diff --git a/modules/base/manifests/firewall.pp b/modules/base/manifests/firewall.pp
index 98b44603a9..91eede6615 100644
--- a/modules/base/manifests/firewall.pp
+++ b/modules/base/manifests/firewall.pp
@@ -30,48 +30,22 @@
 source => 'puppet:///modules/base/firewall/main-input-default-drop.conf',
 }
- $firewall_rules_str = join(
- query_facts('Class[Role::Icinga2]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['he-ipv6'] ) {
- "${value['networking']['ip']} ${value['networking']['interfaces']['he-ipv6']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ resources { type = 'Class' and title = 'Role::Icinga2' }
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
+
 ferm::service { 'nrpe':
 proto => 'tcp',
 port => '5666',
 srange => "(${firewall_rules_str})",
 }
- $firewall_bastion_hosts = join(
- query_facts('Class[Base]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['he-ipv6'] ) {
- "${value['networking']['ip']} ${value['networking']['interfaces']['he-ipv6']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ resources { type = 'Class' and title = 'Base' }
+ | PQL
+ $firewall_bastion_hosts = vmlib::generate_firewall_ip($subquery)
+
 ferm::service { 'ssh':
 proto => 'tcp',
 port => '22',
diff --git a/modules/prometheus/manifests/class.pp b/modules/prometheus/manifests/class.pp
index 47efd78259..74cfb67eca 100644
--- a/modules/prometheus/manifests/class.pp
+++ b/modules/prometheus/manifests/class.pp
@@ -3,10 +3,15 @@
 String $module,
 Integer $port,
 ) {
- $servers = query_nodes("Class[${module}] or Define[${module}]")
- .flatten()
- .unique()
- .sort()
+
+ $pql = @("PQL")
+ nodes[certname] {
+ (resources {type = "Class" and title = "${module}" }
+ or resources {type = "Define" and title = "${module}" })
+ order by certname
+ }
+ | PQL
+ $servers = puppetdb_query($pql).map |$resource| { $resource['certname'] }.flatten().unique().sort
 file { $dest:
 ensure => present,
diff --git a/modules/prometheus/manifests/exporter/cadvisor.pp b/modules/prometheus/manifests/exporter/cadvisor.pp
index 43a75eddbd..509e4a19e3 100644
--- a/modules/prometheus/manifests/exporter/cadvisor.pp
+++ b/modules/prometheus/manifests/exporter/cadvisor.pp
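Review bot: `$subquery` is assigned twice in the same class body — once before the `nrpe` service and again before `ssh` — and Puppet variables cannot be reassigned, so the second heredoc will fail catalog compilation with a "Cannot reassign variable" error unless the two assignments sit in different scopes that the hunk does not show. Give the two queries distinct names, e.g. `$icinga_subquery = @("PQL")` with `$firewall_rules_str = vmlib::generate_firewall_ip($icinga_subquery)`, and `$base_subquery` for the `Base` query feeding `$firewall_bastion_hosts`. The enclosing class starts before this hunk.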
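Review bot: The `$servers` line re-applies `.flatten().unique().sort` to a result the query already returns `order by certname`, and `.map` over `puppetdb_query` output yields a flat list of strings, so only `.unique` does any work there; `$servers = puppetdb_query($pql).map |$resource| { $resource['certname'] }.unique` reads more honestly. PQL `title = "${module}"` is an exact match against the capitalised resource titles PuppetDB stores (the other hunks use `'Role::Icinga2'`-style titles), so a short comment such as `# $module must be the capitalised class/define title as stored in PuppetDB, e.g. Role::Prometheus` would save the next caller a silent empty result. init.pp (L7) builds the same `nodes[certname]` query with the same post-processing; a shared `puppetdb::query_nodes` function next to the new `puppetdb::query_facts` would remove the duplication. The enclosing define starts before this hunk.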
@@ -8,22 +8,10 @@
 subscribe => Package['cadvisor'],
 }
- $firewall_rules_str = join(
- query_facts('Class[Prometheus] or Class[Role::Grafana]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ resources { type = 'Class' and title = 'Prometheus' }
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
 ferm::service { 'prometheus cadvisor_exporter':
 proto => 'tcp',
 port => '4194',
diff --git a/modules/prometheus/manifests/exporter/mariadb.pp b/modules/prometheus/manifests/exporter/mariadb.pp
index 04c23de0ba..46cc1b955e 100644
--- a/modules/prometheus/manifests/exporter/mariadb.pp
+++ b/modules/prometheus/manifests/exporter/mariadb.pp
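Review bot: The new subquery matches only `Prometheus`, while the removed `query_facts` call also admitted `Class[Role::Grafana]`, so Grafana hosts silently drop out of the cadvisor exporter `srange` with this change. If that narrowing is unintended, the heredoc should read `(resources { type = 'Class' and title = 'Prometheus' } or` / `resources { type = 'Class' and title = 'Role::Grafana' })`; if it is intended, the commit message should say so, since it is a firewall-policy change rather than a refactor. The enclosing class starts before this hunk.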
@@ -64,22 +64,10 @@
 ensure => running,
 }
- $firewall_rules_str = join(
- query_facts('Class[Prometheus]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ resources { type = 'Class' and title = 'Prometheus' }
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
 ferm::service { 'prometheus mysqld_exporter':
 proto => 'tcp',
 port => '9104',
diff --git a/modules/prometheus/manifests/exporter/openldap.pp b/modules/prometheus/manifests/exporter/openldap.pp
index ab52b3e9a3..bb17ba6cf3 100644
--- a/modules/prometheus/manifests/exporter/openldap.pp
+++ b/modules/prometheus/manifests/exporter/openldap.pp
@@ -28,22 +28,10 @@
 }
 }
- $firewall_rules_str = join(
- query_facts('Class[Role::Prometheus]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ resources { type = 'Class' and title = 'Role::Prometheus' }
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
 ferm::service { 'prometheus openldap_exporter':
 proto => 'tcp',
 port => '9142',
diff --git a/modules/prometheus/manifests/exporter/varnish.pp b/modules/prometheus/manifests/exporter/varnish.pp
index 2ed3aa0f47..c7820bb0d9 100644
--- a/modules/prometheus/manifests/exporter/varnish.pp
+++ b/modules/prometheus/manifests/exporter/varnish.pp
@@ -9,24 +9,11 @@
 restart => true,
 }
- $firewall_rules_str = join(
- query_facts('Class[Role::Prometheus]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['he-ipv6'] ) {
- "${value['networking']['ip']} ${value['networking']['interfaces']['he-ipv6']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ resources { type = 'Class' and title = 'Role::Prometheus' }
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
+
 ferm::service { 'prometheus varnish_exporter':
 proto => 'tcp',
 port => $listen_port,
diff --git a/modules/prometheus/manifests/init.pp b/modules/prometheus/manifests/init.pp
index c31510b315..070e4ffbb4 100644
--- a/modules/prometheus/manifests/init.pp
+++ b/modules/prometheus/manifests/init.pp
@@ -56,10 +56,13 @@
 refreshonly => true,
 }
- $servers = query_nodes('Class[Base]')
- .flatten()
- .unique()
- .sort()
+ $pql = @("PQL")
+ nodes[certname] {
+ resources {type = "Class" and title = "Base" }
+ order by certname
+ }
+ | PQL
+ $servers = puppetdb_query($pql).map |$resource| { $resource['certname'] }.flatten().unique().sort
 file { '/etc/prometheus/targets/nodes.yaml':
 ensure => present,
diff --git a/modules/puppetdb/functions/query_facts.pp b/modules/puppetdb/functions/query_facts.pp
new file mode 100644
index 0000000000..d5a80a88ac
--- /dev/null
+++ b/modules/puppetdb/functions/query_facts.pp
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
+# @summery query for custome facts for a host and return a hash of facts values keyed to the certname
+# @param filter a hash of fact name to fetch
+# @param a pql subquery to apply to the query
+function puppetdb::query_facts(
+ Array[String[1]] $filter,
+ Optional[String[1]] $subquery = undef,
+) >> Hash[Stdlib::Fqdn, Hash] {
+ $_subquery = $subquery ? {
+ undef => '',
+ default => " and ${subquery}"
+ }
+ $filter_str = $filter.map |$filter| { "\"${filter}\"" }.join(',')
+ $pql = "facts[certname, name, value] { name in [${filter_str}] ${_subquery} }"
+ puppetdb::munge_facts(puppetdb_query($pql))
+}
diff --git a/modules/puppetdb/lib/puppet/functions/puppetdb/munge_facts.rb b/modules/puppetdb/lib/puppet/functions/puppetdb/munge_facts.rb
new file mode 100644
index 0000000000..f10833b0ec
--- /dev/null
+++ b/modules/puppetdb/lib/puppet/functions/puppetdb/munge_facts.rb
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: Apache-2.0
+Puppet::Functions.create_function(:'puppetdb::munge_facts') do
+ dispatch :munge_facts do
+ param 'Array[Hash]', :facts
+ end
+
+ def munge_facts(facts)
+ facts_out = Hash.new {|h, k| h[k] = {}}
+ facts.each do |f|
+ facts_out[f['certname']][f['name']] = f['value']
+ end
+ facts_out
+ end
+end
diff --git a/modules/role/manifests/burrow.pp b/modules/role/manifests/burrow.pp
index d300ac3bbc..824aeec182 100644
--- a/modules/role/manifests/burrow.pp
+++ b/modules/role/manifests/burrow.pp
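Review bot: The puppet-strings header on the new `puppetdb::query_facts` misdescribes its interface: `@summery` should be `@summary`, `custome` should be `custom`, `@param filter` is an `Array[String[1]]` of fact names rather than "a hash", and the second `@param` carries no parameter name, so the generated docs will not attach it to `$subquery`. Propose `# @param filter list of fact names to fetch`, `# @param subquery optional PQL expression and-ed into the facts query; it is interpolated verbatim, not escaped, so pass only trusted manifest-defined fragments` and `# @return facts keyed by certname, then by fact name`. The return type `Hash[Stdlib::Fqdn, Hash]` assumes every certname in PuppetDB is an FQDN, which PuppetDB does not enforce — confirm against the fleet or loosen to `Hash[String[1], Hash]` so a short or non-DNS certname does not turn into a type-mismatch compile failure. The lambda parameter in `$filter.map |$filter|` shadows the outer `$filter`; `|$name| { "\"${name}\"" }` is clearer.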
@@ -26,24 +26,10 @@
 metrics_addr => '0.0.0.0:9500'
 }
- $firewall_rules_str = join(
- query_facts('Class[Role::Prometheus]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['he-ipv6'] ) {
- "${value['networking']['ip']} ${value['networking']['interfaces']['he-ipv6']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ resources { type = 'Class' and title = 'Role::Prometheus' }
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
 # Burrow offers a HTTP REST API
 ferm::service { 'burrow-main':
diff --git a/modules/role/manifests/changeprop.pp b/modules/role/manifests/changeprop.pp
index 0bf3899189..0ec1371544 100644
--- a/modules/role/manifests/changeprop.pp
+++ b/modules/role/manifests/changeprop.pp
@@ -4,22 +4,14 @@
 include role::prometheus::statsd_exporter
 # TODO: Restrict beta access at some point once we get working.
- $firewall_rules_str = join(
- query_facts('Class[Role::Mediawiki] or Class[Role::Mediawiki_task] or Class[Role::Mediawiki_beta] or Class[Role::Icinga2]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Mediawik' } or
+ resources { type = 'Class' and title = 'Role::Mediawiki_task' } or
+ resources { type = 'Class' and title = 'Role::Mediawiki_beta' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' })
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
+
 ferm::service { 'changeprop':
 proto => 'tcp',
 port => '7200',
diff --git a/modules/role/manifests/cloud.pp b/modules/role/manifests/cloud.pp
index 77bbb39110..f7b0dfc641 100644
--- a/modules/role/manifests/cloud.pp
+++ b/modules/role/manifests/cloud.pp
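Review bot: The subquery title `'Role::Mediawik'` is a typo for `Role::Mediawiki` — the removed code queried `Class[Role::Mediawiki]` — and because PQL `=` is an exact match the term matches nothing, so every Role::Mediawiki host silently drops out of the changeprop `srange`: an availability break at the next agent run rather than a compile error. Change the line to `(resources { type = 'Class' and title = 'Role::Mediawiki' } or`. The same typo appears in irc.pp (L12), mathoid.pp (L14), mediawiki.pp (L15), poolcounter.pp (L18) and redis.pp (L19); since these titles are now repeated by hand in many files, a helper that takes a list of class titles and emits the `resources { … } or …` fragment would make this class of mistake much harder to introduce. The enclosing class starts before this hunk.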
@@ -4,20 +4,10 @@
 class { '::cpufrequtils':
 }
- $firewall_rules_str = join(
- query_facts('Class[Role::Cloud]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['vmbr1'] ) {
- "${value['networking']['interfaces']['vmbr1']['ip']} ${value['networking']['ip']} ${value['networking']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ resources { type = 'Class' and title = 'Role::Cloud' }
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
 ferm::service { 'proxmox port 5900:5999':
 proto => 'tcp',
diff --git a/modules/role/manifests/irc.pp b/modules/role/manifests/irc.pp
index 64789f26f7..098acb3968 100644
--- a/modules/role/manifests/irc.pp
+++ b/modules/role/manifests/irc.pp
@@ -32,44 +32,21 @@
 udp_port => '5071',
 }
- $firewall_irc_rules_str = join(
- query_facts('Class[Role::Mediawiki] or Class[Role::Mediawiki_task] or Class[Role::Mediawiki_beta]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Mediawik' } or
+ resources { type = 'Class' and title = 'Role::Mediawiki_task' } or
+ resources { type = 'Class' and title = 'Role::Mediawiki_beta' })
+ | PQL
+ $firewall_irc_rules_str = vmlib::generate_firewall_ip($subquery)
+
 ferm::service { 'ircrcbot':
 proto => 'udp',
 port => '5070',
 srange => "(${firewall_irc_rules_str})",
 }
- $firewall_all_rules_str = join(
- query_facts('Class[Base]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $firewall_all_rules_str = vmlib::generate_firewall_ip()
+
 ferm::service { 'irclogserverbot':
 proto => 'udp',
 port => '5071',
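Review bot: `$firewall_all_rules_str = vmlib::generate_firewall_ip()` passes no subquery, so `puppetdb::query_facts` runs with no node restriction and returns the networking facts of every node PuppetDB knows about, whereas the removed code limited the irclogserverbot `srange` to nodes carrying `Class[Base]`; nodes that have never applied Base (freshly enrolled agents, or deactivated-but-unpurged ones still holding facts) are now admitted through the firewall. Keep the previous scope by building a second heredoc around `resources { type = 'Class' and title = 'Base' }` under a distinct name such as `$base_subquery` and calling `vmlib::generate_firewall_ip($base_subquery)`; reusing `$subquery` here would be a reassignment error. The enclosing class starts before this hunk and continues past it.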
diff --git a/modules/role/manifests/kafka.pp b/modules/role/manifests/kafka.pp
index b96b933571..671bc055f7 100644
--- a/modules/role/manifests/kafka.pp
+++ b/modules/role/manifests/kafka.pp
@@ -89,22 +89,11 @@
 require => Class['kafka::broker'],
 }
- $firewall_rules_str = join(
- query_facts('Class[Role::Changeprop] or Class[Role::Eventgate]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Changeprop' } or
+ resources { type = 'Class' and title = 'Role::Eventgate' })
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
 ferm::service { 'kafka':
 proto => 'tcp',
 port => '9092',
diff --git a/modules/role/manifests/mathoid.pp b/modules/role/manifests/mathoid.pp
index 206e64bb3f..751f635858 100644
--- a/modules/role/manifests/mathoid.pp
+++ b/modules/role/manifests/mathoid.pp
@@ -2,27 +2,22 @@
 class role::mathoid {
 include mathoid
- $firewall = $facts['networking']['hostname'] =~ /^test1.+$/ ? {
- true => 'Class[Role::Bastion] or Class[Role::Mediawiki_beta] or Class[Role::Icinga2]',
- default => 'Class[Role::Bastion] or Class[Role::Mediawiki] or Class[Role::Mediawiki_task] or Class[Role::Icinga2]',
+ if ( $facts['networking']['hostname'] =~ /^test1.+$/ ) {
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Bastion' } or
+ resources { type = 'Class' and title = 'Role::Mediawiki_beta' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' })
+ | PQL
+ } else {
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Bastion' } or
+ resources { type = 'Class' and title = 'Role::Mediawik' } or
+ resources { type = 'Class' and title = 'Role::Mediawiki_task' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' })
+ | PQL
 }
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
- $firewall_rules_str = join(
- query_facts($firewall, ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
 ferm::service { 'mathoid':
 proto => 'tcp',
 port => '10044',
diff --git a/modules/role/manifests/mediawiki.pp b/modules/role/manifests/mediawiki.pp
index 7a829c3e91..0911f3082f 100644
--- a/modules/role/manifests/mediawiki.pp
+++ b/modules/role/manifests/mediawiki.pp
@@ -16,24 +16,15 @@
 include mediawiki
 if $strict_firewall {
- $firewall_rules_str = join(
- query_facts('Class[Role::Mediawiki] or Class[Role::Mediawiki_task] or Class[Role::Varnish] or Class[Role::Icinga2] or Class[Role::Prometheus] or Class[Role::Bastion]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['he-ipv6'] ) {
- "${value['networking']['ip']} ${value['networking']['interfaces']['he-ipv6']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Mediawik' } or
+ resources { type = 'Class' and title = 'Role::Mediawiki_task' } or
+ resources { type = 'Class' and title = 'Role::Varnish' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' } or
+ resources { type = 'Class' and title = 'Role::Prometheus' } or
+ resources { type = 'Class' and title = 'Role::Bastion' })
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
 ferm::service { 'http':
 proto => 'tcp',
diff --git a/modules/role/manifests/mediawiki_beta.pp b/modules/role/manifests/mediawiki_beta.pp
index ebdbb92a8d..bed2016cff 100644
--- a/modules/role/manifests/mediawiki_beta.pp
+++ b/modules/role/manifests/mediawiki_beta.pp
@@ -21,24 +21,14 @@
 include mediawiki
 if $strict_firewall {
- $firewall_rules_str = join(
- query_facts('Class[Role::Mediawiki_beta] or Class[Role::Varnish] or Class[Role::Icinga2] or Class[Role::Prometheus] or Class[Role::Bastion]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['he-ipv6'] ) {
- "${value['networking']['ip']} ${value['networking']['interfaces']['he-ipv6']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Mediawiki_beta' } or
+ resources { type = 'Class' and title = 'Role::Varnish' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' } or
+ resources { type = 'Class' and title = 'Role::Prometheus' } or
+ resources { type = 'Class' and title = 'Role::Bastion' })
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
 ferm::service { 'http':
 proto => 'tcp',
diff --git a/modules/role/manifests/phorge.pp b/modules/role/manifests/phorge.pp
index 44ed738f79..d57f6af81c 100644
--- a/modules/role/manifests/phorge.pp
+++ b/modules/role/manifests/phorge.pp
@@ -4,25 +4,13 @@
 $cloudflare_ipv4 = split(file('/etc/puppetlabs/puppet/private/files/firewall/cloudflare_ipv4'), /[\r\n]/)
 $cloudflare_ipv6 = split(file('/etc/puppetlabs/puppet/private/files/firewall/cloudflare_ipv6'), /[\r\n]/)
+ $cf = join($cloudflare_ipv4 + $cloudflare_ipv6, ' ')
- $firewall_rules_str = join(
- $cloudflare_ipv4 + $cloudflare_ipv6 + query_facts('Class[Role::Varnish] or Class[Role::Icinga2]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['he-ipv6'] ) {
- "${value['networking']['ip']} ${value['networking']['interfaces']['he-ipv6']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Varnish' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' })
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery) + " ${$cf}"
 ferm::service { 'http':
 proto => 'tcp',
diff --git a/modules/role/manifests/poolcounter.pp b/modules/role/manifests/poolcounter.pp
index 212b9df4eb..851a79ef8c 100644
--- a/modules/role/manifests/poolcounter.pp
+++ b/modules/role/manifests/poolcounter.pp
@@ -2,27 +2,20 @@
 class role::poolcounter {
 include poolcounter
- $firewall = $facts['networking']['hostname'] =~ /^test1.+$/ ? {
- true => 'Class[Role::Mediawiki_beta] or Class[Role::Icinga2]',
- default => 'Class[Role::Mediawiki] or Class[Role::Mediawiki_task] or Class[Role::Icinga2]',
+ if ( $facts['networking']['hostname'] =~ /^test1.+$/ ) {
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Mediawiki_beta' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' })
+ | PQL
+ } else {
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Mediawik' } or
+ resources { type = 'Class' and title = 'Role::Mediawiki_task' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' })
+ | PQL
 }
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
- $firewall_rules_str = join(
- query_facts($firewall, ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
 ferm::service { 'poolcounter':
 proto => 'tcp',
 port => '7531',
diff --git a/modules/role/manifests/redis.pp b/modules/role/manifests/redis.pp
index 68bba46a73..49a5d7c6af 100644
--- a/modules/role/manifests/redis.pp
+++ b/modules/role/manifests/redis.pp
@@ -9,27 +9,20 @@
 maxmemory => $redis_heap,
 }
- $firewall = $facts['networking']['hostname'] =~ /^test1.+$/ ? {
- true => 'Class[Role::Mediawiki_beta] or Class[Role::Icinga2]',
- default => 'Class[Role::Mediawiki] or Class[Role::Mediawiki_task] or Class[Role::Icinga2]',
+ if ( $facts['networking']['hostname'] =~ /^test1.+$/ ) {
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Mediawiki_beta' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' })
+ | PQL
+ } else {
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Mediawik' } or
+ resources { type = 'Class' and title = 'Role::Mediawiki_task' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' })
+ | PQL
 }
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
- $firewall_rules_str = join(
- query_facts($firewall, ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
 ferm::service { 'redis':
 proto => 'tcp',
 port => '6379',
diff --git a/modules/role/manifests/reports.pp b/modules/role/manifests/reports.pp
index fcc440cb68..09cea19c3c 100644
--- a/modules/role/manifests/reports.pp
+++ b/modules/role/manifests/reports.pp
@@ -4,23 +4,13 @@
 $cloudflare_ipv4 = split(file('/etc/puppetlabs/puppet/private/files/firewall/cloudflare_ipv4'), /[\r\n]/)
 $cloudflare_ipv6 = split(file('/etc/puppetlabs/puppet/private/files/firewall/cloudflare_ipv6'), /[\r\n]/)
+ $cf = join($cloudflare_ipv4 + $cloudflare_ipv6, ' ')
- $firewall_srange = join(
- $cloudflare_ipv4 + $cloudflare_ipv6 + query_facts('Class[Role::Varnish] or Class[Role::Icinga2]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Varnish' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' })
+ | PQL
+ $firewall_srange = vmlib::generate_firewall_ip($subquery) + " ${$cf}"
 ferm::service { 'http':
 proto => 'tcp',
diff --git a/modules/role/manifests/ssl.pp b/modules/role/manifests/ssl.pp
index f0c2ba048b..c9701f00d7 100644
--- a/modules/role/manifests/ssl.pp
+++ b/modules/role/manifests/ssl.pp
@@ -2,22 +2,11 @@
 class role::ssl {
 include ::ssl
- $firewall_srange = join(
- query_facts('Class[Role::Varnish] or Class[Role::Icinga2]', ['networking'])
- .map |$key, $value| {
- if ( $value['networking']['interfaces']['ens19'] and $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens19']['ip']} ${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } elsif ( $value['networking']['interfaces']['ens18'] ) {
- "${value['networking']['interfaces']['ens18']['ip']} ${value['networking']['interfaces']['ens18']['ip6']}"
- } else {
- "${value['networking']['ip']} ${value['networking']['ip6']}"
- }
- }
- .flatten()
- .unique()
- .sort(),
- ' '
- )
+ $subquery = @("PQL")
+ (resources { type = 'Class' and title = 'Role::Varnish' } or
+ resources { type = 'Class' and title = 'Role::Icinga2' })
+ | PQL
+ $firewall_rules_str = vmlib::generate_firewall_ip($subquery)
 if !defined(Ferm::Service['http']) {
 ferm::service { 'http':
diff --git a/modules/vmlib/functions/generate_firewall_ip.pp b/modules/vmlib/functions/generate_firewall_ip.pp
new file mode 100644
index 0000000000..5553b5c000
--- /dev/null
+++ b/modules/vmlib/functions/generate_firewall_ip.pp
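Review bot: The result is now stored in `$firewall_rules_str`, but the variable this class defined before — and, as far as the hunk shows, still reads in the `ferm::service` resources below it — was `$firewall_srange`; unless those `srange` references were updated outside the hunk, they will interpolate an unset variable, which is a compile failure under `strict_variables` and an empty `srange` otherwise. Keep the established name: `$firewall_srange = vmlib::generate_firewall_ip($subquery)`. The enclosing class continues past the hunk.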
@@ -0,0 +1,18 @@
+function vmlib::generate_firewall_ip (
+ Optional[String[1]] $subquery = undef
+) >> String {
+ join(
+ puppetdb::query_facts(['networking'], $subquery).values.map |$_facts| {
+ if ( $_facts['networking']['interfaces']['vmbr1'] ) {
+ "${value['value']['interfaces']['vmbr1']['ip']} ${value['value']['ip']} ${value['value']['ip6']}"
+ } elsif ( $_facts['networking']['interfaces']['ens19'] and $_facts['networking']['interfaces']['ens18'] ) {
+ "${value['value']['interfaces']['ens19']['ip']} ${value['value']['interfaces']['ens18']['ip']} ${value['value']['interfaces']['ens18']['ip6']}"
+ } elsif ( $value['value']['interfaces']['ens18'] ) {
+ "${value['value']['interfaces']['ens18']['ip']} ${value['value']['interfaces']['ens18']['ip6']}"
+ } else {
+ "${value['value']['ip']} ${value['value']['ip6']}"
+ }
+ }
+ }.flatten.sort.unique,
+ ' '
+ )
+}
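Review bot: The lambda's parameter is `$_facts`, but every interpolated address string and the second `elsif` condition read `$value['value'][...]`, a variable that is never defined in this function; under `strict_variables` the catalog fails to compile, and otherwise every host maps to a string of empty fields, so none of the twenty-odd callers' `srange` lists receives the addresses it expects. The rewrite below binds the networking hash once and uses it throughout. Because this helper replaces per-role lambdas, it also changes policy for its callers: the `vmbr1` branch previously existed only in role::cloud and now applies to every query, and the `he-ipv6` branch that base::firewall, varnish, burrow, mediawiki, mediawiki_beta and phorge relied on is gone, so hosts whose IPv6 lives on `he-ipv6` are now listed by `networking.ip6` instead — confirm both are intended, or keep the `he-ipv6` branch. A puppet-strings header is also missing; describe `@param subquery` as an optional PQL expression narrowing which nodes' addresses are returned, and `@return` as the sorted, de-duplicated, space-separated address list intended for a ferm `srange`.
```puppet
  puppetdb::query_facts(['networking'], $subquery).values.map |$_facts| {
    $net = $_facts['networking']
    if ( $net['interfaces']['vmbr1'] ) {
      "${net['interfaces']['vmbr1']['ip']} ${net['ip']} ${net['ip6']}"
    } elsif ( $net['interfaces']['ens19'] and $net['interfaces']['ens18'] ) {
      "${net['interfaces']['ens19']['ip']} ${net['interfaces']['ens18']['ip']} ${net['interfaces']['ens18']['ip6']}"
    } elsif ( $net['interfaces']['ens18'] ) {
      "${net['interfaces']['ens18']['ip']} ${net['interfaces']['ens18']['ip6']}"
    } else {
      "${net['ip']} ${net['ip6']}"
    }
  }.flatten.sort.unique,
  # … unchanged: ' ' separator, closing join and function brace …
```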