WIP: Implement puppetserver

Puppetfile

@@ -23,3 +23,11 @@ mod 'saz/sudo', '8.0.0'
 mod 'puppet/github_actions_runner', '1.1.0'
 mod 'puppet/nftables', '4.0.0'
 mod 'puppetlabs/docker', '10.0.1'
+mod 'theforeman/puppetserver_foreman', '4.0.0'
+mod 'theforeman/foreman', '25.2.1'
+mod 'theforeman/foreman_proxy', '26.1.0'
+mod 'theforeman/dns', '11.0.0'
+mod 'puppetlabs/puppetdb', '8.1.0'
+mod 'puppet/redis', '11.0.0'
+mod 'puppetlabs/apache', '12.1.0'
+mod 'richardc/datacat', '0.6.2'

README.md

@@ -23,3 +23,46 @@ sed -i 's#remote:.*#remote: https://github.com/voxpupuli/controlrepo.git#' /etc/
 r10k deploy environment production --puppetfile --verbose
 puppet apply /etc/puppetlabs/code/environments/production/manifests/site.pp --show_diff
 ```
+
+## Hetzner Cloud cloud-init userdata:
+
+```yaml
+#cloud-config
+---
+package_reboot_if_required: true
+package_upgrade: true
+packages:
+- git
+- ca-certificates
+repo_update: true
+repo_upgrade: all
+puppet:
+  install_type: aio
+  collection: puppet8
+  cleanup: false
+  package_name: puppet-agent
+  csr_attributes:
+    extension_requests:
+      pp_role: puppetserver
+runcmd:
+  - systemctl disable --now puppet
+  - /opt/puppetlabs/puppet/bin/gem install --no-document r10k toml
+  - cd /root && git clone https://github.com/voxpupuli/controlrepo
+  - cd /root/controlrepo && /opt/puppetlabs/puppet/bin/r10k puppetfile install --verbose
+  - /opt/puppetlabs/puppet/bin/puppet apply /root/controlrepo/manifests/site.pp --modulepath /root/controlrepo/modules:/root/controlrepo/site --show_diff --write_catalog_summary --hiera_config /root/controlrepo/hiera.yaml --summarize --graph --tags r10k,hacked_pluginsync
+  - /opt/puppetlabs/puppet/bin/r10k deploy environment --modules --verbose
+  - /opt/puppetlabs/puppet/bin/puppet apply /etc/puppetlabs/code/environments/production/manifests/site.pp --show_diff --environment production --write_catalog_summary --summarize --graph
+  - /opt/puppetlabs/puppet/bin/puppet agent -t
+  - /opt/puppetlabs/puppet/bin/puppet agent -t
+```
+
+## ToDos
+
+* setup csr_attributes (cloud-inits supports that as well)
+* write the r10k config so we can do the initial provisioning into `/etc/puppetlabs/code/environments` and not `/root`
+
+## metadata.json and dependencies
+
+the `site/profiles/metadata.json` only tracks modules that are direct
+dependencies to profiles. The `.fixtures.yml` can be autogenerated with the
+`generate_fixtures` rake task.

