confdroid/puppet_cd
3
0
Fork 0
Code Wiki Activity

add dirs and files - https://gitlab.confdroid.com/internal/confdroid_management/-/issues/292

Browse Source
This commit is contained in:
Arne Teuke
2025-11-01 17:34:23 +01:00
parent 41ac17b901
commit 9fb5422b4b
13 changed files with 483 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
manifests/params.pp
View File

@@ -132,10 +132,10 @@ class puppet_cd::params (
) { ) {
# facts # facts
$fqdn = $facts['networking']['fqdn'] $fqdn = $facts['networking']['fqdn']
$domain = $facts['networking']['domain'] $domain = $facts['networking']['domain']
$os_name = $facts['os']['name'] $os_name = $facts['os']['name']
$os_release = $facts['os']['release']['major'] $os_release = $facts['os']['release']['major']
# directories # directories
## puppet ## puppet
@@ -149,10 +149,12 @@ class puppet_cd::params (
$pt_rundir_master = '/var/run/puppetlabs/puppetserver' $pt_rundir_master = '/var/run/puppetlabs/puppetserver'
$pt_vardir = '/opt/puppetlabs/puppet/cache' $pt_vardir = '/opt/puppetlabs/puppet/cache'
$pt_vardir_master = '/opt/puppetlabs/server/data/puppetserver' $pt_vardir_master = '/opt/puppetlabs/server/data/puppetserver'
## r10k ## r10k
$pt_r10k_dir = "${pt_main_dir}/r10k" $pt_r10k_dir = "${pt_main_dir}/r10k"
$pt_r10k_webhook_dir = '/etc/r10k-webhook' $pt_r10k_webhook_dir = '/etc/r10k-webhook'
## puppetdb
$pt_puppetdb_dir = '/etc/puppetlabs/puppetdb'
$pt_puppetdb_conf_dir = "${pt_puppetdb_dir}/conf.d"
# files # files
## puppet ## puppet
@@ -165,13 +167,31 @@ class puppet_cd::params (
$pt_routes_erb = 'puppet_cd/puppetdb/routes.yaml.erb' $pt_routes_erb = 'puppet_cd/puppetdb/routes.yaml.erb'
$pt_node_rb_file = "${pt_puppetdir}/node.rb" $pt_node_rb_file = "${pt_puppetdir}/node.rb"
$pt_node_rb_erb = 'puppet_cd/puppetdb/node.rb.erb' $pt_node_rb_erb = 'puppet_cd/puppetdb/node.rb.erb'
## r10k ## r10k
$pt_r10k_file = "${pt_r10k_dir}/r10k.yaml" $pt_r10k_file = "${pt_r10k_dir}/r10k.yaml"
$pt_r10k_erb = 'puppet_cd/r10k/r10k.yaml.erb' $pt_r10k_erb = 'puppet_cd/r10k/r10k.yaml.erb'
$pt_webhook_link = 'ln -sf /usr/local/share/gems/gems/r10k_gitlab_webhook-0.1.3/bin/r10k_gitlab_webhook /usr/bin/' $pt_webhook_link = 'ln -sf /usr/local/share/gems/gems/r10k_gitlab_webhook-0.1.3/bin/r10k_gitlab_webhook /usr/bin/'
$pt_webhook_service_file = '/etc/systemd/system/r10k_gitlab_webhook.service' $pt_webhook_service_file = '/etc/systemd/system/r10k_gitlab_webhook.service'
$pt_webhook_service_erb = 'puppet_cd/r10k/r10k_webhook_service.erb' $pt_webhook_service_erb = 'puppet_cd/r10k/r10k_webhook_service.erb'
## puppetdb
$pt_bootstrap_conf_file = "${pt_puppetdb_dir}/bootstrap.cfg"
$pt_bootstrap_conf_erb = 'puppet_cd/puppetdb/bootstrap.cfg.erb'
$pt_logback_conf_file = "${pt_puppetdb_dir}/logback.xml"
$pt_logback_conf_erb = 'puppet_cd/puppetdb/logback.xml.erb'
$pt_logging_conf_file = "${pt_puppetdb_dir}/request-logging.xml"
$pt_logging_conf_erb = 'puppet_cd/puppetdb/request_logging.xml.erb'
$pt_auth_conf_file = "${pt_puppetdb_conf_dir}/auth.conf"
$pt_auth_conf_erb = 'puppet_cd/puppetdb/auth.conf.erb'
$pt_config_ini_file = "${pt_puppetdb_conf_dir}/config.ini"
$pt_config_ini_erb = 'puppet_cd/puppetdb/config.ini.erb'
$pt_db_ini_file = "${pt_puppetdb_conf_dir}/database.ini"
$pt_db_ini_erb = 'puppet_cd/puppetdb/database.ini.erb'
$pt_jetty_ini_file = "${pt_puppetdb_conf_dir}/jetty.ini"
$pt_jetty_ini_erb = 'puppet_cd/puppetdb/jetty.ini.erb'
$pt_repl_ini_file = "${pt_puppetdb_conf_dir}/repl.ini"
$pt_repl_ini_erb = 'puppet_cd/puppetdb/repl.ini.erb'
$pt_service_conf_file = '/usr/lib/systemd/system/puppetdb.service'
$pt_service_conf_erb = 'puppet_cd/puppetdb/service.conf.erb'
# service # service
$pt_server_service = 'puppetserver' $pt_server_service = 'puppetserver'

