Matt'
sn: 'Solomon'
mail: 'matsol@users.main.unkin.net'
uidnumber: 20001
primarygroup: 20000
othergroups:
- 20010
- 20011
- 20012
- 20013
- 20014
- 20015
- 20016
loginshell: '/bin/bash'
homedir: '/home/matsol'
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
glauth::services:
svc_jellyfin:
service_name: 'svc_jellyfin'
mail: 'jellyfin@service.main.unkin.net'
uidnumber: 30000
primarygroup: 20001
passsha256: '97f7b1eb24deb0a86e812d79c56f4901d39a24128dc9f6fde033e7195f7d0739'
svc_sonarr:
service_name: 'svc_sonarr'
mail: 'sonarr@service.main.unkin.net'
uidnumber: 30001
primarygroup: 20001
passsha256: '2c32d4cb831183cfbef15835cc76f99b401d0159621bc580e852253d4d8f8722'
svc_radarr:
service_name: 'svc_radarr'
mail: 'radarr@service.main.unkin.net'
uidnumber: 30002
primarygroup: 20001
passsha256: '805b0182d90c2b5b3ba43e50988447a0bff0115eb5fedd8eeae8eac00ba53025'
svc_lidarr:
service_name: 'svc_lidarr'
mail: 'lidarr@service.main.unkin.net'
uidnumber: 30003
primarygroup: 20001
passsha256: '6d04cd2a45784bacbd50e6714710b55805c7e9886665a6d7790e6d8712b67aff'
svc_readarr:
service_name: 'svc_readarr'
mail: 'readarr@service.main.unkin.net'
uidnumber: 30004
primarygroup: 20001
passsha256: '751f22fbd9c052b2cd0c1cb4be514d8710f1a51f84ce44f607ab3a5591162f8c'
svc_prowlarr:
service_name: 'svc_prowlarr'
mail: 'prowlarr@service.main.unkin.net'
uidnumber: 30005
primarygroup: 20001
passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043'
svc_nzbget:
service_name: 'svc_nzbget'
mail: 'nzbget@service.main.unkin.net'
uidnumber: 30006
primarygroup: 20001
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
glauth::groups:
users:
group_name: 'people'
gidnumber: 20000
services:
group_name: 'services'
gidnumber: 20001
jellyfin_access:
group_name: 'jellyfin_access'
gidnumber: 20010
sonarr_access:
group_name: 'sonarr_access'
gidnumber: 20011
radarr_access:
group_name: 'radarr_access'
gidnumber: 20012
lidarr_access:
group_name: 'lidarr_access'
gidnumber: 20013
readarr_access:
group_name: 'readarr_access'
gidnumber: 20014
prowlarr_access:
group_name: 'prowlarr_access'
gidnumber: 20015
nzbget_access:
group_name: 'nzbget_access'
gidnumber: 20016
+1 -1
View File
@@ -17,5 +17,5 @@ profiles::pki::vault::alt_names:
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
profiles::selinux::setenforce::mode: permissive
hiera_classes:
hiera_include:
- profiles::selinux::setenforce
+1 -1
View File
@@ -1,3 +1,3 @@
---
profiles::gitea::init::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
profiles::gitea::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEACd6q4E/4l1EYD3SFjc1okibyJ13kcGGWU+ShbCgwLgkW7INkyCxhbNm69yPA7WcyuRhH/Lfz/XjJKd3BSCyRQPr5IUOIRINspx82tLBcaMzY/99GFrfyDnf3+SV/AxrPJ/zD5TGkKQP7uX6WjC9DXpHE+pFJa9wBAipmV439y0JDVt2gXFmhqBWThSjBDBfJ5X4zO5wY8CfBX4APOcD5hIQP/T4n04dQLNpigEKKy6B+GFuooTbdmMmFj3ZpT+cUS8Aw9mFkBwyyN1o+50XU3vW4eieUz8cYkzDPu574XfTunqD2jcvPiFjCla8G1SpKfHkruKnZWwgO0Ntw9td5QDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAIRVL5j4dzbYg6f2XjvkQ6gDAd2qUNzPn2flZgKwsjIZcYdmFMTn48hGPUFfVaMDeyzPoJi84CyRJl8cQvcAe52sw=]
+45
View File
@@ -6,6 +6,11 @@ profiles::pki::vault::alt_names:
- git.query.consul
- "git.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- git.main.unkin.net
- git.service.consul
- git.query.consul
consul::services:
git:
service_name: 'git'
@@ -37,3 +42,43 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 3000
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 250M