data/nodes/puppetserver.voxpupuli.org.yaml

@@ -0,0 +1,3 @@
+---
+profiles::puppet::server: true
+profiles::postgresql::version: '15'

data/roles/puppetserver.yaml

@@ -0,0 +1,3 @@
+---
+classes:
+  - profiles::puppet

hiera.yaml

@@ -10,5 +10,7 @@ defaults:
 hierarchy:
   - name: "Per-node data"
     path: "nodes/%{facts.networking.fqdn}.yaml"
+  - name: "Role data"
+    path: "roles/%{trusted.extensions.pp_role}.yaml"
   - name: "one file to rule them all"
     path: "global.yaml"

manifests/site.pp

@@ -1,16 +1,21 @@
+# hack pluginsync as file resource. only required for `puppet apply` usage
+# this works by accident with puppet agent, but only on the puppetserver
+# it breaks puppet agent on other systems, so we need to guard it
+if $trusted['authenticated'] == 'local' {
+  file { $settings::libdir:
+    ensure  => directory,
+    source  => 'puppet:///plugins', # lint:ignore:puppet_url_without_modules
+    recurse => true,
+    purge   => true,
+    backup  => false,
+    noop    => false,
+    tag     => 'hacked_pluginsync',
+  }
+}
+
 # include base profile that every node gets
 contain profiles::base
 
-## pluginsync
-file { $::settings::libdir: # lint:ignore:top_scope_facts
-  ensure  => directory,
-  source  => 'puppet:///plugins', # lint:ignore:puppet_url_without_modules
-  recurse => true,
-  purge   => true,
-  backup  => false,
-  noop    => false,
-}
-
 # include node specific profiles
 lookup('classes', Array[String[1]], 'unique', []).each |$c| {
   contain $c

site/profiles/.fixtures.yml

@@ -14,12 +14,16 @@ fixtures:
     inifile: https://github.com/puppetlabs/puppetlabs-inifile
     systemd: https://github.com/voxpupuli/puppet-systemd
     postgresql: https://github.com/puppetlabs/puppetlabs-postgresql
+    puppetdb: https://github.com/puppetlabs/puppetlabs-puppetdb.git
     prometheus: https://github.com/voxpupuli/puppet-prometheus.git
     borg: https://github.com/voxpupuli/puppet-borg.git
     puppet: https://github.com/theforeman/puppet-puppet
+    foreman: https://github.com/theforeman/puppet-foreman
+    foreman_proxy: https://github.com/theforeman/puppet-foreman_proxy
     extlib: https://github.com/voxpupuli/puppet-extlib.git
     nftables: https://github.com/voxpupuli/puppet-nftables.git
     docker: https://github.com/puppetlabs/puppetlabs-docker
+    redis: https://github.com/voxpupuli/puppet-redis.git
     archive: https://github.com/voxpupuli/puppet-archive
     concat: https://github.com/puppetlabs/puppetlabs-concat
     ssh_keys: https://github.com/puppetlabs/puppetlabs-sshkeys_core

site/profiles/REFERENCE.md

@@ -12,24 +12,29 @@
 * [`profiles::borg`](#profiles--borg): configures borg backups
 * [`profiles::certbot`](#profiles--certbot): configures the certbot foo. Doesn't create certificates!
 * [`profiles::docker`](#profiles--docker): installs docker
+* [`profiles::foreman`](#profiles--foreman): configure foreman + plugins
 * [`profiles::github_runners`](#profiles--github_runners): configures a self-hosted github runner
 * [`profiles::grafana`](#profiles--grafana): installs grafana to display stats from dropsonde about Vox Pupuli modules
+* [`profiles::nftables`](#profiles--nftables): configure certain nftable rules
 * [`profiles::nginx`](#profiles--nginx): multiple profiles requires nginx vhosts, this profile pulls in the nginx class/package/service setup
 * [`profiles::node_exporter`](#profiles--node_exporter): install node_exporter
 * [`profiles::postfix`](#profiles--postfix): installs postfix
 * [`profiles::postgres_exporter`](#profiles--postgres_exporter): installs a postgres exporter
 * [`profiles::postgresql`](#profiles--postgresql): install latest postgresql with upstream repositories
 * [`profiles::prometheus`](#profiles--prometheus): install Prometheus
-* [`profiles::puppetagent`](#profiles--puppetagent): profile to manage puppet agent + deps
-* [`profiles::puppetcode`](#profiles--puppetcode): some resources to manage puppete code
+* [`profiles::puppet`](#profiles--puppet): configure puppet agent and server
 * [`profiles::puppetmodule`](#profiles--puppetmodule): configures puppetmodule.info
+* [`profiles::redis`](#profiles--redis): configures redis on different platforms
 * [`profiles::ssh`](#profiles--ssh): ssh profile to manage sshd + ssh keys
 * [`profiles::ssh_keys`](#profiles--ssh_keys): configure keys from GitHubs in the authorized_keys file
 * [`profiles::vpt`](#profiles--vpt): this profile will, in the future, instal Vox Pupuli Tasks
 
 #### Private Classes
 
 * `profiles::github_runners::ruby`: install ruby for GitHub self hosted runners
+* `profiles::puppet::code`: some resources to manage puppete code
+* `profiles::puppet::db`: installs puppetdb *on a puppetserver that also runs foreman*
+* `profiles::puppet::server_firewalling`: manages nft rules on Puppetserver/PuppetDB
 
 ### Defined types
 
@@ -153,6 +158,14 @@ configures the certbot foo. Doesn't create certificates!
