unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

promote develop to master #6

Merged
unkinben merged 449 commits from develop into master 2024-06-01 14:48:48 +10:00
Conversation 0 Commits 449 Files Changed 291 +1230 -668
77 changed files with 1230 additions and 668 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit f6bf504416 - Show all commits

1
hieradata/common.eyaml
View File

@ -5,3 +5,4 @@ profiles::consul::client::secret_id_salt: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCC
profiles::consul::token::node_editor::secret_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAO8IIF2r18dFf0bVKEwjJUe1TmXHH0AIzsQHxkHwV7d37kvH1cY9rYw0TtdHn7GTxvotJG7GZbWvbunpBs1g2p2RPADiM6TMhbO8mJ0tAWLnMk7bQ221xu8Pc7KceqWmU17dmgNhVCohyfwJNqbA756TlHVgxGA0LtNrKoLOmgKGXAL1VYZoKEQnWq7xOpO+z3e1UfjoO6CvX/Od2hGYfUkHdro8mwRw4GFKzU7XeKFdAMUGpn5rVmY3xe+1ARXwGFaSrTHzk2n85pvwhPRlQ+OwqzyT19Qo2FNeAO6RoCRIFTtqbsjTWPUlseHIhw4Q5bHO1I0Mrlm5IHDESw/22IzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCEe9wD72qxnpeq5nCi/d7BgDCP29sDFObkFTabt2uZ/nF9MT1g+QOrrdFKgnG6ThnwH1hwpZPsSVgIs+yRQH8laB4=]
profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=]
profiles::consul::server::acl_tokens_default: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAh4Ag95xgkIZHL0gP9OLnZauih0dB1/2l9Jzw8mP3OiIv7fw23otHYONlS3Emtj7oxW8MKcZGKDCzwCT6T2p+V5wx1n15wr2J+FmL24VbclJwrMPQ4AdgP359B9h21uoyo7Zdy7RuuvLfkU1fWXbs3SeWbi2HJs1Ed1/oI1jzr3OgwMbVtbyzd1VuAXeZ9bHQG3IA8z+w/k5m61th0HTyHjw7eldQulbohDuwv545z9axHEoHKCRT2a3ZwBufV2ST6Dm3g9GERzXE9Adp9DQC5adqM74wfsujOMLK2QFJSSIOj2uCs1CpEnrNrQ8zjP3fudM2z3l7KdSHZazEamCSxTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBY/Tn9tzEKYc5dxnzP2rP7gDBWKgVP3lf2T4Q0WPQt3ns0E6RUSO6OtBegb/5qDyohY2nsDeJTnMKOYzYt/J1PhnY=]
profiles::consul::server::acl_tokens_replication: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAEzTIxbaAR/TZYnC671aBhiahsfwf3ieyeSHpD5hQm40sMEF/fXlEDijq9i2ykPikm94074j1Uo4HNzv/V9GTf0NSC/64t61jJ/Ya3QKa5f/36+DcRj3lcETsSIyhWwmU+E+zkY8I2r68MtXAuvSoMSMZdpgWSkPx/3FFgZlrsg//bzDu69jS9cx4UK582N3A6QN4Uy/qwYtJcm+2iTQlqqgGRWGqnSgTirxhegxPbJGWTDoAEpAL4/DyF5/hqcUn6mgoSfAsHF3loPHOqN30lG+9o0THWJ9B8Gf4W/1X2UWA/avmUnqBnumGoz0p7AYdNgpW+qLl2rk4lyGYa4kvQjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBD9KSLH3Pn/1EIzgVJM+8VOgDDpKWzHfSVsfUMyTD0XIRPGclTdmxqCnsdhKNqmUfSjkYIf2nI9rQtSK6n42TYuO4k=]

12
hieradata/common.yaml
View File

@ -87,9 +87,21 @@ lookup_options:
profiles::consul::client::node_rules:
merge:
strategy: deep
profiles::consul::prepared_query::rules:
merge:
strategy: deep
profiles::puppet::server::dns_alt_names:
merge:
strategy: deep
profiles::base::hosts::additional_hosts:
merge:
strategy: deep
postgresql_config_entries:
merge:
strategy: deep
profiles::yum::global::repos:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'

4
hieradata/country/au/region/drw1/infra/storage/consul.eyaml
View File

@ -1,4 +1,4 @@
---
profiles::consul::server::gossip_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEADwwYLK+fU0M/uLqQpRjHnIAyrt6yPEZSXpUX2jvOGVOA63X8LOYpLVfEGWMmkZ7BHRO0fgr847UUI/xI8otIuiOpgtW2E7QLWs806KUNXz+L8c7kSnQ1XAD5R81/5joDHl4AIxl5fAGryTXH1gfnpTMWh2yjFzU/KYuk2GhrU0M9ewCGJErQG4pT4u3ymGmkLjx6AiZ8r9xb4Eos2bhCCpFWfyb0kKcJqdKU9mzy508byNCfp8lr1DoKxEQrdqSSAQdepn6wCgBZtlAK/k63tOqM9dxyDaCsK8vLG9LlvuEwi3OL2lzTtc1mAcdYxahDo3uBX0/VcCswaXq3nPnu3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCUwXPoMh/dylvFwyRzAsnRgDDvh5CHrzJYdUXWGsauYlifOOukYokkwG3yqqtCByveMqVWfWsQukiDTixdqpCgfzw=]
profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=]
profiles::consul::server::acl_tokens_default: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAPRZN7DnYUhVL81p7xC9rUYPutoO3UrF2Sl8DlopfYoAG9omnXZlrut8wIffDZJSiU5XkOGv8x2QsXZc+bWqiplJ0VfzLClxEM2onWaT/GGGg7E+2YhrYuMG7mZYaqRYQ6/AgLDcIMBIdQBdL5mlpy+fVZn7Mu4cmsQYJTIe+yrNQtGMWMiNaHpwLGXvoXgwT6giX6L6VNiN51dAnHAdMYZ9Hf3G5CZEs6x8uOveqf6+qy+df24ItRUcsfQlSwsEaQRY+xjIVYIoiV8l8D8HiO+mVqbxtfQgyJIMv+0hl95zHGlc2W5lb6MvIFcJGu2xKIc00D7YOYgxLUx1aegixxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBnYSZmhDFSDoO1s329ktFegDC2Z7A+TGqTtZXKXaj2qQmowIvTZOVoUyF/5G0aED0wo/h+vfgosSS3Tx1dam0KUl0=]
#profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAi1UH7AZirJ1PdxWy+KEgS5ufm0wbn2xy9rkg14hKYpcVjBa4pOZpSLMGMiiUpBIqBytDMZM4ezYa/luktpkBImJbM/TE16beGtsacQGA+9eZk2Tihs9GR2qbAQiu5lLITiDlwNnf0GeWdqHM8CTeD68DczQF320d9U14/k6pG/7z+w/MGLcjsQoSuOFTm42JVn1BI46t1CYSCHMXQc/9Tfs+FzI+vumohI8DxAYBIuyzU5HBX/MntAsvD/yixMJS1pZL9WwgqZJC/wK34rVRB39DpxWf/WROrI+WLuSJwr7WBjaeF9Ju+89WKCgsI53EWhFTj8GgDZm/jqPoE478NjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAoACRzJdQKNYXZv6cghFIIgDAzB81DMcuY815nb8POtZpiA06jT/068AoZmSctHoFK/zW9tY229N5r1Tb+WHElqLk=]
#profiles::consul::server::acl_tokens_default: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAPRZN7DnYUhVL81p7xC9rUYPutoO3UrF2Sl8DlopfYoAG9omnXZlrut8wIffDZJSiU5XkOGv8x2QsXZc+bWqiplJ0VfzLClxEM2onWaT/GGGg7E+2YhrYuMG7mZYaqRYQ6/AgLDcIMBIdQBdL5mlpy+fVZn7Mu4cmsQYJTIe+yrNQtGMWMiNaHpwLGXvoXgwT6giX6L6VNiN51dAnHAdMYZ9Hf3G5CZEs6x8uOveqf6+qy+df24ItRUcsfQlSwsEaQRY+xjIVYIoiV8l8D8HiO+mVqbxtfQgyJIMv+0hl95zHGlc2W5lb6MvIFcJGu2xKIc00D7YOYgxLUx1aegixxzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBnYSZmhDFSDoO1s329ktFegDC2Z7A+TGqTtZXKXaj2qQmowIvTZOVoUyF/5G0aED0wo/h+vfgosSS3Tx1dam0KUl0=]

