Compare commits
171 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 2924b7ad6f | |||
| e6f243ef60 | |||
| 856a3901ac | |||
| bc35270731 | |||
| c1a6191cab | |||
| 0d4652cfdf | |||
| 9b9f64ca95 | |||
| d7f0c9073f | |||
| e74dc624c3 | |||
| 7bd12c9880 | |||
| aa8ded5850 | |||
| 1d1c5621c0 | |||
| 0e11c03e9d | |||
| 7520fdddbd | |||
| d07751a151 | |||
| 9be3656d15 | |||
| 9b8556f487 | |||
| 5acc683374 | |||
| 8a1d62cd41 | |||
| b6a77afc7b | |||
| 2b1ea45e4e | |||
| 19caafbc43 | |||
| a4e78f645a | |||
| f6aa2fac62 | |||
| 2147cc434d | |||
| f63e6a953c | |||
| 38819ba2ab | |||
| 72c6fdb249 | |||
| dc70687860 | |||
| 17dbbd8d0c | |||
| 7efd6edea9 | |||
| 95e387d3ad | |||
| febd98d316 | |||
| 5aac7752cd | |||
| dcccc85264 | |||
| 14c98ea659 | |||
| 5f5a9f5f65 | |||
| 3c63d8e797 | |||
| ab617a9de1 | |||
| bc27902fd2 | |||
| f2046efebe | |||
| 0b7f07692c | |||
| bbf9944ef5 | |||
| 89383268f0 | |||
| bccdb99ef4 | |||
| aa63970dc1 | |||
| bafb524fd2 | |||
| 40ff5f7d92 | |||
| 17c16bfc33 | |||
| 6993ff0036 | |||
| 679a4203a9 | |||
| 93125d9d71 | |||
| b90c6468b3 | |||
| 027140fb7a | |||
| 44bd2d3d89 | |||
| 56df5695dc | |||
| f22556b39f | |||
| f0086944f9 | |||
| b846a49127 | |||
| 34e696e8c3 | |||
| a12fac20ab | |||
| 7af6130598 | |||
| 4857b72ce3 | |||
| 3ace70bcea | |||
| 6839fb8c5f | |||
| 3b907159f1 | |||
| d5262b0ef5 | |||
| 53dfa0ca75 | |||
| 396e64de1d | |||
| 803a0ac01d | |||
| 736f04143f | |||
| 82ed27cf56 | |||
| 5631f07e6e | |||
| 8eca497ea2 | |||
| 9b2ca85f59 | |||
| 548076728a | |||
| 570df81bd9 | |||
| 2d3f4414b7 | |||
| 3991b6408b | |||
| f5a9eaef4a | |||
| 4a95fbbd31 | |||
| 4db9faa551 | |||
| 8548ef0284 | |||
| 681f9e3eb8 | |||
| a431c50980 | |||
| d98b12bf81 | |||
| 59b181ed54 | |||
| 36ad19ffed | |||
| 1995ce9eac | |||
| a3ef535bfc | |||
| feddc4a3fb | |||
| eb462eb3a3 | |||
| 449c6b082e | |||
| 94aed2df9c | |||
| 0ff9b86782 | |||
| 7d70b99491 | |||
| c6530e34f6 | |||
| 5725d092b8 | |||
| 09f50c9940 | |||
| 62cac63f11 | |||
| 0fe05bb896 | |||
| dd82d63b41 | |||
| a901a0b868 | |||
| 1e316dc814 | |||
| 58acd83410 | |||
| cc0a9e132e | |||
| 67f831edaf | |||
| c9abc779a0 | |||
| 380bb7bcb5 | |||
| 1b5e6120e7 | |||
| 82ce3ed4d7 | |||
| 3adc343f68 | |||
| ca558d493b | |||
| cbbcfa3b9e | |||
| 6b0e0daecb | |||
| 846e2b71f8 | |||
| 6f7740e6a2 | |||
| abd2eb5c9b | |||
| b4c20fd7d6 | |||
| b7a22551b1 | |||
| e00a78e5fb | |||
| a143732b3b | |||
| 45f3cb39c7 | |||
| 2b36ee3efa | |||
| 56711212a7 | |||
| 4ab5fd6be3 | |||
| 42be771732 | |||
| 255cf38c67 | |||
| 9c23c0005a | |||
| 5e13f1a1e8 | |||
| 6944d67e04 | |||
| 965e334636 | |||
| d4163233f6 | |||
| 52b06dcd8e | |||
| 9d3ddb37df | |||
| 934f4be03c | |||
| 777fe1aef6 | |||
| 57b935b33e | |||
| da9d52e117 | |||
| 06545c6298 | |||
| 51eeb13793 | |||
| 721d14378a | |||
| aaf482c9b9 | |||
| 33ba0bb896 | |||
| 07c896b924 | |||
| 6822a39dc3 | |||
| b85f14ed89 | |||
| e3f34a7cc4 | |||
| c000244c5a | |||
| 76fc6b9fa1 | |||
| 902e55f655 | |||
| da3444e49f | |||
| b468f67103 | |||
| 9819ce7f4d | |||
| cc7165055d | |||
| 4bd3310ea8 | |||
| d7208c5e40 | |||
| 4b4272250a | |||
| 3dfe9b9b73 | |||
| de39515862 | |||
| 7aa7f33145 | |||
| a6a03b4d83 | |||
| 39aa6e114e | |||
| 40c4be6f6e | |||
| ae6547aea8 | |||
| 5e31af2ee2 | |||
| c5d63bd6f8 | |||
| f351cc8413 | |||
| fd5c3dbce2 | |||
| 49f405e0bc | |||
| 254c9f1358 |
@@ -18,6 +18,7 @@ mod 'puppetlabs-xinetd', '3.4.1'
|
||||
mod 'puppetlabs-haproxy', '8.0.0'
|
||||
mod 'puppetlabs-java', '10.1.2'
|
||||
mod 'puppetlabs-reboot', '5.0.0'
|
||||
mod 'puppetlabs-augeas_core', '1.5.0'
|
||||
|
||||
# puppet
|
||||
mod 'puppet-python', '7.0.0'
|
||||
@@ -35,10 +36,17 @@ mod 'puppet-vault', '4.1.0'
|
||||
mod 'puppet-dhcp', '6.1.0'
|
||||
mod 'puppet-keepalived', '3.6.0'
|
||||
mod 'puppet-extlib', '7.0.0'
|
||||
mod 'puppet-network', '2.2.0'
|
||||
mod 'puppet-kmod', '4.0.1'
|
||||
mod 'puppet-filemapper', '4.0.0'
|
||||
mod 'puppet-openldap', '8.0.0'
|
||||
mod 'puppet-augeasproviders_shellvar', '6.0.1'
|
||||
mod 'puppet-augeasproviders_core', '4.1.0'
|
||||
|
||||
# other
|
||||
mod 'ghoneycutt-puppet', '3.3.0'
|
||||
mod 'saz-sudo', '8.0.0'
|
||||
mod 'saz-ssh', '12.1.0'
|
||||
mod 'ghoneycutt-timezone', '4.0.0'
|
||||
mod 'dalen-puppetdbquery', '3.0.1'
|
||||
mod 'markt-galera', '3.1.0'
|
||||
@@ -46,6 +54,7 @@ mod 'kogitoapp-minio', '1.1.4'
|
||||
mod 'broadinstitute-certs', '3.0.1'
|
||||
mod 'stm-file_capability', '6.0.0'
|
||||
mod 'h0tw1r3-gitea', '3.2.0'
|
||||
mod 'rehan-mkdir', '2.0.0'
|
||||
|
||||
mod 'bind',
|
||||
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
# Group administration
|
||||
|
||||
This page exists to list all the locally managed groups, their gid's and what their general purpose is for.
