Remove old playbooks

pull/14/head
Edwin Zhang 4 months ago
parent b55678cd8c
commit f4933d7d76
  1. 18
      files/rsyslog.conf
  2. 7
      generate-hosts.yml
  3. 13
      loadbalancer.yml
  4. 18
      roles/generate-hosts/tasks/main.yml
  5. 4
      roles/load-balancer/files/99-nonlocalbind.conf
  6. 263
      roles/load-balancer/files/haproxy.cfg
  7. 277
      roles/load-balancer/files/haproxy/config.yml
  8. 37
      roles/load-balancer/files/haproxy/genconfig.py
  9. 147
      roles/load-balancer/files/haproxy/haproxy.cfg.mako
  10. 13
      roles/load-balancer/files/ipv6-nonlocalhack.service
  11. 1
      roles/load-balancer/files/ssl
  12. 82
      roles/load-balancer/tasks/main.yml
  13. 72
      roles/load-balancer/templates/keepalived.conf
  14. 16
      rs.yml
  15. 18
      update-hosts.yml

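--- a/files/rsyslog.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# Computer Science Club
-# Logging
-#
-# Configure TLS
-$DefaultNetstreamDriver gtls
-$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
-$DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert.pem
-$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/key.pem
-$ActionSendStreamDriverAuthMode x509/name
-$ActionSendStreamDriverPermittedPeer hydrazine.csclub.uwaterloo.ca
-$ActionSendStreamDriverMode 1 # TLS-only
-# All logs are sent to the log server(s)
-*.* @@hydrazine.csclub.uwaterloo.ca:10514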

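--- a/generate-hosts.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- hosts: all
-become: yes
-become_method: sudo
-roles:
-- generate-hosts
-- cleanup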

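--- a/loadbalancer.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-- hosts: load-balancers
-become: yes
-become_method: sudo
-serial: "50%"
-pre_tasks:
-- name: stop keepalived (to remove from rotation)
-service:
-name: keepalived
-state: stopped
-roles:
-- load-balancer
-- cleanup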

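--- a/roles/generate-hosts/tasks/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: update hosts
-connection: local
-become: no
-git: repo=~git/public/hosts.git dest=/tmp/generate-hosts-{{ ansible_hostname }}
-- name: generate hosts file
-connection: local
-become: no
-shell: /tmp/generate-hosts-{{ ansible_hostname }}/generate-hosts.py < /tmp/generate-hosts-{{ ansible_hostname }}/hosts.in > /tmp/generate-hosts-{{ ansible_hostname }}/hosts
-- name: copy hosts file
-copy: src=/tmp/generate-hosts-{{ ansible_hostname }}/hosts dest=/etc/hosts backup=yes
-- name: cleanup generate-hosts
-connection: local
-become: no
-file: path=/tmp/generate-hosts-{{ ansible_hostname }} state=absent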

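--- a/roles/load-balancer/files/99-nonlocalbind.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-net.ipv4.ip_nonlocal_bind = 1
-# Until the kernel > 4.3, a hack binds the IPs on lo
-# net.ipv6.ip_nonlocal_bind = 1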

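--- a/roles/load-balancer/files/haproxy.cfg
+++ /dev/null
@@ -1,263 +0,0 @@
-global
-log /dev/log local0
-log /dev/log local1 notice
-chroot /var/lib/haproxy
-stats socket /run/haproxy/admin.sock mode 660 level admin
-stats timeout 30s
-user haproxy
-group haproxy
-daemon
-# Default SSL material locations
-ca-base /etc/ssl/certs
-crt-base /etc/ssl/private
-# Default ciphers to use on SSL-enabled listening sockets.
-# For more information, see ciphers(1SSL). This list is from:
-# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
-#ssl-default-bind-options no-sslv3
-tune.ssl.default-dh-param 2048
-ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-ssl-default-bind-options no-sslv3 no-tls-tickets
-ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-ssl-default-server-options no-sslv3 no-tls-tickets
-defaults
-log global
-mode http
-option httplog
-option dontlognull
-timeout connect 5000
-timeout client 50000
-timeout server 50000
-errorfile 400 /etc/haproxy/errors/400.http
-errorfile 403 /etc/haproxy/errors/403.http
-errorfile 408 /etc/haproxy/errors/408.http
-errorfile 500 /etc/haproxy/errors/500.http
-errorfile 502 /etc/haproxy/errors/502.http
-errorfile 503 /etc/haproxy/errors/503.http
-errorfile 504 /etc/haproxy/errors/504.http
-#frontend ssh
-# bind :::2222 v4v6
-# mode tcp
-# option tcplog
-#
-# default_backend ssh_general-use
-frontend http_cloud_metadata
-bind :::8775 v4v6 ssl crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
-mode http
-option forwardfor
-http-request set-header X-Forwarded-Proto https if { ssl_fc }
-default_backend http_metadata.cloud.csclub.uwaterloo.ca
-frontend http
-bind :::80 v4v6
-bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem crt /etc/ssl/private/csclub.cloud/csclub.cloud.pem
-mode http
-option forwardfor
-# Add proto
-http-request set-header X-Forwarded-Proto https if { ssl_fc }
-#
-# Determine host
-#
-# csclub webpage
-acl csclub.uwaterloo.ca hdr(host) -i csclub.uwaterloo.ca
-acl csclub.uwaterloo.ca hdr(host) -i www.csclub.uwaterloo.ca
-acl csclub.uwaterloo.ca hdr(host) -i www2.csclub.uwaterloo.ca
-# cloud.csclub
-acl cloud.csclub.uwaterloo.ca hdr(host) -i cloud.csclub.uwaterloo.ca
-acl console.cloud.csclub.uwaterloo.ca hdr(host) -i console.cloud.csclub.uwaterloo.ca
-acl auth.cloud.csclub.uwaterloo.ca hdr(host) -i auth.cloud.csclub.uwaterloo.ca
-acl admin.cloud.csclub.uwaterloo.ca hdr(host) -i admin.cloud.csclub.uwaterloo.ca
-acl compute.cloud.csclub.uwaterloo.ca hdr(host) -i compute.cloud.csclub.uwaterloo.ca
-acl dns.cloud.csclub.uwaterloo.ca hdr(host) -i dns.cloud.csclub.uwaterloo.ca
-acl metadata.cloud.csclub.uwaterloo.ca hdr(host) -i metadata.cloud.csclub.uwaterloo.ca
-acl network.cloud.csclub.uwaterloo.ca hdr(host) -i network.cloud.csclub.uwaterloo.ca
-acl image.cloud.csclub.uwaterloo.ca hdr(host) -i image.cloud.csclub.uwaterloo.ca
-acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.cloud.csclub.uwaterloo.ca
-acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.csclub.uwaterloo.ca
-acl volume.cloud.csclub.uwaterloo.ca hdr(host) -i volume.cloud.csclub.uwaterloo.ca
-# csclub.cloud
-acl csclub.cloud hdr(host) csclub.cloud
-acl csclub.cloud hdr(host) www.csclub.cloud
-#
-# csclub.cloud (users)
-#
-# iie
-acl iie_iise-wiki.csclub.cloud hdr(host) -i iise-wiki.csclub.cloud
-# ztseguin
-acl ztseguin.csclub.cloud hdr(host) -i ztseguin.csclub.cloud
-acl ztseguin-reddit.csclub.cloud hdr(host) -i ztseguin-reddit.csclub.cloud
-acl ztseguin-reddit.csclub.cloud hdr(host) -i reddit.csclub.cloud
-# Force SSL
-redirect scheme https if !{ ssl_fc } cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } admin.cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } auth.cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } console.cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } compute.cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } dns.cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } metadata.cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } network.cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } image.cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } object.cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } volume.cloud.csclub.uwaterloo.ca
-redirect scheme https if !{ ssl_fc } csclub.cloud
-redirect scheme https if !{ ssl_fc } ztseguin.csclub.cloud
-redirect scheme https if !{ ssl_fc } iie_iise-wiki.csclub.cloud
-# Backend
-use_backend http_csclub.uwaterloo.ca if csclub.uwaterloo.ca
-use_backend http_cloud.csclub.uwaterloo.ca if cloud.csclub.uwaterloo.ca
-use_backend http_auth.cloud.csclub.uwaterloo.ca if auth.cloud.csclub.uwaterloo.ca
-use_backend http_admin.cloud.csclub.uwaterloo.ca if admin.cloud.csclub.uwaterloo.ca
-use_backend http_console.cloud.csclub.uwaterloo.ca if console.cloud.csclub.uwaterloo.ca
-use_backend http_compute.cloud.csclub.uwaterloo.ca if compute.cloud.csclub.uwaterloo.ca
-use_backend http_dns.cloud.csclub.uwaterloo.ca if dns.cloud.csclub.uwaterloo.ca
-use_backend http_metadata.cloud.csclub.uwaterloo.ca if metadata.cloud.csclub.uwaterloo.ca
-use_backend http_network.cloud.csclub.uwaterloo.ca if network.cloud.csclub.uwaterloo.ca
-use_backend http_image.cloud.csclub.uwaterloo.ca if image.cloud.csclub.uwaterloo.ca
-use_backend http_object.cloud.csclub.uwaterloo.ca if object.cloud.csclub.uwaterloo.ca
-use_backend http_volume.cloud.csclub.uwaterloo.ca if volume.cloud.csclub.uwaterloo.ca
-use_backend http_cloud.csclub.uwaterloo.ca if csclub.cloud
-use_backend http_ztseguin.csclub.cloud if ztseguin.csclub.cloud
-use_backend http_iie_iise-wiki.csclub.cloud if iie_iise-wiki.csclub.cloud
-frontend stats
-bind :::8443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
-mode http
-no log
-stats enable
-stats uri /
-acl network_allowed src 10.0.0.0/8
-acl network_allowed src 129.97.0.0/16
-acl network_allowed src 172.16.0.0/12
-acl network_allowed src 2620:101:f000::/47
-acl network_allowed src fd74:6b6a:8eca::/47
-tcp-request connection reject if !network_allowed
-#
-# BACKENDS
-#
-#backend ssh_general-use
-# balance roundrobin
-# mode tcp
-# server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
-# server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
-# server sucrose sucrose.csclub.uwaterloo.ca check port 22
-backend http_csclub.uwaterloo.ca
-balance leastconn
-mode http
-cookie serverid insert indirect nocache
-server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
-server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01
-backend http_cloud.csclub.uwaterloo.ca
-balance leastconn
-mode http
-cookie serverid insert indirect nocache
-#server web1.cloud web1.cloud.csclub.uwaterloo.ca:80 check cookie 01
-server web1.cloud 172.19.134.5:80 check cookie 01
-backend http_auth.cloud.csclub.uwaterloo.ca
-balance roundrobin
-mode http
-server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:5000 check
-backend http_admin.cloud.csclub.uwaterloo.ca
-balance roundrobin
-mode http
-server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:35357 check
-backend http_console.cloud.csclub.uwaterloo.ca
-balance leastconn
-mode http
-server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:6080 check
-backend http_compute.cloud.csclub.uwaterloo.ca
-balance roundrobin
-mode http
-server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8774 check
-backend http_dns.cloud.csclub.uwaterloo.ca
-balance roundrobin
-mode http
-server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9001 check
-backend http_network.cloud.csclub.uwaterloo.ca
-balance roundrobin
-mode http
-server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9696 check
-backend http_metadata.cloud.csclub.uwaterloo.ca
-balance roundrobin
-mode http
-server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8775 check
-backend http_image.cloud.csclub.uwaterloo.ca
-balance roundrobin
-mode http
-server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9292 check
-backend http_object.cloud.csclub.uwaterloo.ca
-balance roundrobin
-mode http
-server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8080 check
-backend http_volume.cloud.csclub.uwaterloo.ca
-balance roundrobin
-mode http
-server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8776 check
-backend http_ztseguin.csclub.cloud
-balance roundrobin
-mode http
-server ztseguin1 csc-web.zacharyseguin.ca:80 check
-backend http_iie_iise-wiki.csclub.cloud
-balance roundrobin
-mode http
-server wiki wiki.iie.csclub.cloud:8090 check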

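--- a/roles/load-balancer/files/haproxy/config.yml
+++ /dev/null
@@ -1,277 +0,0 @@
-frontends:
-- name: http
-bind:
-- host: '129.97.134.10'
-port: 80
-- host: '2620:101:f000:4901:c5c::10ad'
-port: 80
-# For certificates, always ensure to update both v4 and v6
-- host: '129.97.134.10'
-port: 443
-ssl: true
-certs:
-- /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
-- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
-- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
-- /etc/ssl/private/ztseguin/alerts.zacharyseguin.ca/alerts.zacharyseguin.ca.pem
-# For certificates, always ensure to update both v4 and v6
-- host: '2620:101:f000:4901:c5c::10ad'
-port: 443
-ssl: true
-certs:
-- /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
-- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
-- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
-- /etc/ssl/private/ztseguin/alerts.zacharyseguin.ca/alerts.zacharyseguin.ca.pem
-multiple: true
-projects:
-csc:
-proxies:
-- host: www2.csclub.uwaterloo.ca
-cookie: true
-backends:
-- host: caffeine-00.csclub.uwaterloo.ca
-port: 80
-- host: caffeine-01.csclub.uwaterloo.ca
-port: 80
-- host: crl.csclub.uwaterloo.ca
-cookie: true
-backends:
-- host: caffeine-00.csclub.uwaterloo.ca
-port: 80
-- host: caffeine-01.csclub.uwaterloo.ca
-port: 80
-- host: cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: web1.cloud.csclub.uwaterloo.ca
-port: 80
-- host: csclub.cloud
-force_ssl: true
-backends:
-- host: web1.cloud.csclub.uwaterloo.ca
-port: 80
-office:
-proxies:
-- host: office.csclub.cloud
-force_ssl: true
-backends:
-- host: 172.19.134.51
-port: 80
-- host: 2620:101:f000:4903:f816:3eff:fe11:1dd9
-port: 80
-ztseguin:
-proxies:
-- host: ztseguin.csclub.cloud
-force_ssl: true
-backends:
-- host: node1.web.ztseguin.csclub.cloud
-port: 80
-- host: dashboard.csclub.cloud
-force_ssl: true
-backends:
-- host: dashboard.ztseguin.csclub.cloud
-port: 80
-- host: alerts.zacharyseguin.ca
-force_ssl: true
-backends:
-- host: web1.alerts-canada.ztseguin.csclub.cloud
-port: 80
-- host: ztseguin-alerts-canada.csclub.cloud
-force_ssl: true
-backends:
-- host: web1.alerts-canada.ztseguin.csclub.cloud
-port: 80
-- host: freebsd.packages.zacharyseguin.ca
-backends:
-- host: george-mason.zacharyseguin.ca
-port: 80
-- host: twig-sockets.csclub.cloud
-force_ssl: true
-backends:
-- host: sucrose.csclub.uwaterloo.ca
-port: 25000
-- host: twig.csclub.cloud
-force_ssl: true
-backends:
-- host: twig-prod.ztseguin.csclub.cloud
-port: 80
-- host: twig-dev.csclub.cloud
-force_ssl: true
-backends:
-- host: twig-dev.ztseguin.csclub.cloud
-port: 5000
-iie:
-proxies:
-- host: iise-wiki.csclub.cloud
-force_ssl: true
-backends:
-- host: wiki.iie.csclub.cloud
-port: 8090
-uwarc:
-proxies:
-- host: uwarc-wiki.csclub.cloud
-force_ssl: true
-backends:
-- host: wiki.uwarc.csclub.cloud
-port: 80
-- host: wiki.uwarc.uwaterloo.club
-force_ssl: true
-backends:
-- host: wiki.uwarc.csclub.cloud
-port: 80
-- name: cloud-http
-bind:
-- host: '129.97.134.11'
-port: 80
-- host: '2620:101:f000:4901:c5c::c:10ad'
-port: 80
-# For certificates, always ensure to update both v4 and v6
-- host: '129.97.134.11'
-port: 443
-ssl: true
-certs:
-- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
-# For certificates, always ensure to update both v4 and v6
-- host: '2620:101:f000:4901:c5c::c:10ad'
-port: 443
-ssl: true
-certs:
-- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
-multiple: true
-projects:
-csc-cloud:
-proxies:
-- host: csclub.cloud
-force_ssl: true
-backends:
-- host: web1.cloud.csclub.uwaterloo.ca
-port: 80
-- host: www.csclub.cloud
-force_ssl: true
-backends:
-- host: web1.cloud.csclub.uwaterloo.ca
-port: 80
-- host: cloud.csclub.uwaterloo.ca
-force_ssl: true
-cookie: true
-backends:
-- host: web1.cloud.csclub.uwaterloo.ca
-port: 80
-- host: admin.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 35357
-- host: auth.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 5000
-- host: compute.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 8774
-- host: console.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 6080
-- host: dashboard.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: web1.cloud.csclub.uwaterloo.ca
-port: 8080
-- host: dns.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 9001
-- host: network.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 9696
-- host: image.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 9292
-- host: object.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 8080
-- host: placement.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 8778
-- host: volume.cloud.csclub.uwaterloo.ca
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 8776
-# TODO: Force SSL for object.csclub.uwaterloo.ca domain
-- name: object-http
-bind:
-- host: '129.97.134.12'
-port: 80
-- host: '2620:101:f000:4901:c5c::c0b:10ad'
-port: 80
-# For certificates, always ensure to update both v4 and v6
-- host: '129.97.134.12'
-port: 443
-ssl: true
-certs:
-- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
-- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
-# For certificates, always ensure to update both v4 and v6
-- host: '2620:101:f000:4901:c5c::c0b:10ad'
-port: 443
-ssl: true
-certs:
-- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
-- /etc/ssl/private/csclub.cloud/csclub.cloud.pem
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 8080
-- name: cloud-metadata
-bind:
-- host: '::'
-port: 8775
-v4v6: true
-ssl: true
-certs:
-- /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
-force_ssl: true
-backends:
-- host: controller1.cloud.csclub.uwaterloo.ca
-port: 8775
-restrict:
-- '10.0.0.0/8'
-- '129.97.0.0/16'
-- '172.16.0.0/12'
-- '2620:101:f000::/47'
-- 'fd74:6b6a:8eca::/47'
-- name: stats
-bind:
-- host: '::'
-port: 8443
-v4v6: true
-ssl: true
-certs:
-- /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
-stats:
-enable: true
-uri: '/'
-restrict:
-- '10.0.0.0/8'
-- '129.97.0.0/16'
-- '172.16.0.0/12'
-- '2620:101:f000::/47'
-- 'fd74:6b6a:8eca::/47'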

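--- a/roles/load-balancer/files/haproxy/genconfig.py
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/usr/bin/env python
-from __future__ import print_function
-import os, sys
-from optparse import OptionParser
-import yaml
-from mako.template import Template
-import pprint
-def main():
-# Arguments
-parser = OptionParser()
-parser.add_option('-c', '--config', dest='config', default='config.yml',
-help='Configuration file', metavar="FILE")
-parser.add_option('-t', '--template', dest='template', default='haproxy.cfg.mako',
-help='haproxy.cfg Mako template')
-(options, args) = parser.parse_args()
-try:
-config = yaml.load(open(options.config, 'r'))
-except Exception as e:
-print(e, file=sys.stderr)
-config = None
-if not config or type(config) != dict:
-print('Unable to load configuration: "{}"'.format(options.config), file=sys.stderr)
-sys.exit(-1)
-print(Template(filename=options.template).render(config=config))
-if __name__ == '__main__':
-main()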

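--- a/roles/load-balancer/files/haproxy/haproxy.cfg.mako
+++ /dev/null
@@ -1,147 +0,0 @@
-global
-log /dev/log local0
-log /dev/log local1 notice
-chroot /var/lib/haproxy
-stats socket /run/haproxy/admin.sock mode 660 level admin
-stats timeout 30s
-user haproxy
-group haproxy
-daemon
-# Default SSL material locations
-ca-base /etc/ssl/certs
-crt-base /etc/ssl/private
-tune.ssl.default-dh-param 2048
-ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDH
-ssl-default-bind-options no-sslv3 no-tls-tickets
-ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC
-ssl-default-server-options no-sslv3 no-tls-tickets
-defaults
-log global
-mode http
-option httplog
-option dontlognull
-timeout connect 5000
-timeout client 50000
-timeout server 50000
-errorfile 400 /etc/haproxy/errors/400.http
-errorfile 403 /etc/haproxy/errors/403.http
-errorfile 408 /etc/haproxy/errors/408.http
-errorfile 500 /etc/haproxy/errors/500.http
-errorfile 502 /etc/haproxy/errors/502.http
-errorfile 503 /etc/haproxy/errors/503.http
-errorfile 504 /etc/haproxy/errors/504.http
-% for frontend in config.get('frontends'):
-frontend ${frontend['name']}
-% for bind in frontend['bind']:
-bind ${bind['host']}:${bind['port']}${' v4v6' if bind.get('v4v6', False) else ''}${' ssl crt {}'.format(' crt '.join(bind['certs'])) if bind.get('ssl', False) else ''}
-% endfor
-mode ${frontend.get('mode', 'http')}
-% if frontend.get('mode', 'http') == 'http':
-option forwardfor
-option http-server-close
-http-request set-header X-Forwarded-Proto https if { ssl_fc }
-http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
-% endif
-% if frontend.get('stats') and frontend['stats'].get('enable', False):
-stats enable
-stats uri ${frontend['stats'].get('uri', '/')}
-% endif
-% for restriction in frontend.get('restrict', []):
-acl network_allowed src ${restriction}
-% endfor
-% if frontend.get('restrict', None):
-http-request deny if !network_allowed
-% endif
-% if not frontend.get('multiple', False):
-# SSL
-% if frontend.get('force_ssl', False):
-redirect scheme https if !{ ssl_fc }
-% endif
-# Backend
-% if frontend.get('backends'):
-use_backend ${frontend['name']}
-% endif
-% else:
-# Determine which virtual host is being requested
-% for project in frontend['projects']:
-# ${project}
-% for proxy in frontend['projects'][project]['proxies']:
-acl ${proxy['host']} hdr(host) -i ${proxy['host']}
-% endfor
-% endfor
-# Redirect SSL
-% for project in frontend['projects']:
-# ${project}
-% for proxy in frontend['projects'][project]['proxies']:
-% if proxy.get('force_ssl', False):
-redirect scheme https if !{ ssl_fc } ${proxy['host']}
-% endif
-% endfor
-% endfor
-# Select backend
-% for project in frontend['projects']:
-# ${project}
-% for proxy in frontend['projects'][project]['proxies']:
-% if proxy.get('force_ssl', False):
-redirect scheme https if !{ ssl_fc } ${proxy['host']}
-% endif
-% endfor
-% endfor
-# Select backend
-% for project in frontend['projects']:
-# ${project}
-% for proxy in frontend['projects'][project]['proxies']:
-use_backend ${frontend['name']}_${project}_${proxy['host']} if ${proxy['host']}
-% endfor
-% endfor
-% endif
-% endfor
-#
-# BACKENDS
-#
-<%def name="backend(name, definition)">
-backend ${name}
-balance ${definition.get('balance', 'leastconn')}
-mode http
-% if definition.get('cookie', False):
-cookie serverid insert indirect nocache
-% endif
-% for index, server in enumerate(definition.get('backends')):
-server ${server['host']}:${server['port']} ${server['host']}:${server['port']} check ${ 'cookie {}'.format(index) if definition.get('cookie', False) else ''}
-% endfor
-</%def>
-% for frontend in config.get('frontends', []):
-% if not frontend.get('multiple', False) and frontend.get('backends'):
-${backend(frontend['name'], frontend)}
-% elif frontend.get('multiple', False):
-% for project in frontend['projects']:
-# ${project}
-% for proxy in frontend['projects'][project]['proxies']:
-${backend('{}_{}_{}'.format(frontend['name'], project, proxy['host']), proxy)}
-% endfor
-% endfor
-% endif
-% endfor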

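--- a/roles/load-balancer/files/ipv6-nonlocalhack.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Hack since 4.3 kernel does not support net.ipv6.ip_nonlocal_bind
-Before=haproxy.service
-[Service]
-ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::10ad/64 dev lo
-ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::c:10ad/64 dev lo
-ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::c0b:10ad/64 dev lo
-RemainAfterExit=true
-Type=oneshot
-[Install]
-WantedBy=multi-user.target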

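--- a/roles/load-balancer/files/ssl
+++ /dev/null
@@ -1 +0,0 @@
-/users/syscom/certs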

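--- a/roles/load-balancer/tasks/main.yml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-# SSL CERTS
-- name: Install SSL certificates
-copy:
-src: ssl/
-dest: /etc/ssl/private/
-directory_mode: "u=rwx,g=rx,o="
-mode: "u=rw,g=r,o="
-owner: root
-group: root
-# Non-local binding
-- name: Install 99-nonlocalbind.conf in /etc/sysctl.d
-copy:
-src: 99-nonlocalbind.conf
-dest: /etc/sysctl.d
-backup: no
-- name: Install ipv6-nonlocalhack.service
-copy:
-src: ipv6-nonlocalhack.service
-dest: /etc/systemd/system/ipv6-nonlocalhack.service
-backup: no
-- name: Start ipv6-nonlocalhack.service
-service:
-name: ipv6-nonlocalhack
-state: running
-# HAPROXY
-- name: Install haproxy
-package:
-name: haproxy
-state: latest
-- name: Install packages required to generate config
-package: name={{ item }} state=latest
-with_items:
-- python-yaml
-- python-mako
-- name: Copy haproxy configuration generation
-copy:
-src: haproxy/
-dest: /tmp/haproxy
-backup: no
-- name: Generate haproxy configuration
-shell: python genconfig.py > /etc/haproxy/haproxy.cfg
-args:
-chdir: /tmp/haproxy/
-- name: Restart haproxy
-service:
-name: haproxy
-state: restarted
-# KEEPALIVED
-- name: Install keepalived
-package:
-name: keepalived
-state: latest
-register: keepalived_installed
-- name: Stop keepalived
-service:
-name: keepalived
-state: stopped
-- name: Copy keepalived config
-template:
-src: keepalived.conf
-dest: /etc/keepalived/keepalived.conf
-backup: no
-#register: keepalived_configuration
-- name: Restart keepalived
-service:
-name: keepalived
-state: restarted
-#when: keepalived_configuration.changed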

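--- a/roles/load-balancer/templates/keepalived.conf
+++ /dev/null
@@ -1,72 +0,0 @@
-global_defs {
-notification_email {
-syscom@csclub.uwaterloo.ca
-}
-notification_email_from load-balancer@csclub.uwaterloo.ca
-}
-vrrp_script check_haproxy {
-script "pidof haproxy"
-interval 1
-weight: -20
-}
-! load-balancer.csclub.uwaterloo.ca
-vrrp_instance VI_10 {
-state MASTER
-interface eth0
-virtual_router_id 10
-priority {{ lb_priority }}
-advert_int 1
-authentication {
-auth_type PASS
-auth_pass CSC_VRRP
-}
-track_script {
-check_haproxy
-}
-virtual_ipaddress {
-129.97.134.10
-2620:101:f000:4901:c5c::10ad
-}
-}
-! load-balancer-cloud.csclub.uwaterloo.ca
-vrrp_instance VI_11 {
-state MASTER
-interface eth0
-virtual_router_id 11
-priority {{ lb_priority }}
-advert_int 1
-authentication {
-auth_type PASS
-auth_pass CSC_VRRP
-}
-track_script {
-check_haproxy
-}
-virtual_ipaddress {
-129.97.134.11
-2620:101:f000:4901:c5c::c:10ad
-}
-}
-! load-balancer-object.csclub.uwaterloo.ca
-vrrp_instance VI_12 {
-state MASTER
-interface eth0
-virtual_router_id 12
-priority {{ lb_priority }}
-advert_int 1
-authentication {
-auth_type PASS
-auth_pass CSC_VRRP
-}
-track_script {
-check_haproxy
-}
-virtual_ipaddress {
-129.97.134.12
-2620:101:f000:4901:c5c::c0b:10ad
-}
-}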

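--- a/rs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- hosts: new-office
-become: yes
-tasks:
-- name: install rsyslog-gnutls
-package: name=rsyslog-gnutls state=latest
-- name: copy tls keys
-copy: src={{ item.src }} dest={{ item.dest }} mode=0640 owner=root group=syslog
-with_items:
-- { src: '/scratch/syscom/{{ ansible_hostname }}/rsyslog.d/ca.pem', dest: '/etc/rsyslog.d/ca.pem' }
-- { src: '/scratch/syscom/{{ ansible_hostname }}/rsyslog.d/cert.pem', dest: '/etc/rsyslog.d/cert.pem' }
-- { src: '/scratch/syscom/{{ ansible_hostname }}/rsyslog.d/key.pem', dest: '/etc/rsyslog.d/key.pem' }
-- name: copy rsyslog config
-copy: src='files/rsyslog.conf' dest='/etc/rsyslog.d/csclub.conf' mode=0644
-- name: restart rsyslog
-service: name=rsyslog state=restarted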

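--- a/update-hosts.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- hosts: all
-become: yes
-become_method: sudo
-tasks:
-- name: update hosts
-connection: local
-git: repo=~git/public/hosts.git dest=/tmp/generate-hosts-{{ ansible_hostname }}
-- name: generate hosts file
-connection: local
-shell: /tmp/generate-hosts-{{ ansible_hostname }}/generate-hosts.py < /tmp/generate-hosts-{{ ansible_hostname }}/hosts.in > /tmp/generate-hosts-{{ ansible_hostname }}/hosts
-- name: copy hosts file
-copy: src=/tmp/generate-hosts-{{ ansible_hostname }}/hosts dest=/etc/hosts backup=no
-- name: etckeeper commit
-command: etckeeper commit "Update /etc/hosts with ansible"
-- name: delete local copy
-connection: local
-command: rm -rf /tmp/generate-hosts-{{ ansible_hostname }}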