From 16e9dce12b970ea988fda952d7b450c7bb5102c1 Mon Sep 17 00:00:00 2001
From: Zachary Seguin
Date: Sun, 11 Dec 2016 11:26:08 -0500
Subject: [PATCH] Move root dotfiles to core role; Add load-balancer role; Update webnode role
---
 files/root-dotfiles | 1 +
 hosts | 5 ++
 loadbalancer.yml | 13 ++++
 .../core/files}/root-dotfiles/bash-preexec | 0
 .../core/files}/root-dotfiles/bashrc | 0
 .../core/files}/root-dotfiles/vimrc | 0
 roles/core/tasks/main.yml | 8 ++
 roles/load-balancer/files/haproxy.cfg | 75 +++++++++++++++++++
 roles/load-balancer/tasks/main.yml | 49 ++++++++++++
 roles/load-balancer/templates/keepalived.conf | 23 ++++++
 roles/webnode/tasks/main.yml | 3 +-
 webnode.yml | 16 ++--
 12 files changed, 183 insertions(+), 10 deletions(-)
 create mode 120000 files/root-dotfiles
 create mode 100644 loadbalancer.yml
 rename {files => roles/core/files}/root-dotfiles/bash-preexec (100%)
 rename {files => roles/core/files}/root-dotfiles/bashrc (100%)
 rename {files => roles/core/files}/root-dotfiles/vimrc (100%)
 create mode 100644 roles/load-balancer/files/haproxy.cfg
 create mode 100644 roles/load-balancer/tasks/main.yml
 create mode 100644 roles/load-balancer/templates/keepalived.conf
diff --git a/files/root-dotfiles b/files/root-dotfiles
new file mode 120000
index 0000000..3d4841a
--- /dev/null
+++ b/files/root-dotfiles
@@ -0,0 +1 @@
+../roles/core/files/root-dotfiles
\ No newline at end of file
diff --git a/hosts b/hosts
index 9f9952a..5a797d3 100644
--- a/hosts
+++ b/hosts
@@ -40,6 +40,7 @@ strombola.csclub.uwaterloo.ca
 [syscom:children]
 syscom-bare-metal
 syscom-containers
+load-balancers
 [syscom-bare-metal]
 aspartame.csclub.uwaterloo.ca
@@ -66,3 +67,7 @@ nullsleep.csclub.uwaterloo.ca
 [mirror]
 potassium-benzoate.csclub.uwaterloo.ca
+
+[load-balancers]
+load-balancer-01.csclub.uwaterloo.ca lb_priority=150
+load-balancer-02.csclub.uwaterloo.ca lb_priority=100
diff --git a/loadbalancer.yml b/loadbalancer.yml
new file mode 100644
index 0000000..8948819
--- /dev/null
+++ b/loadbalancer.yml
@@ -0,0 +1,13 @@
+---
+ - hosts: load-balancers
+ become: yes
+ become_method: sudo
+ roles:
+ # - common
+ #- core
+ #- static-ipv6
+ #- generate-hosts
+ #- auth
+ #- csc-packages
+ - load-balancer
+ - cleanup
diff --git a/files/root-dotfiles/bash-preexec b/roles/core/files/root-dotfiles/bash-preexec
similarity index 100%
rename from files/root-dotfiles/bash-preexec
rename to roles/core/files/root-dotfiles/bash-preexec
diff --git a/files/root-dotfiles/bashrc b/roles/core/files/root-dotfiles/bashrc
similarity index 100%
rename from files/root-dotfiles/bashrc
rename to roles/core/files/root-dotfiles/bashrc
diff --git a/files/root-dotfiles/vimrc b/roles/core/files/root-dotfiles/vimrc
similarity index 100%
rename from files/root-dotfiles/vimrc
rename to roles/core/files/root-dotfiles/vimrc
diff --git a/roles/core/tasks/main.yml b/roles/core/tasks/main.yml
index 065408e..2692b1b 100644
--- a/roles/core/tasks/main.yml
+++ b/roles/core/tasks/main.yml
@@ -1,4 +1,10 @@
 ---
+- name: Install root dotfiles
+ copy: src={{ item.src }} dest={{ item.dest }} backup=no
+ with_items:
+ - { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' }
+ - { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' }
+ - { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' }
 - name: Install Shells
 apt: name={{ item }} state=latest
@@ -110,6 +116,8 @@
 - name: Install rsyslog
 apt: name=rsyslog state=latest
+ # TODO: Configure logging
+
 - name: Install molly-guard
 apt: name=molly-guard state=latest
diff --git a/roles/load-balancer/files/haproxy.cfg b/roles/load-balancer/files/haproxy.cfg
new file mode 100644
index 0000000..c4be653
--- /dev/null
+++ b/roles/load-balancer/files/haproxy.cfg
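Review bot: The new `load-balancers` hosts are played with only `load-balancer` and `cleanup`, because `common`, `core`, `auth` and `csc-packages` are commented out in the `roles:` list, and the same lines are commented out in webnode.yml further down in this commit. The core role is what installs the root dotfiles, rsyslog and molly-guard (see its hunk), so unless some other playbook reaches these hosts through `syscom:children`, the load balancers and web nodes will presumably stop receiving that baseline on the next run. If the disable is a temporary shortcut for provisioning, a comment such as `# baseline roles temporarily disabled for initial provisioning -- re-enable before production` would make the intent explicit; otherwise the role entries should be restored.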
@@ -0,0 +1,75 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ #ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+ #ssl-default-bind-options no-sslv3
+
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ ssl-default-bind-options no-sslv3 no-tls-tickets
+ ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ ssl-default-server-options no-sslv3 no-tls-tickets
+
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+frontend ssh
+ bind :2222
+ mode tcp
+ default_backend ssh-backend
+
+frontend http
+ bind :::80 v4v6
+ bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.pem
+ mode http
+ default_backend http-backend
+
+ stats enable
+ stats uri /status
+
+backend ssh-backend
+ balance roundrobin
+ mode tcp
+
+ server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
+ server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
+ server sucrose sucrose.csclub.uwaterloo.ca check port 22
+
+backend http-backend
+ balance leastconn
+ mode http
+ option forwardfor
+
+ cookie SERVERID insert indirect nocache
+
+ server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
+ server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01
+
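Review bot: `stats enable` / `stats uri /status` sits inside the public `frontend http`, so the HAProxy status page (backend names, server hostnames, health and session counts) is served to anyone reaching :80/:443, with no `stats auth` and no ACL in front of it. Either add `stats auth <STATS_USER>:<STATS_PASSWORD>` and restrict the path (`acl stats_ok src <ADMIN_CIDR>` plus `http-request deny if { path_beg /status } !stats_ok`), or move stats to a separate `listen` section bound to an internal address; because this file is deployed with `copy` rather than `template`, a credential can only come from a vaulted variable if the file is moved under `templates/`. Two smaller points in the same file: `cookie SERVERID insert indirect nocache` could also carry `httponly secure` so the persistence cookie is neither script-readable nor sent over the plain :80 listener, and `frontend ssh` uses `bind :2222` while the HTTP frontend binds `:::80 v4v6`, so the SSH proxy appears to be IPv4-only. Note also that in `mode tcp` the backend sshd sees the load balancer's address rather than the client's, which changes what per-client logging on the backends can record.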
diff --git a/roles/load-balancer/tasks/main.yml b/roles/load-balancer/tasks/main.yml
new file mode 100644
index 0000000..9a7d5d6
--- /dev/null
+++ b/roles/load-balancer/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+# HAPROXY
+- name: Install haproxy
+ package:
+ name: haproxy
+ state: latest
+
+- name: Copy haproxy configuration
+ copy:
+ src: haproxy.cfg
+ dest: /etc/haproxy/haproxy.cfg
+ backup: no
+ register: haproxy_configuration
+
+- name: Restart haproxy
+ service:
+ name: haproxy
+ state: restarted
+ when: haproxy_configuration.changed
+
+- name: Ensure that haproxy is running
+ service:
+ name: haproxy
+ state: running
+
+# KEEPALIVED
+- name: Install keepalived
+ package:
+ name: keepalived
+ state: latest
+
+- name: Copy keepalived config
+ template:
+ src: keepalived.conf
+ dest: /etc/keepalived/keepalived.conf
+ backup: no
+ register: keepalived_configuration
+
+- name: Restart keepalived
+ service:
+ name: keepalived
+ state: restarted
+ when: keepalived_configuration.changed
+
+- name: Ensure keepalived is running
+ service:
+ name: keepalived
+ state: running
diff --git a/roles/load-balancer/templates/keepalived.conf b/roles/load-balancer/templates/keepalived.conf
new file mode 100644
index 0000000..2432bf9
--- /dev/null
+++ b/roles/load-balancer/templates/keepalived.conf
@@ -0,0 +1,23 @@
+global_defs {
+ notification_email {
+ ztseguin+notifications@csclub.uwaterloo.ca
+ }
+ notification_email_from load-balancer@csclub.uwaterloo.ca
+}
+
+! load-balancer.csclub.uwaterloo.ca
+vrrp_instance VI_10 {
+ state MASTER
+ interface eth0
+ virtual_router_id 10
+ priority {{ lb_priority }}
+ advert_int 1
+ authentication {
+ auth_type PASS
+ auth_pass CSC_VRRP
+ }
+ virtual_ipaddress {
+ 129.97.134.10
+ 2620:101:f000:4901:c5c::10ad
+ }
+}
diff --git a/roles/webnode/tasks/main.yml b/roles/webnode/tasks/main.yml
index f2e30a8..3e99fa7 100644
--- a/roles/webnode/tasks/main.yml
+++ b/roles/webnode/tasks/main.yml
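Review bot: The `Copy haproxy configuration` task installs `/etc/haproxy/haproxy.cfg` and the following task restarts haproxy whenever it changed, with no syntax check in between, so a broken config takes the restarted node out of service, and since loadbalancer.yml sets no `serial`, presumably both load balancers in the same play. Adding `validate: 'haproxy -c -f %s'` to the `copy` task makes Ansible reject a bad file before it replaces the live one. `state: latest` on both `package` tasks also upgrades haproxy and keepalived on every run rather than keeping what was tested; `state: present` is the usual choice for a role that is rerun routinely, and `state: started` is the documented value for the two "Ensure ... running" tasks (`running` is an older spelling that newer releases may not accept).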
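Review bot: `auth_pass CSC_VRRP` commits a plaintext VRRP shared secret to the repository and renders it into both load balancers' configs. VRRP `PASS` authentication sends the password in cleartext on the wire and was dropped from the protocol in RFC 5798 because it gives no real protection, so if the block stays for compatibility it should at least read the value from an Ansible Vault variable, `auth_pass {{ vrrp_auth_pass }}`, rather than a literal. Separately, `state MASTER` and `interface eth0` are hard-coded while only `priority` is per-host: both members can start by claiming the VIP until the election settles, and the template breaks on a host whose NIC is not eth0, so a per-host `lb_state` next to `lb_priority` in the inventory (`state {{ lb_state }}`) and `interface {{ ansible_default_ipv4.interface }}` or a group var would be more robust.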
@@ -6,6 +6,7 @@
 # PHP5
 - php5-fpm
 - php5-mysql
+ - libapache2-mod-auth-cas
 # MySQL
 - socat
@@ -20,14 +21,12 @@
 fstype: none
 opts: defaults,bind
 state: mounted
- register: apache_configuration
 - name: Restart apache2
 service:
 name: apache2
 state: restarted
 enabled: yes
- when: apache_configuration.changed
 #
 # PHP5-FPM setup
diff --git a/webnode.yml b/webnode.yml
index d306046..609d5df 100644
--- a/webnode.yml
+++ b/webnode.yml
@@ -3,13 +3,13 @@
 become: yes
 become_method: sudo
 roles:
- - common
- - core
- - static-ipv6
- - generate-hosts
- - auth
- - csc-packages
- - devel
- - general-use
+ #- common
+ #- core
+ #- static-ipv6
+ #- generate-hosts
+ #- auth
+ #- csc-packages
+ #- devel
+ #- general-use
 - webnode
 - cleanup
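Review bot: With `register: apache_configuration` and `when: apache_configuration.changed` removed, the `Restart apache2` task in the second hunk now runs unconditionally, so every play against the web nodes restarts Apache even when nothing changed — a brief outage per node on each run, which the new load balancer's port-80 health checks will register as backend flaps. The mount task it used to depend on starts outside the hunk; if the restart is meant to pick up that bind mount, keep the conditional or move the restart into a handler notified by the mount task, and if it is only meant to ensure the service is up, `state: started` with `enabled: yes` is the idempotent form.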