Restore variables

SUNET · Oct 8, 2024 · f4f0064 · f4f0064
1 parent 52900fc
commit f4f0064
Show file tree

Hide file tree

Showing 36 changed files with 143 additions and 143 deletions.
diff --git a/manifests/auth_server.pp b/manifests/auth_server.pp
@@ -3,13 +3,13 @@
     Hash $config,
     String $cert_file,
     String $key_file,
-    String $server_name      = $facts['networking']['fqdn'],
+    String $server_name      = $::fqdn,
     String $port             = '443',
     String $username         = 'sunet',
     String $group            = 'sunet',
     String $base_dir         = '/opt/sunet',
     Boolean $saml_sp         = false,
-    String $pysaml2_base_url = "https://${facts['networking']['fqdn']}/saml2/sp",
+    String $pysaml2_base_url = "https://$::fqdn/saml2/sp",
     Array $allow_clients     = [$facts['cosmos']['frontend_server_addrs']],
 ) {
 

diff --git a/manifests/bird.pp b/manifests/bird.pp
@@ -5,11 +5,11 @@
   String $username   = 'bird',
   Integer $uid       = 501,
   Integer $gid       = 501,
-  String $router_id  = $facts['networking']['interfaces']['default']['ip'],
+  String $router_id  = $::ipaddress_default,
   String $check_args = '',
 ) {
   $my_router_id = $router_id ? {
-    undef   => $facts['networking']['interfaces']['eth0']['ip'],
+    undef   => $::ipaddress_eth0,
     default => $router_id
   }
   group {$username:

diff --git a/manifests/cloudimage.pp b/manifests/cloudimage.pp
@@ -38,27 +38,27 @@
   Variant[String, Boolean] $apt_mirror  = 'http://se.archive.ubuntu.com/ubuntu',
 )
 {
-  warning ('sunet::cloudimage is deprecated - please migrate to sunet::kvm::host and sunet::kvm::cloudimage')
-  if $facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') >= 0 {
+  warning ("sunet::cloudimage is deprecated - please migrate to sunet::kvm::host and sunet::kvm::cloudimage")
+  if $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '22.04') >= 0 {
     $kvm_package = 'qemu-system-x86'
-  } elsif $facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '16.04') >= 0 {
+  } elsif $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '16.04') >= 0 {
     $kvm_package = 'qemu-kvm'
   } else {
     $kvm_package = 'kvm'  # old name
   }
-  if $facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '18.04') >= 0 {
+  if $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '18.04') >= 0 {
     # Manages CPU affinity for virtual CPUs. Seems to be required on new KVM hosts in eduid,
     # to keep the VMs from crashing.
     $numad_package = 'numad'
   } else {
     $numad_package = []
   }
-  if $facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '19.10') >= 0 {
+  if $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '19.10') >= 0 {
     $libvirt_package = 'libvirt-daemon-system'
   } else {
     $libvirt_package = 'libvirt-bin'
   }
-  if $facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') >= 0 {
+  if $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '22.04') >= 0 {
     # virsh command has been broken out of the libvirt-package for Jammy
     $virt_extra = 'libvirt-clients'
   } else {
@@ -85,7 +85,7 @@
   $network_config = "${script_dir}/${name}/${name}_network-config"
 
   if $secure_boot {
-    if str2bool($facts['sunet_kvmhost_can_secureboot']) {
+    if str2bool($::sunet_kvmhost_can_secureboot) {
       $sb_args = '--boot=uefi,loader_secure=yes,loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,nvram_template=/usr/share/OVMF/OVMF_VARS.ms.fd --machine=q35 --features smm=on'
     } else {
       # The ovmf package in Ubuntu 18.04 did not include the boot loader and NVRAM content to

diff --git a/manifests/disable_resolved_stub.pp b/manifests/disable_resolved_stub.pp
@@ -1,7 +1,7 @@
 # Disable/enable resolved stub
 class sunet::disable_resolved_stub(
   Variant[Boolean, Undef] $disable_resolved_stub = undef,
-  String $dns_ip                                 = pick($facts['networking']['interfaces']['default']['ip'], $facts['networking']['interfaces']['default']['ip6']),
+  String $dns_ip                                 = pick($::ipaddress_default, $::ipaddress6_default),
 ) {
   # If unbound is installed on a host, it is likely that the intent is for it to be used.
   # If the host has systemd resolved, the standard setting is for resolv.conf to have 'nameservers 127.0.0.53'

