unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

neoloc/grafana #37

Merged
unkinben merged 4 commits from neoloc/grafana into develop 2024-06-16 18:51:08 +10:00
Conversation 0 Commits 4 Files Changed 10 +983 -125
84 changed files with 983 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 0fe05bb896 - Show all commits

4
Puppetfile
View File

@ -35,10 +35,14 @@ mod 'puppet-vault', '4.1.0'
mod 'puppet-dhcp', '6.1.0'
mod 'puppet-keepalived', '3.6.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-filemapper', '4.0.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
mod 'saz-sudo', '8.0.0'
mod 'saz-ssh', '12.1.0'
mod 'ghoneycutt-timezone', '4.0.0'
mod 'dalen-puppetdbquery', '3.0.1'
mod 'markt-galera', '3.1.0'

111
hieradata/common.yaml
View File

@ -108,11 +108,22 @@ lookup_options:
profiles::nginx::simpleproxy::nginx_aliases:
merge:
strategy: deep
networking::interfaces:
merge:
strategy: deep
networking::routes:
merge:
strategy: deep
ssh::server::options:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
hiera_classes:
hiera_include:
- timezone
- networking
- ssh::server
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@ -215,6 +226,38 @@ puppetdbsql: puppetdbsql.service.au-syd1.consul
prometheus::node_exporter::export_scrape_job: true
prometheus::systemd_exporter::export_scrape_job: true
ssh::server::storeconfigs_enabled: false
ssh::server::options:
Protocol: '2'
ListenAddress:
- '127.0.0.1'
- '%{facts.networking.ip}'
SyslogFacility: 'AUTHPRIV'
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
HostCertificate: /etc/ssh/ssh_host_rsa_key-cert.pem
AuthorizedKeysFile: .ssh/authorized_keys
PermitRootLogin: no
PasswordAuthentication: no
ChallengeResponseAuthentication: no
PubkeyAuthentication: yes
GSSAPIAuthentication: yes
GSSAPICleanupCredentials: yes
UsePAM: yes
X11Forwarding: no
PrintMotd: no
AcceptEnv:
- LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
Subsystem: sftp /usr/libexec/openssh/sftp-server
profiles::ssh::knownhosts::lines:
- '@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1HD97vYxLTniE4qNpGuftUlvmkEXIuX8+7nbENv/IzsGUghEDRtyThjQ7ojNKIsQ7f8wXr0gMcI+fAPfrbcOMHCAoYMomikwL0b3h95SZI40q3CyM+0DMnwiVVDX6C1QxkO2Rv9cszSkCa85NotJhXiUuTBI9BFcRPy+mAhbpAru+bfypYofI0wW97XNTl8Jgwmni5MgutBIQAokFIn5ux8iWxndCH3AqDtmkwC5DfQeQ+wZx7rkwqJEpJffQzrjb1gIM6P9hDCVBBVPh/3o80IJ69rFWrJAZUb+JpG4cXJH0NcSW+wqc3JCT/x3q8VlHwOTXSlNNKtOJCRx73mB8e1XTTy2a9FgpKDDg5XQXWHAViJDz1RTRL9gRefMylRgKz4bXoTuY9kJWM8hPTyUejtukbJThlBJc3OmDxBZBF7F0iqB11pHexok43OCEiANodVa36eWu9/5X032Vm48fZ1/akDPY/NSy3wAn7kwut+A0/JAHFHASrq+1mt9YurkJegI+YHXO6eEWpBIpmI7ORHJbGL4MhkHrxYzVamuP8CkU7tXzsv138+wpOcRHNp9yJY4PT40BZkRf/O3O+jt3pj9Dj8rvgywF2W6hFzywh3Y78upOprRkQlQtHfsI8EyrYI8/hUw2u3H+3yPXh3YjWfqvWVG1BRLRHBV7m90uaw=='
profiles::base::groups::local:
admins:
ensure: present
@ -231,38 +274,34 @@ sudo::configs:
profiles::accounts::sysadmin::sshkeys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
profiles::base::hosts::additional_hosts:
- ip: 198.18.17.3
hostname: prodinf01n01.main.unkin.net
aliases:
- prodinf01n01
- puppet
- puppetmaster
- puppetca
- ip: 198.18.17.4
hostname: prodinf01n04.main.unkin.net
aliases:
- prodinf01n04
- ip: 198.18.17.5
hostname: prodinf01n05.main.unkin.net
aliases:
- prodinf01n05
- ip: 198.18.17.6
hostname: prodinf01n06.main.unkin.net
aliases:
- prodinf01n06
- ip: 198.18.17.9
hostname: prodinf01n09.main.unkin.net
aliases:
- prodinf01n09
- ntp01.main.unkin.net
- ip: 198.18.17.10
hostname: prodinf01n10.main.unkin.net
aliases:
- prodinf01n10
- ntp02.main.unkin.net
- ip: 198.18.17.22
hostname: prodinf01n22.main.unkin.net
aliases:
- prodinf01n22
- repos.main.unkin.net
networking::interfaces:
eth0:
ensure: present
family: inet
method: static
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
ensure: present
interface: eth0
netmask: 0.0.0.0
network: default
#profiles::base::hosts::additional_hosts:
# - ip: 198.18.17.9
# hostname: prodinf01n09.main.unkin.net
# aliases:
# - prodinf01n09
# - ntp01.main.unkin.net
# - ip: 198.18.17.10
# hostname: prodinf01n10.main.unkin.net
# aliases:
# - prodinf01n10
# - ntp02.main.unkin.net
# - ip: 198.18.17.22
# hostname: prodinf01n22.main.unkin.net
# aliases:
# - prodinf01n22
# - repos.main.unkin.net

