Puppetfile

@@ -1,18 +1,28 @@
 forge 'forge.puppetlabs.com'
 moduledir 'external_modules'
 
-# Forge Modules
+# puppetlabs
 mod 'puppetlabs-stdlib', '9.1.0'
 mod 'puppetlabs-inifile', '6.0.0'
 mod 'puppetlabs-concat', '9.0.0'
-#mod 'eyp-eyplib', '0.1.24'
-#mod 'eyp-systemd', '3.1.0'
-mod 'puppet-systemd', '5.1.0'
-mod 'ghoneycutt-puppet', '3.3.0'
-mod 'puppet-archive', '7.0.0'
-mod 'puppet-chrony', '2.6.0'
 mod 'puppetlabs-vcsrepo', '6.1.0'
 mod 'puppetlabs-yumrepo_core', '2.0.0'
-mod 'puppet-yum', '7.0.0'
 mod 'puppetlabs-apt', '9.1.0'
 mod 'puppetlabs-lvm', '2.0.3'
+mod 'puppetlabs-puppetdb', '7.13.0'
+mod 'puppetlabs-postgresql', '9.1.0'
+mod 'puppetlabs-firewall', '6.0.0'
+mod 'puppetlabs-accounts', '8.1.0'
+
+# puppet
+mod 'puppet-python', '7.0.0'
+mod 'puppet-systemd', '5.1.0'
+mod 'puppet-yum', '7.0.0'
+mod 'puppet-archive', '7.0.0'
+mod 'puppet-chrony', '2.6.0'
+mod 'puppet-puppetboard', '9.0.0'
+mod 'puppet-nginx', '5.0.0'
+
+# other
+mod 'ghoneycutt-puppet', '3.3.0'
+mod 'saz-sudo', '8.0.0'

environment.conf

@@ -1,2 +1,3 @@
 manifest = manifests/site.pp
 modulepath = external_modules:site
+config_version = '/usr/bin/grep signature /etc/puppetlabs/code/environments/$environment/.g10k-deploy.json | /usr/bin/cut -d \" -f 4'

hieradata/common.yaml

@@ -3,6 +3,9 @@ profiles::base::ntp_servers:
   - 0.au.pool.ntp.org
   - 1.au.pool.ntp.org
 
+profiles::base::puppet_servers:
+  - 'prodinf01n01.main.unkin.net'
+
 profiles::base::packages::common:
   - ccze
   - curl
@@ -11,16 +14,17 @@ profiles::base::packages::common:
   - mtr
   - ncdu
   - neovim
-  - python3
   - screen
   - strace
-  - sudo
   - tmux
   - vim
   - vnstat
   - wget
   - zsh
 
+profiles::base::scripts::scripts:
+  puppet: puppetwrapper.py
+
 profiles::puppet::autosign::subnet_ranges:
   - '198.18.17.0/24'
 
@@ -30,9 +34,47 @@ profiles::puppet::autosign::domains:
 # profiles::puppet::autosign::nodes:
 #  - 'somenode.main.unkin.net'
 
-profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git
+profiles::puppet::client::environment: 'develop'
+profiles::puppet::client::runinterval: 1800
+profiles::puppet::client::runtimeout: 3600
+profiles::puppet::client::show_diff: true
+profiles::puppet::client::usecacheonfailure: false
+
+profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git
+profiles::puppet::enc::release: '0.1'
+profiles::puppet::enc::force: true
 profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git
 profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'
 profiles::puppet::g10k::cfg_path: '/etc/puppetlabs/r10k/r10k.yaml'
 profiles::puppet::g10k::environments_path: '/etc/puppetlabs/code/environments'
 profiles::puppet::g10k::default_environment: 'develop'
+profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net
+profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net
+puppetdb::master::config::create_puppet_service_resource: false
+#puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}"
+
+profiles::accounts::sysadmin::sshkeys:
+  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net
+
+
+profiles::base::hosts::additional_hosts:
+  - ip: 198.18.17.3
+    hostname: prodinf01n01.main.unkin.net
+    aliases:
+      - prodinf01n01
+      - puppet
+      - puppetmaster
+      - puppetca
+  - ip: 198.18.17.4
+    hostname: prodinf01n04.main.unkin.net
+    aliases:
+      - prodinf01n04
+      - puppetdb
+  - ip: 198.18.17.5
+    hostname: prodinf01n05.main.unkin.net
+    aliases:
+      - prodinf01n05
+  - ip: 198.18.17.6
+    hostname: prodinf01n06.main.unkin.net
+    aliases:
+      - prodinf01n06