profiles::gitea::init::root:
APP_NAME: 'Gitea'
RUN_USER: 'git'
RUN_MODE: 'prod'
profiles::gitea::init::repository:
ROOT: '/data/gitea/repos'
FORCE_PRIVATE: false
MAX_CREATION_LIMIT: -1
DISABLE_HTTP_GIT: false
DEFAULT_BRANCH: 'main'
DEFAULT_PRIVATE: 'last'
profiles::gitea::init::ui:
SHOW_USER_EMAIL: false
profiles::gitea::init::server:
PROTOCOL: 'http'
DOMAIN: 'git.query.consul'
ROOT_URL: 'https://git.query.consul'
HTTP_ADDR: '0.0.0.0'
HTTP_PORT: 3000
START_SSH_SERVER: false
SSH_DOMAIN: 'git.query.consul'
SSH_PORT: 2222
SSH_LISTEN_HOST: '0.0.0.0'
OFFLINE_MODE: true
APP_DATA_PATH: '/data/gitea'
SSH_LISTEN_PORT: 22
LFS_START_SERVER: true
profiles::gitea::init::database:
DB_TYPE: 'mysql'
HOST: 'mariadb-prod.service.au-syd1.consul:3306'
NAME: 'gitea'
USER: 'gitea'
PASSWD: "%{hiera('profiles::gitea::mysql_pass')}"
SSL_MODE: 'disable'
LOG_SQL: false
profiles::gitea::init::lfs:
PATH: '/data/gitea/lfs'
profiles::gitea::init::session:
PROVIDER: db
+8
View File
@@ -15,6 +15,7 @@ profiles::haproxy::server::globals:
stats:
- timeout 30s
- socket /var/lib/haproxy/stats
- socket /var/lib/haproxy/admin.sock mode 660 level admin
ca-base: /etc/ssl/certs
crt-base: /etc/ssl/private
ssl-default-bind-ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
@@ -52,6 +53,8 @@ profiles::haproxy::frontends:
options:
acl:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
use_backend:
- 'be_letsencrypt if acl-letsencrypt'
http-request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
@@ -67,6 +70,8 @@ profiles::haproxy::frontends:
options:
acl:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
use_backend:
- 'be_letsencrypt if acl-letsencrypt'
http-request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
@@ -89,3 +94,6 @@ profiles::haproxy::backends:
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
prometheus::haproxy_exporter::cnf_scrape_uri: unix:/var/lib/haproxy/stats
prometheus::haproxy_exporter::export_scrape_job: true
@@ -0,0 +1,49 @@
---
hiera_include:
- profiles::nginx::simpleproxy
profiles::metrics::grafana::mysql_host: "mariadb-%{facts.environment}.service.%{facts.country}-%{facts.region}.consul"
profiles::metrics::grafana::mysql_port: 3306
# additional altnames
profiles::pki::vault::alt_names:
- grafana.main.unkin.net
- grafana.service.consul
- grafana.query.consul
- "grafana.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- grafana.main.unkin.net
- grafana.service.consul
- grafana.query.consul
consul::services:
grafana:
service_name: 'grafana'
tags:
- 'grafana'
- 'metrics'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'Grafana_https_check'
name: 'Grafana HTTPS Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: grafana
disposition: write
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'grafana.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- grafana.main.unkin.net
- grafana.service.consul
- grafana.query.consul
- "grafana.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8080
profiles::nginx::simpleproxy::proxy_path: '/'
@@ -8,4 +8,5 @@ profiles::metrics::server::scrape_jobs:
- bind
- puppetdb
- systemd
- haproxy
profiles::metrics::server::localstorage: /data/prometheus
+21
View File
@@ -12,3 +12,24 @@ profiles::ntp::server::peers:
- '1.au.pool.ntp.org'
- '2.au.pool.ntp.org'
- '3.au.pool.ntp.org'
consul::services:
ntp:
service_name: 'ntp'
tags:
- 'ntp'
- 'time'
- 'sync'
address: "%{facts.networking.ip}"
port: 123
checks:
- id: ntp_check
name: "NTP Service Check"