|
||||
|
||||
## List of groups
|
||||
| name | gid | purpose |
|
||||
|-------------|-------------|-------------|
|
||||
| admin | 10000 | admin group designed for system admins |
|
||||
| media | 20000 | group permissions to manage media (*arrs) |
|
||||
@@ -0,0 +1,60 @@
|
||||
# managing ceph
|
||||
|
||||
Always refer back to the official documentation at https://docs.ceph.com/en/latest
|
||||
|
||||
## adding new cephfs
|
||||
- create a erasure code profile which will allow you to customise the raid level
|
||||
- raid5 with 3 disks? k=2,m=1
|
||||
- raid5 with 6 disks? k=5,m=1
|
||||
- raid6 with 4 disks? k=2,m=2, etc
|
||||
- create osd pool using custom profile for data
|
||||
- create osd pool using default replicated profile for metadata
|
||||
- enable ec_overwrites for the data pool
|
||||
- create the ceph fs volume using data/metadata pools
|
||||
- set ceph fs settings
|
||||
- specify minimum number of metadata servers (mds)
|
||||
- set fs to be for bulk data
|
||||
- set mds fast failover with standby reply
|
||||
|
||||
|
||||
```
|
||||
sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
|
||||
sudo ceph osd pool create media_data 128 erasure ec_4_1
|
||||
sudo ceph osd pool create media_metadata 32 replicated_rule
|
||||
sudo ceph osd pool set media_data allow_ec_overwrites true
|
||||
sudo ceph osd pool set media_data bulk true
|
||||
sudo ceph fs new mediafs media_metadata media_data --force
|
||||
sudo ceph fs set mediafs allow_standby_replay true
|
||||
sudo ceph fs set mediafs max_mds 2
|
||||
```
|
||||
|
||||
## creating authentication tokens
|
||||
|
||||
- this will create a client keyring named media
|
||||
- this client will have the following capabilities:
|
||||
- mon: read
|
||||
- mds:
|
||||
- read /
|
||||
- read/write /media
|
||||
- read/write /common
|
||||
- osd: read/write to cephfs_data pool
|
||||
|
||||
```
|
||||
sudo ceph auth get-or-create client.media \
|
||||
mon 'allow r' \
|
||||
mds 'allow r path=/, allow rw path=/media, allow rw path=/common' \
|
||||
osd 'allow rw pool=cephfs_data'
|
||||
```
|
||||
|
||||
## list the authentication tokens and permissions
|
||||
|
||||
ceph auth ls
|
||||
|
||||
## change the capabilities of a token
|
||||
|
||||
this will overwrite the current capabilities of a given client.user
|
||||
|
||||
sudo ceph auth caps client.media \
|
||||
mon 'allow r' \
|
||||
mds 'allow rw path=/' \
|
||||
osd 'allow rw pool=media_data'
|
||||
@@ -0,0 +1,31 @@
|
||||
# add additional master
|
||||
|
||||
these steps are required when adding additional puppet masters, as the subject alternative names on the certificate will need to be changed. this requires the old certificate be revoked, cleaned up, and for a new certificate to be generated and signed.
|
||||
|
||||
## prepare a new node
|
||||
- deploy a new now, or identify a space with the base role
|
||||
- change the hosts class to roles::infra::puppet::master
|
||||
- apply puppet until there are no more changes
|
||||
|
||||
## revoke the current certificate on the puppet master
|
||||
|
||||
sudo puppetserver ca clean --certname ausyd1nxvm1023.main.unkin.net
|
||||
|
||||
## stop the new puppetserver and cleanup revoked certificates
|
||||
|
||||
sudo systemctl stop puppetserver
|
||||
sudo rm -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
|
||||
sudo rm -f /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem
|
||||
|
||||
## copy the current crl.pem, as puppetserver will overwrite it when starting
|
||||
|
||||
sudo cp /etc/puppetlabs/puppet/ssl/crl.pem /root/current_crl.pem
|
||||
|
||||
## request new puppet agent certificate
|
||||
|
||||
sudo puppet ssl bootstrap
|
||||
|
||||
## start the puppetserver service and move the crl.pem back in place
|
||||
|
||||
sudo systemctl start puppetserver
|
||||
sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
|
||||
@@ -0,0 +1,123 @@
|
||||
# PKI
|
||||
## root ca
|
||||
vault secrets enable -path=pki_root pki
|
||||
vault secrets tune -max-lease-ttl=87600h pki_root
|
||||
|
||||
vault write -field=certificate pki_root/root/generate/internal \
|
||||
common_name="unkin.net" \
|
||||
issuer_name="UNKIN_ROOTCA_2024" \
|
||||
ttl=87600h > unkinroot_2024_ca.crt
|
||||
|
||||
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
|
||||
|
||||
vault write pki_root/roles/2024-servers allow_any_name=true
|
||||
|
||||
vault write pki_root/config/urls \
|
||||
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
|
||||
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
|
||||
|
||||
## intermediate
|
||||
vault secrets enable -path=pki_int pki
|
||||
vault secrets tune -max-lease-ttl=43800h pki_int
|
||||
|
||||
vault write -format=json pki_int/intermediate/generate/internal \
|
||||
common_name="unkin.net Intermediate Authority" \
|
||||
issuer_name="UNKIN_VAULTCA_2024" \
|
||||
| jq -r '.data.csr' > pki_intermediate.csr
|
||||
|
||||
vault write -format=json pki_root/root/sign-intermediate \
|
||||
issuer_ref="UNKIN_ROOTCA_2024" \
|
||||
csr=@pki_intermediate.csr \
|
||||
format=pem_bundle ttl="43800h" \
|
||||
| jq -r '.data.certificate' > intermediate.cert.pem
|
||||
|
||||
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
|
||||
|
||||
## create role
|
||||
vault write pki_int/roles/servers_default \
|
||||
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
|
||||
allow_ip_sans=true \
|
||||
allowed_domains="unkin.net, *.unkin.net, localhost" \
|
||||
allow_subdomains=true \
|
||||
allow_glob_domains=true \
|
||||
allow_bare_domains=true \
|
||||
enforce_hostnames=true \
|
||||
allow_any_name=true \
|
||||
max_ttl="2160h" \
|
||||
key_bits=4096 \
|
||||
country="Australia"
|
||||
|
||||
## test generating a domain cert
|
||||
vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
|
||||
vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
|
||||
vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
|
||||
|
||||
## remove expired certificates
|
||||
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
|
||||
|
||||
# AUTH
|
||||
## enable approles
|
||||
vault auth enable approle
|
||||
|
||||
# CERTMANAGER
|
||||
## create certmanager policy and token, limit to puppetmaster
|
||||
cat <<EOF > certmanager.hcl
|
||||
path "pki_int/issue/*" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
path "pki_int/renew/*" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
path "pki_int/cert/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
EOF
|
||||
|
||||
vault policy write certmanager certmanager.hcl
|
||||
|
||||
vault write auth/approle/role/certmanager \
|
||||
bind_secret_id=false \
|
||||
token_policies="certmanager" \
|
||||
token_ttl=30s \
|
||||
token_max_ttl=30s \
|
||||
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
|
||||
|
||||
## get the certmanager approle id
|
||||
vault read -field=role_id auth/approle/role/certmanager/role-id
|
||||
|
||||
|
||||
# SSH Hostkey Signing
|
||||
|
||||
## create ssh engine, key, set ttl
|
||||
vault secrets enable -path=ssh-host-signer ssh
|
||||
vault write ssh-host-signer/config/ca generate_signing_key=true
|
||||
vault secrets tune -max-lease-ttl=87600h ssh-host-signer
|
||||
|
||||
## create role
|
||||
vault write ssh-host-signer/roles/hostrole \
|
||||
key_type=ca \
|
||||
algorithm_signer=rsa-sha2-256 \
|
||||
ttl=87600h \
|
||||
allow_host_certificates=true \
|
||||
allowed_domains="unkin.net" \
|
||||
allow_subdomains=true \
|
||||
allow_baredomains=true
|
||||
|
||||
## create policy to use hostrole
|
||||
cat <<EOF > sshsign-host.hcl
|
||||
path "ssh-host-signer/sign/hostrole" {
|
||||
capabilities = ["create", "update"]
|
||||
}
|
||||
EOF
|
||||
|
||||
vault policy write sshsign-host-policy sshsign-host.hcl
|
||||
|
||||
vault write auth/approle/role/sshsign-host-role \
|
||||