diff --git a/manifests/dockerhost.pp b/manifests/dockerhost.pp
@@ -8,7 +8,7 @@
   Boolean $run_docker_cleanup                 = true,
   Variant[String, Boolean] $docker_network    = lookup('dockerhost_docker_network', Variant[String, Boolean], undef, '172.18.0.0/22'),
   String $docker_network_v6                   = lookup('dockerhost_docker_network_v6', String, undef, 'fd0c:d0c::/64'),  # default bridge
-  Variant[String, Array[String]] $docker_dns  = $facts['networking']['interfaces']['default']['ip'],
+  Variant[String, Array[String]] $docker_dns  = $facts['ipaddress_default'],
   Boolean $ufw_allow_docker_dns               = true,
   Boolean $manage_dockerhost_unbound          = false,
   String $compose_image                       = 'docker.sunet.se/library/docker-compose',

diff --git a/manifests/etcd/node.pp b/manifests/etcd/node.pp
@@ -3,11 +3,11 @@
   String           $docker_tag,
   String           $service_name       = 'etcd',
   Optional[String] $disco_url          = undef,
-  Array[String]    $cluster_nodes      = [$facts['networking']['fqdn']],
+  Array[String]    $cluster_nodes      = [$::fqdn],
   Optional[String] $discovery_srv      = undef,  # DNS SRV record for cluster node discovery
   Enum['on', 'readonly', 'off'] $proxy = 'off',
-  String           $s2s_ip_or_host     = $facts['networking']['fqdn'],
-  String           $c2s_ip_or_host     = $facts['networking']['fqdn'],
+  String           $s2s_ip_or_host     = $::fqdn,
+  String           $c2s_ip_or_host     = $::fqdn,
   Enum['https', 'http'] $c2s_proto     = 'https',
   String           $etcd_listen_ip     = '0.0.0.0',
   String           $docker_image       = 'gcr.io/etcd-development/etcd',
@@ -40,11 +40,11 @@
 
   # Use infra-cert per default if cert/key/ca file not supplied
   $cert_file = $tls_cert_file ? {
-    undef => $facts['tls_certificates'][$::fqdn]['infra_cert'],
+    undef => $::tls_certificates[$::fqdn]['infra_cert'],
     default => $tls_cert_file,
   }
   $key_file = $tls_key_file ? {
-    undef => $facts['tls_certificates'][$::fqdn]['infra_key'],
+    undef => $::tls_certificates[$::fqdn]['infra_key'],
     default => $tls_key_file,
   }
   $trusted_ca_file = pick($tls_ca_file, '/etc/ssl/certs/infra.crt')

diff --git a/manifests/etcd_node.pp b/manifests/etcd_node.pp
@@ -8,16 +8,16 @@
   $proxy_readonly  = false,
   $browser         = false,
   $docker_net      = 'docker',
-  $etcd_s2s_ip     = $facts['networking']['interfaces']['eth1']['ip'],
+  $etcd_s2s_ip     = $::ipaddress_eth1,
   $etcd_s2s_proto  = 'http',    # XXX default ought to be https
   $etcd_c2s_ip     = '0.0.0.0',
   $etcd_c2s_proto  = 'http',    # XXX default ought to be https
   $etcd_listen_ip  = '0.0.0.0',
   $etcd_image      = 'quay.io/coreos/etcd',
   $etcd_extra      = [],        # extra arguments to etcd
-  $tls_key_file    = "/etc/ssl/private/${facts['networking']['fqdn']}_infra.key",
+  $tls_key_file    = "/etc/ssl/private/${::fqdn}_infra.key",
   $tls_ca_file     = '/etc/ssl/certs/infra.crt',
-  $tls_cert_file   = "/etc/ssl/certs/${facts['networking']['fqdn']}_infra.crt",
+  $tls_cert_file   = "/etc/ssl/certs/${::fqdn}_infra.crt",
   $expose_ports    = true,
   $expose_port_pre = '',
   $allow_clients   = ['any'],
@@ -60,7 +60,7 @@
       default => ["--discovery ${disco_url}"]
   }
   $common_args = [$disco_args,
-                  "--name ${facts['networking']['hostname']}",
+                  "--name ${::hostname}",
                   '--data-dir /data',
                   "--key-file ${tls_key_file}",
                   "--ca-file ${tls_ca_file}",
@@ -96,7 +96,7 @@
   $ports = $expose_ports ? {
     true => ["${expose_port_pre}:2380:2380",
               "${expose_port_pre}:2379:2379",
-              "${facts['networking']['interfaces']['docker0']['ip']}:4001:2379",
+              "${::ipaddress_docker0}:4001:2379",
               ],
     false => []
   }
@@ -123,7 +123,7 @@
     }
     sunet::misc::ufw_allow { 'allow-etcd-client-on-docker0':
       from => '172.16.0.0/12',
-      to   => $facts['networking']['interfaces']['docker0']['ip'],
+      to   => $::ipaddress_docker0,
       port => '4001',
     }
     sunet::misc::ufw_allow { 'allow-etcd-peer':