1
hieradata/country/au/region/drw1/infra/puppet/master.eyaml
View File

@ -1,3 +1,4 @@
---
certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl]
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]

1
hieradata/country/au/region/syd1/infra/puppet/master.eyaml
View File

@ -1,3 +1,4 @@
---
certmanager::vault_token: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJuE+uzgQaBRUXBCigckEo1j+UxxbiUGrzdf/B9K7XPdVxZh6TzYLpBgNnyaT6vLo0boX4uRD/By0gT5R/2qcXD6d/j+fh517Ctk4d2uO64f0vH3PzyyOBalsNtcCdPiV3q/xGqzQSHhPiNkFEjDvMBz5p53UjfKA6gAiPrLklp4rN/NVyiLBw20NeIqbL25VdkQa13ViS0Gm/eUQu7a2xQ1dvQFWWfuLaQxO0dh8L0ynkfmWKIjaiD5412Z8hYURu0otxbqVDdIbEMx5xQsXnFKeN93yHmgs7a7M6fLdp9jh+G8B+IlK1W7/9v2+RT0/yI3ZgWHVTvDRhMHuPGBjfTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC5avtOPp9N65U1ILQENnvAgDBqI8XAjqbWIvXHqOEiKYdu+co0EEtsHR1v5xAeCmj/ZA6MLeKFlAVJbvpyCpzjons=]
sshsignhost::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAT86C/InXrgDtXCc9NFze91YMvjTNDqWgv4uzPFI48clOeQyD6x+vOHWP2yNp1OyNHcYLCiLyrv+rSIQyXlLnbeyZWV+7kXIon057Tp7l0BxWtd0hjQEcyWzqQQE7R264C8/qKRak81LIu6RshWZAchYo/BMPuOqVr0m+1zDwOV9JwZc3bpexzsl57CK5pesOrpfdvnd/xrOoEMR+P+C5PC6QLtQl3zkOD3N9kP6HqwbhWH5ZBPy88Kc+5kYM6QVpQSjFIIHK1SWsN0VZoxpkuFlFXB5KHDgZtg3kxrofzjQghl41zJBCDq9Z5oZ+2b1p/j/9jCASyp/ju68H5WXzbzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCf4Nqp6SAl/XjmhPDnTvVJgDCdDhxWaChhjJ3eRcW4NTFgf3zm7Bu65za0li26FKuKks00duF4zebfNw7ZUVsYtIU=]

7
hieradata/nodes/ausyd1nxvm1000.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.10
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1001.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.11
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1002.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.12
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1003.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.13
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1004.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.14
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1005.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.15
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1006.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.16
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1007.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.17
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1008.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.18
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1009.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.19
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1010.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.20
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1011.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.21
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1012.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.22
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1013.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.23
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1014.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.24
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1015.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.25
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1016.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.26
networking::routes:
default:
gateway: 198.18.13.254

6
hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml
View File

@ -1,2 +1,8 @@
---
profiles::cobbler::params::is_cobbler_master: true
networking::interfaces:
eth0:
ipaddress: 198.18.13.27
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1018.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.28
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1019.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.29
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1020.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.30
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1021.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.31
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1022.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.32
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1023.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.33
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1024.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.34
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1025.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.35
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1026.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.36
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1027.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.37
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1028.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.38
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1029.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.39
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1030.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.40
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1031.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.41
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1032.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.42
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1033.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.43
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1034.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.44
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1035.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.45
networking::routes:
default:
gateway: 198.18.13.254

12
hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml
View File

@ -5,5 +5,17 @@ profiles::puppet::server::dns_alt_names:
- puppetca.query.consul
- puppetca
profiles::ssh::sign::principals:
- puppetca.main.unkin.net
- puppetca.service.consul
- puppetca.query.consul
- puppetca
profiles::puppet::puppetca::is_puppetca: true
profiles::puppet::puppetca::allow_subject_alt_names: true
networking::interfaces:
eth0:
ipaddress: 198.18.13.46
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1037.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.47
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1038.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.48
networking::routes:
default:
gateway: 198.18.13.254

7
hieradata/nodes/ausyd1nxvm1039.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,7 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.49
networking::routes:
default:
gateway: 198.18.13.254

3
hieradata/nodes/prodinf01n01.main.unkin.net.yaml
View File

@ -7,3 +7,6 @@ profiles::puppet::server::dns_alt_names:
profiles::puppet::puppetca::is_puppetca: false
profiles::puppet::puppetca::allow_subject_alt_names: true
hiera_exclude:
- networking

11
hieradata/os/AlmaLinux/all_releases.yaml
View File

@ -19,44 +19,53 @@ profiles::yum::global::repos:
target: /etc/yum.repos.d/baseos.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
extras:
name: extras
descr: extras repository
target: /etc/yum.repos.d/extras.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
appstream:
name: appstream
descr: appstream repository
target: /etc/yum.repos.d/appstream.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
highavailability:
name: highavailability
descr: highavailability repository
target: /etc/yum.repos.d/highavailability.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
mirrorlist: absent
epel:
name: epel
descr: epel repository
target: /etc/yum.repos.d/epel.repo
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
mirrorlist: absent
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
mirrorlist: absent
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
mirrorlist: absent

