Patrik Lundin
a82798ead5
Add network reload support
2024-10-11 19:04:17 +02:00
Patrik Lundin
fe428a9e74
Also include cidr suffix
2024-10-11 18:57:10 +02:00
Patrik Lundin
b5d9682e01
This is a hash
2024-10-11 18:55:39 +02:00
Patrik Lundin
637e2ae307
Add address config for dummy interface
2024-10-11 18:52:53 +02:00
Patrik Lundin
1e8cad6ea0
Add dummy0 interface
...
The netplan version we have is too old to do this so handle it manually.
2024-10-11 18:45:54 +02:00
Patrik Lundin
eb49f13c49
Fix backend name
2024-10-11 18:14:30 +02:00
Patrik Lundin
8227300a34
Enclose ipv6 addresses in []
2024-10-11 14:00:23 +02:00
Patrik Lundin
4d7283e361
Allow haproxy to bind to ports 80/443
...
This way we can run haproxy as an unprivileged user and still use what
is normally considered privileged ports.
2024-10-11 13:49:04 +02:00
Patrik Lundin
1247c7f0be
Use hiera data for ip4/ip6
2024-10-11 12:03:24 +02:00
Patrik Lundin
7402f8cfc1
More tweaks
2024-10-11 11:51:36 +02:00
Patrik Lundin
5185b62431
Syntax fixes
2024-10-11 11:47:44 +02:00
Patrik Lundin
31d7a3c93a
puppet-lint fixes
2024-10-11 11:46:06 +02:00
Patrik Lundin
ca9f7fbe50
Replace "." with ","
...
While here fix some variable usage and puppet-lint complaints
2024-10-11 11:42:12 +02:00
Patrik Lundin
88e3771f6e
Install certificate files
2024-10-11 11:38:58 +02:00
Patrik Lundin
aa5788f34a
Make cache hosts a certbot sync client
2024-10-11 08:41:24 +02:00
Patrik Lundin
c860812f2a
Apply certbot class to cs hosts
2024-10-11 08:38:29 +02:00
Patrik Lundin
894c416b22
Apply acmed class to cs hosts
2024-10-10 21:33:30 +02:00
Patrik Lundin
747059cd92
Missing "
2024-10-10 20:44:23 +02:00
Patrik Lundin
ff6376b68d
Add basic varnish VCL for testing
2024-10-10 20:39:35 +02:00
Patrik Lundin
802e9a1389
Fix erb iteration
2024-10-10 15:45:58 +02:00
Patrik Lundin
bacdb2c90a
Make sure customer conf dir is created
2024-10-10 15:31:54 +02:00
Patrik Lundin
170bdbc154
Missing $
2024-10-10 15:29:50 +02:00
Patrik Lundin
26f583c41a
Fix manifest name
2024-10-10 15:28:23 +02:00
Patrik Lundin
4b1f93c08a
Add missing $
2024-10-10 15:27:06 +02:00
Patrik Lundin
cf51469fae
Apply cdn::cache to cache nodes
2024-10-10 15:25:12 +02:00
Patrik Lundin
d0a19691aa
Initial cdn::cache manifest
2024-10-10 15:22:11 +02:00
Patrik Lundin
b2de8d246b
Start installing docker on cache machines
2024-10-10 11:01:28 +02:00
Patrik Lundin
254a3f107e
Quote some variables to make shellcheck happy
2024-10-10 10:38:45 +02:00
Patrik Lundin
7001a3fab6
Remove trailing "/" in dir path
2024-10-10 10:36:00 +02:00
Patrik Lundin
d38ef1b1ce
Remove bridges for now
2024-10-10 10:27:41 +02:00
Patrik Lundin
5d05e596c0
Cleanup ":"
2024-10-10 10:24:31 +02:00
Patrik Lundin
563886294b
Fix template
2024-10-10 10:23:55 +02:00
Patrik Lundin
d78d8c22b1
Make sure we trust internal cdn CA
2024-10-10 10:19:00 +02:00
Patrik Lundin
b44fb5ce43
Update key paths to reflect internal CA
2024-10-10 10:17:39 +02:00
Patrik Lundin
65fc0590b4
Add certbot deploy script for mosquitto
2024-10-10 10:13:04 +02:00
Patrik Lundin
b9266ec0e7
Start requesting ACME certs from internal CA
2024-10-09 12:13:30 +02:00
Patrik Lundin
8f8c360c69
Use environment instead of instance
2024-10-09 11:59:51 +02:00
Patrik Lundin
c09f81afbf
Fix type declaration
...
```
Error: Evaluation Error: Error while evaluating a Resource Statement, Class[Cdn::Ca_trust]:
parameter 'ca_root_fp' entry 'test' entry 'url' expects a Hash value, got String
parameter 'ca_root_fp' entry 'test' entry 'fp' expects a Hash value, got String on node internal-sto3-test-mqtt-1.cdn.sunet.se
```
Also rename variable now that it contains more than fingerprint
2024-10-09 11:53:52 +02:00
Patrik Lundin
1ef179cad2
Fix broken file declaration
...
