Diffstat (limited to 'personal_infra/puppet/site')
19 files changed, 353 insertions, 0 deletions
diff --git a/personal_infra/puppet/site/00-common.pp b/personal_infra/puppet/site/00-common.pp
new file mode 100644
index 00000000..b9f2a6f7
--- /dev/null
+++ b/personal_infra/puppet/site/00-common.pp
@@ -0,0 +1,23 @@
+include automatic_updates
+include basic_software
+include root_mail
+
+if $facts['os']['family'] == 'Debian' {
+ class {'debian':}
+}
+
+$nagios_host = $facts['networking']['fqdn']
+
+nagios_host {$nagios_host:
+ use => 'generic-host',
+ address => lookup({name => 'nagios.address', default_value => $facts['networking']['fqdn']}),
+ max_check_attempts => 5,
+ contact_groups => 'admins',
+ hostgroups => 'linux',
+ check_command => 'check-host-alive',
+}
+
+# https://github.com/alexpdp7/ragent/issues/352
+if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '9' {
+ package {'compat-openssl11':}
+}
diff --git a/personal_infra/puppet/site/01-dns.pp b/personal_infra/puppet/site/01-dns.pp
new file mode 100644
index 00000000..eab766a4
--- /dev/null
+++ b/personal_infra/puppet/site/01-dns.pp
@@ -0,0 +1,10 @@
+$dns_source_hosts = lookup("dns.source_hosts")
+$dns_other_hosts = $dns_source_hosts.filter |$host_name| { $host_name != $facts["networking"]["fqdn"] }
+
+$dns_other_server_defs = $dns_other_hosts.map |$host_name| {
+ {
+ network_name => join([lookup("hostvars.'$host_name'.network.network_name"), lookup('dns.internal_domain')], '.'),
+ reverse_ip_range => lookup("hostvars.'$host_name'.network.self_internal_network"),
+ dns_ip => lookup("hostvars.'$host_name'.network.self_internal_ip"),
+ }
+}
diff --git a/personal_infra/puppet/site/01-ipa.pp b/personal_infra/puppet/site/01-ipa.pp
new file mode 100644
index 00000000..0aa7a6b4
--- /dev/null
+++ b/personal_infra/puppet/site/01-ipa.pp
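Review bot: The `compat-openssl11` block at the end of 00-common.pp carries only an issue link, so a reader of the manifest cannot tell why a RHEL 9 host keeps an OpenSSL 1.1 compatibility library installed or under what condition it can be removed. I am inferring from the package name that the linked ragent issue is about a binary still needing libssl 1.1; if so, a comment such as `# RHEL 9: ragent still needs the OpenSSL 1.1 libraries (issue 352); drop once ragent builds against OpenSSL 3` states the removal condition in place. Keeping an older TLS library resident on every RHEL 9 host is a deliberate trade-off and is clearer written down next to the resource than behind a link.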
@@ -0,0 +1,30 @@
+$ipa_client_package = case $facts['os']['family'] {
+ 'Debian': { 'freeipa-client' }
+ 'RedHat': { 'ipa-client' }
+ default: { fail($facts['os']['family']) }
+}
+
+if $facts['os']['family'] == 'Debian' and $facts['os']['release']['major'] == "11" {
+ class {'debian::backports':}
+ ->
+ Package[$ipa_client_package]
+
+ service {['sssd-pac.service', 'sssd-pac.socket']:
+ ensure => stopped,
+ enable => mask,
+ }
+}
+
+package {$ipa_client_package:}
+package {'sudo':}
+
+if 'lxc' in lookup("group_names") {
+ service {['var-lib-nfs-rpc_pipefs.mount', 'chronyd.service', 'sys-kernel-config.mount', 'sys-kernel-debug.mount', 'auth-rpcgss-module.service']:
+ ensure => stopped,
+ enable => mask,
+ }
+ ~>
+ exec {'/usr/bin/systemctl reset-failed':
+ refreshonly => true,
+ }
+}
diff --git a/personal_infra/puppet/site/01-tinc.pp b/personal_infra/puppet/site/01-tinc.pp
new file mode 100644
index 00000000..6acbbd2e
--- /dev/null
+++ b/personal_infra/puppet/site/01-tinc.pp
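Review bot: The `default:` arm of the `$ipa_client_package` case in 01-ipa.pp calls `fail($facts['os']['family'])`, so an unsupported platform aborts catalog compilation with a bare family name and no hint of which manifest or decision produced it. A message that names the decision costs nothing: `default: { fail("01-ipa.pp: no IPA client package known for OS family ${facts['os']['family']}") }`. That also makes the failure searchable in the agent log when a new OS family is rolled out.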
@@ -0,0 +1,39 @@
+$tinc_hosts = lookup("groups.tinc")
+$tinc_other_hosts = $tinc_hosts.filter |$host_name| { $host_name != $facts["networking"]["fqdn"] }
+
+$tinc_locations = Hash($tinc_hosts.map |$host_name| { [
+ lookup("hostvars.'$host_name'.network.tinc.location"),
+ {
+ subnet => lookup("hostvars.'$host_name'.network.self_internal_network"),
+ address => lookup("hostvars.'$host_name'.network.public_hostname"),
+ }
+] })
+
+$tinc_connect_to = $tinc_other_hosts.map |$host_name| { lookup("hostvars.'$host_name'.network.tinc.location") }
+
+$tinc_other_networks = $tinc_other_hosts.map |$host_name| { lookup("hostvars.'$host_name'.network.self_internal_network") }
+$ocserv_networks = $tinc_hosts.map |$host_name| { lookup("hostvars.'$host_name'.network.self_internal_network") }
+
+if 'tinc' in lookup("group_names") {
+ class {'tinc':
+ tinc_name => lookup("tinc_global.name"),
+ tinc_location => lookup("network.tinc.location"),
+ tinc_connect_to => $tinc_connect_to,
+ tinc_locations => $tinc_locations,
+ tinc_ip => lookup("network.self_internal_ip"),
+ tinc_netmask => lookup("network.self_internal_netmask"),
+ tinc_other_networks => $tinc_other_networks,
+ firewall => !lookup({"name" => "network.disable_firewall", "default_value" => false}),
+ }
+
+ class {'ocserv':
+ ocserv_tcp_port => 444,
+ ocserv_udp_port => 444,
+ ocserv_default_domain => "int.pdp7.net",
+ ocserv_ipv4_network => lookup("network.ocserv.network"),
+ ocserv_dns => lookup("network.self_internal_ip"),
+ ocserv_split_dns => lookup("tinc_global.ocserv_domain"),
+ ocserv_routes => $ocserv_networks,
+ firewall => !lookup({"name" => "network.disable_firewall", "default_value" => false}),
+ }
+}
diff --git a/personal_infra/puppet/site/02-tinc-dns.pp b/personal_infra/puppet/site/02-tinc-dns.pp
new file mode 100644
index 00000000..ba7d57f6
--- /dev/null
+++ b/personal_infra/puppet/site/02-tinc-dns.pp
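Review bot: `ocserv_default_domain => "int.pdp7.net"` in the `ocserv` declaration is the only hard-coded site value in 01-tinc.pp; every other parameter comes from `lookup()`, and 01-dns.pp already reads what looks like the same domain via `lookup('dns.internal_domain')`. If the two are meant to agree, `ocserv_default_domain => lookup('dns.internal_domain'),` keeps them from drifting; if they are intentionally different, a one-line comment saying so would save the next reader the question. The `firewall => !lookup({...})` expression is also repeated verbatim for both classes and could be computed once above the `if`, e.g. `$firewall = !lookup({"name" => "network.disable_firewall", "default_value" => false})`.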
@@ -0,0 +1,5 @@
+if($facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '9' and 'tinc' in lookup("group_names") and 'dns' in lookup("group_names")) {
+ exec {'/bin/sed -i "s/^bind-interfaces/bind-dynamic #bind-interfaces/" /etc/dnsmasq.conf':
+ unless => '/bin/grep "bind-dynamic #bind-interfaces" /etc/dnsmasq.conf',
+ }
+}
diff --git a/personal_infra/puppet/site/case.ces.int.pdp7.net.pp b/personal_infra/puppet/site/case.ces.int.pdp7.net.pp
new file mode 100644
index 00000000..2b4844cf
--- /dev/null
+++ b/personal_infra/puppet/site/case.ces.int.pdp7.net.pp
@@ -0,0 +1,10 @@
+node 'case.ces.int.pdp7.net' {
+ class {'dns_dhcp':}
+ ->
+ file {'/etc/dnsmasq.d/static.conf':
+ content => 'host-record=router,router.ces.int.pdp7.net,10.17.19.1
+host-record=tplink,tplink.ces.int.pdp7.net,10.17.19.2
+host-record=case.ces.int.pdp7.net,case,10.17.19.3
+',
+ }
+}
diff --git a/personal_infra/puppet/site/dixie.bcn.int.pdp7.net.pp b/personal_infra/puppet/site/dixie.bcn.int.pdp7.net.pp
new file mode 100644
index 00000000..5453eb4c
--- /dev/null
+++ b/personal_infra/puppet/site/dixie.bcn.int.pdp7.net.pp
@@ -0,0 +1,15 @@
+node 'dixie.bcn.int.pdp7.net' {
+ class {'dns_dhcp':}
+ file {'/etc/dnsmasq.d/static.conf':
+ content => "host-record=router,router.bcn.int.pdp7.net,192.168.76.1
+host-record=archerc7,archerc7.bcn.int.pdp7.net,192.168.76.6
+host-record=dixie.bcn.int.pdp7.net,dixie,192.168.76.2
+dhcp-option=121,10.0.0.0/8,192.168.76.2
+",
+ notify => Service["dnsmasq"],
+ }
+
+ class {'backups':
+ sanoid_config => "",
+ }
+}
diff --git a/personal_infra/puppet/site/h1.pdp7.net.pp b/personal_infra/puppet/site/h1.pdp7.net.pp
new file mode 100644
index 00000000..a3d62bbc
--- /dev/null
+++ b/personal_infra/puppet/site/h1.pdp7.net.pp
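Review bot: The `exec` in 02-tinc-dns.pp rewrites `/etc/dnsmasq.conf` in place with sed but does not notify the dnsmasq service, so on the run that flips `bind-interfaces` to `bind-dynamic` the running daemon keeps its old listening behaviour until something else restarts it. Adding `notify => Service['dnsmasq'],` beside `unless` would make the change take effect in the same run; the other site manifests already reference `Service['dnsmasq']`, so I assume `dns_dhcp` declares it, but that is worth confirming before relying on it. A short comment on why RHEL 9 tinc+dns hosts need `bind-dynamic` would also help, since the `if` condition is the only hint.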
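Review bot: The `/etc/dnsmasq.d/static.conf` resource in case.ces.int.pdp7.net.pp has no `notify => Service['dnsmasq']`, unlike the same resource in dixie.bcn.int.pdp7.net.pp and maelcum.mad.int.pdp7.net.pp, so an edited host-record lands on disk but is not served until dnsmasq restarts for some other reason. h2.pdp7.net.pp has the same omission. Adding `notify => Service['dnsmasq'],` after `content` in both files makes all four dns_dhcp nodes behave the same way.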
@@ -0,0 +1,123 @@
+node 'h1.pdp7.net' {
+ class {'proxmox::freeipa':}
+ class {'dns_dhcp':}
+
+ class {'backups':
+ sanoid_config => @("EOT")
+ # pg data
+ [rpool/data/subvol-204-disk-1]
+ use_template = backup
+
+ # nextcloud
+ [rpool/data/subvol-208-disk-1]
+ use_template = backup
+
+ [template_backup]
+ frequently=0
+ hourly=0
+ daily=100000
+ monthly=0
+ yearly=0
+ autosnap=yes
+ | EOT
+ ,
+ }
+
+ # TODO: ugly; tinc scripts require this :(
+ package {'net-tools':}
+
+ # https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/EZSM6LQPSNRY4WA52IYVR46RSXIDU3U7/
+ # SSH hack
+ file {'/etc/ssh/sshd_config.d/weak-gss.conf':
+ content => "GSSAPIStrictAcceptorCheck no\n",
+ }
+ ~>
+ service {'sshd':}
+
+ class {'proxmox::proxy':
+ mail => lookup('mail.root_mail'),
+ base_hostname => lookup('network.public_hostname'),
+ }
+
+ proxmox::proxy_host {'idp.pdp7.net':
+ target => 'https://ipsilon.h1.int.pdp7.net/',
+ overwrite_rh_certs => 'ipsilon.h1.int.pdp7.net',
+ }
+
+ proxmox::proxy_host {'weight.pdp7.net':
+ target => 'https://k8s-prod.h1.int.pdp7.net/',
+ }
+
+ proxmox::proxy_host {'blog.pdp7.net':
+ target => 'https://k8s-test.h1.int.pdp7.net/',
+ }
+
+ proxmox::proxy_host {'miniflux.pdp7.net':
+ target => 'http://miniflux.h1.int.pdp7.net:8080/',
+ }
+
+ proxmox::proxy_host {'nextcloud.pdp7.net':
+ target => 'http://nextcloud.h1.int.pdp7.net/',
+ }
+
+ package {'haproxy':}
+ ->
+ file {'/etc/haproxy/haproxy.cfg':
+ content => @("EOT")
+ global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+ defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+ frontend gemini
+ bind :1965
+ mode tcp
+ option tcplog
+ default_backend blog
+ # TODO: sni
+ # tcp-request inspect-delay 5s
+ # acl blog req_ssl_sni blog.pdp7.net
+ # use_backend blog if blog
+
+ backend blog
+ mode tcp
+ server blog k8s-test.h1.int.pdp7.net:31965
+ | EOT
+ ,
+ }
+ ~>
+ service {'haproxy':
+ enable => true,
+ ensure => running,
+ }
+}
diff --git a/personal_infra/puppet/site/h2.pdp7.net.pp b/personal_infra/puppet/site/h2.pdp7.net.pp
new file mode 100644
index 00000000..51dda7a1
--- /dev/null
+++ b/personal_infra/puppet/site/h2.pdp7.net.pp
@@ -0,0 +1,9 @@
+node 'h2.pdp7.net' {
+ class {'dns_dhcp':}
+
+ file {'/etc/dnsmasq.d/static.conf':
+ content => "dhcp-host=freeswitch,10.42.42.3,freeswitch
+host-record=h2.h2.int.pdp7.net,10.42.42.1
+",
+ }
+}
diff --git a/personal_infra/puppet/site/ipa8.h1.int.pdp7.net.pp b/personal_infra/puppet/site/ipa8.h1.int.pdp7.net.pp
new file mode 100644
index 00000000..ef81ee3f
--- /dev/null
+++ b/personal_infra/puppet/site/ipa8.h1.int.pdp7.net.pp
@@ -0,0 +1,2 @@
+node 'ipa8.h1.int.pdp7.net' {
+}
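Review bot: `GSSAPIStrictAcceptorCheck no` in the `/etc/ssh/sshd_config.d/weak-gss.conf` resource of h1.pdp7.net.pp is labelled only `# SSH hack` plus a mailing-list link, which hides a real relaxation: with the check off, sshd accepts a Kerberos service ticket for any host principal present in its keytab instead of only the one matching its own hostname. The comment should state why that is needed on this host and when it can be reverted; I am inferring from the thread that it concerns a host reached under more than one name, so something like `# sshd must accept tickets for any host/ principal in its keytab because this host is reached under several names; revert once it is known by a single name` is the shape I would expect. The file is also only chained by `~>` to `service {'sshd':}` with no `ensure`, so a config change refreshes sshd but nothing here guarantees it is running — fine if the base image does that, but worth a word.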
diff --git a/personal_infra/puppet/site/ipa9.h1.int.pdp7.net.pp b/personal_infra/puppet/site/ipa9.h1.int.pdp7.net.pp
new file mode 100644
index 00000000..2228f424
--- /dev/null
+++ b/personal_infra/puppet/site/ipa9.h1.int.pdp7.net.pp
@@ -0,0 +1,3 @@
+node 'ipa9.h1.int.pdp7.net' {
+ class {'freeipa::server':}
+}
diff --git a/personal_infra/puppet/site/ipsilon.h1.int.pdp7.net.pp b/personal_infra/puppet/site/ipsilon.h1.int.pdp7.net.pp
new file mode 100644
index 00000000..b5f756cf
--- /dev/null
+++ b/personal_infra/puppet/site/ipsilon.h1.int.pdp7.net.pp
@@ -0,0 +1,3 @@
+node 'ipsilon.h1.int.pdp7.net' {
+ class {'ipsilon':}
+}
diff --git a/personal_infra/puppet/site/maelcum.mad.int.pdp7.net.pp b/personal_infra/puppet/site/maelcum.mad.int.pdp7.net.pp
new file mode 100644
index 00000000..064af4d4
--- /dev/null
+++ b/personal_infra/puppet/site/maelcum.mad.int.pdp7.net.pp
@@ -0,0 +1,10 @@
+node 'maelcum.mad.int.pdp7.net' {
+ class {'dns_dhcp':}
+ file {'/etc/dnsmasq.d/static.conf':
+ content => 'host-record=router,router.mad.int.pdp7.net,10.34.10.1
+dhcp-host=d8:8c:79:1a:11:59,chromecast,10.34.10.3
+host-record=maelcum.mad.int.pdp7.net,maelcum,10.34.10.2
+',
+ notify => Service['dnsmasq'],
+ }
+}
diff --git a/personal_infra/puppet/site/miniflux.h1.int.pdp7.net.pp b/personal_infra/puppet/site/miniflux.h1.int.pdp7.net.pp
new file mode 100644
index 00000000..c6c0862e
--- /dev/null
+++ b/personal_infra/puppet/site/miniflux.h1.int.pdp7.net.pp
@@ -0,0 +1,8 @@
+node 'miniflux.h1.int.pdp7.net' {
+ class {'miniflux':
+ database_url => "host=pg.h1.int.pdp7.net user=miniflux dbname=miniflux sslmode=disable",
+ polling_frequency => 60,
+ batch_size => 100,
+ polling_parser_error_limit => 0,
+ }
+}
diff --git a/personal_infra/puppet/site/nagios.h1.int.pdp7.net.pp b/personal_infra/puppet/site/nagios.h1.int.pdp7.net.pp
new file mode 100644
index 00000000..6db53e62
--- /dev/null
+++ b/personal_infra/puppet/site/nagios.h1.int.pdp7.net.pp
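Review bot: `database_url` in miniflux.h1.int.pdp7.net.pp sets `sslmode=disable`, so the connection from this host to `pg.h1.int.pdp7.net` crosses the network in the clear, and the URL carries no password, which only works because the server side trusts the client's hostname. Changing the URL to end in `sslmode=verify-full` (or at least `sslmode=require`) and adding a credential makes the link depend on something stronger than the client's network position; `verify-full` is the right target if the postgres class already provisions a server certificate, which I cannot see from here. This is the client half of the `trust` entries in pg.h1.int.pdp7.net.pp and the two should be changed together.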
@@ -0,0 +1,16 @@
+node 'nagios.h1.int.pdp7.net' {
+ class {'nagios':}
+ class {'nagios::k8s':}
+
+ $k8s_hosts = lookup("groups.k8s")
+
+ $k8s_hosts.each |String $k8s_host| {
+ nagios_host {$k8s_host:
+ use => 'generic-host',
+ max_check_attempts => 5,
+ contact_groups => 'admins',
+ hostgroups => 'k8s',
+ check_command => 'check-host-alive',
+ }
+ }
+}
diff --git a/personal_infra/puppet/site/nc1.pdp7.net.pp b/personal_infra/puppet/site/nc1.pdp7.net.pp
new file mode 100644
index 00000000..e6939c8e
--- /dev/null
+++ b/personal_infra/puppet/site/nc1.pdp7.net.pp
@@ -0,0 +1,3 @@
+node 'nc1.pdp7.net' {
+ class {'freeipa::server':}
+}
diff --git a/personal_infra/puppet/site/nextcloud.h1.int.pdp7.net.pp b/personal_infra/puppet/site/nextcloud.h1.int.pdp7.net.pp
new file mode 100644
index 00000000..29753d5b
--- /dev/null
+++ b/personal_infra/puppet/site/nextcloud.h1.int.pdp7.net.pp
@@ -0,0 +1,22 @@
+node 'nextcloud.h1.int.pdp7.net' {
+ class {'nextcloud':
+ database_name => 'nextcloud',
+ database_user => 'nextcloud',
+ database_host => 'pg.h1.int.pdp7.net',
+ }
+
+ file {'/var/lib/nextcloud/apps':
+ ensure => 'link',
+ target => '/nextcloud/apps/',
+ }
+
+ file {'/var/lib/nextcloud/data':
+ ensure => 'link',
+ target => '/nextcloud/data/',
+ }
+
+ file {'/etc/nextcloud/config.php':
+ ensure => 'link',
+ target => '/nextcloud/config.php',
+ }
+}
diff --git a/personal_infra/puppet/site/pg.h1.int.pdp7.net.pp b/personal_infra/puppet/site/pg.h1.int.pdp7.net.pp
new file mode 100644
index 00000000..6c5ef035
--- /dev/null
+++ b/personal_infra/puppet/site/pg.h1.int.pdp7.net.pp
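Review bot: The three `file` resources in nextcloud.h1.int.pdp7.net.pp manage only the symlinks, so the owner, group and mode of `/nextcloud/config.php` — which in Nextcloud typically holds the database settings and instance secrets — are not set anywhere in this manifest. If the `nextcloud` class does not manage that target (it is declared here with only database parameters, so I cannot tell), either add a `file {'/nextcloud/config.php': owner => ..., group => ..., mode => '0640'}` resource with the values the class expects, or a comment naming where the target is managed. The same question applies to `/nextcloud/data/`.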
@@ -0,0 +1,16 @@
+node 'pg.h1.int.pdp7.net' {
+ class {'postgres':
+ pg_hba_conf => @(EOT)
+ # TYPE DATABASE USER ADDRESS METHOD
+ # "local" is for Unix domain socket connections only
+ local all all peer
+ host weight k8s_prod k8s-prod.h1.int.pdp7.net trust
+ host weight grafana grafana.h2.int.pdp7.net trust
+ host miniflux miniflux miniflux.h1.int.pdp7.net trust
+ host nextcloud nextcloud nextcloud.h1.int.pdp7.net trust
+ | EOT
+ ,
+ }
+
+ package {'postgresql15-contrib':} # hstore for miniflux
+}
diff --git a/personal_infra/puppet/site/ws.h1.int.pdp7.net.pp b/personal_infra/puppet/site/ws.h1.int.pdp7.net.pp
new file mode 100644
index 00000000..d667839f
--- /dev/null
+++ b/personal_infra/puppet/site/ws.h1.int.pdp7.net.pp
@@ -0,0 +1,6 @@
+node 'ws.h1.int.pdp7.net' {
+ class {'podman':
+ user => 'alex',
+ storage_driver => 'zfs',
+ }
+}
+} |
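Review bot: All four `host` entries in the `pg_hba_conf` heredoc of pg.h1.int.pdp7.net.pp use the `trust` method, which performs no authentication: any process that can reach the server from an address that reverse-resolves to one of those hostnames is admitted as that database user, so the security of every database here rests entirely on DNS and network position. Switching each line to `scram-sha-256` and to `hostssl` instead of `host` — e.g. `hostssl miniflux miniflux miniflux.h1.int.pdp7.net scram-sha-256` and likewise for the other three — keeps the same topology but requires a password and an encrypted connection; the client manifests (miniflux's `database_url`, the nextcloud class parameters, and whatever configures k8s_prod and grafana) would then need the credential and an `sslmode` set. If `trust` is kept deliberately, the heredoc comment should say that hostname entries depend on reverse DNS matching and that the relevant networks are considered trusted, so the assumption is visible to whoever next edits the file.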
