Puppet Class: profile::wmcs::instance

Defined in:
modules/profile/manifests/wmcs/instance.pp

Overview

basic profile for every CloudVPS instance

Parameters:

  • mount_nfs (Boolean) (defaults to: lookup('mount_nfs', {default_value => true}))
  • diamond_remove (Boolean) (defaults to: lookup('diamond::remove', {default_value => false}))
  • sudo_flavor (String) (defaults to: lookup('sudo_flavor', {default_value => 'sudoldap'}))
  • metrics_server (Stdlib::Fqdn) (defaults to: lookup('statsite::instance::graphite_host', {default_value => 'localhost'}))


# File 'modules/profile/manifests/wmcs/instance.pp', line 2

# @summary Baseline profile for every CloudVPS instance: sudo flavour, LDAP
#   client, log readability, rpcbind shutdown, optional NFS client, optional
#   Diamond metrics, and any extra classes listed in Hiera.
#
# @param mount_nfs
#   When true, this class requires profile::wmcs::nfsclient. Looked up from
#   the 'mount_nfs' key; defaults to true.
# @param diamond_remove
#   When false, the ::diamond class and its related resources are declared.
#   Looked up from the 'diamond::remove' key; defaults to false.
# @param sudo_flavor
#   'sudo' selects the ::sudo class; any other value selects
#   ::sudo::sudoldap, unless os_version('debian >= buster') is true, in which
#   case ::sudo is used regardless. Looked up from 'sudo_flavor'; defaults to
#   'sudoldap'.
# @param metrics_server
#   FQDN passed to ipresolve() and used as the Diamond 'host' setting. Looked
#   up from 'statsite::instance::graphite_host'; defaults to 'localhost'.
class profile::wmcs::instance(
    Boolean      $mount_nfs      = lookup('mount_nfs',                         {default_value => true}),
    Boolean      $diamond_remove = lookup('diamond::remove',                   {default_value => false}),
    String       $sudo_flavor    = lookup('sudo_flavor',                       {default_value => 'sudoldap'}),
    Stdlib::Fqdn $metrics_server = lookup('statsite::instance::graphite_host', {default_value => 'localhost'}),
) {
    # force sudo on buster
    # The defined() guards avoid a duplicate declaration if the class was
    # already declared. defined() depends on evaluation order: it only sees
    # classes declared before this point in the compilation.
    if $sudo_flavor == 'sudo' or os_version('debian >= buster') {
        if ! defined(Class['Sudo']) {
            class { '::sudo': }
        }
    } else {
        if ! defined(Class['Sudo::Sudoldap']) {
            class { '::sudo::sudoldap': }
        }
    }

    # SECURITY: 'ALL=(ALL) NOPASSWD: ALL' is an unrestricted, passwordless sudo
    # rule. Presumably sudo::group renders it for the 'ops' group, which would
    # make membership of that group equivalent to root on every instance that
    # carries this profile.
    # NOTE(review): confirm where 'ops' membership is controlled and audited.
    sudo::group { 'ops':
        privileges => ['ALL=(ALL) NOPASSWD: ALL'],
    }

    class { 'profile::ldap::client::labs':
        # Puppet requires ldap, so we need to update ldap before anything
        #  happens to puppet.
        # File['/etc/puppet/puppet.conf'] is declared outside this class.
        before => File['/etc/puppet/puppet.conf'],
    }

    # make common logs readable
    # NOTE(review): which users or groups gain read access is decided inside
    # base::syslogs and is not visible here; confirm the audience is
    # acceptable for logs that may carry sensitive data.
    class { 'base::syslogs':
        readable => true,
    }

    # Root-owned, world-readable and read-only (0444); holds the instance's
    # FQDN followed by a newline.
    file { '/etc/mailname':
        ensure  => present,
        content => "${::fqdn}\n",
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
    }

    # Installed on every instance that carries this profile.
    package { 'puppet-lint':
        ensure => present,
    }

    # We are using nfsv4, which doesn't require rpcbind on clients. T241710
    # However, removing the package removes nfs-common.
    # So the service is stopped and its unit masked instead. This only happens
    # when the 'nfscommon_version' fact is set.
    if $facts['nfscommon_version'] {
        service { 'rpcbind':
            ensure => 'stopped',
        }
        # 'creates' only tests that the path exists. If a regular unit file or
        # an override already sits at this path, the mask command never runs,
        # and Puppet reports no change.
        exec { '/bin/systemctl mask rpcbind.service':
            creates => '/etc/systemd/system/rpcbind.service',
        }
    }

    # Allows per-host overriding of NFS mounts
    if $mount_nfs {
        require profile::wmcs::nfsclient
    }

    # In production, we try to be punctilious about having Puppet manage
    # system state, and thus it's reasonable to purge Apache site configs
    # that have not been declared via Puppet. But on Labs we want to allow
    # users to manage configuration files locally if they so choose,
    # without having Puppet clobber them. So provision a
    # /etc/apache2/sites-local directory for Apache to recurse into during
    # initialization, but do not manage its contents.
    #
    # SECURITY: everything matching sites-local/* is included by Apache
    # without going through Puppet, so the directory's contents are outside
    # configuration review. The directory is created with mode 0755.
    #
    # The three steps are chained with '&&', but 'onlyif' tests only that the
    # directory is missing. If mkdir succeeds and a later step fails, later
    # runs skip this exec and the Include line is never appended.
    exec { 'enable_sites_local':
        command => '/bin/mkdir -m0755 /etc/apache2/sites-local && \
                    /usr/bin/touch /etc/apache2/sites-local/dummy.conf && \
                    /bin/echo "Include sites-local/*" >> /etc/apache2/apache2.conf',
        onlyif  => '/usr/bin/test -d /etc/apache2 -a ! -d /etc/apache2/sites-local',
    }

    # In production, puppet freshness checks are done by icinga. Labs has no
    # icinga, so collect puppet freshness metrics via diamond/graphite
    # NOTE(review): the MinimalPuppetAgent collector below is declared
    # 'absent', so the sentence above may be out of date; confirm where
    # freshness is collected now.
    if ! $diamond_remove {
        # Prefix labs metrics with project name
        $path_prefix  = $::labsproject
        # presumably the second argument (4) requests an IPv4 address; verify
        # against the ipresolve() function
        $server_ip    = ipresolve($metrics_server, 4)

        # NOTE(review): port 2003 is conventionally carbon's plaintext
        # listener. If that is the case here, metrics are sent without
        # authentication or encryption; confirm the network path is trusted.
        class { '::diamond':
            path_prefix   => $path_prefix,
            keep_logs_for => '0',
            service       => true,
            settings      => {
                # lint:ignore:quoted_booleans
                # Diamond needs its bools in string-literals.
                enabled => 'true',
                # lint:endignore
                host    =>  $server_ip,
                port    => '2003',
                batch   => '20',
            },
        }

        base::service_auto_restart { 'diamond': }

        diamond::collector { 'MinimalPuppetAgent':
            ensure => 'absent',
        }
    }

    class { '::prometheus::node_ssh_open_sessions': }

    # Includes every class listed under the 'classes' Hiera key (default: an
    # empty list), using the legacy hiera_include() function.
    # SECURITY: whoever can set that key chooses which additional classes are
    # applied to the instance.
    # NOTE(review): confirm who can write the Hiera data consulted here.
    hiera_include('classes', [])

    # Signal to rc.local that this VM is up and we don't need to run the firstboot
    #  script anymore
    # No owner, group or mode is set here, so they come from defaults defined
    # outside this class.
    file { '/root/firstboot_done':
        ensure  => present,
        content => '',
    }
}