5
hieradata/country/au/region/drw1/infra/storage/consul.yaml
View File

@ -1,4 +1,7 @@
---
profiles::consul::server::bootstrap_count: 3
profiles::consul::server::raft_multiplier: 10
profiles::consul::server::primary_datacenter: 'au-drw1'
profiles::consul::server::primary_datacenter: 'au-syd1'
profiles::consul::server::join_remote_regions: true
profiles::consul::server::remote_regions:
- syd1

4
hieradata/country/au/region/syd1/infra/sql/galera.yaml Normal file
View File

@ -0,0 +1,4 @@
---
profiles::sql::galera_member::cluster_name: au-syd1
profiles::sql::galera_member::galera_master: ausyd1nxvm1027.main.unkin.net
profiles::sql::galera_member::innodb_buffer_pool_size: 256M

3
hieradata/country/au/region/syd1/infra/storage/consul.yaml
View File

@ -2,3 +2,6 @@
profiles::consul::server::bootstrap_count: 3
profiles::consul::server::raft_multiplier: 10
profiles::consul::server::primary_datacenter: 'au-syd1'
profiles::consul::server::join_remote_regions: true
profiles::consul::server::remote_regions:
- drw1

2
hieradata/nodes/ausyd1nxvm1017.main.unkin.net.yaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::cobbler::params::is_cobbler_master: true

9
hieradata/os/AlmaLinux/AlmaLinux8.yaml
View File

@ -1,11 +1,2 @@
# hieradata/os/AlmaLinux/AlmaLinux8.yaml
---
profiles::yum::global::managed_repos:
- 'base'
- 'appstream'
- 'epel'
- 'powertools'
- 'highavailability'
- 'puppet7'
- 'yum.postgresql.org'
- 'unkin'

6
hieradata/os/AlmaLinux/AlmaLinux9.yaml
View File

@ -1,8 +1,2 @@
# hieradata/os/AlmaLinux/AlmaLinux9.yaml
---
profiles::yum::global::managed_repos:
- 'base'
- 'appstream'
- 'epel'
- 'puppet7'
- 'yum.postgresql.org'

54
hieradata/os/AlmaLinux/all_releases.yaml
View File

@ -1,9 +1,5 @@
# hieradata/os/almalinux/all_releases.yaml
---
profiles::yum::base::baseurl: https://repos.main.unkin.net/almalinux
profiles::yum::epel::baseurl: https://repos.main.unkin.net/epel
profiles::yum::unkin::baseurl: https://repos.main.unkin.net/unkin
profiles::yum::ovirt::baseurl: https://repos.main.unkin.net/centos
profiles::firewall::firewalld::ensure_package: 'absent'
profiles::firewall::firewalld::ensure_service: 'stopped'
profiles::firewall::firewalld::enable_service: false
@ -12,5 +8,55 @@ profiles::puppet::agent::puppet_version: '7.26.0'
profiles::packages::install:
- lzo
- xz
- policycoreutils
lm-sensors::package: lm_sensors
profiles::yum::global::repos:
baseos:
name: baseos
descr: baseos repository
target: /etc/yum.repos.d/baseos.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/BaseOS/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
extras:
name: extras
descr: extras repository
target: /etc/yum.repos.d/extras.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/extras/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
appstream:
name: appstream
descr: appstream repository
target: /etc/yum.repos.d/appstream.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/AppStream/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
powertools:
name: powertools
descr: powertools repository
target: /etc/yum.repos.d/powertools.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/PowerTools/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
highavailability:
name: highavailability
descr: highavailability repository
target: /etc/yum.repos.d/highavailability.repo
baseurl: https://edgecache.query.consul/almalinux/%{facts.os.release.full}/HighAvailability/%{facts.os.architecture}/os
gpgkey: http://edgecache.query.consul/almalinux/RPM-GPG-KEY-AlmaLinux-%{facts.os.release.major}
epel:
name: epel
descr: epel repository
target: /etc/yum.repos.d/epel.repo
baseurl: https://edgecache.query.consul/epel/%{facts.os.release.major}/Everything/%{facts.os.architecture}
gpgkey: http://edgecache.query.consul/epel/RPM-GPG-KEY-EPEL-%{facts.os.release.major}
puppet:
name: puppet
descr: puppet repository
target: /etc/yum.repos.d/puppet.repo
baseurl: https://yum.puppet.com/puppet7/el/%{facts.os.release.major}/%{facts.os.architecture}
gpgkey: https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
unkin:
name: unkin
descr: unkin repository
target: /etc/yum.repos.d/unkin.repo
baseurl: https://repos.main.unkin.net/unkin/%{facts.os.release.major}/%{facts.os.architecture}/os

2
hieradata/roles/infra/cobbler/server.eyaml
View File

@ -1,2 +1,2 @@
---
profiles::cobbler::server::default_password_crypted: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJidO18dSzKXgDEvFhigrDmiMTW+D7obTCZVAvl0JzQ6nqRdnh6Xa+j+yc7YzYtCg9VH60vfcutHFGhJptlMbTQq3vSUoF9ylgTutaW/to4T8jb8gBqK1n7b+devEQh4soJtOdAPSidCX4aqsP9dK3I8IijNWMABz59usGbY6oWedmC4865PBcxyIu3phWynNULTXPBEAqdXAutkh4N3P1ydFk3eARCVS3uWo7zaXVsu4vIkjYRDCUyFXBWb12L/NmQ2EhGwckPwgX/rcKRL9r49GxQTLBHJ5MoHQanwoiRw+5Tz3qLW69z+hk91VpnpkZgANc081rmhdyp6qmuIAVDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBiDUwXVJ6mmwzt4YAxg3+qgDDWm5mlWEgsZqCHwG0n94v7oqCBqY2WQdTJAM3TtKlX2nOPlLEmfLrwqtsS2r3QzLo=]
profiles::cobbler::params::default_password_crypted: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJidO18dSzKXgDEvFhigrDmiMTW+D7obTCZVAvl0JzQ6nqRdnh6Xa+j+yc7YzYtCg9VH60vfcutHFGhJptlMbTQq3vSUoF9ylgTutaW/to4T8jb8gBqK1n7b+devEQh4soJtOdAPSidCX4aqsP9dK3I8IijNWMABz59usGbY6oWedmC4865PBcxyIu3phWynNULTXPBEAqdXAutkh4N3P1ydFk3eARCVS3uWo7zaXVsu4vIkjYRDCUyFXBWb12L/NmQ2EhGwckPwgX/rcKRL9r49GxQTLBHJ5MoHQanwoiRw+5Tz3qLW69z+hk91VpnpkZgANc081rmhdyp6qmuIAVDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBiDUwXVJ6mmwzt4YAxg3+qgDDWm5mlWEgsZqCHwG0n94v7oqCBqY2WQdTJAM3TtKlX2nOPlLEmfLrwqtsS2r3QzLo=]

6
hieradata/roles/infra/cobbler/server.yaml
View File

@ -14,4 +14,8 @@ profiles::packages::install:
profiles::pki::vault::alt_names:
- cobbler.main.unkin.net
profiles::cobbler::server::service_cname: 'cobbler.main.unkin.net'
profiles::cobbler::params::service_cname: 'cobbler.main.unkin.net'
profiles::selinux::setenforce::mode: permissive
hiera_classes:
- profiles::selinux::setenforce

26
hieradata/country/au/region/drw1/infra/dhcp/server.yaml → hieradata/roles/infra/dhcp/server.yaml
View File

@ -16,10 +16,10 @@ profiles::dhcp::server::pools:
- '198.18.15.200 198.18.15.220'
gateway: 198.18.15.254
nameservers:
- 198.18.17.7
- 198.18.17.8
- 198.18.13.12
- 198.18.13.13
domain_name: main.unkin.net
pxeserver: 198.18.17.48
pxeserver: 198.18.13.27
syd1-test:
network: 198.18.16.0
mask: 255.255.255.0
@ -27,10 +27,10 @@ profiles::dhcp::server::pools:
- '198.18.16.200 198.18.16.220'
gateway: 198.18.16.254
nameservers:
- 198.18.17.7
- 198.18.17.8
- 198.18.13.12
- 198.18.13.13
domain_name: main.unkin.net
pxeserver: 198.18.17.48
pxeserver: 198.18.13.27
syd1-prod1:
network: 198.18.13.0
mask: 255.255.255.0
@ -38,10 +38,10 @@ profiles::dhcp::server::pools:
- '198.18.13.200 198.18.13.220'
gateway: 198.18.13.254
nameservers:
- 198.18.17.7
- 198.18.17.8
- 198.18.13.12
- 198.18.13.13
domain_name: main.unkin.net
pxeserver: 198.18.17.48
pxeserver: 198.18.13.27
syd1-prod2:
network: 198.18.14.0
mask: 255.255.255.0
@ -49,10 +49,10 @@ profiles::dhcp::server::pools:
- '198.18.14.200 198.18.14.220'
gateway: 198.18.14.254
nameservers:
- 198.18.17.7
- 198.18.17.8
- 198.18.13.12
- 198.18.13.13
domain_name: main.unkin.net
pxeserver: 198.18.17.48
pxeserver: 198.18.13.27
drw1-prod:
network: 198.18.17.0
mask: 255.255.255.0
@ -63,7 +63,7 @@ profiles::dhcp::server::pools:
- 198.18.17.7
- 198.18.17.8
domain_name: main.unkin.net
pxeserver: 198.18.17.48
pxeserver: 198.18.13.27
# UFI 64-bit
profiles::dhcp::server::classes:

58
hieradata/roles/infra/ovirt/engine.yaml
View File

@ -1,10 +1,50 @@
---
profiles::yum::global::managed_repos:
- 'virt-advanced-virtualization'
- 'storage-ceph-pacific'
- 'cloud-openstack-xena'
- 'messaging-rabbitmq-38'
- 'nfv-openvswitch-2'
- 'opstools-collectd-5'
- 'storage-gluster-10'
- 'virt-ovirt-45'
profiles::yum::global::repos:
centos_8_advanced_virtualization:
name: 'virt-advanced-virtualization'
descr: 'CentOS Advanced Virtualization'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_ceph_pacific:
name: 'storage-ceph-pacific'
descr: 'CentOS Ceph Pacific'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
centos_8_rabbitmq_38:
name: 'messaging-rabbitmq-38'
descr: 'CentOS RabbitMQ 38'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
centos_8_nfv_openvswitch:
name: 'nfv-openvswitch-2'
descr: 'CentOS NFV OpenvSwitch'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
centos_8_openstack_xena:
name: 'cloud-openstack-xena'
descr: 'CentOS OpenStack Xena'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
centos_8_opstools:
name: 'opstools-collectd-5'
descr: 'CentOS OpsTools - collectd'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
centos_8_ovirt45:
name: 'virt-ovirt-45'
descr: 'CentOS oVirt 4.5'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_stream_gluster10:
name: 'storage-gluster-10'
descr: 'CentOS oVirt 4.5 - Glusterfs 10'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'

59
hieradata/roles/infra/ovirt/node.yaml
View File

@ -1,17 +1,58 @@
---
profiles::firewall::firewalld::ensure_package: 'installed'
profiles::firewall::firewalld::ensure_service: 'running'
profiles::yum::global::managed_repos:
- 'virt-advanced-virtualization'
- 'storage-ceph-pacific'
- 'cloud-openstack-xena'
- 'messaging-rabbitmq-38'
- 'nfv-openvswitch-2'
- 'opstools-collectd-5'
- 'storage-gluster-10'
- 'virt-ovirt-45'
sudo::purge_ignore:
- '50_vdsm'
- '50_vdsm_hook_ovirt_provider_ovn_hook'
- '60_ovirt-ha'
profiles::yum::global::repos:
centos_8_advanced_virtualization:
name: 'virt-advanced-virtualization'
descr: 'CentOS Advanced Virtualization'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/advancedvirt-common
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_ceph_pacific:
name: 'storage-ceph-pacific'
descr: 'CentOS Ceph Pacific'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/ceph-pacific
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'
centos_8_rabbitmq_38:
name: 'messaging-rabbitmq-38'
descr: 'CentOS RabbitMQ 38'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/messaging/x86_64/rabbitmq-38
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Messaging'
centos_8_nfv_openvswitch:
name: 'nfv-openvswitch-2'
descr: 'CentOS NFV OpenvSwitch'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/nfv/x86_64/openvswitch-2
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-NFV'
centos_8_openstack_xena:
name: 'cloud-openstack-xena'
descr: 'CentOS OpenStack Xena'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/cloud/x86_64/openstack-xena
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Cloud'
centos_8_opstools:
name: 'opstools-collectd-5'
descr: 'CentOS OpsTools - collectd'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/opstools/x86_64/collectd-5
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-OpsTools'
centos_8_ovirt45:
name: 'virt-ovirt-45'
descr: 'CentOS oVirt 4.5'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/virt/x86_64/ovirt-45
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Virtualization'
centos_8_stream_gluster10:
name: 'storage-gluster-10'
descr: 'CentOS oVirt 4.5 - Glusterfs 10'
target: /etc/yum.repos.d/ovirt.repo
baseurl: https://edgecache.query.consul/centos/8-stream/storage/x86_64/gluster-10
gpgkey: 'https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage'

4
hieradata/roles/infra/puppetdb/sql.yaml Normal file
View File

@ -0,0 +1,4 @@
---
postgresql_config_entries:
max_connections: 300
shared_buffers: '256MB'

22
hieradata/roles/infra/sql/galera.yaml
View File

@ -1,11 +1,27 @@
---
profiles::sql::galera_member::cluster_name: galera01
profiles::sql::galera_member::galera_master: prodinf01n29.main.unkin.net
profiles::sql::galera_member::configure_firewall: false
profiles::sql::galera_member::wsrep_sst_method: rsync
profiles::sql::galera_member::galera_members_lookup: true
profiles::sql::galera_member::galera_members_role: roles::infra::sql::galera
profiles::sql::galera_member::datadir: /data/mariadb
profiles::sql::galera_member::innodb_buffer_pool_size: 256M
profiles::sql::galera_member::innodb_file_per_table: 1
profiles::sql::galera_member::package_name: mariadb-galera-server
consul::services:
mariadb:
service_name: "mariadb-%{facts.environment}"
tags:
- 'database'
- 'mariadb'
address: "%{facts.networking.ip}"
port: 3306
checks:
- id: 'mariadb_tcp_check'
name: 'MariaDB TCP Check'
tcp: "%{facts.networking.ip}:3306"
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: "mariadb-%{facts.environment}"
disposition: write

27
hieradata/roles/infra/storage/consul.yaml
View File

@ -18,6 +18,7 @@ profiles::consul::server::acl:
tokens:
initial_management: "%{alias('profiles::consul::server::acl_tokens_initial_management')}"
default: "%{alias('profiles::consul::server::acl_tokens_default')}"
replication: "%{alias('profiles::consul::server::acl_tokens_replication')}"
# additional altnames
profiles::pki::vault::alt_names:
@ -32,3 +33,29 @@ profiles::nginx::simpleproxy::nginx_aliases:
- consul.main.unkin.net
profiles::nginx::simpleproxy::proxy_port: 8500
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::consul::prepared_query::rules:
vault:
ensure: 'present'
service_name: 'vault'
service_failover_n: 3
service_only_passing: true
ttl: 10
puppet:
ensure: 'present'
service_name: 'puppet'
service_failover_n: 3
service_only_passing: true
ttl: 10
puppetca:
ensure: 'present'
service_name: 'puppetca'
service_failover_n: 3
service_only_passing: true
ttl: 10
edgecache:
ensure: 'present'
service_name: 'edgecache'
service_failover_n: 3
service_only_passing: true
ttl: 10