3
hieradata/os/Debian/all_releases.yaml
View File

@ -1,6 +1,6 @@
# hieradata/os/debian/all_releases.yaml
---
profiles::apt::base::mirrorurl: http://repos.main.unkin.net/debian
profiles::apt::base::mirrorurl: https://edgecache.query.consul/debian/
profiles::apt::base::secureurl: http://security.debian.org/debian-security
profiles::apt::puppet7::mirror: http://apt.puppetlabs.com
profiles::apt::puppet7::repo: puppet7
@ -12,3 +12,4 @@ profiles::packages::install:
- xz-utils
lm-sensors::package: lm-sensors
networking::nwmgr_dns_none: false

2
hieradata/roles/infra/cobbler/server.yaml
View File

@ -17,5 +17,5 @@ profiles::pki::vault::alt_names:
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
profiles::selinux::setenforce::mode: permissive
hiera_classes:
hiera_include:
- profiles::selinux::setenforce

2
hieradata/roles/infra/git/gitea.eyaml
View File

@ -1,3 +1,3 @@
---
profiles::gitea::init::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
profiles::gitea::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEACd6q4E/4l1EYD3SFjc1okibyJ13kcGGWU+ShbCgwLgkW7INkyCxhbNm69yPA7WcyuRhH/Lfz/XjJKd3BSCyRQPr5IUOIRINspx82tLBcaMzY/99GFrfyDnf3+SV/AxrPJ/zD5TGkKQP7uX6WjC9DXpHE+pFJa9wBAipmV439y0JDVt2gXFmhqBWThSjBDBfJ5X4zO5wY8CfBX4APOcD5hIQP/T4n04dQLNpigEKKy6B+GFuooTbdmMmFj3ZpT+cUS8Aw9mFkBwyyN1o+50XU3vW4eieUz8cYkzDPu574XfTunqD2jcvPiFjCla8G1SpKfHkruKnZWwgO0Ntw9td5QDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAIRVL5j4dzbYg6f2XjvkQ6gDAd2qUNzPn2flZgKwsjIZcYdmFMTn48hGPUFfVaMDeyzPoJi84CyRJl8cQvcAe52sw=]

45
hieradata/roles/infra/git/gitea.yaml
View File

@ -6,6 +6,11 @@ profiles::pki::vault::alt_names:
- git.query.consul
- "git.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- git.main.unkin.net
- git.service.consul
- git.query.consul
consul::services:
git:
service_name: 'git'
@ -37,3 +42,43 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 3000
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 250M
profiles::gitea::init::root:
APP_NAME: 'Gitea'
RUN_USER: 'git'
RUN_MODE: 'prod'
profiles::gitea::init::repository:
ROOT: '/data/gitea/repos'
FORCE_PRIVATE: false
MAX_CREATION_LIMIT: -1
DISABLE_HTTP_GIT: false
DEFAULT_BRANCH: 'main'
DEFAULT_PRIVATE: 'last'
profiles::gitea::init::ui:
SHOW_USER_EMAIL: false
profiles::gitea::init::server:
PROTOCOL: 'http'
DOMAIN: 'git.query.consul'
ROOT_URL: 'https://git.query.consul'
HTTP_ADDR: '0.0.0.0'
HTTP_PORT: 3000
START_SSH_SERVER: false
SSH_DOMAIN: 'git.query.consul'
SSH_PORT: 2222
SSH_LISTEN_HOST: '0.0.0.0'
OFFLINE_MODE: true
APP_DATA_PATH: '/data/gitea'
SSH_LISTEN_PORT: 22
LFS_START_SERVER: true
profiles::gitea::init::database:
DB_TYPE: 'mysql'
HOST: 'mariadb-prod.service.au-syd1.consul:3306'
NAME: 'gitea'
USER: 'gitea'
PASSWD: "%{hiera('profiles::gitea::mysql_pass')}"
SSL_MODE: 'disable'
LOG_SQL: false
profiles::gitea::init::lfs:
PATH: '/data/gitea/lfs'
profiles::gitea::init::session:
PROVIDER: db

21
hieradata/roles/infra/ntp/server.yaml
View File

@ -12,3 +12,24 @@ profiles::ntp::server::peers:
- '1.au.pool.ntp.org'
- '2.au.pool.ntp.org'
- '3.au.pool.ntp.org'
consul::services:
ntp:
service_name: 'ntp'
tags:
- 'ntp'
- 'time'
- 'sync'
address: "%{facts.networking.ip}"
port: 123
checks:
- id: ntp_check
name: "NTP Service Check"
args:
- '/usr/local/bin/check_ntp.sh'
interval: '15s'
timeout: '5s'
profiles::consul::client::node_rules:
- resource: service
segment: ntp
disposition: write

14
hieradata/roles/infra/proxmox.yaml
View File

@ -5,3 +5,17 @@ sudo::configs:
content: |
ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
hiera_exclude:
- networking
# proxmox tools use root to authenticate against each other
ssh::server::options:
PermitRootLogin: yes
AcceptEnv:
- LANG LC_*
- LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- LC_IDENTIFICATION LC_ALL LANGUAGE
- XMODIFIERS
ListenAddress:
- "%{facts.networking.interfaces.enp3s0.ip}"

