diff --git a/site-modules/profile/manifests/grafana.pp b/site-modules/profile/manifests/grafana.pp
index 759a4dbf..05303c04 100644
--- a/site-modules/profile/manifests/grafana.pp
+++ b/site-modules/profile/manifests/grafana.pp
@@ -1,30 +1,30 @@
 class profile::grafana { $db = lookup('grafana::db::database') $db_username = lookup('grafana::db::username') $db_password = lookup('grafana::db::password') $config = lookup('grafana::config') include ::postgresql::server ::postgresql::server::db {$db: user => $db_username,
- password => postgresql_password($db_username, $db_password),
+ password => postgresql::postgresql_password($db_username, $db_password),
 } class {'::grafana': install_method => 'repo', cfg => $config + { database => { type => 'postgres', host => '127.0.0.1:5432', name => $db, user => $db_username, password => $db_password } } } contain profile::grafana::vhost contain profile::grafana::objects }
diff --git a/site-modules/profile/manifests/icinga2/icingaweb2.pp b/site-modules/profile/manifests/icinga2/icingaweb2.pp
index 39d9f316..f117125e 100644
--- a/site-modules/profile/manifests/icinga2/icingaweb2.pp
+++ b/site-modules/profile/manifests/icinga2/icingaweb2.pp
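Review bot: The new `password => postgresql::postgresql_password($db_username, $db_password)` line still receives the password as a plain string from `lookup('grafana::db::password')` and, with no hash argument, yields the function's default md5-style hash, so both the hash and the plaintext (reused unredacted in the `database` entry of `cfg`) continue to appear in the compiled catalog and in agent reports. The same call shape is repeated in the icingaweb2.pp, master.pp, netbox.pp and server.pp hunks of this commit, so the point applies to each of them. Current puppetlabs-postgresql releases let the namespaced function take a `Sensitive` password and a boolean third (`sensitive`) argument that makes it return a `Sensitive` value; if the module version pinned by this repository supports that, `postgresql::postgresql_password($db_username, Sensitive($db_password), true)` keeps the hash out of catalog output without changing what reaches the database. Selecting `'scram-sha-256'` through the function's hash argument would also require the `auth_method => 'md5'` pg_hba rules in server.pp to change in the same step, so that is better handled as a separate follow-up.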
@@ -1,62 +1,62 @@
 # Icinga web 2 configuration class profile::icinga2::icingaweb2 { $icinga2_db_username = lookup('icinga2::master::db::username') $icinga2_db_password = lookup('icinga2::master::db::password') $icinga2_db_database = lookup('icinga2::master::db::database') $icingaweb2_db_username = lookup('icinga2::icingaweb2::db::username') $icingaweb2_db_password = lookup('icinga2::icingaweb2::db::password') $icingaweb2_db_database = lookup('icinga2::icingaweb2::db::database') $icingaweb2_protected_customvars = lookup('icinga2::icingaweb2::protected_customvars') include profile::icinga2::apt_config include profile::icinga2::icingaweb2::vhost class {'::icingaweb2': manage_repo => false, manage_package => true, import_schema => true, db_type => 'pgsql', db_host => 'localhost', db_port => 5432, db_username => $icingaweb2_db_username, db_password => $icingaweb2_db_password, require => Postgresql::Server::Db[$icingaweb2_db_database], } # Icingaweb2 modules ::postgresql::server::db {$icingaweb2_db_database: user => $icingaweb2_db_username,
- password => postgresql_password($icingaweb2_db_username, $icingaweb2_db_password),
+ password => postgresql::postgresql_password($icingaweb2_db_username, $icingaweb2_db_password),
 } class {'::icingaweb2::module::monitoring': ido_type => 'pgsql', ido_host => 'localhost', ido_port => 5432, ido_db_name => $icinga2_db_database, ido_db_username => $icinga2_db_username, ido_db_password => $icinga2_db_password, protected_customvars => join($icingaweb2_protected_customvars, ', '), commandtransports => { icinga2 => { transport => 'local', path => '/var/run/icinga2/cmd/icinga2.cmd', } } } include ::icingaweb2::module::doc # Icingaweb2 permissions ::icingaweb2::config::role {'guest': users => 'guest', permissions => 'module/monitoring', } ::icingaweb2::config::role {'icinga': users => 'icinga', permissions => '*', } }
diff --git a/site-modules/profile/manifests/icinga2/master.pp b/site-modules/profile/manifests/icinga2/master.pp
index b8640ed5..53701e71 100644
--- a/site-modules/profile/manifests/icinga2/master.pp
+++ b/site-modules/profile/manifests/icinga2/master.pp
@@ -1,102 +1,102 @@
 # An icinga master host class profile::icinga2::master { $zonename = lookup('icinga2::master::zonename') $features = lookup('icinga2::features') $icinga2_network = lookup('icinga2::network') $hiera_host_vars = lookup('icinga2::host::vars', Hash, 'deep') $icinga2_db_username = lookup('icinga2::master::db::username') $icinga2_db_password = lookup('icinga2::master::db::password') $icinga2_db_database = lookup('icinga2::master::db::database') include profile::icinga2::objects include profile::icinga2::objects::agent_checks $local_host_vars = { disks => hash(flatten( $::mounts.map |$mount| { ["disk ${mount}", {disk_partitions => $mount}] }, )), plugins => keys($profile::icinga2::objects::agent_checks::plugins), } include ::postgresql::server ::postgresql::server::db {$icinga2_db_database: user => $icinga2_db_username,
- password => postgresql_password($icinga2_db_username, $icinga2_db_password)
+ password => postgresql::postgresql_password($icinga2_db_username, $icinga2_db_password)
 } class {'::icinga2': confd => true, features => $features, constants => { 'ZoneName' => $zonename, }, } class { '::icinga2::feature::api': pki => 'puppet', accept_commands => true, zones => { $zonename => { endpoints => ['NodeName'], } }, } class { '::icinga2::feature::idopgsql': user => $icinga2_db_username, password => $icinga2_db_password, database => $icinga2_db_database, import_schema => true, require => Postgresql::Server::Db[$icinga2_db_database], } @@::icinga2::object::host {$::fqdn: address => ip_for_network($icinga2_network), display_name => $::fqdn, check_command => 'hostalive', vars => deep_merge($local_host_vars, $hiera_host_vars), target => "/etc/icinga2/zones.d/${zonename}/${::fqdn}.conf", } ::Profile::Icinga2::Objects::E2e_checks_deposit <<| |>> ::Profile::Icinga2::Objects::E2e_checks_vault <<| |>> ::Profile::Icinga2::Objects::E2e_checks_savecodenow <<| |>> ::Icinga2::Object::Host <<| |>> ::Icinga2::Object::Endpoint <<| |>> ::Icinga2::Object::Zone <<| |>> 
::icinga2::object::zone { 'global-templates': global => true, } file {[ '/etc/icinga2/zones.d/global-templates', "/etc/icinga2/zones.d/${zonename}", ]: ensure => directory, owner => 'nagios', group => 'nagios', mode => '0755', tag => 'icinga2::config::file', recurse => true, purge => true, notify => Class['::icinga2::service'], } file {'/etc/icinga2/conf.d': ensure => directory, owner => 'nagios', group => 'nagios', mode => '0755', purge => true, recurse => true, tag => 'icinga2::config::file', notify => Class['::icinga2::service'], } }
diff --git a/site-modules/profile/manifests/netbox.pp b/site-modules/profile/manifests/netbox.pp
index 3eab0762..59c5feda 100644
--- a/site-modules/profile/manifests/netbox.pp
+++ b/site-modules/profile/manifests/netbox.pp
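Review bot: The rewritten `password => postgresql::postgresql_password($icinga2_db_username, $icinga2_db_password)` line in the `::postgresql::server::db` resource is the only one of the five changed call sites without a trailing comma; the grafana.pp, icingaweb2.pp, netbox.pp and server.pp hunks all end theirs with `,`. Since the line is being rewritten anyway, adding the comma keeps the resource bodies uniform across the profiles and makes a later attribute addition a one-line diff.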
@@ -1,161 +1,161 @@
 # deploy a netbox instance class profile::netbox { $version = lookup('netbox::version') $netbox_user = lookup('netbox::user') $db_host = lookup('netbox::db::host') $db_port = lookup('netbox::db::port') $db_database = lookup('netbox::db::database') $db_username = lookup('netbox::db::username') $db_password = lookup('netbox::db::password') $secret_key = lookup('netbox::secret_key') $allowed_hosts = lookup('netbox::allowed_hosts') $redis_host = lookup('netbox::redis::host') $redis_port = lookup('netbox::redis::port') $redis_password = lookup('netbox::redis::password') $smtp_host = lookup('netbox::mail::host') $email_from = lookup('netbox::mail::from') $gunicorn_binding = lookup('netbox::gunicorn::binding') $gunicorn_port = lookup('netbox::gunicorn::port') $data_directory = lookup('netbox::data_directory') $media_directory = "${data_directory}/media" $reports_directory = "${data_directory}/reports" $scripts_directory = "${data_directory}/scripts" $archive_url = "https://github.com/netbox-community/netbox/archive/v${version}.tar.gz" $archive_path = "/opt/netbox-v${version}.tar.gz" $install_path = "/opt/netbox-${version}" $upgrade_flag_path = "${install_path}/.upgrade_done" ensure_packages ('python3-venv') include ::postgresql::server ::postgresql::server::db {$db_database: user => $db_username,
- password => postgresql_password($db_username, $db_password),
+ password => postgresql::postgresql_password($db_username, $db_password),
 require => [Class['Postgresql::Server']], } class { '::redis' : requirepass => $redis_password, bind => '127.0.0.1', port => $redis_port, } user {$netbox_user: ensure => present, system => true, shell => '/bin/bash', home => $data_directory, } archive { 'netbox': path => $archive_path, source => $archive_url, extract => true, extract_path => '/opt', creates => $install_path, cleanup => true, user => 'root', group => 'root', } file { '/opt/netbox' : ensure => link, target => $install_path, owner => 'root', group => 'root', 
require => Archive['netbox'], } file { 'netbox-configuration': ensure => present, path => "${install_path}/netbox/netbox/configuration.py", owner => 'root', group => 'root', mode => '0644', content => template('profile/netbox/configuration.py.erb'), require => Archive['netbox'], notify => Service['netbox'], } file { 'netbox-gunicorn-config': ensure => present, path => "${install_path}/gunicorn.py", owner => 'root', group => 'root', content => template('profile/netbox/gunicorn.py.erb'), require => Archive['netbox'], notify => Service['netbox'], } file { $data_directory : ensure => directory, owner => $netbox_user, group => $netbox_user, mode => '0750', require => User[$netbox_user] } file { $media_directory: ensure => directory, owner => $netbox_user, group => $netbox_user, mode => '0750', require => File[$data_directory], } file { $scripts_directory: ensure => directory, owner => $netbox_user, group => $netbox_user, mode => '0750', require => File[$data_directory], } file { $reports_directory: ensure => directory, owner => $netbox_user, group => $netbox_user, mode => '0750', require => File[$data_directory], } exec { 'netbox-upgrade': command => "${install_path}/upgrade.sh", cwd => $install_path, creates => $upgrade_flag_path, require => [File['netbox-configuration'], File[$media_directory], Package['python3-venv'], Postgresql::Server::Db[$db_database], ], notify => Exec['netbox-flag-upgrade-done'], } exec {'netbox-flag-upgrade-done': command => "touch ${upgrade_flag_path}", path => '/usr/bin', refreshonly => true, } ['netbox', 'netbox-rq'].each |$service| { Exec['netbox-flag-upgrade-done'] ~> ::systemd::unit_file {"${service}.service": ensure => present, content => template("profile/netbox/${service}.service.erb"), } ~> service {$service: ensure => 'running', enable => true, require => [File['netbox-gunicorn-config'], File['netbox-configuration']], } } ::profile::cron::d {'netbox-housekeeping': target => 'netbox', minute => 'fqdn_rand', hour => 'fqdn_rand', user 
=> $netbox_user, command => "chronic ${install_path}/venv/bin/python ${install_path}/netbox/manage.py housekeeping", } }
diff --git a/site-modules/profile/manifests/postgresql/server.pp b/site-modules/profile/manifests/postgresql/server.pp
index ef3f87c1..b3fa96f9 100644
--- a/site-modules/profile/manifests/postgresql/server.pp
+++ b/site-modules/profile/manifests/postgresql/server.pp
@@ -1,123 +1,123 @@
 # Install and configure a postgresql server class profile::postgresql::server { $swh_base_directory = lookup('swh::base_directory') $postgres_pass = lookup('swh::deploy::db::postgres::password') $listen_addresses = lookup('swh::postgresql::listen_addresses').join(',') # allow access through credentials $network_accesses = lookup('swh::postgresql::network_accesses').map | $nwk | { "host all all ${nwk} md5" } $postgres_version = lookup('swh::postgresql::version') $postgres_port = lookup('swh::postgresql::port') $postgres_datadir_base = lookup('swh::postgresql::datadir_base') $postgres_datadir = lookup('swh::postgresql::datadir') $postgres_max_connections = lookup('swh::postgresql::max_connections') $ip_mask_allow_all_users = '0.0.0.0/0' file { [ $postgres_datadir_base, "${postgres_datadir_base}/${postgres_version}" ] : ensure => directory, owner => 'root', group => 'root', mode => '0655', } -> class { 'postgresql::server': ip_mask_allow_all_users => $ip_mask_allow_all_users, ipv4acls => $network_accesses, postgres_password => $postgres_pass, port => $postgres_port, listen_addresses => [$listen_addresses], datadir => $postgres_datadir, needs_initdb => true, # Needed because managed_repo is false and data_dir is redefined by us ¯\_(ツ)_/¯ require => Class['profile::postgresql::apt_config'], pg_hba_conf_defaults => false, # see below for the actual default rules pg_hba_rules => { # Supersedes the default rules installed by puppetlab-postgres, thus # allowing pgbouncer/pgsql connection to the postgres user 'local access as postgres user' => { database => 'all', user => 'postgres', type => 'local', auth_method => 'ident', order => 1, }, 'local access to database with same name' => { database => 'all', user => 'all', type => 'local', auth_method => 'ident', order => 2, }, 'allow localhost TCP access to postgresql user' => { database => 'all', user => 'postgres', type => 'host', address => '127.0.0.1/32', auth_method => 'md5', order => 3, }, 'allow access 
to all users' => { database => 'all', user => 'all', type => 'host', address => $ip_mask_allow_all_users, auth_method => 'md5', order => 100, }, 'allow access to ipv6 localhost' => { database => 'all', user => 'all', type => 'host', address => '::1/128', auth_method => 'md5', order => 101, } }, } postgresql::server::config_entry{'max_connections': ensure => present, value => $postgres_max_connections, } postgresql::server::config_entry{'shared_preload_libraries': ensure => present, value => 'pg_stat_statements', } # read-only user $guest = 'guest' postgresql::server::role { $guest:
- password_hash => postgresql_password($guest, 'guest'),
+ password_hash => postgresql::postgresql_password($guest, 'guest'),
 require => Class['postgresql::server'] } $dbs = lookup('swh::dbs') each($dbs) | $db_type, $db_config | { # db_type in {storage, indexer, scheduler, etc...} $db_pass = pick( $db_config['password'], lookup("swh::deploy::${db_type}::db::password", {'default_value' => undef}) ) $db_name = $db_config['name'] $db_user = $db_config['user'] postgresql::server::db { $db_name: user => $db_user, password => $db_pass, owner => $db_user, require => Class['postgresql::server'] } # guest user has read access on tables postgresql::server::database_grant { $db_name: privilege => 'connect', db => $db_name, role => $guest, require => Postgresql::Server::Db[$db_name] } } }
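Review bot: The changed `password_hash => postgresql::postgresql_password($guest, 'guest')` line derives the read-only role's hash from a literal password equal to the role name, so unlike `$postgres_pass` and the per-database `$db_pass` values in this class, which come from `lookup(...)`, the credential is fully determined by the repository contents. The `'allow access to all users'` pg_hba rule earlier in the hunk (`address => $ip_mask_allow_all_users`, which is `'0.0.0.0/0'`, with `auth_method => 'md5'`) accepts that role from every network the server listens on, and each database in the `$dbs` loop grants it `connect`. If `guest` is meant to be a public read-only account, a comment above the role saying so would make that intentional; otherwise sourcing the password from hiera like the others — e.g. `lookup('<guest-password-key>')` with a key still to be chosen — removes a fixed, repository-known credential from an externally reachable role.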