Stuff that I haven't committed yet
This commit is contained in:
parent
d123344be6
commit
99c9c18149
|
@ -0,0 +1,12 @@
|
|||
search csclub.uwaterloo.ca uwaterloo.ca
|
||||
options rotate timeout:1 attempts:1 ndots:2
|
||||
|
||||
# CSC Nameservers
|
||||
nameserver 2620:101:f000:4901:c5c::4
|
||||
nameserver 2620:101:f000:7300:c5c::20
|
||||
nameserver 129.97.134.4
|
||||
nameserver 129.97.18.20
|
||||
|
||||
# IST Anycast (fallback)
|
||||
#nameserver 129.97.2.1
|
||||
#nameserver 129.97.2.2
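Review bot: With the two IST anycast entries commented out this resolv.conf has no resolver outside the CSC pair, and `options rotate timeout:1 attempts:1` gives each query a single one-second try per server, so an outage of both CSC nameservers fails every lookup immediately instead of falling back. If disabling the fallback is deliberate, record why next to the disabled lines, e.g. `# IST Anycast (fallback) - disabled: <reason placeholder>`, and consider `attempts:2`. The same fallback removal is made in the second resolv.conf at the `@ -7,5 +8,5 @@` hunk further down (`nameserver 129.97.2.1` / `129.97.2.2` become commented), which appears to be a second copy of this file; two hand-synchronised copies are how these drift.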
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- hosts: identity.csclub.uwaterloo.ca
|
||||
- hosts: prometheus.csclub.uwaterloo.ca
|
||||
become: yes
|
||||
become_method: sudo
|
||||
roles:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- hosts: yerba-mate.csclub.uwaterloo.ca guayusa.csclub.uwaterloo.ca
|
||||
- hosts: wiki.uwarc.csclub.cloud
|
||||
become: yes
|
||||
become_method: sudo
|
||||
roles:
|
||||
|
@ -7,9 +7,9 @@
|
|||
- core
|
||||
- static-ipv6
|
||||
- hardware
|
||||
- virtualization-host
|
||||
- generate-hosts
|
||||
# - virtualization-host
|
||||
# - generate-hosts
|
||||
- auth
|
||||
- csc-packages
|
||||
- nfs
|
||||
# - csc-packages
|
||||
# - nfs
|
||||
- cleanup
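Review bot: Four roles are commented out rather than removed, and the play now targets `wiki.uwarc.csclub.cloud` while still applying `hardware` and `static-ipv6`, which read as bare-metal or VM-host roles; if the uwarc wiki is a cloud instance (inferred only from the name) those two may not belong here either. A one-line comment above the disabled roles saying why they are off, e.g. `# not applicable to the uwarc wiki VM - see <ticket placeholder>`, would stop the next reader from re-enabling them; otherwise delete the dead lines, since git keeps the history. The play header is in the earlier hunk and the file may continue past `- cleanup`.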
|
||||
|
|
|
@ -2,13 +2,12 @@
|
|||
- hosts: load-balancers
|
||||
become: yes
|
||||
become_method: sudo
|
||||
serial: "50%"
|
||||
pre_tasks:
|
||||
- name: stop keepalived (to remove from rotation)
|
||||
service:
|
||||
name: keepalived
|
||||
state: stopped
|
||||
roles:
|
||||
- common
|
||||
- core
|
||||
- container
|
||||
- static-ipv6
|
||||
- generate-hosts
|
||||
- auth
|
||||
- csc-packages
|
||||
- load-balancer
|
||||
- cleanup
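Review bot: The keepalived `pre_tasks` entry drains the host (`state: stopped`) but nothing in this play starts it again, so unless the `load-balancer` role restarts keepalived the host stays out of rotation after the run; a matching `post_tasks:` with `- name: start keepalived` / `service: name=keepalived state=started` would make the drain symmetric. Which side of the change the `serial: "50%"` / `pre_tasks` lines are on is not recoverable from this rendering, so this applies only if they survive on the new side; if they were removed, the reverse concern applies: all load balancers are then reconfigured at once with nothing taking them out of rotation. `become: yes` here should be `true` per the YAML truthy rule, and the play may continue past `- cleanup`.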
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Disable resolvconf
|
||||
service: name={{ item }} state=stopped enabled=no
|
||||
with_items:
|
||||
- resolvconf
|
||||
- systemd-resolved
|
||||
ignore_errors: yes
|
||||
|
||||
- name: Remove resolvconf
|
||||
package:
|
||||
name: resolvconf
|
||||
state: absent
|
||||
|
||||
- name: Remove immutable on resolv.conf
|
||||
command: chattr -i /etc/resolv.conf
|
||||
|
||||
- name: Copy resolv.conf
|
||||
copy:
|
||||
src: resolv.conf
|
||||
dest: /etc/resolv.conf
|
||||
# attributes: 'ie'
|
||||
|
||||
- name: Set immutable on resolv.conf
|
||||
command: chattr +i /etc/resolv.conf
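Review bot: Both `chattr` steps run through `command`, so they report `changed` on every run, and `chattr -i` errors out when `/etc/resolv.conf` does not exist yet or is a symlink (the usual systemd-resolved layout, inferred rather than visible here), which aborts the play before the `copy` task that creates the file. Give the `-i` task `ignore_errors: true` and `changed_when: false` (or a `stat` pre-check), and note the commented `# attributes: 'ie'` under `copy`: the `file` module's `attributes` parameter would replace both `chattr` tasks idempotently if the Ansible version in use supports it. Style-wise, `service: name={{ item }} state=stopped enabled=no` should be native YAML (`service:` / `name: "{{ item }}"` / `state: stopped` / `enabled: false`) and `ignore_errors: yes` should be `true`.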
|
|
@ -0,0 +1,18 @@
|
|||
#!/bin/sh
|
||||
if test -z "$1"; then
|
||||
echo >&2 'usage: become_club clubaccount'
|
||||
echo >&2 ' become_club -l'
|
||||
exit 2
|
||||
fi
|
||||
if test "$(whoami)" = "$1"; then
|
||||
echo >&2 you are already $1
|
||||
exit 1
|
||||
fi
|
||||
if test -z "$SHELL"; then
|
||||
export SHELL=/bin/bash
|
||||
fi
|
||||
if test "$1" = -l; then
|
||||
sudo -l
|
||||
else
|
||||
exec sudo -H -s -u "$1"
|
||||
fi
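Review bot: `echo >&2 you are already $1` leaves `$1` unquoted, so an argument containing whitespace or a glob character is word-split and expanded before printing; write `echo >&2 "you are already $1"`. The usage check only tests that `$1` is non-empty, so `become_club foo bar` silently ignores the extra argument; `if test "$#" -ne 1; then` is the tighter guard. The `-l` branch and the `exec sudo -H -s -u "$1"` line are correctly quoted, and access to the target account remains gated entirely by the sudoers policy, which this wrapper relies on rather than replaces.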
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- name: install libpam-csc
|
||||
when: "'syscom' not in group_names"
|
||||
when: "'syscom' not in group_names and 'club-uwarc' not in group_names"
|
||||
apt: name=libpam-csc state=latest
|
||||
|
||||
- name: install required aptitude packages
|
||||
|
@ -33,6 +33,11 @@
|
|||
- { src: 'k5login', dest: '/root/.k5login' }
|
||||
- { src: 'ssh_known_hosts', dest: '/etc/ssh/ssh_known_hosts' }
|
||||
|
||||
- name: copy user scripts
|
||||
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }}
|
||||
with_items:
|
||||
- { src: 'become_club', dest: '/usr/local/bin/become_club', mode: "u=rwx,g=rx,o=rx" }
|
||||
|
||||
- name: make sssd.conf accessable only by root
|
||||
file: path=/etc/sssd/sssd.conf owner=root group=root mode=0600
|
||||
|
||||
|
@ -51,11 +56,34 @@
|
|||
blockinfile:
|
||||
dest: /etc/pam.d/common-account
|
||||
block: |
|
||||
# make sure user is up to date, except system accounts and syscom
|
||||
# Restrict login to system accounts and syscom
|
||||
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
|
||||
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
|
||||
account required pam_csc.so
|
||||
|
||||
- name: configure PAM for iie wiki
|
||||
when: "'club-iie' in group_names"
|
||||
blockinfile:
|
||||
dest: /etc/pam.d/common-account
|
||||
block: |
|
||||
# Restrict login to system accounts, syscom and iie members
|
||||
account [success=3 default=ignore] pam_succeed_if.so quiet uid < 10000
|
||||
account [success=2 default=ignore] pam_succeed_if.so quiet user ingroup syscom
|
||||
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup iie
|
||||
account required pam_deny.so
|
||||
|
||||
- name: configure PAM for uwarc
|
||||
when: "'club-uwarc' in group_names"
|
||||
blockinfile:
|
||||
dest: /etc/pam.d/common-account
|
||||
block: |
|
||||
# Restrict login to system accounts, syscom and iie members
|
||||
account [success=3 default=ignore] pam_succeed_if.so quiet uid < 10000
|
||||
account [success=2 default=ignore] pam_succeed_if.so quiet user ingroup syscom
|
||||
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup uwarc
|
||||
account required pam_deny.so
|
||||
|
||||
|
||||
- name: restart services
|
||||
service: name={{ item }} state=restarted
|
||||
with_items:
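Review bot: The three `blockinfile` tasks write to the same `dest: /etc/pam.d/common-account` with the default marker, so they overwrite one another's managed block: a host in both `club-iie` and `club-uwarc` keeps only the last block written, and if the first (pam_csc) task also runs on club hosts its block is silently replaced by the club block. If that replacement is the intended mechanism, say so above each club task (e.g. `# replaces the generic pam_csc block above - same blockinfile marker`); otherwise give each task its own `marker: "# {mark} ANSIBLE MANAGED BLOCK (uwarc)"` and decide explicitly which block wins. The uwarc block's header comment `# Restrict login to system accounts, syscom and iie members` is copy-pasted from the iie task and should read `... syscom and uwarc members`. The first task's name and `when:` are above the hunk, and the `with_items` list of `restart services` continues below it.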
|
||||
|
|
|
@ -5,3 +5,4 @@
|
|||
name: ntp
|
||||
state: stopped
|
||||
enabled: no
|
||||
ignore_errors: yes
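Review bot: `ignore_errors: yes` on the ntp stop task hides every failure, including a real one (unit present but failing to stop), not just the unit-not-found case it is presumably meant for. Register the result and narrow it, e.g. `register: ntp_stop` with `failed_when: ntp_stop is failed and 'not found' not in (ntp_stop.msg | default(''))` (message text to be confirmed against the module's actual output), and write the boolean as `ignore_errors: true`. The task's name and module are above the hunk.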
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
search csclub.uwaterloo.ca uwaterloo.ca
|
||||
options rotate timeout:1 attempts:1 ndots:2
|
||||
|
||||
# CSC Nameservers
|
||||
nameserver 2620:101:f000:4901:c5c::4
|
||||
|
@ -7,5 +8,5 @@ nameserver 129.97.134.4
|
|||
nameserver 129.97.18.20
|
||||
|
||||
# IST Anycast (fallback)
|
||||
nameserver 129.97.2.1
|
||||
nameserver 129.97.2.2
|
||||
#nameserver 129.97.2.1
|
||||
#nameserver 129.97.2.2
|
||||
|
|
|
@ -28,153 +28,153 @@
|
|||
- name: Set immutable on resolv.conf
|
||||
command: chattr +i /etc/resolv.conf
|
||||
#
|
||||
#- name: Install root dotfiles
|
||||
# copy: src={{ item.src }} dest={{ item.dest }} backup=no
|
||||
# with_items:
|
||||
# - { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' }
|
||||
# - { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' }
|
||||
# - { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' }
|
||||
#
|
||||
#- name: Install Shells
|
||||
# apt: name={{ item }} state=latest
|
||||
# with_items:
|
||||
# - bash
|
||||
# - zsh
|
||||
# - zsh-doc
|
||||
# - dash
|
||||
# - ksh
|
||||
# - tcsh
|
||||
# - csh
|
||||
# - rc
|
||||
# - bash-doc
|
||||
# - bash-completion
|
||||
#
|
||||
#- name: Install Editors
|
||||
# apt: name={{ item }} state=latest
|
||||
# with_items:
|
||||
# - vim-nox
|
||||
# - ed
|
||||
# - nano
|
||||
#
|
||||
#- name: Install words
|
||||
# apt: name={{ item }} state=latest
|
||||
# with_items:
|
||||
# - wamerican-insane
|
||||
#
|
||||
#- name: Install utils
|
||||
# apt: name={{ item }} state=latest
|
||||
# with_items:
|
||||
# - acl
|
||||
# - tmux
|
||||
# - screen
|
||||
# - less
|
||||
# - lsof
|
||||
# - bc
|
||||
# - dc
|
||||
# - psmisc
|
||||
# - procps
|
||||
# - htop
|
||||
# - schedtool
|
||||
# - pciutils
|
||||
# - rsync
|
||||
# - iotop
|
||||
# - attr
|
||||
# - tree
|
||||
# - parted
|
||||
# - mosh
|
||||
#
|
||||
#- name: Install compression
|
||||
# apt: name={{ item }} state=latest
|
||||
# with_items:
|
||||
# - bzip2
|
||||
# - gzip
|
||||
# - pax
|
||||
# - lzma
|
||||
# - xz-utils
|
||||
# - cpio
|
||||
#
|
||||
#- name: Install ncurses
|
||||
# apt: name={{ item }} state=latest
|
||||
# with_items:
|
||||
# - ncurses-bin
|
||||
# - ncurses-term
|
||||
#
|
||||
#- name: Install network
|
||||
# apt: name={{ item }} state=latest
|
||||
# with_items:
|
||||
# - iputils-ping
|
||||
# - iputils-arping
|
||||
# - traceroute
|
||||
# - telnet
|
||||
# - iproute2
|
||||
# - ethtool
|
||||
# - dnsutils
|
||||
# - whois
|
||||
# - wget
|
||||
# - curl
|
||||
# - netcat-traditional
|
||||
# - netcat-openbsd
|
||||
# - vlan
|
||||
# - bridge-utils
|
||||
# - tcpdump
|
||||
# - tshark
|
||||
# - ftp
|
||||
# - tftp
|
||||
#
|
||||
#- name: Install ntp
|
||||
# apt: name=ntp state=latest
|
||||
#
|
||||
#- name: Copy NTP configuration
|
||||
# copy:
|
||||
# src: ntp.conf
|
||||
# dest: /etc/ntp.conf
|
||||
# backup: no
|
||||
#
|
||||
#- name: Restart NTP
|
||||
# service:
|
||||
# name: ntp
|
||||
# state: restarted
|
||||
#
|
||||
#- name: Install debian package management
|
||||
# apt: name={{ item }} state=latest
|
||||
# with_items:
|
||||
# - aptitude
|
||||
# - dselect
|
||||
#
|
||||
#- name: Install gpg
|
||||
# apt: name=gnupg state=latest
|
||||
#
|
||||
#- name: Install rsyslog
|
||||
# apt: name={{ item }} state=latest
|
||||
# with_items:
|
||||
# - rsyslog
|
||||
# - rsyslog-gnutls
|
||||
#
|
||||
# # TODO: Configure logging
|
||||
#
|
||||
#- name: Restart rsyslog
|
||||
# service:
|
||||
# name: rsyslog
|
||||
# state: restarted
|
||||
#
|
||||
#- name: Install fail2ban
|
||||
# apt: name=fail2ban state=latest
|
||||
#
|
||||
#- name: Install man pages
|
||||
# apt: name={{ item }} state=latest
|
||||
# with_items:
|
||||
# - manpages
|
||||
# - info
|
||||
#
|
||||
#- name: Install molly-guard
|
||||
# apt: name=molly-guard state=latest
|
||||
#
|
||||
#- name: Install ssmtp
|
||||
# apt: name=ssmtp state=latest
|
||||
#
|
||||
#- name: Configure ssmtp
|
||||
# lineinfile: dest=/etc/ssmtp/ssmtp.conf
|
||||
# state=present
|
||||
# backrefs=yes
|
||||
# regexp='^#(FromLineOverride=YES)$'
|
||||
# line='\\1'
|
||||
- name: Install root dotfiles
|
||||
copy: src={{ item.src }} dest={{ item.dest }} backup=no
|
||||
with_items:
|
||||
- { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' }
|
||||
- { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' }
|
||||
- { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' }
|
||||
|
||||
- name: Install Shells
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- bash
|
||||
- zsh
|
||||
- zsh-doc
|
||||
- dash
|
||||
- ksh
|
||||
- tcsh
|
||||
- csh
|
||||
- rc
|
||||
- bash-doc
|
||||
- bash-completion
|
||||
|
||||
- name: Install Editors
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- vim-nox
|
||||
- ed
|
||||
- nano
|
||||
|
||||
- name: Install words
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- wamerican-insane
|
||||
|
||||
- name: Install utils
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- acl
|
||||
- tmux
|
||||
- screen
|
||||
- less
|
||||
- lsof
|
||||
- bc
|
||||
- dc
|
||||
- psmisc
|
||||
- procps
|
||||
- htop
|
||||
- schedtool
|
||||
- pciutils
|
||||
- rsync
|
||||
- iotop
|
||||
- attr
|
||||
- tree
|
||||
- parted
|
||||
- mosh
|
||||
|
||||
- name: Install compression
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- bzip2
|
||||
- gzip
|
||||
- pax
|
||||
- lzma
|
||||
- xz-utils
|
||||
- cpio
|
||||
|
||||
- name: Install ncurses
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- ncurses-bin
|
||||
- ncurses-term
|
||||
|
||||
- name: Install network
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- iputils-ping
|
||||
- iputils-arping
|
||||
- traceroute
|
||||
- telnet
|
||||
- iproute2
|
||||
- ethtool
|
||||
- dnsutils
|
||||
- whois
|
||||
- wget
|
||||
- curl
|
||||
- netcat-traditional
|
||||
- netcat-openbsd
|
||||
- vlan
|
||||
- bridge-utils
|
||||
- tcpdump
|
||||
- tshark
|
||||
- ftp
|
||||
- tftp
|
||||
|
||||
- name: Install ntp
|
||||
apt: name=ntp state=latest
|
||||
|
||||
- name: Copy NTP configuration
|
||||
copy:
|
||||
src: ntp.conf
|
||||
dest: /etc/ntp.conf
|
||||
backup: no
|
||||
|
||||
- name: Restart NTP
|
||||
service:
|
||||
name: ntp
|
||||
state: restarted
|
||||
|
||||
- name: Install debian package management
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- aptitude
|
||||
- dselect
|
||||
|
||||
- name: Install gpg
|
||||
apt: name=gnupg state=latest
|
||||
|
||||
- name: Install rsyslog
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- rsyslog
|
||||
- rsyslog-gnutls
|
||||
|
||||
# TODO: Configure logging
|
||||
|
||||
- name: Restart rsyslog
|
||||
service:
|
||||
name: rsyslog
|
||||
state: restarted
|
||||
|
||||
- name: Install fail2ban
|
||||
apt: name=fail2ban state=latest
|
||||
|
||||
- name: Install man pages
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
- manpages
|
||||
- info
|
||||
|
||||
- name: Install molly-guard
|
||||
apt: name=molly-guard state=latest
|
||||
|
||||
- name: Install ssmtp
|
||||
apt: name=ssmtp state=latest
|
||||
|
||||
- name: Configure ssmtp
|
||||
lineinfile: dest=/etc/ssmtp/ssmtp.conf
|
||||
state=present
|
||||
backrefs=yes
|
||||
regexp='^(FromLineOverride=YES)$'
|
||||
line='\\1'
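Review bot: `regexp='^(FromLineOverride=YES)$'` with `backrefs=yes` and `line='\\1'` rewrites a matching line to itself, so the 'Configure ssmtp' task is a no-op in the uncommented copy; the variant in the commented copy, `regexp='^#(FromLineOverride=YES)$'`, is the one that actually uncomments the setting. Which copy is old and which is new is not recoverable from this rendering; if the uncommented block is the new side, restore the `^#(...)` anchor, and if it is the old side the commit is deleting the whole role body and the regex point is moot. Separately, every `apt:` task uses `state=latest`, which upgrades packages on each run and makes runs non-reproducible; `state: present` is the usual choice for a config role, with upgrades done deliberately. The multi-line `lineinfile: dest=... state=... regexp=...` continuation should be native YAML keys so the quoting of the regex is unambiguous.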
|
||||
|
|
|
@ -67,6 +67,7 @@
|
|||
- xpdf
|
||||
- evince
|
||||
- djview4
|
||||
- krita
|
||||
|
||||
- name: Install xubuntu-desktop
|
||||
apt: name={{ item }} state=latest
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
net.ipv4.ip_nonlocal_bind = 1
|
||||
|
||||
# Until the kernel > 4.3, a hack binds the IPs on lo
|
||||
# net.ipv6.ip_nonlocal_bind = 1
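Review bot: The comment `# Until the kernel > 4.3, a hack binds the IPs on lo` is hard to parse: it reads as if the hack is needed on kernels newer than 4.3, while the intent (inferred from the commented `net.ipv6.ip_nonlocal_bind`) is the opposite, that the IPv6 sysctl exists only in newer kernels so older ones need the loopback hack. Suggested wording: `# net.ipv6.ip_nonlocal_bind only exists in kernels >= 4.3; on older kernels the VIPs are bound on lo instead`, followed by the commented key. A pointer to where that lo hack lives (role or task name) would also help whoever eventually removes it.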
|
|
@ -19,10 +19,10 @@ global
|
|||
#ssl-default-bind-options no-sslv3
|
||||
|
||||
tune.ssl.default-dh-param 2048
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
ssl-default-bind-options no-sslv3 no-tls-tickets
|
||||
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
ssl-default-server-options no-sslv3 no-tls-tickets
|
||||
ssl-default-server-options no-sslv3 no-tls-tickets
|
||||
|
||||
|
||||
defaults
|
||||
|
@ -41,35 +41,223 @@ defaults
|
|||
errorfile 503 /etc/haproxy/errors/503.http
|
||||
errorfile 504 /etc/haproxy/errors/504.http
|
||||
|
||||
frontend ssh
|
||||
bind :2222
|
||||
mode tcp
|
||||
default_backend ssh-backend
|
||||
#frontend ssh
|
||||
# bind :::2222 v4v6
|
||||
# mode tcp
|
||||
# option tcplog
|
||||
#
|
||||
# default_backend ssh_general-use
|
||||
|
||||
frontend http_cloud_metadata
|
||||
bind :::8775 v4v6 ssl crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
|
||||
mode http
|
||||
option forwardfor
|
||||
|
||||
http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
||||
|
||||
default_backend http_metadata.cloud.csclub.uwaterloo.ca
|
||||
|
||||
frontend http
|
||||
bind :::80 v4v6
|
||||
bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.pem
|
||||
mode http
|
||||
default_backend http-backend
|
||||
bind :::80 v4v6
|
||||
bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem crt /etc/ssl/private/csclub.cloud/csclub.cloud.pem
|
||||
mode http
|
||||
option forwardfor
|
||||
|
||||
stats enable
|
||||
stats uri /status
|
||||
# Add proto
|
||||
http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
||||
|
||||
backend ssh-backend
|
||||
balance roundrobin
|
||||
mode tcp
|
||||
#
|
||||
# Determine host
|
||||
#
|
||||
|
||||
server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
|
||||
server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
|
||||
server sucrose sucrose.csclub.uwaterloo.ca check port 22
|
||||
# csclub webpage
|
||||
acl csclub.uwaterloo.ca hdr(host) -i csclub.uwaterloo.ca
|
||||
acl csclub.uwaterloo.ca hdr(host) -i www.csclub.uwaterloo.ca
|
||||
acl csclub.uwaterloo.ca hdr(host) -i www2.csclub.uwaterloo.ca
|
||||
|
||||
backend http-backend
|
||||
balance leastconn
|
||||
mode http
|
||||
option forwardfor
|
||||
# cloud.csclub
|
||||
acl cloud.csclub.uwaterloo.ca hdr(host) -i cloud.csclub.uwaterloo.ca
|
||||
acl console.cloud.csclub.uwaterloo.ca hdr(host) -i console.cloud.csclub.uwaterloo.ca
|
||||
acl auth.cloud.csclub.uwaterloo.ca hdr(host) -i auth.cloud.csclub.uwaterloo.ca
|
||||
acl admin.cloud.csclub.uwaterloo.ca hdr(host) -i admin.cloud.csclub.uwaterloo.ca
|
||||
acl compute.cloud.csclub.uwaterloo.ca hdr(host) -i compute.cloud.csclub.uwaterloo.ca
|
||||
acl dns.cloud.csclub.uwaterloo.ca hdr(host) -i dns.cloud.csclub.uwaterloo.ca
|
||||
acl metadata.cloud.csclub.uwaterloo.ca hdr(host) -i metadata.cloud.csclub.uwaterloo.ca
|
||||
acl network.cloud.csclub.uwaterloo.ca hdr(host) -i network.cloud.csclub.uwaterloo.ca
|
||||
acl image.cloud.csclub.uwaterloo.ca hdr(host) -i image.cloud.csclub.uwaterloo.ca
|
||||
acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.cloud.csclub.uwaterloo.ca
|
||||
acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.csclub.uwaterloo.ca
|
||||
acl volume.cloud.csclub.uwaterloo.ca hdr(host) -i volume.cloud.csclub.uwaterloo.ca
|
||||
|
||||
cookie SERVERID insert indirect nocache
|
||||
# csclub.cloud
|
||||
acl csclub.cloud hdr(host) csclub.cloud
|
||||
acl csclub.cloud hdr(host) www.csclub.cloud
|
||||
|
||||
server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
|
||||
server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01
|
||||
#
|
||||
# csclub.cloud (users)
|
||||
#
|
||||
|
||||
# iie
|
||||
acl iie_iise-wiki.csclub.cloud hdr(host) -i iise-wiki.csclub.cloud
|
||||
|
||||
# ztseguin
|
||||
acl ztseguin.csclub.cloud hdr(host) -i ztseguin.csclub.cloud
|
||||
acl ztseguin-reddit.csclub.cloud hdr(host) -i ztseguin-reddit.csclub.cloud
|
||||
acl ztseguin-reddit.csclub.cloud hdr(host) -i reddit.csclub.cloud
|
||||
|
||||
# Force SSL
|
||||
redirect scheme https if !{ ssl_fc } cloud.csclub.uwaterloo.ca
|
||||
redirect scheme https if !{ ssl_fc } admin.cloud.csclub.uwaterloo.ca
|
||||
redirect scheme https if !{ ssl_fc } auth.cloud.csclub.uwaterloo.ca
|
||||
redirect scheme https if !{ ssl_fc } console.cloud.csclub.uwaterloo.ca
|
||||
redirect scheme https if !{ ssl_fc } compute.cloud.csclub.uwaterloo.ca
|
||||
redirect scheme https if !{ ssl_fc } dns.cloud.csclub.uwaterloo.ca
|
||||
redirect scheme https if !{ ssl_fc } metadata.cloud.csclub.uwaterloo.ca
|
||||
redirect scheme https if !{ ssl_fc } network.cloud.csclub.uwaterloo.ca
|
||||
redirect scheme https if !{ ssl_fc } image.cloud.csclub.uwaterloo.ca
|
||||
redirect scheme https if !{ ssl_fc } object.cloud.csclub.uwaterloo.ca
|
||||
redirect scheme https if !{ ssl_fc } volume.cloud.csclub.uwaterloo.ca
|
||||
|
||||
redirect scheme https if !{ ssl_fc } csclub.cloud
|
||||
|
||||
redirect scheme https if !{ ssl_fc } ztseguin.csclub.cloud
|
||||
|
||||
redirect scheme https if !{ ssl_fc } iie_iise-wiki.csclub.cloud
|
||||
|
||||
# Backend
|
||||
use_backend http_csclub.uwaterloo.ca if csclub.uwaterloo.ca
|
||||
|
||||
use_backend http_cloud.csclub.uwaterloo.ca if cloud.csclub.uwaterloo.ca
|
||||
use_backend http_auth.cloud.csclub.uwaterloo.ca if auth.cloud.csclub.uwaterloo.ca
|
||||
use_backend http_admin.cloud.csclub.uwaterloo.ca if admin.cloud.csclub.uwaterloo.ca
|
||||
use_backend http_console.cloud.csclub.uwaterloo.ca if console.cloud.csclub.uwaterloo.ca
|
||||
use_backend http_compute.cloud.csclub.uwaterloo.ca if compute.cloud.csclub.uwaterloo.ca
|
||||
use_backend http_dns.cloud.csclub.uwaterloo.ca if dns.cloud.csclub.uwaterloo.ca
|
||||
use_backend http_metadata.cloud.csclub.uwaterloo.ca if metadata.cloud.csclub.uwaterloo.ca
|
||||
use_backend http_network.cloud.csclub.uwaterloo.ca if network.cloud.csclub.uwaterloo.ca
|
||||
use_backend http_image.cloud.csclub.uwaterloo.ca if image.cloud.csclub.uwaterloo.ca
|
||||
use_backend http_object.cloud.csclub.uwaterloo.ca if object.cloud.csclub.uwaterloo.ca
|
||||
use_backend http_volume.cloud.csclub.uwaterloo.ca if volume.cloud.csclub.uwaterloo.ca
|
||||
|
||||
use_backend http_cloud.csclub.uwaterloo.ca if csclub.cloud
|
||||
|
||||
use_backend http_ztseguin.csclub.cloud if ztseguin.csclub.cloud
|
||||
|
||||
use_backend http_iie_iise-wiki.csclub.cloud if iie_iise-wiki.csclub.cloud
|
||||
|
||||
frontend stats
|
||||
bind :::8443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
|
||||
mode http
|
||||
no log
|
||||
|
||||
stats enable
|
||||
stats uri /
|
||||
|
||||
acl network_allowed src 10.0.0.0/8
|
||||
acl network_allowed src 129.97.0.0/16
|
||||
acl network_allowed src 172.16.0.0/12
|
||||
acl network_allowed src 2620:101:f000::/47
|
||||
acl network_allowed src fd74:6b6a:8eca::/47
|
||||
|
||||
tcp-request connection reject if !network_allowed
|
||||
|
||||
#
|
||||
# BACKENDS
|
||||
#
|
||||
#backend ssh_general-use
|
||||
# balance roundrobin
|
||||
# mode tcp
|
||||
|
||||
# server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
|
||||
# server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
|
||||
# server sucrose sucrose.csclub.uwaterloo.ca check port 22
|
||||
|
||||
backend http_csclub.uwaterloo.ca
|
||||
balance leastconn
|
||||
mode http
|
||||
|
||||
cookie serverid insert indirect nocache
|
||||
|
||||
server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
|
||||
server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01
|
||||
|
||||
backend http_cloud.csclub.uwaterloo.ca
|
||||
balance leastconn
|
||||
mode http
|
||||
|
||||
cookie serverid insert indirect nocache
|
||||
|
||||
#server web1.cloud web1.cloud.csclub.uwaterloo.ca:80 check cookie 01
|
||||
server web1.cloud 172.19.134.5:80 check cookie 01
|
||||
|
||||
backend http_auth.cloud.csclub.uwaterloo.ca
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:5000 check
|
||||
|
||||
backend http_admin.cloud.csclub.uwaterloo.ca
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:35357 check
|
||||
|
||||
backend http_console.cloud.csclub.uwaterloo.ca
|
||||
balance leastconn
|
||||
mode http
|
||||
|
||||
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:6080 check
|
||||
|
||||
backend http_compute.cloud.csclub.uwaterloo.ca
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8774 check
|
||||
|
||||
backend http_dns.cloud.csclub.uwaterloo.ca
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9001 check
|
||||
|
||||
backend http_network.cloud.csclub.uwaterloo.ca
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9696 check
|
||||
|
||||
backend http_metadata.cloud.csclub.uwaterloo.ca
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8775 check
|
||||
|
||||
backend http_image.cloud.csclub.uwaterloo.ca
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9292 check
|
||||
|
||||
backend http_object.cloud.csclub.uwaterloo.ca
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8080 check
|
||||
|
||||
backend http_volume.cloud.csclub.uwaterloo.ca
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8776 check
|
||||
|
||||
backend http_ztseguin.csclub.cloud
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server ztseguin1 csc-web.zacharyseguin.ca:80 check
|
||||
|
||||
backend http_iie_iise-wiki.csclub.cloud
|
||||
balance roundrobin
|
||||
mode http
|
||||
|
||||
server wiki wiki.iie.csclub.cloud:8090 check
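Review bot: `frontend http_cloud_metadata` binds `:::8775 v4v6` with no source restriction, while `frontend stats` in the same file and the `cloud-metadata` entry in the new config.yml both confine access to the internal ranges with `network_allowed` / `restrict`; the metadata endpoint looks intended to be internal (inferred from that restrict list), so if this hand-written haproxy.cfg is still deployed alongside the generated one it should carry the same `acl network_allowed src ...` lines and `tcp-request connection reject if !network_allowed`. Which of the two `frontend http` blocks is new is not certain from this rendering; if the one with `stats enable` / `stats uri /status` is the new side, it exposes the stats page on the public :80/:443 listener without the ACL the dedicated `frontend stats` applies, and that pair of lines should be dropped in favour of the restricted frontend. `backend http_cloud.csclub.uwaterloo.ca` also points at a literal `172.19.134.5` with the hostname form commented out; a one-line comment saying why would save the next reader a guess.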
|
||||
|
|
|
@ -0,0 +1,277 @@
|
|||
frontends:
|
||||
- name: http
|
||||
bind:
|
||||
- host: '129.97.134.10'
|
||||
port: 80
|
||||
- host: '2620:101:f000:4901:c5c::10ad'
|
||||
port: 80
|
||||
|
||||
# For certificates, always ensure to update both v4 and v6
|
||||
- host: '129.97.134.10'
|
||||
port: 443
|
||||
ssl: true
|
||||
certs:
|
||||
- /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
|
||||
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
|
||||
- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
|
||||
- /etc/ssl/private/ztseguin/alerts.zacharyseguin.ca/alerts.zacharyseguin.ca.pem
|
||||
# For certificates, always ensure to update both v4 and v6
|
||||
- host: '2620:101:f000:4901:c5c::10ad'
|
||||
port: 443
|
||||
ssl: true
|
||||
certs:
|
||||
- /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
|
||||
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
|
||||
- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
|
||||
- /etc/ssl/private/ztseguin/alerts.zacharyseguin.ca/alerts.zacharyseguin.ca.pem
|
||||
multiple: true
|
||||
projects:
|
||||
csc:
|
||||
proxies:
|
||||
- host: www2.csclub.uwaterloo.ca
|
||||
cookie: true
|
||||
backends:
|
||||
- host: caffeine-00.csclub.uwaterloo.ca
|
||||
port: 80
|
||||
- host: caffeine-01.csclub.uwaterloo.ca
|
||||
port: 80
|
||||
- host: crl.csclub.uwaterloo.ca
|
||||
cookie: true
|
||||
backends:
|
||||
- host: caffeine-00.csclub.uwaterloo.ca
|
||||
port: 80
|
||||
- host: caffeine-01.csclub.uwaterloo.ca
|
||||
port: 80
|
||||
- host: cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: web1.cloud.csclub.uwaterloo.ca
|
||||
port: 80
|
||||
- host: csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: web1.cloud.csclub.uwaterloo.ca
|
||||
port: 80
|
||||
office:
|
||||
proxies:
|
||||
- host: office.csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: 172.19.134.51
|
||||
port: 80
|
||||
- host: 2620:101:f000:4903:f816:3eff:fe11:1dd9
|
||||
port: 80
|
||||
ztseguin:
|
||||
proxies:
|
||||
- host: ztseguin.csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: node1.web.ztseguin.csclub.cloud
|
||||
port: 80
|
||||
- host: dashboard.csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: dashboard.ztseguin.csclub.cloud
|
||||
port: 80
|
||||
- host: alerts.zacharyseguin.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: web1.alerts-canada.ztseguin.csclub.cloud
|
||||
port: 80
|
||||
- host: ztseguin-alerts-canada.csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: web1.alerts-canada.ztseguin.csclub.cloud
|
||||
port: 80
|
||||
- host: freebsd.packages.zacharyseguin.ca
|
||||
backends:
|
||||
- host: george-mason.zacharyseguin.ca
|
||||
port: 80
|
||||
- host: twig-sockets.csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: sucrose.csclub.uwaterloo.ca
|
||||
port: 25000
|
||||
- host: twig.csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: twig-prod.ztseguin.csclub.cloud
|
||||
port: 80
|
||||
- host: twig-dev.csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: twig-dev.ztseguin.csclub.cloud
|
||||
port: 5000
|
||||
iie:
|
||||
proxies:
|
||||
- host: iise-wiki.csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: wiki.iie.csclub.cloud
|
||||
port: 8090
|
||||
uwarc:
|
||||
proxies:
|
||||
- host: uwarc-wiki.csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: wiki.uwarc.csclub.cloud
|
||||
port: 80
|
||||
- host: wiki.uwarc.uwaterloo.club
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: wiki.uwarc.csclub.cloud
|
||||
port: 80
|
||||
- name: cloud-http
|
||||
bind:
|
||||
- host: '129.97.134.11'
|
||||
port: 80
|
||||
- host: '2620:101:f000:4901:c5c::c:10ad'
|
||||
port: 80
|
||||
|
||||
# For certificates, always ensure to update both v4 and v6
|
||||
- host: '129.97.134.11'
|
||||
port: 443
|
||||
ssl: true
|
||||
certs:
|
||||
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
|
||||
# For certificates, always ensure to update both v4 and v6
|
||||
- host: '2620:101:f000:4901:c5c::c:10ad'
|
||||
port: 443
|
||||
ssl: true
|
||||
certs:
|
||||
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
|
||||
multiple: true
|
||||
projects:
|
||||
csc-cloud:
|
||||
proxies:
|
||||
- host: csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: web1.cloud.csclub.uwaterloo.ca
|
||||
port: 80
|
||||
- host: www.csclub.cloud
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: web1.cloud.csclub.uwaterloo.ca
|
||||
port: 80
|
||||
- host: cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
cookie: true
|
||||
backends:
|
||||
- host: web1.cloud.csclub.uwaterloo.ca
|
||||
port: 80
|
||||
- host: admin.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 35357
|
||||
- host: auth.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 5000
|
||||
- host: compute.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 8774
|
||||
- host: console.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 6080
|
||||
- host: dashboard.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: web1.cloud.csclub.uwaterloo.ca
|
||||
port: 8080
|
||||
- host: dns.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 9001
|
||||
- host: network.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 9696
|
||||
- host: image.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 9292
|
||||
- host: object.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 8080
|
||||
- host: placement.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 8778
|
||||
- host: volume.cloud.csclub.uwaterloo.ca
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 8776
|
||||
# TODO: Force SSL for object.csclub.uwaterloo.ca domain
|
||||
- name: object-http
|
||||
bind:
|
||||
- host: '129.97.134.12'
|
||||
port: 80
|
||||
- host: '2620:101:f000:4901:c5c::c0b:10ad'
|
||||
port: 80
|
||||
|
||||
# For certificates, always ensure to update both v4 and v6
|
||||
- host: '129.97.134.12'
|
||||
port: 443
|
||||
ssl: true
|
||||
certs:
|
||||
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
|
||||
- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
|
||||
# For certificates, always ensure to update both v4 and v6
|
||||
- host: '2620:101:f000:4901:c5c::c0b:10ad'
|
||||
port: 443
|
||||
ssl: true
|
||||
certs:
|
||||
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
|
||||
- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 8080
|
||||
- name: cloud-metadata
|
||||
bind:
|
||||
- host: '::'
|
||||
port: 8775
|
||||
v4v6: true
|
||||
ssl: true
|
||||
certs:
|
||||
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
|
||||
force_ssl: true
|
||||
backends:
|
||||
- host: controller1.cloud.csclub.uwaterloo.ca
|
||||
port: 8775
|
||||
restrict:
|
||||
- '10.0.0.0/8'
|
||||
- '129.97.0.0/16'
|
||||
- '172.16.0.0/12'
|
||||
- '2620:101:f000::/47'
|
||||
- 'fd74:6b6a:8eca::/47'
|
||||
- name: stats
|
||||
bind:
|
||||
- host: '::'
|
||||
port: 8443
|
||||
v4v6: true
|
||||
ssl: true
|
||||
certs:
|
||||
- /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
|
||||
stats:
|
||||
enable: true
|
||||
uri: '/'
|
||||
restrict:
|
||||
- '10.0.0.0/8'
|
||||
- '129.97.0.0/16'
|
||||
- '172.16.0.0/12'
|
||||
- '2620:101:f000::/47'
|
||||
- 'fd74:6b6a:8eca::/47'
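Review bot: The `object-http` frontend carries `# TODO: Force SSL for object.csclub.uwaterloo.ca domain` and no `force_ssl`, so the object-storage API on `:80` is served in the clear while every other cloud service here has `force_ssl: true`; that API fronts `controller1...:8080` and is presumably token-authenticated in request headers (inferred), so either add `force_ssl: true` now or expand the TODO with what blocks it. The four identical `certs:` lists and the two identical `restrict:` lists are maintained by hand (the `# always ensure to update both v4 and v6` comments admit it); since config.yml is read by the project's own generate script, a YAML anchor (`certs: &csclub_certs` on the first bind, `certs: *csclub_certs` on its IPv6 twin) removes the drift risk. The `multiple: true` key after the last bind entry of the `http`, `cloud-http` and `object-http` frontends sits at an indentation this rendering does not preserve; worth confirming it is at frontend level rather than inside the last bind item.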
|
|
@ -0,0 +1,37 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
from __future__ import print_function
|
||||
|
||||
import os, sys
|
||||
from optparse import OptionParser
|
||||
import yaml
|
||||
from mako.template import Template
|
||||
|
||||
import pprint
|
||||
|
||||
def main():
|
||||
# Arguments
|
||||
parser = OptionParser()
|
||||
|
||||
parser.add_option('-c', '--config', dest='config', default='config.yml',
|
||||
help='Configuration file', metavar="FILE")
|
||||
parser.add_option('-t', '--template', dest='template', default='haproxy.cfg.mako',
|
||||
help='haproxy.cfg Mako template')
|
||||
|
||||
|
||||
(options, args) = parser.parse_args()
|
||||
|
||||
try:
|
||||
config = yaml.load(open(options.config, 'r'))
|
||||
except Exception as e:
|
||||
print(e, file=sys.stderr)
|
||||
config = None
|
||||
|
||||
if not config or type(config) != dict:
|
||||
print('Unable to load configuration: "{}"'.format(options.config), file=sys.stderr)
|
||||
sys.exit(-1)
|
||||
|
||||
print(Template(filename=options.template).render(config=config))
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
|
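Review bot: `config = yaml.load(open(options.config, 'r'))` uses PyYAML's default (full) loader, which will construct arbitrary Python objects from tags such as `!!python/object/apply`, and the file handle is never closed; the config only needs plain mappings and lists, so load it with `with open(options.config, 'r') as fh: config = yaml.safe_load(fh)`. The config is operator-supplied, but the playbook that ships this script presumably runs it under `become`, so a tampered `config.yml` turning into root code execution is worth ruling out at the parser rather than by trust in the staging path. `sys.exit(-1)` reports exit status 255 to the caller; `sys.exit(1)` is the conventional failure code and reads less surprisingly in the Ansible output.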
@ -0,0 +1,147 @@
|
|||
global
|
||||
log /dev/log local0
|
||||
log /dev/log local1 notice
|
||||
chroot /var/lib/haproxy
|
||||
stats socket /run/haproxy/admin.sock mode 660 level admin
|
||||
stats timeout 30s
|
||||
user haproxy
|
||||
group haproxy
|
||||
daemon
|
||||
|
||||
# Default SSL material locations
|
||||
ca-base /etc/ssl/certs
|
||||
crt-base /etc/ssl/private
|
||||
|
||||
tune.ssl.default-dh-param 2048
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDH
|
||||
ssl-default-bind-options no-sslv3 no-tls-tickets
|
||||
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC
|
||||
ssl-default-server-options no-sslv3 no-tls-tickets
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode http
|
||||
option httplog
|
||||
option dontlognull
|
||||
timeout connect 5000
|
||||
timeout client 50000
|
||||
timeout server 50000
|
||||
errorfile 400 /etc/haproxy/errors/400.http
|
||||
errorfile 403 /etc/haproxy/errors/403.http
|
||||
errorfile 408 /etc/haproxy/errors/408.http
|
||||
errorfile 500 /etc/haproxy/errors/500.http
|
||||
errorfile 502 /etc/haproxy/errors/502.http
|
||||
errorfile 503 /etc/haproxy/errors/503.http
|
||||
errorfile 504 /etc/haproxy/errors/504.http
|
||||
|
||||
% for frontend in config.get('frontends'):
|
||||
frontend ${frontend['name']}
|
||||
% for bind in frontend['bind']:
|
||||
bind ${bind['host']}:${bind['port']}${' v4v6' if bind.get('v4v6', False) else ''}${' ssl crt {}'.format(' crt '.join(bind['certs'])) if bind.get('ssl', False) else ''}
|
||||
% endfor
|
||||
|
||||
mode ${frontend.get('mode', 'http')}
|
||||
|
||||
% if frontend.get('mode', 'http') == 'http':
|
||||
option forwardfor
|
||||
option http-server-close
|
||||
http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
||||
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
|
||||
% endif
|
||||
|
||||
% if frontend.get('stats') and frontend['stats'].get('enable', False):
|
||||
stats enable
|
||||
stats uri ${frontend['stats'].get('uri', '/')}
|
||||
% endif
|
||||
|
||||
% for restriction in frontend.get('restrict', []):
|
||||
acl network_allowed src ${restriction}
|
||||
% endfor
|
||||
|
||||
% if frontend.get('restrict', None):
|
||||
http-request deny if !network_allowed
|
||||
% endif
|
||||
|
||||
% if not frontend.get('multiple', False):
|
||||
# SSL
|
||||
% if frontend.get('force_ssl', False):
|
||||
redirect scheme https if !{ ssl_fc }
|
||||
% endif
|
||||
|
||||
# Backend
|
||||
% if frontend.get('backends'):
|
||||
use_backend ${frontend['name']}
|
||||
% endif
|
||||
% else:
|
||||
# Determine which virtual host is being requested
|
||||
% for project in frontend['projects']:
|
||||
# ${project}
|
||||
% for proxy in frontend['projects'][project]['proxies']:
|
||||
acl ${proxy['host']} hdr(host) -i ${proxy['host']}
|
||||
% endfor
|
||||
|
||||
% endfor
|
||||
|
||||
# Redirect SSL
|
||||
% for project in frontend['projects']:
|
||||
# ${project}
|
||||
% for proxy in frontend['projects'][project]['proxies']:
|
||||
% if proxy.get('force_ssl', False):
|
||||
redirect scheme https if !{ ssl_fc } ${proxy['host']}
|
||||
% endif
|
||||
% endfor
|
||||
|
||||
% endfor
|
||||
|
||||
# Select backend
|
||||
% for project in frontend['projects']:
|
||||
# ${project}
|
||||
% for proxy in frontend['projects'][project]['proxies']:
|
||||
% if proxy.get('force_ssl', False):
|
||||
redirect scheme https if !{ ssl_fc } ${proxy['host']}
|
||||
% endif
|
||||
% endfor
|
||||
|
||||
% endfor
|
||||
|
||||
# Select backend
|
||||
% for project in frontend['projects']:
|
||||
# ${project}
|
||||
% for proxy in frontend['projects'][project]['proxies']:
|
||||
use_backend ${frontend['name']}_${project}_${proxy['host']} if ${proxy['host']}
|
||||
% endfor
|
||||
|
||||
% endfor
|
||||
% endif
|
||||
|
||||
% endfor
|
||||
|
||||
#
|
||||
# BACKENDS
|
||||
#
|
||||
<%def name="backend(name, definition)">
|
||||
backend ${name}
|
||||
balance ${definition.get('balance', 'leastconn')}
|
||||
mode http
|
||||
% if definition.get('cookie', False):
|
||||
|
||||
cookie serverid insert indirect nocache
|
||||
% endif
|
||||
|
||||
% for index, server in enumerate(definition.get('backends')):
|
||||
server ${server['host']}:${server['port']} ${server['host']}:${server['port']} check ${ 'cookie {}'.format(index) if definition.get('cookie', False) else ''}
|
||||
% endfor
|
||||
</%def>
|
||||
% for frontend in config.get('frontends', []):
|
||||
% if not frontend.get('multiple', False) and frontend.get('backends'):
|
||||
${backend(frontend['name'], frontend)}
|
||||
% elif frontend.get('multiple', False):
|
||||
% for project in frontend['projects']:
|
||||
# ${project}
|
||||
% for proxy in frontend['projects'][project]['proxies']:
|
||||
${backend('{}_{}_{}'.format(frontend['name'], project, proxy['host']), proxy)}
|
||||
|
||||
% endfor
|
||||
% endfor
|
||||
% endif
|
||||
% endfor
|
|
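Review bot: `ssl-default-bind-options no-sslv3 no-tls-tickets` only removes SSLv3, so every frontend rendered from this template still negotiates TLS 1.0 and 1.1 with the listed ciphers; unless a known legacy client needs them, use `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets` (and the same for `ssl-default-server-options`), or `ssl-min-ver TLSv1.2` on HAProxy 1.8 and later. The `stats` frontend is protected only by the `restrict` ACL: `stats enable` with no `stats auth` shows backend names and server addresses to every host in the allowed ranges, and `129.97.0.0/16` covers the whole campus, so add a `stats auth` line fed from a templated credential. The `# Redirect SSL` loop (`redirect scheme https if !{ ssl_fc } ${proxy['host']}`) is emitted a second time under the first `# Select backend` comment, producing duplicate redirect rules ahead of the real `use_backend` loop; drop the duplicated block. Both cipher strings also appear cut off (`:ECDH`, `:EC`) in this rendering; if that reflects the committed file rather than display truncation, OpenSSL will reject the cipher list at startup, so verify the full string is present.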
@ -0,0 +1,13 @@
|
|||
[Unit]
|
||||
Description=Hack since 4.3 kernel does not support net.ipv6.ip_nonlocal_bind
|
||||
Before=haproxy.service
|
||||
|
||||
[Service]
|
||||
ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::10ad/64 dev lo
|
||||
ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::c:10ad/64 dev lo
|
||||
ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::c0b:10ad/64 dev lo
|
||||
RemainAfterExit=true
|
||||
Type=oneshot
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
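Review bot: The three `ExecStart` lines add each VIP to `lo` with a `/64` prefix, which also installs a connected route for the whole `2620:101:f000:4901::/64` via the loopback; depending on route ordering this can blackhole traffic from the load balancer to other hosts in that subnet. Host-local VIPs should be added as `/128`, e.g. `ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::10ad/128 dev lo`, on all three lines. Matching `ExecStop=/sbin/ip -6 addr del … dev lo` lines would let `systemctl stop` undo the hack instead of leaving the addresses behind. If the kernel on these hosts gains `net.ipv6.ip_nonlocal_bind` (which the role's `99-nonlocalbind.conf` sysctl presumably sets), this unit becomes redundant and should be removed rather than left to fight with keepalived.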
@ -0,0 +1 @@
|
|||
/users/syscom/certs
|
|
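Review bot: This symlink points the role's `ssl/` source at `/users/syscom/certs`, so the `.pem` bundles that end up in `/etc/ssl/private` — which, for HAProxy `crt`, must contain the private keys — are read from a home-directory tree on NFS. Whoever can read that path on the export (and, if it is served with `sec=sys`, anyone who can assert the owning UID on a client) holds the keys for every domain listed in the HAProxy config. Consider keeping the key material in ansible-vault or a root-only path on the control host instead of a user directory, or at least document the expected permissions on `/users/syscom/certs` alongside this link, e.g. `# expected: root:syscom 0750, keys 0640`.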
@ -1,49 +1,82 @@
|
|||
---
|
||||
|
||||
# SSL CERTS
|
||||
- name: Install SSL certificates
|
||||
copy:
|
||||
src: ssl/
|
||||
dest: /etc/ssl/private/
|
||||
directory_mode: "u=rwx,g=rx,o="
|
||||
mode: "u=rw,g=r,o="
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
# Non-local binding
|
||||
- name: Install 99-nonlocalbind.conf in /etc/sysctl.d
|
||||
copy:
|
||||
src: 99-nonlocalbind.conf
|
||||
dest: /etc/sysctl.d
|
||||
backup: no
|
||||
|
||||
- name: Install ipv6-nonlocalhack.service
|
||||
copy:
|
||||
src: ipv6-nonlocalhack.service
|
||||
dest: /etc/systemd/system/ipv6-nonlocalhack.service
|
||||
backup: no
|
||||
|
||||
- name: Start ipv6-nonlocalhack.service
|
||||
service:
|
||||
name: ipv6-nonlocalhack
|
||||
state: running
|
||||
|
||||
# HAPROXY
|
||||
- name: Install haproxy
|
||||
package:
|
||||
name: haproxy
|
||||
state: latest
|
||||
|
||||
- name: Copy haproxy configuration
|
||||
- name: Install packages required to generate config
|
||||
package: name={{ item }} state=latest
|
||||
with_items:
|
||||
- python-yaml
|
||||
- python-mako
|
||||
|
||||
- name: Copy haproxy configuration generation
|
||||
copy:
|
||||
src: haproxy.cfg
|
||||
dest: /etc/haproxy/haproxy.cfg
|
||||
src: haproxy/
|
||||
dest: /tmp/haproxy
|
||||
backup: no
|
||||
register: haproxy_configuration
|
||||
|
||||
- name: Generate haproxy configuration
|
||||
shell: python genconfig.py > /etc/haproxy/haproxy.cfg
|
||||
args:
|
||||
chdir: /tmp/haproxy/
|
||||
|
||||
- name: Restart haproxy
|
||||
service:
|
||||
name: haproxy
|
||||
state: restarted
|
||||
when: haproxy_configuration.changed
|
||||
|
||||
- name: Ensure that haproxy is running
|
||||
service:
|
||||
name: haproxy
|
||||
state: running
|
||||
|
||||
# KEEPALIVED
|
||||
- name: Install keepalived
|
||||
package:
|
||||
name: keepalived
|
||||
state: latest
|
||||
register: keepalived_installed
|
||||
|
||||
- name: Stop keepalived
|
||||
service:
|
||||
name: keepalived
|
||||
state: stopped
|
||||
|
||||
- name: Copy keepalived config
|
||||
template:
|
||||
src: keepalived.conf
|
||||
dest: /etc/keepalived/keepalived.conf
|
||||
backup: no
|
||||
register: keepalived_configuration
|
||||
#register: keepalived_configuration
|
||||
|
||||
- name: Restart keepalived
|
||||
service:
|
||||
name: keepalived
|
||||
state: restarted
|
||||
when: keepalived_configuration.changed
|
||||
|
||||
- name: Ensure keepalived is running
|
||||
service:
|
||||
name: keepalived
|
||||
state: running
|
||||
#when: keepalived_configuration.changed
|
||||
|
|
|
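Review bot: `dest: /tmp/haproxy` stages the generator, template and `config.yml` in a world-writable directory and then runs `python genconfig.py` from it under `become`, so a local user who pre-creates `/tmp/haproxy` or plants a `yaml.py` or `mako/` package beside the script (Python puts the script's own directory first on `sys.path`) gets code execution as root on the next playbook run. Stage the files in a root-owned directory such as `/etc/haproxy/generator/` with explicit owner and mode, mirroring the certificate task at the top of this file. The shell redirection also truncates `/etc/haproxy/haproxy.cfg` before `genconfig.py` runs, so a parse failure (`sys.exit(-1)` in the script) leaves an empty config for the restart that follows; write to a temporary file, validate it with `haproxy -c -f`, and only then move it into place. Whether `register: keepalived_configuration` was meant to end up commented out is not clear from this rendering, but the `when: keepalived_configuration.changed` on the restart task needs that variable defined.
```yaml
- name: Copy haproxy configuration generation
  copy:
    src: haproxy/
    dest: /etc/haproxy/generator/
    owner: root
    group: root
    directory_mode: "u=rwx,g=rx,o="
    mode: "u=rw,g=r,o="
    backup: no
  register: haproxy_configuration

- name: Generate haproxy configuration
  shell: >-
    python genconfig.py > /etc/haproxy/haproxy.cfg.new
    && haproxy -c -f /etc/haproxy/haproxy.cfg.new
    && mv /etc/haproxy/haproxy.cfg.new /etc/haproxy/haproxy.cfg
  args:
    chdir: /etc/haproxy/generator/
# … unchanged: Restart haproxy / Ensure that haproxy is running …
```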
@ -1,10 +1,16 @@
|
|||
global_defs {
|
||||
notification_email {
|
||||
ztseguin+notifications@csclub.uwaterloo.ca
|
||||
syscom@csclub.uwaterloo.ca
|
||||
}
|
||||
notification_email_from load-balancer@csclub.uwaterloo.ca
|
||||
}
|
||||
|
||||
vrrp_script check_haproxy {
|
||||
script "pidof haproxy"
|
||||
interval 1
|
||||
weight: -20
|
||||
}
|
||||
|
||||
! load-balancer.csclub.uwaterloo.ca
|
||||
vrrp_instance VI_10 {
|
||||
state MASTER
|
||||
|
@ -16,8 +22,51 @@ vrrp_instance VI_10 {
|
|||
auth_type PASS
|
||||
auth_pass CSC_VRRP
|
||||
}
|
||||
track_script {
|
||||
check_haproxy
|
||||
}
|
||||
virtual_ipaddress {
|
||||
129.97.134.10
|
||||
2620:101:f000:4901:c5c::10ad
|
||||
}
|
||||
}
|
||||
|
||||
! load-balancer-cloud.csclub.uwaterloo.ca
|
||||
vrrp_instance VI_11 {
|
||||
state MASTER
|
||||
interface eth0
|
||||
virtual_router_id 11
|
||||
priority {{ lb_priority }}
|
||||
advert_int 1
|
||||
authentication {
|
||||
auth_type PASS
|
||||
auth_pass CSC_VRRP
|
||||
}
|
||||
track_script {
|
||||
check_haproxy
|
||||
}
|
||||
virtual_ipaddress {
|
||||
129.97.134.11
|
||||
2620:101:f000:4901:c5c::c:10ad
|
||||
}
|
||||
}
|
||||
|
||||
! load-balancer-object.csclub.uwaterloo.ca
|
||||
vrrp_instance VI_12 {
|
||||
state MASTER
|
||||
interface eth0
|
||||
virtual_router_id 12
|
||||
priority {{ lb_priority }}
|
||||
advert_int 1
|
||||
authentication {
|
||||
auth_type PASS
|
||||
auth_pass CSC_VRRP
|
||||
}
|
||||
track_script {
|
||||
check_haproxy
|
||||
}
|
||||
virtual_ipaddress {
|
||||
129.97.134.12
|
||||
2620:101:f000:4901:c5c::c0b:10ad
|
||||
}
|
||||
}
|
||||
|
|
|
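Review bot: `weight: -20` in `vrrp_script check_haproxy` is not keepalived syntax — the keyword is `weight -20` with no colon — so the parser will most likely report an unknown keyword and leave the script at the default weight 0, where a failing check puts the instance into FAULT state instead of lowering its priority; decide which behaviour you want and fix the line accordingly. The three instances share a static `auth_pass CSC_VRRP` that is committed to git and sent in cleartext on the wire; VRRP PASS authentication stops nothing an attacker on the eth0 segment cannot already do, so template it from a vault variable (`auth_pass {{ vrrp_auth_pass }}`) and treat L2 isolation of that segment as the actual control. `pidof haproxy` only proves a process exists; a check against one of the bound ports (or `haproxy -c` on the config) would catch a running-but-broken proxy before VRRP keeps the VIP on it. Adding `fall`/`rise` counts to the script stanza would also avoid flapping on a single missed second.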
@ -30,14 +30,18 @@
|
|||
file: path={{ item }} state=directory
|
||||
with_items:
|
||||
- /users
|
||||
- /music
|
||||
- /scratch
|
||||
- /u
|
||||
# - /music
|
||||
# - /scratch
|
||||
|
||||
- name: Add fstab entry for users
|
||||
mount: src="aspartame:/users" name=/users fstype=nfs opts="noauto,bg,vers=3,sec=krb5p,nosuid,nodev,x-systemd.automount,x-systemd.requires=nfs-common.service" dump=0 passno=0 state=mounted
|
||||
#- name: Add fstab entry for users
|
||||
# mount: src="aspartame:/users" name=/users fstype=nfs opts="noauto,bg,vers=3,sec=krb5p,nosuid,nodev,x-systemd.automount,x-systemd.requires=nfs-common.service" dump=0 passno=0 state=mounted
|
||||
|
||||
- name: Add fstab entry for music
|
||||
mount: src="aspartame:/music" name=/music fstype=nfs opts="bg,vers=3,sec=sys,nolock,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
|
||||
#- name: Add fstab entry for users (new netapp)
|
||||
# mount: src="fs00:/users" name=/u fstype=nfs opts="noauto,bg,vers=3,sec=sys,nosuid,nodev,x-systemd.automount,x-systemd.requires=nfs-common.service" dump=0 passno=0 state=mounted
|
||||
|
||||
- name: Add fstab entry for scratch
|
||||
mount: src="corn-syrup:/scratch" name=/scratch fstype=nfs opts="bg,vers=3,sec=sys,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
|
||||
#- name: Add fstab entry for music
|
||||
# mount: src="aspartame:/music" name=/music fstype=nfs opts="bg,vers=3,sec=sys,nolock,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
|
||||
|
||||
#- name: Add fstab entry for scratch
|
||||
# mount: src="corn-syrup:/scratch" name=/scratch fstype=nfs opts="bg,vers=3,sec=sys,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
|
||||
|
|
|
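Review bot: The commented-out mount for the new NetApp (`fs00:/users` on `/u`) uses `sec=sys` where the `/users` mount it appears to replace used `sec=krb5p`, so enabling it as written moves home directories from Kerberos-authenticated, encrypted NFS to AUTH_SYS, where the client asserts the UID and traffic is cleartext. If the NetApp cannot do `krb5p`, record that next to the task so the downgrade is a decision rather than an accident, e.g. `# TODO: fs00 export is sec=sys — confirm krb5p support before enabling`. The `/u` directory is now created unconditionally while its mount stays disabled, which leaves an empty, writable mount point on every host until the task is turned on.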
@ -0,0 +1,4 @@
|
|||
[Allow syscom to libvirt]
|
||||
Identity=unix-group:syscom
|
||||
Action=org.libvirt.unix.manage
|
||||
ResultAny=yes
|
|
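Review bot: `org.libvirt.unix.manage` with `ResultAny=yes` grants full read-write control of libvirtd — enough to define a domain with host block devices attached, i.e. root-equivalent on the hypervisor — to every member of `syscom` from any session type, including remote and inactive ones. If that is intended, say so in the file so the next reader does not narrow it by accident, e.g. `; manage == root on this host: syscom membership must be treated as root-equivalent`. If only console sessions should get it, use `ResultActive=yes` with `ResultInactive=no`/`ResultAny=no` instead. Note that `.pkla` files are the legacy polkit LocalAuthority format; if these hosts move to polkit 0.106 or later, this file is silently ignored in favour of JavaScript rules in `/etc/polkit-1/rules.d`.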
@ -1,4 +1,8 @@
|
|||
---
|
||||
- name: Allow syscom access to libvirt
|
||||
copy:
|
||||
src: libvirt.pkla
|
||||
dest: /etc/polkit-1/localauthority/50-local.d/libvirt.pkla
|
||||
- name: Install virtualization tools
|
||||
apt: name={{ item }} state=latest
|
||||
with_items:
|
||||
|
|
|
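Review bot: The `copy` of `libvirt.pkla` sets no `owner`, `group` or `mode`, so the installed file inherits the remote umask; polkitd runs as an unprivileged user and needs the rule world-readable, and a `077` umask would yield a rule that is silently ignored and an unexpected authentication prompt for `virsh`. Pin `owner: root`, `group: root` and `mode: "0644"` on the task, as the other roles in this change do for files under `/etc`. Switching the `apt` task to block YAML with `state: present` would also avoid re-upgrading the virtualization stack on every playbook run.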
@ -0,0 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
tasks:
|
||||
- name: upgrade software packages (safe)
|
||||
apt: update_cache=yes upgrade=safe
|
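Review bot: `hosts: all` with no `serial` runs `apt upgrade` on every host concurrently, including both load balancers, so a package that breaks haproxy or keepalived takes down both VRRP peers at once. Add `serial: 1` (or the `"50%"` the load-balancer playbook uses) and consider `cache_valid_time` so repeated runs do not hit the mirrors each time. Writing the module arguments as block YAML (`apt:` / `update_cache: true` / `upgrade: safe`) would match the rest of the roles in this repository.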