diff --git a/manifests/frontend/load_balancer.pp b/manifests/frontend/load_balancer.pp
@@ -77,7 +77,7 @@
       docker_imagetag       => pick($config['load_balancer']['telegraf_imagetag'], 'stable'),
       docker_volumes        => pick($config['load_balancer']['telegraf_volumes'], []),
       forward_url           => $config['load_balancer']['telegraf_forward_url'],
-      statsd_listen_address => pick($facts['networking']['interfaces']['docker0']['ip'], 'no-address-provided'),
+      statsd_listen_address => pick($::ipaddress_docker0, 'no-address-provided'),
     }
 
     sunet::misc::ufw_allow { 'always-https-allow-http':

diff --git a/manifests/frontend/load_balancer/peer.pp b/manifests/frontend/load_balancer/peer.pp
@@ -9,11 +9,11 @@
   # depending on the address family of $remote_ip
   if ! is_ipaddr($local_ip) {
     if is_ipaddr($remote_ip, 4) {
-      $_local_ip = $facts['networking']['interfaces']['default']['ip']
+      $_local_ip = $::ipaddress_default
       $_local_ip_family = 4
       $_local_ip_fact = 'ipaddress_default'
     } elsif is_ipaddr($remote_ip, 6) {
-      $_local_ip = $facts['networking']['interfaces']['default']['ip6']
+      $_local_ip = $::ipaddress6_default
       $_local_ip_family = 6
       $_local_ip_fact = 'ipaddress6_default'
     }

diff --git a/manifests/frontend/load_balancer/website.pp b/manifests/frontend/load_balancer/website.pp
@@ -16,23 +16,23 @@
 
   # Figure out what certificate to pass to the haproxy container
   if ! has_key($config, 'tls_certificate_bundle') {
-    if has_key($facts['tls_certificates'], 'snakeoil') {
-      $snakeoil = $facts['tls_certificates']['snakeoil']['bundle']
+    if has_key($::tls_certificates, 'snakeoil') {
+      $snakeoil = $::tls_certificates['snakeoil']['bundle']
     }
-    if has_key($facts['tls_certificates'], $site_name) {
+    if has_key($::tls_certificates, $site_name) {
       # Site name found in tls_certificates - good start
       $_tls_certificate_bundle = pick(
-        $facts['tls_certificates'][$site_name]['haproxy'],
-        $facts['tls_certificates'][$site_name]['certkey'],
-        $facts['tls_certificates'][$site_name]['infra_certkey'],
-        $facts['tls_certificates'][$site_name]['bundle'],
-        $facts['tls_certificates'][$site_name]['dehydrated_bundle'],
+        $::tls_certificates[$site_name]['haproxy'],
+        $::tls_certificates[$site_name]['certkey'],
+        $::tls_certificates[$site_name]['infra_certkey'],
+        $::tls_certificates[$site_name]['bundle'],
+        $::tls_certificates[$site_name]['dehydrated_bundle'],
         'NOMATCH',
       )
       if $_tls_certificate_bundle != 'NOMATCH' {
         $tls_certificate_bundle = $_tls_certificate_bundle
       } else {
-        $_site_certs = $facts['tls_certificates'][$site_name]
+        $_site_certs = $::tls_certificates[$site_name]
         notice(join([
           "None of the certificates for site ${site_name} matched my list ",
           "(haproxy, certkey, infra_certkey, bundle, dehydrated_bundle): ${_site_certs}"
@@ -65,10 +65,10 @@
 