120
hieradata/roles/infra/storage/edgecache.yaml Normal file
View File

@ -0,0 +1,120 @@
---
consul::services:
edgecache:
service_name: 'edgecache'
tags:
- 'cache'
- 'edge'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'edgecache_https_check'
name: 'EdgeCache HTTPS Check'
http: "https://%{facts.networking.fqdn}"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: edgecache
disposition: write
# additional altnames
profiles::pki::vault::alt_names:
- edgecache.service.consul
- edgecache.query.consul
profiles::edgecache::params::nginx_resolvers_enable: true
profiles::edgecache::params::nginx_resolvers_ipv4only: true
profiles::edgecache::params::nginx_listen_mode: both
profiles::edgecache::params::nginx_cert_type: vault
profiles::edgecache::params::nginx_aliases:
- edgecache.service.consul
- edgecache.query.consul
profiles::edgecache::params::directories:
/data/edgecache: { owner: root, group: root }
/data/edgecache/pub: { owner: nginx, group: nginx }
/data/edgecache/pub/centos: { owner: nginx, group: nginx }
/data/edgecache/pub/almalinux: { owner: nginx, group: nginx }
/data/edgecache/pub/debian: { owner: nginx, group: nginx }
/data/edgecache/pub/epel: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx }
/data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx }
profiles::edgecache::params::mirrors:
debian:
ensure: present
location: /debian
proxy: http://mirror.gsl.icu
debian_pool:
ensure: present
location: /debian/pool
proxy: http://mirror.gsl.icu
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
centos_repodata:
ensure: present
location: '~* ^/centos/.*/repodata/'
proxy: http://gsl-syd.mm.fcix.net
centos_data:
ensure: present
location: /centos
proxy: http://gsl-syd.mm.fcix.net
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
almalinux_repodata:
ensure: present
location: '~* ^/almalinux/.*/repodata/'
proxy: http://gsl-syd.mm.fcix.net
almalinux_data:
ensure: present
location: /almalinux
proxy: http://gsl-syd.mm.fcix.net
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
epel_repodata:
ensure: present
location: '~* ^/epel/.*/repodata/'
proxy: http://gsl-syd.mm.fcix.net
epel_data:
ensure: present
location: /epel
proxy: http://gsl-syd.mm.fcix.net
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
postgres_yum_repodata:
ensure: present
location: '~* ^/postgres/yum/.*/repodata/'
rewrite_rules:
- '^/postgres/yum/(.*)$ /pub/repos/yum/$1 break'
proxy: https://download.postgresql.org
postgres_yum_data:
ensure: present
location: /postgres/yum
proxy: https://download.postgresql.org/pub/repos/yum
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'
postgres_apt:
ensure: present
location: /postgres/apt
proxy: https://download.postgresql.org/pub/repos/apt
postgres_apt_pool:
ensure: present
location: /postgres/apt/pool
proxy: https://download.postgresql.org/pub/repos/apt/pool
proxy_cache: cache
proxy_cache_valid:
- '200 302 1440h'
- '404 1m'

8
modules/libs/lib/facter/cobbler_data_dir_exists.rb Normal file
View File

@ -0,0 +1,8 @@
# frozen_string_literal: true
Facter.add('cobbler_data_dir_exists') do
confine enc_role: 'roles::infra::cobbler::server'
setcode do
File.exist?('/data/cobbler')
end
end

8
modules/libs/lib/facter/cobbler_var_www_exists.rb Normal file
View File

@ -0,0 +1,8 @@
# frozen_string_literal: true
Facter.add('cobbler_var_www_exists') do
confine enc_role: 'roles::infra::cobbler::server'
setcode do
File.exist?('/var/www/cobbler')
end
end

8
modules/libs/lib/facter/cobbler_var_www_islink.rb Normal file
View File

@ -0,0 +1,8 @@
# frozen_string_literal: true
Facter.add('cobbler_var_www_islink') do
confine enc_role: 'roles::infra::cobbler::server'
setcode do
File.exist?('/var/www/cobbler') and File.symlink?('/var/www/cobbler')
end
end

8
modules/libs/lib/facter/firstrun.rb Normal file
View File

@ -0,0 +1,8 @@
# frozen_string_literal: true
Facter.add(:firstrun) do
confine kernel: 'Linux'
setcode do
File.exist?('/root/.cache/puppet_firstrun_complete') ? false : true
end
end

9
modules/libs/lib/facter/nameservers.rb Normal file
View File

@ -0,0 +1,9 @@
# frozen_string_literal: true
Facter.add(:nameservers) do
confine kernel: 'Linux'
setcode do
nameservers = File.readlines('/etc/resolv.conf').grep(/^nameserver\s+(\S+)/) { Regexp.last_match(1) }
nameservers
end
end

7
site/profiles/manifests/base.pp
View File

@ -3,6 +3,11 @@ class profiles::base (
Array $puppet_servers,
) {
# run a limited set of classes on the first run aimed at bootstrapping the new node
if $facts['firstrun'] {
include profiles::firstrun::init
}else{
# install the vault ca first
include profiles::pki::vaultca
@ -57,5 +62,5 @@ class profiles::base (
Class['profiles::pki::vaultca']
-> Class['profiles::base::repos']
-> Class['profiles::packages']
}
}

77
site/profiles/manifests/cobbler/config.pp Normal file
View File

@ -0,0 +1,77 @@
# profiles::cobbler::config
class profiles::cobbler::config {
include profiles::cobbler::params
$default_password_crypted = $profiles::cobbler::params::default_password_crypted
$httpd_ssl_certificate = $profiles::cobbler::params::httpd_ssl_certificate
$httpd_ssl_privatekey = $profiles::cobbler::params::httpd_ssl_privatekey
$pxe_just_once = $profiles::cobbler::params::pxe_just_once
$is_cobbler_master = $profiles::cobbler::params::is_cobbler_master
$service_cname = $profiles::cobbler::params::service_cname
$next_server = $profiles::cobbler::params::next_server
$server = $profiles::cobbler::params::server
# manage the cobbler settings file
file { '/etc/cobbler/settings.yaml':
ensure => 'file',
content => template('profiles/cobbler/settings.yaml.erb'),
group => 'apache',
owner => 'root',
mode => '0640',
require => Package['cobbler'],
notify => Service['cobblerd'],
}
# manage the debmirror config to meet cobbler requirements
file { '/etc/debmirror.conf':
ensure => 'file',
content => template('profiles/cobbler/debmirror.conf.erb'),
group => 'root',
owner => 'root',
mode => '0644',
require => Package['debmirror'],
}
# manage the httpd ssl configuration
file { '/etc/httpd/conf.d/ssl.conf':
ensure => 'file',
content => template('profiles/cobbler/httpd_ssl.conf.erb'),
group => 'root',
owner => 'root',
mode => '0644',
require => Package['httpd'],
notify => Service['httpd'],
}
# fix permissions in /var/lib/cobbler/web.ss
file {'/var/lib/cobbler/web.ss':
ensure => 'file',
group => 'root',
owner => 'apache',
mode => '0660',
require => Package['cobbler'],
notify => Service['cobblerd'],
}
# manage the main ipxe menu script
file { '/var/lib/tftpboot/main.ipxe':
ensure => 'file',
content => template('profiles/cobbler/main.ipxe.erb'),
owner => 'root',
group => 'root',
mode => '0644',
require => Package['cobbler'],
}
# export cnames for cobbler
if $is_cobbler_master {
profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
value => $::facts['networking']['hostname'],
type => 'CNAME',
record => "${service_cname}.",
zone => $::facts['networking']['domain'],
order => 10,
}
}
}

17
site/profiles/manifests/cobbler/init.pp Normal file
View File

@ -0,0 +1,17 @@
# profiles::cobbler::init
class profiles::cobbler::init (
) {
# wait for enc_role to be populated, needed for hieradata to match
if $facts['enc_role'] == 'roles::infra::cobbler::server' {
include profiles::cobbler::config
include profiles::cobbler::install
include profiles::cobbler::ipxebins
include profiles::cobbler::selinux
include profiles::cobbler::service
Class['profiles::cobbler::install']
-> Class['profiles::cobbler::config']
-> Class['profiles::cobbler::ipxebins']
-> Class['profiles::cobbler::selinux']
}
}

34
site/profiles/manifests/cobbler/install.pp Normal file
View File

@ -0,0 +1,34 @@
# profiles::cobbler::install
class profiles::cobbler::install {
include profiles::cobbler::params
$packages = $profiles::cobbler::params::packages
ensure_packages($packages, { ensure => 'present' })
# move the /var/www/cobbler directory to /data/cobbler
if ! $facts['cobbler_var_www_islink'] and ! $facts['cobbler_data_exists'] {
exec {'move_cobbler_data':
command => 'mv /var/www/cobbler /data/cobbler',
onlyif => 'test -d /var/www/cobbler',
path => ['/bin', '/usr/bin'],
before => Service['cobblerd'],
}
file { '/var/www/cobbler':
ensure => 'link',
target => '/data/cobbler',
require => Exec['move_cobbler_data'],
before => Service['httpd'],
notify => Service['httpd'],
}
}
if ! $facts['cobbler_var_www_exists'] and $facts['cobbler_data_exists'] {
file { '/var/www/cobbler':
ensure => 'link',
target => '/data/cobbler',
before => Service['httpd'],
notify => Service['httpd'],
}
}
}

2
site/profiles/manifests/cobbler/ipxebins.pp
View File

@ -1,6 +1,8 @@
# profiles::cobbler::ipxebins
class profiles::cobbler::ipxebins {
include profiles::cobbler::params
# download the custom undionly.kpxe file
# https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1
exec { 'download_undionly_kpxe':