bind_secret_id=false \
|
||||
token_policies="sshsign-host-policy" \
|
||||
token_ttl=30s \
|
||||
token_max_ttl=30s \
|
||||
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
|
||||
|
||||
## get the sshsign-host-role approle id
|
||||
vault read -field=role_id auth/approle/role/sshsign-host-role/role-id
|
||||
@@ -1,48 +0,0 @@
|
||||
# root ca
|
||||
vault secrets enable -path=pki_root pki
|
||||
|
||||
vault write -field=certificate pki_root/root/generate/internal \
|
||||
common_name="unkin.net" \
|
||||
issuer_name="unkinroot-2024" \
|
||||
ttl=87600h > unkinroot_2024_ca.crt
|
||||
|
||||
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
|
||||
|
||||
vault write pki_root/roles/2024-servers allow_any_name=true
|
||||
|
||||
vault write pki_root/config/urls \
|
||||
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
|
||||
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
|
||||
|
||||
# intermediate
|
||||
vault secrets enable -path=pki_int pki
|
||||
vault secrets tune -max-lease-ttl=43800h pki_int
|
||||
|
||||
vault write -format=json pki_int/intermediate/generate/internal \
|
||||
common_name="unkin.net Intermediate Authority" \
|
||||
issuer_name="unkin-dot-net-intermediate" \
|
||||
| jq -r '.data.csr' > pki_intermediate.csr
|
||||
|
||||
vault write -format=json pki_root/root/sign-intermediate \
|
||||
issuer_ref="unkinroot-2024" \
|
||||
csr=@pki_intermediate.csr \
|
||||
format=pem_bundle ttl="43800h" \
|
||||
| jq -r '.data.certificate' > intermediate.cert.pem
|
||||
|
||||
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
|
||||
|
||||
# create role
|
||||
vault write pki_int/roles/unkin-dot-net \
|
||||
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
|
||||
allowed_domains="unkin.net" \
|
||||
allow_subdomains=true \
|
||||
max_ttl="2160h"
|
||||
|
||||
# test generating a domain cert
|
||||
vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
|
||||
vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
|
||||
vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
|
||||
|
||||
|
||||
# remove expired certificates
|
||||
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
|
||||
+91
-36
@@ -108,11 +108,34 @@ lookup_options:
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
merge:
|
||||
strategy: deep
|
||||
networking::interfaces:
|
||||
merge:
|
||||
strategy: deep
|
||||
networking::interface_defaults:
|
||||
merge:
|
||||
strategy: deep
|
||||
networking::routes:
|
||||
merge:
|
||||
strategy: deep
|
||||
networking::route_defaults:
|
||||
merge:
|
||||
strategy: deep
|
||||
ssh::server::options:
|
||||
merge:
|
||||
strategy: deep
|
||||
mysql::db:
|
||||
merge:
|
||||
strategy: deep
|
||||
profiles::ceph::client::keyrings:
|
||||
merge:
|
||||
strategy: deep
|
||||
|
||||
facts_path: '/opt/puppetlabs/facter/facts.d'
|
||||
|
||||
hiera_classes:
|
||||
hiera_include:
|
||||
- timezone
|
||||
- networking
|
||||
- ssh::server
|
||||
|
||||
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
||||
profiles::ntp::client::use_ntp: 'region'
|
||||
@@ -150,6 +173,7 @@ profiles::packages::install:
|
||||
- curl
|
||||
- dstat
|
||||
- expect
|
||||
- gcc
|
||||
- gzip
|
||||
- git
|
||||
- htop
|
||||
@@ -170,6 +194,7 @@ profiles::packages::install:
|
||||
- socat
|
||||
- strace
|
||||
- sysstat
|
||||
- tar
|
||||
- tmux
|
||||
- traceroute
|
||||
- unzip
|
||||
@@ -215,6 +240,38 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
|
||||
prometheus::node_exporter::export_scrape_job: true
|
||||
prometheus::systemd_exporter::export_scrape_job: true
|
||||
|
||||
ssh::server::storeconfigs_enabled: false
|
||||
ssh::server::options:
|
||||
Protocol: '2'
|
||||
ListenAddress:
|
||||
- '127.0.0.1'
|
||||
- '%{facts.networking.ip}'
|
||||
SyslogFacility: 'AUTHPRIV'
|
||||
HostKey:
|
||||
- /etc/ssh/ssh_host_rsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ed25519_key
|
||||
HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem
|
||||
AuthorizedKeysFile: .ssh/authorized_keys
|
||||
PermitRootLogin: no
|
||||
PasswordAuthentication: no
|
||||
ChallengeResponseAuthentication: no
|
||||
PubkeyAuthentication: yes
|
||||
GSSAPIAuthentication: yes
|
||||
GSSAPICleanupCredentials: yes
|
||||
UsePAM: yes
|
||||
X11Forwarding: no
|
||||
PrintMotd: no
|
||||
AcceptEnv:
|
||||
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
Subsystem: sftp /usr/libexec/openssh/sftp-server
|
||||
|
||||
profiles::ssh::knownhosts::lines:
|
||||
- '@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1HD97vYxLTniE4qNpGuftUlvmkEXIuX8+7nbENv/IzsGUghEDRtyThjQ7ojNKIsQ7f8wXr0gMcI+fAPfrbcOMHCAoYMomikwL0b3h95SZI40q3CyM+0DMnwiVVDX6C1QxkO2Rv9cszSkCa85NotJhXiUuTBI9BFcRPy+mAhbpAru+bfypYofI0wW97XNTl8Jgwmni5MgutBIQAokFIn5ux8iWxndCH3AqDtmkwC5DfQeQ+wZx7rkwqJEpJffQzrjb1gIM6P9hDCVBBVPh/3o80IJ69rFWrJAZUb+JpG4cXJH0NcSW+wqc3JCT/x3q8VlHwOTXSlNNKtOJCRx73mB8e1XTTy2a9FgpKDDg5XQXWHAViJDz1RTRL9gRefMylRgKz4bXoTuY9kJWM8hPTyUejtukbJThlBJc3OmDxBZBF7F0iqB11pHexok43OCEiANodVa36eWu9/5X032Vm48fZ1/akDPY/NSy3wAn7kwut+A0/JAHFHASrq+1mt9YurkJegI+YHXO6eEWpBIpmI7ORHJbGL4MhkHrxYzVamuP8CkU7tXzsv138+wpOcRHNp9yJY4PT40BZkRf/O3O+jt3pj9Dj8rvgywF2W6hFzywh3Y78upOprRkQlQtHfsI8EyrYI8/hUw2u3H+3yPXh3YjWfqvWVG1BRLRHBV7m90uaw=='
|
||||
|
||||
profiles::base::groups::local:
|
||||
admins:
|
||||
ensure: present
|
||||
@@ -231,38 +288,36 @@ sudo::configs:
|
||||
profiles::accounts::sysadmin::sshkeys:
|
||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
|
||||
|
||||
profiles::base::hosts::additional_hosts:
|
||||
- ip: 198.18.17.3
|
||||
hostname: prodinf01n01.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n01
|
||||
- puppet
|
||||
- puppetmaster
|
||||
- puppetca
|
||||
- ip: 198.18.17.4
|
||||
hostname: prodinf01n04.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n04
|
||||
- ip: 198.18.17.5
|
||||
hostname: prodinf01n05.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n05
|
||||
- ip: 198.18.17.6
|
||||
hostname: prodinf01n06.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n06
|
||||
- ip: 198.18.17.9
|
||||
hostname: prodinf01n09.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n09
|
||||
- ntp01.main.unkin.net
|
||||
- ip: 198.18.17.10
|
||||
hostname: prodinf01n10.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n10
|
||||
- ntp02.main.unkin.net
|
||||
- ip: 198.18.17.22
|
||||
hostname: prodinf01n22.main.unkin.net
|
||||
aliases:
|
||||
- prodinf01n22
|
||||
- repos.main.unkin.net
|
||||
networking::interface_defaults:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::route_defaults:
|
||||
ensure: present
|
||||
interface: eth0
|
||||
netmask: 0.0.0.0
|
||||
network: default
|
||||
|
||||
profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
|
||||
profiles::ceph::client::mons:
|
||||
- 10.18.15.1
|
||||
- 10.18.15.2
|
||||
- 10.18.15.3
|
||||
#profiles::base::hosts::additional_hosts:
|
||||
# - ip: 198.18.17.9
|
||||
# hostname: prodinf01n09.main.unkin.net
|
||||
# aliases:
|
||||
# - prodinf01n09
|
||||
# - ntp01.main.unkin.net
|
||||
# - ip: 198.18.17.10
|
||||
# hostname: prodinf01n10.main.unkin.net
|
||||
# aliases:
|
||||
# - prodinf01n10
|
||||
# - ntp02.main.unkin.net
|
||||
# - ip: 198.18.17.22
|
||||
# hostname: prodinf01n22.main.unkin.net
|
||||
# aliases:
|
||||
# - prodinf01n22
|
||||
# - repos.main.unkin.net
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
---
|
||||
certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl]
|
||||
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
||||
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]
|
||||
|
||||
@@ -6,11 +6,21 @@ profiles::haproxy::mappings:
|
||||
mappings:
|
||||
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
|
||||
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
|
||||
- 'sonarr.main.unkin.net be_sonarr'
|
||||
