puppet-prod/hieradata/roles/infra/incus/node.yaml

---
hiera_include:
  - profiles::selinux::frr
  - frrouting
  - incus
  - zfs
  - profiles::ceph::node
  - profiles::ceph::client
  - profiles::storage::cephfsvols
  - exporters::frr_exporter

# FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
python::manage_dev_package: false

profiles::packages::include:
  bridge-utils: {}
  cephadm: {}
  ceph-common: {}

profiles::pki::vault::alt_names:
  - incus.service.consul
  - incus.query.consul
  - "incus.service.%{facts.country}-%{facts.region}.consul"

profiles::pki::vault::ip_sans:
  - "%{hiera('networking_loopback0_ip')}"
  - "%{hiera('networking_loopback1_ip')}"
  - "%{hiera('networking_loopback2_ip')}"

profiles::ssh::sign::principals:
  - incus.service.consul
  - incus.query.consul
  - "incus.service.%{facts.country}-%{facts.region}.consul"
  - "%{hiera('networking_loopback0_ip')}"
  - "%{facts.networking.interfaces.enp2s0.ip}"
  - "%{facts.networking.interfaces.enp3s0.ip}"

# configure consul service
consul::services:
  incus:
    service_name: 'incus'
    tags:
      - 'incus'
      - 'container'
      - 'lxd'
    address: "%{hiera('networking_loopback0_ip')}"
    port: 8443
    checks:
      - id: 'incus_https_check'
        name: 'incus HTTPS Check'
        http: "https://%{hiera('networking_loopback0_ip')}:8443"
        method: 'GET'
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'
  cephmgr:
    service_name: 'cephmgr'
    tags:
      - 'metrics'
      - 'metrics_scheme=http'
      - 'metrics_job=ceph'
    address: "%{hiera('networking_loopback2_ip')}"
    port: 9283
    checks:
      - id: 'cephmgr_metrics_http_check'
        name: 'cephmgr metrics HTTP Check'
        http: "http://%{hiera('networking_loopback2_ip')}:9283"
        method: 'GET'
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'
profiles::consul::client::node_rules:
  - resource: service
    segment: incus
    disposition: write
  - resource: service
    segment: cephmgr
    disposition: write
  - resource: service
    segment: frr_exporter
    disposition: write

# additional repos
profiles::yum::global::repos:
  ceph:
    name: ceph
    descr: ceph repository
    target: /etc/yum.repos.d/ceph.repo
    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
    gpgkey: https://download.ceph.com/keys/release.asc
    mirrorlist: absent
  ceph-noarch:
    name: ceph-noarch
    descr: ceph-noarch repository
    target: /etc/yum.repos.d/ceph-noarch.repo
    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
    gpgkey: https://download.ceph.com/keys/release.asc
    mirrorlist: absent
  frr-extras:
    name: frr-extras
    descr: frr-extras repository
    target: /etc/yum.repos.d/frr-extras.repo
    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
    mirrorlist: absent
  frr-stable:
    name: frr-stable
    descr: frr-stable repository
    target: /etc/yum.repos.d/frr-stable.repo
    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
    mirrorlist: absent
  zfs-kmod:
    name: zfs-kmod
    descr: zfs-kmod repository
    target: /etc/yum.repos.d/zfs-kmod.repo
    baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
    mirrorlist: absent

# dns
profiles::dns::base::primary_interface: loopback0

# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
  enp2s0:
    type: physical
    txqueuelen: 10000
    forwarding: true
  enp3s0:
    type: physical
    mtu: 1500
    txqueuelen: 10000
    forwarding: true
  loopback0:
    type: dummy
    ipaddress: "%{hiera('networking_loopback0_ip')}"
    netmask: 255.255.255.255
    mtu: 1500
  loopback1:
    type: dummy
    ipaddress: "%{hiera('networking_loopback1_ip')}"
    netmask: 255.255.255.255
    mtu: 1500
  loopback2:
    type: dummy
    ipaddress: "%{hiera('networking_loopback2_ip')}"
    netmask: 255.255.255.255
    mtu: 1500

exporters::node_exporter::addr: "%{hiera('networking_loopback0_ip')}"

