Commit graph

206 commits

Author SHA1 Message Date
Patrik Lundin 382214ef2b
Make puppet-lint happy 2024-10-11 20:04:13 +02:00
Patrik Lundin 3e393a62f9
Add '' 2024-10-11 19:05:29 +02:00
Patrik Lundin a82798ead5
Add network reload support 2024-10-11 19:04:17 +02:00
Patrik Lundin fe428a9e74
Also include cidr suffix 2024-10-11 18:57:10 +02:00
Patrik Lundin b5d9682e01
This is a hash 2024-10-11 18:55:39 +02:00
Patrik Lundin 637e2ae307
Add address config for dummy interface 2024-10-11 18:52:53 +02:00
Patrik Lundin 1e8cad6ea0
Add dummy0 interface
The netplan version we have is too old to do this so handle it manually.
2024-10-11 18:45:54 +02:00
Patrik Lundin eb49f13c49
Fix backend name 2024-10-11 18:14:30 +02:00
Patrik Lundin 8227300a34
Enclose ipv6 addresses in [] 2024-10-11 14:00:23 +02:00
Patrik Lundin 4d7283e361
Allow haproxy to bind to ports 80/443
This way we can run haproxy as an unprivileged user and still use what
is normally considered privileged ports.
2024-10-11 13:49:04 +02:00
Patrik Lundin 1247c7f0be
Use hiera data for ip4/ip6 2024-10-11 12:03:24 +02:00
Patrik Lundin 7402f8cfc1
More tweaks 2024-10-11 11:51:36 +02:00
Patrik Lundin 5185b62431
Syntax fixes 2024-10-11 11:47:44 +02:00
Patrik Lundin 31d7a3c93a
puppet-lint fixes 2024-10-11 11:46:06 +02:00
Patrik Lundin ca9f7fbe50
Replace "." with ","
While here fix some variable usage and puppet-lint complaints
2024-10-11 11:42:12 +02:00
Patrik Lundin 88e3771f6e
Install certificate files 2024-10-11 11:38:58 +02:00
Patrik Lundin aa5788f34a
Make cache hosts a certbot sync client 2024-10-11 08:41:24 +02:00
Patrik Lundin c860812f2a
Apply certbot class to cs hosts 2024-10-11 08:38:29 +02:00
Patrik Lundin 894c416b22
Apply acmed class to cs hosts 2024-10-10 21:33:30 +02:00
Patrik Lundin 747059cd92
Missing " 2024-10-10 20:44:23 +02:00
Patrik Lundin ff6376b68d
Add basic varnish VCL for testing 2024-10-10 20:39:35 +02:00
Patrik Lundin 802e9a1389
Fix erb iteration 2024-10-10 15:45:58 +02:00
Patrik Lundin bacdb2c90a
Make sure customer conf dir is created 2024-10-10 15:31:54 +02:00
Patrik Lundin 170bdbc154
Missing $ 2024-10-10 15:29:50 +02:00
Patrik Lundin 26f583c41a
Fix manifest name 2024-10-10 15:28:23 +02:00
Patrik Lundin 4b1f93c08a
Add missing $ 2024-10-10 15:27:06 +02:00
Patrik Lundin cf51469fae
Apply cdn::cache to cache nodes 2024-10-10 15:25:12 +02:00
Patrik Lundin d0a19691aa
Initial cdn::cache manifest 2024-10-10 15:22:11 +02:00
Patrik Lundin b2de8d246b
Start installing docker on cache machines 2024-10-10 11:01:28 +02:00
Patrik Lundin 254a3f107e
Quote some variables to make shellcheck happy 2024-10-10 10:38:45 +02:00
Patrik Lundin 7001a3fab6
Remove trailing "/" in dir path 2024-10-10 10:36:00 +02:00
Patrik Lundin d38ef1b1ce
Remove bridges for now 2024-10-10 10:27:41 +02:00
Patrik Lundin 5d05e596c0
Cleanup ":" 2024-10-10 10:24:31 +02:00
Patrik Lundin 563886294b
Fix template 2024-10-10 10:23:55 +02:00
Patrik Lundin d78d8c22b1
Make sure we trust internal cdn CA 2024-10-10 10:19:00 +02:00
Patrik Lundin b44fb5ce43
Update key paths to reflect internal CA 2024-10-10 10:17:39 +02:00
Patrik Lundin 65fc0590b4
Add certbot deploy script for mosquitto 2024-10-10 10:13:04 +02:00
Patrik Lundin b9266ec0e7
Start requesting ACME certs from internal CA 2024-10-09 12:13:30 +02:00
Patrik Lundin 8f8c360c69
Use environment instead of instance 2024-10-09 11:59:51 +02:00
Patrik Lundin c09f81afbf
Fix type declaration
```
Error: Evaluation Error: Error while evaluating a Resource Statement, Class[Cdn::Ca_trust]:
  parameter 'ca_root_fp' entry 'test' entry 'url' expects a Hash value, got String
  parameter 'ca_root_fp' entry 'test' entry 'fp' expects a Hash value, got String on node internal-sto3-test-mqtt-1.cdn.sunet.se
```

