The document discusses the creation of reusable Puppet profiles, emphasizing the use of component modules, profiles, and roles to manage and configure technology stacks effectively. It presents various design patterns, including granular roles and conditional logic, as well as providing examples of Puppet classes and defined types for web server and database setups. Additionally, it highlights best practices for documentation and validation of code within the Puppet ecosystem.

1. Creating Reusable Puppet Profiles
Bram Vogelaar
@attachmentgenie

2. $whoami
• Used to be a Molecular Biologist
• Then became a Dev
• Now an Ops
• Currently Cloud Engineer @ The Factory

3. Webserver.pp circapuppet 0.24
includeapache
apache::vhost{ 'vhost.example.com':
port => '80',
docroot => '/var/www/vhost',
}
include::php
class { '::mysql::server':
root_password=> 'secret',
}
class { '::mysql::server::account_security':}
class { '::mysql::client': }
mysql::db{ 'mydb':
user => 'myuser',
password=> 'topsecret',
host => 'localhost',
grant => ['SELECT', 'UPDATE'],
}
include::firewall
firewall{'http':
dport => '80',
proto => 'tcp',
action => 'accept',
}

4. Webserver.pp circapuppet 0.24
class customer_x inherits webserver {
includecustomer_x
}
class customer_y inherits webserver {
includecustomer_y
}

5. A design pattern emerged
• Component modules — Modules that manage one particular technology.
• Profiles — Wrapper classes that use (multiple) component modules to configure a layered technology stack.
• Roles — Wrapper classes that use multiple profiles to build a complete system configuration.
https://www.craigdunn.org/2012/05/239/

6. Roles & Profiles
class roles::webserver {
include::profiles::apache
}
class roles::database {
include::profiles::mysql
}
class roles::allinone {
include::profiles::apache
include::profiles::mysql
}

7. • profiles::website::apache::vhosts:
'icinga.alerting.vagrant':
port:80
docroot:'/usr/share/icingaweb2/public'
directories:
- 'icingaweb':
path:'/usr/share/icingaweb2/public'
directoryindex:'index.php'
options:
- 'SymLinksIfOwnerMatch'
setenv:
- 'ICINGAWEB_CONFIGDIR"/etc/icingaweb2"'
rewrites:
- 'icingaweb':
comment: 'Icingaweb2'
rewrite_base:'/icingaweb2'
rewrite_cond:
- '%%{}{REQUEST_FILENAME} -s[OR]'
- '%%{}{REQUEST_FILENAME} -l [OR]'
- '%%{}{REQUEST_FILENAME} -d‘
…
YAML Programming

8. Roles & Profiles
• First approach: Granular roles
• Second approach: Conditional logic
• Third approach: Nested roles
• Fourth approach: Multiple roles per node
• Fifth approach: Super profiles
• Sixth approach: Building roles in the node classifier
https://puppet.com/docs/pe/2021.3/osp/designing_convenient_roles.html

9. modules ❯ pdk new module [--template-url=<value>]
modules ❯ pdk convert [--template-url=<value>]
modules ❯ pdk new class profiles::technology
modules ❯ pdk new defined_type profiles::technology::thing
modules ❯ bundle exec rake pdksync
Standardize your layout (and toolset)

10. #Installs,configures,andmanagesnomad
#
#@exampleTosetup asinglenomadserver,withseveralagentsattached,ontheserver.
# class { 'nomad':
# config_hash=>{
# 'region' =>'us-west',
# 'datacenter'=>'ptk',
# 'bind_addr' =>'0.0.0.0',
# 'data_dir' =>'/opt/nomad',
# 'server' =>{
# 'enabled' => true,
# 'bootstrap_expect'=>3,
# }
# }
# }
Document yourcode…no really!

11. modules ❯ pdk validate –parallel
modules ❯ pdk test unit
Validate your code… no really

12. • class roles::webserver {
includeprofiles::bootstrap
include profiles::database
includeprofiles::webserver
}
Roles & Profiles

13. class nginx (
$temp_path = ‘/tmp’,
$confd_only = false,
$daemon = undef,
$severity = 'error‘,
…
Using types

14. class profiles::website::nginx (
Stdlib::Absolutepath $temp_path,
Boolean $confd_only = false,
Optional[Enum['on', 'off']] $daemon = undef,
Nginx::Severity $severity = 'error',
…
Using types

15. type Nginx::Severity = Enum[
'debug',
'info',
'notice',
'warn',
'error',
'crit',
'alert',
'emerg' # lint:ignore:trailing_comma
]
…
Using types

16. modules ❯ grep -r "apache::vhost" . | wc –l
modules ❯ 75
(D)on’t (R)epeat (Y)ourself

17. • define profile_static_app::vhost(
String$public_name,
String$internal_name,
String$package_name,
) {
::profile_static_app::instance{$public_name:
package_name=>$package_name,
ensure => $package_ensure,
}
::profile_apache::vhost{$public_name:
docroot =>$docroot,
internal_name => $internal_name,
internal_aliases=>$internal_aliases,
public_name =>$public_name,
public_aliases =>$public_aliases,
force_ssl =>$force_ssl,
letsencrypt =>$letsencrypt,
rproxy_type =>$rproxy_type,
rproxy_basicauth=> $rproxy_basicauth,
custom_fragment =>$custom_fragment,
}
}
Defined Types (vhost)

18. • php::fpm::pool{ $name:
access_log => $acces_log,
listen => $fpm_listen,
pm =>$process_manager,
pm_status_path=>"/${name}_status",
}
if $create_cachetool_config{
::profile_php::cachetool::config{ $name:
fpm_listen=>$fpm_listen,
location =>$cachetool_config_dir,
}
}
if $enable_ship_logs{
::profile_base::rsyslog::file{ "${name}-pool":
location=>$acces_log,
}
}
if $enable_ship_metrics{
notify{ 'nometricstoseehere':}
}
}
Defined Types (app instance)

19. create_resources( 'apache::vhost', $vhosts, $instances)
VS
create_resources( '::profile_symfony::vhost', $instances)
create_resources( '::profile_drupal::vhost', $instances)
Profiles andDefined Types

20. Feature flag it all
class profiles::website (
Boolean $apache = false,
Boolean $nginx = false,
Boolean $traefik = false,
){
if $apache{
class {'::profiles::website::apache': }
}
if $nginx{
class {'::profiles::website::nginx': }
}
if $traefik{
class {'::profiles::website::traefik': }
}
}

21. ---
classes:
- roles::prometheus
profiles::alerting::alertmanager:true
profiles::bootstrap::keepalive:true
…
Feature flag it all

22. Contact
bram@attachmentgenie.com
@attachmentgenie
https://www.slideshare.net/attachmentgenie
https://github.com/attachmentgenie/attachmentgenie-profiles

23. The Floor is yours…
Questions ?