Move root dotfiles to core role; Add load-balancer role; Update webnode role

master
Zachary Seguin 6 years ago
parent a434363727
commit 16e9dce12b
  1. 1
      files/root-dotfiles
  2. 5
      hosts
  3. 13
      loadbalancer.yml
  4. 0
      roles/core/files/root-dotfiles/bash-preexec
  5. 0
      roles/core/files/root-dotfiles/bashrc
  6. 0
      roles/core/files/root-dotfiles/vimrc
  7. 8
      roles/core/tasks/main.yml
  8. 75
      roles/load-balancer/files/haproxy.cfg
  9. 49
      roles/load-balancer/tasks/main.yml
  10. 23
      roles/load-balancer/templates/keepalived.conf
  11. 3
      roles/webnode/tasks/main.yml
  12. 16
      webnode.yml

@ -0,0 +1 @@
../roles/core/files/root-dotfiles

@ -40,6 +40,7 @@ strombola.csclub.uwaterloo.ca
[syscom:children]
syscom-bare-metal
syscom-containers
load-balancers
[syscom-bare-metal]
aspartame.csclub.uwaterloo.ca
@ -66,3 +67,7 @@ nullsleep.csclub.uwaterloo.ca
[mirror]
potassium-benzoate.csclub.uwaterloo.ca
[load-balancers]
load-balancer-01.csclub.uwaterloo.ca lb_priority=150
load-balancer-02.csclub.uwaterloo.ca lb_priority=100

@ -0,0 +1,13 @@
---
- hosts: load-balancers
become: yes
become_method: sudo
roles:
# - common
#- core
#- static-ipv6
#- generate-hosts
#- auth
#- csc-packages
- load-balancer
- cleanup

@ -1,4 +1,10 @@
---
- name: Install root dotfiles
copy: src={{ item.src }} dest={{ item.dest }} backup=no
with_items:
- { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' }
- { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' }
- { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' }
- name: Install Shells
apt: name={{ item }} state=latest
@ -110,6 +116,8 @@
- name: Install rsyslog
apt: name=rsyslog state=latest
# TODO: Configure logging
- name: Install molly-guard
apt: name=molly-guard state=latest

@ -0,0 +1,75 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
#ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend ssh
bind :2222
mode tcp
default_backend ssh-backend
frontend http
bind :::80 v4v6
bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.pem
mode http
default_backend http-backend
stats enable
stats uri /status
backend ssh-backend
balance roundrobin
mode tcp
server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
server sucrose sucrose.csclub.uwaterloo.ca check port 22
backend http-backend
balance leastconn
mode http
option forwardfor
cookie SERVERID insert indirect nocache
server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01

@ -0,0 +1,49 @@
---
# HAPROXY
- name: Install haproxy
package:
name: haproxy
state: latest
- name: Copy haproxy configuration
copy:
src: haproxy.cfg
dest: /etc/haproxy/haproxy.cfg
backup: no
register: haproxy_configuration
- name: Restart haproxy
service:
name: haproxy
state: restarted
when: haproxy_configuration.changed
- name: Ensure that haproxy is running
service:
name: haproxy
state: running
# KEEPALIVED
- name: Install keepalived
package:
name: keepalived
state: latest
- name: Copy keepalived config
template:
src: keepalived.conf
dest: /etc/keepalived/keepalived.conf
backup: no
register: keepalived_configuration
- name: Restart keepalived
service:
name: keepalived
state: restarted
when: keepalived_configuration.changed
- name: Ensure keepalived is running
service:
name: keepalived
state: running

@ -0,0 +1,23 @@
global_defs {
notification_email {
ztseguin+notifications@csclub.uwaterloo.ca
}
notification_email_from load-balancer@csclub.uwaterloo.ca
}
! load-balancer.csclub.uwaterloo.ca
vrrp_instance VI_10 {
state MASTER
interface eth0
virtual_router_id 10
priority {{ lb_priority }}
advert_int 1
authentication {
auth_type PASS
auth_pass CSC_VRRP
}
virtual_ipaddress {
129.97.134.10
2620:101:f000:4901:c5c::10ad
}
}

@ -6,6 +6,7 @@
# PHP5
- php5-fpm
- php5-mysql
- libapache2-mod-auth-cas
# MySQL
- socat
@ -20,14 +21,12 @@
fstype: none
opts: defaults,bind
state: mounted
register: apache_configuration
- name: Restart apache2
service:
name: apache2
state: restarted
enabled: yes
when: apache_configuration.changed
#
# PHP5-FPM setup

@ -3,13 +3,13 @@
become: yes
become_method: sudo
roles:
- common
- core
- static-ipv6
- generate-hosts
- auth
- csc-packages
- devel
- general-use
#- common
#- core
#- static-ipv6
#- generate-hosts
#- auth
#- csc-packages
#- devel
#- general-use
- webnode
- cleanup

Loading…
Cancel
Save