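---
# Hiera node data for an incus/ceph/zfs host that also runs FRR (OSPF).
# Restored to block layout from a single collapsed line; values are unchanged
# except that the explicit null below is spelled `null` instead of `~`.

# Puppet classes applied to this node.
hiera_include:
  - profiles::selinux::frr
  - frrouting
  - incus
  - zfs
  - profiles::ceph::node
  - profiles::ceph::client
  - profiles::ceph::dashboard
  - profiles::storage::cephfsvols
  - exporters::frr_exporter

# FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
python::manage_dev_package: false

# Extra packages installed with default resource parameters ({}).
profiles::packages::include:
  bridge-utils: {}
  cephadm: {}
  ceph-common: {}

# Subject alternative names requested for the vault-issued host certificate.
profiles::pki::vault::alt_names:
  - incus.service.consul
  - incus.query.consul
  - "incus.service.%{facts.country}-%{facts.region}.consul"

# IP SANs: the three dummy loopback addresses defined under networking::interfaces.
profiles::pki::vault::ip_sans:
  - "%{hiera('networking_loopback0_ip')}"
  - "%{hiera('networking_loopback1_ip')}"
  - "%{hiera('networking_loopback2_ip')}"

# Principals for the SSH host certificate; the last two are taken from
# interface facts, so they resolve to whatever address those NICs carry at
# catalog-compile time.
profiles::ssh::sign::principals:
  - incus.service.consul
  - incus.query.consul
  - "incus.service.%{facts.country}-%{facts.region}.consul"
  - "%{hiera('networking_loopback0_ip')}"
  - "%{facts.networking.interfaces.enp2s0.ip}"
  - "%{facts.networking.interfaces.enp3s0.ip}"

# configure consul service
profiles::consul::client::host_addr: "%{hiera('networking_loopback0_ip')}"

consul::services:
  incus:
    service_name: 'incus'
    tags:
      - 'incus'
      - 'container'
      - 'lxd'
    address: "%{hiera('networking_loopback0_ip')}"
    port: 8443
    checks:
      - id: 'incus_https_check'
        name: 'incus HTTPS Check'
        http: "https://%{hiera('networking_loopback0_ip')}:8443"
        method: 'GET'
        # Certificate verification is disabled for this local health check.
        # loopback0 is in profiles::pki::vault::ip_sans above, so verification
        # could plausibly be turned on if consul trusts that CA — confirm first.
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'
  cephmgr:
    service_name: 'cephmgr'
    tags:
      - 'metrics'
      - 'metrics_scheme=http'
      - 'metrics_job=ceph'
    address: "%{hiera('networking_loopback2_ip')}"
    port: 9283
    checks:
      - id: 'cephmgr_metrics_http_check'
        name: 'cephmgr metrics HTTP Check'
        http: "http://%{hiera('networking_loopback2_ip')}:9283"
        method: 'GET'
        # The target is plain http, so this flag has no effect here.
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'

# ACL rules granted to this node's consul token: write on exactly the
# services it registers (incus, cephmgr, frr_exporter) and nothing wider.
profiles::consul::client::node_rules:
  - resource: service
    segment: incus
    disposition: write
  - resource: service
    segment: cephmgr
    disposition: write
  - resource: service
    segment: frr_exporter
    disposition: write

# additional repos
# ceph repos are fetched from an internal cache but verified against the
# upstream ceph release key. The frr and zfs repos serve their GPG key from
# the same host as the packages, so package trust is bootstrapped from that
# host on first key import. gpgcheck is not set in this file; whether it is
# enabled depends on the profile's defaults — verify on the rendered .repo.
profiles::yum::global::repos:
  ceph:
    name: ceph
    descr: ceph repository
    target: /etc/yum.repos.d/ceph.repo
    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
    gpgkey: https://download.ceph.com/keys/release.asc
    mirrorlist: absent
  ceph-noarch:
    name: ceph-noarch
    descr: ceph-noarch repository
    target: /etc/yum.repos.d/ceph-noarch.repo
    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
    gpgkey: https://download.ceph.com/keys/release.asc
    mirrorlist: absent
  frr-extras:
    name: frr-extras
    descr: frr-extras repository
    target: /etc/yum.repos.d/frr-extras.repo
    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
    mirrorlist: absent
  frr-stable:
    name: frr-stable
    descr: frr-stable repository
    target: /etc/yum.repos.d/frr-stable.repo
    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
    mirrorlist: absent
  zfs-kmod:
    name: zfs-kmod
    descr: zfs-kmod repository
    target: /etc/yum.repos.d/zfs-kmod.repo
    baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
    mirrorlist: absent

# dns
profiles::dns::base::primary_interface: loopback0

# dashboard/haproxy
profiles::ceph::dashboard::ipaddress: "%{hiera('networking_loopback0_ip')}"

# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true

# Two physical uplinks with IP forwarding on (router role), plus three dummy
# /32 loopbacks that carry the service addresses advertised via OSPF below.
# NOTE(review): enp2s0 has no explicit mtu while enp3s0 sets 1500 — confirm
# that asymmetry is intended.
networking::interfaces:
  enp2s0:
    type: physical
    txqueuelen: 10000
    forwarding: true
  enp3s0:
    type: physical
    mtu: 1500
    txqueuelen: 10000
    forwarding: true
  loopback0:
    type: dummy
    ipaddress: "%{hiera('networking_loopback0_ip')}"
    netmask: 255.255.255.255
    mtu: 1500
  loopback1:
    type: dummy
    ipaddress: "%{hiera('networking_loopback1_ip')}"
    netmask: 255.255.255.255
    mtu: 1500
  loopback2:
    type: dummy
    ipaddress: "%{hiera('networking_loopback2_ip')}"
    netmask: 255.255.255.255
    mtu: 1500

# frrouting
exporters::frr_exporter::enable: true
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospf_preferred_source_enable: true
frrouting::ospf_preferred_source: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
  - connected
# All OSPF interfaces are in the backbone area. brcom1/brdmz1/brwan1 are not
# defined under networking::interfaces here; presumably managed elsewhere.
frrouting::ospfd_interfaces:
  enp2s0:
    area: 0.0.0.0
  enp3s0:
    area: 0.0.0.0
  loopback0:
    area: 0.0.0.0
  loopback1:
    area: 0.0.0.0
  loopback2:
    area: 0.0.0.0
  brcom1:
    area: 0.0.0.0
  brdmz1:
    area: 0.0.0.0
  brwan1:
    area: 0.0.0.0
frrouting::daemons:
  ospfd: true

# add loopback interfaces to ssh list
# NOTE(review): the two fact-based entries expand to an empty string if the
# interface has no address at compile time; confirm sshd tolerates that.
ssh::server::options:
  ListenAddress:
    - "%{hiera('networking_loopback0_ip')}"
    - "%{facts.networking.interfaces.enp2s0.ip}"
    - "%{facts.networking.interfaces.enp3s0.ip}"

# zfs settings
# Repo is managed by profiles::yum::global::repos (zfs-kmod) above, not by the zfs module.
zfs::manage_repo: false
zfs::zfs_arc_min: null
zfs::zfs_arc_max: 4294967296 # 4GB
zfs::zpools:
  fastpool:
    ensure: present
    disk: /dev/nvme1n1
    ashift: 12
# Dataset properties are quoted ('off'/'on') on purpose: unquoted they would
# parse as YAML 1.1 booleans.
zfs::datasets:
  fastpool:
    canmount: 'off'
    acltype: posix
    atime: 'off'
    relatime: 'off'
    compression: 'zstd'
    xattr: 'sa'
  fastpool/data:
    canmount: 'on'
    mountpoint: '/data'
  fastpool/data/incus:
    canmount: 'on'
    mountpoint: '/data/incus'

# manage incus
incus::init: true
incus::bridge: br10
incus::server_port: 8443
incus::server_addr: "%{hiera('networking_loopback0_ip')}"

# add sysadmin to incus-admin group
profiles::accounts::sysadmin::extra_groups:
  - incus-admin

# manage cephfs mounts
# ceph.conf, the package and the paths are owned by profiles::ceph::node on
# this host, so the client profile only contributes cluster identity and
# keyrings. Keyring secrets are looked up from hiera (ceph::key::*), not
# stored in this file.
profiles::ceph::client::manage_ceph_conf: false
profiles::ceph::client::manage_ceph_package: false
profiles::ceph::client::manage_ceph_paths: false
profiles::ceph::client::fsid: 'de96a98f-3d23-465a-a899-86d3d67edab8'
profiles::ceph::client::mons:
  - 198.18.23.9
  - 198.18.23.10
  - 198.18.23.11
  - 198.18.23.12
  - 198.18.23.13
profiles::ceph::client::keyrings:
  media:
    key: "%{hiera('ceph::key::media')}"
  apps:
    key: "%{hiera('ceph::key::apps')}"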
# CephFS volumes mounted on this host. Each volume uses its own client
# keyring (media, apps) and reuses the monitor list from
# profiles::ceph::client::mons via alias(), so the list stays an array.
profiles::storage::cephfsvols::volumes:
  cephfsvol_media:
    mount: "/shared/media"
    keyring: "/etc/ceph/ceph.client.media.keyring"
    cephfs_name: "media"
    cephfs_fs: "mediafs"
    cephfs_mon: "%{alias('profiles::ceph::client::mons')}"
    require: "Profiles::Ceph::Keyring[media]"
  cephfsvol_apps:
    mount: "/shared/apps"
    keyring: "/etc/ceph/ceph.client.apps.keyring"
    cephfs_name: "apps"
    cephfs_fs: "appfs"
    cephfs_mon: "%{alias('profiles::ceph::client::mons')}"
    require: "Profiles::Ceph::Keyring[apps]"

# sysctl recommendations
# Values are quoted strings on purpose (the sysctl module writes them verbatim).
sysctl::base::values:
  # async I/O and inotify headroom for many containers
  fs.aio-max-nr:
    value: '524288'
  fs.inotify.max_queued_events:
    value: '1048576'
  fs.inotify.max_user_instances:
    value: '1048576'
  fs.inotify.max_user_watches:
    value: '1048576'
  # restrict dmesg to privileged users
  kernel.dmesg_restrict:
    value: '1'
  kernel.keys.maxbytes:
    value: '2000000'
  kernel.keys.maxkeys:
    value: '2000'
  net.core.bpf_jit_limit:
    value: '1000000000'
  # larger neighbour tables for a router with many directly attached hosts
  net.ipv4.neigh.default.gc_thresh3:
    value: '8192'
  net.ipv6.neigh.default.gc_thresh3:
    value: '8192'
  vm.max_map_count:
    value: '262144'
  # router role: forward IPv4 and IPv6
  net.ipv4.conf.all.forwarding:
    value: '1'
  net.ipv6.conf.all.forwarding:
    value: '1'
  net.ipv4.tcp_l3mdev_accept:
    value: '0'
  # Reverse-path filtering is disabled on all interfaces, presumably for the
  # asymmetric paths that OSPF with loopback-sourced traffic produces. This
  # removes the kernel's source-address sanity check, so anti-spoofing has to
  # be enforced at the network edge instead.
  net.ipv4.conf.default.rp_filter:
    value: '0'
  net.ipv4.conf.all.rp_filter:
    value: '0'

# limits.d recommendations
# Keys are '<domain>/<item>'; quoted because '*' would otherwise start an alias.
limits::entries:
  '*/nofile':
    both: 1048576
  'root/nofile':
    both: 1048576
  '*/memlock':
    both: unlimited
  'root/memlock':
    both: unlimited