Commit graph

235 commits

Author SHA1 Message Date
Patrik Lundin 2ad7073858
Fix name 2024-10-29 14:23:34 +01:00
Patrik Lundin 0b3e9c48ff
Add nftables rule for ip6tnl packets 2024-10-29 14:21:34 +01:00
Patrik Lundin bd055b1ac8
Run puppet-lint 2024-10-29 08:30:49 +01:00
Patrik Lundin c4b9bef3c5
Set net.ipv4.vs.sloppy_tcp=1
Needed if taking over packets for a connection that was established via
another node.
2024-10-29 08:29:21 +01:00
Patrik Lundin c93846d03b
Use @ 2024-10-28 13:35:55 +01:00
Patrik Lundin c7b74c27fc
Use fact that exists 2024-10-28 13:34:59 +01:00
Patrik Lundin 6a8671fa3e
Add import filters for bgp 2024-10-28 13:26:13 +01:00
Patrik Lundin 7dc787cb68
Less indentation 2024-10-28 13:22:53 +01:00
Patrik Lundin af96f5e985
Manage bird.conf on l4lb machines
Currently just add basic template
2024-10-28 13:18:59 +01:00
Patrik Lundin fb956e4198
Add basic dummy0 interface 2024-10-25 15:28:03 +02:00
Patrik Lundin 5d60c2dd02
Move template to correct location 2024-10-25 15:23:49 +02:00
Patrik Lundin e2d550bf29
Start managing bird2
Also give dummy-interface support to sunet-l4lb-namespace tool, used
to hold IPv4/IPv6 service addresses that should be announced via BGP.
2024-10-25 15:19:21 +02:00
Patrik Lundin d632aaca5c
Update script to use new conf path 2024-10-22 17:12:56 +02:00
Patrik Lundin 4856be3f06
Rework dir layout to match other hosts 2024-10-22 17:11:58 +02:00
Patrik Lundin f588078b75
Add namespace management files 2024-10-22 17:06:29 +02:00
Patrik Lundin 74c0bf76a1
Fix type name 2024-10-22 15:23:03 +02:00
Patrik Lundin 1ddf93c330
Disable cilium by default
We will go for IPVS for now which can deal with the l4lb hosts being
multihomed.
2024-10-22 15:20:09 +02:00
Patrik Lundin 272be292ad
Revert "Test chrony branch"
This reverts commit c15070dd28.
2024-10-22 14:22:39 +02:00
Patrik Lundin 19c864cb77
Manage ntp with sunet::server again 2024-10-18 15:23:26 +02:00
Patrik Lundin c15070dd28
Test chrony branch 2024-10-18 15:21:48 +02:00
Patrik Lundin 7286dec3ff
Make sure X-Forwarded-Proto is set
Needed to cache http and https responses separately via Vary header
2024-10-15 16:29:31 +02:00
Patrik Lundin ad66745a90
Missing " 2024-10-13 14:32:42 +02:00
Patrik Lundin 4f2428575c
Fix name 2024-10-13 14:31:23 +02:00
Patrik Lundin b018c81f81
cache: initial rules to allow traffic from l4lb 2024-10-13 14:28:50 +02:00
Patrik Lundin 37ad05ca6b
Missing [ 2024-10-11 22:12:05 +02:00
Patrik Lundin ca7fbbe945
Combine networkctl reload command 2024-10-11 22:10:50 +02:00
Patrik Lundin d289ffa656
Add config for ipip interface
Supplying an empty .network file is weird but without it the tunl0
interface is left in a DOWN state even with Independent=true.

Maybe this is related to "tunl0" being automatically created when the
"ipip" kernel module is loaded.
2024-10-11 22:05:11 +02:00
Patrik Lundin cb50714f4f
Rename remaining file 2024-10-11 22:00:37 +02:00
Patrik Lundin 44c73b78ae
Prefix files with numbers as recommended by docs
See "systemd.netdev" docs.
2024-10-11 21:57:59 +02:00
Patrik Lundin 382214ef2b
Make puppet-lint happy 2024-10-11 20:04:13 +02:00
Patrik Lundin 3e393a62f9
Add '' 2024-10-11 19:05:29 +02:00
Patrik Lundin a82798ead5
Add network reload support 2024-10-11 19:04:17 +02:00
Patrik Lundin fe428a9e74
Also include cidr suffix 2024-10-11 18:57:10 +02:00
Patrik Lundin b5d9682e01
This is a hash 2024-10-11 18:55:39 +02:00
Patrik Lundin 637e2ae307
Add address config for dummy interface 2024-10-11 18:52:53 +02:00
Patrik Lundin 1e8cad6ea0
Add dummy0 interface
The netplan version we have is too old to do this so handle it manually.
