puppet-prod/hieradata/roles/infra/incus/node.yaml
Ben Vincent f1bb392f8d feat: manage more ceph requirements
- add ceph-common to provide utilities for managing ceph
- add root and sysadmin ssh keys for ceph deployments
2025-05-17 11:07:21 +10:00


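---
# Hiera role data for incus nodes: classes to include, packages, PKI SANs,
# SSH principals and authorized keys, Consul registration, yum repositories,
# networking/FRR, ZFS, incus settings and kernel/limits tuning.
hiera_include:
  - profiles::selinux::frr
  - frrouting
  - incus
  - zfs

# cephadm plus ceph-common so the ceph CLI utilities are available on the node
profiles::packages::include:
  bridge-utils: {}
  cephadm: {}
  ceph-common: {}

# Vault-issued TLS certificate: DNS SANs and the three loopback IPs as IP SANs
profiles::pki::vault::alt_names:
  - incus.service.consul
  - incus.query.consul
  - "incus.service.%{facts.country}-%{facts.region}.consul"
profiles::pki::vault::ip_sans:
  - "%{hiera('networking_loopback0_ip')}"
  - "%{hiera('networking_loopback1_ip')}"
  - "%{hiera('networking_loopback2_ip')}"

# Principals for the signed SSH host key: same names and IPs as the TLS cert
profiles::ssh::sign::principals:
  - incus.service.consul
  - incus.query.consul
  - "incus.service.%{facts.country}-%{facts.region}.consul"
  - "%{hiera('networking_loopback0_ip')}"
  - "%{hiera('networking_loopback1_ip')}"
  - "%{hiera('networking_loopback2_ip')}"

# Authorized key for ceph deployments, installed for BOTH root and sysadmin.
# The key comment has the `ceph-<fsid>` form that cephadm uses for its cluster
# key, so this presumably lets the cephadm orchestrator reach the node as root
# — confirm. Because the same key also authorizes sysadmin (an incus-admin
# member, see profiles::accounts::sysadmin::extra_groups below), its private
# half is effectively a node-admin secret; rotate it if the ceph admin host is
# rebuilt or the fsid changes.
profiles::accounts::root::sshkeys:
  - ssh-rsa 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 ceph-9a4b6eac-31d1-11f0-a634-00e04c680f5d
profiles::accounts::sysadmin::sshkeys:
  - ssh-rsa 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 ceph-9a4b6eac-31d1-11f0-a634-00e04c680f5d

# configure consul service
consul::services:
  incus:
    service_name: 'incus'
    tags:
      - 'incus'
      - 'container'
      - 'lxd'
    address: "%{hiera('networking_loopback0_ip')}"
    port: 8443
    checks:
      - id: 'incus_https_check'
        name: 'incus HTTPS Check'
        http: "https://%{hiera('networking_loopback0_ip')}:8443"
        method: 'GET'
        # The health check does not verify the incus certificate. loopback0
        # is listed in profiles::pki::vault::ip_sans above, so the cert should
        # be valid for this address; verification could likely be enabled if
        # the Consul agent trusts the Vault CA — TODO confirm before changing.
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'

# Node-scoped Consul rule: this node may write (register/update) the incus
# service — presumably rendered into a Consul ACL policy by the profile.
profiles::consul::client::node_rules:
  - resource: service
    segment: incus
    disposition: write

# additional repos
# NOTE(review): no entry sets gpgcheck, so whether package signatures are
# enforced depends on the profile's defaults and dnf.conf [main] — TODO
# confirm, since baseurl points at internal caches/mirrors. For the frr and
# zfs repos the gpgkey is fetched from the same host as the packages, so the
# key is only as trustworthy as packagerepo.service.consul itself; the ceph
# repos fetch the key from upstream download.ceph.com instead.
profiles::yum::global::repos:
  ceph:
    name: ceph
    descr: ceph repository
    target: /etc/yum.repos.d/ceph.repo
    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
    gpgkey: https://download.ceph.com/keys/release.asc
    mirrorlist: absent
  ceph-noarch:
    name: ceph-noarch
    descr: ceph-noarch repository
    target: /etc/yum.repos.d/ceph-noarch.repo
    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
    gpgkey: https://download.ceph.com/keys/release.asc
    mirrorlist: absent
  frr-extras:
    name: frr-extras
    descr: frr-extras repository
    target: /etc/yum.repos.d/frr-extras.repo
    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
    mirrorlist: absent
  frr-stable:
    name: frr-stable
    descr: frr-stable repository
    target: /etc/yum.repos.d/frr-stable.repo
    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
    mirrorlist: absent
  zfs-kmod:
    name: zfs-kmod
    descr: zfs-kmod repository
    target: /etc/yum.repos.d/zfs-kmod.repo
    baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
    mirrorlist: absent

# dns
profiles::dns::base::primary_interface: loopback0

# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
# Both physical NICs forward (the node routes), service addresses live on
# /32 dummy loopbacks that are advertised via OSPF below.
networking::interfaces:
  enp2s0:
    type: physical
    txqueuelen: 10000
    forwarding: true
  enp3s0:
    type: physical
    mtu: 9000
    txqueuelen: 10000
    forwarding: true
  loopback0:
    type: dummy
    ipaddress: "%{hiera('networking_loopback0_ip')}"
    netmask: 255.255.255.255
    mtu: 9000
  loopback1:
    type: dummy
    ipaddress: "%{hiera('networking_loopback1_ip')}"
    netmask: 255.255.255.255
    mtu: 9000
  loopback2:
    type: dummy
    ipaddress: "%{hiera('networking_loopback2_ip')}"
    netmask: 255.255.255.255
    mtu: 9000

# frrouting
frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
frrouting::ospfd_redistribute:
  - connected
# brcom1/brdmz1/brwan1 are not defined in networking::interfaces in this file;
# presumably they come from another hiera layer or the incus bridge setup.
frrouting::ospfd_interfaces:
  enp2s0:
    area: 0.0.0.0
  enp3s0:
    area: 0.0.0.0
  loopback0:
    area: 0.0.0.0
  loopback1:
    area: 0.0.0.0
  loopback2:
    area: 0.0.0.0
  brcom1:
    area: 0.0.0.0
  brdmz1:
    area: 0.0.0.0
  brwan1:
    area: 0.0.0.0
frrouting::daemons:
  ospfd: true

# add loopback interfaces to ssh list
# sshd binds only the loopback addresses, not the physical interfaces
ssh::server::options:
  ListenAddress:
    - "%{hiera('networking_loopback0_ip')}"
    - "%{hiera('networking_loopback1_ip')}"
    - "%{hiera('networking_loopback2_ip')}"

# zfs settings
# repo is managed via profiles::yum::global::repos (zfs-kmod) above
zfs::manage_repo: false
zfs::zfs_arc_min: null
zfs::zfs_arc_max: 4294967296  # 4 GiB
zfs::zpools:
  fastpool:
    ensure: present
    disk: /dev/nvme1n1
    ashift: 12
zfs::datasets:
  fastpool:
    canmount: 'off'
    acltype: posix
    atime: 'off'
    relatime: 'off'
    compression: 'zstd'
    xattr: 'sa'
  fastpool/data:
    canmount: 'on'
    mountpoint: '/data'
  fastpool/data/incus:
    canmount: 'on'
    mountpoint: '/data/incus'

# manage incus
incus::init: true
incus::bridge: br10
# API is served on loopback0 only, matching the Consul registration above
incus::server_port: 8443
incus::server_addr: "%{hiera('networking_loopback0_ip')}"

# add sysadmin to incus-admin group
profiles::accounts::sysadmin::extra_groups:
  - incus-admin

# sysctl recommendations
# Values are strings because the sysctl module writes them verbatim.
# kernel.dmesg_restrict=1 keeps the kernel log root-only; rp_filter=0 turns
# off reverse-path filtering on all interfaces — presumably required by the
# OSPF/loopback routing above (asymmetric paths), confirm this is intended.
sysctl::base::values:
  fs.aio-max-nr:
    value: '524288'
  fs.inotify.max_queued_events:
    value: '1048576'
  fs.inotify.max_user_instances:
    value: '1048576'
  fs.inotify.max_user_watches:
    value: '1048576'
  kernel.dmesg_restrict:
    value: '1'
  kernel.keys.maxbytes:
    value: '2000000'
  kernel.keys.maxkeys:
    value: '2000'
  net.core.bpf_jit_limit:
    value: '1000000000'
  net.ipv4.neigh.default.gc_thresh3:
    value: '8192'
  net.ipv6.neigh.default.gc_thresh3:
    value: '8192'
  vm.max_map_count:
    value: '262144'
  net.ipv4.conf.all.forwarding:
    value: '1'
  net.ipv6.conf.all.forwarding:
    value: '1'
  net.ipv4.tcp_l3mdev_accept:
    value: '0'
  net.ipv4.conf.default.rp_filter:
    value: '0'
  net.ipv4.conf.all.rp_filter:
    value: '0'

# limits.d recommendations
# keys are quoted because a leading '*' would otherwise be read as a YAML alias
limits::entries:
  '*/nofile':
    both: 1048576
  'root/nofile':
    both: 1048576
  '*/memlock':
    both: unlimited
  'root/memlock':
    both: unlimited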