diff --git a/files/resolv.conf b/files/resolv.conf new file mode 100644 index 0000000..a0ae578 --- /dev/null +++ b/files/resolv.conf @@ -0,0 +1,12 @@ +search csclub.uwaterloo.ca uwaterloo.ca +options rotate timeout:1 attempts:1 ndots:2 + +# CSC Nameservers +nameserver 2620:101:f000:4901:c5c::4 +nameserver 2620:101:f000:7300:c5c::20 +nameserver 129.97.134.4 +nameserver 129.97.18.20 + +# IST Anycast (fallback) +#nameserver 129.97.2.1 +#nameserver 129.97.2.2 diff --git a/install-syscom-container.yml b/install-syscom-container.yml index dc43b56..01f252e 100644 --- a/install-syscom-container.yml +++ b/install-syscom-container.yml @@ -1,5 +1,5 @@ --- - - hosts: identity.csclub.uwaterloo.ca + - hosts: prometheus.csclub.uwaterloo.ca become: yes become_method: sudo roles: diff --git a/install-syscom.yml b/install-syscom.yml index 309df10..dad263f 100644 --- a/install-syscom.yml +++ b/install-syscom.yml @@ -1,5 +1,5 @@ --- - - hosts: yerba-mate.csclub.uwaterloo.ca guayusa.csclub.uwaterloo.ca + - hosts: wiki.uwarc.csclub.cloud become: yes become_method: sudo roles: @@ -7,9 +7,9 @@ - core - static-ipv6 - hardware - - virtualization-host - - generate-hosts + # - virtualization-host + # - generate-hosts - auth - - csc-packages - - nfs + # - csc-packages + # - nfs - cleanup diff --git a/loadbalancer.yml b/loadbalancer.yml index 75c5e5f..d2eddf9 100644 --- a/loadbalancer.yml +++ b/loadbalancer.yml @@ -2,13 +2,12 @@ - hosts: load-balancers become: yes become_method: sudo + serial: "50%" + pre_tasks: + - name: stop keepalived (to remove from rotation) + service: + name: keepalived + state: stopped roles: - - common - - core - - container - - static-ipv6 - - generate-hosts - - auth - - csc-packages - load-balancer - cleanup diff --git a/resolv.yml b/resolv.yml new file mode 100644 index 0000000..72c0662 --- /dev/null +++ b/resolv.yml 
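Review bot: This new files/resolv.conf is a byte-for-byte copy of roles/core/files/resolv.conf (both hunks show blob a0ae578), so the resolver options and the nameserver list now have to be edited in two places and will drift. The only consumer is resolv.yml's `copy: src: resolv.conf`; pointing that task at the role's file instead, for instance `src: roles/core/files/resolv.conf`, keeps a single source of truth. Note also that `attempts:1 timeout:1` with the IST fallback servers commented out gives a lookup one try at each of the four CSC servers under glibc's semantics before it fails; if that trade-off for latency is intended, a one-line comment in the file would record it.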
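Review bot: The roles dropped for wiki.uwarc.csclub.cloud are commented out with `#` rather than removed, leaving dead entries in the role list, and the playbook keeps the name install-syscom.yml while its only host is now a club machine. If this host needs a different role set from the syscom hosts, a separate playbook or a host group with its own play is clearer than editing the shared one; if the commented roles are meant to return, a short comment saying why they are disabled would help the next reader.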
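Review bot: The new `pre_tasks` stops keepalived to take the node out of rotation, but nothing in this play starts it again, so unless the load-balancer role does so (not visible here) each node finishes the run still drained. A matching `post_tasks` entry with `service: name: keepalived state: started` closes the loop and is what makes the `serial: "50%"` rolling update safe. The hunk also removes common, core, static-ipv6, generate-hosts, auth and csc-packages from these hosts; if another play now covers them, a comment naming it would save the next reader the check.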
@@ -0,0 +1,27 @@ +--- + - hosts: all + become: yes + tasks: + - name: Disable resolvconf + service: name={{ item }} state=stopped enabled=no + with_items: + - resolvconf + - systemd-resolved + ignore_errors: yes + + - name: Remove resolvconf + package: + name: resolvconf + state: absent + + - name: Remove immutable on resolv.conf + command: chattr -i /etc/resolv.conf + + - name: Copy resolv.conf + copy: + src: resolv.conf + dest: /etc/resolv.conf + # attributes: 'ie' + + - name: Set immutable on resolv.conf + command: chattr +i /etc/resolv.conf diff --git a/roles/auth/files/become_club b/roles/auth/files/become_club new file mode 100755 index 0000000..0f7b5ea --- /dev/null +++ b/roles/auth/files/become_club @@ -0,0 +1,18 @@ +#!/bin/sh +if test -z "$1"; then + echo >&2 'usage: become_club clubaccount' + echo >&2 ' become_club -l' + exit 2 +fi +if test "$(whoami)" = "$1"; then + echo >&2 you are already $1 + exit 1 +fi +if test -z "$SHELL"; then + export SHELL=/bin/bash +fi +if test "$1" = -l; then + sudo -l +else + exec sudo -H -s -u "$1" +fi diff --git a/roles/auth/tasks/main.yml b/roles/auth/tasks/main.yml index 9fdcd70..f3c8c41 100644 --- a/roles/auth/tasks/main.yml +++ b/roles/auth/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: install libpam-csc - when: "'syscom' not in group_names" + when: "'syscom' not in group_names and 'club-uwarc' not in group_names" apt: name=libpam-csc state=latest - name: install required aptitude packages @@ -33,6 +33,11 @@ - { src: 'k5login', dest: '/root/.k5login' } - { src: 'ssh_known_hosts', dest: '/etc/ssh/ssh_known_hosts' } +- name: copy user scripts + copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} + with_items: + - { src: 'become_club', dest: '/usr/local/bin/become_club', mode: "u=rwx,g=rx,o=rx" } + - name: make sssd.conf accessable only by root file: path=/etc/sssd/sssd.conf owner=root group=root mode=0600 
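Review bot: The two `command: chattr` tasks run on every play and always report changed, and `chattr -i` fails outright on a host where /etc/resolv.conf does not exist yet or is a symlink into /run (the layout resolvconf and systemd-resolved leave behind, since chattr follows the link onto tmpfs), so the play is neither idempotent nor safe on a fresh host. The `copy` module's `attributes` parameter, which the commented `# attributes: 'ie'` line hints at, can set the immutable flag in the same task as `attributes: i` and replace both command tasks; failing that, add `changed_when: false` and guard the first command with a `stat` check. `ignore_errors: yes` on the service task also hides real failures such as a unit that refuses to stop; a `failed_when` that tolerates only a missing unit would be tighter.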
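Review bot: `echo >&2 you are already $1` leaves `$1` unquoted, so a value containing spaces or glob characters is word-split before echo sees it; write `echo >&2 "you are already $1"`. The `-l` branch is only reached after the whoami comparison, which can never match `-l`, so testing for `-l` directly after the usage check reads more naturally. Authorization for the target account rests entirely on the sudoers policy that `sudo -H -s -u "$1"` consults, and `-s` starts whatever `$SHELL` the caller exports (defaulted to /bin/bash here); a one-line header comment saying so would help whoever maintains the sudoers entry.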
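Review bot: The extended `when` skips libpam-csc on club-uwarc hosts but still installs it on club-iie hosts, yet the PAM block added for club-iie later in this file ends in `pam_deny.so` and never references pam_csc.so, so the two club groups are treated differently with no visible reason. If iie hosts do not need the module either, extend the condition to `and 'club-iie' not in group_names`; if they do, a short comment explaining the asymmetry belongs here.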
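Review bot: The `copy user scripts` task sets `mode` but not `owner`/`group`, so ownership of /usr/local/bin/become_club depends on the connecting user; for a sudo wrapper on every user's PATH pin it with `owner=root group=root` alongside the mode. A single-item `with_items` is also heavier than a plain task — keep the loop only if more scripts are expected to land here.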
@@ -51,11 +56,34 @@ blockinfile: dest: /etc/pam.d/common-account block: | - # make sure user is up to date, except system accounts and syscom + # Restrict login to system accounts and syscom account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000 account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom account required pam_csc.so +- name: configure PAM for iie wiki + when: "'club-iie' in group_names" + blockinfile: + dest: /etc/pam.d/common-account + block: | + # Restrict login to system accounts, syscom and iie members + account [success=3 default=ignore] pam_succeed_if.so quiet uid < 10000 + account [success=2 default=ignore] pam_succeed_if.so quiet user ingroup syscom + account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup iie + account required pam_deny.so + +- name: configure PAM for uwarc + when: "'club-uwarc' in group_names" + blockinfile: + dest: /etc/pam.d/common-account + block: | + # Restrict login to system accounts, syscom and iie members + account [success=3 default=ignore] pam_succeed_if.so quiet uid < 10000 + account [success=2 default=ignore] pam_succeed_if.so quiet user ingroup syscom + account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup uwarc + account required pam_deny.so + + - name: restart services service: name={{ item }} state=restarted with_items: diff --git a/roles/container/tasks/main.yml b/roles/container/tasks/main.yml index 2999df9..120d03a 100644 --- a/roles/container/tasks/main.yml +++ b/roles/container/tasks/main.yml @@ -5,3 +5,4 @@ name: ntp state: stopped enabled: no + ignore_errors: yes diff --git a/roles/core/files/resolv.conf b/roles/core/files/resolv.conf index 0c30b76..a0ae578 100644 --- a/roles/core/files/resolv.conf +++ b/roles/core/files/resolv.conf @@ -1,4 +1,5 @@ search csclub.uwaterloo.ca uwaterloo.ca +options rotate timeout:1 attempts:1 ndots:2 # CSC Nameservers nameserver 2620:101:f000:4901:c5c::4 
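Review bot: The comment inside the uwarc block still says `syscom and iie members`; it should read `# Restrict login to system accounts, syscom and uwarc members`. All three blockinfile tasks write /etc/pam.d/common-account with the default `# {mark} ANSIBLE MANAGED BLOCK` marker, so on a host that is in more than one of these groups the later task silently replaces the earlier block and only the last group's members keep access; either assert that the groups are mutually exclusive or build one block from the host's groups rather than stacking independent tasks. The reworded first comment now says `Restrict login`, but that block still ends in `pam_csc.so` rather than `pam_deny.so`, so it presumably checks membership rather than denying outright — the wording should describe what the module actually does.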
@@ -7,5 +8,5 @@ nameserver 129.97.134.4
 nameserver 129.97.18.20
 
 # IST Anycast (fallback)
-nameserver 129.97.2.1
-nameserver 129.97.2.2
+#nameserver 129.97.2.1
+#nameserver 129.97.2.2
diff --git a/roles/core/tasks/main.yml b/roles/core/tasks/main.yml
index 604e5ef..0d11979 100644
--- a/roles/core/tasks/main.yml
+++ b/roles/core/tasks/main.yml
@@ -28,153 +28,153 @@ - name: Set immutable on resolv.conf command: chattr +i /etc/resolv.conf # -#- name: Install root dotfiles -# copy: src={{ item.src }} dest={{ item.dest }} backup=no -# with_items: -# - { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' } -# - { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' } -# - { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' } -# -#- name: Install Shells -# apt: name={{ item }} state=latest -# with_items: -# - bash -# - zsh -# - zsh-doc -# - dash -# - ksh -# - tcsh -# - csh -# - rc -# - bash-doc -# - bash-completion -# -#- name: Install Editors -# apt: name={{ item }} state=latest -# with_items: -# - vim-nox -# - ed -# - nano -# -#- name: Install words -# apt: name={{ item }} state=latest -# with_items: -# - wamerican-insane -# -#- name: Install utils -# apt: name={{ item }} state=latest -# with_items: -# - acl -# - tmux -# - screen -# - less -# - lsof -# - bc -# - dc -# - psmisc -# - procps -# - htop -# - schedtool -# - pciutils -# - rsync -# - iotop -# - attr -# - tree -# - parted -# - mosh -# -#- name: Install compression -# apt: name={{ item }} state=latest -# with_items: -# - bzip2 -# - gzip -# - pax -# - lzma -# - xz-utils -# - cpio -# -#- name: Install ncurses -# apt: name={{ item }} state=latest -# with_items: -# - ncurses-bin -# - ncurses-term -# -#- name: Install network -# apt: name={{ item }} state=latest -# with_items: -# - iputils-ping -# - iputils-arping -# - traceroute -# - telnet -# - iproute2 -# - ethtool -# - dnsutils -# - whois -# - wget -# - curl -# - netcat-traditional -# - netcat-openbsd -# - vlan -# - bridge-utils -# - tcpdump -# - tshark -# - ftp -# - tftp -# -#- name: Install ntp -# apt: name=ntp state=latest -# -#- name: Copy NTP configuration -# copy: -# src: ntp.conf -# dest: /etc/ntp.conf -# backup: no -# -#- name: Restart NTP -# service: -# name: ntp -# state: restarted -# -#- name: Install debian package management -# apt: name={{ item }} state=latest -# with_items: -# - 
aptitude -# - dselect -# -#- name: Install gpg -# apt: name=gnupg state=latest -# -#- name: Install rsyslog -# apt: name={{ item }} state=latest -# with_items: -# - rsyslog -# - rsyslog-gnutls -# -# # TODO: Configure logging -# -#- name: Restart rsyslog -# service: -# name: rsyslog -# state: restarted -# -#- name: Install fail2ban -# apt: name=fail2ban state=latest -# -#- name: Install man pages -# apt: name={{ item }} state=latest -# with_items: -# - manpages -# - info -# -#- name: Install molly-guard -# apt: name=molly-guard state=latest -# -#- name: Install ssmtp -# apt: name=ssmtp state=latest -# -#- name: Configure ssmtp -# lineinfile: dest=/etc/ssmtp/ssmtp.conf -# state=present -# backrefs=yes -# regexp='^#(FromLineOverride=YES)$' -# line='\\1' +- name: Install root dotfiles + copy: src={{ item.src }} dest={{ item.dest }} backup=no + with_items: + - { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' } + - { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' } + - { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' } + +- name: Install Shells + apt: name={{ item }} state=latest + with_items: + - bash + - zsh + - zsh-doc + - dash + - ksh + - tcsh + - csh + - rc + - bash-doc + - bash-completion + +- name: Install Editors + apt: name={{ item }} state=latest + with_items: + - vim-nox + - ed + - nano + +- name: Install words + apt: name={{ item }} state=latest + with_items: + - wamerican-insane + +- name: Install utils + apt: name={{ item }} state=latest + with_items: + - acl + - tmux + - screen + - less + - lsof + - bc + - dc + - psmisc + - procps + - htop + - schedtool + - pciutils + - rsync + - iotop + - attr + - tree + - parted + - mosh + +- name: Install compression + apt: name={{ item }} state=latest + with_items: + - bzip2 + - gzip + - pax + - lzma + - xz-utils + - cpio + +- name: Install ncurses + apt: name={{ item }} state=latest + with_items: + - ncurses-bin + - ncurses-term + +- name: Install network + apt: name={{ item }} state=latest + 
with_items: + - iputils-ping + - iputils-arping + - traceroute + - telnet + - iproute2 + - ethtool + - dnsutils + - whois + - wget + - curl + - netcat-traditional + - netcat-openbsd + - vlan + - bridge-utils + - tcpdump + - tshark + - ftp + - tftp + +- name: Install ntp + apt: name=ntp state=latest + +- name: Copy NTP configuration + copy: + src: ntp.conf + dest: /etc/ntp.conf + backup: no + +- name: Restart NTP + service: + name: ntp + state: restarted + +- name: Install debian package management + apt: name={{ item }} state=latest + with_items: + - aptitude + - dselect + +- name: Install gpg + apt: name=gnupg state=latest + +- name: Install rsyslog + apt: name={{ item }} state=latest + with_items: + - rsyslog + - rsyslog-gnutls + +# TODO: Configure logging + +- name: Restart rsyslog + service: + name: rsyslog + state: restarted + +- name: Install fail2ban + apt: name=fail2ban state=latest + +- name: Install man pages + apt: name={{ item }} state=latest + with_items: + - manpages + - info + +- name: Install molly-guard + apt: name=molly-guard state=latest + +- name: Install ssmtp + apt: name=ssmtp state=latest + +- name: Configure ssmtp + lineinfile: dest=/etc/ssmtp/ssmtp.conf + state=present + backrefs=yes + regexp='^(FromLineOverride=YES)$' + line='\\1' diff --git a/roles/general-use-gui/tasks/main.yml b/roles/general-use-gui/tasks/main.yml index 25ddfd4..625ffdb 100644 --- a/roles/general-use-gui/tasks/main.yml +++ b/roles/general-use-gui/tasks/main.yml @@ -67,6 +67,7 @@ - xpdf - evince - djview4 + - krita - name: Install xubuntu-desktop apt: name={{ item }} state=latest diff --git a/roles/load-balancer/files/99-nonlocalbind.conf b/roles/load-balancer/files/99-nonlocalbind.conf new file mode 100644 index 0000000..6c9c996 --- /dev/null +++ b/roles/load-balancer/files/99-nonlocalbind.conf @@ -0,0 +1,4 @@ +net.ipv4.ip_nonlocal_bind = 1 + +# Until the kernel > 4.3, a hack binds the IPs on lo +# net.ipv6.ip_nonlocal_bind = 1 
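Review bot: The `Configure ssmtp` task changes `regexp` from `'^#(FromLineOverride=YES)$'` to `'^(FromLineOverride=YES)$'` while keeping `backrefs=yes` and `line='\\1'`, so it now only matches a line that is already uncommented and rewrites it to itself; on a stock ssmtp.conf where the line is still `#FromLineOverride=YES` nothing matches, and because `backrefs=yes` makes a non-match a no-op the task is silently dead. Restore the `^#` anchor, or drop the backreference and use `regexp='^#?FromLineOverride=YES$' line='FromLineOverride=YES'`, which is also idempotent. The re-enabled package tasks loop `apt: name={{ item }}` over `with_items`, one apt transaction per package; passing the list directly to `name` is the supported form and is considerably faster.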
diff --git a/roles/load-balancer/files/haproxy.cfg b/roles/load-balancer/files/haproxy.cfg
index c4be653..807e870 100644
--- a/roles/load-balancer/files/haproxy.cfg
+++ b/roles/load-balancer/files/haproxy.cfg
@@ -19,10 +19,10 @@ global #ssl-default-bind-options no-sslv3 tune.ssl.default-dh-param 2048 - ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS ssl-default-bind-options no-sslv3 no-tls-tickets ssl-default-server-ciphers 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - ssl-default-server-options no-sslv3 no-tls-tickets + ssl-default-server-options no-sslv3 no-tls-tickets defaults 
@@ -41,35 +41,223 @@ defaults errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http -frontend ssh - bind :2222 - mode tcp - default_backend ssh-backend +#frontend ssh +# bind :::2222 v4v6 +# mode tcp +# option tcplog +# +# default_backend ssh_general-use + +frontend http_cloud_metadata + bind :::8775 v4v6 ssl crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem + mode http + option forwardfor + + http-request set-header X-Forwarded-Proto https if { ssl_fc } + + default_backend http_metadata.cloud.csclub.uwaterloo.ca frontend http - bind :::80 v4v6 - bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.pem - mode http - default_backend http-backend + bind :::80 v4v6 + bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem crt /etc/ssl/private/csclub.cloud/csclub.cloud.pem + mode http + option forwardfor - stats enable - stats uri /status + # Add proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } -backend ssh-backend - balance roundrobin - mode tcp + # + # Determine host + # - server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22 - server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22 - server sucrose sucrose.csclub.uwaterloo.ca check port 22 + # csclub webpage + acl csclub.uwaterloo.ca hdr(host) -i csclub.uwaterloo.ca + acl csclub.uwaterloo.ca hdr(host) -i www.csclub.uwaterloo.ca + acl csclub.uwaterloo.ca hdr(host) -i www2.csclub.uwaterloo.ca -backend http-backend - balance leastconn - mode http - option forwardfor + # cloud.csclub + acl cloud.csclub.uwaterloo.ca hdr(host) -i cloud.csclub.uwaterloo.ca + acl console.cloud.csclub.uwaterloo.ca hdr(host) -i console.cloud.csclub.uwaterloo.ca + acl auth.cloud.csclub.uwaterloo.ca hdr(host) -i auth.cloud.csclub.uwaterloo.ca + acl admin.cloud.csclub.uwaterloo.ca hdr(host) -i 
admin.cloud.csclub.uwaterloo.ca + acl compute.cloud.csclub.uwaterloo.ca hdr(host) -i compute.cloud.csclub.uwaterloo.ca + acl dns.cloud.csclub.uwaterloo.ca hdr(host) -i dns.cloud.csclub.uwaterloo.ca + acl metadata.cloud.csclub.uwaterloo.ca hdr(host) -i metadata.cloud.csclub.uwaterloo.ca + acl network.cloud.csclub.uwaterloo.ca hdr(host) -i network.cloud.csclub.uwaterloo.ca + acl image.cloud.csclub.uwaterloo.ca hdr(host) -i image.cloud.csclub.uwaterloo.ca + acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.cloud.csclub.uwaterloo.ca + acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.csclub.uwaterloo.ca + acl volume.cloud.csclub.uwaterloo.ca hdr(host) -i volume.cloud.csclub.uwaterloo.ca - cookie SERVERID insert indirect nocache + # csclub.cloud + acl csclub.cloud hdr(host) csclub.cloud + acl csclub.cloud hdr(host) www.csclub.cloud - server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00 - server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01 + # + # csclub.cloud (users) + # + # iie + acl iie_iise-wiki.csclub.cloud hdr(host) -i iise-wiki.csclub.cloud + + # ztseguin + acl ztseguin.csclub.cloud hdr(host) -i ztseguin.csclub.cloud + acl ztseguin-reddit.csclub.cloud hdr(host) -i ztseguin-reddit.csclub.cloud + acl ztseguin-reddit.csclub.cloud hdr(host) -i reddit.csclub.cloud + + # Force SSL + redirect scheme https if !{ ssl_fc } cloud.csclub.uwaterloo.ca + redirect scheme https if !{ ssl_fc } admin.cloud.csclub.uwaterloo.ca + redirect scheme https if !{ ssl_fc } auth.cloud.csclub.uwaterloo.ca + redirect scheme https if !{ ssl_fc } console.cloud.csclub.uwaterloo.ca + redirect scheme https if !{ ssl_fc } compute.cloud.csclub.uwaterloo.ca + redirect scheme https if !{ ssl_fc } dns.cloud.csclub.uwaterloo.ca + redirect scheme https if !{ ssl_fc } metadata.cloud.csclub.uwaterloo.ca + redirect scheme https if !{ ssl_fc } network.cloud.csclub.uwaterloo.ca + redirect scheme https if !{ ssl_fc } image.cloud.csclub.uwaterloo.ca + redirect 
scheme https if !{ ssl_fc } object.cloud.csclub.uwaterloo.ca + redirect scheme https if !{ ssl_fc } volume.cloud.csclub.uwaterloo.ca + + redirect scheme https if !{ ssl_fc } csclub.cloud + + redirect scheme https if !{ ssl_fc } ztseguin.csclub.cloud + + redirect scheme https if !{ ssl_fc } iie_iise-wiki.csclub.cloud + + # Backend + use_backend http_csclub.uwaterloo.ca if csclub.uwaterloo.ca + + use_backend http_cloud.csclub.uwaterloo.ca if cloud.csclub.uwaterloo.ca + use_backend http_auth.cloud.csclub.uwaterloo.ca if auth.cloud.csclub.uwaterloo.ca + use_backend http_admin.cloud.csclub.uwaterloo.ca if admin.cloud.csclub.uwaterloo.ca + use_backend http_console.cloud.csclub.uwaterloo.ca if console.cloud.csclub.uwaterloo.ca + use_backend http_compute.cloud.csclub.uwaterloo.ca if compute.cloud.csclub.uwaterloo.ca + use_backend http_dns.cloud.csclub.uwaterloo.ca if dns.cloud.csclub.uwaterloo.ca + use_backend http_metadata.cloud.csclub.uwaterloo.ca if metadata.cloud.csclub.uwaterloo.ca + use_backend http_network.cloud.csclub.uwaterloo.ca if network.cloud.csclub.uwaterloo.ca + use_backend http_image.cloud.csclub.uwaterloo.ca if image.cloud.csclub.uwaterloo.ca + use_backend http_object.cloud.csclub.uwaterloo.ca if object.cloud.csclub.uwaterloo.ca + use_backend http_volume.cloud.csclub.uwaterloo.ca if volume.cloud.csclub.uwaterloo.ca + + use_backend http_cloud.csclub.uwaterloo.ca if csclub.cloud + + use_backend http_ztseguin.csclub.cloud if ztseguin.csclub.cloud + + use_backend http_iie_iise-wiki.csclub.cloud if iie_iise-wiki.csclub.cloud + +frontend stats + bind :::8443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem + mode http + no log + + stats enable + stats uri / + + acl network_allowed src 10.0.0.0/8 + acl network_allowed src 129.97.0.0/16 + acl network_allowed src 172.16.0.0/12 + acl network_allowed src 2620:101:f000::/47 + acl network_allowed src fd74:6b6a:8eca::/47 + + tcp-request connection reject if !network_allowed + +# +# BACKENDS +# 
+#backend ssh_general-use +# balance roundrobin +# mode tcp + +# server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22 +# server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22 +# server sucrose sucrose.csclub.uwaterloo.ca check port 22 + +backend http_csclub.uwaterloo.ca + balance leastconn + mode http + + cookie serverid insert indirect nocache + + server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00 + server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01 + +backend http_cloud.csclub.uwaterloo.ca + balance leastconn + mode http + + cookie serverid insert indirect nocache + + #server web1.cloud web1.cloud.csclub.uwaterloo.ca:80 check cookie 01 + server web1.cloud 172.19.134.5:80 check cookie 01 + +backend http_auth.cloud.csclub.uwaterloo.ca + balance roundrobin + mode http + + server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:5000 check + +backend http_admin.cloud.csclub.uwaterloo.ca + balance roundrobin + mode http + + server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:35357 check + +backend http_console.cloud.csclub.uwaterloo.ca + balance leastconn + mode http + + server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:6080 check + +backend http_compute.cloud.csclub.uwaterloo.ca + balance roundrobin + mode http + + server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8774 check + +backend http_dns.cloud.csclub.uwaterloo.ca + balance roundrobin + mode http + + server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9001 check + +backend http_network.cloud.csclub.uwaterloo.ca + balance roundrobin + mode http + + server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9696 check + +backend http_metadata.cloud.csclub.uwaterloo.ca + balance roundrobin + mode http + + server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8775 check + +backend http_image.cloud.csclub.uwaterloo.ca + balance roundrobin + mode http + + server 
controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9292 check + +backend http_object.cloud.csclub.uwaterloo.ca + balance roundrobin + mode http + + server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8080 check + +backend http_volume.cloud.csclub.uwaterloo.ca + balance roundrobin + mode http + + server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8776 check + +backend http_ztseguin.csclub.cloud + balance roundrobin + mode http + + server ztseguin1 csc-web.zacharyseguin.ca:80 check + +backend http_iie_iise-wiki.csclub.cloud + balance roundrobin + mode http + + server wiki wiki.iie.csclub.cloud:8090 check diff --git a/roles/load-balancer/files/haproxy/config.yml b/roles/load-balancer/files/haproxy/config.yml new file mode 100644 index 0000000..82da262 --- /dev/null +++ b/roles/load-balancer/files/haproxy/config.yml 
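Review bot: The `http` frontend sets `X-Forwarded-Proto https` only when `ssl_fc` is true and never sets it on plain-HTTP requests, so a client arriving on port 80 for a host that is not force-redirected (e.g. csclub.uwaterloo.ca) can supply its own `X-Forwarded-Proto: https` and the backend will treat the request as encrypted; add `http-request set-header X-Forwarded-Proto http if !{ ssl_fc }` next to the existing line, as the mako template in this commit already does. `acl csclub.cloud hdr(host) csclub.cloud` and the `www.csclub.cloud` line are the only host ACLs without `-i`, so those two names match case-sensitively unlike every other ACL in the frontend. The `stats` frontend limits sources with `network_allowed`, but the new `http_cloud_metadata` frontend on 8775 has no source ACL even though config.yml gives the equivalent `cloud-metadata` frontend a `restrict` list; the two configurations should agree.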
@@ -0,0 +1,277 @@ +frontends: + - name: http + bind: + - host: '129.97.134.10' + port: 80 + - host: '2620:101:f000:4901:c5c::10ad' + port: 80 + + # For certificates, always ensure to update both v4 and v6 + - host: '129.97.134.10' + port: 443 + ssl: true + certs: + - /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem + - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem + - /etc/ssl/private/csclub.cloud/csclub.cloud.pem + - /etc/ssl/private/ztseguin/alerts.zacharyseguin.ca/alerts.zacharyseguin.ca.pem + # For certificates, always ensure to update both v4 and v6 + - host: '2620:101:f000:4901:c5c::10ad' + port: 443 + ssl: true + certs: + - /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem + - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem + - /etc/ssl/private/csclub.cloud/csclub.cloud.pem + - /etc/ssl/private/ztseguin/alerts.zacharyseguin.ca/alerts.zacharyseguin.ca.pem + multiple: true + projects: + csc: + proxies: + - host: www2.csclub.uwaterloo.ca + cookie: true + backends: + - host: caffeine-00.csclub.uwaterloo.ca + port: 80 + - host: caffeine-01.csclub.uwaterloo.ca + port: 80 + - host: crl.csclub.uwaterloo.ca + cookie: true + backends: + - host: caffeine-00.csclub.uwaterloo.ca + port: 80 + - host: caffeine-01.csclub.uwaterloo.ca + port: 80 + - host: cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: web1.cloud.csclub.uwaterloo.ca + port: 80 + - host: csclub.cloud + force_ssl: true + backends: + - host: web1.cloud.csclub.uwaterloo.ca + port: 80 + office: + proxies: + - host: office.csclub.cloud + force_ssl: true + backends: + - host: 172.19.134.51 + port: 80 + - host: 2620:101:f000:4903:f816:3eff:fe11:1dd9 + port: 80 + ztseguin: + proxies: + - host: ztseguin.csclub.cloud + force_ssl: true + backends: + - host: node1.web.ztseguin.csclub.cloud + port: 80 + - host: dashboard.csclub.cloud + force_ssl: true + backends: + - host: dashboard.ztseguin.csclub.cloud + port: 80 + - host: 
alerts.zacharyseguin.ca + force_ssl: true + backends: + - host: web1.alerts-canada.ztseguin.csclub.cloud + port: 80 + - host: ztseguin-alerts-canada.csclub.cloud + force_ssl: true + backends: + - host: web1.alerts-canada.ztseguin.csclub.cloud + port: 80 + - host: freebsd.packages.zacharyseguin.ca + backends: + - host: george-mason.zacharyseguin.ca + port: 80 + - host: twig-sockets.csclub.cloud + force_ssl: true + backends: + - host: sucrose.csclub.uwaterloo.ca + port: 25000 + - host: twig.csclub.cloud + force_ssl: true + backends: + - host: twig-prod.ztseguin.csclub.cloud + port: 80 + - host: twig-dev.csclub.cloud + force_ssl: true + backends: + - host: twig-dev.ztseguin.csclub.cloud + port: 5000 + iie: + proxies: + - host: iise-wiki.csclub.cloud + force_ssl: true + backends: + - host: wiki.iie.csclub.cloud + port: 8090 + uwarc: + proxies: + - host: uwarc-wiki.csclub.cloud + force_ssl: true + backends: + - host: wiki.uwarc.csclub.cloud + port: 80 + - host: wiki.uwarc.uwaterloo.club + force_ssl: true + backends: + - host: wiki.uwarc.csclub.cloud + port: 80 + - name: cloud-http + bind: + - host: '129.97.134.11' + port: 80 + - host: '2620:101:f000:4901:c5c::c:10ad' + port: 80 + + # For certificates, always ensure to update both v4 and v6 + - host: '129.97.134.11' + port: 443 + ssl: true + certs: + - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem + # For certificates, always ensure to update both v4 and v6 + - host: '2620:101:f000:4901:c5c::c:10ad' + port: 443 + ssl: true + certs: + - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem + multiple: true + projects: + csc-cloud: + proxies: + - host: csclub.cloud + force_ssl: true + backends: + - host: web1.cloud.csclub.uwaterloo.ca + port: 80 + - host: www.csclub.cloud + force_ssl: true + backends: + - host: web1.cloud.csclub.uwaterloo.ca + port: 80 + - host: cloud.csclub.uwaterloo.ca + force_ssl: true + cookie: true + backends: + - host: web1.cloud.csclub.uwaterloo.ca + 
port: 80 + - host: admin.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 35357 + - host: auth.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 5000 + - host: compute.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 8774 + - host: console.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 6080 + - host: dashboard.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: web1.cloud.csclub.uwaterloo.ca + port: 8080 + - host: dns.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 9001 + - host: network.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 9696 + - host: image.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 9292 + - host: object.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 8080 + - host: placement.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 8778 + - host: volume.cloud.csclub.uwaterloo.ca + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 8776 + # TODO: Force SSL for object.csclub.uwaterloo.ca domain + - name: object-http + bind: + - host: '129.97.134.12' + port: 80 + - host: '2620:101:f000:4901:c5c::c0b:10ad' + port: 80 + + # For certificates, always ensure to update both v4 and v6 + - host: '129.97.134.12' + port: 443 + ssl: true + certs: + - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem + - /etc/ssl/private/csclub.cloud/csclub.cloud.pem + # For certificates, always ensure to update both v4 and v6 + - host: 
'2620:101:f000:4901:c5c::c0b:10ad' + port: 443 + ssl: true + certs: + - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem + - /etc/ssl/private/csclub.cloud/csclub.cloud.pem + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 8080 + - name: cloud-metadata + bind: + - host: '::' + port: 8775 + v4v6: true + ssl: true + certs: + - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem + force_ssl: true + backends: + - host: controller1.cloud.csclub.uwaterloo.ca + port: 8775 + restrict: + - '10.0.0.0/8' + - '129.97.0.0/16' + - '172.16.0.0/12' + - '2620:101:f000::/47' + - 'fd74:6b6a:8eca::/47' + - name: stats + bind: + - host: '::' + port: 8443 + v4v6: true + ssl: true + certs: + - /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem + stats: + enable: true + uri: '/' + restrict: + - '10.0.0.0/8' + - '129.97.0.0/16' + - '172.16.0.0/12' + - '2620:101:f000::/47' + - 'fd74:6b6a:8eca::/47' diff --git a/roles/load-balancer/files/haproxy/genconfig.py b/roles/load-balancer/files/haproxy/genconfig.py new file mode 100755 index 0000000..5aa5436 --- /dev/null +++ b/roles/load-balancer/files/haproxy/genconfig.py 
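Review bot: The `cloud-metadata` frontend sets `force_ssl: true` but its only bind is the SSL listener on 8775, so the `redirect scheme https if !{ ssl_fc }` the template emits for it can never fire; drop the key or add a plain bind if a redirect is actually wanted. The `object-http` frontend carries a TODO and has no `force_ssl`, which leaves the object store at the .12 addresses reachable over plain HTTP until that is resolved; a tracking reference in the TODO would help. Quoting of IP literals is inconsistent — every `bind` host is quoted while the `office` backends `172.19.134.51` and `2620:101:f000:4903:f816:3eff:fe11:1dd9` are not; they parse as strings today, but quoting them uniformly avoids surprises with other YAML loaders.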
@@ -0,0 +1,37 @@ +#!/usr/bin/env python + +from __future__ import print_function + +import os, sys +from optparse import OptionParser +import yaml +from mako.template import Template + +import pprint + +def main(): + # Arguments + parser = OptionParser() + + parser.add_option('-c', '--config', dest='config', default='config.yml', + help='Configuration file', metavar="FILE") + parser.add_option('-t', '--template', dest='template', default='haproxy.cfg.mako', + help='haproxy.cfg Mako template') + + + (options, args) = parser.parse_args() + + try: + config = yaml.load(open(options.config, 'r')) + except Exception as e: + print(e, file=sys.stderr) + config = None + + if not config or type(config) != dict: + print('Unable to load configuration: "{}"'.format(options.config), file=sys.stderr) + sys.exit(-1) + + print(Template(filename=options.template).render(config=config)) + +if __name__ == '__main__': + main() diff --git a/roles/load-balancer/files/haproxy/haproxy.cfg.mako b/roles/load-balancer/files/haproxy/haproxy.cfg.mako new file mode 100644 index 0000000..be5a92a --- /dev/null +++ b/roles/load-balancer/files/haproxy/haproxy.cfg.mako 
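Review bot: `yaml.load(open(options.config, 'r'))` calls PyYAML without an explicit Loader — on the older PyYAML releases this python2-era script targets that constructs arbitrary Python objects from tags — and never closes the file; `with open(options.config) as fh: config = yaml.safe_load(fh)` gives the plain-data semantics this config needs and releases the handle. `type(config) != dict` should be `isinstance(config, dict)`, and `sys.exit(-1)` produces exit status 255 where `sys.exit(1)` is the conventional failure code. `os` and `pprint` are imported but never used.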
@@ -0,0 +1,147 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDH
+ ssl-default-bind-options no-sslv3 no-tls-tickets
+ ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC
+ ssl-default-server-options no-sslv3 no-tls-tickets
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+% for frontend in config.get('frontends'):
+frontend ${frontend['name']}
+ % for bind in frontend['bind']:
+ bind ${bind['host']}:${bind['port']}${' v4v6' if bind.get('v4v6', False) else ''}${' ssl crt {}'.format(' crt '.join(bind['certs'])) if bind.get('ssl', False) else ''}
+ % endfor
+
+ mode ${frontend.get('mode', 'http')}
+
+ % if frontend.get('mode', 'http') == 'http':
+ option forwardfor
+ option http-server-close
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+ http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+ % endif
+
+ % if frontend.get('stats') and frontend['stats'].get('enable', False):
+ stats enable
+ stats uri ${frontend['stats'].get('uri', '/')}
+ % endif
+
+ % for restriction in frontend.get('restrict', []):
+ acl network_allowed src ${restriction}
+ % endfor
+
+ % if frontend.get('restrict', None):
+ http-request deny if !network_allowed
+ % endif
+
+ % if not frontend.get('multiple', False):
+ # SSL
+ % if frontend.get('force_ssl', False):
+ redirect scheme https if !{ ssl_fc }
+ % endif
+
+ # Backend
+ % if frontend.get('backends'):
+ use_backend ${frontend['name']}
+ % endif
+ % else:
+ # Determine which virtual host is being requested
+ % for project in frontend['projects']:
+ # ${project}
+ % for proxy in frontend['projects'][project]['proxies']:
+ acl ${proxy['host']} hdr(host) -i ${proxy['host']}
+ % endfor
+
+ % endfor
+
+ # Redirect SSL
+ % for project in frontend['projects']:
+ # ${project}
+ % for proxy in frontend['projects'][project]['proxies']:
+ % if proxy.get('force_ssl', False):
+ redirect scheme https if !{ ssl_fc } ${proxy['host']}
+ % endif
+ % endfor
+
+ % endfor
+
+ # Select backend
+ % for project in frontend['projects']:
+ # ${project}
+ % for proxy in frontend['projects'][project]['proxies']:
+ % if proxy.get('force_ssl', False):
+ redirect scheme https if !{ ssl_fc } ${proxy['host']}
+ % endif
+ % endfor
+
+ % endfor
+
+ # Select backend
+ % for project in frontend['projects']:
+ # ${project}
+ % for proxy in frontend['projects'][project]['proxies']:
+ use_backend ${frontend['name']}_${project}_${proxy['host']} if ${proxy['host']}
+ % endfor
+
+ % endfor
+ % endif
+
+% endfor
+
+#
+# BACKENDS
+#
+<%def name="backend(name, definition)">
+ backend ${name}
+ balance ${definition.get('balance', 'leastconn')}
+ mode http
+ % if definition.get('cookie', False):
+
+ cookie serverid insert indirect nocache
+ % endif
+
+ % for index, server in enumerate(definition.get('backends')):
+ server ${server['host']}:${server['port']} ${server['host']}:${server['port']} check ${ 'cookie {}'.format(index) if definition.get('cookie', False) else ''}
+ % endfor
+
+% for frontend in config.get('frontends', []):
+ % if not frontend.get('multiple', False) and frontend.get('backends'):
+ ${backend(frontend['name'], frontend)}
+ % elif frontend.get('multiple', False):
+ % for project in frontend['projects']:
+ # ${project}
+ % for proxy in frontend['projects'][project]['proxies']:
+ ${backend('{}_{}_{}'.format(frontend['name'], project, proxy['host']), proxy)}
+
+ % endfor
+ % endfor
+ % endif
+% endfor
diff --git a/roles/load-balancer/files/ipv6-nonlocalhack.service b/roles/load-balancer/files/ipv6-nonlocalhack.service new file mode 100644
index 0000000..22d02a4
--- /dev/null
+++ b/roles/load-balancer/files/ipv6-nonlocalhack.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Hack since 4.3 kernel does not support net.ipv6.ip_nonlocal_bind
+Before=haproxy.service
+
+[Service]
+ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::10ad/64 dev lo
+ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::c:10ad/64 dev lo
+ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::c0b:10ad/64 dev lo
+RemainAfterExit=true
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/load-balancer/files/ssl b/roles/load-balancer/files/ssl new file mode 120000
index 0000000..71a266e
--- /dev/null
+++ b/roles/load-balancer/files/ssl
@@ -0,0 +1 @@
+/users/syscom/certs \ No newline at end of file
diff --git a/roles/load-balancer/tasks/main.yml b/roles/load-balancer/tasks/main.yml
index 9a7d5d6..c429b71 100644
--- a/roles/load-balancer/tasks/main.yml
+++ b/roles/load-balancer/tasks/main.yml
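Review bot: The `# Select backend` section inside the `multiple` branch of the frontend loop is emitted twice, and the first copy is a verbatim repeat of the `# Redirect SSL` loop, so every `force_ssl` proxy gets its `redirect scheme https` rule written into haproxy.cfg twice; the first `# Select backend` block should be deleted. Unless it was lost in the paste, `<%def name="backend(name, definition)">` is never closed with `</%def>`, which Mako rejects when it compiles the template, so the generated file should be checked end to end before this lands. `ssl-default-bind-options no-sslv3 no-tls-tickets` still leaves TLS 1.0 and 1.1 enabled; if the installed haproxy supports it, `no-tlsv10 no-tlsv11` (or `ssl-min-ver TLSv1.2` on 1.8 and later) would match the ECDHE-only cipher list. `http-request deny if !network_allowed` is only applied to frontends in http mode, so a frontend that sets both `mode: tcp` and `restrict` would come out with no filtering at all — worth guarding in the template, e.g. by emitting `tcp-request connection reject if !network_allowed` in that case.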
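Review bot: The three `ExecStart` lines add the VIPs to `lo` with a /64 prefix, which installs a connected route for the whole `2620:101:f000:4901::/64` on the loopback and will steer traffic for every other host in that subnet into lo on this box; a non-local-bind workaround only needs host routes, i.e. `.../10ad/128 dev lo` on each line. Because the unit is `Type=oneshot` with several `ExecStart` lines, a failure of any one of them (for instance `RTNETLINK answers: File exists` when the address is already present) fails the unit, so prefixing them with `-` (`ExecStart=-/sbin/ip -6 addr add ...`) keeps a re-run from reporting failure. A short comment above `[Service]` recording which keepalived instance each address belongs to would help whoever removes this hack once the sysctl is available.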
@@ -1,49 +1,82 @@ --- +# SSL CERTS +- name: Install SSL certificates + copy: + src: ssl/ + dest: /etc/ssl/private/ + directory_mode: "u=rwx,g=rx,o=" + mode: "u=rw,g=r,o=" + owner: root + group: root + +# Non-local binding +- name: Install 99-nonlocalbind.conf in /etc/sysctl.d + copy: + src: 99-nonlocalbind.conf + dest: /etc/sysctl.d + backup: no + +- name: Install ipv6-nonlocalhack.service + copy: + src: ipv6-nonlocalhack.service + dest: /etc/systemd/system/ipv6-nonlocalhack.service + backup: no + +- name: Start ipv6-nonlocalhack.service + service: + name: ipv6-nonlocalhack + state: running + # HAPROXY - name: Install haproxy package: name: haproxy state: latest -- name: Copy haproxy configuration +- name: Install packages required to generate config + package: name={{ item }} state=latest + with_items: + - python-yaml + - python-mako + +- name: Copy haproxy configuration generation copy: - src: haproxy.cfg - dest: /etc/haproxy/haproxy.cfg + src: haproxy/ + dest: /tmp/haproxy backup: no - register: haproxy_configuration + +- name: Generate haproxy configuration + shell: python genconfig.py > /etc/haproxy/haproxy.cfg + args: + chdir: /tmp/haproxy/ - name: Restart haproxy service: name: haproxy state: restarted - when: haproxy_configuration.changed - -- name: Ensure that haproxy is running - service: - name: haproxy - state: running # KEEPALIVED - name: Install keepalived package: name: keepalived state: latest + register: keepalived_installed + +- name: Stop keepalived + service: + name: keepalived + state: stopped - name: Copy keepalived config template: src: keepalived.conf dest: /etc/keepalived/keepalived.conf backup: no - register: keepalived_configuration + #register: keepalived_configuration - name: Restart keepalived service: name: keepalived state: restarted - when: keepalived_configuration.changed - -- name: Ensure keepalived is running - service: - name: keepalived - state: running + #when: keepalived_configuration.changed 
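Review bot: `shell: python genconfig.py > /etc/haproxy/haproxy.cfg` truncates the live configuration before genconfig.py has produced anything, so a failing run (it exits non-zero on a bad config.yml or a template error) leaves an empty haproxy.cfg that the now unconditional `Restart haproxy` task loads, taking the node out while keepalived is already stopped; write to a staging file and let haproxy validate it first, e.g. `shell: python genconfig.py > haproxy.cfg.new && haproxy -c -f haproxy.cfg.new && install -m 0644 haproxy.cfg.new /etc/haproxy/haproxy.cfg`. The generation and restart tasks also report `changed` on every run, and `state: reloaded` would keep existing connections where `restarted` drops them. `/tmp/haproxy` is a shared, world-writable location for the generator and template; a directory under `/etc/haproxy` avoids another local user pre-creating or replacing it between the copy and the `shell` step. `src: ssl/` resolves through the `files/ssl` symlink to `/users/syscom/certs` added in this same commit, so every key in that directory is copied to each load balancer rather than only the certificates config.yml references — worth confirming that is intended and, if not, listing the needed files explicitly.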
diff --git a/roles/load-balancer/templates/keepalived.conf b/roles/load-balancer/templates/keepalived.conf index 2432bf9..873ef04 100644 --- a/roles/load-balancer/templates/keepalived.conf +++ b/roles/load-balancer/templates/keepalived.conf @@ -1,10 +1,16 @@ global_defs { notification_email { - ztseguin+notifications@csclub.uwaterloo.ca + syscom@csclub.uwaterloo.ca } notification_email_from load-balancer@csclub.uwaterloo.ca } +vrrp_script check_haproxy { + script "pidof haproxy" + interval 1 + weight: -20 +} + ! load-balancer.csclub.uwaterloo.ca vrrp_instance VI_10 { state MASTER @@ -16,8 +22,51 @@ vrrp_instance VI_10 { auth_type PASS auth_pass CSC_VRRP } + track_script { + check_haproxy + } virtual_ipaddress { 129.97.134.10 2620:101:f000:4901:c5c::10ad } } + +! load-balancer-cloud.csclub.uwaterloo.ca +vrrp_instance VI_11 { + state MASTER + interface eth0 + virtual_router_id 11 + priority {{ lb_priority }} + advert_int 1 + authentication { + auth_type PASS + auth_pass CSC_VRRP + } + track_script { + check_haproxy + } + virtual_ipaddress { + 129.97.134.11 + 2620:101:f000:4901:c5c::c:10ad + } +} + +! load-balancer-object.csclub.uwaterloo.ca +vrrp_instance VI_12 { + state MASTER + interface eth0 + virtual_router_id 12 + priority {{ lb_priority }} + advert_int 1 + authentication { + auth_type PASS + auth_pass CSC_VRRP + } + track_script { + check_haproxy + } + virtual_ipaddress { + 129.97.134.12 + 2620:101:f000:4901:c5c::c0b:10ad + } +} diff --git a/roles/nfs/tasks/main.yml b/roles/nfs/tasks/main.yml index 0d77730..49fd62c 100644 --- a/roles/nfs/tasks/main.yml +++ b/roles/nfs/tasks/main.yml 
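Review bot: `weight: -20` in the new `vrrp_script check_haproxy` block uses a colon that keepalived's `weight <n>` keyword does not take; as far as I can tell the line is then rejected with an unknown-keyword warning and the script keeps weight 0, which turns a failed `pidof haproxy` into a FAULT transition instead of the intended 20-point priority drop — it should read `weight -20`. With `interval 1` and no `fall`/`rise`, a single missed check moves the instance; `fall 2` and `rise 2` would be a typical damping, depending on how aggressive the failover is meant to be. `auth_pass CSC_VRRP` is now committed in plain text three times; VRRP `PASS` authentication is sent unencrypted on the wire anyway, so the real protection is the network segment, but keeping the value in an Ansible variable alongside `lb_priority` would at least keep it out of the template.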
@@ -30,14 +30,18 @@ file: path={{ item }} state=directory with_items: - /users - - /music - - /scratch + - /u + # - /music + # - /scratch -- name: Add fstab entry for users - mount: src="aspartame:/users" name=/users fstype=nfs opts="noauto,bg,vers=3,sec=krb5p,nosuid,nodev,x-systemd.automount,x-systemd.requires=nfs-common.service" dump=0 passno=0 state=mounted + #- name: Add fstab entry for users + # mount: src="aspartame:/users" name=/users fstype=nfs opts="noauto,bg,vers=3,sec=krb5p,nosuid,nodev,x-systemd.automount,x-systemd.requires=nfs-common.service" dump=0 passno=0 state=mounted -- name: Add fstab entry for music - mount: src="aspartame:/music" name=/music fstype=nfs opts="bg,vers=3,sec=sys,nolock,noatime,nosuid,nodev" dump=0 passno=0 state=mounted + #- name: Add fstab entry for users (new netapp) + # mount: src="fs00:/users" name=/u fstype=nfs opts="noauto,bg,vers=3,sec=sys,nosuid,nodev,x-systemd.automount,x-systemd.requires=nfs-common.service" dump=0 passno=0 state=mounted -- name: Add fstab entry for scratch - mount: src="corn-syrup:/scratch" name=/scratch fstype=nfs opts="bg,vers=3,sec=sys,noatime,nosuid,nodev" dump=0 passno=0 state=mounted + #- name: Add fstab entry for music + # mount: src="aspartame:/music" name=/music fstype=nfs opts="bg,vers=3,sec=sys,nolock,noatime,nosuid,nodev" dump=0 passno=0 state=mounted + + #- name: Add fstab entry for scratch + # mount: src="corn-syrup:/scratch" name=/scratch fstype=nfs opts="bg,vers=3,sec=sys,noatime,nosuid,nodev" dump=0 passno=0 state=mounted diff --git a/roles/virtualization-host/files/libvirt.pkla b/roles/virtualization-host/files/libvirt.pkla new file mode 100644 index 0000000..de002f6 --- /dev/null +++ b/roles/virtualization-host/files/libvirt.pkla @@ -0,0 +1,4 @@ +[Allow syscom to libvirt] +Identity=unix-group:syscom +Action=org.libvirt.unix.manage +ResultAny=yes diff --git a/roles/virtualization-host/tasks/main.yml b/roles/virtualization-host/tasks/main.yml index 8393cde..edd7db8 100644 
--- a/roles/virtualization-host/tasks/main.yml +++ b/roles/virtualization-host/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Allow syscom access to libvirt + copy: + src: libvirt.pkla + dest: /etc/polkit-1/localauthority/50-local.d/libvirt.pkla - name: Install virtualization tools apt: name={{ item }} state=latest with_items: diff --git a/upgrade.yml b/upgrade.yml new file mode 100644 index 0000000..29aecb4 --- /dev/null +++ b/upgrade.yml @@ -0,0 +1,6 @@ +--- + - hosts: all + become: yes + tasks: + - name: upgrade software packages (safe) + apt: update_cache=yes upgrade=safe
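Review bot: The new `copy` task deploys `libvirt.pkla` without `owner`, `group` or `mode`, so the file's permissions depend on the controller's umask; a polkit rule should be root-owned and not group- or world-writable, so add `owner: root`, `group: root` and `mode: "u=rw,g=r,o=r"`. The rule itself (`unix-group:syscom` on `org.libvirt.unix.manage` with `ResultAny=yes`) grants full libvirt management, which is root-equivalent on the host, to every syscom member including non-local and inactive sessions; a comment in the `.pkla` file stating that this is deliberate would help the next reader. The `localauthority` `.pkla` format is the legacy one and is ignored by polkit 0.106 and later, so it is worth confirming it is honoured on the release this role targets.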