2024-10-11 18:45:54 +02:00
Patrik Lundin eb49f13c49
Fix backend name 2024-10-11 18:14:30 +02:00
Patrik Lundin 8227300a34
Enclose ipv6 addresses in [] 2024-10-11 14:00:23 +02:00
Patrik Lundin 4d7283e361
Allow haproxy to bind to ports 80/443
This way we can run haproxy as an unprivileged user and still use what
is normally considered privileged ports.
2024-10-11 13:49:04 +02:00
Patrik Lundin 1247c7f0be
Use hiera data for ip4/ip6 2024-10-11 12:03:24 +02:00
Patrik Lundin 7402f8cfc1
More tweaks 2024-10-11 11:51:36 +02:00
Patrik Lundin 5185b62431
Syntax fixes 2024-10-11 11:47:44 +02:00
Patrik Lundin 31d7a3c93a
puppet-lint fixes 2024-10-11 11:46:06 +02:00
Patrik Lundin ca9f7fbe50
Replace "." with ","
While here fix some variable usage and puppet-lint complaints
2024-10-11 11:42:12 +02:00
Patrik Lundin 88e3771f6e
Install certificate files 2024-10-11 11:38:58 +02:00
Patrik Lundin aa5788f34a
Make cache hosts a certbot sync client 2024-10-11 08:41:24 +02:00
Patrik Lundin c860812f2a
Apply certbot class to cs hosts 2024-10-11 08:38:29 +02:00
Patrik Lundin 894c416b22
Apply acmed class to cs hosts 2024-10-10 21:33:30 +02:00
Patrik Lundin 747059cd92
Missing " 2024-10-10 20:44:23 +02:00
Patrik Lundin ff6376b68d
Add basic varnish VCL for testing 2024-10-10 20:39:35 +02:00
Patrik Lundin 802e9a1389
Fix erb iteration 2024-10-10 15:45:58 +02:00
Patrik Lundin bacdb2c90a
Make sure customer conf dir is created 2024-10-10 15:31:54 +02:00
Patrik Lundin 170bdbc154
Missing $ 2024-10-10 15:29:50 +02:00
Patrik Lundin 26f583c41a
Fix manifest name 2024-10-10 15:28:23 +02:00
Patrik Lundin 4b1f93c08a
Add missing $ 2024-10-10 15:27:06 +02:00
Patrik Lundin cf51469fae
Apply cdn::cache to cache nodes 2024-10-10 15:25:12 +02:00
Patrik Lundin d0a19691aa
Initial cdn::cache manifest 2024-10-10 15:22:11 +02:00
Patrik Lundin b2de8d246b
Start installing docker on cache machines 2024-10-10 11:01:28 +02:00
Patrik Lundin 254a3f107e
Quote some variables to make shellcheck happy 2024-10-10 10:38:45 +02:00
Patrik Lundin 7001a3fab6
Remove trailing "/" in dir path 2024-10-10 10:36:00 +02:00
Patrik Lundin d38ef1b1ce
Remove bridges for now 2024-10-10 10:27:41 +02:00
Patrik Lundin 5d05e596c0
Cleanup ":" 2024-10-10 10:24:31 +02:00
Patrik Lundin 563886294b
Fix template 2024-10-10 10:23:55 +02:00
Patrik Lundin d78d8c22b1
Make sure we trust internal cdn CA 2024-10-10 10:19:00 +02:00
Patrik Lundin b44fb5ce43
Update key paths to reflect internal CA 2024-10-10 10:17:39 +02:00
Patrik Lundin 65fc0590b4
Add certbot deploy script for mosquitto 2024-10-10 10:13:04 +02:00
Patrik Lundin b9266ec0e7
Start requesting ACME certs from internal CA 2024-10-09 12:13:30 +02:00
Patrik Lundin 8f8c360c69
Use environment instead of instance 2024-10-09 11:59:51 +02:00
Patrik Lundin c09f81afbf
Fix type declaration
```
Error: Evaluation Error: Error while evaluating a Resource Statement, Class[Cdn::Ca_trust]:
  parameter 'ca_root_fp' entry 'test' entry 'url' expects a Hash value, got String
  parameter 'ca_root_fp' entry 'test' entry 'fp' expects a Hash value, got String on node internal-sto3-test-mqtt-1.cdn.sunet.se
```

Also rename variable now that it contains more than fingerprint
2024-10-09 11:53:52 +02:00
Patrik Lundin 1ef179cad2
Fix broken file declaration
While here make puppet-lint happy
2024-10-09 11:50:34 +02:00
Patrik Lundin 1dcc58d991
Apply trust class to mqtt 2024-10-09 11:47:53 +02:00
Patrik Lundin ab3c08c5e1
Add class for setting up trust of internal CA 2024-10-09 11:46:28 +02:00
Patrik Lundin d1b0694e44
Also set --admin-provisioner=admin
Without this the commands will hang for input to select a provisioner.