12
hieradata/roles/infra/puppet/master.yaml
View File

@ -37,6 +37,14 @@ profiles::helpers::certmanager::vault_config:
output_path: '/tmp/certmanager'
role_id: "%{lookup('certmanager::role_id')}"
profiles::helpers::sshsignhost::vault_config:
addr: 'https://vault.service.consul:8200'
mount_point: 'ssh-host-signer'
approle_path: 'approle'
role_name: 'hostrole'
output_path: '/tmp/sshsignhost'
role_id: "%{lookup('sshsignhost::role_id')}"
profiles::puppet::server::agent_server: 'puppet.query.consul'
profiles::puppet::server::report_server: 'puppet.query.consul'
profiles::puppet::server::ca_server: 'puppetca.query.consul'
@ -50,6 +58,10 @@ profiles::puppet::server::dns_alt_names:
- puppetmaster
- puppet
profiles::ssh::sign::principals:
- puppet.service.consul
- puppet.query.consul
consul::services:
puppet:
service_name: 'puppet'

1
hieradata/roles/infra/puppetdb/sql.eyaml Normal file
View File

@ -0,0 +1 @@
profiles::puppet::puppetdb_sql::consul_test_db_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAes6pfgtxctlXpsD+P5bahGP46nbXdPE3EiwdWPSiFP0MKfzFKbhlfOMydhz09fXHEa5mpOY3YHxN9W0tNmbs6mMvHIKKvNog6yowv7JnsQ+D89+c3JEdbi+DPwk6wVnKQEgnSn5uzoOHJVOd7hhtX85n1VTw9iTtSPGZprh11A3VII8dkUaPu6jc35rDGV6tgPvxaYy2vVH/b7wGP+kEe9WjoYU7Qw3odrY2yloGbQ3zXGh7ZXvK9iswKIuCLAMPoaUyJpzVooV7VqD4k/zEHhRgf88RMtww//9P8OHPJ9JPM2q3zHyZzoqRfOP723AP9z2V7OyhEoUNw5npaA6TpzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBJevTZmH+Qm1mxwNxHdOzHgCAelk9abLhQkUO29O5d2PP04OTTlmK51BxHb203jqZSFQ==]

35
hieradata/roles/infra/puppetdb/sql.yaml
View File

@ -2,3 +2,38 @@
postgresql_config_entries:
max_connections: 300
shared_buffers: '256MB'
consul::services:
puppetdbsql:
service_name: 'puppetdbsql'
tags:
- 'puppet'
- 'puppetdb'
- 'database'
address: "%{facts.networking.ip}"
port: 5432
checks:
- id: 'psql-check'
name: 'PostgreSQL Health Check'
args:
- '/usr/local/bin/check_consul_postgresql'
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: puppetdbsql
disposition: write
profiles::yum::global::repos:
postgresql-15:
name: postgresql-15
descr: postgresql-15 repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/15/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL
postgresql-common:
name: postgresql-common
descr: postgresql-common repository
target: /etc/yum.repos.d/postgresql.repo
baseurl: https://edgecache.query.consul/postgres/yum/common/redhat/rhel-%{facts.os.release.full}-%{facts.os.architecture}
gpgkey: https://edgecache.query.consul/postgres/yum/keys/PGDG-RPM-GPG-KEY-RHEL

6
hieradata/roles/infra/storage/consul.yaml
View File

@ -77,3 +77,9 @@ profiles::consul::prepared_query::rules:
service_failover_n: 3
service_only_passing: true
ttl: 10
ntp:
ensure: 'present'
service_name: 'ntp'
service_failover_n: 3
service_only_passing: true
ttl: 10

10
modules/libs/lib/facter/sshd_host_cert_exists.rb Normal file
View File

@ -0,0 +1,10 @@
# frozen_string_literal: true
# lib/facter/sshd_host_cert_exists.rb
require 'puppet'
Facter.add('sshd_host_cert_exists') do
setcode do
File.exist?('/etc/ssh/ssh_host_rsa_key-cert.pem')
end
end

15
modules/libs/lib/facter/sshd_host_principals.rb Normal file
View File

@ -0,0 +1,15 @@
# frozen_string_literal: true
# lib/facter/sshd_host_principals.rb
require 'puppet'
Facter.add('sshd_host_principals') do
setcode do
principals_file = '/etc/ssh/host_principals'
if File.exist?(principals_file)
File.read(principals_file).split("\n")
else
[]
end
end
end

35
modules/networking/manifests/init.pp Normal file
View File

@ -0,0 +1,35 @@
# unkin networking module
class networking (
Hash $interfaces = {},
Hash $routes = {},
){
include network
include networking::params
$interfaces.each | $interface, $data | {
network_config {$interface:
* => $data,
}
}
$routes.each | $route, $data | {
network_route {$route:
* => $data,
}
}
# prevent DNS from being overwritten by networkmanager
if $networking::params::nwmgr_dns_none {
file {'/etc/NetworkManager/conf.d/dns_none.conf':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0655',
content => "[main]\ndns=none",
}
}else{
file {'/etc/NetworkManager/conf.d/dns_none.conf':
ensure => 'absent',
}
}
}

6
modules/networking/manifests/params.pp Normal file
View File

@ -0,0 +1,6 @@
# networking params
class networking::params (
Boolean $nwmgr_dns_none = true,
Boolean $nwmgr_service_running = true,
){
}

