diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
new file mode 100644
index 0000000000..70511e5e9e
--- /dev/null
+++ b/inventory/group_vars/proxies
@@ -0,0 +1,67 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 30000
+mem_size: 4192
+num_cpus: 2
+
+tcp_ports: [
+ # For apache, generally.
+ 80,
+ 443,
+
+ # This is for rsyncd, wide open to the world.
+ # TODO - We should lock this down into custom rules so that only certain
+ # hosts can rsync stuff here, right?
+ 873,
+
+ # This is for the varnish cache, oddly, sitting open to the world.
+ # TODO - We should close this and just have users go through the apache
+ # reverseproxy like they should be doing anyways.
+ 6081,
+
+ # This is for the haproxy HTML stats page
+ # TODO -- there's no need for this to be wide open to the world. With this
+ # in place, you can visit https://apps.fedoraproject.org:8080 and get the
+ # haproxy stats page. We should close this and just have admins go through
+ # the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1
+ 8080,
+
+ # For fedmsg websocket server over stunnel
+ 9939,
+ # For fedmsg raw zeromq socket (outbound)
+ 9940,
+ # 9941 is closed generally, is for the inbound fedmsg and is covered in
+ # custom_rules
+ ]
+custom_rules: [
+ # Need for rsync from log01 for logs.
+ '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
+
+ # Allow koschei.cloud to talk to the inbound fedmsg relay.
+ '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
+ # Allow jenkins.cloud to talk to the inbound fedmsg relay.
+ '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.153 -j ACCEPT',
+ # Allow copr-be.cloud to talk to the inbound fedmsg relay.
+ '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.131 -j ACCEPT',
+ # Also, ppc-composer.qa.fedoraproject.org (secondary arch)
+ '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.33 -j ACCEPT',
+ # Also, ppc-hub.qa.fedoraproject.org (secondary arch koji)
+ '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.21 -j ACCEPT',
+ # Also, s390-hub01.qa.fedoraproject.org (secondary arch)
+ '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.18 -j ACCEPT',
+ # Also, arm-hub01.qa.fedoraproject.org (secondary arch)
+ '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.31 -j ACCEPT',
+ ]
+
+fas_client_groups: sysadmin-noc
+
+# For the MOTD
+csi_security_category: Moderate
+csi_primary_contact: Fedora Admins - admin@fedoraproject.org
+csi_purpose: Provides frontend (reverse) proxy for most web applications
+csi_relationship: |
+ Using Apache -> haproxy, these hosts contact app servers and
+ other various hosts to provide web applications at sites like
+ fedoraproject.org and admin.fedoraproject.org. The proxy servers are
+ balanced via dns and geoIP and are spread all over the place.
diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg
index fdfca018ae..e7a97ca154
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
@@ -9,11 +9,6 @@ tcp_ports: [ 80, 443, - # This is for rsyncd, wide open to the world. - # TODO - We should lock this down into custom rules so that only certain - # hosts can rsync stuff here, right? - 873, - # This is for the varnish cache, oddly, sitting open to the world. - # TODO - We should close this and just have users go through the apache - # reverseproxy like they should be doing anyways.
diff --git a/inventory/host_vars/proxy03.fedoraproject.org b/inventory/host_vars/proxy03.fedoraproject.org
new file mode 100644
index 0000000000..d636a47766
--- /dev/null
+++ b/inventory/host_vars/proxy03.fedoraproject.org
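Review bot: Port `873,` is still listed in `tcp_ports` of the new `proxies` group, which opens rsyncd to every source address and makes the two source-restricted 873 rules in `custom_rules` (10.5.126.13 and 192.168.1.59) dead weight; this same commit removes 873 from `tcp_ports` in proxies-stg for exactly that reason, so the new file should drop the `873,` entry and its three-line TODO as well and let `custom_rules` gate rsyncd, as it already does for 9941. The haproxy stats page on 8080 and varnish on 6081 are likewise world-reachable with only a TODO; the stats page in particular reveals backend hostnames, addresses and health state to anyone, so for a host that this commit is about to make a production proxy the 8080 entry should at least be converted to a source-restricted `custom_rules` line or tracked as a blocking follow-up rather than left as a comment. The 9941 allow-list keys on source IP only, which is acceptable for an internal relay but worth a comment noting that the peers listed here are trusted on address alone.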
@@ -0,0 +1,15 @@
+---
+nm: 255.255.255.240
+gw: 66.35.62.174
+dns: 198.49.126.1
+
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+
+vmhost: tummy01.fedoraproject.org
+volgroup: /dev/vg_host
+
+eth0_ip: 66.35.62.162
+
+# This is consumed by the roles/fedora-web/main role
+sponsor: tummy
diff --git a/playbooks/groups/proxies-certificates.yml b/playbooks/groups/proxies-certificates.yml
index 0f1fd7423e..5395f14686
--- a/playbooks/groups/proxies-certificates.yml
+++ b/playbooks/groups/proxies-certificates.yml
@@ -1,5 +1,5 @@
- name: Set up those proxy certificates. Good gravy..
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
diff --git a/playbooks/groups/proxies-fedora-web.yml b/playbooks/groups/proxies-fedora-web.yml
index dffb1d78db..2350464c94
--- a/playbooks/groups/proxies-fedora-web.yml
+++ b/playbooks/groups/proxies-fedora-web.yml
@@ -1,5 +1,5 @@
- name: Set up all that fedora-web goodness. What a wonder!
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
diff --git a/playbooks/groups/proxies-haproxy.yml b/playbooks/groups/proxies-haproxy.yml
index ea5ffb696f..3d49e657a2
--- a/playbooks/groups/proxies-haproxy.yml
+++ b/playbooks/groups/proxies-haproxy.yml
@@ -1,5 +1,5 @@
- name: Set up all the haproxy stuff.
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
diff --git a/playbooks/groups/proxies-miscellaneous.yml b/playbooks/groups/proxies-miscellaneous.yml
index d8a6485ad2..8ff210ba48
--- a/playbooks/groups/proxies-miscellaneous.yml
+++ b/playbooks/groups/proxies-miscellaneous.yml
@@ -1,5 +1,5 @@
- name: Set up all the other proxy stuff -- miscellaneous
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
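Review bot: `ks_url` and `ks_repo` fetch the kickstart and the RHEL 7 package tree over plain HTTP from 10.5.126.23, an RFC 1918 address, while the only address this host_vars file gives proxy03 is the public `eth0_ip: 66.35.62.162` on a /28 behind `gw: 66.35.62.174`; whether the tummy01 VM host provides a route into 10.5.126.0/24 is not visible here, and if it does not the first provision will simply fail. Since this is an externally sponsored host being built from an internal, unauthenticated install source, a comment stating the expected path would save the next operator a failed build, e.g. `# 10.5.126.23 is only reachable through the tummy01 VM host -- confirm the route before (re)kickstarting`. Nothing else in the file depends on that route, so it is a documentation point rather than a change to the values.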
diff --git a/playbooks/groups/proxies-redirects.yml b/playbooks/groups/proxies-redirects.yml
index e762560db8..1b118ad057
--- a/playbooks/groups/proxies-redirects.yml
+++ b/playbooks/groups/proxies-redirects.yml
@@ -1,5 +1,5 @@
- name: Set up those proxy redirects. Wow!
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
diff --git a/playbooks/groups/proxies-reverseproxy.yml b/playbooks/groups/proxies-reverseproxy.yml
index a16d31032e..1a3b6553f7
--- a/playbooks/groups/proxies-reverseproxy.yml
+++ b/playbooks/groups/proxies-reverseproxy.yml
@@ -1,5 +1,5 @@
- name: Set up those ProxyPassReverse statements. Somebody get me a cup of coffee..
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
diff --git a/playbooks/groups/proxies-rewrites.yml b/playbooks/groups/proxies-rewrites.yml
index 4676df797c..2e1b48d79f
--- a/playbooks/groups/proxies-rewrites.yml
+++ b/playbooks/groups/proxies-rewrites.yml
@@ -1,5 +1,5 @@
- name: Set up some domain rewrites.
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
diff --git a/playbooks/groups/proxies-websites.yml b/playbooks/groups/proxies-websites.yml
index d4b1ecd8c8..f7203171c9
--- a/playbooks/groups/proxies-websites.yml
+++ b/playbooks/groups/proxies-websites.yml
@@ -1,5 +1,5 @@
- name: Set up those proxy websites. My, my..
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
diff --git a/playbooks/groups/proxies.yml b/playbooks/groups/proxies.yml
index ddb3e7b4d8..6d0de008bd
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
@@ -1,7 +1,7 @@
# create a new proxy server
- name: make new proxy server
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: False
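Review bot: The pattern `hosts: proxies-stg:proxy03.fedoraproject.org` hard-codes a single production host into every staging play (this "make new proxy server" play and the same line in the eight other playbooks of this commit), so the next host added to the new `proxies` group will be silently skipped, and any staging-only experiment now also runs as `user: root` against a public production proxy in the same invocation. This commit introduces `inventory/group_vars/proxies`, so presumably proxy03 is a member of that group; if so, target it by group, e.g. `hosts: proxies-stg:proxies`, or better keep production and staging as separate runs so a staging change cannot reach production by accident. If proxy03 is deliberately the only production member for a canary rollout, a comment saying so would make the intent reviewable, e.g. `# proxy03 is the first production proxy on these playbooks; switch to the proxies group once the rest migrate`.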
@@ -17,7 +17,7 @@
- include: "{{ handlers }}/restart_services.yml"
- name: make the box be real
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: True
@@ -70,7 +70,7 @@
- name: Set up the proxy basics
- hosts: proxies-stg
+ hosts: proxies-stg:proxy03.fedoraproject.org
user: root
gather_facts: False