Stuff that I haven't committed yet

This commit is contained in:
Zachary Seguin 2017-08-08 16:45:11 -04:00
parent d123344be6
commit 99c9c18149
24 changed files with 1072 additions and 218 deletions

files/resolv.conf Normal file

@ -0,0 +1,12 @@
search csclub.uwaterloo.ca uwaterloo.ca
options rotate timeout:1 attempts:1 ndots:2
# CSC Nameservers
nameserver 2620:101:f000:4901:c5c::4
nameserver 2620:101:f000:7300:c5c::20
nameserver 129.97.134.4
nameserver 129.97.18.20
# IST Anycast (fallback)
#nameserver 129.97.2.1
#nameserver 129.97.2.2
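Review bot: With the two IST fallback entries left commented out (`#nameserver 129.97.2.1`, `#nameserver 129.97.2.2`), `options rotate timeout:1 attempts:1` gives every lookup exactly one one-second try against a single CSC nameserver, so one dropped UDP reply surfaces to the application as a resolution failure; either keep the fallback resolvers active or raise `attempts`. The same resolver list is carried a second time in the role-level resolv.conf hunk further down (the one headed `@ -1,4 +1,5 @@`), so there are now two copies to keep in sync — having resolv.yml and the role share one file would remove that. A one-line comment above `options` stating why `rotate`/`attempts:1` were chosen would also help the next editor.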


@ -1,5 +1,5 @@
---
- hosts: identity.csclub.uwaterloo.ca
- hosts: prometheus.csclub.uwaterloo.ca
become: yes
become_method: sudo
roles:


@ -1,5 +1,5 @@
---
- hosts: yerba-mate.csclub.uwaterloo.ca guayusa.csclub.uwaterloo.ca
- hosts: wiki.uwarc.csclub.cloud
become: yes
become_method: sudo
roles:
@ -7,9 +7,9 @@
- core
- static-ipv6
- hardware
- virtualization-host
- generate-hosts
# - virtualization-host
# - generate-hosts
- auth
- csc-packages
- nfs
# - csc-packages
# - nfs
- cleanup
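Review bot: The four roles are commented out rather than removed (`# - virtualization-host`, `# - generate-hosts`, `# - csc-packages`, `# - nfs`), which leaves no record of why the uwarc wiki host should not receive them; either delete the lines or put a one-line comment above the role list stating the reason. The `hosts:` line moves from two physical hosts to `wiki.uwarc.csclub.cloud`, so if this playbook file is named after the old hosts it is being repurposed and the filename should follow — I cannot see the path from here. The `roles:` list continues past the first hunk, so the full set applied to the host is only partly visible.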


@ -2,13 +2,12 @@
- hosts: load-balancers
become: yes
become_method: sudo
serial: "50%"
pre_tasks:
- name: stop keepalived (to remove from rotation)
service:
name: keepalived
state: stopped
roles:
- common
- core
- container
- static-ipv6
- generate-hosts
- auth
- csc-packages
- load-balancer
- cleanup
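Review bot: The `pre_tasks` step stops keepalived unconditionally, but keepalived is only installed later by the load-balancer role (its tasks hunk below has `Install keepalived`), so on a freshly provisioned host the first run fails in pre_tasks before any role executes; guard it, for instance with `failed_when: false` on that service task, or skip it while the package is not yet present. The role does end with an "ensure keepalived is running" task, so hosts are put back into rotation at the end of the play — worth a comment on the pre_task saying so, since the `serial: "50%"` rolling behaviour relies on it. Which of the `roles:` entries are new versus kept is not recoverable from this rendering, so I have not reviewed that list.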

resolv.yml Normal file

@ -0,0 +1,27 @@
---
- hosts: all
become: yes
tasks:
- name: Disable resolvconf
service: name={{ item }} state=stopped enabled=no
with_items:
- resolvconf
- systemd-resolved
ignore_errors: yes
- name: Remove resolvconf
package:
name: resolvconf
state: absent
- name: Remove immutable on resolv.conf
command: chattr -i /etc/resolv.conf
- name: Copy resolv.conf
copy:
src: resolv.conf
dest: /etc/resolv.conf
# attributes: 'ie'
- name: Set immutable on resolv.conf
command: chattr +i /etc/resolv.conf
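Review bot: Both `chattr` tasks are plain `command` calls, so the play reports `changed` on every run, and `chattr -i` fails if /etc/resolv.conf is absent at that point (possible right after `resolvconf` removal — not verifiable from here); add `changed_when: false` to the `-i` task and, on Ansible 2.3 or later, let `copy` set `attributes: i` itself — the commented `# attributes: 'ie'` line suggests that was the intent — so the `+i` task can go. `ignore_errors: yes` on the disable task hides every failure, not only a missing unit; the same pattern is added in the ntp hunk below (`ignore_errors: yes` after `enabled: no`), and in both places a `failed_when` that tolerates only the missing-unit case keeps real failures visible. A header comment stating the play's purpose (replace resolvconf/systemd-resolved with a static, immutable resolv.conf on every host) would make `hosts: all` plus `become: yes` read as deliberate.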

roles/auth/files/become_club Executable file

@ -0,0 +1,18 @@
#!/bin/sh
if test -z "$1"; then
echo >&2 'usage: become_club clubaccount'
echo >&2 ' become_club -l'
exit 2
fi
if test "$(whoami)" = "$1"; then
echo >&2 you are already $1
exit 1
fi
if test -z "$SHELL"; then
export SHELL=/bin/bash
fi
if test "$1" = -l; then
sudo -l
else
exec sudo -H -s -u "$1"
fi
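Review bot: `echo >&2 you are already $1` leaves `$1` unquoted, so a value containing spaces or a glob character is word-split and expanded before printing; write `echo >&2 "you are already $1"` to match the quoting used for `$1` everywhere else in the script. The `-l` check comes after the `whoami` comparison, which is harmless, but moving `test "$1" = -l` to the top keeps the listing mode from passing through the become path at all. A short header comment stating the contract would help, e.g. `# become_club ACCOUNT: open a shell as a club account via sudo; become_club -l lists what sudo allows you`.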


@ -1,7 +1,7 @@
---
- name: install libpam-csc
when: "'syscom' not in group_names"
when: "'syscom' not in group_names and 'club-uwarc' not in group_names"
apt: name=libpam-csc state=latest
- name: install required aptitude packages
@ -33,6 +33,11 @@
- { src: 'k5login', dest: '/root/.k5login' }
- { src: 'ssh_known_hosts', dest: '/etc/ssh/ssh_known_hosts' }
- name: copy user scripts
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }}
with_items:
- { src: 'become_club', dest: '/usr/local/bin/become_club', mode: "u=rwx,g=rx,o=rx" }
- name: make sssd.conf accessable only by root
file: path=/etc/sssd/sssd.conf owner=root group=root mode=0600
@ -51,11 +56,34 @@
blockinfile:
dest: /etc/pam.d/common-account
block: |
# make sure user is up to date, except system accounts and syscom
# Restrict login to system accounts and syscom
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
account required pam_csc.so
- name: configure PAM for iie wiki
when: "'club-iie' in group_names"
blockinfile:
dest: /etc/pam.d/common-account
block: |
# Restrict login to system accounts, syscom and iie members
account [success=3 default=ignore] pam_succeed_if.so quiet uid < 10000
account [success=2 default=ignore] pam_succeed_if.so quiet user ingroup syscom
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup iie
account required pam_deny.so
- name: configure PAM for uwarc
when: "'club-uwarc' in group_names"
blockinfile:
dest: /etc/pam.d/common-account
block: |
# Restrict login to system accounts, syscom and iie members
account [success=3 default=ignore] pam_succeed_if.so quiet uid < 10000
account [success=2 default=ignore] pam_succeed_if.so quiet user ingroup syscom
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup uwarc
account required pam_deny.so
- name: restart services
service: name={{ item }} state=restarted
with_items:
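Review bot: The comment inside the uwarc block still reads `# Restrict login to system accounts, syscom and iie members` — a copy-paste from the iie task — and it lands verbatim in /etc/pam.d/common-account on uwarc hosts; it should say `uwarc members`. All three `blockinfile` tasks write the same `dest` with the default marker, so a host matched by more than one `when` (or moved between club groups) silently ends up with whichever block ran last, and a host that leaves a group keeps its old block; an explicit `marker:` per task plus a matching `state: absent` task for the other groups makes the result deterministic. The jump counts (`success=3`/`2`/`1` ending in `pam_deny.so`) do line up for both new blocks as written, so a comment above each block noting that any added or removed line must renumber them is worth having. The `when:` of the first `blockinfile` task sits above this hunk, so I cannot tell whether it also fires on club hosts.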


@ -5,3 +5,4 @@
name: ntp
state: stopped
enabled: no
ignore_errors: yes


@ -1,4 +1,5 @@
search csclub.uwaterloo.ca uwaterloo.ca
options rotate timeout:1 attempts:1 ndots:2
# CSC Nameservers
nameserver 2620:101:f000:4901:c5c::4
@ -7,5 +8,5 @@ nameserver 129.97.134.4
nameserver 129.97.18.20
# IST Anycast (fallback)
nameserver 129.97.2.1
nameserver 129.97.2.2
#nameserver 129.97.2.1
#nameserver 129.97.2.2


@ -28,153 +28,153 @@
- name: Set immutable on resolv.conf
command: chattr +i /etc/resolv.conf
#
#- name: Install root dotfiles
# copy: src={{ item.src }} dest={{ item.dest }} backup=no
# with_items:
# - { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' }
# - { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' }
# - { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' }
#
#- name: Install Shells
# apt: name={{ item }} state=latest
# with_items:
# - bash
# - zsh
# - zsh-doc
# - dash
# - ksh
# - tcsh
# - csh
# - rc
# - bash-doc
# - bash-completion
#
#- name: Install Editors
# apt: name={{ item }} state=latest
# with_items:
# - vim-nox
# - ed
# - nano
#
#- name: Install words
# apt: name={{ item }} state=latest
# with_items:
# - wamerican-insane
#
#- name: Install utils
# apt: name={{ item }} state=latest
# with_items:
# - acl
# - tmux
# - screen
# - less
# - lsof
# - bc
# - dc
# - psmisc
# - procps
# - htop
# - schedtool
# - pciutils
# - rsync
# - iotop
# - attr
# - tree
# - parted
# - mosh
#
#- name: Install compression
# apt: name={{ item }} state=latest
# with_items:
# - bzip2
# - gzip
# - pax
# - lzma
# - xz-utils
# - cpio
#
#- name: Install ncurses
# apt: name={{ item }} state=latest
# with_items:
# - ncurses-bin
# - ncurses-term
#
#- name: Install network
# apt: name={{ item }} state=latest
# with_items:
# - iputils-ping
# - iputils-arping
# - traceroute
# - telnet
# - iproute2
# - ethtool
# - dnsutils
# - whois
# - wget
# - curl
# - netcat-traditional
# - netcat-openbsd
# - vlan
# - bridge-utils
# - tcpdump
# - tshark
# - ftp
# - tftp
#
#- name: Install ntp
# apt: name=ntp state=latest
#
#- name: Copy NTP configuration
# copy:
# src: ntp.conf
# dest: /etc/ntp.conf
# backup: no
#
#- name: Restart NTP
# service:
# name: ntp
# state: restarted
#
#- name: Install debian package management
# apt: name={{ item }} state=latest
# with_items:
# - aptitude
# - dselect
#
#- name: Install gpg
# apt: name=gnupg state=latest
#
#- name: Install rsyslog
# apt: name={{ item }} state=latest
# with_items:
# - rsyslog
# - rsyslog-gnutls
#
# # TODO: Configure logging
#
#- name: Restart rsyslog
# service:
# name: rsyslog
# state: restarted
#
#- name: Install fail2ban
# apt: name=fail2ban state=latest
#
#- name: Install man pages
# apt: name={{ item }} state=latest
# with_items:
# - manpages
# - info
#
#- name: Install molly-guard
# apt: name=molly-guard state=latest
#
#- name: Install ssmtp
# apt: name=ssmtp state=latest
#
#- name: Configure ssmtp
# lineinfile: dest=/etc/ssmtp/ssmtp.conf
# state=present
# backrefs=yes
# regexp='^#(FromLineOverride=YES)$'
# line='\\1'
- name: Install root dotfiles
copy: src={{ item.src }} dest={{ item.dest }} backup=no
with_items:
- { src: 'root-dotfiles/bashrc', dest: '/root/.bashrc' }
- { src: 'root-dotfiles/bash-preexec', dest: '/root/.bash-preexec' }
- { src: 'root-dotfiles/vimrc', dest: '/root/.vimrc' }
- name: Install Shells
apt: name={{ item }} state=latest
with_items:
- bash
- zsh
- zsh-doc
- dash
- ksh
- tcsh
- csh
- rc
- bash-doc
- bash-completion
- name: Install Editors
apt: name={{ item }} state=latest
with_items:
- vim-nox
- ed
- nano
- name: Install words
apt: name={{ item }} state=latest
with_items:
- wamerican-insane
- name: Install utils
apt: name={{ item }} state=latest
with_items:
- acl
- tmux
- screen
- less
- lsof
- bc
- dc
- psmisc
- procps
- htop
- schedtool
- pciutils
- rsync
- iotop
- attr
- tree
- parted
- mosh
- name: Install compression
apt: name={{ item }} state=latest
with_items:
- bzip2
- gzip
- pax
- lzma
- xz-utils
- cpio
- name: Install ncurses
apt: name={{ item }} state=latest
with_items:
- ncurses-bin
- ncurses-term
- name: Install network
apt: name={{ item }} state=latest
with_items:
- iputils-ping
- iputils-arping
- traceroute
- telnet
- iproute2
- ethtool
- dnsutils
- whois
- wget
- curl
- netcat-traditional
- netcat-openbsd
- vlan
- bridge-utils
- tcpdump
- tshark
- ftp
- tftp
- name: Install ntp
apt: name=ntp state=latest
- name: Copy NTP configuration
copy:
src: ntp.conf
dest: /etc/ntp.conf
backup: no
- name: Restart NTP
service:
name: ntp
state: restarted
- name: Install debian package management
apt: name={{ item }} state=latest
with_items:
- aptitude
- dselect
- name: Install gpg
apt: name=gnupg state=latest
- name: Install rsyslog
apt: name={{ item }} state=latest
with_items:
- rsyslog
- rsyslog-gnutls
# TODO: Configure logging
- name: Restart rsyslog
service:
name: rsyslog
state: restarted
- name: Install fail2ban
apt: name=fail2ban state=latest
- name: Install man pages
apt: name={{ item }} state=latest
with_items:
- manpages
- info
- name: Install molly-guard
apt: name=molly-guard state=latest
- name: Install ssmtp
apt: name=ssmtp state=latest
- name: Configure ssmtp
lineinfile: dest=/etc/ssmtp/ssmtp.conf
state=present
backrefs=yes
regexp='^(FromLineOverride=YES)$'
line='\\1'
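Review bot: The new `regexp='^(FromLineOverride=YES)$'` matches only an already-uncommented line and, with `backrefs=yes`, rewrites it to itself, so the task is a no-op; if the stock ssmtp.conf ships the option commented out (the removed `^#(FromLineOverride=YES)$` suggests it does) the line now stays commented, and `backrefs=yes` also means lineinfile never adds it when there is no match. If the goal is simply "the setting is active", `regexp='^#?FromLineOverride=YES$'` with `line='FromLineOverride=YES'` and no `backrefs` covers both states. Separately, every re-enabled `apt:` task uses `state=latest`, so each run of the role upgrades those packages in place and a routine run becomes a change window; `state=present` plus a deliberate upgrade task is the usual split.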


@ -67,6 +67,7 @@
- xpdf
- evince
- djview4
- krita
- name: Install xubuntu-desktop
apt: name={{ item }} state=latest


@ -0,0 +1,4 @@
net.ipv4.ip_nonlocal_bind = 1
# Until the kernel > 4.3, a hack binds the IPs on lo
# net.ipv6.ip_nonlocal_bind = 1


@ -19,10 +19,10 @@ global
#ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
ssl-default-server-options no-sslv3 no-tls-tickets
defaults
@ -41,35 +41,223 @@ defaults
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend ssh
bind :2222
mode tcp
default_backend ssh-backend
#frontend ssh
# bind :::2222 v4v6
# mode tcp
# option tcplog
#
# default_backend ssh_general-use
frontend http_cloud_metadata
bind :::8775 v4v6 ssl crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
mode http
option forwardfor
http-request set-header X-Forwarded-Proto https if { ssl_fc }
default_backend http_metadata.cloud.csclub.uwaterloo.ca
frontend http
bind :::80 v4v6
bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.pem
mode http
default_backend http-backend
bind :::80 v4v6
bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem crt /etc/ssl/private/csclub.cloud/csclub.cloud.pem
mode http
option forwardfor
stats enable
stats uri /status
# Add proto
http-request set-header X-Forwarded-Proto https if { ssl_fc }
backend ssh-backend
balance roundrobin
mode tcp
#
# Determine host
#
server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
server sucrose sucrose.csclub.uwaterloo.ca check port 22
# csclub webpage
acl csclub.uwaterloo.ca hdr(host) -i csclub.uwaterloo.ca
acl csclub.uwaterloo.ca hdr(host) -i www.csclub.uwaterloo.ca
acl csclub.uwaterloo.ca hdr(host) -i www2.csclub.uwaterloo.ca
backend http-backend
balance leastconn
mode http
option forwardfor
# cloud.csclub
acl cloud.csclub.uwaterloo.ca hdr(host) -i cloud.csclub.uwaterloo.ca
acl console.cloud.csclub.uwaterloo.ca hdr(host) -i console.cloud.csclub.uwaterloo.ca
acl auth.cloud.csclub.uwaterloo.ca hdr(host) -i auth.cloud.csclub.uwaterloo.ca
acl admin.cloud.csclub.uwaterloo.ca hdr(host) -i admin.cloud.csclub.uwaterloo.ca
acl compute.cloud.csclub.uwaterloo.ca hdr(host) -i compute.cloud.csclub.uwaterloo.ca
acl dns.cloud.csclub.uwaterloo.ca hdr(host) -i dns.cloud.csclub.uwaterloo.ca
acl metadata.cloud.csclub.uwaterloo.ca hdr(host) -i metadata.cloud.csclub.uwaterloo.ca
acl network.cloud.csclub.uwaterloo.ca hdr(host) -i network.cloud.csclub.uwaterloo.ca
acl image.cloud.csclub.uwaterloo.ca hdr(host) -i image.cloud.csclub.uwaterloo.ca
acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.cloud.csclub.uwaterloo.ca
acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.csclub.uwaterloo.ca
acl volume.cloud.csclub.uwaterloo.ca hdr(host) -i volume.cloud.csclub.uwaterloo.ca
cookie SERVERID insert indirect nocache
# csclub.cloud
acl csclub.cloud hdr(host) csclub.cloud
acl csclub.cloud hdr(host) www.csclub.cloud
server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01
#
# csclub.cloud (users)
#
# iie
acl iie_iise-wiki.csclub.cloud hdr(host) -i iise-wiki.csclub.cloud
# ztseguin
acl ztseguin.csclub.cloud hdr(host) -i ztseguin.csclub.cloud
acl ztseguin-reddit.csclub.cloud hdr(host) -i ztseguin-reddit.csclub.cloud
acl ztseguin-reddit.csclub.cloud hdr(host) -i reddit.csclub.cloud
# Force SSL
redirect scheme https if !{ ssl_fc } cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } admin.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } auth.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } console.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } compute.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } dns.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } metadata.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } network.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } image.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } object.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } volume.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } csclub.cloud
redirect scheme https if !{ ssl_fc } ztseguin.csclub.cloud
redirect scheme https if !{ ssl_fc } iie_iise-wiki.csclub.cloud
# Backend
use_backend http_csclub.uwaterloo.ca if csclub.uwaterloo.ca
use_backend http_cloud.csclub.uwaterloo.ca if cloud.csclub.uwaterloo.ca
use_backend http_auth.cloud.csclub.uwaterloo.ca if auth.cloud.csclub.uwaterloo.ca
use_backend http_admin.cloud.csclub.uwaterloo.ca if admin.cloud.csclub.uwaterloo.ca
use_backend http_console.cloud.csclub.uwaterloo.ca if console.cloud.csclub.uwaterloo.ca
use_backend http_compute.cloud.csclub.uwaterloo.ca if compute.cloud.csclub.uwaterloo.ca
use_backend http_dns.cloud.csclub.uwaterloo.ca if dns.cloud.csclub.uwaterloo.ca
use_backend http_metadata.cloud.csclub.uwaterloo.ca if metadata.cloud.csclub.uwaterloo.ca
use_backend http_network.cloud.csclub.uwaterloo.ca if network.cloud.csclub.uwaterloo.ca
use_backend http_image.cloud.csclub.uwaterloo.ca if image.cloud.csclub.uwaterloo.ca
use_backend http_object.cloud.csclub.uwaterloo.ca if object.cloud.csclub.uwaterloo.ca
use_backend http_volume.cloud.csclub.uwaterloo.ca if volume.cloud.csclub.uwaterloo.ca
use_backend http_cloud.csclub.uwaterloo.ca if csclub.cloud
use_backend http_ztseguin.csclub.cloud if ztseguin.csclub.cloud
use_backend http_iie_iise-wiki.csclub.cloud if iie_iise-wiki.csclub.cloud
frontend stats
bind :::8443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
mode http
no log
stats enable
stats uri /
acl network_allowed src 10.0.0.0/8
acl network_allowed src 129.97.0.0/16
acl network_allowed src 172.16.0.0/12
acl network_allowed src 2620:101:f000::/47
acl network_allowed src fd74:6b6a:8eca::/47
tcp-request connection reject if !network_allowed
#
# BACKENDS
#
#backend ssh_general-use
# balance roundrobin
# mode tcp
# server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
# server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
# server sucrose sucrose.csclub.uwaterloo.ca check port 22
backend http_csclub.uwaterloo.ca
balance leastconn
mode http
cookie serverid insert indirect nocache
server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01
backend http_cloud.csclub.uwaterloo.ca
balance leastconn
mode http
cookie serverid insert indirect nocache
#server web1.cloud web1.cloud.csclub.uwaterloo.ca:80 check cookie 01
server web1.cloud 172.19.134.5:80 check cookie 01
backend http_auth.cloud.csclub.uwaterloo.ca
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:5000 check
backend http_admin.cloud.csclub.uwaterloo.ca
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:35357 check
backend http_console.cloud.csclub.uwaterloo.ca
balance leastconn
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:6080 check
backend http_compute.cloud.csclub.uwaterloo.ca
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8774 check
backend http_dns.cloud.csclub.uwaterloo.ca
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9001 check
backend http_network.cloud.csclub.uwaterloo.ca
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9696 check
backend http_metadata.cloud.csclub.uwaterloo.ca
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8775 check
backend http_image.cloud.csclub.uwaterloo.ca
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9292 check
backend http_object.cloud.csclub.uwaterloo.ca
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8080 check
backend http_volume.cloud.csclub.uwaterloo.ca
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8776 check
backend http_ztseguin.csclub.cloud
balance roundrobin
mode http
server ztseguin1 csc-web.zacharyseguin.ca:80 check
backend http_iie_iise-wiki.csclub.cloud
balance roundrobin
mode http
server wiki wiki.iie.csclub.cloud:8090 check
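Review bot: `stats enable` / `stats uri /status` inside the public `frontend http` publish the HAProxy stats page on :80/:443 with neither `stats auth` nor a source ACL, so any Internet client can read backend names, server addresses and health state; the dedicated `frontend stats` on :8443 already carries the `network_allowed` ACL, so those two lines should be dropped from `frontend http`. The new `frontend http_cloud_metadata` on :8775 likewise has no source restriction here, while the config.yml added in this commit gives the same service a `restrict` list — the two definitions disagree. Given that the load-balancer tasks hunk below stops copying `haproxy.cfg` and generates the config from the `haproxy/` directory instead, this static file looks superseded; if so, delete it rather than let the two drift (I cannot see the file path from here). The `ssl-default-*-ciphers` lines are unchanged context, but still include `DES-CBC3-SHA` and no `no-tlsv10`, which is worth a follow-up when the generated template is the only copy.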


@ -0,0 +1,277 @@
frontends:
- name: http
bind:
- host: '129.97.134.10'
port: 80
- host: '2620:101:f000:4901:c5c::10ad'
port: 80
# For certificates, always ensure to update both v4 and v6
- host: '129.97.134.10'
port: 443
ssl: true
certs:
- /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
- /etc/ssl/private/ztseguin/alerts.zacharyseguin.ca/alerts.zacharyseguin.ca.pem
# For certificates, always ensure to update both v4 and v6
- host: '2620:101:f000:4901:c5c::10ad'
port: 443
ssl: true
certs:
- /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
- /etc/ssl/private/ztseguin/alerts.zacharyseguin.ca/alerts.zacharyseguin.ca.pem
multiple: true
projects:
csc:
proxies:
- host: www2.csclub.uwaterloo.ca
cookie: true
backends:
- host: caffeine-00.csclub.uwaterloo.ca
port: 80
- host: caffeine-01.csclub.uwaterloo.ca
port: 80
- host: crl.csclub.uwaterloo.ca
cookie: true
backends:
- host: caffeine-00.csclub.uwaterloo.ca
port: 80
- host: caffeine-01.csclub.uwaterloo.ca
port: 80
- host: cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: web1.cloud.csclub.uwaterloo.ca
port: 80
- host: csclub.cloud
force_ssl: true
backends:
- host: web1.cloud.csclub.uwaterloo.ca
port: 80
office:
proxies:
- host: office.csclub.cloud
force_ssl: true
backends:
- host: 172.19.134.51
port: 80
- host: 2620:101:f000:4903:f816:3eff:fe11:1dd9
port: 80
ztseguin:
proxies:
- host: ztseguin.csclub.cloud
force_ssl: true
backends:
- host: node1.web.ztseguin.csclub.cloud
port: 80
- host: dashboard.csclub.cloud
force_ssl: true
backends:
- host: dashboard.ztseguin.csclub.cloud
port: 80
- host: alerts.zacharyseguin.ca
force_ssl: true
backends:
- host: web1.alerts-canada.ztseguin.csclub.cloud
port: 80
- host: ztseguin-alerts-canada.csclub.cloud
force_ssl: true
backends:
- host: web1.alerts-canada.ztseguin.csclub.cloud
port: 80
- host: freebsd.packages.zacharyseguin.ca
backends:
- host: george-mason.zacharyseguin.ca
port: 80
- host: twig-sockets.csclub.cloud
force_ssl: true
backends:
- host: sucrose.csclub.uwaterloo.ca
port: 25000
- host: twig.csclub.cloud
force_ssl: true
backends:
- host: twig-prod.ztseguin.csclub.cloud
port: 80
- host: twig-dev.csclub.cloud
force_ssl: true
backends:
- host: twig-dev.ztseguin.csclub.cloud
port: 5000
iie:
proxies:
- host: iise-wiki.csclub.cloud
force_ssl: true
backends:
- host: wiki.iie.csclub.cloud
port: 8090
uwarc:
proxies:
- host: uwarc-wiki.csclub.cloud
force_ssl: true
backends:
- host: wiki.uwarc.csclub.cloud
port: 80
- host: wiki.uwarc.uwaterloo.club
force_ssl: true
backends:
- host: wiki.uwarc.csclub.cloud
port: 80
- name: cloud-http
bind:
- host: '129.97.134.11'
port: 80
- host: '2620:101:f000:4901:c5c::c:10ad'
port: 80
# For certificates, always ensure to update both v4 and v6
- host: '129.97.134.11'
port: 443
ssl: true
certs:
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
# For certificates, always ensure to update both v4 and v6
- host: '2620:101:f000:4901:c5c::c:10ad'
port: 443
ssl: true
certs:
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
multiple: true
projects:
csc-cloud:
proxies:
- host: csclub.cloud
force_ssl: true
backends:
- host: web1.cloud.csclub.uwaterloo.ca
port: 80
- host: www.csclub.cloud
force_ssl: true
backends:
- host: web1.cloud.csclub.uwaterloo.ca
port: 80
- host: cloud.csclub.uwaterloo.ca
force_ssl: true
cookie: true
backends:
- host: web1.cloud.csclub.uwaterloo.ca
port: 80
- host: admin.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 35357
- host: auth.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 5000
- host: compute.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 8774
- host: console.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 6080
- host: dashboard.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: web1.cloud.csclub.uwaterloo.ca
port: 8080
- host: dns.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 9001
- host: network.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 9696
- host: image.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 9292
- host: object.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 8080
- host: placement.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 8778
- host: volume.cloud.csclub.uwaterloo.ca
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 8776
# TODO: Force SSL for object.csclub.uwaterloo.ca domain
- name: object-http
bind:
- host: '129.97.134.12'
port: 80
- host: '2620:101:f000:4901:c5c::c0b:10ad'
port: 80
# For certificates, always ensure to update both v4 and v6
- host: '129.97.134.12'
port: 443
ssl: true
certs:
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
# For certificates, always ensure to update both v4 and v6
- host: '2620:101:f000:4901:c5c::c0b:10ad'
port: 443
ssl: true
certs:
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 8080
- name: cloud-metadata
bind:
- host: '::'
port: 8775
v4v6: true
ssl: true
certs:
- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
force_ssl: true
backends:
- host: controller1.cloud.csclub.uwaterloo.ca
port: 8775
restrict:
- '10.0.0.0/8'
- '129.97.0.0/16'
- '172.16.0.0/12'
- '2620:101:f000::/47'
- 'fd74:6b6a:8eca::/47'
- name: stats
bind:
- host: '::'
port: 8443
v4v6: true
ssl: true
certs:
- /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
stats:
enable: true
uri: '/'
restrict:
- '10.0.0.0/8'
- '129.97.0.0/16'
- '172.16.0.0/12'
- '2620:101:f000::/47'
- 'fd74:6b6a:8eca::/47'
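Review bot: Every TLS bind lists its certificate paths twice, once for the v4 and once for the v6 address, with a comment reminding the editor to update both; since this file is read by PyYAML, an anchor on the first list (`certs: &http_certs`) and `certs: *http_certs` on the second removes both the duplication and the reminder, or the template could accept a per-frontend `certs` list. The `object-http` frontend has no `force_ssl`, so object storage stays reachable over plain HTTP on :80 until the `# TODO` above it is resolved — a note on who owns that TODO would help. For `stats` and `cloud-metadata` the only protection is `restrict`, which the template renders as an `http-request deny` (see the template hunk), so adding `stats auth` support for the stats page is worth considering. The file has no `---` document start and the IPv6 bind hosts are quoted while backend hosts are not; consistent quoting of anything containing `:` avoids surprises with other YAML consumers.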


@ -0,0 +1,37 @@
#!/usr/bin/env python
from __future__ import print_function
import os, sys
from optparse import OptionParser
import yaml
from mako.template import Template
import pprint
def main():
# Arguments
parser = OptionParser()
parser.add_option('-c', '--config', dest='config', default='config.yml',
help='Configuration file', metavar="FILE")
parser.add_option('-t', '--template', dest='template', default='haproxy.cfg.mako',
help='haproxy.cfg Mako template')
(options, args) = parser.parse_args()
try:
config = yaml.load(open(options.config, 'r'))
except Exception as e:
print(e, file=sys.stderr)
config = None
if not config or type(config) != dict:
print('Unable to load configuration: "{}"'.format(options.config), file=sys.stderr)
sys.exit(-1)
print(Template(filename=options.template).render(config=config))
if __name__ == '__main__':
main()
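Review bot: `yaml.load(open(options.config, 'r'))` uses PyYAML's full loader (no `Loader=` given), which constructs arbitrary Python objects from `!!python/...` tags, and the file handle is never closed; config.yml only needs plain mappings and scalars, so replace it with `with open(options.config, 'r') as fh:` / `config = yaml.safe_load(fh)`. `sys.exit(-1)` yields exit status 255 — use `sys.exit(1)` — and `type(config) != dict` should be `isinstance(config, dict)`. `os`, `pprint` and `args` are unused, and a module docstring naming the inputs (config.yml, haproxy.cfg.mako) and the output (the rendered config on stdout) would make the script self-describing for whoever runs it from the playbook.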


@ -0,0 +1,147 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDH
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC
ssl-default-server-options no-sslv3 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
% for frontend in config.get('frontends'):
frontend ${frontend['name']}
% for bind in frontend['bind']:
bind ${bind['host']}:${bind['port']}${' v4v6' if bind.get('v4v6', False) else ''}${' ssl crt {}'.format(' crt '.join(bind['certs'])) if bind.get('ssl', False) else ''}
% endfor
mode ${frontend.get('mode', 'http')}
% if frontend.get('mode', 'http') == 'http':
option forwardfor
option http-server-close
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
% endif
% if frontend.get('stats') and frontend['stats'].get('enable', False):
stats enable
stats uri ${frontend['stats'].get('uri', '/')}
% endif
% for restriction in frontend.get('restrict', []):
acl network_allowed src ${restriction}
% endfor
% if frontend.get('restrict', None):
http-request deny if !network_allowed
% endif
% if not frontend.get('multiple', False):
# SSL
% if frontend.get('force_ssl', False):
redirect scheme https if !{ ssl_fc }
% endif
# Backend
% if frontend.get('backends'):
use_backend ${frontend['name']}
% endif
% else:
# Determine which virtual host is being requested
% for project in frontend['projects']:
# ${project}
% for proxy in frontend['projects'][project]['proxies']:
acl ${proxy['host']} hdr(host) -i ${proxy['host']}
% endfor
% endfor
# Redirect SSL
% for project in frontend['projects']:
# ${project}
% for proxy in frontend['projects'][project]['proxies']:
% if proxy.get('force_ssl', False):
redirect scheme https if !{ ssl_fc } ${proxy['host']}
% endif
% endfor
% endfor
# Select backend
% for project in frontend['projects']:
# ${project}
% for proxy in frontend['projects'][project]['proxies']:
% if proxy.get('force_ssl', False):
redirect scheme https if !{ ssl_fc } ${proxy['host']}
% endif
% endfor
% endfor
# Select backend
% for project in frontend['projects']:
# ${project}
% for proxy in frontend['projects'][project]['proxies']:
use_backend ${frontend['name']}_${project}_${proxy['host']} if ${proxy['host']}
% endfor
% endfor
% endif
% endfor
#
# BACKENDS
#
<%def name="backend(name, definition)">
backend ${name}
balance ${definition.get('balance', 'leastconn')}
mode http
% if definition.get('cookie', False):
cookie serverid insert indirect nocache
% endif
% for index, server in enumerate(definition.get('backends')):
server ${server['host']}:${server['port']} ${server['host']}:${server['port']} check ${ 'cookie {}'.format(index) if definition.get('cookie', False) else ''}
% endfor
</%def>
% for frontend in config.get('frontends', []):
% if not frontend.get('multiple', False) and frontend.get('backends'):
${backend(frontend['name'], frontend)}
% elif frontend.get('multiple', False):
% for project in frontend['projects']:
# ${project}
% for proxy in frontend['projects'][project]['proxies']:
${backend('{}_{}_{}'.format(frontend['name'], project, proxy['host']), proxy)}
% endfor
% endfor
% endif
% endfor
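Review bot: The loop under the first `# Select backend` comment (the `redirect scheme https if !{ ssl_fc } ${proxy['host']}` block) is a verbatim copy of the `# Redirect SSL` block directly above it, so every redirect rule is emitted twice and the real backend selection only begins at the second `# Select backend`; delete the duplicated loop. `restrict` is rendered as `http-request deny if !network_allowed`, whereas the static haproxy.cfg used `tcp-request connection reject`: with the new form an unauthorised client completes the TLS handshake and receives a 403 instead of being dropped at accept time, and `http-request` rules in a frontend rendered with `mode tcp` are, as far as I recall, rejected or ignored — `tcp-request connection reject` works in both modes. The two `ssl-default-*-ciphers` lines appear cut off on this page (ending in `:ECDH` and `:EC`); if that is the file content rather than the rendering, the cipher string is broken and should be checked against the repository. The `server` line uses `host:port` as the server name, which is legal but makes stats output and logs harder to read; a short name followed by the address is the usual form.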


@ -0,0 +1,13 @@
[Unit]
Description=Hack since 4.3 kernel does not support net.ipv6.ip_nonlocal_bind
Before=haproxy.service
[Service]
ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::10ad/64 dev lo
ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::c:10ad/64 dev lo
ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::c0b:10ad/64 dev lo
RemainAfterExit=true
Type=oneshot
[Install]
WantedBy=multi-user.target
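Review bot: `ip -6 addr add` exits non-zero when the address is already present, so any second start of this oneshot (for instance the role's `state: running` task after a manual start) marks the unit failed; prefix each line with `-` (`ExecStart=-/sbin/ip -6 addr add ...`) or use `ip -6 addr replace`, which is idempotent. The three addresses duplicate the `bind` hosts in config.yml, so adding a bind there without touching this unit yields a frontend that cannot bind; a comment pointing at config.yml, or generating the unit from it, keeps them aligned. `Before=haproxy.service` is ordering only — if this unit is ever disabled nothing pulls it in before haproxy starts — acceptable if intentional, but worth stating in the comment.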


@ -0,0 +1 @@
/users/syscom/certs


@ -1,49 +1,82 @@
---
# SSL CERTS
- name: Install SSL certificates
copy:
src: ssl/
dest: /etc/ssl/private/
directory_mode: "u=rwx,g=rx,o="
mode: "u=rw,g=r,o="
owner: root
group: root
# Non-local binding
- name: Install 99-nonlocalbind.conf in /etc/sysctl.d
copy:
src: 99-nonlocalbind.conf
dest: /etc/sysctl.d
backup: no
- name: Install ipv6-nonlocalhack.service
copy:
src: ipv6-nonlocalhack.service
dest: /etc/systemd/system/ipv6-nonlocalhack.service
backup: no
- name: Start ipv6-nonlocalhack.service
service:
name: ipv6-nonlocalhack
state: running
# HAPROXY
- name: Install haproxy
package:
name: haproxy
state: latest
- name: Copy haproxy configuration
- name: Install packages required to generate config
package: name={{ item }} state=latest
with_items:
- python-yaml
- python-mako
- name: Copy haproxy configuration generation
copy:
src: haproxy.cfg
dest: /etc/haproxy/haproxy.cfg
src: haproxy/
dest: /tmp/haproxy
backup: no
register: haproxy_configuration
- name: Generate haproxy configuration
shell: python genconfig.py > /etc/haproxy/haproxy.cfg
args:
chdir: /tmp/haproxy/
- name: Restart haproxy
service:
name: haproxy
state: restarted
when: haproxy_configuration.changed
- name: Ensure that haproxy is running
service:
name: haproxy
state: running
# KEEPALIVED
- name: Install keepalived
package:
name: keepalived
state: latest
register: keepalived_installed
- name: Stop keepalived
service:
name: keepalived
state: stopped
- name: Copy keepalived config
template:
src: keepalived.conf
dest: /etc/keepalived/keepalived.conf
backup: no
register: keepalived_configuration
#register: keepalived_configuration
- name: Restart keepalived
service:
name: keepalived
state: restarted
when: keepalived_configuration.changed
- name: Ensure keepalived is running
service:
name: keepalived
state: running
#when: keepalived_configuration.changed
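Review bot: Copying the generator to `/tmp/haproxy` and running `python genconfig.py > /etc/haproxy/haproxy.cfg` from there as root is unsafe on two counts that the commit does not address. `/tmp` is world-writable, so a local user who pre-creates `/tmp/haproxy` owns the directory Python puts first on `sys.path`, and a planted `yaml.py` or `mako/` package there runs as root on the next play; independently, the shell redirect truncates the live config before the script emits anything, so a template error leaves an empty `haproxy.cfg` and the following restart task takes the load balancer down. Stage the generator in a root-owned path, render to a scratch value, validate with `haproxy -c -f` via `copy`'s `validate`, and let the restart key off whether the rendered config changed rather than whether the generator sources did (as a side effect the `register: haproxy_configuration` on the copy task never fires for certificate changes from `Install SSL certificates`). Two smaller points: the sysctl file is copied into `/etc/sysctl.d` but never applied, so `ip_nonlocal_bind` only takes effect after a reboot unless the `sysctl` module is used instead, and `state: running` is an undocumented alias — `started` is the documented value.
```yaml
- name: Stage haproxy configuration generator (root-owned, not /tmp)
  copy:
    src: haproxy/
    dest: /usr/local/lib/haproxy-gen/
    owner: root
    group: root
    directory_mode: "u=rwx,g=rx,o=rx"
    mode: "u=rw,g=r,o=r"

- name: Render haproxy configuration
  command: python genconfig.py
  args:
    chdir: /usr/local/lib/haproxy-gen/
  register: haproxy_rendered
  changed_when: false

- name: Install rendered configuration only if haproxy -c accepts it
  copy:
    content: "{{ haproxy_rendered.stdout }}\n"
    dest: /etc/haproxy/haproxy.cfg
    owner: root
    group: root
    mode: "u=rw,g=r,o="
    validate: haproxy -c -f %s
  register: haproxy_configuration
# … unchanged: Restart haproxy when haproxy_configuration.changed, keepalived tasks …
```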


@ -1,10 +1,16 @@
global_defs {
notification_email {
ztseguin+notifications@csclub.uwaterloo.ca
syscom@csclub.uwaterloo.ca
}
notification_email_from load-balancer@csclub.uwaterloo.ca
}
vrrp_script check_haproxy {
script "pidof haproxy"
interval 1
weight: -20
}
! load-balancer.csclub.uwaterloo.ca
vrrp_instance VI_10 {
state MASTER
@ -16,8 +22,51 @@ vrrp_instance VI_10 {
auth_type PASS
auth_pass CSC_VRRP
}
track_script {
check_haproxy
}
virtual_ipaddress {
129.97.134.10
2620:101:f000:4901:c5c::10ad
}
}
! load-balancer-cloud.csclub.uwaterloo.ca
vrrp_instance VI_11 {
state MASTER
interface eth0
virtual_router_id 11
priority {{ lb_priority }}
advert_int 1
authentication {
auth_type PASS
auth_pass CSC_VRRP
}
track_script {
check_haproxy
}
virtual_ipaddress {
129.97.134.11
2620:101:f000:4901:c5c::c:10ad
}
}
! load-balancer-object.csclub.uwaterloo.ca
vrrp_instance VI_12 {
state MASTER
interface eth0
virtual_router_id 12
priority {{ lb_priority }}
advert_int 1
authentication {
auth_type PASS
auth_pass CSC_VRRP
}
track_script {
check_haproxy
}
virtual_ipaddress {
129.97.134.12
2620:101:f000:4901:c5c::c0b:10ad
}
}
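Review bot: `weight: -20` in the new `check_haproxy` script block is not keepalived syntax — the keyword takes its value separated by whitespace, `weight -20`; as written the option is probably rejected or ignored and the script runs at its default weight 0, where a failed check moves the instance to FAULT instead of applying the intended 20-point priority drop, so confirm the effective behaviour with `keepalived -t -f keepalived.conf` before relying on it. `pidof haproxy` also only proves a process exists, not that it is accepting connections; a check against the stats socket or a TCP probe on the listening port is a stronger trigger for failover. Separately, the same `auth_pass CSC_VRRP` is hard-coded in all three `vrrp_instance` blocks and committed in plaintext; VRRP PASS authentication is sent in the clear and only guards against accidental misconfiguration, so move it to a vaulted variable (`auth_pass {{ vrrp_auth_pass }}`) and rely on segmenting the VRRP segment rather than treating the string as a secret.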


@ -30,14 +30,18 @@
file: path={{ item }} state=directory
with_items:
- /users
- /music
- /scratch
- /u
# - /music
# - /scratch
- name: Add fstab entry for users
mount: src="aspartame:/users" name=/users fstype=nfs opts="noauto,bg,vers=3,sec=krb5p,nosuid,nodev,x-systemd.automount,x-systemd.requires=nfs-common.service" dump=0 passno=0 state=mounted
#- name: Add fstab entry for users
# mount: src="aspartame:/users" name=/users fstype=nfs opts="noauto,bg,vers=3,sec=krb5p,nosuid,nodev,x-systemd.automount,x-systemd.requires=nfs-common.service" dump=0 passno=0 state=mounted
- name: Add fstab entry for music
mount: src="aspartame:/music" name=/music fstype=nfs opts="bg,vers=3,sec=sys,nolock,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
#- name: Add fstab entry for users (new netapp)
# mount: src="fs00:/users" name=/u fstype=nfs opts="noauto,bg,vers=3,sec=sys,nosuid,nodev,x-systemd.automount,x-systemd.requires=nfs-common.service" dump=0 passno=0 state=mounted
- name: Add fstab entry for scratch
mount: src="corn-syrup:/scratch" name=/scratch fstype=nfs opts="bg,vers=3,sec=sys,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
#- name: Add fstab entry for music
# mount: src="aspartame:/music" name=/music fstype=nfs opts="bg,vers=3,sec=sys,nolock,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
#- name: Add fstab entry for scratch
# mount: src="corn-syrup:/scratch" name=/scratch fstype=nfs opts="bg,vers=3,sec=sys,noatime,nosuid,nodev" dump=0 passno=0 state=mounted
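Review bot: The disabled replacement mount for home directories (`fs00:/users` on `/u`) drops `sec=krb5p` for `sec=sys`, so if it is uncommented as written the new home tree would be served over NFSv3 AUTH_SYS — the server trusts whatever uid the client asserts and nothing on the wire is integrity-protected or encrypted — a regression from the aspartame mount it replaces. If the new export cannot do krb5p, keep at least `sec=krb5i` (or confirm the export is restricted to trusted client addresses) and record that decision in a comment above the task rather than leaving it implicit in a commented-out line. The `/u` directory is now created on every host while nothing mounts it; a one-line comment such as `# /u: mount point for the fs00 home export, currently unmounted` would stop it being mistaken for a live mount.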


@ -0,0 +1,4 @@
[Allow syscom to libvirt]
Identity=unix-group:syscom
Action=org.libvirt.unix.manage
ResultAny=yes
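Review bot: Granting `org.libvirt.unix.manage` to `unix-group:syscom` is effectively root on the hypervisor — a manage-privileged libvirt user can define a domain that attaches any host block device or file — so syscom membership should be treated and audited as root-equivalent; say so in the file, e.g. `# manage == root-equivalent on this host; keep syscom membership tight`. `ResultAny=yes` also applies to inactive and remote (SSH) sessions, which is presumably intended for remote virsh use; if only console sessions were meant, `ResultActive=yes` is the narrower grant. Note that the `.pkla` format is only read by polkit's legacy pklocalauthority backend (Debian's 0.105 line at the time); on releases that use the JavaScript rules backend in `/etc/polkit-1/rules.d/` this file is silently ignored and nobody in syscom gets access, so a comment recording which polkit version the role targets would help.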

View File

@ -1,4 +1,8 @@
---
- name: Allow syscom access to libvirt
copy:
src: libvirt.pkla
dest: /etc/polkit-1/localauthority/50-local.d/libvirt.pkla
- name: Install virtualization tools
apt: name={{ item }} state=latest
with_items:

6
upgrade.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: all
become: yes
tasks:
- name: upgrade software packages (safe)
apt: update_cache=yes upgrade=safe
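Review bot: `upgrade=safe` (apt-get upgrade) never installs new packages or removes conflicting ones, so any security update whose dependencies changed — a new kernel ABI package, a library soname bump — is held back while the play reports success; either run `upgrade=dist` on a schedule or follow this task with a check of `apt list --upgradable` so held-back packages are visible. The play also targets `all` with no `serial`, so both load balancers (and any other paired hosts) upgrade, and may have daemons restarted by postinst scripts, at the same time; `serial: 1` or excluding the `load-balancers` group avoids that. Stylistically the module arguments belong in block YAML with a lowercase boolean: `apt:` / `update_cache: true` / `upgrade: safe`.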