6
site/profiles/manifests/base.pp
View File

@ -32,6 +32,8 @@ class profiles::base (
include profiles::ntp::client
include profiles::dns::base
include profiles::pki::vault
include profiles::ssh::sign
include profiles::ssh::knownhosts
include profiles::cloudinit::init
include profiles::metrics::default
include profiles::helpers::node_lookup
@ -56,7 +58,9 @@ class profiles::base (
}
# include classes from hiera
lookup('hiera_classes', Array[String], 'unique').include
$hiera_include = lookup('hiera_include', Array[String], 'unique', [])
$hiera_exclude = lookup('hiera_exclude', Array[String], 'unique', [])
($hiera_include - $hiera_exclude).include
# specifc ordering constraints
Class['profiles::pki::vaultca']

7
site/profiles/manifests/cobbler/service.pp
View File

@ -14,4 +14,11 @@ class profiles::cobbler::service inherits profiles::cobbler::params {
enable => true,
require => File['/etc/httpd/conf.d/ssl.conf'],
}
# ensure tftp is running
service {'tftp':
ensure => 'running',
enable => true,
require => Package['cobbler'],
}
}

17
site/profiles/manifests/consul/client.pp
View File

@ -36,14 +36,15 @@ class profiles::consul::client (
# deploy the consul agent
class { 'consul':
config_hash => {
'data_dir' => $data_dir,
'datacenter' => $consul_cluster,
'log_level' => 'INFO',
'node_name' => $facts['networking']['fqdn'],
'retry_join' => $servers_array,
'bind_addr' => $::facts['networking']['ip'],
'advertise_addr' => $::facts['networking']['ip'],
'acl' => {
'data_dir' => $data_dir,
'datacenter' => $consul_cluster,
'log_level' => 'INFO',
'node_name' => $facts['networking']['fqdn'],
'retry_join' => $servers_array,
'bind_addr' => $::facts['networking']['ip'],
'advertise_addr' => $::facts['networking']['ip'],
'enable_script_checks' => true,
'acl' => {
tokens => {
default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")
}

1
site/profiles/manifests/defaults.pp
View File

@ -34,7 +34,6 @@ class profiles::defaults {
ensure => 'present',
enabled => 1,
gpgcheck => 1,
mirrorlist => 'absent',
require => Class['profiles::pki::vaultca'],
notify => Exec['dnf_makecache'],
}

57
site/profiles/manifests/gitea/init.pp
View File

@ -1,7 +1,13 @@
# profiles::gitea::init
class profiles::gitea::init (
String $mysql_pass = '',
String $lfs_jwt_secret = '',
Hash $root = {},
Hash $server = {},
Hash $database = {},
Hash $repository = {},
Hash $session = {},
Hash $lfs = {},
Hash $ui = {},
) {
include profiles::nginx::simpleproxy
@ -10,46 +16,13 @@ class profiles::gitea::init (
ensure => '1.22.0',
checksum => 'a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d',
custom_configuration => {
'' => {
'APP_NAME' => 'Gitea',
'RUN_USER' => 'git',
'RUN_MODE' => 'prod',
},
'repository' => {
'ROOT' => '/data/gitea/repos',
'FORCE_PRIVATE' => false,
'MAX_CREATION_LIMIT' => -1,
'DISABLE_HTTP_GIT' => false,
'DEFAULT_BRANCH' => 'main',
'DEFAULT_PRIVATE' => 'last',
},
'ui' => {
'SHOW_USER_EMAIL' => false,
},
'server' => {
'PROTOCOL' => 'http',
'DOMAIN' => 'git.query.consul',
'ROOT_URL' => 'https://git.query.consul',
'HTTP_ADDR' => '0.0.0.0',
'HTTP_PORT' => 3000,
'START_SSH_SERVER' => false,
'SSH_DOMAIN' => 'git.query.consul',
'SSH_PORT' => 2222,
'SSH_LISTEN_HOST' => '0.0.0.0',
'OFFLINE_MODE' => true,
'APP_DATA_PATH' => '/var/lib/gitea/data',
'SSH_LISTEN_PORT' => 22,
},
'database' => {
'DB_TYPE' => 'mysql',
'HOST' => 'mariadb-prod.service.au-syd1.consul:3306',
'NAME' => 'gitea',
'USER' => 'gitea',
'PASSWD' => Sensitive($mysql_pass),
'SSL_MODE' => 'disable',
'PATH' => '/var/lib/gitea/data/gitea.db',
'LOG_SQL' => false,
},
}
'' => $root,
server => $server,
database => $database,
repository => $repository,
session => $session,
lfs => $lfs,
ui => $ui,
},
}
}

