ansible/inventory/group_vars/proxies

---
# Define resources for this group of hosts here.
blocked_ip_v6: []
blocked_ips: ['14.102.69.78', '104.219.54.236', '103.38.177.2', '110.172.140.98', '183.80.131.253', '113.190.178.137', '115.76.39.108', '116.109.31.204', '209.64.155.56']
collectd_apache: true
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Provides frontend (reverse) proxy for most web applications
csi_relationship: |
  Using Apache -> haproxy, these hosts contact app servers and
      other various hosts to provide web applications at sites like
      fedoraproject.org and admin.fedoraproject.org.  The proxy servers are
      balanced via dns and geoIP and are spread all over the place.
# For the MOTD
csi_security_category: Moderate
custom_rules: [
  # Need for rsync from log01 for logs.
  '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
  # allow varnish from localhost
  '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
  # also allow varnish from internal for purge requests
  '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.0/24 --dport 6081 -j ACCEPT',
  # Allow happinesspackets.fedorainfracloud.org to talk to inbound fedmsg relay.
  '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.58 -j ACCEPT',
  # Allow openqa01 to talk to the inbound fedmsg relay.
  '-A INPUT -p tcp -m tcp --dport 9941 -s 10.3.174.0/24 -j ACCEPT',
  # For Zanata
  # See files/httpd/website_id_fp_o_zanata.conf for info
  '-A INPUT -p tcp -m tcp --dport 44342 -s 209.132.183.252 -j ACCEPT',
  '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
ipa_client_shell_groups:
  - fi-apprentice
  - sysadmin-noc
  - sysadmin-veteran
  - sysadmin-web
ipa_client_sudo_groups:
  - sysadmin-web
ipa_host_group: proxies
ipa_host_group_desc: Proxies between internal hosts and the Internet
lvm_size: 50000
# This is used in the httpd.conf to determine the value for serverlimit and
# maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this
# should be lowered in the host vars for that proxy.
maxrequestworkers: 1500
mem_size: 8192
nagios_Check_Services:
  swap: false
nat_rules: [
  # For Zanata, redirect 443/tcp -> 43342/tcp for TLS reasons
  # See files/httpd/website_id_fp_o_zanata.conf for info
  '-A PREROUTING -s 209.132.183.252 -p tcp --dport 443 -j REDIRECT --to 44342']
num_cpus: 6
ocp_masters:
  - bootstrap.ocp.iad2.fedoraproject.org
  - ocp01.ocp.iad2.fedoraproject.org
  - ocp02.ocp.iad2.fedoraproject.org
  - ocp03.ocp.iad2.fedoraproject.org
ocp_nodes:
  - worker01.ocp.iad2.fedoraproject.org
  - worker02.ocp.iad2.fedoraproject.org
  - worker03.ocp.iad2.fedoraproject.org
  - worker04.ocp.iad2.fedoraproject.org
  - worker05.ocp.iad2.fedoraproject.org
  - worker06.ocp.iad2.fedoraproject.org
openshift_masters:
  - os-master01.vpn.fedoraproject.org
  - os-master02.vpn.fedoraproject.org
  - os-master03.vpn.fedoraproject.org
openshift_nodes:
  - os-node01.vpn.fedoraproject.org
  - os-node02.vpn.fedoraproject.org
  - os-node03.vpn.fedoraproject.org
postvpnservices:
