From 00edd627df3a093aaccab05219cb3f814fdf9c7c Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 5 Jul 2025 11:15:59 +1000
Subject: [PATCH 1/2] feat: move pg_hba to hieradata
- remove hardcoded pg_hba
- move pg_hba to hieradata
---
 hieradata/roles/infra/puppetdb/sql.yaml | 8 ++++++++
 hieradata/roles/infra/sql/shared.yaml | 10 ++++++++++
 site/profiles/manifests/sql/patroni.pp | 10 ----------
 3 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/hieradata/roles/infra/puppetdb/sql.yaml b/hieradata/roles/infra/puppetdb/sql.yaml
index e7aacdb..85c69a7 100644
--- a/hieradata/roles/infra/puppetdb/sql.yaml
+++ b/hieradata/roles/infra/puppetdb/sql.yaml
@@ -15,6 +15,14 @@ profiles::sql::patroni::cluster_name: "patroni-puppetdb-%{facts.environment}"
 profiles::sql::patroni::postgres_exporter_enabled: true
 profiles::sql::patroni::postgres_exporter_user: postgres_exporter
 profiles::sql::patroni::pgsql_version: "17"
+patroni::bootstrap_pg_hba:
+ - 'local all postgres ident'
+ - 'host all all 0.0.0.0/0 md5'
+ - 'host replication repl 0.0.0.0/0 md5'
+patroni::pgsql_pg_hba:
+ - 'local all postgres ident'
+ - 'host all all 0.0.0.0/0 md5'
+ - 'host replication repl 0.0.0.0/0 md5'
 # FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
 python::manage_dev_package: false
diff --git a/hieradata/roles/infra/sql/shared.yaml b/hieradata/roles/infra/sql/shared.yaml
index 455d871..7a124be 100644
--- a/hieradata/roles/infra/sql/shared.yaml
+++ b/hieradata/roles/infra/sql/shared.yaml
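Review bot: The moved rules still grant `host all all 0.0.0.0/0 md5` and `host replication repl 0.0.0.0/0 md5` on a cluster pinned to `pgsql_version: "17"` (context line above the insertion); PostgreSQL documents md5 as the legacy password method and recommends scram-sha-256, and the `hieradata/roles/infra/sql/shared.yaml` hunk of this same patch already uses `scram-sha-256` for one rule, so now that the rules are per-role data this is the moment to make the method uniform, e.g. `- 'host all all 0.0.0.0/0 scram-sha-256'`. Switching only works once the stored role passwords were hashed under `password_encryption = scram-sha-256`, which this page does not show, so confirm that before flipping either file. `0.0.0.0/0` matches any IPv4 source (and no IPv6 source); if the original manifest meant "any cluster or client subnet", narrowing the CIDR to those subnets is the other cheap hardening, and it applies to the shared.yaml hunk as well. `patroni::bootstrap_pg_hba` and `patroni::pgsql_pg_hba` are identical lists in both files — a YAML anchor on the first (`patroni::bootstrap_pg_hba: &pg_hba`) and `patroni::pgsql_pg_hba: *pg_hba` would stop them drifting, provided the Hiera YAML backend in use honours anchors.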
@@ -15,6 +15,16 @@ profiles::sql::patroni::cluster_name: "patroni-shared-%{facts.environment}"
 profiles::sql::patroni::postgres_exporter_enabled: true
 profiles::sql::patroni::postgres_exporter_user: postgres_exporter
 profiles::sql::patroni::pgsql_version: "17"
+patroni::bootstrap_pg_hba:
+ - 'local all postgres ident'
+ - 'host all all 0.0.0.0/0 md5'
+ - 'host gitea gitea 0.0.0.0/0 scram-sha-256'
+ - 'host replication repl 0.0.0.0/0 md5'
+patroni::pgsql_pg_hba:
+ - 'local all postgres ident'
+ - 'host all all 0.0.0.0/0 md5'
+ - 'host gitea gitea 0.0.0.0/0 scram-sha-256'
+ - 'host replication repl 0.0.0.0/0 md5'
 python::manage_dev_package: false
diff --git a/site/profiles/manifests/sql/patroni.pp b/site/profiles/manifests/sql/patroni.pp
index 07bcfa7..079bd3d 100644
--- a/site/profiles/manifests/sql/patroni.pp
+++ b/site/profiles/manifests/sql/patroni.pp
@@ -64,16 +64,6 @@ class profiles::sql::patroni (
 pgsql_parameters => {
 'max_connections' => 5000,
 },
- bootstrap_pg_hba => [
- 'local all postgres ident',
- 'host all all 0.0.0.0/0 md5',
- 'host replication repl 0.0.0.0/0 md5',
- ],
- pgsql_pg_hba => [
- 'local all postgres ident',
- 'host all all 0.0.0.0/0 md5',
- 'host replication repl 0.0.0.0/0 md5',
- ],
 superuser_username => $superuser_username,
 superuser_password => $superuser_password,
 replication_username => $replication_username,
--
2.47.3
From 8c7d37f10fa94bd5447d64eaeb2f5a301dbb6ea4 Mon Sep 17 00:00:00 2001
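Review bot: `host gitea gitea 0.0.0.0/0 scram-sha-256` is listed after `host all all 0.0.0.0/0 md5` in both `patroni::bootstrap_pg_hba` and `patroni::pgsql_pg_hba`; pg_hba.conf is evaluated first-match, so a `gitea` connection from any IPv4 address is settled by the all/all md5 rule and the scram line is dead (assuming Patroni writes the list to pg_hba.conf in the order given, which is its documented behaviour). Move the gitea entry above the all/all entry in both lists, or make the all/all rule `scram-sha-256` too so that ordering no longer matters. The `0.0.0.0/0` source and the md5 method on the all/all and replication rules carry the same caveats as in the `hieradata/roles/infra/puppetdb/sql.yaml` hunk of this patch.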
From: Ben Vincent
Date: Sat, 5 Jul 2025 11:18:20 +1000
Subject: [PATCH 2/2] feat: add git server role
- add role for gitea cluster
- provision new postgresql database on shared-prod cluster
---
 hieradata/roles/infra/git/server.eyaml | 2 +
 hieradata/roles/infra/git/server.yaml | 101 +++++++++++++++++++++++
 site/roles/manifests/infra/git/server.pp | 11 +++
 3 files changed, 114 insertions(+)
 create mode 100644 hieradata/roles/infra/git/server.eyaml
 create mode 100644 hieradata/roles/infra/git/server.yaml
 create mode 100644 site/roles/manifests/infra/git/server.pp
diff --git a/hieradata/roles/infra/git/server.eyaml b/hieradata/roles/infra/git/server.eyaml
new file mode 100644
index 0000000..8a4c66c
--- /dev/null
+++ b/hieradata/roles/infra/git/server.eyaml
@@ -0,0 +1,2 @@
+---
+profiles::sql::postgresdb::dbpass: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/git/server.yaml b/hieradata/roles/infra/git/server.yaml
new file mode 100644
index 0000000..355080b
--- /dev/null
+++ b/hieradata/roles/infra/git/server.yaml
@@ -0,0 +1,101 @@
+---
+hiera_include:
+ - profiles::sql::postgresdb
+ - profiles::nginx::simpleproxy
+ - gitea
+
+# additional altnames
+profiles::pki::vault::alt_names:
+ - git.unkin.net
+ - git.main.unkin.net
+ - git.service.consul
+ - git.query.consul
+ - "git.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+ - git.unkin.net
+ - git.main.unkin.net
+ - git.service.consul
+ - git.query.consul
+
+consul::services:
+ git:
+ service_name: 'git'
+ address: "%{facts.networking.ip}"
+ port: 443
+ checks:
+ - id: 'gitea_https_check'
+ name: 'Gitea HTTPS Check'
+ http: "https://%{facts.networking.fqdn}:443"
+ method: 'GET'
+ tls_skip_verify: true
+ interval: '10s'
+ timeout: '1s'
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: git
+ disposition: write
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'git.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+ - git.unkin.net
+ - git.main.unkin.net
+ - git.service.consul
+ - git.query.consul
+ - "git.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::nginx::simpleproxy::proxy_port: 3000
+profiles::nginx::simpleproxy::proxy_path: '/'
+nginx::client_max_body_size: 1024M
+
+profiles::sql::postgresdb::cluster_name: "patroni-shared-%{facts.environment}"
+profiles::sql::postgresdb::dbname: gitea
+profiles::sql::postgresdb::dbuser: gitea
+
+gitea::ensure: '1.22.4'
+gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
+gitea::custom_configuration:
+ '':
+ APP_NAME: 'Gitea'
+ RUN_USER: 'git'
+ RUN_MODE: 'prod'
+ repository:
+ ROOT: '/shared/apps/gitea/repos'
+ FORCE_PRIVATE: false
+ MAX_CREATION_LIMIT: -1
+ DISABLE_HTTP_GIT: false
+ DEFAULT_BRANCH: 'main'
+ DEFAULT_PRIVATE: 'last'
+ ui:
+ SHOW_USER_EMAIL: false
+ server:
+ PROTOCOL: 'http'
+ DOMAIN: 'git.unkin.net'
+ ROOT_URL: 'https://git.unkin.net'
+ HTTP_ADDR: '0.0.0.0'
+ HTTP_PORT: 3000
+ START_SSH_SERVER: false
+ SSH_DOMAIN: 'git.unkin.net'
+ SSH_PORT: 2222
+ SSH_LISTEN_HOST: '0.0.0.0'
+ OFFLINE_MODE: true
+ APP_DATA_PATH: '/shared/apps/gitea'
+ SSH_LISTEN_PORT: 22
+ LFS_START_SERVER: true
+ database:
+ DB_TYPE: 'postgres'
+ HOST: "master.%{hiera('profiles::sql::postgresdb::cluster_name')}.service.%{facts.country}-%{facts.region}.consul:5432"
+ NAME: "%{hiera('profiles::sql::postgresdb::dbname')}"
+ USER: "%{hiera('profiles::sql::postgresdb::dbuser')}"
+ PASSWD: "%{hiera('profiles::sql::postgresdb::dbpass')}"
+ SSL_MODE: 'disable'
+ LOG_SQL: false
+ lfs:
+ PATH: '/shared/apps/gitea/lfs'
+ session:
+ PROVIDER: db
+ metrics:
+ ENABLED: true
+ ENABLED_ISSUE_BY_REPOSITORY: true
+ ENABLED_ISSUE_BY_LABEL: true
diff --git a/site/roles/manifests/infra/git/server.pp b/site/roles/manifests/infra/git/server.pp
new file mode 100644
index 0000000..489fb12
--- /dev/null
+++ b/site/roles/manifests/infra/git/server.pp
@@ -0,0 +1,11 @@
+# a role to deploy the gitea
+class roles::infra::git::server {
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ include profiles::base::datavol
+ }
+}
--
2.47.3
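Review bot: `HTTP_ADDR: '0.0.0.0'` under `server:` binds the plaintext Gitea backend (`PROTOCOL: 'http'`, `HTTP_PORT: 3000`) on every interface, while the same file puts nginx in front of it via `profiles::nginx::simpleproxy::proxy_port: 3000`; if that proxy reaches Gitea on the local host (the simpleproxy profile is not on this page), `HTTP_ADDR: '127.0.0.1'` keeps the TLS-terminating proxy the only way in. The `database:` block sets `SSL_MODE: 'disable'` for a connection that crosses the network to `master.patroni-shared-….service….consul:5432`, and the matching pg_hba rules in patch 1 are `host` rather than `hostssl`, so the session is unencrypted unless the cluster enforces TLS somewhere not shown here; `SSL_MODE: 'require'` (or `verify-full` with the cluster CA) is the usual setting once the cluster offers TLS. The consul check's `tls_skip_verify: true` may be deliberate for a locally-issued certificate, but it deserves a one-line comment saying why verification is off, e.g. `# check hits the node by FQDN; cert SANs are the service names above`. Minor: with `START_SSH_SERVER: false` the `SSH_LISTEN_HOST`/`SSH_LISTEN_PORT` keys are inert and `SSH_PORT: 2222` is only what clone URLs advertise, so confirm the host sshd actually listens on 2222.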
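Review bot: `include profiles::defaults` is repeated in both branches of `if $facts['firstrun']` in `roles::infra::git::server`; hoisting it above the conditional leaves each branch holding only what differs between first run and steady state. `}else{` should be spaced as `} else {` to match the usual puppet-lint style, and the header comment `# a role to deploy the gitea` would be more useful as `# Role for a Gitea git server; its service profiles (profiles::sql::postgresdb, profiles::nginx::simpleproxy, gitea) are pulled in via hiera_include from hieradata/roles/infra/git/server.yaml`, since nothing in the manifest itself shows where the services come from.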