25
site/profiles/manifests/cobbler/params.pp Normal file
View File

@ -0,0 +1,25 @@
# profiles::cobbler::params
class profiles::cobbler::params (
Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
Stdlib::Fqdn $service_cname = $facts['networking']['fqdn'],
String $default_password_crypted = 'changeme',
String $server = $::facts['networking']['ip'],
String $next_server = $::facts['networking']['ip'],
Boolean $pxe_just_once = true,
Boolean $is_cobbler_master = false,
Array $packages = [
'cobbler',
'cobbler3.2-web',
'httpd',
'syslinux',
'dnf-plugins-core',
'debmirror',
'pykickstart',
'fence-agents',
'selinux-policy-devel',
'ipxe-bootimgs',
]
){
}

48
site/profiles/manifests/cobbler/selinux.pp Normal file
View File

@ -0,0 +1,48 @@
# profiles::cobbler::selinux
class profiles::cobbler::selinux inherits profiles::cobbler::params {
include profiles::cobbler::params
$tftpboot_path = $profiles::cobbler::params::tftpboot_path
# manage selinux requirements for cobbler
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
$enable_sebooleans = [
'httpd_can_network_connect_cobbler',
'httpd_serve_cobbler_files',
'cobbler_can_network_connect'
]
$enable_sebooleans.each |$bool| {
selboolean { $bool:
value => on,
persistent => true,
}
}
selinux::fcontext { $tftpboot_path:
ensure => 'present',
seltype => 'cobbler_var_lib_t',
pathspec => "${tftpboot_path}(/.*)?",
}
selinux::fcontext { '/data/cobbler':
ensure => 'present',
seltype => 'cobbler_var_lib_t',
pathspec => '/data/cobbler(/.*)?',
}
exec { "restorecon_${tftpboot_path}":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${tftpboot_path}",
refreshonly => true,
subscribe => Selinux::Fcontext[$tftpboot_path],
}
exec { 'restorecon_/data/cobbler':
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => 'restorecon -Rv /data/cobbler',
refreshonly => true,
subscribe => Selinux::Fcontext['/data/cobbler'],
}
}
}

119
site/profiles/manifests/cobbler/server.pp
View File

@ -1,119 +0,0 @@
# profiles::cobbler::server
class profiles::cobbler::server (
Stdlib::Fqdn $service_cname,
String $default_password_crypted,
Stdlib::Absolutepath $httpd_ssl_certificate = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $httpd_ssl_privatekey = '/etc/pki/tls/vault/private.key',
Stdlib::Absolutepath $tftpboot_path = '/var/lib/tftpboot/boot',
String $server = $::facts['networking']['ip'],
String $next_server = $::facts['networking']['ip'],
Boolean $pxe_just_once = true,
) {
include profiles::cobbler::ipxebins
# manage the cobbler settings file
file { '/etc/cobbler/settings.yaml':
ensure => 'file',
content => template('profiles/cobbler/settings.yaml.erb'),
group => 'apache',
owner => 'root',
mode => '0640',
require => Package['cobbler'],
notify => Service['cobblerd'],
}
# fix permissions in /var/lib/cobbler/web.ss
file {'/var/lib/cobbler/web.ss':
ensure => 'file',
group => 'root',
owner => 'apache',
mode => '0660',
require => Package['cobbler'],
notify => Service['cobblerd'],
}
# manage the debmirror config to meet cobbler requirements
file { '/etc/debmirror.conf':
ensure => 'file',
content => template('profiles/cobbler/debmirror.conf.erb'),
group => 'root',
owner => 'root',
mode => '0644',
require => Package['debmirror'],
}
# manage the httpd ssl configuration
file { '/etc/httpd/conf.d/ssl.conf':
ensure => 'file',
content => template('profiles/cobbler/httpd_ssl.conf.erb'),
group => 'root',
owner => 'root',
mode => '0644',
require => Package['httpd'],
notify => Service['httpd'],
}
# manage the main ipxe menu script
file { '/var/lib/tftpboot/main.ipxe':
ensure => 'file',
content => template('profiles/cobbler/main.ipxe.erb'),
owner => 'root',
group => 'root',
mode => '0644',
require => Package['cobbler'],
}
# ensure cobblerd is running
service {'cobblerd':
ensure => 'running',
enable => true,
require => File['/etc/cobbler/settings.yaml'],
}
# ensure httpd is running
service {'httpd':
ensure => 'running',
enable => true,
require => File['/etc/httpd/conf.d/ssl.conf'],
}
# export cnames for cobbler
profiles::dns::record { "${::facts['networking']['fqdn']}_${service_cname}_CNAME":
value => $::facts['networking']['hostname'],
type => 'CNAME',
record => "${service_cname}.",
zone => $::facts['networking']['domain'],
order => 10,
}
# manage selinux requirements for cobbler
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
$enable_sebooleans = [
'httpd_can_network_connect_cobbler',
'httpd_serve_cobbler_files',
'cobbler_can_network_connect'
]
$enable_sebooleans.each |$bool| {
selboolean { $bool:
value => on,
persistent => true,
}
}
selinux::fcontext { $tftpboot_path:
ensure => 'present',
seltype => 'cobbler_var_lib_t',
pathspec => "${tftpboot_path}(/.*)?",
}
exec { "restorecon_${tftpboot_path}":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${tftpboot_path}",
refreshonly => true,
subscribe => Selinux::Fcontext[$tftpboot_path],
}
}
}

17
site/profiles/manifests/cobbler/service.pp Normal file
View File

@ -0,0 +1,17 @@
# profiles::cobbler::service
class profiles::cobbler::service inherits profiles::cobbler::params {
# ensure cobblerd is running
service {'cobblerd':
ensure => 'running',
enable => true,
require => File['/etc/cobbler/settings.yaml'],
}
# ensure httpd is running
service {'httpd':
ensure => 'running',
enable => true,
require => File['/etc/httpd/conf.d/ssl.conf'],
}
}

14
site/profiles/manifests/consul/prepared_query.pp Normal file
View File

@ -0,0 +1,14 @@
# profile::consul::prepared_query
class profiles::consul::prepared_query (
String $root_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
Hash $rules = {},
) {
$rules.each | $rule, $data | {
consul_prepared_query { $rule:
acl_api_token => $root_api_token,
hostname => $facts['networking']['ip'],
* => $data,
}
}
}

21
site/profiles/manifests/consul/server.pp
View File

@ -43,6 +43,8 @@ class profiles::consul::server (
Stdlib::Absolutepath $bin_dir = '/usr/bin',
Boolean $disable_remote_exec = true,
Boolean $disable_update_check = true,
Boolean $join_remote_regions = false,
Array[String] $remote_regions = [],
) {
# wait for all attributes to be ready
@ -62,6 +64,21 @@ class profiles::consul::server (
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
if $join_remote_regions {
# get all nodes in the members_role for each other region
$region_to_servers = $remote_regions.reduce({}) |$memo, $region| {
$servers = sort(query_nodes("enc_role='${members_role}' and region='${region}'", 'networking.fqdn'))
$memo + { $region => $servers }
}
# sort and flatten the regions into a single array of fqdns
$remote_servers_array = sort(flatten($region_to_servers.values))
} else {
# else just send an empty array
$remote_servers_array = []
}
# else use provided array from params
}else{
$servers_array = $consul_servers
@ -97,7 +114,8 @@ class profiles::consul::server (
'performance' => { 'raft_multiplier' => $raft_multiplier },
'bind_addr' => $::facts['networking']['ip'],
'advertise_addr' => $::facts['networking']['ip'],
'retry_join' => $servers_array
'retry_join' => $servers_array,
'retry_join_wan' => $remote_servers_array,
},
}
}
@ -109,6 +127,7 @@ class profiles::consul::server (
include profiles::nginx::simpleproxy
include profiles::consul::policies
include profiles::consul::tokens
include profiles::consul::prepared_query
# get the dns port from the $ports hash, otherwise use the default
$dns_port = pick($ports['dns'], 8600)

7
site/profiles/manifests/defaults.pp
View File

@ -9,6 +9,8 @@ class profiles::defaults {
Package {
ensure => present,
require => Class['profiles::base::repos']
}
File {
@ -29,6 +31,11 @@ class profiles::defaults {
}
Yumrepo {
ensure => 'present',
enabled => 1,
gpgcheck => 1,
mirrorlist => 'absent',
require => Class['profiles::pki::vaultca'],
notify => Exec['dnf_makecache'],
}
}