hieradata/os/AlmaLinux/AlmaLinux8.yaml

@@ -6,3 +6,4 @@ profiles::yum::managed_repos:
   - 'appstream'
   - 'epel'
   - 'puppet7'
+  - 'yum.postgresql.org'

hieradata/os/AlmaLinux/AlmaLinux9.yaml

@@ -6,3 +6,4 @@ profiles::yum::managed_repos:
   - 'appstream'
   - 'epel'
   - 'puppet7'
+  - 'yum.postgresql.org'

hieradata/os/AlmaLinux/all_releases.yaml

@@ -1,4 +1,9 @@
 # hieradata/os/almalinux/all_releases.yaml
 ---
 profiles::yum::base::baseurl: http://almalinux.mirror.digitalpacific.com.au
-profiles::yum::epel::baseurl: http://epel.mirror.digitalpacific.com.au
+profiles::yum::epel::baseurl: http://mirror.aarnet.edu.au/pub/epel
+profiles::firewall::firewalld::ensure_package: 'absent'
+profiles::firewall::firewalld::ensure_service: 'stopped'
+profiles::firewall::firewalld::enable_service: false
+
+profiles::puppet::client::puppet_version: '7.26.0'

hieradata/os/Debian/Debian11.yaml

@@ -10,3 +10,5 @@ profiles::apt::components:
   - contrib
   - main
   - non-free
+
+profiles::puppet::client::puppet_version: '7.25.0-1bullseye'

hieradata/os/Debian/Debian12.yaml

@@ -11,3 +11,5 @@ profiles::apt::components:
   - main
   - non-free
   - non-free-firmware
+
+profiles::puppet::client::puppet_version: 'latest'

site/profiles/manifests/accounts/sysadmin.pp

@@ -0,0 +1,15 @@
+# create the sysadmin user
+class profiles::accounts::sysadmin(
+  Array[String] $sshkeys = [],
+){
+  profiles::base::account {'sysadmin':
+    username    => 'sysadmin',
+    uid         => 1000,
+    gid         => 1000,
+    groups      => ['wheel'],
+    sshkeys     => $sshkeys,
+    sudo_rules  => ['sysadmin ALL=(ALL) NOPASSWD:ALL'],
+    password    => '',
+    ignore_pass => true,
+  }
+}

site/profiles/manifests/base.pp

@@ -1,6 +1,7 @@
 # this is the base class, which will be used by all servers
 class profiles::base (
   Array  $ntp_servers,
+  Array  $puppet_servers,
 ) {
   class { 'chrony':
     servers => $ntp_servers,
@@ -8,6 +9,7 @@ class profiles::base (
   case $facts['os']['family'] {
     'RedHat': {
       include profiles::yum::global
+      include profiles::firewall::firewalld
     }
     'Debian': {
       include profiles::apt::global
@@ -17,8 +19,41 @@ class profiles::base (
     }
   }
 
+  # include the base packages profile
   class { 'profiles::base::packages':
     packages => hiera('profiles::base::packages::common'),
     ensure   => 'installed',
   }
+
+  # manage puppet clients
+  if ! member($puppet_servers, $trusted['certname']) {
+    include profiles::puppet::client
+  }
+
+  # include admin scripts
+  include profiles::base::scripts
+
+  # include admin scripts
+  include profiles::base::hosts
+
+  # include the python class
+  class { 'python':
+    manage_python_package => true,
+    manage_venv_package   => true,
+    manage_pip_package    => true,
+    use_epel              => false,
+  }
+
+  # all hosts will have sudo applied
+  class { 'sudo':
+    secure_path => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/opt/puppetlabs/bin'
+  }
+
+  # default users
+  include profiles::accounts::sysadmin
+
+  # add a motd
+  include profiles::base::facts
+  include profiles::base::motd
+
 }