   if $::facts['sunet_nftables_enabled'] != 'yes' {
     # OLD setup
-    $_docker_ip = $facts['networking']['interfaces']['docker0']['ip']
+    $_docker_ip = $::facts['ipaddress_docker0']
     # On old setups, containers can't reach IPv6 only ACME-C backend directly, but have to go through
     # a proxy process (always-https) running on the frontend host itself.
-    $_letsencrypt_override_address = $facts['networking']['interfaces']['default']['ip']
+    $_letsencrypt_override_address = $::facts['ipaddress_default']
   } else {
     # NEW setup with Docker in namespace
     $_docker_ip = '172.16.0.2'  # TODO: Parameterise this somehow
@@ -78,9 +78,9 @@
   # Add IP and hostname of the host running the container - used to reach the
   # acme-c proxy in eduid
   $config3a = merge($config2, {
-    'frontend_ip4' => $facts['networking']['interfaces']['default']['ip'],
-    'frontend_ip6' => $facts['networking']['interfaces']['default']['ip6'],
-    'frontend_fqdn' => $facts['networking']['fqdn'],
+    'frontend_ip4' => $::ipaddress_default,
+    'frontend_ip6' => $::ipaddress6_default,
+    'frontend_fqdn' => $::fqdn,
   })
 
   if $_letsencrypt_override_address {
@@ -143,7 +143,7 @@
   $haproxy_volumes        = pick($config['haproxy_volumes'], false)
   $multinode_port         = pick_default($config['multinode_port'], false)
   $statsd_enabled         = pick($config['statsd_enabled'], true)
-  $statsd_host            = pick($_docker_ip, $facts['networking']['ip'])
+  $statsd_host            = pick($_docker_ip, $::ipaddress)
   $varnish_config         = pick($config['varnish_config'], '/opt/frontend/config/common/default.vcl')
   $varnish_enabled        = pick($config['varnish_enabled'], false)
   $varnish_image          = pick($config['varnish_image'], 'docker.sunet.se/library/varnish')
@@ -228,7 +228,7 @@
     })
   }
 
-  if has_key($config, 'letsencrypt_server') and $config['letsencrypt_server'] != $facts['networking']['fqdn'] {
+  if has_key($config, 'letsencrypt_server') and $config['letsencrypt_server'] != $::fqdn {
     sunet::dehydrated::client_define { $name :
       domain        => $name,
       server        => $config['letsencrypt_server'],

diff --git a/manifests/frontend/load_balancer/website2.pp b/manifests/frontend/load_balancer/website2.pp
@@ -15,23 +15,23 @@
 
   if ! has_key($config, 'tls_certificate_bundle') {
     # Put suitable certificate path in $config['tls_certificate_bundle']
-    if has_key($facts['tls_certificates'], 'snakeoil') {
-      $snakeoil = $facts['tls_certificates']['snakeoil']['bundle']
+    if has_key($::tls_certificates, 'snakeoil') {
+      $snakeoil = $::tls_certificates['snakeoil']['bundle']
     }
-    if has_key($facts['tls_certificates'], $site_name) {
+    if has_key($::tls_certificates, $site_name) {
       # Site name found in tls_certificates - good start
       $_tls_certificate_bundle = pick(
-        $facts['tls_certificates'][$site_name]['haproxy'],
-        $facts['tls_certificates'][$site_name]['certkey'],
-        $facts['tls_certificates'][$site_name]['infra_certkey'],
-        $facts['tls_certificates'][$site_name]['bundle'],
-        $facts['tls_certificates'][$site_name]['dehydrated_bundle'],
+        $::tls_certificates[$site_name]['haproxy'],
+        $::tls_certificates[$site_name]['certkey'],
+        $::tls_certificates[$site_name]['infra_certkey'],
+        $::tls_certificates[$site_name]['bundle'],
+        $::tls_certificates[$site_name]['dehydrated_bundle'],
         'NOMATCH',
       )
       if $_tls_certificate_bundle != 'NOMATCH' {
         $tls_certificate_bundle = $_tls_certificate_bundle
       } else {
-        $_site_certs = $facts['tls_certificates'][$site_name]
+        $_site_certs = $::tls_certificates[$site_name]
         notice("None of the certificates for site ${site_name} matched my list (haproxy, certkey, infra_certkey, bundle, dehydrated_bundle): ${_site_certs}")
         if $snakeoil {
           $tls_certificate_bundle = $snakeoil
@@ -53,9 +53,9 @@
   # Add IP and hostname of the host running the container - used to reach the
   # acme-c proxy in eduid
   $config3 = merge($config2, {
-    'frontend_ip4' => $facts['networking']['interfaces']['default']['ip'],
-    'frontend_ip6' => $facts['networking']['interfaces']['default']['ip6'],
-    'frontend_fqdn' => $facts['networking']['fqdn'],
+    'frontend_ip4' => $::ipaddress_default,
+    'frontend_ip6' => $::ipaddress6_default,
+    'frontend_fqdn' => $::fqdn,
   })
 