While here make puppet-lint happy
2024-10-09 11:50:34 +02:00
Patrik Lundin
1dcc58d991
Apply trust class to mqtt
2024-10-09 11:47:53 +02:00
Patrik Lundin
ab3c08c5e1
Add class for setting up trust of internal CA
2024-10-09 11:46:28 +02:00
Patrik Lundin
d1b0694e44
Also set --admin-provisioner=admin
...
Without this the commands will hang for input to select a provisioner.
This is needed now that we have enabled a second (the ACME) provisioner
on init.
2024-10-08 21:45:17 +02:00
Patrik Lundin
22a2029cf9
Enable ACME provisioner at init
2024-10-08 16:50:46 +02:00
Patrik Lundin
6354f6faaa
Test opening port 80 for certbot operation
2024-10-08 16:38:11 +02:00
Patrik Lundin
fe04d862e3
Move script to correct location
2024-10-08 14:12:48 +02:00
Patrik Lundin
8d4d1841c4
Bootstrap step client
2024-10-08 14:09:44 +02:00
Patrik Lundin
44001514de
Missing ","
2024-10-08 13:42:14 +02:00
Patrik Lundin
a4a5a44647
Install step-cli from deb
2024-10-08 13:40:54 +02:00
Patrik Lundin
1cfbc3e908
Make puppet-lint happy with indent
2024-10-08 13:36:21 +02:00
Patrik Lundin
49ff235bc4
Download step client deb file
2024-10-08 13:33:32 +02:00
Patrik Lundin
aca8dd1b22
Add file to correct location
2024-10-08 13:12:54 +02:00
Patrik Lundin
d9db9fee72
Add init script for setting provisioner file
...
This is to deal with the problem that it makes sense to have a separate
passsword for encryption keys and the admin provisioner. It is currently
not possible to control this via the docker env flags so add this
workaround for now.
2024-10-08 12:35:41 +02:00
Patrik Lundin
d1c863c7cb
Expose the step-ca port
2024-10-08 10:09:20 +02:00
Patrik Lundin
d46d54a6a6
Enable compose file
2024-10-08 10:04:32 +02:00
Patrik Lundin
1803d1c69a
Add initial compose file for step-ca
2024-10-08 10:02:48 +02:00
Patrik Lundin
828f9a899d
Fix templates for passwords
2024-10-08 09:51:08 +02:00
Patrik Lundin
f247388664
Trust maria
...
Copied from cnaas-ops
2024-10-08 09:41:09 +02:00
Patrik Lundin
9379ba58e2
Handle undef ca_secrets more gracefully
2024-10-08 09:39:09 +02:00
Patrik Lundin
61a4ec13e3
Start setting up step-ca files
2024-10-08 09:36:04 +02:00
Patrik Lundin
e02160a311
Initial cdn::ca class
2024-10-07 08:35:00 +02:00
Patrik Lundin
9f05f40714
Install docker on ca machines
2024-10-06 15:37:33 +02:00
Patrik Lundin
49106049ff
Start using cdn.conf template
2024-10-06 14:51:55 +02:00
Patrik Lundin
e5ce5dd1cd
Start managing cdn.conf
2024-10-06 14:50:07 +02:00
Patrik Lundin
40036c3c32
Fix variable usage
2024-10-06 14:44:32 +02:00
Patrik Lundin
52469c754d
Correct path
2024-10-06 14:32:17 +02:00
Patrik Lundin
4b90469531
Missing $
2024-10-06 14:30:51 +02:00
Patrik Lundin
0c5e2604b6
Add missing clients parameter
2024-10-06 14:29:48 +02:00
Patrik Lundin
7352a20143
Start managing mqtt ACL
...
Include sample comsos-rules entry for testing out template
2024-10-06 14:26:10 +02:00
Patrik Lundin
2099c4d691
Fix class name
2024-10-04 17:43:31 +02:00
Patrik Lundin
c638772941
Apply mqtt class
2024-10-04 17:41:59 +02:00
Patrik Lundin
152179a5c1
Initial commit for mqtt management
2024-10-04 17:33:49 +02:00
Patrik Lundin
895264bc4f
Trust kano
...
Copied from platform-ops
2024-10-04 17:18:09 +02:00
Patrik Lundin
febde032ee
Update to new key standard
2024-10-04 17:16:23 +02:00
Patrik Lundin
571af24060
Make seccomp file readable by runner
2024-10-04 09:22:05 +02:00
Patrik Lundin
05ee26e7c2
Make docker_certs available to runner
2024-10-03 21:04:17 +02:00
Patrik Lundin
48d3b890d0
Use owner/group matching runner compose file
2024-10-03 20:57:28 +02:00
Patrik Lundin
d1d72ad80a
Try to access map correctly
2024-10-03 20:42:39 +02:00
Patrik Lundin
25a18fd58b
Remove extra dot
2024-10-03 20:15:39 +02:00
Patrik Lundin
32e4a99cef
Add initial forgejo runner config
2024-10-03 20:12:59 +02:00
Patrik Lundin
3883bb53b2
Trust jocar key
2024-10-03 15:56:30 +02:00
Patrik Lundin
dc180c10b0
Fix so systemd file is named sunet-cdn-l4lb
...