  - haproxy
  - varnish
primary_auth_source: ipa
tcp_ports: [
  # For apache, generally.
  80, 443,
  # This is for TCP krb5
  1088,
  # This is for RabbitMQ public access
  5671,
  # openshift 4 api
  6443,
  # This is for RabbitMQ internal-public access
  15671,
  # This is for the haproxy HTML stats page
  # TODO -- there's no need for this to be wide open to the world.  With this
  # in place, you can visit https://apps.fedoraproject.org:8080 and get the
  # haproxy stats page.  We should close this and just have admins go through
  # the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1
  8080,
  # This is for TOTP
  8443,
  # For fedmsg websocket server over stunnel
  9939,
  # For fedmsg raw zeromq socket (outbound)
  9940,
  # 9941 is closed generally, is for the inbound fedmsg and is covered in
  # custom_rules
]
varnish_group: proxies
Add first cut at a ansible prod proxy: proxy03.fedoraproject.org 2015-01-20 20:42:17 +00:00			`---`
			`# Define resources for this group of hosts here.`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`blocked_ip_v6: []`
			`blocked_ips: ['14.102.69.78', '104.219.54.236', '103.38.177.2', '110.172.140.98', '183.80.131.253', '113.190.178.137', '115.76.39.108', '116.109.31.204', '209.64.155.56']`
			`collectd_apache: true`
			`csi_primary_contact: Fedora Admins - admin@fedoraproject.org`
			`csi_purpose: Provides frontend (reverse) proxy for most web applications`
			`csi_relationship: \|`
			`Using Apache -> haproxy, these hosts contact app servers and`
			`other various hosts to provide web applications at sites like`
			`fedoraproject.org and admin.fedoraproject.org. The proxy servers are`
			`balanced via dns and geoIP and are spread all over the place.`
			`# For the MOTD`
			`csi_security_category: Moderate`
			`custom_rules: [`
			`# Need for rsync from log01 for logs.`
			`'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',`
			`# allow varnish from localhost`
			`'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',`
			`# also allow varnish from internal for purge requests`
			`'-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.0/24 --dport 6081 -j ACCEPT',`
			`# Allow happinesspackets.fedorainfracloud.org to talk to inbound fedmsg relay.`
			`'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.58 -j ACCEPT',`
			`# Allow openqa01 to talk to the inbound fedmsg relay.`
			`'-A INPUT -p tcp -m tcp --dport 9941 -s 10.3.174.0/24 -j ACCEPT',`
			`# For Zanata`
			`# See files/httpd/website_id_fp_o_zanata.conf for info`
			`'-A INPUT -p tcp -m tcp --dport 44342 -s 209.132.183.252 -j ACCEPT',`
proxies: open ocp4 api port in both stg and prod This fixes ticket 10521. Basically we want to just open the api. It requires auth to do anything and other openshift instances have it available, so it shouldn't hopefully expose us to too much risk. With ocp3 the api was part of the normal port/web flow, but with ocp4 it's a seperate port. This also adds new workers to haproxy. I can drop that part if it's controversal, but it should be fine I would think. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-03 12:51:39 -08:00			'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`ipa_client_shell_groups:`
			`- fi-apprentice`
			`- sysadmin-noc`
			`- sysadmin-veteran`
			`- sysadmin-web`
			`ipa_client_sudo_groups:`
			`- sysadmin-web`
			`ipa_host_group: proxies`
			`ipa_host_group_desc: Proxies between internal hosts and the Internet`
Give proxies more disk Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-11-21 21:48:23 +00:00			`lvm_size: 50000`
Killed trailing spaces in group/host vars with fire. Normally it's just a nitpick to not have trailing spaces on variables. However, for some things like mac address, it really matters. Bunches of buildhw's were failing ansibile because they were passing "mac address " to linux-system-roles networking and ansible was going 'huh, nope, I can't find that mac address here at all'. So, just blow all the tailing spaces away to avoid any other variables that hit this. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-05-04 08:52:52 -07:00			`# This is used in the httpd.conf to determine the value for serverlimit and`
