Merge pull request #125 from lsst-it/coredev_production
Coredev production
jhoblitt committed May 10, 2020
2 parents eab611a + 129a512 commit 93b94e8
Showing 9 changed files with 241 additions and 3 deletions.
42 changes: 42 additions & 0 deletions hieradata/org/lsst/role/dev_hyp.yaml
@@ -0,0 +1,42 @@
---
classes:
- "profile::core::common"
- "profile::core::libvirt"
- "network"
- "libvirt"
packages:
- "qemu-guest-agent"
- "qemu-kvm-tools"
- "virt-top"
- "virt-viewer"
- "libguestfs"
- "virt-who"
- "virt-what"
- "virt-install"
- "virt-manager"
- "vim"
- "bash-completion"
- "bash-completion-extras"
libvirt::libvirtd_conf:
# yamllint disable-line rule:quoted-strings
access_drivers: '[ "polkit" ]'
files:
# no current forge module has support for the modern polkit json rules
/etc/polkit-1/rules.d/80-libvirt.rules:
content: |
// Allow any user in the 'libvirt' group to connect to system libvirtd
// without entering a password.
polkit.addRule(function(action, subject) {
//if (action.id == "org.libvirt.unix.manage" &&
if (subject.isInGroup("libvirt")) {
return polkit.Result.YES;
}
});
polkit.addAdminRule(function(action, subject) {
return ["unix-group:libvirt"];
});
owner: "root"
group: "root"
mode: "0644"
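Review bot: The polkit rule written to `/etc/polkit-1/rules.d/80-libvirt.rules` returns `polkit.Result.YES` for `libvirt` group members on every action, not only libvirt ones — the `action.id` scope test is left commented out on the line just above `if (subject.isInGroup("libvirt"))`. Restoring it as `if (action.id == "org.libvirt.unix.manage" && subject.isInGroup("libvirt")) {` confines the password bypass to libvirtd management. The `polkit.addAdminRule` returning `["unix-group:libvirt"]` is likewise host-wide: it makes that group the set of admin identities offered for any action that requires administrator authentication, which deserves either the same narrowing or a comment stating it is intended. The `packages` and `libvirt::libvirtd_conf` stanzas here repeat those in hypervisor.yaml from the same commit, so the two copies can drift; a comment pointing at the canonical one would help.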
3 changes: 3 additions & 0 deletions hieradata/org/lsst/role/hypervisor.yaml
Expand Up @@ -13,6 +13,9 @@ packages:
- "virt-what"
- "virt-install"
- "virt-manager"
- "vim"
- "bash-completion"
- "bash-completion-extras"
libvirt::libvirtd_conf:
# yamllint disable-line rule:quoted-strings
access_drivers: '[ "polkit" ]'
93 changes: 93 additions & 0 deletions hieradata/site/dev.yaml
@@ -0,0 +1,93 @@
---
easy_ipa::ipa_master_fqdn: "ipa1.dev.lsst.org"
#
rsyslog::config::actions:
#Send copy to logs to Ruka Cluster
graylogBase:
type: "omfwd"
facility: "*.*"
config:
Target: "collector.lsst.cloud"
Port: 5514
Protocol: "udp"
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#
# local6 is used for logs that should only be forwarded to a central log
# server and should never be stored locally. See IT-1734.
messages:
type: "omfile"
facility: "*.info;mail.none;authpriv.none;cron.none;local6.none"
config:
file: "/var/log/messages"
# The authpriv file has restricted access.
secure:
type: "omfile"
facility: "authpriv.*"
config:
file: "/var/log/secure"
# Everybody gets emergency messages
emerg:
type: "omusrmsg"
facility: "*.emerg"
config:
users: "*"
maillog:
type: "omfile"
facility: "mail.*"
config:
file: "-/var/log/maillog"
cron:
type: "omfile"
facility: "cron.*"
config:
file: "/var/log/cron"
# local7 does not appear to be used by CentOS 7, but for the sake of
# consistency we preserve it to match the CentOS configuration.
boot:
type: "omfile"
facility: "local7.*"
config:
file: "-/var/log/boot.log"
# The following keys are shared between the `dhcp` and `resolv_conf` classes:
# - dhcp::dnsdomain
# - dhcp::nameservers
# - dhcp::ntpservers
#
# @see site/ls/role/foreman.yaml

# resolv.conf allows for a maximum of 6 search domains with a max length of 256
# characters.
# @see man 5 resolv.conf
dhcp::dnsdomain: &dnsdomains
- "dev.lsst.org"
- "ls.lsst.org"
- "lsst.org"
# resolv.conf allows for a maximum of 3 nameservers
# @see man 5 resolv.conf
dhcp::nameservers: &nameservers
- "139.229.134.7" # dns1.dev.lsst.org
- "139.229.135.54" # dns2.ls.lsst.org
- "208.67.222.222" # resolver1.opendns.com
dhcp::ntpservers: &ntpservers
- "ntp.shoa.cl"
- "1.cl.pool.ntp.org"
- "1.south-america.pool.ntp.org"

chrony::servers: *ntpservers
resolv_conf::nameservers: *nameservers
resolv_conf::searchpath: *dnsdomains

# Use NFSv4 on NFS enabled hosts.
nfs::nfs_v4: true
nfs::nfs_v4_client: true
nfs::nfs_v4_idmap_domain: "%{::domain}"

accounts::user_list:
root:
sshkeys:
# foreman-proxy
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIAmA8aQ9Qf8ok+zPUSwFWfEgNxUW1RptUhZE9/9PFGzhAi7XMnt6qaSFINlLxiECUXKeK3iwHI3rLxMsJpcGRGkkL9GGpUYNgyDVZt82AFN2rt7nvuYqm9M7M4Q6NeLlMEGUf9iSnzE/IpT4459iOiKdaB3SifuXWjJeUSOoNACugJcQCZm4nQGo9ZUVJcbhYael++pcobApctOOFjlaVi6s+iB4qdidMJ9CUEyQ8HBSDomBnj2dZ5QB/bDHUW1OKo/i+LbMdF1HrnEcI9AkSHfkW+OP7L5mkmRJBNsK5R6YzIb41LHCvO1Fvoinb71JkWD5ElzTLY5e7YkjRXkQV foreman-proxy@foreman.dev.lsst.org"
# Stop iptables by default - the default rules are highly restrictive to the
# point of harm and we don't have a meaningful permission set to make this useful.
firewall::ensure: "stopped"
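Review bot: The `graylogBase` action forwards `*.*` — including the `authpriv.*` stream that the `secure` stanza deliberately keeps restricted on disk — to `collector.lsst.cloud` over plain UDP on port 5514, so authentication logs leave the host unencrypted and can be dropped without trace. If the collector accepts it, `Protocol: "tcp"` with rsyslog's TLS stream driver (`gtls`) on that omfwd action would protect the stream; otherwise a comment recording the trade-off is the minimum. `firewall::ensure: "stopped"` turns off host filtering for the whole dev site; the comment explains why, but a permissive baseline (ssh plus each role's services) would be a safer default than none, and the choice should be revisited once a permission set exists. The `#Send copy to logs to Ruka Cluster` comment wants a space after `#` (yamllint `comments`) and presumably means `copy of logs`.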
Expand Up @@ -17,14 +17,14 @@ network::interfaces_hash:
bootproto: "none"
onboot: "yes"
type: "Ethernet"
p1p1.1800:
p1p1.2101:
bootproto: "dhcp"
onboot: "yes"
vlan: "yes"
bridge: "br1800"
bridge: "br2101"
type: "none"
nozeroconf: "yes"
br1800:
br2101:
bootproto: "none"
onboot: "yes"
type: "bridge"
36 changes: 36 additions & 0 deletions hieradata/site/dev/role/dnscache.yaml
@@ -0,0 +1,36 @@
---
dns::forwarders:
- "208.67.222.222"
- "208.67.220.220"
dns::allow_recursion:
- "139.229.0.0/16"
- "198.19.0.0/16"
- "localnets"
- "localhost"
dns::zones:
lsst.local:
zonetype: "forward"
forward: "only"
forwarders:
- "139.229.136.35"
dns::additional_directives:
- "logging {"
- " channel queries_syslog {"
- " severity info;"
- " print-category yes;"
- " syslog local6;"
- " };"
- ""
- " category queries {"
- " queries_syslog;"
- " };"
- "};"

files:
"/var/log/named":
ensure: "directory"
owner: "named"
group: "named"
mode: "0750"
backup: false
purge: false
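Review bot: `dns::allow_recursion` lists `198.19.0.0/16`, which sits inside the RFC 2544 benchmarking block `198.18.0.0/15` rather than an RFC 1918 range; if it stands for an internal lab network, a trailing comment such as `# <what this network is>` saves the next reader from treating it as a typo. The `logging {}` directives send query logs to syslog `local6` with no file channel, yet `/var/log/named` is created with `purge: false` alongside; a comment saying why the directory is still needed (or dropping it) keeps the two in step. The section's enclosing structure is complete in the hunk, so nothing else is cut off.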
24 changes: 24 additions & 0 deletions hieradata/site/dev/role/foreman.yaml
@@ -0,0 +1,24 @@
---
classes:
- "dhcp"

dhcp::interfaces:
- "eth0"

dhcp::default_lease_time: 43200
dhcp::max_lease_time: 86400
dhcp::authoritative: true
dhcp::ddns_update_style: "none"
dhcp::logfacility: "daemon"
dhcp::bootp: true
dhcp::pxeserver: "139.229.134.5" # foreman.dev.lsst.org
# theforeman/dhcp 5.0.1 only supports `option domain-search` per pool
dhcp::pools:
IT-Services:
network: "139.229.134.0"
mask: "255.255.255.0"
gateway: "139.229.134.254"
range: "139.229.134.120 139.229.134.149"
search_domains: "%{alias('dhcp::dnsdomain')}"

profile::core::puppet_master::smee_url: "https://smee.io/lpxrggGObEn5YTA"
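Review bot: `profile::core::puppet_master::smee_url` commits a smee.io channel URL to plain hieradata; the channel path is the only thing that controls who can post to it, so anyone who reads this repository can deliver events to whatever the puppet master does with that webhook. If the receiving handler verifies a shared webhook secret (for example a GitHub HMAC signature) the exposure is low, but that assumption should be written down next to the key; otherwise the value belongs in encrypted hieradata and should be rotated now that it is in history. `dhcp::bootp: true` is an uncommon setting that is presumably required by the `dhcp::pxeserver` entry; a one-line comment to that effect would match the good context already given on `dhcp::pools`.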
35 changes: 35 additions & 0 deletions hieradata/site/dev/role/hypervisor.yaml
@@ -0,0 +1,35 @@
---
lookup_options:
accounts::user_list:
merge:
strategy: "deep"
accounts::user_list:
# foreman role user to access libvirt over ssh
foreman:
groups:
- "libvirt"
managehome: true
system: true
sshkeys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDC2HnZjyVotvxCC2lIGNsxAyH3lQkl+zThq7zvWB42alReex6Zil5K9Ff87ulwlhhfNM/C39i1gEs2DZNiZEcbA5TgfEOoJ8qaqqnuv1CB2s9kqNRSeH/QQq+43gYSh7JVTWvQdJwwQUGXMzGDm2U7oIZSBW3VL3PPI2LB0DWU0NXI6lzBjRA/6dhrDKwQH2+FlbWqAxkOc2lAfTKl+QvpXcp12Mj71+uOHBn7TGgnncTRfKCJ3WExptltxj1SDzlPJAmAg0wi64y2u+IqZVVQk91qdKjQ7r203XoujJLoJ45YmIeOLnhrkxsqfsqddxtHbvocuupL58PP0OSoIvE5 foreman@foreman.dev.lsst.org"
network::interfaces_hash:
# Note: em1 is not managed since this will apply to multiple hypervisors
em2: # em2 is not connected
bootproto: "none"
onboot: "no"
type: "Ethernet"
p2p2:
bootproto: "none"
onboot: "yes"
type: "Ethernet"
p2p2.2101:
bootproto: "none"
onboot: "yes"
vlan: "yes"
bridge: "br2101"
type: "none"
nozeroconf: "yes"
br2101:
bootproto: "none"
onboot: "yes"
type: "bridge"
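Review bot: The `foreman` account receives an ssh key plus membership in `libvirt`, and with the polkit rule in dev_hyp.yaml answering YES for that group the key amounts to full libvirtd management on every hypervisor the deep-merged `accounts::user_list` reaches. The comment says the user exists to reach libvirt over ssh, so the key should be limited to that: if the `accounts` module passes authorized_keys options through, prefix the key with `restrict` and a `command=` forced command; if it does not, state in the comment that the key grants an unrestricted shell as `foreman` and that this is accepted. `managehome: true` together with `system: true` is an unusual pairing that also merits a one-line comment.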
2 changes: 2 additions & 0 deletions hieradata/site/dev/role/ipamaster.yaml
@@ -0,0 +1,2 @@
---
easy_ipa::ipa_master_fqdn: "ipa1.dev.lsst.org"
3 changes: 3 additions & 0 deletions hieradata/site/dev/role/ipareplica.yaml
@@ -0,0 +1,3 @@
---
easy_ipa::configure_replica_ca: true
easy_ipa::ipa_master_fqdn: "ipa1.tuc.lsst.cloud"
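Review bot: `easy_ipa::ipa_master_fqdn` is `ipa1.tuc.lsst.cloud` here, while dev.yaml and ipamaster.yaml in the same commit set it to `ipa1.dev.lsst.org`; a dev-site replica pointed at a master in another domain reads as either a copy-paste slip or a deliberate cross-site replica, and the file should say which with a comment such as `# replica of the <site placeholder> realm, not the dev master`. If it is unintended, the replica would be set up against the wrong realm with `configure_replica_ca: true` enabled, so confirming before it is applied is worthwhile.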