- 'radarr.main.unkin.net be_radarr'
|
||||
- 'lidarr.main.unkin.net be_lidarr'
|
||||
- 'readarr.main.unkin.net be_readarr'
|
||||
- 'prowlarr.main.unkin.net be_prowlarr'
|
||||
fe_https:
|
||||
ensure: present
|
||||
mappings:
|
||||
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
|
||||
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
|
||||
- 'sonarr.main.unkin.net be_sonarr'
|
||||
- 'radarr.main.unkin.net be_radarr'
|
||||
- 'lidarr.main.unkin.net be_lidarr'
|
||||
- 'readarr.main.unkin.net be_readarr'
|
||||
- 'prowlarr.main.unkin.net be_prowlarr'
|
||||
|
||||
profiles::haproxy::frontends:
|
||||
fe_http:
|
||||
@@ -63,6 +73,86 @@ profiles::haproxy::backends:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_sonarr:
|
||||
description: Backend for au-syd1 sonarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_radarr:
|
||||
description: Backend for au-syd1 radarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_lidarr:
|
||||
description: Backend for au-syd1 lidarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_readarr:
|
||||
description: Backend for au-syd1 readarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
be_prowlarr:
|
||||
description: Backend for au-syd1 prowlarr
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
|
||||
profiles::haproxy::certlist::enabled: true
|
||||
profiles::haproxy::certlist::certificates:
|
||||
@@ -72,6 +162,11 @@ profiles::haproxy::certlist::certificates:
|
||||
profiles::pki::vault::alt_names:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
- sonarr.main.unkin.net
|
||||
- radarr.main.unkin.net
|
||||
- lidarr.main.unkin.net
|
||||
- readarr.main.unkin.net
|
||||
- prowlarr.main.unkin.net
|
||||
|
||||
# additional cnames
|
||||
profiles::haproxy::dns::cnames:
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
---
|
||||
certmanager::vault_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
||||
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
|
||||
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
|
||||
@@ -2,3 +2,14 @@
|
||||
profiles::sql::galera_member::cluster_name: au-syd1
|
||||
profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net
|
||||
profiles::sql::galera_member::innodb_buffer_pool_size: 256M
|
||||
|
||||
mysql::db:
|
||||
grafana:
|
||||
name: grafana
|
||||
user: grafana
|
||||
password: "%{alias('mysql::db::grafana::pass')}"
|
||||
grant:
|
||||
- SELECT
|
||||
- INSERT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.10
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.11
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.12
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.13
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.14
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.15
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.16
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.17
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.18
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.19
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.20
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.21
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.22
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.23
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.24
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.25
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.26
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -1,2 +1,11 @@
|
||||
---
|
||||
profiles::cobbler::params::is_cobbler_master: true
|
||||
networking::interfaces:
|
||||
ens18:
|
||||
ipaddress: 198.18.13.27
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
interface: ens18
|
||||
|
||||
profiles::almalinux::base::remove_ens18: false
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.28
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.29
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.30
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,10 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
ens18:
|
||||
ipaddress: 198.18.13.31
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
interface: ens18
|
||||
|
||||
profiles::almalinux::base::remove_ens18: false
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.32
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.33
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.34
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.35
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.36
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.37
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.38
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.39
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.40
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.41
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.42
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.43
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.44
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.45
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -5,5 +5,17 @@ profiles::puppet::server::dns_alt_names:
|
||||
- puppetca.query.consul
|
||||
- puppetca
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- puppetca.main.unkin.net
|
||||
- puppetca.service.consul
|
||||
- puppetca.query.consul
|
||||
- puppetca
|
||||
|
||||
profiles::puppet::puppetca::is_puppetca: true
|
||||
profiles::puppet::puppetca::allow_subject_alt_names: true
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.46
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.47
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.47
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.48
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.49
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.50
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.50
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.51
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.51
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.52
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.52
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.53
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.53
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.54
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.55
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.56
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
ipaddress: 198.18.13.57
|
||||
ens19:
|
||||
ensure: present
|
||||
family: inet
|
||||
method: static
|
||||
ipaddress: 10.18.15.57
|
||||
netmask: 255.255.255.0
|
||||
onboot: true
|
||||
networking::routes:
|
||||
default:
|
||||
gateway: 198.18.13.254
|
||||
@@ -7,3 +7,6 @@ profiles::puppet::server::dns_alt_names:
|
||||
|
||||
profiles::puppet::puppetca::is_puppetca: false
|
||||
profiles::puppet::puppetca::allow_subject_alt_names: true
|
||||
|
||||
hiera_exclude:
|
||||
- networking
|
||||
|
||||
@@ -5,10 +5,15 @@ profiles::firewall::firewalld::ensure_service: 'stopped'
|
||||
profiles::firewall::firewalld::enable_service: false
|
||||
profiles::puppet::agent::puppet_version: '7.26.0'
|
||||
|
||||
hiera_include:
|
||||
- profiles::almalinux::base
|
||||
|
||||
profiles::packages::install:
|
||||
- lzo
|
||||
- xz
|
||||
- network-scripts
|
||||
- policycoreutils
|
||||
- unar
|
||||
- xz
|
||||
|
||||
lm-sensors::package: lm_sensors
|
||||
|
||||
@@ -19,44 +24,53 @@ profiles::yum::global::repos:
|
||||
target: /etc/yum.repos.d/baseos.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
extras:
|
||||
name: extras
|
||||
descr: extras repository
|
||||
target: /etc/yum.repos.d/extras.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
appstream:
|
||||
name: appstream
|
||||
descr: appstream repository
|
||||
target: /etc/yum.repos.d/appstream.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
