Move root dotfiles to core role; Add load-balancer role; Update webnode role

files/root-dotfiles

@@ -0,0 +1 @@
+../roles/core/files/root-dotfiles

hosts

@@ -40,6 +40,7 @@ strombola.csclub.uwaterloo.ca
 [syscom:children]
 syscom-bare-metal
 syscom-containers
+load-balancers
 
 [syscom-bare-metal]
 aspartame.csclub.uwaterloo.ca
@@ -66,3 +67,7 @@ nullsleep.csclub.uwaterloo.ca
 
 [mirror]
 potassium-benzoate.csclub.uwaterloo.ca
+
+[load-balancers]
+load-balancer-01.csclub.uwaterloo.ca lb_priority=150
+load-balancer-02.csclub.uwaterloo.ca lb_priority=100

loadbalancer.yml

@@ -0,0 +1,13 @@
+---
+  - hosts: load-balancers
+    become: yes
+    become_method: sudo
+    roles:
+       #      - common
+       #- core
+       #- static-ipv6
+       #- generate-hosts
+       #- auth
+       #- csc-packages
+      - load-balancer
+      - cleanup

roles/core/tasks/main.yml

@@ -1,4 +1,10 @@
 ---
+-   name: Install root dotfiles
+    copy: src={{ item.src }} dest={{ item.dest }} backup=no
+    with_items:
+       - { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' }
+       - { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' }
+       - { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' }
 
 -   name: Install Shells
     apt: name={{ item }} state=latest
@@ -110,6 +116,8 @@
 -   name: Install rsyslog
     apt: name=rsyslog state=latest
 
+    # TODO: Configure logging
+
 -   name: Install molly-guard
     apt: name=molly-guard state=latest
 

roles/load-balancer/files/haproxy.cfg

@@ -0,0 +1,75 @@
+global
+   log /dev/log   local0
+   log /dev/log   local1 notice
+   chroot /var/lib/haproxy
+   stats socket /run/haproxy/admin.sock mode 660 level admin
+   stats timeout 30s
+   user haproxy
+   group haproxy
+   daemon
+
+   # Default SSL material locations
+   ca-base /etc/ssl/certs
+   crt-base /etc/ssl/private
+
+   # Default ciphers to use on SSL-enabled listening sockets.
+   # For more information, see ciphers(1SSL). This list is from:
+   #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+   #ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+   #ssl-default-bind-options no-sslv3
+
+   tune.ssl.default-dh-param 2048
+    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+   ssl-default-bind-options no-sslv3 no-tls-tickets
+   ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+    ssl-default-server-options no-sslv3 no-tls-tickets
+
+
+defaults
+   log   global
+   mode   http
+   option   httplog
+   option   dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+   errorfile 400 /etc/haproxy/errors/400.http
+   errorfile 403 /etc/haproxy/errors/403.http
+   errorfile 408 /etc/haproxy/errors/408.http
+   errorfile 500 /etc/haproxy/errors/500.http
+   errorfile 502 /etc/haproxy/errors/502.http
+   errorfile 503 /etc/haproxy/errors/503.http
+   errorfile 504 /etc/haproxy/errors/504.http
+
+frontend ssh
+   bind :2222
+   mode tcp
+   default_backend ssh-backend
+
+frontend http
+   bind :::80 v4v6
+   bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.pem
+   mode http
+   default_backend http-backend
+
+   stats enable
+   stats uri /status
+
+backend ssh-backend
+   balance roundrobin
+   mode tcp
+
+   server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
+   server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
+   server sucrose sucrose.csclub.uwaterloo.ca check port 22
+
+backend http-backend
+   balance leastconn
+   mode http
+   option forwardfor
+
+   cookie SERVERID insert indirect nocache
+
+   server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
+   server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01
+

roles/load-balancer/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+# HAPROXY
+- name: Install haproxy
+  package:
+     name: haproxy
+     state: latest
+
+- name: Copy haproxy configuration
+  copy:
+     src: haproxy.cfg
+     dest: /etc/haproxy/haproxy.cfg
+     backup: no
+  register: haproxy_configuration
+
+- name: Restart haproxy
+  service:
+     name: haproxy
+     state: restarted
+  when: haproxy_configuration.changed
+
+- name: Ensure that haproxy is running
+  service:
+     name: haproxy
+     state: running
+
+# KEEPALIVED
+- name: Install keepalived
+  package:
+     name: keepalived
+     state: latest
+
+- name: Copy keepalived config
+  template:
+     src: keepalived.conf
+     dest: /etc/keepalived/keepalived.conf
+     backup: no
+  register: keepalived_configuration
+
+- name: Restart keepalived
+  service:
+     name: keepalived
+     state: restarted
+  when: keepalived_configuration.changed
+
+- name: Ensure keepalived is running
+  service:
+     name: keepalived
+     state: running

roles/load-balancer/templates/keepalived.conf

@@ -0,0 +1,23 @@
+global_defs {
+   notification_email {
+      ztseguin+notifications@csclub.uwaterloo.ca
+   }
+   notification_email_from load-balancer@csclub.uwaterloo.ca
+}
+
+! load-balancer.csclub.uwaterloo.ca
+vrrp_instance VI_10 {
+   state MASTER
+   interface eth0
+   virtual_router_id 10
+   priority {{ lb_priority }}
+   advert_int 1
+   authentication {
+      auth_type PASS
+      auth_pass CSC_VRRP
+   }
+   virtual_ipaddress {
+      129.97.134.10
+      2620:101:f000:4901:c5c::10ad
+   }
+}

roles/webnode/tasks/main.yml

@@ -6,6 +6,7 @@
      # PHP5
      - php5-fpm
      - php5-mysql
+     - libapache2-mod-auth-cas
 
      # MySQL
      - socat
@@ -20,14 +21,12 @@
      fstype: none
      opts: defaults,bind
      state: mounted
-  register: apache_configuration
 
 - name: Restart apache2
   service:
      name: apache2
      state: restarted
      enabled: yes
-  when: apache_configuration.changed
 
 #
 # PHP5-FPM setup

webnode.yml

@@ -3,13 +3,13 @@
     become: yes
     become_method: sudo
     roles:
-      - common
-      - core
-      - static-ipv6
-      - generate-hosts
-      - auth
-      - csc-packages
-      - devel
-      - general-use
+       #- common
+       #- core
+       #- static-ipv6
+       #- generate-hosts
+       #- auth
+       #- csc-packages
+       #- devel
+       #- general-use
       - webnode
       - cleanup