   $local_config = lookup('sunet_frontend_local', undef, undef, {})
@@ -107,7 +107,7 @@
   $multinode_port         = pick_default($config['multinode_port'], false)
   $set_fqdn               = pick($config['set_fqdn'], false)
   $statsd_enabled         = pick($config['statsd_enabled'], true)
-  $statsd_host            = pick($facts['networking']['interfaces']['docker0']['ip'], $facts['networking']['ip'])
+  $statsd_host            = pick($::ipaddress_docker0, $::ipaddress)
   $varnish_config         = pick($config['varnish_config'], '/opt/frontend/config/common/default.vcl')
   $varnish_enabled        = pick($config['varnish_enabled'], false)
   $varnish_image          = pick($config['varnish_image'], 'docker.sunet.se/library/varnish')
@@ -165,7 +165,7 @@
     command => "/usr/sbin/ufw route allow out on br-${instance}",
   }
 
-  if has_key($config, 'letsencrypt_server') and $config['letsencrypt_server'] != $facts['networking']['fqdn'] {
+  if has_key($config, 'letsencrypt_server') and $config['letsencrypt_server'] != $::fqdn {
     sunet::dehydrated::client_define { $name :
       domain        => $name,
       server        => $config['letsencrypt_server'],

diff --git a/manifests/frontend/route_reflector.pp b/manifests/frontend/route_reflector.pp
@@ -1,6 +1,6 @@
 # SUNET frontend BGP Route Reflector config
 class sunet::frontend::route_reflector(
-  String $router_id = $facts['networking']['interfaces']['default']['ip'],
+  String $router_id = $::ipaddress_default,
 ) {
   $config = lookup('sunet_frontend', undef, undef, undef)
   if $config =~ Hash[String, Hash] {

diff --git a/manifests/gitolite.pp b/manifests/gitolite.pp
@@ -14,8 +14,8 @@
         shell      => '/bin/bash'
     })
 
-    $hostname = $facts['networking']['fqdn']
-    $shortname = $facts['networking']['hostname']
+    $hostname = $::fqdn
+    $shortname = $::hostname
 
     $home = $username ? {
         'root'    => '/root',

diff --git a/manifests/glb.pp b/manifests/glb.pp
@@ -36,7 +36,7 @@
       image            => 'docker.sunet.se/geodns',
       imagetag         => $geodns_version,
       volumes          => ['/etc/geodns:/etc/geodns','/etc/GeoLiteFiles:/usr/share/GeoIP'],
-      ports            => ["${facts['networking']['interfaces']['default']['ip']}:53:5353/udp","${facts['networking']['interfaces']['default']['ip']}:53:5353"],
+      ports            => ["${::ipaddress_default}:53:5353/udp","${::ipaddress_default}:53:5353"],
       command          => '-port 5353',
       extra_parameters => ['--security-opt seccomp=unconfined'],
   }
@@ -46,16 +46,16 @@
       volumes          => ['/etc/geodns:/etc/geodns'],
       env              => ["ZONE=${zone}"],
       extra_parameters => ['--security-opt seccomp=unconfined'],
-  }
-  ufw::allow { 'allow-dns-udp':
-      ip    => $facts['networking']['interfaces']['default']['ip'],
-      port  => '53',
-      proto => 'udp',
-  }
-  ufw::allow { 'allow-dns-tcp':
-      ip    => $facts['networking']['interfaces']['default']['ip'],
-      port  => '53',
-      proto => 'tcp',
-  }
-  sunet::nagios::nrpe_check_process { 'geodns': }
+   }
+   ufw::allow { "allow-dns-udp":
+      ip   => "${::ipaddress_default}",
+      port => '53',
+      proto => "udp",
+   }
+   ufw::allow { "allow-dns-tcp":
+      ip   => "${::ipaddress_default}",
+      port => '53',
+      proto => "tcp",
+   }
+   sunet::nagios::nrpe_check_process { 'geodns': }
 }