powertools:
|
||||
name: powertools
|
||||
descr: powertools repository
|
||||
target: /etc/yum.repos.d/powertools.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
highavailability:
|
||||
name: highavailability
|
||||
descr: highavailability repository
|
||||
target: /etc/yum.repos.d/highavailability.repo
|
||||
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
|
||||
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
epel:
|
||||
name: epel
|
||||
descr: epel repository
|
||||
target: /etc/yum.repos.d/epel.repo
|
||||
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
|
||||
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
|
||||
mirrorlist: absent
|
||||
puppet:
|
||||
name: puppet
|
||||
descr: puppet repository
|
||||
target: /etc/yum.repos.d/puppet.repo
|
||||
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
|
||||
mirrorlist: absent
|
||||
unkin:
|
||||
name: unkin
|
||||
descr: unkin repository
|
||||
target: /etc/yum.repos.d/unkin.repo
|
||||
baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os
|
||||
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
|
||||
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
|
||||
mirrorlist: absent
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# hieradata/os/debian/all_releases.yaml
|
||||
---
|
||||
profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian
|
||||
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
|
||||
profiles::apt::base::secureurl: http://security.debian.org/debian-security
|
||||
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
|
||||
profiles::apt::puppet7::repo: puppet7
|
||||
@@ -12,3 +12,4 @@ profiles::packages::install:
|
||||
- xz-utils
|
||||
|
||||
lm-sensors::package: lm-sensors
|
||||
networking::nwmgr_dns_none: false
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
ceph::key::media: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEBANgP2ifU7NbuMs+kWpeg1tchR5IMD7Z7kMpRBejgCMHludTYGf/BzxTe36YjpwLsuUd658QK5vE4EYpM1MuzqfuNiWJa5ec1IR/AgWQUMZcpjEDEqpHTb2qygmpc+jb3vW1EMBleZL2Z4GrgJ00gWO/EvukBSPgyxBsFe4Bb/L3aK6xiucG3JA9A7qA6cS4Oz5pf8dfC0FBjsc+XN7++bJN5pWUgMcEDgiyCy3bkL2gWfPKOWfabTRwuC3qd6SihZMg/tY8uoDfYoI8jHkjU07/mhC6AD930wgcFG+xJwNAX7FxLvLyJ8iN/648LVoZFuszYiTwPib1CszksdYBjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBSGXrbrl4FisZN5FT1hfmrgDBnV2SVfCJIYYyZ9+Vo1ykNmzUypJdJ+4llyXA7FOuH90xVZvLZMjNMhVCxP48CiYI=]
|
||||
@@ -0,0 +1,20 @@
|
||||
---
|
||||
profiles::yum::global::repos:
|
||||
ceph-reef:
|
||||
name: ceph-reef
|
||||
descr: ceph reef repository
|
||||
target: /etc/yum.repos.d/ceph-reef.repo
|
||||
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
|
||||
gpgcheck: 0,
|
||||
mirrorlist: absent
|
||||
|
||||
profiles::ceph::client::keyrings:
|
||||
media:
|
||||
key: "%{hiera('ceph::key::media')}"
|
||||
|
||||
profiles::base::groups::local:
|
||||
media:
|
||||
ensure: present
|
||||
gid: 20000
|
||||
allowdupe: false
|
||||
forcelocal: true
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
|
||||
@@ -0,0 +1,52 @@
|
||||
---
|
||||
hiera_include:
|
||||
- lidarr
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage lidarr
|
||||
lidarr::params::user: lidarr
|
||||
lidarr::params::group: media
|
||||
lidarr::params::manage_group: false
|
||||
lidarr::params::archive_version: 2.3.3
|
||||
lidarr::params::port: 8000
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- lidarr.main.unkin.net
|
||||
- lidarr.service.consul
|
||||
- lidarr.query.consul
|
||||
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'lidarr.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- lidarr.main.unkin.net
|
||||
- lidarr.service.consul
|
||||
- lidarr.query.consul
|
||||
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
lidarr:
|
||||
service_name: 'lidarr'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'lidarr'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'lidarr_http_check'
|
||||
name: 'Lidarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: lidarr
|
||||
disposition: write
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
|
||||
@@ -0,0 +1,52 @@
|
||||
---
|
||||
hiera_include:
|
||||
- prowlarr
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage prowlarr
|
||||
prowlarr::params::user: prowlarr
|
||||
prowlarr::params::group: media
|
||||
prowlarr::params::manage_group: false
|
||||
prowlarr::params::archive_version: 1.19.0
|
||||
prowlarr::params::port: 8000
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- prowlarr.main.unkin.net
|
||||
- prowlarr.service.consul
|
||||
- prowlarr.query.consul
|
||||
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'prowlarr.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- prowlarr.main.unkin.net
|
||||
- prowlarr.service.consul
|
||||
- prowlarr.query.consul
|
||||
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
prowlarr:
|
||||
service_name: 'prowlarr'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'prowlarr'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'prowlarr_http_check'
|
||||
name: 'Prowlarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: prowlarr
|
||||
disposition: write
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
radarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALtNnNr2N7DpP9zx5anmQavFmsTLIyPkpJGCkJpUTHMYFSScS/3FOUuufajk4Cmu4FbPswp/N/U1nHO8oLF6xNQ+H77+xXuKPalW/3R1IRqGoczwsAfstJ6nYF+PLjjeK2TDP+KMs3Eg2+nrXB7NOVOP88RvDLyZq93Wn9qR+1VG6Y2gLqGSJArZpNilV5ygUYRgbMeckjqfLynYBXtgDQQLYNhxDO6WGRRv+0X773nmOdrWFAUjqF6/K+Ejjk5ZbaqnGyjljMstSrhg7NWxtMRbCjeMpjUjUS4Hn/Vayg2M2Ag2s87gsE1e4QFa6KP7GVRu3swvyZ3D54Ba/xrebxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDD6gIEfNGPXA8zv/vysgxJgDADMi7Fx5q+aqTMeqcKLg1AukTlCnJ62zykm6RNGdS0KlpJsvTSmWF4So3v/9BsKdk=]
|
||||
@@ -0,0 +1,53 @@
|
||||
---
|
||||
hiera_include:
|
||||
- radarr
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage radarr
|
||||
radarr::params::user: radarr
|
||||
radarr::params::group: media
|
||||
radarr::params::manage_group: false
|
||||
radarr::params::archive_version: 5.7.0
|
||||
radarr::params::port: 8000
|
||||
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- radarr.main.unkin.net
|
||||
- radarr.service.consul
|
||||
- radarr.query.consul
|
||||
- "radarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'radarr.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- radarr.main.unkin.net
|
||||
- radarr.service.consul
|
||||
- radarr.query.consul
|
||||
- "radarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
radarr:
|
||||
service_name: 'radarr'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'radarr'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'radarr_http_check'
|
||||
name: 'radarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: radarr
|
||||
disposition: write
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
readarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAlJ5RLp6pVTGQgtbzO5cQSrHBMg80S1ImFprHDeWC3GPN2KbheM80b1FKxvN+oVUJ8/kfiV6zstLOoYPUJQfmJNa/Xe95W/5+9hH2IS/oQ0yVdfLOjRq//qp+mVvSJ7JrtOyYSIrU3HjxaD+eXTPYp4UEJKfdSmGyDr7XuCOVIZe0Lu7OHczs8VKrowN99RJZ589HoMqrqCZWPlx14l/uNFjYdK/w6VcUWoo9y/5z1jtsNIObV8kSAYQQLwSr3tmjJdEE3au4sjeMOOJDpGcd5aJRWpKp12+8oHdVR5BV5326aCb13tkp6Td0jq/W9J2Jyv05vUdpP3PnVH9mHPDh6TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDA+2mMNGwfYM+mRoVTQiZMgDBanhVFmpYe42vZgMBKpNcNRjTnoCl27RpxD3KnjYwkE1zw/NeEOLoSZ1Try3GrlaA=]
|
||||
@@ -0,0 +1,52 @@
|
||||
---
|
||||
hiera_include:
|
||||
- readarr
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage readarr
|
||||
readarr::params::user: readarr
|
||||
readarr::params::group: media
|
||||
readarr::params::manage_group: false
|
||||
readarr::params::archive_version: 0.3.28
|
||||
readarr::params::port: 8000
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- readarr.main.unkin.net