2
site/profiles/manifests/dhcp/server.pp
View File

@ -13,6 +13,7 @@ class profiles::dhcp::server (
Hash $classes = {},
){
if $facts['enc_role'] == 'roles::infra::dhcp::server' {
class { 'dhcp':
service_ensure => running,
interfaces => $interfaces,
@ -35,3 +36,4 @@ class profiles::dhcp::server (
}
}
}
}

12
site/profiles/manifests/edgecache/init.pp Normal file
View File

@ -0,0 +1,12 @@
# profiles::edgecache::init
class profiles::edgecache::init {
if $facts['enc_role'] == 'roles::infra::storage::edgecache' {
include profiles::edgecache::nginx
include profiles::edgecache::selinux
Class['profiles::edgecache::nginx']
-> Class['profiles::edgecache::selinux']
}
}

129
site/profiles/manifests/edgecache/nginx.pp Normal file
View File

@ -0,0 +1,129 @@
# profiles::edgecache::nginx
class profiles::edgecache::nginx {
include profiles::edgecache::params
$data_root = $profiles::edgecache::params::data_root
$nginx_vhost = $profiles::edgecache::params::nginx_vhost
$nginx_aliases = $profiles::edgecache::params::nginx_aliases
$nginx_port = $profiles::edgecache::params::nginx_port
$nginx_ssl_port = $profiles::edgecache::params::nginx_ssl_port
$nginx_listen_mode = $profiles::edgecache::params::nginx_listen_mode
$nginx_cert_type = $profiles::edgecache::params::nginx_cert_type
$nginx_resolvers_enable = $profiles::edgecache::params::nginx_resolvers_enable
$nginx_resolvers_ipv4only = $profiles::edgecache::params::nginx_resolvers_ipv4only
# select the certificates to use based on cert type
case $nginx_cert_type {
'puppet': {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
# enum param prevents this ever being reached
}
}
# set variables based on the listen_mode
case $nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_ssl_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
'both': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
# enum param prevents this ever being reached
}
}
if $nginx_resolvers_ipv4only and $nginx_resolvers_enable {
$resolvers = $facts['nameservers'].join(' ')
file { '/etc/nginx/conf.d/resolvers.conf':
ensure => file,
content => "resolver ${resolvers} ipv4=on;\n",
}
}
# set the server_names
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
# define the default parameters for the nginx server
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
'www_root' => "${data_root}/pub",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
}
# ensure the requires directories exist
$profiles::edgecache::params::directories.each |$name,$data| {
file { $name:
ensure => 'directory',
before => Class['nginx'],
mode => '0775',
* => $data,
}
}
# merge the hashes conditionally
$nginx_parameters = merge($defaults, $extras_hash)
# manage the nginx class
class { 'nginx':
proxy_cache_path => {
"${data_root}/cache" => 'cache:128m',
},
proxy_cache_levels => '1:2',
proxy_cache_keys_zone => 'cache:128m',
proxy_cache_max_size => '30000m',
proxy_cache_inactive => '60d',
proxy_temp_path => "${data_root}/cache_tmp",
}
# create the nginx vhost with the merged parameters
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
# create location mirrors
$profiles::edgecache::params::mirrors.each |$name, $data| {
nginx::resource::location { "${nginx_vhost}_${name}":
server => $nginx_vhost,
ssl => true,
ssl_only => false,
* => $data,
}
}
}

15
site/profiles/manifests/edgecache/params.pp Normal file
View File

@ -0,0 +1,15 @@
# profiles::edgecache::params
class profiles::edgecache::params (
Stdlib::Absolutepath $data_root = '/data/edgecache',
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'http',
Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
Boolean $nginx_resolvers_enable = false,
Boolean $nginx_resolvers_ipv4only = false,
Hash $directories = {},
Hash $mirrors = {},
){
}

56
site/profiles/manifests/edgecache/selinux.pp Normal file
View File

@ -0,0 +1,56 @@
# profiles::edgecache::selinux
class profiles::edgecache::selinux {
include profiles::edgecache::params
$data_root = $profiles::edgecache::params::data_root
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
# set httpd_sys_content_t to all files under the www_root
selinux::fcontext { "${data_root}/pub":
ensure => 'present',
seltype => 'httpd_sys_content_t',
pathspec => "${data_root}/pub(/.*)?",
}
# set httpd_sys_rw_content_t to all files under the cache_root
selinux::fcontext { "${data_root}/cache":
ensure => 'present',
seltype => 'httpd_sys_rw_content_t',
pathspec => "${data_root}/cache(/.*)?",
}
selinux::fcontext { "${data_root}/cache_tmp":
ensure => 'present',
seltype => 'httpd_sys_rw_content_t',
pathspec => "${data_root}/cache_tmp(/.*)?",
}
# make sure we can connect to other hosts
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
exec { "restorecon_${data_root}/pub":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_root}/pub",
refreshonly => true,
subscribe => Selinux::Fcontext["${data_root}/pub"],
}
exec { "restorecon_${data_root}/cache":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_root}/cache",
refreshonly => true,
subscribe => Selinux::Fcontext["${data_root}/cache"],
}
exec { "restorecon_${data_root}/cache_tmp":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_root}/cache_tmp",
refreshonly => true,
subscribe => Selinux::Fcontext["${data_root}/cache_tmp"],
}
}
}

19
site/profiles/manifests/firstrun/complete.pp Normal file
View File

@ -0,0 +1,19 @@
# profiles::firstrun::complete
class profiles::firstrun::complete {
file { '/root/.cache':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0750',
}
file {'/root/.cache/puppet_firstrun_complete':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0750',
content => 'firstrun completed',
require => File['/root/.cache'],
}
}

20
site/profiles/manifests/firstrun/init.pp Normal file
View File

@ -0,0 +1,20 @@
# profiles::firstrun::init
class profiles::firstrun::init {
# include the required CA certificates
include profiles::pki::vaultca
# fast install packages on the first run
include profiles::base::repos
include profiles::firstrun::packages
# mark the firstrun as done
include profiles::firstrun::complete
Class['profiles::defaults']
-> Class['profiles::pki::vaultca']
-> Class['profiles::base::repos']
-> Class['profiles::firstrun::packages']
-> Class['profiles::firstrun::complete']
}

27
site/profiles/manifests/firstrun/packages.pp Normal file
View File

@ -0,0 +1,27 @@
# profiles::firstrun::packages
class profiles::firstrun::packages {
# include the correct package repositories, define the install_packages exec
case $facts['os']['family'] {
'RedHat': {
include profiles::yum::global
$install_command = 'dnf install -y'
}
'Debian': {
include profiles::apt::global
$install_command = 'apt-get install -y'
}
default: {
fail("Unsupported OS family ${facts['os']['family']}")
}
}
# get all the packages to install, and convert into a space separated list
$packages = hiera_array('profiles::packages::install', [])
$package_list = $packages.join(' ')
# install all the packages
exec { 'install_packages':
command => "${install_command} ${package_list}",
path => ['/bin', '/usr/bin'],
}
}

2
site/profiles/manifests/puppet/agent.pp
View File

@ -19,7 +19,7 @@ class profiles::puppet::agent (
# Ensure the puppet-agent package is installed and locked to a specific version
package { 'puppet-agent':
ensure => $puppet_version,
require => Class['profiles::yum::puppet7'],
require => Yumrepo['puppet'],
}
# versionlock puppet-agent

8
site/profiles/manifests/puppet/puppetdb_sql.pp
View File

@ -24,4 +24,12 @@ class profiles::puppet::puppetdb_sql (
contain ::puppetdb::database::postgresql
# create the postgresql::server::config_entry resources
$pg_config_entries = lookup('postgresql_config_entries', Hash[String, Data], 'hash', {})
$pg_config_entries.each |String $key, Data $value| {
postgresql::server::config_entry { $key:
ensure => 'present',
value => $value,
}
}
}

6
site/profiles/manifests/sql/galera_member.pp
View File

@ -47,7 +47,7 @@ class profiles::sql::galera_member (
}
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${galera_members_role}'", 'networking.fqdn'))
$servers_array = sort(query_nodes("enc_role='${galera_members_role}' and region='${facts['region']}'", 'networking.fqdn'))
# else use provided array from params
}else{
@ -103,7 +103,8 @@ class profiles::sql::galera_member (
'binlog_format' => 'ROW',
'default-storage-engine' => 'innodb',
'query_cache_size' => '0',
'query_cache_type' => '0'
'query_cache_type' => '0',
'bind-address' => $local_ip,
}
}
$default_override_options_galera = {
@ -211,4 +212,5 @@ class profiles::sql::galera_member (
}else{
notice("${title} requires the servers_array to have 3 or more, currently it is ${length($servers_array)}.")
}
}