# frrouting
exporters::frr_exporter::enable: true
exporters::frr_exporter::addr: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
  - connected
frrouting::ospfd_interfaces:
  enp2s0:
    area: 0.0.0.0
  enp3s0:
    area: 0.0.0.0
  loopback0:
    area: 0.0.0.0
  loopback1:
    area: 0.0.0.0
  loopback2:
    area: 0.0.0.0
  brcom1:
    area: 0.0.0.0
  brdmz1:
    area: 0.0.0.0
  brwan1:
    area: 0.0.0.0
frrouting::daemons:
  ospfd: true

# add loopback interfaces to ssh list
ssh::server::options:
  ListenAddress:
    - "%{hiera('networking_loopback0_ip')}"
    - "%{facts.networking.interfaces.enp2s0.ip}"
    - "%{facts.networking.interfaces.enp3s0.ip}"

# zfs settings
zfs::manage_repo: false
zfs::zfs_arc_min: ~
zfs::zfs_arc_max: 4294967296 # 4GB
zfs::zpools:
  fastpool:
    ensure: present
    disk: /dev/nvme1n1
    ashift: 12
zfs::datasets:
  fastpool:
    canmount: 'off'
    acltype: posix
    atime: 'off'
    relatime: 'off'
    compression: 'zstd'
    xattr: 'sa'
  fastpool/data:
    canmount: 'on'
    mountpoint: '/data'
  fastpool/data/incus:
    canmount: 'on'
    mountpoint: '/data/incus'

# manage incus
incus::init: true
incus::bridge: br10
incus::server_port: 8443
incus::server_addr: "%{hiera('networking_loopback0_ip')}"

# add sysadmin to incus-admin group
profiles::accounts::sysadmin::extra_groups:
  - incus-admin

# manage cephfs mounts
profiles::ceph::client::manage_ceph_conf: false
profiles::ceph::client::manage_ceph_package: false
profiles::ceph::client::manage_ceph_paths: false
profiles::ceph::client::fsid: 'de96a98f-3d23-465a-a899-86d3d67edab8'
profiles::ceph::client::mons:
  - 198.18.23.9
  - 198.18.23.10
  - 198.18.23.11
  - 198.18.23.12
  - 198.18.23.13
profiles::ceph::client::keyrings:
  media:
    key: "%{hiera('ceph::key::media')}"
  apps:
    key: "%{hiera('ceph::key::apps')}"

profiles::storage::cephfsvols::volumes:
  cephfsvol_media:
    mount: "/shared/media"
    keyring: "/etc/ceph/ceph.client.media.keyring"
    cephfs_name: "media"
    cephfs_fs: "mediafs"
    cephfs_mon: "%{alias('profiles::ceph::client::mons')}"
    require: "Profiles::Ceph::Keyring[media]"
  cephfsvol_apps:
    mount: "/shared/apps"
    keyring: "/etc/ceph/ceph.client.apps.keyring"
    cephfs_name: "apps"
    cephfs_fs: "appfs"
    cephfs_mon: "%{alias('profiles::ceph::client::mons')}"
    require: "Profiles::Ceph::Keyring[apps]"

# sysctl recommendations
sysctl::base::values:
  fs.aio-max-nr:
    value: '524288'
  fs.inotify.max_queued_events:
    value: '1048576'
  fs.inotify.max_user_instances:
    value: '1048576'
  fs.inotify.max_user_watches:
    value: '1048576'
  kernel.dmesg_restrict:
    value: '1'
  kernel.keys.maxbytes:
    value: '2000000'
  kernel.keys.maxkeys:
    value: '2000'
  net.core.bpf_jit_limit:
    value: '1000000000'
  net.ipv4.neigh.default.gc_thresh3:
    value: '8192'
  net.ipv6.neigh.default.gc_thresh3:
    value: '8192'
  vm.max_map_count:
    value: '262144'
  net.ipv4.conf.all.forwarding:
    value: '1'
  net.ipv6.conf.all.forwarding:
    value: '1'
  net.ipv4.tcp_l3mdev_accept:
    value: '0'
  net.ipv4.conf.default.rp_filter:
    value: '0'
  net.ipv4.conf.all.rp_filter:
    value: '0'

# limits.d recommendations
limits::entries:
  '*/nofile':
    both: 1048576
  'root/nofile':
    both: 1048576
  '*/memlock':
    both: unlimited
  'root/memlock':
    both: unlimited