This is needed now that we have enabled a second (the ACME) provisioner
on init.
2024-10-08 21:45:17 +02:00
Patrik Lundin 22a2029cf9
Enable ACME provisioner at init 2024-10-08 16:50:46 +02:00
Patrik Lundin 6354f6faaa
Test opening port 80 for certbot operation 2024-10-08 16:38:11 +02:00
Patrik Lundin fe04d862e3
Move script to correct location 2024-10-08 14:12:48 +02:00
Patrik Lundin 8d4d1841c4
Bootstrap step client 2024-10-08 14:09:44 +02:00
Patrik Lundin 44001514de
Missing "," 2024-10-08 13:42:14 +02:00
Patrik Lundin a4a5a44647
Install step-cli from deb 2024-10-08 13:40:54 +02:00
Patrik Lundin 1cfbc3e908
Make puppet-lint happy with indent 2024-10-08 13:36:21 +02:00
Patrik Lundin 49ff235bc4
Download step client deb file 2024-10-08 13:33:32 +02:00
Patrik Lundin aca8dd1b22
Add file to correct location 2024-10-08 13:12:54 +02:00
Patrik Lundin d9db9fee72
Add init script for setting provisioner file
This is to deal with the problem that it makes sense to have a separate
passsword for encryption keys and the admin provisioner. It is currently
not possible to control this via the docker env flags so add this
workaround for now.
2024-10-08 12:35:41 +02:00
Patrik Lundin d1c863c7cb
Expose the step-ca port 2024-10-08 10:09:20 +02:00
Patrik Lundin d46d54a6a6
Enable compose file 2024-10-08 10:04:32 +02:00
Patrik Lundin 1803d1c69a
Add initial compose file for step-ca 2024-10-08 10:02:48 +02:00
Patrik Lundin 828f9a899d
Fix templates for passwords 2024-10-08 09:51:08 +02:00
Patrik Lundin f247388664
Trust maria
Copied from cnaas-ops
2024-10-08 09:41:09 +02:00
Patrik Lundin 9379ba58e2
Handle undef ca_secrets more gracefully 2024-10-08 09:39:09 +02:00
Patrik Lundin 61a4ec13e3
Start setting up step-ca files 2024-10-08 09:36:04 +02:00
Patrik Lundin e02160a311
Initial cdn::ca class 2024-10-07 08:35:00 +02:00
Patrik Lundin 9f05f40714
Install docker on ca machines 2024-10-06 15:37:33 +02:00
Patrik Lundin 49106049ff
Start using cdn.conf template 2024-10-06 14:51:55 +02:00
Patrik Lundin e5ce5dd1cd
Start managing cdn.conf 2024-10-06 14:50:07 +02:00
Patrik Lundin 40036c3c32
Fix variable usage 2024-10-06 14:44:32 +02:00
Patrik Lundin 52469c754d
Correct path 2024-10-06 14:32:17 +02:00
Patrik Lundin 4b90469531
Missing $ 2024-10-06 14:30:51 +02:00
Patrik Lundin 0c5e2604b6
Add missing clients parameter 2024-10-06 14:29:48 +02:00
Patrik Lundin 7352a20143
Start managing mqtt ACL
Include sample comsos-rules entry for testing out template
2024-10-06 14:26:10 +02:00
Patrik Lundin 2099c4d691
Fix class name 2024-10-04 17:43:31 +02:00