92
site/profiles/manifests/yum/base.pp
View File

@ -1,92 +0,0 @@
# Class: profiles::yum::base
#
# This class manages the 'base', extras' and 'appstream' yum
# repositories for a system, based on the provided list of managed repositories.
#
# Parameters:
# -----------
# - $managed_repos: An array containing the names of the repositories to be
# managed. This can include 'base', 'extras',
# and 'appstream'.
#
# - $baseurl: The base URL for the yum repositories. This should be the root
# URL of your yum mirror server.
#
# Actions:
# --------
# - Sets up the 'base', extras', and 'appstream' yum repositories
# as specified in the $managed_repos parameter, all using the provided baseurl.
#
# - Each repo configuration includes the baseurl parameterized with the OS
# release version and architecture, and specifies the GPG key.
#
# Example usage:
# --------------
# To use this class with the default parameters:
# class { 'profiles::yum::base':
# managed_repos => ['base', 'extras', 'appstream'],
# baseurl => 'http://mylocalmirror.com/yum',
# }
#
class profiles::yum::base (
Array[String] $managed_repos,
String $baseurl,
Enum[
'daily',
'weekly',
'monthly'
] $snapshot = 'daily',
) {
$release = $facts['os']['release']['full']
$basearch = $facts['os']['architecture']
if 'base' in $managed_repos {
yumrepo { 'base':
name => 'base',
descr => 'base repository',
target => '/etc/yum.repos.d/base.repo',
baseurl => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/BaseOS-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
}
}
if 'extras' in $managed_repos {
yumrepo { 'extras':
name => 'extras',
descr => 'extras repository',
target => '/etc/yum.repos.d/extras.repo',
baseurl => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/extras-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
}
}
if 'appstream' in $managed_repos {
yumrepo { 'appstream':
name => 'appstream',
descr => 'appstream repository',
target => '/etc/yum.repos.d/appstream.repo',
baseurl => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/AppStream-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
}
}
if 'powertools' in $managed_repos {
yumrepo { 'powertools':
name => 'powertools',
descr => 'powertools repository',
target => '/etc/yum.repos.d/powertools.repo',
baseurl => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/PowerTools-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
}
}
if 'highavailability' in $managed_repos {
yumrepo { 'highavailability':
name => 'highavailability',
descr => 'highavailability repository',
target => '/etc/yum.repos.d/highavailability.repo',
baseurl => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/HighAvailability-${snapshot}/${basearch}/os/RPM-GPG-KEY-${facts['os']['name']}",
}
}
}

48
site/profiles/manifests/yum/epel.pp
View File

@ -1,48 +0,0 @@
# Class: profiles::yum::epel
#
# This class manages the EPEL yum repository for the system.
#
# Parameters:
# -----------
# - $baseurl: The base URL for the EPEL yum repository. This should be the root
# URL of your EPEL mirror server.
#
# Actions:
# --------
# - Checks the OS release version.
#
# - If the release version is 7, 8, or 9, it sets up the 'epel' yum repository
#
# - If the release version is not supported, it raises an error.
#
# Example usage:
# --------------
# To use this class with the default parameters:
# include profiles::yum::epel
#
# To specify a custom base URL:
# class { 'profiles::yum::epel':
# baseurl => 'http://mylocalmirror.com/yum',
# }
class profiles::yum::epel (
Array[String] $managed_repos,
String $baseurl,
Enum[
'daily',
'weekly',
'monthly'
] $snapshot = 'daily',
) {
$release = $facts['os']['release']['major']
$basearch = $facts['os']['architecture']
if 'epel' in $managed_repos {
yumrepo { 'epel':
name => 'epel',
descr => 'epel repository',
target => '/etc/yum.repos.d/epel.repo',
baseurl => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/${release}/Everything-${snapshot}/${basearch}/os/RPM-GPG-KEY-EPEL-${release}",
}
}
}

103
site/profiles/manifests/yum/global.pp
View File

@ -1,47 +1,6 @@
# Class: profiles::yum::global
#
# This class manages global YUM configurations and optionally includes the
# base and EPEL yum repository profiles based on the content of the
# $managed_repos parameter, which is an array of repository names.
#
# Parameters:
# -----------
# - $managed_repos: An array of repository names that the Puppet agent should
# manage. This parameter is mandatory and the class will
# fail if it is not provided via hieradata.
# Example: ['base', 'updates', 'extras', 'appstream']
#
# Actions:
# --------
# - Configures global YUM settings, including keeping the kernel development
# packages and cleaning old kernels.
#
# - Establishes default parameters for any YUM repositories managed by Puppet.
# This includes the repository file location, the repository description,
# and enabling the repository and GPG checks.
#
# - Depending on the content of the $managed_repos parameter, it includes the
# profiles::yum::base and/or profiles::yum::epel classes.
#
# - Manages all .repo files under /etc/yum.repos.d. All the repositories listed
# in $managed_repos will have their corresponding .repo files preserved. Any
# .repo file that is not listed in $managed_repos will be removed.
#
# - Creates and maintains a /etc/yum.repos.d/.managed file that lists all the
# .repo files that should be managed by Puppet.
#
# Example usage:
# --------------
# To use this class, include the class and configure hieradata:
# include profiles::yum::global
#
# profiles::yum::managed_repos:
# - 'base'
# - 'extras'
# - 'appstream'
#
class profiles::yum::global (
Array[String] $managed_repos,
Hash $repos = {},
Boolean $purge = true,
){
class { 'yum':
@ -52,54 +11,34 @@ class profiles::yum::global (
},
}
Yumrepo {
ensure => 'present',
enabled => 1,
gpgcheck => 1,
mirrorlist => 'absent',
}
# purge all yum repos not defined by puppet
resources { 'yumrepo':
purge => $purge,
}
# Generate the content for the .managed file
$managed_file_content = $managed_repos.map |$repo_name| { "${repo_name}.repo" }.join("\n")
# download all gpg keys if a repo defines it
$repos.each |$name, $repo| {
if $repo['gpgkey'] {
$key_url = $repo['gpgkey']
$key_file = "/etc/pki/rpm-gpg/${name}-gpg-key"
# Create the .managed file
file { '/etc/yum.repos.d/.managed':
ensure => file,
content => $managed_file_content,
exec { "download_gpg_key_${name}":
command => "curl -s -o ${key_file} ${key_url} && rpm --import ${key_file}",
path => ['/bin', 'usr/bin'],
creates => $key_file,
before => Yumrepo[$name],
}
}
}
# Setup base repos
class { 'profiles::yum::base':
managed_repos => $managed_repos,
require => Class['profiles::pki::vaultca'],
}
# create repos
create_resources('yumrepo', $repos)
# Setup epel if included in managed_repos
class { 'profiles::yum::epel':
managed_repos => $managed_repos,
require => Class['profiles::pki::vaultca'],
}
# Setup puppet7 if included in managed_repos
class { 'profiles::yum::puppet7':
managed_repos => $managed_repos,
require => Class['profiles::pki::vaultca'],
}
# Setup unkin repo if included in managed_repos
class { 'profiles::yum::unkin':
managed_repos => $managed_repos,
require => Class['profiles::pki::vaultca'],
}
# Setup ovirt repo if included in managed_repos
class { 'profiles::yum::ovirt':
managed_repos => $managed_repos,
require => Class['profiles::pki::vaultca'],
# makecache if changes made to repos
exec {'dnf_makecache':
command => 'dnf makecache -q',
path => ['/usr/bin', '/bin'],
refreshonly => true,
}
# setup dnf-autoupdate

25
site/profiles/manifests/yum/mariadb.pp
View File

@ -1,25 +0,0 @@
# Class: profiles::yum::mariadb
#
# This class manages the mariadb yum repository for the system.
#
class profiles::yum::mariadb (
String $baseurl = 'https://repos.main.unkin.net',
String $version = '11.2',
Enum[
'daily',
'weekly',
'monthly'
] $snapshot = 'daily',
) {
$release = $facts['os']['release']['major']
$basearch = $facts['os']['architecture']
yumrepo { 'mariadb':
name => 'mariadb',
descr => 'mariadb repository',
target => '/etc/yum.repos.d/mariadb.repo',
baseurl => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/",
gpgkey => "${baseurl}/mariadb/${version}/el${release}-${snapshot}/${basearch}/os/RPM-GPG-KEY-MariaDB",
require => Class['profiles::pki::vaultca'],
}
}