args:
- '/usr/local/bin/check_ntp.sh'
interval: '15s'
timeout: '5s'
profiles::consul::client::node_rules:
- resource: service
segment: ntp
disposition: write
+2
View File
@@ -0,0 +1,2 @@
---
certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
+15
View File
@@ -0,0 +1,15 @@
---
hiera_include:
- certbot
- profiles::pki::puppetcerts
certbot::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- fafflix.unkin.net
+28
View File
@@ -5,3 +5,31 @@ sudo::configs:
content: |
ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
hiera_exclude:
- networking
# proxmox tools use root to authenticate against each other
ssh::server::options:
PermitRootLogin: yes
AcceptEnv:
- LANG LC_*
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
ListenAddress:
- "%{facts.networking.interfaces.vmbr1.ip}"
profiles::consul::client::node_rules:
- resource: service
segment: ceph-mon
disposition: write
- resource: service
segment: ceph-mds
disposition: write
- resource: service
segment: ceph-mgr
disposition: write
- resource: service
segment: ceph-osd
disposition: write
+12
View File
@@ -37,6 +37,14 @@ profiles::helpers::certmanager::vault_config:
output_path: '/tmp/certmanager'
role_id: "%{lookup('certmanager::role_id')}"
profiles::helpers::sshsignhost::vault_config:
addr: 'https://vault.service.consul:8200'
mount_point: 'ssh-host-signer'
approle_path: 'approle'
role_name: 'hostrole'
output_path: '/tmp/sshsignhost'
role_id: "%{lookup('sshsignhost::role_id')}"
profiles::puppet::server::agent_server: 'puppet.query.consul'
profiles::puppet::server::report_server: 'puppet.query.consul'
profiles::puppet::server::ca_server: 'puppetca.query.consul'
@@ -50,6 +58,10 @@ profiles::puppet::server::dns_alt_names:
- puppetmaster
- puppet
profiles::ssh::sign::principals:
- puppet.service.consul
- puppet.query.consul
consul::services:
puppet:
service_name: 'puppet'
+1
View File
@@ -0,0 +1 @@
profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAes6pfgtxctlXpsD+P5bahGP46nbXdPE3EiwdWPSiFP0MKfzFKbhlfOMydhz09fXHEa5mpOY3YHxN9W0tNmbs6mMvHIKKvNog6yowv7JnsQ+D89+c3JEdbi+DPwk6wVnKQEgnSn5uzoOHJVOd7hhtX85n1VTw9iTtSPGZprh11A3VII8dkUaPu6jc35rDGV6tgPvxaYy2vVH/b7wGP+kEe9WjoYU7Qw3odrY2yloGbQ3zXGh7ZXvK9iswKIuCLAMPoaUyJpzVooV7VqD4k/zEHhRgf88RMtww//9P8OHPJ9JPM2q3zHyZzoqRfOP723AP9z2V7OyhEoUNw5npaA6TpzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJevTZmH+Qm1mxwNxHdOzHgCAelk9abLhQkUO29O5d2PP04OTTlmK51BxHb203jqZSFQ==]
+35
View File
@@ -2,3 +2,38 @@
postgresql_config_entries:
max_connections: 300
shared_buffers: '256MB'
consul::services:
puppetdbsql:
service_name: 'puppetdbsql'
tags:
- 'puppet'
- 'puppetdb'
- 'database'
address: "%{facts.networking.ip}"
port: 5432
checks:
- id: 'psql-check'
name: 'PostgreSQL Health Check'
args:
- '/usr/local/bin/check_consul_postgresql'
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: puppetdbsql
disposition: write
profiles::yum::global::repos:
postgresql-15:
name: postgresql-15
descr: postgresql-15 repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
postgresql-common:
name: postgresql-common
descr: postgresql-common repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
+12
View File
@@ -77,3 +77,15 @@ profiles::consul::prepared_query::rules:
service_failover_n: 3
service_only_passing: true
ttl: 10
ntp:
ensure: 'present'
service_name: 'ntp'
service_failover_n: 3
service_only_passing: true
ttl: 10
grafana:
ensure: 'present'
service_name: 'grafana'
service_failover_n: 3
