Merge pull request #125 from lsst-it/coredev_production
Coredev production
Showing
9 changed files
with
241 additions
and
3 deletions.
@@ -0,0 +1,42 @@ | ||
--- | ||
classes: | ||
- "profile::core::common" | ||
- "profile::core::libvirt" | ||
- "network" | ||
- "libvirt" | ||
packages: | ||
- "qemu-guest-agent" | ||
- "qemu-kvm-tools" | ||
- "virt-top" | ||
- "virt-viewer" | ||
- "libguestfs" | ||
- "virt-who" | ||
- "virt-what" | ||
- "virt-install" | ||
- "virt-manager" | ||
- "vim" | ||
- "bash-completion" | ||
- "bash-completion-extras" | ||
libvirt::libvirtd_conf: | ||
# yamllint disable-line rule:quoted-strings | ||
access_drivers: '[ "polkit" ]' | ||
files: | ||
# no current forge module has support for the modern polkit json rules | ||
/etc/polkit-1/rules.d/80-libvirt.rules: | ||
content: | | ||
// Allow any user in the 'libvirt' group to connect to system libvirtd | ||
// without entering a password. | ||
polkit.addRule(function(action, subject) { | ||
//if (action.id == "org.libvirt.unix.manage" && | ||
if (subject.isInGroup("libvirt")) { | ||
return polkit.Result.YES; | ||
} | ||
}); | ||
polkit.addAdminRule(function(action, subject) { | ||
return ["unix-group:libvirt"]; | ||
}); | ||
owner: "root" | ||
group: "root" | ||
mode: "0644" |
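Review bot: The polkit rule in the `/etc/polkit-1/rules.d/80-libvirt.rules` content returns `polkit.Result.YES` for every polkit action once `subject.isInGroup("libvirt")` holds, because the `action.id` test on the preceding line is commented out; that grants libvirt group members far more than the "connect to system libvirtd" the header comment describes, since any polkit-gated action on the host (service, package or power management, for example) is approved without a prompt. Restoring the scope check, `if (action.id == "org.libvirt.unix.manage" && subject.isInGroup("libvirt")) {`, matches the stated intent; if the check was dropped on purpose because other `org.libvirt.*` actions are needed, a comment saying so should replace the dead line rather than leaving the rule silently unscoped. The `polkit.addAdminRule` callback below it is likewise unconditional, so `unix-group:libvirt` becomes the admin group for every auth_admin prompt on the host and should be conditioned on `action.id` in the same way.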
@@ -0,0 +1,93 @@ | ||
--- | ||
easy_ipa::ipa_master_fqdn: "ipa1.dev.lsst.org" | ||
# | ||
rsyslog::config::actions: | ||
#Send copy to logs to Ruka Cluster | ||
graylogBase: | ||
type: "omfwd" | ||
facility: "*.*" | ||
config: | ||
Target: "collector.lsst.cloud" | ||
Port: 5514 | ||
Protocol: "udp" | ||
# Log anything (except mail) of level info or higher. | ||
# Don't log private authentication messages! | ||
# | ||
# local6 is used for logs that should only be forwarded to a central log | ||
# server and should never be stored locally. See IT-1734. | ||
messages: | ||
type: "omfile" | ||
facility: "*.info;mail.none;authpriv.none;cron.none;local6.none" | ||
config: | ||
file: "/var/log/messages" | ||
# The authpriv file has restricted access. | ||
secure: | ||
type: "omfile" | ||
facility: "authpriv.*" | ||
config: | ||
file: "/var/log/secure" | ||
# Everybody gets emergency messages | ||
emerg: | ||
type: "omusrmsg" | ||
facility: "*.emerg" | ||
config: | ||
users: "*" | ||
maillog: | ||
type: "omfile" | ||
facility: "mail.*" | ||
config: | ||
file: "-/var/log/maillog" | ||
cron: | ||
type: "omfile" | ||
facility: "cron.*" | ||
config: | ||
file: "/var/log/cron" | ||
# local7 does not appear to be used by CentOS 7, but for the sake of | ||
# consistency we preserve it to match the CentOS configuration. | ||
boot: | ||
type: "omfile" | ||
facility: "local7.*" | ||
config: | ||
file: "-/var/log/boot.log" | ||
# The following keys are shared between the `dhcp` and `resolv_conf` classes: | ||
# - dhcp::dnsdomain | ||
# - dhcp::nameservers | ||
# - dhcp::ntpservers | ||
# | ||
# @see site/ls/role/foreman.yaml | ||
|
||
# resolv.conf allows for a maximum of 6 search domains with a max length of 256 | ||
# characters. | ||
# @see man 5 resolv.conf | ||
dhcp::dnsdomain: &dnsdomains | ||
- "dev.lsst.org" | ||
- "ls.lsst.org" | ||
- "lsst.org" | ||
# resolv.conf allows for a maximum of 3 nameservers | ||
# @see man 5 resolv.conf | ||
dhcp::nameservers: &nameservers | ||
- "139.229.134.7" # dns1.dev.lsst.org | ||
- "139.229.135.54" # dns2.ls.lsst.org | ||
- "208.67.222.222" # resolver1.opendns.com | ||
dhcp::ntpservers: &ntpservers | ||
- "ntp.shoa.cl" | ||
- "1.cl.pool.ntp.org" | ||
- "1.south-america.pool.ntp.org" | ||
|
||
chrony::servers: *ntpservers | ||
resolv_conf::nameservers: *nameservers | ||
resolv_conf::searchpath: *dnsdomains | ||
|
||
# Use NFSv4 on NFS enabled hosts. | ||
nfs::nfs_v4: true | ||
nfs::nfs_v4_client: true | ||
nfs::nfs_v4_idmap_domain: "%{::domain}" | ||
|
||
accounts::user_list: | ||
root: | ||
sshkeys: | ||
# foreman-proxy | ||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIAmA8aQ9Qf8ok+zPUSwFWfEgNxUW1RptUhZE9/9PFGzhAi7XMnt6qaSFINlLxiECUXKeK3iwHI3rLxMsJpcGRGkkL9GGpUYNgyDVZt82AFN2rt7nvuYqm9M7M4Q6NeLlMEGUf9iSnzE/IpT4459iOiKdaB3SifuXWjJeUSOoNACugJcQCZm4nQGo9ZUVJcbhYael++pcobApctOOFjlaVi6s+iB4qdidMJ9CUEyQ8HBSDomBnj2dZ5QB/bDHUW1OKo/i+LbMdF1HrnEcI9AkSHfkW+OP7L5mkmRJBNsK5R6YzIb41LHCvO1Fvoinb71JkWD5ElzTLY5e7YkjRXkQV foreman-proxy@foreman.dev.lsst.org" | ||
# Stop iptables by default - the default rules are highly restrictive to the | ||
# point of harm and we don't have a meaningful permission set to make this useful. | ||
firewall::ensure: "stopped" |
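Review bot: The `graylogBase` action forwards `*.*` to `collector.lsst.cloud` with `Protocol: "udp"`, so every log line — including the `authpriv.*` records that the `secure` action deliberately keeps out of `/var/log/messages` — leaves the host unencrypted and unauthenticated, and UDP also drops silently under load. If the collector supports it, move this to TCP with TLS (rsyslog's omfwd `StreamDriver`, `StreamDriverMode` and `StreamDriverAuthMode` parameters, assuming the `rsyslog::config::actions` hash passes arbitrary keys through — not verifiable from this diff), or add a comment stating why plaintext UDP is acceptable on this network path. With `firewall::ensure: "stopped"` at the end of the file, host-level filtering is off as well, so the comment justifying that choice should name the network-level controls the host relies on instead.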
@@ -0,0 +1,36 @@ | ||
--- | ||
dns::forwarders: | ||
- "208.67.222.222" | ||
- "208.67.220.220" | ||
dns::allow_recursion: | ||
- "139.229.0.0/16" | ||
- "198.19.0.0/16" | ||
- "localnets" | ||
- "localhost" | ||
dns::zones: | ||
lsst.local: | ||
zonetype: "forward" | ||
forward: "only" | ||
forwarders: | ||
- "139.229.136.35" | ||
dns::additional_directives: | ||
- "logging {" | ||
- " channel queries_syslog {" | ||
- " severity info;" | ||
- " print-category yes;" | ||
- " syslog local6;" | ||
- " };" | ||
- "" | ||
- " category queries {" | ||
- " queries_syslog;" | ||
- " };" | ||
- "};" | ||
|
||
files: | ||
"/var/log/named": | ||
ensure: "directory" | ||
owner: "named" | ||
group: "named" | ||
mode: "0750" | ||
backup: false | ||
purge: false |
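Review bot: `dns::allow_recursion` permits recursive queries from the whole of `139.229.0.0/16` and `198.19.0.0/16`, which is considerably broader than the `localnets`/`localhost` entries beside it; if either /16 contains hosts that are not under site control, this resolver can be used as a recursive/amplification source from those addresses. Narrowing the ACL to the subnets that actually need recursion (the DHCP pool in this same PR is `139.229.134.0`/`255.255.255.0`), or a comment stating that both ranges are entirely site-internal, would make the intent reviewable. The `/var/log/named` directory is created with `mode: "0750"`, yet the only logging channel in `dns::additional_directives` is `queries_syslog`, which writes to `syslog local6`; either a file channel is still to come or the directory is vestigial, and a one-line comment should say which.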
@@ -0,0 +1,24 @@ | ||
--- | ||
classes: | ||
- "dhcp" | ||
|
||
dhcp::interfaces: | ||
- "eth0" | ||
|
||
dhcp::default_lease_time: 43200 | ||
dhcp::max_lease_time: 86400 | ||
dhcp::authoritative: true | ||
dhcp::ddns_update_style: "none" | ||
dhcp::logfacility: "daemon" | ||
dhcp::bootp: true | ||
dhcp::pxeserver: "139.229.134.5" # foreman.dev.lsst.org | ||
# theforeman/dhcp 5.0.1 only supports `option domain-search` per pool | ||
dhcp::pools: | ||
IT-Services: | ||
network: "139.229.134.0" | ||
mask: "255.255.255.0" | ||
gateway: "139.229.134.254" | ||
range: "139.229.134.120 139.229.134.149" | ||
search_domains: "%{alias('dhcp::dnsdomain')}" | ||
|
||
profile::core::puppet_master::smee_url: "https://smee.io/lpxrggGObEn5YTA" |
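Review bot: `profile::core::puppet_master::smee_url` commits a smee.io channel URL in plaintext hiera; a smee channel is effectively a bearer credential, because anyone who holds the URL can push arbitrary payloads into the relay that presumably feeds the Puppet master's webhook receiver (how the profile consumes it is not visible in this diff). Keep the value in eyaml or another secrets backend rather than in the clear, rotate the channel if this repository is or becomes public, and make sure the consumer verifies the upstream webhook signature instead of trusting anything delivered through the relay. A comment such as `# smee.io relay channel: treat as a secret; the receiver must validate webhook signatures` would record that expectation next to the key.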
@@ -0,0 +1,35 @@ | ||
--- | ||
lookup_options: | ||
accounts::user_list: | ||
merge: | ||
strategy: "deep" | ||
accounts::user_list: | ||
# foreman role user to access libvirt over ssh | ||
foreman: | ||
groups: | ||
- "libvirt" | ||
managehome: true | ||
system: true | ||
sshkeys: | ||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDC2HnZjyVotvxCC2lIGNsxAyH3lQkl+zThq7zvWB42alReex6Zil5K9Ff87ulwlhhfNM/C39i1gEs2DZNiZEcbA5TgfEOoJ8qaqqnuv1CB2s9kqNRSeH/QQq+43gYSh7JVTWvQdJwwQUGXMzGDm2U7oIZSBW3VL3PPI2LB0DWU0NXI6lzBjRA/6dhrDKwQH2+FlbWqAxkOc2lAfTKl+QvpXcp12Mj71+uOHBn7TGgnncTRfKCJ3WExptltxj1SDzlPJAmAg0wi64y2u+IqZVVQk91qdKjQ7r203XoujJLoJ45YmIeOLnhrkxsqfsqddxtHbvocuupL58PP0OSoIvE5 foreman@foreman.dev.lsst.org" | ||
network::interfaces_hash: | ||
# Note: em1 is not managed since this will apply to multiple hypervisors | ||
em2: # em2 is not connected | ||
bootproto: "none" | ||
onboot: "no" | ||
type: "Ethernet" | ||
p2p2: | ||
bootproto: "none" | ||
onboot: "yes" | ||
type: "Ethernet" | ||
p2p2.2101: | ||
bootproto: "none" | ||
onboot: "yes" | ||
vlan: "yes" | ||
bridge: "br2101" | ||
type: "none" | ||
nozeroconf: "yes" | ||
br2101: | ||
bootproto: "none" | ||
onboot: "yes" | ||
type: "bridge" |
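Review bot: The `foreman` account is given `libvirt` group membership and a password-less SSH key, and under the polkit rule introduced elsewhere in this PR (the `80-libvirt.rules` content, which approves every polkit action for `libvirt` members) that makes this key root-equivalent on each hypervisor the hiera applies to, not merely a libvirt client. Either scope that polkit rule to the `org.libvirt.*` actions, or narrow this key's reach with a `from=` source restriction pinning it to the foreman host, if the accounts module's `sshkeys` entries accept authorized_keys options (not verifiable here), and extend the comment to say what Foreman needs beyond "access libvirt over ssh". `managehome: true` together with `system: true` is unusual for a service account and deserves a word on why a home directory is required.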
@@ -0,0 +1,2 @@ | ||
--- | ||
easy_ipa::ipa_master_fqdn: "ipa1.dev.lsst.org" |
@@ -0,0 +1,3 @@ | ||
--- | ||
easy_ipa::configure_replica_ca: true | ||
easy_ipa::ipa_master_fqdn: "ipa1.tuc.lsst.cloud" |