diff --git a/manifests/annex_web.pp b/manifests/annex_web.pp
index 8fdb66b8..b10e51fb 100644
--- a/manifests/annex_web.pp
+++ b/manifests/annex_web.pp
@@ -1,123 +1,123 @@
# Deployment of web-facing public Git-annex
class profile::annex_web {
- $annex_basepath = hiera('annex::basepath')
+ $annex_basepath = lookup('annex::basepath')
- $annex_vhost_name = hiera('annex::vhost::name')
- $annex_vhost_docroot = hiera('annex::vhost::docroot')
+ $annex_vhost_name = lookup('annex::vhost::name')
+ $annex_vhost_docroot = lookup('annex::vhost::docroot')
$annex_vhost_basic_auth_file = "${annex_basepath}/http_auth"
- $annex_vhost_basic_auth_content = hiera('annex::vhost::basic_auth_content')
- $annex_vhost_ssl_protocol = hiera('annex::vhost::ssl_protocol')
- $annex_vhost_ssl_honorcipherorder = hiera('annex::vhost::ssl_honorcipherorder')
- $annex_vhost_ssl_cipher = hiera('annex::vhost::ssl_cipher')
- $annex_vhost_hsts_header = hiera('annex::vhost::hsts_header')
+ $annex_vhost_basic_auth_content = lookup('annex::vhost::basic_auth_content')
+ $annex_vhost_ssl_protocol = lookup('annex::vhost::ssl_protocol')
+ $annex_vhost_ssl_honorcipherorder = lookup('annex::vhost::ssl_honorcipherorder')
+ $annex_vhost_ssl_cipher = lookup('annex::vhost::ssl_cipher')
+ $annex_vhost_hsts_header = lookup('annex::vhost::hsts_header')
include ::profile::ssl
include ::profile::apache::common
::apache::vhost {"${annex_vhost_name}_non-ssl":
servername => $annex_vhost_name,
port => '80',
docroot => $annex_vhost_docroot,
redirect_status => 'permanent',
redirect_dest => "https://${annex_vhost_name}/",
}
$ssl_cert_name = 'star_softwareheritage_org'
$ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name]
$ssl_chain = $::profile::ssl::chain_paths[$ssl_cert_name]
$ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name]
::apache::vhost {"${annex_vhost_name}_ssl":
servername => $annex_vhost_name,
port => '443',
ssl => true,
ssl_protocol => $annex_vhost_ssl_protocol,
ssl_honorcipherorder => $annex_vhost_ssl_honorcipherorder,
ssl_cipher => $annex_vhost_ssl_cipher,
ssl_cert => $ssl_cert,
ssl_chain => $ssl_chain,
ssl_key => $ssl_key,
headers => [$annex_vhost_hsts_header],
docroot => $annex_vhost_docroot,
directories => [{
'path' => $annex_vhost_docroot,
'require' => 'all granted',
'options' => ['Indexes', 'FollowSymLinks', 'MultiViews'],
},
{ # hide (annex) .git directory
'path' => '.*/\.git/?$',
'provider' => 'directorymatch',
'require' => 'all denied',
}],
require => [
File[$ssl_cert],
File[$ssl_chain],
File[$ssl_key],
],
}
file {"${annex_vhost_docroot}/public":
ensure => link,
target => "../annexroot/public",
require => File[$annex_vhost_docroot],
}
file {$annex_vhost_basic_auth_file:
ensure => present,
owner => 'root',
group => 'www-data',
mode => '0640',
content => '$annex_vhost_basic_auth_content',
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"annex http redirect on ${::fqdn}":
service_name => 'annex http redirect',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $annex_vhost_name,
http_vhost => $annex_vhost_name,
http_uri => '/',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"annex https on ${::fqdn}":
service_name => 'annex https',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $annex_vhost_name,
http_vhost => $annex_vhost_name,
http_ssl => true,
http_sni => true,
http_uri => '/',
http_onredirect => sticky
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"annex https certificate ${::fqdn}":
service_name => 'annex https certificate',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $annex_vhost_name,
http_vhost => $annex_vhost_name,
http_ssl => true,
http_sni => true,
http_certificate => 60,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
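Review bot: The `content => '$annex_vhost_basic_auth_content',` attribute on `file {$annex_vhost_basic_auth_file:` is single-quoted, so Puppet does not interpolate it and the `http_auth` file is written with the literal variable name rather than the value this commit now fetches via `lookup('annex::vhost::basic_auth_content')`. Pass the variable unquoted instead: `content => $annex_vhost_basic_auth_content,`. Neither `directories` entry of the SSL vhost refers to this file, so it is also worth confirming where basic auth is meant to be enforced.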
diff --git a/manifests/apache/rewrite_domains.pp b/manifests/apache/rewrite_domains.pp
index 80add3db..992b3c95 100644
--- a/manifests/apache/rewrite_domains.pp
+++ b/manifests/apache/rewrite_domains.pp
@@ -1,46 +1,46 @@
# Simple apache domain rewriting
class profile::apache::rewrite_domains {
include ::profile::apache::common
include ::profile::ssl
- $ssl_protocol = hiera('apache::ssl_protocol')
- $ssl_honorcipherorder = hiera('apache::ssl_honorcipherorder')
- $ssl_cipher = hiera('apache::ssl_cipher')
- $hsts_header = hiera('apache::hsts_header')
+ $ssl_protocol = lookup('apache::ssl_protocol')
+ $ssl_honorcipherorder = lookup('apache::ssl_honorcipherorder')
+ $ssl_cipher = lookup('apache::ssl_cipher')
+ $hsts_header = lookup('apache::hsts_header')
- $rewrite_domains = hiera_hash('apache::rewrite_domains')
+ $rewrite_domains = lookup('apache::rewrite_domains', Hash, 'deep')
each($rewrite_domains) |$name, $data| {
$ssl_cert_name = $data['ssl_cert_name']
$ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name]
$ssl_chain = $::profile::ssl::chain_paths[$ssl_cert_name]
$ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name]
::apache::vhost {"${name}_non-ssl":
servername => $name,
port => '80',
docroot => '/var/www',
redirect_status => 'permanent',
redirect_dest => "https://${name}/",
}
::apache::vhost {"${name}_ssl":
servername => $name,
port => '443',
ssl => true,
ssl_protocol => $ssl_protocol,
ssl_honorcipherorder => $ssl_honorcipherorder,
ssl_cipher => $ssl_cipher,
ssl_cert => $ssl_cert,
ssl_chain => $ssl_chain,
ssl_key => $ssl_key,
headers => [$hsts_header],
docroot => '/var/www',
rewrites => [
{ rewrite_rule => $data['rewrites'], },
],
}
}
}
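Review bot: `lookup('apache::rewrite_domains', Hash, 'deep')` matches the old `hiera_hash()` call only if hiera.yaml configures a deep merge, because `hiera_hash` follows the `:merge_behavior` setting, which is not visible here and defaults to a shallow merge of top-level keys. With `'deep'`, nested hashes and arrays from less specific hierarchy levels are merged into the more specific entry instead of being replaced by it. If the previous behaviour was the default, the equivalent is `lookup('apache::rewrite_domains', Hash, 'hash')`. The same applies to the `'deep'` lookups in manifests/base.pp, manifests/desktop/printers.pp and manifests/icinga2/agent.pp. In base.pp it would union each user's `groups` array across levels, so a node-level override could no longer narrow group membership.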
diff --git a/manifests/base.pp b/manifests/base.pp
index 821cd6b0..eab2464a 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,132 +1,132 @@
# Base configuration for Software Heritage servers
class profile::base {
class { '::ntp':
- servers => hiera('ntp::servers'),
+ servers => lookup('ntp::servers'),
}
class { '::postfix':
- relayhost => hiera('smtp::relayhost'),
- mydestination => hiera_array('smtp::mydestination'),
- mynetworks => hiera_array('smtp::mynetworks'),
- relay_destinations => hiera_hash('smtp::relay_destinations'),
- virtual_aliases => hiera_hash('smtp::virtual_aliases'),
+ relayhost => lookup('smtp::relayhost'),
+ mydestination => lookup('smtp::mydestination', Array, 'unique'),
+ mynetworks => lookup('smtp::mynetworks', Array, 'unique'),
+ relay_destinations => lookup('smtp::relay_destinations', Hash, 'deep'),
+ virtual_aliases => lookup('smtp::virtual_aliases', Hash, 'deep'),
}
exec {'newaliases':
path => ['/usr/bin', '/usr/sbin'],
refreshonly => true,
require => Package['postfix'],
}
- $mail_aliases = hiera_hash('smtp::mail_aliases')
+ $mail_aliases = lookup('smtp::mail_aliases', Hash, 'deep')
each($mail_aliases) |$alias, $recipients| {
mailalias {$alias:
ensure => present,
recipient => $recipients,
notify => Exec['newaliases'],
}
}
class { '::locales':
- default_locale => hiera('locales::default_locale'),
- locales => hiera('locales::installed_locales'),
+ default_locale => lookup('locales::default_locale'),
+ locales => lookup('locales::installed_locales'),
}
- $packages = hiera_array('packages')
+ $packages = lookup('packages', Array, 'unique')
package { $packages:
ensure => present,
}
- $users = hiera_hash('users')
- $groups = hiera_hash('groups')
+ $users = lookup('users', Hash, 'deep')
+ $groups = lookup('groups', Hash, 'deep')
each($groups) |$name, $data| {
group { $name:
ensure => 'present',
gid => $data['gid'],
}
}
each($users) |$name, $data| {
if $name == 'root' {
$home = '/root'
$mode = '0600'
} else {
$home = "/home/${name}"
$mode = '0644'
}
user { $name:
ensure => 'present',
uid => $data['uid'],
comment => $data['full_name'],
shell => $data['shell'],
groups => $data['groups'],
password => $data['password'],
require => Group[$data['groups']],
}
if ($data['shell'] == '/usr/bin/zsh') {
Package['zsh'] -> User[$name]
}
if (has_key($groups, $name)) {
Group[$name] -> User[$name]
}
file { $home:
ensure => 'directory',
mode => $mode,
owner => $name,
group => $name,
require => User[$name],
}
}
class { '::sudo':
config_file_replace => false,
purge => false,
}
::sudo::conf { 'local-env':
ensure => present,
content => 'Defaults env_keep += "GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL"',
priority => 10,
}
::sudo::conf { 'local-deploy':
ensure => present,
content => '%swhdeploy ALL = NOPASSWD: /usr/local/sbin/swh-puppet-master-deploy, /usr/local/sbin/swh-puppet-test, /usr/local/sbin/swh-puppet-apply, /usr/bin/apt-get update',
priority => 20,
}
class {'::timezone':
- timezone => hiera('timezone'),
+ timezone => lookup('timezone'),
}
- $bind_autogenerate = hiera('bind::autogenerate')
- $bind_key = hiera('bind::update_key')
+ $bind_autogenerate = lookup('bind::autogenerate')
+ $bind_key = lookup('bind::update_key')
each($bind_autogenerate) |$net| {
$ipaddr = ip_for_network($net)
if $ipaddr {
$reverse = reverse_ipv4($ipaddr)
$fqdn = $::swh_hostname['internal_fqdn']
@@resource_record { "${fqdn}/A":
type => 'A',
record => $fqdn,
data => $ipaddr,
keyfile => "/etc/bind/keys/${bind_key}",
}
@@resource_record { "${fqdn}/PTR":
type => 'PTR',
record => $reverse,
data => "${fqdn}.",
keyfile => "/etc/bind/keys/${bind_key}",
}
}
}
}
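Review bot: The exported `resource_record` resources at the end of this class take their title, `record` and `data` from node-supplied values (`$::swh_hostname['internal_fqdn']`, which looks like a custom fact, and `ip_for_network($net)`, presumably derived from interface facts), and manifests/bind_server.pp collects them with an unfiltered `Resource_Record <<| |>>`. A node whose facts are wrong or tampered with can therefore get A/PTR records of its choosing applied on the bind server. Consider checking the exported name against `$trusted['certname']` before exporting, and narrowing the collector with a search expression such as `Resource_Record <<| tag == 'EXAMPLE_TAG' |>>` (tag name made up for illustration). At minimum a comment on the export would record the trust assumption, e.g. `# exported to the bind server; name and address come from facts, not from the node certificate`.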
diff --git a/manifests/bind_server.pp b/manifests/bind_server.pp
index 1f8568fb..e3e58227 100644
--- a/manifests/bind_server.pp
+++ b/manifests/bind_server.pp
@@ -1,83 +1,83 @@
class profile::bind_server {
include ::profile::resolv_conf
- $forwarders = hiera('dns::forwarders')
- $zones = hiera('bind::zones')
- $default_zone_data = hiera('bind::zones::default_data')
- $clients = hiera('bind::clients')
- $resource_records = hiera('bind::resource_records')
- $default_rr_data = hiera('bind::resource_records::default_data')
- $update_key = hiera('bind::update_key')
+ $forwarders = lookup('dns::forwarders')
+ $zones = lookup('bind::zones')
+ $default_zone_data = lookup('bind::zones::default_data')
+ $clients = lookup('bind::clients')
+ $resource_records = lookup('bind::resource_records')
+ $default_rr_data = lookup('bind::resource_records::default_data')
+ $update_key = lookup('bind::update_key')
$zone_names = keys($zones)
class { '::bind':
forwarders => $forwarders,
dnssec => true,
}
Service['bind'] -> File['/etc/resolv.conf']
bind::view { 'private':
recursion => true,
zones => $zone_names,
match_clients => $clients,
}
bind::key { $update_key:
secret_bits => 512,
}
each($zones) |$zone, $data| {
$merged_data = merge($default_zone_data, $data)
bind::zone { $zone:
zone_type => $merged_data['zone_type'],
domain => $merged_data['domain'],
dynamic => $merged_data['dynamic'],
masters => $merged_data['masters'],
transfer_source => $merged_data['transfer_source'],
allow_updates => union(
any2array($merged_data['allow_updates']),
["key ${update_key}"],
),
update_policies => $merged_data['update_policies'],
allow_transfers => $merged_data['allow_transfers'],
dnssec => $merged_data['dnssec'],
key_directory => $merged_data['key_directory'],
ns_notify => $merged_data['ns_notify'],
also_notify => $merged_data['also_notify'],
allow_notify => $merged_data['allow_notify'],
forwarders => $merged_data['forwarders'],
forward => $merged_data['forward'],
source => $merged_data['source'],
}
}
each($resource_records) |$rr, $data| {
$merged_data = merge($default_rr_data, $data)
resource_record { $rr:
type => $merged_data['type'],
record => $merged_data['record'],
data => $merged_data['data'],
keyfile => "/etc/bind/keys/${update_key}",
}
# Generate PTR record from A record
if $merged_data['type'] == 'A' {
$ptr = reverse_ipv4($merged_data['data'])
$ptr_domain = join(values_at(split($ptr, '[.]'), '1-5'), '.')
if member($zone_names, $ptr_domain) {
resource_record { "${rr}+PTR":
type => 'PTR',
record => $ptr,
data => "${merged_data['record']}.",
keyfile => "/etc/bind/keys/${update_key}",
}
}
}
}
Resource_Record <<| |>>
Bind::Zone <| |> -> Resource_Record <| |>
}
diff --git a/manifests/ceph/base.pp b/manifests/ceph/base.pp
index 62681387..0535388b 100644
--- a/manifests/ceph/base.pp
+++ b/manifests/ceph/base.pp
@@ -1,18 +1,18 @@
# Base configuration for Ceph
class profile::ceph::base {
- $ceph_release = hiera('ceph::release')
+ $ceph_release = lookup('ceph::release')
- $ceph_fsid = hiera('ceph::fsid')
- $ceph_mon_initial_members = join(hiera('ceph::mon_initial_members'), ',')
- $ceph_mon_host = join(hiera('ceph::mon_host'), ',')
+ $ceph_fsid = lookup('ceph::fsid')
+ $ceph_mon_initial_members = join(lookup('ceph::mon_initial_members'), ',')
+ $ceph_mon_host = join(lookup('ceph::mon_host'), ',')
class {'::ceph::repo':
release => $ceph_release,
}
class {'::ceph':
fsid => $ceph_fsid,
mon_initial_members => $ceph_mon_initial_members,
mon_host => $ceph_mon_host,
}
}
diff --git a/manifests/ceph/mon.pp b/manifests/ceph/mon.pp
index 7cf39be3..9c517dc7 100644
--- a/manifests/ceph/mon.pp
+++ b/manifests/ceph/mon.pp
@@ -1,30 +1,30 @@
# Ceph Monitor profile
class profile::ceph::mon {
include profile::ceph::base
- $mon_secret = hiera('ceph::secrets::mon')
- $mgr_secret = hiera('ceph::secrets::mgr')
+ $mon_secret = lookup('ceph::secrets::mon')
+ $mgr_secret = lookup('ceph::secrets::mgr')
- $client_keys = hiera('ceph::keys')
+ $client_keys = lookup('ceph::keys')
::ceph::mon {$::hostname:
key => $mon_secret,
}
::ceph::mgr {$::hostname:
key => $mgr_secret,
inject_key => true,
}
::Ceph::Key {
inject => true,
inject_as_id => 'mon.',
inject_keyring => "/var/lib/ceph/mon/ceph-${::hostname}/keyring",
}
each($client_keys) |$name, $data| {
::ceph::key {"client.${name}":
* => $data,
}
}
}
diff --git a/manifests/ceph/osd.pp b/manifests/ceph/osd.pp
index 81fa6698..d9c0ecdc 100644
--- a/manifests/ceph/osd.pp
+++ b/manifests/ceph/osd.pp
@@ -1,10 +1,10 @@
# Ceph OSD profile
class profile::ceph::osd {
include profile::ceph::base
- $bootstrap_osd_secret = hiera('ceph::secrets::bootstrap_osd')
+ $bootstrap_osd_secret = lookup('ceph::secrets::bootstrap_osd')
::ceph::key {'client.bootstrap-osd':
keyring_path => '/var/lib/ceph/bootstrap-osd/ceph.keyring',
secret => $bootstrap_osd_secret,
}
}
diff --git a/manifests/dar/client.pp b/manifests/dar/client.pp
index 6d655f47..484b7f14 100644
--- a/manifests/dar/client.pp
+++ b/manifests/dar/client.pp
@@ -1,68 +1,68 @@
class profile::dar::client {
include ::dar
$dar_remote_hostname = $::swh_hostname['short']
$dar_backup_name = $::hostname
- $hierahour = hiera('dar::cron::hour')
+ $hierahour = lookup('dar::cron::hour')
if $hierahour == 'fqdn_rand' {
$hour = fqdn_rand(24, 'backup_hour')
} else {
$hour = $hierahour
}
- $hieraminute = hiera('dar::cron::minute')
+ $hieraminute = lookup('dar::cron::minute')
if $hieraminute == 'fqdn_rand' {
$minute = fqdn_rand(60, 'backup_minute')
} else {
$minute = $hieraminute
}
- $hieramonth = hiera('dar::cron::month')
+ $hieramonth = lookup('dar::cron::month')
if $hieramonth == 'fqdn_rand' {
$month = fqdn_rand(12, 'backup_month')
} else {
$month = $hieramonth
}
- $hieramonthday = hiera('dar::cron::monthday')
+ $hieramonthday = lookup('dar::cron::monthday')
if $hieramonthday == 'fqdn_rand' {
$monthday = fqdn_rand(31, 'backup_monthday')
} else {
$monthday = $hieramonthday
}
- $hieraweekday = hiera('dar::cron::weekday')
+ $hieraweekday = lookup('dar::cron::weekday')
if $hieraweekday == 'fqdn_rand' {
$weekday = fqdn_rand(31, 'backup_weekday')
} else {
$weekday = $hieraweekday
}
dar::backup { $dar_backup_name:
- backup_storage => hiera('dar::backup::storage'),
- keep_backups => hiera('dar::backup::num_backups'),
- backup_base => hiera('dar::backup::base'),
- backup_selection => hiera('dar::backup::select'),
- backup_exclusion => hiera_array('dar::backup::exclude'),
- backup_options => hiera('dar::backup::options'),
+ backup_storage => lookup('dar::backup::storage'),
+ keep_backups => lookup('dar::backup::num_backups'),
+ backup_base => lookup('dar::backup::base'),
+ backup_selection => lookup('dar::backup::select'),
+ backup_exclusion => lookup('dar::backup::exclude', Array, 'unique'),
+ backup_options => lookup('dar::backup::options'),
hour => $hour,
minute => $minute,
month => $month,
monthday => $monthday,
weekday => $weekday,
}
# Export a remote backup to the backup server
@@dar::remote_backup { "${dar_remote_hostname}.${dar_backup_name}":
- remote_backup_storage => hiera('dar::backup::storage'),
+ remote_backup_storage => lookup('dar::backup::storage'),
remote_backup_host => $dar_remote_hostname,
remote_backup_name => $dar_backup_name,
- local_backup_storage => hiera('dar_server::backup::storage'),
- hour => hiera('dar_server::cron::hour'),
- minute => hiera('dar_server::cron::minute'),
- month => hiera('dar_server::cron::month'),
- monthday => hiera('dar_server::cron::monthday'),
- weekday => hiera('dar_server::cron::weekday'),
+ local_backup_storage => lookup('dar_server::backup::storage'),
+ hour => lookup('dar_server::cron::hour'),
+ minute => lookup('dar_server::cron::minute'),
+ month => lookup('dar_server::cron::month'),
+ monthday => lookup('dar_server::cron::monthday'),
+ weekday => lookup('dar_server::cron::weekday'),
}
}
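Review bot: The `fqdn_rand` fallbacks can produce values outside what cron accepts: `fqdn_rand(31, 'backup_weekday')` returns 0–30 although weekdays only run 0–7, and `fqdn_rand(12, 'backup_month')` and `fqdn_rand(31, 'backup_monthday')` can return 0, which is not a valid month or day of month. If `dar::backup` passes these to a cron resource, as the parameter names suggest, a host that draws such a value gets a rejected or never-firing backup schedule, which tends to go unnoticed until a restore is needed. Suggested: `$weekday = fqdn_rand(7, 'backup_weekday')`, `$month = fqdn_rand(12, 'backup_month') + 1`, `$monthday = fqdn_rand(28, 'backup_monthday') + 1` (28 so the day exists in every month). These lines are unchanged context in this commit, which only swaps `hiera()` for `lookup()` above each of them.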
diff --git a/manifests/debian_repository.pp b/manifests/debian_repository.pp
index c4ce2f43..a241d1c1 100644
--- a/manifests/debian_repository.pp
+++ b/manifests/debian_repository.pp
@@ -1,118 +1,118 @@
# Debian repository configuration
class profile::debian_repository {
$packages = ['reprepro']
package {$packages:
ensure => installed,
}
- $repository_basepath = hiera('debian_repository::basepath')
+ $repository_basepath = lookup('debian_repository::basepath')
- $repository_vhost_name = hiera('debian_repository::vhost::name')
- $repository_vhost_aliases = hiera('debian_repository::vhost::aliases')
- $repository_vhost_docroot = hiera('debian_repository::vhost::docroot')
- $repository_vhost_docroot_owner = hiera('debian_repository::vhost::docroot_owner')
- $repository_vhost_docroot_group = hiera('debian_repository::vhost::docroot_group')
- $repository_vhost_docroot_mode = hiera('debian_repository::vhost::docroot_mode')
- $repository_vhost_ssl_protocol = hiera('debian_repository::vhost::ssl_protocol')
- $repository_vhost_ssl_honorcipherorder = hiera('debian_repository::vhost::ssl_honorcipherorder')
- $repository_vhost_ssl_cipher = hiera('debian_repository::vhost::ssl_cipher')
- $repository_vhost_hsts_header = hiera('debian_repository::vhost::hsts_header')
+ $repository_vhost_name = lookup('debian_repository::vhost::name')
+ $repository_vhost_aliases = lookup('debian_repository::vhost::aliases')
+ $repository_vhost_docroot = lookup('debian_repository::vhost::docroot')
+ $repository_vhost_docroot_owner = lookup('debian_repository::vhost::docroot_owner')
+ $repository_vhost_docroot_group = lookup('debian_repository::vhost::docroot_group')
+ $repository_vhost_docroot_mode = lookup('debian_repository::vhost::docroot_mode')
+ $repository_vhost_ssl_protocol = lookup('debian_repository::vhost::ssl_protocol')
+ $repository_vhost_ssl_honorcipherorder = lookup('debian_repository::vhost::ssl_honorcipherorder')
+ $repository_vhost_ssl_cipher = lookup('debian_repository::vhost::ssl_cipher')
+ $repository_vhost_hsts_header = lookup('debian_repository::vhost::hsts_header')
include ::profile::ssl
include ::profile::apache::common
::apache::vhost {"${repository_vhost_name}_non-ssl":
servername => $repository_vhost_name,
serveraliases => $repository_vhost_aliases,
port => '80',
docroot => $repository_vhost_docroot,
manage_docroot => false, # will be managed by the SSL resource
redirect_status => 'permanent',
redirect_dest => "https://${repository_vhost_name}/",
}
$ssl_cert_name = 'star_softwareheritage_org'
$ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name]
$ssl_chain = $::profile::ssl::chain_paths[$ssl_cert_name]
$ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name]
::apache::vhost {"${repository_vhost_name}_ssl":
servername => $repository_vhost_name,
port => '443',
ssl => true,
ssl_protocol => $repository_vhost_ssl_protocol,
ssl_honorcipherorder => $repository_vhost_ssl_honorcipherorder,
ssl_cipher => $repository_vhost_ssl_cipher,
ssl_cert => $ssl_cert,
ssl_chain => $ssl_chain,
ssl_key => $ssl_key,
headers => [$repository_vhost_hsts_header],
docroot => $repository_vhost_docroot,
docroot_owner => $repository_vhost_docroot_owner,
docroot_group => $repository_vhost_docroot_group,
docroot_mode => $repository_vhost_docroot_mode,
directories => [
{
path => $repository_vhost_docroot,
require => 'all granted',
options => ['Indexes', 'FollowSymLinks', 'MultiViews'],
},
],
require => [
File[$ssl_cert],
File[$ssl_chain],
File[$ssl_key],
],
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"debian repository http redirect on ${::fqdn}":
service_name => 'debian repository http redirect',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $repository_vhost_name,
http_vhost => $repository_vhost_name,
http_uri => '/',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"debian repository https on ${::fqdn}":
service_name => 'debian repository https',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $repository_vhost_name,
http_vhost => $repository_vhost_name,
http_ssl => true,
http_sni => true,
http_uri => '/',
http_onredirect => sticky
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"debian repository https certificate ${::fqdn}":
service_name => 'debian repository https certificate',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $repository_vhost_name,
http_vhost => $repository_vhost_name,
http_ssl => true,
http_sni => true,
http_certificate => 60,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
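Review bot: The SSL vhost enables `FollowSymLinks` together with `Indexes` on a docroot whose owner, group and mode come from Hiera (`docroot_owner`, `docroot_group`, `docroot_mode`), so anyone with write access there can place a symlink that makes Apache serve any file the web server user can read. If the repository layout does not depend on symlinks owned by other users, tighten the option: `options => ['Indexes', 'SymLinksIfOwnerMatch', 'MultiViews'],`. The same combination appears in manifests/docs_web.pp, which also has a group-managed docroot. manifests/annex_web.pp probably needs symlinks for git-annex content and should be assessed separately.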
diff --git a/manifests/desktop.pp b/manifests/desktop.pp
index f79fe971..e85925a7 100644
--- a/manifests/desktop.pp
+++ b/manifests/desktop.pp
@@ -1,9 +1,9 @@
class profile::desktop {
- $packages = hiera_array('packages::desktop')
+ $packages = lookup('packages::desktop', Array, 'unique')
package { $packages:
ensure => present,
}
include ::profile::desktop::printers
}
diff --git a/manifests/desktop/printers.pp b/manifests/desktop/printers.pp
index fea3d507..12ad0ae0 100644
--- a/manifests/desktop/printers.pp
+++ b/manifests/desktop/printers.pp
@@ -1,87 +1,87 @@
class profile::desktop::printers {
- $printers = hiera_hash('desktop::printers')
- $default_printer = hiera('desktop::printers::default')
- $cups_usernames = hiera_hash('desktop::printers::cups_usernames')
+ $printers = lookup('desktop::printers', Hash, 'deep')
+ $default_printer = lookup('desktop::printers::default')
+ $cups_usernames = lookup('desktop::printers::cups_usernames', Hash, 'deep')
- $ppd_dir = hiera('desktop::printers::ppd_dir')
+ $ppd_dir = lookup('desktop::printers::ppd_dir')
$ppd_file = "${ppd_dir}/MFP.ppd"
$ppd_auth_filter = "${ppd_dir}/MFP_auth_filter"
class {'::cups':
default_printer => $default_printer,
}
each($printers) |$printer, $params| {
printer {$printer:
ensure => present,
uri => $params['uri'],
description => $params['description'],
ppd => $params['ppd'],
location => $params['location'],
ppd_options => $params['ppd_options'],
shared => false,
require => File[$params['ppd']],
}
}
Printer[$default_printer] -> Exec['default_printer']
each ($cups_usernames) |$user, $cups_user| {
file {"/home/${user}/.cups":
ensure => directory,
owner => $user,
group => $user,
mode => '0640',
}
file {"/home/${user}/.cups/client.conf":
ensure => present,
owner => $user,
group => $user,
mode => '0640',
}
file_line {"cups_username_${user}":
path => "/home/${user}/.cups/client.conf",
line => "User ${cups_user}",
match => '^User ',
}
}
file {$ppd_dir:
ensure => directory,
owner => root,
group => root,
mode => '0644',
require => Package['cups'],
}
# Template uses $ppd_auth_filter
file {"${ppd_dir}/MFP_Paris.ppd":
ensure => present,
owner => root,
group => root,
mode => '0644',
content => template('profile/desktop/printers/MFP_Paris.ppd.erb'),
require => [
File[$ppd_dir],
File[$ppd_auth_filter],
],
}
file {$ppd_auth_filter:
ensure => present,
owner => root,
group => root,
mode => '0755',
source => 'puppet:///modules/profile/desktop/printers/MFP_auth_filter',
require => [
File[$ppd_dir],
],
}
service {'cups-browsed':
ensure => stopped,
enable => false,
}
}
diff --git a/manifests/devel.pp b/manifests/devel.pp
index 9a7ddd24..2bf0d1e7 100644
--- a/manifests/devel.pp
+++ b/manifests/devel.pp
@@ -1,13 +1,13 @@
# profile for the workstation of a Software Heritage developer
class profile::devel {
- $packages = hiera_array('packages::devel')
+ $packages = lookup('packages::devel', Array, 'unique')
package { $packages:
ensure => present,
}
include ::profile::devel::debian
include ::profile::devel::postgres
include ::profile::devel::python
include ::profile::devel::broker
}
diff --git a/manifests/devel/broker.pp b/manifests/devel/broker.pp
index 1eba1ec8..0fa9b273 100644
--- a/manifests/devel/broker.pp
+++ b/manifests/devel/broker.pp
@@ -1,7 +1,7 @@
class profile::devel::broker {
- $packages = hiera_array('packages::devel::broker')
+ $packages = lookup('packages::devel::broker', Array, 'unique')
package { $packages:
ensure => present,
}
}
diff --git a/manifests/devel/debian.pp b/manifests/devel/debian.pp
index e3aa183f..d9b4fd92 100644
--- a/manifests/devel/debian.pp
+++ b/manifests/devel/debian.pp
@@ -1,7 +1,7 @@
class profile::devel::debian {
- $packages = hiera_array('packages::devel::debian')
+ $packages = lookup('packages::devel::debian', Array, 'unique')
package { $packages:
ensure => present,
}
}
diff --git a/manifests/devel/postgres.pp b/manifests/devel/postgres.pp
index c18b4bda..cc7bac4e 100644
--- a/manifests/devel/postgres.pp
+++ b/manifests/devel/postgres.pp
@@ -1,13 +1,13 @@
class profile::devel::postgres {
- $packages = hiera_array('packages::devel::postgres')
+ $packages = lookup('packages::devel::postgres', Array, 'unique')
package { $packages:
ensure => present,
}
file { '/etc/postgresql-common/pg_service.conf':
ensure => file,
content => template('profile/postgres/pg_service.conf.erb'),
require => Package[$packages],
}
}
diff --git a/manifests/devel/python.pp b/manifests/devel/python.pp
index a4d08982..f767e3e5 100644
--- a/manifests/devel/python.pp
+++ b/manifests/devel/python.pp
@@ -1,7 +1,7 @@
class profile::devel::python {
- $packages = hiera_array('packages::devel::python')
+ $packages = lookup('packages::devel::python', Array, 'unique')
package { $packages:
ensure => present,
}
}
diff --git a/manifests/docs_web.pp b/manifests/docs_web.pp
index 686e0f6d..b931c78a 100644
--- a/manifests/docs_web.pp
+++ b/manifests/docs_web.pp
@@ -1,106 +1,106 @@
# Deployment of web-facing static documentation
class profile::docs_web {
- $docs_basepath = hiera('docs::basepath')
+ $docs_basepath = lookup('docs::basepath')
- $docs_vhost_name = hiera('docs::vhost::name')
- $docs_vhost_docroot = hiera('docs::vhost::docroot')
- $docs_vhost_docroot_group = hiera('docs::vhost::docroot_group')
- $docs_vhost_docroot_mode = hiera('docs::vhost::docroot_mode')
- $docs_vhost_ssl_protocol = hiera('docs::vhost::ssl_protocol')
- $docs_vhost_ssl_honorcipherorder = hiera('docs::vhost::ssl_honorcipherorder')
- $docs_vhost_ssl_cipher = hiera('docs::vhost::ssl_cipher')
- $docs_vhost_hsts_header = hiera('docs::vhost::hsts_header')
+ $docs_vhost_name = lookup('docs::vhost::name')
+ $docs_vhost_docroot = lookup('docs::vhost::docroot')
+ $docs_vhost_docroot_group = lookup('docs::vhost::docroot_group')
+ $docs_vhost_docroot_mode = lookup('docs::vhost::docroot_mode')
+ $docs_vhost_ssl_protocol = lookup('docs::vhost::ssl_protocol')
+ $docs_vhost_ssl_honorcipherorder = lookup('docs::vhost::ssl_honorcipherorder')
+ $docs_vhost_ssl_cipher = lookup('docs::vhost::ssl_cipher')
+ $docs_vhost_hsts_header = lookup('docs::vhost::hsts_header')
include ::profile::ssl
include ::profile::apache::common
::apache::vhost {"${docs_vhost_name}_non-ssl":
servername => $docs_vhost_name,
port => '80',
docroot => $docs_vhost_docroot,
manage_docroot => false, # will be managed by the SSL resource
redirect_status => 'permanent',
redirect_dest => "https://${docs_vhost_name}/",
}
$ssl_cert_name = 'star_softwareheritage_org'
$ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name]
$ssl_chain = $::profile::ssl::chain_paths[$ssl_cert_name]
$ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name]
::apache::vhost {"${docs_vhost_name}_ssl":
servername => $docs_vhost_name,
port => '443',
ssl => true,
ssl_protocol => $docs_vhost_ssl_protocol,
ssl_honorcipherorder => $docs_vhost_ssl_honorcipherorder,
ssl_cipher => $docs_vhost_ssl_cipher,
ssl_cert => $ssl_cert,
ssl_chain => $ssl_chain,
ssl_key => $ssl_key,
headers => [$docs_vhost_hsts_header],
docroot => $docs_vhost_docroot,
docroot_group => $docs_vhost_docroot_group,
docroot_mode => $docs_vhost_docroot_mode,
directories => [{
'path' => $docs_vhost_docroot,
'require' => 'all granted',
'options' => ['Indexes', 'FollowSymLinks', 'MultiViews'],
}],
require => [
File[$ssl_cert],
File[$ssl_chain],
File[$ssl_key],
],
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"docs http redirect on ${::fqdn}":
service_name => 'docs http redirect',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $docs_vhost_name,
http_vhost => $docs_vhost_name,
http_uri => '/',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"docs https on ${::fqdn}":
service_name => 'docs https',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $docs_vhost_name,
http_vhost => $docs_vhost_name,
http_ssl => true,
http_sni => true,
http_uri => '/',
http_onredirect => sticky
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"docs https certificate ${::fqdn}":
service_name => 'docs https certificate',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $docs_vhost_name,
http_vhost => $docs_vhost_name,
http_ssl => true,
http_sni => true,
http_certificate => 60,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
diff --git a/manifests/hitch.pp b/manifests/hitch.pp
index e0402cca..f9e3cd47 100644
--- a/manifests/hitch.pp
+++ b/manifests/hitch.pp
@@ -1,46 +1,46 @@
# Support for hitch TLS termination proxy
class profile::hitch {
- $frontend = hiera('hitch::frontend')
- $proxy_support = hiera('hitch::proxy_support')
- $http2_support = hiera('hitch::http2_support')
+ $frontend = lookup('hitch::frontend')
+ $proxy_support = lookup('hitch::proxy_support')
+ $http2_support = lookup('hitch::http2_support')
$ocsp_dir = '/var/lib/hitch'
if $proxy_support {
- $varnish_proxy_port = hiera('varnish::proxy_port')
+ $varnish_proxy_port = lookup('varnish::proxy_port')
$backend = "[::1]:${varnish_proxy_port}"
$write_proxy_v2 = 'on'
} else {
- $apache_http_port = hiera('apache::http_port')
+ $apache_http_port = lookup('apache::http_port')
$backend = "[::1]:${apache_http_port}"
$write_proxy_v2 = 'off'
}
if $http2_support {
$alpn_protos = 'h2,http/1.1'
} else {
$alpn_protos = undef
}
class {'::hitch':
frontend => $frontend,
backend => $backend,
write_proxy_v2 => $write_proxy_v2,
alpn_protos => $alpn_protos,
require => File[$ocsp_dir],
}
file {$ocsp_dir:
ensure => directory,
mode => '0700',
owner => $::hitch::user,
group => $::hitch::group,
notify => Service[$::hitch::service_name],
}
# Provide virtual resources for each possible hitch TLS certificate
# Users can realize the resource using
# realize(::Profile::Hitch::Ssl_Cert[$cert_name])
- $ssl_certs = keys(hiera('ssl'))
+ $ssl_certs = keys(lookup('ssl'))
@::profile::hitch::ssl_cert {$ssl_certs:}
}
diff --git a/manifests/icinga2.pp b/manifests/icinga2.pp
index 10c980e6..6f2bc5a2 100644
--- a/manifests/icinga2.pp
+++ b/manifests/icinga2.pp
@@ -1,12 +1,12 @@
# Icinga2 configuration
class profile::icinga2 {
- $icinga2_role = hiera('icinga2::role')
+ $icinga2_role = lookup('icinga2::role')
include profile::icinga2::apt_config
case $icinga2_role {
'agent': { include profile::icinga2::agent }
'master': { include profile::icinga2::master }
default: { fail("Unknown icinga2::role: ${icinga2_role}") }
}
}
diff --git a/manifests/icinga2/agent.pp b/manifests/icinga2/agent.pp
index 8d6f2bca..f4143998 100644
--- a/manifests/icinga2/agent.pp
+++ b/manifests/icinga2/agent.pp
@@ -1,77 +1,77 @@
# Icinga2 agent configuration
class profile::icinga2::agent {
- $features = hiera('icinga2::features')
- $icinga2_network = hiera('icinga2::network')
- $hiera_host_vars = hiera_hash('icinga2::host::vars')
+ $features = lookup('icinga2::features')
+ $icinga2_network = lookup('icinga2::network')
+ $hiera_host_vars = lookup('icinga2::host::vars', Hash, 'deep')
- $parent_zone = hiera('icinga2::parent_zone')
- $parent_endpoints = hiera('icinga2::parent_endpoints')
+ $parent_zone = lookup('icinga2::parent_zone')
+ $parent_endpoints = lookup('icinga2::parent_endpoints')
include profile::icinga2::objects::agent_checks
$check_mounts = $::mounts.filter |$mount| {
$mount !~ /^\/srv\/containers/
}
$local_host_vars = {
disks => hash(flatten(
$check_mounts.map |$mount| {
["disk ${mount}", {disk_partitions => $mount}]
},
)),
plugins => keys($profile::icinga2::objects::agent_checks::plugins),
}
class {'::icinga2':
confd => true,
features => $features,
}
class { '::icinga2::feature::api':
accept_config => true,
accept_commands => true,
zones => {
'ZoneName' => {
endpoints => ['NodeName'],
parent => $parent_zone,
},
},
}
create_resources('::icinga2::object::endpoint', $parent_endpoints)
::icinga2::object::zone {$parent_zone:
endpoints => keys($parent_endpoints),
}
@@::icinga2::object::endpoint {$::fqdn:
target => "/etc/icinga2/zones.d/${parent_zone}/${::fqdn}.conf",
}
@@::icinga2::object::zone {$::fqdn:
endpoints => [$::fqdn],
parent => $parent_zone,
target => "/etc/icinga2/zones.d/${parent_zone}/${::fqdn}.conf",
}
@@::icinga2::object::host {$::fqdn:
address => ip_for_network($icinga2_network),
display_name => $::fqdn,
check_command => 'hostalive',
vars => deep_merge($local_host_vars, $hiera_host_vars),
target => "/etc/icinga2/zones.d/${parent_zone}/${::fqdn}.conf",
}
icinga2::object::zone { 'global-templates':
global => true,
}
file {['/etc/icinga2/conf.d']:
ensure => directory,
owner => 'nagios',
group => 'nagios',
mode => '0755',
purge => true,
recurse => true,
tag => 'icinga2::config::file',
}
}
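Review bot: `lookup('icinga2::host::vars', Hash, 'deep')` is only equivalent to the old `hiera_hash()` call if hiera.yaml set `:merge_behavior` to `deeper`; with Hiera 3's default `native` behaviour the matching strategy is `'hash'`, which merges top-level keys only. `'deep'` also merges nested hashes and unions nested arrays, so a value set at a specific hierarchy level no longer replaces the one from a more general level. The same conversion is made in manifests/icinga2/master.pp, manifests/icinga2/objects/apiusers.pp, manifests/kafka/server.pp, manifests/mediawiki.pp and manifests/mountpoints.pp; for `icinga2::apiusers` it would make an API user's `permissions` array the union across levels rather than the most specific entry. The old setting is not visible in this change, so confirm it and use `lookup('icinga2::host::vars', Hash, 'hash')` where it was `native`.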
diff --git a/manifests/icinga2/apt_config.pp b/manifests/icinga2/apt_config.pp
index 1704704d..580c3fe1 100644
--- a/manifests/icinga2/apt_config.pp
+++ b/manifests/icinga2/apt_config.pp
@@ -1,20 +1,20 @@
# Icinga2 APT configuration
class profile::icinga2::apt_config {
- $mirror = hiera('icinga2::apt_config::mirror')
- $keyid = hiera('icinga2::apt_config::keyid')
- $key = hiera('icinga2::apt_config::key')
+ $mirror = lookup('icinga2::apt_config::mirror')
+ $keyid = lookup('icinga2::apt_config::keyid')
+ $key = lookup('icinga2::apt_config::key')
apt::source { 'icinga-stable-release':
location => $mirror,
release => "icinga-${::lsbdistcodename}",
repos => 'main',
key => {
id => $keyid,
content => $key,
},
include => {
src => false,
deb => true,
},
}
}
diff --git a/manifests/icinga2/icingaweb2.pp b/manifests/icinga2/icingaweb2.pp
index a47841ac..39d9f316 100644
--- a/manifests/icinga2/icingaweb2.pp
+++ b/manifests/icinga2/icingaweb2.pp
@@ -1,62 +1,62 @@
# Icinga web 2 configuration
class profile::icinga2::icingaweb2 {
- $icinga2_db_username = hiera('icinga2::master::db::username')
- $icinga2_db_password = hiera('icinga2::master::db::password')
- $icinga2_db_database = hiera('icinga2::master::db::database')
-
- $icingaweb2_db_username = hiera('icinga2::icingaweb2::db::username')
- $icingaweb2_db_password = hiera('icinga2::icingaweb2::db::password')
- $icingaweb2_db_database = hiera('icinga2::icingaweb2::db::database')
- $icingaweb2_protected_customvars = hiera('icinga2::icingaweb2::protected_customvars')
+ $icinga2_db_username = lookup('icinga2::master::db::username')
+ $icinga2_db_password = lookup('icinga2::master::db::password')
+ $icinga2_db_database = lookup('icinga2::master::db::database')
+
+ $icingaweb2_db_username = lookup('icinga2::icingaweb2::db::username')
+ $icingaweb2_db_password = lookup('icinga2::icingaweb2::db::password')
+ $icingaweb2_db_database = lookup('icinga2::icingaweb2::db::database')
+ $icingaweb2_protected_customvars = lookup('icinga2::icingaweb2::protected_customvars')
include profile::icinga2::apt_config
include profile::icinga2::icingaweb2::vhost
class {'::icingaweb2':
manage_repo => false,
manage_package => true,
import_schema => true,
db_type => 'pgsql',
db_host => 'localhost',
db_port => 5432,
db_username => $icingaweb2_db_username,
db_password => $icingaweb2_db_password,
require => Postgresql::Server::Db[$icingaweb2_db_database],
}
# Icingaweb2 modules
::postgresql::server::db {$icingaweb2_db_database:
user => $icingaweb2_db_username,
password => postgresql_password($icingaweb2_db_username, $icingaweb2_db_password),
}
class {'::icingaweb2::module::monitoring':
ido_type => 'pgsql',
ido_host => 'localhost',
ido_port => 5432,
ido_db_name => $icinga2_db_database,
ido_db_username => $icinga2_db_username,
ido_db_password => $icinga2_db_password,
protected_customvars => join($icingaweb2_protected_customvars, ', '),
commandtransports => {
icinga2 => {
transport => 'local',
path => '/var/run/icinga2/cmd/icinga2.cmd',
}
}
}
include ::icingaweb2::module::doc
# Icingaweb2 permissions
::icingaweb2::config::role {'guest':
users => 'guest',
permissions => 'module/monitoring',
}
::icingaweb2::config::role {'icinga':
users => 'icinga',
permissions => '*',
}
}
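Review bot: The database passwords at the top of the class are looked up without a value type, so an empty string in the data would be accepted and passed on to `postgresql_password()` and the `::icingaweb2` class. The move to `lookup()` makes a compile-time check cheap: `$icingaweb2_db_password = lookup('icinga2::icingaweb2::db::password', String[1])`, and the same for `icinga2::master::db::password` here and in manifests/icinga2/master.pp. A missing key already fails the lookup; the type only adds the non-empty guarantee.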
diff --git a/manifests/icinga2/icingaweb2/vhost.pp b/manifests/icinga2/icingaweb2/vhost.pp
index e9ad015a..816ef53c 100644
--- a/manifests/icinga2/icingaweb2/vhost.pp
+++ b/manifests/icinga2/icingaweb2/vhost.pp
@@ -1,122 +1,122 @@
# Apache virtual host for icingaweb2
class profile::icinga2::icingaweb2::vhost {
include ::profile::ssl
include ::profile::apache::common
include ::apache::mod::php
- $icingaweb2_vhost_name = hiera('icinga2::icingaweb2::vhost::name')
- $icingaweb2_vhost_aliases = hiera('icinga2::icingaweb2::vhost::aliases')
+ $icingaweb2_vhost_name = lookup('icinga2::icingaweb2::vhost::name')
+ $icingaweb2_vhost_aliases = lookup('icinga2::icingaweb2::vhost::aliases')
$icingaweb2_vhost_docroot = '/usr/share/icingaweb2/public'
- $icingaweb2_vhost_ssl_protocol = hiera('icinga2::icingaweb2::vhost::ssl_protocol')
- $icingaweb2_vhost_ssl_honorcipherorder = hiera('icinga2::icingaweb2::vhost::ssl_honorcipherorder')
- $icingaweb2_vhost_ssl_cipher = hiera('icinga2::icingaweb2::vhost::ssl_cipher')
- $icingaweb2_vhost_hsts_header = hiera('icinga2::icingaweb2::vhost::hsts_header')
+ $icingaweb2_vhost_ssl_protocol = lookup('icinga2::icingaweb2::vhost::ssl_protocol')
+ $icingaweb2_vhost_ssl_honorcipherorder = lookup('icinga2::icingaweb2::vhost::ssl_honorcipherorder')
+ $icingaweb2_vhost_ssl_cipher = lookup('icinga2::icingaweb2::vhost::ssl_cipher')
+ $icingaweb2_vhost_hsts_header = lookup('icinga2::icingaweb2::vhost::hsts_header')
::apache::vhost {"${icingaweb2_vhost_name}_non-ssl":
servername => $icingaweb2_vhost_name,
serveraliases => $icingaweb2_vhost_aliases,
port => '80',
docroot => $icingaweb2_vhost_docroot,
manage_docroot => false, # will be managed by the SSL resource
redirect_status => 'permanent',
redirect_dest => "https://${icingaweb2_vhost_name}/",
}
$ssl_cert_name = 'star_softwareheritage_org'
$ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name]
$ssl_chain = $::profile::ssl::chain_paths[$ssl_cert_name]
$ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name]
::apache::vhost {"${icingaweb2_vhost_name}_ssl":
servername => $icingaweb2_vhost_name,
port => '443',
ssl => true,
ssl_protocol => $icingaweb2_vhost_ssl_protocol,
ssl_honorcipherorder => $icingaweb2_vhost_ssl_honorcipherorder,
ssl_cipher => $icingaweb2_vhost_ssl_cipher,
ssl_cert => $ssl_cert,
ssl_chain => $ssl_chain,
ssl_key => $ssl_key,
headers => [$icingaweb2_vhost_hsts_header],
docroot => $icingaweb2_vhost_docroot,
manage_docroot => false,
directories => [
{
path => $icingaweb2_vhost_docroot,
require => 'all granted',
options => ['SymlinksIfOwnerMatch'],
setenv => ['ICINGAWEB_CONFIGDIR "/etc/icingaweb2"'],
allow_override => ['None'],
rewrites => [
{
rewrite_cond => [
'%{REQUEST_FILENAME} -s [OR]',
'%{REQUEST_FILENAME} -l [OR]',
'%{REQUEST_FILENAME} -d',
],
rewrite_rule => '^.*$ - [NC,L]',
},
{
rewrite_rule => '^.*$ index.php [NC,L]',
}
],
},
],
require => [
File[$ssl_cert],
File[$ssl_chain],
File[$ssl_key],
],
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"icingaweb2 http redirect on ${::fqdn}":
service_name => 'icingaweb2 http redirect',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $icingaweb2_vhost_name,
http_vhost => $icingaweb2_vhost_name,
http_uri => '/',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"icingaweb2 https on ${::fqdn}":
service_name => 'icingaweb2 https',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $icingaweb2_vhost_name,
http_vhost => $icingaweb2_vhost_name,
http_ssl => true,
http_sni => true,
http_uri => '/authentication/login',
http_header => ['Cookie: _chc=1'],
http_string => '
Icinga Web 2 Login',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"icingaweb2 https certificate ${::fqdn}":
service_name => 'icingaweb2 https certificate',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $icingaweb2_vhost_name,
http_vhost => $icingaweb2_vhost_name,
http_ssl => true,
http_sni => true,
http_certificate => 60,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
diff --git a/manifests/icinga2/master.pp b/manifests/icinga2/master.pp
index e025eff2..acb6f369 100644
--- a/manifests/icinga2/master.pp
+++ b/manifests/icinga2/master.pp
@@ -1,101 +1,101 @@
# An icinga master host
class profile::icinga2::master {
- $zonename = hiera('icinga2::master::zonename')
- $features = hiera('icinga2::features')
- $icinga2_network = hiera('icinga2::network')
+ $zonename = lookup('icinga2::master::zonename')
+ $features = lookup('icinga2::features')
+ $icinga2_network = lookup('icinga2::network')
- $hiera_host_vars = hiera_hash('icinga2::host::vars')
+ $hiera_host_vars = lookup('icinga2::host::vars', Hash, 'deep')
- $icinga2_db_username = hiera('icinga2::master::db::username')
- $icinga2_db_password = hiera('icinga2::master::db::password')
- $icinga2_db_database = hiera('icinga2::master::db::database')
+ $icinga2_db_username = lookup('icinga2::master::db::username')
+ $icinga2_db_password = lookup('icinga2::master::db::password')
+ $icinga2_db_database = lookup('icinga2::master::db::database')
include profile::icinga2::objects
include profile::icinga2::objects::agent_checks
$local_host_vars = {
disks => hash(flatten(
$::mounts.map |$mount| {
["disk ${mount}", {disk_partitions => $mount}]
},
)),
plugins => keys($profile::icinga2::objects::agent_checks::plugins),
}
include ::postgresql::server
::postgresql::server::db {$icinga2_db_database:
user => $icinga2_db_username,
password => postgresql_password($icinga2_db_username, $icinga2_db_password)
}
class {'::icinga2':
confd => true,
features => $features,
constants => {
'ZoneName' => $zonename,
},
}
class { '::icinga2::feature::api':
accept_commands => true,
zones => {},
endpoints => {},
}
class { '::icinga2::feature::idopgsql':
user => $icinga2_db_username,
password => $icinga2_db_password,
database => $icinga2_db_database,
import_schema => true,
require => Postgresql::Server::Db[$icinga2_db_database],
}
@@::icinga2::object::endpoint {$::fqdn:
target => "/etc/icinga2/zones.d/${zonename}/${::fqdn}.conf",
}
@@::icinga2::object::zone {$zonename:
endpoints => [$::fqdn],
target => "/etc/icinga2/zones.d/${zonename}/${::fqdn}.conf",
}
@@::icinga2::object::host {$::fqdn:
address => ip_for_network($icinga2_network),
display_name => $::fqdn,
check_command => 'hostalive',
vars => deep_merge($local_host_vars, $hiera_host_vars),
target => "/etc/icinga2/zones.d/${zonename}/${::fqdn}.conf",
}
::Icinga2::Object::Host <<| |>>
::Icinga2::Object::Endpoint <<| |>>
::Icinga2::Object::Zone <<| |>>
::icinga2::object::zone { 'global-templates':
global => true,
}
file {[
'/etc/icinga2/zones.d/global-templates',
"/etc/icinga2/zones.d/${zonename}",
]:
ensure => directory,
owner => 'nagios',
group => 'nagios',
mode => '0755',
tag => 'icinga2::config::file',
recurse => true,
purge => true,
}
file {'/etc/icinga2/conf.d':
ensure => directory,
owner => 'nagios',
group => 'nagios',
mode => '0755',
purge => true,
recurse => true,
tag => 'icinga2::config::file',
}
}
diff --git a/manifests/icinga2/objects/apiusers.pp b/manifests/icinga2/objects/apiusers.pp
index 1925f5bc..0617ddf1 100644
--- a/manifests/icinga2/objects/apiusers.pp
+++ b/manifests/icinga2/objects/apiusers.pp
@@ -1,13 +1,13 @@
# Icinga2 API users
class profile::icinga2::objects::apiusers {
$apiuser_file = '/etc/icinga2/conf.d/api-users.conf'
- $apiusers = hiera_hash('icinga2::apiusers')
+ $apiusers = lookup('icinga2::apiusers', Hash, 'deep')
each($apiusers) |$name, $data| {
::icinga2::object::apiuser {$name:
password => $data['password'],
permissions => $data['permissions'],
target => $apiuser_file,
}
}
}
diff --git a/manifests/icinga2/objects/common_checks.pp b/manifests/icinga2/objects/common_checks.pp
index dea745ca..27aef79b 100644
--- a/manifests/icinga2/objects/common_checks.pp
+++ b/manifests/icinga2/objects/common_checks.pp
@@ -1,82 +1,82 @@
# Icinga2 common check definitions
class profile::icinga2::objects::common_checks {
- $service_configuration = hiera('icinga2::service_configuration')
+ $service_configuration = lookup('icinga2::service_configuration')
# Done locally on the master
::icinga2::object::service {'ping4':
import => ['generic-service'],
apply => true,
check_command => 'ping4',
assign => ['host.address'],
target => '/etc/icinga2/zones.d/global-templates/services.conf',
}
::icinga2::object::service {'linux-ssh':
import => ['generic-service'],
apply => true,
check_command => 'ssh',
assign => ['host.vars.os == Linux'],
target => '/etc/icinga2/zones.d/global-templates/services.conf',
}
# Done remotely on the client: command_endpoint = host.name.
each($service_configuration['load']) |$name, $vars| {
if $name == 'default' {
$assign = 'host.vars.os == Linux'
$ignore = 'host.vars.noagent || host.vars.load'
} else {
$assign = "host.vars.os == Linux && host.vars.load == ${name}"
$ignore = 'host.vars.noagent'
}
::icinga2::object::service {"linux_load_${name}":
import => ['generic-service'],
service_name => 'load',
apply => true,
check_command => 'load',
command_endpoint => 'host.name',
assign => [$assign],
ignore => [$ignore],
target => '/etc/icinga2/zones.d/global-templates/services.conf',
vars => $vars,
}
}
::icinga2::object::service {'linux_disks':
import => ['generic-service'],
apply => 'disk_name => config in host.vars.disks',
check_command => 'disk',
command_endpoint => 'host.name',
vars => 'vars + config',
assign => ['host.vars.os == Linux'],
ignore => ['host.vars.noagent'],
target => '/etc/icinga2/zones.d/global-templates/services.conf',
}
::icinga2::object::service {'apt':
import => ['generic-service'],
apply => true,
check_command => 'apt',
command_endpoint => 'host.name',
check_interval => '3h',
vars => {
apt_timeout => '120',
apt_only_critical => 'true',
},
assign => ['host.vars.os == Linux'],
ignore => ['host.vars.noagent'],
target => '/etc/icinga2/zones.d/global-templates/services.conf',
}
::icinga2::object::service {'journalbeat':
import => ['generic-service'],
apply => true,
check_command => 'check_journal',
command_endpoint => 'host.name',
assign => ['host.vars.os == Linux'],
ignore => ['-:"check_journal" !in host.vars.plugins', 'host.vars.noagent'],
target => '/etc/icinga2/zones.d/global-templates/services.conf',
}
}
diff --git a/manifests/kafka/server.pp b/manifests/kafka/server.pp
index 4781c68a..4ed7f8ef 100644
--- a/manifests/kafka/server.pp
+++ b/manifests/kafka/server.pp
@@ -1,14 +1,14 @@
# Kafka server profile
class profile::kafka::server {
include ::profile::zookeeper::server
class {'::kafka':}
class {'::kafka::server':
- log_dirs => hiera_array('kafka::log_dirs'),
- brokers => hiera_hash('kafka::brokers'),
- zookeeper_hosts => hiera_array('kafka::zookeeper::hosts'),
- zookeeper_chroot => hiera('kafka::zookeeper::chroot'),
+ log_dirs => lookup('kafka::log_dirs', Array, 'unique'),
+ brokers => lookup('kafka::brokers', Hash, 'deep'),
+ zookeeper_hosts => lookup('kafka::zookeeper::hosts', Array, 'unique'),
+ zookeeper_chroot => lookup('kafka::zookeeper::chroot'),
}
}
diff --git a/manifests/mediawiki.pp b/manifests/mediawiki.pp
index d293be58..5457eb4a 100644
--- a/manifests/mediawiki.pp
+++ b/manifests/mediawiki.pp
@@ -1,136 +1,136 @@
# Deployment of mediawiki for the Software Heritage intranet
class profile::mediawiki {
- $mediawiki_fpm_root = hiera('mediawiki::php::fpm_listen')
+ $mediawiki_fpm_root = lookup('mediawiki::php::fpm_listen')
- $mediawiki_vhosts = hiera_hash('mediawiki::vhosts')
+ $mediawiki_vhosts = lookup('mediawiki::vhosts', Hash, 'deep')
include ::php::fpm::daemon
::php::fpm::conf {'mediawiki':
listen => $mediawiki_fpm_root,
user => 'www-data',
}
include ::profile::ssl
$ssl_cert_name = 'star_softwareheritage_org'
$ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name]
$ssl_chain = $::profile::ssl::chain_paths[$ssl_cert_name]
$ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name]
include ::mediawiki
- $mediawiki_vhost_docroot = hiera('mediawiki::vhost::docroot')
- $mediawiki_vhost_ssl_protocol = hiera('mediawiki::vhost::ssl_protocol')
- $mediawiki_vhost_ssl_honorcipherorder = hiera('mediawiki::vhost::ssl_honorcipherorder')
- $mediawiki_vhost_ssl_cipher = hiera('mediawiki::vhost::ssl_cipher')
- $mediawiki_vhost_hsts_header = hiera('mediawiki::vhost::hsts_header')
+ $mediawiki_vhost_docroot = lookup('mediawiki::vhost::docroot')
+ $mediawiki_vhost_ssl_protocol = lookup('mediawiki::vhost::ssl_protocol')
+ $mediawiki_vhost_ssl_honorcipherorder = lookup('mediawiki::vhost::ssl_honorcipherorder')
+ $mediawiki_vhost_ssl_cipher = lookup('mediawiki::vhost::ssl_cipher')
+ $mediawiki_vhost_hsts_header = lookup('mediawiki::vhost::hsts_header')
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
each ($mediawiki_vhosts) |$name, $data| {
$secret_key = $data['secret_key']
$upgrade_key = $data['upgrade_key']
$site_name = $data['site_name']
$basic_auth_content = $data['basic_auth_content']
::mediawiki::instance { $name:
vhost_docroot => $mediawiki_vhost_docroot,
vhost_aliases => $data['aliases'],
vhost_fpm_root => $mediawiki_fpm_root,
vhost_basic_auth => $basic_auth_content,
vhost_ssl_protocol => $mediawiki_vhost_ssl_protocol,
vhost_ssl_honorcipherorder => $mediawiki_vhost_ssl_honorcipherorder,
vhost_ssl_cipher => $mediawiki_vhost_ssl_cipher,
vhost_ssl_cert => $ssl_cert,
vhost_ssl_chain => $ssl_chain,
vhost_ssl_key => $ssl_key,
vhost_ssl_hsts_header => $mediawiki_vhost_hsts_header,
db_host => 'localhost',
db_basename => $data['mysql']['dbname'],
db_user => $data['mysql']['username'],
db_password => $data['mysql']['password'],
secret_key => $secret_key,
upgrade_key => $upgrade_key,
swh_logo => $data['swh_logo'],
site_name => $site_name,
}
@@::icinga2::object::service {"mediawiki (${name}) http redirect on ${::fqdn}":
service_name => "mediawiki ${name} http redirect",
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $name,
http_vhost => $name,
http_uri => '/',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
if $basic_auth_content != '' {
$extra_vars = {
http_expect => '401 Unauthorized',
}
@@::icinga2::object::service {"mediawiki ${name} https + auth on ${::fqdn}":
service_name => "mediawiki ${name} + auth",
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $name,
http_vhost => $name,
http_ssl => true,
http_sni => true,
http_uri => '/',
http_onredirect => sticky,
http_auth_pair => $data['icinga_http_auth_pair'],
http_string => "${site_name}",
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
} else {
$extra_vars = {
http_string => "${site_name}",
}
}
@@::icinga2::object::service {"mediawiki ${name} https on ${::fqdn}":
service_name => "mediawiki ${name}",
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $name,
http_vhost => $name,
http_ssl => true,
http_sni => true,
http_uri => '/',
http_onredirect => sticky,
} + $extra_vars,
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"mediawiki ${name} https certificate ${::fqdn}":
service_name => "mediawiki ${name} https certificate",
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_vhost => $name,
http_address => $name,
http_ssl => true,
http_sni => true,
http_certificate => 60,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
}
diff --git a/manifests/memcached.pp b/manifests/memcached.pp
index e36d99f2..0c35c3cc 100644
--- a/manifests/memcached.pp
+++ b/manifests/memcached.pp
@@ -1,12 +1,12 @@
# Install and configure local memcached server
class profile::memcached {
- $memcached_bind = hiera('memcached::server::bind')
- $memcached_port = hiera('memcached::server::port')
- $memcached_memory = hiera('memcached::server::max_memory')
+ $memcached_bind = lookup('memcached::server::bind')
+ $memcached_port = lookup('memcached::server::port')
+ $memcached_memory = lookup('memcached::server::max_memory')
class {'::memcached':
listen_ip => $memcached_bind,
tcp_port => $memcached_port,
max_memory => $memcached_max_memory,
}
}
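Review bot: `max_memory => $memcached_max_memory` refers to a variable that is never assigned; the lookup result is stored in `$memcached_memory`. Unless strict variables are enabled the reference evaluates to undef, so the `memcached::server::max_memory` value from the data is silently ignored and presumably the module default applies. The commit touches the assignment but keeps the mismatch; rename it to `$memcached_max_memory = lookup('memcached::server::max_memory')`.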
diff --git a/manifests/mountpoints.pp b/manifests/mountpoints.pp
index 3f890ef8..8ab2beb9 100644
--- a/manifests/mountpoints.pp
+++ b/manifests/mountpoints.pp
@@ -1,31 +1,31 @@
# Handle mount points
class profile::mountpoints {
- $mountpoints = hiera_hash('mountpoints')
+ $mountpoints = lookup('mountpoints', Hash, 'deep')
each($mountpoints) |$mountpoint, $config| {
if (has_key($config, 'options') and $config['options'] =~ Array) {
$mount_config = $config + {
options => join($config['options'], ','),
}
} else {
$mount_config = $config
}
exec {"create ${mountpoint}":
creates => $mountpoint,
command => "mkdir -p ${mountpoint}",
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
} -> file {$mountpoint:}
mount {
default:
ensure => present,
dump => 0,
pass => 0,
options => 'defaults';
$mountpoint:
* => $mount_config,
require => File[$mountpoint],
}
}
}
diff --git a/manifests/munin/master.pp b/manifests/munin/master.pp
index 91886a26..f7a518b8 100644
--- a/manifests/munin/master.pp
+++ b/manifests/munin/master.pp
@@ -1,59 +1,59 @@
# Munin master class
class profile::munin::master {
- $master_hostname = hiera('munin::master::hostname')
+ $master_hostname = lookup('munin::master::hostname')
$master_hostname_domain = join(delete_at(split($master_hostname, '[.]'), 0), '.')
$master_hostname_target = "${::hostname}.${master_hostname_domain}."
class { '::munin::master':
extra_config => ["cgiurl_graph http://$master_hostname"],
}
include ::profile::apache::common
include ::apache::mod::rewrite
include ::apache::mod::fcgid
apache::vhost { $master_hostname:
port => 80,
docroot => '/var/www/html',
rewrites => [
{
comment => 'static resources',
rewrite_rule => [
'^/favicon.ico /etc/munin/static/favicon.ico [L]',
'^/static/(.*) /etc/munin/static/$1 [L]',
],
},
{
comment => 'HTML',
rewrite_cond => [
'%{REQUEST_URI} .html$ [or]',
'%{REQUEST_URI} =/',
],
rewrite_rule => [
'^/(.*) /usr/lib/munin/cgi/munin-cgi-html/$1 [L]',
],
},
{
comment => 'Images',
rewrite_rule => [
'^/munin-cgi/munin-cgi-graph/(.*) /usr/lib/munin/cgi/munin-cgi-graph/$1 [L]',
'^/(.*) /usr/lib/munin/cgi/munin-cgi-graph/$1 [L]',
],
},
],
directories => [
{ 'path' => '/usr/lib/munin/cgi',
'options' => '+ExecCGI',
'sethandler' => 'fcgid-script' },
],
}
- $bind_key = hiera('bind::update_key')
+ $bind_key = lookup('bind::update_key')
@@resource_record { 'munin/CNAME':
record => $master_hostname,
type => 'CNAME',
data => $master_hostname_target,
keyfile => "/etc/bind/keys/${bind_key}",
}
}
diff --git a/manifests/munin/node.pp b/manifests/munin/node.pp
index c4966a50..6db0cfb8 100644
--- a/manifests/munin/node.pp
+++ b/manifests/munin/node.pp
@@ -1,41 +1,41 @@
# Munin node class
class profile::munin::node {
- $munin_node_allow = hiera('munin::node::allow')
- $munin_node_network = hiera('munin::node::network')
- $munin_node_plugins_disable = hiera_array('munin::node::plugins::disable')
- $munin_node_plugins_enable = hiera_array('munin::node::plugins::enable')
+ $munin_node_allow = lookup('munin::node::allow')
+ $munin_node_network = lookup('munin::node::network')
+ $munin_node_plugins_disable = lookup('munin::node::plugins::disable', Array, 'unique')
+ $munin_node_plugins_enable = lookup('munin::node::plugins::enable', Array, 'unique')
class { '::munin::node':
allow => $munin_node_allow,
address => ip_for_network($munin_node_network),
bind_address => ip_for_network($munin_node_network),
masterconfig => [
'',
'# The apt plugin doesn\'t graph by default. Let\'s make it.',
'apt.graph yes',
'apt.graph_category system',
'apt.graph_vlabel Total Packages',
'',
'# Move the libvirt plugins to a spaceless category',
'libvirt_blkstat.graph_category virtualization',
'libvirt_cputime.graph_category virtualization',
'libvirt_ifstat.graph_category virtualization',
'libvirt_mem.graph_category virtualization',
],
}
munin::plugin { $munin_node_plugins_enable:
ensure => link,
}
munin::plugin { $munin_node_plugins_disable:
ensure => absent,
}
file_line { 'disable munin-node cron mail':
ensure => present,
path => '/etc/cron.d/munin-node',
line => 'MAILTO=""',
match => '^MAILTO=',
require => Package['munin-node'],
}
}
diff --git a/manifests/munin/plugins/rabbitmq.pp b/manifests/munin/plugins/rabbitmq.pp
index 228e5114..e8c0ca08 100644
--- a/manifests/munin/plugins/rabbitmq.pp
+++ b/manifests/munin/plugins/rabbitmq.pp
@@ -1,41 +1,41 @@
class profile::munin::plugins::rabbitmq {
- $messages_warn = hiera('munin::plugins::rabbitmq::messages_warn')
- $messages_crit = hiera('munin::plugins::rabbitmq::messages_crit')
- $queue_memory_warn = hiera('munin::plugins::rabbitmq::queue_memory_warn')
- $queue_memory_crit = hiera('munin::plugins::rabbitmq::queue_memory_crit')
+ $messages_warn = lookup('munin::plugins::rabbitmq::messages_warn')
+ $messages_crit = lookup('munin::plugins::rabbitmq::messages_crit')
+ $queue_memory_warn = lookup('munin::plugins::rabbitmq::queue_memory_warn')
+ $queue_memory_crit = lookup('munin::plugins::rabbitmq::queue_memory_crit')
munin::plugin {
'rabbitmq_connections':
ensure => present,
source => 'puppet:///modules/profile/munin/rabbitmq/rabbitmq_connections',
config => ['user root'];
'rabbitmq_consumers':
ensure => present,
source => 'puppet:///modules/profile/munin/rabbitmq/rabbitmq_consumers',
config => ['user root'];
'rabbitmq_messages':
ensure => present,
source => 'puppet:///modules/profile/munin/rabbitmq/rabbitmq_messages',
config => [
'user root',
"env.queue_warn ${messages_warn}",
"env.queue_crit ${messages_crit}",
];
'rabbitmq_messages_unacknowledged':
ensure => present,
source => 'puppet:///modules/profile/munin/rabbitmq/rabbitmq_messages_unacknowledged',
config => ['user root'];
'rabbitmq_messages_uncommitted':
ensure => present,
source => 'puppet:///modules/profile/munin/rabbitmq/rabbitmq_messages_uncommitted',
config => ['user root'];
'rabbitmq_queue_memory':
ensure => present,
source => 'puppet:///modules/profile/munin/rabbitmq/rabbitmq_queue_memory',
config => [
'user root',
"env.queue_warn ${queue_memory_warn}",
"env.queue_crit ${queue_memory_crit}",
];
}
}
diff --git a/manifests/munin/stats_export.pp b/manifests/munin/stats_export.pp
index 810b702b..79a9d353 100644
--- a/manifests/munin/stats_export.pp
+++ b/manifests/munin/stats_export.pp
@@ -1,84 +1,84 @@
# stats_export master class
class profile::munin::stats_export {
- $vhost_name = hiera('stats_export::vhost::name')
- $vhost_docroot = hiera('stats_export::vhost::docroot')
- $vhost_ssl_protocol = hiera('stats_export::vhost::ssl_protocol')
- $vhost_ssl_honorcipherorder = hiera('stats_export::vhost::ssl_honorcipherorder')
- $vhost_ssl_cipher = hiera('stats_export::vhost::ssl_cipher')
- $vhost_hsts_header = hiera('stats_export::vhost::hsts_header')
+ $vhost_name = lookup('stats_export::vhost::name')
+ $vhost_docroot = lookup('stats_export::vhost::docroot')
+ $vhost_ssl_protocol = lookup('stats_export::vhost::ssl_protocol')
+ $vhost_ssl_honorcipherorder = lookup('stats_export::vhost::ssl_honorcipherorder')
+ $vhost_ssl_cipher = lookup('stats_export::vhost::ssl_cipher')
+ $vhost_hsts_header = lookup('stats_export::vhost::hsts_header')
$export_file = "${vhost_docroot}/history_counters.json"
$packages = ['python3-click']
package {$packages:
ensure => present,
}
file {'/usr/local/bin/export-rrd':
ensure => present,
owner => 'root',
group => 'root',
mode => '0755',
source => 'puppet:///modules/profile/munin/stats_export/export-rrd',
require => Package[$packages],
}
cron {'stats_export':
ensure => present,
user => 'www-data',
command => "/usr/local/bin/export-rrd > ${export_file}.tmp && /bin/mv ${export_file}.tmp ${export_file}",
hour => fqdn_rand(24, 'stats_export_hour'),
minute => fqdn_rand(60, 'stats_export_minute'),
month => '*',
monthday => '*',
weekday => '*',
require => [
File['/usr/local/bin/export-rrd'],
File[$vhost_docroot],
],
}
file {$vhost_docroot:
ensure => directory,
owner => 'www-data',
group => 'www-data',
mode => '0755',
}
include ::profile::apache::common
include ::profile::ssl
::apache::vhost {"${vhost_name}_non-ssl":
servername => $vhost_name,
port => '80',
docroot => $vhost_docroot,
redirect_status => 'permanent',
redirect_dest => "https://${vhost_name}/",
}
$ssl_cert_name = 'stats_export_softwareheritage_org'
$ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name]
$ssl_chain = $::profile::ssl::chain_paths[$ssl_cert_name]
$ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name]
::apache::vhost {"${vhost_name}_ssl":
servername => $vhost_name,
port => '443',
ssl => true,
ssl_protocol => $vhost_ssl_protocol,
ssl_honorcipherorder => $vhost_ssl_honorcipherorder,
ssl_cipher => $vhost_ssl_cipher,
ssl_cert => $ssl_cert,
ssl_chain => $ssl_chain,
ssl_key => $ssl_key,
headers => [$vhost_hsts_header],
docroot => $vhost_docroot,
require => [
File[$ssl_cert],
File[$ssl_chain],
File[$ssl_key],
],
}
}
diff --git a/manifests/network.pp b/manifests/network.pp
index 0ee5dee9..70ec6b32 100644
--- a/manifests/network.pp
+++ b/manifests/network.pp
@@ -1,47 +1,47 @@
# Network configuration for Software Heritage servers
#
# Supports one private and one public interface
class profile::network {
debnet::iface::loopback { 'lo': }
- $interfaces = hiera('networks')
+ $interfaces = lookup('networks')
each($interfaces) |$label, $data| {
if $label == 'private' {
file_line {'private route table':
ensure => 'present',
line => '42 private',
path => '/etc/iproute2/rt_tables',
}
$ups = [
"ip route add 192.168.101.0/24 via ${data['gateway']}",
"ip route add 192.168.200.0/21 via ${data['gateway']}",
"ip rule add from ${data['address']} table private",
"ip route add default via ${data['gateway']} dev ${data['interface']} table private",
'ip route flush cache',
]
$downs = [
"ip route del default via ${data['gateway']} dev ${data['interface']} table private",
"ip rule del from ${data['address']} table private",
"ip route del 192.168.200.0/24 via ${data['gateway']}",
"ip route del 192.168.101.0/24 via ${data['gateway']}",
'ip route flush cache',
]
$gateway = undef
} else {
$ups = []
$downs = []
$gateway = $data['gateway']
}
debnet::iface { $data['interface']:
method => 'static',
address => $data['address'],
netmask => $data['netmask'],
gateway => $gateway,
ups => $ups,
downs => $downs,
}
}
}
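Review bot: The `$downs` list removes `192.168.200.0/24` while `$ups` adds `192.168.200.0/21`, so the `ip route del` will not match the route that was installed and it is left behind when the private interface goes down. One of the two prefixes is presumably a typo; if /21 is the intended range, the down command should read `"ip route del 192.168.200.0/21 via ${data['gateway']}"`. The mismatch predates this change, which only swaps `hiera('networks')` for `lookup('networks')`.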
diff --git a/manifests/nginx.pp b/manifests/nginx.pp
index 8018f643..393ea901 100644
--- a/manifests/nginx.pp
+++ b/manifests/nginx.pp
@@ -1,12 +1,12 @@
# Deployment of nginx as a reverse proxy for Software Heritage RPC servers
class profile::nginx {
- $accept_mutex = hiera('nginx::accept_mutex')
- $package_name = hiera('nginx::package_name')
+ $accept_mutex = lookup('nginx::accept_mutex')
+ $package_name = lookup('nginx::package_name')
class {'::nginx':
package_name => $package_name,
manage_repo => false,
accept_mutex => $accept_mutex,
}
}
diff --git a/manifests/phabricator.pp b/manifests/phabricator.pp
index 0a4e8565..bbdf4b7e 100644
--- a/manifests/phabricator.pp
+++ b/manifests/phabricator.pp
@@ -1,332 +1,332 @@
# Setup an instance of phabricator
class profile::phabricator {
- $phabricator_basepath = hiera('phabricator::basepath')
- $phabricator_user = hiera('phabricator::user')
- $phabricator_vcs_user = hiera('phabricator::vcs_user')
-
- $phabricator_db_root_password = hiera('phabricator::mysql::root_password')
- $phabricator_db_basename = hiera('phabricator::mysql::database_prefix')
- $phabricator_db_user = hiera('phabricator::mysql::username')
- $phabricator_db_password = hiera('phabricator::mysql::password')
-
- $phabricator_db_max_allowed_packet = hiera('phabricator::mysql::conf::max_allowed_packet')
- $phabricator_db_sql_mode = hiera('phabricator::mysql::conf::sql_mode')
- $phabricator_db_ft_stopword_file = hiera('phabricator::mysql::conf::ft_stopword_file')
- $phabricator_db_ft_min_word_len = hiera('phabricator::mysql::conf::ft_min_word_len')
- $phabricator_db_ft_boolean_syntax = hiera('phabricator::mysql::conf::ft_boolean_syntax')
- $phabricator_db_innodb_buffer_pool_size = hiera('phabricator::mysql::conf::innodb_buffer_pool_size')
- $phabricator_db_innodb_file_per_table = hiera('phabricator::mysql::conf::innodb_file_per_table')
- $phabricator_db_innodb_flush_method = hiera('phabricator::mysql::conf::innodb_flush_method')
- $phabricator_db_innodb_log_file_size = hiera('phabricator::mysql::conf::innodb_log_file_size')
-
- $phabricator_fpm_listen = hiera('phabricator::php::fpm_listen')
- $phabricator_max_size = hiera('phabricator::php::max_file_size')
- $phabricator_opcache_validate_timestamps = hiera('phabricator::php::opcache_validate_timestamps')
-
- $phabricator_notification_listen = hiera('phabricator::notification::listen')
- $phabricator_notification_client_host = hiera('phabricator::notification::client_host')
- $phabricator_notification_client_port = hiera('phabricator::notification::client_port')
-
- $phabricator_vhost_name = hiera('phabricator::vhost::name')
- $phabricator_vhost_docroot = hiera('phabricator::vhost::docroot')
+ $phabricator_basepath = lookup('phabricator::basepath')
+ $phabricator_user = lookup('phabricator::user')
+ $phabricator_vcs_user = lookup('phabricator::vcs_user')
+
+ $phabricator_db_root_password = lookup('phabricator::mysql::root_password')
+ $phabricator_db_basename = lookup('phabricator::mysql::database_prefix')
+ $phabricator_db_user = lookup('phabricator::mysql::username')
+ $phabricator_db_password = lookup('phabricator::mysql::password')
+
+ $phabricator_db_max_allowed_packet = lookup('phabricator::mysql::conf::max_allowed_packet')
+ $phabricator_db_sql_mode = lookup('phabricator::mysql::conf::sql_mode')
+ $phabricator_db_ft_stopword_file = lookup('phabricator::mysql::conf::ft_stopword_file')
+ $phabricator_db_ft_min_word_len = lookup('phabricator::mysql::conf::ft_min_word_len')
+ $phabricator_db_ft_boolean_syntax = lookup('phabricator::mysql::conf::ft_boolean_syntax')
+ $phabricator_db_innodb_buffer_pool_size = lookup('phabricator::mysql::conf::innodb_buffer_pool_size')
+ $phabricator_db_innodb_file_per_table = lookup('phabricator::mysql::conf::innodb_file_per_table')
+ $phabricator_db_innodb_flush_method = lookup('phabricator::mysql::conf::innodb_flush_method')
+ $phabricator_db_innodb_log_file_size = lookup('phabricator::mysql::conf::innodb_log_file_size')
+
+ $phabricator_fpm_listen = lookup('phabricator::php::fpm_listen')
+ $phabricator_max_size = lookup('phabricator::php::max_file_size')
+ $phabricator_opcache_validate_timestamps = lookup('phabricator::php::opcache_validate_timestamps')
+
+ $phabricator_notification_listen = lookup('phabricator::notification::listen')
+ $phabricator_notification_client_host = lookup('phabricator::notification::client_host')
+ $phabricator_notification_client_port = lookup('phabricator::notification::client_port')
+
+ $phabricator_vhost_name = lookup('phabricator::vhost::name')
+ $phabricator_vhost_docroot = lookup('phabricator::vhost::docroot')
$phabricator_vhost_basic_auth_file = "${phabricator_basepath}/http_auth"
- $phabricator_vhost_basic_auth_content = hiera('phabricator::vhost::basic_auth_content')
- $phabricator_vhost_ssl_protocol = hiera('phabricator::vhost::ssl_protocol')
- $phabricator_vhost_ssl_honorcipherorder = hiera('phabricator::vhost::ssl_honorcipherorder')
- $phabricator_vhost_ssl_cipher = hiera('phabricator::vhost::ssl_cipher')
- $phabricator_vhost_hsts_header = hiera('phabricator::vhost::hsts_header')
+ $phabricator_vhost_basic_auth_content = lookup('phabricator::vhost::basic_auth_content')
+ $phabricator_vhost_ssl_protocol = lookup('phabricator::vhost::ssl_protocol')
+ $phabricator_vhost_ssl_honorcipherorder = lookup('phabricator::vhost::ssl_honorcipherorder')
+ $phabricator_vhost_ssl_cipher = lookup('phabricator::vhost::ssl_cipher')
+ $phabricator_vhost_hsts_header = lookup('phabricator::vhost::hsts_header')
include ::systemd
$homedirs = {
$phabricator_user => $phabricator_basepath,
$phabricator_vcs_user => "${phabricator_basepath}/vcshome",
}
$homedir_modes = {
$phabricator_user => '0644',
$phabricator_vcs_user => '0640',
}
each([$phabricator_user, $phabricator_vcs_user]) |$name| {
user {$name:
ensure => present,
system => true,
shell => '/bin/bash',
home => $homedirs[$name],
}
file {$homedirs[$name]:
ensure => directory,
owner => $name,
group => $name,
mode => $homedir_modes[$name],
}
}
::sudo::conf {'phabricator-ssh':
ensure => present,
content => "${phabricator_vcs_user} ALL=(${phabricator_user}) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/hg",
}
::sudo::conf {'phabricator-http':
ensure => present,
content => "www-data ALL=(${phabricator_user}) SETENV: NOPASSWD: /usr/bin/git-http-backend, /usr/bin/hg",
require => File['/usr/bin/git-http-backend'],
}
file {'/usr/bin/git-http-backend':
ensure => link,
target => '/usr/lib/git-core/git-http-backend',
}
$phabricator_ssh_hook = '/usr/bin/phabricator-ssh-hook.sh'
$phabricator_ssh_config = '/etc/ssh/ssh_config.phabricator'
file {$phabricator_ssh_hook:
ensure => present,
owner => 'root',
group => 'root',
mode => '0755',
content => template('profile/phabricator/phabricator-ssh-hook.sh.erb'),
}
file {$phabricator_ssh_config:
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => template('profile/phabricator/sshd_config.phabricator.erb'),
require => File[$phabricator_ssh_hook],
}
file {'/etc/systemd/system/phabricator-sshd.service':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/phabricator/phabricator-sshd.service.erb'),
notify => Exec['systemd-daemon-reload'],
require => File[$phabricator_ssh_config],
}
service {'phabricator-sshd':
ensure => 'running',
enable => true,
require => [
File['/etc/systemd/system/phabricator-sshd.service'],
Exec['systemd-daemon-reload'],
],
}
include ::mysql::client
class {'::mysql::server':
root_password => $phabricator_db_root_password,
override_options => {
mysqld => {
max_allowed_packet => $phabricator_db_max_allowed_packet,
sql_mode => $phabricator_db_sql_mode,
ft_stopword_file => $phabricator_db_ft_stopword_file,
ft_min_word_len => $phabricator_db_ft_min_word_len,
ft_boolean_syntax => $phabricator_db_ft_boolean_syntax,
innodb_buffer_pool_size => $phabricator_db_innodb_buffer_pool_size,
innodb_file_per_table => $phabricator_db_innodb_file_per_table,
innodb_flush_method => $phabricator_db_innodb_flush_method,
innodb_log_file_size => $phabricator_db_innodb_log_file_size,
}
}
}
$mysql_username = "${phabricator_db_user}@localhost"
$mysql_tables = "${phabricator_db_basename}_%.*"
mysql_user {$mysql_username:
ensure => present,
password_hash => mysql_password($phabricator_db_password),
}
mysql_grant {"${mysql_username}/${mysql_tables}":
user => $mysql_username,
table => $mysql_tables,
privileges => ['ALL'],
require => Mysql_user[$mysql_username],
}
include ::php::cli
include ::php::fpm::daemon
::php::ini {'/etc/php/7.1/cli/php.ini':}
::php::fpm::conf {'phabricator':
listen => $phabricator_fpm_listen,
user => 'www-data',
php_admin_value => {
post_max_size => $phabricator_max_size,
upload_max_filesize => $phabricator_max_size,
'opcache.validate_timestamps' => $phabricator_opcache_validate_timestamps,
},
}
::php::module {[
'apcu',
'curl',
'gd',
'mailparse',
'mysql',
]:
}
include ::profile::ssl
include ::profile::apache::common
include ::apache::mod::proxy
include ::profile::apache::mod_proxy_fcgi
::apache::mod {'proxy_wstunnel':}
::apache::vhost {"${phabricator_vhost_name}_non-ssl":
servername => $phabricator_vhost_name,
port => '80',
docroot => $phabricator_vhost_docroot,
docroot_owner => $phabricator_user,
docroot_group => $phabricator_user,
redirect_status => 'permanent',
redirect_dest => "https://${phabricator_vhost_name}/",
}
$ssl_cert_name = 'star_softwareheritage_org'
$ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name]
$ssl_chain = $::profile::ssl::chain_paths[$ssl_cert_name]
$ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name]
::apache::vhost {"${phabricator_vhost_name}_ssl":
servername => $phabricator_vhost_name,
port => '443',
ssl => true,
ssl_protocol => $phabricator_vhost_ssl_protocol,
ssl_honorcipherorder => $phabricator_vhost_ssl_honorcipherorder,
ssl_cipher => $phabricator_vhost_ssl_cipher,
ssl_cert => $ssl_cert,
ssl_chain => $ssl_chain,
ssl_key => $ssl_key,
headers => [$phabricator_vhost_hsts_header],
docroot => $phabricator_vhost_docroot,
docroot_owner => $phabricator_user,
docroot_group => $phabricator_user,
rewrites => [
{ rewrite_rule => '^/rsrc/(.*) - [L,QSA]' },
{ rewrite_rule => '^/favicon.ico - [L,QSA]' },
{ rewrite_rule => "^/ws/(.*)$ ws://${phabricator_notification_listen}/\$1 [L,P]" },
{ rewrite_rule => "^(.*)$ fcgi://${phabricator_fpm_listen}${phabricator_vhost_docroot}/index.php?__path__=\$1 [B,L,P,QSA]" },
],
setenvif => [
"Authorization \"(.*)\" HTTP_AUTHORIZATION=\$1",
],
require => [
File[$ssl_cert],
File[$ssl_chain],
File[$ssl_key],
],
}
file {$phabricator_vhost_basic_auth_file:
ensure => absent,
}
# Uses:
# $phabricator_basepath
# $phabricator_user
file {'/etc/systemd/system/phabricator-phd.service':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/phabricator/phabricator-phd.service.erb'),
notify => Exec['systemd-daemon-reload'],
}
service {'phabricator-phd':
ensure => 'running',
enable => true,
require => [
File['/etc/systemd/system/phabricator-phd.service'],
Exec['systemd-daemon-reload'],
],
}
# Uses:
# $phabricator_basepath
# $phabricator_user
# $phabricator_notification_*
file {'/etc/systemd/system/phabricator-aphlict.service':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/phabricator/phabricator-aphlict.service.erb'),
notify => Exec['systemd-daemon-reload'],
}
service {'phabricator-aphlict':
ensure => 'running',
enable => true,
require => [
File['/etc/systemd/system/phabricator-aphlict.service'],
Exec['systemd-daemon-reload'],
],
}
package {'python-pygments':
ensure => installed,
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"phabricator http redirect on ${::fqdn}":
service_name => 'phabricator http redirect',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $phabricator_vhost_name,
http_vhost => $phabricator_vhost_name,
http_uri => '/',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"phabricator https on ${::fqdn}":
service_name => 'phabricator',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $phabricator_vhost_name,
http_vhost => $phabricator_vhost_name,
http_ssl => true,
http_sni => true,
http_uri => '/',
http_onredirect => sticky
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"phabricator https certificate ${::fqdn}":
service_name => 'phabricator https certificate',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $phabricator_vhost_name,
http_vhost => $phabricator_vhost_name,
http_ssl => true,
http_sni => true,
http_certificate => 60,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
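Review bot: `$phabricator_vhost_basic_auth_content` is still looked up, yet nothing in this class uses it and the auth file it belonged to is declared `ensure => absent`. Because `lookup()` without a default value fails compilation on a missing key, this unused line forces the basic-auth credential to stay in the Hiera data. Unless one of the ERB templates reads the variable (not visible here), drop the `lookup('phabricator::vhost::basic_auth_content')` line so the secret can be retired from the data as well.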
diff --git a/manifests/postgresql/apt_config.pp b/manifests/postgresql/apt_config.pp
index a041d06c..55f8b122 100644
--- a/manifests/postgresql/apt_config.pp
+++ b/manifests/postgresql/apt_config.pp
@@ -1,29 +1,29 @@
# PostgreSQL APT configuration
class profile::postgresql::apt_config {
- $pgdg_mirror = hiera('postgresql::apt_config::pgdg::mirror')
- $pgdg_keyid = hiera('postgresql::apt_config::pgdg::keyid')
- $pgdg_key = hiera('postgresql::apt_config::pgdg::key')
- $pglogical_mirror = hiera('postgresql::apt_config::pglogical::mirror')
- $pglogical_keyid = hiera('postgresql::apt_config::pglogical::keyid')
- $pglogical_key = hiera('postgresql::apt_config::pglogical::key')
+ $pgdg_mirror = lookup('postgresql::apt_config::pgdg::mirror')
+ $pgdg_keyid = lookup('postgresql::apt_config::pgdg::keyid')
+ $pgdg_key = lookup('postgresql::apt_config::pgdg::key')
+ $pglogical_mirror = lookup('postgresql::apt_config::pglogical::mirror')
+ $pglogical_keyid = lookup('postgresql::apt_config::pglogical::keyid')
+ $pglogical_key = lookup('postgresql::apt_config::pglogical::key')
::apt::source {'pgdg':
location => $pgdg_mirror,
release => "${::lsbdistcodename}-pgdg",
repos => 'main',
key => {
id => $pgdg_keyid,
content => $pgdg_key,
},
}
::apt::source {'pglogical':
location => $pglogical_mirror,
release => "${::lsbdistcodename}-2ndquadrant",
repos => 'main',
key => {
id => $pglogical_keyid,
content => $pglogical_key,
},
}
}
diff --git a/manifests/puppet/base.pp b/manifests/puppet/base.pp
index 74176f24..96973ee6 100644
--- a/manifests/puppet/base.pp
+++ b/manifests/puppet/base.pp
@@ -1,53 +1,53 @@
# Base puppet configuration for all hosts.
class profile::puppet::base {
- $puppetmaster = hiera('puppet::master::hostname')
+ $puppetmaster = lookup('puppet::master::hostname')
$agent_config = {
runmode => 'none',
pluginsync => true,
puppetmaster => $puppetmaster,
hiera_config => "\$environmentpath/production/hiera.yaml",
}
file { '/usr/local/sbin/swh-puppet-test':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => template('profile/puppet/swh-puppet-test.sh.erb'),
}
file { '/usr/local/sbin/swh-puppet-apply':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => template('profile/puppet/swh-puppet-apply.sh.erb'),
}
# Backported packages
if $::lsbdistcodename == 'jessie' {
$pinned_packages = [
'facter',
'hiera',
'puppet',
'puppet-common',
'puppetmaster',
'puppetmaster-common',
'puppetmaster-passenger',
'ruby-deep-merge',
]
::apt::pin {'puppet':
explanation => 'Pin puppet dependencies to backports',
codename => 'jessie-backports',
packages => $pinned_packages,
priority => 990,
}
} else {
::apt::pin {'puppet':
ensure => 'absent',
}
}
}
diff --git a/manifests/puppet/master.pp b/manifests/puppet/master.pp
index 3823b958..74edf56d 100644
--- a/manifests/puppet/master.pp
+++ b/manifests/puppet/master.pp
@@ -1,29 +1,29 @@
# Puppet master profile
class profile::puppet::master {
- $puppetdb = hiera('puppet::master::puppetdb')
+ $puppetdb = lookup('puppet::master::puppetdb')
include ::profile::puppet::base
class { '::puppet':
server => true,
server_common_modules_path => '',
server_environments => [],
server_external_nodes => '',
server_foreman => false,
server_passenger => true,
server_puppetdb_host => $puppetdb,
server_reports => 'store,puppetdb',
server_storeconfigs_backend => 'puppetdb',
* => $::profile::puppet::base::agent_config,
}
file { '/usr/local/sbin/swh-puppet-master-deploy':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => template('profile/puppet/swh-puppet-master-deploy.sh.erb'),
}
}
diff --git a/manifests/rabbitmq.pp b/manifests/rabbitmq.pp
index 195eb48d..a689f1cc 100644
--- a/manifests/rabbitmq.pp
+++ b/manifests/rabbitmq.pp
@@ -1,34 +1,34 @@
class profile::rabbitmq {
include ::profile::munin::plugins::rabbitmq
- $rabbitmq_user = hiera('rabbitmq::monitoring::user')
- $rabbitmq_password = hiera('rabbitmq::monitoring::password')
+ $rabbitmq_user = lookup('rabbitmq::monitoring::user')
+ $rabbitmq_password = lookup('rabbitmq::monitoring::password')
package {'rabbitmq-server':
ensure => installed
}
service {'rabbitmq-server':
ensure => 'running',
enable => true,
require => Package['rabbitmq-server'],
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"rabbitmq-server on ${::fqdn}":
service_name => 'rabbitmq server',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'rabbitmq_server',
vars => {
rabbitmq_port => 15672,
rabbitmq_vhost => '/',
rabbitmq_node => $::hostname,
rabbitmq_user => $rabbitmq_user,
rabbitmq_password => $rabbitmq_password,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
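Review bot: `rabbitmq_password` is placed in the `vars` of an exported resource (`@@::icinga2::object::service`), so the monitoring credential is stored in PuppetDB and written into `$icinga_checks_file` on whichever host collects the check. That puts the secret in more places than the RabbitMQ node itself. A comment above the resource should say so, e.g. `# Exported: the monitoring password is stored in PuppetDB and written to the Icinga checks file`. The permissions of the collected file should also be checked on the Icinga side, which this diff does not show.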
diff --git a/manifests/resolv_conf.pp b/manifests/resolv_conf.pp
index b14e7973..c4202e96 100644
--- a/manifests/resolv_conf.pp
+++ b/manifests/resolv_conf.pp
@@ -1,10 +1,10 @@
# Configure resolv.conf
class profile::resolv_conf {
- $nameservers = hiera('dns::nameservers')
- $search_domains = hiera('dns::search_domains')
+ $nameservers = lookup('dns::nameservers')
+ $search_domains = lookup('dns::search_domains')
class {'::resolv_conf':
nameservers => $nameservers,
searchpath => $search_domains,
}
}
diff --git a/manifests/ssh/server.pp b/manifests/ssh/server.pp
index a24d7ba2..0b3b524a 100644
--- a/manifests/ssh/server.pp
+++ b/manifests/ssh/server.pp
@@ -1,49 +1,49 @@
# Configure the SSH server
class profile::ssh::server {
- $sshd_port = hiera('ssh::port')
- $sshd_permitrootlogin = hiera('ssh::permitrootlogin')
+ $sshd_port = lookup('ssh::port')
+ $sshd_permitrootlogin = lookup('ssh::permitrootlogin')
class { '::ssh::server':
storeconfigs_enabled => false,
options => {
'PermitRootLogin' => $sshd_permitrootlogin,
'Port' => $sshd_port,
},
}
- $users = hiera_hash('users')
+ $users = lookup('users', Hash, 'deep')
each($users) |$name, $data| {
if $name == 'root' {
$home = '/root'
} else {
$home = "/home/${name}"
}
file { "${home}/.ssh":
ensure => directory,
owner => $name,
group => $name,
mode => '0600',
require => [
User[$name],
File[$home],
],
}
if $data['authorized_keys'] {
each($data['authorized_keys']) |$nick, $key| {
ssh_authorized_key { "${name} ${nick}":
ensure => 'present',
user => $name,
key => $key['key'],
type => $key['type'],
require => File["${home}/.ssh"],
}
}
}
}
}
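Review bot: `lookup('users', Hash, 'deep')` is only equivalent to the old `hiera_hash('users')` if hiera.yaml configured a deep `:merge_behavior`; with the Hiera 3 default the old call merged top-level keys only. Under a deep merge each user's `authorized_keys` hash is combined from every hierarchy level, so a key defined at a lower-priority level is still installed even when a more specific level lists a different set. If that is intended, say so in a comment such as `# deep merge: authorized_keys accumulate across all Hiera levels`; otherwise use `'hash'`. The same question applies to `lookup('ssl', Hash, 'deep')` in manifests/ssl.pp.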
diff --git a/manifests/ssl.pp b/manifests/ssl.pp
index d156c143..fe3f63c2 100644
--- a/manifests/ssl.pp
+++ b/manifests/ssl.pp
@@ -1,58 +1,58 @@
# Deploy SSL certificates
class profile::ssl {
$public_dir = '/etc/ssl/certs/softwareheritage'
$private_dir = '/etc/ssl/private/softwareheritage'
- $ssl_certificates = hiera_hash('ssl')
+ $ssl_certificates = lookup('ssl', Hash, 'deep')
$cert_domains = keys($ssl_certificates)
# Generate {'foo' => "${public_dir}/foo.crt"} from ['foo']
$certificate_paths = hash(flatten(zip($cert_domains, prefix(suffix($cert_domains, '.crt'), "${public_dir}/"))))
$chain_paths = hash(flatten(zip($cert_domains, prefix(suffix($cert_domains, '.chain'), "${public_dir}/"))))
$private_key_paths = hash(flatten(zip($cert_domains, prefix(suffix($cert_domains, '.key'), "${private_dir}/"))))
file {$public_dir:
ensure => 'directory',
purge => true,
recurse => true,
owner => 'root',
group => 'root',
mode => '0644',
}
file {$private_dir:
ensure => 'directory',
purge => true,
recurse => true,
owner => 'root',
group => 'root',
mode => '0600',
}
each($ssl_certificates) |$domain, $data| {
file {$certificate_paths[$domain]:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $data['certificate'],
}
file {$chain_paths[$domain]:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $data['ca_bundle'],
}
file {$private_key_paths[$domain]:
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $data['private_key'],
}
}
}
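Review bot: The private key is passed as plain `content` to `file {$private_key_paths[$domain]:`, so when the key changes the agent can print a diff of the key material to its log and report if diff output is enabled in the agent configuration. Add `show_diff => false,` to that resource so the behaviour does not depend on the agent's settings. The same holds for `"${deploy_directory}/id_rsa"` in manifests/swh/deploy.pp.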
diff --git a/manifests/swh.pp b/manifests/swh.pp
index 61e086f8..b8dbcbd3 100644
--- a/manifests/swh.pp
+++ b/manifests/swh.pp
@@ -1,41 +1,41 @@
# Base class for Software Heritage-specific configuration
class profile::swh {
- $swh_base_directory = hiera('swh::base_directory')
- $swh_conf_directory = hiera('swh::conf_directory')
- $swh_global_conf_file = hiera('swh::global_conf::file')
- $swh_global_conf_contents = hiera('swh::global_conf::contents')
- $swh_log_directory = hiera('swh::log_directory')
+ $swh_base_directory = lookup('swh::base_directory')
+ $swh_conf_directory = lookup('swh::conf_directory')
+ $swh_global_conf_file = lookup('swh::global_conf::file')
+ $swh_global_conf_contents = lookup('swh::global_conf::contents')
+ $swh_log_directory = lookup('swh::log_directory')
$swh_logrotate_conf = '/etc/logrotate.d/softwareheritage'
file {[
$swh_base_directory,
$swh_conf_directory,
$swh_log_directory,
]:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file {$swh_global_conf_file:
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0644',
content => $swh_global_conf_contents,
}
file {$swh_logrotate_conf:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/swh/logrotate.conf.erb'),
}
include profile::swh::deploy
include profile::swh::apt_config
}
diff --git a/manifests/swh/apt_config.pp b/manifests/swh/apt_config.pp
index 97673200..d3cb5fce 100644
--- a/manifests/swh/apt_config.pp
+++ b/manifests/swh/apt_config.pp
@@ -1,72 +1,72 @@
# Base class for Software Heritage-specific apt configuration
class profile::swh::apt_config {
- $debian_mirror = hiera('swh::apt_config::debian_mirror')
- $debian_security_mirror = hiera('swh::apt_config::debian_security_mirror')
- $debian_enable_non_free = hiera('swh::apt_config::enable_non_free')
+ $debian_mirror = lookup('swh::apt_config::debian_mirror')
+ $debian_security_mirror = lookup('swh::apt_config::debian_security_mirror')
+ $debian_enable_non_free = lookup('swh::apt_config::enable_non_free')
class {'::apt':
purge => {
'sources.list' => true,
'sources.list.d' => false,
'preferences' => true,
'preferences.d' => true,
},
}
package {'apt-transport-https':
ensure => 'present',
}
- if hiera('swh::apt_config::unattended_upgrades') {
+ if lookup('swh::apt_config::unattended_upgrades') {
include profile::swh::apt_config::unattended_upgrades
}
$repos = $debian_enable_non_free ? {
true => 'main contrib non-free',
default => 'main',
}
::apt::source {'debian':
location => $debian_mirror,
release => $::lsbdistcodename,
repos => $repos,
}
::apt::source {'debian-updates':
location => $debian_mirror,
release => "${::lsbdistcodename}-updates",
repos => $repos,
}
::apt::source {'debian-security':
location => $debian_security_mirror,
release => "${::lsbdistcodename}/updates",
repos => $repos,
}
if $::lsbdistcodename == 'jessie' {
class {'::apt::backports':
pin => 100,
location => $debian_mirror,
repos => $repos,
}
}
- $swh_repository = hiera('swh::apt_config::swh_repository')
+ $swh_repository = lookup('swh::apt_config::swh_repository')
$swh_release = $::lsbdistcodename ? {
'buster' => 'sid',
'stretch' => 'stretch-swh',
default => $::lsbdistcodename,
}
::apt::source {'softwareheritage':
comment => 'Software Heritage specific package repository',
location => $swh_repository,
release => $swh_release,
repos => 'main',
allow_unsigned => true,
}
Package['apt-transport-https'] -> Class['apt::update'] -> Package <| title != 'apt-transport-https' |>
}
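Review bot: The `softwareheritage` source is declared with `allow_unsigned => true`, which makes apt trust the repository without verifying a signature, and its `location` is whatever `lookup('swh::apt_config::swh_repository')` returns. Package integrity then rests entirely on the repository host and the transport to it. Prefer signing the repository and passing `key => { id => ..., content => ... }` as the `pgdg` source in manifests/postgresql/apt_config.pp does, then remove `allow_unsigned`. This is a context line that the commit carries over unchanged.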
diff --git a/manifests/swh/apt_config/unattended_upgrades.pp b/manifests/swh/apt_config/unattended_upgrades.pp
index 9a47cd18..220cf153 100644
--- a/manifests/swh/apt_config/unattended_upgrades.pp
+++ b/manifests/swh/apt_config/unattended_upgrades.pp
@@ -1,11 +1,11 @@
# Unattended upgrades configuration
class profile::swh::apt_config::unattended_upgrades {
- $origins = hiera('swh::apt_config::unattended_upgraes::origins')
+ $origins = lookup('swh::apt_config::unattended_upgraes::origins')
class {'::unattended_upgrades':
mail => {
to => 'root',
},
origins => $origins,
}
}
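Review bot: The key `swh::apt_config::unattended_upgraes::origins` is misspelled (`upgraes`), and the new `lookup()` call keeps the typo. It only resolves if the Hiera data carries the same misspelling, which this diff does not show; a later correction on one side alone would make catalog compilation fail. Rename the key in the manifest and the data together to `swh::apt_config::unattended_upgrades::origins`.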
diff --git a/manifests/swh/deploy.pp b/manifests/swh/deploy.pp
index 4d7fc957..6ef5f6fa 100644
--- a/manifests/swh/deploy.pp
+++ b/manifests/swh/deploy.pp
@@ -1,40 +1,40 @@
# Deployment of the deployment private key for Software Heritage
class profile::swh::deploy {
- $deploy_group = hiera('swh::deploy::group')
- $deploy_directory = hiera('swh::deploy::directory')
+ $deploy_group = lookup('swh::deploy::group')
+ $deploy_directory = lookup('swh::deploy::directory')
file {$deploy_directory:
ensure => directory,
owner => 'root',
group => $deploy_group,
mode => '0750',
require => [
Group[$deploy_group],
]
}
file {"${deploy_directory}/id_rsa":
ensure => present,
- content => hiera('swh::deploy::private_key'),
+ content => lookup('swh::deploy::private_key'),
owner => 'root',
group => $deploy_group,
mode => '0640',
require => [
File[$deploy_directory],
Group[$deploy_group],
],
}
file {"${deploy_directory}/id_rsa.pub":
ensure => present,
- content => hiera('swh::deploy::public_key'),
+ content => lookup('swh::deploy::public_key'),
owner => 'root',
group => $deploy_group,
mode => '0640',
require => [
File[$deploy_directory],
Group[$deploy_group],
],
}
}
diff --git a/manifests/swh/deploy/archiver.pp b/manifests/swh/deploy/archiver.pp
index 84c72a64..ff2a715a 100644
--- a/manifests/swh/deploy/archiver.pp
+++ b/manifests/swh/deploy/archiver.pp
@@ -1,21 +1,21 @@
# Archiver base configuration
class profile::swh::deploy::archiver {
include ::profile::swh::deploy::objstorage_cloud
- $config_dir = hiera('swh::deploy::worker::swh_storage_archiver::conf_directory')
+ $config_dir = lookup('swh::deploy::worker::swh_storage_archiver::conf_directory')
file {$config_dir:
ensure => 'directory',
owner => 'swhworker',
group => 'swhworker',
mode => '0644',
}
$packages = ['python3-swh.archiver']
package {$packages:
ensure => 'installed',
}
}
diff --git a/manifests/swh/deploy/archiver_content_updater.pp b/manifests/swh/deploy/archiver_content_updater.pp
index f0c059b0..3bb8c300 100644
--- a/manifests/swh/deploy/archiver_content_updater.pp
+++ b/manifests/swh/deploy/archiver_content_updater.pp
@@ -1,47 +1,47 @@
# Deployment of the swh.storage.archiver.updater
class profile::swh::deploy::archiver_content_updater {
include profile::swh::deploy::archiver
- $conf_file = hiera('swh::deploy::archiver_content_updater::conf_file')
- $user = hiera('swh::deploy::archiver_content_updater::user')
- $group = hiera('swh::deploy::archiver_content_updater::group')
+ $conf_file = lookup('swh::deploy::archiver_content_updater::conf_file')
+ $user = lookup('swh::deploy::archiver_content_updater::user')
+ $group = lookup('swh::deploy::archiver_content_updater::group')
- $content_updater_config = hiera('swh::deploy::archiver_content_updater::config')
+ $content_updater_config = lookup('swh::deploy::archiver_content_updater::config')
include ::systemd
$service_name = 'swh-archiver-content-updater'
$service_file = "/etc/systemd/system/${service_name}.service"
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @content_updater_config.to_yaml %>\n"),
notify => Service[$service_name],
}
# Template uses variables
# - $user
# - $group
#
file {$service_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/swh/deploy/archiver/swh-content-updater.service.erb'),
notify => [
Exec['systemd-daemon-reload'],
Service[$service_name],
],
}
service {$service_name:
ensure => running,
enable => false,
require => File[$service_file],
}
}
diff --git a/manifests/swh/deploy/base_storage.pp b/manifests/swh/deploy/base_storage.pp
index 24700d9b..93401e27 100644
--- a/manifests/swh/deploy/base_storage.pp
+++ b/manifests/swh/deploy/base_storage.pp
@@ -1,11 +1,11 @@
class profile::swh::deploy::base_storage {
- $swh_conf_storage_directory = hiera('swh::deploy::storage::conf_directory')
+ $swh_conf_storage_directory = lookup('swh::deploy::storage::conf_directory')
file {$swh_conf_storage_directory:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
}
diff --git a/manifests/swh/deploy/base_vault.pp b/manifests/swh/deploy/base_vault.pp
index 84f96e88..aaeb5ddb 100644
--- a/manifests/swh/deploy/base_vault.pp
+++ b/manifests/swh/deploy/base_vault.pp
@@ -1,16 +1,16 @@
class profile::swh::deploy::base_vault {
- $conf_directory = hiera('swh::deploy::vault::conf_directory')
+ $conf_directory = lookup('swh::deploy::vault::conf_directory')
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0755',
}
$packages = ['python3-swh.vault']
package {$packages:
ensure => 'present',
}
}
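Review bot: `group => $group` in `file {$conf_directory:` refers to a variable that this class never assigns. With strict variables enabled the catalog fails to compile; otherwise the attribute is undef and the directory's group is left unmanaged. Either set it explicitly, `group => 'root',` as manifests/swh/deploy/base_storage.pp does, or assign `$group` from the vault's Hiera data before the resource.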
diff --git a/manifests/swh/deploy/deposit.pp b/manifests/swh/deploy/deposit.pp
index 5c00a290..6e22abf5 100644
--- a/manifests/swh/deploy/deposit.pp
+++ b/manifests/swh/deploy/deposit.pp
@@ -1,260 +1,260 @@
# Deployment of the swh.deposit server
class profile::swh::deploy::deposit {
- $conf_directory = hiera('swh::deploy::deposit::conf_directory')
+ $conf_directory = lookup('swh::deploy::deposit::conf_directory')
- $swh_conf_file = hiera('swh::deploy::deposit::swh_conf_file')
- $user = hiera('swh::deploy::deposit::user')
- $group = hiera('swh::deploy::deposit::group')
- $swh_conf_raw = hiera('swh::deploy::deposit::config')
+ $swh_conf_file = lookup('swh::deploy::deposit::swh_conf_file')
+ $user = lookup('swh::deploy::deposit::user')
+ $group = lookup('swh::deploy::deposit::group')
+ $swh_conf_raw = lookup('swh::deploy::deposit::config')
$swh_packages = ['python3-swh.deposit']
$static_dir = '/usr/lib/python3/dist-packages/swh/deposit/static'
# private data file to read from swh.deposit.settings.production
- $settings_private_data_file = hiera('swh::deploy::deposit::settings_private_data_file')
- $settings_private_data = hiera('swh::deploy::deposit::settings_private_data')
+ $settings_private_data_file = lookup('swh::deploy::deposit::settings_private_data_file')
+ $settings_private_data = lookup('swh::deploy::deposit::settings_private_data')
- $backend_listen_host = hiera('swh::deploy::deposit::backend::listen::host')
- $backend_listen_port = hiera('swh::deploy::deposit::backend::listen::port')
+ $backend_listen_host = lookup('swh::deploy::deposit::backend::listen::host')
+ $backend_listen_port = lookup('swh::deploy::deposit::backend::listen::port')
$backend_listen_address = "${backend_listen_host}:${backend_listen_port}"
- $backend_workers = hiera('swh::deploy::deposit::backend::workers')
- $backend_http_keepalive = hiera('swh::deploy::deposit::backend::http_keepalive')
- $backend_http_timeout = hiera('swh::deploy::deposit::backend::http_timeout')
- $backend_reload_mercy = hiera('swh::deploy::deposit::backend::reload_mercy')
+ $backend_workers = lookup('swh::deploy::deposit::backend::workers')
+ $backend_http_keepalive = lookup('swh::deploy::deposit::backend::http_keepalive')
+ $backend_http_timeout = lookup('swh::deploy::deposit::backend::http_timeout')
+ $backend_reload_mercy = lookup('swh::deploy::deposit::backend::reload_mercy')
- $vhost_name = hiera('swh::deploy::deposit::vhost::name')
- $vhost_port = hiera('apache::http_port')
- $vhost_aliases = hiera('swh::deploy::deposit::vhost::aliases')
- $vhost_docroot = hiera('swh::deploy::deposit::vhost::docroot')
+ $vhost_name = lookup('swh::deploy::deposit::vhost::name')
+ $vhost_port = lookup('apache::http_port')
+ $vhost_aliases = lookup('swh::deploy::deposit::vhost::aliases')
+ $vhost_docroot = lookup('swh::deploy::deposit::vhost::docroot')
$vhost_basic_auth_file = "${conf_directory}/http_auth"
# swh::deploy::deposit::vhost::basic_auth_content in private
- $vhost_basic_auth_content = hiera('swh::deploy::deposit::vhost::basic_auth_content')
- $vhost_ssl_port = hiera('apache::https_port')
- $vhost_ssl_protocol = hiera('swh::deploy::deposit::vhost::ssl_protocol')
- $vhost_ssl_honorcipherorder = hiera('swh::deploy::deposit::vhost::ssl_honorcipherorder')
- $vhost_ssl_cipher = hiera('swh::deploy::deposit::vhost::ssl_cipher')
- $locked_endpoints = hiera_array('swh::deploy::deposit::locked_endpoints')
+ $vhost_basic_auth_content = lookup('swh::deploy::deposit::vhost::basic_auth_content')
+ $vhost_ssl_port = lookup('apache::https_port')
+ $vhost_ssl_protocol = lookup('swh::deploy::deposit::vhost::ssl_protocol')
+ $vhost_ssl_honorcipherorder = lookup('swh::deploy::deposit::vhost::ssl_honorcipherorder')
+ $vhost_ssl_cipher = lookup('swh::deploy::deposit::vhost::ssl_cipher')
+ $locked_endpoints = lookup('swh::deploy::deposit::locked_endpoints', Array, 'unique')
- $media_root_directory = hiera('swh::deploy::deposit::media_root_directory')
+ $media_root_directory = lookup('swh::deploy::deposit::media_root_directory')
include ::gunicorn
package {$swh_packages:
ensure => latest,
require => Apt::Source['softwareheritage'],
notify => Service['gunicorn-swh-deposit'],
}
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0755',
}
# swh's configuration part (upload size, etc...)
file {$swh_conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @swh_conf_raw.to_yaml %>\n"),
notify => Service['gunicorn-swh-deposit'],
}
file {$media_root_directory:
ensure => directory,
owner => $user,
group => $group,
mode => '2750',
}
# swh's private configuration part (db, secret key, media_root)
file {$settings_private_data_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @settings_private_data.to_yaml %>\n"),
notify => Service['gunicorn-swh-deposit'],
}
::gunicorn::instance {'swh-deposit':
ensure => enabled,
user => $user,
group => $group,
executable => 'swh.deposit.wsgi',
settings => {
bind => $backend_listen_address,
workers => $backend_workers,
worker_class => 'sync',
timeout => $backend_http_timeout,
graceful_timeout => $backend_reload_mercy,
keepalive => $backend_http_keepalive,
}
}
$endpoint_directories = $locked_endpoints.map |$endpoint| {
{ path => "^${endpoint}",
provider => 'locationmatch',
auth_type => 'Basic',
auth_name => 'Software Heritage Deposit',
auth_user_file => $vhost_basic_auth_file,
auth_require => 'valid-user',
}
}
include ::profile::apache::common
include ::apache::mod::proxy
include ::apache::mod::headers
::apache::vhost {"${vhost_name}_non-ssl":
servername => $vhost_name,
serveraliases => $vhost_aliases,
port => $vhost_port,
docroot => $vhost_docroot,
proxy_pass => [
{ path => '/static',
url => '!',
},
{ path => '/robots.txt',
url => '!',
},
{ path => '/favicon.ico',
url => '!',
},
{ path => '/',
url => "http://${backend_listen_address}/",
},
],
directories => [
{ path => '/1',
provider => 'location',
allow => 'from all',
satisfy => 'Any',
headers => ['add Access-Control-Allow-Origin "*"'],
},
{ path => $static_dir,
options => ['-Indexes'],
},
] + $endpoint_directories,
aliases => [
{ alias => '/static',
path => $static_dir,
},
{ alias => '/robots.txt',
path => "${static_dir}/robots.txt",
},
],
require => [
File[$vhost_basic_auth_file],
]
}
$ssl_cert_name = 'star_softwareheritage_org'
include ::profile::hitch
realize(::Profile::Hitch::Ssl_cert[$ssl_cert_name])
include ::profile::varnish
::profile::varnish::vhost {$vhost_name:
aliases => $vhost_aliases,
- hsts_max_age => hiera('strict_transport_security::max_age'),
+ hsts_max_age => lookup('strict_transport_security::max_age'),
}
file {$vhost_basic_auth_file:
ensure => present,
owner => 'root',
group => 'www-data',
mode => '0640',
content => $vhost_basic_auth_content,
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"swh-deposit api (localhost on ${::fqdn})":
service_name => 'swh-deposit api (localhost)',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
command_endpoint => $::fqdn,
vars => {
http_address => '127.0.0.1',
http_port => $backend_listen_port,
http_uri => '/',
http_string => 'The Software Heritage Deposit',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
if $backend_listen_host != '127.0.0.1' {
@@::icinga2::object::service {"swh-deposit api (remote on ${::fqdn})":
service_name => 'swh-deposit api (remote)',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_port => $backend_listen_port,
http_uri => '/',
http_string => 'The Software Heritage Deposit',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
@@::icinga2::object::service {"swh-deposit http redirect on ${::fqdn}":
service_name => 'swh deposit http redirect',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_port,
http_uri => '/',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"swh-deposit https on ${::fqdn}":
service_name => 'swh deposit',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_ssl_port,
http_ssl => true,
http_sni => true,
http_uri => '/',
http_onredirect => sticky
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"swh-deposit https certificate ${::fqdn}":
service_name => 'swh deposit https certificate',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_ssl_port,
http_ssl => true,
http_sni => true,
http_certificate => 60,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
diff --git a/manifests/swh/deploy/indexer.pp b/manifests/swh/deploy/indexer.pp
index f4a0ffc4..fb59160c 100644
--- a/manifests/swh/deploy/indexer.pp
+++ b/manifests/swh/deploy/indexer.pp
@@ -1,31 +1,31 @@
# Base class for the indexer manifests
class profile::swh::deploy::indexer {
include ::profile::swh::deploy::objstorage_cloud
$config_directory = '/etc/softwareheritage/indexer'
$config_file = "${config_directory}/base.yml"
- $config = hiera('swh::deploy::worker::swh_indexer::base::config')
+ $config = lookup('swh::deploy::worker::swh_indexer::base::config')
$packages = ['python3-swh.indexer']
file {$config_directory:
ensure => 'directory',
owner => 'swhworker',
group => 'swhworker',
mode => '0755',
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhdev',
# Contains passwords
mode => '0640',
content => inline_template("<%= @config.to_yaml %>\n"),
}
package {$packages:
ensure => 'latest',
}
}
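Review bot: The `file {$config_file:` resource writes `$config`, which the inline comment says contains passwords, without `show_diff => false,`. If the agents run with the `show_diff` setting enabled, every change to this file would put the rendered YAML, secrets included, into agent logs and reports. Adding `show_diff => false,` to the resource avoids that. The same `lookup(...)` hash written through `inline_template("<%= @... .to_yaml %>\n")` appears in the indexer_storage, journal_publisher, journal_simple_checker_producer, objstorage_*_checker, rpc_server and storage hunks; whether those hashes hold credentials is not visible from the diff.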
diff --git a/manifests/swh/deploy/indexer_storage.pp b/manifests/swh/deploy/indexer_storage.pp
index 9baded72..a2258dfb 100644
--- a/manifests/swh/deploy/indexer_storage.pp
+++ b/manifests/swh/deploy/indexer_storage.pp
@@ -1,92 +1,92 @@
# Deployment of the swh.indexer.storage.api.server
class profile::swh::deploy::indexer_storage {
include ::profile::swh::deploy::base_storage
- $conf_file = hiera('swh::deploy::indexer::storage::conf_file')
- $user = hiera('swh::deploy::indexer::storage::user')
- $group = hiera('swh::deploy::indexer::storage::group')
+ $conf_file = lookup('swh::deploy::indexer::storage::conf_file')
+ $user = lookup('swh::deploy::indexer::storage::user')
+ $group = lookup('swh::deploy::indexer::storage::group')
$swh_packages = ['python3-swh.indexer.storage']
- $backend_listen_host = hiera('swh::deploy::indexer::storage::backend::listen::host')
- $backend_listen_port = hiera('swh::deploy::indexer::storage::backend::listen::port')
+ $backend_listen_host = lookup('swh::deploy::indexer::storage::backend::listen::host')
+ $backend_listen_port = lookup('swh::deploy::indexer::storage::backend::listen::port')
$backend_listen_address = "${backend_listen_host}:${backend_listen_port}"
- $backend_workers = hiera('swh::deploy::indexer::storage::backend::workers')
- $backend_http_keepalive = hiera('swh::deploy::indexer::storage::backend::http_keepalive')
- $backend_http_timeout = hiera('swh::deploy::indexer::storage::backend::http_timeout')
- $backend_reload_mercy = hiera('swh::deploy::indexer::storage::backend::reload_mercy')
- $backend_max_requests = hiera('swh::deploy::indexer::storage::backend::max_requests')
- $backend_max_requests_jitter = hiera('swh::deploy::indexer::storage::backend::max_requests_jitter')
+ $backend_workers = lookup('swh::deploy::indexer::storage::backend::workers')
+ $backend_http_keepalive = lookup('swh::deploy::indexer::storage::backend::http_keepalive')
+ $backend_http_timeout = lookup('swh::deploy::indexer::storage::backend::http_timeout')
+ $backend_reload_mercy = lookup('swh::deploy::indexer::storage::backend::reload_mercy')
+ $backend_max_requests = lookup('swh::deploy::indexer::storage::backend::max_requests')
+ $backend_max_requests_jitter = lookup('swh::deploy::indexer::storage::backend::max_requests_jitter')
- $idx_storage_config = hiera('swh::deploy::indexer::storage::config')
+ $idx_storage_config = lookup('swh::deploy::indexer::storage::config')
include ::gunicorn
package {$swh_packages:
ensure => latest,
require => Apt::Source['softwareheritage'],
notify => Service['gunicorn-swh-indexer-storage'],
}
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @idx_storage_config.to_yaml %>\n"),
notify => Service['gunicorn-swh-indexer-storage'],
}
::gunicorn::instance {'swh-indexer-storage':
ensure => enabled,
user => $user,
group => $group,
executable => 'swh.indexer.storage.api.server:run_from_webserver',
settings => {
bind => $backend_listen_address,
workers => $backend_workers,
worker_class => 'sync',
timeout => $backend_http_timeout,
graceful_timeout => $backend_reload_mercy,
keepalive => $backend_http_keepalive,
max_requests => $backend_max_requests,
max_requests_jitter => $backend_max_requests_jitter,
}
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"swh-indexer-storage api (localhost on ${::fqdn})":
service_name => 'swh-indexer-storage api (localhost)',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
command_endpoint => $::fqdn,
vars => {
http_address => '127.0.0.1',
http_port => $backend_listen_port,
http_uri => '/',
http_string => 'SWH Indexer Storage API server',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
if $backend_listen_host != '127.0.0.1' {
@@::icinga2::object::service {"swh-indexer-storage api (remote on ${::fqdn})":
service_name => 'swh-indexer-storage api (remote)',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_port => $backend_listen_port,
http_uri => '/',
http_string => 'SWH Indexer Storage API server',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
}
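Review bot: None of the converted `lookup()` calls in this hunk declares the expected data type, although `lookup` accepts one as its second argument and the `locked_endpoints` lookup in the deposit manifest of this commit already uses that form. Values such as `$backend_listen_port` and `$backend_workers` go straight into the gunicorn `bind` and `workers` settings and the Icinga `http_port`, so a mistyped Hiera entry would probably only surface when the service starts. I would write, for example, `$group = lookup('swh::deploy::indexer::storage::group', String)` and `$idx_storage_config = lookup('swh::deploy::indexer::storage::config', Hash)`. The port and worker keys can take a type too once their Hiera representation (integer or string) is confirmed. The same applies to the untyped lookups in the other hunks of this commit.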
diff --git a/manifests/swh/deploy/journal.pp b/manifests/swh/deploy/journal.pp
index f5ad0193..338f947e 100644
--- a/manifests/swh/deploy/journal.pp
+++ b/manifests/swh/deploy/journal.pp
@@ -1,18 +1,18 @@
# Base Journal configuration
class profile::swh::deploy::journal {
- $conf_directory = hiera('swh::deploy::journal::conf_directory')
+ $conf_directory = lookup('swh::deploy::journal::conf_directory')
file {$conf_directory:
ensure => 'directory',
owner => 'swhworker',
group => 'swhworker',
mode => '0644',
}
$package_name = 'python3-swh.journal'
package {$package_name:
ensure => latest,
}
}
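Review bot: The `file {$conf_directory:` resource sets `mode => '0644'` on a directory. Puppet sets the search bit wherever the read bit is set on directories, so the effective mode is presumably 0755, but the manifest should state the mode it intends: `mode => '0755',`, or `'0750'` as the publisher and checker manifests use for their configuration directories.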
diff --git a/manifests/swh/deploy/journal_publisher.pp b/manifests/swh/deploy/journal_publisher.pp
index 4e5bfd02..f7efcd00 100644
--- a/manifests/swh/deploy/journal_publisher.pp
+++ b/manifests/swh/deploy/journal_publisher.pp
@@ -1,57 +1,57 @@
# Deployment of the swh.journal.publisher
class profile::swh::deploy::journal_publisher {
include ::profile::swh::deploy::journal
- $conf_file = hiera('swh::deploy::journal_publisher::conf_file')
- $user = hiera('swh::deploy::journal_publisher::user')
- $group = hiera('swh::deploy::journal_publisher::group')
+ $conf_file = lookup('swh::deploy::journal_publisher::conf_file')
+ $user = lookup('swh::deploy::journal_publisher::user')
+ $group = lookup('swh::deploy::journal_publisher::group')
- $publisher_config = hiera('swh::deploy::journal_publisher::config')
+ $publisher_config = lookup('swh::deploy::journal_publisher::config')
include ::systemd
$service_name = 'swh-journal-publisher'
$service_file = "/etc/systemd/system/${service_name}.service"
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0750',
}
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
require => File[$conf_directory],
content => inline_template("<%= @publisher_config.to_yaml %>\n"),
notify => Service[$service_name],
}
# Template uses variables
# - $user
# - $group
#
file {$service_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/swh/deploy/journal/swh-journal-publisher.service.erb'),
require => Package[$package_name],
notify => [
Exec['systemd-daemon-reload'],
Service[$service_name],
],
}
service {$service_name:
ensure => running,
enable => false,
require => File[$service_file],
}
}
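Review bot: `$conf_directory` and `$package_name` are used in this class (`file {$conf_directory:`, `require => File[$conf_directory]`, `require => Package[$package_name]`), but the hunk shows no assignment for either; they are only set in `profile::swh::deploy::journal`. `include` does not bring another class's local variables into scope, so on a Puppet version that provides `lookup()` they would need to be written as `$::profile::swh::deploy::journal::conf_directory` and `$::profile::swh::deploy::journal::package_name`. If the directory is the same one, `file {$conf_directory:` here also duplicates the declaration in journal.pp with a different owner and mode, which would fail catalog compilation, so one of the two should be dropped. The journal_simple_checker_producer hunk has the same three references.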
diff --git a/manifests/swh/deploy/journal_simple_checker_producer.pp b/manifests/swh/deploy/journal_simple_checker_producer.pp
index d243a9ae..f97709cc 100644
--- a/manifests/swh/deploy/journal_simple_checker_producer.pp
+++ b/manifests/swh/deploy/journal_simple_checker_producer.pp
@@ -1,57 +1,57 @@
# Deployment of the swh.journal.checker
class profile::swh::deploy::journal_simple_checker_producer {
include ::profile::swh::deploy::journal
- $conf_file = hiera('swh::deploy::journal_simple_checker_producer::conf_file')
- $user = hiera('swh::deploy::journal_simple_checker_producer::user')
- $group = hiera('swh::deploy::journal_simple_checker_producer::group')
+ $conf_file = lookup('swh::deploy::journal_simple_checker_producer::conf_file')
+ $user = lookup('swh::deploy::journal_simple_checker_producer::user')
+ $group = lookup('swh::deploy::journal_simple_checker_producer::group')
- $checker_config = hiera(
+ $checker_config = lookup(
'swh::deploy::journal_simple_checker_producer::config')
include ::systemd
$service_name = 'swh-journal-simple-checker-producer'
$service_file = "/etc/systemd/system/${service_name}.service"
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0750',
}
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
require => File[$conf_directory],
content => inline_template("<%= @checker_config.to_yaml %>\n"),
notify => Service[$service_name],
}
# Template uses variables
# - $user
# - $group
#
file {$service_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/swh/deploy/journal/swh-journal-simple-checker-producer.service.erb'),
require => Package[$package_name],
notify => [
Exec['systemd-daemon-reload'],
Service[$service_name],
],
}
service {$service_name:
ensure => running,
enable => false,
require => File[$service_file],
}
}
diff --git a/manifests/swh/deploy/objstorage.pp b/manifests/swh/deploy/objstorage.pp
index 7bca9325..28477ddd 100644
--- a/manifests/swh/deploy/objstorage.pp
+++ b/manifests/swh/deploy/objstorage.pp
@@ -1,25 +1,25 @@
# Deployment of the swh.objstorage.api server
class profile::swh::deploy::objstorage {
- $conf_directory = hiera('swh::deploy::objstorage::conf_directory')
- $group = hiera('swh::deploy::objstorage::group')
+ $conf_directory = lookup('swh::deploy::objstorage::conf_directory')
+ $group = lookup('swh::deploy::objstorage::group')
$swh_packages = ['python3-swh.objstorage']
package {$swh_packages:
ensure => latest,
require => Apt::Source['softwareheritage'],
}
Package[$swh_packages] ~> Service['gunicorn-swh-vault']
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0750',
}
::profile::swh::deploy::rpc_server {'objstorage':
executable => 'swh.objstorage.api.server:make_app_from_configfile()',
worker => 'async',
}
}
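Review bot: `Package[$swh_packages] ~> Service['gunicorn-swh-vault']` restarts the vault service when the objstorage package changes, while the instance declared in this class is `::profile::swh::deploy::rpc_server {'objstorage':`, whose gunicorn service would be `gunicorn-swh-objstorage` going by rpc_server.pp. This looks like a leftover from the vault manifest; unless it is intended, the line should read `Package[$swh_packages] ~> Service['gunicorn-swh-objstorage']`. As written, the catalog presumably also needs the vault service to be declared on every host that includes this class.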
diff --git a/manifests/swh/deploy/objstorage_archive_notifier_checker.pp b/manifests/swh/deploy/objstorage_archive_notifier_checker.pp
index 92cbcc9a..0d80b700 100644
--- a/manifests/swh/deploy/objstorage_archive_notifier_checker.pp
+++ b/manifests/swh/deploy/objstorage_archive_notifier_checker.pp
@@ -1,49 +1,49 @@
# Deployment of the swh.objstorage.checker.ArchiveNotifierContentChecker
class profile::swh::deploy::objstorage_archive_notifier_checker {
- $conf_directory = hiera('swh::deploy::objstorage_archive_notifier_checker::conf_directory')
- $conf_file = hiera('swh::deploy::objstorage_archive_notifier_checker::conf_file')
- $user = hiera('swh::deploy::objstorage_archive_notifier_checker::user')
- $group = hiera('swh::deploy::objstorage_archive_notifier_checker::group')
+ $conf_directory = lookup('swh::deploy::objstorage_archive_notifier_checker::conf_directory')
+ $conf_file = lookup('swh::deploy::objstorage_archive_notifier_checker::conf_file')
+ $user = lookup('swh::deploy::objstorage_archive_notifier_checker::user')
+ $group = lookup('swh::deploy::objstorage_archive_notifier_checker::group')
# configuration file
- $archive_notifier_config = hiera('swh::deploy::objstorage_archive_notifier_checker::config')
+ $archive_notifier_config = lookup('swh::deploy::objstorage_archive_notifier_checker::config')
$swh_packages = ['python3-swh.objstorage.checker']
package {$swh_packages:
ensure => latest,
require => Apt::Source['softwareheritage'],
}
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0750',
}
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @archive_notifier_config.to_yaml %>\n"),
}
include ::systemd
file {'/etc/systemd/system/objstorage_archive_notifier_checker.service':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/swh/deploy/storage/objstorage_archive_notifier_checker.service.erb'),
notify => Exec['systemd-daemon-reload'],
require => [
File[$conf_file],
Package[$swh_packages],
]
}
}
diff --git a/manifests/swh/deploy/objstorage_log_checker.pp b/manifests/swh/deploy/objstorage_log_checker.pp
index 166a7095..5c4cfac8 100644
--- a/manifests/swh/deploy/objstorage_log_checker.pp
+++ b/manifests/swh/deploy/objstorage_log_checker.pp
@@ -1,49 +1,49 @@
# Deployment of the swh.objstorage.checker.LogContentChecker
class profile::swh::deploy::objstorage_log_checker {
- $conf_directory = hiera('swh::deploy::objstorage_log_checker::conf_directory')
- $conf_file = hiera('swh::deploy::objstorage_log_checker::conf_file')
- $user = hiera('swh::deploy::objstorage_log_checker::user')
- $group = hiera('swh::deploy::objstorage_log_checker::group')
+ $conf_directory = lookup('swh::deploy::objstorage_log_checker::conf_directory')
+ $conf_file = lookup('swh::deploy::objstorage_log_checker::conf_file')
+ $user = lookup('swh::deploy::objstorage_log_checker::user')
+ $group = lookup('swh::deploy::objstorage_log_checker::group')
# configuration file
- $log_checker_config = hiera('swh::deploy::objstorage_log_checker::config')
+ $log_checker_config = lookup('swh::deploy::objstorage_log_checker::config')
$swh_packages = ['python3-swh.objstorage.checker']
package {$swh_packages:
ensure => latest,
require => Apt::Source['softwareheritage'],
}
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0750',
}
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @log_checker_config.to_yaml %>\n"),
}
include ::systemd
file {'/etc/systemd/system/objstorage_log_checker.service':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/swh/deploy/storage/objstorage_log_checker.service.erb'),
notify => Exec['systemd-daemon-reload'],
require => [
File[$conf_file],
Package[$swh_packages],
]
}
}
diff --git a/manifests/swh/deploy/objstorage_repair_checker.pp b/manifests/swh/deploy/objstorage_repair_checker.pp
index 7692abf2..dbf36376 100644
--- a/manifests/swh/deploy/objstorage_repair_checker.pp
+++ b/manifests/swh/deploy/objstorage_repair_checker.pp
@@ -1,48 +1,48 @@
# Deployment of the swh.objstorage.checker.RepairContentChecker
class profile::swh::deploy::objstorage_repair_checker {
- $conf_directory = hiera('swh::deploy::objstorage_repair_checker::conf_directory')
- $conf_file = hiera('swh::deploy::objstorage_repair_checker::conf_file')
- $user = hiera('swh::deploy::objstorage_repair_checker::user')
- $group = hiera('swh::deploy::objstorage_repair_checker::group')
+ $conf_directory = lookup('swh::deploy::objstorage_repair_checker::conf_directory')
+ $conf_file = lookup('swh::deploy::objstorage_repair_checker::conf_file')
+ $user = lookup('swh::deploy::objstorage_repair_checker::user')
+ $group = lookup('swh::deploy::objstorage_repair_checker::group')
- $repair_checker_config = hiera('swh::deploy::objstorage_repair_checker::config')
+ $repair_checker_config = lookup('swh::deploy::objstorage_repair_checker::config')
$swh_packages = ['python3-swh.objstorage.checker']
package {$swh_packages:
ensure => latest,
require => Apt::Source['softwareheritage'],
}
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0750',
}
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @repair_checker_config.to_yaml %>\n"),
}
include ::systemd
file {'/etc/systemd/system/objstorage_repair_checker.service':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/swh/deploy/storage/objstorage_repair_checker.service.erb'),
notify => Exec['systemd-daemon-reload'],
require => [
File[$conf_file],
Package[$swh_packages],
]
}
}
diff --git a/manifests/swh/deploy/rpc_server.pp b/manifests/swh/deploy/rpc_server.pp
index e31db6c4..2ffbeadc 100644
--- a/manifests/swh/deploy/rpc_server.pp
+++ b/manifests/swh/deploy/rpc_server.pp
@@ -1,138 +1,138 @@
# Deploy an instance of a rpc service
define profile::swh::deploy::rpc_server (
String $executable,
String $instance_name = $name,
String $http_check_string = "SWH ${capitalize($name)} API server",
Enum['sync', 'async'] $worker = 'sync',
) {
include ::profile::nginx
- $conf_file = hiera("swh::deploy::${instance_name}::conf_file")
- $user = hiera("swh::deploy::${instance_name}::user")
- $group = hiera("swh::deploy::${instance_name}::group")
+ $conf_file = lookup("swh::deploy::${instance_name}::conf_file")
+ $user = lookup("swh::deploy::${instance_name}::user")
+ $group = lookup("swh::deploy::${instance_name}::group")
$service_name = "swh-${instance_name}"
$gunicorn_service_name = "gunicorn-${service_name}"
$gunicorn_unix_socket = "unix:/run/gunicorn/${service_name}/gunicorn.sock"
- $backend_listen_host = hiera("swh::deploy::${instance_name}::backend::listen::host")
- $backend_listen_port = hiera("swh::deploy::${instance_name}::backend::listen::port")
- $nginx_server_names = hiera("swh::deploy::${instance_name}::backend::server_names")
+ $backend_listen_host = lookup("swh::deploy::${instance_name}::backend::listen::host")
+ $backend_listen_port = lookup("swh::deploy::${instance_name}::backend::listen::port")
+ $nginx_server_names = lookup("swh::deploy::${instance_name}::backend::server_names")
- $backend_workers = hiera("swh::deploy::${instance_name}::backend::workers")
- $backend_http_keepalive = hiera("swh::deploy::${instance_name}::backend::http_keepalive")
- $backend_http_timeout = hiera("swh::deploy::${instance_name}::backend::http_timeout")
- $backend_reload_mercy = hiera("swh::deploy::${instance_name}::backend::reload_mercy")
- $backend_max_requests = hiera("swh::deploy::${instance_name}::backend::max_requests")
- $backend_max_requests_jitter = hiera("swh::deploy::${instance_name}::backend::max_requests_jitter")
+ $backend_workers = lookup("swh::deploy::${instance_name}::backend::workers")
+ $backend_http_keepalive = lookup("swh::deploy::${instance_name}::backend::http_keepalive")
+ $backend_http_timeout = lookup("swh::deploy::${instance_name}::backend::http_timeout")
+ $backend_reload_mercy = lookup("swh::deploy::${instance_name}::backend::reload_mercy")
+ $backend_max_requests = lookup("swh::deploy::${instance_name}::backend::max_requests")
+ $backend_max_requests_jitter = lookup("swh::deploy::${instance_name}::backend::max_requests_jitter")
- $instance_config = hiera("swh::deploy::${instance_name}::config")
+ $instance_config = lookup("swh::deploy::${instance_name}::config")
include ::gunicorn
case $worker {
'sync': {
$gunicorn_worker_class = 'sync'
$nginx_proxy_buffering = 'on'
}
'async': {
$gunicorn_worker_class = 'aiohttp.worker.GunicornWebWorker'
$nginx_proxy_buffering = 'off'
}
default: {
fail("Worker class ${worker} is unsupported by this module.")
}
}
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @instance_config.to_yaml %>\n"),
notify => Service["gunicorn-swh-${instance_name}"],
}
::nginx::resource::upstream {"swh-${instance_name}-gunicorn":
upstream_fail_timeout => 0,
members => [
$gunicorn_unix_socket,
],
}
# Default server on listen_port: return 444 for wrong domain name
::nginx::resource::server {"nginx-swh-${instance_name}-default":
ensure => present,
listen_ip => $backend_listen_host,
listen_port => $backend_listen_port,
listen_options => 'default_server',
maintenance => true,
maintenance_value => 'return 444',
}
# actual server
::nginx::resource::server {"nginx-swh-${instance_name}":
ensure => present,
listen_ip => $backend_listen_host,
listen_port => $backend_listen_port,
listen_options => 'deferred',
server_name => $nginx_server_names,
client_max_body_size => '4G',
proxy => "http://swh-${instance_name}-gunicorn",
proxy_buffering => $nginx_proxy_buffering,
}
::gunicorn::instance {$service_name:
ensure => enabled,
user => $user,
group => $group,
executable => $executable,
settings => {
bind => $gunicorn_unix_socket,
workers => $backend_workers,
worker_class => $gunicorn_worker_class,
timeout => $backend_http_timeout,
graceful_timeout => $backend_reload_mercy,
keepalive => $backend_http_keepalive,
max_requests => $backend_max_requests,
max_requests_jitter => $backend_max_requests_jitter,
},
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"swh-${instance_name} api (localhost on ${::fqdn})":
service_name => "swh-${instance_name} api (localhost)",
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
command_endpoint => $::fqdn,
vars => {
http_address => '127.0.0.1',
http_vhost => '127.0.0.1',
http_port => $backend_listen_port,
http_uri => '/',
http_string => $http_check_string,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
if $backend_listen_host != '127.0.0.1' {
@@::icinga2::object::service {"swh-${instance_name} api (remote on ${::fqdn})":
service_name => "swh-${instance_name} api (remote)",
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_vhost => $::fqdn,
http_port => $backend_listen_port,
http_uri => '/',
http_string => 'SWH Vault API server',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
}
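Review bot: The remote Icinga check hard-codes `http_string => 'SWH Vault API server'`, while the localhost check above it uses `$http_check_string`; for any instance other than the vault (objstorage.pp declares one named `objstorage`) the remote check would look for the wrong banner. Use `http_string => $http_check_string,` there. Two smaller points in the same define: `$gunicorn_service_name` is assigned, yet `file {$conf_file:` rebuilds the name as `Service["gunicorn-swh-${instance_name}"]`, and the `default:` branch of `case $worker` cannot be reached because the parameter is typed `Enum['sync', 'async']`.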
diff --git a/manifests/swh/deploy/scheduler.pp b/manifests/swh/deploy/scheduler.pp
index 25ce0616..664b37b2 100644
--- a/manifests/swh/deploy/scheduler.pp
+++ b/manifests/swh/deploy/scheduler.pp
@@ -1,131 +1,131 @@
# Deployment of swh-scheduler related utilities
class profile::swh::deploy::scheduler {
- $conf_file = hiera('swh::deploy::scheduler::conf_file')
- $user = hiera('swh::deploy::scheduler::user')
- $group = hiera('swh::deploy::scheduler::group')
- $database = hiera('swh::deploy::scheduler::database')
+ $conf_file = lookup('swh::deploy::scheduler::conf_file')
+ $user = lookup('swh::deploy::scheduler::user')
+ $group = lookup('swh::deploy::scheduler::group')
+ $database = lookup('swh::deploy::scheduler::database')
- $task_broker = hiera('swh::deploy::scheduler::task_broker')
- $task_packages = hiera('swh::deploy::scheduler::task_packages')
- $task_modules = hiera('swh::deploy::scheduler::task_modules')
- $task_backported_packages = hiera('swh::deploy::scheduler::backported_packages')
+ $task_broker = lookup('swh::deploy::scheduler::task_broker')
+ $task_packages = lookup('swh::deploy::scheduler::task_packages')
+ $task_modules = lookup('swh::deploy::scheduler::task_modules')
+ $task_backported_packages = lookup('swh::deploy::scheduler::backported_packages')
include ::systemd
$listener_service_name = 'swh-scheduler-listener'
$listener_service_file = "/etc/systemd/system/${listener_service_name}.service"
$listener_service_template = "profile/swh/deploy/scheduler/${listener_service_name}.service.erb"
$runner_service_name = 'swh-scheduler-runner'
$runner_service_file = "/etc/systemd/system/${runner_service_name}.service"
$runner_service_template = "profile/swh/deploy/scheduler/${runner_service_name}.service.erb"
$worker_conf_file = '/etc/softwareheritage/worker.ini'
$packages = ['python3-swh.scheduler']
$services = [$listener_service_name, $runner_service_name]
$pinned_packages = $task_backported_packages[$::lsbdistcodename]
if $pinned_packages {
::apt::pin {'swh-scheduler':
explanation => 'Pin swh.scheduler dependencies to backports',
codename => "${::lsbdistcodename}-backports",
packages => $pinned_packages,
priority => 990,
} ->
package {$task_packages:
ensure => installed,
notify => Service[$runner_service_name],
}
} else {
package {$task_packages:
ensure => installed,
notify => Service[$runner_service_name],
}
}
package {$packages:
ensure => installed,
notify => Service[$services],
}
# Template uses variables
# - $database
#
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => template('profile/swh/deploy/scheduler/scheduler.ini.erb'),
notify => Service[$services],
}
# Template uses variables
# - $task_broker
# - $task_modules
#
file {$worker_conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => template('profile/swh/deploy/scheduler/worker.ini.erb'),
notify => Service[$runner_service_name],
}
# Template uses variables
# - $user
# - $group
#
file {$listener_service_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template($listener_service_template),
notify => [
Exec['systemd-daemon-reload'],
Service[$listener_service_name],
],
}
# Template uses variables
# - $user
# - $group
#
file {$runner_service_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template($runner_service_template),
notify => [
Exec['systemd-daemon-reload'],
Service[$runner_service_name],
],
}
service {$runner_service_name:
ensure => running,
enable => true,
require => [
Package[$packages],
Package[$task_packages],
File[$conf_file],
File[$worker_conf_file],
File[$runner_service_file],
],
}
service {$listener_service_name:
ensure => running,
enable => true,
require => [
Package[$packages],
File[$conf_file],
File[$worker_conf_file],
File[$listener_service_file],
],
}
}
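Review bot: The two `package {$task_packages:` declarations in the `if $pinned_packages` and `else` branches are identical; only the `::apt::pin` is conditional. Declaring the package once after the conditional and keeping just the pin inside the `if`, ordered with `Apt::Pin['swh-scheduler'] -> Package[$task_packages]`, removes the duplication and the risk of the two copies drifting apart.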
diff --git a/manifests/swh/deploy/storage.pp b/manifests/swh/deploy/storage.pp
index 5af8347f..06db7b0e 100644
--- a/manifests/swh/deploy/storage.pp
+++ b/manifests/swh/deploy/storage.pp
@@ -1,92 +1,92 @@
# Deployment of the swh.storage.api server
class profile::swh::deploy::storage {
include ::profile::swh::deploy::base_storage
- $conf_file = hiera('swh::deploy::storage::conf_file')
- $user = hiera('swh::deploy::storage::user')
- $group = hiera('swh::deploy::storage::group')
+ $conf_file = lookup('swh::deploy::storage::conf_file')
+ $user = lookup('swh::deploy::storage::user')
+ $group = lookup('swh::deploy::storage::group')
$swh_packages = ['python3-swh.storage']
- $backend_listen_host = hiera('swh::deploy::storage::backend::listen::host')
- $backend_listen_port = hiera('swh::deploy::storage::backend::listen::port')
+ $backend_listen_host = lookup('swh::deploy::storage::backend::listen::host')
+ $backend_listen_port = lookup('swh::deploy::storage::backend::listen::port')
$backend_listen_address = "${backend_listen_host}:${backend_listen_port}"
- $backend_workers = hiera('swh::deploy::storage::backend::workers')
- $backend_http_keepalive = hiera('swh::deploy::storage::backend::http_keepalive')
- $backend_http_timeout = hiera('swh::deploy::storage::backend::http_timeout')
- $backend_reload_mercy = hiera('swh::deploy::storage::backend::reload_mercy')
- $backend_max_requests = hiera('swh::deploy::storage::backend::max_requests')
- $backend_max_requests_jitter = hiera('swh::deploy::storage::backend::max_requests_jitter')
+ $backend_workers = lookup('swh::deploy::storage::backend::workers')
+ $backend_http_keepalive = lookup('swh::deploy::storage::backend::http_keepalive')
+ $backend_http_timeout = lookup('swh::deploy::storage::backend::http_timeout')
+ $backend_reload_mercy = lookup('swh::deploy::storage::backend::reload_mercy')
+ $backend_max_requests = lookup('swh::deploy::storage::backend::max_requests')
+ $backend_max_requests_jitter = lookup('swh::deploy::storage::backend::max_requests_jitter')
- $storage_config = hiera('swh::deploy::storage::config')
+ $storage_config = lookup('swh::deploy::storage::config')
include ::gunicorn
package {$swh_packages:
ensure => latest,
require => Apt::Source['softwareheritage'],
notify => Service['gunicorn-swh-storage'],
}
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @storage_config.to_yaml %>\n"),
notify => Service['gunicorn-swh-storage'],
}
::gunicorn::instance {'swh-storage':
ensure => enabled,
user => $user,
group => $group,
executable => 'swh.storage.api.server:run_from_webserver',
settings => {
bind => $backend_listen_address,
workers => $backend_workers,
worker_class => 'sync',
timeout => $backend_http_timeout,
graceful_timeout => $backend_reload_mercy,
keepalive => $backend_http_keepalive,
max_requests => $backend_max_requests,
max_requests_jitter => $backend_max_requests_jitter,
}
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"swh-storage api (localhost on ${::fqdn})":
service_name => 'swh-storage api (localhost)',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
command_endpoint => $::fqdn,
vars => {
http_address => '127.0.0.1',
http_port => $backend_listen_port,
http_uri => '/',
http_string => 'SWH Storage API server',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
if $backend_listen_host != '127.0.0.1' {
@@::icinga2::object::service {"swh-storage api (remote on ${::fqdn})":
service_name => 'swh-storage api (remote)',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_port => $backend_listen_port,
http_uri => '/',
http_string => 'SWH Storage API server',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
}
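Review bot: The `package {$swh_packages:` resource keeps `ensure => latest` together with `notify => Service['gunicorn-swh-storage']`, so whatever version of `python3-swh.storage` the configured apt sources offer is installed and the storage API restarted on the next agent run, with no version pin visible in this manifest. If that rollout model is intended, say so above the resource, e.g. `# latest is deliberate: first-party package, upgrades roll out on the next agent run`. Otherwise take the version from Hiera, now that the other values are read through `lookup()`. The same pattern is in the storage_listener.pp, webapp.pp and swh_loader_deposit.pp hunks.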
diff --git a/manifests/swh/deploy/storage_listener.pp b/manifests/swh/deploy/storage_listener.pp
index d407f859..f08a4ff3 100644
--- a/manifests/swh/deploy/storage_listener.pp
+++ b/manifests/swh/deploy/storage_listener.pp
@@ -1,68 +1,68 @@
# Deployment of the swh.storage.listener
class profile::swh::deploy::storage_listener {
- $conf_directory = hiera('swh::deploy::storage_listener::conf_directory')
- $conf_file = hiera('swh::deploy::storage_listener::conf_file')
- $user = hiera('swh::deploy::storage_listener::user')
- $group = hiera('swh::deploy::storage_listener::group')
- $database = hiera('swh::deploy::storage_listener::database')
- $topic_prefix = hiera('swh::deploy::storage_listener::topic_prefix')
- $kafka_brokers = hiera_array('swh::deploy::storage_listener::kafka_brokers')
- $poll_timeout = hiera('swh::deploy::storage_listener::poll_timeout')
+ $conf_directory = lookup('swh::deploy::storage_listener::conf_directory')
+ $conf_file = lookup('swh::deploy::storage_listener::conf_file')
+ $user = lookup('swh::deploy::storage_listener::user')
+ $group = lookup('swh::deploy::storage_listener::group')
+ $database = lookup('swh::deploy::storage_listener::database')
+ $topic_prefix = lookup('swh::deploy::storage_listener::topic_prefix')
+ $kafka_brokers = lookup('swh::deploy::storage_listener::kafka_brokers', Array, 'unique')
+ $poll_timeout = lookup('swh::deploy::storage_listener::poll_timeout')
include ::systemd
$service_name = 'swh-storage-listener'
$service_file = "/etc/systemd/system/${service_name}.service"
package {'python3-swh.storage.listener':
ensure => latest,
notify => Service[$service_name],
}
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0750',
}
# Template uses variables
# - $database
# - $kafka_brokers
# - $topic_prefix
# - $poll_timeout
#
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
require => File[$conf_directory],
content => template('profile/swh/deploy/storage_listener/listener.ini.erb'),
notify => Service[$service_name],
}
# Template uses variables
# - $user
# - $group
#
file {$service_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/swh/deploy/storage_listener/swh-storage-listener.service.erb'),
require => Package['python3-swh.storage.listener'],
notify => [
Exec['systemd-daemon-reload'],
Service[$service_name],
],
}
service {$service_name:
ensure => running,
enable => true,
require => File[$service_file],
}
}
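Review bot: `File[$service_file]` notifies both `Exec['systemd-daemon-reload']` and `Service[$service_name]`, but nothing in this hunk orders the two, so the service can be refreshed before systemd has re-read the changed unit file. Unless the `::systemd` class already enforces that ordering, add it on the service: `require => [File[$service_file], Exec['systemd-daemon-reload']],`.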
diff --git a/manifests/swh/deploy/webapp.pp b/manifests/swh/deploy/webapp.pp
index ed1996cb..8de3771f 100644
--- a/manifests/swh/deploy/webapp.pp
+++ b/manifests/swh/deploy/webapp.pp
@@ -1,250 +1,250 @@
# WebApp deployment
class profile::swh::deploy::webapp {
- $conf_directory = hiera('swh::deploy::webapp::conf_directory')
- $conf_file = hiera('swh::deploy::webapp::conf_file')
- $user = hiera('swh::deploy::webapp::user')
- $group = hiera('swh::deploy::webapp::group')
+ $conf_directory = lookup('swh::deploy::webapp::conf_directory')
+ $conf_file = lookup('swh::deploy::webapp::conf_file')
+ $user = lookup('swh::deploy::webapp::user')
+ $group = lookup('swh::deploy::webapp::group')
- $webapp_config = hiera('swh::deploy::webapp::config')
- $conf_log_dir = hiera('swh::deploy::webapp::conf::log_dir')
+ $webapp_config = lookup('swh::deploy::webapp::config')
+ $conf_log_dir = lookup('swh::deploy::webapp::conf::log_dir')
- $backend_listen_host = hiera('swh::deploy::webapp::backend::listen::host')
- $backend_listen_port = hiera('swh::deploy::webapp::backend::listen::port')
+ $backend_listen_host = lookup('swh::deploy::webapp::backend::listen::host')
+ $backend_listen_port = lookup('swh::deploy::webapp::backend::listen::port')
$backend_listen_address = "${backend_listen_host}:${backend_listen_port}"
- $backend_workers = hiera('swh::deploy::webapp::backend::workers')
- $backend_http_keepalive = hiera('swh::deploy::webapp::backend::http_keepalive')
- $backend_http_timeout = hiera('swh::deploy::webapp::backend::http_timeout')
- $backend_reload_mercy = hiera('swh::deploy::webapp::backend::reload_mercy')
+ $backend_workers = lookup('swh::deploy::webapp::backend::workers')
+ $backend_http_keepalive = lookup('swh::deploy::webapp::backend::http_keepalive')
+ $backend_http_timeout = lookup('swh::deploy::webapp::backend::http_timeout')
+ $backend_reload_mercy = lookup('swh::deploy::webapp::backend::reload_mercy')
$swh_packages = ['python3-swh.web']
$static_dir = '/usr/lib/python3/dist-packages/swh/web/static'
- $vhost_name = hiera('swh::deploy::webapp::vhost::name')
- $vhost_port = hiera('apache::http_port')
- $vhost_aliases = hiera('swh::deploy::webapp::vhost::aliases')
- $vhost_docroot = hiera('swh::deploy::webapp::vhost::docroot')
+ $vhost_name = lookup('swh::deploy::webapp::vhost::name')
+ $vhost_port = lookup('apache::http_port')
+ $vhost_aliases = lookup('swh::deploy::webapp::vhost::aliases')
+ $vhost_docroot = lookup('swh::deploy::webapp::vhost::docroot')
$vhost_basic_auth_file = "${conf_directory}/http_auth"
- $vhost_basic_auth_content = hiera('swh::deploy::webapp::vhost::basic_auth_content')
- $vhost_ssl_port = hiera('apache::https_port')
- $vhost_ssl_protocol = hiera('swh::deploy::webapp::vhost::ssl_protocol')
- $vhost_ssl_honorcipherorder = hiera('swh::deploy::webapp::vhost::ssl_honorcipherorder')
- $vhost_ssl_cipher = hiera('swh::deploy::webapp::vhost::ssl_cipher')
+ $vhost_basic_auth_content = lookup('swh::deploy::webapp::vhost::basic_auth_content')
+ $vhost_ssl_port = lookup('apache::https_port')
+ $vhost_ssl_protocol = lookup('swh::deploy::webapp::vhost::ssl_protocol')
+ $vhost_ssl_honorcipherorder = lookup('swh::deploy::webapp::vhost::ssl_honorcipherorder')
+ $vhost_ssl_cipher = lookup('swh::deploy::webapp::vhost::ssl_cipher')
- $locked_endpoints = hiera_array('swh::deploy::webapp::locked_endpoints')
+ $locked_endpoints = lookup('swh::deploy::webapp::locked_endpoints', Array, 'unique')
$endpoint_directories = $locked_endpoints.map |$endpoint| {
{ path => "^${endpoint}",
provider => 'locationmatch',
auth_type => 'Basic',
auth_name => 'Software Heritage development',
auth_user_file => $vhost_basic_auth_file,
auth_require => 'valid-user',
}
}
include ::gunicorn
package {$swh_packages:
ensure => latest,
require => Apt::Source['softwareheritage'],
notify => Service['gunicorn-swh-webapp'],
}
file {$conf_directory:
ensure => directory,
owner => 'root',
group => $group,
mode => '0755',
}
file {$conf_log_dir:
ensure => directory,
owner => 'root',
group => $group,
mode => '0770',
}
file {$vhost_docroot:
ensure => directory,
owner => 'root',
group => $group,
mode => '0755',
}
file {$conf_file:
ensure => present,
owner => 'root',
group => $group,
mode => '0640',
content => inline_template("<%= @webapp_config.to_yaml %>\n"),
notify => Service['gunicorn-swh-webapp'],
}
::gunicorn::instance {'swh-webapp':
ensure => enabled,
user => $user,
group => $group,
executable => 'swh.web.wsgi:application',
settings => {
bind => $backend_listen_address,
workers => $backend_workers,
worker_class => 'sync',
timeout => $backend_http_timeout,
graceful_timeout => $backend_reload_mercy,
keepalive => $backend_http_keepalive,
}
}
include ::profile::apache::common
include ::apache::mod::proxy
include ::apache::mod::headers
::apache::vhost {"${vhost_name}_non-ssl":
servername => $vhost_name,
serveraliases => $vhost_aliases,
port => $vhost_port,
docroot => $vhost_docroot,
proxy_pass => [
{ path => '/static',
url => '!',
},
{ path => '/robots.txt',
url => '!',
},
{ path => '/favicon.ico',
url => '!',
},
{ path => '/',
url => "http://${backend_listen_address}/",
},
],
directories => [
{ path => '/api',
provider => 'location',
allow => 'from all',
satisfy => 'Any',
headers => ['add Access-Control-Allow-Origin "*"'],
},
{ path => $static_dir,
options => ['-Indexes'],
},
] + $endpoint_directories,
aliases => [
{ alias => '/static',
path => $static_dir,
},
{ alias => '/robots.txt',
path => "${static_dir}/robots.txt",
},
],
require => [
File[$vhost_basic_auth_file],
],
}
$ssl_cert_name = 'star_softwareheritage_org'
include ::profile::hitch
realize(::Profile::Hitch::Ssl_cert[$ssl_cert_name])
include ::profile::varnish
::profile::varnish::vhost {$vhost_name:
aliases => $vhost_aliases,
- hsts_max_age => hiera('strict_transport_security::max_age'),
+ hsts_max_age => lookup('strict_transport_security::max_age'),
}
file {$vhost_basic_auth_file:
ensure => present,
owner => 'root',
group => 'www-data',
mode => '0640',
content => $vhost_basic_auth_content,
}
$icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf'
@@::icinga2::object::service {"swh-webapp http redirect on ${::fqdn}":
service_name => 'swh webapp http redirect',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_port,
http_uri => '/',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"swh-webapp https on ${::fqdn}":
service_name => 'swh webapp',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_ssl_port,
http_ssl => true,
http_sni => true,
http_uri => '/',
http_onredirect => sticky
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"swh-webapp https certificate ${::fqdn}":
service_name => 'swh webapp https certificate',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_ssl_port,
http_ssl => true,
http_sni => true,
http_certificate => 60,
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"swh-webapp counters ${::fqdn}":
service_name => 'swh webapp counters',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_ssl_port,
http_uri => '/api/1/stat/counters/',
http_ssl => true,
http_string => '\"content\":'
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
@@::icinga2::object::service {"swh-webapp content known ${::fqdn}":
service_name => 'swh webapp content known',
import => ['generic-service'],
host_name => $::fqdn,
check_command => 'http',
vars => {
http_address => $vhost_name,
http_vhost => $vhost_name,
http_port => $vhost_ssl_port,
http_uri => '/api/1/content/known/search/',
http_ssl => true,
http_post => 'q=8624bcdae55baeef00cd11d5dfcfa60f68710a02',
http_string => '\"found\":true',
},
target => $icinga_checks_file,
tag => 'icinga2::exported',
}
}
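Review bot: In the `::apache::vhost` `directories` list, the `/api` location sets `allow => 'from all'` with `satisfy => 'Any'`, and the Basic-auth entries built from `$locked_endpoints` are appended after it. With `Satisfy Any`, passing the host check alone is enough, so a locked endpoint whose path starts with `/api` would probably stay reachable without credentials. Whether any entry does depends on the Hiera data, which is not visible here. Because the list is merged across hierarchy levels (`'unique'`), a comment next to the lookup would make the constraint explicit: `# locked_endpoints must not be under /api: Satisfy Any there bypasses the Basic auth below`.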
diff --git a/manifests/swh/deploy/worker.pp b/manifests/swh/deploy/worker.pp
index 544bd24d..2c106ea8 100644
--- a/manifests/swh/deploy/worker.pp
+++ b/manifests/swh/deploy/worker.pp
@@ -1,9 +1,9 @@
# Worker deployment
class profile::swh::deploy::worker {
- $instances = hiera('swh::deploy::worker::instances')
+ $instances = lookup('swh::deploy::worker::instances')
each($instances) |$instance| {
$classname = "::profile::swh::deploy::worker::${instance}"
include $classname
}
}
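Review bot: `$instances` comes from an untyped `lookup()` and each element is interpolated into a class name passed to `include`, so a malformed value only surfaces as a failure inside the loop. `lookup()` accepts a type as its second argument. Assuming the data is a list of names, `lookup('swh::deploy::worker::instances', Array[String[1]])` rejects anything else at the lookup.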
diff --git a/manifests/swh/deploy/worker/swh_indexer_ctags.pp b/manifests/swh/deploy/worker/swh_indexer_ctags.pp
index e83e17aa..e4d797fa 100644
--- a/manifests/swh/deploy/worker/swh_indexer_ctags.pp
+++ b/manifests/swh/deploy/worker/swh_indexer_ctags.pp
@@ -1,38 +1,38 @@
# Deployment for swh-indexer-ctags
class profile::swh::deploy::worker::swh_indexer_ctags {
include ::profile::swh::deploy::indexer
- $concurrency = hiera('swh::deploy::worker::swh_indexer::ctags::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_indexer::ctags::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_indexer::ctags::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_indexer::ctags::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_indexer::ctags::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_indexer::ctags::task_broker')
$config_file = '/etc/softwareheritage/indexer/ctags.yml'
- $config = hiera('swh::deploy::worker::swh_indexer::ctags::config')
+ $config = lookup('swh::deploy::worker::swh_indexer::ctags::config')
$task_modules = ['swh.indexer.tasks']
$task_queues = ['swh_indexer_content_ctags']
::profile::swh::deploy::worker::instance {'swh_indexer_ctags':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Class['profile::swh::deploy::indexer'],
Class['profile::swh::deploy::objstorage_cloud'],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhdev',
# Contains passwords
mode => '0640',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
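Review bot: The `file {$config_file:` resource is marked `# Contains passwords` and protects the file on disk with `mode => '0640'`, but its rendered `content` is still eligible for diff output in agent logs and reports whenever the YAML changes and diffs are enabled on the agent. Adding `show_diff => false,` to the resource keeps the secret values out of that output. The same applies to the `$config_file` resources in the swh_indexer_fossology_license.pp, swh_indexer_language.pp, swh_indexer_mimetype.pp, swh_indexer_rehash.pp, swh_lister_debian.pp and swh_lister_github.pp hunks. It presumably also applies to `$swh_client_conf_file` in swh_loader_deposit.pp, which is filled from `settings_private_data`.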
diff --git a/manifests/swh/deploy/worker/swh_indexer_fossology_license.pp b/manifests/swh/deploy/worker/swh_indexer_fossology_license.pp
index e6fb999a..00382417 100644
--- a/manifests/swh/deploy/worker/swh_indexer_fossology_license.pp
+++ b/manifests/swh/deploy/worker/swh_indexer_fossology_license.pp
@@ -1,38 +1,38 @@
# Deployment for swh-indexer-fossology-license
class profile::swh::deploy::worker::swh_indexer_fossology_license {
include ::profile::swh::deploy::indexer
- $concurrency = hiera('swh::deploy::worker::swh_indexer::fossology_license::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_indexer::fossology_license::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_indexer::fossology_license::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_indexer::fossology_license::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_indexer::fossology_license::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_indexer::fossology_license::task_broker')
$config_file = '/etc/softwareheritage/indexer/fossology_license.yml'
- $config = hiera('swh::deploy::worker::swh_indexer::fossology_license::config')
+ $config = lookup('swh::deploy::worker::swh_indexer::fossology_license::config')
$task_modules = ['swh.indexer.tasks']
$task_queues = ['swh_indexer_content_fossology_license']
::profile::swh::deploy::worker::instance {'swh_indexer_fossology_license':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Class['profile::swh::deploy::indexer'],
Class['profile::swh::deploy::objstorage_cloud'],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhdev',
# Contains passwords
mode => '0640',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_indexer_language.pp b/manifests/swh/deploy/worker/swh_indexer_language.pp
index f22f7be7..c686bc6f 100644
--- a/manifests/swh/deploy/worker/swh_indexer_language.pp
+++ b/manifests/swh/deploy/worker/swh_indexer_language.pp
@@ -1,38 +1,38 @@
# Deployment for swh-indexer-language
class profile::swh::deploy::worker::swh_indexer_language {
include ::profile::swh::deploy::indexer
- $concurrency = hiera('swh::deploy::worker::swh_indexer::language::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_indexer::language::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_indexer::language::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_indexer::language::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_indexer::language::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_indexer::language::task_broker')
$config_file = '/etc/softwareheritage/indexer/language.yml'
- $config = hiera('swh::deploy::worker::swh_indexer::language::config')
+ $config = lookup('swh::deploy::worker::swh_indexer::language::config')
$task_modules = ['swh.indexer.tasks']
$task_queues = ['swh_indexer_content_language']
::profile::swh::deploy::worker::instance {'swh_indexer_language':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Class['profile::swh::deploy::indexer'],
Class['profile::swh::deploy::objstorage_cloud'],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhdev',
# Contains passwords
mode => '0640',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_indexer_mimetype.pp b/manifests/swh/deploy/worker/swh_indexer_mimetype.pp
index 1c77c6c7..2cfca538 100644
--- a/manifests/swh/deploy/worker/swh_indexer_mimetype.pp
+++ b/manifests/swh/deploy/worker/swh_indexer_mimetype.pp
@@ -1,38 +1,38 @@
# Deployment for swh-indexer-mimetype
class profile::swh::deploy::worker::swh_indexer_mimetype {
include ::profile::swh::deploy::indexer
- $concurrency = hiera('swh::deploy::worker::swh_indexer::mimetype::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_indexer::mimetype::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_indexer::mimetype::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_indexer::mimetype::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_indexer::mimetype::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_indexer::mimetype::task_broker')
$config_file = '/etc/softwareheritage/indexer/mimetype.yml'
- $config = hiera('swh::deploy::worker::swh_indexer::mimetype::config')
+ $config = lookup('swh::deploy::worker::swh_indexer::mimetype::config')
$task_modules = ['swh.indexer.tasks']
$task_queues = ['swh_indexer_content_mimetype']
::profile::swh::deploy::worker::instance {'swh_indexer_mimetype':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Class['profile::swh::deploy::indexer'],
Class['profile::swh::deploy::objstorage_cloud'],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhdev',
# Contains passwords
mode => '0640',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_indexer_orchestrator.pp b/manifests/swh/deploy/worker/swh_indexer_orchestrator.pp
index 901419c6..4c0852fa 100644
--- a/manifests/swh/deploy/worker/swh_indexer_orchestrator.pp
+++ b/manifests/swh/deploy/worker/swh_indexer_orchestrator.pp
@@ -1,37 +1,37 @@
# Deployment for swh-indexer
class profile::swh::deploy::worker::swh_indexer_orchestrator {
include ::profile::swh::deploy::indexer
- $concurrency = hiera('swh::deploy::worker::swh_indexer::orchestrator::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_indexer::orchestrator::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_indexer::orchestrator::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_indexer::orchestrator::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_indexer::orchestrator::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_indexer::orchestrator::task_broker')
$config_file = '/etc/softwareheritage/indexer/orchestrator.yml'
- $config = hiera('swh::deploy::worker::swh_indexer::orchestrator::config')
+ $config = lookup('swh::deploy::worker::swh_indexer::orchestrator::config')
$task_modules = ['swh.indexer.tasks']
$task_queues = ['swh_indexer_orchestrator_content_all']
::profile::swh::deploy::worker::instance {'swh_indexer_orchestrator':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Class['profile::swh::deploy::indexer'],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhworker',
mode => '0644',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_indexer_orchestrator_text.pp b/manifests/swh/deploy/worker/swh_indexer_orchestrator_text.pp
index ddc14ef8..dbf5226c 100644
--- a/manifests/swh/deploy/worker/swh_indexer_orchestrator_text.pp
+++ b/manifests/swh/deploy/worker/swh_indexer_orchestrator_text.pp
@@ -1,37 +1,37 @@
# Deployment for swh-indexer
class profile::swh::deploy::worker::swh_indexer_orchestrator_text {
include ::profile::swh::deploy::indexer
- $concurrency = hiera('swh::deploy::worker::swh_indexer::orchestrator_text::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_indexer::orchestrator_text::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_indexer::orchestrator_text::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_indexer::orchestrator_text::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_indexer::orchestrator_text::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_indexer::orchestrator_text::task_broker')
$config_file = '/etc/softwareheritage/indexer/orchestrator_text.yml'
- $config = hiera('swh::deploy::worker::swh_indexer::orchestrator_text::config')
+ $config = lookup('swh::deploy::worker::swh_indexer::orchestrator_text::config')
$task_modules = ['swh.indexer.tasks']
$task_queues = ['swh_indexer_orchestrator_content_text']
::profile::swh::deploy::worker::instance {'swh_indexer_orchestrator_text':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Class['profile::swh::deploy::indexer'],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhworker',
mode => '0644',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_indexer_rehash.pp b/manifests/swh/deploy/worker/swh_indexer_rehash.pp
index 3a085d43..d01040c4 100644
--- a/manifests/swh/deploy/worker/swh_indexer_rehash.pp
+++ b/manifests/swh/deploy/worker/swh_indexer_rehash.pp
@@ -1,38 +1,38 @@
# Deployment for swh-indexer-rehash
class profile::swh::deploy::worker::swh_indexer_rehash {
include ::profile::swh::deploy::indexer
- $concurrency = hiera('swh::deploy::worker::swh_indexer::rehash::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_indexer::rehash::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_indexer::rehash::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_indexer::rehash::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_indexer::rehash::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_indexer::rehash::task_broker')
$config_file = '/etc/softwareheritage/indexer/rehash.yml'
- $config = hiera('swh::deploy::worker::swh_indexer::rehash::config')
+ $config = lookup('swh::deploy::worker::swh_indexer::rehash::config')
$task_modules = ['swh.indexer.tasks']
$task_queues = ['swh_indexer_content_rehash']
::profile::swh::deploy::worker::instance {'swh_indexer_rehash':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Class['profile::swh::deploy::indexer'],
Class['profile::swh::deploy::objstorage_cloud'],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhdev',
# Contains passwords
mode => '0640',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_lister_debian.pp b/manifests/swh/deploy/worker/swh_lister_debian.pp
index f6672603..10992afc 100644
--- a/manifests/swh/deploy/worker/swh_lister_debian.pp
+++ b/manifests/swh/deploy/worker/swh_lister_debian.pp
@@ -1,36 +1,36 @@
# Deployment for swh-lister-debian
class profile::swh::deploy::worker::swh_lister_debian {
- $concurrency = hiera('swh::deploy::worker::swh_lister_debian::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_lister_debian::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_lister_debian::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_lister_debian::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_lister_debian::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_lister_debian::task_broker')
$config_file = '/etc/softwareheritage/lister-debian.yml'
- $config = hiera_hash('swh::deploy::worker::swh_lister_debian::config')
+ $config = lookup('swh::deploy::worker::swh_lister_debian::config', Hash, 'deep')
$task_modules = ['swh.lister.debian.tasks']
$task_queues = ['swh_lister_debian']
include ::profile::swh::deploy::base_lister
::profile::swh::deploy::worker::instance {'swh_lister_debian':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Package['python3-swh.lister'],
File[$config_file],
],
}
# Contains passwords
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhdev',
mode => '0640',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
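Review bot: `hiera_hash()` merged with the behaviour configured in `hiera.yaml` (a shallow, top-level-key merge unless deep merging was enabled there), whereas the replacement `lookup(..., Hash, 'deep')` always merges nested keys recursively. If the old configuration was not deep, nested settings from lower-priority hierarchy levels will start appearing in `$config`, which is written to a file that holds passwords. In that case `lookup('swh::deploy::worker::swh_lister_debian::config', Hash, 'hash')` keeps the shallow behaviour. The `hiera.yaml` is not part of this hunk, so this needs checking against it; the same substitution is made in swh_lister_github.pp.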
diff --git a/manifests/swh/deploy/worker/swh_lister_github.pp b/manifests/swh/deploy/worker/swh_lister_github.pp
index cf813456..c33fda29 100644
--- a/manifests/swh/deploy/worker/swh_lister_github.pp
+++ b/manifests/swh/deploy/worker/swh_lister_github.pp
@@ -1,36 +1,36 @@
# Deployment for swh-lister-github
class profile::swh::deploy::worker::swh_lister_github {
- $concurrency = hiera('swh::deploy::worker::swh_lister_github::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_lister_github::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_lister_github::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_lister_github::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_lister_github::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_lister_github::task_broker')
$config_file = '/etc/softwareheritage/lister-github.com.yml'
- $config = hiera_hash('swh::deploy::worker::swh_lister_github::config')
+ $config = lookup('swh::deploy::worker::swh_lister_github::config', Hash, 'deep')
$task_modules = ['swh.lister.github.tasks']
$task_queues = ['swh_lister_github_discover', 'swh_lister_github_refresh']
include ::profile::swh::deploy::base_lister
::profile::swh::deploy::worker::instance {'swh_lister_github':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Package['python3-swh.lister'],
File[$config_file],
],
}
# Contains passwords
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhdev',
mode => '0640',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_loader_debian.pp b/manifests/swh/deploy/worker/swh_loader_debian.pp
index 1db5638b..03ea6d32 100644
--- a/manifests/swh/deploy/worker/swh_loader_debian.pp
+++ b/manifests/swh/deploy/worker/swh_loader_debian.pp
@@ -1,52 +1,52 @@
# Deployment for swh-loader-debian
class profile::swh::deploy::worker::swh_loader_debian {
- $concurrency = hiera('swh::deploy::worker::swh_loader_debian::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_loader_debian::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_loader_debian::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_loader_debian::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_loader_debian::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_loader_debian::task_broker')
$config_file = '/etc/softwareheritage/loader/debian.yml'
- $config = hiera('swh::deploy::worker::swh_loader_debian::config')
+ $config = lookup('swh::deploy::worker::swh_loader_debian::config')
$task_modules = ['swh.loader.debian.tasks']
$task_queues = ['swh_loader_debian']
if $::lsbdistcodename == 'jessie' {
$pinned_packages = [
'python3-sqlalchemy',
]
::apt::pin {'swh-loader-debian':
explanation => 'Pin swh.loader.debian dependencies to backports',
codename => 'jessie-backports',
packages => $pinned_packages,
priority => 990,
}
}
$packages = ['python3-swh.loader.debian']
package {$packages:
ensure => 'present',
}
::profile::swh::deploy::worker::instance {'swh_loader_debian':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Package[$packages],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhworker',
mode => '0644',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_loader_deposit.pp b/manifests/swh/deploy/worker/swh_loader_deposit.pp
index 2ccc0ae2..d224c486 100644
--- a/manifests/swh/deploy/worker/swh_loader_deposit.pp
+++ b/manifests/swh/deploy/worker/swh_loader_deposit.pp
@@ -1,65 +1,65 @@
# Deployment for swh-loader-deposit
class profile::swh::deploy::worker::swh_loader_deposit {
- $concurrency = hiera('swh::deploy::worker::swh_loader_deposit::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_loader_deposit::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_loader_deposit::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_loader_deposit::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_loader_deposit::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_loader_deposit::task_broker')
- $deposit_config_directory = hiera('swh::deploy::deposit::conf_directory')
- $config_file = hiera('swh::deploy::worker::swh_loader_deposit::swh_conf_file')
- $config = hiera('swh::deploy::worker::swh_loader_deposit::config')
+ $deposit_config_directory = lookup('swh::deploy::deposit::conf_directory')
+ $config_file = lookup('swh::deploy::worker::swh_loader_deposit::swh_conf_file')
+ $config = lookup('swh::deploy::worker::swh_loader_deposit::config')
$task_modules = ['swh.deposit.loader.tasks']
$task_queues = ['swh_checker_deposit', 'swh_loader_deposit']
$packages = ['python3-swh.deposit.loader']
- $private_tmp = hiera('swh::deploy::worker::swh_loader_deposit::private_tmp')
+ $private_tmp = lookup('swh::deploy::worker::swh_loader_deposit::private_tmp')
$service_name = 'swh_loader_deposit'
package {$packages:
ensure => 'latest',
notify => Service["swh-worker@$service_name"],
}
# This installs the swh-worker@$service_name service
::profile::swh::deploy::worker::instance {$service_name:
ensure => running,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
private_tmp => $private_tmp,
require => [
Package[$packages],
File[$config_file],
],
}
file {$deposit_config_directory:
ensure => directory,
owner => 'swhworker',
group => 'swhdev',
mode => '0750',
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhdev',
mode => '0640',
content => inline_template("<%= @config.to_yaml %>\n"),
require => [
File[$deposit_config_directory],
],
}
- $swh_client_conf_file = hiera('swh::deploy::deposit::client::swh_conf_file')
- $swh_client_config = hiera('swh::deploy::deposit::client::settings_private_data')
+ $swh_client_conf_file = lookup('swh::deploy::deposit::client::swh_conf_file')
+ $swh_client_config = lookup('swh::deploy::deposit::client::settings_private_data')
file {$swh_client_conf_file:
owner => 'swhworker',
group => 'swhdev',
mode => '0640',
content => inline_template("<%= @swh_client_config.to_yaml %>\n"),
}
}
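Review bot: `package {$packages: ensure => 'latest', ...}` makes every agent run install whatever version the repository currently offers and then restart the worker through `notify`, so an unexpected upload reaches the workers without a reviewed change. Taking the version from Hiera keeps upgrades in version control, e.g. `ensure => lookup('swh::deploy::worker::swh_loader_deposit::package_version'),` (key name constructed for illustration). swh_loader_mercurial.pp and swh_loader_svn.pp use the same `ensure => 'latest'`. In the svn class the package has no `notify`, so an upgrade there would not restart a running worker.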
diff --git a/manifests/swh/deploy/worker/swh_loader_git.pp b/manifests/swh/deploy/worker/swh_loader_git.pp
index d8e2c038..595397d9 100644
--- a/manifests/swh/deploy/worker/swh_loader_git.pp
+++ b/manifests/swh/deploy/worker/swh_loader_git.pp
@@ -1,35 +1,35 @@
# Deployment for swh-loader-git (remote)
class profile::swh::deploy::worker::swh_loader_git {
include ::profile::swh::deploy::base_loader_git
- $concurrency = hiera('swh::deploy::worker::swh_loader_git::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_loader_git::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_loader_git::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_loader_git::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_loader_git::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_loader_git::task_broker')
$config_file = '/etc/softwareheritage/loader/git-updater.yml'
- $config = hiera('swh::deploy::worker::swh_loader_git::config')
+ $config = lookup('swh::deploy::worker::swh_loader_git::config')
$task_modules = ['swh.loader.git.tasks']
$task_queues = ['swh_loader_git']
::profile::swh::deploy::worker::instance {'swh_loader_git':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Class['profile::swh::deploy::base_loader_git'],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhworker',
mode => '0644',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
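Review bot: `file {$config_file:` writes the looked-up `config` hash with `mode => '0644'`, so every local account on the worker can read it. If that hash ever carries credentials (the archiver's config does, per its own comment), `group => 'swhdev'` with `mode => '0640'` as in swh_loader_deposit.pp would be the safer default. The same mode is used for the config files in swh_loader_git_disk.pp, swh_loader_mercurial.pp, swh_loader_svn.pp and swh_vault_cooker.pp. Whether these hashes hold secrets is not visible in this diff, so this needs confirming against the Hiera data.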
diff --git a/manifests/swh/deploy/worker/swh_loader_git_disk.pp b/manifests/swh/deploy/worker/swh_loader_git_disk.pp
index e4dc1574..c0d9b971 100644
--- a/manifests/swh/deploy/worker/swh_loader_git_disk.pp
+++ b/manifests/swh/deploy/worker/swh_loader_git_disk.pp
@@ -1,39 +1,39 @@
# Deployment for swh-loader-git (disk)
class profile::swh::deploy::worker::swh_loader_git_disk {
include ::profile::swh::deploy::base_loader_git
- $concurrency = hiera('swh::deploy::worker::swh_loader_git_disk::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_loader_git_disk::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_loader_git_disk::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_loader_git_disk::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_loader_git_disk::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_loader_git_disk::task_broker')
$config_file = '/etc/softwareheritage/loader/git-loader.yml'
- $config = hiera('swh::deploy::worker::swh_loader_git_disk::config')
+ $config = lookup('swh::deploy::worker::swh_loader_git_disk::config')
$task_modules = ['swh.loader.git.tasks']
$task_queues = ['swh_loader_git_express', 'swh_loader_git_archive']
$service_name = 'swh_loader_git_disk'
Package[$::profile::swh::deploy::base_loader_git::packages] ~> Service["swh-worker@$service_name"]
::profile::swh::deploy::worker::instance {$service_name:
ensure => running,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Class['profile::swh::deploy::base_loader_git'],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhworker',
mode => '0644',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_loader_mercurial.pp b/manifests/swh/deploy/worker/swh_loader_mercurial.pp
index 6737a454..5cf92187 100644
--- a/manifests/swh/deploy/worker/swh_loader_mercurial.pp
+++ b/manifests/swh/deploy/worker/swh_loader_mercurial.pp
@@ -1,45 +1,45 @@
# Deployment for swh-loader-mercurial (disk)
class profile::swh::deploy::worker::swh_loader_mercurial {
include ::profile::swh::deploy::base_loader_git
- $concurrency = hiera('swh::deploy::worker::swh_loader_mercurial::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_loader_mercurial::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_loader_mercurial::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_loader_mercurial::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_loader_mercurial::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_loader_mercurial::task_broker')
$config_file = '/etc/softwareheritage/loader/hg.yml'
- $config = hiera('swh::deploy::worker::swh_loader_mercurial::config')
+ $config = lookup('swh::deploy::worker::swh_loader_mercurial::config')
$task_modules = ['swh.loader.mercurial.tasks']
$task_queues = ['swh_loader_mercurial', 'swh_loader_mercurial_archive']
$service_name = 'swh_loader_mercurial'
- $private_tmp = hiera('swh::deploy::worker::swh_loader_mercurial::private_tmp')
+ $private_tmp = lookup('swh::deploy::worker::swh_loader_mercurial::private_tmp')
$packages = ['python3-swh.loader.mercurial']
package {$packages:
ensure => 'latest',
notify => Service["swh-worker@$service_name"]
}
::profile::swh::deploy::worker::instance {$service_name:
ensure => running,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
private_tmp => $private_tmp,
require => [
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhworker',
mode => '0644',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_loader_svn.pp b/manifests/swh/deploy/worker/swh_loader_svn.pp
index c988e419..55b94d0f 100644
--- a/manifests/swh/deploy/worker/swh_loader_svn.pp
+++ b/manifests/swh/deploy/worker/swh_loader_svn.pp
@@ -1,43 +1,43 @@
# Deployment for swh-loader-svn
class profile::swh::deploy::worker::swh_loader_svn {
- $concurrency = hiera('swh::deploy::worker::swh_loader_svn::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_loader_svn::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_loader_svn::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_loader_svn::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_loader_svn::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_loader_svn::task_broker')
$config_file = '/etc/softwareheritage/loader/svn.yml'
- $config = hiera('swh::deploy::worker::swh_loader_svn::config')
+ $config = lookup('swh::deploy::worker::swh_loader_svn::config')
$task_modules = ['swh.loader.svn.tasks']
$task_queues = ['swh_loader_svn', 'swh_loader_svn_mount_and_load']
$packages = ['python3-swh.loader.svn']
- $limit_no_file = hiera('swh::deploy::worker::swh_loader_svn::limit_no_file')
- $private_tmp = hiera('swh::deploy::worker::swh_loader_svn::private_tmp')
+ $limit_no_file = lookup('swh::deploy::worker::swh_loader_svn::limit_no_file')
+ $private_tmp = lookup('swh::deploy::worker::swh_loader_svn::private_tmp')
package {$packages:
ensure => 'latest',
}
::profile::swh::deploy::worker::instance {'swh_loader_svn':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
limit_no_file => $limit_no_file,
private_tmp => $private_tmp,
require => [
Package[$packages],
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhworker',
mode => '0644',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
diff --git a/manifests/swh/deploy/worker/swh_storage_archiver.pp b/manifests/swh/deploy/worker/swh_storage_archiver.pp
index 86b2c54a..3f547c7a 100644
--- a/manifests/swh/deploy/worker/swh_storage_archiver.pp
+++ b/manifests/swh/deploy/worker/swh_storage_archiver.pp
@@ -1,35 +1,35 @@
# Deployment for swh-storage-archiver
class profile::swh::deploy::worker::swh_storage_archiver {
include ::profile::swh::deploy::archiver
- $concurrency = hiera('swh::deploy::worker::swh_storage_archiver::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_storage_archiver::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_storage_archiver::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_storage_archiver::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_storage_archiver::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_storage_archiver::task_broker')
- $config_file = hiera('swh::deploy::worker::swh_storage_archiver::conf_file')
- $config = hiera('swh::deploy::worker::swh_storage_archiver::config')
+ $config_file = lookup('swh::deploy::worker::swh_storage_archiver::conf_file')
+ $config = lookup('swh::deploy::worker::swh_storage_archiver::config')
$task_modules = ['swh.archiver.tasks']
$task_queues = ['swh_storage_archive_worker']
::profile::swh::deploy::worker::instance {'swh_storage_archiver':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
File[$config_file],
],
}
file {$config_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhdev',
# Contains passwords
mode => '0640',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
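Review bot: `file {$config_file:` is commented as containing passwords and is protected with `mode => '0640'`, but its content can still be printed as a diff in agent output and reports on nodes where the `show_diff` setting is enabled. Adding `show_diff => false,` to the resource keeps the old and new values out of those channels whatever the agent setting is. The two 0640 files in swh_loader_deposit.pp, in particular the one rendered from `settings_private_data`, would benefit from the same attribute.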
diff --git a/manifests/swh/deploy/worker/swh_vault_cooker.pp b/manifests/swh/deploy/worker/swh_vault_cooker.pp
index 9e139ca9..e31d4985 100644
--- a/manifests/swh/deploy/worker/swh_vault_cooker.pp
+++ b/manifests/swh/deploy/worker/swh_vault_cooker.pp
@@ -1,36 +1,36 @@
# Deployment of a vault cooker
class profile::swh::deploy::worker::swh_vault_cooker {
include ::profile::swh::deploy::base_vault
- $concurrency = hiera('swh::deploy::worker::swh_vault_cooker::concurrency')
- $loglevel = hiera('swh::deploy::worker::swh_vault_cooker::loglevel')
- $task_broker = hiera('swh::deploy::worker::swh_vault_cooker::task_broker')
+ $concurrency = lookup('swh::deploy::worker::swh_vault_cooker::concurrency')
+ $loglevel = lookup('swh::deploy::worker::swh_vault_cooker::loglevel')
+ $task_broker = lookup('swh::deploy::worker::swh_vault_cooker::task_broker')
- $conf_file = hiera('swh::deploy::worker::swh_vault_cooker::conf_file')
- $config = hiera('swh::deploy::worker::swh_vault_cooker::config')
+ $conf_file = lookup('swh::deploy::worker::swh_vault_cooker::conf_file')
+ $config = lookup('swh::deploy::worker::swh_vault_cooker::config')
$task_modules = ['swh.vault.cooking_tasks']
$task_queues = ['swh_vault_cooking']
::profile::swh::deploy::worker::instance {'swh_vault_cooker':
ensure => present,
concurrency => $concurrency,
loglevel => $loglevel,
task_broker => $task_broker,
task_modules => $task_modules,
task_queues => $task_queues,
require => [
Package[$packages],
File[$conf_file],
],
}
file {$conf_file:
ensure => 'present',
owner => 'swhworker',
group => 'swhworker',
mode => '0644',
content => inline_template("<%= @config.to_yaml %>\n"),
}
}
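Review bot: `Package[$packages]` in the `require` of the worker instance uses `$packages`, which this class never assigns in the lines shown. Variables of the included `::profile::swh::deploy::base_vault` class are not in local scope, so the reference evaluates to undef, or fails compilation under strict variables. The git loaders in this diff depend on their base class instead, and the same form works here: `Class['profile::swh::deploy::base_vault'],`. If the package list is needed by name it has to be fully qualified, the way swh_loader_git_disk.pp does for `base_loader_git::packages`.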
diff --git a/manifests/systemd_journal/journalbeat.pp b/manifests/systemd_journal/journalbeat.pp
index b1c1c019..84236410 100644
--- a/manifests/systemd_journal/journalbeat.pp
+++ b/manifests/systemd_journal/journalbeat.pp
@@ -1,78 +1,78 @@
# Journalbeat: a systemd journal collection beater for the ELK stack
class profile::systemd_journal::journalbeat {
$package = 'journalbeat'
$user = 'journalbeat'
$group = 'nogroup'
$homedir = '/var/lib/journalbeat'
$configdir = '/etc/journalbeat'
$configfile = "${configdir}/journalbeat.yml"
$service = 'journalbeat'
$servicefile = "/etc/systemd/system/${service}.service"
- $logstash_hosts = hiera('systemd_journal::logstash_hosts')
+ $logstash_hosts = lookup('systemd_journal::logstash_hosts')
include ::systemd
package {$package:
ensure => present
}
user {$user:
ensure => present,
gid => $group,
groups => 'systemd-journal',
home => $homedir,
managehome => true,
system => true,
}
# Uses variables
# - $user
# - $homedir
# - $configfile
#
file {$servicefile:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/systemd_journal/journalbeat/journalbeat.service.erb'),
require => Package[$package],
notify => [
Exec['systemd-daemon-reload'],
Service[$service],
],
}
file {$configdir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0644',
}
# Uses variables
# - $logstash_hosts
#
file {$configfile:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/systemd_journal/journalbeat/journalbeat.yml.erb'),
notify => [
Exec['systemd-daemon-reload'],
Service[$service],
],
}
service {$service:
ensure => running,
enable => true,
require => [
File[$servicefile],
File[$configfile],
Exec['systemd-daemon-reload'],
],
}
}
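Review bot: `file {$configdir:` is declared with `ensure => directory` and `mode => '0644'`, which reads as a directory that cannot be traversed. Puppet adds the search bit wherever read is set on a directory, so the effective mode is 0755. Writing `mode => '0755',` states the permissions that actually get applied. `file {$includes_dir:` in varnish.pp has the same pattern.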
diff --git a/manifests/unbound.pp b/manifests/unbound.pp
index 66d55acd..ac34a77a 100644
--- a/manifests/unbound.pp
+++ b/manifests/unbound.pp
@@ -1,94 +1,94 @@
# Parameters for the unbound DNS resolver
class profile::unbound {
- $has_local_cache = hiera('dns::local_cache')
+ $has_local_cache = lookup('dns::local_cache')
$package = 'unbound'
$service = 'unbound'
$conf_dir = '/etc/unbound/unbound.conf.d'
$forwarders_file = "${conf_dir}/forwarders.conf"
$insecure_file = "${conf_dir}/insecure.conf"
$auto_root_data = '/var/lib/unbound/root.key'
if $has_local_cache {
include ::profile::resolv_conf
- $forwarders = hiera('dns::forwarders')
- $forward_zones = hiera('dns::forward_zones')
- $insecure = hiera('dns::forwarder_insecure')
+ $forwarders = lookup('dns::forwarders')
+ $forward_zones = lookup('dns::forward_zones')
+ $insecure = lookup('dns::forwarder_insecure')
package {$package:
ensure => installed,
}
package {'dns-root-data':
ensure => installed,
}
service {$service:
ensure => running,
enable => true,
require => [
Package[$package],
File[$forwarders_file],
File[$auto_root_data],
],
}
Service[$service] -> File['/etc/resolv.conf']
# uses variables $forwarders, $forward_zones
file {$forwarders_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profile/unbound/forwarders.conf.erb'),
require => Package[$package],
notify => Service[$service],
}
$insecure_ensure = $insecure ? {
true => present,
default => absent,
}
file {$insecure_file:
ensure => $insecure_ensure,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/profile/unbound/insecure.conf',
require => Package[$package],
notify => Service[$service],
}
file {'/etc/default/unbound':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
require => Package[$package],
}
file {$auto_root_data:
ensure => present,
owner => 'unbound',
group => 'unbound',
mode => '0644',
replace => 'no',
source => '/usr/share/dns/root.key',
require => [
Package[$package],
Package['dns-root-data'],
],
}
file_line {'unbound root auto update':
ensure => present,
path => '/etc/default/unbound',
match => '^ROOT_TRUST_ANCHOR_UPDATE\=',
line => 'ROOT_TRUST_ANCHOR_UPDATE=false',
require => Package[$package],
notify => Service[$service],
}
}
}
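Review bot: `$has_local_cache` and `$insecure` are used as booleans (`if $has_local_cache`, `$insecure ? { true => present, ... }`) but are looked up without a type. A quoted `'false'` in Hiera would therefore still enable the whole block, and a quoted `'true'` would silently leave `insecure.conf` absent. `lookup` takes a value type as its second argument, as the zookeeper client in this diff does with `Hash`: `$has_local_cache = lookup('dns::local_cache', Boolean)` and `$insecure = lookup('dns::forwarder_insecure', Boolean)`. `$http2_support` in varnish.pp is used the same way.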
diff --git a/manifests/varnish.pp b/manifests/varnish.pp
index c7946a4d..8e2e1b34 100644
--- a/manifests/varnish.pp
+++ b/manifests/varnish.pp
@@ -1,71 +1,71 @@
# Varnish configuration
class profile::varnish {
$includes_dir = '/etc/varnish/includes'
$includes_vcl_name = 'includes.vcl'
$includes_vcl = "/etc/varnish/${includes_vcl_name}"
- $http_port = hiera('varnish::http_port')
- $backend_http_port = hiera('varnish::backend_http_port')
+ $http_port = lookup('varnish::http_port')
+ $backend_http_port = lookup('varnish::backend_http_port')
- $listen = hiera('varnish::listen')
- $admin_listen = hiera('varnish::admin_listen')
- $admin_port = hiera('varnish::admin_port')
- $http2_support = hiera('varnish::http2_support')
- $secret = hiera('varnish::secret')
- $storage_type = hiera('varnish::storage_type')
- $storage_size = hiera('varnish::storage_size')
- $storage_file = hiera('varnish::storage_file')
+ $listen = lookup('varnish::listen')
+ $admin_listen = lookup('varnish::admin_listen')
+ $admin_port = lookup('varnish::admin_port')
+ $http2_support = lookup('varnish::http2_support')
+ $secret = lookup('varnish::secret')
+ $storage_type = lookup('varnish::storage_type')
+ $storage_size = lookup('varnish::storage_size')
+ $storage_file = lookup('varnish::storage_file')
if $http2_support {
$runtime_params = {
feature => '+http2',
}
} else {
$runtime_params = {}
}
class {'::varnish':
addrepo => false,
listen => $listen,
admin_listen => $admin_listen,
admin_port => $admin_port,
secret => $secret,
storage_type => $storage_type,
storage_size => $storage_size,
storage_file => $storage_file,
runtime_params => $runtime_params,
}
::varnish::vcl {'/etc/varnish/default.vcl':
content => template('profile/varnish/default.vcl.erb'),
require => Concat[$includes_vcl],
}
file {$includes_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0644',
require => Class['varnish::install'],
notify => Exec['vcl_reload'],
}
concat {$includes_vcl:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
ensure_newline => true,
require => Class['varnish::install'],
notify => Exec['vcl_reload'],
}
concat::fragment {"${includes_vcl}:header":
target => $includes_vcl,
content => "# File managed with puppet (module profile::varnish)\n# All modifications will be lost\n\n",
order => '00',
}
include ::profile::varnish::default_vcls
}
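Review bot: `$secret = lookup('varnish::secret')` is handed to `class {'::varnish':` as a plain string, so nothing redacts it if it surfaces in agent logs or reports. If the `::varnish` module accepts the type (its parameter definitions are not visible here), the value can be wrapped at the assignment: `$secret = Sensitive(lookup('varnish::secret'))`. Otherwise a comment on that line should record that this is a credential, presumably for the admin interface configured by `admin_listen` and `admin_port`, and is expected to come from an encrypted Hiera source.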
diff --git a/manifests/zookeeper/client.pp b/manifests/zookeeper/client.pp
index a6677406..a92573cb 100644
--- a/manifests/zookeeper/client.pp
+++ b/manifests/zookeeper/client.pp
@@ -1,8 +1,8 @@
# Zookeeper cluster client class
class profile::zookeeper::client {
class {'::zookeeper':
- hosts => hiera_hash('zookeeper::hosts'),
- data_dir => hiera('zookeeper::data_dir'),
+ hosts => lookup('zookeeper::hosts', Hash, 'deep'),
+ data_dir => lookup('zookeeper::data_dir'),
}
}