site/profiles/manifests/base/account.pp

@@ -0,0 +1,45 @@
+# a wrapper for puppetlabs-account and saz-sudo
+define profiles::base::account (
+  String $username,
+  Integer $uid,
+  Integer $gid = undef,
+  Boolean $manage_home = true,
+  Boolean $create_group = true,
+  Boolean $purge_sshkeys = true,
+  Boolean $system = false,
+  Boolean $locked = false,
+  String $password = '!!',
+  Boolean $ignore_pass = false,
+  Array[String] $groups = [],
+  Array[String] $sshkeys = [],
+  Array[String] $sudo_rules = [],
+  String $shell = '/usr/bin/bash',
+) {
+
+  # Set gid to uid if gid is undef
+  $final_gid = $gid ? {
+    undef   => $uid,
+    default => $gid,
+  }
+
+  # Manage user
+  accounts::user { $username:
+    uid                      => $uid,
+    gid                      => $final_gid,
+    shell                    => $shell,
+    groups                   => $groups,
+    sshkeys                  => $sshkeys,
+    system                   => $system,
+    locked                   => $locked,
+    password                 => $password,
+    create_group             => $create_group,
+    managehome               => $manage_home,
+    purge_sshkeys            => $purge_sshkeys,
+    ignore_password_if_empty => $ignore_pass,
+  }
+
+  # Manage sudo rules
+  sudo::conf { "${username}_sudo":
+    content => $sudo_rules,
+  }
+}

site/profiles/manifests/base/facts.pp

@@ -0,0 +1,29 @@
+# a class to define some global facts
+class profiles::base::facts {
+
+  # The path where external facts are stored
+  $facts_d_path = '/opt/puppetlabs/facter/facts.d'
+
+  # Ensure the directory exists
+  file { $facts_d_path:
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  # facts to create
+  $fact_list = [ 'enc_role', 'enc_env' ]
+
+  # Manage the external fact file with content from the template
+  $fact_list.each | String $item | {
+    file { "${facts_d_path}/${item}.txt":
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => template("profiles/base/facts/${item}.erb"),
+      require => File[$facts_d_path],
+    }
+  }
+}

site/profiles/manifests/base/hosts.pp

@@ -0,0 +1,30 @@
+# basic class to manage the /etc/hosts file from a template
+#
+# @param additional_hosts:
+#   An array of hashes with ip/hostname/aliases
+#   Aliases is an array in case there is a need for multiple aliases
+#
+#   class { 'profiles::base::hosts':
+#     additional_hosts => [
+#       { 'ip' => '192.168.0.10', 'hostname' => 'server1.example.com', 'aliases' => ['server1'] },
+#       { 'ip' => '192.168.0.11', 'hostname' => 'server2.example.com' },
+#       # ... and so on
+#     ],
+#   }
+#
+class profiles::base::hosts (
+  Array[Hash] $additional_hosts = []
+) {
+
+  $fqdn = $facts['networking']['fqdn']
+  $hostname = $facts['networking']['hostname']
+
+  # Ensure the file exists and manage its content
+  file { '/etc/hosts':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('profiles/base/hosts.erb'),
+  }
+}

site/profiles/manifests/base/motd.pp

@@ -0,0 +1,20 @@
+# set the motd
+class profiles::base::motd (
+  String  $enc_role   = pick($facts['enc_role'], 'undefined'),
+  String  $enc_env    = pick($facts['enc_env'], 'undefined'),
+  String  $fqdn       = $facts['networking']['fqdn'],
+  String  $addr       = $facts['networking']['ip'],
+  String  $nic        = $facts['networking']['primary'],
+  String  $os_name    = $facts['os']['name'],
+  String  $os_release = $facts['os']['release']['full'],
+) {
+
+  # Use the regsubst function to remove the 'roles::' prefix from the role name
+  $clean_role = regsubst($enc_role, '^roles::', '')
+
+  # Manage the content of the /etc/motd file
+  file { '/etc/motd':
+    ensure  => file,
+    content => template('profiles/base/motd/motd.erb'),
+  }
+}

site/profiles/manifests/base/scripts.pp

@@ -0,0 +1,26 @@
+# This class can be included directly in node definitions or other classes.
+# The preferred method for declaring the scripts is via Hiera.
+#
+# Here's an example Hiera configuration:
+#
+# profiles::base::scripts::scripts:
+#   script1: script1
+#   script2: script2
+#
+# This would deploy 'script1' and 'script2' to /usr/local/bin using their
+# respective ERB templates in the profiles/base/scripts directory.
+#
+class profiles::base::scripts (
+  Hash $scripts = {},
+) {
+  $scripts.each |$script_name, $template_name| {
+    file { "/usr/local/bin/${script_name}":
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0755',
+      content => template("profiles/base/scripts/${template_name}.erb"),
+    }
+  }
+}
+

