
---
# Play 1: create the proxy guests. Only virt_instance_create.yml runs here;
# nothing else in this file touches a host until the next play.
- name: make new proxy server
  # proxy02 and proxy07 are excluded; the same pattern is repeated by every
  # play in this file, so keep them in sync when editing.
  hosts: proxies-stg:proxies:!proxy02.fedoraproject.org:!proxy07.fedoraproject.org
  # NOTE(review): plays log in directly as root. A non-root remote_user with
  # become would be the least-privilege shape -- confirm against infra policy.
  user: root
  # No fact gathering: at this point the guests may not exist yet.
  gather_facts: false
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - '/srv/private/ansible/vars.yml'
    # NOTE(review): ansible_distribution is a gathered fact; with
    # gather_facts off this entry can only resolve from facts collected
    # elsewhere in the run -- confirm that is the intended behaviour here.
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  handlers:
    - include: '{{ handlers }}/restart_services.yml'
  tasks:
    - include: '{{ tasks }}/virt_instance_create.yml'
# Play 2: bring the new guests up to the common infrastructure baseline
# (base roles, monitoring, FAS users, sudo, 2FA) before anything
# proxy-specific is applied.
- name: make the box be real
  hosts: proxies-stg:proxies:!proxy02.fedoraproject.org:!proxy07.fedoraproject.org
  user: root
  # Facts are gathered here; the distribution-specific vars file below is
  # selected by ansible_distribution.
  gather_facts: true
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - '/srv/private/ansible/vars.yml'
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  roles:
    - base
    - hosts
    - rkhunter
    - nagios_client
    - fas_client
    - collectd/base
    - sudo
    - rsyncd
    # The VPN client is skipped when env is "staging".
    - role: openvpn/client
      when: env != "staging"
  tasks:
    - include: '{{ tasks }}/yumrepos.yml'
    - include: '{{ tasks }}/2fa_client.yml'
    - include: '{{ tasks }}/motd.yml'
    - include: '{{ tasks }}/apache.yml'
    # The generic apache/mod_wsgi task files deliver a configuration that the
    # proxy-specific roles applied later overwrite, which is why mod_wsgi.yml
    # is left out.
    # NOTE(review): apache.yml IS included just above even though the
    # commented-out copy below suggests it was meant to be left out too --
    # confirm whether that include is intentional or stale.
    #- include: "{{ tasks }}/apache.yml"
    #- include: "{{ tasks }}/mod_wsgi.yml"
  handlers:
    - include: '{{ handlers }}/restart_services.yml'
# TODO
#
# - fedora-web::build (bapp0*)
# - fedora-docs::build (bapp0*)
# - review-stats::build (bapp0*)
# - membership-map::build (bapp0*)
#
## TBD
# - sysctl ip_conntrack_max bits - do we still need this on rhel7?
# - semanage ports.. we're likely going to need one for every app.
# - sebooleans.. let's try running first, see what gets blocked, and then
# selectively enable where semanage port fails
#
## Not going to do
# - smolt::proxy -- not going to do this. smolt is dead. long live smolt.
# - domainnotarget stuff - only smolt used this
# Play 3: the proxy-specific baseline -- the httpd reverse-proxy role and
# varnish. The detailed proxy configuration follows in the included
# sub-playbooks further down.
- name: Set up the proxy basics
  hosts: proxies-stg:proxies:!proxy02.fedoraproject.org:!proxy07.fedoraproject.org
  user: root
  # NOTE(review): facts are not gathered in this play, so the
  # ansible_distribution vars file below relies on facts collected by an
  # earlier play in the same run -- confirm this play is never run on its own.
  gather_facts: false
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - '/srv/private/ansible/vars.yml'
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  handlers:
    - include: '{{ handlers }}/restart_services.yml'
  roles:
    - httpd/proxy
    - varnish
# After setting up the "basics" of the proxy hosts above, the proxy-specific
# configuration is broken out into several sub-playbooks, included below.
# Otherwise, this file would be unbearably long.
# Playbook-level includes, run in the order listed. Certificates come first;
# presumably the website/reverse-proxy configuration that follows references
# the installed certificate files -- verify before reordering.
- include: /srv/web/infra/ansible/playbooks/include/proxies-certificates.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-websites.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-reverseproxy.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-rewrites.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-redirects.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-fedora-web.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-haproxy.yml
# Catch-all for proxy configuration that fits none of the files above.
- include: /srv/web/infra/ansible/playbooks/include/proxies-miscellaneous.yml
#- name: Some after the after stuff for proxies.
# hosts: proxies-stg
# user: root
# gather_facts: False
#
# vars_files:
# - /srv/web/infra/ansible/vars/global.yml
# - "/srv/private/ansible/vars.yml"
# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
#
# tasks:
#
# ## TODO - we should audit each one of these sebooleans to make sure they're
# ## really necessary. The proxies are more forward-facing than other machines
# ## so we should take a little more care..
# ## Really, before we are generally allowing httpd to do stuff carte blanche,
# ## we should lock things down with 'semanage port' first. See
# ## roles/fedmsg/base/ for an example.
# #
# #- name: Set some sebooleans
# # seboolean: name={{item}} state=true persistent=true
# # with_items:
# # - httpd_can_network_connect_db
# # - httpd_can_network_relay
# # - httpd_can_network_connect
# # - allow_ypbind
# # tags:
# # - selinux