48
site/profiles/manifests/yum/ovirt.pp
View File

@ -1,48 +0,0 @@
# Class: profiles::yum::ovirt
class profiles::yum::ovirt (
Array[String] $managed_repos,
String $baseurl,
Enum[
'daily',
'weekly',
'monthly'
] $snapshot = 'daily',
) {
$release = $facts['os']['release']['major']
$basearch = $facts['os']['architecture']
$centos_nonstream = [
'virt-advanced-virtualization',
'storage-ceph-pacific'
]
$centos_stream = [
'cloud-openstack-xena',
'messaging-rabbitmq-38',
'nfv-openvswitch-2',
'opstools-collectd-5',
'storage-gluster-10',
'virt-ovirt-45'
]
$centos_nonstream.each |$name| {
if $name in $managed_repos {
yumrepo { $name:
name => $name,
descr => $name,
target => '/etc/yum.repos.d/ovirt.repo',
baseurl => "${baseurl}/${release}/${name}-20240311/${basearch}/os/",
gpgcheck => false,
}
}
}
$centos_stream.each |$name| {
if $name in $managed_repos {
yumrepo { $name:
name => $name,
descr => $name,
target => '/etc/yum.repos.d/ovirt.repo',
baseurl => "${baseurl}/${release}-stream/${name}-20240311/${basearch}/os/",
gpgcheck => false,
}
}
}
}

48
site/profiles/manifests/yum/puppet7.pp
View File

@ -1,48 +0,0 @@
# Class: profiles::yum::epel
#
# This class manages the puppet7 yum repository for the system.
#
# Parameters:
# -----------
# - $baseurl: The base URL for the puppet7 yum repository. This should be the root
# URL of your puppet7 mirror server.
#
# Actions:
# --------
# - Checks the OS release version.
#
# - If the release version is 7, 8, or 9, it sets up the 'puppet7' yum repository
# and installs the puppet7 release RPM from the provided baseurl.
#
# - If the release version is not supported, it raises an error.
#
# - The repo configuration includes the baseurl parameterized with the OS
# release version and architecture, and specifies the GPG key.
#
# Example usage:
# --------------
# To use this class with the default parameters:
# include profiles::yum::puppet7
#
# To specify a custom base URL:
# class { 'profiles::yum::puppet7':
# baseurl => 'http://mylocalmirror.com/yum',
# }
class profiles::yum::puppet7 (
Array[String] $managed_repos,
String $baseurl = 'http://repos.main.unkin.net/puppet7',
) {
$releasever = $facts['os']['release']['major']
$basearch = $facts['os']['architecture']
if 'puppet7' in $managed_repos {
yumrepo { 'puppet7':
name => 'puppet7',
descr => 'puppet7 repository',
target => '/etc/yum.repos.d/puppet7.repo',
baseurl => "${baseurl}/el/${releasever}-daily/${basearch}/os/",
gpgkey => 'https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406',
#gpgkey => "${baseurl}/el/${releasever}-daily/${basearch}/os/RPM-GPG-KEY-puppet",
}
}
}

23
site/profiles/manifests/yum/unkin.pp
View File

@ -1,23 +0,0 @@
# Class: profiles::yum::unkin
class profiles::yum::unkin (
Array[String] $managed_repos,
String $baseurl,
Enum[
'daily',
'weekly',
'monthly'
] $snapshot = 'daily',
) {
$release = $facts['os']['release']['major']
$basearch = $facts['os']['architecture']
if 'unkin' in $managed_repos {
yumrepo { 'unkin':
name => 'unkin',
descr => 'unkin repository',
target => '/etc/yum.repos.d/unkin.repo',
baseurl => "${baseurl}/${::facts['os']['release']['major']}/${basearch}/os/",
gpgcheck => false,
}
}
}

5
site/roles/manifests/base.pp
View File

@ -1,6 +1,11 @@
# a role to deploy the base system
# work in progress
class roles::base {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}

6
site/roles/manifests/infra/cobbler/server.pp
View File

@ -1,7 +1,11 @@
# cobbler server profile
class roles::infra::cobbler::server {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::base
include profiles::base::datavol
include profiles::cobbler::server
include profiles::cobbler::init
}
}

6
site/roles/manifests/infra/db/redis.pp
View File

@ -1,6 +1,10 @@
# a role to deploy a redis node
class roles::infra::db::redis {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}

5
site/roles/manifests/infra/dhcp/server.pp
View File

@ -1,6 +1,11 @@
# dhcp server profile
class roles::infra::dhcp::server {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::dhcp::server
}
}

5
site/roles/manifests/infra/dns/master.pp
View File

@ -2,7 +2,12 @@
# defines a dns server with master-only zones
#
class roles::infra::dns::master {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::dns::master
}
}

5
site/roles/manifests/infra/dns/resolver.pp
View File

@ -2,7 +2,12 @@
# defines a dns server with forward-only zones
#
class roles::infra::dns::resolver {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::dns::resolver
}
}

5
site/roles/manifests/infra/halb/haproxy.pp
View File

@ -1,6 +1,11 @@
# a role to deploy a haproxy node
class roles::infra::halb::haproxy {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::haproxy::server
}
}

5
site/roles/manifests/infra/metrics/grafana.pp
View File

@ -1,5 +1,10 @@
# a role to deploy a grafana service
class roles::infra::metrics::grafana {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}

5
site/roles/manifests/infra/metrics/prometheus.pp
View File

@ -1,7 +1,12 @@
# a role to deploy a prometheus server
class roles::infra::metrics::prometheus {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::metrics::server
}
}

5
site/roles/manifests/infra/ntp/server.pp
View File

@ -1,6 +1,11 @@
# a role to deploy a ntp server
class roles::infra::ntp::server {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::ntp::server
}
}

5
site/roles/manifests/infra/ovirt/engine.pp
View File

@ -1,5 +1,10 @@
# role to manage ovirt management engine nodes
class roles::infra::ovirt::engine {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}

5
site/roles/manifests/infra/ovirt/node.pp
View File

@ -1,6 +1,11 @@
# role to manage ovirt hypervisor nodes
class roles::infra::ovirt::node {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::ovirt::node
}
}

5
site/roles/manifests/infra/proxmox/node.pp
View File

@ -1,6 +1,11 @@
# manage the installation of a proxmox node
class roles::infra::proxmox::node {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::proxmox::init
}
}

5
site/roles/manifests/infra/puppet/master.pp
View File

@ -1,7 +1,12 @@
# a role to deploy the puppetmaster
# work in progress
class roles::infra::puppet::master {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::puppet::puppetmaster
}
}

5
site/roles/manifests/infra/puppetboard/server.pp
View File

@ -1,6 +1,11 @@
# a role to deploy the puppetboard
class roles::infra::puppetboard::server {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::puppet::puppetboard
}
}

5
site/roles/manifests/infra/puppetdb/api.pp
View File

@ -1,6 +1,11 @@
# a role to deploy the puppetdb api service
class roles::infra::puppetdb::api {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::puppet::puppetdb_api
}
}

5
site/roles/manifests/infra/puppetdb/sql.pp
View File

@ -1,6 +1,11 @@
# a role to deploy the puppetdb postgresql service
class roles::infra::puppetdb::sql {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::puppet::puppetdb_sql
}
}

5
site/roles/manifests/infra/reposync/syncer.pp
View File

@ -1,7 +1,12 @@
# a role to deploy a packagerepo
class roles::infra::reposync::syncer {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::reposync::syncer
}
}

8
site/roles/manifests/infra/sql/galera.pp
View File

@ -1,7 +1,15 @@
# a role to deploy a mariadb galera node
class roles::infra::sql::galera {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
if $facts['enc_role'] == 'roles::infra::sql::galera' {
include profiles::sql::galera_member
}
}
}

6
site/roles/manifests/infra/storage/consul.pp
View File

@ -1,8 +1,12 @@
# a role to deploy a consul node
class roles::infra::storage::consul {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::consul::server
}
}

12
site/roles/manifests/infra/storage/edgecache.pp Normal file
View File

@ -0,0 +1,12 @@
# a role to deploy an edgecache
class roles::infra::storage::edgecache {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::edgecache::init
}
}

5
site/roles/manifests/infra/storage/minio.pp
View File

@ -1,6 +1,11 @@
# a role to deploy a minio node
class roles::infra::storage::minio {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::minio::server
}
}

5
site/roles/manifests/infra/storage/vault.pp
View File

@ -1,7 +1,12 @@
# a role to deploy a vault node
class roles::infra::storage::vault {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::vault::server
}
}