site/profiles/manifests/firewall/firewalld.pp

@@ -0,0 +1,32 @@
+# Manages the firewalld package and service on RedHat-like distributions.
+#
+# @param ensure_package Determines the state of the firewalld package.
+#   Can be set to 'absent' to remove the package or 'installed' to ensure it's present.
+#
+# @param ensure_service Determines the state of the firewalld service.
+#   Can be set to 'stopped' to stop the service or 'running' to ensure it's active.
+#
+# @param enable_service A boolean that specifies whether to enable or disable the firewalld service on boot.
+#
+class profiles::firewall::firewalld (
+  Enum['absent', 'installed'] $ensure_package = 'installed',
+  Enum['stopped', 'running'] $ensure_service = 'running',
+  Boolean $enable_service = true,
+) {
+  # Ensure it only runs on RedHat like distributions
+  if $facts['os']['family'] == 'RedHat' {
+
+    # Manage the firewalld package
+    package { 'firewalld':
+      ensure => $ensure_package,
+    }
+
+    # Manage the firewalld service
+    service { 'firewalld':
+      ensure     => $ensure_service,
+      enable     => $enable_service,
+      hasrestart => true,
+      require    => Package['firewalld'],
+    }
+  }
+}

site/profiles/manifests/puppet/client.pp

@@ -0,0 +1,50 @@
+# Class: profiles::puppet::client
+#
+# This class manages Puppet client configuration and service.
+#
+# Parameters:
+#   vardir - Directory path for variable data.
+#   logdir - Directory path for logs.
+#   rundir - Directory path for run-time data.
+#   pidfile - File path for the PID file.
+#   codedir - Directory path for code data.
+#   dns_alt_names - Array of alternate DNS names for the server.
+#   server - Server's name.
+#
+# site/profile/manifests/puppet/client.pp
+class profiles::puppet::client (
+  String $dns_alt_names       = $trusted['certname'],
+  String $server              = 'puppetmaster',
+  String $ca_server           = 'puppetca',
+  String $environment         = 'develop',
+  Integer $runinterval        = 1800,
+  Integer $runtimeout         = 3600,
+  Boolean $show_diff          = true,
+  Boolean $usecacheonfailure  = false,
+  String $puppet_version      = 'latest',
+) {
+
+  # Ensure the puppet-agent package is installed and locked to a specific version
+  package { 'puppet-agent':
+    ensure => $puppet_version,
+  }
+
+  # Ensure the puppet service is running
+  service { 'puppet':
+    ensure     => 'running',
+    enable     => true,
+    hasrestart => true,
+    require    => Package['puppet-agent'],
+  }
+
+  # Assuming you want to manage puppet.conf with this profile
+  file { '/etc/puppetlabs/puppet/puppet.conf':
+    ensure  => 'present',
+    content => template('profiles/puppet/client/puppet.conf.erb'),
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    notify  => Service['puppet'],
+  }
+}
+

site/profiles/manifests/puppet/enc.pp

@@ -34,7 +34,9 @@
 # This is designed to work on Unix-like systems only.
 #
 class profiles::puppet::enc (
-  String $enc_repo,
+  String $repo,
+  String $release = 'master',
+  Boolean $force = false,
 ) {
 
   include profiles::git::git
@@ -42,7 +44,9 @@ class profiles::puppet::enc (
   vcsrepo { '/opt/puppetlabs/enc':
     ensure   => latest,
     provider => git,
-    source   => $enc_repo,
+    source   => $repo,
+    revision => $release,
+    force    => $force,
     require  => Package['git'],
   }
 