service_only_passing: true
ttl: 10
@@ -42,6 +42,9 @@ profiles::edgecache::params::directories:
/data/edgecache/pub/postgres: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx }
/data/edgecache/pub/ceph: { owner: nginx, group: nginx }
/data/edgecache/pub/ceph/apt: { owner: nginx, group: nginx }
/data/edgecache/pub/ceph/yum: { owner: nginx, group: nginx }
profiles::edgecache::params::mirrors:
debian:
@@ -118,3 +121,29 @@ profiles::edgecache::params::mirrors:
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
ceph_yum_repodata:
ensure: present
location: '~* ^/ceph/yum/.*/repodata/'
rewrite_rules:
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
proxy: http://158.69.68.124
ceph_yum_data:
ensure: present
location: /ceph/yum
proxy: http://158.69.68.124/rpm-reef
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
ceph_apt:
ensure: present
location: /ceph/apt
proxy: http://158.69.68.124/debian-reef
ceph_apt_pool:
ensure: present
location: /ceph/apt/pool
proxy: http://158.69.68.124/debian-reef/pool
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
@@ -0,0 +1,18 @@
# frozen_string_literal: true
Facter.add(:certbot_available_certs) do
confine enc_role: 'roles::infra::pki::certbot'
setcode do
certs_dir = '/etc/letsencrypt/live'
available_certs = []
if Dir.exist?(certs_dir)
Dir.children(certs_dir).each do |entry|
fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
available_certs << entry if File.exist?(fullchain_pem)
end
end
available_certs.join(',')
end
end
+15
View File
@@ -0,0 +1,15 @@
# certbot::cert
define certbot::cert (
Stdlib::Fqdn $domain,
Array $additional_args = ['--http-01-port=8888'],
Boolean $manage_cron = true,
) {
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
@@letsencrypt::certonly { $domain:
additional_args => $additional_args,
manage_cron => $manage_cron,
tag => $location_environment,
}
}
+23
View File
@@ -0,0 +1,23 @@
class certbot::client (
Array[Stdlib::Fqdn] $domains,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
) {
mkdir::p {$data_dir:}
file { $data_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
$domains.each |$domain| {
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
domain => $domain,
destination => "${data_dir}/${domain}",
webserver => $webserver,
require => File[$data_dir],
}
}
}
+51
View File
@@ -0,0 +1,51 @@
define certbot::client::cert (
Stdlib::Fqdn $domain,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
) {
file { $destination:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
$cert_ready_nodes = puppetdb_query("
facts {
name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
}"
)
# Define the certificate files
$cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
if !empty($cert_ready_nodes) {
$files_to_create = $cert_files.reduce({}) |$acc, $file| {
$acc + {
"${destination}/${file}" => {
ensure => 'file',
source => "https://${webserver}/${domain}/${file}",
owner => 'root',
group => 'root',
mode => '0644',
notify => Exec["concat_${domain}_certs"],
}
}
}
create_resources(file, $files_to_create)
exec { "concat_${domain}_certs":
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
path => ['/bin', '/usr/bin'],
refreshonly => true,
require => [
File["${destination}/fullchain.pem"],
File["${destination}/privkey.pem"],
],
}
} else {
notify { 'Certificates are not yet ready on the generator server.': }
}
}

Some files were not shown because too many files have changed in this diff Show More