Add first cut at a ansible prod proxy: proxy03.fedoraproject.org

Kevin Fenzi 2015-01-20 20:42:17 +00:00
parent 58dbc5c375
commit bc1d906cd2
12 changed files with 93 additions and 16 deletions


@ -0,0 +1,67 @@
---
# Define resources for this group of hosts here.
lvm_size: 30000
mem_size: 4192
num_cpus: 2
tcp_ports: [
# For apache, generally.
80,
443,
# This is for rsyncd, wide open to the world.
# TODO - We should lock this down into custom rules so that only certain
# hosts can rsync stuff here, right?
873,
# This is for the varnish cache, oddly, sitting open to the world.
# TODO - We should close this and just have users go through the apache
# reverseproxy like they should be doing anyways.
6081,
# This is for the haproxy HTML stats page
# TODO -- there's no need for this to be wide open to the world. With this
# in place, you can visit https://apps.fedoraproject.org:8080 and get the
# haproxy stats page. We should close this and just have admins go through
# the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1
8080,
# For fedmsg websocket server over stunnel
9939,
# For fedmsg raw zeromq socket (outbound)
9940,
# 9941 is closed generally, is for the inbound fedmsg and is covered in
# custom_rules
]
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
# Allow koschei.cloud to talk to the inbound fedmsg relay.
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
# Allow jenkins.cloud to talk to the inbound fedmsg relay.
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.153 -j ACCEPT',
# Allow copr-be.cloud to talk to the inbound fedmsg relay.
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.131 -j ACCEPT',
# Also, ppc-composer.qa.fedoraproject.org (secondary arch)
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.33 -j ACCEPT',
# Also, ppc-hub.qa.fedoraproject.org (secondary arch koji)
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.21 -j ACCEPT',
# Also, s390-hub01.qa.fedoraproject.org (secondary arch)
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.18 -j ACCEPT',
# Also, arm-hub01.qa.fedoraproject.org (secondary arch)
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.31 -j ACCEPT',
]
fas_client_groups: sysadmin-noc
# For the MOTD
csi_security_category: Moderate
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Provides frontend (reverse) proxy for most web applications
csi_relationship: |
Using Apache -> haproxy, these hosts contact app servers and
other various hosts to provide web applications at sites like
fedoraproject.org and admin.fedoraproject.org. The proxy servers are
balanced via dns and geoIP and are spread all over the place.
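Review bot: tcp_ports at L17–L41 opens 873, 6081 and 8080 to the world on what this commit makes a production proxy, and the file's own TODO comments say each of these should be closed or source-restricted. custom_rules already shows the restricted pattern for 873 (the two log01 `-s ... --dport 873` entries) and for 9941, so the rsync exposure can be handled by removing `873,` from tcp_ports and keeping only those source-limited rules; 6081 and 8080 can be dropped from tcp_ports if the apache reverse-proxy paths the comments describe are in place. If this file was copied from the staging group vars, it is worth settling these now rather than carrying the TODOs into production; the haproxy stats page in particular exposes backend names and health to anyone on 8080.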


@ -9,11 +9,6 @@ tcp_ports: [
80,
443,
# This is for rsyncd, wide open to the world.
# TODO - We should lock this down into custom rules so that only certain
# hosts can rsync stuff here, right?
873,
# This is for the varnish cache, oddly, sitting open to the world.
# TODO - We should close this and just have users go through the apache
# reverseproxy like they should be doing anyways.


@ -0,0 +1,15 @@
---
nm: 255.255.255.240
gw: 66.35.62.174
dns: 198.49.126.1
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
vmhost: tummy01.fedoraproject.org
volgroup: /dev/vg_host
eth0_ip: 66.35.62.162
# This is consumed by the roles/fedora-web/main role
sponsor: tummy


@ -1,5 +1,5 @@
- name: Set up those proxy certificates. Good gravy..
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
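Review bot: The union pattern `hosts: proxies-stg:proxy03.fedoraproject.org` hardcodes a single production host into this play, and the identical edit is repeated in every other playbook in this commit (L114, L123, L132, L141, L150, L159, L168, and three plays at L178, L185 and L191), so the next production proxy means touching all of them again. An inventory group holding the production proxies would let each play read `hosts: proxies-stg:proxies` once and keep the host list in inventory. Note also that matching proxy03 by hostname rather than group membership means it does not inherit proxies-stg group_vars; the new group_vars file in this commit presumably covers it, but it is worth confirming that any staging-specific values these plays rely on are defined for proxy03 as well.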


@ -1,5 +1,5 @@
- name: Set up all that fedora-web goodness. What a wonder!
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True


@ -1,5 +1,5 @@
- name: Set up all the haproxy stuff.
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True


@ -1,5 +1,5 @@
- name: Set up all the other proxy stuff -- miscellaneous
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True


@ -1,5 +1,5 @@
- name: Set up those proxy redirects. Wow!
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True


@ -1,5 +1,5 @@
- name: Set up those ProxyPassReverse statements. Somebody get me a cup of coffee..
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True


@ -1,5 +1,5 @@
- name: Set up some domain rewrites.
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True


@ -1,5 +1,5 @@
- name: Set up those proxy websites. My, my..
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True


@ -1,7 +1,7 @@
# create a new proxy server
- name: make new proxy server
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: False
@ -17,7 +17,7 @@
- include: "{{ handlers }}/restart_services.yml"
- name: make the box be real
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
@ -70,7 +70,7 @@
- name: Set up the proxy basics
hosts: proxies-stg
hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: False