34
manifests/puppetdb/dirs.pp Normal file
View File

@@ -0,0 +1,34 @@
## puppet_cd::puppetdb::dirs.pp
# Module name: puppet_cd
# Author: Arne Teuke (arne_teuke@confdroid)
# @summary Class manages directories for the puppetdb section
###############################################################################
class puppet_cd::puppetdb::dirs (
) inherits puppet_cd::params {
if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
require puppet_cd::main::install
file { $pt_puppetdb_dir:
ensure => directory,
owner => 'puppetdb',
group => 'puppetdb',
mode => '0750',
selrange => s0,
selrole => object_r,
seltype => puppet_etc_t,
seluser => system_u,
}
file { $pt_puppetdb_conf_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
selrange => s0,
selrole => object_r,
seltype => puppet_etc_t,
seluser => system_u,
}
}
}

131
manifests/puppetdb/files.pp Normal file
View File

@@ -0,0 +1,131 @@
## puppet_cd::puppetdb::files.pp
# Module name: puppet_cd
# Author: Arne Teuke (arne_teuke@confdroid)
# @summary Class manages config files for the puppetdb section
###############################################################################
class puppet_cd::puppetdb::files (
) inherits puppet_cd::params {
if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
require puppet_cd::puppetdb::dirs
# bootstrap.cfg
file { $pt_bootstrap_conf_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => puppet_etc_t,
seluser => system_u,
content => template($pt_bootstrap_conf_erb),
notify => Service[$pt_db_service],
}
# logback.xml
file { $pt_logback_conf_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => puppet_etc_t,
seluser => system_u,
content => template($pt_logback_conf_erb),
notify => Service[$pt_db_service],
}
# request-logging.xml
file { $pt_logging_conf_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => puppet_etc_t,
seluser => system_u,
content => template($pt_logging_conf_erb),
notify => Service[$pt_db_service],
}
# service config
file { $pt_service_conf_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => systemd_unit_file_t,
seluser => system_u,
content => template($pt_service_conf_erb),
notify => Service[$pt_db_service],
}
# conf.d files
## auth.conf
file { $pt_auth_conf_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => puppet_etc_t,
seluser => system_u,
content => template($pt_auth_conf_erb),
notify => Service[$pt_db_service],
}
# config.ini
file { $pt_config_ini_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => puppet_etc_t,
seluser => system_u,
content => template($pt_config_ini_erb),
notify => Service[$pt_db_service],
}
# database.ini
file { $pt_db_ini_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => puppet_etc_t,
seluser => system_u,
content => template($pt_db_ini_erb),
notify => Service[$pt_db_service],
}
# jetty.ini
file { $pt_jetty_ini_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => puppet_etc_t,
seluser => system_u,
content => template($pt_jetty_ini_erb),
notify => Service[$pt_db_service],
}
# repl.ini
file { $pt_repl_ini_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => puppet_etc_t,
seluser => system_u,
content => template($pt_repl_ini_erb),
notify => Service[$pt_db_service],
}
}
}

1
manifests/server/service.pp
View File

@@ -41,6 +41,7 @@ class puppet_cd::server::service (
if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) { if ($pt_use_puppetdb == true) and ($pt_puppetdb_fqdn == $fqdn) {
require puppet_cd::firewall::iptables require puppet_cd::firewall::iptables
require puppet_cd::puppetdb::files
service { $pt_db_service: service { $pt_db_service:
ensure => running, ensure => running,

50
templates/puppetdb/auth.conf.erb Normal file
View File

@@ -0,0 +1,50 @@
authorization: {
version: 1
rules: [
{
# Allow unauthenticated access to the status service endpoint
match-request: {
path: "/status/v1/services"
type: path
method: get
}
allow-unauthenticated: true
sort-order: 500
name: "puppetlabs status service - full"
},
{
match-request: {
path: "/status/v1/simple"
type: path
method: get
}
allow-unauthenticated: true
sort-order: 500
name: "puppetlabs status service - simple"
},
{
# Allow nodes to access the metrics service
# for puppetdb, the metrics service is the only
# service using the authentication service
match-request: {
path: "/metrics"
type: path
method: [get, post]
}
allow: "*"
sort-order: 500
name: "puppetlabs puppetdb metrics"
},
{
# Deny everything else. This ACL is not strictly
# necessary, but illustrates the default policy
match-request: {
path: "/"
type: path
}
deny: "*"
sort-order: 999
name: "puppetlabs deny all"
}
]
}

