Coredev production

hieradata/org/lsst/role/dev_hyp.yaml

@@ -0,0 +1,42 @@
+---
+classes:
+  - "profile::core::common"
+  - "profile::core::libvirt"
+  - "network"
+  - "libvirt"
+packages:
+  - "qemu-guest-agent"
+  - "qemu-kvm-tools"
+  - "virt-top"
+  - "virt-viewer"
+  - "libguestfs"
+  - "virt-who"
+  - "virt-what"
+  - "virt-install"
+  - "virt-manager"
+  - "vim"
+  - "bash-completion"
+  - "bash-completion-extras"
+libvirt::libvirtd_conf:
+  # yamllint disable-line rule:quoted-strings
+  access_drivers: '[ "polkit" ]'
+files:
+  # no current forge module has support for the modern polkit json rules
+  /etc/polkit-1/rules.d/80-libvirt.rules:
+    content: |
+      // Allow any user in the 'libvirt' group to connect to system libvirtd
+      // without entering a password.
+
+      polkit.addRule(function(action, subject) {
+          //if (action.id == "org.libvirt.unix.manage" &&
+          if (subject.isInGroup("libvirt")) {
+              return polkit.Result.YES;
+          }
+      });
+
+      polkit.addAdminRule(function(action, subject) {
+          return ["unix-group:libvirt"];
+      });
+    owner: "root"
+    group: "root"
+    mode: "0644"

hieradata/org/lsst/role/hypervisor.yaml

@@ -13,6 +13,9 @@ packages:
   - "virt-what"
   - "virt-install"
   - "virt-manager"
+  - "vim"
+  - "bash-completion"
+  - "bash-completion-extras"
 libvirt::libvirtd_conf:
   # yamllint disable-line rule:quoted-strings
   access_drivers: '[ "polkit" ]'

hieradata/site/dev.yaml

@@ -0,0 +1,93 @@
+---
+easy_ipa::ipa_master_fqdn: "ipa1.dev.lsst.org"
+#
+rsyslog::config::actions:
+#Send copy to logs to Ruka Cluster
+  graylogBase:
+    type: "omfwd"
+    facility: "*.*"
+    config:
+      Target: "collector.lsst.cloud"
+      Port: 5514
+      Protocol: "udp"
+  # Log anything (except mail) of level info or higher.
+  # Don't log private authentication messages!
+  #
+  # local6 is used for logs that should only be forwarded to a central log
+  # server and should never be stored locally. See IT-1734.
+  messages:
+    type: "omfile"
+    facility: "*.info;mail.none;authpriv.none;cron.none;local6.none"
+    config:
+      file: "/var/log/messages"
+  # The authpriv file has restricted access.
+  secure:
+    type: "omfile"
+    facility: "authpriv.*"
+    config:
+      file: "/var/log/secure"
+  # Everybody gets emergency messages
+  emerg:
+    type: "omusrmsg"
+    facility: "*.emerg"
+    config:
+      users: "*"
+  maillog:
+    type: "omfile"
+    facility: "mail.*"
+    config:
+      file: "-/var/log/maillog"
+  cron:
+    type: "omfile"
+    facility: "cron.*"
+    config:
+      file: "/var/log/cron"
+  # local7 does not appear to be used by CentOS 7, but for the sake of
+  # consistency we preserve it to match the CentOS configuration.
+  boot:
+    type: "omfile"
+    facility: "local7.*"
+    config:
+      file: "-/var/log/boot.log"
+# The following keys are shared between the `dhcp` and `resolv_conf` classes:
+# - dhcp::dnsdomain
+# - dhcp::nameservers
+# - dhcp::ntpservers
+#
+# @see site/ls/role/foreman.yaml
+
+# resolv.conf allows for a maximum of 6 search domains with a max length of 256
+# characters.
+# @see man 5 resolv.conf
+dhcp::dnsdomain: &dnsdomains
+  - "dev.lsst.org"
+  - "ls.lsst.org"
+  - "lsst.org"
+# resolv.conf allows for a maximum of 3 nameservers
+# @see man 5 resolv.conf
+dhcp::nameservers: &nameservers
+  - "139.229.134.7"  # dns1.dev.lsst.org
+  - "139.229.135.54"  # dns2.ls.lsst.org
+  - "208.67.222.222"  # resolver1.opendns.com
+dhcp::ntpservers: &ntpservers
+  - "ntp.shoa.cl"
+  - "1.cl.pool.ntp.org"
+  - "1.south-america.pool.ntp.org"
+
+chrony::servers: *ntpservers
+resolv_conf::nameservers: *nameservers
+resolv_conf::searchpath: *dnsdomains
+
+# Use NFSv4 on NFS enabled hosts.
+nfs::nfs_v4: true
+nfs::nfs_v4_client: true
+nfs::nfs_v4_idmap_domain: "%{::domain}"
+
+accounts::user_list:
+  root:
+    sshkeys:
+      # foreman-proxy
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIAmA8aQ9Qf8ok+zPUSwFWfEgNxUW1RptUhZE9/9PFGzhAi7XMnt6qaSFINlLxiECUXKeK3iwHI3rLxMsJpcGRGkkL9GGpUYNgyDVZt82AFN2rt7nvuYqm9M7M4Q6NeLlMEGUf9iSnzE/IpT4459iOiKdaB3SifuXWjJeUSOoNACugJcQCZm4nQGo9ZUVJcbhYael++pcobApctOOFjlaVi6s+iB4qdidMJ9CUEyQ8HBSDomBnj2dZ5QB/bDHUW1OKo/i+LbMdF1HrnEcI9AkSHfkW+OP7L5mkmRJBNsK5R6YzIb41LHCvO1Fvoinb71JkWD5ElzTLY5e7YkjRXkQV foreman-proxy@foreman.dev.lsst.org"
+# Stop iptables by default - the default rules are highly restrictive to the
+# point of harm and we don't have a meaningful permission set to make this useful.
+firewall::ensure: "stopped"