site/profiles/manifests/puppet/puppetboard.pp

@@ -0,0 +1,123 @@
+# Class: profiles::puppet::puppetboard
+#
+# This class manages the Puppetboard, a web interface to PuppetDB.
+#
+class profiles::puppet::puppetboard (
+  String  $python_version       = '3.6',
+  Boolean $manage_virtualenv    = false,
+  Integer $reports_count        = 40,
+  Boolean $offline_mode         = true,
+  String  $default_environment  = '*',
+  String  $puppetdb_host        = lookup('profiles::puppet::puppetdb::puppetdb_host'),
+  Stdlib::AbsolutePath $basedir = '/opt/puppetboard',
+  Stdlib::Absolutepath $virtualenv_dir  = "${basedir}/venv",
+  Stdlib::Absolutepath $settings_file   = "${basedir}/settings.py",
+  String  $user                 = 'puppetboard',
+  String  $group                = 'puppetboard',
+  String  $gunicorn_bind        = '127.0.0.1:8080',
+  String  $gunicorn_bind_prefix = 'http://',
+  Integer $gunicorn_workers     = 1,
+  Integer $gunicorn_threads     = 4,
+  String  $nginx_vhost          = 'puppetboard.main.unkin.net',
+  Integer $nginx_port           = 80,
+  #String[1] $secret_key         = "${fqdn_rand_string(32)}",
+) {
+
+  # store puppet-agents ssl settings/certname
+  $ssl_dir = $::settings::ssldir
+  $puppetboard_certname = $trusted['certname']
+
+  # setup the puppetboard venv
+  class { 'puppetboard':
+    python_version      => $python_version,
+    manage_virtualenv   => $manage_virtualenv,
+    reports_count       => $reports_count,
+    offline_mode        => $offline_mode,
+    basedir             => $basedir,
+    virtualenv_dir      => $virtualenv_dir,
+    settings_file       => $settings_file,
+    #secret_key         => $secret_key,
+    default_environment => $default_environment,
+    puppetdb_host       => $puppetdb_host,
+    puppetdb_port       => 8081,
+    puppetdb_key        => "${basedir}/ssl/${puppetboard_certname}.pem",
+    puppetdb_ssl_verify => "${ssl_dir}/certs/ca.pem",
+    puppetdb_cert       => "${ssl_dir}/certs/${puppetboard_certname}.pem",
+    user                => $user,
+    group               => $group,
+    notify              => Service['puppetboard.service'],
+  }
+
+  # install gunicorn
+  python::pip { 'puppetboard_gunicorn':
+    ensure     => 'latest',
+    pkgname    => 'gunicorn',
+    virtualenv => $virtualenv_dir,
+    require    => Class['puppetboard'],
+  }
+
+  # create ssl dir for puppetboard
+  file { "${basedir}/ssl":
+    ensure  => directory,
+    owner   => $user,
+    group   => $group,
+    mode    => '0750',
+    require => Class['puppetboard'],
+  }
+
+  # copy the ssl certs for puppetboard
+  file { "${basedir}/ssl/${puppetboard_certname}.pem":
+    ensure  => present,
+    owner   => $user,
+    group   => $group,
+    mode    => '0750',
+    source  => "${ssl_dir}/private_keys/${puppetboard_certname}.pem",
+    require => File["${basedir}/ssl"],
+    notify  => Service['puppetboard.service'],
+  }
+
+  # create script to start service
+  file { "${virtualenv_dir}/bin/start_puppetboard":
+    ensure  => file,
+    owner   => $user,
+    group   => $group,
+    mode    => '0755',
+    content => template('profiles/puppet/puppetboard/start_puppetboard.erb'),
+    require => Class['puppetboard'],
+    notify  => Service['puppetboard.service'],
+  }
+
+  # create systemd service unit
+  systemd::unit_file { 'puppetboard.service':
+    content => template('profiles/puppet/puppetboard/puppetboard.service.erb'),
+    active  => true,
+    enable  => true,
+    require => File["${virtualenv_dir}/bin/start_puppetboard"],
+  }
+
+  # ensure the nginx service is managed
+  class { 'nginx': }
+
+  # create the nginx vhost
+  nginx::resource::server { $nginx_vhost:
+      listen_port           => $nginx_port,
+      server_name           => [$nginx_vhost],
+      proxy                 => "${gunicorn_bind_prefix}${gunicorn_bind}",
+      proxy_set_header      => [
+          'Host $http_host',
+          'X-Real-IP $remote_addr',
+          'X-Scheme $scheme',
+      ],
+      proxy_pass_header     => ['Server'],
+      proxy_redirect        => 'off',
+      proxy_connect_timeout => '10s',
+      proxy_read_timeout    => '10s',
+  }
+
+  # service static files from nginx for performance
+  nginx::resource::location { "${nginx_vhost}_static":
+      location       => '/static',
+      server         => $nginx_vhost,
+      location_alias => "${virtualenv_dir}/lib/python${python_version}/site-packages/puppetboard/static",
+  }
+}

