Publish our puppet repository
The Puppet repository used for the Tor infrastructure is not public. We should fix that.
So concretely, the TL;DR of what I am proposing is this:
1. Use a control repository
2. Get rid of `3rdparty/`, that is:
   - convert everything to hiera (#30020) - this requires creating `roles` for each machine (more or less) -- effectively done as far as this issue is concerned
   - audit `site-modules/` for private data and move any private data into `hiera/`
   - publish everything but `hiera/`, which becomes a new (secret) repository
3. Deploy with g10k
4. Authenticate with checksums
5. Deploy to branch-specific environments
6. Rename the default branch "production"
7. Push directly on the Puppet server
8. Use a role account (#29663)
This comes from the proposed solution section of the Puppet documentation, which also includes further improvements to the Puppet server setup. Note that steps 5 to 8 could actually be split into a separate ticket, but steps 3 and 4 are mandatory to ensure code integrity.
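Steps 3 and 4 hinge on what the control repository's Puppetfile says: g10k fetches whatever each `mod` entry names, so a module pointed at a branch or tag can change under us without any commit to the control repository, while a full git commit id cannot. The following is an added example, not code from the Tor Puppet repository or its documentation; it reads that "authenticate with checksums" step as "every git module pinned to a full commit id and every forge module pinned to an exact release", which is an assumption. The Puppetfile text, module names, URLs and commit id are constructed for illustration.

```ruby
# Added example (not the Tor project's code): audit a Puppetfile so that every
# module g10k would deploy is pinned to immutable content. Module names, URLs
# and commit ids below are constructed for illustration.

# Constructed Puppetfile, the kind of file a control repository carries at its root.
PUPPETFILE = <<~'PF'
  forge 'https://forgeapi.puppetlabs.com'

  # forge module pinned to an exact release
  mod 'puppetlabs-stdlib', '8.6.0'

  # forge module with no version: resolves to whatever is "latest" at deploy time
  mod 'puppetlabs-apt'

  # git module pinned to a full commit id: content cannot change without the id changing
  mod 'prometheus',
      git: 'https://git.example.org/puppet-prometheus.git',
      commit: '1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d'

  # git module tracking a branch: whoever can push to the remote controls what gets deployed
  mod 'grafana',
      git: 'https://git.example.org/puppet-grafana.git',
      branch: 'master'

  # git module on a tag: tags are movable references, not content
  mod 'nginx',
      git: 'https://git.example.org/puppet-nginx.git',
      tag: 'v3.0.0'
PF

# Minimal evaluator for the Puppetfile DSL. It only records the `mod` calls,
# so nothing is fetched and the audit runs offline.
class PuppetfileAudit
  FULL_COMMIT   = /\A(?:[0-9a-f]{40}|[0-9a-f]{64})\z/ # sha1 or sha256 git object id
  EXACT_VERSION = /\A\d+\.\d+\.\d+\z/                 # one forge release, not "latest" or a range

  attr_reader :modules

  def initialize
    @modules = []
  end

  # DSL entry points that the Puppetfile text calls; only `mod` records anything.
  def forge(_url); end
  def moduledir(_dir); end

  def mod(name, version = nil, **opts)
    @modules << { name: name, version: version, opts: opts }
  end

  def self.parse(text)
    audit = new
    audit.instance_eval(text, 'Puppetfile')
    audit
  end

  # One finding per module: { name:, pinned:, reason: }
  def findings
    @modules.map { |m| m[:opts][:git] ? check_git(m) : check_forge(m) }
  end

  # Names of modules whose content could change without the Puppetfile changing.
  def self.unpinned(text)
    parse(text).findings.reject { |f| f[:pinned] }.map { |f| f[:name] }
  end

  private

  def check_git(m)
    opts = m[:opts]
    pin = opts[:commit] || opts[:ref] # `ref:` may also carry a full commit id
    if pin && pin.match?(FULL_COMMIT)
      finding(m, true, "pinned to commit #{pin[0, 12]}")
    elsif opts[:tag]
      finding(m, false, "tag #{opts[:tag]} can be moved or re-created")
    elsif opts[:branch] || pin
      finding(m, false, "mutable ref #{opts[:branch] || pin}")
    else
      finding(m, false, 'no ref at all: follows the remote HEAD')
    end
  end

  def check_forge(m)
    v = m[:version].to_s
    if v.match?(EXACT_VERSION)
      finding(m, true, "forge release #{v}")
    else
      finding(m, false, v.empty? ? 'no version: resolves to latest' : "non-exact version #{v}")
    end
  end

  def finding(m, pinned, reason)
    { name: m[:name], pinned: pinned, reason: reason }
  end
end

# Report when run as a script; each line is OK/UNPINNED, module name, reason.
if $PROGRAM_NAME == __FILE__
  PuppetfileAudit.parse(PUPPETFILE).findings.each do |f|
    puts format('%-8s %-20s %s', f[:pinned] ? 'OK' : 'UNPINNED', f[:name], f[:reason])
  end
end
```

Run against the constructed Puppetfile this flags `puppetlabs-apt`, `grafana` and `nginx` and passes `puppetlabs-stdlib` and `prometheus`. Wiring `PuppetfileAudit.unpinned` into a pre-receive hook or CI job on the control repository is what turns step 4 into a check that runs on every push rather than a convention.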
Once this is done, the final picture will look like this:

- `hiera/` - private data: machine -> role assignments, secret stuff like the alias file, machine location, price and other similar metadata and details (see also legacy/trac#29816 (moved))
- `modules/` - equivalent of the current `3rdparty/` directory: fully public, reusable code that's aimed at collaboration. Mostly code from the Puppet forge, or our own repository if there is no equivalent there
- `site-modules/profiles/` - magic sauce on top of the 3rd party `modules/`. A few have already been created in `modules/profiles/` for grafana and prometheus; the profiles configure official 3rd party classes with our site-specific criteria
- `site-modules/roles/` - abstract classes that regroup a few profiles. For example `roles::monitoring` could currently include `profiles::grafana` as an implementation
- `site-modules/MODULE/` - remaining custom modules that still need to be published (by moving them into their own repository and `modules/`, or by replacing them with an existing module in `modules/`)
This could all be done in the current repository, without creating a new one with a clean history, but it would prepare us for that final step. And that step would simply be to move `roles/` into a public repository, while keeping `hiera/` private in its own repository.