|
||||
- readarr.service.consul
|
||||
- readarr.query.consul
|
||||
- "readarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'readarr.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- readarr.main.unkin.net
|
||||
- readarr.service.consul
|
||||
- readarr.query.consul
|
||||
- "readarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
readarr:
|
||||
service_name: 'readarr'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'readarr'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'readarr_http_check'
|
||||
name: 'Readarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: readarr
|
||||
disposition: write
|
||||
@@ -0,0 +1 @@
|
||||
sonarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANhwc0Vk0htkacwqGA/ZEVR7hpC1V2+nyP3lxyqkVNWERdcIsoMjlfwp2QNoLVirALY10Kon1wKXiRLT+QOqF9aTapS2Vb2YH3ZujR5yT6T1z4e0o4EA3IlNJZemVIziIqrK8+8zZzVafYdOYwMwpbc5EzoJPBtdqNHbDaQu4bRTCp2yMISTOzFjZpOoEJlRyC8YrffNU2xzA5mh5Cw+00MdIfPd8enrCnA4b1ddqP/IsfEYRt91ANQBULwKC5wenKdJAN5qKSKW6KU9TUM5YvGvUPgTvcYgXNf3/INL6G3/HwISTE5A7S6lqwYLyRTT1fMHtgDIqS936DPqCdAZtzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBZ4e3jAM0zvV43IrCzQOGIgDBwOWgm+wJG+jAU8r1awWDvzQXgF3h65nAKfoOuGEztsjeBEruU4EmZy6llLbfSSb8=]
|
||||
@@ -0,0 +1,52 @@
|
||||
---
|
||||
hiera_include:
|
||||
- sonarr
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
# manage sonarr
|
||||
sonarr::params::user: sonarr
|
||||
sonarr::params::group: media
|
||||
sonarr::params::manage_group: false
|
||||
sonarr::params::archive_version: 4.0.5
|
||||
sonarr::params::port: 8000
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- sonarr.main.unkin.net
|
||||
- sonarr.service.consul
|
||||
- sonarr.query.consul
|
||||
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'sonarr.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- sonarr.main.unkin.net
|
||||
- sonarr.service.consul
|
||||
- sonarr.query.consul
|
||||
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8000
|
||||
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
|
||||
# configure consul service
|
||||
nginx::client_max_body_size: 10M
|
||||
consul::services:
|
||||
sonarr:
|
||||
service_name: 'sonarr'
|
||||
tags:
|
||||
- 'media'
|
||||
- 'sonarr'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'sonarr_http_check'
|
||||
name: 'Sonarr HTTP Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: sonarr
|
||||
disposition: write
|
||||
@@ -0,0 +1,2 @@
|
||||
---
|
||||
profiles::openldap::params::rootpw: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAMPu8Asw6L7+k8SRXbPqw62B3ldiE5f2CaDSQbhrOc2u2ULdKvOVpWZnr5cKekl4L8un3zRCiNgY7IG008011jh7oXtTqEGJB2hD/ANHlRawoduft798rRKkDuFqET1rw+komuM7ACJsxXGPO9jB7HjycoJHr4+2yV4o3DlazR0+Ha8kPs8U4C/G/UEWQYOsrP964UZ2CgsHSdozgWj304fVJZ/fWqfOSgipKi2GjNK+TD7g9H12ouGaOjTeOsFBo33QWrikYi6MBFE42p3BLoaBX6Gk6KBzmkhYT7Hyvc/ASP65MpDbXffKp2kcqq++VIb7WhsRydaudRP9wyEJOjzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBVYwJ47CXR2LGgbZOOrd7cgDBCgqTmI4Y5G7x8ZNxEm9WzVY1E7SiKrSnKWF3ntekOhL8ABOk8Y0uODE2HYE+jkJw=]
|
||||
@@ -0,0 +1,22 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- ldap.main.unkin.net
|
||||
- ldap.service.consul
|
||||
- ldap.query.consul
|
||||
- "ldap.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
openldap::server::manage_epel: false
|
||||
profiles::openldap::params::data_path: '/data/ldap/main.unkin.net'
|
||||
profiles::openldap::params::database: 'dc=main,dc=unkin,dc=net'
|
||||
profiles::openldap::params::rootdn: "cn=admin,%{hiera('profiles::openldap::params::database')}"
|
||||
profiles::openldap::params::ldap_server:
|
||||
- rid: 1
|
||||
provider: ldap://ausyd1nxvm1044.main.unkin.net
|
||||
searchbase: "%{hiera('profiles::openldap::params::database')}"
|
||||
- rid: 2
|
||||
provider: ldap://ausyd1nxvm1045.main.unkin.net
|
||||
searchbase: "%{hiera('profiles::openldap::params::database')}"
|
||||
- rid: 3
|
||||
provider: ldap://ausyd1nxvm1046.main.unkin.net
|
||||
searchbase: "%{hiera('profiles::openldap::params::database')}"
|
||||
@@ -17,5 +17,5 @@ profiles::pki::vault::alt_names:
|
||||
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
|
||||
profiles::selinux::setenforce::mode: permissive
|
||||
|
||||
hiera_classes:
|
||||
hiera_include:
|
||||
- profiles::selinux::setenforce
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
---
|
||||
profiles::gitea::init::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
|
||||
profiles::gitea::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
|
||||
profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEACd6q4E/4l1EYD3SFjc1okibyJ13kcGGWU+ShbCgwLgkW7INkyCxhbNm69yPA7WcyuRhH/Lfz/XjJKd3BSCyRQPr5IUOIRINspx82tLBcaMzY/99GFrfyDnf3+SV/AxrPJ/zD5TGkKQP7uX6WjC9DXpHE+pFJa9wBAipmV439y0JDVt2gXFmhqBWThSjBDBfJ5X4zO5wY8CfBX4APOcD5hIQP/T4n04dQLNpigEKKy6B+GFuooTbdmMmFj3ZpT+cUS8Aw9mFkBwyyN1o+50XU3vW4eieUz8cYkzDPu574XfTunqD2jcvPiFjCla8G1SpKfHkruKnZWwgO0Ntw9td5QDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAIRVL5j4dzbYg6f2XjvkQ6gDAd2qUNzPn2flZgKwsjIZcYdmFMTn48hGPUFfVaMDeyzPoJi84CyRJl8cQvcAe52sw=]
|
||||
|
||||
@@ -6,6 +6,11 @@ profiles::pki::vault::alt_names:
|
||||
- git.query.consul
|
||||
- "git.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- git.main.unkin.net
|
||||
- git.service.consul
|
||||
- git.query.consul
|
||||
|
||||
consul::services:
|
||||
git:
|
||||
service_name: 'git'
|
||||
@@ -37,3 +42,43 @@ profiles::nginx::simpleproxy::nginx_aliases:
|
||||
profiles::nginx::simpleproxy::proxy_port: 3000
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 250M
|
||||
|
||||
profiles::gitea::init::root:
|
||||
APP_NAME: 'Gitea'
|
||||
RUN_USER: 'git'
|
||||
RUN_MODE: 'prod'
|
||||
profiles::gitea::init::repository:
|
||||
ROOT: '/data/gitea/repos'
|
||||
FORCE_PRIVATE: false
|
||||
MAX_CREATION_LIMIT: -1
|
||||
DISABLE_HTTP_GIT: false
|
||||
DEFAULT_BRANCH: 'main'
|
||||
DEFAULT_PRIVATE: 'last'
|
||||
profiles::gitea::init::ui:
|
||||
SHOW_USER_EMAIL: false
|
||||
profiles::gitea::init::server:
|
||||
PROTOCOL: 'http'
|
||||
DOMAIN: 'git.query.consul'
|
||||
ROOT_URL: 'https://git.query.consul'
|
||||
HTTP_ADDR: '0.0.0.0'
|
||||
HTTP_PORT: 3000
|
||||
START_SSH_SERVER: false
|
||||
SSH_DOMAIN: 'git.query.consul'
|
||||
SSH_PORT: 2222
|
||||
SSH_LISTEN_HOST: '0.0.0.0'
|
||||
OFFLINE_MODE: true
|
||||
APP_DATA_PATH: '/data/gitea'
|
||||
SSH_LISTEN_PORT: 22
|
||||
LFS_START_SERVER: true
|
||||
profiles::gitea::init::database:
|
||||
DB_TYPE: 'mysql'
|
||||
HOST: 'mariadb-prod.service.au-syd1.consul:3306'
|
||||
NAME: 'gitea'
|
||||
USER: 'gitea'
|
||||
PASSWD: "%{hiera('profiles::gitea::mysql_pass')}"
|
||||
SSL_MODE: 'disable'
|
||||
LOG_SQL: false
|
||||
profiles::gitea::init::lfs:
|
||||
PATH: '/data/gitea/lfs'
|
||||
profiles::gitea::init::session:
|
||||
PROVIDER: db
|
||||
|
||||
@@ -15,6 +15,7 @@ profiles::haproxy::server::globals:
|
||||
stats:
|
||||
- timeout 30s
|
||||
- socket /var/lib/haproxy/stats
|
||||
- socket /var/lib/haproxy/admin.sock mode 660 level admin
|
||||
ca-base: /etc/ssl/certs
|
||||
crt-base: /etc/ssl/private
|
||||
ssl-default-bind-ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
@@ -89,3 +90,6 @@ profiles::haproxy::backends:
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
|
||||
prometheus::haproxy_exporter::cnf_scrape_uri: unix:/var/lib/haproxy/stats
|
||||
prometheus::haproxy_exporter::export_scrape_job: true
|
||||
|
||||
@@ -0,0 +1,49 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
profiles::metrics::grafana::mysql_host: "mariadb-%{facts.environment}.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::metrics::grafana::mysql_port: 3306
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- grafana.main.unkin.net
|
||||
- grafana.service.consul
|
||||
- grafana.query.consul
|
||||
- "grafana.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- grafana.main.unkin.net