site/profiles/manifests/puppet/puppetdb_api.pp

@@ -0,0 +1,16 @@
+# configure the puppetdb api service
+class profiles::puppet::puppetdb_api (
+  String $postgres_host = lookup('profiles::puppet::puppetdb::postgres_host'),
+  String $listen_address = $facts['networking']['ip'],
+) {
+
+  class { 'puppetdb::server':
+    database_host      => $postgres_host,
+    manage_firewall    => false,
+    ssl_listen_address => $listen_address,
+    listen_address     => $listen_address,
+  }
+
+  contain ::puppetdb::server
+
+}

site/profiles/manifests/puppet/puppetdb_sql.pp

@@ -0,0 +1,27 @@
+# configure the puppetdb sql service
+class profiles::puppet::puppetdb_sql (
+  String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
+  String $listen_address = $facts['networking']['ip'],
+) {
+
+  # disable the postgresql dnf module for el8+
+  if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] >= '8' {
+    # based on https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/dnfmodule.pp
+    package { 'postgresql dnf module':
+        ensure   => 'disabled',
+        name     => 'postgresql',
+        provider => 'dnfmodule',
+        before   => Class['puppetdb::database::postgresql'],
+    }
+  }
+
+  # Install and configure PostgreSQL for PuppetDB
+  class { 'puppetdb::database::postgresql':
+    listen_addresses => $listen_address,
+    postgres_version => '15',
+    puppetdb_server  => $puppetdb_host,
+  }
+
+  contain ::puppetdb::database::postgresql
+
+}

site/profiles/manifests/puppet/puppetmaster.pp

@@ -22,19 +22,26 @@
 #
 # Limitations:
 # This is designed to work on Unix-like systems.
-class profiles::puppet::puppetmaster {
+class profiles::puppet::puppetmaster (
+  String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
+) {
   include profiles::puppet::r10k
   include profiles::puppet::g10k
   include profiles::puppet::enc
   include profiles::puppet::autosign
 
+  class { 'puppetdb::master::config':
+    puppetdb_server     => $puppetdb_host,
+    manage_storeconfigs => false,
+  }
+
   class { 'profiles::puppet::server':
-    vardir              => '/opt/puppetlabs/server/data/puppetserver',
-    logdir              => '/var/log/puppetlabs/puppetserver',
-    rundir              => '/var/run/puppetlabs/puppetserver',
-    pidfile             => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
-    codedir             => '/etc/puppetlabs/code',
-    dns_alt_names       => [
+    vardir               => '/opt/puppetlabs/server/data/puppetserver',
+    logdir               => '/var/log/puppetlabs/puppetserver',
+    rundir               => '/var/run/puppetlabs/puppetserver',
+    pidfile              => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
+    codedir              => '/etc/puppetlabs/code',
+    dns_alt_names        => [
       'prodinf01n01.main.unkin.net',
       'puppet.main.unkin.net',
       'puppetca.main.unkin.net',
@@ -43,11 +50,15 @@ class profiles::puppet::puppetmaster {
       'puppetca',
       'puppetmaster',
     ],
-    server              => 'prodinf01n01.main.unkin.net',
-    node_terminus       => 'exec',
-    external_nodes      => '/opt/puppetlabs/bin/enc',
-    autosign            => '/etc/puppetlabs/puppet/autosign.conf',
-    default_manifest    => '/etc/puppetlabs/code/environments/develop/manifests',
-    default_environment => 'develop',
+    server               => 'prodinf01n01.main.unkin.net',
+    node_terminus        => 'exec',
+    external_nodes       => '/opt/puppetlabs/bin/enc',
+    autosign             => '/etc/puppetlabs/puppet/autosign.conf',
+    default_manifest     => '/etc/puppetlabs/code/environments/develop/manifests',
+    default_environment  => 'develop',
+    storeconfigs         => true,
+    storeconfigs_backend => 'puppetdb',
+    reports              => 'puppetdb',
+    usecacheonfailure    => false,
   }
 }