77
site/profiles/manifests/helpers/sshsignhost.pp Normal file
View File

@ -0,0 +1,77 @@
# profiles::helpers::sshsignhost
#
# wrapper class for python, pip and venv
class profiles::helpers::sshsignhost (
String $script_name = 'sshsignhost',
Stdlib::AbsolutePath $base_path = "/opt/${script_name}",
Stdlib::AbsolutePath $venv_path = "${base_path}/venv",
Stdlib::AbsolutePath $config_path = "${base_path}/config.yaml",
Hash $vault_config = {},
String $owner = 'root',
String $group = 'root',
Boolean $systempkgs = false,
String $version = 'system',
Array[String[1]] $packages = ['requests', 'pyyaml'],
){
if $::facts['python3_version'] {
$python_version = $version ? {
'system' => $::facts['python3_version'],
default => $version,
}
# ensure the base_path exists
file { $base_path:
ensure => directory,
mode => '0755',
owner => $owner,
group => $group,
}
# create a venv
python::pyvenv { $venv_path :
ensure => present,
version => $python_version,
systempkgs => $systempkgs,
venv_dir => $venv_path,
owner => $owner,
group => $group,
require => File[$base_path],
}
# install the required pip packages
$packages.each |String $package| {
python::pip { "${venv_path}_${package}":
ensure => present,
pkgname => $package,
virtualenv => $venv_path,
}
}
# create the script from a template
file { "${base_path}/${script_name}":
ensure => file,
mode => '0755',
content => template("profiles/helpers/${script_name}.erb"),
require => Python::Pyvenv[$venv_path],
}
# create the config from a template
file { $config_path:
ensure => file,
mode => '0660',
owner => 'puppet',
group => 'root',
content => Sensitive(template("profiles/helpers/${script_name}_config.yaml.erb")),
require => Python::Pyvenv[$venv_path],
}
# create symbolic link in $PATH
file { "/usr/local/bin/${script_name}":
ensure => 'link',
target => "${base_path}/${script_name}",
require => File["${base_path}/${script_name}"],
}
}
}

8
site/profiles/manifests/ntp/server.pp
View File

@ -35,5 +35,13 @@ class profiles::ntp::server (
queryhosts => $allowquery,
}
}
file {'/usr/local/bin/check_ntp.sh':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => template('profiles/ntp/check_ntp.sh.erb'),
}
}
}

1
site/profiles/manifests/puppet/client.pp
View File

@ -12,6 +12,7 @@ class profiles::puppet::client (
Integer $runtimeout = 3600,
Boolean $show_diff = true,
Boolean $usecacheonfailure = false,
Integer $facts_soft_limit = 4096,
) {
# dont manage puppet.conf if this is a puppetmaster

29
site/profiles/manifests/puppet/enc.pp
View File

@ -10,32 +10,12 @@ class profiles::puppet::enc (
Boolean $force = false,
) {
vcsrepo { '/opt/puppetlabs/enc':
ensure => latest,
provider => git,
source => $repo,
revision => $release,
force => $force,
require => Package['git'],
}
file { '/opt/puppetlabs/bin/enc':
ensure => link,
target => '/opt/puppetlabs/enc/enc.py',
require => Vcsrepo['/opt/puppetlabs/enc'],
ensure => absent,
}
file { '/opt/puppetlabs/bin/puppet-enc':
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
content => "#!/bin/bash\n(
cd /opt/puppetlabs/enc/
git reset --hard master
git clean -fd
git pull\n)",
require => Package['git'],
ensure => absent,
}
$_timer = @(EOT)
@ -63,8 +43,7 @@ class profiles::puppet::enc (
systemd::timer { 'puppet-enc.timer':
timer_content => $_timer,
service_content => $_service,
active => true,
enable => true,
require => File['/opt/puppetlabs/bin/puppet-enc'],
active => false,
enable => false,
}
}

26
site/profiles/manifests/puppet/puppetca.pp
View File

@ -21,16 +21,40 @@ class profiles::puppet::puppetca (
# manage the crl file
if $is_puppetca {
# export the puppet crl.pem
@@file { '/etc/puppetlabs/puppet/ssl/crl.pem':
@@file { '/etc/puppetlabs/puppet/ssl/crl.pem.latest':
ensure => file,
content => file('/etc/puppetlabs/puppet/ssl/crl.pem'),
tag => 'crl_pem_export',
}
systemd::manage_dropin { 'copy_crl.conf':
ensure => absent,
unit => 'puppetserver.service',
}
}else{
# import the puppet crl.pem
File <<| tag == 'crl_pem_export' |>> {
require => Service['puppetserver'],
}
# copy latest to active location
file { '/etc/puppetlabs/puppet/ssl/crl.pem':
ensure => file,
owner => 'puppet',
group => 'puppet',
source => '/etc/puppetlabs/puppet/ssl/crl.pem.latest',
require => File['/etc/puppetlabs/puppet/ssl/crl.pem.latest'],
}
# copy the latest crl when restarting
systemd::manage_dropin { 'copy_crl.conf':
ensure => present,
unit => 'puppetserver.service',
service_entry => {
'ExecStartPost' => [
'/usr/bin/sleep 2',
'/bin/cp /etc/puppetlabs/puppet/ssl/crl.pem.latest /etc/puppetlabs/puppet/ssl/crl.pem',
],
},
require => File['/etc/puppetlabs/puppet/ssl/crl.pem'],
}
}
# register the PuppetCA service with consul

24
site/profiles/manifests/puppet/puppetdb_sql.pp
View File

@ -2,6 +2,7 @@
class profiles::puppet::puppetdb_sql (
String $puppetdb_host = lookup('puppetdbsql'),
String $listen_address = $facts['networking']['ip'],
String $consul_test_db_pass = '',
) {
# disable the postgresql dnf module for el8+
@ -17,9 +18,11 @@ class profiles::puppet::puppetdb_sql (
# Install and configure PostgreSQL for PuppetDB
class { 'puppetdb::database::postgresql':
listen_addresses => $listen_address,
postgres_version => '15',
puppetdb_server => $puppetdb_host,
listen_addresses => $listen_address,
postgres_version => '15',
puppetdb_server => $puppetdb_host,
manage_package_repo => false,
require => [ Yumrepo['postgresql-15'],Yumrepo['postgresql-common'] ],
}
contain ::puppetdb::database::postgresql
@ -32,4 +35,19 @@ class profiles::puppet::puppetdb_sql (
value => $value,
}
}
# create consul database + user to test the host is responsive
postgresql::server::db { 'consul_test_db':
user => 'consul_test_user',
password => postgresql::postgresql_password('consul_test_user', Sensitive($consul_test_db_pass) ),
}
file { '/usr/local/bin/check_consul_postgresql':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => template('profiles/puppetdb/check_consul_postgresql.erb'),
before => Class['profiles::consul::client'],
}
}

