171 Commits

unkinben 2924b7ad6f feat: manage openldap
- add modules, overlays, acccess rules, schemas
- manage syncrepl
- manage selinux
2024-06-30 20:14:28 +10:00
unkinben e6f243ef60 feat: add openldap role
- add basic openldap role
- manage certificates for openldap
2024-06-30 13:06:44 +10:00
unkinben 856a3901ac feat: add modules for openldap
- include dependencies for the puppet-openldap module
2024-06-30 12:57:33 +10:00
unkinben bc35270731 Merge pull request 'Adding hieradata/node/ausyd1nxvm1047.main.unkin.net.yaml' (#85) from autonode/ausyd1nxvm1047.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/85
2024-06-29 16:30:17 +10:00
unkinben c1a6191cab Adding hieradata/node/ausyd1nxvm1047.main.unkin.net.yaml 2024-06-29 14:41:25 +10:00
unkinben 0d4652cfdf Merge pull request 'Adding hieradata/node/ausyd1nxvm1046.main.unkin.net.yaml' (#84) from autonode/ausyd1nxvm1046.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/84
2024-06-29 01:57:05 +10:00
unkinben 9b9f64ca95 Merge pull request 'feat: haproxy for *arr stack' (#83) from neoloc/haproxy_backends into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/83
2024-06-29 01:56:52 +10:00
unkinben d7f0c9073f Adding hieradata/node/ausyd1nxvm1046.main.unkin.net.yaml 2024-06-29 01:23:09 +10:00
unkinben e74dc624c3 Merge pull request 'Adding hieradata/node/ausyd1nxvm1045.main.unkin.net.yaml' (#82) from autonode/ausyd1nxvm1045.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/82
2024-06-29 01:16:58 +10:00
unkinben 7bd12c9880 Adding hieradata/node/ausyd1nxvm1045.main.unkin.net.yaml 2024-06-29 01:13:45 +10:00
unkinben aa8ded5850 Merge pull request 'Adding hieradata/node/ausyd1nxvm1045.main.unkin.net.yaml' (#81) from autonode/ausyd1nxvm1045.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/81
2024-06-29 01:13:24 +10:00
unkinben 1d1c5621c0 Merge pull request 'Adding hieradata/node/ausyd1nxvm1044.main.unkin.net.yaml' (#80) from autonode/ausyd1nxvm1044.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/80
2024-06-29 01:13:01 +10:00
unkinben 0e11c03e9d Adding hieradata/node/ausyd1nxvm1045.main.unkin.net.yaml 2024-06-29 01:09:56 +10:00
unkinben 7520fdddbd Adding hieradata/node/ausyd1nxvm1044.main.unkin.net.yaml 2024-06-29 01:03:43 +10:00
unkinben d07751a151 feat: haproxy for *arr stack
- add additional backends
- set *arr's to export as a backend
- add *arr.main.unkin.net certificates
2024-06-28 22:46:50 +10:00
unkinben 9be3656d15 Merge pull request 'feat: deploy additional *arr stack apps' (#79) from neoloc/arr_stack into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/79
2024-06-27 23:57:23 +10:00
unkinben 9b8556f487 feat: deploy additional *arr stack apps
- cleanup hieradata entries for roles to remove some defaults
- add profiles::media::* classes to manage *arr stacks
2024-06-27 23:42:33 +10:00
unkinben 5acc683374 Merge pull request 'neoloc/arr_params' (#78) from neoloc/arr_params into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/78
2024-06-27 23:22:22 +10:00
unkinben 8a1d62cd41 chore: change media group to 20000
- found 10001 and similar were already taken
2024-06-27 23:20:51 +10:00
unkinben b6a77afc7b chore: change all *arr's to use port 8000 locally 2024-06-27 23:19:45 +10:00
unkinben 2b1ea45e4e feat: add manage_group param to *arr stack
- change hieradata/role/apps/media/* to use correct namespaces
- add manage_group boolean to all *arr stack modules
2024-06-27 23:15:08 +10:00
unkinben 19caafbc43 Merge pull request 'chore: change media group to 20000' (#77) from neoloc/groups_20k into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/77
2024-06-27 22:27:37 +10:00
unkinben a4e78f645a chore: change media group to 20000
- found 10001 and similar were already taken
2024-06-27 22:26:46 +10:00
unkinben f6aa2fac62 Merge pull request 'Adding hieradata/node/ausyd1nxvm1043.main.unkin.net.yaml' (#76) from autonode/ausyd1nxvm1043.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/76
2024-06-27 22:23:20 +10:00
unkinben 2147cc434d Adding hieradata/node/ausyd1nxvm1043.main.unkin.net.yaml 2024-06-27 22:22:39 +10:00
unkinben f63e6a953c Merge pull request 'chore: add ens19 to ausyd1nxvm1041' (#75) from neoloc/ausyd1nxvm1041 into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/75
2024-06-27 22:18:14 +10:00
unkinben 38819ba2ab chore: add ens19 to ausyd1nxvm1041 2024-06-27 22:17:50 +10:00
unkinben 72c6fdb249 Merge pull request 'Adding hieradata/node/ausyd1nxvm1042.main.unkin.net.yaml' (#74) from autonode/ausyd1nxvm1042.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/74
2024-06-27 22:16:35 +10:00
unkinben dc70687860 Adding hieradata/node/ausyd1nxvm1042.main.unkin.net.yaml 2024-06-27 22:15:55 +10:00
unkinben 17dbbd8d0c Merge pull request 'Revert "chore: cleanup yum repos"' (#73) from neoloc/revert_firstrun_cleanup into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/73
2024-06-27 22:12:15 +10:00
unkinben 7efd6edea9 Revert "chore: cleanup yum repos"
This reverts commit febd98d316.
2024-06-27 22:11:46 +10:00
unkinben 95e387d3ad Merge pull request 'chore: cleanup yum repos' (#72) from neoloc/firtsun_improvements into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/72
2024-06-27 22:00:21 +10:00
unkinben febd98d316 chore: cleanup yum repos
- cleanup yum repos on first run
2024-06-27 21:59:27 +10:00
unkinben 5aac7752cd Merge pull request 'feat: add media user to all media roles' (#71) from neoloc/media_management into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/71
2024-06-27 21:49:21 +10:00
unkinben dcccc85264 feat: add media user to all media roles
- change *arrs to use media as the group
2024-06-27 21:48:47 +10:00
unkinben 14c98ea659 Merge pull request 'neoloc/doc_updates' (#70) from neoloc/doc_updates into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/70
2024-06-27 21:38:38 +10:00
unkinben 5f5a9f5f65 Merge pull request 'feat: add prowlarr module' (#69) from neoloc/prowlarr into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/69
2024-06-27 21:34:30 +10:00
unkinben 3c63d8e797 Merge pull request 'feat: add readarr module' (#68) from neoloc/readarr into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/68
2024-06-27 21:34:17 +10:00
unkinben ab617a9de1 Merge pull request 'feat: add lidarr module' (#67) from neoloc/lidarr into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/67
2024-06-27 21:33:59 +10:00
unkinben bc27902fd2 Merge pull request 'chore: change to use sonarr::params' (#66) from neoloc/sonar_params into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/66
2024-06-27 21:33:34 +10:00
unkinben f2046efebe feat: add prowlarr module
- add media::prowlarr role
2024-06-27 21:32:13 +10:00
unkinben 0b7f07692c feat: add readarr module
- add media::readarr role
2024-06-27 21:21:18 +10:00
unkinben bbf9944ef5 feat: add lidarr module 2024-06-27 21:14:27 +10:00
unkinben 89383268f0 chore: change to use sonarr::params
- use sonarr::params class as it contains typing on params
2024-06-27 20:39:25 +10:00
unkinben bccdb99ef4 Merge pull request 'Adding hieradata/node/ausyd1nxvm1041.main.unkin.net.yaml' (#65) from autonode/ausyd1nxvm1041.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/65
2024-06-27 18:30:11 +10:00
unkinben aa63970dc1 Adding hieradata/node/ausyd1nxvm1041.main.unkin.net.yaml 2024-06-27 18:22:43 +10:00
unkinben bafb524fd2 Merge pull request 'neoloc/radarr' (#64) from neoloc/radarr into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/64
2024-06-26 23:07:34 +10:00
unkinben 40ff5f7d92 feat: deploy radarr
- manage ens19 nic on ausyd1nxvm1040
- manage cephfs storage
2024-06-26 22:57:36 +10:00
unkinben 17c16bfc33 feat: add radarr module 2024-06-26 22:57:27 +10:00
unkinben 6993ff0036 Merge pull request 'chore: duplicate resource' (#63) from neoloc/firstrun_motd_cache into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/63
2024-06-26 22:43:15 +10:00
unkinben 679a4203a9 chore: duplicate resource 2024-06-26 22:42:17 +10:00
unkinben 93125d9d71 Merge pull request 'chore: add facts/motd to firstrun' (#62) from neoloc/firstrun_motd into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/62
2024-06-26 22:37:48 +10:00
unkinben b90c6468b3 chore: add facts/motd to firstrun 2024-06-26 22:37:17 +10:00
unkinben 027140fb7a Merge pull request 'fix: sonar config empty line' (#61) from neoloc/sonarr_config into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/61
2024-06-26 00:00:21 +10:00
unkinben 44bd2d3d89 fix: sonar config empty line 2024-06-25 23:59:28 +10:00
unkinben 56df5695dc Merge pull request 'feat: manage sonarr configuration' (#60) from neoloc/sonarr_config into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/60
2024-06-25 23:47:36 +10:00
unkinben f22556b39f feat: manage sonarr configuration
- add config class to sonarr module
- update params to include unique group param
2024-06-25 23:45:29 +10:00
unkinben f0086944f9 Merge pull request 'Adding hieradata/node/ausyd1nxvm1040.main.unkin.net.yaml' (#59) from autonode/ausyd1nxvm1040.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/59
2024-06-25 22:42:21 +10:00
unkinben b846a49127 Adding hieradata/node/ausyd1nxvm1040.main.unkin.net.yaml 2024-06-25 22:40:57 +10:00
unkinben 34e696e8c3 Merge pull request 'chore: dont remove ens18 from ausyd1nxvm1021' (#57) from neoloc/ausyd1nxvm1021 into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/57
2024-06-23 17:54:21 +10:00
unkinben a12fac20ab chore: dont remove ens18 from ausyd1nxvm1021 2024-06-23 17:53:49 +10:00
unkinben 7af6130598 Merge pull request 'chore: fix ausyd1nxvm1021' (#56) from neoloc/ausyd1nxvm1021 into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/56
2024-06-23 17:50:42 +10:00
unkinben 4857b72ce3 chore: fix ausyd1nxvm1021
- change default interface from eth0 to ens18
2024-06-23 17:49:34 +10:00
unkinben 3ace70bcea Merge pull request 'neoloc/ausyd1nxvm1017' (#55) from neoloc/ausyd1nxvm1017 into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/55
2024-06-23 17:37:46 +10:00
unkinben 6839fb8c5f feat: networking defaults
- add interface/route defaults
- merge defaults into each interface/route
2024-06-23 17:34:23 +10:00
unkinben 3b907159f1 chore: change eth0 to ens18 2024-06-23 16:47:46 +10:00
unkinben d5262b0ef5 doc: update cephfs 2024-06-23 15:52:54 +10:00
unkinben 53dfa0ca75 doc: rename documents to README.md 2024-06-23 15:47:57 +10:00
unkinben 396e64de1d doc: add cephfs base documentation 2024-06-23 15:47:20 +10:00
unkinben 803a0ac01d Merge pull request 'neoloc/cephfs' (#54) from neoloc/cephfs into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/54
2024-06-23 15:34:04 +10:00
unkinben 736f04143f chore: manage ens19 interface on ausyd1nxvm1037
- add storage interface
2024-06-23 15:33:40 +10:00
unkinben 82ed27cf56 feat: add sonarr profile
- add cephfs secret for mounting mediafs
- add ceph-reef repo for apps::media roles
- add the shared cephfs mediafs mount
2024-06-23 15:33:40 +10:00
unkinben 5631f07e6e feat: add cephfs shared volume define
- add ceph class to manage ceph client configuration/packages
- add cephfs define for mounting volumes
- add ceph keyring define to manage secrets used to mount cephfs
2024-06-23 15:33:33 +10:00
unkinben 8eca497ea2 feat: add mkdir module
- add module to manage mkdir -p in puppet module
2024-06-23 14:59:48 +10:00
unkinben 9b2ca85f59 Merge pull request 'feat: swap networkmanager for network service' (#53) from neoloc/disable_networkmanager into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/53
2024-06-23 14:26:51 +10:00
unkinben 548076728a feat: swap networkmanager for network service 2024-06-22 16:31:03 +10:00
unkinben 570df81bd9 Merge pull request 'fix: unar package not available on debian' (#51) from neoloc/unar_debian into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/51
2024-06-22 00:48:16 +10:00
unkinben 2d3f4414b7 fix: unar package not available on debian 2024-06-22 00:47:36 +10:00
unkinben 3991b6408b Merge pull request 'fix: proxmox ceph services use different network' (#50) from neoloc/ceph_consul_fix_ip into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/50
2024-06-22 00:46:28 +10:00
unkinben f5a9eaef4a fix: proxmox ceph services use different network
- set the consul services for ceph mon, mds, mgr and osd to report the ceph
  cluster interface
2024-06-22 00:45:17 +10:00
unkinben 4a95fbbd31 Merge pull request 'chore: include profiles::defaults in all roles' (#49) from neoloc/default_profile into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/49
2024-06-21 22:58:30 +10:00
unkinben 4db9faa551 chore: include profiles::defaults in all roles 2024-06-21 22:57:47 +10:00
unkinben 8548ef0284 Merge pull request 'neoloc/sonarr_deploy' (#48) from neoloc/sonarr_deploy into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/48
2024-06-21 22:53:06 +10:00
unkinben 681f9e3eb8 feat: deploy sonarr
- add required hieradata/role data to deploy sonarr
- add nginx simpleproxy
- add consul service/query
- add vault certificates
2024-06-21 22:51:40 +10:00
unkinben a431c50980 Merge pull request 'chore: add media management roles' (#44) from neoloc/media_roles into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/44
2024-06-21 20:50:04 +10:00
unkinben d98b12bf81 chore: add media management roles
- add radarr, lidarr, nzbget
2024-06-21 20:49:28 +10:00
unkinben 59b181ed54 Merge pull request 'feat: add ceph mirror to edgecache' (#43) from neoloc/ceph_mirror into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/43
2024-06-21 20:44:08 +10:00
unkinben 36ad19ffed feat: add ceph mirror to edgecache
- add ceph reef apt and rpm repository to edgecache
- add the centos storage sig gpg
2024-06-21 20:38:54 +10:00
unkinben 1995ce9eac Merge pull request 'fix: ceph consul check script' (#42) from neoloc/ceph_consul into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/42
2024-06-19 22:39:03 +10:00
unkinben a3ef535bfc fix: ceph consul check script
- add permissions to write ceph-* services to consul
- change from `script` to `args` array
2024-06-19 22:36:04 +10:00
unkinben feddc4a3fb Merge pull request 'fix: update check script to use pgrep' (#41) from neoloc/ceph_facts into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/41
2024-06-18 21:34:05 +10:00
unkinben eb462eb3a3 fix: update check script to use pgrep 2024-06-18 21:33:38 +10:00
unkinben 449c6b082e Merge pull request 'feat: add pveceph consul services' (#40) from neoloc/ceph_facts into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/40
2024-06-18 21:33:04 +10:00
unkinben 94aed2df9c feat: add pveceph consul services
- refactor the pveceph facts
- define consul services for osd, mgr, mds and mons
2024-06-18 21:14:57 +10:00
unkinben 0ff9b86782 Merge pull request 'chore: change ssh to listen to vmbr1' (#39) from neoloc/proxmox_ips into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/39
2024-06-17 21:55:18 +10:00
unkinben 7d70b99491 chore: change ssh to listen to vmbr1
- changed enp3s0 from static interface to bridge member
- added bridge vmbr1, with enp3s0 as member
2024-06-17 21:54:26 +10:00
unkinben c6530e34f6 Merge pull request 'feat: add haproxy exporter' (#38) from neoloc/haproxy_exporter into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/38
2024-06-17 21:36:31 +10:00
unkinben 5725d092b8 feat: add haproxy exporter
- add admin socket for exporter
2024-06-16 20:56:23 +10:00
unkinben 09f50c9940 Merge pull request 'neoloc/grafana' (#37) from neoloc/grafana into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/37
2024-06-16 18:51:07 +10:00
unkinben 62cac63f11 feat: add database generation to grafana
- ensure a database, user and credential is created for each grafana node
- ensure all databases for a region are included in a mariadb cluster
- refine params with stdlib types
2024-06-16 18:49:59 +10:00
unkinben 0fe05bb896 Merge branch 'develop' into neoloc/grafana 2024-06-16 00:39:45 +10:00
unkinben dd82d63b41 Merge pull request 'feat: puppetserver dropins' (#36) from neoloc/puppetmaster_restart_fixes into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/36
2024-06-16 00:15:43 +10:00
unkinben a901a0b868 feat: puppetserver dropins
- change ExecStartPost for crl.pem to two commands
- run `puppet generate types` after starting puppet
2024-06-16 00:11:56 +10:00
unkinben 1e316dc814 Merge pull request 'feat: manage latest crl for puppet' (#35) from neoloc/puppetmaster_restart_fixes into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/35
2024-06-15 23:36:20 +10:00
unkinben 58acd83410 feat: manage latest crl for puppet
- ensure the latest crl.pem exists on each no-ca puppetserver
- ensure the latest crl.pem is used after each start of puppetserver
2024-06-15 23:32:50 +10:00
unkinben cc0a9e132e Merge pull request 'fix: yumrepo purging' (#34) from neoloc/yumresources into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/34
2024-06-14 23:57:54 +10:00
unkinben 67f831edaf fix: yumrepo purging 2024-06-14 23:55:31 +10:00
unkinben c9abc779a0 Merge pull request 'fix: yumrepo purge after deploy' (#33) from neoloc/yumresources into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/33
2024-06-14 23:32:41 +10:00
unkinben 380bb7bcb5 fix: yumrepo purge after deploy
- ensure the resources resource for yumrepo runs after deploying yumrepo resources
- rm all almalinux*.repo files before attempting to create yumrepo
  resources
2024-06-14 23:21:14 +10:00
unkinben 1b5e6120e7 Merge pull request 'feat: ensure tftpd started on cobbler' (#32) from neoloc/tftpservice into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/32
2024-06-14 23:13:21 +10:00
unkinben 82ce3ed4d7 feat: ensure tftpd started on cobbler 2024-06-14 23:11:49 +10:00
unkinben 3adc343f68 Merge pull request 'chore: add ssh principals' (#31) from neoloc/puppetca_ssh_principal into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/31
2024-06-11 20:31:30 +10:00
unkinben ca558d493b Merge pull request 'chore: cleanup old enc class' (#30) from neoloc/cleanup_enc into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/30
2024-06-11 20:31:08 +10:00
unkinben cbbcfa3b9e chore: cleanup old enc class 2024-06-11 20:29:21 +10:00
unkinben 6b0e0daecb chore: add ssh principals
- add ssh principals for consul service addresses
2024-06-11 20:20:12 +10:00
unkinben 846e2b71f8 Merge pull request 'fix: add cluster ip to sshd ListenAddress' (#29) from neoloc/proxmox_ssh_ip into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/29
2024-06-11 20:06:35 +10:00
unkinben 6f7740e6a2 fix: add cluster ip to sshd ListenAddress
- ensure cluster communication over ssh can function
2024-06-11 20:02:04 +10:00
unkinben abd2eb5c9b adding hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml 2024-06-10 22:18:16 +10:00
unkinben b4c20fd7d6 feat: add sonarr module 2024-06-10 22:13:43 +10:00
unkinben b7a22551b1 feat: add sonar role 2024-06-10 21:21:20 +10:00
unkinben e00a78e5fb Merge pull request 'fix: resolve vncproxy issue' (#28) from neoloc/proxmox_ssh into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/28
2024-06-10 13:02:18 +10:00
unkinben a143732b3b fix: resolve vncproxy issue
https://forum.proxmox.com/threads/lc_pve_ticket-not-set-vnc-proxy-without-password-is-forbiddentask-error-failed-to-run-vncproxy.98192/
2024-06-10 13:01:45 +10:00
unkinben 45f3cb39c7 Merge pull request 'fix: proxmox root ssh' (#27) from neoloc/proxmox_ssh into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/27
2024-06-10 12:07:43 +10:00
unkinben 2b36ee3efa fix: proxmox root ssh
- allow proxmox hosts to accept root logins
2024-06-10 12:07:08 +10:00
unkinben 56711212a7 Merge pull request 'Adding hieradata/node/ausyd1nxvm1039.main.unkin.net.yaml' (#26) from autonode/ausyd1nxvm1039.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/26
2024-06-10 11:58:06 +10:00
unkinben 4ab5fd6be3 Adding hieradata/node/ausyd1nxvm1039.main.unkin.net.yaml 2024-06-10 11:57:51 +10:00
unkinben 42be771732 Merge pull request 'Adding hieradata/node/ausyd1nxvm1038.main.unkin.net.yaml' (#25) from autonode/ausyd1nxvm1038.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/25
2024-06-10 11:54:28 +10:00
unkinben 255cf38c67 Adding hieradata/node/ausyd1nxvm1038.main.unkin.net.yaml 2024-06-10 11:51:29 +10:00
unkinben 9c23c0005a Merge pull request 'adding hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml' (#24) from autonode/ausyd1nxvm1037.main.unkin.net into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/24
2024-06-10 11:51:04 +10:00
unkinben 5e13f1a1e8 adding hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml 2024-06-10 11:50:15 +10:00
unkinben 6944d67e04 Merge pull request 'neoloc/sshsign_hostkeys' (#23) from neoloc/sshsign_hostkeys into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/23
2024-06-09 20:39:46 +10:00
unkinben 965e334636 Merge branch 'develop' into neoloc/sshsign_hostkeys 2024-06-09 20:39:27 +10:00
unkinben d4163233f6 Merge branch 'develop' into neoloc/sshsign_hostkeys 2024-06-09 20:38:25 +10:00
unkinben 52b06dcd8e feat: manage ssh known hosts
- disable use of stored configs for ssh-known-hosts
- manage the /etc/ssh/ssh_known_hosts content
2024-06-09 20:26:34 +10:00
unkinben 9d3ddb37df Merge pull request 'fix: dont manage loopback' (#22) from neoloc/networking_loopback into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/22
2024-06-09 09:07:29 +10:00
unkinben 934f4be03c fix: dont manage loopback
- dont manage the lo interface
- cleanup /etc/hosts records
2024-06-09 09:06:54 +10:00
unkinben 777fe1aef6 feat: manage ssh server
- add ssh module
- include the ssh::server class
- manage sshd settings
2024-06-08 17:20:56 +10:00
unkinben 57b935b33e Merge pull request 'neoloc/networking' (#21) from neoloc/networking into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/21
2024-06-08 17:08:51 +10:00
unkinben da9d52e117 chore: set per-node interface/gateway details 2024-06-08 17:07:58 +10:00
unkinben 06545c6298 feat: change hiera_include, hiera_exclude
- change hiera_classes to hiera_include
- add method to remove classes from hiera_include through hiera_exclude
2024-06-08 17:07:58 +10:00
unkinben 51eeb13793 feat: add networking module
- manage interfaces and routes
- set default params for hosts
- add params class to networking module
- set defaults for debian
2024-06-08 17:07:51 +10:00
unkinben 721d14378a Merge pull request 'feat: manage the facts soft limit' (#20) from neoloc/puppet_fact_soft_limit into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/20
2024-06-08 13:58:39 +10:00
unkinben aaf482c9b9 feat: manage the facts soft limit
- set the facts soft limit for agents and servers
- prevent warnings about reaching the default 2048 soft limit
2024-06-08 13:56:53 +10:00
unkinben 33ba0bb896 feat: networking required modules
- add networking, kmod and filemapper plugins
2024-06-07 22:12:26 +10:00
unkinben 07c896b924 Merge pull request 'fix: make ntp check script executable' (#19) from neoloc/consul_ntp_script into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/19
2024-06-03 20:24:55 +10:00
unkinben 6822a39dc3 fix: make ntp check script executable 2024-06-03 20:23:23 +10:00
unkinben b85f14ed89 Merge pull request 'chore: update apt mirror url' (#18) from neoloc/debian_repository into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/18
2024-06-03 20:19:55 +10:00
unkinben e3f34a7cc4 chore: update apt mirror url
- change apt mirror url to use edgecache service
2024-06-03 20:19:12 +10:00
unkinben c000244c5a Merge pull request 'fix: add missing check script' (#17) from neoloc/ntp_consul_checkscript into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/17
2024-06-02 19:32:37 +10:00
unkinben 76fc6b9fa1 fix: add missing check script 2024-06-02 19:32:02 +10:00
unkinben 902e55f655 Merge pull request 'feat: create ntp consul service' (#16) from neoloc/ntp_consul_service into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/16
2024-06-02 19:27:09 +10:00
unkinben da3444e49f feat: create ntp consul service
- create consul policy for ntp servers
- add consul service check and check script
2024-06-02 19:23:39 +10:00
unkinben b468f67103 feat: sign ssh host keys
- manage python script/venv to sign ssh host certificates
- add approle_id to puppetmaster eyaml files
- add class to sign ssh-rsa host keys
- add facts to check if the current principals match the desired principals
2024-06-01 22:51:42 +10:00
unkinben 9819ce7f4d Merge pull request 'feat: change to gitea hosted package repo' (#8) from neoloc/unkinrepo into develop
Reviewed-on: https://git.service.au-syd1.consul/unkinben/puppet-prod/pulls/8
2024-06-01 18:39:55 +10:00
unkinben cc7165055d Merge pull request 'feat: refactor gitea profile' (#7) from neoloc/gitea_refactor into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/7
2024-06-01 17:28:28 +10:00
unkinben 4bd3310ea8 feat: refactor gitea profile
- move more data to hiera
- change how the custom_configuration is made
2024-06-01 17:16:37 +10:00
unkinben d7208c5e40 Merge branch 'develop' into neoloc/doc_updates 2024-06-01 15:00:52 +10:00
unkinben 4b4272250a Merge branch 'develop' into neoloc/grafana 2024-06-01 14:47:06 +10:00
unkinben 3dfe9b9b73 Merge pull request 'feat: puppetdb sql updates' (#5) from neoloc/puppetdb_sql into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/5
2024-06-01 14:36:27 +10:00
unkinben de39515862 feat: change to gitea hosted package repo 2024-06-01 14:05:14 +10:00
unkinben 7aa7f33145 feat: add ssh host key signing 2024-05-25 16:46:13 +10:00
unkinben a6a03b4d83 chore: update headings 2024-05-25 16:45:58 +10:00
unkinben 39aa6e114e feat: puppetdb sql updates
- add consul support
- enable local script checks in consul agents
- add a test DB/User for consult to verify the psql instance is running
- manage the postgresql repo and gpg key
2024-05-22 22:05:54 +10:00
unkinben 40c4be6f6e doc: add additional puppetmasters 2024-05-04 16:14:13 +10:00
unkinben ae6547aea8 chore: update certmanager cidr's 2024-05-03 21:44:51 +10:00
unkinben 5e31af2ee2 Doc: fix default server certificate role 2024-04-27 22:12:18 +10:00
unkinben c5d63bd6f8 Doc: add certmanager documentation 2024-04-27 22:11:06 +10:00
unkinben f351cc8413 chore: add glob domains
- allow generation of hostnames like prod* without a domain
2024-02-25 22:42:22 +11:00
unkinben fd5c3dbce2 Doc updates:
- updated issuer names
- updated max-leas-ttl for root/int ca
2024-02-25 22:06:56 +11:00
unkinben 49f405e0bc Documentation:
- update vault docs
2024-02-18 18:19:32 +11:00
unkinben 254c9f1358 feat: configure grafana
- create grafana class
- configure database with db export, and db parameters
2023-12-11 21:46:53 +11:00
190 changed files with 3832 additions and 182 deletions
+9
@@ -18,6 +18,7 @@ mod 'puppetlabs-xinetd', '3.4.1'
mod 'puppetlabs-haproxy', '8.0.0'
mod 'puppetlabs-java', '10.1.2'
mod 'puppetlabs-reboot', '5.0.0'
mod 'puppetlabs-augeas_core', '1.5.0'
# puppet
mod 'puppet-python', '7.0.0'
@@ -35,10 +36,17 @@ mod 'puppet-vault', '4.1.0'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '3.6.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-filemapper', '4.0.0'
mod 'puppet-openldap', '8.0.0'
mod 'puppet-augeasproviders_shellvar', '6.0.1'
mod 'puppet-augeasproviders_core', '4.1.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
mod 'saz-sudo', '8.0.0'
mod 'saz-ssh', '12.1.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0'
@@ -46,6 +54,7 @@ mod 'kogitoapp-minio', '1.1.4'
mod 'broadinstitute-certs', '3.0.1'
mod 'stm-file_capability', '6.0.0'
mod 'h0tw1r3-gitea', '3.2.0'
mod 'rehan-mkdir', '2.0.0'
mod 'bind',
:git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
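Review bot: The `mod 'bind'` entry at the end of the last hunk shows only a `:git =>` source with no `:ref`, `:tag` or `:commit` visible, so unless a pin follows, r10k will resolve this module to whatever the repository's default branch points at on every deploy, which makes the control repo's content change without any change to this file. The `@@ -46,6 +54,7 @@` header promises one more new-side line than is rendered here, so if that line is a `:ref =>` pin this is already covered; if not, add one, e.g. `:ref => '<tag-or-full-commit-sha>'`, preferring a full commit SHA since tags on a git remote can be moved. The Forge modules added in this section (`puppet-openldap`, the two `augeasproviders` modules, `puppet-network`, `puppet-kmod`, `puppet-filemapper`, `rehan-mkdir`) are pinned to exact versions, which is the right pattern and the one the git source should match. The `mod 'bind'` statement appears to continue past the end of the hunk.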
+9
@@ -0,0 +1,9 @@
# Group administration
This page exists to list all the locally managed groups, their gid's and what their general purpose is for.
## List of groups
| name | gid | purpose |
|-------------|-------------|-------------|
| admin | 10000 | admin group designed for system admins |
| media | 20000 | group permissions to manage media (*arrs) |
+60
@@ -0,0 +1,60 @@
# managing ceph
Always refer back to the official documentation at https://docs.ceph.com/en/latest
## adding new cephfs
- create a erasure code profile which will allow you to customise the raid level
- raid5 with 3 disks? k=2,m=1
- raid5 with 6 disks? k=5,m=1
- raid6 with 4 disks? k=2,m=2, etc
- create osd pool using custom profile for data
- create osd pool using default replicated profile for metadata
- enable ec_overwrites for the data pool
- create the ceph fs volume using data/metadata pools
- set ceph fs settings
- specify minimum number of metadata servers (mds)
- set fs to be for bulk data
- set mds fast failover with standby reply
```
sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
sudo ceph osd pool create media_data 128 erasure ec_4_1
sudo ceph osd pool create media_metadata 32 replicated_rule
sudo ceph osd pool set media_data allow_ec_overwrites true
sudo ceph osd pool set media_data bulk true
sudo ceph fs new mediafs media_metadata media_data --force
sudo ceph fs set mediafs allow_standby_replay true
sudo ceph fs set mediafs max_mds 2
```
## creating authentication tokens
- this will create a client keyring named media
- this client will have the following capabilities:
- mon: read
- mds:
- read /
- read/write /media
- read/write /common
- osd: read/write to cephfs_data pool
```
sudo ceph auth get-or-create client.media \
mon 'allow r' \
mds 'allow r path=/, allow rw path=/media, allow rw path=/common' \
osd 'allow rw pool=cephfs_data'
```
## list the authentication tokens and permissions
ceph auth ls
## change the capabilities of a token
this will overwrite the current capabilities of a given client.user
sudo ceph auth caps client.media \
mon 'allow r' \
mds 'allow rw path=/' \
osd 'allow rw pool=media_data'
+31
@@ -0,0 +1,31 @@
# add additional master
these steps are required when adding additional puppet masters, as the subject alternative names on the certificate will need to be changed. this requires the old certificate be revoked, cleaned up, and for a new certificate to be generated and signed.
## prepare a new node
- deploy a new now, or identify a space with the base role
- change the hosts class to roles::infra::puppet::master
- apply puppet until there are no more changes
## revoke the current certificate on the puppet master
sudo puppetserver ca clean --certname ausyd1nxvm1023.main.unkin.net
## stop the new puppetserver and cleanup revoked certificates
sudo systemctl stop puppetserver
sudo rm -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
sudo rm -f /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem
## copy the current crl.pem, as puppetserver will overwrite it when starting
sudo cp /etc/puppetlabs/puppet/ssl/crl.pem /root/current_crl.pem
## request new puppet agent certificate
sudo puppet ssl bootstrap
## start the puppetserver service and move the crl.pem back in place
sudo systemctl start puppetserver
sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
+123
@@ -0,0 +1,123 @@
# PKI
## root ca
vault secrets enable -path=pki_root pki
vault secrets tune -max-lease-ttl=87600h pki_root
vault write -field=certificate pki_root/root/generate/internal \
common_name="unkin.net" \
issuer_name="UNKIN_ROOTCA_2024" \
ttl=87600h > unkinroot_2024_ca.crt
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
vault write pki_root/roles/2024-servers allow_any_name=true
vault write pki_root/config/urls \
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
## intermediate
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
common_name="unkin.net Intermediate Authority" \
issuer_name="UNKIN_VAULTCA_2024" \
| jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki_root/root/sign-intermediate \
issuer_ref="UNKIN_ROOTCA_2024" \
csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
## create role
vault write pki_int/roles/servers_default \
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
allow_ip_sans=true \
allowed_domains="unkin.net, *.unkin.net, localhost" \
allow_subdomains=true \
allow_glob_domains=true \
allow_bare_domains=true \
enforce_hostnames=true \
allow_any_name=true \
max_ttl="2160h" \
key_bits=4096 \
country="Australia"
## test generating a domain cert
vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
## remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
# AUTH
## enable approles
vault auth enable approle
# CERTMANAGER
## create certmanager policy and token, limit to puppetmaster
cat <<EOF > certmanager.hcl
path "pki_int/issue/*" {
capabilities = ["create", "update", "read"]
}
path "pki_int/renew/*" {
capabilities = ["update"]
}
path "pki_int/cert/*" {
capabilities = ["read"]
}
EOF
vault policy write certmanager certmanager.hcl
vault write auth/approle/role/certmanager \
bind_secret_id=false \
token_policies="certmanager" \
token_ttl=30s \
token_max_ttl=30s \
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
## get the certmanager approle id
vault read -field=role_id auth/approle/role/certmanager/role-id
# SSH Hostkey Signing
## create ssh engine, key, set ttl
vault secrets enable -path=ssh-host-signer ssh
vault write ssh-host-signer/config/ca generate_signing_key=true
vault secrets tune -max-lease-ttl=87600h ssh-host-signer
## create role
vault write ssh-host-signer/roles/hostrole \
key_type=ca \
algorithm_signer=rsa-sha2-256 \
ttl=87600h \
allow_host_certificates=true \
allowed_domains="unkin.net" \
allow_subdomains=true \
allow_baredomains=true
## create policy to use hostrole
cat <<EOF > sshsign-host.hcl
path "ssh-host-signer/sign/hostrole" {
capabilities = ["create", "update"]
}
EOF
vault policy write sshsign-host-policy sshsign-host.hcl
vault write auth/approle/role/sshsign-host-role \
bind_secret_id=false \
token_policies="sshsign-host-policy" \
token_ttl=30s \
token_max_ttl=30s \
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
## get the sshsign-host-role approle id
vault read -field=role_id auth/approle/role/sshsign-host-role/role-id
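Review bot: `allow_any_name=true` on the `servers_default` role (L621) bypasses the `allowed_domains` / `allow_subdomains` allow-list on the lines above it, so any holder of a certmanager token (policy on `pki_int/issue/*`) can obtain a leaf certificate for a name outside unkin.net; only `enforce_hostnames` still applies. The same flag is set on the root role at L595, which is never used in this runbook and lets leaves be issued straight from the root issuer rather than only via the intermediate — drop `allow_any_name=true` from `servers_default` and delete the root role if nothing needs it. Note that `bind_secret_id=false` (L649, L678) makes role_id plus source IP the entire credential, so the `token_bound_cidrs` list is the only thing gating issuance. Separately, `allow_baredomains=true` at L669 is not a recognised ssh-role parameter (Vault's is `allow_bare_domains`), so it will be ignored with a warning and the bare `unkin.net` name will not be signable.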
-48
@@ -1,48 +0,0 @@
# root ca
vault secrets enable -path=pki_root pki
vault write -field=certificate pki_root/root/generate/internal \
common_name="unkin.net" \
issuer_name="unkinroot-2024" \
ttl=87600h > unkinroot_2024_ca.crt
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
vault write pki_root/roles/2024-servers allow_any_name=true
vault write pki_root/config/urls \
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
# intermediate
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
common_name="unkin.net Intermediate Authority" \
issuer_name="unkin-dot-net-intermediate" \
| jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki_root/root/sign-intermediate \
issuer_ref="unkinroot-2024" \
csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
# create role
vault write pki_int/roles/unkin-dot-net \
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
allowed_domains="unkin.net" \
allow_subdomains=true \
max_ttl="2160h"
# test generating a domain cert
vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
# remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
+91 -36
@@ -108,11 +108,34 @@ lookup_options:
profiles::nginx::simpleproxy::nginx_aliases:
merge:
strategy: deep
networking::interfaces:
merge:
strategy: deep
networking::interface_defaults:
merge:
strategy: deep
networking::routes:
merge:
strategy: deep
networking::route_defaults:
merge:
strategy: deep
ssh::server::options:
merge:
strategy: deep
mysql::db:
merge:
strategy: deep
profiles::ceph::client::keyrings:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
hiera_classes:
hiera_include:
- timezone
- networking
- ssh::server
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@@ -150,6 +173,7 @@ profiles::packages::install:
- curl
- dstat
- expect
- gcc
- gzip
- git
- htop
@@ -170,6 +194,7 @@ profiles::packages::install:
- socat
- strace
- sysstat
- tar
- tmux
- traceroute
- unzip
@@ -215,6 +240,38 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
prometheus::node_exporter::export_scrape_job: true
prometheus::systemd_exporter::export_scrape_job: true
ssh::server::storeconfigs_enabled: false
ssh::server::options:
Protocol: '2'
ListenAddress:
- '127.0.0.1'
- '%{facts.networking.ip}'
SyslogFacility: 'AUTHPRIV'
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem
AuthorizedKeysFile: .ssh/authorized_keys
PermitRootLogin: no
PasswordAuthentication: no
ChallengeResponseAuthentication: no
PubkeyAuthentication: yes
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: yes
UsePAM: yes
X11Forwarding: no
PrintMotd: no
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: sftp /usr/libexec/openssh/sftp-server
profiles::ssh::knownhosts::lines:
- '@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1HD97vYxLTniE4qNpGuftUlvmkEXIuX8+7nbENv/IzsGUghEDRtyThjQ7ojNKIsQ7f8wXr0gMcI+fAPfrbcOMHCAoYMomikwL0b3h95SZI40q3CyM+0DMnwiVVDX6C1QxkO2Rv9cszSkCa85NotJhXiUuTBI9BFcRPy+mAhbpAru+bfypYofI0wW97XNTl8Jgwmni5MgutBIQAokFIn5ux8iWxndCH3AqDtmkwC5DfQeQ+wZx7rkwqJEpJffQzrjb1gIM6P9hDCVBBVPh/3o80IJ69rFWrJAZUb+JpG4cXJH0NcSW+wqc3JCT/x3q8VlHwOTXSlNNKtOJCRx73mB8e1XTTy2a9FgpKDDg5XQXWHAViJDz1RTRL9gRefMylRgKz4bXoTuY9kJWM8hPTyUejtukbJThlBJc3OmDxBZBF7F0iqB11pHexok43OCEiANodVa36eWu9/5X032Vm48fZ1/akDPY/NSy3wAn7kwut+A0/JAHFHASrq+1mt9YurkJegI+YHXO6eEWpBIpmI7ORHJbGL4MhkHrxYzVamuP8CkU7tXzsv138+wpOcRHNp9yJY4PT40BZkRf/O3O+jt3pj9Dj8rvgywF2W6hFzywh3Y78upOprRkQlQtHfsI8EyrYI8/hUw2u3H+3yPXh3YjWfqvWVG1BRLRHBV7m90uaw=='
profiles::base::groups::local:
admins:
ensure: present
@@ -231,38 +288,36 @@ sudo::configs:
profiles::accounts::sysadmin::sshkeys:
- ssh-rsa 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 ben@unkin.net
profiles::base::hosts::additional_hosts:
- ip: 198.18.17.3
hostname: prodinf01n01.main.unkin.net
aliases:
- prodinf01n01
- puppet
- puppetmaster
- puppetca
- ip: 198.18.17.4
hostname: prodinf01n04.main.unkin.net
aliases:
- prodinf01n04
- ip: 198.18.17.5
hostname: prodinf01n05.main.unkin.net
aliases:
- prodinf01n05
- ip: 198.18.17.6
hostname: prodinf01n06.main.unkin.net
aliases:
- prodinf01n06
- ip: 198.18.17.9
hostname: prodinf01n09.main.unkin.net
aliases:
- prodinf01n09
- ntp01.main.unkin.net
- ip: 198.18.17.10
hostname: prodinf01n10.main.unkin.net
aliases:
- prodinf01n10
- ntp02.main.unkin.net
- ip: 198.18.17.22
hostname: prodinf01n22.main.unkin.net
aliases:
- prodinf01n22
- repos.main.unkin.net
networking::interface_defaults:
ensure: present
family: inet
method: static
netmask: 255.255.255.0
onboot: true
networking::route_defaults:
ensure: present
interface: eth0
netmask: 0.0.0.0
network: default
profiles::ceph::client::fsid: 7f7f00cb-95de-498c-8dcc-14b54e4e9ca8
profiles::ceph::client::mons:
- 10.18.15.1
- 10.18.15.2
- 10.18.15.3
#profiles::base::hosts::additional_hosts:
# - ip: 198.18.17.9
# hostname: prodinf01n09.main.unkin.net
# aliases:
# - prodinf01n09
# - ntp01.main.unkin.net
# - ip: 198.18.17.10
# hostname: prodinf01n10.main.unkin.net
# aliases:
# - prodinf01n10
# - ntp02.main.unkin.net
# - ip: 198.18.17.22
# hostname: prodinf01n22.main.unkin.net
# aliases:
# - prodinf01n22
# - repos.main.unkin.net
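Review bot: The known_hosts line at L807 trusts the SSH host CA for every destination (`@cert-authority *`), so a compromise of that CA key would let an attacker present a valid host certificate for any name a client connects to, not just internal ones. The ssh-host-signer role configured elsewhere in this change only signs `unkin.net` and its subdomains, so the client-side trust can be scoped to match, e.g. `@cert-authority *.unkin.net,*.consul,198.18.*,10.18.* ssh-rsa AAAA…`. Also, `Protocol: '2'` at L780 is a no-op on current OpenSSH (protocol 1 support was removed in 7.4) and can be dropped from `ssh::server::options`.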
@@ -1,3 +1,4 @@
---
certmanager::vault_token: ENC[PKCS7,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]
certmanager::role_id: ENC[PKCS7,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]
sshsignhost::role_id: ENC[PKCS7,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]
@@ -6,11 +6,21 @@ profiles::haproxy::mappings:
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
fe_https:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
- 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
- 'sonarr.main.unkin.net be_sonarr'
- 'radarr.main.unkin.net be_radarr'
- 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
profiles::haproxy::frontends:
fe_http:
@@ -63,6 +73,86 @@ profiles::haproxy::backends:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_sonarr:
description: Backend for au-syd1 sonarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_radarr:
description: Backend for au-syd1 radarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_lidarr:
description: Backend for au-syd1 lidarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_readarr:
description: Backend for au-syd1 readarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_prowlarr:
description: Backend for au-syd1 prowlarr
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
@@ -72,6 +162,11 @@ profiles::haproxy::certlist::certificates:
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
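Review bot: The five new backends (L911-990) reuse `add-header X-Forwarded-Proto https if { dst_port 443 }`, and `add-header` appends rather than replaces, so a client that sends its own `X-Forwarded-Proto` reaches the backend with both values and whichever the app reads first wins. Use `set-header X-Forwarded-Proto https if { dst_port 443 }` so the proxy's value is authoritative, matching what is already done for `X-Forwarded-Port` on the line above it. The `SRVNAME` affinity cookie is inserted without `secure` or `httponly`; since every one of these vhosts redirects to https anyway, `cookie SRVNAME insert indirect nocache secure httponly` costs nothing. Whether the *arr backends trust the forwarded headers for anything security-relevant isn't visible here, but there is no reason to leave them client-controllable.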
@@ -1,3 +1,4 @@
---
certmanager::vault_token: ENC[PKCS7,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]
certmanager::role_id: ENC[PKCS7,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]
sshsignhost::role_id: ENC[PKCS7,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]
@@ -0,0 +1,2 @@
---
mysql::db::grafana::pass: ENC[PKCS7,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]
@@ -2,3 +2,14 @@
profiles::sql::galera_member::cluster_name: au-syd1
profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net
profiles::sql::galera_member::innodb_buffer_pool_size: 256M
mysql::db:
grafana:
name: grafana
user: grafana
password: "%{alias('mysql::db::grafana::pass')}"
grant:
- SELECT
- INSERT
- UPDATE
- DELETE
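Review bot: The grafana grant at L1021-1025 is limited to DML, but Grafana runs its own schema migrations at startup, so the first start against an empty `grafana` database will presumably fail without `CREATE`/`ALTER`/`INDEX`/`DROP` — worth confirming against the Grafana version in use before this lands. Also, `mysql::db` defaults the grant host to `localhost`; if Grafana runs on a node other than this galera member, add `host:` with the Grafana node's address (or its subnet) to the entry. Keeping the grant tight is the right instinct; it just needs to include what the application actually requires.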
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.10
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.11
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.12
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.13
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.14
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.15
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.16
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.17
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.18
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.19
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.20
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.21
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.22
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.23
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.24
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.25
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.26
networking::routes:
default:
gateway: 198.18.13.254
@@ -1,2 +1,11 @@
---
profiles::cobbler::params::is_cobbler_master: true
networking::interfaces:
ens18:
ipaddress: 198.18.13.27
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.28
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.29
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.30
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,10 @@
---
networking::interfaces:
ens18:
ipaddress: 198.18.13.31
networking::routes:
default:
gateway: 198.18.13.254
interface: ens18
profiles::almalinux::base::remove_ens18: false
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.32
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.33
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.34
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.35
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.36
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.37
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.38
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.39
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.40
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.41
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.42
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.43
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.44
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.45
networking::routes:
default:
gateway: 198.18.13.254
@@ -5,5 +5,17 @@ profiles::puppet::server::dns_alt_names:
- puppetca.query.consul
- puppetca
profiles::ssh::sign::principals:
- puppetca.main.unkin.net
- puppetca.service.consul
- puppetca.query.consul
- puppetca
profiles::puppet::puppetca::is_puppetca: true
profiles::puppet::puppetca::allow_subject_alt_names: true
networking::interfaces:
eth0:
ipaddress: 198.18.13.46
networking::routes:
default:
gateway: 198.18.13.254
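Review bot: `profiles::puppet::puppetca::allow_subject_alt_names: true` (L1328) enables puppetserver's `allow-subject-alt-names`, which is off by default because it lets any agent submit a CSR carrying SANs for other nodes' names; combined with any autosign rule, an agent could obtain a certificate valid for `puppetca.*`. Keep it only while CSRs are signed by hand or an autosign policy script inspects the SANs, and switch it back off once this master's own certificate has been issued. The new `profiles::ssh::sign::principals` entries at L1324-1325 are `*.consul` names, while the ssh-host-signer role set up elsewhere in this change allows only `unkin.net` and its subdomains, so those principals will presumably be rejected at signing unless the role is broader than shown.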
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.47
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.47
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.48
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.49
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.50
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.50
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.51
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.51
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.52
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.52
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.53
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.53
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.54
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.55
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.56
networking::routes:
default:
gateway: 198.18.13.254
@@ -0,0 +1,14 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.57
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.57
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
@@ -7,3 +7,6 @@ profiles::puppet::server::dns_alt_names:
profiles::puppet::puppetca::is_puppetca: false
profiles::puppet::puppetca::allow_subject_alt_names: true
hiera_exclude:
- networking
+16 -2
@@ -5,10 +5,15 @@ profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
profiles::puppet::agent::puppet_version: '7.26.0'
hiera_include:
- profiles::almalinux::base
profiles::packages::install:
- lzo
- xz
- network-scripts
- policycoreutils
- unar
- xz
lm-sensors::package: lm_sensors
@@ -19,44 +24,53 @@ profiles::yum::global::repos:
target: /etc/yum.repos.d/baseos.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
extras:
name: extras
descr: extras repository
target: /etc/yum.repos.d/extras.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
appstream:
name: appstream
descr: appstream repository
target: /etc/yum.repos.d/appstream.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
highavailability:
name: highavailability
descr: highavailability repository
target: /etc/yum.repos.d/highavailability.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
epel:
name: epel
descr: epel repository
target: /etc/yum.repos.d/epel.repo
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
mirrorlist: absent
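Review bot: Every edgecache stanza now pins `mirrorlist: absent` and an https `baseurl`, but the `gpgkey:` lines beside them (L1488, L1495, L1502, L1509, L1516, L1523) still fetch the signing key over plain `http://edgecache.query.consul`. Package signatures only protect you if the key itself arrived over a trusted channel, so this is the one URL in each stanza that must not be tamperable; change them to `https://edgecache.query.consul/...` to match the baseurl host. The new `unkin` stanza at L1537-1538 already fetches both over https, so this just brings the older stanzas in line.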
+2 -1
@@ -1,6 +1,6 @@
# hieradata/os/debian/all_releases.yaml
---
profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7
@@ -12,3 +12,4 @@ profiles::packages::install:
- xz-utils
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false
+2
@@ -0,0 +1,2 @@
---
ceph::key::media: ENC[PKCS7,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]
+20
@@ -0,0 +1,20 @@
---
profiles::yum::global::repos:
ceph-reef:
name: ceph-reef
descr: ceph reef repository
target: /etc/yum.repos.d/ceph-reef.repo
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
gpgcheck: 0,
mirrorlist: absent
profiles::ceph::client::keyrings:
media:
key: "%{hiera('ceph::key::media')}"
profiles::base::groups::local:
media:
ensure: present
gid: 20000
allowdupe: false
forcelocal: true
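Review bot: `gpgcheck: 0,` at L1569 has a stray trailing comma, and whatever the yumrepo type makes of the string `0,`, the intent is to disable signature verification on Ceph packages pulled from the edgecache mirror. Ceph signs its RPMs, so set `gpgcheck: 1` and add a `gpgkey:` pointing at a mirrored copy of the Ceph release key, the same way the other stanzas in this change fetch theirs from edgecache. An https baseurl protects the transport, not the artefact: if the mirror or the cache is ever compromised, unsigned packages install silently.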
+2
@@ -0,0 +1,2 @@
---
lidarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAeIT5i5yJ/KCmEBEgF8r36dl2RK/0/LQWPl6bgth7KOdtfNynhH4bCxembrJwzXasT1KBrPWYmTc2IObBz2tqu7BIHoioI2y+GVs2ulhx63lrfeDI/I4QFs5EOh9fIoyOxlIkvKm+p0WVfaegKOKM63XHHvG2TmBwTypEHB1IXaCMVl87tY+3xmMEaiqVPik3llqLCog1rmRLbIQx+whAFPtlhHur0ozfdYLKiM57YHAsQpGgASYkAAjvZuKabOrRZsIhhsHCb4JQ/evvIrhkviK7nP4xHdeqRSJgdEDmIldr2FW3uHCzuq033K3T7HNc3HbUM/5lC0ygP8sZnnM8rDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAyfQkaBPJJWVsc2FGiyCyMgDAYuYDAwBBAJzfVZ4RFrQyi48VZeS8MTjf2HNAXBYoYgTtdZAk9i+pIV22p9ee+KsU=]
+52
@@ -0,0 +1,52 @@
---
hiera_include:
- lidarr
- profiles::nginx::simpleproxy
# manage lidarr
lidarr::params::user: lidarr
lidarr::params::group: media
lidarr::params::manage_group: false
lidarr::params::archive_version: 2.3.3
lidarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- lidarr.main.unkin.net
- lidarr.service.consul
- lidarr.query.consul
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'lidarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- lidarr.main.unkin.net
- lidarr.service.consul
- lidarr.query.consul
- "lidarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
lidarr:
service_name: 'lidarr'
tags:
- 'media'
- 'lidarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'lidarr_http_check'
name: 'Lidarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: lidarr
disposition: write
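Review bot: The consul check at L1627-1629 hits `https://<fqdn>:443` with `tls_skip_verify: true`, so the check stays green even if nginx is serving the wrong or an expired certificate, which is exactly the failure a check on a TLS endpoint should surface. The vhost certificate is issued from Vault with the service names in `profiles::pki::vault::alt_names` (L1599-1603), so if the consul agent trusts the unkin.net intermediate the flag can simply be removed; if it is only there because the node FQDN is not in the SAN list, check `https://lidarr.query.consul:443` instead. Either way a one-line comment recording why verification is disabled would save the next reader from guessing.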
@@ -0,0 +1,2 @@
---
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=]
+52
@@ -0,0 +1,52 @@
---
hiera_include:
- prowlarr
- profiles::nginx::simpleproxy
# manage prowlarr
prowlarr::params::user: prowlarr
prowlarr::params::group: media
prowlarr::params::manage_group: false
prowlarr::params::archive_version: 1.19.0
prowlarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- prowlarr.main.unkin.net
- prowlarr.service.consul
- prowlarr.query.consul
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'prowlarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- prowlarr.main.unkin.net
- prowlarr.service.consul
- prowlarr.query.consul
- "prowlarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
prowlarr:
service_name: 'prowlarr'
tags:
- 'media'
- 'prowlarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'prowlarr_http_check'
name: 'Prowlarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: prowlarr
disposition: write
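Review bot: The nginx proxy forwards to `127.0.0.1:8000` (L1665-1666), but nothing here shows that prowlarr itself binds only to loopback; the *arr apps presumably default to `BindAddress` `*`, and the AlmaLinux hieradata in this same change keeps firewalld stopped, so port 8000 would be reachable directly over plain HTTP, bypassing the TLS vhost and the haproxy rules. If the prowlarr module exposes a bind-address parameter, set it to `127.0.0.1` next to `prowlarr::params::port`; otherwise add a firewall rule or confirm the binding with `ss -ltnp` on the node. Prowlarr holds indexer credentials and the API keys of the other *arr instances, so it is the one most worth locking down.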
+2
@@ -0,0 +1,2 @@
---
radarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEALtNnNr2N7DpP9zx5anmQavFmsTLIyPkpJGCkJpUTHMYFSScS/3FOUuufajk4Cmu4FbPswp/N/U1nHO8oLF6xNQ+H77+xXuKPalW/3R1IRqGoczwsAfstJ6nYF+PLjjeK2TDP+KMs3Eg2+nrXB7NOVOP88RvDLyZq93Wn9qR+1VG6Y2gLqGSJArZpNilV5ygUYRgbMeckjqfLynYBXtgDQQLYNhxDO6WGRRv+0X773nmOdrWFAUjqF6/K+Ejjk5ZbaqnGyjljMstSrhg7NWxtMRbCjeMpjUjUS4Hn/Vayg2M2Ag2s87gsE1e4QFa6KP7GVRu3swvyZ3D54Ba/xrebxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDD6gIEfNGPXA8zv/vysgxJgDADMi7Fx5q+aqTMeqcKLg1AukTlCnJ62zykm6RNGdS0KlpJsvTSmWF4So3v/9BsKdk=]
+53
@@ -0,0 +1,53 @@
---
hiera_include:
- radarr
- profiles::nginx::simpleproxy
# manage radarr
radarr::params::user: radarr
radarr::params::group: media
radarr::params::manage_group: false
radarr::params::archive_version: 5.7.0
radarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- radarr.main.unkin.net
- radarr.service.consul
- radarr.query.consul
- "radarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'radarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- radarr.main.unkin.net
- radarr.service.consul
- radarr.query.consul
- "radarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
radarr:
service_name: 'radarr'
tags:
- 'media'
- 'radarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'radarr_http_check'
name: 'radarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: radarr
disposition: write
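Review bot: `radarr::params::archive_version: 5.7.0` (L1706) pins the tarball version, but no checksum or signature parameter is visible in this hieradata, so the install presumably trusts whatever the download host returns for that version. If the radarr module accepts a checksum (or the archive is staged on an internal repo with a verified digest), set it here beside the version so a swapped artefact fails the Puppet run instead of being installed as a service in the `media` group with access to the shared cephfs. The same applies to the other *arr roles in this change.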
+2
@@ -0,0 +1,2 @@
---
readarr::api_key: ENC[PKCS7,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]
+52
@@ -0,0 +1,52 @@
---
hiera_include:
- readarr
- profiles::nginx::simpleproxy
# manage readarr
readarr::params::user: readarr
readarr::params::group: media
readarr::params::manage_group: false
readarr::params::archive_version: 0.3.28
readarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- readarr.main.unkin.net
- readarr.service.consul
- readarr.query.consul
- "readarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'readarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- readarr.main.unkin.net
- readarr.service.consul
- readarr.query.consul
- "readarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
readarr:
service_name: 'readarr'
tags:
- 'media'
- 'readarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'readarr_http_check'
name: 'Readarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: readarr
disposition: write
+1
@@ -0,0 +1 @@
sonarr::api_key: ENC[PKCS7,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]
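Review bot: This one-line secrets file omits the leading `---` document marker that the readarr secrets file in this commit starts with; the `puppetdb_sql` secrets file further down omits it as well. YAML accepts both forms, but a uniform first line makes a truncated or mis-encrypted file easier to spot in review. Add `---` as the first line of both.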
+52
@@ -0,0 +1,52 @@
---
hiera_include:
- sonarr
- profiles::nginx::simpleproxy
# manage sonarr
sonarr::params::user: sonarr
sonarr::params::group: media
sonarr::params::manage_group: false
sonarr::params::archive_version: 4.0.5
sonarr::params::port: 8000
# additional altnames
profiles::pki::vault::alt_names:
- sonarr.main.unkin.net
- sonarr.service.consul
- sonarr.query.consul
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'sonarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- sonarr.main.unkin.net
- sonarr.service.consul
- sonarr.query.consul
- "sonarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
# configure consul service
nginx::client_max_body_size: 10M
consul::services:
sonarr:
service_name: 'sonarr'
tags:
- 'media'
- 'sonarr'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'sonarr_http_check'
name: 'Sonarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: sonarr
disposition: write
@@ -0,0 +1,2 @@
---
profiles::openldap::params::rootpw: ENC[PKCS7,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]
+22
@@ -0,0 +1,22 @@
---
# additional altnames
profiles::pki::vault::alt_names:
- ldap.main.unkin.net
- ldap.service.consul
- ldap.query.consul
- "ldap.service.%{facts.country}-%{facts.region}.consul"
openldap::server::manage_epel: false
profiles::openldap::params::data_path: '/data/ldap/main.unkin.net'
profiles::openldap::params::database: 'dc=main,dc=unkin,dc=net'
profiles::openldap::params::rootdn: "cn=admin,%{hiera('profiles::openldap::params::database')}"
profiles::openldap::params::ldap_server:
- rid: 1
provider: ldap://ausyd1nxvm1044.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
- rid: 2
provider: ldap://ausyd1nxvm1045.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
- rid: 3
provider: ldap://ausyd1nxvm1046.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
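Review bot: The three syncrepl `provider:` entries use plain `ldap://` URIs, so replication — including the bind for the rootdn whose password lives in the encrypted file above — runs unencrypted unless the openldap profile appends `starttls=critical` to the syncrepl stanza, which is not visible here. Prefer `ldaps://` if the servers expose it on the vault-issued certificate, or confirm in the profile that STARTTLS is forced and add a comment here saying so. Also, `%{hiera('…')}` is the legacy alias of the `%{lookup('…')}` form the puppet server section of this commit uses; the gitea section uses the old alias too, so switching both keeps the hieradata consistent.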
+1 -1
@@ -17,5 +17,5 @@ profiles::pki::vault::alt_names:
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
profiles::selinux::setenforce::mode: permissive
hiera_classes:
hiera_include:
- profiles::selinux::setenforce
+1 -1
@@ -1,3 +1,3 @@
---
profiles::gitea::init::mysql_pass: ENC[PKCS7,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]
profiles::gitea::mysql_pass: ENC[PKCS7,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]
profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,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]
+45
@@ -6,6 +6,11 @@ profiles::pki::vault::alt_names:
- git.query.consul
- "git.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- git.main.unkin.net
- git.service.consul
- git.query.consul
consul::services:
git:
service_name: 'git'
@@ -37,3 +42,43 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 3000
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 250M
profiles::gitea::init::root:
APP_NAME: 'Gitea'
RUN_USER: 'git'
RUN_MODE: 'prod'
profiles::gitea::init::repository:
ROOT: '/data/gitea/repos'
FORCE_PRIVATE: false
MAX_CREATION_LIMIT: -1
DISABLE_HTTP_GIT: false
DEFAULT_BRANCH: 'main'
DEFAULT_PRIVATE: 'last'
profiles::gitea::init::ui:
SHOW_USER_EMAIL: false
profiles::gitea::init::server:
PROTOCOL: 'http'
DOMAIN: 'git.query.consul'
ROOT_URL: 'https://git.query.consul'
HTTP_ADDR: '0.0.0.0'
HTTP_PORT: 3000
START_SSH_SERVER: false
SSH_DOMAIN: 'git.query.consul'
SSH_PORT: 2222
SSH_LISTEN_HOST: '0.0.0.0'
OFFLINE_MODE: true
APP_DATA_PATH: '/data/gitea'
SSH_LISTEN_PORT: 22
LFS_START_SERVER: true
profiles::gitea::init::database:
DB_TYPE: 'mysql'
HOST: 'mariadb-prod.service.au-syd1.consul:3306'
NAME: 'gitea'
USER: 'gitea'
PASSWD: "%{hiera('profiles::gitea::mysql_pass')}"
SSL_MODE: 'disable'
LOG_SQL: false
profiles::gitea::init::lfs:
PATH: '/data/gitea/lfs'
profiles::gitea::init::session:
PROVIDER: db
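Review bot: `SSL_MODE: 'disable'` under `profiles::gitea::init::database` sends the Gitea database session to `mariadb-prod.service.au-syd1.consul:3306` in the clear, so repository and user metadata cross the network unencrypted. If the MariaDB service offers TLS, switch to a TLS-enabling value (Gitea documents different accepted values for the MySQL and PostgreSQL drivers, so check which applies to `DB_TYPE: 'mysql'`). The `HOST` value also hard-codes `prod` and `au-syd1` where the grafana section in this commit derives them from `%{facts.environment}` and `%{facts.country}-%{facts.region}`; using the same interpolation here keeps a non-prod node from pointing at the production database.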
+4
@@ -15,6 +15,7 @@ profiles::haproxy::server::globals:
stats:
- timeout 30s
- socket /var/lib/haproxy/stats
- socket /var/lib/haproxy/admin.sock mode 660 level admin
ca-base: /etc/ssl/certs
crt-base: /etc/ssl/private
ssl-default-bind-ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
@@ -89,3 +90,6 @@ profiles::haproxy::backends:
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
prometheus::haproxy_exporter::cnf_scrape_uri: unix:/var/lib/haproxy/stats
prometheus::haproxy_exporter::export_scrape_job: true
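Review bot: The new `socket /var/lib/haproxy/admin.sock mode 660 level admin` stanza grants full runtime control of the proxy (disabling servers, changing weights, clearing tables) to anyone who can open it, but sets no `user`/`group`, so ownership falls to whatever HAProxy's creating process runs as — typically root before the privilege drop. If the socket is intended for an operator tool, add explicit `user`/`group` keywords so `mode 660` describes a deliberate group rather than an accident; if it is meant to stay root-only, a comment saying so would help, since the exporter configured below scrapes `/var/lib/haproxy/stats`, not this socket.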
@@ -0,0 +1,49 @@
---
hiera_include:
- profiles::nginx::simpleproxy
profiles::metrics::grafana::mysql_host: "mariadb-%{facts.environment}.service.%{facts.country}-%{facts.region}.consul"
profiles::metrics::grafana::mysql_port: 3306
# additional altnames
profiles::pki::vault::alt_names:
- grafana.main.unkin.net
- grafana.service.consul
- grafana.query.consul
- "grafana.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- grafana.main.unkin.net
- grafana.service.consul
- grafana.query.consul
consul::services:
grafana:
service_name: 'grafana'
tags:
- 'grafana'
- 'metrics'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'Grafana_https_check'
name: 'Grafana HTTPS Check'
http: "https://%{facts.networking.fqdn}:443"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: grafana
disposition: write
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'grafana.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- grafana.main.unkin.net
- grafana.service.consul
- grafana.query.consul
- "grafana.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8080
profiles::nginx::simpleproxy::proxy_path: '/'
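Review bot: The check id `Grafana_https_check` is the only capitalised id among this commit's consul service definitions; the radarr, readarr, sonarr and ntp sections use the `<service>_<proto>_check` form. Consul check ids are case-sensitive strings used verbatim in the agent API, so use `id: 'grafana_https_check'` to match the others.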
@@ -8,4 +8,5 @@ profiles::metrics::server::scrape_jobs:
- bind
- puppetdb
- systemd
- haproxy
profiles::metrics::server::localstorage: /data/prometheus
+21
@@ -12,3 +12,24 @@ profiles::ntp::server::peers:
- '1.au.pool.ntp.org'
- '2.au.pool.ntp.org'
- '3.au.pool.ntp.org'
consul::services:
ntp:
service_name: 'ntp'
tags:
- 'ntp'
- 'time'
- 'sync'
address: "%{facts.networking.ip}"
port: 123
checks:
- id: ntp_check
name: "NTP Service Check"
args:
- '/usr/local/bin/check_ntp.sh'
interval: '15s'
timeout: '5s'
profiles::consul::client::node_rules:
- resource: service
segment: ntp
disposition: write
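Review bot: The `ntp_check` script check runs `/usr/local/bin/check_ntp.sh`, and nothing in this hunk manages that file; the profile that ships it is not visible here, and if the script is absent or not executable the check fails and the `ntp` prepared query added later in this commit returns no passing instance. The `puppetdbsql` section has the same dependency on `/usr/local/bin/check_consul_postgresql`. A `# deployed by <profile name>` comment beside each `args:` entry, or an explicit ordering in the profile that installs the script, would make the dependency visible.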
+28
@@ -5,3 +5,31 @@ sudo::configs:
content: |
ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
hiera_exclude:
- networking
# proxmox tools use root to authenticate against each other
ssh::server::options:
PermitRootLogin: yes
AcceptEnv:
- LANG LC_*
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
ListenAddress:
- "%{facts.networking.interfaces.vmbr1.ip}"
profiles::consul::client::node_rules:
- resource: service
segment: ceph-mon
disposition: write
- resource: service
segment: ceph-mds
disposition: write
- resource: service
segment: ceph-mgr
disposition: write
- resource: service
segment: ceph-osd
disposition: write
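Review bot: `PermitRootLogin: yes` is an unquoted YAML 1.1 boolean, so Hiera hands the ssh module `true` rather than the string `yes`; whether that renders back as `yes` depends on the module's template, and sshd does not accept `PermitRootLogin true`. Quote it at minimum, and prefer `PermitRootLogin: 'prohibit-password'`, which still allows the key-based root access the comment says Proxmox uses between nodes while refusing password logins for root. The `ListenAddress` restriction to the `vmbr1` address already limits exposure to that bridge's network, which makes the key-only form cheap to adopt.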
+12
@@ -37,6 +37,14 @@ profiles::helpers::certmanager::vault_config:
output_path: '/tmp/certmanager'
role_id: "%{lookup('certmanager::role_id')}"
profiles::helpers::sshsignhost::vault_config:
addr: 'https://vault.service.consul:8200'
mount_point: 'ssh-host-signer'
approle_path: 'approle'
role_name: 'hostrole'
output_path: '/tmp/sshsignhost'
role_id: "%{lookup('sshsignhost::role_id')}"
profiles::puppet::server::agent_server: 'puppet.query.consul'
profiles::puppet::server::report_server: 'puppet.query.consul'
profiles::puppet::server::ca_server: 'puppetca.query.consul'
@@ -50,6 +58,10 @@ profiles::puppet::server::dns_alt_names:
- puppetmaster
- puppet
profiles::ssh::sign::principals:
- puppet.service.consul
- puppet.query.consul
consul::services:
puppet:
service_name: 'puppet'
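Review bot: `output_path: '/tmp/sshsignhost'` places the vault-issued SSH host certificate material in a world-writable directory, where any local account can pre-create the path or a symlink before the helper writes to it; the existing certmanager entry above uses `/tmp/certmanager` the same way, so this extends an existing pattern rather than introducing it. A directory under `/var/lib/` or `/run/` owned by the helper's user with mode 0700, e.g. `output_path: '/var/lib/sshsignhost'`, would be safer, assuming the helper creates its output directory itself.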
+1
@@ -0,0 +1 @@
profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,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]
+35
@@ -2,3 +2,38 @@
postgresql_config_entries:
max_connections: 300
shared_buffers: '256MB'
consul::services:
puppetdbsql:
service_name: 'puppetdbsql'
tags:
- 'puppet'
- 'puppetdb'
- 'database'
address: "%{facts.networking.ip}"
port: 5432
checks:
- id: 'psql-check'
name: 'PostgreSQL Health Check'
args:
- '/usr/local/bin/check_consul_postgresql'
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: puppetdbsql
disposition: write
profiles::yum::global::repos:
postgresql-15:
name: postgresql-15
descr: postgresql-15 repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
postgresql-common:
name: postgresql-common
descr: postgresql-common repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
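Review bot: Both `profiles::yum::global::repos` entries set `gpgkey` but not `gpgcheck`, so whether package signatures are enforced depends on the yum profile's default, which is not visible here; since both repos are served through the `edgecache.query.consul` mirror, an explicit `gpgcheck: 1` under each entry (and `repo_gpgcheck: 1` if the profile passes it through) removes the doubt. Both entries also write to the same `target: /etc/yum.repos.d/postgresql.repo`, which is fine if the profile concatenates sections and a silent overwrite if it does not — worth confirming.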
+12
@@ -77,3 +77,15 @@ profiles::consul::prepared_query::rules:
service_failover_n: 3
service_only_passing: true
ttl: 10
ntp:
ensure: 'present'
service_name: 'ntp'
service_failover_n: 3
service_only_passing: true
ttl: 10
grafana:
ensure: 'present'
service_name: 'grafana'
service_failover_n: 3
service_only_passing: true
ttl: 10
@@ -42,6 +42,9 @@ profiles::edgecache::params::directories:
/data/edgecache/pub/postgres: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx }
/data/edgecache/pub/ceph: { owner: nginx, group: nginx }
/data/edgecache/pub/ceph/apt: { owner: nginx, group: nginx }
/data/edgecache/pub/ceph/yum: { owner: nginx, group: nginx }
profiles::edgecache::params::mirrors:
debian:
@@ -118,3 +121,29 @@ profiles::edgecache::params::mirrors:
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
ceph_yum_repodata:
ensure: present
location: '~* ^/ceph/yum/.*/repodata/'
rewrite_rules:
- '^/ceph/yum/(.*)$ /rpm-reef/$1 break'
proxy: http://158.69.68.124
ceph_yum_data:
ensure: present
location: /ceph/yum
proxy: http://158.69.68.124/rpm-reef
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
ceph_apt:
ensure: present
location: /ceph/apt
proxy: http://158.69.68.124/debian-reef
ceph_apt_pool:
ensure: present
location: /ceph/apt/pool
proxy: http://158.69.68.124/debian-reef/pool
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
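Review bot: The four new ceph mirror entries proxy to `http://158.69.68.124` — a bare IP over plain HTTP — and `ceph_yum_data`/`ceph_apt_pool` then cache the responses for `1440h`, so anything an on-path party injects into repodata or pool files is served to every client for sixty days. If the upstream supports it, use an `https://` URL with a hostname so nginx can validate the certificate (verification is off by default in nginx's proxy module, so also enable it if the profile exposes that setting), leaving the apt/yum signature checks on the clients as the second layer rather than the only one.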
+10
@@ -0,0 +1,10 @@
# frozen_string_literal: true
require 'facter'
Facter.add('is_pveceph_mds') do
confine enc_role: 'roles::infra::proxmox::node'
setcode do
system('pgrep -x ceph-mds > /dev/null 2>&1')
end
end
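Review bot: `system('pgrep -x ceph-mds > /dev/null 2>&1')` goes through `/bin/sh` because of the redirections; the argument-list form `system('pgrep', '-x', 'ceph-mds', out: File::NULL, err: File::NULL)` runs pgrep directly and needs no shell. `Kernel#system` also returns `nil` when pgrep cannot be executed at all, so the fact would then be unset rather than `false`; appending `== true` pins it to a boolean. The `is_pveceph_osd` fact below has the same two issues.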
+10
@@ -0,0 +1,10 @@
# frozen_string_literal: true
require 'facter'
Facter.add('is_pveceph_osd') do
confine enc_role: 'roles::infra::proxmox::node'
setcode do
system('pgrep -x ceph-osd > /dev/null 2>&1')
end
end
@@ -0,0 +1,10 @@
# frozen_string_literal: true
# lib/facter/sshd_host_cert_exists.rb
require 'puppet'
Facter.add('sshd_host_cert_exists') do
setcode do
File.exist?('/etc/ssh/ssh_host_rsa_key-cert.pem')
end
end
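Review bot: `require 'puppet'` loads the whole Puppet runtime into this fact, which a `File.exist?` check does not need and which differs from the ceph facts above that `require 'facter'`; the `sshd_host_principals` fact below does the same. Use `require 'facter'` in both (in practice Facter is already loaded when custom facts are evaluated, so the line is mostly documentary). The `# lib/facter/sshd_host_cert_exists.rb` path comment duplicates the file name and will go stale on a rename.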
@@ -0,0 +1,15 @@
# frozen_string_literal: true
# lib/facter/sshd_host_principals.rb
require 'puppet'
Facter.add('sshd_host_principals') do
setcode do
principals_file = '/etc/ssh/host_principals'
if File.exist?(principals_file)
File.read(principals_file).split("\n")
else
[]
end
end
end
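Review bot: `File.read(principals_file).split("\n")` keeps a trailing `\r` and does not drop blank lines, so a CRLF-edited file yields principals that never match and a trailing empty line yields an `""` entry in the fact. `File.readlines(principals_file, chomp: true).map(&:strip).reject(&:empty?)` returns a clean list and handles both line endings.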
+27
@@ -0,0 +1,27 @@
class lidarr::config (
$user = $lidarr::params::user,
$group = $lidarr::params::group,
$base_path = $lidarr::params::base_path,
$bind_address = $lidarr::bind_address,
$port = $lidarr::port,
$ssl_port = $lidarr::ssl_port,
$enable_ssl = $lidarr::enable_ssl,
$launch_browser = $lidarr::launch_browser,
$api_key = $lidarr::api_key,
$authentication_method = $lidarr::authentication_method,
$authentication_required = $lidarr::authentication_required,
$branch = $lidarr::branch,
$log_level = $lidarr::log_level,
$ssl_cert_path = $lidarr::ssl_cert_path,
$ssl_cert_password = $lidarr::ssl_cert_password,
$url_base = $lidarr::url_base,
$instance_name = $lidarr::instance_name,
) {
file { "${base_path}/config.xml":
ensure => file,
content => template('lidarr/lidarr_config.xml.erb'),
owner => $user,
group => $group,
mode => '0644',
}
}
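Review bot: `mode => '0644'` makes `${base_path}/config.xml` world-readable, and the template receives `$api_key` and `$ssl_cert_password`, so — assuming the template emits them, as the parameter list suggests — any local account can read the Lidarr API key. Use `mode => '0640'` (or `'0600'`, since only `$user` needs it) and add `show_diff => false` so the key does not appear in agent reports and logs when it changes.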
+37
@@ -0,0 +1,37 @@
# manage lidarr
class lidarr (
$packages = $lidarr::params::packages,
$user = $lidarr::params::user,
$group = $lidarr::params::group,
$manage_group = $lidarr::params::manage_group,
$base_path = $lidarr::params::base_path,
$install_path = $lidarr::params::install_path,
$config_folder = $lidarr::params::config_folder,
$app_folder = $lidarr::params::app_folder,
$archive_name = $lidarr::params::archive_name,
$archive_url = $lidarr::params::archive_url,
$executable = $lidarr::params::executable,
$service_enable = $lidarr::params::service_enable,
$service_name = $lidarr::params::service_name,
$bind_address = $lidarr::params::bind_address,
$port = $lidarr::params::port,
$ssl_port = $lidarr::params::ssl_port,
$enable_ssl = $lidarr::params::enable_ssl,
$launch_browser = $lidarr::params::launch_browser,
$api_key = $lidarr::params::api_key,
$authentication_method = $lidarr::params::authentication_method,
$authentication_required = $lidarr::params::authentication_required,
$branch = $lidarr::params::branch,
$log_level = $lidarr::params::log_level,
$ssl_cert_path = $lidarr::params::ssl_cert_path,
$ssl_cert_password = $lidarr::params::ssl_cert_password,
$url_base = $lidarr::params::url_base,
$instance_name = $lidarr::params::instance_name,
) inherits lidarr::params {
include lidarr::install
include lidarr::config
include lidarr::service
Class['lidarr::install'] -> Class['lidarr::config'] -> Class['lidarr::service']
}
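Review bot: Every parameter of `class lidarr` is untyped while `lidarr::params` declares types such as `Stdlib::Port` and `Enum[...]`; because automatic lookup binds `lidarr::port` before falling back to `$lidarr::params::port`, a value supplied under the `lidarr::*` keys skips those checks entirely. Mirroring the types here (`Stdlib::Port $port = $lidarr::params::port,` and so on) closes that gap. A class-level comment stating which keys hieradata is expected to set (`lidarr::params::*`, as the node files in this commit do for the sibling apps) would also help.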
+61
@@ -0,0 +1,61 @@
# instsall lidarr
class lidarr::install (
$packages = $lidarr::packages,
$user = $lidarr::user,
$group = $lidarr::group,
$manage_group = $lidarr::manage_group,
$base_path = $lidarr::base_path,
$install_path = $lidarr::install_path,
$config_folder = $lidarr::config_folder,
$app_folder = $lidarr::app_folder,
$archive_name = $lidarr::archive_name,
$archive_url = $lidarr::archive_url,
$executable = $lidarr::executable,
) {
$_packages = $packages ? {
Array => true,
default => false,
}
if $_packages {
ensure_packages($packages, {ensure => 'installed'})
}
if $manage_group {
group { $group:
ensure => present,
}
}
user { $user:
ensure => present,
shell => '/sbin/nologin',
groups => $group,
managehome => true,
}
file { [ $base_path, $install_path, $config_folder, $app_folder ]:
ensure => directory,
owner => $user,
group => $group,
}
archive { $archive_name:
path => "/tmp/${archive_name}",
source => "${archive_url}${archive_name}",
extract => true,
extract_path => $install_path,
creates => "${install_path}/${executable}",
cleanup => true,
require => File[$install_path],
user => $user,
group => $group,
notify => Exec['move_lidarr_files'],
}
exec { 'move_lidarr_files':
command => "/usr/bin/mv ${install_path}/Lidarr/* ${install_path}",
creates => "${install_path}/${executable}",
}
}
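Review bot: `Exec['move_lidarr_files']` can never do useful work: its `creates` is `${install_path}/${executable}`, which with the defaults is `/opt/lidarr/bin/Lidarr/Lidarr` and is exactly what the extraction produces, so the exec is skipped on the run that notifies it; if it ever did run, the default posix exec provider passes `Lidarr/*` literally without glob expansion, and moving the files would invalidate the archive's own `creates` and trigger a re-download on the next run. Drop the exec and the `notify` on the archive, since the service template already starts `${install_path}/${executable}`. Separately, the archive sets no `checksum`/`checksum_type`, so the tarball from `git.query.consul` is trusted on transport alone, and the header comment reads `instsall`.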
+50
@@ -0,0 +1,50 @@
# lidarr params
class lidarr::params (
Array[String] $packages = [
'mediainfo',
'libzen',
'libmediainfo',
'gettext',
'sqlite.x86_64',
'par2cmdline',
'python3-feedparser',
'python3-configobj',
'python3-cheetah',
'python3-dbus',
'libxslt-devel',
'libchromaprint',
],
String $user = 'lidarr',
String $group = 'lidarr',
Boolean $manage_group = true,
Stdlib::Absolutepath $base_path = '/opt/lidarr',
Stdlib::Absolutepath $install_path = '/opt/lidarr/bin',
Stdlib::Absolutepath $config_folder = '/home/lidarr/.config',
Stdlib::Absolutepath $app_folder = '/home/lidarr/.config/Lidarr',
String $archive_version = '2.3.3',
String $archive_name = 'Lidarr.master.linux-core-x64.tar.gz',
Stdlib::HTTPUrl $archive_url = "https://git.query.consul/api/packages/unkinben/generic/lidarr/${archive_version}/",
String $executable = 'Lidarr/Lidarr',
String $service_name = 'lidarr',
Boolean $service_enable = true,
# params for the configuration file
Stdlib::Host $bind_address = '127.0.0.1',
Stdlib::Port $port = 8686,
Stdlib::Port $ssl_port = 9696,
Boolean $enable_ssl = false,
Boolean $launch_browser = true,
String $api_key = '32-digit-random-string-goes-here',
Enum[
'Forms',
'Basic',
'External'
] $authentication_method = 'External',
Enum['Enabled', 'Disabled'] $authentication_required = 'Enabled',
String $branch = 'main',
Enum['debug', 'info', 'warn', 'error', 'fatal'] $log_level = 'info',
Optional[String] $ssl_cert_path = undef,
Optional[String] $ssl_cert_password = undef,
Optional[String] $url_base = undef,
String $instance_name = 'lidarr',
) { }
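Review bot: `String $api_key = '32-digit-random-string-goes-here'` means a node that does not override the key still gets a working, publicly guessable API key written into config.xml; make it `Optional[String] $api_key = undef` so the config class can fail fast when it is unset, and consider `Sensitive[String]` for both `$api_key` and `$ssl_cert_password` so they are redacted in catalogs and reports. The `$archive_url` default referencing the earlier `$archive_version` parameter is valid Puppet and reads clearly.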
+21
@@ -0,0 +1,21 @@
# manage lidarr service
class lidarr::service (
$service_enable = $lidarr::service_enable,
$service_name = $lidarr::service_name,
$user = $lidarr::user,
$group = $lidarr::user,
$install_path = $lidarr::install_path,
$executable = $lidarr::executable,
$base_path = $lidarr::base_path,
) {
if $service_enable {
include ::systemd
systemd::unit_file { "${service_name}.service":
content => template('lidarr/lidarr.service.erb'),
enable => true,
active => true,
subscribe => File["${base_path}/config.xml"],
}
}
}
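Review bot: `$group = $lidarr::user` on the fourth parameter should read `$group = $lidarr::group,`; as written the unit template's `Group=` receives the user name, which only works while user and group share a name (true with the defaults, but `lidarr::params::group` is settable and the sibling node files in this commit use `media`). `lidarr::config` above picks up `$lidarr::group` correctly, so the two classes would disagree after such an override.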
@@ -0,0 +1,14 @@
[Unit]
Description=<%= @service_name %> Daemon
After=syslog.target network.target
[Service]
User=<%= @user %>
Group=<%= @group %>
Type=simple
ExecStart=<%= @install_path %>/<%= @executable %> -nobrowser -data=<%= @base_path %>
KillMode=process
Restart=on-failure
TimeoutStopSec=20
[Install]
WantedBy=multi-user.target
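Review bot: `After=syslog.target` names a target that no longer exists in current systemd, so it orders nothing; `After=network.target` alone is sufficient, with `Wants=network-online.target` plus `After=network-online.target` if Lidarr needs name resolution at start. The unit runs as an unprivileged user but carries no sandboxing; `NoNewPrivileges=true` and `PrivateTmp=true` are safe additions for a daemon like this, and `ProtectSystem=full` should work as long as `@base_path` and the install path are the only locations it writes to — worth a test run before enabling. The rendering here may have dropped the blank lines between `[Unit]`, `[Service]` and `[Install]`; confirm they are present in the template.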