site/profiles/manifests/puppet/r10k.pp

@@ -52,7 +52,7 @@ class profiles::puppet::r10k (
     group   => 'root',
     mode    => '0755',
     content => "#!/bin/bash\n(
-      cd /etc/puppetlabls/r10k
+      cd /etc/puppetlabs/r10k
       git reset --hard master
       git clean -fd
       git pull\n)",

site/profiles/manifests/puppet/server.pp

@@ -27,6 +27,10 @@ class profiles::puppet::server (
   String $autosign,
   String $default_manifest,
   String $default_environment,
+  Boolean $storeconfigs,
+  String $storeconfigs_backend,
+  String $reports,
+  Boolean $usecacheonfailure,
 ) {
 
   file { '/etc/puppetlabs/puppet/puppet.conf':
@@ -35,18 +39,22 @@ class profiles::puppet::server (
     group   => 'root',
     mode    => '0644',
     content => epp('profiles/puppet/server/puppet.conf.epp', {
-      'vardir'              => $vardir,
-      'logdir'              => $logdir,
-      'rundir'              => $rundir,
-      'pidfile'             => $pidfile,
-      'codedir'             => $codedir,
-      'dns_alt_names'       => join($dns_alt_names, ','),
-      'server'              => $server,
-      'node_terminus'       => $node_terminus,
-      'external_nodes'      => $external_nodes,
-      'autosign'            => $autosign,
-      'default_manifest'    => $default_manifest,
-      'default_environment' => $default_environment,
+      'vardir'               => $vardir,
+      'logdir'               => $logdir,
+      'rundir'               => $rundir,
+      'pidfile'              => $pidfile,
+      'codedir'              => $codedir,
+      'dns_alt_names'        => join($dns_alt_names, ','),
+      'server'               => $server,
+      'node_terminus'        => $node_terminus,
+      'external_nodes'       => $external_nodes,
+      'autosign'             => $autosign,
+      'default_manifest'     => $default_manifest,
+      'default_environment'  => $default_environment,
+      'storeconfigs'         => $storeconfigs,
+      'storeconfigs_backend' => $storeconfigs_backend,
+      'reports'              => $reports,
+      'usecacheonfailure'    => $usecacheonfailure,
     }),
     notify  => Service['puppetserver'],
   }

site/profiles/templates/base/facts/enc_env.erb

@@ -0,0 +1 @@
+enc_env=<%= @enc_env %>

site/profiles/templates/base/facts/enc_role.erb

@@ -0,0 +1 @@
+enc_role=<%= @enc_role[0] %>

site/profiles/templates/base/hosts.erb

@@ -0,0 +1,15 @@
+# /etc/hosts file managed by Puppet
+
+# The following lines are desirable for IPv4 capable hosts
+127.0.0.1 <%= @fqdn %> <%= @hostname %>
+127.0.0.1 localhost.localdomain localhost
+127.0.0.1 localhost4.localdomain4 localhost4
+
+# The following lines are desirable for IPv6 capable hosts
+::1 <%= @fqdn %> <%= @hostname %>
+::1 localhost.localdomain localhost
+::1 localhost6.localdomain6 localhost6
+
+<% @additional_hosts.each do |host| -%>
+<%= host['ip'] %>  <%= host['hostname'] %>  <%= host['aliases'].join(' ') if host['aliases'] %>
+<% end -%>

site/profiles/templates/base/motd/motd.erb

@@ -0,0 +1,13 @@
+<%
+# calculate padding for the longest word
+max_length = ['fqdn:', 'os:', 'role:', 'branch:', 'addr:', 'nic:'].max_by(&:length).length
+# helper lambda to right-align text
+align = ->(word) { word.ljust(max_length) }
+%>
+<%= align.call('fqdn:') %> <%= @fqdn %>
+<%= align.call('os:') %> <%= @os_name %> <%= @os_release %>
+<%= align.call('role:') %> <%= @clean_role %>
+<%= align.call('branch:') %> <%= @enc_env %>
+<%= align.call('addr:') %> <%= @addr %>
+<%= align.call('nic:') %> <%= @nic %>
+

