dev.yaml
# Overrides that switch off or stub out integrations the comments below
# describe as unavailable in the dev environment.
# Disable omkafka because the module falls into a tight CPU loop when its
# ssl.ca.location file is not available on startup and messages are in the
# queue, which is true when we first boot a container, since we autosign puppet
# certs. How to properly solve the problem is not obvious.
profile::rsyslog::kafka_shipper::enable: false
# No proxy support yet in dev
profile::apt::use_proxy: false
# We can't access the private repo in dev
profile::apt::use_private_repo: false
# Don't add static ipv6 ips in dev env
profile::base::production::enable_ip6_mapped: false
# Default to blackholing all emails generated by dev env hosts. See also
# https://phabricator.wikimedia.org/T296373 for more context
profile::mail::default_mail_relay::template: 'profile/mail/default_mail_relay/exim4.minimal.blackhole.erb'
# Disable remote syslog logging in dev for now as certs are not setup
# NOTE(review): with remote logging off and an empty central_hosts_tls map,
# logs presumably stay on the dev host only, so there is no off-host copy to
# consult after an incident. Re-enable once certs exist.
profile::syslog::remote::enable: false
profile::syslog::remote::central_hosts_tls: {}
# Don't manage resolv.conf as k8s handles it for now
profile::base::manage_resolvconf: false
# Treat all private networks as "bastions" for the dev environment.
# NOTE(review): this is the whole RFC 1918 space, so whatever access the
# consuming profiles grant to bastions (not visible in this file; confirm) is
# granted to every private address. Keep this override out of any non-dev
# hierarchy level.
bastion_hosts:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
# Allow access to '$CACHES' in firewall config from pod cidr
# NOTE(review): 10.0.0.0/8 is presumably wider than the actual pod CIDR;
# narrow it if the dev cluster's pod range is fixed.
cache_hosts:
- 10.0.0.0/8
# Netbox is not set up in the dev environment yet, so the host record is
# stubbed: status is the literal string 'unknown' and location is null.
profile::netbox::host::status: 'unknown'
profile::netbox::host::location: null
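# The java profile depends on the wmf-certificates deb
# NOTE(review): package/bundle/certs had lost their indentation and would
# parse as top-level keys, leaving trusted_certs null. Nesting is restored on
# the assumption that all three are keys of this hash; confirm against the
# profile's parameter type.
profile::base::certificates::trusted_certs:
  # Debian package that ships the CA bundle.
  package: 'wmf-certificates'
  # Path of the CA bundle file.
  bundle: '/etc/ssl/certs/wmf-ca-certificates.crt'
  # No individual certificates are listed for dev.
  certs: []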
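# Don't run debmonitor in dev for now
profile::debmonitor::client::ensure: 'absent'
profile::debmonitor::client::ssl_ca: 'puppet'
# Explicit null (was `~`): no CA label is set in dev.
profile::debmonitor::client::ssl_ca_label: null
# Etcd is not stood up yet in dev, so neither firewall backend reads its
# definitions from etcd.
profile::firewall::defs_from_etcd: false
profile::firewall::defs_from_etcd_nft: false
# TODO: Runs but is a large CPU hog for reasons not fully understood
# Quoted to match the other 'absent' ensure value in this file.
profile::prometheus::cadvisor::ensure: 'absent'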
# Puppet agent
# Name of the environment the agent runs in.
profile::puppet::agent::environment: 'dev'
# Point the agent at the dev puppet server; without this override the value
# from common.yaml (eqiad's server) would be used.
puppetmaster: 'puppet'
# The CA server is the same host as the puppet server.
puppet_ca_server: "%{lookup('puppetmaster')}"
# The production Puppet CA file is not installed on dev hosts.
manage_puppet_ca_file: false
# No periodic agent runs, to avoid burning CPU on a developer's laptop. This
# is a stop gap until a better solution is devised.
profile::puppet::agent::create_timer: false
# SRV-record discovery is off and no SRV domain is set.
profile::puppet::agent::use_srv_records: false
profile::puppet::agent::srv_domain: null
# PKI
# Host that PKI clients send signing requests to.
# NOTE(review): the name carries production-style labels (pki1001, eqiad) but
# sits under .svc.k8s.lan, presumably an in-cluster dev service. Confirm it
# cannot resolve to a production signer.
profile::pki::client::signer_host: 'pki1001.eqiad.default.svc.k8s.lan'
profile::pki::multirootca::cfssl_httpd_cert: false
# SSH Setup
# NOTE(review): the key names suggest certificate-based login (a trusted user
# CA plus an authorized-principals file); confirm the exact sshd options
# against profile::ssh::server, which is not visible here.
profile::ssh::server::authorized_principals_file: '/etc/ssh/user_authorized_principals.conf'
# Only the 'root' principal is listed.
profile::ssh::server::authorized_principals: ['root']
# Public key of the user CA (one double-quoted scalar, continued with
# trailing backslashes).
# NOTE(review): if this is wired to sshd's TrustedUserCAKeys, any certificate
# signed by the matching private key and naming an accepted principal is
# accepted. Keep that private key out of shared repos and never add this CA
# to a non-dev host.
profile::ssh::server::trusted_user_ca_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUDw3cmSElTvxaJ8PsZiTkxfnbYv\
5RbxpzejIdBlZ0jmRBMqEfwpFO5L3I1bFeh978Q6dJwJZ09IN4X94ooATI3DidiacNP\
C1SaxaOlHkawkKOk6CHJuT4l9dwdgXgbpXmacYPkQMbbcG/XX4DwC7xXZOMMGpc0dUQ\
pdcrw6pePznvuDtOrxclhQtMubdlcJ5MppqC7lFVYSCmwTmVm8s4LQyYtckJUgE/lu9\
JIV7JkHr4/l6OnCzn9vLW446o0ZdK2jEj+5a1FzOh9m0NWw2k18PaM0rBXzbIyu+VZT\
+yqN0v+OIu+12eN2kanUQ5viJwHotn5O5iRFZthi6b+ftVsgOcYjJ/LZKOvF717zMt/\
3+/53kncZS7VGg1OkkHY2F13qaAiza4uR8vDR2xZuOWndSs/p8BqT9tPlJY836es+8N\
N8gWWKW+0La87DzoAbNg03paVYKVF+7Q5LuOdcxOEBHjD0/RwcirUitmTS4IIpb/F8G\
txOpYbqmrXCHjaMU="
# Empty list; presumably no authorized_keys files are consulted, leaving
# certificates as the only key-based login path. Confirm.
profile::ssh::server::authorized_keys_file: []
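# SSH host certificate, keyed by host key type.
# The `rsa` entry had lost its indentation and would parse as a top-level
# key, leaving host_certs null; it is nested here again. Continuation lines
# are indented too: in a double-quoted scalar, leading whitespace after an
# escaped line break is discarded, so the value is unchanged.
# NOTE(review): this certificate is committed next to its private key
# (profile::ssh::server::host_keys), so the host identity it asserts is known
# to anyone who can read the repo. Read by eye, the certificate appears to
# list no principals and to have an unbounded validity window; confirm with
# `ssh-keygen -L -f <cert file>`. Clients outside the dev environment should
# never trust the CA that signed it.
profile::ssh::server::host_certs:
  rsa: "ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNza\
    C5jb20AAAAgI3sZBoJIHxXtN75JyU9bkx3RFj0u/ibIZTgobrCyKiQAAAADAQABAAA\
    BgQCjkl44c0BQcrmKp29tGGC/7vsJCk9bUx87NfmEsR9oVhVNVc15MOW1A39qR8n4Y\
    hOBxeyqmB49hsrrDL4j0+WPkFplXyZkhZTC4yQ3JKpeJXcnQxoxBZu1jeK4DsadTwB\
    c0MObaYGhRFCXfUVtFf2rxHXXcIw5Ty0kOARNHSblD4yNmz3tXZvszQnxiaTSGaOFr\
    rCK2oAoyZ2CDaUrwRNkvdYQJMvTXVrLPGyLceu6PRhM7dfHoJ2M53IFgC5lnTQRje/\
    PEwMzJGbjFQQKFE/SmUKYAz0TA4BNq15EWhoGaFFMM2dE61nJpXNKCKszsfo5zJMn4\
    RM0+enEGdKlRYe9XukVpuZSFHmJkVSUoIcxPIkn89+hyzdQ9uX7vkp1ucvCxhFwhAE\
    ZcR8SGe+oFuVDm2ciN4SDD6WvxtUIZ0zAZWtoloy9hCJm1UEfVfd+r7N+D/BkiDrT/\
    xY6UqfJk0dMBJWboakI6neqGLIDaeue5uUyrH3NoO4X907voCsxzZMAAAAAAAAAAAA\
    AAAIAAAACSUQAAAAAAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAAZcAAAAHc\
    3NoLXJzYQAAAAMBAAEAAAGBANQPDdyZISVO/Fonw+xmJOTF+dti/lFvGnN6Mh0GVnS\
    OZEEyoR/CkU7kvcjVsV6H3vxDp0nAlnT0g3hf3iigBMjcOJ2Jpw08LVJrFo6UeRrCQ\
    o6ToIcm5PiX13B2BeBuleZpxg+RAxttwb9dfgPALvFdk4wwalzR1RCl1yvDql4/Oe+\
    4O06vFyWFC0y5t2VwnkymmoLuUVVhIKbBOZWbyzgtDJi1yQlSAT+W70khXsmQevj+X\
    o6cLOf28tbjjqjRl0raMSP7lrUXM6H2bQ1bDaTXw9ozSsFfNsjK75VlP7Ko3S/44i7\
    7XZ43aRqdRDm+InAei2fk7mJEVm2GLpv5+1WyA5xiMn8tko68XvXvMy3/f7/neSdxl\
    LtUaDU6SQdjYXXepoCLNri5Hy8NHbFm45ad1Kz+nwGpP20+Uljzfp6z7w03yBZYpb7\
    QtrzsPOgBs2DTelpVgpUX7tDku451zE4QEeMPT9HByKtSK2ZNLggilv8Xwa3E6lhuq\
    atcIeNoxQAAAZQAAAAMcnNhLXNoYTItNTEyAAABgEe8WSV1W+5UC7u1F3N8oGGtnLO\
    kXCakx15XW2bAJqtttjly4CKEXV/Y261iGBxHRSYn7TDDDJURZQ2uT1UV4fq6UbwvT\
    7tRHda7DCorGxpCzNELJtM5M0Eh3YfPomAdqCVwfugJTpCJiJHNUZfNj0rUouj9eaJ\
    KkcYafIEMVNsPdEsMhsKqSoonPQUR9/69Om6apqsAosS6phdrYxlLOATnAkl79Sc3w\
    /pmz4vb9QqZaoWwT0AOPtMT/50UzW1u9/SsWAR70VggzK/1pjkPvv84zhYzFAuzUJW\
    VbN1kvff6G5BMblJIt/gtLL4o33cqc8/542fZvECyoqPw6rfcFi4tBLzpwNmOa41bb\
    eP/swcQRWrAoJAhXtNH5gCqgnNPClXYwPHc1Wnz++pD22BYfxHdI8q5UBNAlwZ/avv\
    LCZDVGh3lPtgj3E+6sTG8pWWhQRrU5XroX6aAIXlO2ufbuH+a+Jqof0rqVyAnGQSKA\
    uxeovFX2f9Rb6lEAQOG7VnPQA=="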
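# TODO: Consider moving this to labs-private. Until then this SSH host private
# key is readable by anyone with access to the repo: treat it as a dev-only
# throwaway and never reuse it, or trust the host identity it backs, outside
# the dev environment.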
profile::ssh::server::host_keys:
rsa: |-
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----