author | Hugo Hörnquist <hugo@lysator.liu.se> | 2023-06-12 16:34:11 +0200 |
---|---|---|
committer | Hugo Hörnquist <hugo@lysator.liu.se> | 2023-06-12 16:34:11 +0200 |
commit | c35862d14de1f45374b24378768b9e39aff3cef0 (patch) | |
tree | 45d05575edc02a7b73847d690585c9a509f8603c /manifests | |
parent | See last commit for rationalle. (diff) | |
parent | Puppetdb change fact source. (diff) | |
download | profiles-c35862d14de1f45374b24378768b9e39aff3cef0.tar.gz profiles-c35862d14de1f45374b24378768b9e39aff3cef0.tar.xz |
Merge branch 'master' into puppetserver
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/container_registry.pp | 54 | ||||
-rw-r--r-- | manifests/dhcpd.pp | 22 | ||||
-rw-r--r-- | manifests/distribution_registry.pp | 79 | ||||
-rw-r--r-- | manifests/dns.pp | 10 | ||||
-rw-r--r-- | manifests/dns_zones.pp | 56 | ||||
-rw-r--r-- | manifests/jenkins.pp | 4 | ||||
-rw-r--r-- | manifests/mu4web.pp | 7 | ||||
-rw-r--r-- | manifests/publish_dns.pp | 11 | ||||
-rw-r--r-- | manifests/puppetdb.pp | 2 | ||||
-rw-r--r-- | manifests/repomaster.pp | 2 | ||||
-rw-r--r-- | manifests/transmission.pp | 32 | ||||
-rw-r--r-- | manifests/wireguard_peer.pp | 37 | ||||
-rw-r--r-- | manifests/wireguard_server.pp | 42 |
13 files changed, 197 insertions, 161 deletions
diff --git a/manifests/container_registry.pp b/manifests/container_registry.pp new file mode 100644 index 0000000..e7a57a7 --- /dev/null +++ b/manifests/container_registry.pp @@ -0,0 +1,54 @@ +# @summary Sets up a local container registry +# +# Note that this is more of a role. +class profiles::container_registry ( + String $server_name, + Enum['present', 'absent'] $ensure = 'present', +) { + include profiles::nginx + + $socket = '/run/distribution/distribution.sock' + class { 'profiles::distribution_registry': + http_addr => $socket, + http_net => 'unix', + } + + include ::profiles::certificate + letsencrypt::domain { $server_name: + cert_name => $profiles::certificate::cert_name, + } + + if $ensure == 'present' { + @@dns::record { "AAAA ${server_name}": + type => 'AAAA', + zone => "${facts['domain']}.", + key => $server_name.split('.')[0], + value => $facts['ipaddress6'], + } + } + + nginx::resource::server { $server_name: + ensure => $ensure, + ipv6_enable => true, + ipv6_listen_options => '', + use_default_location => false, + client_max_body_size => '0', + server_cfg_append => { + 'chunked_transfer_encoding' => 'on', + }, + * => letsencrypt::conf::nginx($server_name), + } + + if $facts['letsencrypt_directory'][$server_name] { + nginx::resource::location { "${server_name} /": + location => '/', + proxy => "http://unix:${socket}", + index_files => [], + ssl => true, + ssl_only => true, + server => $server_name, + } + } + + # TODO add user http to group distribution +} diff --git a/manifests/dhcpd.pp b/manifests/dhcpd.pp index 007f922..4b3e085 100644 --- a/manifests/dhcpd.pp +++ b/manifests/dhcpd.pp @@ -7,10 +7,10 @@ class profiles::dhcpd ( $menu_len = length($menu) class { 'dhcp': - service_ensure => running, - manage_service => false, - dnsdomain => [ - 'dynamic.adrift.space', + service_ensure => running, + manage_service => false, + dnsdomain => [ + 'adrift.space', '1.0.10.in-addr.arpa', ], dnssearchdomains => [ 
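Review bot: With `$ensure = 'absent'` only the `nginx::resource::server` is removed; `profiles::distribution_registry` is declared without its `ensure` parameter, so the registry package, service and configuration stay in place and the AAAA record is merely no longer exported. Pass the state through: `class { 'profiles::distribution_registry': ensure => $ensure, http_addr => $socket, http_net => 'unix', }`. The `# TODO add user http to group distribution` comment is load-bearing: the `proxy => "http://unix:${socket}"` location presumably only works once the nginx worker can open that socket, so the role's result currently depends on a manual step that should at least be stated in the class header. `value => $facts['ipaddress6']` also uses the legacy flat fact while publish_dns.pp in this same commit reads `$facts['networking']['ip6']`; one form should be used.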
@@ -33,7 +33,7 @@ class profiles::dhcpd ( 'PXEClient.menu-prompt 0 "PXE"', "PXEClient.boot-menu 0 ${menu_len} \"${menu}\"", ], - # extra_config => [ + # extra_config => [ # 'allow booting', # 'allow bootp', # ], @@ -46,12 +46,12 @@ class profiles::dhcpd ( } dhcp::pool { 'pool': - network => '10.0.0.0', - mask => '255.255.254.0', - range => [ '10.0.1.10 10.0.1.250', ], - gateway => '10.0.0.1', - pxeserver => '10.0.0.40', - options => [ + network => '10.0.0.0', + mask => '255.255.254.0', + range => [ '10.0.1.10 10.0.1.250', ], + gateway => '10.0.0.1', + pxeserver => '10.0.0.40', + options => [ 'vendor-class-identifier "PXEClient"', ], parameters => [ diff --git a/manifests/distribution_registry.pp b/manifests/distribution_registry.pp new file mode 100644 index 0000000..dc7920c --- /dev/null +++ b/manifests/distribution_registry.pp 
@@ -0,0 +1,79 @@
+# @summary Manages the "distribution" container registry service
+#
+# https://github.com/distribution/distribution
+#
+# @param http_addr
+#   Address to listen to
+# @param http_net
+#   If http_addr refers to an IP-address/port, or a unix socket
+# @param registry_dir
+#   Container storage.
+# @param htpasswd
+#   Location of htpasswd file
+#   TODO only have this if basic authentication is used.
+# @param conf_file
+#   Path to configuration file.
+#   Does *not* move the configuration file, but is where the
+#   configuraion file is expected to be on the machine.
+# @param ensure
+#   To allow decomissioning
+class profiles::distribution_registry (
+  String $http_addr,
+  Enum['tcp', 'unix'] $http_net = 'tcp',
+  String $registry_dir = '/var/lib/registry',
+  String $htpasswd = '/var/lib/distribution-registry/htpasswd',
+  String $conf_file = '/etc/distribution-registry/conf.yml',
+  Enum['present', 'absent'] $ensure = 'present',
+) {
+  ensure_packages([
+    'distribution-registry',
+  ], {
+    'ensure' => $ensure,
+  })
+
+  if $ensure == 'present' {
+    service { 'distribution-registry.service':
+      ensure => running,
+    }
+
+    file { $conf_file:
+      content => to_yaml({
+        'version' => '0.1',
+        'log' => {
+          'fields' => {
+            'service' => 'registry',
+          },
+        },
+        'storage' => {
+          'cache' => {
+            'blobdescriptor' => 'inmemory',
+          },
+          'filesystem' => {
+            'rootdirectory' => $registry_dir,
+          },
+        },
+        'http' => {
+          'addr' => $http_addr,
+          'net' => $http_net,
+        },
+        'auth' => {
+          'htpasswd' => {
+            'realm' => 'basic-realm',
+            'path' => $htpasswd,
+          },
+        },
+        'health' => {
+          'storagedriver' => {
+            'enabled' => true,
+            'interval' => '10s',
+            'threshold' => 3,
+          },
+        },
+      })
+    }
+  } else {
+    file { $conf_file:
+      ensure => absent,
+    }
+  }
+}
diff --git a/manifests/dns.pp b/manifests/dns.pp
new file mode 100644
index 0000000..bd24bde
--- /dev/null
+++ b/manifests/dns.pp
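Review bot: The `file { $conf_file: content => to_yaml(...) }` resource has no relationship to `Service['distribution-registry.service']`, so a changed `http_addr`, `http_net` or `htpasswd` path is written to disk but the running registry keeps its old configuration until something else restarts it; add `notify => Service['distribution-registry.service'],` to the file resource. The config enables htpasswd authentication against `$htpasswd`, yet nothing in this class creates that file or constrains its ownership and mode, so a fresh node gets a registry whose only access control depends on an unmanaged file; the `@param htpasswd` text should say it is expected to be managed elsewhere, or the class should take its content as `Sensitive` and manage it with a restrictive mode. On the `absent` path the service is never stopped or disabled before `ensure_packages` removes the package; a `service { 'distribution-registry.service': ensure => stopped, enable => false }` in the `else` branch makes decommissioning explicit.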
@@ -0,0 +1,10 @@
+# Simple profile for testing DNS module
+class profiles::dns (
+  Array[String] $realized_zones = [],
+) {
+  include ::dns
+
+  $realized_zones.each |$zone| {
+    Dns::Record <<| zone == $zone |>>
+  }
+}
diff --git a/manifests/dns_zones.pp b/manifests/dns_zones.pp
deleted file mode 100644
index eea3dd6..0000000
--- a/manifests/dns_zones.pp
+++ /dev/null
@@ -1,56 +0,0 @@
-# Sets up our dns-server, assumes that all zone information comes from
-# hiera.
-class profiles::dns_zones (
-  Hash $zones,
-  Hash $default = {},
-  Optional[Hash] $views = undef,
-  Hash $view_defaults = {},
-  String $default_view = '_GLOBAL_',
-  Hash $zonedata_default = {},
-  Hash[String,Hash] $zonedata = {},
-  Hash[String,Array[Hash]] $records = {},
-) {
-
-  if $views != undef {
-    class { 'dns':
-      enable_views => true,
-    }
-    create_resources(dns::view, $views, $view_defaults)
-  } else {
-    include ::dns
-  }
-
-  create_resources(dns::zone, $zones, $default)
-
-  create_resources(dns_zone, $zonedata, $zonedata_default)
-
-  $zonedata.each |$zone, $_| {
-    Dns_record <<| zone == $zone |>>
-
-    # This breaks if views are used
-    # "rndc reload $zone IN $view" works, but then we have too loop
-    # somehow
-    exec { "reload ${zone}":
-      command => ['rndc' ,'reload', $zone],
-      path => ['/usr/bin', '/usr/sbin'],
-      refreshonly => true,
-      subscribe => Dns_zone[$zone],
-    }
-  }
-
-  $records.each |$zone, $record_entries| {
-    $zone_hash = $record_entries.map |$d| {
-      $type = $d['type']
-      $key = $d['key']
-      $value = $d['value']
-      ["${zone} ${type} ${key} ${value}", $d]
-    }
-
-    create_resources(dns_record, Hash($zone_hash), {
-      'zone' => $zone,
-    })
-
-  }
-
-
-}
diff --git a/manifests/jenkins.pp b/manifests/jenkins.pp
index 22d1b7c..d15e41d 100644
--- a/manifests/jenkins.pp
+++ b/manifests/jenkins.pp
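Review bot: `Dns::Record <<| zone == $zone |>>` realizes every exported `dns::record` whose `zone` matches, from whichever node exported it; the zone name is the only filter, so any agent whose catalog exports a record for a listed zone publishes into that zone on this server. That is the model the `@@dns::record` exports elsewhere in this commit rely on, but it should be stated on the class, e.g. `# Realizes dns::record resources exported by any node for the listed zones; every exporting node is trusted to publish into them.`, and `# Simple profile for testing DNS module` no longer describes what the class does. The comparison is exact string equality and the other hunks now export zones as absolute names ending in a dot, so `$realized_zones` needs the same form; a `# @param realized_zones` line saying "absolute zone names with trailing dot, matching the exported records" would pin that convention.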
@@ -24,9 +24,9 @@ class profiles::jenkins ( * => letsencrypt::conf::nginx($server_name), } - @@dns_record { $server_name: + @@dns::record { $server_name: type => 'CNAME', - zone => $facts['domain'], + zone => "${facts['domain']}.", # TODO key should be $server_name local to domain name of host. key => 'jenkins', value => 'adrift.space.' diff --git a/manifests/mu4web.pp b/manifests/mu4web.pp index 1dc2e8b..81b5961 100644 --- a/manifests/mu4web.pp +++ b/manifests/mu4web.pp @@ -62,7 +62,7 @@ class profiles::mu4web ( key => 'mail', value => 'gandalf', type => 'CNAME', - zone => $facts['domain'], + zone => "${facts['domain']}.", } if $facts['letsencrypt_directory'][$server_name] { @@ -79,10 +79,7 @@ class profiles::mu4web ( ; "${server_name} - mu4web @gunicorn": location => '@gunicorn', - uwsgi => $wsgi_address, - # uwsgi_param => { - # 'APP_ENV' => 'local', - # } + proxy => "http://${wsgi_address}", } } } diff --git a/manifests/publish_dns.pp b/manifests/publish_dns.pp index df10854..f88292f 100644 --- a/manifests/publish_dns.pp +++ b/manifests/publish_dns.pp @@ -2,22 +2,21 @@ class profiles::publish_dns ( ) { if fact('ipaddress6') { - - @@dns_record { "AAAA automatic ${::fqdn}": + @@dns::record { "AAAA automatic ${::fqdn}": type => 'AAAA', - zone => $facts['domain'], + zone => "${$facts['domain']}.", key => $facts['hostname'], value => $facts['ipaddress6'], } - [$record, $zone] = dns_record::rev_record( + [$record, $zone] = dns::rev_record( $facts['networking']['ip6'], $facts['networking']['netmask6']) - @@dns_record { "PTR automatic ${::fqdn}": + @@dns::record { "PTR automatic ${::fqdn}": type => 'PTR', - zone => $zone, + zone => "${zone}.", key => $record, value => "${::fqdn}.", } diff --git a/manifests/puppetdb.pp b/manifests/puppetdb.pp index 7f6cc89..0136da6 100644 --- a/manifests/puppetdb.pp +++ b/manifests/puppetdb.pp 
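Review bot: `zone => "${$facts['domain']}."` uses the expression-interpolation spelling while the same change in jenkins.pp, mu4web.pp and container_registry.pp writes `"${facts['domain']}."`; both resolve to the same string, but one form should be used: `zone => "${facts['domain']}.",`. The PTR record appends a dot to whatever `dns::rev_record` returned, so if that function already yields an absolute zone name the result is a doubled dot and the record will not match the collector's `zone == $zone` test; confirm its contract before relying on `"${zone}."`. The class also mixes `$::fqdn` with `$facts[...]` lookups; `$facts['networking']['fqdn']` would match the rest of the hunk.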
@@ -8,7 +8,7 @@ class profiles::puppetdb { disable_ssl => false, # This sohuld in theory allow full access to the database, but it # doesn't seem to do that. See [AUTH] - certificate_whitelist => [ $::servername, ], + certificate_whitelist => [ $::facts['fqdn'], ], } # [AUTH] Innstead, in /etc/puppetlabs/puppetdb/conf.d/auth.conf diff --git a/manifests/repomaster.pp b/manifests/repomaster.pp index d87c5d5..96de977 100644 --- a/manifests/repomaster.pp +++ b/manifests/repomaster.pp @@ -33,7 +33,7 @@ class profiles::repomaster ( # value => $facts['ipaddress'], # } - @@dns_record { "${hostname} AAAA": + @@dns::record { "${hostname} AAAA": type => 'AAAA', zone => $dns_zone, key => $hostname, diff --git a/manifests/transmission.pp b/manifests/transmission.pp index d618b68..e381fb3 100644 --- a/manifests/transmission.pp +++ b/manifests/transmission.pp 
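Review bot: `certificate_whitelist => [ $::facts['fqdn'], ]` admits whichever client certificate name equals the agent-reported `fqdn` fact; the whitelist is matched against the certificate name, which need not equal the fqdn, and the fact comes from the agent rather than from the CA. If the intent is "the puppetserver on this same host", `$trusted['certname']` is the value actually present in the certificate, so `certificate_whitelist => [ $trusted['certname'], ],` expresses that without depending on name resolution; if puppetserver runs on another host, neither this nor the old `$::servername` is right and the server's certname should become a class parameter. The enclosing `class { 'puppetdb': ... }` declaration begins above the hunk, and its comment already notes that this setting "doesn't seem to do that", so the real access control lives in auth.conf and this value should be documented as belt-and-braces rather than the guard.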
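Review bot: `zone => $dns_zone` is passed through unchanged while every other `dns::record` touched by this commit (jenkins.pp, mu4web.pp, publish_dns.pp, container_registry.pp) now carries an absolute zone name with a trailing dot; the collector in dns.pp compares `zone` by string equality, so a relative `$dns_zone` here would simply never be realized, with no error. `$dns_zone` is presumably a parameter of `profiles::repomaster` (the class header is outside the hunk); either document on it that the value must be absolute, or normalize at the point of use, e.g. `zone => regsubst($dns_zone, '\.?$', '.'),`.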
@@ -49,28 +49,22 @@ class profiles::transmission ( ensure => directory, } - # https://github.com/transmission/transmission/wiki/Editing-Configuration-File - file { '/var/lib/transmission/.config/transmission-daemon/settings.json': + augeas { 'Transmission configuration': + lens => 'json.lns', + incl => '/var/lib/transmission/.config/transmission-daemon/settings.json', + changes => [ + "set dict/entry['download-dir']/string /usr/net/", + "set dict/entry['rpc-username']/string hugo", + "set dict/entry['rpc-password']/string {eb43101d3b9aa02223466d7f98c5329c841c7967/Zr2tFpn", + "set dict/entry['rpc-whitelist']/string 127.0.0.1,::1", + "set dict/entry['rpc-port']/number ${transmission_port}", + "set dict/entry['rpc-url']/string ${transmission_url}/", + ], notify => Service['transmission'], - content => epp('profiles/transmission.json.epp', { - rpc_username => 'hugo', - # '{' + sha1(password + salt) - # But I don't know how I managed to generate it, since - # transmission rolls its own crypto - rpc_password => '{eb43101d3b9aa02223466d7f98c5329c841c7967/Zr2tFpn', - download_dir => '/usr/net/', - rpc_whitelist => ['127.0.0.1', '::1'], - rpc_port => $transmission_port, - rpc_url => "${transmission_url}/", - msg_level => case $msg_level { - 'None': { 0 } - 'Error': { 1 } - 'Info': { 2 } - 'Debug': { 3 } - }, - }), } + # https://github.com/transmission/transmission/wiki/Editing-Configuration-File + service { 'transmission': ensure => 'running', enable => true, diff --git a/manifests/wireguard_peer.pp b/manifests/wireguard_peer.pp index d00bb23..51df0d8 100644 --- a/manifests/wireguard_peer.pp +++ b/manifests/wireguard_peer.pp 
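Review bot: The removed `epp` parameters mapped `$msg_level` (`'None'` → 0 … `'Debug'` → 3) into the settings file, but the new `changes` list has no `set` for `message-level`, so the parameter presumably still declared in the class header (above the hunk) is now silently ignored; either add `"set dict/entry['message-level']/number ${...}"` with the same mapping or remove the parameter. `rpc-password` is credential material committed in clear in the manifest (the commit only moves it); it belongs in Hiera as a `Sensitive` parameter, and the hunk also drops the only comment explaining its `'{' + sha1(password + salt)` format, which is worth keeping beside the new `set` line. Moving `# https://github.com/transmission/transmission/wiki/Editing-Configuration-File` to sit above the `service` resource detaches it from the configuration it documents; it should stay with the `augeas` block.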
@@ -1,55 +1,34 @@ class profiles::wireguard_peer ( - Sensitive[String] $private_key, + Variant[String,Sensitive[String]] $private_key, Array[Hash] $peers, + String $ifname = 'wg0', ) { include ::profiles::wireguard - - # ithryn $ - # [root@ithryn hugo]# ip link add dev wg0 type wireguard - # [root@ithryn hugo]# ip addr add 10.0.10.2/24 dev wg0 - # [root@ithryn hugo]# ip addr add fdc9:281f:04d7:9ee9::2/64 dev wg0 - # [root@ithryn hugo]# wg set wg0 listen-port 51902 private-key peer_B.key - # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= - # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= allowed-ips 10.0.10.0/24,[THAT IPV6 ADDRESS]/64 - # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= endpoint gandalf.adrift.space:51781 - # [root@ithryn hugo]# ip link set wg0 up - # - - # ip addr add 10.0.0.45/23 dev wg0 - # ip addr add 10.0.0.0/23 via 10.0.0.45 dev wg0 - # [root@gandalf manifests]# iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o br0 -j MASQUERADE - - networking::networkd_instance { 'wg0': + networking::networkd_instance { $ifname: type => 'netdev', content => { 'NetDev' => { - 'Name' => 'wg0', + 'Name' => $ifname, 'Kind' => 'wireguard', - 'Description' => 'WireGuard tunnal wg0' + 'Description' => "WireGuard tunnel ${ifname}" }, 'WireGuard' => { - 'ListenPort' => $profiles::wireguard::port, 'PrivateKey' => $private_key, }, 'WireGuardPeer' => $peers, } } - networking::networkd_instance { 'wg0-network': + networking::networkd_instance { "${ifname}-network": type => 'network', content => { 'Match' => { - 'Name' => 'wg0', + 'Name' => $ifname, }, 'Network' => { - 'Address' => '10.0.10.2/24', + 'Address' => '2001:9b1:eff:a600:22cf:30ff:fe45:629e/128', }, - 'Route' => { - 'Destination' => '10.0.0.0/23', - 'Source' => '10.0.10.2', - 'Gateway' => '10.0.10.1', - } } } } diff --git a/manifests/wireguard_server.pp b/manifests/wireguard_server.pp index 9eee2d2..1f604a2 100644 
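Review bot: Widening `$private_key` from `Sensitive[String]` to `Variant[String,Sensitive[String]]` (here and in wireguard_server.pp) lets callers pass the key as a plain string, and a plain string inside the `content` hash is then visible in the catalog, the agent report and any noop/diff output, which the `Sensitive` wrapper is precisely there to redact. If the widening exists because `networking::networkd_instance` cannot accept a `Sensitive` value, say so in a comment on the parameter; otherwise keep `Sensitive[String] $private_key` and make the defined type unwrap it when writing the file. `'Address' => '2001:9b1:eff:a600:22cf:30ff:fe45:629e/128'` (and the matching `Route` destination in wireguard_server.pp) hard-codes one peer's address into a class that now takes `$ifname` to be reusable; an `Optional[String] $address` parameter would keep the two files in step.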
--- a/manifests/wireguard_server.pp +++ b/manifests/wireguard_server.pp @@ -1,37 +1,17 @@ -# TODO -# - Allow access over IPv4 -# - Allow forwarding IPv6 addresses -# -# - Possibly merge this and wireguard_peer -# - manage keys -# - allow accesss for phones class profiles::wireguard_server ( - Sensitive[String] $private_key, + Variant[String,Sensitive[String]] $private_key, Array[Hash] $peers, + String $ifname = 'wg0', ) { include ::profiles::wireguard - # gandalf $ - # ip link add dev wg0 type wireguard - # ip addr add 10.0.10.1/24 dev wg0 - # [root@gandalf profiles]# ip addr add fdc9:281f:04df:9ee9::1/64 dev wg0 - # wg set wg0 listen-port 51871 private-key ~/peer_A.key - # ## wg set wg0 peer CONTENTS_OF<peer_B.pub> - # ip link set wg0 up - # wg set wg0 peer 87Erkb8rXeSd162eBEXuuKUft/frF2iqdPdrMTStNVM= \ - # allowed-ips 10.0.10.0/24,fdc9:281f:4d7:9ee9::/64 - - # på B - # wg set wg0 peer <> endpoint gandalf.adrift.space:51871 - - - networking::networkd_instance { 'wg0': + networking::networkd_instance { $ifname: type => 'netdev', content => { 'NetDev' => { - 'Name' => 'wg0', + 'Name' => $ifname, 'Kind' => 'wireguard', - 'Description' => 'Wireguard tunnel wg0', + 'Description' => "Wireguard tunnel ${ifname}", }, 'WireGuard' => { 'ListenPort' => $profiles::wireguard::port, @@ -41,14 +21,14 @@ class profiles::wireguard_server ( } } - networking::networkd_instance { 'wg0-network': + networking::networkd_instance { "${ifname}-network": type => 'network', content => { 'Match' => { - 'Name' => 'wg0', + 'Name' => $ifname, }, - 'Network' => { - 'Address' => '10.0.10.1/24', + 'Route' => { + 'Destination' => '2001:9b1:eff:a600:22cf:30ff:fe45:629e/128', } } } @@ -58,8 +38,8 @@ class profiles::wireguard_server ( chain => 'POSTROUTING', jump => 'MASQUERADE', outiface => 'br0', - #iniface => 'wg0', - #source => '10.0.10.0/24', + proto => 'all', + provider => 'ip6tables', } # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short gandalf.adrift.space AAAA) |
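Review bot: The `firewall` resource (its head is above the last hunk) now masquerades with `proto => 'all'` under `provider => 'ip6tables'`, and the former `#iniface`/`#source` restrictions are deleted rather than enabled, so every IPv6 packet forwarded out of `br0` is NATed regardless of origin, not just tunnel traffic. Restrict it to what the tunnel actually routes, e.g. `source => '<peer prefix placeholder>',` matching the `/128` destination set in the second hunk (POSTROUTING cannot match on input interface, which is presumably why `iniface` was never enabled). The trailing `# -A FORWARD -p udp -m udp --dport 51871 ...` comment describes a rule that nothing here manages; either express it as a `firewall` resource or mark it `# TODO` so it is not mistaken for applied configuration.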