# puppet-modules issues

Issue feed for https://0xacab.org/nbits/puppet/puppet-modules/-/issues (feed timestamp 2021-02-12T14:37:40Z).

## #1 Standardize LVM's PV and VG name for servers

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/1 (drebs, 2021-02-12T14:37:40Z)

The current stack created by `strapon` goes like this:
```
[ Filesystems ]
[ LVM ]
[ LUKS ]
[ RAID using p3 from each device ]
[p1][p2][p3] ... [p1][p2][p3]
[ disk1 ] ... [ diskN ]
```
Currently `strapon` uses the same value for PV and VG names:
- `VG_NAME` may be set as an environment variable, or uses `vg_name` as default.
- The PV name is set during the LUKS open operation and currently uses `VG_NAME`.
- The VG is then created using `VG_NAME`.
Options to consider:
| PV | VG |
| --- | --- |
| `default` | `default` |
| `pv` | `vg` |
| `$hostname` | `$hostname` |
| `disk` | `vg` |
| `disk0` | `vg0` |
From [`vgrename`'s manpage](https://sourceware.org/git/?p=lvm2.git;a=blob;f=man/vgrename.8_pregen;h=b9ac143e5e534f1aac90ce5905fb143138f66362;hb=HEAD):
```
All VGs visible to a system need to have different names, otherwise many
LVM commands will refuse to run or give warning messages. VGs with the
same name can occur when disks are moved between machines, or filters are
changed. If a newly connected disk has a VG with the same name as the VG
containing the root filesystem, the machine may not boot correctly. When
two VGs have the same name, the VG UUID can be used in place of the source
VG name.
```
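The manpage caveat above (two VGs with the same name, address the duplicate by UUID) becomes a practical concern once every node names its VG `default`: a disk moved in from another node collides with the local VG. The following is an added example, not code from the issue or from `strapon`; it reads `vgs --noheadings -o vg_name,vg_uuid` output from stdin, lists every VG name used more than once with all of its UUIDs, and prints a `vgrename` command (by UUID) for each VG after the first one listed. The sample listing is constructed. Which VG is the foreign one cannot be told from the name, so the operator must confirm it (for example with `pvs -o pv_name,vg_uuid`) before running the suggested command.

```shell
#!/bin/sh
# Added example (not part of the issue or of strapon): report VG name
# collisions and suggest vgrename-by-UUID for the duplicates.
#
# Live usage:
#   vgs --noheadings -o vg_name,vg_uuid | duplicate_vgs

duplicate_vgs() {
    awk '
    # Each input line is "<vg_name> <vg_uuid>"; LVM names never contain spaces.
    NF == 2 {
        name = $1; uuid = $2
        count[name]++
        uuids[name] = uuids[name] " " uuid
    }
    END {
        for (name in count) {
            if (count[name] < 2) continue
            n = split(uuids[name], u, " ")
            printf "VG name %s is used by %d VGs:%s\n", name, count[name], uuids[name]
            for (i = 2; i <= n; i++) {
                # Suggested new name: <old>-<first 6 chars of UUID>. Passing
                # the UUID instead of the name is what lets vgrename pick the
                # right VG when two share a name. Confirm which VG is the
                # foreign one before running this.
                printf "vgrename %s %s-%s\n", u[i], name, substr(u[i], 1, 6)
            }
        }
    }'
}

# Constructed sample: two VGs named "default" (the local disk plus a disk
# moved in from another node that used the same scheme) and one other VG.
SAMPLE_VGS='  default AbCdEf-1111-2222-3333-4444-5555-666666
  default GhIjKl-7777-8888-9999-0000-1111-222222
  vg0     MnOpQr-3333-4444-5555-6666-7777-888888'

# Runs the check over the constructed sample.
check_sample_vgs() {
    printf '%s\n' "$SAMPLE_VGS" | duplicate_vgs
}

check_sample_vgs
```

On the sample this prints the collision line for `default` followed by `vgrename GhIjKl-7777-8888-9999-0000-1111-222222 default-GhIjKl`; a listing without duplicate names prints nothing.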
### Pros of using the same PV and VG name for all nodes
- Hostname changes do not interfere with PV/VG naming (this might be frequent given our use of hostnames to determine nodes' environments in Puppet).
- Less complexity on automation scripts.
- Less complexity during maintenance (eg. it'll always be `lvdisplay vg`).
### Cons of using the same PV and VG name for all nodes
- Moving disks or volumes between machines needs to be done more carefully to avoid interference.
### Steps to fix
- [x] Decide on a naming scheme after considering pros and cons: Use `default`, `default` for now.
- [x] Change `strapon` to use the new naming scheme. Mapped: https://0xacab.org/strapon/strapon/-/issues/9
- ~~Reinstall test node using up-to-date `strapon`.~~ (Would be great, but not really needed for now.)

## #2 Manage VMs

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/2 (drebs, 2021-10-26T22:46:31Z)

We need to be able to deploy new VMs using Puppet, in order to:
- make VM deployment more agile than it currently is, and
- pave the way for automatic environment creation.
Some things to take care of:
- [x] Declaration through Hiera
- [x] Network configuration
- [x] OS installation (via image or automated debootstrap)
- [x] Choose which of the below will be tackled and when.
Not for now:
- Partition/device tuning
- Fail/timeout when virt-install fails/timesout
- Name resolution (eg. using `dnsmasq`)
- Automatic inclusion in Puppet
- Public IP assignment
- DRBD
- Use huge pages for memory allocation
- Libvirt storage pools
### Research
Possibilities:
- Puppet:
- https://forge.puppet.com/modules/cirrax/libvirt
- https://forge.puppet.com/modules/openstack/nova
- https://gitlab.com/shared-puppet-modules-group/puppet-ganeti (doesn't allow provisioning)
- FAI: https://fai-project.org/
- Terraform: https://github.com/dmacvicar/terraform-provider-libvirt

## #9 ONLYOFFICE from container using Podman

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/9 (drebs, 2021-10-26T22:10:32Z; assignee: drebs)

- Allow using the VPN for communication with Nextcloud

## #3 Improve VM management

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/3 (drebs, 2021-10-26T22:46:30Z)

From #2:
* Partition/device tuning
* Fail/timeout when virt-install fails/timesout
* Name resolution (eg. using `dnsmasq`)
* Automatic inclusion in Puppet
* Public IP assignment
* DRBD
* Use huge pages for memory allocation
* Libvirt storage pools

## #4 Cleanup unused Nginx website definitions

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/4 (drebs, 2023-01-04T17:37:18Z)

Currently, when we remove a website the link in `sites-enabled` is not removed.

## #5 Move VPN IP config to only one file

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/5 (drebs, 2023-01-04T22:40:27Z)

Currently, each node has to declare its VPN IP in a separate YAML file. This is very inconvenient to maintain. Ideally, we should have all IPs in one Hiera variable, per environment.

## #6 Switch DB backend for Graphite to either MariaDB or PostgreSQL

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/6 (drebs, 2021-10-26T22:02:42Z; milestone: A panel with metrics and logs)

## #7 Install grafana and connect it to Graphite

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/7 (drebs, 2021-10-26T22:03:18Z; milestone: A panel with metrics and logs)

## #8 Install Loki and send logs to it

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/8 (drebs, 2021-10-26T21:54:40Z; milestone: A panel with metrics and logs)

Possible architecture:
- Use a separate VM as we'll install non-Debian packages.
- Rsyslog for log centralization
- Loki (from upstream repositories).
- Promtail (from upstream repositories) to parse logs and send to Loki.

## #10 Have finer control of APT keys

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/10 (drebs, 2023-01-04T22:43:15Z)

Puppet should have total control of the APT keyring.

## #11 Have finer control of APT configuration in /etc/apt/apt.conf.d

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/11 (drebs, 2023-01-04T22:43:36Z)

Right now we don't purge `/etc/apt/apt.conf.d`, so it may contain package- and manually-installed files. We should evaluate the cost-benefit of having Puppet completely control the contents of that directory.

## #12 Deal with expired or near-expiration trusted keys

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/12 (drebs, 2021-09-23T19:29:44Z)

We currently only allow provisioning to production if pushes are signed with "trusted keys". If a trusted key expires, the admin will not be able to push and will need to do manual intervention on the server to recover.

We need to:
- [ ] Provide instructions to update keys directly in the server when one is locked out.
- [ ] Try to update keys when near expiration.
- [ ] Notify when a key is near expiration.

## #13 Allow for configuring TLS certificates using Hiera

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/13 (drebs, 2021-09-22T11:01:49Z)

## #14 Improve monitoring of TLS certificates

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/14 (drebs, 2023-01-04T17:40:51Z)

Currently, we only monitor certificates that are published as an HTTPS service.
It'd be good to have:
- [ ] Monitoring of the certificate files in the file system.
- [ ] Monitoring of non-HTTP services (IMAP, SMTP, Mumble, etc).

## #15 Configure Nginx default_server on ports 80 and 443

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/15 (drebs, 2023-01-05T00:29:55Z)

Currently, `default_server` is configured for port 80 with the bare minimum for publishing TLS challenges.
Need:
- Listen on port 443
- Default to 404 for unknown domains.

## #16 Add dynamic per-repository entries for unattended-upgrades

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/16 (drebs, 2023-01-04T22:38:59Z)

We sometimes use 3rd-party APT repositories (eg. Docker, Jitsi, etc). If not configured, packages from those repositories will not be upgraded by unattended-upgrades. We should add a way to dynamically pass entries to the `unattended_upgrades` Puppet module classes so they can automatically upgrade packages from custom repositories.

## #17 Evaluate possible use of Prometheus

https://0xacab.org/nbits/puppet/puppet-modules/-/issues/17 (drebs, 2021-10-26T22:03:43Z; milestone: A panel with metrics and logs)
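For issue #15 above, the following is an added example, not code from the page or from the puppet-modules repository. It scans an nginx configuration dump for every port that has a `listen` directive and reports the ports with no `default_server`, which is the state #15 describes for 443: without a catch-all, a request whose Host or SNI matches no `server_name` is routed to the first server block for that port instead of getting a 404. The two configurations it is run on are constructed, one in the "before" state and one with the 443 catch-all added; the certificate paths in them are placeholders.

```shell
#!/bin/sh
# Added example for issue #15 (not from the page or the repository): list
# ports that nginx listens on without a default_server block.
#
# Live usage:
#   nginx -T 2>/dev/null | ports_without_default_server

ports_without_default_server() {
    awk '
    # Only "listen" directives matter; comments and other lines are skipped.
    /^[ \t]*listen[ \t]/ {
        sub(/#.*/, "")                 # strip a trailing comment
        sub(/;.*/, "")                 # strip the ";" and anything after it
        addr = $2
        if (addr ~ /^unix:/) next      # UNIX sockets have no port
        sub(/^.*:/, "", addr)          # "[::]:443" or "0.0.0.0:80" -> "443" / "80"
        ports[addr] = 1
        if ($0 ~ /[ \t]default_server([ \t]|$)/) has_default[addr] = 1
    }
    END {
        for (p in ports) if (!(p in has_default)) print p
    }' | sort -n
}

# Constructed "before" config: port 80 has the ACME catch-all the issue
# mentions, port 443 only has the site-specific server block.
WEAK_CONF='server {
    listen 80 default_server;
    listen [::]:80 default_server;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 404; }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;
    ssl_certificate     /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/example.org.key;
}'

# Constructed "after" config: same, plus a 443 catch-all that answers 404.
# The placeholder self-signed certificate is an assumption; nginx will not
# start a TLS server block without a certificate.
FIXED_CONF="$WEAK_CONF
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate     /etc/ssl/default.crt;
    ssl_certificate_key /etc/ssl/default.key;
    return 404;
}"

echo "before:"
printf '%s\n' "$WEAK_CONF" | ports_without_default_server
echo "after:"
printf '%s\n' "$FIXED_CONF" | ports_without_default_server
```

On the "before" config this prints `443`; on the "after" config it prints nothing. Note that `return 404;` at server level runs before location matching, so in the port 80 block it must sit inside `location /` or the ACME challenge location would never be reached. On nginx 1.19.4 or newer, `ssl_reject_handshake on;` in the 443 catch-all block removes the need for a placeholder certificate: unknown SNI then gets a closed handshake rather than a certificate.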