34
templates/puppetdb/bootstrap.cfg.erb Normal file
View File

@@ -0,0 +1,34 @@
###############################################################################
######### File created by Puppet - manual changes will be overwritten #########
###############################################################################
# This file is used by the application framework (trapperkeeper) to
# determine what services should be loaded at boot time.
# For more info, see:
# https://github.com/puppetlabs/trapperkeeper/wiki/Bootstrapping
# Web Server
puppetlabs.trapperkeeper.services.webserver.jetty10-service/jetty10-service
# Webrouting
puppetlabs.trapperkeeper.services.webrouting.webrouting-service/webrouting-service
# TK metrics - the authorization service is currently only used by the metrics service
puppetlabs.trapperkeeper.services.authorization.authorization-service/authorization-service
puppetlabs.trapperkeeper.services.metrics.metrics-service/metrics-webservice
# TK status
puppetlabs.trapperkeeper.services.status.status-service/status-service
puppetlabs.trapperkeeper.services.scheduler.scheduler-service/scheduler-service
# PuppetDB Services
puppetlabs.puppetdb.cli.services/puppetdb-service
puppetlabs.puppetdb.command/command-service
puppetlabs.puppetdb.pdb-routing/maint-mode-service
puppetlabs.puppetdb.pdb-routing/pdb-routing-service
puppetlabs.puppetdb.config/config-service
# NREPL
puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service
# Dashboard redirect for "/" (not "/pdb"): remove to disable
puppetlabs.puppetdb.dashboard/dashboard-redirect-service

20
templates/puppetdb/config.ini.erb Normal file
View File

@@ -0,0 +1,20 @@
###############################################################################
######### File created by Puppet - manual changes will be overwritten #########
###############################################################################
# See README.md for more thorough explanations of each section and
# option.
[global]
# Store mq/db data in a custom directory
vardir = /opt/puppetlabs/server/data/puppetdb
# Use an external logback config file
logging-config = /etc/puppetlabs/puppetdb/logback.xml
[command-processing]
# How many command-processing threads to use, defaults to (CPUs / 2)
# threads = 4
# How many threads can write to disk at once, defaults to min(CPUs / 2, 4)
# concurrent-writes = 4

17
templates/puppetdb/database.ini.erb Normal file
View File

@@ -0,0 +1,17 @@
###############################################################################
######### File created by Puppet - manual changes will be overwritten #########
###############################################################################
[database]
# The database address, i.e. //HOST:PORT/DATABASE_NAME
subname = <%= @pt_db_subname %>
# Connect as a specific user
username = <%= @pt_db_username %>
# Use a specific password
password = <%= @pt_db_password %>
# How often (in minutes) to compact the database
gc-interval = <%= @pt_gc_interval %>

37
templates/puppetdb/jetty.ini.erb Normal file
View File

@@ -0,0 +1,37 @@
###############################################################################
######### File created by Puppet - manual changes will be overwritten #########
###############################################################################
[jetty]
# IP address or hostname to listen for clear-text HTTP. To avoid resolution
# issues, IP addresses are recommended over hostnames.
# Default is `localhost`.
# host = <host>
# Port to listen on for clear-text HTTP.
port = <%= @pt_http_port %>
# The following are SSL specific settings. They can be configured
# automatically with the tool `puppetdb ssl-setup`, which is normally
# ran during package installation.
# IP address to listen on for HTTPS connections. Hostnames can also be used
# but are not recommended to avoid DNS resolution issues. To listen on all
# interfaces, use `0.0.0.0`.
ssl-host = 0.0.0.0
# The port to listen on for HTTPS connections
ssl-port = <%= @pt_https_port %>
# Private key path
ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
# Public certificate path
ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
# Certificate authority path
ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
# Access logging configuration path. To turn off access logging
# comment out the line with `access-log-config=...`
access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml

