Status: WIP
My puppetserver is installed using an Ansible role that I tweaked a bit for my personal needs. The setup is created with CI/CD integration in mind and uses 2 repositories (this one and hieradata) to keep all the code on the puppetserver up to date. Jenkins pipelines automatically push changes to config and manifests to the right location on the puppetserver.
Note
I created all of the profiles from the ground up to learn more about Puppet. These profiles are not perfect and might still have flaws and bad practices.
Profiles:
- Base
- Docker
- Gitea
- Grafana
- Jenkins
- Minecraft
- Prometheus
- Hashicorp Vault
File locations:
| Description | Location |
|---|---|
| Puppet manifests | /etc/puppetlabs/code/environments/production/modules/ |
| Node specific hieradata | /etc/puppetlabs/code/environments/production/data/nodes/ |
| OS specific hieradata | /etc/puppetlabs/code/environments/production/data/os/ |
| Common hieradata | /etc/puppetlabs/code/environments/production/data/common.yaml |
| Role definitions for nodes | /etc/puppetlabs/code/environments/production/manifests/site.pp |
I installed some extra modules to make my life easier:
```
/etc/puppetlabs/code/modules
├── puppet-archive
├── puppet-systemd
├── puppet-vault_lookup
├── puppetlabs-apt
├── puppetlabs-concat
├── puppetlabs-inifile
├── puppetlabs-mysql
├── puppetlabs-stdlib
├── saz-ssh
├── saz-timezone
└── stm-debconf
```
To remove the secrets from my code, I use Vault, which can house them safely. An extra Puppet module looks the secrets up in Vault, which makes my workflow more secure and keeps the secrets separate from the repos.

To grab one of the secrets stored in Vault, I can use a Deferred function to look up the secret:

```puppet
$jwt_secret = Deferred('vault_lookup::lookup', ['homelab-vm/data/gitea', { field => 'jwt_secret' }])
```

This will populate the `jwt_secret` parameter (in this case) with a value of type `Sensitive`. Because the function is deferred, the lookup runs on the agent when the catalog is applied, so the puppetserver never handles the plaintext value.
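A fuller version of the same pattern, as an added example rather than code from this repo: a profile that resolves the secret on the agent with a Deferred `vault_lookup::lookup` and renders it into a config file without the plaintext reaching the catalog. The class name, the target file, the `git` user and the `oauth2` key are assumptions for illustration; the Vault path and field are the ones used above, and the agent is assumed to already authenticate to Vault (the module's default is the agent's Puppet certificate).

```puppet
# Added example (not part of this repository). Assumptions: class name,
# config path, owner and ini section are illustrative; the agent can
# already authenticate to Vault.
class profile::gitea_secret (
  String $vault_path = 'homelab-vm/data/gitea',
  String $config     = '/etc/gitea/app.ini',   # hypothetical target file
) {
  # Deferred: evaluated by the agent at apply time, not by the puppetserver
  # at compile time, so the secret is never serialized into the catalog.
  # vault_lookup returns the value wrapped in Sensitive.
  $jwt_secret = Deferred('vault_lookup::lookup', [$vault_path, { 'field' => 'jwt_secret' }])

  # A Deferred value cannot be interpolated into a template during
  # compilation. Deferring inline_epp as well moves the render to the agent;
  # .unwrap exposes the Sensitive value only inside that render.
  $template = @(EPP)
    [oauth2]
    JWT_SECRET = <%= $jwt_secret.unwrap %>
    | EPP

  file { $config:
    ensure    => file,
    owner     => 'git',
    group     => 'git',
    mode      => '0600',
    # Keep the rendered secret out of agent reports and file diffs.
    show_diff => false,
    content   => Deferred('inline_epp', [$template, { 'jwt_secret' => $jwt_secret }]),
  }
}
```

If Vault is unreachable when the agent runs, the Deferred lookup fails and the `file` resource is skipped rather than written with an empty value, which is the failure mode you want for a credential file.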