diff --git a/main.yml b/main.yml
index 099e890..2d1a0b1 100644
--- a/main.yml
+++ b/main.yml
@@ -1,200 +1,221 @@ --- - name: Create Instances hosts: 127.0.0.1 tags: always connection: local gather_facts: false vars_files: - "vars/main.yml" tasks: - include: tasks/create-security-groups.yml tags: [ 'init' ] - include: tasks/create-instances.yml tags: [ 'always' ] - include: tasks/create-volumes.yml tags: [ 'init' ] - name: Configure Jump Server hosts: lbs tags: conf-lbs vars_files: - "vars/main.yml" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: common tags: [ 'common' ] - role: swap/roles/swap tags: [ 'common' ] - role: ganglia-gmond - role: nrpe tags: [ 'common', 'conf-monit' ] - role: postfix postfix_mynetworks: [ 10.0.0.0/16 ] enable_postfix_relayhost: false - role: letsencrypt - role: haproxy - role: jump handlers: - include: handlers/main.yml #- name: Configure keepalived for jump # hosts: c4science-jump00 # roles: # - role: keepalived # keepalived_shared_ip: "{{ external_ip }}" # keepalived_role: "master" #- name: Configure keepalived for jump2 # hosts: c4science-jump01 # roles: # - role: keepalived # keepalived_shared_ip: "{{ external_ip }}" # keepalived_role: "slave" +- name: Configure Shibboleth + hosts: shib + tags: conf-shib + vars_files: + - "vars/main.yml" + vars: + nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" + user: centos + sudo: yes + roles: + - role: common + tags: [ 'common' ] + - role: swap/roles/swap + tags: [ 'common' ] + - role: nrpe + tags: [ 'common', 'conf-monit' ] + - role: postfix + postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" + handlers: + - include: handlers/main.yml + - name: Configure Monitoring Server hosts: monit tags: conf-monit vars_files: - "vars/main.yml" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: common tags: [ 'common' ] - role: swap/roles/swap tags: [ 'common' ] - role: nrpe tags: [ 'common', 
'conf-monit' ] - role: postfix postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" - role: rsyslog - role: logcheck - role: apache - role: nagios - role: ganglia-gmond - role: ganglia-gmetad tasks: - include: roles/galera/tasks/install.yml yum_repo: roles/galera/files/yum.repo - service: name=mysql enabled=false state=stopped handlers: - include: handlers/main.yml - name: Configure Databases hosts: dbs tags: conf-dbs vars_files: - "vars/main.yml" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: common tags: [ 'common' ] - role: swap/roles/swap tags: [ 'common' ] - role: nrpe tags: [ 'common', 'conf-monit' ] - role: postfix postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" - role: ganglia-gmond - role: galera handlers: - include: handlers/main.yml - name: Configure App hosts: app tags: conf-app vars_files: - "vars/main.yml" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: common tags: [ 'common' ] - role: swap/roles/swap tags: [ 'common' ] - role: nrpe tags: [ 'common', 'conf-monit' ] - role: postfix postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" - role: ganglia-gmond - { role: nginx, nginx_config: nginx-phabricator.conf } - role: glusterfs - role: phabricator handlers: - include: handlers/main.yml - name: Configure Jenkins master hosts: ci vars_files: - "vars/main.yml" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: common tags: [ 'common' ] - role: swap/roles/swap tags: [ 'common' ] - role: nrpe tags: [ 'common', 'conf-monit' ] - role: postfix postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" - role: ganglia-gmond - role: ci tags: [ 'jenkins' ] - 
role: jenkins plugins: - 'preSCMbuildstep' - 'git' - 'build-token-root' - 'phabricator-plugin' - 'docker-plugin' - 'build-monitor-plugin' - 'job-restrictions' - 'project-stats-plugin' - 'cluster-stats' - 'embeddable-build-status' prefix: '/build' email: smtp_host: 'mail.epfl.ch' smtp_ssl: 'true' default_email_suffix: '@epfl.ch' #- name: Configure Jenkins slave # hosts: ci-slave # tags: conf-ci-slave # vars_files: # - "vars/main.yml" # user: core # sudo: yes # roles: # - role: docker - name: Configure Backup server hosts: backup tags: conf-backup vars_files: - "vars/main.yml" vars: nagios_nrpe_server_allowed_hosts: "86.119.30.4,127.0.0.1" user: centos sudo: yes roles: - role: common tags: [ 'common' ] - role: swap/roles/swap tags: [ 'common' ] - role: nrpe tags: [ 'common', 'conf-monit' ] - role: backup
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 47b2eb5..6d5ced3 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
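Review bot: The new `Configure Shibboleth` play applies only `common`, `swap/roles/swap`, `nrpe` and `postfix` to the `shib` group; nothing in it installs or configures the Shibboleth SP that the HAProxy template routes `/Shibboleth.sso` to, so the SP's keypair, metadata and session settings presumably end up hand-managed on `c4science-shib`. If a role exists it belongs in this list (`- role: shibboleth` with its own tag); if not, a comment such as `# TODO: the Shibboleth SP itself is not yet managed by this play` keeps the gap visible. The play also copies the `sudo: yes` spelling from its neighbours; new plays should use `become: true` (real booleans rather than `yes`) so the file can converge on the current form. Note that `postfix_relayhost` dereferences `hostvars['127.0.0.1']['openstackjump'].results[0]`, so this play only works when `Create Instances` has run in the same invocation — a host `--limit` that excludes `127.0.0.1` will fail on an undefined variable.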
@@ -1,132 +1,134 @@ global log 127.0.0.1 local2 notice warning chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 4000 user haproxy group haproxy daemon # turn on stats unix socket stats socket /var/lib/haproxy/stats level admin # SSL/TLS tune.ssl.default-dh-param 2048 ssl-default-bind-options no-sslv3 ssl-default-bind-options no-tlsv10 ssl-default-bind-options no-tls-tickets ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK defaults mode http log global option dontlognull #option forceclose option redispatch retries 3 timeout connect 10s timeout client 1m timeout server 1m maxconn 3000 userlist admins user {{ monit_user }} insecure-password admin #password {{ monit_pass }} frontend public bind *:80 #acl host_sub1 hdr(host) -i jenkins.{{ domain }} #use_backend ci if host_sub1 #redirect scheme https if !host_sub1 redirect scheme https frontend public_tls rspadd Strict-Transport-Security:\ max-age=15768000 bind *:443 ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem errorfile 400 /etc/haproxy/sorry.http errorfile 403 /etc/haproxy/sorry.http errorfile 408 /etc/haproxy/sorry.http errorfile 500 /etc/haproxy/sorry.http errorfile 502 /etc/haproxy/sorry.http errorfile 503 /etc/haproxy/sorry.http errorfile 504 /etc/haproxy/sorry.http acl host_sub1 hdr(host) -i jenkins.{{ domain }} acl host_sub2 path_beg -i /Shibboleth.sso use_backend ci if host_sub1 use_backend shib if host_sub2 default_backend app backend app balance source hash-type consistent option 
httpchk HEAD /maniphest/ HTTP/1.1\r\nHost:\ {{ domain }} {% for host in groups['app'] %} server {{ hostvars[host]['host_name'] }} {{ host }}:80 check send-proxy {% endfor %} backend shib balance static-rr - server c4science-testshib 10.0.108.112:80 check + {% for host in groups['shib'] %} + server {{ hostvars[host]['host_name']}} {{ host }}:80 check + {% endfor %} backend ci balance static-rr {% for host in groups['ci'] %} server {{ hostvars[host]['host_name']}} {{ host }}:{{ jenkins_port }} check {% endfor %} frontend monit bind *:{{ monit_port }} ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem default_backend monitd acl auth_admin http_auth(admins) http-request allow if auth_admin http-request auth realm Restricted unless auth_admin http-request deny backend monitd {% for host in groups['monit'] %} server {{ hostvars[host]['host_name'] }} {{ host }}:80 {% endfor %} frontend sshd mode tcp option tcplog bind *:{{ vcs_port }} default_backend ssh timeout client 1h backend ssh mode tcp balance source hash-type consistent {% for host in groups['app'] %} server {{ hostvars[host]['host_name'] }} {{ host }}:{{ vcs_port }} check port {{ vcs_port }} {% endfor %} frontend mysqld mode tcp option tcplog bind {{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}:3306 default_backend mysql backend mysql mode tcp balance static-rr option mysql-check user {{ mysql_lbs_user }} {% for host in groups['dbs'] %} server {{ hostvars[host]['host_name'] }} {{ host }}:3306 check port 3306 {% endfor %} listen haproxy-monit bind *:{{ stats_port }} ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem stats enable stats refresh 5s stats show-legends stats uri / acl auth_admin http_auth(admins) stats http-request allow if auth_admin stats http-request auth realm Restricted unless auth_admin stats http-request deny stats admin if auth_admin
diff --git a/tasks/create-instances.yml b/tasks/create-instances.yml
index 3037cc0..476bf3b 100644
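Review bot: The new `backend shib` loop proxies to `{{ host }}:80 check` with nothing that tells the backend the client connection was HTTPS — unlike `backend app` it has no `send-proxy`, and there is no `option forwardfor` or `X-Forwarded-Proto` — so a Shibboleth SP behind it will presumably build its handler URLs with `http://` and log the jump host as the client; adding `option forwardfor` and `http-request set-header X-Forwarded-Proto https` to this backend (with the matching scheme setting on the SP) addresses both. The `check` here is a bare TCP check, so a hung Apache/shibd keeps receiving `/Shibboleth.sso` traffic; an `option httpchk` like the one `backend app` carries is worth adding once a cheap status path is known. Separately, the unchanged `userlist admins` line still reads `insecure-password admin` with `{{ monit_pass }}` commented out, which means the `monit` frontend and the `haproxy-monit` stats page — where `stats admin if auth_admin` permits changing server state — are protected by the literal password `admin`; this should be `password {{ monit_pass }}` (hashed) or at minimum `insecure-password {{ monit_pass }}` before the template is rolled out further.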
--- a/tasks/create-instances.yml
+++ b/tasks/create-instances.yml
@@ -1,200 +1,223 @@ --- # Create instances - name: Create jump os_server: state: present security_groups: all name: "c4science-jump0{{ item }}" image: "{{ image_id }}" key_name: "{{ keypair_name }}" wait: yes floating_ips: - "{{ external_ip }}" nics: - net-id: "{{ private_net}}" flavor: "{{ flavor_id_small }}" meta: hostname: "c4science-jump0{{ item }}" group: ansible register: openstackjump with_items: - 0 - add_host: name: "{{ openstackjump.results[item].openstack.public_v4 }}" private_ip: "{{ openstackjump.results[item].openstack.private_v4 }}" host_name: "c4science-jump0{{ item }}" groupname: lbs with_items: - 0 - name: Create App os_server: state: present security_groups: all name: "c4science-app0{{ item }}" image: "{{ image_id }}" key_name: "{{ keypair_name }}" wait: yes auto_ip: no nics: - net-id: "{{ private_net}}" flavor: "{{ flavor_id_medium}}" meta: hostname: "c4science-app0{{ item }}" group: ansible register: "openstackapp" with_items: - 0 - 1 - 2 - add_host: name: "{{ openstackapp.results[item].openstack.private_v4 }}" private_ip: "{{ openstackapp.results[item].openstack.private_v4 }}" host_name: "c4science-app0{{ item }}" groupname: app with_items: - 0 - 1 - 2 - name: Create Db os_server: state: present security_groups: all name: "c4science-db0{{ item }}" image: "{{ image_id }}" key_name: "{{ keypair_name }}" wait: yes auto_ip: no nics: - net-id: "{{ private_net}}" flavor: "{{ flavor_id_medium}}" meta: hostname: "c4science-db0{{ item }}" group: ansible register: openstackdb with_items: - 0 - 1 - 2 - add_host: name: "{{ openstackdb.results[item].openstack.private_v4 }}" private_ip: "{{ openstackdb.results[item].openstack.private_v4 }}" host_name: "c4science-db0{{ item }}" groupname: dbs with_items: - 0 - 1 - 2 +- name: Create Shibboleth instance + os_server: + state: present + security_groups: all + name: c4science-shib + image: "{{ image_id }}" + key_name: "{{ keypair_name }}" + wait: yes + auto_ip: no + nics: + - net-id: "{{ private_net }}" + flavor: 
"{{ flavor_id_small }}" + meta: + hostname: c4science-shib + group: ansible + register: openstackshib + +- add_host: + name: "{{ openstackshib.openstack.private_v4 }}" + private_ip: "{{ openstackshib.openstack.private_v4 }}" + host_name: "c4science-shib" + groupname: shib + - name: Create Monitoring instance os_server: state: present security_groups: all name: c4science-monit image: "{{ image_id }}" key_name: "{{ keypair_name }}" wait: yes auto_ip: no nics: - net-id: "{{ private_net}}" flavor: "{{ flavor_id_medium}}" meta: hostname: c4science-monit group: ansible register: openstackmonit - add_host: name: "{{ openstackmonit.openstack.private_v4 }}" private_ip: "{{ openstackmonit.openstack.private_v4 }}" host_name: "c4science-monit" groupname: monit - name: Create Jenkins master os_server: state: present security_groups: all name: "c4science-ci0{{ item }}" image: "{{ image_id }}" key_name: "{{ keypair_name }}" wait: yes auto_ip: no nics: - net-id: "{{ private_net }}" flavor: "{{ flavor_id_medium }}" meta: hostname: "c4science-ci0{{ item }}" group: ansible register: openstackci with_items: - 0 - add_host: name: "{{ openstackci.results[item].openstack.private_v4 }}" private_ip: "{{ openstackci.results[item].openstack.private_v4 }}" host_name: "c4science-ci0{{ item }}" groupname: ci with_items: - 0 - name: Create Jenkins slaves os_server: state: present security_groups: all name: "c4science-ci-slave0{{ item }}" image: "{{ image_id_coreos }}" key_name: "{{ keypair_name }}" wait: yes auto_ip: no nics: - net-id: "{{ private_net }}" flavor: "{{ flavor_id_medium }}" meta: hostname: "c4science-ci-slave0{{ item }}" group: ansible register: openstackcislave with_items: - 0 - add_host: name: "{{ openstackcislave.results[item].openstack.private_v4 }}" private_ip: "{{ openstackcislave.results[item].openstack.private_v4 }}" host_name: "c4science-ci-slave0{{ item }}" groupname: ci-slave with_items: - 0 #- name: Create backup instance # os_server: # state: present # region_name: "{{ 
region_back }}" # security_groups: all # name: c4science-backup # image: "{{ image_id_backup }}" # key_name: "{{ keypair_name }}" # wait: yes # floating_ips: # - "{{ backup_ip }}" # nics: # - net-id: "{{ private_net_backup}}" # flavor: "{{ flavor_id_small_backup }}" # meta: # hostname: c4science-backup # group: ansible # register: openstackbackup # #- add_host: # name: "{{ openstackbackup.openstack.public_v4 }}" # private_ip: "{{ openstackbackup.openstack.private_v4 }}" # host_name: "c4science-backup" # groupname: backup - add_host: name: "{{ backup_ip }}" private_ip: "{{ backup_ip }}" host_name: "c4science-backup" groupname: backup
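Review bot: The new `Create Shibboleth instance` task places the SP in `security_groups: all`, the same group as the jump, app, db and CI nodes, so the host that consumes SAML assertions from the Internet (via HAProxy) gets whatever network reach `all` grants, presumably including the database tier. The group's rules live in `tasks/create-security-groups.yml`, which is not in this diff, so this is inferred from the name; if `all` is as broad as it sounds, a dedicated group allowing only `:80` from the jump host(s) plus management SSH would be the least-privilege choice, e.g. `security_groups: shib`. The following `add_host` registers `openstackshib.openstack.private_v4` without `with_items`, matching the `monit` pattern rather than the indexed `results[item]` one, which is consistent; giving it a `name:` (`- name: Register Shibboleth host`) would make the play output show which group is being populated.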