52
templates/puppetdb/logback.xml.erb Normal file
View File

@@ -0,0 +1,52 @@
<configuration scan="true" scanPeriod="60 seconds">
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{2}] %m%n</pattern>
</encoder>
</appender>
<appender name="F1" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>/var/log/puppetlabs/puppetdb/puppetdb.log</file>
<append>true</append>
<rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
<fileNamePattern>/var/log/puppetlabs/puppetdb/puppetdb-%d{yyyy-MM-dd}.%i.log.gz</fileNamePattern>
<!-- each file should be at most 200MB, keep 90 days worth of history, but at most 1GB total-->
<maxFileSize>200MB</maxFileSize>
<maxHistory>90</maxHistory>
<totalSizeCap>1GB</totalSizeCap>
</rollingPolicy>
<encoder>
<pattern>%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{2}] %m%n</pattern>
</encoder>
</appender>
<!-- Supress internal Spring Framework logging -->
<logger name="org.springframework.jms.connection" level="warn"/>
<appender name="STATUS" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>/var/log/puppetlabs/puppetdb/puppetdb-status.log</file>
<append>true</append>
<rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
<!-- rollover daily -->
<fileNamePattern>/var/log/puppetlabs/puppetdb/puppetdb-status-%d{yyyy-MM-dd}.%i.log.gz</fileNamePattern>
<!-- each file should be at most 200MB, keep 90 days worth of history, but at most 1GB total-->
<maxFileSize>200MB</maxFileSize>
<maxHistory>90</maxHistory>
<totalSizeCap>1GB</totalSizeCap>
</rollingPolicy>
<encoder>
<!-- note that this will only log the JSON message (%m) and a newline (%n)-->
<pattern>%m%n</pattern>
</encoder>
</appender>
<!-- without additivity="false", the status log messages will be sent to every other appender as well-->
<logger name="puppetlabs.trapperkeeper.services.status.status-debug-logging" level="debug" additivity="false">
<appender-ref ref="STATUS"/>
</logger>
<root level="info">
<appender-ref ref="${logappender:-DUMMY}" />
<appender-ref ref="F1" />
</root>
</configuration>

13
templates/puppetdb/repl.ini.erb Normal file
View File

@@ -0,0 +1,13 @@
###############################################################################
######### File created by Puppet - manual changes will be overwritten #########
###############################################################################
[nrepl]
# Set to true to enable the remote REPL
enabled = <%= @pt_repl_on %>
# What port the REPL should listen on
port = <%= @pt_repl_port %>
# IP address to listen on
host = <%= @pt_repl_host %>

17
templates/puppetdb/request_logging.xml.erb Normal file
View File

@@ -0,0 +1,17 @@
<configuration debug="false">
<appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>/var/log/puppetlabs/puppetdb/puppetdb-access.log</file>
<append>true</append>
<rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
<fileNamePattern>/var/log/puppetlabs/puppetdb/puppetdb-access-%d{yyyy-MM-dd}.%i.log.gz</fileNamePattern>
<!-- each file should be at most 200MB, keep 90 days worth of history, but at most 1GB total-->
<maxFileSize>200MB</maxFileSize>
<maxHistory>90</maxHistory>
<totalSizeCap>1GB</totalSizeCap>
</rollingPolicy>
<encoder>
<pattern>%h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" %D %header{X-Uncompressed-Length}</pattern>
</encoder>
</appender>
<appender-ref ref="FILE" />
</configuration>

51
templates/puppetdb/service.conf.erb Normal file
View File

@@ -0,0 +1,51 @@
###############################################################################
######### File created by Puppet - manual changes will be overwritten #########
###############################################################################
#
# Local settings can be configured without being overwritten by package upgrades, for example
# if you want to increase puppetdb open-files-limit to 10000,
# you need to increase systemd's LimitNOFILE setting, so create a file named
# "/etc/systemd/system/puppetdb.service.d/limits.conf" containing:
# [Service]
# LimitNOFILE=10000
# You can confirm it worked by running systemctl daemon-reload
# then running systemctl show puppetdb | grep LimitNOFILE
#
[Unit]
Description=puppetdb Service
After=syslog.target network.target nss-lookup.target
[Service]
Type=forking
EnvironmentFile=/etc/sysconfig/puppetdb
User=puppetdb
TimeoutStartSec=14400
TimeoutStopSec=60
Restart=on-failure
StartLimitBurst=5
PIDFile=/run/puppetlabs/puppetdb/puppetdb.pid
# https://tickets.puppetlabs.com/browse/EZ-129
# Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512'
# was implemented. This is low enough to cause problems for certain applications. In systemd 231, the
# default was changed to be 15% of the default kernel limit. This explicitly sets TasksMax to 4915,
# which should match the default in systemd 231 and later.
# See https://github.com/systemd/systemd/issues/3211#issuecomment-233676333
TasksMax=4915
#set default privileges to -rw-r-----
UMask=027
ExecReload=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb reload
ExecStart=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb start
ExecStop=/opt/puppetlabs/server/apps/puppetdb/bin/puppetdb stop
KillMode=process
SuccessExitStatus=143
StandardOutput=journal
[Install]
WantedBy=multi-user.target