diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9bed8821e..9402e5581 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -3,9 +3,7 @@ repos: rev: v2.1.0 hooks: - id: puppet-validate - additional_dependencies: ['puppet:<7'] - id: erb-validate - additional_dependencies: ['puppet:<7'] - id: puppet-lint args: - --fail-on-warnings @@ -15,13 +13,11 @@ repos: - --no-puppet_url_without_modules-check - --no-arrow_on_right_operand_line-check - --no-variable_is_lowercase-check - additional_dependencies: ['puppet:<7', 'puppet-lint'] + additional_dependencies: ['puppet-lint'] - id: epp-validate - additional_dependencies: ['puppet:<7'] - id: r10k-validate - additional_dependencies: ['puppet:<7', 'r10k'] + additional_dependencies: ['r10k'] - id: ruby-validate - additional_dependencies: ['puppet:<7'] - repo: https://github.com/pre-commit/pre-commit-hooks.git # We need to be using python3.6 by default before this can be upgraded to 3.x+ rev: v2.5.0 diff --git a/manifests/site_ssl.pp b/manifests/site_ssl.pp index 0d51e231f..d42f4a8f4 100644 --- a/manifests/site_ssl.pp +++ b/manifests/site_ssl.pp @@ -6,7 +6,7 @@ # https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 # # This should be updated from time-to-time. -if $::lsbdistcodename == 'bullseye' { +if $facts['facts['os']['distro']['codename']'] == 'bullseye' { $ssl_ciphersuite = 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256' $ssl_protocols = 'TLSv1.2 TLSv1.3' } else { diff --git a/modules/ocf/functions/get_host_fqdns.pp b/modules/ocf/functions/get_host_fqdns.pp index effa6273e..efda9c222 100644 --- a/modules/ocf/functions/get_host_fqdns.pp +++ b/modules/ocf/functions/get_host_fqdns.pp 
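Review bot: With the `puppet:<7` bound removed, none of the hook gems listed in `additional_dependencies` carries a version constraint (`['puppet-lint']`, `['r10k']`), so each fresh hook environment installs whatever release is current. Pinning them, for example `additional_dependencies: ['puppet-lint:<PINNED_VERSION>']`, keeps validation reproducible and limits exposure to a bad upstream release. It is also worth confirming that the Puppet version the validate hooks now resolve matches what the servers run, otherwise a passing hook may not reflect how production parses these manifests.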
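Review bot: The new condition `$facts['facts['os']['distro']['codename']']` is not a valid structured-fact lookup: the inner quotes end the string after `facts[`, so this should fail to parse rather than select the bullseye cipher list. The intended form is `if $facts['os']['distro']['codename'] == 'bullseye' {`. The same rewrite artefact appears in most other hunks of this commit (the apt.pp `release` fields, the `@@sshkey` export in auth.pp, the `ip6` selector in firewall/firewall46.pp, the `fqdn`-based `ssl_cert`/`ssl_key` paths, and the `$facts['os['distro']...']` variants in extrapackages.pp and ocf_desktop/drivers.pp), so they all need the same correction. Several of those decide TLS settings, firewall providers and package sources, so each file should pass `puppet parser validate` before merge.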
@@ -7,6 +7,6 @@ # CNAME records 'www', then this function (with the suffix 'ocf.io' would # return ['death.ocf.io', 'dev-vhost.ocf.io', 'www.ocf.io'] function ocf::get_host_fqdns(String $suffix = 'ocf.berkeley.edu') >> Array[String] { - $dns_entries = concat([$::hostname], delete($::dnsA, '@'), $::dnsCname) + $dns_entries = concat([$facts['facts['networking']['hostname']']], delete($facts['dnsA'], '@'), $facts['dnsCname']) suffix(delete($dns_entries, ''), ".${suffix}") } diff --git a/modules/ocf/manifests/apt.pp b/modules/ocf/manifests/apt.pp index e7a21f564..24fab8aa3 100644 --- a/modules/ocf/manifests/apt.pp +++ b/modules/ocf/manifests/apt.pp @@ -11,8 +11,8 @@ $repos = 'main contrib non-free' - if $::lsbdistid == 'Debian' { - if $::operatingsystemmajrelease == '9' { + if $facts['facts['os']['distro']['id']'] == 'Debian' { + if $facts['facts['os']['release']['major']'] == '9' { apt::key { 'freexian': id => 'AB597C4F6F3380BD4B2BEBC2A07310D369055D5A', source => 'https://deb.freexian.com/extended-lts/archive-key.gpg'; @@ -21,7 +21,7 @@ apt::source { 'debian': location => 'https://mirrors.ocf.berkeley.edu/debian/', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => $repos, include => { src => true @@ -29,7 +29,7 @@ 'debian-updates': location => 'https://mirrors.ocf.berkeley.edu/debian/', - release => "${::lsbdistcodename}-updates", + release => "${facts['facts['os']['distro']['codename']']}-updates", repos => $repos, include => { src => true @@ -37,7 +37,7 @@ 'debian-security': location => 'https://mirrors.ocf.berkeley.edu/debian-security/', - release => "${::lsbdistcodename}/updates", + release => "${facts['facts['os']['distro']['codename']']}/updates", repos => $repos, include => { src => true 
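Review bot: `$facts['dnsA']` and `$facts['dnsCname']` only resolve if these values are delivered as facts; they are not core Facter facts, and if they reach the catalog as node-classifier parameters (top-scope variables) the `$facts` lookup yields undef. That would change which names this function returns, and it feeds the certificate domain list in ssl/default.pp. The same question applies to `ipHostNumber`, `ip6HostNumber`, `type`, `skip_ldap` and `skip_kerberos` in later hunks; for `$facts['type'] != 'staffvm'` an undef value makes the condition always true. Please confirm the source of each value and keep `$::name` (or a typed class parameter) for anything that is not a fact. The hostname element also needs the plain form `$facts['networking']['hostname']`.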
@@ -45,12 +45,12 @@ 'extended-lts': location => 'https://mirrors.ocf.berkeley.edu/freexian/', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => $repos; 'ocf': location => 'https://apt.ocf.berkeley.edu/', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => 'main', include => { src => true @@ -58,7 +58,7 @@ 'ocf-backports': location => 'https://apt.ocf.berkeley.edu/', - release => "${::lsbdistcodename}-backports", + release => "${facts['facts['os']['distro']['codename']']}-backports", repos => 'main', include => { src => true @@ -68,7 +68,7 @@ # Pin anything coming from *-backports to be lower than normal priority apt::pin { 'ocf-backports': priority => 200, - codename => "${::lsbdistcodename}-backports", + codename => "${facts['facts['os']['distro']['codename']']}-backports", } # TODO: Submit patch to puppetlabs-apt to enable having includes for @@ -77,11 +77,11 @@ location => 'https://mirrors.ocf.berkeley.edu/debian/'; } } - elsif $::operatingsystemmajrelease == '10' { + elsif $facts['facts['os']['release']['major']'] == '10' { apt::source { 'debian': location => 'https://mirrors.ocf.berkeley.edu/debian/', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => $repos, include => { src => true @@ -89,7 +89,7 @@ 'debian-updates': location => 'https://mirrors.ocf.berkeley.edu/debian/', - release => "${::lsbdistcodename}-updates", + release => "${facts['facts['os']['distro']['codename']']}-updates", repos => $repos, include => { src => true @@ -97,7 +97,7 @@ 'debian-security': location => 'https://mirrors.ocf.berkeley.edu/debian-security/', - release => "${::lsbdistcodename}/updates", + release => "${facts['facts['os']['distro']['codename']']}/updates", repos => $repos, include => { src => true 
@@ -105,7 +105,7 @@ 'ocf': location => 'https://apt.ocf.berkeley.edu/', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => 'main', include => { src => true @@ -113,7 +113,7 @@ 'ocf-backports': location => 'https://apt.ocf.berkeley.edu/', - release => "${::lsbdistcodename}-backports", + release => "${facts['facts['os']['distro']['codename']']}-backports", repos => 'main', include => { src => true @@ -123,7 +123,7 @@ # Pin anything coming from *-backports to be lower than normal priority apt::pin { 'ocf-backports': priority => 200, - codename => "${::lsbdistcodename}-backports", + codename => "${facts['facts['os']['distro']['codename']']}-backports", } # TODO: Submit patch to puppetlabs-apt to enable having includes for @@ -137,7 +137,7 @@ apt::source { 'debian': location => 'https://mirrors.ocf.berkeley.edu/debian/', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => $repos, include => { src => true @@ -145,7 +145,7 @@ 'debian-updates': location => 'https://mirrors.ocf.berkeley.edu/debian/', - release => "${::lsbdistcodename}-updates", + release => "${facts['facts['os']['distro']['codename']']}-updates", repos => $repos, include => { src => true @@ -153,7 +153,7 @@ 'debian-security': location => 'https://mirrors.ocf.berkeley.edu/debian-security/', - release => "${::lsbdistcodename}-security", + release => "${facts['facts['os']['distro']['codename']']}-security", repos => $repos, include => { src => true @@ -161,7 +161,7 @@ 'ocf': location => 'https://apt.ocf.berkeley.edu/', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => 'main', include => { src => true @@ -169,7 +169,7 @@ 'ocf-backports': location => 'https://apt.ocf.berkeley.edu/', - release => "${::lsbdistcodename}-backports", + release => "${facts['facts['os']['distro']['codename']']}-backports", repos => 'main', include => { src => true 
@@ -179,7 +179,7 @@ # Pin anything coming from *-backports to be lower than normal priority apt::pin { 'ocf-backports': priority => 200, - codename => "${::lsbdistcodename}-backports", + codename => "${facts['facts['os']['distro']['codename']']}-backports", } # TODO: Submit patch to puppetlabs-apt to enable having includes for @@ -189,11 +189,11 @@ } } - } elsif $::lsbdistid == 'Raspbian' { + } elsif $facts['facts['os']['distro']['id']'] == 'Raspbian' { apt::source { 'raspbian': location => 'https://mirrors.ocf.berkeley.edu/raspbian/raspbian/', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => 'main contrib non-free rpi', include => { src => true @@ -201,7 +201,7 @@ 'archive-rpi': location => 'https://archive.raspberrypi.org/debian/', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => 'main ui', include => { src => true @@ -212,7 +212,7 @@ apt::source { 'puppetlabs': location => 'https://mirrors.ocf.berkeley.edu/puppetlabs/apt/', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => 'puppet', } diff --git a/modules/ocf/manifests/auth.pp b/modules/ocf/manifests/auth.pp index 4ef829a94..cca453cc5 100644 --- a/modules/ocf/manifests/auth.pp +++ b/modules/ocf/manifests/auth.pp @@ -54,7 +54,7 @@ } # nameservice configuration - if $::skip_ldap { + if $facts['skip_ldap'] { # use local copy only (never consult LDAP during lookups); # this is useful for servers which expect to not have connectivity to ldap # @@ -79,7 +79,7 @@ } # PAM user authentication - unless $::skip_kerberos { + unless $facts['skip_kerberos'] { # install Kerberos PAM module package { 'libpam-krb5': } } 
@@ -157,21 +157,21 @@ # Get all DNS names, FQDNs, and IPs for a host to include in SSH keys $ssh_aliases = delete(concat( - suffix(delete(any2array($::dnsA), ''), ".${::domain}"), - $::dnsA, - suffix(delete(any2array($::dnsCname), ''), ".${::domain}"), - $::dnsCname, - $::fqdn, - $::ipHostNumber, - $::ip6HostNumber, + suffix(delete(any2array($facts['dnsA']), ''), ".${facts['facts['networking']['domain']']}"), + $facts['dnsA'], + suffix(delete(any2array($facts['dnsCname']), ''), ".${facts['facts['networking']['domain']']}"), + $facts['dnsCname'], + $facts['facts['networking']['fqdn']'], + $facts['ipHostNumber'], + $facts['ip6HostNumber'], ), '') # Export SSH keys from every host if PuppetDB is running, and use them # to populate the global list in /etc/ssh/ssh_known_hosts. - if str2bool($::puppetdb_running) { - @@sshkey { $::hostname: + if str2bool($facts['puppetdb_running']) { + @@sshkey { $facts['facts['networking']['hostname']']: host_aliases => $ssh_aliases, - key => $::sshecdsakey, + key => $facts['facts['ssh']['ecdsa']['key']'], type => ecdsa-sha2-nistp256, } Sshkey <<| |>> diff --git a/modules/ocf/manifests/extrapackages.pp b/modules/ocf/manifests/extrapackages.pp index baa70a2ac..d7064e260 100644 --- a/modules/ocf/manifests/extrapackages.pp +++ b/modules/ocf/manifests/extrapackages.pp @@ -194,7 +194,7 @@ ]:; } - if Integer($::os['distro']['release']['major']) >= 11 { + if Integer($facts['os['distro']['release']['major']']) >= 11 { package { [ 'bat', @@ -206,7 +206,7 @@ backport_on => ['buster', 'stretch'], } - if $::lsbdistcodename == 'stretch' { + if $facts['facts['os']['distro']['codename']'] == 'stretch' { package { [ # php-mcrypt is deprecated since PHP 7.1 in favor of using openssl 
@@ -220,12 +220,12 @@ 'php7.0-dba', ]:; } - } elsif $::lsbdistcodename == 'buster' { + } elsif $facts['facts['os']['distro']['codename']'] == 'buster' { # This isn't available as php-dba unfortunately (that's just a virtual # package for this), and with virtual packages puppet will try to install # them every run, leading to unnecessary noise package { 'php7.3-dba':; } - } elsif $::lsbdistcodename == 'bullseye' { + } elsif $facts['facts['os']['distro']['codename']'] == 'bullseye' { # This isn't available as php-dba unfortunately (that's just a virtual # package for this), and with virtual packages puppet will try to install # them every run, leading to unnecessary noise diff --git a/modules/ocf/manifests/firewall/firewall46.pp b/modules/ocf/manifests/firewall/firewall46.pp index 72544dc93..fd65c2c93 100644 --- a/modules/ocf/manifests/firewall/firewall46.pp +++ b/modules/ocf/manifests/firewall/firewall46.pp @@ -2,7 +2,7 @@ # Ruby's Resolv class doesn't think it should resolve IPv6 addresses if the # local host doesn't have a public IPv6 address. Thus we only try to apply # IPv6 firewall rules here if the host already has an IPv6 address. - $providers = $::ipaddress6 ? { + $providers = $facts['facts['networking']['ip6']'] ? { undef => ['iptables'], /^fe80::/ => ['iptables'], default => ['iptables', 'ip6tables'], diff --git a/modules/ocf/manifests/hidepid.pp b/modules/ocf/manifests/hidepid.pp index 189dbda5b..fe0fe08e5 100644 --- a/modules/ocf/manifests/hidepid.pp +++ b/modules/ocf/manifests/hidepid.pp @@ -13,7 +13,7 @@ content => "[Service]\nSupplementaryGroups=${procfs_authorized_group}\n", } - if str2bool($::polkit_priv_drop) { + if str2bool($facts['polkit_priv_drop']) { # Futureproof for policykit for version 0.115. policykit will create this # user, we just need to add it to the authorized group user { 'polkitd': diff --git a/modules/ocf/manifests/init.pp b/modules/ocf/manifests/init.pp index 6b6f8e7c9..1cf015314 100644 --- a/modules/ocf/manifests/init.pp 
+++ b/modules/ocf/manifests/init.pp @@ -5,7 +5,7 @@ include ocf::etc include ocf::firewall include ocf::groups - if ($::hostname != 'fallingrocks') { + if ($facts['facts['networking']['hostname']'] != 'fallingrocks') { include ocf::hidepid } include ocf::kerberos diff --git a/modules/ocf/manifests/kerberos.pp b/modules/ocf/manifests/kerberos.pp index 0426f8113..fd7896b0c 100644 --- a/modules/ocf/manifests/kerberos.pp +++ b/modules/ocf/manifests/kerberos.pp @@ -1,5 +1,5 @@ class ocf::kerberos { - if $::skip_kerberos { + if $facts['skip_kerberos'] { # don't use Kerberos, so remove the packages and config file package { [ 'heimdal-clients', 'libsasl2-modules-gssapi-mit' ]: ensure => purged; diff --git a/modules/ocf/manifests/motd.pp b/modules/ocf/manifests/motd.pp index 9d8b84e5b..153111850 100644 --- a/modules/ocf/manifests/motd.pp +++ b/modules/ocf/manifests/motd.pp @@ -1,5 +1,5 @@ class ocf::motd { - $motd_from_nfs = str2bool($::ocf_nfs) and !lookup('staff_only') + $motd_from_nfs = str2bool($facts['ocf_nfs']) and !lookup('staff_only') $owner = lookup('owner', { 'default_value' => undef, }) $classes_from_hiera = lookup('classes') @@ -9,7 +9,7 @@ target => '/home/s/st/staff/motd/motd', } } else { - $is_virtual = str2bool($::is_virtual) + $is_virtual = str2bool($facts['is_virtual']) file { '/etc/motd': content => template('ocf/motd.erb'), diff --git a/modules/ocf/manifests/netlog.pp b/modules/ocf/manifests/netlog.pp index ba4348229..e000c1cdd 100644 --- a/modules/ocf/manifests/netlog.pp +++ b/modules/ocf/manifests/netlog.pp 
@@ -14,10 +14,10 @@ log_prefix => '[iptables-outbound] ', log_level => 7, log_uid => true; - "101 log outbound request on ${::hostname} (v4)": + "101 log outbound request on ${facts['facts['networking']['hostname']']} (v4)": provider => 'iptables', destination => "! ${ocf_ipv4_mask}"; - "101 log outbound request on ${::hostname} (v6)": + "101 log outbound request on ${facts['facts['networking']['hostname']']} (v6)": provider => 'ip6tables', destination => "! ${ocf_ipv6_mask}"; } diff --git a/modules/ocf/manifests/networking.pp b/modules/ocf/manifests/networking.pp index e1822cc3b..5def04715 100644 --- a/modules/ocf/manifests/networking.pp +++ b/modules/ocf/manifests/networking.pp @@ -4,11 +4,11 @@ $is_vlan = false, $vlan = undef, - $ipaddress = $::ipHostNumber, # lint:ignore:variable_is_lowercase + $ipaddress = $facts['ipHostNumber'], # lint:ignore:variable_is_lowercase $netmask = '255.255.255.0', $gateway = '169.229.226.1', - $ipaddress6 = $::ip6HostNumber, # lint:ignore:variable_is_lowercase + $ipaddress6 = $facts['ip6HostNumber'], # lint:ignore:variable_is_lowercase $netmask6 = '64', $gateway6 = '2607:f140:8801::1', @@ -20,9 +20,9 @@ fail("Can't have more than 3 nameservers") } - $fqdn = $::clientcert - $hostname = regsubst($::clientcert, '^([\w-]+)\..*$', '\1') - $linked_ifaces_array = split($::ifaces_linked, ' ') + $fqdn = $facts['clientcert'] + $hostname = regsubst($facts['clientcert'], '^([\w-]+)\..*$', '\1') + $linked_ifaces_array = split($facts['ifaces_linked'], ' ') $first_active_iface = $linked_ifaces_array[0] # packages @@ -57,7 +57,7 @@ $logical_primary_interface = $first_active_iface } - if $::lsbdistid == 'Raspbian' { + if $facts['facts['os']['distro']['id']'] == 'Raspbian' { # The raspberry pi has wifi, so we use that for networking $logical_primary_interface = 'wlan0' } diff --git a/modules/ocf/manifests/nfs.pp b/modules/ocf/manifests/nfs.pp index c117418ec..ce1efa2b5 100644 --- a/modules/ocf/manifests/nfs.pp +++ b/modules/ocf/manifests/nfs.pp 
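Review bot: `$fqdn = $facts['clientcert']` and the `regsubst` on the following line build the host's name from a value the agent reports about itself. `$trusted['certname']` carries the name taken from the agent's verified certificate and is the safer source for anything identity-related: `$fqdn = $trusted['certname']`. The parameter defaults `$facts['ipHostNumber']` and `$facts['ip6HostNumber']` should also be confirmed to be real facts, since an undef default here would presumably leave the interface configuration without addresses. The class body continues outside these hunks.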
@@ -29,7 +29,7 @@ file { '/var/spool/cron/crontabs': ensure => link, - target => "/services/crontabs/${::hostname}", + target => "/services/crontabs/${facts['facts['networking']['hostname']']}", force => true; } diff --git a/modules/ocf/manifests/nginx_proxy.pp b/modules/ocf/manifests/nginx_proxy.pp index 97de337c4..5fcc1fb1a 100644 --- a/modules/ocf/manifests/nginx_proxy.pp +++ b/modules/ocf/manifests/nginx_proxy.pp @@ -8,8 +8,8 @@ $headers = {}, $ssl = false, - $ssl_cert = "/etc/ssl/private/${::fqdn}.bundle", - $ssl_key = "/etc/ssl/private/${::fqdn}.key", + $ssl_cert = "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.bundle", + $ssl_key = "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", $ssl_dhparam = '/etc/ssl/dhparam.pem', # Accept any other arbitrary options passed in and pass them on to diff --git a/modules/ocf/manifests/node_exporter.pp b/modules/ocf/manifests/node_exporter.pp index accb70494..a3c9b0e0f 100644 --- a/modules/ocf/manifests/node_exporter.pp +++ b/modules/ocf/manifests/node_exporter.pp @@ -7,7 +7,7 @@ content => template('ocf/environment.prom.erb'), } - if $::lsbdistid != 'Raspbian' { + if $facts['facts['os']['distro']['id']'] != 'Raspbian' { # Attributes for this class are defined in hieradata include prometheus::node_exporter } diff --git a/modules/ocf/manifests/packages.pp b/modules/ocf/manifests/packages.pp index ac106e8f8..c13804ad6 100644 --- a/modules/ocf/manifests/packages.pp +++ b/modules/ocf/manifests/packages.pp @@ -25,7 +25,7 @@ # kept short, since apt-dater should be used to update almost all packages. # # TODO: Fix with the Raspberry Pi? - if $::lsbdistid == 'Debian' { + if $facts['facts['os']['distro']['id']'] == 'Debian' { package { # Ensure ocflib is the latest version to quickly push out changes in lab # hours, etc. We control releases on this, so this should be safe. 
@@ -58,7 +58,7 @@ # Many staff want virtualbox for class projects (e.g. for CS161 and 162), so # keep it installed if this is a staff VM. Otherwise, remove it for security # reasons (setuid binaries allow network control). See debian bug#760569 - if $::type != 'staffvm' { + if $facts['type'] != 'staffvm' { package { 'virtualbox': ensure => purged; @@ -135,7 +135,7 @@ # TODO: remove this once we no longer support stretch (and move to above # packages block) - if $::os[distro][codename] != 'stretch' { + if $facts['os[distro][codename]'] != 'stretch' { package { 'kitty-terminfo':; } @@ -156,7 +156,7 @@ # python3 is python3.7 on buster and python3.9 on bullseye # install elts kernel on stretch - if $::lsbdistcodename == 'stretch' { + if $facts['facts['os']['distro']['codename']'] == 'stretch' { package { [ 'python3.7', @@ -167,7 +167,7 @@ } } # Packages to only install on Debian (not on Raspbian for example) - if $::lsbdistid == 'Debian' { + if $facts['facts['os']['distro']['id']'] == 'Debian' { package { [ 'aactivator', diff --git a/modules/ocf/manifests/packages/docker/apt.pp b/modules/ocf/manifests/packages/docker/apt.pp index 51ba2654b..e6ebf33a9 100644 --- a/modules/ocf/manifests/packages/docker/apt.pp +++ b/modules/ocf/manifests/packages/docker/apt.pp @@ -8,7 +8,7 @@ apt::source { 'docker': location => '[arch=amd64] https://download.docker.com/linux/debian', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => 'stable', require => [Apt::Key['docker'], Package['apt-transport-https']], } diff --git a/modules/ocf/manifests/packages/element/apt.pp b/modules/ocf/manifests/packages/element/apt.pp index fb1072b7e..296979cc6 100644 --- a/modules/ocf/manifests/packages/element/apt.pp +++ b/modules/ocf/manifests/packages/element/apt.pp 
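Review bot: `$facts['os[distro][codename]']` in the `kitty-terminfo` condition parses, but it looks up a single fact literally named `os[distro][codename]`, which does not exist, so the comparison with `'stretch'` is always true and the package is requested on stretch as well. The lookup should be `if $facts['os']['distro']['codename'] != 'stretch' {`. packages/mysql_server.pp has the same form in `Integer($facts['os[release][major]'])`, where the undef value would presumably make `Integer()` fail at compile time; that one should read `$facts['os']['release']['major']`.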
@@ -9,7 +9,7 @@ apt::source { 'element': architecture => 'amd64', location => 'https://packages.riot.im/debian', - release => $::lsbdistcodename, + release => $facts['facts['os']['distro']['codename']'], repos => 'main', require => Apt::Key['element'], } diff --git a/modules/ocf/manifests/packages/grub.pp b/modules/ocf/manifests/packages/grub.pp index cbd9a390f..bcab5be4c 100644 --- a/modules/ocf/manifests/packages/grub.pp +++ b/modules/ocf/manifests/packages/grub.pp @@ -10,9 +10,9 @@ # need os-prober anyway to detect other OSes since we don't have other OSes, # and we'd rather not have data corruption in the future: # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788062 - if $::lsbdistid != 'Raspbian' { + if $facts['facts['os']['distro']['id']'] != 'Raspbian' { # grub-pc or grub-efi aren't available on Raspbian. - if str2bool($::is_efi_host) { + if str2bool($facts['is_efi_host']) { ocf::repackage { 'grub-efi': recommends => false, } diff --git a/modules/ocf/manifests/packages/kube/apt_first_stage.pp b/modules/ocf/manifests/packages/kube/apt_first_stage.pp index 04b5379d5..73347a202 100644 --- a/modules/ocf/manifests/packages/kube/apt_first_stage.pp +++ b/modules/ocf/manifests/packages/kube/apt_first_stage.pp @@ -21,7 +21,7 @@ apt::key { 'crio repo key': id => '2472D6D0D2F66AF87ABA8DA34D64390375060AA4', # the key is the same for both - source => "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_${::operatingsystemmajrelease}/Release.key"; + source => "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_${facts['facts['os']['release']['major']']}/Release.key"; } # TODO: Generate this from kubernetes version... 
@@ -30,14 +30,14 @@ # for packages: cri-o cri-o-runc apt::source { 'crio': architecture => 'amd64', - location => "http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/${crio_version}/Debian_${::operatingsystemmajrelease}/", + location => "http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/${crio_version}/Debian_${facts['facts['os']['release']['major']']}/", repos => '/', release => '', require => Apt::Key['crio repo key'], } apt::source { 'libcontainers': architecture => 'amd64', - location => "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_${::operatingsystemmajrelease}/", + location => "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_${facts['facts['os']['release']['major']']}/", repos => '/', release => '', require => Apt::Key['crio repo key'], diff --git a/modules/ocf/manifests/packages/memtest.pp b/modules/ocf/manifests/packages/memtest.pp index 10593ec28..04f7fddf5 100644 --- a/modules/ocf/manifests/packages/memtest.pp +++ b/modules/ocf/manifests/packages/memtest.pp @@ -1,5 +1,5 @@ class ocf::packages::memtest { - if $::lsbdistid != 'Raspbian' { + if $facts['facts['os']['distro']['id']'] != 'Raspbian' { package { 'memtest86+': } } } diff --git a/modules/ocf/manifests/packages/microcode.pp b/modules/ocf/manifests/packages/microcode.pp index c11b736ce..055187571 100644 --- a/modules/ocf/manifests/packages/microcode.pp +++ b/modules/ocf/manifests/packages/microcode.pp 
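Review bot: The `crio` source `location` is still fetched over plain `http://download.opensuse.org/...`, while the repository key and the `libcontainers` source in the same file use `https://`. Since this line is being rewritten anyway, switch it to `https://` so the repository metadata is not exposed to on-path tampering or replay of stale indexes. The interpolation also needs the plain form `${facts['os']['release']['major']}` in all three URLs of this file.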
@@ -1,11 +1,11 @@ class ocf::packages::microcode { - if $::processor0 { - if $::processor0 =~ /\bIntel\b/ { + if $facts['facts['processors']['models'][0]'] { + if $facts['facts['processors']['models'][0]'] =~ /\bIntel\b/ { package { 'intel-microcode':; } - } elsif $::processor0 =~ /\bAMD\b/ { + } elsif $facts['facts['processors']['models'][0]'] =~ /\bAMD\b/ { package { 'amd64-microcode':; } } else { - fail("Don't know how to interpret processor0: ${::processor0}") + fail("Don't know how to interpret processor0: ${facts['facts['processors']['models'][0]']}") } } } diff --git a/modules/ocf/manifests/packages/mysql_server.pp b/modules/ocf/manifests/packages/mysql_server.pp index 260240e38..23d8d5482 100644 --- a/modules/ocf/manifests/packages/mysql_server.pp +++ b/modules/ocf/manifests/packages/mysql_server.pp @@ -10,7 +10,7 @@ } if $manage_service { - if Integer($::os[release][major]) < 11 { + if Integer($facts['os[release][major]']) < 11 { $servicename = 'mysql' } else { $servicename = 'mariadb' diff --git a/modules/ocf/manifests/packages/powershell/apt.pp b/modules/ocf/manifests/packages/powershell/apt.pp index 04bf69e85..0b6998575 100644 --- a/modules/ocf/manifests/packages/powershell/apt.pp +++ b/modules/ocf/manifests/packages/powershell/apt.pp @@ -4,7 +4,7 @@ id => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF', source => 'https://packages.microsoft.com/keys/microsoft.asc'; } - if $::lsbdistcodename == 'stretch' { + if $facts['facts['os']['distro']['codename']'] == 'stretch' { apt::source { 'powershell': architecture => 'amd64', location => 'https://packages.microsoft.com/repos/microsoft-debian-stretch-prod', 
@@ -15,8 +15,8 @@ } else { apt::source { 'powershell': architecture => 'amd64', - location => "https://packages.microsoft.com/debian/${::operatingsystemmajrelease}/prod", - release => $::lsbdistcodename, + location => "https://packages.microsoft.com/debian/${facts['facts['os']['release']['major']']}/prod", + release => $facts['facts['os']['distro']['codename']'], repos => 'main', require => Apt::Key['powershell repo key'], } diff --git a/modules/ocf/manifests/packages/restic.pp b/modules/ocf/manifests/packages/restic.pp index c69b49bc0..d2b728f3c 100644 --- a/modules/ocf/manifests/packages/restic.pp +++ b/modules/ocf/manifests/packages/restic.pp @@ -1,6 +1,6 @@ class ocf::packages::restic { - if $::lsbdistcodename == 'buster' { + if $facts['facts['os']['distro']['codename']'] == 'buster' { package { 'restic': ensure => 'purged', } diff --git a/modules/ocf/manifests/privatefile.pp b/modules/ocf/manifests/privatefile.pp index cf74d8d38..3a2e75f05 100644 --- a/modules/ocf/manifests/privatefile.pp +++ b/modules/ocf/manifests/privatefile.pp @@ -42,7 +42,7 @@ ensure => $ensure, } - if $::dummy_secrets { + if $facts['dummy_secrets'] { # Provide a dummy file as a fallback with some pre-defined contents since # the private share where the source/content would have come from is not # available diff --git a/modules/ocf/manifests/puppet.pp b/modules/ocf/manifests/puppet.pp index 9b1f83b41..960e6ede5 100644 --- a/modules/ocf/manifests/puppet.pp +++ b/modules/ocf/manifests/puppet.pp @@ -11,7 +11,7 @@ # defined separately in the ocf_puppet module, causing the # puppet agent on the puppetmaster to restart twice. Make sure # the changes made here are also made in that module. - "set agent/environment ${::environment}", + "set agent/environment ${facts['environment']}", 'set agent/usecacheonfailure false', ], require => Package[$puppet_pkg], 
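Review bot: `${facts['environment']}` in the puppet.pp augeas changes is likely to be empty: `environment` is set by the server as a top-scope variable and, as far as I can tell, is not part of the `$facts` hash. The change would then write `set agent/environment ` with no value into puppet.conf, and the second `augeas` block in the next hunk has the same line. Keeping `"set agent/environment ${::environment}",` (or `$server_facts['environment']` where that hash is enabled) avoids this.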
@@ -25,7 +25,7 @@ augeas { '/etc/puppet/puppet.conf': context => '/files/etc/puppet/puppet.conf', changes => [ - "set agent/environment ${::environment}", + "set agent/environment ${facts['environment']}", 'set agent/usecacheonfailure false', ], require => Package[$puppet_pkg, 'augeas-tools'], diff --git a/modules/ocf/manifests/repackage.pp b/modules/ocf/manifests/repackage.pp index e4887537b..34f4b2121 100644 --- a/modules/ocf/manifests/repackage.pp +++ b/modules/ocf/manifests/repackage.pp @@ -2,14 +2,14 @@ $package = $title, $recommends = true, $backport_on = [], - $dist = "${::lsbdistcodename}-backports", + $dist = "${facts['facts['os']['distro']['codename']']}-backports", ) { $install_options = $recommends ? { false => ['--no-install-recommends'], default => [] } - if member(any2array($backport_on), $::lsbdistcodename) { + if member(any2array($backport_on), $facts['facts['os']['distro']['codename']']) { # We can't pin packages, because it won't install required dependencies that # way, so we instead upgrade the package once (as long as it isn't a # backport version already), and then future upgrades are done the normal diff --git a/modules/ocf/manifests/serial_getty.pp b/modules/ocf/manifests/serial_getty.pp index d271fd0d0..416076b09 100644 --- a/modules/ocf/manifests/serial_getty.pp +++ b/modules/ocf/manifests/serial_getty.pp @@ -1,5 +1,5 @@ class ocf::serial_getty { - if str2bool($::is_virtual) or tagged('ocf_kvm') { + if str2bool($facts['is_virtual']) or tagged('ocf_kvm') { service { 'serial-getty@ttyS0': enable => true, provider => systemd, diff --git a/modules/ocf/manifests/smart.pp b/modules/ocf/manifests/smart.pp index 4f5e62d56..04193181e 100644 --- a/modules/ocf/manifests/smart.pp +++ b/modules/ocf/manifests/smart.pp @@ -1,5 +1,5 @@ class ocf::smart { - if !str2bool($::is_virtual) { + if !str2bool($facts['is_virtual']) { file { '/usr/local/sbin/smartmon.sh': source => 'puppet:///modules/ocf/smartmon.sh', 
diff --git a/modules/ocf/manifests/ssl/default.pp b/modules/ocf/manifests/ssl/default.pp index 5c8dad625..fa900e493 100644 --- a/modules/ocf/manifests/ssl/default.pp +++ b/modules/ocf/manifests/ssl/default.pp @@ -8,13 +8,13 @@ # Attempt to collect all domains for a host to include in a SSL certificate. # The '@' record needs to be handled in a special case, since # "@.ocf.berkeley.edu" and "@.ocf.io" are both not valid domains - if '@' in $::dnsA { + if '@' in $facts['dnsA'] { $extra_domains = ['ocf.berkeley.edu', 'ocf.io'] } else { $extra_domains = [] } - ocf::ssl::bundle { $::fqdn: + ocf::ssl::bundle { $facts['facts['networking']['fqdn']']: domains => ocf::get_host_fqdns() + ocf::get_host_fqdns('ocf.io') + $extra_domains, owner => $owner, group => $group, diff --git a/modules/ocf/manifests/ssl/lets_encrypt/dns.pp b/modules/ocf/manifests/ssl/lets_encrypt/dns.pp index 2853fe6ca..d9744fb63 100644 --- a/modules/ocf/manifests/ssl/lets_encrypt/dns.pp +++ b/modules/ocf/manifests/ssl/lets_encrypt/dns.pp @@ -1,5 +1,5 @@ define ocf::ssl::lets_encrypt::dns( - Array[String] $domains = [$::fqdn], + Array[String] $domains = [$facts['facts['networking']['fqdn']']], String $owner = 'ocfletsencrypt', String $group = 'ssl-cert', ) { @@ -10,7 +10,7 @@ content => "${join($domains, ' ')} > ${title}", } - $parsed_cert_info = parsejson($::le_cert_info) + $parsed_cert_info = parsejson($facts['le_cert_info']) $have_cert_info = $title in $parsed_cert_info if $have_cert_info { diff --git a/modules/ocf_apphost/manifests/init.pp b/modules/ocf_apphost/manifests/init.pp index 03eee5993..95ea69b9b 100644 --- a/modules/ocf_apphost/manifests/init.pp +++ b/modules/ocf_apphost/manifests/init.pp @@ -17,8 +17,8 @@ recurse => true, purge => true; } - if $::ocf_apphost { - $devs = split($::ocf_apphost, ',') + if $facts['ocf_apphost'] { + $devs = split($facts['ocf_apphost'], ',') } else { # ocf_apphost is empty on the first run which causes a runtime error above $devs = [] 
diff --git a/modules/ocf_apphost/manifests/lets_encrypt.pp b/modules/ocf_apphost/manifests/lets_encrypt.pp index cd8198e1e..9b2f40404 100644 --- a/modules/ocf_apphost/manifests/lets_encrypt.pp +++ b/modules/ocf_apphost/manifests/lets_encrypt.pp @@ -14,7 +14,7 @@ mode => '0400', } - if $::host_env == 'prod' { + if $facts['host_env'] == 'prod' { cron { 'lets-encrypt-update': command => 'chronic /usr/local/bin/lets-encrypt-update -v app', user => ocfletsencrypt, diff --git a/modules/ocf_apphost/manifests/proxy.pp b/modules/ocf_apphost/manifests/proxy.pp index d600cc658..67874a484 100644 --- a/modules/ocf_apphost/manifests/proxy.pp +++ b/modules/ocf_apphost/manifests/proxy.pp @@ -32,7 +32,7 @@ mode => '0755'; } - $build_args = $::host_env ? { + $build_args = $facts['host_env'] ? { 'dev' => '--dev', 'prod' => '', } diff --git a/modules/ocf_apt/manifests/init.pp b/modules/ocf_apt/manifests/init.pp index a47ab833f..15b3fd89f 100644 --- a/modules/ocf_apt/manifests/init.pp +++ b/modules/ocf_apt/manifests/init.pp @@ -77,8 +77,8 @@ www_root => '/opt/apt/ftp', ssl => true, http2 => on, - ssl_cert => "/etc/ssl/private/${::fqdn}.bundle", - ssl_key => "/etc/ssl/private/${::fqdn}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.bundle", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", ipv6_enable => true, ipv6_listen_port => 80, format_log => 'main', diff --git a/modules/ocf_decal/manifests/website.pp b/modules/ocf_decal/manifests/website.pp index 2d113ff61..2adb6739d 100644 --- a/modules/ocf_decal/manifests/website.pp +++ b/modules/ocf_decal/manifests/website.pp 
@@ -43,9 +43,9 @@ redirect_dest => 'https://decal.ocf.berkeley.edu/', ssl => true, - ssl_key => "/etc/ssl/private/${::fqdn}.key", - ssl_cert => "/etc/ssl/private/${::fqdn}.crt", - ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.crt", + ssl_chain => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.intermediate", } apache::vhost { 'decal-ssl': @@ -58,8 +58,8 @@ override => ['All'], ssl => true, - ssl_key => "/etc/ssl/private/${::fqdn}.key", - ssl_cert => "/etc/ssl/private/${::fqdn}.crt", - ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.crt", + ssl_chain => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.intermediate", } } diff --git a/modules/ocf_desktop/manifests/drivers.pp b/modules/ocf_desktop/manifests/drivers.pp index 9470fa911..3487b6fff 100644 --- a/modules/ocf_desktop/manifests/drivers.pp +++ b/modules/ocf_desktop/manifests/drivers.pp @@ -2,13 +2,13 @@ include ocf::apt::i386 # install proprietary nvidia drivers - if $::gfx_brand == 'nvidia' { + if $facts['gfx_brand'] == 'nvidia' { # Install nvidia-driver from backports so that it loads properly # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903770 ocf::repackage { ['nvidia-smi', 'nvidia-driver', 'nvidia-cuda-toolkit']: backport_on => 'stretch'; } - if $::os['distro']['codename'] in ['buster', 'stretch'] { + if $facts['os['distro']['codename']'] in ['buster', 'stretch'] { ocf::repackage { ['libgl1-nvidia-glx:i386']: backport_on => 'stretch'; } diff --git a/modules/ocf_desktop/manifests/xsession.pp b/modules/ocf_desktop/manifests/xsession.pp index a3603cc5f..e2b3f2dce 100644 --- a/modules/ocf_desktop/manifests/xsession.pp +++ b/modules/ocf_desktop/manifests/xsession.pp 
@@ -152,7 +152,7 @@ } # use ocf logo on login screen - if $::lsbdistcodename == 'bullseye' { + if $facts['facts['os']['distro']['codename']'] == 'bullseye' { file { ['/usr/share/icons/Adwaita', '/usr/share/icons/Adwaita/512x512', '/usr/share/icons/Adwaita/512x512/status']: ensure => directory; diff --git a/modules/ocf_docker/manifests/init.pp b/modules/ocf_docker/manifests/init.pp index a540fc0b4..c57470b90 100644 --- a/modules/ocf_docker/manifests/init.pp +++ b/modules/ocf_docker/manifests/init.pp @@ -38,8 +38,8 @@ listen_port => 443, ssl => true, - ssl_cert => "/etc/ssl/private/${::fqdn}.bundle", - ssl_key => "/etc/ssl/private/${::fqdn}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.bundle", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", ssl_dhparam => '/etc/ssl/dhparam.pem', add_header => { @@ -61,7 +61,7 @@ }; 'docker-ro': - server_name => ['docker.ocf.berkeley.edu', 'docker', $::hostname, $::fqdn], + server_name => ['docker.ocf.berkeley.edu', 'docker', $facts['facts['networking']['hostname']'], $facts['facts['networking']['fqdn']']], location_cfg_append => { # The `auth_required` is not needed, it's a hack so that the Puppet diff --git a/modules/ocf_hpc/manifests/init.pp b/modules/ocf_hpc/manifests/init.pp index e74619777..75c6a750b 100644 --- a/modules/ocf_hpc/manifests/init.pp +++ b/modules/ocf_hpc/manifests/init.pp @@ -4,7 +4,7 @@ package { 'slurm-wlm': } - if str2bool($::puppetdb_running) { + if str2bool($facts['puppetdb_running']) { $slurm_nodes_facts_query = puppetdb_query('inventory[facts] { resources { type = "Class" and title = "Ocf_hpc::Compute" } }') # To avoid a circular dependency, fallback to empty values if no nodes match the query. $slurm_nodes_facts = $slurm_nodes_facts_query == undef ? { diff --git a/modules/ocf_irc/manifests/biboumi.pp b/modules/ocf_irc/manifests/biboumi.pp index e0c6df94e..86d40287c 100644 --- a/modules/ocf_irc/manifests/biboumi.pp 
+++ b/modules/ocf_irc/manifests/biboumi.pp @@ -9,22 +9,22 @@ require => Package['biboumi'], } - $irc_server = $::host_env ? { + $irc_server = $facts['host_env'] ? { 'dev' => 'dev-irc.ocf.berkeley.edu', 'prod' => 'irc.ocf.berkeley.edu', } - $psql_user = $::host_env ? { + $psql_user = $facts['host_env'] ? { 'dev' => 'ocfdevbiboumi', 'prod' => 'ocfbiboumi', } - $psql_password = $::host_env ? { + $psql_password = $facts['host_env'] ? { 'dev' => lookup('xmpp::dev_biboumi_psql_password'), 'prod' => lookup('xmpp::biboumi_psql_password'), } - $component_password = $::host_env ? { + $component_password = $facts['host_env'] ? { 'dev' => lookup('xmpp::dev_biboumi_component_password'), 'prod' => lookup('xmpp::biboumi_component_password'), } diff --git a/modules/ocf_irc/manifests/init.pp b/modules/ocf_irc/manifests/init.pp index 5a42cb169..4121fa4ce 100644 --- a/modules/ocf_irc/manifests/init.pp +++ b/modules/ocf_irc/manifests/init.pp @@ -8,12 +8,12 @@ # The prod server also needs a cert for ocf.berkeley.edu, since we use XMPP # domain delegation. See https://prosody.im/doc/certificates#which_domain - if $::host_env == 'prod' { - ocf::ssl::bundle { $::fqdn: + if $facts['host_env'] == 'prod' { + ocf::ssl::bundle { $facts['facts['networking']['fqdn']']: domains => ocf::get_host_fqdns() + ocf::get_host_fqdns('ocf.io') + ['ocf.berkeley.edu'], } } else { - ocf::ssl::bundle { $::fqdn: + ocf::ssl::bundle { $facts['facts['networking']['fqdn']']: domains => ocf::get_host_fqdns() + ocf::get_host_fqdns('ocf.io'), } } diff --git a/modules/ocf_irc/manifests/ircd.pp b/modules/ocf_irc/manifests/ircd.pp index 7dc5d836f..6199e6e6f 100644 --- a/modules/ocf_irc/manifests/ircd.pp +++ b/modules/ocf_irc/manifests/ircd.pp 
@@ -7,7 +7,7 @@ restart => 'service inspircd reload', enable => true, require => Ocf::Repackage['inspircd'], - subscribe => Ocf::Ssl::Bundle[$::fqdn], + subscribe => Ocf::Ssl::Bundle[$facts['facts['networking']['fqdn']']], } -> cron { 'reload-irc-cert': command => 'chronic systemctl kill inspircd.service --signal=SIGUSR1', @@ -19,7 +19,7 @@ $irc_creds = lookup('irc_creds') - if $::lsbdistcodename == 'buster' { + if $facts['facts['os']['distro']['codename']'] == 'buster' { # Disable the AppArmor profile for inspircd, since it prevents us from # accessing the necessary TLS certs file { '/etc/apparmor.d/disable/usr.sbin.inspircd': diff --git a/modules/ocf_irc/manifests/webirc.pp b/modules/ocf_irc/manifests/webirc.pp index 2f3a16d1f..c5034bacd 100644 --- a/modules/ocf_irc/manifests/webirc.pp +++ b/modules/ocf_irc/manifests/webirc.pp @@ -1,6 +1,6 @@ class ocf_irc::webirc { - $webirc_fqdn = $::host_env ? { + $webirc_fqdn = $facts['host_env'] ? { 'dev' => 'dev-irc.ocf.berkeley.edu', 'prod' => 'irc.ocf.berkeley.edu', } @@ -13,12 +13,12 @@ } # Restart nginx if any cert changes occur - Ocf::Ssl::Bundle[$::fqdn] ~> Class['Nginx::Service'] + Ocf::Ssl::Bundle[$facts['facts['networking']['fqdn']']] ~> Class['Nginx::Service'] ocf::nginx_proxy { $webirc_fqdn: server_aliases => [ - $::hostname, - $::fqdn, + $facts['facts['networking']['hostname']'], + $facts['facts['networking']['fqdn']'], ], proxy => 'http://lb.ocf.berkeley.edu:4080', ssl => true, diff --git a/modules/ocf_irc/manifests/xmpp.pp b/modules/ocf_irc/manifests/xmpp.pp index 51b63ff0f..c645a052b 100644 --- a/modules/ocf_irc/manifests/xmpp.pp +++ b/modules/ocf_irc/manifests/xmpp.pp @@ -19,7 +19,7 @@ service { 'prosody': enable => true, require => Package['prosody'], - subscribe => Ocf::Ssl::Bundle[$::fqdn], + subscribe => Ocf::Ssl::Bundle[$facts['facts['networking']['fqdn']']], } # Make the prosody user able to read the certs 
@@ -38,7 +38,7 @@ } } - $vhost_name = $::host_env ? { + $vhost_name = $facts['host_env'] ? { 'dev' => 'dev-xmpp.ocf.berkeley.edu', # We use an SRV record in our DNS configuration so this host actually points # to the XMPP server. @@ -46,21 +46,21 @@ } # The subdomain used for Multi-User Chats (MUCs) - $muc_name = $::host_env ? { + $muc_name = $facts['host_env'] ? { # This doesn't resolve in DNS, but it doesn't matter since this won't be # exposed publicly. See https://prosody.im/doc/chatrooms#dns 'dev' => 'dev-xmpp-muc.ocf.berkeley.edu', 'prod' => 'xmpp.ocf.berkeley.edu', } - $irc_server = $::host_env ? { + $irc_server = $facts['host_env'] ? { 'dev' => 'dev-irc.ocf.berkeley.edu', 'prod' => 'irc.ocf.berkeley.edu', } $mysql_password = lookup('xmpp::prosody_mysql_password') - $component_password = $::host_env ? { + $component_password = $facts['host_env'] ? { 'dev' => lookup('xmpp::dev_biboumi_component_password'), 'prod' => lookup('xmpp::biboumi_component_password'), } diff --git a/modules/ocf_irc/manifests/znc.pp b/modules/ocf_irc/manifests/znc.pp index 1f2c6c25e..f163907ae 100644 --- a/modules/ocf_irc/manifests/znc.pp +++ b/modules/ocf_irc/manifests/znc.pp @@ -23,7 +23,7 @@ ensure => link, group => ocfznc, owner => ocfznc, - target => "/etc/ssl/private/${::fqdn}.pem"; + target => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.pem"; } ocf::systemd::service { 'znc': @@ -33,6 +33,6 @@ File['/var/lib/znc'], File['/var/lib/znc/znc.pem'], ], - subscribe => Ocf::Ssl::Bundle[$::fqdn], + subscribe => Ocf::Ssl::Bundle[$facts['facts['networking']['fqdn']']], } } diff --git a/modules/ocf_jenkins/manifests/proxy.pp b/modules/ocf_jenkins/manifests/proxy.pp index e415a9c30..f4877f9e4 100644 --- a/modules/ocf_jenkins/manifests/proxy.pp +++ b/modules/ocf_jenkins/manifests/proxy.pp 
@@ -11,8 +11,8 @@ ocf::nginx_proxy { 'jenkins.ocf.berkeley.edu': server_aliases => [ - $::hostname, - $::fqdn, + $facts['facts['networking']['hostname']'], + $facts['facts['networking']['fqdn']'], ], ssl => true, proxy => 'http://localhost:8080', diff --git a/modules/ocf_kube/manifests/controller.pp b/modules/ocf_kube/manifests/controller.pp index 517439932..68b79dbd9 100644 --- a/modules/ocf_kube/manifests/controller.pp +++ b/modules/ocf_kube/manifests/controller.pp @@ -23,15 +23,15 @@ # configure the four containers. class ocf_kube::controller { - $is_prod = $::hostname in lookup('kube::controller_nodes') - $is_dev = $::hostname in lookup('kube_dev::controller_nodes') + $is_prod = $facts['facts['networking']['hostname']'] in lookup('kube::controller_nodes') + $is_dev = $facts['facts['networking']['hostname']'] in lookup('kube_dev::controller_nodes') if $is_prod and $is_dev { - fail("${::hostname} is in both the production and the development kubernetes cluster") + fail("${facts['facts['networking']['hostname']']} is in both the production and the development kubernetes cluster") } if !$is_prod and !$is_dev { - fail("${::hostname} is not in any kubernetes cluster") + fail("${facts['facts['networking']['hostname']']} is not in any kubernetes cluster") } # Namespace for hiera variables @@ -49,7 +49,7 @@ # initial cluster members $initial_cluster_hosts = lookup("${kube_prefix}::controller_nodes").reduce([]) |$acc, $node| { - (($acc != []) and $acc[-1] == $::hostname) ? { + (($acc != []) and $acc[-1] == $facts['facts['networking']['hostname']']) ? { # If we are on the list, stop adding nodes true => $acc, # Otherwise, add the next node, and recurse 
@@ -179,10 +179,10 @@ # kubelet server key '/etc/kubernetes/pki/kubelet-server.crt': mode => '0600', - content_path => "${certs_dir}/${::hostname}-kubelet-server.crt"; + content_path => "${certs_dir}/${facts['facts['networking']['hostname']']}-kubelet-server.crt"; '/etc/kubernetes/pki/kubelet-server.key': mode => '0600', - content_path => "${certs_dir}/${::hostname}-kubelet-server.key"; + content_path => "${certs_dir}/${facts['facts['networking']['hostname']']}-kubelet-server.key"; # kubelet -> apiserver client key '/etc/kubernetes/pki/apiserver-kubelet-client.crt': @@ -242,18 +242,18 @@ # apiserver/etcd -> etcd client key '/etc/kubernetes/pki/etcd/client.crt': mode => '0600', - content_path => "${certs_dir}/${::hostname}-etcd-client.crt"; + content_path => "${certs_dir}/${facts['facts['networking']['hostname']']}-etcd-client.crt"; '/etc/kubernetes/pki/etcd/client.key': mode => '0600', - content_path => "${certs_dir}/${::hostname}-etcd-client.key"; + content_path => "${certs_dir}/${facts['facts['networking']['hostname']']}-etcd-client.key"; # etcd server key '/etc/kubernetes/pki/etcd/server.crt': mode => '0600', - content_path => "${certs_dir}/${::hostname}-etcd-server.crt"; + content_path => "${certs_dir}/${facts['facts['networking']['hostname']']}-etcd-server.crt"; '/etc/kubernetes/pki/etcd/server.key': mode => '0600', - content_path => "${certs_dir}/${::hostname}-etcd-server.key"; + content_path => "${certs_dir}/${facts['facts['networking']['hostname']']}-etcd-server.key"; # front-proxy ca '/etc/kubernetes/pki/front-proxy-ca.crt': diff --git a/modules/ocf_ldap/manifests/init.pp b/modules/ocf_ldap/manifests/init.pp index eacf5c0ec..c50bb0fb5 100644 --- a/modules/ocf_ldap/manifests/init.pp +++ b/modules/ocf_ldap/manifests/init.pp 
@@ -4,7 +4,7 @@ # Install libarchive-zip-perl for crc32 command for calculating hashes of # ldif files in /etc/ldap/slapd.d, slapd is the ldap server package { ['slapd', 'ocf-ldap-overlay', 'libarchive-zip-perl']:; } - if $::host_env == 'dev' { + if $facts['host_env'] == 'dev' { package { [ # ocf-ldap-overlay build dependencies @@ -109,7 +109,7 @@ } # Pushing to GitHub is disabled for dev-* hosts to prevent duplicate backups - if $::host_env == 'prod' { + if $facts['host_env'] == 'prod' { # GitHub deploy hook and key file { '/var/backups/ldap/.git/hooks/post-commit': diff --git a/modules/ocf_mirrors/manifests/init.pp b/modules/ocf_mirrors/manifests/init.pp index a77df90d1..bc043c4fb 100644 --- a/modules/ocf_mirrors/manifests/init.pp +++ b/modules/ocf_mirrors/manifests/init.pp @@ -134,8 +134,8 @@ listen_options => 'default_server', ssl => true, http2 => on, - ssl_cert => "/etc/ssl/private/${::fqdn}.bundle", - ssl_key => "/etc/ssl/private/${::fqdn}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.bundle", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", ipv6_enable => true, ipv6_listen_port => 80, ipv6_listen_options => 'default_server', diff --git a/modules/ocf_postgres/manifests/init.pp b/modules/ocf_postgres/manifests/init.pp index e7a7ecbfd..8bb7787a6 100644 --- a/modules/ocf_postgres/manifests/init.pp +++ b/modules/ocf_postgres/manifests/init.pp @@ -17,9 +17,9 @@ 'ssl': value => 'on'; 'ssl_cert_file': - value => "/etc/ssl/private/${::fqdn}.bundle"; + value => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.bundle"; 'ssl_key_file': - value => "/etc/ssl/private/${::fqdn}.key"; + value => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key"; } ocf::firewall::firewall46 { diff --git a/modules/ocf_prometheus/manifests/alertmanager.pp b/modules/ocf_prometheus/manifests/alertmanager.pp index d3bcb577b..ffecc8b02 100644 --- a/modules/ocf_prometheus/manifests/alertmanager.pp 
+++ b/modules/ocf_prometheus/manifests/alertmanager.pp @@ -16,7 +16,7 @@ class { 'prometheus::alertmanager': version => '0.23.0', - extra_options => "--cluster.advertise-address=${::ipaddress}:9094 --web.external-url=\"https://prometheus.ocf.berkeley.edu/alertmanager\"", + extra_options => "--cluster.advertise-address=${facts['facts['networking']['ip']']}:9094 --web.external-url=\"https://prometheus.ocf.berkeley.edu/alertmanager\"", global => { 'smtp_smarthost' => 'smtp.ocf.berkeley.edu:25', diff --git a/modules/ocf_prometheus/manifests/proxy.pp b/modules/ocf_prometheus/manifests/proxy.pp index be56c651e..1df75fa0b 100644 --- a/modules/ocf_prometheus/manifests/proxy.pp +++ b/modules/ocf_prometheus/manifests/proxy.pp @@ -3,7 +3,7 @@ include apache::mod::proxy include apache::mod::proxy_http - $cname = $::host_env ? { + $cname = $facts['host_env'] ? { 'dev' => 'dev-prometheus', 'prod' => 'prometheus', } @@ -33,9 +33,9 @@ port => 443, docroot => '/var/www/html', ssl => true, - ssl_key => "/etc/ssl/private/${::fqdn}.key", - ssl_cert => "/etc/ssl/private/${::fqdn}.crt", - ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.crt", + ssl_chain => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.intermediate", headers => ['always set Strict-Transport-Security max-age=31536000'], proxy_preserve_host => true, diff --git a/modules/ocf_puppet/manifests/environments.pp b/modules/ocf_puppet/manifests/environments.pp index b796f7117..b031e4633 100644 --- a/modules/ocf_puppet/manifests/environments.pp +++ b/modules/ocf_puppet/manifests/environments.pp 
@@ -8,10 +8,10 @@ # don't use any more, but used to use. # # Instead, we just call `git clone`. - if $::ocf_staff { - $staff = split($::ocf_staff, ',') + if $facts['ocf_staff'] { + $staff = split($facts['ocf_staff'], ',') $staff.each |$user| { - $repo_path = "${::puppet_environmentpath}/${user}" + $repo_path = "${facts['puppet_environmentpath']}/${user}" # We do the git checkout as the user, so we must ensure the directory exists # (and is owned by the user) first, since users can't make directories under diff --git a/modules/ocf_puppet/manifests/puppetboard.pp b/modules/ocf_puppet/manifests/puppetboard.pp index 56ec1de5f..dfa36c614 100644 --- a/modules/ocf_puppet/manifests/puppetboard.pp +++ b/modules/ocf_puppet/manifests/puppetboard.pp @@ -1,7 +1,7 @@ class ocf_puppet::puppetboard { include ocf::firewall::allow_web - $puppet_fqdn = $::host_env ? { + $puppet_fqdn = $facts['host_env'] ? { 'dev' => 'dev-puppet.ocf.berkeley.edu', 'prod' => 'puppet.ocf.berkeley.edu', } @@ -21,8 +21,8 @@ 'pb.ocf.berkeley.edu', 'pb', 'puppet', - $::hostname, - $::fqdn, + $facts['facts['networking']['hostname']'], + $facts['facts['networking']['fqdn']'], ], proxy => 'http://lb.ocf.berkeley.edu:4080', ssl => true, diff --git a/modules/ocf_puppet/manifests/puppetserver.pp b/modules/ocf_puppet/manifests/puppetserver.pp index a21fd375b..bd8de036d 100644 --- a/modules/ocf_puppet/manifests/puppetserver.pp +++ b/modules/ocf_puppet/manifests/puppetserver.pp @@ -52,7 +52,7 @@ match_request_path => '/puppet-ca/v1/(?:certificate|certificate_status)', match_request_type => 'regex', match_request_method => ['get', 'post', 'put', 'delete'], - allow => $::fqdn, + allow => $facts['facts['networking']['fqdn']'], sort_order => 998, path => '/etc/puppetlabs/puppetserver/conf.d/auth.conf', require => Package['puppetserver'], diff --git a/modules/ocf_ssh/manifests/webssh.pp b/modules/ocf_ssh/manifests/webssh.pp index 9be2f0a91..df76527b3 100644 --- a/modules/ocf_ssh/manifests/webssh.pp 
+++ b/modules/ocf_ssh/manifests/webssh.pp @@ -20,7 +20,7 @@ weekday => 'Wednesday', } - case $::hostname { + case $facts['facts['networking']['hostname']'] { tsunami: { $webssh_fqdn = 'ssh.ocf.berkeley.edu' } default: { $webssh_fqdn = 'dev-ssh.ocf.berkeley.edu' } } @@ -52,8 +52,8 @@ proxy => 'http://webssh', ssl => true, - ssl_cert => "/etc/ssl/private/${::fqdn}.bundle", - ssl_key => "/etc/ssl/private/${::fqdn}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.bundle", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", add_header => { 'Strict-Transport-Security' => 'max-age=31536000', diff --git a/modules/ocf_www/manifests/lets_encrypt.pp b/modules/ocf_www/manifests/lets_encrypt.pp index c12cb8fa1..36dad48d7 100644 --- a/modules/ocf_www/manifests/lets_encrypt.pp +++ b/modules/ocf_www/manifests/lets_encrypt.pp @@ -14,7 +14,7 @@ mode => '0400', } - if $::host_env == 'prod' { + if $facts['host_env'] == 'prod' { cron { 'lets-encrypt-update': command => 'chronic /usr/local/bin/lets-encrypt-update -v web', user => ocfletsencrypt, diff --git a/modules/ocf_www/manifests/mod/php.pp b/modules/ocf_www/manifests/mod/php.pp index b8609d382..22ff61139 100644 --- a/modules/ocf_www/manifests/mod/php.pp +++ b/modules/ocf_www/manifests/mod/php.pp @@ -1,7 +1,7 @@ class ocf_www::mod::php { package { ['php-cgi', 'php-apcu']:; } - $php_version = $::lsbdistcodename ? { + $php_version = $facts['facts['os']['distro']['codename']'] ? { 'stretch' => '7.0', 'buster' => '7.3', 'bullseye' => '7.4', diff --git a/modules/ocf_www/manifests/site/ocfweb_redirects.pp b/modules/ocf_www/manifests/site/ocfweb_redirects.pp index 502c634cc..5c21a2bfb 100644 --- a/modules/ocf_www/manifests/site/ocfweb_redirects.pp +++ b/modules/ocf_www/manifests/site/ocfweb_redirects.pp 
@@ -2,7 +2,7 @@ # redirect those sites to the appropriate pages on ocfweb. class ocf_www::site::ocfweb_redirects { # accounts - $accounts_canonical_url = $::host_env ? { + $accounts_canonical_url = $facts['host_env'] ? { 'dev' => 'https://dev-accounts.ocf.berkeley.edu/', 'prod' => 'https://accounts.ocf.berkeley.edu/', } @@ -14,9 +14,9 @@ docroot => '/var/www/html', ssl => true, - ssl_key => "/etc/ssl/private/${::fqdn}.key", - ssl_cert => "/etc/ssl/private/${::fqdn}.crt", - ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.crt", + ssl_chain => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.intermediate", rewrites => [ {rewrite_rule => '^/(change-password(/.*)?)?$ https://www.ocf.berkeley.edu/account/password [R=301,L]'}, @@ -43,7 +43,7 @@ } # wiki - $wiki_canonical_url = $::host_env ? { + $wiki_canonical_url = $facts['host_env'] ? { 'dev' => 'https://dev-wiki.ocf.berkeley.edu/', 'prod' => 'https://wiki.ocf.berkeley.edu/', } @@ -55,9 +55,9 @@ docroot => '/var/www/html', ssl => true, - ssl_key => "/etc/ssl/private/${::fqdn}.key", - ssl_cert => "/etc/ssl/private/${::fqdn}.crt", - ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.crt", + ssl_chain => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.intermediate", rewrites => [ {rewrite_rule => '^/(.*)$ https://www.ocf.berkeley.edu/docs/$1 [R=301]'}, @@ -80,7 +80,7 @@ } # hello - $hello_canonical_url = $::host_env ? { + $hello_canonical_url = $facts['host_env'] ? { 'dev' => 'https://dev-hello.ocf.berkeley.edu/', 'prod' => 'https://hello.ocf.berkeley.edu/', } 
@@ -96,9 +96,9 @@ docroot => '/var/www/html', ssl => true, - ssl_key => "/etc/ssl/private/${::fqdn}.key", - ssl_cert => "/etc/ssl/private/${::fqdn}.crt", - ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.crt", + ssl_chain => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.intermediate", rewrites => [ {rewrite_rule => '^/lab.html$ https://www.ocf.berkeley.edu/about/lab/open-source [R=301,L]'}, diff --git a/modules/ocf_www/manifests/site/shorturl.pp b/modules/ocf_www/manifests/site/shorturl.pp index 7401f763f..2af1dc474 100644 --- a/modules/ocf_www/manifests/site/shorturl.pp +++ b/modules/ocf_www/manifests/site/shorturl.pp @@ -1,5 +1,5 @@ class ocf_www::site::shorturl { - $canonical_url = $::host_env ? { + $canonical_url = $facts['host_env'] ? { 'dev' => 'https://dev-ocf-io.ocf.berkeley.edu/', 'prod' => 'https://ocf.io/', } @@ -11,9 +11,9 @@ docroot => '/var/www/html', ssl => true, - ssl_key => "/etc/ssl/private/${::fqdn}.key", - ssl_cert => "/etc/ssl/private/${::fqdn}.crt", - ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.crt", + ssl_chain => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.intermediate", rewrites => [ # Short URLs diff --git a/modules/ocf_www/manifests/site/unavailable.pp b/modules/ocf_www/manifests/site/unavailable.pp index 11eda0140..1ee39dd23 100644 --- a/modules/ocf_www/manifests/site/unavailable.pp +++ b/modules/ocf_www/manifests/site/unavailable.pp 
@@ -49,8 +49,8 @@ port => 443, ssl => true, - ssl_key => "/etc/ssl/private/${::fqdn}.key", - ssl_cert => "/etc/ssl/private/${::fqdn}.crt", - ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.crt", + ssl_chain => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.intermediate", } } diff --git a/modules/ocf_www/manifests/site/www.pp b/modules/ocf_www/manifests/site/www.pp index 31fecb89c..72dd14b66 100644 --- a/modules/ocf_www/manifests/site/www.pp +++ b/modules/ocf_www/manifests/site/www.pp @@ -43,9 +43,9 @@ docroot => '/services/http/users', ssl => true, - ssl_key => "/etc/ssl/private/${::fqdn}.key", - ssl_cert => "/etc/ssl/private/${::fqdn}.crt", - ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate", + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.crt", + ssl_chain => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.intermediate", headers => ['always set Strict-Transport-Security max-age=31536000'], request_headers => ['set X-Forwarded-Proto https'], @@ -132,7 +132,7 @@ } # canonical redirects - $canonical_url = $::host_env ? { + $canonical_url = $facts['host_env'] ? { 'dev' => 'https://dev-www.ocf.berkeley.edu$1', 'prod' => 'https://www.ocf.berkeley.edu$1', } @@ -156,8 +156,8 @@ 'death.berkeley.edu', 'linux.berkeley.edu', - $::hostname, - $::fqdn, + $facts['facts['networking']['hostname']'], + $facts['facts['networking']['fqdn']'], ], port => 80, docroot => '/var/www/html', @@ -172,7 +172,7 @@ serveraliases => [ 'dev-ocf.berkeley.edu', 'secure.ocf.berkeley.edu', - $::fqdn, + $facts['facts['networking']['fqdn']'], ], directories => [ { 
@@ -191,8 +191,8 @@ redirectmatch_dest => $canonical_url, ssl => true, - ssl_key => "/etc/ssl/private/${::fqdn}.key", - ssl_cert => "/etc/ssl/private/${::fqdn}.crt", - ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate"; + ssl_key => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.key", + ssl_cert => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.crt", + ssl_chain => "/etc/ssl/private/${facts['facts['networking']['fqdn']']}.intermediate"; } } diff --git a/modules/ocf_www/manifests/ssl.pp b/modules/ocf_www/manifests/ssl.pp index 93b65078b..7814deb7c 100644 --- a/modules/ocf_www/manifests/ssl.pp +++ b/modules/ocf_www/manifests/ssl.pp @@ -2,8 +2,8 @@ class ocf_www::ssl { apache::custom_config { 'ocf-ssl': content => " - SSLProtocol ${::ssl_protocols} - SSLCipherSuite ${::ssl_ciphersuite} + SSLProtocol ${facts['ssl_protocols']} + SSLCipherSuite ${facts['ssl_ciphersuite']} ", } }
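Review bot: `${facts['ssl_protocols']}` and `${facts['ssl_ciphersuite']}` in the `ocf-ssl` Apache config now read from the facts hash, but the old `$::ssl_protocols` and `$::ssl_ciphersuite` appear to be top-scope variables assigned in manifests/site_ssl.pp (changed earlier in this same diff), not facts. If so, both interpolate to empty strings, and the rendered `SSLProtocol` and `SSLCipherSuite` directives either lose the intended protocol and cipher restrictions or make Apache reject the config. Keep the top-scope references here: `SSLProtocol ${::ssl_protocols}` and `SSLCipherSuite ${::ssl_ciphersuite}`.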