|
||||
- grafana.service.consul
|
||||
- grafana.query.consul
|
||||
|
||||
consul::services:
|
||||
grafana:
|
||||
service_name: 'grafana'
|
||||
tags:
|
||||
- 'grafana'
|
||||
- 'metrics'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'Grafana_https_check'
|
||||
name: 'Grafana HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: grafana
|
||||
disposition: write
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'grafana.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- grafana.main.unkin.net
|
||||
- grafana.service.consul
|
||||
- grafana.query.consul
|
||||
- "grafana.service.%{facts.country}-%{facts.region}.consul"
|
||||
profiles::nginx::simpleproxy::proxy_port: 8080
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
@@ -8,4 +8,5 @@ profiles::metrics::server::scrape_jobs:
|
||||
- bind
|
||||
- puppetdb
|
||||
- systemd
|
||||
- haproxy
|
||||
profiles::metrics::server::localstorage: /data/prometheus
|
||||
|
||||
@@ -12,3 +12,24 @@ profiles::ntp::server::peers:
|
||||
- '1.au.pool.ntp.org'
|
||||
- '2.au.pool.ntp.org'
|
||||
- '3.au.pool.ntp.org'
|
||||
|
||||
consul::services:
|
||||
ntp:
|
||||
service_name: 'ntp'
|
||||
tags:
|
||||
- 'ntp'
|
||||
- 'time'
|
||||
- 'sync'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 123
|
||||
checks:
|
||||
- id: ntp_check
|
||||
name: "NTP Service Check"
|
||||
args:
|
||||
- '/usr/local/bin/check_ntp.sh'
|
||||
interval: '15s'
|
||||
timeout: '5s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: ntp
|
||||
disposition: write
|
||||
|
||||
@@ -5,3 +5,31 @@ sudo::configs:
|
||||
content: |
|
||||
ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
|
||||
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
|
||||
|
||||
hiera_exclude:
|
||||
- networking
|
||||
|
||||
# proxmox tools use root to authenticate against each other
|
||||
ssh::server::options:
|
||||
PermitRootLogin: yes
|
||||
AcceptEnv:
|
||||
- LANG LC_*
|
||||
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
- LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
- XMODIFIERS
|
||||
ListenAddress:
|
||||
- "%{facts.networking.interfaces.vmbr1.ip}"
|
||||
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: ceph-mon
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: ceph-mds
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: ceph-mgr
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: ceph-osd
|
||||
disposition: write
|
||||
|
||||
@@ -37,6 +37,14 @@ profiles::helpers::certmanager::vault_config:
|
||||
output_path: '/tmp/certmanager'
|
||||
role_id: "%{lookup('certmanager::role_id')}"
|
||||
|
||||
profiles::helpers::sshsignhost::vault_config:
|
||||
addr: 'https://vault.service.consul:8200'
|
||||
mount_point: 'ssh-host-signer'
|
||||
approle_path: 'approle'
|
||||
role_name: 'hostrole'
|
||||
output_path: '/tmp/sshsignhost'
|
||||
role_id: "%{lookup('sshsignhost::role_id')}"
|
||||
|
||||
profiles::puppet::server::agent_server: 'puppet.query.consul'
|
||||
profiles::puppet::server::report_server: 'puppet.query.consul'
|
||||
profiles::puppet::server::ca_server: 'puppetca.query.consul'
|
||||
@@ -50,6 +58,10 @@ profiles::puppet::server::dns_alt_names:
|
||||
- puppetmaster
|
||||
- puppet
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- puppet.service.consul
|
||||
- puppet.query.consul
|
||||
|
||||
consul::services:
|
||||
puppet:
|
||||
service_name: 'puppet'
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAes6pfgtxctlXpsD+P5bahGP46nbXdPE3EiwdWPSiFP0MKfzFKbhlfOMydhz09fXHEa5mpOY3YHxN9W0tNmbs6mMvHIKKvNog6yowv7JnsQ+D89+c3JEdbi+DPwk6wVnKQEgnSn5uzoOHJVOd7hhtX85n1VTw9iTtSPGZprh11A3VII8dkUaPu6jc35rDGV6tgPvxaYy2vVH/b7wGP+kEe9WjoYU7Qw3odrY2yloGbQ3zXGh7ZXvK9iswKIuCLAMPoaUyJpzVooV7VqD4k/zEHhRgf88RMtww//9P8OHPJ9JPM2q3zHyZzoqRfOP723AP9z2V7OyhEoUNw5npaA6TpzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJevTZmH+Qm1mxwNxHdOzHgCAelk9abLhQkUO29O5d2PP04OTTlmK51BxHb203jqZSFQ==]
|
||||
@@ -2,3 +2,38 @@
|
||||
postgresql_config_entries:
|
||||
max_connections: 300
|
||||
shared_buffers: '256MB'
|
||||
|
||||
consul::services:
|
||||
puppetdbsql:
|
||||
service_name: 'puppetdbsql'
|
||||
tags:
|
||||
- 'puppet'
|
||||
- 'puppetdb'
|
||||
- 'database'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 5432
|
||||
checks:
|
||||
- id: 'psql-check'
|
||||
name: 'PostgreSQL Health Check'
|
||||
args:
|
||||
- '/usr/local/bin/check_consul_postgresql'
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: puppetdbsql
|
||||
disposition: write
|
||||
|
||||
profiles::yum::global::repos:
|
||||
postgresql-15:
|
||||
name: postgresql-15
|
||||
descr: postgresql-15 repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
postgresql-common:
|
||||
name: postgresql-common
|
||||
descr: postgresql-common repository
|
||||
target: /etc/yum.repos.d/postgresql.repo
|
||||
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
|
||||
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
|
||||
|
||||
@@ -77,3 +77,15 @@ profiles::consul::prepared_query::rules:
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
ntp:
|
||||
ensure: 'present'
|
||||
service_name: 'ntp'
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
grafana:
|
||||
ensure: 'present'
|
||||
service_name: 'grafana'
|
||||
service_failover_n: 3
|
||||
service_only_passing: true
|
||||
ttl: 10
|
||||
|
||||
@@ -42,6 +42,9 @@ profiles::edgecache::params::directories:
|
||||
/data/edgecache/pub/postgres: { owner: nginx, group: nginx }
|
||||
/data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx }
|
||||
/data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx }
|
||||
/data/edgecache/pub/ceph: { owner: nginx, group: nginx }
|
||||
/data/edgecache/pub/ceph/apt: { owner: nginx, group: nginx }
|
||||
/data/edgecache/pub/ceph/yum: { owner: nginx, group: nginx }
|
||||
|
||||
profiles::edgecache::params::mirrors:
|
||||
debian:
|
||||
@@ -118,3 +121,29 @@ profiles::edgecache::params::mirrors:
|
||||
proxy_cache_valid:
|
||||
- '200 302 1440h'
|
||||
- '404 1m'
|
||||
ceph_yum_repodata:
|
||||
ensure: present
|
||||
location: '~* ^/ceph/yum/.*/repodata/'
|
||||
rewrite_rules:
|
||||
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
|
||||
proxy: http://158.69.68.124
|
||||
ceph_yum_data:
|
||||
ensure: present
|
||||
location: /ceph/yum
|
||||
proxy: http://158.69.68.124/rpm-reef
|
||||
proxy_cache: cache
|
||||
proxy_cache_valid:
|
||||
- '200 302 1440h'
|
||||
- '404 1m'
|
||||
ceph_apt:
|
||||
ensure: present
|
||||
location: /ceph/apt
|
||||
proxy: http://158.69.68.124/debian-reef
|
||||
ceph_apt_pool:
|
||||
ensure: present
|
||||
location: /ceph/apt/pool
|
||||
proxy: http://158.69.68.124/debian-reef/pool
|
||||
proxy_cache: cache
|
||||
proxy_cache_valid:
|
||||
- '200 302 1440h'
|
||||
- '404 1m'
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
require 'facter'
|
||||
|
||||
Facter.add('is_pveceph_mds') do
|
||||
confine enc_role: 'roles::infra::proxmox::node'
|
||||
setcode do
|
||||
system('pgrep -x ceph-mds > /dev/null 2>&1')
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,10 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
require 'facter'
|
||||
|
||||
Facter.add('is_pveceph_osd') do
|
||||
confine enc_role: 'roles::infra::proxmox::node'
|
||||
setcode do
|
||||
system('pgrep -x ceph-osd > /dev/null 2>&1')
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,10 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
# lib/facter/sshd_host_cert_exists.rb
|
||||
require 'puppet'
|
||||
|
||||
Facter.add('sshd_host_cert_exists') do
|
||||
setcode do
|
||||
File.exist?('/etc/ssh/ssh_host_rsa_key-cert.pem')
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,15 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
# lib/facter/sshd_host_principals.rb
|
||||
