diff --git a/books/main_servers.yml b/books/main_servers.yml index 6a51513..493246b 100644 --- a/books/main_servers.yml +++ b/books/main_servers.yml 
@@ -1,256 +1,257 @@ --- - name: Get local commit hosts: 127.0.0.1 tags: always connection: local gather_facts: false tasks: - shell: "git show-ref -s --head HEAD | head -n 1" register: commit tags: [ 'always' ] - name: Configure Jump Server hosts: lbs tags: conf-lbs vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" port: 222 user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix postfix_mynetworks: [ "{{ ip_range }}" ] enable_postfix_relayhost: false - role: ../roles/letsencrypt when: env != "test" - role: ../roles/haproxy - role: ../roles/jump tasks: - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" #- name: Configure keepalived for jump # hosts: c4science-jump00 # roles: # - role: ../rolesepalived # keepalived_shared_ip: "{{ external_ip }}" # keepalived_role: ../rolesaster" #- name: Configure keepalived for jump2 # hosts: c4science-jump01 # roles: # - role: ../rolesepalived # keepalived_shared_ip: "{{ external_ip }}" # keepalived_role: ../roleslave" # tasks: # - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" - name: Configure Monitoring Server hosts: monit tags: conf-monit vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix tags: [ 'common' ] - role: ../roles/logcheck - role: ../roles/rsyslog - { role: ../roles/apache, apache_config: placeholder.conf } - role: ../roles/nagios - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/ganglia-gmetad tasks: - include: 
../roles/galera/tasks/install.yml yum_repo: ../roles/galera/files/yum.repo - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" - name: Configure Databases hosts: dbs tags: conf-dbs vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/galera tasks: - include: ../roles/phabricator/tasks/packages.yml - include: ../roles/phabricator/tasks/users.yml - include: ../roles/phabricator/tasks/install.yml myconfig=../roles/phabricator/templates/myconfig.conf.php - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" - name: Configure App hosts: app handlers: - include: handlers/main.yml tags: conf-app vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix + postfix_mynetworks: [ "127.0.0.0/8", "{{ internal_ip }}" ] tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - { role: ../roles/apache, apache_config: phabricator.conf } - role: ../roles/glusterfs tags: ['gluster'] - role: ../roles/phabricator - role: ../roles/shibboleth tasks: - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" - name: Configure Filesystem for repositories hosts: fs tags: conf-fs vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap 
tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/glusterfs tags: ['gluster'] - role: ../roles/fs tags: ['gluster'] tasks: - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" - name: Configure App Daemons hosts: phd tags: conf-phd vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/glusterfs tags: ['gluster'] tasks: - include: ../roles/phabricator/tasks/packages.yml - include: ../roles/phabricator/tasks/users.yml - include: ../roles/phabricator/tasks/glusterfs.yml - include: ../roles/phabricator/tasks/install.yml myconfig=../roles/phabricator/templates/myconfig.conf.php #- include: ../roles/phabricator/tasks/customize.yml #might be needed sometime - include: ../roles/phabricator/tasks/daemons.yml phd_init: ../roles/phabricator/templates/phd_init - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" - name: Configure Jenkins master hosts: ci vars_files: - "{{ var }}" vars: nagios_nrpe_server_allowed_hosts: "{{ groups['monit'][0] }},127.0.0.1" user: centos sudo: yes roles: - role: ../roles/common tags: [ 'common' ] - role: ../roles/swap/roles/swap tags: [ 'common' ] - role: ../roles/nrpe tags: [ 'common', 'conf-monit' ] - role: ../roles/postfix tags: [ 'common' ] - role: ../roles/ganglia-gmond tags: [ 'common' ] - role: ../roles/jenkins plugins: - 'ansicolor' - 'build-monitor-plugin' - 'build-token-root' - 'cluster-stats' - 'docker-plugin' - 'embeddable-build-status' - 'git' - 'jobgenerator' - 'job-restrictions' - 
'ownership' - 'phabricator-plugin' - 'preSCMbuildstep' - 'project-stats-plugin' - 'role-strategy' prefix: "{{ jenkins_prefix }}" email: smtp_host: 'localhost' smtp_ssl: 'false' default_email_suffix: "@{{ domain }}" - role: ../roles/ci tags: [ 'jenkins' ] tasks: - shell: "echo {{ hostvars['127.0.0.1']['commit']['stdout'] }} > /{{ project_name }}_version" #- name: Configure Jenkins slave # hosts: ci-slave # tags: conf-ci-slave # vars_files: # - "{{ var }}" # user: core # sudo: yes # roles: # - role: ../rolescker diff --git a/roles/jump/handlers/main.yml b/roles/jump/handlers/main.yml index a9696da..6bd7857 100644 --- a/roles/jump/handlers/main.yml +++ b/roles/jump/handlers/main.yml @@ -1,16 +1,19 @@ --- - name: reload ssh service: name: sshd state: reloaded - name: restart postfix service: name: postfix state: restarted - name: rebuild aliases shell: newaliases - name: rebuild headers shell: postmap /etc/postfix/header_checks + +- name: rebuild transport + shell: postmap /etc/postfix/transport diff --git a/roles/jump/tasks/main.yml b/roles/jump/tasks/main.yml index e692873..c64b177 100644 --- a/roles/jump/tasks/main.yml +++ b/roles/jump/tasks/main.yml 
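Review bot: The new `postfix_mynetworks: [ "127.0.0.0/8", "{{ internal_ip }}" ]` on the app play lists `{{ internal_ip }}` as a bare address, which Postfix treats as a single host, and the hunk does not show which host that variable names. The jump role in this same commit starts relaying `phabricator@{{ domain }}` to `{{ groups.app[0] }}:25`, so the app's trusted list must cover the jump host; if `internal_ip` is the app host's own address, that relay is refused unless the domain is also in the app's `mydestination`. The lbs play already uses `postfix_mynetworks: [ "{{ ip_range }}" ]`; either reuse the range here or name the jump host explicitly (e.g. `"{{ hostvars[groups['lbs'][0]]['internal_ip'] }}"` if `internal_ip` is a per-host variable), and add a comment such as `# must include the jump host: it relays phabricator@domain to app:25 (roles/jump)`. This hunk spans the whole playbook; the remaining plays are unchanged.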
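Review bot: The new handler is named `rebuild transport`, but the task added to roles/jump/tasks/main.yml in this same commit notifies `reload transport`, so Ansible stops with an unknown-handler error and the transport map is never built. Rename one side so they agree, e.g. `notify: rebuild transport`, which also matches the existing `rebuild aliases` / `rebuild headers` naming. The command uses no shell syntax, so `command: postmap /etc/postfix/transport` is the safer module choice. Regenerating the `.db` does not make Postfix pick up the new `transport_maps` parameter in main.cf; that still needs the existing `restart postfix` handler or a `postfix reload`.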
@@ -1,179 +1,190 @@ --- - yum: name="{{ item }}" state=present with_items: - firewalld - nmap-ncat - socat - service: name=firewalld state=started enabled=true - name: SSH Config for admin copy: src: sshd_config dest: /etc/ssh/sshd_config notify: reload ssh - firewalld: port: "{{ item }}/tcp" permanent: true state: enabled immediate: true with_items: - "{{ stats_port }}" # haproxy - "{{ monit_port }}" # ganglia - "{{ vcs_port_front }}" # phabricator ssh - "{{ vcs_port_back }}" # phabricator ssh - 222 # admin ssh - 80 # phabricator http - 443 # phabricator http - 25 # smtp - firewalld: port: "{{ item }}/tcp" permanent: true state: disabled immediate: true with_items: - "{{ jenkins_port }}" # jenkins - 8083 # test shibboleth - firewalld: port: "{{ item }}/tcp" source: "{{ ip_range }}" immediate: true permanent: true zone: internal state: enabled with_items: - 25 # smtp - 5666 # nrpe - 8649 # ganglia - firewalld: port: "{{ item }}/udp" source: "{{ ip_range }}" immediate: true permanent: true zone: internal state: enabled with_items: - 8649 # ganglia # Email - name: Allow incoming email, remove old config lineinfile: dest: /etc/postfix/main.cf line: "mydestination = {{ ansible_fqdn }}, localhost" state: absent - name: Allow incoming email lineinfile: dest: /etc/postfix/main.cf line: "mydestination = {{ domain }}, {{ ansible_fqdn }}, localhost" notify: restart postfix - name: Header to filter in postfix copy: src: header_checks dest: /etc/postfix/header_checks - name: Hide originating host for postfix lineinfile: dest: /etc/postfix/main.cf line: "header_checks = regexp:/etc/postfix/header_checks" notify: rebuild headers +- name: Redirect phabricator inbound email using transport + lineinfile: + dest: /etc/postfix/main.cf + line: "transport_maps = hash:/etc/postfix/transport" + +- name: Redirect phabricator inbound email + lineinfile: + dest: /etc/postfix/transport + line: "phabricator@{{ domain }} relay:[{{ groups.app[0] }}]:25" # FIXME: Use haproxy + notify: reload 
transport + - name: Remove alias for postmaster email lineinfile: dest: /etc/aliases line: "postmaster:\troot" state: absent notify: rebuild aliases - name: Alias for postmaster email lineinfile: dest: /etc/aliases line: "postmaster: {{ email_alias_postmaster }}" notify: rebuild aliases - name: Alias for postmaster admin lineinfile: dest: /etc/aliases line: "admin: {{ email_alias_admin }}" notify: rebuild aliases # TODO: Redirect to app instance ? - name: Alias for phabricator email lineinfile: dest: /etc/aliases line: "phabricator: {{ email_alias_phabricator }}" notify: rebuild aliases - name: Use letsencrypt cert for postfix file: path: /etc/ssl/certs/ssl-cert-snakeoil.pem src: "/etc/letsencrypt/live/{{ domain }}/cert.pem" state: link when: env != "test" - name: Use letsencrypt cert directory file: path: /etc/ssl/private/ state: directory - name: Use letsencrypt cert key for postfix file: path: /etc/ssl/certs/ssl-cert-snakeoil.key src: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" state: link when: env != "test" - name: Use letsencrypt cert key for postfix file: path: /etc/ssl/private/ssl-cert-snakeoil.key src: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" state: link when: env != "test" # SSL self-signed certificate for TEST - name: create self-signed SSL cert shell: openssl req -new -nodes -x509 -subj "/C=VD/ST=Vaud/L=Lausanne/O=c4science/CN={{ domain }}" -days 3650 -keyout /etc/ssl/certs/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -extensions v3_ca args: creates: /etc/ssl/certs/ssl-cert-snakeoil.pem when: env == "test" - name: Link to snakeoil cert for postfix file: path: /etc/ssl/private/ssl-cert-snakeoil.pem src: /etc/ssl/certs/ssl-cert-snakeoil.pem state: link when: env == "test" - name: Fake letsencrypt directory file: path: "/etc/letsencrypt/live/{{ domain }}/" state: directory when: env == "test" - name: Fake letsencrypt certificate key file file: path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" src: 
/etc/ssl/certs/ssl-cert-snakeoil.key state: link when: env == "test" - name: Fake letsencrypt certificate file file: path: "/etc/letsencrypt/live/{{ domain }}/cert.pem" src: /etc/ssl/certs/ssl-cert-snakeoil.pem state: link when: env == "test" - name: create combined certificate for haproxy shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.* > /etc/letsencrypt/live/{{ domain }}/combined.pem" args: creates: "/etc/letsencrypt/live/{{ domain }}/combined.pem" when: env == "test" diff --git a/roles/phabricator/handlers/main.yml b/roles/phabricator/handlers/main.yml index 8789862..c6dee03 100644 --- a/roles/phabricator/handlers/main.yml +++ b/roles/phabricator/handlers/main.yml @@ -1,26 +1,29 @@ --- - name: reload apache service: name: httpd state: reloaded - name: restart sshd_phabricator service: name: sshd_phabricator state: restarted - name: restart glusterd service: name: glusterd state: restarted - name: restart phd shell: service phd restart - name: reload systemctl shell: systemctl daemon-reload - name: restart gmond service: name: gmond state: restarted + +- name: rebuild transport + shell: postmap /etc/postfix/transport diff --git a/roles/phabricator/tasks/install.yml b/roles/phabricator/tasks/install.yml index 3421ec9..1b2484d 100644 --- a/roles/phabricator/tasks/install.yml +++ b/roles/phabricator/tasks/install.yml 
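Review bot: The `transport_maps = hash:/etc/postfix/transport` lineinfile has no `notify`, so the running Postfix never learns about the new parameter until something else restarts it; add `notify: restart postfix` to that task. The transport entry is written with `line:` only, so if `{{ groups.app[0] }}` ever changes the stale entry stays in the file and, being first, keeps matching; anchor it with `regexp: '^phabricator@{{ domain }}\s'`. The `notify: reload transport` on that task does not match the `rebuild transport` handler this commit adds to roles/jump/handlers/main.yml, which aborts the play. The relay target `[{{ groups.app[0] }}]` is the inventory hostname; it bypasses MX lookup but delivers to whatever address that name resolves to, and with Postfix's default of no outbound TLS the mail would cross the external network in clear if that is a public name, so confirm it resolves internally or set `smtp_tls_security_level` accordingly.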
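Review bot: The handler name `rebuild transport` does not match the `notify: reload transport` used by the task added to roles/phabricator/tasks/install.yml in this commit, and even once aligned it is only reachable from plays that load the phabricator role. books/main_servers.yml also includes `tasks/install.yml` directly as a task list in the `dbs` and `phd` plays, where role handlers are not loaded, so the notify fails there regardless of the name. Rename to match (`reload transport`, or change the task to `rebuild transport`) and prefer `command:` over `shell:` since no shell features are used. A comment such as `# only reachable when the phabricator role is applied; bare includes of tasks/install.yml cannot notify it` would save the next reader the search.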
@@ -1,77 +1,88 @@ --- ## Install Phabricator # Source: https://github.com/relrod/phabricator-ansible - name: Create log directory file: state=directory path=/var/log/phabricator owner="{{ phd_user }}" group="{{ phd_user }}" - name: Create directory file: state=directory path=/srv/www owner="{{ phd_user }}" - name: Create tmp directory file: state=directory path=/var/tmp/phd/ owner="{{ phd_user }}" - name: Clone phacility/libphutil git: repo: https://github.com/phacility/libphutil dest: "{{ phabricator_path }}libphutil" version: "{{ phabricator_branch }}" update: false sudo_user: "{{ phd_user }}" - name: Clone phacility/arcanist git: repo: https://github.com/phacility/arcanist.git dest: "{{ phabricator_path }}arcanist" version: "{{ phabricator_branch }}" update: false sudo_user: "{{ phd_user }}" - name: Create symlink for arc file: path: /usr/local/bin/arc src: "{{ phabricator_path }}arcanist/bin/arc" state: link - name: Clone phacility/phabricator git: repo: https://github.com/phacility/phabricator.git dest: "{{ phabricator_path }}phabricator" version: "{{ phabricator_branch }}" update: false sudo_user: "{{ phd_user }}" - name: Remove local configuration if present file: path="{{ phabricator_path }}phabricator/conf/local/local.json" state=absent - name: Create a conf/custom directory. 
file: state=directory path={{ phabricator_path }}phabricator/conf/custom sudo_user: "{{ phd_user }}" - name: Place a starting-point custom config in {{ phabricator_path }}phabricator/conf/custom/myconfig.conf.php template: src: "{{ myconfig }}" dest: "{{ phabricator_path }}phabricator/conf/custom/myconfig.conf.php" mode: 0644 owner: root group: "{{ phd_user }}" notify: reload apache - name: Include the config shell: echo 'custom/myconfig' > {{ phabricator_path }}phabricator/conf/local/ENVIRONMENT args: creates: "{{ phabricator_path }}phabricator/conf/local/ENVIRONMENT" sudo_user: "{{ phd_user }}" - name: Migrate the database command: chdir={{ phabricator_path }}phabricator ./bin/storage upgrade --force sudo_user: "{{ phd_user }}" run_once: yes when: "'app' in group_names" +- name: Redirect phabricator inbound email using transport + lineinfile: + dest: /etc/postfix/main.cf + line: "transport_maps = hash:/etc/postfix/transport" + +- name: Redirect phabricator inbound email locally + lineinfile: + dest: /etc/postfix/transport + line: "phabricator@{{ domain }} local:" + notify: reload transport + - name: Email with postfix lineinfile: dest: /etc/aliases line: "{{ phd_user }}: |{{ phabricator_path }}phabricator/scripts/mail/mail_handler.php" when: "'app' in group_names" diff --git a/roles/phabricator/tasks/packages.yml b/roles/phabricator/tasks/packages.yml index 2bd5ed4..76190d1 100644 --- a/roles/phabricator/tasks/packages.yml +++ b/roles/phabricator/tasks/packages.yml @@ -1,27 +1,29 @@ --- - yum: name="{{ item }}" state=present enablerepo=cr #FIXME: disable when libunwind is in Base again with_items: - php - php-mysql - php-gd - php-mbstring - php-posix - php-pear - php-devel - php-ldap + - php-mbstring + - php-pecl-mailparse - pcre-devel - rdiff-backup - mercurial - subversion - gcc-c++ - ImageMagick - patch - yum: name="{{ item }}" state=absent with_items: - php-pecl-apcu
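Review bot: The two new transport tasks run unconditionally, whereas the neighbouring `Migrate the database` and `Email with postfix` tasks are guarded with `when: "'app' in group_names"`; since this file is also included on the `dbs` and `phd` hosts from books/main_servers.yml, those hosts get a `transport_maps` parameter and a transport file they don't need, and their `notify: reload transport` points at a handler that is unavailable in a bare task include (and is named `rebuild transport` in roles/phabricator/handlers/main.yml anyway). Add the same `when` guard to both tasks, `notify: restart postfix` on the main.cf change so the parameter takes effect, and `regexp: '^phabricator@{{ domain }}\s'` on the transport line so a changed domain does not leave a stale first-match entry. Whether `local:` delivery of `phabricator@{{ domain }}` actually reaches the `{{ phd_user }}` pipe alias set up below depends on `phabricator` and `phd_user` being the same local name, which the hunk does not show; a comment stating that assumption would help.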