# create a new proxy server
#
# Pulls in the shared virt-create sub-playbook for every host in the
# proxies and proxies-stg groups except proxy05 and proxy07.  Presumably
# those two are not libvirt guests (or are created some other way) --
# confirm against the inventory before adding or removing exclusions.
# Note the host pattern is passed as an inline "myhosts=" include variable.
- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=proxies:proxies-stg:!proxy07.fedoraproject.org:!proxy05.fedoraproject.org"
# Play 1: base OS build for every proxy, staging and production alike.
#
# Runs as root over SSH.  This is the only play in the file that gathers
# facts; the later plays set gather_facts: false but still template
# {{ ansible_distribution }} into their vars_files, so they rely on the facts
# collected here (or on a fact cache) being available in the same run.
- name: make the box be real
  hosts: proxies-stg:proxies
  user: root
  gather_facts: true

  # /srv/private/ansible/vars.yml is kept outside the public repo tree;
  # anything secret should come from there, never from global.yml.
  # NOTE(review): confirm nothing sensitive has crept into the public files.
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  # Roles are applied in list order.  mirrorlist_proxy is staging-only;
  # openvpn/client is applied everywhere except staging.
  roles:
    - base
    - rkhunter
    - nagios/client
    - collectd/base
    - sudo
    - rsyncd
    - role: mirrormanager/mirrorlist_proxy
      when: env == "staging"
    - role: openvpn/client
      when: env != "staging"
    - apache

  tasks:
    - include: "{{ tasks }}/yumrepos.yml"
    - include: "{{ tasks }}/2fa_client.yml"
    - include: "{{ tasks }}/motd.yml"

    # You might think we would want these tasks on the proxy nodes, but they
    # actually deliver a configuration that our proxy-specific roles below then
    # go and overwrite... so, let's just leave them out.
    #- include: "{{ tasks }}/apache.yml"
    #- include: "{{ tasks }}/mod_wsgi.yml"

  handlers:
    - include: "{{ handlers }}/restart_services.yml"
# TODO
#
# - fedora-web::build (bapp0*)
# - fedora-docs::build (bapp0*)
# - review-stats::build (bapp0*)
# - membership-map::build (bapp0*)
#
## TBD
# - sysctl ip_conntrack_max bits - do we still need this on rhel7?
# - semanage ports.. we're likely going to need one for every app.
# - sebooleans.. let's try running first, see what gets blocked, and then
#   selectively enable where semanage port fails
#
## Not going to do
# - smolt::proxy -- not going to do this. smolt is dead. long live smolt.
# - domainnotarget stuff - only smolt used this
# Play 2: proxy-specific base services (httpd as a proxy, varnish).
#
# gather_facts is off here; {{ ansible_distribution }} in vars_files is
# expected to be satisfied by the facts gathered in the first play of this
# file (or by a fact cache) -- running this play on its own will not work
# unless facts are available some other way.
- name: Set up the proxy basics
  hosts: proxies-stg:proxies
  user: root
  gather_facts: false

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
    - include: "{{ handlers }}/restart_services.yml"

  # Currently empty: the release-cycle cleanup below is kept commented out
  # and re-enabled when needed.
  pre_tasks:
    #
    # When we have a prerelease we also need to drop the config files.
    #
    # - name: Remove prerelease-to-final redirect configs
    #   file:
    #     path: "/etc/httpd/conf.d/{{ item }}-redirectmatch.conf"
    #     state: absent
    #   with_items:
    #     - spins.fedoraproject.org/prerelease-to-final-spins-1
    #     - spins.fedoraproject.org/prerelease-to-final-spins-2
    #     - labs.fedoraproject.org/prerelease-to-final-labs-1
    #     - labs.fedoraproject.org/prerelease-to-final-labs-2
    #     - arm.fedoraproject.org/prerelease-to-final-arm-1
    #     - arm.fedoraproject.org/prerelease-to-final-arm-2
    #     - getfedora.org/prerelease-to-final-gfo
    #     - spins.fedoraproject.org/prerelease-to-final-spins
    #     - labs.fedoraproject.org/prerelease-to-final-labs
    #     - arm.fedoraproject.org/prerelease-to-final-arm
    #   tags:
    #     - httpd/redirect

  roles:
    - httpd/proxy
    - varnish
    #
    # Re-run hosts here so things are ok for the haproxy check
    #
    - hosts
# After setting up the "basics" of the proxy hosts above, here below we break
# out the proxy-specific configuration into a couple of different sub-playbooks.
# Otherwise, this file would be unbearably long.
# Each include below is a separate sub-playbook.  They run in the order
# listed, after the "Set up the proxy basics" play and before the final
# "Make sure we are deployed fully" play.
# NOTE(review): certificates are deployed first and haproxy near last --
# presumably because later vhost/reverseproxy config references the certs
# and the haproxy health check needs the websites in place.  Confirm before
# reordering.
- include: /srv/web/infra/ansible/playbooks/include/proxies-certificates.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-websites.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-reverseproxy.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-rewrites.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-redirects.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-fedora-web.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-haproxy.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-miscellaneous.yml
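# Play 3: final steps that must be true on a fully deployed proxy:
# the TLS session ticket key, the synced docs tree and correct SELinux
# labels under /srv, then the fas_client role.
#
# gather_facts is off; {{ ansible_distribution }} in vars_files relies on
# facts from the first play of this file (or a fact cache).
- name: Make sure we are deployed fully
  hosts: proxies-stg:proxies
  user: root
  gather_facts: false

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
    - include: "{{ handlers }}/restart_services.yml"

  pre_tasks:
    #
    # If this is an initial deployment, we need the initial ticketkey
    # If it's not, doesn't hurt to copy it over again
    #
    # The same per-environment key goes to every proxy in the group.  It is
    # read from /root on the control host and written root-only (0600) on the
    # target; "reload httpd" must exist in restart_services.yml for the
    # notify to work.
    # NOTE(review): this play only copies whatever key is currently in /root
    # -- it does not rotate it.  A session-ticket key that is never rotated
    # weakens forward secrecy for resumed TLS sessions; rotation has to be
    # handled elsewhere.
    - name: deploy ticket key
      copy:
        src: /root/ticketkey_{{env}}.tkey
        dest: /etc/httpd/ticketkey_{{env}}.tkey
        owner: root
        group: root
        mode: "0600"   # quoted: an unquoted 0600 is parsed as an integer by YAML
      notify:
        - reload httpd

    #
    # If this is an initial deployment, make sure docs are synced over.
    # Do not count these as changed ever
    #
    # Deliberately best-effort: failures are ignored and all output is
    # discarded, so a broken sync will NOT be visible in the play output --
    # check the docs tree on the host if content looks stale.
    # Redirect written as POSIX ">/dev/null 2>&1" rather than bash-only ">&".
    - name: make sure docs are synced. This could take a very very very long time to finish
      shell: /usr/local/bin/lock-wrapper docs-sync "/usr/local/bin/docs-rsync" >/dev/null 2>&1
      changed_when: false
      ignore_errors: true

    # restorecon always reports "changed" otherwise; relabeling is idempotent.
    - name: make sure selinux contexts are right on srv
      command: restorecon -R /srv
      changed_when: false

  roles:
    - fas_client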