From ce6b2f2a7037696d6cc0c1f1384210f7d8fc76c2 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Thu, 27 Jul 2023 21:37:29 +0200
Subject: [PATCH 01/64] Implement puppetserver
---
 Puppetfile | 3 ++
 README.md | 29 +++++++++++++
 site/profiles/REFERENCE.md | 29 +++++++++++--
 site/profiles/manifests/puppet.pp | 57 ++++++++++++++++++++++++++
 site/profiles/manifests/puppetagent.pp | 18 --------
 site/roles/manifests/voxpupuli.pp | 4 +-
 6 files changed, 116 insertions(+), 24 deletions(-)
 create mode 100644 site/profiles/manifests/puppet.pp
 delete mode 100644 site/profiles/manifests/puppetagent.pp
diff --git a/Puppetfile b/Puppetfile
index 37924b6b..884fea8b 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -23,3 +23,6 @@ mod 'saz/sudo', '8.0.0'
 mod 'puppet/github_actions_runner', '1.1.0'
 mod 'puppet/nftables', '4.0.0'
 mod 'puppetlabs/docker', '10.0.1'
+mod 'theforeman/puppetserver_foreman', '4.0.0'
+mod 'theforeman/foreman', '25.2.1'
+mod 'puppetlabs/puppetdb', '8.1.0'
diff --git a/README.md b/README.md
index f801eb87..e74fb92f 100644
--- a/README.md
+++ b/README.md
@@ -23,3 +23,32 @@ sed -i 's#remote:.*#remote: https://github.com/voxpupuli/controlrepo.git#' /etc/ r10k deploy environment production --puppetfile --verbose puppet apply /etc/puppetlabs/code/environments/production/manifests/site.pp --show_diff ``` + +## Hetzner Cloud cloud-init userdata: + +```yaml +#cloud-config +--- +package_reboot_if_required: true +package_upgrade: true +packages: +- git +- ca-certificates +repo_update: true +repo_upgrade: all +puppet: + install_type: aio + collection: puppet8 + cleanup: false + package_name: puppet-agent +runcmd: + - /opt/puppetlabs/puppet/bin/gem install --no-document r10k + - cd /root && git clone https://github.com/voxpupuli/controlrepo + - cd /root/controlrepo && /opt/puppetlabs/puppet/bin/r10k puppetfile install --verbose + - /opt/puppetlabs/puppet/bin/puppet apply /root/controlrepo/manifests/site.pp --modulepath /root/controlrepo/modules:/root/controlrepo/site --show_diff +``` + +## ToDos + +* setup csr_attributes (cloud-inits supports that as well) +* write the r10k config so we can do the initial provisioning into `/etc/puppetlabs/code/environments` and not `/root` diff --git a/site/profiles/REFERENCE.md b/site/profiles/REFERENCE.md index 2815e3c4..1dfd5943 100644 --- a/site/profiles/REFERENCE.md +++ b/site/profiles/REFERENCE.md 
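Review bot: The `runcmd` bootstrap clones the control repo's default branch and installs whatever `r10k` rubygems.org currently serves, and both steps run as root on first boot before any of the repo's own controls exist, so a push to the default branch or a malicious gem release changes what every new host executes. Pin both, e.g. `gem install --no-document r10k -v <tested version>` and `git clone --branch <tag> https://github.com/voxpupuli/controlrepo` (or `git checkout <commit>` after cloning), and consider verifying the clone against a signed tag. The later `puppet apply` step only resolves modules the Puppetfile already pins, which is where the remaining supply-chain trust should live.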
@@ -20,7 +20,7 @@ * [`profiles::postgres_exporter`](#profiles--postgres_exporter): installs a postgres exporter * [`profiles::postgresql`](#profiles--postgresql): install latest postgresql with upstream repositories * [`profiles::prometheus`](#profiles--prometheus): install Prometheus -* [`profiles::puppetagent`](#profiles--puppetagent): profile to manage puppet agent + deps +* [`profiles::puppet`](#profiles--puppet): configure puppet agent and server * [`profiles::puppetcode`](#profiles--puppetcode): some resources to manage puppete code * [`profiles::puppetmodule`](#profiles--puppetmodule): configures puppetmodule.info * [`profiles::ssh`](#profiles--ssh): ssh profile to manage sshd + ssh keys @@ -325,9 +325,32 @@ Default value: `'13'` install Prometheus -### `profiles::puppetagent` +### `profiles::puppet` -profile to manage puppet agent + deps +configure puppet agent and server + +#### Parameters + +The following parameters are available in the `profiles::puppet` class: + +* [`server`](#-profiles--puppet--server) +* [`manage_msgpack`](#-profiles--puppet--manage_msgpack) + +##### `server` + +Data type: `Boolean` + +decide if the server should be configured as well + +Default value: `($trusted['pp_role'] == 'puppetserver'` + +##### `manage_msgpack` + +Data type: `Boolean` + +configure if we should install msgpack on the agent + +Default value: `($facts['os']['name'] != 'gentoo'` ### `profiles::puppetcode` diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp new file mode 100644 index 00000000..2ad46de3 --- /dev/null +++ b/site/profiles/manifests/puppet.pp 
@@ -0,0 +1,57 @@
+# @summary configure puppet agent and server
+#
+# @param server decide if the server should be configured as well
+# @param manage_msgpack configure if we should install msgpack on the agent
+#
+# @author Tim Meusel
+#
+class profiles::puppet (
+ Boolean $server = ($trusted['pp_role'] == 'puppetserver'),
+ Boolean $manage_msgpack = ($facts['os']['name'] != 'gentoo'),
+) {
+ if $server {
+ $params = {
+ server => true,
+ server_reports => 'puppetdb,foreman',
+ server_storeconfigs => true,
+ server_foreman => true,
+ # don't create /etc/puppetlabs/code/environments/common
+ server_common_modules_path => [],
+ server_jvm_java_bin => '/usr/lib/jvm/jre-11/bin/java',
+ server_jvm_min_heap_size => '1G',
+ server_jvm_max_heap_size => '1G',
+ server_jvm_extra_args => ['-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger', '-XX:+UseParallelGC'],
+ server_multithreaded => true,
+ }
+ package { ['pgbadger', 'pg_activity']:
+ ensure => 'installed',
+ }
+ package { 'msgpack-server':
+ ensure => 'installed',
+ provider => 'puppetserver_gem',
+ name => 'msgpack',
+ require => [Package['make'],Package['gcc'],],
+ }
+ contain profiles::puppet::server_firewalling
+ } else {
+ $params = {}
+ }
+ class { 'puppet':
+ runmode => 'unmanaged',
+ unavailable_runmodes => ['cron', 'systemd.timer'],
+ * => $params,
+ }
+ if $manage_msgpack {
+ if $facts['os']['name'] == 'Archlinux' {
+ $provider = undef
+ $package = 'ruby-msgpack'
+ } else {
+ $provider = 'puppet_gem'
+ $package = 'msgpack'
+ }
+ package { $package:
+ ensure => 'installed',
+ provider => $provider,
+ }
+ }
+}
diff --git a/site/profiles/manifests/puppetagent.pp b/site/profiles/manifests/puppetagent.pp
deleted file mode 100644
index c079a3fe..00000000
--- a/site/profiles/manifests/puppetagent.pp
+++ /dev/null
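Review bot: The default `Boolean $server = ($trusted['pp_role'] == 'puppetserver')` reads a key that does not exist on the `$trusted` hash; certificate extensions live under `$trusted['extensions']`, so this comparison is always false and the server branch only ever runs when Hiera overrides it. Use `Boolean $server = ($trusted['extensions']['pp_role'] == 'puppetserver'),`, which also matches the `trusted.extensions.pp_role` key the hiera hierarchy in this series uses. Whichever form is used, `pp_role` is supplied by the agent in its own CSR, so this default is only as trustworthy as the CA's signing policy and a comment saying so belongs next to the parameter. The two `msgpack` gem resources use `ensure => 'installed'`, which pulls whatever version rubygems.org serves at install time; pinning `ensure` to the tested version keeps the gem supply chain reproducible.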
@@ -1,18 +0,0 @@ -# -# @summary profile to manage puppet agent + deps -# -# @author Tim Meusel -# -class profiles::puppetagent { - contain puppet - - # If this is an AIO setup, puppet uses a vendored ruby - # we don't care about the value of the fact, we only want to know if it is present - # msgpack will be used by the agent for connections to the server - if fact('aio_agent_version') { - package { 'msgpack': - ensure => 'present', - provider => 'puppet_gem', - } - } -} diff --git a/site/roles/manifests/voxpupuli.pp b/site/roles/manifests/voxpupuli.pp index 180b1b4a..45564517 100644 --- a/site/roles/manifests/voxpupuli.pp +++ b/site/roles/manifests/voxpupuli.pp @@ -6,7 +6,5 @@ class roles::voxpupuli { contain profiles::basics contain profiles::ssh - contain profiles::puppetagent - Class['profiles::basics'] - -> Class['profiles::puppetagent'] + contain profiles::puppet } From cd3856789ee0103b4d1c374ab1bd4ac2e0b650c6 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 21:48:03 +0200 Subject: [PATCH 02/64] README.md: explain dependency handling --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index e74fb92f..0aa2b99e 100644 --- a/README.md +++ b/README.md @@ -52,3 +52,9 @@ runcmd: * setup csr_attributes (cloud-inits supports that as well) * write the r10k config so we can do the initial provisioning into `/etc/puppetlabs/code/environments` and not `/root` + +## metadata.json and dependencies + +the `site/profiles/metadata.json` only tracks modules that are direct +dependencies to profiles. The `.fixtures.yml` can be autogenerated with the +`generate_fixtures` rake task. From 4fe5d69dfff46934e7ebbc08a92b8ee73720e57a Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 22:04:11 +0200 Subject: [PATCH 03/64] README.md: document csr_attributes --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 0aa2b99e..50814881 100644 --- a/README.md +++ b/README.md 
@@ -41,6 +41,9 @@ puppet: collection: puppet8 cleanup: false package_name: puppet-agent + csr_attributes: + extension_requests: + pp_role: puppetserver runcmd: - /opt/puppetlabs/puppet/bin/gem install --no-document r10k - cd /root && git clone https://github.com/voxpupuli/controlrepo From 5deccbeb6f86aed5224624d0e67f9c92bc7c4208 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 22:06:54 +0200 Subject: [PATCH 04/64] profiles::base: pull in puppet agent/server --- site/profiles/manifests/base.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 64a11e74..0f8256ea 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -170,4 +170,7 @@ reject_with => false, out_all => true, } + + # configure puppet agent/server + contain profiles::puppet } From a64ba649fcb1c9a86e5420f4010dda88abbf5f08 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 22:07:04 +0200 Subject: [PATCH 05/64] hiera.yaml: Add role layere --- hiera.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hiera.yaml b/hiera.yaml index 9c5d018a..d19bc03f 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -10,5 +10,7 @@ defaults: hierarchy: - name: "Per-node data" path: "nodes/%{facts.networking.fqdn}.yaml" + - name: "Role data" + path: "roles/%{trusted.extensions.pp_role}.yaml" - name: "one file to rule them all" path: "global.yaml" From 8aeda508f7a1532402531d29a6d9318765939bc5 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 22:24:22 +0200 Subject: [PATCH 06/64] add puppetserver yaml data --- data/nodes/puppetserver.voxpupuli.org.yaml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 data/nodes/puppetserver.voxpupuli.org.yaml diff --git a/data/nodes/puppetserver.voxpupuli.org.yaml b/data/nodes/puppetserver.voxpupuli.org.yaml new file mode 100644 index 00000000..c4439f9c --- /dev/null +++ b/data/nodes/puppetserver.voxpupuli.org.yaml 
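Review bot: The new `roles/%{trusted.extensions.pp_role}.yaml` layer turns a CSR extension into a role selector, and `pp_role` is written by the agent itself (the cloud-init `csr_attributes` block in the same series sets it to `puppetserver`), so any host whose CSR gets signed can claim any role, including the puppetserver one. That is safe only if the CA never autosigns naively: either sign after inspecting the requested extensions, or use a policy-based autosign script that validates `pp_role` against an allowlist per host. A comment on the hierarchy entry, `# pp_role is set by the agent in its CSR; only trustworthy with a signing policy that validates it`, would make that dependency explicit. It is also worth checking what `$trusted['extensions']` contains during the bootstrap `puppet apply` run before a cert exists, since the role layer may resolve to nothing on first run.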
@@ -0,0 +1,2 @@ +--- +profiles::puppet::server: true From 7453142924829e17f857d08dc819a731d5762f62 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 22:30:41 +0200 Subject: [PATCH 07/64] dont install gcc twice --- data/roles/puppetserver.yaml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 data/roles/puppetserver.yaml diff --git a/data/roles/puppetserver.yaml b/data/roles/puppetserver.yaml new file mode 100644 index 00000000..fa20baec --- /dev/null +++ b/data/roles/puppetserver.yaml @@ -0,0 +1,3 @@ +--- +classes: + - profiles::puppet From a0cdce3df88693646e64a217f985ce7821f327ad Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 22:33:29 +0200 Subject: [PATCH 08/64] add puppetserver firewalling --- site/profiles/REFERENCE.md | 5 +++ site/profiles/manifests/puppet.pp | 2 +- .../manifests/puppetserver_firewalling.pp | 38 +++++++++++++++++++ 3 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 site/profiles/manifests/puppetserver_firewalling.pp diff --git a/site/profiles/REFERENCE.md b/site/profiles/REFERENCE.md index 1dfd5943..76e393f5 100644 --- a/site/profiles/REFERENCE.md +++ b/site/profiles/REFERENCE.md @@ -23,6 +23,7 @@ * [`profiles::puppet`](#profiles--puppet): configure puppet agent and server * [`profiles::puppetcode`](#profiles--puppetcode): some resources to manage puppete code * [`profiles::puppetmodule`](#profiles--puppetmodule): configures puppetmodule.info +* [`profiles::puppetserver_firewalling`](#profiles--puppetserver_firewalling): manages nft rules on Puppetserver/PuppetDB * [`profiles::ssh`](#profiles--ssh): ssh profile to manage sshd + ssh keys * [`profiles::ssh_keys`](#profiles--ssh_keys): configure keys from GitHubs in the authorized_keys file * [`profiles::vpt`](#profiles--vpt): this profile will, in the future, instal Vox Pupuli Tasks 
@@ -405,6 +406,10 @@ the database user Default value: `'puppetmodule'` +### `profiles::puppetserver_firewalling` + +manages nft rules on Puppetserver/PuppetDB + ### `profiles::ssh` ssh profile to manage sshd + ssh keys diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp index 2ad46de3..d3a353e1 100644 --- a/site/profiles/manifests/puppet.pp +++ b/site/profiles/manifests/puppet.pp @@ -32,7 +32,7 @@ name => 'msgpack', require => [Package['make'],Package['gcc'],], } - contain profiles::puppet::server_firewalling + contain profiles::puppetserver_firewalling } else { $params = {} } diff --git a/site/profiles/manifests/puppetserver_firewalling.pp b/site/profiles/manifests/puppetserver_firewalling.pp new file mode 100644 index 00000000..3db04e4e --- /dev/null +++ b/site/profiles/manifests/puppetserver_firewalling.pp @@ -0,0 +1,38 @@ +# +# @summary manages nft rules on Puppetserver/PuppetDB +# +# @author Tim Meusel +# +class profiles::puppetserver_firewalling { + nftables::simplerule { 'allow_puppet_4': + action => 'accept', + proto => 'tcp', + dport => 8140, + saddr => "${facts['networking']['ip']}/32", + } + nftables::simplerule { 'allow_puppet_6': + action => 'accept', + proto => 'tcp', + dport => 8140, + saddr => "${facts['networking']['ip6']}/128", + } + nftables::simplerule { 'allow_puppetdb_4': + action => 'accept', + proto => 'tcp', + dport => 8081, + saddr => "${facts['networking']['ip']}/32", + } + nftables::simplerule { 'allow_puppetdb_6': + action => 'accept', + proto => 'tcp', + dport => 8081, + saddr => "${facts['networking']['ip6']}/128", + } + # allow connections from the agent/curl to reach the PuppetDB via http/https + nftables::rule { 'default_out-puppetdbv6': + content => "tcp dport { 8080, 8081 } ip6 daddr ${facts['networking']['ip6']}/128 accept", + } + nftables::rule { 'default_out-puppetdbv4': + content => "tcp dport { 8080, 8081 } ip daddr ${facts['networking']['ip']}/32 accept", + } +} 
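Review bot: `saddr => "${facts['networking']['ip6']}/128"` is not guarded: on a host without a global IPv6 address the `networking.ip6` fact is absent and the rule becomes `saddr => "/128"`, which breaks loading of the whole nftables ruleset rather than one rule. Wrap the two v6 simplerules and `default_out-puppetdbv6` in `if $facts['networking']['ip6'] { … }`. Also, every accept rule is scoped to the server's own address, so no other agent can reach 8140 or 8081; if that is the intended bootstrap state a comment saying so would save the next person from connection-refused debugging, and if not, the fleet's source ranges belong in a class parameter rather than the node's own IP. The outbound rule also admits `8080`, PuppetDB's cleartext port, which should stay loopback-only on the PuppetDB side.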
From 24c4649b068aa026cfd757f613d7da3af14b00a7 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 22:39:26 +0200 Subject: [PATCH 09/64] add nftables profile --- site/profiles/REFERENCE.md | 46 +++++++++++++++++++ site/profiles/manifests/nftables.pp | 26 +++++++++++ .../manifests/puppetserver_firewalling.pp | 1 + 3 files changed, 73 insertions(+) create mode 100644 site/profiles/manifests/nftables.pp diff --git a/site/profiles/REFERENCE.md b/site/profiles/REFERENCE.md index 76e393f5..f42ea778 100644 --- a/site/profiles/REFERENCE.md +++ b/site/profiles/REFERENCE.md @@ -14,6 +14,7 @@ * [`profiles::docker`](#profiles--docker): installs docker * [`profiles::github_runners`](#profiles--github_runners): configures a self-hosted github runner * [`profiles::grafana`](#profiles--grafana): installs grafana to display stats from dropsonde about Vox Pupuli modules +* [`profiles::nftables`](#profiles--nftables): configure certain nftable rules * [`profiles::nginx`](#profiles--nginx): multiple profiles requires nginx vhosts, this profile pulls in the nginx class/package/service setup * [`profiles::node_exporter`](#profiles--node_exporter): install node_exporter * [`profiles::postfix`](#profiles--postfix): installs postfix 
@@ -288,6 +289,51 @@ Data type: `String[1]` Default value: `$postgresql_user` +### `profiles::nftables` + +configure certain nftable rules + +#### Parameters + +The following parameters are available in the `profiles::nftables` class: + +* [`in_ssh`](#-profiles--nftables--in_ssh) +* [`icmp`](#-profiles--nftables--icmp) +* [`nat`](#-profiles--nftables--nat) +* [`out_all`](#-profiles--nftables--out_all) + +##### `in_ssh` + +Data type: `Boolean` + +allows incoming ssh connections + +Default value: `true` + +##### `icmp` + +Data type: `Boolean` + +allow all ICMP traffic + +Default value: `true` + +##### `nat` + +Data type: `Boolean` + +decide if the box should be allowed to handle NAT traffic + +Default value: `false` + +##### `out_all` + +Data type: `Boolean` + +Allow all outbound connections + +Default value: `false` + ### `profiles::nginx` multiple profiles requires nginx vhosts, this profile pulls in the nginx class/package/service setup diff --git a/site/profiles/manifests/nftables.pp b/site/profiles/manifests/nftables.pp new file mode 100644 index 00000000..75f34603 --- /dev/null +++ b/site/profiles/manifests/nftables.pp @@ -0,0 +1,26 @@ +# @summary configure certain nftable rules +# +# @param in_ssh allows incoming ssh connections +# @param icmp allow all ICMP traffic +# @param nat decide if the box should be allowed to handle NAT traffic +# @param out_all Allow all outbound connections +# +class profiles::nftables ( + Boolean $in_ssh = true, + Boolean $icmp = true, + Boolean $nat = false, + Boolean $out_all = false +) { + class { 'nftables': + in_ssh => $in_ssh, + in_icmp => $icmp, + out_icmp => $icmp, + in_out_conntrack => true, + inet_filter => true, + nat => $nat, + reject_with => false, + out_all => $out_all, + } + include nftables::rules::out::ssh + include nftables::rules::out::whois +} diff --git a/site/profiles/manifests/puppetserver_firewalling.pp b/site/profiles/manifests/puppetserver_firewalling.pp index 3db04e4e..4920080f 100644 
--- a/site/profiles/manifests/puppetserver_firewalling.pp +++ b/site/profiles/manifests/puppetserver_firewalling.pp @@ -4,6 +4,7 @@ # @author Tim Meusel # class profiles::puppetserver_firewalling { + include profiles::nftables nftables::simplerule { 'allow_puppet_4': action => 'accept', proto => 'tcp', From 9512fe00261cad328c517e2ccc51091974a76315 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 22:42:20 +0200 Subject: [PATCH 10/64] fix puppetserver setup --- site/profiles/manifests/puppet.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp index d3a353e1..3247b051 100644 --- a/site/profiles/manifests/puppet.pp +++ b/site/profiles/manifests/puppet.pp @@ -23,14 +23,15 @@ server_jvm_extra_args => ['-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger', '-XX:+UseParallelGC'], server_multithreaded => true, } - package { ['pgbadger', 'pg_activity']: + package { ['pgbadger', 'pg_activity', 'openjdk-11-jre-headless']: ensure => 'installed', + before => Class['puppet'], } package { 'msgpack-server': ensure => 'installed', provider => 'puppetserver_gem', name => 'msgpack', - require => [Package['make'],Package['gcc'],], + require => [Package['make'],Package['gcc'],Class['puppet']], } contain profiles::puppetserver_firewalling } else { From 0ab3a5e7125b113d6c74e4bce72671b41e2fbc4e Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 22:48:11 +0200 Subject: [PATCH 11/64] fix java 11 setup --- site/profiles/manifests/puppet.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp index 3247b051..a9304b34 100644 --- a/site/profiles/manifests/puppet.pp +++ b/site/profiles/manifests/puppet.pp 
@@ -17,13 +17,14 @@ server_foreman => true, # don't create /etc/puppetlabs/code/environments/common server_common_modules_path => [], - server_jvm_java_bin => '/usr/lib/jvm/jre-11/bin/java', + server_jvm_java_bin => '/usr/lib/jvm/java-11-openjdk-amd64/bin/java', server_jvm_min_heap_size => '1G', server_jvm_max_heap_size => '1G', server_jvm_extra_args => ['-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger', '-XX:+UseParallelGC'], server_multithreaded => true, } - package { ['pgbadger', 'pg_activity', 'openjdk-11-jre-headless']: + #package { ['pgbadger', 'pg_activity', 'openjdk-11-jre-headless']: + package { ['openjdk-11-jre-headless']: ensure => 'installed', before => Class['puppet'], } From d27e3902ca834ed88a596f112d523085ef70a7a2 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 22:50:02 +0200 Subject: [PATCH 12/64] disable reports for now --- site/profiles/manifests/puppet.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp index a9304b34..6b73a1f8 100644 --- a/site/profiles/manifests/puppet.pp +++ b/site/profiles/manifests/puppet.pp @@ -12,7 +12,7 @@ if $server { $params = { server => true, - server_reports => 'puppetdb,foreman', + #server_reports => 'puppetdb,foreman', server_storeconfigs => true, server_foreman => true, # don't create /etc/puppetlabs/code/environments/common From 50dd8c8194a49f1df30a1476947dd3236281f6cf Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:02:13 +0200 Subject: [PATCH 13/64] add redis profile --- Puppetfile | 1 + site/profiles/.fixtures.yml | 1 + site/profiles/REFERENCE.md | 5 +++++ site/profiles/manifests/redis.pp | 22 ++++++++++++++++++++++ site/profiles/metadata.json | 4 ++++ 5 files changed, 33 insertions(+) create mode 100644 site/profiles/manifests/redis.pp diff --git a/Puppetfile b/Puppetfile index 884fea8b..5643428f 100644 --- a/Puppetfile +++ b/Puppetfile 
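Review bot: `server_jvm_java_bin => '/usr/lib/jvm/java-11-openjdk-amd64/bin/java'` bakes the architecture into the path, so puppetserver will not start on an arm64 host where Debian uses a different JVM directory; derive it from the fact instead, e.g. `"/usr/lib/jvm/java-11-openjdk-${facts['os']['architecture']}/bin/java"`. The `#package { ['pgbadger', 'pg_activity', 'openjdk-11-jre-headless']:` line is dead code; delete it rather than leave a disabled second declaration next to the live one. The enclosing class body continues outside this hunk.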
@@ -26,3 +26,4 @@ mod 'puppetlabs/docker', '10.0.1' mod 'theforeman/puppetserver_foreman', '4.0.0' mod 'theforeman/foreman', '25.2.1' mod 'puppetlabs/puppetdb', '8.1.0' +mod 'puppet/redis', '11.0.0' diff --git a/site/profiles/.fixtures.yml b/site/profiles/.fixtures.yml index 314e69fe..27be8e1b 100644 --- a/site/profiles/.fixtures.yml +++ b/site/profiles/.fixtures.yml @@ -20,6 +20,7 @@ fixtures: extlib: https://github.com/voxpupuli/puppet-extlib.git nftables: https://github.com/voxpupuli/puppet-nftables.git docker: https://github.com/puppetlabs/puppetlabs-docker + redis: https://github.com/voxpupuli/puppet-redis.git archive: https://github.com/voxpupuli/puppet-archive concat: https://github.com/puppetlabs/puppetlabs-concat ssh_keys: https://github.com/puppetlabs/puppetlabs-sshkeys_core diff --git a/site/profiles/REFERENCE.md b/site/profiles/REFERENCE.md index f42ea778..337ee0e7 100644 --- a/site/profiles/REFERENCE.md +++ b/site/profiles/REFERENCE.md @@ -25,6 +25,7 @@ * [`profiles::puppetcode`](#profiles--puppetcode): some resources to manage puppete code * [`profiles::puppetmodule`](#profiles--puppetmodule): configures puppetmodule.info * [`profiles::puppetserver_firewalling`](#profiles--puppetserver_firewalling): manages nft rules on Puppetserver/PuppetDB +* [`profiles::redis`](#profiles--redis): configures redis on different platforms * [`profiles::ssh`](#profiles--ssh): ssh profile to manage sshd + ssh keys * [`profiles::ssh_keys`](#profiles--ssh_keys): configure keys from GitHubs in the authorized_keys file * [`profiles::vpt`](#profiles--vpt): this profile will, in the future, instal Vox Pupuli Tasks @@ -456,6 +457,10 @@ Default value: `'puppetmodule'` manages nft rules on Puppetserver/PuppetDB +### `profiles::redis` + +configures redis on different platforms + ### `profiles::ssh` ssh profile to manage sshd + ssh keys diff --git a/site/profiles/manifests/redis.pp b/site/profiles/manifests/redis.pp new file mode 100644 index 00000000..54301057 --- /dev/null 
+++ b/site/profiles/manifests/redis.pp @@ -0,0 +1,22 @@ +# +# @summary configures redis on different platforms +# +class profiles::redis { + if $facts['os']['name'] == 'Archlinux' { + fail('profiles::redis does not work on Archlinux, because puppet/redis does not support Archlinux') + } + # manage_repo pulls in the epel module, but that's broken on CentOS 8 + # https://github.com/voxpupuli/puppet-epel/issues/108 + elsif $facts['os']['family'] == 'RedHat' { + $params = { 'require' => Package['epel-release'], 'manage_repo' => false } + require profiles::centos + } elsif $facts['os']['family'] == 'Debian' { + $params = { 'redis_apt_repo' => true, 'manage_repo' => true } + } else { + $params = {} + } + class { 'redis': + * => $params, + } + contain redis +} diff --git a/site/profiles/metadata.json b/site/profiles/metadata.json index dc93cd08..62b5fc60 100644 --- a/site/profiles/metadata.json +++ b/site/profiles/metadata.json @@ -105,6 +105,10 @@ { "name": "puppetlabs/docker", "version_requirement": ">= 10.0.1 < 11.0.0" + }, + { + "name": "puppet/redis", + "version_requirement": ">= 9.0.0 < 10.0.0" } ] } From 33be0b6a88fdcb504cb14628279ecfbf638e14fd Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:04:48 +0200 Subject: [PATCH 14/64] postgresql: Add support for 15 --- site/profiles/REFERENCE.md | 2 +- site/profiles/manifests/postgresql.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profiles/REFERENCE.md b/site/profiles/REFERENCE.md index 337ee0e7..49136ef5 100644 --- a/site/profiles/REFERENCE.md +++ b/site/profiles/REFERENCE.md @@ -363,7 +363,7 @@ The following parameters are available in the `profiles::postgresql` class: ##### `version` -Data type: `Enum['11', '12', '13', '14']` +Data type: `Enum['11', '12', '13', '14', '15']` desired postgresql version diff --git a/site/profiles/manifests/postgresql.pp b/site/profiles/manifests/postgresql.pp index ae8ee370..ef1e1496 100644 --- a/site/profiles/manifests/postgresql.pp 
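Review bot: `class { 'redis': * => $params }` leaves `bind` and `requirepass` at the module defaults, and the Foreman cache configured later in this series talks to it unauthenticated over `localhost:6379/0`; that is acceptable only while redis stays loopback-only, so state it explicitly with `'bind' => '127.0.0.1'` in each `$params` branch rather than relying on whatever the module default happens to be. The `require profiles::centos` is placed after `$params` already references `Package['epel-release']`; that works, but a comment that `profiles::centos` is what declares that package would help readers of this branch.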
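Review bot: The new `puppet/redis` requirement `>= 9.0.0 < 10.0.0` does not cover the `11.0.0` the Puppetfile pins in the same commit, so the fixtures-based unit run and the deployed tree resolve different major versions and the range gives no protection against a breaking change. Align it with the pin: `"version_requirement": ">= 11.0.0 < 12.0.0"`.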
+++ b/site/profiles/manifests/postgresql.pp @@ -6,7 +6,7 @@ # @author Tim Meusel # class profiles::postgresql ( - Enum['11', '12', '13', '14'] $version = '13', + Enum['11', '12', '13', '14', '15'] $version = '13', ) { class { 'postgresql::globals': encoding => 'UTF-8', From 35086e86c96515cc005361b180a47098fefbf754 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:05:17 +0200 Subject: [PATCH 15/64] puppetserver: use postgresql 15 --- data/nodes/puppetserver.voxpupuli.org.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/data/nodes/puppetserver.voxpupuli.org.yaml b/data/nodes/puppetserver.voxpupuli.org.yaml index c4439f9c..3b8fdde2 100644 --- a/data/nodes/puppetserver.voxpupuli.org.yaml +++ b/data/nodes/puppetserver.voxpupuli.org.yaml @@ -1,2 +1,3 @@ --- profiles::puppet::server: true +profiles::postgresql::version: 15 From 21b741957812da4eef9b8f06bc61a79d9e6f597d Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:06:19 +0200 Subject: [PATCH 16/64] puppetserver: always install foreman --- site/profiles/manifests/puppet.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp index 6b73a1f8..50b2611c 100644 --- a/site/profiles/manifests/puppet.pp +++ b/site/profiles/manifests/puppet.pp @@ -10,6 +10,7 @@ Boolean $manage_msgpack = ($facts['os']['name'] != 'gentoo'), ) { if $server { + require profiles::foreman $params = { server => true, #server_reports => 'puppetdb,foreman', From 7f36ed655a3216e433d1e4b02905812f58efbc01 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:08:38 +0200 Subject: [PATCH 17/64] add foreman profile --- site/profiles/manifests/foreman.pp | 58 ++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 site/profiles/manifests/foreman.pp diff --git a/site/profiles/manifests/foreman.pp b/site/profiles/manifests/foreman.pp new file mode 100644 index 00000000..f4e94a9f --- /dev/null 
+++ b/site/profiles/manifests/foreman.pp @@ -0,0 +1,58 @@ +# +# @summary configure foreman + plugins +# +# @see `cat /opt/puppetlabs/puppet/cache/foreman_cache_data/admin_password` provides the admin password +# +class profiles::foreman { + require profiles::redis + require profiles::postgresql + # this pulls in postgresql:12 as module + # https://github.com/theforeman/foreman-packaging/blob/61cdf829ea481294d8d00dc6162e3524875ebb2d/modulemd/modulemd-foreman-el8.yaml#L27-L28 + #class { 'foreman::repo': + # repo => '3.3', + #} + + foreman::repos { 'foreman': + repo => '3.7', + gpgcheck => true, + yum_repo_baseurl => 'https://deb.theforeman.org', + before => Class['foreman'], + } + + class { 'foreman': + logging_type => 'journald', + initial_admin_username => 'admin', + initial_admin_first_name => 'Vox', + initial_admin_last_name => 'Pupuli', + initial_admin_email => 'pmc@voxpupuli.org', + register_in_foreman => true, # is a foreman 3.1+ feature + rails_cache_store => { + 'type' => 'redis', + 'urls' => ['localhost:6379/0'], + 'options' => { + 'compress' => 'true', + 'namespace' => 'foreman', + }, + }, + } + ['rubygem-foreman_puppet', 'rubygem-puppetdb_foreman'].each |$package| { + package { $package: + ensure => 'installed', + require => Package['foreman-service'], + notify => Service['foreman'], + } + } + class { 'foreman_proxy': + register_in_foreman => true, # is a foreman 3.1+ feature + puppet => true, + puppetca => true, + tftp => false, + dhcp => false, + dns => false, + bmc => false, + realm => false, + } + # open http/https in firewall + include nftables::rules::http + include nftables::rules::https +} From cdb4e02ac47801d76d66feb549f6d48859af107c Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:10:11 +0200 Subject: [PATCH 18/64] fix datatype --- data/nodes/puppetserver.voxpupuli.org.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
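Review bot: `['rubygem-foreman_puppet', 'rubygem-puppetdb_foreman']` are RPM package names, but the rest of this series targets Debian (`openjdk-11-jre-headless`, `deb.theforeman.org`), where Foreman ships plugins under `ruby-` package names, so these resources will presumably fail on the target host; select the names by `$facts['os']['family']` or use the module's `foreman::plugin` define if the version in use provides it. `initial_admin_username => 'admin'` with no password parameter leaves the generated credential in the plaintext cache file the header comment points at; add a comment that the file must stay root-only and the password rotated after first login. `include nftables::rules::http` opens plain port 80 to every source while 8140 is restricted to the host itself; unless the http vhost exists only to redirect, prefer `https` alone. `yum_repo_baseurl => 'https://deb.theforeman.org'` is a yum parameter carrying an apt URL — harmless if ignored on Debian, but misleading, so drop it or use the apt equivalent.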
diff --git a/data/nodes/puppetserver.voxpupuli.org.yaml b/data/nodes/puppetserver.voxpupuli.org.yaml index 3b8fdde2..bc1d08c2 100644 --- a/data/nodes/puppetserver.voxpupuli.org.yaml +++ b/data/nodes/puppetserver.voxpupuli.org.yaml @@ -1,3 +1,3 @@ --- profiles::puppet::server: true -profiles::postgresql::version: 15 +profiles::postgresql::version: '15' From c8cb258d8ebeb1ac90abce424ceb462eec83b937 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:11:21 +0200 Subject: [PATCH 19/64] add apache --- Puppetfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Puppetfile b/Puppetfile index 5643428f..62bad135 100644 --- a/Puppetfile +++ b/Puppetfile @@ -1,5 +1,6 @@ forge "https://forge.puppet.com" +<<<<<<< HEAD mod 'puppetlabs/inifile', '6.1.1' mod 'puppetlabs/stdlib', '9.6.0' mod 'puppetlabs/vcsrepo', '6.1.0' @@ -27,3 +28,4 @@ mod 'theforeman/puppetserver_foreman', '4.0.0' mod 'theforeman/foreman', '25.2.1' mod 'puppetlabs/puppetdb', '8.1.0' mod 'puppet/redis', '11.0.0' +mod 'puppetlabs/apache', '12.1.0' From 0c5bdbcabedaa2497aad1433250990fb1a32543c Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:14:10 +0200 Subject: [PATCH 20/64] add foreman deps --- Puppetfile | 2 +- site/profiles/.fixtures.yml | 2 ++ site/profiles/metadata.json | 8 ++++++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/Puppetfile b/Puppetfile index 62bad135..9422adb9 100644 --- a/Puppetfile +++ b/Puppetfile @@ -1,6 +1,5 @@ forge "https://forge.puppet.com" -<<<<<<< HEAD mod 'puppetlabs/inifile', '6.1.1' mod 'puppetlabs/stdlib', '9.6.0' mod 'puppetlabs/vcsrepo', '6.1.0' @@ -26,6 +25,7 @@ mod 'puppet/nftables', '4.0.0' mod 'puppetlabs/docker', '10.0.1' mod 'theforeman/puppetserver_foreman', '4.0.0' mod 'theforeman/foreman', '25.2.1' +mod 'theforeman/foreman_proxy', '26.1.0' mod 'puppetlabs/puppetdb', '8.1.0' mod 'puppet/redis', '11.0.0' mod 'puppetlabs/apache', '12.1.0' 
diff --git a/site/profiles/.fixtures.yml b/site/profiles/.fixtures.yml index 27be8e1b..887e3a9e 100644 --- a/site/profiles/.fixtures.yml +++ b/site/profiles/.fixtures.yml @@ -17,6 +17,8 @@ fixtures: prometheus: https://github.com/voxpupuli/puppet-prometheus.git borg: https://github.com/voxpupuli/puppet-borg.git puppet: https://github.com/theforeman/puppet-puppet + foreman: https://github.com/theforeman/puppet-foreman + foreman_proxy: https://github.com/theforeman/puppet-foreman_proxy extlib: https://github.com/voxpupuli/puppet-extlib.git nftables: https://github.com/voxpupuli/puppet-nftables.git docker: https://github.com/puppetlabs/puppetlabs-docker diff --git a/site/profiles/metadata.json b/site/profiles/metadata.json index 62b5fc60..ec5c0894 100644 --- a/site/profiles/metadata.json +++ b/site/profiles/metadata.json @@ -94,6 +94,14 @@ "name": "theforeman/puppet", "version_requirement": ">= 20.0.0 < 21.0.0" }, + { + "name": "theforeman/foreman", + "version_requirement": ">= 23.0.0 < 24.0.0" + }, + { + "name": "theforeman/foreman_proxy", + "version_requirement": ">= 25.0.0 < 26.0.0" + }, { "name": "puppet/extlib", "version_requirement": ">= 7.2.0 < 8.0.0" From aa7ecc5a4ed130f60e66195310a794229c052d8e Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:14:53 +0200 Subject: [PATCH 21/64] apply: enhance params --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 50814881..d2fd6c66 100644 --- a/README.md +++ b/README.md 
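Review bot: The `theforeman/foreman` range `>= 23.0.0 < 24.0.0` and `theforeman/foreman_proxy` range `>= 25.0.0 < 26.0.0` do not contain the versions the Puppetfile pins in this same commit (`25.2.1` and `26.1.0`), so spec fixtures and the deployed code potentially test different major versions with different parameter sets. Update them to `">= 25.0.0 < 26.0.0"` and `">= 26.0.0 < 27.0.0"` respectively.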
@@ -48,7 +48,7 @@ runcmd:
 - /opt/puppetlabs/puppet/bin/gem install --no-document r10k
 - cd /root && git clone https://github.com/voxpupuli/controlrepo
 - cd /root/controlrepo && /opt/puppetlabs/puppet/bin/r10k puppetfile install --verbose
- - /opt/puppetlabs/puppet/bin/puppet apply /root/controlrepo/manifests/site.pp --modulepath /root/controlrepo/modules:/root/controlrepo/site --show_diff
+ - /opt/puppetlabs/puppet/bin/puppet apply /root/controlrepo/manifests/site.pp --modulepath /root/controlrepo/modules:/root/controlrepo/site --show_diff --write-catalog-summary --hiera_config /root/controlrepo/hiera.yaml
 ```
 ## ToDos
From 7104fa668caca56116253c2de580726ed2601e8a Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Thu, 27 Jul 2023 23:15:59 +0200
Subject: [PATCH 22/64] add missing richardc/datacat dep
---
 Puppetfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Puppetfile b/Puppetfile
index 9422adb9..dfe26c9e 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -29,3 +29,4 @@ mod 'theforeman/foreman_proxy', '26.1.0'
 mod 'puppetlabs/puppetdb', '8.1.0'
 mod 'puppet/redis', '11.0.0'
 mod 'puppetlabs/apache', '12.1.0'
+mod 'richardc/datacat', '0.6.2'
From 22f691a620db21bfd333cf782567976f375ce1c6 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Thu, 27 Jul 2023 23:25:53 +0200
Subject: [PATCH 23/64] nftables: allow hkp
---
 site/profiles/manifests/nftables.pp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/site/profiles/manifests/nftables.pp b/site/profiles/manifests/nftables.pp
index 75f34603..2d9754c8 100644
--- a/site/profiles/manifests/nftables.pp
+++ b/site/profiles/manifests/nftables.pp
@@ -23,4 +23,5 @@
 }
 include nftables::rules::out::ssh
 include nftables::rules::out::whois
+ include nftables::rules::out::hkp
 }
From de4fbb41ea071d367b0b228e8027b4ff6037c2d5 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Thu, 27 Jul 2023 23:27:06 +0200
Subject: [PATCH 24/64] foreman: set version
---
 site/profiles/manifests/foreman.pp | 1 +
 1 file changed, 1 insertion(+)
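Review bot: `include nftables::rules::out::hkp` opens outbound OpenPGP keyserver (HKP) traffic for every node that gets profiles::nftables, not only the Foreman host, and the comment added in patch 25/64 says the rule exists so the apt signing key for the Foreman repository can be fetched from a keyserver. A key obtained that way is only as trustworthy as the keyserver transport, so I would check whether the repository class can take an https key source, or at least that the expected key fingerprint is verified after the fetch, and record the reason next to the include, e.g. `# outbound hkp: apt key retrieval for the foreman repo, see profiles::foreman`. If only the Foreman node needs it, the include belongs in profiles::foreman rather than in the shared nftables profile. The enclosing class profiles::nftables starts outside the hunk.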
diff --git a/site/profiles/manifests/foreman.pp b/site/profiles/manifests/foreman.pp index f4e94a9f..d7ccada0 100644 --- a/site/profiles/manifests/foreman.pp +++ b/site/profiles/manifests/foreman.pp @@ -20,6 +20,7 @@ } class { 'foreman': + version => '3.7', logging_type => 'journald', initial_admin_username => 'admin', initial_admin_first_name => 'Vox', From 6e4a5a6e85885d0d8e13f7fd9be2f012ff898a04 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:29:46 +0200 Subject: [PATCH 25/64] fix ordering --- site/profiles/manifests/foreman.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/site/profiles/manifests/foreman.pp b/site/profiles/manifests/foreman.pp index d7ccada0..39364980 100644 --- a/site/profiles/manifests/foreman.pp +++ b/site/profiles/manifests/foreman.pp @@ -6,6 +6,7 @@ class profiles::foreman { require profiles::redis require profiles::postgresql + require profiles::nftables # ensures hkp access is working to download the apt key # this pulls in postgresql:12 as module # https://github.com/theforeman/foreman-packaging/blob/61cdf829ea481294d8d00dc6162e3524875ebb2d/modulemd/modulemd-foreman-el8.yaml#L27-L28 #class { 'foreman::repo': From 661c87f14855129db85eac741885f21bef8e17d6 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:33:07 +0200 Subject: [PATCH 26/64] fix ordering --- site/profiles/manifests/foreman.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profiles/manifests/foreman.pp b/site/profiles/manifests/foreman.pp index 39364980..1657424d 100644 --- a/site/profiles/manifests/foreman.pp +++ b/site/profiles/manifests/foreman.pp @@ -17,7 +17,7 @@ repo => '3.7', gpgcheck => true, yum_repo_baseurl => 'https://deb.theforeman.org', - before => Class['foreman'], + before => [Class['foreman'], Class['foreman_proxy'],], } class { 'foreman': From 7f605e64896fa944a94058b97a468f92d674532f Mon Sep 17 00:00:00 2001 
From: Tim Meusel Date: Thu, 27 Jul 2023 23:35:10 +0200 Subject: [PATCH 27/64] fix --- site/profiles/manifests/foreman.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/site/profiles/manifests/foreman.pp b/site/profiles/manifests/foreman.pp index 1657424d..d4915119 100644 --- a/site/profiles/manifests/foreman.pp +++ b/site/profiles/manifests/foreman.pp @@ -21,7 +21,6 @@ } class { 'foreman': - version => '3.7', logging_type => 'journald', initial_admin_username => 'admin', initial_admin_first_name => 'Vox', From 69efeaae9411f8a64e749f08753e0955ed0789a8 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 27 Jul 2023 23:40:21 +0200 Subject: [PATCH 28/64] fix debian family support --- site/profiles/manifests/foreman.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/site/profiles/manifests/foreman.pp b/site/profiles/manifests/foreman.pp index d4915119..d9ccf4b5 100644 --- a/site/profiles/manifests/foreman.pp +++ b/site/profiles/manifests/foreman.pp @@ -36,7 +36,11 @@ }, }, } - ['rubygem-foreman_puppet', 'rubygem-puppetdb_foreman'].each |$package| { + $packages = $facts['os']['family'] ? { + 'RedHat' => ['rubygem-foreman_puppet', 'rubygem-puppetdb_foreman'], + 'Debian' => ['ruby-foreman-puppet', 'ruby-puppetdb-foreman'], + } + $packages.each |$package| { package { $package: ensure => 'installed', require => Package['foreman-service'], From f58ef046a74d845b34d427ddb56b17b2e7b6d6fa Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 00:40:20 +0200 Subject: [PATCH 29/64] fix firewalling --- site/profiles/manifests/foreman.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profiles/manifests/foreman.pp b/site/profiles/manifests/foreman.pp index d9ccf4b5..b48faf66 100644 --- a/site/profiles/manifests/foreman.pp +++ b/site/profiles/manifests/foreman.pp 
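Review bot: The `$facts['os']['family']` selector introduced for `$packages` has arms for `'RedHat'` and `'Debian'` only, so on any other family the selector aborts catalog compilation with a "No matching value" error that points at the selector instead of saying the platform is unsupported. If only these two families are meant to be supported, make that explicit with `default => fail("profiles::foreman: unsupported os family ${facts['os']['family']}")`; if other families should simply get no extra packages, use `default => []`. The enclosing class profiles::foreman begins outside the hunk.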
@@ -58,6 +58,6 @@
 realm => false,
 }
 # open http/https in firewall
- include nftables::rules::http
- include nftables::rules::https
+ require nftables::rules::http
+ require nftables::rules::https
 }
From a11824aea8beb640538f631ed125dd7207979e64 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 28 Jul 2023 01:02:43 +0200
Subject: [PATCH 30/64] fix msgpack
---
 site/profiles/manifests/puppet.pp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp
index 50b2611c..affc208d 100644
--- a/site/profiles/manifests/puppet.pp
+++ b/site/profiles/manifests/puppet.pp
@@ -55,6 +55,7 @@
 package { $package:
 ensure => 'installed',
 provider => $provider,
+ require => Class['puppet'],
 }
 }
 }
From db47e75826376d5381e0619cf95433291744d541 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 28 Jul 2023 01:12:40 +0200
Subject: [PATCH 31/64] configure r10k
---
 site/profiles/manifests/puppet.pp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp
index affc208d..c2c70d5b 100644
--- a/site/profiles/manifests/puppet.pp
+++ b/site/profiles/manifests/puppet.pp
@@ -9,6 +9,7 @@
 Boolean $server = ($trusted['pp_role'] == 'puppetserver'),
 Boolean $manage_msgpack = ($facts['os']['name'] != 'gentoo'),
 ) {
+ include profiles::puppetcode
 if $server {
 require profiles::foreman
 $params = {
From e293417618c58b2ed0ce423c9db668607b8f0eff Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 28 Jul 2023 01:13:46 +0200
Subject: [PATCH 32/64] r10k: bump version
---
 site/profiles/manifests/puppetcode.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site/profiles/manifests/puppetcode.pp b/site/profiles/manifests/puppetcode.pp
index d889f748..2b1a9b5d 100644
--- a/site/profiles/manifests/puppetcode.pp
+++ b/site/profiles/manifests/puppetcode.pp
@@ -32,7 +32,7 @@
 $deploy = { 'generate_types' => true }
 # we hardcode this and update it from time to time.
 # agent runs faster compared to ensure latest
- $version = '3.14.2'
+ $version = '3.16.0'
 }
 class { 'r10k':
 pool_size => $facts['processors']['count']*2,
From 2605ba3b43b867d20559e45ff933b187b9c3b1f2 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 28 Jul 2023 01:20:45 +0200
Subject: [PATCH 33/64] r10k: fix url
---
 site/profiles/manifests/puppetcode.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site/profiles/manifests/puppetcode.pp b/site/profiles/manifests/puppetcode.pp
index 2b1a9b5d..a567cddb 100644
--- a/site/profiles/manifests/puppetcode.pp
+++ b/site/profiles/manifests/puppetcode.pp
@@ -38,7 +38,7 @@
 pool_size => $facts['processors']['count']*2,
 sources => {
 'puppet' => {
- 'remote' => 'git@github.com:voxpupuli/controlrepo.git',
+ 'remote' => 'https://github.com/voxpupuli/controlrepo.git',
 'basedir' => '/etc/puppetlabs/code/environments',
 },
 },
From fac5473c03fe4433cf70d540b5d2e50b0ccc91e5 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 28 Jul 2023 13:04:29 +0200
Subject: [PATCH 34/64] disable puppet after bootstrap
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index d2fd6c66..fabc72be 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ puppet:
 extension_requests:
 pp_role: puppetserver
 runcmd:
+ - systemctl disable --now puppet
 - /opt/puppetlabs/puppet/bin/gem install --no-document r10k
 - cd /root && git clone https://github.com/voxpupuli/controlrepo
 - cd /root/controlrepo && /opt/puppetlabs/puppet/bin/r10k puppetfile install --verbose
From c911607ca9c8adbc4c20665faf3f5408d6b8e549 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 28 Jul 2023 13:24:32 +0200
Subject: [PATCH 35/64] site/profiles/manifests/puppetcode.pp r10k: exclude_spec
---
 README.md | 3 ++-
 site/profiles/manifests/puppetcode.pp | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md index fabc72be..67e4cb65 100644 --- a/README.md +++ b/README.md @@ -46,10 +46,11 @@ puppet: pp_role: puppetserver runcmd: - systemctl disable --now puppet - - /opt/puppetlabs/puppet/bin/gem install --no-document r10k + - /opt/puppetlabs/puppet/bin/gem install --no-document r10k toml - cd /root && git clone https://github.com/voxpupuli/controlrepo - cd /root/controlrepo && /opt/puppetlabs/puppet/bin/r10k puppetfile install --verbose - /opt/puppetlabs/puppet/bin/puppet apply /root/controlrepo/manifests/site.pp --modulepath /root/controlrepo/modules:/root/controlrepo/site --show_diff --write-catalog-summary --hiera_config /root/controlrepo/hiera.yaml + - /opt/puppetlabs/puppet/bin/r10k deploy environment --modules --verbose ``` ## ToDos diff --git a/site/profiles/manifests/puppetcode.pp b/site/profiles/manifests/puppetcode.pp index a567cddb..6df87174 100644 --- a/site/profiles/manifests/puppetcode.pp +++ b/site/profiles/manifests/puppetcode.pp @@ -26,10 +26,10 @@ }, } if $facts['os']['name'] == 'Archlinux' { - $deploy = { 'generate_types' => true, 'puppet_path' => '/usr/bin/puppet' } + $deploy = { 'generate_types' => true, 'exclude_spec' => true, 'puppet_path' => '/usr/bin/puppet' } $version = 'installed' } else { - $deploy = { 'generate_types' => true } + $deploy = { 'generate_types' => true, 'exclude_spec' => true, } # we hardcode this and update it from time to time. # agent runs faster compared to ensure latest $version = '3.16.0' From 878cbfa62f4f5ce0a2af43f64ac5db7f821f478d Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 13:41:50 +0200 Subject: [PATCH 36/64] fix pluginsync --- manifests/site.pp | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/manifests/site.pp b/manifests/site.pp index 02cd7bc1..a4fdb7d9 100644 --- a/manifests/site.pp +++ b/manifests/site.pp 
@@ -1,16 +1,20 @@ +# hack pluginsync as file resource. only required for `puppet apply` usage +# this works by accident with puppet agent, but only on the puppetserver +# it breaks puppet agent on other systems, so we need to guard it +if $trusted['authenticated'] == 'local' { + file { $settings::libdir: + ensure => directory, + source => 'puppet:///plugins', # lint:ignore:puppet_url_without_modules + recurse => true, + purge => true, + backup => false, + noop => false, + } +} + # include base profile that every node gets contain profiles::base -## pluginsync -file { $::settings::libdir: # lint:ignore:top_scope_facts - ensure => directory, - source => 'puppet:///plugins', # lint:ignore:puppet_url_without_modules - recurse => true, - purge => true, - backup => false, - noop => false, -} - # include node specific profiles lookup('classes', Array[String[1]], 'unique', []).each |$c| { contain $c From 436cbab54442d5b2e8af4674c158f5e17803a35d Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 14:02:57 +0200 Subject: [PATCH 37/64] site.pp: add tag --- manifests/site.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/site.pp b/manifests/site.pp index a4fdb7d9..adc7ed40 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -9,6 +9,7 @@ purge => true, backup => false, noop => false, + tags => 'hacked_pluginsync', } } From e36eec23998bcbf2bbc654519fb1658227b4de08 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 14:07:46 +0200 Subject: [PATCH 38/64] fix typo --- manifests/site.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/site.pp b/manifests/site.pp index adc7ed40..dc380a02 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -9,7 +9,7 @@ purge => true, backup => false, noop => false, - tags => 'hacked_pluginsync', + tag => 'hacked_pluginsync', } } From b7032472ebbb4b5a7a265d1604ed211b04f07855 Mon Sep 17 00:00:00 2001 
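Review bot: The relocated pluginsync resource keeps `noop => false`, which makes the `$settings::libdir` sync run for real even when the whole apply is invoked with `--noop`; combined with `recurse => true, purge => true` that removes everything under libdir that is not in `puppet:///plugins` on what the operator believes is a dry run, and the new comment block does not mention it. If that is intended for the bootstrap case only, say so, e.g. `# noop => false: plugins must be synced even during a --noop bootstrap run`; otherwise drop the attribute. The `$trusted['authenticated'] == 'local'` guard is the right way to limit the hack to `puppet apply`, and the comment would be more useful if it named that value as the reason the guard works.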
From: Tim Meusel Date: Fri, 28 Jul 2023 14:25:12 +0200 Subject: [PATCH 39/64] run apt update before package installation --- site/profiles/manifests/base.pp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 0f8256ea..af8658f6 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -27,6 +27,14 @@ package { 'snapd': ensure => 'absent', } + # do an apt update daily, don't log it, run it before packages + class { 'apt': + update => { + frequency => 'daily', + loglevel => 'debug', + }, + } + Class['apt::update'] -> Package <| provider == 'apt' |> # https://www.sshaudit.com/hardening_guides.html class { 'ssh': storeconfigs_enabled => false, From 1562053a1bbf0941b99249f8824791a2060e96b5 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 15:30:17 +0200 Subject: [PATCH 40/64] fix --- site/profiles/manifests/puppet.pp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp index c2c70d5b..cd399d9d 100644 --- a/site/profiles/manifests/puppet.pp +++ b/site/profiles/manifests/puppet.pp @@ -19,14 +19,12 @@ server_foreman => true, # don't create /etc/puppetlabs/code/environments/common server_common_modules_path => [], - server_jvm_java_bin => '/usr/lib/jvm/java-11-openjdk-amd64/bin/java', server_jvm_min_heap_size => '1G', server_jvm_max_heap_size => '1G', server_jvm_extra_args => ['-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger', '-XX:+UseParallelGC'], server_multithreaded => true, } - #package { ['pgbadger', 'pg_activity', 'openjdk-11-jre-headless']: - package { ['openjdk-11-jre-headless']: + package { ['pgbadger', 'pg_activity',]: ensure => 'installed', before => Class['puppet'], } From d4b48b3e3ed6bac2fdd960273fde613930d481cc Mon Sep 17 00:00:00 2001 
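Review bot: The chain `Class['apt::update'] -> Package <| provider == 'apt' |>` only matches package resources that set `provider => 'apt'` explicitly; packages that rely on the default provider — every `package { ...: ensure => 'installed' }` in this series — carry no `provider` attribute in the catalog, so they are not collected and the ordering does not apply to them. Patch 43/64 moves the same line into site.pp under a Debian guard but keeps the predicate, so the gap survives the move. `Class['apt::update'] -> Package <| |>` orders all packages; bear in mind that a collector also realizes any virtual Package resources it matches. Whether the unconditional `class { 'apt': ... }` declaration is itself guarded for non-Debian families cannot be seen here, since profiles::base begins outside the hunk.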
From: Tim Meusel Date: Fri, 28 Jul 2023 15:50:30 +0200 Subject: [PATCH 41/64] foo --- site/profiles/manifests/foreman.pp | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/site/profiles/manifests/foreman.pp b/site/profiles/manifests/foreman.pp index b48faf66..2c5150eb 100644 --- a/site/profiles/manifests/foreman.pp +++ b/site/profiles/manifests/foreman.pp @@ -13,11 +13,14 @@ # repo => '3.3', #} - foreman::repos { 'foreman': - repo => '3.7', - gpgcheck => true, - yum_repo_baseurl => 'https://deb.theforeman.org', - before => [Class['foreman'], Class['foreman_proxy'],], + #foreman::repos { 'foreman': + # repo => '3.7', + # gpgcheck => true, + # yum_repo_baseurl => 'https://deb.theforeman.org', + # before => [Class['foreman'], Class['foreman_proxy'],], + #} + class { 'foreman::repo': + repo => '3.7', } class { 'foreman': From 5a675ad2b04e3462662371dd7230e0f332c02250 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 16:07:39 +0200 Subject: [PATCH 42/64] reorder pg packages --- site/profiles/manifests/postgresql.pp | 8 ++++++++ site/profiles/manifests/puppet.pp | 4 ---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/site/profiles/manifests/postgresql.pp b/site/profiles/manifests/postgresql.pp index ef1e1496..39b8f564 100644 --- a/site/profiles/manifests/postgresql.pp +++ b/site/profiles/manifests/postgresql.pp @@ -28,4 +28,12 @@ require => File['/srv/pg_dumps'], } contain dbbackup + $activity = $facts['os']['family'] ? { + 'RedHat' => 'pg_activity', + 'Debian' => 'pg-activity', + default => undef, + } + package { ['pgbadger', $activity,]: + ensure => 'installed', + } } diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp index cd399d9d..f391e97f 100644 --- a/site/profiles/manifests/puppet.pp +++ b/site/profiles/manifests/puppet.pp 
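Review bot: In profiles::postgresql the `$activity` selector yields `undef` on families other than RedHat and Debian, and `package { ['pgbadger', $activity,]: ... }` then contains an undef title, which Puppet rejects at compile time ("Missing title") instead of just installing pgbadger. Build the list conditionally instead, e.g. `$activity = $facts['os']['family'] ? { 'RedHat' => ['pg_activity'], 'Debian' => ['pg-activity'], default => [] }` followed by `package { ['pgbadger'] + $activity: ensure => 'installed' }`. In the foreman.pp hunk the old `foreman::repos` declaration is left behind as commented-out code next to the new `class { 'foreman::repo': repo => '3.7' }`; git keeps the history, so a one-line comment on why `foreman::repo` is preferred would serve better than the dead block. Since the replaced block set `gpgcheck => true` explicitly, confirm that `foreman::repo` keeps signature verification enabled by default — I cannot tell from the hunk. profiles::postgresql's header lies outside the hunk.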
@@ -24,10 +24,6 @@ server_jvm_extra_args => ['-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger', '-XX:+UseParallelGC'], server_multithreaded => true, } - package { ['pgbadger', 'pg_activity',]: - ensure => 'installed', - before => Class['puppet'], - } package { 'msgpack-server': ensure => 'installed', provider => 'puppetserver_gem', From b5e74fed191ac0729f72f864978e1ef8089f74dd Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 16:09:25 +0200 Subject: [PATCH 43/64] reorder collector --- manifests/site.pp | 5 +++++ site/profiles/manifests/base.pp | 1 - 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/manifests/site.pp b/manifests/site.pp index dc380a02..61e3d61c 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -13,6 +13,11 @@ } } +# ensure update runs before installing packages +if $facts['os']['family'] == 'Debian' { + Class['apt::update'] -> Package <| provider == 'apt' |> +} + # include base profile that every node gets contain profiles::base diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index af8658f6..16c0a23c 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -34,7 +34,6 @@ loglevel => 'debug', }, } - Class['apt::update'] -> Package <| provider == 'apt' |> # https://www.sshaudit.com/hardening_guides.html class { 'ssh': storeconfigs_enabled => false, From 77e020d67653becea811f414d6f5028e4eb8d99d Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 16:37:04 +0200 Subject: [PATCH 44/64] add puppetdb --- site/profiles/manifests/puppet.pp | 3 ++- site/profiles/manifests/puppetdb.pp | 13 +++++++++++++ site/profiles/metadata.json | 4 ++++ 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 site/profiles/manifests/puppetdb.pp diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp index f391e97f..3f6ea88d 100644 --- a/site/profiles/manifests/puppet.pp +++ b/site/profiles/manifests/puppet.pp 
@@ -12,6 +12,7 @@ include profiles::puppetcode if $server { require profiles::foreman + include profiles::puppetdb $params = { server => true, #server_reports => 'puppetdb,foreman', @@ -21,7 +22,7 @@ server_common_modules_path => [], server_jvm_min_heap_size => '1G', server_jvm_max_heap_size => '1G', - server_jvm_extra_args => ['-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger', '-XX:+UseParallelGC'], + #server_jvm_extra_args => ['-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger', '-XX:+UseParallelGC'], server_multithreaded => true, } package { 'msgpack-server': diff --git a/site/profiles/manifests/puppetdb.pp b/site/profiles/manifests/puppetdb.pp new file mode 100644 index 00000000..e55f3140 --- /dev/null +++ b/site/profiles/manifests/puppetdb.pp @@ -0,0 +1,13 @@ +# +# @summary installs puppetdb +# +class profiles::puppetdb { + require profiles::postgresql + class { 'puppetdb': + manage_dbserver => false, + } + contain puppetdb + class { 'puppetdb::master::config': + } + contain puppetdb::master::config +} diff --git a/site/profiles/metadata.json b/site/profiles/metadata.json index ec5c0894..34324ce6 100644 --- a/site/profiles/metadata.json +++ b/site/profiles/metadata.json @@ -82,6 +82,10 @@ "name": "puppetlabs/postgresql", "version_requirement": ">= 8.0.0 < 10.0.0" }, + { + "name": "puppetlabs/puppetdb", + "version_requirement": ">= 7.13.0 < 8.0.0" + }, { "name": "puppet/prometheus", "version_requirement": ">= 12.3.0 < 13.0.0" From 707196e9ef2943ae4a51cdeb44d4a13531615fe8 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 16:38:56 +0200 Subject: [PATCH 45/64] foo --- site/profiles/manifests/puppetdb.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/site/profiles/manifests/puppetdb.pp b/site/profiles/manifests/puppetdb.pp index e55f3140..49a3bec8 100644 --- a/site/profiles/manifests/puppetdb.pp +++ b/site/profiles/manifests/puppetdb.pp 
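Review bot: The new `puppetlabs/puppetdb` entry in metadata.json is declared as `">= 7.13.0 < 8.0.0"`, but the Puppetfile already pins `puppetlabs/puppetdb` at 8.1.0 (visible in the earlier Puppetfile hunks), so the metadata again excludes the version that is actually deployed; `">= 8.0.0 < 9.0.0"` would match the pin. In the new profiles::puppetdb class, `manage_dbserver => false` is set without saying where the database comes from; a comment such as `# postgresql itself is managed by profiles::postgresql` on the `require` line would make that contract visible to the next reader.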
@@ -5,6 +5,7 @@
 require profiles::postgresql
 class { 'puppetdb':
 manage_dbserver => false,
+ manage_firewall => false,
 }
 contain puppetdb
 class { 'puppetdb::master::config':
From 432fae10a12e63a25360ac3d12804bd4912f4dd6 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 28 Jul 2023 16:44:46 +0200
Subject: [PATCH 46/64] foo
---
 site/profiles/manifests/puppet.pp | 2 +-
 site/profiles/manifests/puppetdb.pp | 17 ++++++++++-------
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp
index 3f6ea88d..6fdb168b 100644
--- a/site/profiles/manifests/puppet.pp
+++ b/site/profiles/manifests/puppet.pp
@@ -15,7 +15,7 @@
 include profiles::puppetdb
 $params = {
 server => true,
- #server_reports => 'puppetdb,foreman',
+ server_reports => 'puppetdb,foreman',
 server_storeconfigs => true,
 server_foreman => true,
 # don't create /etc/puppetlabs/code/environments/common
diff --git a/site/profiles/manifests/puppetdb.pp b/site/profiles/manifests/puppetdb.pp
index 49a3bec8..13fa229a 100644
--- a/site/profiles/manifests/puppetdb.pp
+++ b/site/profiles/manifests/puppetdb.pp
@@ -3,12 +3,15 @@
 #
 class profiles::puppetdb {
 require profiles::postgresql
- class { 'puppetdb':
- manage_dbserver => false,
- manage_firewall => false,
+ #class { 'puppetdb':
+ # manage_dbserver => false,
+ # manage_firewall => false,
+ #}
+ #contain puppetdb
+ #class { 'puppetdb::master::config':
+ #}
+ #contain puppetdb::master::config
+ class { 'puppet::server::puppetdb':
+ server => 'puppetserver.voxpupuli.org',
 }
- contain puppetdb
- class { 'puppetdb::master::config':
- }
- contain puppetdb::master::config
 }
From 4938eb4bdf164ce4717671e464b3aae1c35a9558 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 28 Jul 2023 16:49:48 +0200
Subject: [PATCH 47/64] foo
---
 site/profiles/manifests/puppetdb.pp | 5 +++++
 1 file changed, 5 insertions(+)
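Review bot: `server => 'puppetserver.voxpupuli.org'` in the new `class { 'puppet::server::puppetdb': ... }` hardcodes the PuppetDB endpoint for a profile that, judging by the `require profiles::postgresql` above it, runs PuppetDB on the same host as the Puppetserver; `$trusted['certname']` would follow the node's certificate name and keep the TLS identity consistent, assuming that name is the one PuppetDB's certificate carries. The former `class { 'puppetdb': ... }` and `puppetdb::master::config` declarations are kept as commented-out lines rather than removed, and patches 47 and 48 then flip them back and forth, so squashing these "foo" commits into one would make the history reviewable. The `server_reports => 'puppetdb,foreman'` change in puppet.pp is the behavioural part of this patch and deserves a mention in the subject.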
diff --git a/site/profiles/manifests/puppetdb.pp b/site/profiles/manifests/puppetdb.pp index 13fa229a..17da0952 100644 --- a/site/profiles/manifests/puppetdb.pp +++ b/site/profiles/manifests/puppetdb.pp @@ -11,7 +11,12 @@ #class { 'puppetdb::master::config': #} #contain puppetdb::master::config + class { 'puppetdb::server': + manage_firewall => false, + } + contain puppetdb::server class { 'puppet::server::puppetdb': server => 'puppetserver.voxpupuli.org', } + contain puppet::server::puppetdb } From 78eaa1fa18f9e8647c288e580d8f04353fe0f06b Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 17:04:59 +0200 Subject: [PATCH 48/64] foo --- site/profiles/manifests/puppetdb.pp | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/site/profiles/manifests/puppetdb.pp b/site/profiles/manifests/puppetdb.pp index 17da0952..cf6079ee 100644 --- a/site/profiles/manifests/puppetdb.pp +++ b/site/profiles/manifests/puppetdb.pp @@ -3,18 +3,18 @@ # class profiles::puppetdb { require profiles::postgresql - #class { 'puppetdb': - # manage_dbserver => false, - # manage_firewall => false, - #} - #contain puppetdb + class { 'puppetdb': + manage_dbserver => false, + manage_firewall => false, + } + contain puppetdb #class { 'puppetdb::master::config': #} #contain puppetdb::master::config - class { 'puppetdb::server': - manage_firewall => false, - } - contain puppetdb::server + #class { 'puppetdb::server': + # manage_firewall => false, + #} + #contain puppetdb::server class { 'puppet::server::puppetdb': server => 'puppetserver.voxpupuli.org', } From 287f6510fc53545eab6ac36dc6f6ef3aa7d384a0 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 17:07:41 +0200 Subject: [PATCH 49/64] foo --- site/profiles/manifests/puppetdb.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/site/profiles/manifests/puppetdb.pp b/site/profiles/manifests/puppetdb.pp index cf6079ee..a7aedb2a 100644 --- a/site/profiles/manifests/puppetdb.pp 
+++ b/site/profiles/manifests/puppetdb.pp @@ -3,6 +3,12 @@ # class profiles::puppetdb { require profiles::postgresql + include postgresql::server::contrib + postgresql::server::extension { 'pg_trgm': + database => 'puppetdb', + require => Postgresql::Server::Db['puppetdb'], + before => Service['puppetdb'], + } class { 'puppetdb': manage_dbserver => false, manage_firewall => false, From cefeea59855b9556b083d98746614f925b001404 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 18:46:56 +0200 Subject: [PATCH 50/64] enhance cloud-init --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 67e4cb65..7ae63792 100644 --- a/README.md +++ b/README.md @@ -49,8 +49,11 @@ runcmd: - /opt/puppetlabs/puppet/bin/gem install --no-document r10k toml - cd /root && git clone https://github.com/voxpupuli/controlrepo - cd /root/controlrepo && /opt/puppetlabs/puppet/bin/r10k puppetfile install --verbose - - /opt/puppetlabs/puppet/bin/puppet apply /root/controlrepo/manifests/site.pp --modulepath /root/controlrepo/modules:/root/controlrepo/site --show_diff --write-catalog-summary --hiera_config /root/controlrepo/hiera.yaml + - /opt/puppetlabs/puppet/bin/puppet apply /root/controlrepo/manifests/site.pp --modulepath /root/controlrepo/modules:/root/controlrepo/site --show_diff --write-catalog-summary --hiera_config /root/controlrepo/hiera.yaml --summarize --graph --tags r10k,hacked_pluginsync - /opt/puppetlabs/puppet/bin/r10k deploy environment --modules --verbose + - /opt/puppetlabs/puppet/bin/puppet apply /etc/puppetlabs/code/environments/production/manifests/site.pp --show_diff --environment production --write-catalog-summary --summarize --graph + - /opt/puppetlabs/puppet/bin/puppet agent -t + - /opt/puppetlabs/puppet/bin/puppet agent -t ``` ## ToDos From 3d002f5c38712a776719d800cabb47bdd83f2ea5 Mon Sep 17 00:00:00 2001 
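Review bot: The new `postgresql::server::extension { 'pg_trgm': ... }` declares `require => Postgresql::Server::Db['puppetdb']`, but with `manage_dbserver => false` on the `puppetdb` class below, the puppetdb module is — if I read that parameter correctly — not the one creating that database, so the reference resolves only if profiles::postgresql (required above, but outside the hunk) declares `postgresql::server::db { 'puppetdb': }`; if it does not, the catalog fails with a missing-dependency error. A comment naming where the database comes from, e.g. `# the puppetdb database itself is created in profiles::postgresql`, would make that contract visible. The README hunk in the same patch runs `puppet apply` with `--tags r10k,hacked_pluginsync`, which relies on the `tag => 'hacked_pluginsync'` set in site.pp in patch 38/64; a pointer from the README to that tag would help whoever edits either side next.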
From: Tim Meusel Date: Fri, 28 Jul 2023 18:50:57 +0200 Subject: [PATCH 51/64] cleanup --- site/profiles/REFERENCE.md | 22 ++++++++++--------- site/profiles/manifests/puppet.pp | 4 ++-- .../{puppetcode.pp => puppet/code.pp} | 4 +++- .../manifests/{puppetdb.pp => puppet/db.pp} | 16 ++++++-------- .../server_firewalling.pp} | 2 ++ 5 files changed, 26 insertions(+), 22 deletions(-) rename site/profiles/manifests/{puppetcode.pp => puppet/code.pp} (95%) rename site/profiles/manifests/{puppetdb.pp => puppet/db.pp} (66%) rename site/profiles/manifests/{puppetserver_firewalling.pp => puppet/server_firewalling.pp} (97%) diff --git a/site/profiles/REFERENCE.md b/site/profiles/REFERENCE.md index 49136ef5..6a671b23 100644 --- a/site/profiles/REFERENCE.md +++ b/site/profiles/REFERENCE.md @@ -12,6 +12,7 @@ * [`profiles::borg`](#profiles--borg): configures borg backups * [`profiles::certbot`](#profiles--certbot): configures the certbot foo. Doesn't create certificates! * [`profiles::docker`](#profiles--docker): installs docker +* [`profiles::foreman`](#profiles--foreman): configure foreman + plugins * [`profiles::github_runners`](#profiles--github_runners): configures a self-hosted github runner * [`profiles::grafana`](#profiles--grafana): installs grafana to display stats from dropsonde about Vox Pupuli modules * [`profiles::nftables`](#profiles--nftables): configure certain nftable rules 
@@ -22,9 +23,7 @@ * [`profiles::postgresql`](#profiles--postgresql): install latest postgresql with upstream repositories * [`profiles::prometheus`](#profiles--prometheus): install Prometheus * [`profiles::puppet`](#profiles--puppet): configure puppet agent and server -* [`profiles::puppetcode`](#profiles--puppetcode): some resources to manage puppete code * [`profiles::puppetmodule`](#profiles--puppetmodule): configures puppetmodule.info -* [`profiles::puppetserver_firewalling`](#profiles--puppetserver_firewalling): manages nft rules on Puppetserver/PuppetDB * [`profiles::redis`](#profiles--redis): configures redis on different platforms * [`profiles::ssh`](#profiles--ssh): ssh profile to manage sshd + ssh keys * [`profiles::ssh_keys`](#profiles--ssh_keys): configure keys from GitHubs in the authorized_keys file @@ -33,6 +32,9 @@ #### Private Classes * `profiles::github_runners::ruby`: install ruby for GitHub self hosted runners +* `profiles::puppet::code`: some resources to manage puppete code +* `profiles::puppet::db`: installs puppetdb *on a puppetserver that also runs foreman* +* `profiles::puppetserver_firewalling`: manages nft rules on Puppetserver/PuppetDB ### Defined types @@ -156,6 +158,14 @@ configures the certbot foo. Doesn't create certificates! installs docker +### `profiles::foreman` + +configure foreman + plugins + +* **See also** + * `cat + * /opt/puppetlabs/puppet/cache/foreman_cache_data/admin_password` provides the admin password + ### `profiles::github_runners` configures a self-hosted github runner @@ -400,10 +410,6 @@ configure if we should install msgpack on the agent Default value: `($facts['os']['name'] != 'gentoo'` -### `profiles::puppetcode` - -some resources to manage puppete code - ### `profiles::puppetmodule` configures puppetmodule.info 
@@ -453,10 +459,6 @@ the database user Default value: `'puppetmodule'` -### `profiles::puppetserver_firewalling` - -manages nft rules on Puppetserver/PuppetDB - ### `profiles::redis` configures redis on different platforms diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp index 6fdb168b..40d21622 100644 --- a/site/profiles/manifests/puppet.pp +++ b/site/profiles/manifests/puppet.pp @@ -9,10 +9,10 @@ Boolean $server = ($trusted['pp_role'] == 'puppetserver'), Boolean $manage_msgpack = ($facts['os']['name'] != 'gentoo'), ) { - include profiles::puppetcode + include profiles::puppet::code if $server { require profiles::foreman - include profiles::puppetdb + include profiles::puppet::db $params = { server => true, server_reports => 'puppetdb,foreman', diff --git a/site/profiles/manifests/puppetcode.pp b/site/profiles/manifests/puppet/code.pp similarity index 95% rename from site/profiles/manifests/puppetcode.pp rename to site/profiles/manifests/puppet/code.pp index 6df87174..32cef404 100644 --- a/site/profiles/manifests/puppetcode.pp +++ b/site/profiles/manifests/puppet/code.pp @@ -3,7 +3,9 @@ # # @author Tim Meusel # -class profiles::puppetcode { +# @api private +class profiles::puppet::code { + assert_private() ssh_keygen { 'root_github': type => 'ed25519', filename => '/root/.ssh/id_ed25519_github', diff --git a/site/profiles/manifests/puppetdb.pp b/site/profiles/manifests/puppet/db.pp similarity index 66% rename from site/profiles/manifests/puppetdb.pp rename to site/profiles/manifests/puppet/db.pp index a7aedb2a..0ade9d68 100644 --- a/site/profiles/manifests/puppetdb.pp +++ b/site/profiles/manifests/puppet/db.pp 
@@ -1,7 +1,12 @@ # -# @summary installs puppetdb +# @summary installs puppetdb *on a puppetserver that also runs foreman* # -class profiles::puppetdb { +# @api private +# +# @author Tim Meusel +# +class profiles::puppet::db { + assert_private() require profiles::postgresql include postgresql::server::contrib postgresql::server::extension { 'pg_trgm': @@ -14,13 +19,6 @@ manage_firewall => false, } contain puppetdb - #class { 'puppetdb::master::config': - #} - #contain puppetdb::master::config - #class { 'puppetdb::server': - # manage_firewall => false, - #} - #contain puppetdb::server class { 'puppet::server::puppetdb': server => 'puppetserver.voxpupuli.org', } diff --git a/site/profiles/manifests/puppetserver_firewalling.pp b/site/profiles/manifests/puppet/server_firewalling.pp similarity index 97% rename from site/profiles/manifests/puppetserver_firewalling.pp rename to site/profiles/manifests/puppet/server_firewalling.pp index 4920080f..2b0273ec 100644 --- a/site/profiles/manifests/puppetserver_firewalling.pp +++ b/site/profiles/manifests/puppet/server_firewalling.pp @@ -3,7 +3,9 @@ # # @author Tim Meusel # +# @api private class profiles::puppetserver_firewalling { + assert_private() include profiles::nftables nftables::simplerule { 'allow_puppet_4': action => 'accept', From ea1626e08e1e7e595632a472bea06c9c66654e03 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 28 Jul 2023 18:51:20 +0200 Subject: [PATCH 52/64] cleanup --- site/profiles/REFERENCE.md | 2 +- site/profiles/manifests/puppet/server_firewalling.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profiles/REFERENCE.md b/site/profiles/REFERENCE.md index 6a671b23..53a599be 100644 --- a/site/profiles/REFERENCE.md +++ b/site/profiles/REFERENCE.md 
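Review bot: `server_firewalling.pp` is moved into the `puppet/` directory but the class keeps its old name `profiles::puppetserver_firewalling`, so the autoloader cannot find it under the new path and `profiles::puppet`, which contains it, fails to compile at this commit; patch 52/64 renames the class, so the two patches should be squashed to keep every commit loadable. The REFERENCE.md entry added in this patch still lists `profiles::puppetserver_firewalling` for the same reason. In `profiles::puppet::db` the new `assert_private()` comes before `require profiles::postgresql`, which is the right order — the access check runs before any resource is declared.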
@@ -34,7 +34,7 @@
 * `profiles::github_runners::ruby`: install ruby for GitHub self hosted runners
 * `profiles::puppet::code`: some resources to manage puppete code
 * `profiles::puppet::db`: installs puppetdb *on a puppetserver that also runs foreman*
-* `profiles::puppetserver_firewalling`: manages nft rules on Puppetserver/PuppetDB
+* `profiles::puppet::server_firewalling`: manages nft rules on Puppetserver/PuppetDB
 ### Defined types
diff --git a/site/profiles/manifests/puppet/server_firewalling.pp b/site/profiles/manifests/puppet/server_firewalling.pp
index 2b0273ec..58b579fe 100644
--- a/site/profiles/manifests/puppet/server_firewalling.pp
+++ b/site/profiles/manifests/puppet/server_firewalling.pp
@@ -4,7 +4,7 @@
 # @author Tim Meusel
 #
 # @api private
-class profiles::puppetserver_firewalling {
+class profiles::puppet::server_firewalling {
 assert_private()
 include profiles::nftables
 nftables::simplerule { 'allow_puppet_4':
From 422ac947f3821802fd7113f35f6881b36f3d4490 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 28 Jul 2023 18:52:13 +0200
Subject: [PATCH 53/64] .fixtures.yml: remove legacy yardoc dependency
---
 site/profiles/.fixtures.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/site/profiles/.fixtures.yml b/site/profiles/.fixtures.yml
index 887e3a9e..fe2a594e 100644
--- a/site/profiles/.fixtures.yml
+++ b/site/profiles/.fixtures.yml
@@ -14,6 +14,7 @@ fixtures:
 inifile: https://github.com/puppetlabs/puppetlabs-inifile
 systemd: https://github.com/voxpupuli/puppet-systemd
 postgresql: https://github.com/puppetlabs/puppetlabs-postgresql
+ puppetdb: https://github.com/puppetlabs/puppetlabs-puppetdb.git
 prometheus: https://github.com/voxpupuli/puppet-prometheus.git
 borg: https://github.com/voxpupuli/puppet-borg.git
 puppet: https://github.com/theforeman/puppet-puppet
From 5cc65b9e9d7f6fc639aa95b519012056d36c6fff Mon Sep 17 00:00:00 2001
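Review bot: The added fixture `puppetdb: https://github.com/puppetlabs/puppetlabs-puppetdb.git` is an unpinned git URL, so every test run fetches whatever that repository's default branch currently holds, while metadata.json in the next patch lists `puppetlabs/puppetdb` among the version-constrained dependencies; the two can drift apart with no change in this repo and the tests then exercise a module version production never sees. Giving the entry a `ref:` set to the tag the metadata range admits would make the fixture reproducible (the surrounding entries share the problem, so this is a pre-existing pattern rather than something this line introduces). The commit subject, "remove legacy yardoc dependency", does not describe this one-line addition.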
From: Tim Meusel
Date: Fri, 28 Jul 2023 22:45:27 +0200
Subject: [PATCH 54/64] fix typo
---
 site/profiles/manifests/puppet.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site/profiles/manifests/puppet.pp b/site/profiles/manifests/puppet.pp
index 40d21622..cf73e2ab 100644
--- a/site/profiles/manifests/puppet.pp
+++ b/site/profiles/manifests/puppet.pp
@@ -31,7 +31,7 @@
 name => 'msgpack',
 require => [Package['make'],Package['gcc'],Class['puppet']],
 }
- contain profiles::puppetserver_firewalling
+ contain profiles::puppet::server_firewalling
 } else {
 $params = {}
 }
From 69095d70cea81dbc35a59695a8f116b309ccec85 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Sat, 29 Jul 2023 18:59:10 +0200
Subject: [PATCH 55/64] metadata.json: Allow newest versions
---
 site/profiles/metadata.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/site/profiles/metadata.json b/site/profiles/metadata.json
index 34324ce6..610cc50e 100644
--- a/site/profiles/metadata.json
+++ b/site/profiles/metadata.json
@@ -32,11 +32,11 @@
 "dependencies": [
 {
 "name": "puppetlabs/stdlib",
- "version_requirement": ">= 8.1.0 < 9.0.0"
+ "version_requirement": ">= 9.2.0 < 10.0.0"
 },
 {
 "name": "puppet/nginx",
- "version_requirement": ">= 4.2.0 < 5.0.0"
+ "version_requirement": ">= 4.2.0 < 6.0.0"
 },
 {
 "name": "puppet/ferm",
@@ -44,7 +44,7 @@
 },
 {
 "name": "saz/ssh",
- "version_requirement": ">= 10.0.0 < 11.0.0"
+ "version_requirement": ">= 10.0.0 < 12.0.0"
 },
 {
 "name": "puppet/ssh_keygen",
@@ -52,11 +52,11 @@
 },
 {
 "name": "puppet/r10k",
- "version_requirement": ">= 10.1.1 < 11.0.0"
+ "version_requirement": ">= 10.1.1 < 12.0.0"
 },
 {
 "name": "puppet/grafana",
- "version_requirement": ">= 10.0.1 < 12.0.0"
+ "version_requirement": ">= 10.0.1 < 14.0.0"
 },
 {
 "name": "puppet/letsencrypt",
@@ -80,7 +80,7 @@
 },
 {
 "name": "puppetlabs/postgresql",
- "version_requirement": ">= 8.0.0 < 10.0.0"
+ "version_requirement": ">= 8.0.0 < 14.0.0"
 },
 {
 "name": "puppetlabs/puppetdb",
From 18527424ed02b4da4c8f874aa537acb38be957d0 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Sat, 29 Jul 2023 20:03:25 +0200
Subject: [PATCH 56/64] enhance tests
---
 manifests/site.pp | 5 -----
 site/profiles/manifests/base.pp | 3 +++
 site/profiles/manifests/grafana.pp | 1 +
 .../spec/classes/{puppetcode_spec.rb => puppet_spec.rb} | 2 +-
 4 files changed, 5 insertions(+), 6 deletions(-)
 rename site/profiles/spec/classes/{puppetcode_spec.rb => puppet_spec.rb} (93%)
diff --git a/manifests/site.pp b/manifests/site.pp
index 61e3d61c..dc380a02 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -13,11 +13,6 @@
 }
 }
-# ensure update runs before installing packages
-if $facts['os']['family'] == 'Debian' {
- Class['apt::update'] -> Package <| provider == 'apt' |>
-}
-
 # include base profile that every node gets
 contain profiles::base
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index 16c0a23c..164245d7 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -34,6 +34,9 @@
 loglevel => 'debug',
 },
 }
+ # ensure update runs before installing packages
+ Class['apt::update'] -> Package <| provider == 'apt' |>
+
 # https://www.sshaudit.com/hardening_guides.html
 class { 'ssh':
 storeconfigs_enabled => false,
diff --git a/site/profiles/manifests/grafana.pp b/site/profiles/manifests/grafana.pp
index fddaf1e9..2c813107 100644
--- a/site/profiles/manifests/grafana.pp
+++ b/site/profiles/manifests/grafana.pp
@@ -15,6 +15,7 @@
 String[1] $postgresql_user = 'grafana',
 String[1] $postgresql_database = $postgresql_user,
 ) {
+ require profiles::base
 $domain = "grafana.${facts['networking']['fqdn']}"
 require profiles::nginx
 require profiles::certbot
diff --git a/site/profiles/spec/classes/puppetcode_spec.rb b/site/profiles/spec/classes/puppet_spec.rb
similarity index 93%
rename from site/profiles/spec/classes/puppetcode_spec.rb
rename to site/profiles/spec/classes/puppet_spec.rb
index 7dbb591e..eed470d5 100644
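Review bot: The added `Class['apt::update'] -> Package <| provider == 'apt' |>` in profiles::base is unconditional, whereas the version removed from site.pp in the same commit was guarded by `if $facts['os']['family'] == 'Debian'`; on a node where the apt module is not declared (puppet.pp in this series special-cases gentoo), a relationship to the undeclared `Class['apt::update']` fails catalog compilation for that node. Unless the enclosing block, which starts outside the hunk, is itself Debian-only, the guard should be kept: `if $facts['os']['family'] == 'Debian' { Class['apt::update'] -> Package <| provider == 'apt' |> }`.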
--- a/site/profiles/spec/classes/puppetcode_spec.rb
+++ b/site/profiles/spec/classes/puppet_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-describe 'profiles::puppetcode' do
+describe 'profiles::puppet' do
 on_supported_os.each do |os, os_facts|
 context "on #{os}" do
 let :facts do
From b8ccdfa213cd932a465651f41a0b793017da5f3a Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Sat, 29 Jul 2023 20:07:27 +0200
Subject: [PATCH 57/64] foo
---
 Rakefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Rakefile b/Rakefile
index 034ba783..d8557015 100644
--- a/Rakefile
+++ b/Rakefile
@@ -8,7 +8,7 @@ end
 desc 'Run metadata-json-deps'
 task :metadata_deps do
- files = FileList['site/*/metadata.json']
+ files = FileList['site/profiles/metadata.json']
 # pull modules if they do not exist already
 Rake::Task['r10k:install'].invoke if files.count <= 2
 files = FileList['site/profiles/metadata.json']
From 707b24dcc7d8f65ec372eec6d320abe939fb495f Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Sun, 30 Jul 2023 20:00:37 +0200
Subject: [PATCH 58/64] allowo newest versions
---
 site/profiles/metadata.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/site/profiles/metadata.json b/site/profiles/metadata.json
index 610cc50e..c70a0ff5 100644
--- a/site/profiles/metadata.json
+++ b/site/profiles/metadata.json
@@ -76,7 +76,7 @@
 },
 {
 "name": "puppet/systemd",
- "version_requirement": ">= 3.8.0 < 5.0.0"
+ "version_requirement": ">= 3.8.0 < 6.0.0"
 },
 {
 "name": "puppetlabs/postgresql",
@@ -88,7 +88,7 @@
 },
 {
 "name": "puppet/prometheus",
- "version_requirement": ">= 12.3.0 < 13.0.0"
+ "version_requirement": ">= 12.3.0 < 14.0.0"
 },
 {
 "name": "puppet/borg",
From 7a408b6d7d49c3c508642119e29d39aa61166adb Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Sun, 30 Jul 2023 20:08:25 +0200
Subject: [PATCH 59/64] foo
---
 Rakefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Rakefile b/Rakefile
index d8557015..034ba783 100644
--- a/Rakefile
+++ b/Rakefile
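Review bot: With the glob narrowed to the single `site/profiles/metadata.json`, `files.count` can only be 0 or 1, so `Rake::Task['r10k:install'].invoke if files.count <= 2` always fires and the reassignment `files = FileList['site/profiles/metadata.json']` two lines down becomes a no-op; the comment "pull modules if they do not exist already" no longer describes what the code does. The guard would express its intent more directly by testing for the installed modules, e.g. `Rake::Task['r10k:install'].invoke unless File.directory?('modules')`, assuming r10k installs into `modules/` as the README's `--modulepath` suggests. The "foo" subject gives no rationale, and the change is reverted verbatim in the second "foo" patch further down.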
@@ -8,7 +8,7 @@ end
 desc 'Run metadata-json-deps'
 task :metadata_deps do
- files = FileList['site/profiles/metadata.json']
+ files = FileList['site/*/metadata.json']
 # pull modules if they do not exist already
 Rake::Task['r10k:install'].invoke if files.count <= 2
 files = FileList['site/profiles/metadata.json']
From 60b2c8c0373ee985e5e28c93b6dfc5fb8582c68f Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Thu, 26 Oct 2023 21:44:11 +0200
Subject: [PATCH 60/64] make puppetdb setup more dynamic
---
 site/profiles/manifests/puppet/db.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site/profiles/manifests/puppet/db.pp b/site/profiles/manifests/puppet/db.pp
index 0ade9d68..2b1fb026 100644
--- a/site/profiles/manifests/puppet/db.pp
+++ b/site/profiles/manifests/puppet/db.pp
@@ -20,7 +20,7 @@
 }
 contain puppetdb
 class { 'puppet::server::puppetdb':
- server => 'puppetserver.voxpupuli.org',
+ server => $facts['networking']['fqdn'],
 }
 contain puppet::server::puppetdb
 }
From 34aafc7c24e5f2641b5ab9e65c6c435a23df0d47 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 6 Sep 2024 16:10:43 +0200
Subject: [PATCH 61/64] nftables
---
 site/profiles/manifests/base.pp | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index 164245d7..047490a9 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -172,14 +172,7 @@
 }
 }
- class { 'nftables':
- in_ssh => true,
- in_icmp => true,
- out_icmp => true,
- in_out_conntrack => true,
- reject_with => false,
- out_all => true,
- }
+ include profiles::nftables
 # configure puppet agent/server
 contain profiles::puppet
From 3c047325bd506bb22830390818038085efd46c32 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 6 Sep 2024 16:12:20 +0200
Subject: [PATCH 62/64] add foremandns
---
 Puppetfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Puppetfile b/Puppetfile
index dfe26c9e..2bb1e20d 100644
--- a/Puppetfile
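Review bot: `server => $facts['networking']['fqdn'],` takes the PuppetDB hostname from a fact, which is derived from the node's own hostname and resolver configuration, whereas the identity the Puppet CA signed — and that the puppetserver-to-PuppetDB TLS connection is presumably checked against — is the certname; the two are usually equal but diverge whenever the fqdn fact is wrong or the certname was set explicitly. Since puppet.pp in this series already reads `$trusted['pp_role']`, `server => $trusted['certname'],` would tie the setting to the authenticated identity rather than a self-reported fact. The class summary states PuppetDB is colocated with the puppetserver, which is what makes either value plausible here.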
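Review bot: Replacing the inline `class { 'nftables': ... }` with `include profiles::nftables` moves the whole host-firewall policy out of view; the removed declaration is what allowed inbound SSH (`in_ssh => true`), ICMP in both directions and established-connection tracking (`in_out_conntrack => true`), so if `profiles::nftables` sets any of these differently, nodes could lose management access on the next rule reload. That profile is not on this page (foreman.pp only shows that it exists), so please confirm it declares at least those parameters, and consider a comment at the `include` such as `# host firewall baseline (SSH in, ICMP, conntrack) is defined in profiles::nftables` so the next reader knows where the policy went. `reject_with => false` and `out_all => true` were also dropped here without a visible replacement.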
+++ b/Puppetfile
@@ -26,6 +26,7 @@ mod 'puppetlabs/docker', '10.0.1'
 mod 'theforeman/puppetserver_foreman', '4.0.0'
 mod 'theforeman/foreman', '25.2.1'
 mod 'theforeman/foreman_proxy', '26.1.0'
+mod 'theforeman/dns', '11.0.0'
 mod 'puppetlabs/puppetdb', '8.1.0'
 mod 'puppet/redis', '11.0.0'
 mod 'puppetlabs/apache', '12.1.0'
From 67a5849868daf505dc9589e77d5609b6b8ea3326 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 6 Sep 2024 16:24:44 +0200
Subject: [PATCH 63/64] foreman 3.11
---
 site/profiles/manifests/foreman.pp | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/site/profiles/manifests/foreman.pp b/site/profiles/manifests/foreman.pp
index 2c5150eb..7454725b 100644
--- a/site/profiles/manifests/foreman.pp
+++ b/site/profiles/manifests/foreman.pp
@@ -7,20 +7,9 @@
 require profiles::redis
 require profiles::postgresql
 require profiles::nftables # ensures hkp access is working to download the apt key
- # this pulls in postgresql:12 as module
- # https://github.com/theforeman/foreman-packaging/blob/61cdf829ea481294d8d00dc6162e3524875ebb2d/modulemd/modulemd-foreman-el8.yaml#L27-L28
- #class { 'foreman::repo':
- # repo => '3.3',
- #}
- #foreman::repos { 'foreman':
- # repo => '3.7',
- # gpgcheck => true,
- # yum_repo_baseurl => 'https://deb.theforeman.org',
- # before => [Class['foreman'], Class['foreman_proxy'],],
- #}
 class { 'foreman::repo':
- repo => '3.7',
+ repo => '3.11',
 }
 class { 'foreman':
From 231f0ba46d78b5be32329f5df963ecab966c80e3 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Fri, 13 Sep 2024 17:45:44 +0200
Subject: [PATCH 64/64] README.md: fix documentation
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 7ae63792..2b470483 100644
--- a/README.md
+++ b/README.md
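Review bot: The deleted comment block was the only place in this profile where repository signature verification was spelled out (`gpgcheck => true` in the commented-out `foreman::repos` resource); after the change the live `class { 'foreman::repo': repo => '3.11', }` relies entirely on that class's defaults, which are not visible here, so it is worth confirming that signed-repository checks stay enabled for the new release line. The jump from '3.7' to '3.11' also crosses several Foreman releases at once, and the removed block carried the only rationale this profile had; a one-line comment such as `# 3.7 -> 3.11; upgrade path verified on <date>` (date filled in) would restore that. The class body continues outside the hunk.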
@@ -49,9 +49,9 @@ runcmd:
 - /opt/puppetlabs/puppet/bin/gem install --no-document r10k toml
 - cd /root && git clone https://github.com/voxpupuli/controlrepo
 - cd /root/controlrepo && /opt/puppetlabs/puppet/bin/r10k puppetfile install --verbose
- - /opt/puppetlabs/puppet/bin/puppet apply /root/controlrepo/manifests/site.pp --modulepath /root/controlrepo/modules:/root/controlrepo/site --show_diff --write-catalog-summary --hiera_config /root/controlrepo/hiera.yaml --summarize --graph --tags r10k,hacked_pluginsync
+ - /opt/puppetlabs/puppet/bin/puppet apply /root/controlrepo/manifests/site.pp --modulepath /root/controlrepo/modules:/root/controlrepo/site --show_diff --write_catalog_summary --hiera_config /root/controlrepo/hiera.yaml --summarize --graph --tags r10k,hacked_pluginsync
 - /opt/puppetlabs/puppet/bin/r10k deploy environment --modules --verbose
- - /opt/puppetlabs/puppet/bin/puppet apply /etc/puppetlabs/code/environments/production/manifests/site.pp --show_diff --environment production --write-catalog-summary --summarize --graph
+ - /opt/puppetlabs/puppet/bin/puppet apply /etc/puppetlabs/code/environments/production/manifests/site.pp --show_diff --environment production --write_catalog_summary --summarize --graph
 - /opt/puppetlabs/puppet/bin/puppet agent -t
 - /opt/puppetlabs/puppet/bin/puppet agent -t
 ```