 
 installs docker
 
+### <a name="profiles--foreman"></a>`profiles::foreman`
+
+configure foreman + plugins
+
+* **See also**
+  * `cat
+    * /opt/puppetlabs/puppet/cache/foreman_cache_data/admin_password` provides the admin password
+
 ### <a name="profiles--github_runners"></a>`profiles::github_runners`
 
 configures a self-hosted github runner
@@ -287,6 +300,51 @@ Data type: `String[1]`
 
 Default value: `$postgresql_user`
 
+### <a name="profiles--nftables"></a>`profiles::nftables`
+
+configure certain nftable rules
+
+#### Parameters
+
+The following parameters are available in the `profiles::nftables` class:
+
+* [`in_ssh`](#-profiles--nftables--in_ssh)
+* [`icmp`](#-profiles--nftables--icmp)
+* [`nat`](#-profiles--nftables--nat)
+* [`out_all`](#-profiles--nftables--out_all)
+
+##### <a name="-profiles--nftables--in_ssh"></a>`in_ssh`
+
+Data type: `Boolean`
+
+allows incoming ssh connections
+
+Default value: `true`
+
+##### <a name="-profiles--nftables--icmp"></a>`icmp`
+
+Data type: `Boolean`
+
+allow all ICMP traffic
+
+Default value: `true`
+
+##### <a name="-profiles--nftables--nat"></a>`nat`
+
+Data type: `Boolean`
+
+decide if the box should be allowed to handle NAT traffic
+
+Default value: `false`
+
+##### <a name="-profiles--nftables--out_all"></a>`out_all`
+
+Data type: `Boolean`
+
+Allow all outbound connections
+
+Default value: `false`
+
 ### <a name="profiles--nginx"></a>`profiles::nginx`
 
 multiple profiles requires nginx vhosts, this profile pulls in the nginx class/package/service setup
@@ -315,7 +373,7 @@ The following parameters are available in the `profiles::postgresql` class:
 
 ##### <a name="-profiles--postgresql--version"></a>`version`
 
-Data type: `Enum['11', '12', '13', '14']`
+Data type: `Enum['11', '12', '13', '14', '15']`
 
 desired postgresql version
 
@@ -325,13 +383,32 @@ Default value: `'13'`
 
 install Prometheus
 
-### <a name="profiles--puppetagent"></a>`profiles::puppetagent`
+### <a name="profiles--puppet"></a>`profiles::puppet`
+
+configure puppet agent and server
+
+#### Parameters
+
+The following parameters are available in the `profiles::puppet` class:
+
+* [`server`](#-profiles--puppet--server)
+* [`manage_msgpack`](#-profiles--puppet--manage_msgpack)
+
+##### <a name="-profiles--puppet--server"></a>`server`
+
+Data type: `Boolean`
 
-profile to manage puppet agent + deps
+decide if the server should be configured as well
 
-### <a name="profiles--puppetcode"></a>`profiles::puppetcode`
+Default value: `($trusted['pp_role'] == 'puppetserver'`
 
-some resources to manage puppete code
+##### <a name="-profiles--puppet--manage_msgpack"></a>`manage_msgpack`
+
+Data type: `Boolean`
+
+configure if we should install msgpack on the agent
+
+Default value: `($facts['os']['name'] != 'gentoo'`
 
 ### <a name="profiles--puppetmodule"></a>`profiles::puppetmodule`
 
@@ -382,6 +459,10 @@ the database user
 
 Default value: `'puppetmodule'`
 
+### <a name="profiles--redis"></a>`profiles::redis`
+
+configures redis on different platforms
