diff --git a/roles/common/templates/nrpe_local.cfg b/roles/common/templates/nrpe_local.cfg
index b20a35a..5313f40 100644
--- a/roles/common/templates/nrpe_local.cfg
+++ b/roles/common/templates/nrpe_local.cfg
@@ -1,23 +1,23 @@
 command[check_ssh]=/usr/lib64/nagios/plugins/check_ssh -H 127.0.0.1
-command[check_ssh_phab]=/usr/lib64/nagios/plugins/check_ssh -H 127.0.0.1 -p {{ vcs_port }}
+command[check_ssh_phab]=/usr/lib64/nagios/plugins/check_ssh -H 127.0.0.1 -p {{ vcs_port_back }}
 command[check_disk_vda]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/vda1
 command[check_disk_vdb]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/vdb
 command[check_disk_repo]=/usr/lib64/nagios/plugins/check_disk -X ext4 {{ repositories_path }}
 command[check_http_phab]=/usr/lib64/nagios/plugins/check_http -I {{ inventory_hostname }} -H {{ domain }} -u /status/ -r ALIVE
 command[check_http_ex_phab]=/usr/lib64/nagios/plugins/check_http -H {{ domain }} -e 'HTTP/1.1 302 Found'
 command[check_http_ex_phab_ssl]=/usr/lib64/nagios/plugins/check_http -H {{ domain }} --ssl -u /status/ -r ALIVE
 command[check_http_jenkins]=/usr/lib64/nagios/plugins/check_http -H jenkins.{{ domain }} --ssl
 command[check_mysql_remote]=/usr/lib64/nagios/plugins/check_mysql -H $ARG1$ -u {{ mysql_app_user }} -p {{ mysql_app_pass }}
 command[check_mysql_local]=/usr/lib64/nagios/plugins/check_mysql -u root
 command[check_phd]=/usr/lib64/nagios/plugins/check_procs -C 'php' -a {{ phabricator_path }}phabricator/scripts/daemon/phd-daemon
 command[check_gluster]=/usr/lib64/nagios/plugins/check_procs -C 'glusterd' -c 1
 command[check_gmond]=/usr/lib64/nagios/plugins/check_procs -C 'gmond' -c 1
 command[check_gmetad]=/usr/lib64/nagios/plugins/check_procs -C 'gmetad' -c 1
 command[check_httpd]=/usr/lib64/nagios/plugins/check_procs -C 'httpd' -c 1:
 command[check_java_jenkins]=/usr/lib64/nagios/plugins/check_procs -C 'java' -c 1
 command[check_shibd]=/usr/lib64/nagios/plugins/check_procs -C 'shibd' -c 1
 command[check_shib_status]=/usr/lib64/nagios/plugins/check_http -H localhost -u /Shibboleth.sso/Status -R ''
 command[check_postfix_master]=/usr/lib64/nagios/plugins/check_procs -C master -a '-w' -c 1
command[check_postfix_pickup]=/usr/lib64/nagios/plugins/check_procs -C pickup -c 1
 command[check_postfix_qmgr]=/usr/lib64/nagios/plugins/check_procs -C qmgr -c 1
 command[check_mem]=/usr/local/bin/check_mem.sh -w 95 -c 98 -W 50 -C 90
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 872183b..f007b54 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
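Review bot: check_ssh_phab now probes only the backend port on 127.0.0.1, so the client-facing port this same commit introduces (vcs_port_front, served by the haproxy sshd frontend on the jump host) ends up with no NRPE check at all; a broken haproxy passthrough would go unnoticed while the backend sshd still reports fine. Since this template is shipped by roles/common to every host, a front-port check would need to be scoped to the jump host, for example `command[check_ssh_phab_front]=/usr/lib64/nagios/plugins/check_ssh -H 127.0.0.1 -p {{ vcs_port_front }}` deployed only there. Unrelated to the rename but in the same file, check_mysql_remote passes `-p {{ mysql_app_pass }}` on the command line, which exposes the database password to every local user through the process list; reading it from a client options file instead is worth a follow-up.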
@@ -1,140 +1,148 @@ global log 127.0.0.1 local2 notice warning chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 4000 user haproxy group haproxy daemon # turn on stats unix socket stats socket /var/lib/haproxy/stats level admin # SSL/TLS tune.ssl.default-dh-param 2048 ssl-default-bind-options no-sslv3 #ssl-default-bind-options no-tlsv10 ssl-default-bind-options no-tls-tickets ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK defaults mode http log global option dontlognull #option forceclose option redispatch retries 3 timeout connect 10s timeout client 1m timeout server 1m maxconn 3000 userlist admins user {{ monit_user }} insecure-password {{ monit_pass }} frontend public bind :::80 v4v6 redirect scheme https http-request del-header Proxy frontend public_tls rspadd Strict-Transport-Security:\ max-age=15768000 bind :::443 v4v6 ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem errorfile 503 /etc/haproxy/sorry.http http-request del-header Proxy {% if env == "prod" %} acl is_jenkins hdr(host) -i jenkins.{{ domain }} {% else %} acl is_jenkins path_beg -i /jenkins {% endif %} acl is_google path /{{ google_webmaster_file }} use_backend ci if is_jenkins use_backend google if is_google default_backend app backend google mode http errorfile 503 /etc/haproxy/google.http backend app balance source hash-type consistent option http-server-close option forwardfor {% if env == "prod" %} option httpchk HEAD /maniphest/ HTTP/1.1\r\nHost:\ {{ domain }} {% endif 
%} {% for host in groups['app'] %} server {{ hostvars[host]['host_name'] }} {{ host }}:80 check #send-proxy {% endfor %} backend ci balance static-rr {% for host in groups['ci'] %} server {{ hostvars[host]['host_name'] }} {{ host }}:{{ jenkins_port }} check {% endfor %} frontend monit bind *:{{ monit_port }} ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem default_backend monitd acl auth_admin http_auth(admins) http-request allow if auth_admin http-request auth realm Restricted unless auth_admin http-request deny http-request del-header Proxy backend monitd {% for host in groups['monit'] %} server {{ hostvars[host]['host_name'] }} {{ host }}:80 {% endfor %} frontend sshd mode tcp option tcplog option tcpka timeout client 1h - bind :::{{ vcs_port }} v4v6 + bind :::{{ vcs_port_front }} v4v6 + default_backend ssh + +frontend sshd-old + mode tcp + option tcplog + option tcpka + timeout client 1h + bind :::{{ vcs_port_back }} v4v6 default_backend ssh backend ssh mode tcp balance source hash-type consistent timeout connect 500s timeout server 1h {% for host in groups['app'] %} - server {{ hostvars[host]['host_name'] }} {{ host }}:{{ vcs_port }} check port {{ vcs_port }} + server {{ hostvars[host]['host_name'] }} {{ host }}:{{ vcs_port_back }} check port {{ vcs_port_back }} {% endfor %} #frontend mysqld # mode tcp # option tcplog # bind {{ internal_ip }}:3306 # default_backend mysql # #backend mysql # mode tcp # balance static-rr # option mysql-check user {{ mysql_lbs_user }} #{% for host in groups['dbs'] %} # server {{ hostvars[host]['host_name'] }} {{ host }}:3306 check port 3306 {% if not loop.first %}backup{% endif %} # #{% endfor %} listen haproxy-monit bind :::{{ stats_port }} v4v6 ssl crt /etc/letsencrypt/live/{{ domain }}/combined.pem stats enable stats refresh 5s stats show-legends stats uri / acl auth_admin http_auth(admins) stats http-request allow if auth_admin stats http-request auth realm Restricted unless auth_admin stats http-request deny stats 
admin if auth_admin http-request del-header Proxy
diff --git a/roles/jump/files/sshd_config b/roles/jump/files/sshd_config
new file mode 100644
index 0000000..24f2bef
--- /dev/null
+++ b/roles/jump/files/sshd_config
@@ -0,0 +1,19 @@
+Port 222
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+SyslogFacility AUTHPRIV
+AuthorizedKeysFile .ssh/authorized_keys
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+UsePAM yes
+X11Forwarding no
+UsePrivilegeSeparation sandbox # Default for new installations.
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
diff --git a/roles/jump/handlers/main.yml b/roles/jump/handlers/main.yml
index c9aa4e7..a9696da 100644
--- a/roles/jump/handlers/main.yml
+++ b/roles/jump/handlers/main.yml
@@ -1,11 +1,16 @@ --- +- name: reload ssh + service: + name: sshd + state: reloaded + - name: restart postfix service: name: postfix state: restarted - name: rebuild aliases shell: newaliases - name: rebuild headers shell: postmap /etc/postfix/header_checks
diff --git a/roles/jump/tasks/main.yml b/roles/jump/tasks/main.yml
index 2802039..e692873 100644
--- a/roles/jump/tasks/main.yml
+++ b/roles/jump/tasks/main.yml
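Review bot: `frontend sshd-old` repeats every directive of `frontend sshd` except the bind port, so the two tcp stanzas will drift apart the first time someone tunes a timeout on one of them; the same result is a single frontend with two bind lines, `bind :::{{ vcs_port_front }} v4v6` followed by `bind :::{{ vcs_port_back }} v4v6`, both feeding `default_backend ssh`. If the separate frontend is deliberate so that haproxy logs show which clients still connect on the old port, say so next to it with a comment such as `# legacy port, drop once clients have moved to vcs_port_front`, otherwise the `-old` name alone will not survive the next edit. Note also that with the example values the new frontend binds port 22 on the jump host, which only works once the admin sshd there has moved to 222 (roles/jump/files/sshd_config in this commit) and has been reloaded; the ordering between the jump and haproxy roles is outside this hunk.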
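Review bot: PermitRootLogin is not set in the new admin sshd_config, and on OpenSSH releases before 7.0 (which the `UsePrivilegeSeparation sandbox` line and the sftp-server path suggest this targets) the built-in default permits root logins, so root stays reachable by key on port 222; the phabricator sshd template in this same commit already sets `PermitRootLogin no`, and the admin config should do the same explicitly. `GSSAPIAuthentication yes` also leaves a second authentication path open while password and challenge-response are disabled; unless Kerberos logins are actually used on the jump host, `GSSAPIAuthentication no` narrows the surface. A header comment would help the next reader, e.g. `# Admin sshd on 222: port 22 is bound by the haproxy sshd frontend (vcs_port_front)`, and it should mention that the literal 222 here must stay in sync with the 222 in the firewalld list of roles/jump/tasks/main.yml.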
@@ -1,174 +1,179 @@ --- - yum: name="{{ item }}" state=present with_items: - firewalld - nmap-ncat - socat - service: name=firewalld state=started enabled=true +- name: SSH Config for admin + copy: + src: sshd_config + dest: /etc/ssh/sshd_config + notify: reload ssh + - firewalld: port: "{{ item }}/tcp" permanent: true state: enabled immediate: true with_items: - - "{{ stats_port }}" # haproxy - - "{{ monit_port }}" # ganglia - - "{{ vcs_port }}" # phabricator ssh - - 80 # phabricator http - - 443 # phabricator http - - 22 # ssh - - 25 # smtp + - "{{ stats_port }}" # haproxy + - "{{ monit_port }}" # ganglia + - "{{ vcs_port_front }}" # phabricator ssh + - "{{ vcs_port_back }}" # phabricator ssh + - 222 # admin ssh + - 80 # phabricator http + - 443 # phabricator http + - 25 # smtp - firewalld: port: "{{ item }}/tcp" permanent: true state: disabled immediate: true with_items: - "{{ jenkins_port }}" # jenkins - 8083 # test shibboleth - firewalld: port: "{{ item }}/tcp" source: "{{ ip_range }}" immediate: true permanent: true zone: internal state: enabled with_items: - - 22 # ssh - 25 # smtp - - 3306 # mysql - 5666 # nrpe - 8649 # ganglia - firewalld: port: "{{ item }}/udp" source: "{{ ip_range }}" immediate: true permanent: true zone: internal state: enabled with_items: - 8649 # ganglia # Email - name: Allow incoming email, remove old config lineinfile: dest: /etc/postfix/main.cf line: "mydestination = {{ ansible_fqdn }}, localhost" state: absent - name: Allow incoming email lineinfile: dest: /etc/postfix/main.cf line: "mydestination = {{ domain }}, {{ ansible_fqdn }}, localhost" notify: restart postfix - name: Header to filter in postfix copy: src: header_checks dest: /etc/postfix/header_checks - name: Hide originating host for postfix lineinfile: dest: /etc/postfix/main.cf line: "header_checks = regexp:/etc/postfix/header_checks" notify: rebuild headers - name: Remove alias for postmaster email lineinfile: dest: /etc/aliases line: "postmaster:\troot" state: absent 
notify: rebuild aliases - name: Alias for postmaster email lineinfile: dest: /etc/aliases line: "postmaster: {{ email_alias_postmaster }}" notify: rebuild aliases - name: Alias for postmaster admin lineinfile: dest: /etc/aliases line: "admin: {{ email_alias_admin }}" notify: rebuild aliases # TODO: Redirect to app instance ? - name: Alias for phabricator email lineinfile: dest: /etc/aliases line: "phabricator: {{ email_alias_phabricator }}" notify: rebuild aliases - name: Use letsencrypt cert for postfix file: path: /etc/ssl/certs/ssl-cert-snakeoil.pem src: "/etc/letsencrypt/live/{{ domain }}/cert.pem" state: link when: env != "test" - name: Use letsencrypt cert directory file: path: /etc/ssl/private/ state: directory - name: Use letsencrypt cert key for postfix file: path: /etc/ssl/certs/ssl-cert-snakeoil.key src: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" state: link when: env != "test" - name: Use letsencrypt cert key for postfix file: path: /etc/ssl/private/ssl-cert-snakeoil.key src: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" state: link when: env != "test" # SSL self-signed certificate for TEST - name: create self-signed SSL cert shell: openssl req -new -nodes -x509 -subj "/C=VD/ST=Vaud/L=Lausanne/O=c4science/CN={{ domain }}" -days 3650 -keyout /etc/ssl/certs/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -extensions v3_ca args: creates: /etc/ssl/certs/ssl-cert-snakeoil.pem when: env == "test" - name: Link to snakeoil cert for postfix file: path: /etc/ssl/private/ssl-cert-snakeoil.pem src: /etc/ssl/certs/ssl-cert-snakeoil.pem state: link when: env == "test" - name: Fake letsencrypt directory file: path: "/etc/letsencrypt/live/{{ domain }}/" state: directory when: env == "test" - name: Fake letsencrypt certificate key file file: path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" src: /etc/ssl/certs/ssl-cert-snakeoil.key state: link when: env == "test" - name: Fake letsencrypt certificate file file: path: 
"/etc/letsencrypt/live/{{ domain }}/cert.pem" src: /etc/ssl/certs/ssl-cert-snakeoil.pem state: link when: env == "test" - name: create combined certificate for haproxy shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.* > /etc/letsencrypt/live/{{ domain }}/combined.pem" args: creates: "/etc/letsencrypt/live/{{ domain }}/combined.pem" when: env == "test" diff --git a/roles/phabricator/templates/myconfig.conf.php b/roles/phabricator/templates/myconfig.conf.php index 7d5914a..4b57ecd 100644 --- a/roles/phabricator/templates/myconfig.conf.php +++ b/roles/phabricator/templates/myconfig.conf.php 
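Review bot: the new `SSH Config for admin` task copies a file that moves the admin sshd to port 222 without validating it first, so a typo in sshd_config turns the `reload ssh` handler into a lockout of the jump host; add `validate: '/usr/sbin/sshd -t -f %s'` together with `owner: root` and `mode: "0600"` to the copy task. Because the port only changes when the handler runs, the inventory (or `ansible_port`) for the jump host has to follow on the next run, and nothing in this hunk or in vars/main.yml.example reflects that. The literal `222` in the firewalld list and `Port 222` in the copied file are two places that must agree; a single variable (a constructed name such as `admin_ssh_port`) rendered into both would be safer than keeping them in step by hand.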
@@ -1,81 +1,81 @@ '{{ http_scheme }}{{ domain }}/', 'phabricator.timezone' => 'Europe/Berlin', 'phabricator.serious-business' => true, 'phabricator.show-prototypes' => true, 'phabricator.developer-mode' => {{ developer_mode }}, 'phabricator.allowed-uris' => array( '{{ http_scheme }}{{ domain }}/', '{{ http_scheme }}{{ external_ip }}/' ), 'user.custom-field-definitions' => array( 'c4science:org' => array( 'name' => 'Organization', 'type' => 'text', 'caption' => 'Domain name of a home organization', 'required' => false, 'search' => true ) ), 'debug.sample-rate' => 0, 'phd.log-directory' => '/var/log/phabricator', 'phd.taskmasters' => 20, 'phd.user' => '{{ phd_user }}', 'security.strict-transport-security' => true, 'security.require-https' => true, 'security.alternate-file-domain' => '{{ file_domain }}', 'darkconsole.enabled' => false, 'policy.allow-public' => true, 'auth.require-approval' => false, 'auth.require-email-verification' => false, 'cluster.addresses' => array( {% for host in groups['app'] %} "{{ hostvars[host]['inventory_hostname'] }}/32", {% endfor %} ), 'diffusion.ssh-user' => '{{ vcs_user }}', - 'diffusion.ssh-port' => {{ vcs_port }}, + //'diffusion.ssh-port' => {{ vcs_port_front }}, 'diffusion.allow-http-auth' => true, 'cluster.databases' => array( {% for host in groups['dbs'] %} array( 'host' => '{{ host }}', 'role' => '{% if loop.first %}master{% else %}replica{% endif %}' ), {% endfor %} ), 'mysql.pass' => '{{ mysql_app_pass }}', 'mysql.user' => '{{ mysql_app_user }}', //'amazon-s3.access-key' => '{{ s3_access_key }}', //'amazon-s3.secret-key' => '{{ s3_secret_key }}', //'amazon-s3.endpoint' => '{{ s3_endpoint }}', //'amazon-s3.region' => '{{ s3_region }}', //'storage.s3.bucket' => '{{ s3_bucket }}', 'storage.local-disk.path' => '{{ repositories_path }}files', 'files.enable-imagemagick' => true, #'auth.email-domains' => [ # {% for domain in phabricator_domains %} # "{{ domain }}", # {% endfor %} #], 'pygments.enabled' => true, 
'environment.append-paths' => array( "/usr/libexec/git-core", "/bin", "/usr/bin", "/usr/local/bin" ), 'metamta.default-address' => 'phabricator@{{ domain }}', 'metamta.domain' => '{{ domain }}', ); diff --git a/roles/phabricator/templates/sshd_config b/roles/phabricator/templates/sshd_config index 4532be7..678e17f 100644 --- a/roles/phabricator/templates/sshd_config +++ b/roles/phabricator/templates/sshd_config @@ -1,18 +1,18 @@ AuthorizedKeysCommand /usr/libexec/phabricator_ssh_hook.sh AuthorizedKeysCommandUser {{ vcs_user }} AllowUsers {{ vcs_user }} -Port {{ vcs_port }} +Port {{ vcs_port_back }} Protocol 2 PermitRootLogin no AllowAgentForwarding no AllowTcpForwarding no PrintMotd no PrintLastLog no PasswordAuthentication no AuthorizedKeysFile none HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key PidFile /var/run/sshd_phabricator.pid diff --git a/vars/main.yml.example b/vars/main.yml.example index 0147c53..f5aca21 100644 --- a/vars/main.yml.example +++ b/vars/main.yml.example 
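Review bot: commenting out `'diffusion.ssh-port'` means Phabricator presumably falls back to its default port in the clone URIs it advertises, which is only correct while vcs_port_front happens to be 22; the advertised port is no longer tied to the variable, and the dead templated line will rot. Either keep it live as `'diffusion.ssh-port' => {{ vcs_port_front }},` (the port users reach through haproxy, not vcs_port_back) or delete the line and state in a comment why the default is relied on. If the line was disabled because rendering the standard port caused a problem, that reason is not visible in this hunk and is worth recording.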
@@ -1,112 +1,113 @@
 ---
 env: prod
 project_name: "c4science"
 ansible_ssh_user: "centos"
 proxy: no
 http_proxy: ""
 no_proxy: "localhost"
 proxy_url: "{{ http_proxy }}"
 user_pwd_root: ""
 user_pwd_centos: ""
 # OpenStack
 keypair_name: ""
 image_id: ""
 image_id_coreos: ""
 public_net: ""
 private_net: ""
 flavor_id_small: ""
 flavor_id_medium: ""
 flavor_id_large: ""
 flavor_id_small_backup: ""
 private_net_backup: ""
 image_id_backup: ""
 region_main: ""
 region_back: ""
 # Storage
 s3_access_key: ""
 s3_secret_key: ""
 s3_endpoint: ""
 s3_bucket: ""
 s3_region: ""
 # Lbs
 internal_ip: 0.0.0.0
 external_ip: 0.0.0.0
 backup_ip: 0.0.0.0
 ip_range: "10.0.0.0/16"
 jenkins_port: 8080
 stats_port: 8082
 monit_port: 8081
 monit_user: admin
 monit_pass:
 rolling_reboot_proxy_host: "{{ external_ip }}"
 rolling_reboot_pause: 30
 rolling_reboot_wait_delay: 20
 # App
 developer_mode: false
 http_scheme: 'http://'
 domain: example.com
 file_domain: "{{ http_scheme }}static.{{ domain }}/"
 phabricator_branch: stable
 phabricator_path: /srv/www/facebook/
 repositories_path: /var/repo/
 phd_user: phabricator
 www_user: apache
 vcs_user: git
-vcs_port: 2222
+vcs_port_front: 22
+vcs_port_back: 2222
 jenkins_admin_user: admin
 jenkins_admin_password:
 jenkins_phab_url: "{{ http_scheme }}{{ domain }}/"
 jenkins_phab_id: "PHID-"
 jenkins_phab_secret: ""
 jenkins_prefix: "/"
 jenkins_url: "{{ http_scheme }}jenkins.{{ domain }}{{ jenkins_prefix }}"
 shib_metadata_file: "metadata.xml"
 shib_metadata_provider: "http://example.com/{{ shib_metadata_file }}"
 phabricator_domains:
 - "{{ domain }}"
 - 'example.com'
 google_webmaster_file: "googleXYZ.html"
 # Dbs
 mysql_repl_user: "repl"
 mysql_repl_pass: ""
 mysql_app_user: ""
 mysql_app_pass: ""
 mysql_shib_user: ""
 mysql_shib_pass: ""
 mysql_shib_db: "shibboleth"
 mysql_lbs_user: "haproxy"
 mysql_cluster_name: ""
 mysql_host: "10.0.0.0/255.255.0.0"
 # SSH
 ssh_keys:
 - "ssh-rsa mysuperkey1"
 - "ssh-rsa mysuperkey2"
 # Swap
 swap_path: "/swapfile"
 dd_bs_size_mb: 32
 swap_count: 128
 swappiness: 10
 vfs_cache_pressure: 50
# Email
 configure_postfix: true
 enable_postfix_domain_rewrite: true
 enable_postfix_relayhost: true
 postfix_relayhost: "[{{ internal_ip }}]"
 postfix_rewrite_domain: "{{ domain }}"
 email_alias_phabricator: ""
 email_alias_postmaster: ""
 email_alias_admin: ""
 email_monitoring: ""
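Review bot: the two new keys carry no explanation of what "front" and "back" mean, although every consumer in this commit depends on the distinction (haproxy binds both on the jump host and forwards to the back port on the app hosts; the phabricator sshd and the NRPE check use the back port only). A comment above them would remove the guesswork, e.g. `# vcs_port_front: port clients connect to (haproxy on the jump host)` and `# vcs_port_back: port the phabricator sshd listens on per app host`, with a third line noting that front=22 requires the jump host's admin sshd to move to 222 (roles/jump/files/sshd_config). That admin port is now part of the deployment's contract but does not appear in this example file at all.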