1
site/profiles/manifests/puppet/puppetmaster.pp
View File

@ -15,6 +15,7 @@ class profiles::puppet::puppetmaster (
include profiles::puppet::autosign
include profiles::puppet::gems
include profiles::helpers::certmanager
include profiles::helpers::sshsignhost
include profiles::puppet::server
include profiles::puppet::puppetca
include profiles::puppet::eyaml

12
site/profiles/manifests/puppet/server.pp
View File

@ -28,6 +28,7 @@ class profiles::puppet::server (
Integer $runinterval = 1800,
Integer $runtimeout = 3600,
Boolean $show_diff = true,
Integer $facts_soft_limit = 4096,
) {
file { '/etc/puppetlabs/puppet/puppet.conf':
@ -59,6 +60,7 @@ class profiles::puppet::server (
'storeconfigs_backend' => $storeconfigs_backend,
'reports' => $reports,
'usecacheonfailure' => $usecacheonfailure,
'facts_soft_limit' => $facts_soft_limit,
}),
notify => Service['puppetserver'],
}
@ -69,4 +71,14 @@ class profiles::puppet::server (
hasstatus => true,
hasrestart => true,
}
# generate puppet types when restarting
systemd::manage_dropin { 'generate_types.conf':
ensure => present,
unit => 'puppetserver.service',
service_entry => {
'ExecStartPost' => [
"/opt/puppetlabs/bin/puppet generate types --environmentpath ${codedir}/environments",
],
},
}
}

12
site/profiles/manifests/ssh/knownhosts.pp Normal file
View File

@ -0,0 +1,12 @@
# manage known hosts
class profiles::ssh::knownhosts (
Array $lines = [],
) {
file {'/etc/ssh/ssh_known_hosts':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0644',
content => template('profiles/ssh/ssh_known_hosts.erb'),
}
}

84
site/profiles/manifests/ssh/sign.pp Normal file
View File

@ -0,0 +1,84 @@
# profiles::ssh::sign
class profiles::ssh::sign (
Optional[Array[Stdlib::Host]] $principals = [],
){
# validate and prepare additional alt_names, if any
$default_principals = [
$::facts['networking']['hostname'],
$::facts['networking']['fqdn'],
$::facts['networking']['ip'],
]
$effective_principals = $principals ? {
[] => $default_principals,
default => concat($default_principals, $principals),
}
# path for the principals file
$principals_file = '/etc/ssh/host_principals'
# alt_names_file contents
$principals_file_content = $effective_principals
# manage the alt names file
file { $principals_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => join($principals_file_content, "\n"),
}
# compare the sorted arrays of principals from disk (fact) vs what is intended (this run)
$principals_match = sort($::facts['sshd_host_principals']) == sort($principals_file_content)
# only renew signed certificate if doesnt exist or the principals have changed
if ! $::facts['sshd_host_cert_exists'] or ! $principals_match {
$common_name = $::facts['networking']['fqdn']
$valid_hours = '87600h'
# prepare alt_names and ip_sans arguments conditionally
$principals_string = $effective_principals.empty() ? {
true => '',
default => join($effective_principals, ','),
}
# sshsignhost arguments
$cmd = '/usr/local/bin/sshsignhost'
$principals_arg = '--valid_principals'
$ttl_arg = '--ttl'
$public_key_arg = '--public_key'
# call the script with generate(), capturing json output
$json_output = generate(
$cmd,
$principals_arg,
$principals_string,
$ttl_arg,
$valid_hours,
$public_key_arg,
"${facts['ssh']['rsa']['type']} ${facts['ssh']['rsa']['key']}",
'--json'
)
$signed_data = parsejson($json_output)
# manage the signed hostkey file
file { '/etc/ssh/ssh_host_rsa_key-cert.pem':
ensure => file,
content => $signed_data['signed_key'],
owner => 'root',
group => 'root',
mode => '0644',
}
}else{
# manage the signed hostkey file
file { '/etc/ssh/ssh_host_rsa_key-cert.pem':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
}
}
}

14
site/profiles/manifests/yum/global.pp
View File

@ -16,6 +16,13 @@ class profiles::yum::global (
purge => $purge,
}
#exec {'purge_almalinux_default_repos':
# command => 'rm -f /etc/yum.repos.d/almalinux*.repo',
# path => ['/bin', '/usr/bin'],
# onlyif => 'find /etc/yum.repos.d/ -type f -name *almalinux* | grep .',
# before => Resources['yumrepo'],
#}
# download all gpg keys if a repo defines it
$repos.each |$name, $repo| {
if $repo['gpgkey'] {
@ -29,11 +36,12 @@ class profiles::yum::global (
before => Yumrepo[$name],
}
}
# create the repo
yumrepo { $name:
* => $repo,
}
}
# create repos
create_resources('yumrepo', $repos)
# makecache if changes made to repos
exec {'dnf_makecache':
command => 'dnf makecache -q',