site/profiles/templates/base/scripts/puppetwrapper.py.erb

@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+
+import sys
+import subprocess
+
+def main():
+    # If "-E" is in the arguments, modify the following argument
+    args = sys.argv[1:]
+    if "-E" in args:
+        index = args.index("-E")
+        if index + 1 < len(args):  # Check if there's another argument after "-E"
+            environment_value = args[index + 1]
+            # Replace \ and - with _
+            modified_environment_value = environment_value.replace("\\", "_").replace("-", "_").replace("/","_")
+            args[index + 1] = modified_environment_value
+
+    # Construct the full puppet command with the modified args
+    command = ["/opt/puppetlabs/bin/puppet"] + args
+    subprocess.run(command)
+
+if __name__ == "__main__":
+    main()

site/profiles/templates/puppet/client/puppet.conf.erb

@@ -0,0 +1,13 @@
+[main]
+dns_alt_names = <%= @dns_alt_names %>
+
+[agent]
+server = <%= @server %>
+ca_server = <%= @ca_server %>
+environment = <%= @environment %>
+report = true
+report_server = <%= @server %>
+runinterval = <%= @runinterval %>
+runtimeout = <%= @runtimeout %>
+show_diff = <%= @show_diff %>
+usecacheonfailure = <%= @usecacheonfailure %>

site/profiles/templates/puppet/puppetboard/puppetboard.service.erb

@@ -0,0 +1,12 @@
+[Unit]
+Description=puppetboard daemon
+After=network.target
+[Service]
+Type=simple
+User=<%= @user %>
+Group=<%= @group %>
+Environment="PUPPETBOARD_SETTINGS=<%= @settings_file %>"
+ExecStart=<%= @virtualenv_dir %>/bin/start_puppetboard
+PrivateTmp=true
+[Install]
+WantedBy=multi-user.target

site/profiles/templates/puppet/puppetboard/start_puppetboard.erb

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+<%= @virtualenv_dir %>/bin/gunicorn \
+    --workers <%= @gunicorn_workers %> \
+    --threads <%= @gunicorn_threads %> \
+    --config <%= @settings_file %> \
+    --bind <%= @gunicorn_bind %> \
+    puppetboard.app:app

site/profiles/templates/puppet/server/puppet.conf.epp

@@ -17,3 +17,7 @@ external_nodes = <%= $external_nodes %>
 autosign = <%= $autosign %>
 default_manifest = <%= $default_manifest %>
 default_environment = <%= $default_environment %>
+storeconfigs = <%= $storeconfigs %>
+storeconfigs_backend = <%= $storeconfigs_backend %>
+reports = <%= $reports %>
+usecacheonfailure = <%= $usecacheonfailure %>

site/roles/manifests/ceph/mds.pp

@@ -0,0 +1,6 @@
+# a role to deploy the ceph mds
+# work in progress
+class roles::ceph::mds {
+    include profiles::defaults
+    include profiles::base
+}

site/roles/manifests/ceph/mon.pp

@@ -0,0 +1,6 @@
+# a role to deploy the ceph mon
+# work in progress
+class roles::ceph::mon {
+    include profiles::defaults
+    include profiles::base
+}

site/roles/manifests/ceph/osd.pp

@@ -0,0 +1,6 @@
+# a role to deploy the ceph osd
+# work in progress
+class roles::ceph::osd {
+    include profiles::defaults
+    include profiles::base
+}

site/roles/manifests/puppet/puppetboard.pp

@@ -0,0 +1,6 @@
+# a role to deploy the puppetboard
+class roles::puppet::puppetboard {
+    include profiles::defaults
+    include profiles::base
+    include profiles::puppet::puppetboard
+  }

site/roles/manifests/puppet/puppetdb.pp

@@ -0,0 +1,7 @@
+# a role to deploy the puppetdb
+# work in progress
+class roles::puppet::puppetdb {
+    include profiles::defaults
+    include profiles::base
+    include profiles::puppet::puppetdb
+  }

site/roles/manifests/puppet/puppetdb_api.pp

@@ -0,0 +1,6 @@
+# a role to deploy the puppetdb api service
+class roles::puppet::puppetdb_api {
+    include profiles::defaults
+    include profiles::base
+    include profiles::puppet::puppetdb_api
+  }

site/roles/manifests/puppet/puppetdb_sql.pp

@@ -0,0 +1,6 @@
+# a role to deploy the puppetdb postgresql service
+class roles::puppet::puppetdb_sql {
+    include profiles::defaults
+    include profiles::base
+    include profiles::puppet::puppetdb_sql
+  }