+
 ### <a name="profiles--ssh"></a>`profiles::ssh`
 
 ssh profile to manage sshd + ssh keys

site/profiles/manifests/base.pp

@@ -27,6 +27,16 @@
   package { 'snapd':
     ensure => 'absent',
   }
+  # do an apt update daily, don't log it, run it before packages
+  class { 'apt':
+    update => {
+      frequency => 'daily',
+      loglevel  => 'debug',
+    },
+  }
+  # ensure update runs before installing packages
+  Class['apt::update'] -> Package <| provider == 'apt' |>
+
   # https://www.sshaudit.com/hardening_guides.html
   class { 'ssh':
     storeconfigs_enabled => false,
@@ -162,12 +172,8 @@
     }
   }
 
-  class { 'nftables':
-    in_ssh           => true,
-    in_icmp          => true,
-    out_icmp         => true,
-    in_out_conntrack => true,
-    reject_with      => false,
-    out_all          => true,
-  }
+  include profiles::nftables
+
+  # configure puppet agent/server
+  contain profiles::puppet
 }

site/profiles/manifests/foreman.pp

@@ -0,0 +1,55 @@
+#
+# @summary configure foreman + plugins
+#
+# @see `cat /opt/puppetlabs/puppet/cache/foreman_cache_data/admin_password` provides the admin password
+#
+class profiles::foreman {
+  require profiles::redis
+  require profiles::postgresql
+  require profiles::nftables # ensures hkp access is working to download the apt key
+
+  class { 'foreman::repo':
+    repo => '3.11',
+  }
+
+  class { 'foreman':
+    logging_type             => 'journald',
+    initial_admin_username   => 'admin',
+    initial_admin_first_name => 'Vox',
+    initial_admin_last_name  => 'Pupuli',
+    initial_admin_email      => 'pmc@voxpupuli.org',
+    register_in_foreman      => true, # is a foreman 3.1+ feature
+    rails_cache_store        => {
+      'type'    => 'redis',
+      'urls'    => ['localhost:6379/0'],
+      'options' => {
+        'compress'  => 'true',
+        'namespace' => 'foreman',
+      },
+    },
+  }
+  $packages = $facts['os']['family'] ? {
+    'RedHat' => ['rubygem-foreman_puppet', 'rubygem-puppetdb_foreman'],
+    'Debian' => ['ruby-foreman-puppet', 'ruby-puppetdb-foreman'],
+  }
+  $packages.each |$package| {
+    package { $package:
+      ensure  => 'installed',
+      require => Package['foreman-service'],
+      notify  => Service['foreman'],
+    }
+  }
+  class { 'foreman_proxy':
+    register_in_foreman => true, # is a foreman 3.1+ feature
+    puppet              => true,
+    puppetca            => true,
+    tftp                => false,
+    dhcp                => false,
+    dns                 => false,
+    bmc                 => false,
+    realm               => false,
+  }
+  # open http/https in firewall
+  require nftables::rules::http
+  require nftables::rules::https
+}

site/profiles/manifests/grafana.pp

@@ -15,6 +15,7 @@
   String[1] $postgresql_user = 'grafana',
   String[1] $postgresql_database = $postgresql_user,
 ) {
+  require profiles::base
   $domain = "grafana.${facts['networking']['fqdn']}"
   require profiles::nginx
   require profiles::certbot