			`# maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this`
Stab at making our lower mem proxies happier so they don't nagios flood us 2015-02-06 18:16:31 +00:00			`# should be lowered in the host vars for that proxy.`
proxies: increase max workers Also add a ssl connection cache. These changes are live on proxy01/10 and seem to have made them stable again. Will look at pushing to the rest tomorrow. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-09-21 16:19:14 -07:00			`maxrequestworkers: 1500`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`mem_size: 8192`
nagios: stop checking swap on more hosts Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-01-31 11:25:33 -08:00			`nagios_Check_Services:`
			`swap: false`
Move this rule to nat_rules Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org> 2019-04-13 21:47:45 +02:00			`nat_rules: [`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`# For Zanata, redirect 443/tcp -> 43342/tcp for TLS reasons`
			`# See files/httpd/website_id_fp_o_zanata.conf for info`
			`'-A PREROUTING -s 209.132.183.252 -p tcp --dport 443 -j REDIRECT --to 44342']`
			`num_cpus: 6`
metrics-for-apps: Adding inventory/groupvars/changes for ocp prod Signed-off-by: David Kirwan <dkirwan@redhat.com> 2021-08-30 13:12:45 +09:00			`ocp_masters:`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`- bootstrap.ocp.iad2.fedoraproject.org`
			`- ocp01.ocp.iad2.fedoraproject.org`
			`- ocp02.ocp.iad2.fedoraproject.org`
			`- ocp03.ocp.iad2.fedoraproject.org`
metrics-for-apps: Adding inventory/groupvars/changes for ocp prod Signed-off-by: David Kirwan <dkirwan@redhat.com> 2021-08-30 13:12:45 +09:00			`ocp_nodes:`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`- worker01.ocp.iad2.fedoraproject.org`
			`- worker02.ocp.iad2.fedoraproject.org`
			`- worker03.ocp.iad2.fedoraproject.org`
ocp4: add worker04 prod node Signed-off-by: Mark O Brien <markobri@redhat.com> 2022-02-01 14:57:45 +00:00			`- worker04.ocp.iad2.fedoraproject.org`
ocp4: add initial config for worker05 prod Signed-off-by: Mark O Brien <markobri@redhat.com> 2022-02-07 15:35:38 +00:00			`- worker05.ocp.iad2.fedoraproject.org`
ocp4: add proxy settings for worker06 Signed-off-by: Mark O Brien <markobri@redhat.com> 2022-02-10 14:33:19 +00:00			`- worker06.ocp.iad2.fedoraproject.org`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`openshift_masters:`
			`- os-master01.vpn.fedoraproject.org`
			`- os-master02.vpn.fedoraproject.org`
			`- os-master03.vpn.fedoraproject.org`
			`openshift_nodes:`
			`- os-node01.vpn.fedoraproject.org`
			`- os-node02.vpn.fedoraproject.org`
			`- os-node03.vpn.fedoraproject.org`
			`postvpnservices:`
			`- haproxy`
			`- varnish`
			`primary_auth_source: ipa`
			`tcp_ports: [`
			`# For apache, generally.`
			`80, 443,`
			`# This is for TCP krb5`
			`1088,`
			`# This is for RabbitMQ public access`
			`5671,`
proxies: open ocp4 api port in both stg and prod This fixes ticket 10521. Basically we want to just open the api. It requires auth to do anything and other openshift instances have it available, so it shouldn't hopefully expose us to too much risk. With ocp3 the api was part of the normal port/web flow, but with ocp4 it's a seperate port. This also adds new workers to haproxy. I can drop that part if it's controversal, but it should be fine I would think. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-03 12:51:39 -08:00			`# openshift 4 api`
			`6443,`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`# This is for RabbitMQ internal-public access`
			`15671,`
			`# This is for the haproxy HTML stats page`
			`# TODO -- there's no need for this to be wide open to the world. With this`
			`# in place, you can visit https://apps.fedoraproject.org:8080 and get the`
			`# haproxy stats page. We should close this and just have admins go through`
			`# the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1`
			`8080,`
			`# This is for TOTP`
			`8443,`
			`# For fedmsg websocket server over stunnel`
			`9939,`
			`# For fedmsg raw zeromq socket (outbound)`
			`9940,`
			`# 9941 is closed generally, is for the inbound fedmsg and is covered in`
			`# custom_rules`
			`]`
			`varnish_group: proxies`