Merge pull request #942 from lsst-it/IT-4777/tang.dev

(role/tang) fwv

Puppetfile

@@ -90,6 +90,7 @@ mod 'puppet/selinux', '4.0.0'
 mod 'puppet/ssh_keygen', '6.0.0'
 mod 'puppet/sssd', '1.0.0'
 mod 'puppet/systemd', '5.2.0'
+mod 'puppet/tang', '0.1.1'
 mod 'puppet/telegraf', '5.2.0'
 mod 'puppet/tuned', '1.0.0'
 mod 'puppet/yum', '7.1.0'

hieradata/common.yaml

@@ -325,17 +325,15 @@ yum::manage_os_default_repos: true
 letsencrypt::email: "[email protected]"
 
 ipset::sets:
-  # rubin/aura "internal" prefixes
-  aura:
+  aura:  # rubin/aura "internal" prefixes
     ensure: "present"
     type: "hash:net"
     set:
       - "140.252.0.0/16"
       - "139.229.0.0/16"
       - "198.19.0.0/16"
       - "10.0.0.0/8"
-  # rubin "internal" prefixes
-  rubin:
+  rubin:  # rubin "internal" prefixes
     ensure: "present"
     type: "hash:net"
     set:
@@ -352,6 +350,20 @@ ipset::sets:
     type: "hash:net"
     set:
       - "139.229.144.0/26"
+  dev:  # dev site hosts
+    ensure: "present"
+    type: "hash:net"
+    set:
+      - "139.229.134.0/24"
+  tufde:  # tu/tts site hosts which might need FDE
+    ensure: "present"
+    type: "hash:net"
+    set:
+      - "140.252.146.32/27"
+      - "140.252.146.64/27"
+      - "140.252.147.0/28"
+      - "140.252.147.32/28"
+      - "140.252.147.64/27"
 
 # sssd ipa client setup -- do not use on ipa servers
 sssd::main_config:
@@ -517,7 +529,6 @@ profile::core::firewall::firewall:
     ipset: "rubin src"
     dport: "22"
     action: "accept"
-    require: "Ipset::Set[rubin]"
   "020 accept dhcp":
     proto: "udp"
     sport: ["67", "68"]

hieradata/node/tang01.dev.lsst.org.yaml

@@ -0,0 +1,18 @@
+---
+nm::connections:
+  enp1s0:
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.134.4/24,139.229.134.254"
+        dns: "139.229.134.53;139.229.135.54;139.229.135.55;"
+        dns-search: "dev.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "ignore"
+      proxy: {}

hieradata/node/tang01.tu.lsst.org.yaml

@@ -0,0 +1,18 @@
+---
+nm::connections:
+  enp1s0:
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "140.252.146.87/27,140.252.146.65"
+        dns: "140.252.146.71;140.252.146.72;140.252.146.73;"
+        dns-search: "tu.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "ignore"
+      proxy: {}

hieradata/node/tang02.dev.lsst.org.yaml

@@ -0,0 +1,18 @@
+---
+nm::connections:
+  enp1s0:
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.134.58/24,139.229.134.254"
+        dns: "139.229.134.53;139.229.135.54;139.229.135.55;"
+        dns-search: "dev.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "ignore"
+      proxy: {}

hieradata/node/tang02.tu.lsst.org.yaml

@@ -0,0 +1,18 @@
+---
+nm::connections:
+  enp1s0:
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "140.252.146.88/27,140.252.146.65"
+        dns: "140.252.146.71;140.252.146.72;140.252.146.73;"
+        dns-search: "tu.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "ignore"
+      proxy: {}

hieradata/node/tang03.dev.lsst.org.yaml

@@ -0,0 +1,18 @@
+---
+nm::connections:
+  enp1s0:
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.134.59/24,139.229.134.254"
+        dns: "139.229.134.53;139.229.135.54;139.229.135.55;"
+        dns-search: "dev.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "ignore"
+      proxy: {}

hieradata/node/tang03.tu.lsst.org.yaml

@@ -0,0 +1,18 @@
+---
+nm::connections:
+  enp1s0:
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "03da7500-2101-c722-2438-d0d006c28c73"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "140.252.146.89/27,140.252.146.65"
+        dns: "140.252.146.71;140.252.146.72;140.252.146.73;"
+        dns-search: "tu.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "ignore"
+      proxy: {}

hieradata/role/perfsonar.yaml

@@ -23,7 +23,6 @@ profile::core::firewall::firewall:
     ipset: "aura src"
     dport: "22"
     action: "accept"
-    require: "Ipset::Set[aura]"
 
 files:
   # perfsonar packaging installs this one file with the wrong mode

hieradata/role/tang.yaml

@@ -0,0 +1,19 @@
+---
+classes:
+  - "profile::core::common"
+  - "profile::core::firewall"
+  - "restic"
+  - "tang"
+packages:
+  - "jose"
+
+firewall::ensure: "running"
+
+restic::repositories:
+  awsrepo:
+    backup_path:
+      - "/var/db/tang"
+    backup_timer: "*-*-* *:47:00"
+    enable_forget: true
+    forget_timer: "*-*-* 15:00:00"
+    forget_flags: "--keep-within 1y"

hieradata/site/dev.yaml

@@ -56,4 +56,3 @@ profile::core::firewall::firewall:
     ipset: "ayekan src"
     dport: "9100"
     action: "accept"
-    require: "Ipset::Set[ayekan]"

