diff --git a/.gitignore b/.gitignore
index 5a9f256..c10d29d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
vars/main.yml vars/test.yml *.swp .vagrant benchmark*.png
+hosts-test
+hosts-prod
diff --git a/Makefile b/Makefile
index ba0b789..9eb2e90 100644
--- a/Makefile
+++ b/Makefile
@@ -1,122 +1,132 @@ # vim: set noexpandtab: ANSIBLE = ansible-playbook SKIP_TAGS = --skip-tags "init,common" + PROD_BOOK = books/main_prod.yml -TEST_BOOK = books/main_test.yml +PROD_HOST = -i hosts-prod PROD_VARS = ../vars/main.yml + +TEST_BOOK = books/main_test.yml +TEST_HOST = -i hosts-test TEST_VARS = ../vars/test.yml status: nova list # Everything list: - $(ANSIBLE) $(PROD_BOOK) --list-hosts + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --list-hosts test-list: - $(ANSIBLE) $(TEST_BOOK) --list-hosts + $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --list-hosts + +create: + $(ANSIBLE) books/openstack_prod.yml + +test-create: + $(ANSIBLE) books/openstack_test.yml init: - $(ANSIBLE) $(PROD_BOOK) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) test-init: - $(ANSIBLE) $(TEST_BOOK) + $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) -up: - $(ANSIBLE) $(PROD_BOOK) $(SKIP_TAGS) +all: + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) $(SKIP_TAGS) -test-up: - $(ANSIBLE) $(TEST_BOOK) $(SKIP_TAGS) +test-all: + $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) $(SKIP_TAGS) restart: $(ANSIBLE) books/restart.yml reboot: $(ANSIBLE) books/reboot.yml stop: $(ANSIBLE) books/stop.yml version: $(ANSIBLE) --extra-vars="var=$(PROD_VARS)" books/versions.yml test-version: $(ANSIBLE) --extra-vars="var=$(TEST_VARS)" books/versions.yml # Specific app: - $(ANSIBLE) $(PROD_BOOK) --tags conf-app $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-app $(SKIP_TAGS) test-app: - $(ANSIBLE) $(TEST_BOOK) --tags conf-app $(SKIP_TAGS) + $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-app $(SKIP_TAGS) fs: - $(ANSIBLE) $(PROD_BOOK) --tags conf-fs $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-fs $(SKIP_TAGS) test-fs: - $(ANSIBLE) $(TEST_BOOK) --tags conf-fs $(SKIP_TAGS) + $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-fs $(SKIP_TAGS) phd: - $(ANSIBLE) $(PROD_BOOK) --tags conf-phd $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-phd $(SKIP_TAGS) test-phd: - $(ANSIBLE) $(TEST_BOOK) --tags conf-phd $(SKIP_TAGS) + 
$(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-phd $(SKIP_TAGS) lbs: - $(ANSIBLE) $(PROD_BOOK) --tags conf-lbs $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-lbs $(SKIP_TAGS) test-lbs: - $(ANSIBLE) $(TEST_BOOK) --tags conf-lbs $(SKIP_TAGS) + $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-lbs $(SKIP_TAGS) monit: - $(ANSIBLE) $(PROD_BOOK) --tags conf-monit $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-monit $(SKIP_TAGS) test-monit: - $(ANSIBLE) $(TEST_BOOK) --tags conf-monit $(SKIP_TAGS) + $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-monit $(SKIP_TAGS) backup: - $(ANSIBLE) $(PROD_BOOK) --tags conf-backup $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-backup $(SKIP_TAGS) dbs: - $(ANSIBLE) $(PROD_BOOK) --tags conf-dbs $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-dbs $(SKIP_TAGS) test-dbs: - $(ANSIBLE) $(TEST_BOOK) --tags conf-dbs $(SKIP_TAGS) + $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-dbs $(SKIP_TAGS) ci: - $(ANSIBLE) $(PROD_BOOK) --tags jenkins $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags jenkins $(SKIP_TAGS) test-ci: - $(ANSIBLE) $(TEST_BOOK) --tags jenkins $(SKIP_TAGS) + $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags jenkins $(SKIP_TAGS) ci-slave: - $(ANSIBLE) $(PROD_BOOK) --tags conf-ci-slave $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-ci-slave $(SKIP_TAGS) shib: - $(ANSIBLE) $(PROD_BOOK) --tags conf-shib $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-shib $(SKIP_TAGS) gluster: - $(ANSIBLE) $(PROD_BOOK) --tags gluster $(SKIP_TAGS) + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags gluster $(SKIP_TAGS) common: - $(ANSIBLE) $(PROD_BOOK) --tags common --skip-tags init + $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags common --skip-tags init # Utils update-phab: $(ANSIBLE) books/update_prod.yml test-update-phab: $(ANSIBLE) books/update_test.yml security: $(ANSIBLE) books/security-update.yml arbitrator: $(ANSIBLE) books/arbitrator.yml clean: 
$(ANSIBLE) books/cleanup.yml diff --git a/books/main_prod.yml b/books/main_prod.yml index 5824bb9..a259bba 100644 --- a/books/main_prod.yml +++ b/books/main_prod.yml @@ -1,38 +1,20 @@ --- -- name: Create Instances - hosts: 127.0.0.1 - tags: always - connection: local - gather_facts: false - vars_files: - - "../vars/main.yml" - tasks: - - include: ../tasks/create-security-groups.yml - tags: [ 'init' ] - - include: ../tasks/create-instances.yml - tags: [ 'always' ] - - include: ../tasks/create-volumes.yml - tags: [ 'init' ] - - shell: "git show-ref -s --head HEAD | head -n 1" - register: commit - tags: [ 'always' ] - - include: main_servers.yml var=../vars/main.yml - name: Configure Backup server hosts: backup tags: conf-backup vars_files: - "../vars/main.yml" vars: nagios_nrpe_server_allowed_hosts: "86.119.30.4,127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/backup diff --git a/books/main_servers.yml b/books/main_servers.yml index a8514fb..60e594f 100644 --- a/books/main_servers.yml +++ b/books/main_servers.yml 
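Review bot: Every target in this file is a command rather than a file, and the new `create`, `test-create`, `all` and `test-all` continue that without any `.PHONY` declaration, so a stray file called `all` or `create` in the checkout makes `make all` report it up to date and silently skip the production playbook; add `.PHONY: create test-create all test-all` (ideally the full target list) near the top. Renaming `up` to `all` also hands the conventional build-everything name to the target that applies the whole production playbook, which invites an accidental `make all`; a `## Applies the full PROD playbook to production` comment on that rule, or a less conventional name, makes the blast radius visible. The `-i hosts-prod` / `-i hosts-test` inventories are written by `create`/`test-create`, yet nothing expresses that dependency, so on a fresh clone `make list` presumably fails or runs against an empty host list (behaviour depends on the Ansible version); a one-line comment above `PROD_HOST` saying that `make create` generates the file would help. `status` remains the default goal since it is still the first rule.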
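Review bot: The Backup server play that remains in `main_prod.yml` still hard-codes `nagios_nrpe_server_allowed_hosts: "86.119.30.4,127.0.0.1"` while every play in `main_servers.yml` derives the same value from `groups['monit'][0]`; now that the prod run is driven by the generated `hosts-prod` inventory, the monitoring host's address can change without this allow-list following it, and NRPE on the backup host would then reject the monitor. The line is unchanged by this commit but is the one remaining literal address in the prod books; `nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1"` would bring it in line, assuming the backup play's inventory contains a `monit` group (not verifiable here).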
@@ -1,254 +1,258 @@ --- +- name: Get local commit + hosts: 127.0.0.1 + tags: always + connection: local + gather_facts: false + tasks: + - shell: "git show-ref -s --head HEAD | head -n 1" + register: commit + tags: [ 'always' ] + - name: Configure Jump Server hosts: lbs tags: conf-lbs vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix postfix_mynetworks: [ "{{ ip_range }}" ] enable_postfix_relayhost: false - role: ../roles/letsencrypt when: env != "test" - role: ../roles/haproxy - role: ../roles/jump tasks: - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" handlers: - include: ../handlers/main.yml #- name: Configure keepalived for jump # hosts: c4science-jump00 # roles: # - role: ../rolesepalived # keepalived_shared_ip: "{{ external_ip }}" # keepalived_role: ../rolesaster" #- name: Configure keepalived for jump2 # hosts: c4science-jump01 # roles: # - role: ../rolesepalived # keepalived_shared_ip: "{{ external_ip }}" # keepalived_role: ../roleslave" # tasks: # - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" - name: Configure Monitoring Server hosts: monit tags: conf-monit vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix - postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" tags: [ 'common' ] - role: ../roles/logcheck - role: ../roles/rsyslog - { role: ../roles/apache, 
apache_config: placeholder.conf } - role: ../roles/nagios - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/ganglia-gmetad tasks: - include: ../roles/galera/tasks/install.yml yum_repo: ../roles/galera/files/yum.repo - service: name=mysql enabled=false state=stopped - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" handlers: - include: ../handlers/main.yml - name: Configure Databases hosts: dbs tags: conf-dbs vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix - postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/galera tasks: - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" handlers: - include: ../handlers/main.yml - name: Configure App hosts: app tags: conf-app vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix - postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - { role: ../roles/apache, apache_config: phabricator.conf } - role: ../roles/glusterfs tags: ['gluster'] - role: ../roles/phabricator - role: ../roles/shibboleth tasks: - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" handlers: - include: ../handlers/main.yml - name: Configure Filesystem for 
repositories hosts: fs tags: conf-fs vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix - postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/glusterfs tags: ['gluster'] - role: ../roles/fs tags: ['gluster'] tasks: - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" handlers: - include: ../handlers/main.yml - name: Configure App Daemons hosts: phd tags: conf-phd vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix - postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/glusterfs tags: ['gluster'] tasks: - include: ../roles/phabricator/tasks/packages.yml - include: ../roles/phabricator/tasks/users.yml - include: ../roles/phabricator/tasks/glusterfs.yml - include: ../roles/phabricator/tasks/install.yml myconfig=../roles/phabricator/templates/myconfig.conf.php - include: ../roles/phabricator/tasks/daemons.yml phd_init: ../roles/phabricator/templates/phd_init - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" handlers: - include: ../handlers/main.yml - name: Configure Jenkins master hosts: ci vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos 
sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix - postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]" tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/jenkins plugins: - 'preSCMbuildstep' - 'git' - 'build-token-root' - 'phabricator-plugin' - 'docker-plugin' - 'build-monitor-plugin' - 'job-restrictions' - 'project-stats-plugin' - 'cluster-stats' - 'embeddable-build-status' prefix: '/build' email: smtp_host: 'localhost' smtp_ssl: 'false' default_email_suffix: "@{{ domain }}" - role: ../roles/ci tags: [ 'jenkins' ] tasks: - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" #- name: Configure Jenkins slave # hosts: ci-slave # tags: conf-ci-slave # vars_files: # - "{{ var }}" # user: core # sudo: yes # roles: # - role: ../rolescker diff --git a/books/main_test.yml b/books/main_test.yml index 6919770..08467b7 100644 --- a/books/main_test.yml +++ b/books/main_test.yml @@ -1,18 +1,2 @@ --- -- name: Create test Instances - hosts: 127.0.0.1 - tags: always - connection: local - gather_facts: false - vars_files: - - "../vars/test.yml" - tasks: - - include: ../tasks/create-security-groups.yml - tags: [ 'init' ] - - include: ../tasks/create-instances.yml - tags: [ 'always' ] - - shell: "git show-ref -s --head HEAD | head -n 1" - register: commit - tags: [ 'always' ] - - include: main_servers.yml var=../vars/test.yml diff --git a/books/openstack_prod.yml b/books/openstack_prod.yml new file mode 100644 index 0000000..a58be36 --- /dev/null +++ b/books/openstack_prod.yml 
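Review bot: The postfix role on the monit, dbs, app, fs, phd and ci plays loses its `postfix_relayhost` entirely: the removed line pointed at the jump host's private address, but unlike the haproxy, nrpe, galera and Phabricator templates in this commit it is not replaced with `{{ internal_ip }}`, so unless the role's defaults set a relay (not visible here), outbound mail from those hosts — including nagios and logcheck alerts — is no longer relayed through the jump host. Restoring `postfix_relayhost: "[{{ internal_ip }}]"` under each `- role: ../roles/postfix` keeps the previous behaviour. The new `Get local commit` play registers `commit` on `127.0.0.1` and the later plays read it via `hostvars['127.0.0.1']`, which only works while the controller is addressed by exactly that name (explicitly in the generated inventory or through Ansible's implicit localhost); a comment on the play stating that contract would save the next reader a debugging round. The `git show-ref` task also has no `changed_when: false`, so every run reports a change.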
@@ -0,0 +1,13 @@
+---
+- name: Create Instances
+ hosts: 127.0.0.1
+ connection: local
+ gather_facts: false
+ vars_files:
+ - "../vars/main.yml"
+ tasks:
+ - include: ../tasks/create-security-groups.yml
+ - include: ../tasks/create-instances.yml
+ - include: ../tasks/create-volumes.yml
+ - shell: echo "{{ groups }}" | ./utils/inventory.py prod
+
diff --git a/books/openstack_test.yml b/books/openstack_test.yml
new file mode 100644
index 0000000..6d6b640
--- /dev/null
+++ b/books/openstack_test.yml
@@ -0,0 +1,16 @@
+---
+- name: Create Instances
+ hosts: 127.0.0.1
+ connection: local
+ gather_facts: false
+ vars_files:
+ - "../vars/test.yml"
+ tasks:
+ #- include: ../tasks/create-security-groups.yml
+ - include: ../tasks/create-instances.yml
+ #- include: ../tasks/create-volumes.yml
+ - shell: "> hosts-test"
+ - shell: "echo '{ \"{{ item }}\": [{% for host in groups[item] %}{\"hostname\": \"{{ hostvars[host]['host_name'] }}\",\"addr\":\"{{ host }}\"}{% if not loop.last %},{% endif %}{% endfor %}] }' | ./utils/inventory.py test"
+ when: item not in ['all', 'ungrouped']
+ with_items: groups.keys()
+
diff --git a/roles/ci/templates/config.xml b/roles/ci/templates/config.xml
index 01513a7..be9be99 100644
--- a/roles/ci/templates/config.xml
+++ b/roles/ci/templates/config.xml
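Review bot: The two inventory generators in `openstack_prod.yml` and `openstack_test.yml` disagree: the test book truncates its output first (`shell: "> hosts-test"`) and pipes one JSON document per group into `./utils/inventory.py test`, whereas the prod book never truncates `hosts-prod` and pipes the raw `{{ groups }}` dict to `inventory.py prod`. If inventory.py appends (not visible here), `hosts-prod` accumulates stale addresses across runs and every `-i hosts-prod` target then reaches hosts whose IPs may since have been released and reassigned; if it rewrites, the truncation on the test side is redundant — either way both books should produce the file the same way, preferably via a temporary name moved into place so an interrupted run cannot leave a half-written inventory behind. Both `shell` tasks also rely on the working directory to find `./utils/inventory.py` and report changed on every run; `args: chdir: "{{ playbook_dir }}/.."` and `changed_when: false` make that explicit. Commenting out `create-security-groups.yml` on the test side leaves test instances with whatever security groups already exist in the project; if that is intended, a comment saying where those are managed would help.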
@@ -1,240 +1,240 @@ hudson.diagnosis.ReverseProxySetupMonitor 1.656 0 EXCLUSIVE true hudson.model.Item.Cancel hudson.model.Item.Delete hudson.model.Item.Read hudson.model.Run.Delete hudson.model.Item.Workspace hudson.model.Item.Build com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs hudson.model.Item.Configure hudson.model.Item.Discover hudson.model.Item.ViewStatus hudson.model.Run.Update authenticated hudson.model.Hudson.Read hudson.model.Item.ViewStatus authenticated admin anonymous hudson.model.View.Delete hudson.model.Computer.Connect hudson.model.Run.Delete hudson.model.Hudson.UploadPlugins com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains hudson.model.Computer.Create hudson.model.View.Configure com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs hudson.model.Hudson.ConfigureUpdateCenter hudson.model.Computer.Build hudson.model.Item.Configure hudson.model.Hudson.Administer hudson.model.Item.Cancel hudson.model.Item.Read com.cloudbees.plugins.credentials.CredentialsProvider.View hudson.model.Computer.Delete hudson.model.Item.Build hudson.scm.SCM.Tag hudson.model.Item.Discover hudson.model.Item.ViewStatus hudson.model.Hudson.Read com.cloudbees.plugins.credentials.CredentialsProvider.Update hudson.model.Item.Create hudson.model.Item.Workspace com.cloudbees.plugins.credentials.CredentialsProvider.Delete hudson.model.View.Read hudson.model.Hudson.RunScripts hudson.model.View.Create hudson.model.Item.Delete hudson.model.Computer.Configure com.cloudbees.plugins.credentials.CredentialsProvider.Create com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Nodes hudson.model.Computer.Disconnect hudson.model.Run.Update admin hudson.model.Item.Create authenticated {{ jenkins_phab_id }} {{ jenkins_phab_secret }} {{ jenkins_phab_url }} false ${ITEM_ROOTDIR}/workspace ${ITEM_ROOTDIR}/builds c4science.ch docker-coreos 2 ubuntu ubuntu:trusty 22 59c90edd-cfc6-4ae8-83d3-87cb8ae9880f 0 0 /home/jenkins 2147483647 NORMAL 10 10 1 
jenkins-ubuntu false 2048 256 false false false PULL_LATEST 2 centos centos:7 22 59c90edd-cfc6-4ae8-83d3-87cb8ae9880f 0 0 /home/jenkins 2147483647 NORMAL 10 10 1 jenkins-centos false 2048 256 false false false PULL_LATEST - http://{{ hostvars['127.0.0.1']['openstackcislave'].results[0]['openstack']['private_v4'] }}:4243 + http://{{ groups['ci-slave'][0] }}:4243 5 15 10 5 0 All false false All 0 false admin false false true diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index a1eea5b..49910d7 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
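Review bot: The Docker cloud URL still points the Jenkins master at a plain `http://…:4243` Docker remote API, now addressed as `groups['ci-slave'][0]`, and nothing in this template configures TLS or client certificates for that connection, so access to the daemon is controlled only by network reachability of that port. That is pre-existing, but since the address now comes from the generated inventory it is worth confirming the OpenStack security group restricts 4243 to the master, or moving the daemon and this URL to TLS. The new expression also renders only the first member of `ci-slave` and will most likely fail template rendering when that group is absent from the inventory — plausible here, since the `Configure Jenkins slave` play in `main_servers.yml` is commented out; guard it with `{% if groups['ci-slave'] is defined %}` or document that `make create` must populate the group before the ci play runs.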
@@ -1,92 +1,97 @@ --- ## Proxy for TEST - name: HTTP Proxy lineinfile: dest: /etc/rc.local line: "{{ item }}" with_items: - "export http_proxy={{ http_proxy }}" - "export https_proxy={{ http_proxy }}" - "export rsync_proxy={{ http_proxy }}" - "export ftp_proxy={{ http_proxy }}" when: env == "test" and http_proxy is defined ## Root and centos passwords - user: name=root password="{{ user_pwd_root }}" - user: name=centos password="{{ user_pwd_centos }}" ## Selinux - name: Disable SELinux selinux: policy=targeted state=disabled - name: Permanently disable SELinux copy: src=selinux-config dest=/etc/selinux/config # EPEL - name: Install EPEL repo. yum: name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm" state: present - name: Import EPEL GPG key. rpm_key: key: "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7" state: present # Basic packages - yum: name="{{ item }}" state=present update_cache=yes with_items: - htop - git - screen - vim - ntp - yum-cron - iftop - tcpdump - iperf - iotop - name: SSH Keys authorized_key: user=root key="{{ item }}" with_items: "{{ ssh_keys }}" - name: SSH Keys authorized_key: user=centos key="{{ item }}" with_items: "{{ ssh_keys }}" # Hosts - name: Clean hosts file template: src: hosts dest: /etc/hosts - name: Hosts file lineinfile: dest: /etc/hosts - line: "{{ hostvars[item]['private_ip'] }} {{ hostvars[item]['host_name'] }}" + line: "{{ item }} {{ hostvars[item]['host_name'] }}" with_items: groups.all when: hostvars[item]['host_name'] is defined +- name: Hosts file for lbs + lineinfile: + dest: /etc/hosts + line: "{{ internal_ip }} c4science-jump00" + - name: Hosts file for 10.0.0.217 lineinfile: dest: /etc/hosts line: "10.0.0.217 c4science-monit-cluster" # Scripts - name: Create scripts directory file: state="directory" path="/root/scripts" - name: Process memory copy: src=ps_mem.py dest=/root/scripts/ps_mem.py mode=0750 - name: Process swap copy: src=swap.sh dest=/root/scripts/swap.sh mode=0750 # Monit - include: monit.yml 
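Review bot: The new `Hosts file for lbs` task hard-codes the jump host's name as `c4science-jump00`, while every other `/etc/hosts` entry in the loop directly above it comes from `hostvars[item]['host_name']`; if the lbs host's `host_name` ever differs, name resolution, the nagios `host_name` and the HAProxy server names in this commit stop agreeing. The task also runs unconditionally, so `internal_ip` must be defined in both `vars/main.yml` and `vars/test.yml` (not verifiable here); the proxy task at the top of this file already shows the `when: … is defined` pattern. Consider `line: "{{ internal_ip }} {{ hostvars[groups['lbs'][0]]['host_name'] }}"` with `when: internal_ip is defined`, or at least a comment stating that `internal_ip` is the jump host's private address as the other templates in this commit assume.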
diff --git a/roles/common/templates/nrpe_local.cfg b/roles/common/templates/nrpe_local.cfg
index d2598c2..3d7209c 100644
--- a/roles/common/templates/nrpe_local.cfg
+++ b/roles/common/templates/nrpe_local.cfg
@@ -1,25 +1,23 @@ command[check_ssh]=/usr/lib64/nagios/plugins/check_ssh -H 127.0.0.1 command[check_ssh_phab]=/usr/lib64/nagios/plugins/check_ssh -H 127.0.0.1 -p {{ vcs_port }} command[check_disk_vda]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/vda1 command[check_disk_vdb]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/vdb command[check_disk_repo]=/usr/lib64/nagios/plugins/check_disk -X ext4 {{ repositories_path }} command[check_http_phab]=/usr/lib64/nagios/plugins/check_http -I {{ inventory_hostname }} -H {{ domain }} -u /status/ -r ALIVE command[check_http_ex_phab]=/usr/lib64/nagios/plugins/check_http -H {{ domain }} -e 'HTTP/1.1 302 Found' command[check_http_ex_phab_ssl]=/usr/lib64/nagios/plugins/check_http -H {{ domain }} --ssl -u /status/ -r ALIVE command[check_http_jenkins]=/usr/lib64/nagios/plugins/check_http -H jenkins.{{ domain }} --ssl -{% if hostvars['127.0.0.1']['openstackjump'] is defined %} -command[check_mysql_remote]=/usr/lib64/nagios/plugins/check_mysql -H {{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }} -u {{ mysql_app_user }} -p {{ mysql_app_pass }} -{% endif %} +command[check_mysql_remote]=/usr/lib64/nagios/plugins/check_mysql -H {{ internal_ip }} -u {{ mysql_app_user }} -p {{ mysql_app_pass }} command[check_mysql_local]=/usr/lib64/nagios/plugins/check_mysql -u root command[check_phd]=/usr/lib64/nagios/plugins/check_procs -C 'php' -a {{ phabricator_path }}phabricator/scripts/daemon/phd-daemon command[check_gluster]=/usr/lib64/nagios/plugins/check_procs -C 'glusterd' -c 1 command[check_gmond]=/usr/lib64/nagios/plugins/check_procs -C 'gmond' -c 1 command[check_gmetad]=/usr/lib64/nagios/plugins/check_procs -C 'gmetad' -c 1 command[check_httpd]=/usr/lib64/nagios/plugins/check_procs -C 'httpd' -c 1: command[check_java_jenkins]=/usr/lib64/nagios/plugins/check_procs -C 'java' -c 1 command[check_shibd]=/usr/lib64/nagios/plugins/check_procs -C 'shibd' -c 1 
command[check_shib_status]=/usr/lib64/nagios/plugins/check_http -H localhost -u /Shibboleth.sso/Status -R '' command[check_postfix_master]=/usr/lib64/nagios/plugins/check_procs -C master -a '-w' -c 1 command[check_postfix_pickup]=/usr/lib64/nagios/plugins/check_procs -C pickup -c 1 command[check_postfix_qmgr]=/usr/lib64/nagios/plugins/check_procs -C qmgr -c 1 command[check_mem]=/usr/local/bin/check_mem.sh -w 95 -c 98 -W 50 -C 90 diff --git a/roles/galera/tasks/configure.yml b/roles/galera/tasks/configure.yml index 25daa09..5b538c2 100644 --- a/roles/galera/tasks/configure.yml +++ b/roles/galera/tasks/configure.yml 
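Review bot: `check_mysql_remote` now renders unconditionally and places `{{ mysql_app_pass }}` on the command line, where it is visible in the process table of every host that receives `nrpe_local.cfg` (presumably all of them, since the template lives in roles/common) each time NRPE runs the check; the removed `{% if … is defined %}` guard at least kept the line off hosts without the jump variable. Prefer a root-only client options file and `command[check_mysql_remote]=/usr/lib64/nagios/plugins/check_mysql -H {{ internal_ip }} -f /etc/nrpe.d/mysql.cnf` (constructed path) so the password never appears in argv, and keep a `{% if internal_ip is defined %}` guard so the template still renders for a host whose vars lack it. The same applies to the application password being written into Phabricator's config by this commit, which is at least a file rather than a process argument.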
@@ -1,86 +1,86 @@ --- # Configure MySQL with Galera - stat: path=/var/local/mysql_reset register: mysql_reset - name: Copy phabricator stop words copy: src=stopwords.txt dest=/srv/stopwords.txt - name: Copy minimal mysql config template: src=my-mini.cnf dest=/etc/my.cnf when: not mysql_reset.stat.exists notify: stop mysql - name: Reset MySQL root password shell: /etc/init.d/mysql start --skip-grant-tables; mysql -u root -e 'flush privileges; SET PASSWORD FOR 'root'@'localhost' = PASSWORD("");'; touch /var/local/mysql_reset; service mysql stop when: not mysql_reset.stat.exists args: creates: /var/local/mysql_reset - name: Copy mysql config template: src=my.cnf dest=/etc/my.cnf - name: Check Galera status shell: mysql -e "SHOW STATUS LIKE 'wsrep_evs_state';" -s | awk '{print $2}' register: galera_status - name: Bootstrap MySQL Galera cluster shell: service mysql stop; /etc/init.d/mysql bootstrap when: "'{{ inventory_hostname }}' == '{{ groups.dbs[0] }}' and galera_status.stdout != 'OPERATIONAL'" - service: name=mysql state=started enabled=false when: "'{{ inventory_hostname }}' != '{{ groups.dbs[0] }}'" # Users - name: Create database app user mysql_user: state=present user={{ mysql_app_user }} password={{ mysql_app_pass }} priv=*.*:ALL host={{ mysql_host }} run_once: yes - name: Create haproxy user mysql_user: state=present user={{ mysql_lbs_user }} password="" priv=*.*:ALL - host={{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }} + host={{ internal_ip }} run_once: yes - name: Create Shibboleth user mysql_user: state=present user={{ mysql_shib_user }} password={{ mysql_shib_pass }} priv={{ mysql_shib_db }}.*:ALL host={{ mysql_host }} run_once: yes - name: Copy Shibboleth db schema copy: src: "install_shib.sql" dest: "/tmp/install_shib.sql" run_once: yes - name: Create Shibboleth db mysql_db: name: "{{ mysql_shib_db }}" run_once: yes - name: Check if Shibboleth tables exist shell: "mysql {{ mysql_shib_db }} -e 'show tables' | grep 
strings" register: tablestatus ignore_errors: yes run_once: yes - name: Populate Shibboleth db mysql_db: name: "{{ mysql_shib_db }}" target: /tmp/install_shib.sql state: import when: "'{{ inventory_hostname }}' == '{{ groups.dbs[0] }}' and tablestatus.rc != 0" diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2 index 3c27fa8..e2ee757 100644 --- a/roles/haproxy/templates/haproxy.cfg.j2 +++ b/roles/haproxy/templates/haproxy.cfg.j2 
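Review bot: The haproxy health-check account is created with `password=""` and `priv=*.*:ALL`, and this change only moves its allowed host to `{{ internal_ip }}`; a passwordless account with full privileges reachable from the jump host's address is far more than HAProxy's `option mysql-check` needs, which merely authenticates and disconnects. Reduce it to `priv=*.*:USAGE` so an IP reassignment or a compromised jump host does not come with a full-privilege database login. The empty password is a requirement of the mysql-check, so the host restriction is the only remaining control — worth recording above the task, e.g. `# HAProxy mysql-check requires an empty password; restrict by host and grant USAGE only`.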
@@ -1,134 +1,136 @@ global log 127.0.0.1 local2 notice warning chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 4000 user haproxy group haproxy daemon # turn on stats unix socket stats socket /var/lib/haproxy/stats level admin # SSL/TLS tune.ssl.default-dh-param 2048 ssl-default-bind-options no-sslv3 #ssl-default-bind-options no-tlsv10 ssl-default-bind-options no-tls-tickets ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK defaults mode http log global option dontlognull #option forceclose option redispatch retries 3 timeout connect 10s timeout client 1m timeout server 1m maxconn 3000 userlist admins user {{ monit_user }} insecure-password {{ monit_pass }} frontend public bind :::80 v4v6 redirect scheme https frontend public_tls rspadd Strict-Transport-Security:\ max-age=15768000 bind :::443 v4v6 ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem errorfile 503 /etc/haproxy/sorry.http - {% if env == "prod" %} +{% if env == "prod" %} acl is_jenkins hdr(host) -i jenkins.{{ domain }} - {% else %} +{% else %} acl is_jenkins path_beg -i /jenkins - {% endif %} +{% endif %} acl is_google path /{{ google_webmaster_file }} use_backend ci if is_jenkins use_backend google if is_google default_backend app backend google mode http errorfile 503 /etc/haproxy/google.http backend app balance source hash-type consistent option http-server-close option forwardfor {% if env == "prod" %} option httpchk HEAD /maniphest/ HTTP/1.1\r\nHost:\ {{ domain }} {% endif %} + 
{% for host in groups['app'] %} - server {{ hostvars[host]['host_name'] }} {{ host }}:80 check #send-proxy +server c4science-app0{{ loop.index0 }} {{ host }}:80 check #send-proxy {% endfor %} backend ci balance static-rr - {% for host in groups['ci'] %} - server {{ hostvars[host]['host_name']}} {{ host }}:{{ jenkins_port }} check - {% endfor %} +{% for host in groups['ci'] %} + server c4science-ci0{{ loop.index0 }} {{ host }}:{{ jenkins_port }} check +{% endfor %} frontend monit bind *:{{ monit_port }} ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem default_backend monitd acl auth_admin http_auth(admins) http-request allow if auth_admin http-request auth realm Restricted unless auth_admin http-request deny backend monitd - {% for host in groups['monit'] %} - server {{ hostvars[host]['host_name'] }} {{ host }}:80 - {% endfor %} +{% for host in groups['monit'] %} + server c4science-monit0{{ loop.index0 }} {{ host }}:80 +{% endfor %} frontend sshd mode tcp option tcplog option tcpka timeout client 1h bind :::{{ vcs_port }} v4v6 default_backend ssh backend ssh mode tcp balance source hash-type consistent timeout connect 500s timeout server 1h - {% for host in groups['app'] %} - server {{ hostvars[host]['host_name'] }} {{ host }}:{{ vcs_port }} check port {{ vcs_port }} - {% endfor %} +{% for host in groups['app'] %} + server c4science-app0{{ loop.index0 }} {{ host }}:{{ vcs_port }} check port {{ vcs_port }} +{% endfor %} frontend mysqld mode tcp option tcplog - bind {{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}:3306 + bind {{ internal_ip }}:3306 default_backend mysql backend mysql mode tcp balance static-rr option mysql-check user {{ mysql_lbs_user }} - {% for host in groups['dbs'] %} - server {{ hostvars[host]['host_name'] }} {{ host }}:3306 check port 3306 {% if not loop.first %}backup{% endif %} +{% for host in groups['dbs'] %} + server c4science-db0{{ loop.index0 }} {{ host }}:3306 check port 3306 {% if not loop.first 
%}backup{% endif %} - {% endfor %} +{% endfor %} listen haproxy-monit bind :::{{ stats_port }} v4v6 ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem stats enable stats refresh 5s stats show-legends stats uri / acl auth_admin http_auth(admins) stats http-request allow if auth_admin stats http-request auth realm Restricted unless auth_admin stats http-request deny stats admin if auth_admin + diff --git a/roles/nagios/templates/hosts.cfg b/roles/nagios/templates/hosts.cfg index 152682a..afd26b2 100644 --- a/roles/nagios/templates/hosts.cfg +++ b/roles/nagios/templates/hosts.cfg @@ -1,33 +1,35 @@ define host{ name linux-box use generic-host check_period 24x7 check_interval 5 retry_interval 1 max_check_attempts 10 check_command check-host-alive notification_period 24x7 notification_interval 30 notification_options d,r contact_groups c4science_admins register 0 } -{% for host in groups['all'] %} -{% if hostvars[host]['host_name'] is defined %} -define host{ - use linux-box - host_name {{ hostvars[host]['host_name'] }} -{% if hostvars[host]['host_name'] == 'c4science-jump00' %} - address {{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }} -{% else %} - address {{ host }} -{% endif %} -{% if hostvars[host]['group_names'][0] not in ['lbs', 'monit', 'backup'] %} - hostgroups {{ hostvars[host]['group_names'][0] }} -{% else %} - hostgroups utils -{% endif %} -} +{% for group in groups.keys() %} +{% if group not in ['all', 'ungrouped'] %} + {% for host in groups[group] %} + define host{ + use linux-box + host_name {{ hostvars[host]['host_name'] }} + {% if host == '{{ external_ip }}' %} + address {{ internal_ip }} + {% else %} + address {{ host }} + {% if group not in ['lbs', 'monit', 'backup'] %} + hostgroups {{ group }} + {% else %} + hostgroups utils + {% endif %} + } + {% endif %} + {% endfor %} {% endif %} {% endfor %} 
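Review bot: Replacing `hostvars[host]['host_name']` with positional names (`c4science-app0{{ loop.index0 }}`, likewise for ci, monit and db) makes every HAProxy server name depend on the ordering of the group in the generated inventory: if that order changes between runs, `c4science-app00` silently refers to a different machine, and the names no longer match the `host_name` that nagios and `/etc/hosts` use in this same commit, so stats-page entries and log lines can no longer be correlated with alerts. The scheme also only covers single digits (`0{{ loop.index0 }}` yields `app010` for the eleventh host). Keeping the real name with a positional fallback, `server {{ hostvars[host]['host_name'] | default('c4science-app0' ~ loop.index0) }} {{ host }}:80 check`, preserves the previous behaviour wherever `host_name` is set. The column-0 `server` line in `backend app` versus the indented ones in the other backends, and the stray blank line added before that loop, are cosmetic but worth aligning.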
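Review bot: `{% if host == '{{ external_ip }}' %}` compares the host against the literal string `{{ external_ip }}` — inside a `{% %}` statement a variable is referenced bare — so this branch can never be taken and the jump host's address is never rewritten to `{{ internal_ip }}` (the old template used a direct lookup and did not have this problem). The restructuring also moved the `{% else %}` so that the `hostgroups` lines and the closing `}` are emitted only in the else branch; once the comparison is fixed, the matching host would produce an unterminated `define host{` and nagios would reject the configuration. Write the test as `{% if host == external_ip %}` and move that `{% endif %}` to directly after `address {{ host }}`, so the hostgroups block and `}` are rendered for every host. The `{% if group not in ['lbs', 'monit', 'backup'] %}` branch then applies uniformly, which is what the old `group_names[0]` logic did.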
diff --git a/roles/phabricator/templates/myconfig.conf.php b/roles/phabricator/templates/myconfig.conf.php
index 7724b63..5d45c78 100644
--- a/roles/phabricator/templates/myconfig.conf.php
+++ b/roles/phabricator/templates/myconfig.conf.php
@@ -1,80 +1,80 @@
 '{{ http_scheme }}{{ domain }}/', 'phabricator.timezone' => 'Europe/Berlin', 'phabricator.serious-business' => true, 'phabricator.show-prototypes' => true, 'phabricator.developer-mode' => {{ developer_mode }}, 'phabricator.allowed-uris' => array( '{{ http_scheme }}{{ domain }}/', '{{ http_scheme }}{{ external_ip }}/' ), 'user.custom-field-definitions' => array( 'c4science:org' => array( 'name' => 'Organization', 'type' => 'text', 'caption' => 'Domain name of a home organization', 'required' => false, 'search' => true ), 'c4science:orgtype' => array( 'name' => 'Organization type', 'type' => 'text', 'caption' => 'Type of a home organization', 'required' => false, 'search' => true ) ), 'phd.log-directory' => '/var/log/phabricator', 'phd.taskmasters' => 20, 'phd.user' => '{{ phd_user }}', 'security.strict-transport-security' => true, 'security.require-https' => true, 'security.alternate-file-domain' => '{{ file_domain }}', 'darkconsole.enabled' => false, 'policy.allow-public' => true, 'auth.require-approval' => false, 'auth.require-email-verification' => false, 'cluster.addresses' => array( {% for host in groups['app'] %} "{{ hostvars[host]['inventory_hostname'] }}/32", {% endfor %} ), 'diffusion.ssh-user' => '{{ vcs_user }}', 'diffusion.ssh-port' => {{ vcs_port }}, 'diffusion.allow-http-auth' => true,
- 'mysql.host' => "{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}",
+ 'mysql.host' => "{{ internal_ip }}",
 'mysql.pass' => '{{ mysql_app_pass }}', 'mysql.user' => '{{ mysql_app_user }}',
 //'amazon-s3.access-key' => '{{ s3_access_key }}',
 //'amazon-s3.secret-key' => '{{ s3_secret_key }}',
 //'amazon-s3.endpoint' => '{{ s3_endpoint }}',
 //'amazon-s3.region' => '{{ s3_region }}',
 //'storage.s3.bucket' => '{{ s3_bucket }}',
 'storage.local-disk.path' => '{{ repositories_path }}files', 'files.enable-imagemagick' => true,
 #'auth.email-domains' => [
 # {% for domain in phabricator_domains %}
 # "{{ domain }}",
 # {% endfor %}
 #],
 'pygments.enabled' => true, 'environment.append-paths' => array( "/usr/libexec/git-core", "/bin", "/usr/bin", "/usr/local/bin" ), 'metamta.default-address' => 'phabricator@{{ domain }}', 'metamta.domain' => '{{ domain }}', );
diff --git a/roles/shibboleth/templates/shibboleth2.xml b/roles/shibboleth/templates/shibboleth2.xml
index a3b6047..61c50bc 100644
--- a/roles/shibboleth/templates/shibboleth2.xml
+++ b/roles/shibboleth/templates/shibboleth2.xml
@@ -1,155 +1,155 @@
- DRIVER=MySQL;SERVER={{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }};USER={{ mysql_shib_user }};PASSWORD={{ mysql_shib_pass }};DATABASE={{ mysql_shib_db }};APP={{ project_name }}
+ DRIVER=MySQL;SERVER={{ internal_ip }};USER={{ mysql_shib_user }};PASSWORD={{ mysql_shib_pass }};DATABASE={{ mysql_shib_db }};APP={{ project_name }}
 SAML2 Local SWITCHaai Metadata Signer 2.16.756.1.2.6.7
diff --git a/utils/Vagrantfile b/utils/Vagrantfile
index 1950bbf..c46dd4a 100644
--- a/utils/Vagrantfile
+++ b/utils/Vagrantfile
@@ -1,50 +1,44 @@
 Vagrant.configure(2) do |config|
 config.vm.box_url = "http://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1603_01.VirtualBox.box"
 config.vm.box = "vagrant-centos-7.1"
 config.vm.provider "virtualbox" do |v|
 v.memory = 2048
 v.cpus = 2
 end
 config.vm.define "10.10.0.2" do |machine|
 machine.vm.hostname = "c4science-dev"
 machine.vm.network "private_network", ip: "10.10.0.2"
 machine.vm.provision :ansible do |ansible|
 ansible.groups = { "lbs" => ["10.10.0.2"], "dbs" => ["10.10.0.2"], "app" => ["10.10.0.2"], "phd" => ["10.10.0.2"], "fs" => ["10.10.0.2"], "monit" => ["10.10.0.2"], "ci" => ["10.10.0.2"], "ci-slave" => ["10.10.0.2"], }
 ansible.playbook = "../books/main_dev.yml"
 ansible.sudo = true
 ansible.verbose = 'v'
 ansible.extra_vars = { proxy: 'no', http_proxy: '', ansible_ssh_user: 'vagrant', domain: "10.10.0.2",
+ internal_ip: "10.10.0.2",
 external_ip: "10.10.0.2",
- backup_ip: "127.0.0.1",
- openstackjump: {
- results: [{
- openstack: {
- private_v4: "10.10.0.2"
- }
- }]
- }
+ backup_ip: "127.0.0.1"
 }
 ansible.host_vars = { "10.10.0.2" => { "host_name" => "c4science-dev", "private_ip" => "10.10.0.2" }, }
 end
 end
 end
diff --git a/utils/inventory.py b/utils/inventory.py
new file mode 100755
index 0000000..1ae273c
--- /dev/null
+++ b/utils/inventory.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python2
+
+import json, sys
+
+FILE = 'hosts-%s' % sys.argv[1]
+JSON = json.loads(sys.stdin.read())
+INVENTORY = ''
+
+groups = [i for i in JSON]
+for g in groups:
+ INVENTORY += '[%s]\n' % g
+ for h in JSON[g]:
+ INVENTORY += '%s host_name=%s private_ip=%s\n' % (h['addr'], h['hostname'], h['private_ip'])
+ INVENTORY += '\n'
+
+f = open(FILE, 'a')
+f.write(INVENTORY)
+f.close()
+
diff --git a/vars/main.yml.example b/vars/main.yml.example
index 0dd8173..35f6911 100644
--- a/vars/main.yml.example
+++ b/vars/main.yml.example
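Review bot: `open(FILE, 'a')` appends, so each run of utils/inventory.py adds another full copy of every `[group]` section to `hosts-<suffix>` instead of regenerating it, and Ansible then sees the same hosts several times; use `with open(FILE, 'w') as f: f.write(INVENTORY)`, which also closes the file on error. `sys.argv[1]` is read unchecked, so a missing argument is an IndexError rather than a usage message, and any string becomes part of the output path — accepting only a fixed set of suffixes would keep the script writing just the inventory files it is meant to produce. The `addr`, `hostname` and `private_ip` values are copied into INI inventory lines verbatim; a value containing whitespace or `=` changes how Ansible parses the line, so it is worth rejecting such values before they are written.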
@@ -1,106 +1,108 @@
 ---
 env: prod
 project_name: "c4science"
 ansible_ssh_user: "centos"
 proxy: no
 http_proxy: ""
 no_proxy: "localhost"
 proxy_url: "{{ http_proxy }}"
 user_pwd_root: ""
 user_pwd_centos: ""
 # OpenStack
 keypair_name: ""
 image_id: ""
 image_id_coreos: ""
 public_net: ""
 private_net: ""
 flavor_id_small: ""
 flavor_id_medium: ""
 flavor_id_large: ""
 flavor_id_small_backup: ""
 private_net_backup: ""
 image_id_backup: ""
 region_main: ""
 region_back: ""
 # Storage
 s3_access_key: ""
 s3_secret_key: ""
 s3_endpoint: ""
 s3_bucket: ""
 s3_region: ""
 # Lbs
+internal_ip: 0.0.0.0
 external_ip: 0.0.0.0
 backup_ip: 0.0.0.0
 ip_range: "10.0.0.0/16"
 jenkins_port: 8080
 stats_port: 8082
 monit_port: 8081
 monit_user: admin
 monit_pass:
 rolling_reboot_proxy_host: "{{ external_ip }}"
 rolling_reboot_pause: 30
 rolling_reboot_wait_delay: 20
 # App
 developer_mode: false
 http_scheme: 'http://'
 domain: example.com
 file_domain: "{{ http_scheme }}static.{{ domain }}/"
 phabricator_path: /srv/www/facebook/
 repositories_path: /var/repo/
 phd_user: phabricator
 www_user: apache
 vcs_user: git
 vcs_port: 2222
 jenkins_admin_user: admin
 jenkins_admin_pass:
 jenkins_phab_url: "{{ http_scheme }}{{ domain }}/"
 jenkins_phab_id: "PHID-"
 jenkins_phab_secret: ""
 jenkins_url: "{{ http_scheme }}jenkins.{{ domain }}/"
 shib_metadata_file: "metadata.xml"
 shib_metadata_provider: "http://example.com/{{ shib_metadata_file }}"
 phabricator_domains:
 - "{{ domain }}"
 - 'example.com'
 google_webmaster_file: "googleXYZ.html"
 # Dbs
 mysql_app_user: ""
 mysql_app_pass: ""
 mysql_shib_user: ""
 mysql_shib_pass: ""
 mysql_shib_db: "shibboleth"
 mysql_lbs_user: "haproxy"
 mysql_cluster_name: ""
 mysql_host: "10.0.0.0/255.255.0.0"
 # SSH
 ssh_keys:
 - "ssh-rsa mysuperkey1"
 - "ssh-rsa mysuperkey2"
 # Swap
 swap_path: "/swapfile"
 dd_bs_size_mb: 32
 swap_count: 128
 swappiness: 10
 vfs_cache_pressure: 50
 # Email
 configure_postfix: true
 enable_postfix_domain_rewrite: true
 enable_postfix_relayhost: true
+postfix_relayhost: "[{{ internal_ip }}]"
 postfix_rewrite_domain: "{{ domain }}"
 email_alias_phabricator: ""
 email_alias_postmaster: ""
 email_alias_admin: ""
 email_monitoring: ""