Not sunet-sunet-cdn-l4lb
2024-08-20 12:38:06 +02:00
Patrik Lundin
dd0493f869
Fix volume declarations
...
Did not expect to create anonymous volumes, see
https://stackoverflow.com/questions/46166304/docker-compose-volumes-without-colon
for more details. Now the host directories should be mounted. While here
try setting :ro to the paths we are not expecting to modify. The
/lib/modules :ro flag is based on
3cbd8258eb/cilium-lb.yaml (L143-L145)
2024-08-20 12:31:42 +02:00
Patrik Lundin
79f2018d1b
Fix path to template
2024-08-20 12:10:29 +02:00
Patrik Lundin
4755886ea9
Move manifest to expected location
2024-08-20 12:06:35 +02:00
Patrik Lundin
f4cd10a970
Add mifr key, imported from platform-ops
...
Need to trust commits to puppet-sunet stable branch
2024-08-20 12:00:57 +02:00
Patrik Lundin
9991bef58d
Assign new cdn::l4lb class to machine
2024-08-20 11:27:26 +02:00
Patrik Lundin
6057c62f47
Initial commit of running cilium l4lb via compose
2024-08-20 11:25:15 +02:00
Patrik Lundin
b014b4fdcc
Add sunet::dockerhost2 to cdn-prod-l4lb
...
While here fix indentation.
2024-08-15 09:21:02 +02:00
Patrik Lundin
ac83234433
Merge remote-tracking branch 'multiverse/main'
2024-07-05 10:59:29 +02:00
Patrik Lundin
94a65a31e0
Fix problems with outdated sunet puppet modules
...
Problem seen:
```
Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Unknown variable: '::osfamily'. (file: /etc/puppet/cosmos-modules/augeas/manifests/params.pp, line: 7, column: 8) on node example-1.sunet.se
```
This way we run modules installed from upstream apt packages instead.
Solution to delete keys to use local pacakges from pahol.
While here fix pylint issue with not importing platform module at
beginning of file.
2024-07-04 14:42:34 +02:00
Patrik Lundin
3d0413b450
Disable ntpd management for now
...
The current ntp puppet manifest does not support 24.04, and we need to
figure out if the future means timesyncd or chrony.
2024-07-04 13:32:23 +02:00
Patrik Lundin
74fb420946
Add initial cosmos-rules
2024-07-04 08:48:58 +02:00
Patrik Lundin
c417b1e296
Trust pahol key
...
Needed for puppet module
2024-07-03 17:27:23 +02:00
Patrik Lundin
4aa5e530f9
Trust jocar key
...
Needed for some puppet modules
2024-07-03 17:23:43 +02:00
Patrik Lundin
0b82213811
Add my GPG key
2024-07-03 15:56:09 +02:00
Patrik Lundin
a49e9cfd24
Add init.pp
...
Based on geteduroam-ops
2024-07-03 14:48:52 +02:00
Patrik Lundin
aa88795ee0
sunet-fleetlock: also handle ReadTimeout
...
Turns out this was not caught by ConnectionError.
2024-07-03 14:13:22 +02:00
Patrik Lundin
01768129f0
fleetlock: configurable lock/unlock timeout
...
While we already support setting a healthcheck timeout it probably
makes sense to be able to control how long we wait for a
fleetlock_lock() or fleetlock_unlock() call. This becomes important if
only running cosmos once a night or something like that. In that case we
you probably want to give a physical machine more than than 1 minute to
complete a reboot etc.
This can now be controlled by setting fleetlock_lock_timeout and
fleetlock_unlock_timeout in /etc/run-cosmos-fleetlock-conf. Keep in mind
that while it can make sense to increase the time for taking a lock,
releasing a lock should always be fast (either you have it and release
it, or you dont have it and it is a no-op) so setting a long unlock
timeout should probably never be done.
Since we also potentially wait the unlock timeout at boot (if the
fleetlock server is broken etc) that is another reason to keep it
short. The default 1m is probably OK for most uses.
2024-07-03 13:27:52 +02:00
Patrik Lundin
dfda322939
Add setup_cosmos_modules
2024-07-01 11:16:15 +02:00
Patrik Holmqvist
4231b4ac1d
Migrate from legacy fact
...
This did not work on modern puppet in ubuntu24:
Warning: Interpolation failed with '::lsbdistcodename', but compilation continuing;
New syntax inspiration from:
https://www.puppet.com/docs/puppet/8/hiera_config_yaml_5#configuring_hiera
2024-06-19 14:07:13 +02:00