Also rename variable now that it contains more than fingerprint
2024-10-09 11:53:52 +02:00
Patrik Lundin 1ef179cad2
Fix broken file declaration
While here make puppet-lint happy
2024-10-09 11:50:34 +02:00
Patrik Lundin 1dcc58d991
Apply trust class to mqtt 2024-10-09 11:47:53 +02:00
Patrik Lundin ab3c08c5e1
Add class for setting up trust of internal CA 2024-10-09 11:46:28 +02:00
Patrik Lundin d1b0694e44
Also set --admin-provisioner=admin
Without this the commands will hang for input to select a provisioner.
This is needed now that we have enabled a second (the ACME) provisioner
on init.
2024-10-08 21:45:17 +02:00
Patrik Lundin 22a2029cf9
Enable ACME provisioner at init 2024-10-08 16:50:46 +02:00
Patrik Lundin 6354f6faaa
Test opening port 80 for certbot operation 2024-10-08 16:38:11 +02:00
Patrik Lundin fe04d862e3
Move script to correct location 2024-10-08 14:12:48 +02:00
Patrik Lundin 8d4d1841c4
Bootstrap step client 2024-10-08 14:09:44 +02:00
Patrik Lundin 44001514de
Missing "," 2024-10-08 13:42:14 +02:00
Patrik Lundin a4a5a44647
Install step-cli from deb 2024-10-08 13:40:54 +02:00
Patrik Lundin 1cfbc3e908
Make puppet-lint happy with indent 2024-10-08 13:36:21 +02:00
Patrik Lundin 49ff235bc4
Download step client deb file 2024-10-08 13:33:32 +02:00
Patrik Lundin aca8dd1b22
Add file to correct location 2024-10-08 13:12:54 +02:00
Patrik Lundin d9db9fee72
Add init script for setting provisioner file
This is to deal with the problem that it makes sense to have a separate
passsword for encryption keys and the admin provisioner. It is currently
not possible to control this via the docker env flags so add this
workaround for now.
2024-10-08 12:35:41 +02:00
Patrik Lundin d1c863c7cb
Expose the step-ca port 2024-10-08 10:09:20 +02:00
Patrik Lundin d46d54a6a6
Enable compose file 2024-10-08 10:04:32 +02:00
Patrik Lundin 1803d1c69a
Add initial compose file for step-ca 2024-10-08 10:02:48 +02:00
Patrik Lundin 828f9a899d
Fix templates for passwords 2024-10-08 09:51:08 +02:00
Patrik Lundin f247388664
Trust maria
Copied from cnaas-ops
2024-10-08 09:41:09 +02:00
Patrik Lundin 9379ba58e2
Handle undef ca_secrets more gracefully 2024-10-08 09:39:09 +02:00
Patrik Lundin 61a4ec13e3
Start setting up step-ca files 2024-10-08 09:36:04 +02:00
Patrik Lundin e02160a311
Initial cdn::ca class 2024-10-07 08:35:00 +02:00
Patrik Lundin 9f05f40714
Install docker on ca machines 2024-10-06 15:37:33 +02:00
Patrik Lundin 49106049ff
Start using cdn.conf template 2024-10-06 14:51:55 +02:00
Patrik Lundin e5ce5dd1cd
Start managing cdn.conf 2024-10-06 14:50:07 +02:00
Patrik Lundin 40036c3c32
Fix variable usage 2024-10-06 14:44:32 +02:00
Patrik Lundin 52469c754d
Correct path 2024-10-06 14:32:17 +02:00
Patrik Lundin 4b90469531
Missing $ 2024-10-06 14:30:51 +02:00
Patrik Lundin 0c5e2604b6
Add missing clients parameter 2024-10-06 14:29:48 +02:00
Patrik Lundin 7352a20143
Start managing mqtt ACL
Include sample comsos-rules entry for testing out template
2024-10-06 14:26:10 +02:00
Patrik Lundin 2099c4d691
Fix class name 2024-10-04 17:43:31 +02:00
Patrik Lundin c638772941
Apply mqtt class 2024-10-04 17:41:59 +02:00
Patrik Lundin 152179a5c1
Initial commit for mqtt management 2024-10-04 17:33:49 +02:00
Patrik Lundin 895264bc4f
Trust kano
Copied from platform-ops
2024-10-04 17:18:09 +02:00
Patrik Lundin febde032ee
Update to new key standard 2024-10-04 17:16:23 +02:00
Patrik Lundin 571af24060
Make seccomp file readable by runner 2024-10-04 09:22:05 +02:00
Patrik Lundin 05ee26e7c2
Make docker_certs available to runner 2024-10-03 21:04:17 +02:00
Patrik Lundin 48d3b890d0
Use owner/group matching runner compose file 2024-10-03 20:57:28 +02:00
Patrik Lundin d1d72ad80a
Try to access map correctly 2024-10-03 20:42:39 +02:00
Patrik Lundin 25a18fd58b
Remove extra dot 2024-10-03 20:15:39 +02:00
Patrik Lundin 32e4a99cef
Add initial forgejo runner config 2024-10-03 20:12:59 +02:00
Patrik Lundin 3883bb53b2
Trust jocar key 2024-10-03 15:56:30 +02:00
Patrik Lundin dc180c10b0
Fix so systemd file is named sunet-cdn-l4lb
Not sunet-sunet-cdn-l4lb
2024-08-20 12:38:06 +02:00
Patrik Lundin dd0493f869
Fix volume declarations
Did not expect to create anonymous volumes, see
https://stackoverflow.com/questions/46166304/docker-compose-volumes-without-colon
for more details. Now the host directories should be mounted. While here
try setting :ro to the paths we are not expecting to modify. The
/lib/modules :ro flag is based on
3cbd8258eb/cilium-lb.yaml (L143-L145)
2024-08-20 12:31:42 +02:00
Patrik Lundin 79f2018d1b
Fix path to template 2024-08-20 12:10:29 +02:00
Patrik Lundin 4755886ea9
Move manifest to expected location 2024-08-20 12:06:35 +02:00
Patrik Lundin f4cd10a970
Add mifr key, imported from platform-ops
Need to trust commits to puppet-sunet stable branch
2024-08-20 12:00:57 +02:00
Patrik Lundin 9991bef58d
Assign new cdn::l4lb class to machine 2024-08-20 11:27:26 +02:00
Patrik Lundin 6057c62f47
Initial commit of running cilium l4lb via compose 2024-08-20 11:25:15 +02:00
Patrik Lundin b014b4fdcc
Add sunet::dockerhost2 to cdn-prod-l4lb
While here fix indentation.
2024-08-15 09:21:02 +02:00
Patrik Lundin ac83234433
Merge remote-tracking branch 'multiverse/main' 2024-07-05 10:59:29 +02:00
Patrik Lundin 94a65a31e0
Fix problems with outdated sunet puppet modules
Problem seen:
```
Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Unknown variable: '::osfamily'. (file: /etc/puppet/cosmos-modules/augeas/manifests/params.pp, line: 7, column: 8) on node example-1.sunet.se
```