hieradata/site/dev/role/tang.yaml

@@ -0,0 +1,8 @@
+---
+profile::core::firewall::firewall:
+  "200 accept tang":
+    proto: "tcp"
+    state: "NEW"
+    ipset: "dev src"
+    dport: "7500"
+    action: "accept"

hieradata/site/ls.yaml

@@ -55,4 +55,3 @@ profile::core::firewall::firewall:
     ipset: "ayekan src"
     dport: "9100"
     action: "accept"
-    require: "Ipset::Set[ayekan]"

hieradata/site/tu/role/tang.yaml

@@ -0,0 +1,8 @@
+---
+profile::core::firewall::firewall:
+  "200 accept tang":
+    proto: "tcp"
+    state: "NEW"
+    ipset: "tufde src"
+    dport: "7500"
+    action: "accept"

site/profile/manifests/core/firewall.pp

@@ -14,6 +14,9 @@
   include firewall
   include ipset
 
+  Class['ipset'] -> Class['firewall']
+  Ipset::Set <| |> -> Class['firewall']
+
   if $purge_firewall {
     resources { 'firewall': purge => true }
   }

spec/classes/archive/commmon_spec.rb

@@ -3,9 +3,9 @@
 require 'spec_helper'
 
 describe 'profile::archive::common' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let(:facts) { facts }
+      let(:facts) { os_facts }
       let(:pre_condition) do
         <<~PP
           # change service unit name from sssd.service to sssd

spec/classes/archive/data/auxtel_spec.rb

@@ -3,9 +3,9 @@
 require 'spec_helper'
 
 describe 'profile::archive::data::auxtel' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let(:facts) { facts }
+      let(:facts) { os_facts }
 
       it { is_expected.to compile.with_all_deps }
 

spec/classes/archive/data/comcam_spec.rb

@@ -3,9 +3,9 @@
 require 'spec_helper'
 
 describe 'profile::archive::data::comcam' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let(:facts) { facts }
+      let(:facts) { os_facts }
 
       it { is_expected.to compile.with_all_deps }
 

spec/classes/archive/data_spec.rb

@@ -3,9 +3,9 @@
 require 'spec_helper'
 
 describe 'profile::archive::data' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let(:facts) { facts }
+      let(:facts) { os_facts }
 
       it { is_expected.to compile.with_all_deps }
 

spec/classes/ccs/common_spec.rb

@@ -3,9 +3,9 @@
 require 'spec_helper'
 
 describe 'profile::ccs::common' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let(:facts) { facts.merge(site: 'ls') }
+      let(:facts) { override_facts(os_facts, site: 'ls') }
       let(:pre_condition) do
         <<~PP
           include ssh

spec/classes/ccs/el9_spec.rb

@@ -3,11 +3,11 @@
 require 'spec_helper'
 
 describe 'profile::ccs::el9' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     next unless os =~ %r{almalinux-9-x86_64}
 
     context "on #{os}" do
-      let(:facts) { facts.merge(site: 'ls') }
+      let(:facts) { override_facts(os_facts, site: 'ls') }
       let(:pre_condition) do
         <<~PP
           include ssh

spec/classes/ccs/file_transfer_spec.rb

@@ -3,9 +3,9 @@
 require 'spec_helper'
 
 describe 'profile::ccs::file_transfer' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let(:facts) { facts }
+      let(:facts) { os_facts }
 
       context 'with param install => true' do
         let(:params) do

spec/classes/ccs/graphical_spec.rb

@@ -3,9 +3,9 @@
 require 'spec_helper'
 
 describe 'profile::ccs::graphical' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let(:facts) { facts }
+      let(:facts) { os_facts }
       let(:unwanted_pkgs) do
         %w[
           gnome-initial-setup
@@ -22,9 +22,9 @@
 
       it { is_expected.to compile.with_all_deps }
 
-      include_examples 'x2go packages', facts: facts
+      include_examples 'x2go packages', os_facts: os_facts
 
-      if facts[:os]['release']['major'] == '7'
+      if os_facts[:os]['release']['major'] == '7'
         it do
           unwanted_pkgs.each do |pkg|
             is_expected.to contain_yum__group('GNOME Desktop').with(

spec/classes/ccs/sal_dx_spec.rb

@@ -3,9 +3,9 @@
 require 'spec_helper'
 
 describe 'profile::ccs::sal_dx' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let(:facts) { facts }
+      let(:facts) { os_facts }
 
       context 'with no params' do
         it { is_expected.to compile.with_all_deps }

spec/classes/core/bash_completion_spec.rb

@@ -3,13 +3,13 @@
 require 'spec_helper'
 
 describe 'profile::core::bash_completion' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let(:facts) { facts }
+      let(:facts) { os_facts }
 
       it { is_expected.to compile.with_all_deps }
 
-      include_examples 'bash_completion', facts: facts
+      include_examples 'bash_completion', os_facts: os_facts
     end
   end
 end

spec/classes/core/ca_spec.rb

@@ -3,9 +3,9 @@
 require 'spec_helper'
 
 describe 'profile::core::ca' do
-  on_supported_os.each do |os, facts|
+  on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let(:facts) { facts }
+      let(:facts) { os_facts }
 
       it { is_expected.to compile.with_all_deps }
       it { is_expected.to contain_package('ca-certificates').with_ensure('latest') }