83
site/profiles/templates/helpers/sshsignhost.erb Normal file
View File

@ -0,0 +1,83 @@
#!<%= @venv_path %>/bin/python
import argparse
import requests
import json
import yaml
# remove this after certs are generated everywhere
requests.packages.urllib3.disable_warnings()
def load_config(config_path):
with open(config_path, 'r') as file:
config = yaml.safe_load(file)
return config['vault']
def authenticate_approle(vault_config):
url = f"{vault_config['addr']}/v1/auth/{vault_config['approle_path']}/login"
payload = {
"role_id": vault_config['role_id'],
}
response = requests.post(url, json=payload, verify=False)
if response.status_code == 200:
auth_response = response.json()
return auth_response['auth']['client_token']
else:
print(f"Error authenticating with AppRole: {response.text}")
return None
def sign_ssh_certificate(vault_config, public_key, valid_principals, ttl):
# Authenticate using AppRole and get a token
client_token = authenticate_approle(vault_config)
if not client_token:
print("Failed to authenticate with Vault using AppRole.")
return None
# Prepare the SSH certificate signing request
url = f"{vault_config['addr']}/v1/{vault_config['mount_point']}/sign/{vault_config['role_name']}"
headers = {'X-Vault-Token': client_token}
payload = {
"cert_type": "host",
"public_key": public_key,
"valid_principals": valid_principals,
"ttl": ttl
}
# Request the SSH certificate signing
response = requests.post(url, headers=headers, json=payload, verify=False)
if response.status_code == 200:
return response.json()
else:
print(f"Error requesting certificate: {response.text}")
return None
def main(config_file):
config = load_config(config_file)
parser = argparse.ArgumentParser(description='Sign SSH host certificate using Vault.')
parser.add_argument('--public_key', required=True, help='SSH public key as a string')
parser.add_argument('--valid_principals', required=True, help='Comma-separated list of valid principals')
parser.add_argument('--ttl', default='87600h', help='Time-to-live for the certificate (default: 87600h)')
parser.add_argument('--json', action='store_true', help='Output the resulting certificate as JSON')
args = parser.parse_args()
# Load configuration
config = load_config(config_file)
# Sign SSH certificate
response = sign_ssh_certificate(config, args.public_key, args.valid_principals, args.ttl)
if response and 'data' in response and 'signed_key' in response['data']:
if args.json:
output = {
'signed_key': response['data']['signed_key'],
}
print(json.dumps(output))
else:
print(response['data']['signed_key'])
else:
print("Error: The response does not contain the expected data.")
exit(1)
if __name__ == "__main__":
config_file = '<%= @config_path %>'
main(config_file)

7
site/profiles/templates/helpers/sshsignhost_config.yaml.erb Normal file
View File

@ -0,0 +1,7 @@
vault:
addr: '<%= @vault_config['addr'] %>'
role_id: '<%= @vault_config['role_id'] %>'
approle_path: '<%= @vault_config['approle_path'] %>'
mount_point: '<%= @vault_config['mount_point'] %>'
role_name: '<%= @vault_config['role_name'] %>'
output_path: '<%= @vault_config['output_path'] %>'

8
site/profiles/templates/ntp/check_ntp.sh.erb Normal file
View File

@ -0,0 +1,8 @@
#!/usr/bin/bash
# Check if ntpd or chronyd is running
if pgrep ntpd > /dev/null || pgrep chronyd > /dev/null; then
exit 0
else
exit 2
fi

1
site/profiles/templates/puppet/client/puppet.conf.erb
View File

@ -11,3 +11,4 @@ runinterval = <%= @runinterval %>
runtimeout = <%= @runtimeout %>
show_diff = <%= @show_diff %>
usecacheonfailure = <%= @usecacheonfailure %>
number_of_facts_soft_limit = <%= @facts_soft_limit %>

1
site/profiles/templates/puppet/server/puppet.conf.epp
View File

@ -17,6 +17,7 @@ report_server = <%= $report_server %>
runinterval = <%= $runinterval %>
runtimeout = <%= $runtimeout %>
show_diff = <%= $show_diff %>
number_of_facts_soft_limit = <%= $facts_soft_limit %>
[master]
node_terminus = <%= $node_terminus %>

2
site/profiles/templates/puppetdb/check_consul_postgresql.erb Normal file
View File

@ -0,0 +1,2 @@
#!/usr/bin/bash
PGPASSWORD=<%= @consul_test_db_pass %> /usr/bin/psql -U consul_test_user -d consul_test_db -h <%= @facts['networking']['ip'] %> -p 5432 -c "SELECT 1"

4
site/profiles/templates/ssh/ssh_known_hosts.erb Normal file
View File

@ -0,0 +1,4 @@
# this file is managed by puppet
<% @lines.each do |line| -%>
<%= line %>
<% end -%>

4
site/roles/manifests/infra/puppetdb/sql.pp
View File

@ -6,6 +6,8 @@ class roles::infra::puppetdb::sql {
}else{
include profiles::defaults
include profiles::base
include profiles::puppet::puppetdb_sql
if $facts['enc_role'] == 'roles::infra::puppetdb::sql' {
include profiles::puppet::puppetdb_sql
}
}
}