Move root dotfiles to core role; Add load-balancer role; Update webnode role
This commit is contained in:
parent
a434363727
commit
16e9dce12b
|
@ -0,0 +1 @@
|
|||
../roles/core/files/root-dotfiles
|
5
hosts
5
hosts
|
@ -40,6 +40,7 @@ strombola.csclub.uwaterloo.ca
|
|||
[syscom:children]
|
||||
syscom-bare-metal
|
||||
syscom-containers
|
||||
load-balancers
|
||||
|
||||
[syscom-bare-metal]
|
||||
aspartame.csclub.uwaterloo.ca
|
||||
|
@ -66,3 +67,7 @@ nullsleep.csclub.uwaterloo.ca
|
|||
|
||||
[mirror]
|
||||
potassium-benzoate.csclub.uwaterloo.ca
|
||||
|
||||
[load-balancers]
|
||||
load-balancer-01.csclub.uwaterloo.ca lb_priority=150
|
||||
load-balancer-02.csclub.uwaterloo.ca lb_priority=100
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
- hosts: load-balancers
|
||||
become: yes
|
||||
become_method: sudo
|
||||
roles:
|
||||
# - common
|
||||
#- core
|
||||
#- static-ipv6
|
||||
#- generate-hosts
|
||||
#- auth
|
||||
#- csc-packages
|
||||
- load-balancer
|
||||
- cleanup
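Review bot: `common`, `core`, `auth` and `csc-packages` are all commented out in the new playbook's `roles:` list, so the load-balancer hosts receive only `load-balancer` and `cleanup` and none of the baseline or access-control configuration the other playbooks apply; webnode.yml in this commit appears to comment out the same roles, though which side of that hunk is old or new is not recoverable from this rendering. If this is deliberate (e.g. the roles are not yet safe for these hosts), say so on the `roles:` line, for example `roles:  # base roles disabled until <REASON>`; otherwise re-enable them. `become: yes` is the YAML 1.1 boolean spelling; `become: true` is the canonical form that yamllint's truthy rule accepts, although the existing playbooks use `yes` so changing it is a repo-wide decision.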
|
|
@ -1,4 +1,10 @@
|
|||
---
|
||||
- name: Install root dotfiles
|
||||
copy: src={{ item.src }} dest={{ item.dest }} backup=no
|
||||
with_items:
|
||||
- { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' }
|
||||
- { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' }
|
||||
- { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' }
|
||||
|
||||
- name: Install Shells
|
||||
apt: name={{ item }} state=latest
|
||||
|
@ -110,6 +116,8 @@
|
|||
- name: Install rsyslog
|
||||
apt: name=rsyslog state=latest
|
||||
|
||||
# TODO: Configure logging
|
||||
|
||||
- name: Install molly-guard
|
||||
apt: name=molly-guard state=latest
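Review bot: `Install root dotfiles` uses the `key=value` argument-string form (`copy: src={{ item.src }} dest={{ item.dest }} backup=no`) while the load-balancer role added in the same commit uses block-style module arguments; writing it as `copy:` with `src:`, `dest:` and `backup:` keys matches the rest of the commit and avoids quoting surprises around the templated values. The task also sets no `owner`, `group` or `mode`, so the files under /root get whatever the remote umask yields; since these are root's shell and editor startup files, pin them explicitly with `owner: root`, `group: root` and `mode: "0644"`. Which two lines of the rsyslog/molly-guard hunk are new is not recoverable here, so no separate point is raised on it.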
|
||||
|
||||
|
|
|
@ -0,0 +1,75 @@
|
|||
global
|
||||
log /dev/log local0
|
||||
log /dev/log local1 notice
|
||||
chroot /var/lib/haproxy
|
||||
stats socket /run/haproxy/admin.sock mode 660 level admin
|
||||
stats timeout 30s
|
||||
user haproxy
|
||||
group haproxy
|
||||
daemon
|
||||
|
||||
# Default SSL material locations
|
||||
ca-base /etc/ssl/certs
|
||||
crt-base /etc/ssl/private
|
||||
|
||||
# Default ciphers to use on SSL-enabled listening sockets.
|
||||
# For more information, see ciphers(1SSL). This list is from:
|
||||
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
||||
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
|
||||
#ssl-default-bind-options no-sslv3
|
||||
|
||||
tune.ssl.default-dh-param 2048
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
ssl-default-bind-options no-sslv3 no-tls-tickets
|
||||
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
ssl-default-server-options no-sslv3 no-tls-tickets
|
||||
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode http
|
||||
option httplog
|
||||
option dontlognull
|
||||
timeout connect 5000
|
||||
timeout client 50000
|
||||
timeout server 50000
|
||||
errorfile 400 /etc/haproxy/errors/400.http
|
||||
errorfile 403 /etc/haproxy/errors/403.http
|
||||
errorfile 408 /etc/haproxy/errors/408.http
|
||||
errorfile 500 /etc/haproxy/errors/500.http
|
||||
errorfile 502 /etc/haproxy/errors/502.http
|
||||
errorfile 503 /etc/haproxy/errors/503.http
|
||||
errorfile 504 /etc/haproxy/errors/504.http
|
||||
|
||||
frontend ssh
|
||||
bind :2222
|
||||
mode tcp
|
||||
default_backend ssh-backend
|
||||
|
||||
frontend http
|
||||
bind :::80 v4v6
|
||||
bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.pem
|
||||
mode http
|
||||
default_backend http-backend
|
||||
|
||||
stats enable
|
||||
stats uri /status
|
||||
|
||||
backend ssh-backend
|
||||
balance roundrobin
|
||||
mode tcp
|
||||
|
||||
server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
|
||||
server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
|
||||
server sucrose sucrose.csclub.uwaterloo.ca check port 22
|
||||
|
||||
backend http-backend
|
||||
balance leastconn
|
||||
mode http
|
||||
option forwardfor
|
||||
|
||||
cookie SERVERID insert indirect nocache
|
||||
|
||||
server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
|
||||
server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01
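Review bot: `stats enable` / `stats uri /status` sit inside `frontend http`, which binds the public :80 and :443, so the HAProxy status page (backend names, server health, session counts) is readable by any client because no `stats auth` or source restriction is configured. Gate it with `stats auth <USER>:<PASSWORD>` or, since this file is shipped by `copy` rather than `template` and credentials would otherwise land in the repo, with a source ACL such as `http-request deny if { path_beg /status } !{ src <MGMT_CIDR> }` placed before `default_backend`. Separately, `ssl-default-bind-options no-sslv3 no-tls-tickets` still permits TLS 1.0 and 1.1, and both cipher lists end with 3DES (`*DES-CBC3-SHA`) and non-forward-secret RSA suites; adding `no-tlsv10 no-tlsv11` and dropping those trailing entries would tighten the bind, subject to the client base this terminates for. The cookie line `cookie SERVERID insert indirect nocache` could also carry `httponly` so the stickiness cookie is not script-readable.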
|
||||
|
|
@ -0,0 +1,49 @@
|
|||
---
|
||||
|
||||
# HAPROXY
|
||||
- name: Install haproxy
|
||||
package:
|
||||
name: haproxy
|
||||
state: latest
|
||||
|
||||
- name: Copy haproxy configuration
|
||||
copy:
|
||||
src: haproxy.cfg
|
||||
dest: /etc/haproxy/haproxy.cfg
|
||||
backup: no
|
||||
register: haproxy_configuration
|
||||
|
||||
- name: Restart haproxy
|
||||
service:
|
||||
name: haproxy
|
||||
state: restarted
|
||||
when: haproxy_configuration.changed
|
||||
|
||||
- name: Ensure that haproxy is running
|
||||
service:
|
||||
name: haproxy
|
||||
state: running
|
||||
|
||||
# KEEPALIVED
|
||||
- name: Install keepalived
|
||||
package:
|
||||
name: keepalived
|
||||
state: latest
|
||||
|
||||
- name: Copy keepalived config
|
||||
template:
|
||||
src: keepalived.conf
|
||||
dest: /etc/keepalived/keepalived.conf
|
||||
backup: no
|
||||
register: keepalived_configuration
|
||||
|
||||
- name: Restart keepalived
|
||||
service:
|
||||
name: keepalived
|
||||
state: restarted
|
||||
when: keepalived_configuration.changed
|
||||
|
||||
- name: Ensure keepalived is running
|
||||
service:
|
||||
name: keepalived
|
||||
state: running
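Review bot: `Copy haproxy configuration` writes /etc/haproxy/haproxy.cfg without a `validate:` step and `Restart haproxy` then does a full restart whenever it changed, so a syntax error in the shipped file takes both the HTTP and SSH frontends down instead of failing the play; add `validate: 'haproxy -c -f %s'` to the copy task and use `state: reloaded` in the restart task so existing connections survive a config change. `state: running` in both "Ensure ... is running" tasks is not among the documented `service` states (`started`, `stopped`, `restarted`, `reloaded`); whether it is accepted as an alias depends on the Ansible version in use, so `state: started` is the safer spelling. The copied config references `/etc/ssl/private/csclub.pem`, but nothing in this role places it, so presumably another role or manual step provides it; a comment naming that source on the copy task would help the next maintainer.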
|
|
@ -0,0 +1,23 @@
|
|||
global_defs {
|
||||
notification_email {
|
||||
ztseguin+notifications@csclub.uwaterloo.ca
|
||||
}
|
||||
notification_email_from load-balancer@csclub.uwaterloo.ca
|
||||
}
|
||||
|
||||
! load-balancer.csclub.uwaterloo.ca
|
||||
vrrp_instance VI_10 {
|
||||
state MASTER
|
||||
interface eth0
|
||||
virtual_router_id 10
|
||||
priority {{ lb_priority }}
|
||||
advert_int 1
|
||||
authentication {
|
||||
auth_type PASS
|
||||
auth_pass CSC_VRRP
|
||||
}
|
||||
virtual_ipaddress {
|
||||
129.97.134.10
|
||||
2620:101:f000:4901:c5c::10ad
|
||||
}
|
||||
}
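Review bot: `auth_pass CSC_VRRP` commits the VRRP shared secret to the repository, and VRRP `PASS` authentication carries it in cleartext on the segment, so it only guards against accidental router-id collisions rather than an untrusted peer on the same LAN; since this file is already rendered with `template`, read it from a vaulted inventory variable instead of a literal, e.g. `auth_pass {{ vrrp_auth_pass }}` (a proposed variable name). No `vrrp_script`/`track_script` is attached to VI_10, so the VIP stays on a node whose haproxy process has died; a `vrrp_script` that checks the haproxy process, referenced from a `track_script` block inside VI_10, is the usual remedy. `state MASTER` is rendered for both inventory hosts while only `priority` varies, which works through election but is worth a comment, or `state BACKUP` on the priority-100 node; `interface eth0` is likewise hard-coded where the rest is templated.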
|
|
@ -6,6 +6,7 @@
|
|||
# PHP5
|
||||
- php5-fpm
|
||||
- php5-mysql
|
||||
- libapache2-mod-auth-cas
|
||||
|
||||
# MySQL
|
||||
- socat
|
||||
|
@ -20,14 +21,12 @@
|
|||
fstype: none
|
||||
opts: defaults,bind
|
||||
state: mounted
|
||||
register: apache_configuration
|
||||
|
||||
- name: Restart apache2
|
||||
service:
|
||||
name: apache2
|
||||
state: restarted
|
||||
enabled: yes
|
||||
when: apache_configuration.changed
|
||||
|
||||
#
|
||||
# PHP5-FPM setup
|
||||
|
|
16
webnode.yml
16
webnode.yml
|
@ -3,13 +3,13 @@
|
|||
become: yes
|
||||
become_method: sudo
|
||||
roles:
|
||||
- common
|
||||
- core
|
||||
- static-ipv6
|
||||
- generate-hosts
|
||||
- auth
|
||||
- csc-packages
|
||||
- devel
|
||||
- general-use
|
||||
#- common
|
||||
#- core
|
||||
#- static-ipv6
|
||||
#- generate-hosts
|
||||
#- auth
|
||||
#- csc-packages
|
||||
#- devel
|
||||
#- general-use
|
||||
- webnode
|
||||
- cleanup
|
||||
|
|