diff --git a/.gitignore b/.gitignore
index 5a9f256..c10d29d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
vars/main.yml
vars/test.yml
*.swp
.vagrant
benchmark*.png
+hosts-test
+hosts-prod
diff --git a/Makefile b/Makefile
index ba0b789..9eb2e90 100644
--- a/Makefile
+++ b/Makefile
@@ -1,122 +1,132 @@
# vim: set noexpandtab:
ANSIBLE = ansible-playbook
SKIP_TAGS = --skip-tags "init,common"
+
PROD_BOOK = books/main_prod.yml
-TEST_BOOK = books/main_test.yml
+PROD_HOST = -i hosts-prod
PROD_VARS = ../vars/main.yml
+
+TEST_BOOK = books/main_test.yml
+TEST_HOST = -i hosts-test
TEST_VARS = ../vars/test.yml
status:
nova list
# Everything
list:
- $(ANSIBLE) $(PROD_BOOK) --list-hosts
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --list-hosts
test-list:
- $(ANSIBLE) $(TEST_BOOK) --list-hosts
+ $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --list-hosts
+
+create:
+ $(ANSIBLE) books/openstack_prod.yml
+
+test-create:
+ $(ANSIBLE) books/openstack_test.yml
init:
- $(ANSIBLE) $(PROD_BOOK)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST)
test-init:
- $(ANSIBLE) $(TEST_BOOK)
+ $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST)
-up:
- $(ANSIBLE) $(PROD_BOOK) $(SKIP_TAGS)
+all:
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) $(SKIP_TAGS)
-test-up:
- $(ANSIBLE) $(TEST_BOOK) $(SKIP_TAGS)
+test-all:
+ $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) $(SKIP_TAGS)
restart:
$(ANSIBLE) books/restart.yml
reboot:
$(ANSIBLE) books/reboot.yml
stop:
$(ANSIBLE) books/stop.yml
version:
$(ANSIBLE) --extra-vars="var=$(PROD_VARS)" books/versions.yml
test-version:
$(ANSIBLE) --extra-vars="var=$(TEST_VARS)" books/versions.yml
# Specific
app:
- $(ANSIBLE) $(PROD_BOOK) --tags conf-app $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-app $(SKIP_TAGS)
test-app:
- $(ANSIBLE) $(TEST_BOOK) --tags conf-app $(SKIP_TAGS)
+ $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-app $(SKIP_TAGS)
fs:
- $(ANSIBLE) $(PROD_BOOK) --tags conf-fs $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-fs $(SKIP_TAGS)
test-fs:
- $(ANSIBLE) $(TEST_BOOK) --tags conf-fs $(SKIP_TAGS)
+ $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-fs $(SKIP_TAGS)
phd:
- $(ANSIBLE) $(PROD_BOOK) --tags conf-phd $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-phd $(SKIP_TAGS)
test-phd:
- $(ANSIBLE) $(TEST_BOOK) --tags conf-phd $(SKIP_TAGS)
+ $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-phd $(SKIP_TAGS)
lbs:
- $(ANSIBLE) $(PROD_BOOK) --tags conf-lbs $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-lbs $(SKIP_TAGS)
test-lbs:
- $(ANSIBLE) $(TEST_BOOK) --tags conf-lbs $(SKIP_TAGS)
+ $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-lbs $(SKIP_TAGS)
monit:
- $(ANSIBLE) $(PROD_BOOK) --tags conf-monit $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-monit $(SKIP_TAGS)
test-monit:
- $(ANSIBLE) $(TEST_BOOK) --tags conf-monit $(SKIP_TAGS)
+ $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-monit $(SKIP_TAGS)
backup:
- $(ANSIBLE) $(PROD_BOOK) --tags conf-backup $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-backup $(SKIP_TAGS)
dbs:
- $(ANSIBLE) $(PROD_BOOK) --tags conf-dbs $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-dbs $(SKIP_TAGS)
test-dbs:
- $(ANSIBLE) $(TEST_BOOK) --tags conf-dbs $(SKIP_TAGS)
+ $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags conf-dbs $(SKIP_TAGS)
ci:
- $(ANSIBLE) $(PROD_BOOK) --tags jenkins $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags jenkins $(SKIP_TAGS)
test-ci:
- $(ANSIBLE) $(TEST_BOOK) --tags jenkins $(SKIP_TAGS)
+ $(ANSIBLE) $(TEST_BOOK) $(TEST_HOST) --tags jenkins $(SKIP_TAGS)
ci-slave:
- $(ANSIBLE) $(PROD_BOOK) --tags conf-ci-slave $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-ci-slave $(SKIP_TAGS)
shib:
- $(ANSIBLE) $(PROD_BOOK) --tags conf-shib $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags conf-shib $(SKIP_TAGS)
gluster:
- $(ANSIBLE) $(PROD_BOOK) --tags gluster $(SKIP_TAGS)
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags gluster $(SKIP_TAGS)
common:
- $(ANSIBLE) $(PROD_BOOK) --tags common --skip-tags init
+ $(ANSIBLE) $(PROD_BOOK) $(PROD_HOST) --tags common --skip-tags init
# Utils
update-phab:
$(ANSIBLE) books/update_prod.yml
test-update-phab:
$(ANSIBLE) books/update_test.yml
security:
$(ANSIBLE) books/security-update.yml
arbitrator:
$(ANSIBLE) books/arbitrator.yml
clean:
$(ANSIBLE) books/cleanup.yml
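Review bot: None of the targets are declared `.PHONY`, and the new `all`, `test-all`, `create` and `test-create` names make this more likely to bite: a stray file named `all` or `create` in the checkout silently turns `make all` into "nothing to be done". Add `.PHONY: status list test-list create test-create init test-init all test-all restart reboot stop version test-version app test-app fs test-fs phd test-phd lbs test-lbs monit test-monit backup dbs test-dbs ci test-ci ci-slave shib gluster common update-phab test-update-phab security arbitrator clean` near the top. Renaming `up` to `all` also gives a production deployment the conventional build-everything name; no `.DEFAULT_GOAL` is set so a bare `make` still runs `status`, but a name people do not type by reflex would be safer. The `restart`, `reboot`, `stop`, `security`, `arbitrator` and `clean` recipes are not given `$(PROD_HOST)`, so they presumably fall back to ansible's default inventory now that the main playbooks no longer build one in-process; worth checking they still reach the intended hosts.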
diff --git a/books/main_prod.yml b/books/main_prod.yml
index 5824bb9..a259bba 100644
--- a/books/main_prod.yml
+++ b/books/main_prod.yml
@@ -1,38 +1,20 @@
---
-- name: Create Instances
- hosts: 127.0.0.1
- tags: always
- connection: local
- gather_facts: false
- vars_files:
- - "../vars/main.yml"
- tasks:
- - include: ../tasks/create-security-groups.yml
- tags: [ 'init' ]
- - include: ../tasks/create-instances.yml
- tags: [ 'always' ]
- - include: ../tasks/create-volumes.yml
- tags: [ 'init' ]
- - shell: "git show-ref -s --head HEAD | head -n 1"
- register: commit
- tags: [ 'always' ]
-
- include: main_servers.yml var=../vars/main.yml
- name: Configure Backup server
hosts: backup
tags: conf-backup
vars_files:
- "../vars/main.yml"
vars:
nagios_nrpe_server_allowed_hosts: "86.119.30.4,127.0.0.1"
user: centos
sudo: yes
roles:
- role: ../roles/common
tags: [ 'common' ]
- role: ../roles/swap/roles/swap
tags: [ 'common' ]
- role: ../roles/nrpe
tags: [ 'common', 'conf-monit' ]
- role: ../roles/backup
diff --git a/books/main_servers.yml b/books/main_servers.yml
index a8514fb..60e594f 100644
--- a/books/main_servers.yml
+++ b/books/main_servers.yml
@@ -1,254 +1,258 @@
---
+- name: Get local commit
+ hosts: 127.0.0.1
+ tags: always
+ connection: local
+ gather_facts: false
+ tasks:
+ - shell: "git show-ref -s --head HEAD | head -n 1"
+ register: commit
+ tags: [ 'always' ]
+
- name: Configure Jump Server
hosts: lbs
tags: conf-lbs
vars_files:
- "{{ var }}"
vars:
nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1"
user: centos
sudo: yes
roles:
- role: ../roles/common
tags: [ 'common' ]
- role: ../roles/swap/roles/swap
tags: [ 'common' ]
- role: ../roles/ganglia-gmond
tags: [ 'common' ]
- role: ../roles/nrpe
tags: [ 'common', 'conf-monit' ]
- role: ../roles/postfix
postfix_mynetworks: [ "{{ ip_range }}" ]
enable_postfix_relayhost: false
- role: ../roles/letsencrypt
when: env != "test"
- role: ../roles/haproxy
- role: ../roles/jump
tasks:
- shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version"
handlers:
- include: ../handlers/main.yml
#- name: Configure keepalived for jump
# hosts: c4science-jump00
# roles:
# - role: ../rolesepalived
# keepalived_shared_ip: "{{ external_ip }}"
# keepalived_role: ../rolesaster"
#- name: Configure keepalived for jump2
# hosts: c4science-jump01
# roles:
# - role: ../rolesepalived
# keepalived_shared_ip: "{{ external_ip }}"
# keepalived_role: ../roleslave"
# tasks:
# - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version"
- name: Configure Monitoring Server
hosts: monit
tags: conf-monit
vars_files:
- "{{ var }}"
vars:
nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1"
user: centos
sudo: yes
roles:
- role: ../roles/common
tags: [ 'common' ]
- role: ../roles/swap/roles/swap
tags: [ 'common' ]
- role: ../roles/nrpe
tags: [ 'common', 'conf-monit' ]
- role: ../roles/postfix
- postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]"
tags: [ 'common' ]
- role: ../roles/logcheck
- role: ../roles/rsyslog
- { role: ../roles/apache, apache_config: placeholder.conf }
- role: ../roles/nagios
- role: ../roles/ganglia-gmond
tags: [ 'common' ]
- role: ../roles/ganglia-gmetad
tasks:
- include: ../roles/galera/tasks/install.yml
yum_repo: ../roles/galera/files/yum.repo
- service: name=mysql enabled=false state=stopped
- shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version"
handlers:
- include: ../handlers/main.yml
- name: Configure Databases
hosts: dbs
tags: conf-dbs
vars_files:
- "{{ var }}"
vars:
nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1"
user: centos
sudo: yes
roles:
- role: ../roles/common
tags: [ 'common' ]
- role: ../roles/swap/roles/swap
tags: [ 'common' ]
- role: ../roles/nrpe
tags: [ 'common', 'conf-monit' ]
- role: ../roles/postfix
- postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]"
tags: [ 'common' ]
- role: ../roles/ganglia-gmond
tags: [ 'common' ]
- role: ../roles/galera
tasks:
- shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version"
handlers:
- include: ../handlers/main.yml
- name: Configure App
hosts: app
tags: conf-app
vars_files:
- "{{ var }}"
vars:
nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1"
user: centos
sudo: yes
roles:
- role: ../roles/common
tags: [ 'common' ]
- role: ../roles/swap/roles/swap
tags: [ 'common' ]
- role: ../roles/nrpe
tags: [ 'common', 'conf-monit' ]
- role: ../roles/postfix
- postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]"
tags: [ 'common' ]
- role: ../roles/ganglia-gmond
tags: [ 'common' ]
- { role: ../roles/apache, apache_config: phabricator.conf }
- role: ../roles/glusterfs
tags: ['gluster']
- role: ../roles/phabricator
- role: ../roles/shibboleth
tasks:
- shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version"
handlers:
- include: ../handlers/main.yml
- name: Configure Filesystem for repositories
hosts: fs
tags: conf-fs
vars_files:
- "{{ var }}"
vars:
nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1"
user: centos
sudo: yes
roles:
- role: ../roles/common
tags: [ 'common' ]
- role: ../roles/swap/roles/swap
tags: [ 'common' ]
- role: ../roles/nrpe
tags: [ 'common', 'conf-monit' ]
- role: ../roles/postfix
- postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]"
tags: [ 'common' ]
- role: ../roles/ganglia-gmond
tags: [ 'common' ]
- role: ../roles/glusterfs
tags: ['gluster']
- role: ../roles/fs
tags: ['gluster']
tasks:
- shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version"
handlers:
- include: ../handlers/main.yml
- name: Configure App Daemons
hosts: phd
tags: conf-phd
vars_files:
- "{{ var }}"
vars:
nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1"
user: centos
sudo: yes
roles:
- role: ../roles/common
tags: [ 'common' ]
- role: ../roles/swap/roles/swap
tags: [ 'common' ]
- role: ../roles/nrpe
tags: [ 'common', 'conf-monit' ]
- role: ../roles/postfix
- postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]"
tags: [ 'common' ]
- role: ../roles/ganglia-gmond
tags: [ 'common' ]
- role: ../roles/glusterfs
tags: ['gluster']
tasks:
- include: ../roles/phabricator/tasks/packages.yml
- include: ../roles/phabricator/tasks/users.yml
- include: ../roles/phabricator/tasks/glusterfs.yml
- include: ../roles/phabricator/tasks/install.yml myconfig=../roles/phabricator/templates/myconfig.conf.php
- include: ../roles/phabricator/tasks/daemons.yml
phd_init: ../roles/phabricator/templates/phd_init
- shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version"
handlers:
- include: ../handlers/main.yml
- name: Configure Jenkins master
hosts: ci
vars_files:
- "{{ var }}"
vars:
nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1"
user: centos
sudo: yes
roles:
- role: ../roles/common
tags: [ 'common' ]
- role: ../roles/swap/roles/swap
tags: [ 'common' ]
- role: ../roles/nrpe
tags: [ 'common', 'conf-monit' ]
- role: ../roles/postfix
- postfix_relayhost: "[{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}]"
tags: [ 'common' ]
- role: ../roles/ganglia-gmond
tags: [ 'common' ]
- role: ../roles/jenkins
plugins:
- 'preSCMbuildstep'
- 'git'
- 'build-token-root'
- 'phabricator-plugin'
- 'docker-plugin'
- 'build-monitor-plugin'
- 'job-restrictions'
- 'project-stats-plugin'
- 'cluster-stats'
- 'embeddable-build-status'
prefix: '/build'
email:
smtp_host: 'localhost'
smtp_ssl: 'false'
default_email_suffix: "@{{ domain }}"
- role: ../roles/ci
tags: [ 'jenkins' ]
tasks:
- shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version"
#- name: Configure Jenkins slave
# hosts: ci-slave
# tags: conf-ci-slave
# vars_files:
# - "{{ var }}"
# user: core
# sudo: yes
# roles:
# - role: ../rolescker
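Review bot: The `postfix_relayhost` lines in the Monitoring, Databases, App, Filesystem, App Daemons and Jenkins plays still read `hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4']`, but this commit moves instance creation out of this playbook run into `openstack_prod.yml`, so `openstackjump` is presumably no longer registered when these plays render and the lookup will fail on the next `common`-tagged run. Every other file in this commit replaces that expression with `{{ internal_ip }}` (nrpe_local.cfg, galera/configure.yml, haproxy.cfg.j2, myconfig.conf.php, shibboleth2.xml); do the same here: `postfix_relayhost: "[{{ internal_ip }}]"`. The new `Get local commit` play is tagged `always`, so the `commit` fact survives `--skip-tags`, which is correct; but each play's `shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version"` hands the value to a shell unquoted, and `copy: content="{{ hostvars['127.0.0.1']['commit']['stdout'] }}" dest=/{{ project_name }}_version` would write it without one.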
diff --git a/books/main_test.yml b/books/main_test.yml
index 6919770..08467b7 100644
--- a/books/main_test.yml
+++ b/books/main_test.yml
@@ -1,18 +1,2 @@
---
-- name: Create test Instances
- hosts: 127.0.0.1
- tags: always
- connection: local
- gather_facts: false
- vars_files:
- - "../vars/test.yml"
- tasks:
- - include: ../tasks/create-security-groups.yml
- tags: [ 'init' ]
- - include: ../tasks/create-instances.yml
- tags: [ 'always' ]
- - shell: "git show-ref -s --head HEAD | head -n 1"
- register: commit
- tags: [ 'always' ]
-
- include: main_servers.yml var=../vars/test.yml
diff --git a/books/openstack_prod.yml b/books/openstack_prod.yml
new file mode 100644
index 0000000..a58be36
--- /dev/null
+++ b/books/openstack_prod.yml
@@ -0,0 +1,13 @@
+---
+- name: Create Instances
+ hosts: 127.0.0.1
+ connection: local
+ gather_facts: false
+ vars_files:
+ - "../vars/main.yml"
+ tasks:
+ - include: ../tasks/create-security-groups.yml
+ - include: ../tasks/create-instances.yml
+ - include: ../tasks/create-volumes.yml
+ - shell: echo "{{ groups }}" | ./utils/inventory.py prod
+
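Review bot: The inventory is produced by piping the Jinja rendering of the whole `groups` dict through a shell (`echo "{{ groups }}" | ./utils/inventory.py prod`), whereas `openstack_test.yml` first truncates its output with `> hosts-test` and feeds per-group JSON that includes each host's `host_name`; unless `utils/inventory.py` (not in this diff) accepts both shapes, prod and test will generate differently structured `hosts-*` files, and a stale `hosts-prod` is never cleared if the script appends. The step also depends on the working directory being the repository root (`./utils/...` relative to where `make create` runs) rather than the `books/` directory of the playbook; `{{ playbook_dir }}/../utils/inventory.py` removes that assumption. Rendering the data with `to_json` and writing it through the `copy` module's `content:` would keep the shell out of the path and let `copy` write the file atomically.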
diff --git a/books/openstack_test.yml b/books/openstack_test.yml
new file mode 100644
index 0000000..6d6b640
--- /dev/null
+++ b/books/openstack_test.yml
@@ -0,0 +1,16 @@
+---
+- name: Create Instances
+ hosts: 127.0.0.1
+ connection: local
+ gather_facts: false
+ vars_files:
+ - "../vars/test.yml"
+ tasks:
+ #- include: ../tasks/create-security-groups.yml
+ - include: ../tasks/create-instances.yml
+ #- include: ../tasks/create-volumes.yml
+ - shell: "> hosts-test"
+ - shell: "echo '{ \"{{ item }}\": [{% for host in groups[item] %}{\"hostname\": \"{{ hostvars[host]['host_name'] }}\",\"addr\":\"{{ host }}\"}{% if not loop.last %},{% endif %}{% endfor %}] }' | ./utils/inventory.py test"
+ when: item not in ['all', 'ungrouped']
+ with_items: groups.keys()
+
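Review bot: The per-group JSON is hand-assembled inside a single-quoted shell string (`echo '{ "{{ item }}": [...] }' | ./utils/inventory.py test`), so a `host_name` or address containing a quote breaks the shell quoting and malformed JSON reaches the inventory script; building the structure in Jinja and emitting it with `| to_json`, or writing it via the `copy` module's `content:`, yields valid JSON without a shell round-trip. `with_items: groups.keys()` is a bare expression that newer Ansible releases warn on or reject; write `with_items: "{{ groups.keys() }}"`. The commented-out `create-security-groups.yml` and `create-volumes.yml` includes differ from `openstack_prod.yml`, where both run; if test deliberately skips them, a one-line comment saying why would keep the next reader from "fixing" it.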
diff --git a/roles/ci/templates/config.xml b/roles/ci/templates/config.xml
index 01513a7..be9be99 100644
--- a/roles/ci/templates/config.xml
+++ b/roles/ci/templates/config.xml
@@ -1,240 +1,240 @@
hudson.diagnosis.ReverseProxySetupMonitor
1.656
0
EXCLUSIVE
true
hudson.model.Item.Cancel
hudson.model.Item.Delete
hudson.model.Item.Read
hudson.model.Run.Delete
hudson.model.Item.Workspace
hudson.model.Item.Build
com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs
hudson.model.Item.Configure
hudson.model.Item.Discover
hudson.model.Item.ViewStatus
hudson.model.Run.Update
authenticated
hudson.model.Hudson.Read
hudson.model.Item.ViewStatus
authenticated
admin
anonymous
hudson.model.View.Delete
hudson.model.Computer.Connect
hudson.model.Run.Delete
hudson.model.Hudson.UploadPlugins
com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains
hudson.model.Computer.Create
hudson.model.View.Configure
com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Jobs
hudson.model.Hudson.ConfigureUpdateCenter
hudson.model.Computer.Build
hudson.model.Item.Configure
hudson.model.Hudson.Administer
hudson.model.Item.Cancel
hudson.model.Item.Read
com.cloudbees.plugins.credentials.CredentialsProvider.View
hudson.model.Computer.Delete
hudson.model.Item.Build
hudson.scm.SCM.Tag
hudson.model.Item.Discover
hudson.model.Item.ViewStatus
hudson.model.Hudson.Read
com.cloudbees.plugins.credentials.CredentialsProvider.Update
hudson.model.Item.Create
hudson.model.Item.Workspace
com.cloudbees.plugins.credentials.CredentialsProvider.Delete
hudson.model.View.Read
hudson.model.Hudson.RunScripts
hudson.model.View.Create
hudson.model.Item.Delete
hudson.model.Computer.Configure
com.cloudbees.plugins.credentials.CredentialsProvider.Create
com.synopsys.arc.jenkins.plugins.ownership.OwnershipPlugin.Nodes
hudson.model.Computer.Disconnect
hudson.model.Run.Update
admin
hudson.model.Item.Create
authenticated
{{ jenkins_phab_id }}
{{ jenkins_phab_secret }}
{{ jenkins_phab_url }}
false
${ITEM_ROOTDIR}/workspace
${ITEM_ROOTDIR}/builds
c4science.ch
docker-coreos
2
ubuntu ubuntu:trusty
/home/jenkins
2147483647
NORMAL
10
10
1
jenkins-ubuntu
false
2048
256
false
false
false
PULL_LATEST
2
centos centos:7
/home/jenkins
2147483647
NORMAL
10
10
1
jenkins-centos
false
2048
256
false
false
false
PULL_LATEST
- http://{{ hostvars['127.0.0.1']['openstackcislave'].results[0]['openstack']['private_v4'] }}:4243
+ http://{{ groups['ci-slave'][0] }}:4243
5
15
10
5
0
All
false
false
All
0
false
admin
false
false
true
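Review bot: `groups['ci-slave'][0]` on the changed line is an unguarded index: if the generated inventory has no `ci-slave` group (the `Configure Jenkins slave` play is commented out in `main_servers.yml`, and the test inventory only contains whatever `create-instances.yml` returns), templating the whole Jenkins `config.xml` fails instead of leaving the Docker cloud unset. Guard it, e.g. `{{ groups['ci-slave'][0] if 'ci-slave' in groups else '' }}`, or wrap the docker cloud block in `{% if 'ci-slave' in groups %}`. Unchanged but worth recording next to this line: the endpoint is a plain `http://…:4243` Docker API with no authentication, which gives the Jenkins master root-equivalent control of the slave host, so that port should be reachable only from the master (or switched to TLS client auth).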
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a1eea5b..49910d7 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,92 +1,97 @@
---
## Proxy for TEST
- name: HTTP Proxy
lineinfile:
dest: /etc/rc.local
line: "{{ item }}"
with_items:
- "export http_proxy={{ http_proxy }}"
- "export https_proxy={{ http_proxy }}"
- "export rsync_proxy={{ http_proxy }}"
- "export ftp_proxy={{ http_proxy }}"
when: env == "test" and http_proxy is defined
## Root and centos passwords
- user: name=root password="{{ user_pwd_root }}"
- user: name=centos password="{{ user_pwd_centos }}"
## Selinux
- name: Disable SELinux
selinux: policy=targeted state=disabled
- name: Permanently disable SELinux
copy: src=selinux-config dest=/etc/selinux/config
# EPEL
- name: Install EPEL repo.
yum:
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
state: present
- name: Import EPEL GPG key.
rpm_key:
key: "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"
state: present
# Basic packages
- yum:
name="{{ item }}"
state=present
update_cache=yes
with_items:
- htop
- git
- screen
- vim
- ntp
- yum-cron
- iftop
- tcpdump
- iperf
- iotop
- name: SSH Keys
authorized_key: user=root key="{{ item }}"
with_items: "{{ ssh_keys }}"
- name: SSH Keys
authorized_key: user=centos key="{{ item }}"
with_items: "{{ ssh_keys }}"
# Hosts
- name: Clean hosts file
template:
src: hosts
dest: /etc/hosts
- name: Hosts file
lineinfile:
dest: /etc/hosts
- line: "{{ hostvars[item]['private_ip'] }} {{ hostvars[item]['host_name'] }}"
+ line: "{{ item }} {{ hostvars[item]['host_name'] }}"
with_items: groups.all
when: hostvars[item]['host_name'] is defined
+- name: Hosts file for lbs
+ lineinfile:
+ dest: /etc/hosts
+ line: "{{ internal_ip }} c4science-jump00"
+
- name: Hosts file for 10.0.0.217
lineinfile:
dest: /etc/hosts
line: "10.0.0.217 c4science-monit-cluster"
# Scripts
- name: Create scripts directory
file: state="directory" path="/root/scripts"
- name: Process memory
copy: src=ps_mem.py dest=/root/scripts/ps_mem.py mode=0750
- name: Process swap
copy: src=swap.sh dest=/root/scripts/swap.sh mode=0750
# Monit
- include: monit.yml
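Review bot: The new `Hosts file for lbs` task hardcodes `c4science-jump00` while the task just above it derives names from `hostvars[item]['host_name']`, and it has no `when:` guard, so the common role now fails on every host as soon as `internal_ip` is undefined (an inventory or Vagrant run without it). Derive the name from the data and guard it: `line: "{{ internal_ip }} {{ hostvars[groups['lbs'][0]]['host_name'] }}"` with `when: internal_ip is defined and groups['lbs'] is defined`. Since the loop above already adds a line for the lbs host under its inventory address, this adds a second address for the same name — presumably the internal one for a jump host the inventory lists by its external IP; a comment stating that would make the duplication look intentional rather than accidental.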
diff --git a/roles/common/templates/nrpe_local.cfg b/roles/common/templates/nrpe_local.cfg
index d2598c2..3d7209c 100644
--- a/roles/common/templates/nrpe_local.cfg
+++ b/roles/common/templates/nrpe_local.cfg
@@ -1,25 +1,23 @@
command[check_ssh]=/usr/lib64/nagios/plugins/check_ssh -H 127.0.0.1
command[check_ssh_phab]=/usr/lib64/nagios/plugins/check_ssh -H 127.0.0.1 -p {{ vcs_port }}
command[check_disk_vda]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/vda1
command[check_disk_vdb]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/vdb
command[check_disk_repo]=/usr/lib64/nagios/plugins/check_disk -X ext4 {{ repositories_path }}
command[check_http_phab]=/usr/lib64/nagios/plugins/check_http -I {{ inventory_hostname }} -H {{ domain }} -u /status/ -r ALIVE
command[check_http_ex_phab]=/usr/lib64/nagios/plugins/check_http -H {{ domain }} -e 'HTTP/1.1 302 Found'
command[check_http_ex_phab_ssl]=/usr/lib64/nagios/plugins/check_http -H {{ domain }} --ssl -u /status/ -r ALIVE
command[check_http_jenkins]=/usr/lib64/nagios/plugins/check_http -H jenkins.{{ domain }} --ssl
-{% if hostvars['127.0.0.1']['openstackjump'] is defined %}
-command[check_mysql_remote]=/usr/lib64/nagios/plugins/check_mysql -H {{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }} -u {{ mysql_app_user }} -p {{ mysql_app_pass }}
-{% endif %}
+command[check_mysql_remote]=/usr/lib64/nagios/plugins/check_mysql -H {{ internal_ip }} -u {{ mysql_app_user }} -p {{ mysql_app_pass }}
command[check_mysql_local]=/usr/lib64/nagios/plugins/check_mysql -u root
command[check_phd]=/usr/lib64/nagios/plugins/check_procs -C 'php' -a {{ phabricator_path }}phabricator/scripts/daemon/phd-daemon
command[check_gluster]=/usr/lib64/nagios/plugins/check_procs -C 'glusterd' -c 1
command[check_gmond]=/usr/lib64/nagios/plugins/check_procs -C 'gmond' -c 1
command[check_gmetad]=/usr/lib64/nagios/plugins/check_procs -C 'gmetad' -c 1
command[check_httpd]=/usr/lib64/nagios/plugins/check_procs -C 'httpd' -c 1:
command[check_java_jenkins]=/usr/lib64/nagios/plugins/check_procs -C 'java' -c 1
command[check_shibd]=/usr/lib64/nagios/plugins/check_procs -C 'shibd' -c 1
command[check_shib_status]=/usr/lib64/nagios/plugins/check_http -H localhost -u /Shibboleth.sso/Status -R ''
command[check_postfix_master]=/usr/lib64/nagios/plugins/check_procs -C master -a '-w' -c 1
command[check_postfix_pickup]=/usr/lib64/nagios/plugins/check_procs -C pickup -c 1
command[check_postfix_qmgr]=/usr/lib64/nagios/plugins/check_procs -C qmgr -c 1
command[check_mem]=/usr/local/bin/check_mem.sh -w 95 -c 98 -W 50 -C 90
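Review bot: Dropping the `{% if hostvars['127.0.0.1']['openstackjump'] is defined %}` guard makes `check_mysql_remote` unconditional, so this template, rendered by the common role on every host, now fails wherever `internal_ip`, `mysql_app_user` or `mysql_app_pass` is undefined. Keep a guard, `{% if internal_ip is defined and mysql_app_pass is defined %}`, or better restrict the command to the groups that actually monitor MySQL, since as before it places the application DB password in `nrpe_local.cfg` on every server. Passing it as `-p {{ mysql_app_pass }}` also exposes it in the process list while the check runs; `check_mysql` can read credentials from a client options file (`-f`), which keeps the secret out of `ps` and in a mode 0600 file.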
diff --git a/roles/galera/tasks/configure.yml b/roles/galera/tasks/configure.yml
index 25daa09..5b538c2 100644
--- a/roles/galera/tasks/configure.yml
+++ b/roles/galera/tasks/configure.yml
@@ -1,86 +1,86 @@
---
# Configure MySQL with Galera
- stat: path=/var/local/mysql_reset
register: mysql_reset
- name: Copy phabricator stop words
copy: src=stopwords.txt dest=/srv/stopwords.txt
- name: Copy minimal mysql config
template: src=my-mini.cnf dest=/etc/my.cnf
when: not mysql_reset.stat.exists
notify: stop mysql
- name: Reset MySQL root password
shell: /etc/init.d/mysql start --skip-grant-tables; mysql -u root -e 'flush privileges; SET PASSWORD FOR 'root'@'localhost' = PASSWORD("");'; touch /var/local/mysql_reset; service mysql stop
when: not mysql_reset.stat.exists
args:
creates: /var/local/mysql_reset
- name: Copy mysql config
template: src=my.cnf dest=/etc/my.cnf
- name: Check Galera status
shell: mysql -e "SHOW STATUS LIKE 'wsrep_evs_state';" -s | awk '{print $2}'
register: galera_status
- name: Bootstrap MySQL Galera cluster
shell: service mysql stop; /etc/init.d/mysql bootstrap
when: "'{{ inventory_hostname }}' == '{{ groups.dbs[0] }}' and galera_status.stdout != 'OPERATIONAL'"
- service: name=mysql state=started enabled=false
when: "'{{ inventory_hostname }}' != '{{ groups.dbs[0] }}'"
# Users
- name: Create database app user
mysql_user:
state=present
user={{ mysql_app_user }}
password={{ mysql_app_pass }}
priv=*.*:ALL
host={{ mysql_host }}
run_once: yes
- name: Create haproxy user
mysql_user:
state=present
user={{ mysql_lbs_user }}
password=""
priv=*.*:ALL
- host={{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}
+ host={{ internal_ip }}
run_once: yes
- name: Create Shibboleth user
mysql_user:
state=present
user={{ mysql_shib_user }}
password={{ mysql_shib_pass }}
priv={{ mysql_shib_db }}.*:ALL
host={{ mysql_host }}
run_once: yes
- name: Copy Shibboleth db schema
copy:
src: "install_shib.sql"
dest: "/tmp/install_shib.sql"
run_once: yes
- name: Create Shibboleth db
mysql_db:
name: "{{ mysql_shib_db }}"
run_once: yes
- name: Check if Shibboleth tables exist
shell: "mysql {{ mysql_shib_db }} -e 'show tables' | grep strings"
register: tablestatus
ignore_errors: yes
run_once: yes
- name: Populate Shibboleth db
mysql_db:
name: "{{ mysql_shib_db }}"
target: /tmp/install_shib.sql
state: import
when: "'{{ inventory_hostname }}' == '{{ groups.dbs[0] }}' and tablestatus.rc != 0"
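Review bot: The haproxy check user on the changed line keeps `priv=*.*:ALL` with `password=""`, so the host restriction to `{{ internal_ip }}` is the only thing standing between the jump host and passwordless full database access. HAProxy's `option mysql-check` only needs the account to exist and be permitted to connect; `priv=*.*:USAGE` is sufficient and should replace `ALL`.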
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 3c27fa8..e2ee757 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -1,134 +1,136 @@
global
log 127.0.0.1 local2 notice warning
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats level admin
# SSL/TLS
tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3
#ssl-default-bind-options no-tlsv10
ssl-default-bind-options no-tls-tickets
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
defaults
mode http
log global
option dontlognull
#option forceclose
option redispatch
retries 3
timeout connect 10s
timeout client 1m
timeout server 1m
maxconn 3000
userlist admins
user {{ monit_user }} insecure-password {{ monit_pass }}
frontend public
bind :::80 v4v6
redirect scheme https
frontend public_tls
rspadd Strict-Transport-Security:\ max-age=15768000
bind :::443 v4v6 ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem
errorfile 503 /etc/haproxy/sorry.http
- {% if env == "prod" %}
+{% if env == "prod" %}
acl is_jenkins hdr(host) -i jenkins.{{ domain }}
- {% else %}
+{% else %}
acl is_jenkins path_beg -i /jenkins
- {% endif %}
+{% endif %}
acl is_google path /{{ google_webmaster_file }}
use_backend ci if is_jenkins
use_backend google if is_google
default_backend app
backend google
mode http
errorfile 503 /etc/haproxy/google.http
backend app
balance source
hash-type consistent
option http-server-close
option forwardfor
{% if env == "prod" %}
option httpchk HEAD /maniphest/ HTTP/1.1\r\nHost:\ {{ domain }}
{% endif %}
+
{% for host in groups['app'] %}
- server {{ hostvars[host]['host_name'] }} {{ host }}:80 check #send-proxy
+server c4science-app0{{ loop.index0 }} {{ host }}:80 check #send-proxy
{% endfor %}
backend ci
balance static-rr
- {% for host in groups['ci'] %}
- server {{ hostvars[host]['host_name']}} {{ host }}:{{ jenkins_port }} check
- {% endfor %}
+{% for host in groups['ci'] %}
+ server c4science-ci0{{ loop.index0 }} {{ host }}:{{ jenkins_port }} check
+{% endfor %}
frontend monit
bind *:{{ monit_port }} ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem
default_backend monitd
acl auth_admin http_auth(admins)
http-request allow if auth_admin
http-request auth realm Restricted unless auth_admin
http-request deny
backend monitd
- {% for host in groups['monit'] %}
- server {{ hostvars[host]['host_name'] }} {{ host }}:80
- {% endfor %}
+{% for host in groups['monit'] %}
+ server c4science-monit0{{ loop.index0 }} {{ host }}:80
+{% endfor %}
frontend sshd
mode tcp
option tcplog
option tcpka
timeout client 1h
bind :::{{ vcs_port }} v4v6
default_backend ssh
backend ssh
mode tcp
balance source
hash-type consistent
timeout connect 500s
timeout server 1h
- {% for host in groups['app'] %}
- server {{ hostvars[host]['host_name'] }} {{ host }}:{{ vcs_port }} check port {{ vcs_port }}
- {% endfor %}
+{% for host in groups['app'] %}
+ server c4science-app0{{ loop.index0 }} {{ host }}:{{ vcs_port }} check port {{ vcs_port }}
+{% endfor %}
frontend mysqld
mode tcp
option tcplog
- bind {{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}:3306
+ bind {{ internal_ip }}:3306
default_backend mysql
backend mysql
mode tcp
balance static-rr
option mysql-check user {{ mysql_lbs_user }}
- {% for host in groups['dbs'] %}
- server {{ hostvars[host]['host_name'] }} {{ host }}:3306 check port 3306 {% if not loop.first %}backup{% endif %}
+{% for host in groups['dbs'] %}
+ server c4science-db0{{ loop.index0 }} {{ host }}:3306 check port 3306 {% if not loop.first %}backup{% endif %}
- {% endfor %}
+{% endfor %}
listen haproxy-monit
bind :::{{ stats_port }} v4v6 ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem
stats enable
stats refresh 5s
stats show-legends
stats uri /
acl auth_admin http_auth(admins)
stats http-request allow if auth_admin
stats http-request auth realm Restricted unless auth_admin
stats http-request deny
stats admin if auth_admin
+
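Review bot: The server labels in the `app`, `ci`, `monitd`, `ssh` and `mysql` backends are now `c4science-app0{{ loop.index0 }}` and friends, i.e. derived from position in the inventory rather than from the host, so the name shown in stats and logs no longer identifies the machine and silently re-maps whenever inventory order changes; the `0` prefix also stops zero-padding at ten hosts (`app09`, `app010`). If `hostvars[host]['host_name']` is no longer reliable, prefer it with a fallback, e.g. `server {{ hostvars[host]['host_name'] | default(project_name ~ '-app' ~ ('%02d' | format(loop.index))) }}`, so real names are used when present. The `c4science-` prefix is hardcoded here although the playbooks carry `project_name`, and the `app` loop at the top of the backend is the only one left unindented, which is cosmetic but suggests it was edited separately.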
diff --git a/roles/nagios/templates/hosts.cfg b/roles/nagios/templates/hosts.cfg
index 152682a..afd26b2 100644
--- a/roles/nagios/templates/hosts.cfg
+++ b/roles/nagios/templates/hosts.cfg
@@ -1,33 +1,35 @@
define host{
name linux-box
use generic-host
check_period 24x7
check_interval 5
retry_interval 1
max_check_attempts 10
check_command check-host-alive
notification_period 24x7
notification_interval 30
notification_options d,r
contact_groups c4science_admins
register 0
}
-{% for host in groups['all'] %}
-{% if hostvars[host]['host_name'] is defined %}
-define host{
- use linux-box
- host_name {{ hostvars[host]['host_name'] }}
-{% if hostvars[host]['host_name'] == 'c4science-jump00' %}
- address {{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}
-{% else %}
- address {{ host }}
-{% endif %}
-{% if hostvars[host]['group_names'][0] not in ['lbs', 'monit', 'backup'] %}
- hostgroups {{ hostvars[host]['group_names'][0] }}
-{% else %}
- hostgroups utils
-{% endif %}
-}
+{% for group in groups.keys() %}
+{% if group not in ['all', 'ungrouped'] %}
+ {% for host in groups[group] %}
+ define host{
+ use linux-box
+ host_name {{ hostvars[host]['host_name'] }}
+ {% if host == '{{ external_ip }}' %}
+ address {{ internal_ip }}
+ {% else %}
+ address {{ host }}
+ {% if group not in ['lbs', 'monit', 'backup'] %}
+ hostgroups {{ group }}
+ {% else %}
+ hostgroups utils
+ {% endif %}
+ }
+ {% endif %}
+ {% endfor %}
{% endif %}
{% endfor %}
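Review bot: `{% if host == '{{ external_ip }}' %}` compares `host` to the literal string `{{ external_ip }}` (Jinja does not re-expand braces inside an expression), so the `address {{ internal_ip }}` branch can never be taken; write `{% if host == external_ip %}`. That bug currently masks a second one: the `hostgroups` lines and the closing `}` sit inside the `{% else %}` branch, so the intended jump-host case would emit an unterminated `define host{`; close the address `if` with an `{% endif %}` directly after `address {{ host }}` and drop the `{% endif %}` that now follows `}`. Iterating `groups.keys()` also emits one `define host` per group membership, so a host in several groups (as in `utils/Vagrantfile`) produces duplicate `host_name` definitions that Nagios rejects, and with the old `host_name is defined` guard removed, a host lacking `host_name` now renders an empty `host_name` field.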
diff --git a/roles/phabricator/templates/myconfig.conf.php b/roles/phabricator/templates/myconfig.conf.php
index 7724b63..5d45c78 100644
--- a/roles/phabricator/templates/myconfig.conf.php
+++ b/roles/phabricator/templates/myconfig.conf.php
@@ -1,80 +1,80 @@
'{{ http_scheme }}{{ domain }}/',
'phabricator.timezone' => 'Europe/Berlin',
'phabricator.serious-business' => true,
'phabricator.show-prototypes' => true,
'phabricator.developer-mode' => {{ developer_mode }},
'phabricator.allowed-uris' => array(
'{{ http_scheme }}{{ domain }}/',
'{{ http_scheme }}{{ external_ip }}/'
),
'user.custom-field-definitions' => array(
'c4science:org' => array(
'name' => 'Organization',
'type' => 'text',
'caption' => 'Domain name of a home organization',
'required' => false,
'search' => true
),
'c4science:orgtype' => array(
'name' => 'Organization type',
'type' => 'text',
'caption' => 'Type of a home organization',
'required' => false,
'search' => true
)
),
'phd.log-directory' => '/var/log/phabricator',
'phd.taskmasters' => 20,
'phd.user' => '{{ phd_user }}',
'security.strict-transport-security' => true,
'security.require-https' => true,
'security.alternate-file-domain' => '{{ file_domain }}',
'darkconsole.enabled' => false,
'policy.allow-public' => true,
'auth.require-approval' => false,
'auth.require-email-verification' => false,
'cluster.addresses' => array(
{% for host in groups['app'] %}
"{{ hostvars[host]['inventory_hostname'] }}/32",
{% endfor %}
),
'diffusion.ssh-user' => '{{ vcs_user }}',
'diffusion.ssh-port' => {{ vcs_port }},
'diffusion.allow-http-auth' => true,
- 'mysql.host' => "{{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }}",
+ 'mysql.host' => "{{ internal_ip }}",
'mysql.pass' => '{{ mysql_app_pass }}',
'mysql.user' => '{{ mysql_app_user }}',
//'amazon-s3.access-key' => '{{ s3_access_key }}',
//'amazon-s3.secret-key' => '{{ s3_secret_key }}',
//'amazon-s3.endpoint' => '{{ s3_endpoint }}',
//'amazon-s3.region' => '{{ s3_region }}',
//'storage.s3.bucket' => '{{ s3_bucket }}',
'storage.local-disk.path' => '{{ repositories_path }}files',
'files.enable-imagemagick' => true,
#'auth.email-domains' => [
# {% for domain in phabricator_domains %}
# "{{ domain }}",
# {% endfor %}
#],
'pygments.enabled' => true,
'environment.append-paths' => array(
"/usr/libexec/git-core",
"/bin",
"/usr/bin",
"/usr/local/bin"
),
'metamta.default-address' => 'phabricator@{{ domain }}',
'metamta.domain' => '{{ domain }}',
);
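Review bot: `'mysql.host' => "{{ internal_ip }}"` on the new side renders with whatever value `internal_ip` happens to carry, and the vars/main.yml.example hunk further down this page seeds it with `0.0.0.0` — a copied-but-unedited vars file would therefore produce a config that points MySQL at 0.0.0.0 instead of failing at template time the way an undefined variable would. Consider guarding the variable before the template tasks run, e.g. an `assert` task with `that: "internal_ip is defined and internal_ip != '0.0.0.0'"`, or drop the placeholder value so an unset variable fails loudly. The same new reference appears in the shibboleth2.xml hunk below (`SERVER={{ internal_ip }}`) and wants the same guard. Minor style point: this line uses double quotes while every neighbouring string value in the array is single-quoted; the array's opening line is not visible in this hunk.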
diff --git a/roles/shibboleth/templates/shibboleth2.xml b/roles/shibboleth/templates/shibboleth2.xml
index a3b6047..61c50bc 100644
--- a/roles/shibboleth/templates/shibboleth2.xml
+++ b/roles/shibboleth/templates/shibboleth2.xml
@@ -1,155 +1,155 @@
- DRIVER=MySQL;SERVER={{ hostvars['127.0.0.1']['openstackjump'].results[0]['openstack']['private_v4'] }};USER={{ mysql_shib_user }};PASSWORD={{ mysql_shib_pass }};DATABASE={{ mysql_shib_db }};APP={{ project_name }}
+ DRIVER=MySQL;SERVER={{ internal_ip }};USER={{ mysql_shib_user }};PASSWORD={{ mysql_shib_pass }};DATABASE={{ mysql_shib_db }};APP={{ project_name }}
SAML2
Local
SWITCHaai Metadata Signer
2.16.756.1.2.6.7
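Review bot: The rewritten connection string concatenates `USER`, `PASSWORD` and `DATABASE` values straight from Ansible variables, so a `mysql_shib_pass` containing `;` (the ODBC field separator) or `}` would silently corrupt the string and the failure would only surface as a database connection error at runtime. ODBC connection strings allow brace-quoting of values, e.g. `PASSWORD={{ '{' }}{{ mysql_shib_pass }}{{ '}' }}`, which is worth checking against the driver in use; at minimum a template comment such as `<!-- mysql_shib_* values must not contain ';' or '}' — they are not escaped here -->` would document the constraint. Most of this hunk's context lines are not shown on the page, so the surrounding element could not be reviewed.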
diff --git a/utils/Vagrantfile b/utils/Vagrantfile
index 1950bbf..c46dd4a 100644
--- a/utils/Vagrantfile
+++ b/utils/Vagrantfile
@@ -1,50 +1,44 @@
Vagrant.configure(2) do |config|
config.vm.box_url = "http://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1603_01.VirtualBox.box"
config.vm.box = "vagrant-centos-7.1"
config.vm.provider "virtualbox" do |v|
v.memory = 2048
v.cpus = 2
end
config.vm.define "10.10.0.2" do |machine|
machine.vm.hostname = "c4science-dev"
machine.vm.network "private_network", ip: "10.10.0.2"
machine.vm.provision :ansible do |ansible|
ansible.groups = {
"lbs" => ["10.10.0.2"],
"dbs" => ["10.10.0.2"],
"app" => ["10.10.0.2"],
"phd" => ["10.10.0.2"],
"fs" => ["10.10.0.2"],
"monit" => ["10.10.0.2"],
"ci" => ["10.10.0.2"],
"ci-slave" => ["10.10.0.2"],
}
ansible.playbook = "../books/main_dev.yml"
ansible.sudo = true
ansible.verbose = 'v'
ansible.extra_vars = {
proxy: 'no',
http_proxy: '',
ansible_ssh_user: 'vagrant',
domain: "10.10.0.2",
+ internal_ip: "10.10.0.2",
external_ip: "10.10.0.2",
- backup_ip: "127.0.0.1",
- openstackjump: {
- results: [{
- openstack: {
- private_v4: "10.10.0.2"
- }
- }]
- }
+ backup_ip: "127.0.0.1"
}
ansible.host_vars = {
"10.10.0.2" => {
"host_name" => "c4science-dev",
"private_ip" => "10.10.0.2"
},
}
end
end
end
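Review bot: The added `internal_ip: "10.10.0.2"` is yet another literal copy of the same address, which already appears in the `config.vm.define` name, the `private_network` ip, every group in `ansible.groups`, `domain`, `external_ip` and the `host_vars` block, so changing the dev box address now means editing a dozen lines. A single Ruby local at the top of the block, `dev_ip = "10.10.0.2"`, referenced as `internal_ip: dev_ip` (and likewise for the other occurrences) would keep them in sync. Also worth a brief comment that `internal_ip`, `external_ip` and `domain` are deliberately identical on the single-VM dev setup, since on the real inventory they differ.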
diff --git a/utils/inventory.py b/utils/inventory.py
new file mode 100755
index 0000000..1ae273c
--- /dev/null
+++ b/utils/inventory.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python2
+
+import json, sys
+
+FILE = 'hosts-%s' % sys.argv[1]
+JSON = json.loads(sys.stdin.read())
+INVENTORY = ''
+
+groups = [i for i in JSON]
+for g in groups:
+ INVENTORY += '[%s]\n' % g
+ for h in JSON[g]:
+ INVENTORY += '%s host_name=%s private_ip=%s\n' % (h['addr'], h['hostname'], h['private_ip'])
+ INVENTORY += '\n'
+
+f = open(FILE, 'a')
+f.write(INVENTORY)
+f.close()
+
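Review bot: `f = open(FILE, 'a')` appends, so running the script a second time for the same environment duplicates every `[group]` section in `hosts-<env>` and Ansible ends up with repeated host entries; since the whole inventory is regenerated from stdin on each run, the file should be truncated (`'w'`) and written inside a `with` block so it is closed even when `write` fails. `sys.argv[1]` is also read unchecked, which yields a bare IndexError rather than a usage message, and because it is interpolated straight into the output file name an argument containing a path separator would write outside the working directory — worth rejecting anything that is not a plain environment name. The per-host values (`h['addr']`, `h['hostname']`, `h['private_ip']`) go into the INI inventory unescaped, so a hostname containing whitespace would be parsed as a separate token; that assumption deserves a comment. `json.load(sys.stdin)` reads the stream directly and avoids the intermediate string.
```python
if len(sys.argv) != 2 or '/' in sys.argv[1] or sys.argv[1] in ('.', '..'):
    sys.exit('usage: inventory.py <env>   (JSON on stdin; writes ./hosts-<env>)')
FILE = 'hosts-%s' % sys.argv[1]
JSON = json.load(sys.stdin)
# … unchanged: INVENTORY assembled from the JSON groups (values are not escaped; hostnames must not contain whitespace) …
with open(FILE, 'w') as f:   # overwrite: the inventory is regenerated in full on every run
    f.write(INVENTORY)
```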
diff --git a/vars/main.yml.example b/vars/main.yml.example
index 0dd8173..35f6911 100644
--- a/vars/main.yml.example
+++ b/vars/main.yml.example
@@ -1,106 +1,108 @@
---
env: prod
project_name: "c4science"
ansible_ssh_user: "centos"
proxy: no
http_proxy: ""
no_proxy: "localhost"
proxy_url: "{{ http_proxy }}"
user_pwd_root: ""
user_pwd_centos: ""
# OpenStack
keypair_name: ""
image_id: ""
image_id_coreos: ""
public_net: ""
private_net: ""
flavor_id_small: ""
flavor_id_medium: ""
flavor_id_large: ""
flavor_id_small_backup: ""
private_net_backup: ""
image_id_backup: ""
region_main: ""
region_back: ""
# Storage
s3_access_key: ""
s3_secret_key: ""
s3_endpoint: ""
s3_bucket: ""
s3_region: ""
# Lbs
+internal_ip: 0.0.0.0
external_ip: 0.0.0.0
backup_ip: 0.0.0.0
ip_range: "10.0.0.0/16"
jenkins_port: 8080
stats_port: 8082
monit_port: 8081
monit_user: admin
monit_pass:
rolling_reboot_proxy_host: "{{ external_ip }}"
rolling_reboot_pause: 30
rolling_reboot_wait_delay: 20
# App
developer_mode: false
http_scheme: 'http://'
domain: example.com
file_domain: "{{ http_scheme }}static.{{ domain }}/"
phabricator_path: /srv/www/facebook/
repositories_path: /var/repo/
phd_user: phabricator
www_user: apache
vcs_user: git
vcs_port: 2222
jenkins_admin_user: admin
jenkins_admin_pass:
jenkins_phab_url: "{{ http_scheme }}{{ domain }}/"
jenkins_phab_id: "PHID-"
jenkins_phab_secret: ""
jenkins_url: "{{ http_scheme }}jenkins.{{ domain }}/"
shib_metadata_file: "metadata.xml"
shib_metadata_provider: "http://example.com/{{ shib_metadata_file }}"
phabricator_domains:
- "{{ domain }}"
- 'example.com'
google_webmaster_file: "googleXYZ.html"
# Dbs
mysql_app_user: ""
mysql_app_pass: ""
mysql_shib_user: ""
mysql_shib_pass: ""
mysql_shib_db: "shibboleth"
mysql_lbs_user: "haproxy"
mysql_cluster_name: ""
mysql_host: "10.0.0.0/255.255.0.0"
# SSH
ssh_keys:
- "ssh-rsa mysuperkey1"
- "ssh-rsa mysuperkey2"
# Swap
swap_path: "/swapfile"
dd_bs_size_mb: 32
swap_count: 128
swappiness: 10
vfs_cache_pressure: 50
# Email
configure_postfix: true
enable_postfix_domain_rewrite: true
enable_postfix_relayhost: true
+postfix_relayhost: "[{{ internal_ip }}]"
postfix_rewrite_domain: "{{ domain }}"
email_alias_phabricator: ""
email_alias_postmaster: ""
email_alias_admin: ""
email_monitoring: ""