hieradata/site/ls/role/dev_hyp.yaml → hieradata/site/dev/role/dev_hyp.yaml

@@ -17,14 +17,14 @@ network::interfaces_hash:
     bootproto: "none"
     onboot: "yes"
     type: "Ethernet"
-  p1p1.1800:
+  p1p1.2101:
     bootproto: "dhcp"
     onboot: "yes"
     vlan: "yes"
-    bridge: "br1800"
+    bridge: "br2101"
     type: "none"
     nozeroconf: "yes"
-  br1800:
+  br2101:
     bootproto: "none"
     onboot: "yes"
     type: "bridge"

hieradata/site/dev/role/dnscache.yaml

@@ -0,0 +1,36 @@
+---
+dns::forwarders:
+  - "208.67.222.222"
+  - "208.67.220.220"
+dns::allow_recursion:
+  - "139.229.0.0/16"
+  - "198.19.0.0/16"
+  - "localnets"
+  - "localhost"
+dns::zones:
+  lsst.local:
+    zonetype: "forward"
+    forward: "only"
+    forwarders:
+      - "139.229.136.35"
+dns::additional_directives:
+  - "logging {"
+  - "    channel queries_syslog {"
+  - "        severity info;"
+  - "        print-category yes;"
+  - "        syslog local6;"
+  - "    };"
+  - ""
+  - "    category queries {"
+  - "        queries_syslog;"
+  - "    };"
+  - "};"
+
+files:
+  "/var/log/named":
+    ensure: "directory"
+    owner: "named"
+    group: "named"
+    mode: "0750"
+    backup: false
+    purge: false

hieradata/site/dev/role/foreman.yaml

@@ -0,0 +1,24 @@
+---
+classes:
+  - "dhcp"
+
+dhcp::interfaces:
+  - "eth0"
+
+dhcp::default_lease_time: 43200
+dhcp::max_lease_time: 86400
+dhcp::authoritative: true
+dhcp::ddns_update_style: "none"
+dhcp::logfacility: "daemon"
+dhcp::bootp: true
+dhcp::pxeserver: "139.229.134.5"  # foreman.dev.lsst.org
+# theforeman/dhcp 5.0.1 only supports `option domain-search` per pool
+dhcp::pools:
+  IT-Services:
+    network: "139.229.134.0"
+    mask: "255.255.255.0"
+    gateway: "139.229.134.254"
+    range: "139.229.134.120 139.229.134.149"
+    search_domains: "%{alias('dhcp::dnsdomain')}"
+
+profile::core::puppet_master::smee_url: "https://smee.io/lpxrggGObEn5YTA"

hieradata/site/dev/role/hypervisor.yaml

@@ -0,0 +1,35 @@
+---
+lookup_options:
+  accounts::user_list:
+    merge:
+      strategy: "deep"
+accounts::user_list:
+  # foreman role user to access libvirt over ssh
+  foreman:
+    groups:
+      - "libvirt"
+    managehome: true
+    system: true
+    sshkeys:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDC2HnZjyVotvxCC2lIGNsxAyH3lQkl+zThq7zvWB42alReex6Zil5K9Ff87ulwlhhfNM/C39i1gEs2DZNiZEcbA5TgfEOoJ8qaqqnuv1CB2s9kqNRSeH/QQq+43gYSh7JVTWvQdJwwQUGXMzGDm2U7oIZSBW3VL3PPI2LB0DWU0NXI6lzBjRA/6dhrDKwQH2+FlbWqAxkOc2lAfTKl+QvpXcp12Mj71+uOHBn7TGgnncTRfKCJ3WExptltxj1SDzlPJAmAg0wi64y2u+IqZVVQk91qdKjQ7r203XoujJLoJ45YmIeOLnhrkxsqfsqddxtHbvocuupL58PP0OSoIvE5 foreman@foreman.dev.lsst.org"
+network::interfaces_hash:
+  # Note: em1 is not managed since this will apply to multiple hypervisors
+  em2:  # em2 is not connected
+    bootproto: "none"
+    onboot: "no"
+    type: "Ethernet"
+  p2p2:
+    bootproto: "none"
+    onboot: "yes"
+    type: "Ethernet"
+  p2p2.2101:
+    bootproto: "none"
+    onboot: "yes"
+    vlan: "yes"
+    bridge: "br2101"
+    type: "none"
+    nozeroconf: "yes"
+  br2101:
+    bootproto: "none"
+    onboot: "yes"
+    type: "bridge"

hieradata/site/dev/role/ipamaster.yaml

@@ -0,0 +1,2 @@
+---
+easy_ipa::ipa_master_fqdn: "ipa1.dev.lsst.org"

hieradata/site/dev/role/ipareplica.yaml

@@ -0,0 +1,3 @@
+---
+easy_ipa::configure_replica_ca: true
+easy_ipa::ipa_master_fqdn: "ipa1.tuc.lsst.cloud"