require 'puppet'
|
||||
|
||||
Facter.add('sshd_host_principals') do
|
||||
setcode do
|
||||
principals_file = '/etc/ssh/host_principals'
|
||||
if File.exist?(principals_file)
|
||||
File.read(principals_file).split("\n")
|
||||
else
|
||||
[]
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,27 @@
|
||||
class lidarr::config (
|
||||
$user = $lidarr::params::user,
|
||||
$group = $lidarr::params::group,
|
||||
$base_path = $lidarr::params::base_path,
|
||||
$bind_address = $lidarr::bind_address,
|
||||
$port = $lidarr::port,
|
||||
$ssl_port = $lidarr::ssl_port,
|
||||
$enable_ssl = $lidarr::enable_ssl,
|
||||
$launch_browser = $lidarr::launch_browser,
|
||||
$api_key = $lidarr::api_key,
|
||||
$authentication_method = $lidarr::authentication_method,
|
||||
$authentication_required = $lidarr::authentication_required,
|
||||
$branch = $lidarr::branch,
|
||||
$log_level = $lidarr::log_level,
|
||||
$ssl_cert_path = $lidarr::ssl_cert_path,
|
||||
$ssl_cert_password = $lidarr::ssl_cert_password,
|
||||
$url_base = $lidarr::url_base,
|
||||
$instance_name = $lidarr::instance_name,
|
||||
) {
|
||||
file { "${base_path}/config.xml":
|
||||
ensure => file,
|
||||
content => template('lidarr/lidarr_config.xml.erb'),
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => '0644',
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,37 @@
|
||||
# manage lidarr
|
||||
class lidarr (
|
||||
$packages = $lidarr::params::packages,
|
||||
$user = $lidarr::params::user,
|
||||
$group = $lidarr::params::group,
|
||||
$manage_group = $lidarr::params::manage_group,
|
||||
$base_path = $lidarr::params::base_path,
|
||||
$install_path = $lidarr::params::install_path,
|
||||
$config_folder = $lidarr::params::config_folder,
|
||||
$app_folder = $lidarr::params::app_folder,
|
||||
$archive_name = $lidarr::params::archive_name,
|
||||
$archive_url = $lidarr::params::archive_url,
|
||||
$executable = $lidarr::params::executable,
|
||||
$service_enable = $lidarr::params::service_enable,
|
||||
$service_name = $lidarr::params::service_name,
|
||||
$bind_address = $lidarr::params::bind_address,
|
||||
$port = $lidarr::params::port,
|
||||
$ssl_port = $lidarr::params::ssl_port,
|
||||
$enable_ssl = $lidarr::params::enable_ssl,
|
||||
$launch_browser = $lidarr::params::launch_browser,
|
||||
$api_key = $lidarr::params::api_key,
|
||||
$authentication_method = $lidarr::params::authentication_method,
|
||||
$authentication_required = $lidarr::params::authentication_required,
|
||||
$branch = $lidarr::params::branch,
|
||||
$log_level = $lidarr::params::log_level,
|
||||
$ssl_cert_path = $lidarr::params::ssl_cert_path,
|
||||
$ssl_cert_password = $lidarr::params::ssl_cert_password,
|
||||
$url_base = $lidarr::params::url_base,
|
||||
$instance_name = $lidarr::params::instance_name,
|
||||
) inherits lidarr::params {
|
||||
|
||||
include lidarr::install
|
||||
include lidarr::config
|
||||
include lidarr::service
|
||||
|
||||
Class['lidarr::install'] -> Class['lidarr::config'] -> Class['lidarr::service']
|
||||
}
|
||||
@@ -0,0 +1,61 @@
|
||||
# instsall lidarr
|
||||
class lidarr::install (
|
||||
$packages = $lidarr::packages,
|
||||
$user = $lidarr::user,
|
||||
$group = $lidarr::group,
|
||||
$manage_group = $lidarr::manage_group,
|
||||
$base_path = $lidarr::base_path,
|
||||
$install_path = $lidarr::install_path,
|
||||
$config_folder = $lidarr::config_folder,
|
||||
$app_folder = $lidarr::app_folder,
|
||||
$archive_name = $lidarr::archive_name,
|
||||
$archive_url = $lidarr::archive_url,
|
||||
$executable = $lidarr::executable,
|
||||
) {
|
||||
|
||||
$_packages = $packages ? {
|
||||
Array => true,
|
||||
default => false,
|
||||
}
|
||||
|
||||
if $_packages {
|
||||
ensure_packages($packages, {ensure => 'installed'})
|
||||
}
|
||||
|
||||
if $manage_group {
|
||||
group { $group:
|
||||
ensure => present,
|
||||
}
|
||||
}
|
||||
|
||||
user { $user:
|
||||
ensure => present,
|
||||
shell => '/sbin/nologin',
|
||||
groups => $group,
|
||||
managehome => true,
|
||||
}
|
||||
|
||||
file { [ $base_path, $install_path, $config_folder, $app_folder ]:
|
||||
ensure => directory,
|
||||
owner => $user,
|
||||
group => $group,
|
||||
}
|
||||
|
||||
archive { $archive_name:
|
||||
path => "/tmp/${archive_name}",
|
||||
source => "${archive_url}${archive_name}",
|
||||
extract => true,
|
||||
extract_path => $install_path,
|
||||
creates => "${install_path}/${executable}",
|
||||
cleanup => true,
|
||||
require => File[$install_path],
|
||||
user => $user,
|
||||
group => $group,
|
||||
notify => Exec['move_lidarr_files'],
|
||||
}
|
||||
|
||||
exec { 'move_lidarr_files':
|
||||
command => "/usr/bin/mv ${install_path}/Lidarr/* ${install_path}",
|
||||
creates => "${install_path}/${executable}",
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,50 @@
|
||||
# lidarr params
|
||||
class lidarr::params (
|
||||
Array[String] $packages = [
|
||||
'mediainfo',
|
||||
'libzen',
|
||||
'libmediainfo',
|
||||
'gettext',
|
||||
'sqlite.x86_64',
|
||||
'par2cmdline',
|
||||
'python3-feedparser',
|
||||
'python3-configobj',
|
||||
'python3-cheetah',
|
||||
'python3-dbus',
|
||||
'libxslt-devel',
|
||||
'libchromaprint',
|
||||
],
|
||||
String $user = 'lidarr',
|
||||
String $group = 'lidarr',
|
||||
Boolean $manage_group = true,
|
||||
Stdlib::Absolutepath $base_path = '/opt/lidarr',
|
||||
Stdlib::Absolutepath $install_path = '/opt/lidarr/bin',
|
||||
Stdlib::Absolutepath $config_folder = '/home/lidarr/.config',
|
||||
Stdlib::Absolutepath $app_folder = '/home/lidarr/.config/Lidarr',
|
||||
String $archive_version = '2.3.3',
|
||||
String $archive_name = 'Lidarr.master.linux-core-x64.tar.gz',
|
||||
Stdlib::HTTPUrl $archive_url = "https://git.query.consul/api/packages/unkinben/generic/lidarr/${archive_version}/",
|
||||
String $executable = 'Lidarr/Lidarr',
|
||||
String $service_name = 'lidarr',
|
||||
Boolean $service_enable = true,
|
||||
|
||||
# params for the configuration file
|
||||
Stdlib::Host $bind_address = '127.0.0.1',
|
||||
Stdlib::Port $port = 8686,
|
||||
Stdlib::Port $ssl_port = 9696,
|
||||
Boolean $enable_ssl = false,
|
||||
Boolean $launch_browser = true,
|
||||
String $api_key = '32-digit-random-string-goes-here',
|
||||
Enum[
|
||||
'Forms',
|
||||
'Basic',
|
||||
'External'
|
||||
] $authentication_method = 'External',
|
||||
Enum['Enabled', 'Disabled'] $authentication_required = 'Enabled',
|
||||
String $branch = 'main',
|
||||
Enum['debug', 'info', 'warn', 'error', 'fatal'] $log_level = 'info',
|
||||
Optional[String] $ssl_cert_path = undef,
|
||||
Optional[String] $ssl_cert_password = undef,
|
||||
Optional[String] $url_base = undef,
|
||||
String $instance_name = 'lidarr',
|
||||
) { }
|
||||
@@ -0,0 +1,21 @@
|
||||
# manage lidarr service
|
||||
class lidarr::service (
|
||||
$service_enable = $lidarr::service_enable,
|
||||
$service_name = $lidarr::service_name,
|
||||
$user = $lidarr::user,
|
||||
$group = $lidarr::user,
|
||||
$install_path = $lidarr::install_path,
|
||||
$executable = $lidarr::executable,
|
||||
$base_path = $lidarr::base_path,
|
||||
) {
|
||||
if $service_enable {
|
||||
include ::systemd
|
||||
|
||||
systemd::unit_file { "${service_name}.service":
|
||||
content => template('lidarr/lidarr.service.erb'),
|
||||
enable => true,
|
||||
active => true,
|
||||
subscribe => File["${base_path}/config.xml"],
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=<%= @service_name %> Daemon
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
User=<%= @user %>
|
||||
Group=<%= @group %>
|
||||
Type=simple
|
||||
ExecStart=<%= @install_path %>/<%= @executable %> -nobrowser -data=<%= @base_path %>
|
||||
KillMode=process
|
||||
Restart=on-failure
|
||||
TimeoutStopSec=20
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user