Move root dotfiles to core role; Add load-balancer role; Update webnode role
This commit is contained in:
parent
a434363727
commit
16e9dce12b
|
@ -0,0 +1 @@
|
||||||
|
../roles/core/files/root-dotfiles
|
5
hosts
5
hosts
|
@ -40,6 +40,7 @@ strombola.csclub.uwaterloo.ca
|
||||||
[syscom:children]
|
[syscom:children]
|
||||||
syscom-bare-metal
|
syscom-bare-metal
|
||||||
syscom-containers
|
syscom-containers
|
||||||
|
load-balancers
|
||||||
|
|
||||||
[syscom-bare-metal]
|
[syscom-bare-metal]
|
||||||
aspartame.csclub.uwaterloo.ca
|
aspartame.csclub.uwaterloo.ca
|
||||||
|
@ -66,3 +67,7 @@ nullsleep.csclub.uwaterloo.ca
|
||||||
|
|
||||||
[mirror]
|
[mirror]
|
||||||
potassium-benzoate.csclub.uwaterloo.ca
|
potassium-benzoate.csclub.uwaterloo.ca
|
||||||
|
|
||||||
|
[load-balancers]
|
||||||
|
load-balancer-01.csclub.uwaterloo.ca lb_priority=150
|
||||||
|
load-balancer-02.csclub.uwaterloo.ca lb_priority=100
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
- hosts: load-balancers
|
||||||
|
become: yes
|
||||||
|
become_method: sudo
|
||||||
|
roles:
|
||||||
|
# - common
|
||||||
|
#- core
|
||||||
|
#- static-ipv6
|
||||||
|
#- generate-hosts
|
||||||
|
#- auth
|
||||||
|
#- csc-packages
|
||||||
|
- load-balancer
|
||||||
|
- cleanup
|
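Review bot: The play applies only `load-balancer` and `cleanup`; `core`, `auth`, `csc-packages` and the other baseline roles are commented out, so a freshly built load balancer — the host that, per the new `haproxy.cfg`, terminates TLS with `/etc/ssl/private/csclub.pem` — gets none of the baseline account, package and logging configuration the other playbooks apply. If skipping them is deliberate for bootstrapping, say so above the list (`# baseline roles intentionally skipped: applied by <playbook>`); otherwise uncomment them before this playbook is used on a real host. Minor: `become: yes` should be `become: true` (yamllint `truthy`).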
|
@ -1,4 +1,10 @@
|
||||||
---
|
---
|
||||||
|
- name: Install root dotfiles
|
||||||
|
copy: src={{ item.src }} dest={{ item.dest }} backup=no
|
||||||
|
with_items:
|
||||||
|
- { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' }
|
||||||
|
- { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' }
|
||||||
|
- { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' }
|
||||||
|
|
||||||
- name: Install Shells
|
- name: Install Shells
|
||||||
apt: name={{ item }} state=latest
|
apt: name={{ item }} state=latest
|
||||||
|
@ -110,6 +116,8 @@
|
||||||
- name: Install rsyslog
|
- name: Install rsyslog
|
||||||
apt: name=rsyslog state=latest
|
apt: name=rsyslog state=latest
|
||||||
|
|
||||||
|
# TODO: Configure logging
|
||||||
|
|
||||||
- name: Install molly-guard
|
- name: Install molly-guard
|
||||||
apt: name=molly-guard state=latest
|
apt: name=molly-guard state=latest
|
||||||
|
|
||||||
|
|
|
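Review bot: The new `Install root dotfiles` task copies `.bashrc`, `.bash-preexec` and `.vimrc` into `/root` without `owner`, `group` or `mode`, so the resulting permissions depend on the umask of whatever runs the play; since these files are sourced by every root shell, pin them explicitly: `copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0644 backup=no`. Style: the new load-balancer role in this commit uses block-style module arguments, so `copy:`/`with_items:` here would read better in the same form instead of the `key=value` string. In the second hunk, `# TODO: Configure logging` after the rsyslog install leaves logs local-only; a line saying what the target is (remote forwarding host, retention) would make the TODO actionable. The task list continues outside both hunks.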
@ -0,0 +1,75 @@
|
||||||
|
global
|
||||||
|
log /dev/log local0
|
||||||
|
log /dev/log local1 notice
|
||||||
|
chroot /var/lib/haproxy
|
||||||
|
stats socket /run/haproxy/admin.sock mode 660 level admin
|
||||||
|
stats timeout 30s
|
||||||
|
user haproxy
|
||||||
|
group haproxy
|
||||||
|
daemon
|
||||||
|
|
||||||
|
# Default SSL material locations
|
||||||
|
ca-base /etc/ssl/certs
|
||||||
|
crt-base /etc/ssl/private
|
||||||
|
|
||||||
|
# Default ciphers to use on SSL-enabled listening sockets.
|
||||||
|
# For more information, see ciphers(1SSL). This list is from:
|
||||||
|
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
||||||
|
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
|
||||||
|
#ssl-default-bind-options no-sslv3
|
||||||
|
|
||||||
|
tune.ssl.default-dh-param 2048
|
||||||
|
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||||
|
ssl-default-bind-options no-sslv3 no-tls-tickets
|
||||||
|
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||||
|
ssl-default-server-options no-sslv3 no-tls-tickets
|
||||||
|
|
||||||
|
|
||||||
|
defaults
|
||||||
|
log global
|
||||||
|
mode http
|
||||||
|
option httplog
|
||||||
|
option dontlognull
|
||||||
|
timeout connect 5000
|
||||||
|
timeout client 50000
|
||||||
|
timeout server 50000
|
||||||
|
errorfile 400 /etc/haproxy/errors/400.http
|
||||||
|
errorfile 403 /etc/haproxy/errors/403.http
|
||||||
|
errorfile 408 /etc/haproxy/errors/408.http
|
||||||
|
errorfile 500 /etc/haproxy/errors/500.http
|
||||||
|
errorfile 502 /etc/haproxy/errors/502.http
|
||||||
|
errorfile 503 /etc/haproxy/errors/503.http
|
||||||
|
errorfile 504 /etc/haproxy/errors/504.http
|
||||||
|
|
||||||
|
frontend ssh
|
||||||
|
bind :2222
|
||||||
|
mode tcp
|
||||||
|
default_backend ssh-backend
|
||||||
|
|
||||||
|
frontend http
|
||||||
|
bind :::80 v4v6
|
||||||
|
bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.pem
|
||||||
|
mode http
|
||||||
|
default_backend http-backend
|
||||||
|
|
||||||
|
stats enable
|
||||||
|
stats uri /status
|
||||||
|
|
||||||
|
backend ssh-backend
|
||||||
|
balance roundrobin
|
||||||
|
mode tcp
|
||||||
|
|
||||||
|
server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
|
||||||
|
server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
|
||||||
|
server sucrose sucrose.csclub.uwaterloo.ca check port 22
|
||||||
|
|
||||||
|
backend http-backend
|
||||||
|
balance leastconn
|
||||||
|
mode http
|
||||||
|
option forwardfor
|
||||||
|
|
||||||
|
cookie SERVERID insert indirect nocache
|
||||||
|
|
||||||
|
server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
|
||||||
|
server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01
|
||||||
|
|
|
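Review bot: `stats enable` / `stats uri /status` sit in the public `frontend http` with no `stats auth` or source ACL, so anyone reaching :80 or :443 can read backend hostnames, health state and connection counts, and a request for `/status` on the site never reaches `http-backend`; move the stats page to a loopback-only `listen` section. In `frontend ssh` and `ssh-backend` the `server` lines name no port, so HAProxy forwards to the port the client used (:2222) while `check port 22` probes :22 — unless the backends also listen on 2222 each server line needs `:22` — and both sections inherit `timeout client`/`timeout server 50000` from `defaults`, which cuts an idle interactive SSH session after 50 s unless the client sends keepalives. The `SERVERID` cookie is inserted without `httponly secure` although it is set on the TLS listener, and nothing tells the backends the original scheme (`X-Forwarded-Proto`). The cipher lists still allow 3DES (`DES-CBC3-SHA`) and the non-forward-secret `AES*-SHA` suites, and `no-sslv3` alone leaves TLS 1.0/1.1 enabled; trim the lists and add `no-tlsv10 no-tlsv11` to the bind options if no legacy client needs them. The changed sections are sketched below; everything else in the file stays as committed.
```haproxy
frontend ssh
    bind :2222
    mode tcp
    timeout client 1h            # defaults' 50 s would cut idle sessions
    default_backend ssh-backend

frontend http
    bind :::80 v4v6
    bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.pem
    mode http
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend http-backend
    # stats directives removed from the public listener; see "listen stats"

# Stats page on loopback only (reach it through an SSH tunnel); no "stats admin".
listen stats
    bind 127.0.0.1:8404
    mode http
    stats enable
    stats uri /status

backend ssh-backend
    balance roundrobin
    mode tcp
    timeout server 1h
    server corn-syrup corn-syrup.csclub.uwaterloo.ca:22 check
    # … the other two server lines likewise with :22 …

backend http-backend
    # … unchanged: balance, mode, option forwardfor …
    cookie SERVERID insert indirect nocache httponly secure
    # … unchanged: server lines …
```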
@ -0,0 +1,49 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
# HAPROXY
|
||||||
|
- name: Install haproxy
|
||||||
|
package:
|
||||||
|
name: haproxy
|
||||||
|
state: latest
|
||||||
|
|
||||||
|
- name: Copy haproxy configuration
|
||||||
|
copy:
|
||||||
|
src: haproxy.cfg
|
||||||
|
dest: /etc/haproxy/haproxy.cfg
|
||||||
|
backup: no
|
||||||
|
register: haproxy_configuration
|
||||||
|
|
||||||
|
- name: Restart haproxy
|
||||||
|
service:
|
||||||
|
name: haproxy
|
||||||
|
state: restarted
|
||||||
|
when: haproxy_configuration.changed
|
||||||
|
|
||||||
|
- name: Ensure that haproxy is running
|
||||||
|
service:
|
||||||
|
name: haproxy
|
||||||
|
state: running
|
||||||
|
|
||||||
|
# KEEPALIVED
|
||||||
|
- name: Install keepalived
|
||||||
|
package:
|
||||||
|
name: keepalived
|
||||||
|
state: latest
|
||||||
|
|
||||||
|
- name: Copy keepalived config
|
||||||
|
template:
|
||||||
|
src: keepalived.conf
|
||||||
|
dest: /etc/keepalived/keepalived.conf
|
||||||
|
backup: no
|
||||||
|
register: keepalived_configuration
|
||||||
|
|
||||||
|
- name: Restart keepalived
|
||||||
|
service:
|
||||||
|
name: keepalived
|
||||||
|
state: restarted
|
||||||
|
when: keepalived_configuration.changed
|
||||||
|
|
||||||
|
- name: Ensure keepalived is running
|
||||||
|
service:
|
||||||
|
name: keepalived
|
||||||
|
state: running
|
|
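Review bot: `Copy haproxy configuration` pushes `haproxy.cfg` with no `validate:`, and the next task does a hard `state: restarted`, so a typo in the config takes down both load balancers on the same run (keepalived would fail over to a peer holding the same broken file). Add `validate: 'haproxy -c -f %s'` to the copy task and use `state: reloaded` (HAProxy's reload keeps existing connections), preferably through a `notify:`/handler pair instead of `register:` + `when: …changed`. `state: running` in the two "Ensure … is running" tasks is not one of the documented `service` states (`started`/`stopped`/`restarted`/`reloaded`); older Ansible may accept it as an alias, but `state: started` plus `enabled: true` is the portable form and also guarantees both daemons come back after a reboot. The keepalived copy/restart pair has the same handler gap.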
@ -0,0 +1,23 @@
|
||||||
|
global_defs {
|
||||||
|
notification_email {
|
||||||
|
ztseguin+notifications@csclub.uwaterloo.ca
|
||||||
|
}
|
||||||
|
notification_email_from load-balancer@csclub.uwaterloo.ca
|
||||||
|
}
|
||||||
|
|
||||||
|
! load-balancer.csclub.uwaterloo.ca
|
||||||
|
vrrp_instance VI_10 {
|
||||||
|
state MASTER
|
||||||
|
interface eth0
|
||||||
|
virtual_router_id 10
|
||||||
|
priority {{ lb_priority }}
|
||||||
|
advert_int 1
|
||||||
|
authentication {
|
||||||
|
auth_type PASS
|
||||||
|
auth_pass CSC_VRRP
|
||||||
|
}
|
||||||
|
virtual_ipaddress {
|
||||||
|
129.97.134.10
|
||||||
|
2620:101:f000:4901:c5c::10ad
|
||||||
|
}
|
||||||
|
}
|
|
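Review bot: `auth_pass CSC_VRRP` is a cleartext VRRP password committed to the repository, and VRRP `PASS` authentication sends it in the clear on the wire anyway, so it gives no protection against a rogue VRRP speaker on the segment; either drop the `authentication` block or at least pull the value from an Ansible Vault variable so the repo does not hold it. Both nodes are rendered with `state MASTER`; the 150/100 priorities will settle the election, but `state BACKUP` on both (priority decides) avoids both nodes briefly claiming the VIP at start-up. More importantly, nothing tracks HAProxy, so if it dies on the master the VIP stays on a load balancer that serves nothing; a `vrrp_script` whose weight exceeds the 50-point priority gap forces failover. The `interface eth0` and `notification_email` values are hard-coded — fine for two identical hosts, but worth a comment saying so.
```jinja
! Drop the VIP from a node whose haproxy is gone: -60 outweighs the 150/100 gap.
vrrp_script chk_haproxy {
    script "/usr/bin/pidof haproxy"
    interval 2
    weight -60
}

vrrp_instance VI_10 {
    state BACKUP
    ! … unchanged: interface, virtual_router_id, priority, advert_int …
    authentication {
        auth_type PASS
        auth_pass {{ vrrp_auth_pass }}
    }
    track_script {
        chk_haproxy
    }
    ! … unchanged: virtual_ipaddress …
}
```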
@ -6,6 +6,7 @@
|
||||||
# PHP5
|
# PHP5
|
||||||
- php5-fpm
|
- php5-fpm
|
||||||
- php5-mysql
|
- php5-mysql
|
||||||
|
- libapache2-mod-auth-cas
|
||||||
|
|
||||||
# MySQL
|
# MySQL
|
||||||
- socat
|
- socat
|
||||||
|
@ -20,14 +21,12 @@
|
||||||
fstype: none
|
fstype: none
|
||||||
opts: defaults,bind
|
opts: defaults,bind
|
||||||
state: mounted
|
state: mounted
|
||||||
register: apache_configuration
|
|
||||||
|
|
||||||
- name: Restart apache2
|
- name: Restart apache2
|
||||||
service:
|
service:
|
||||||
name: apache2
|
name: apache2
|
||||||
state: restarted
|
state: restarted
|
||||||
enabled: yes
|
enabled: yes
|
||||||
when: apache_configuration.changed
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# PHP5-FPM setup
|
# PHP5-FPM setup
|
||||||
|
|
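Review bot: Dropping `register: apache_configuration` from the bind-mount task and `when: apache_configuration.changed` from `Restart apache2` (the hunk shrinks from 14 to 12 lines with nothing added) makes the restart unconditional, so every run of the play bounces Apache on every web node whether or not anything changed. If the intent was to get rid of the change tracking, the task should become `state: started`, or better the mount task should `notify: restart apache2` with the restart as a handler; otherwise keep the two removed lines. `enabled: yes` → `enabled: true` while the task is being touched. The task list continues outside the hunk.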
16
webnode.yml
16
webnode.yml
|
@ -3,13 +3,13 @@
|
||||||
become: yes
|
become: yes
|
||||||
become_method: sudo
|
become_method: sudo
|
||||||
roles:
|
roles:
|
||||||
- common
|
#- common
|
||||||
- core
|
#- core
|
||||||
- static-ipv6
|
#- static-ipv6
|
||||||
- generate-hosts
|
#- generate-hosts
|
||||||
- auth
|
#- auth
|
||||||
- csc-packages
|
#- csc-packages
|
||||||
- devel
|
#- devel
|
||||||
- general-use
|
#- general-use
|
||||||
- webnode
|
- webnode
|
||||||
- cleanup
|
- cleanup
|
||||||
|
|
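Review bot: Every baseline role in the play — `common`, `core`, `static-ipv6`, `generate-hosts`, `auth`, `csc-packages`, `devel`, `general-use` — is commented out, leaving only `webnode` and `cleanup`, and the new load-balancer playbook in this commit shows the same pattern; this reads like a local shortcut for faster iteration that was committed, and a node rebuilt via this playbook would not receive the `auth` or `core` configuration. Either restore the roles or, if the split is intentional, add a comment above the list stating that the baseline is applied by another playbook and name it. Minor: `become: yes` → `become: true`.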