This way we run modules installed from upstream apt packages instead.
Solution to delete keys to use local pacakges from pahol.

While here fix pylint issue with not importing platform module at
beginning of file.
2024-07-04 14:42:34 +02:00
Patrik Lundin 3d0413b450
Disable ntpd management for now
The current ntp puppet manifest does not support 24.04, and we need to
figure out if the future means timesyncd or chrony.
2024-07-04 13:32:23 +02:00
Patrik Lundin 74fb420946
Add initial cosmos-rules 2024-07-04 08:48:58 +02:00
Patrik Lundin c417b1e296
Trust pahol key
Needed for puppet module
2024-07-03 17:27:23 +02:00
Patrik Lundin 4aa5e530f9
Trust jocar key
Needed for some puppet modules
2024-07-03 17:23:43 +02:00
Patrik Lundin 0b82213811
Add my GPG key 2024-07-03 15:56:09 +02:00
Patrik Lundin a49e9cfd24
Add init.pp
Based on geteduroam-ops
2024-07-03 14:48:52 +02:00
Patrik Lundin aa88795ee0
sunet-fleetlock: also handle ReadTimeout
Turns out this was not caught by ConnectionError.
2024-07-03 14:13:22 +02:00
Patrik Lundin 01768129f0
fleetlock: configurable lock/unlock timeout
While we already support setting a healthcheck timeout it probably
makes sense to be able to control how long we wait for a
fleetlock_lock() or fleetlock_unlock() call. This becomes important if
only running cosmos once a night or something like that. In that case we
you probably want to give a physical machine more than than 1 minute to
complete a reboot etc.

This can now be controlled by setting fleetlock_lock_timeout and
fleetlock_unlock_timeout in /etc/run-cosmos-fleetlock-conf. Keep in mind
that while it can make sense to increase the time for taking a lock,
releasing a lock should always be fast (either you have it and release
it, or you dont have it and it is a no-op) so setting a long unlock
timeout should probably never be done.

Since we also potentially wait the unlock timeout at boot (if the
fleetlock server is broken etc) that is another reason to keep it
short. The default 1m is probably OK for most uses.
2024-07-03 13:27:52 +02:00