From f4933d7d761f26ab50bb62093f7d0565d36107a2 Mon Sep 17 00:00:00 2001
From: Edwin Zhang
Date: Sun, 31 Jul 2022 00:26:47 -0400
Subject: [PATCH] Remove old playbooks
---
files/rsyslog.conf | 18 --
generate-hosts.yml | 7 -
loadbalancer.yml | 13 -
roles/generate-hosts/tasks/main.yml | 18 --
.../load-balancer/files/99-nonlocalbind.conf | 4 -
roles/load-balancer/files/haproxy.cfg | 263 -----------------
roles/load-balancer/files/haproxy/config.yml | 277 ------------------
.../load-balancer/files/haproxy/genconfig.py | 37 ---
.../files/haproxy/haproxy.cfg.mako | 147 ----------
.../files/ipv6-nonlocalhack.service | 13 -
roles/load-balancer/files/ssl | 1 -
roles/load-balancer/tasks/main.yml | 82 ------
roles/load-balancer/templates/keepalived.conf | 72 -----
rs.yml | 16 -
update-hosts.yml | 18 --
15 files changed, 986 deletions(-)
delete mode 100644 files/rsyslog.conf
delete mode 100644 generate-hosts.yml
delete mode 100644 loadbalancer.yml
delete mode 100644 roles/generate-hosts/tasks/main.yml
delete mode 100644 roles/load-balancer/files/99-nonlocalbind.conf
delete mode 100644 roles/load-balancer/files/haproxy.cfg
delete mode 100644 roles/load-balancer/files/haproxy/config.yml
delete mode 100755 roles/load-balancer/files/haproxy/genconfig.py
delete mode 100644 roles/load-balancer/files/haproxy/haproxy.cfg.mako
delete mode 100644 roles/load-balancer/files/ipv6-nonlocalhack.service
delete mode 120000 roles/load-balancer/files/ssl
delete mode 100644 roles/load-balancer/tasks/main.yml
delete mode 100644 roles/load-balancer/templates/keepalived.conf
delete mode 100644 rs.yml
delete mode 100644 update-hosts.yml
diff --git a/files/rsyslog.conf b/files/rsyslog.conf
deleted file mode 100644
index 6382821..0000000
--- a/files/rsyslog.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-
-#
-# Computer Science Club
-# Logging
-#
-
-# Configure TLS
-$DefaultNetstreamDriver gtls
-$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
-$DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert.pem
-$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/key.pem
-
-$ActionSendStreamDriverAuthMode x509/name
-$ActionSendStreamDriverPermittedPeer hydrazine.csclub.uwaterloo.ca
-$ActionSendStreamDriverMode 1 # TLS-only
-
-# All logs are sent to the log server(s)
-*.* @@hydrazine.csclub.uwaterloo.ca:10514
diff --git a/generate-hosts.yml b/generate-hosts.yml
deleted file mode 100644
index 812157d..0000000
--- a/generate-hosts.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
- - hosts: all
- become: yes
- become_method: sudo
- roles:
- - generate-hosts
- - cleanup
diff --git a/loadbalancer.yml b/loadbalancer.yml
deleted file mode 100644
index d2eddf9..0000000
--- a/loadbalancer.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
- - hosts: load-balancers
- become: yes
- become_method: sudo
- serial: "50%"
- pre_tasks:
- - name: stop keepalived (to remove from rotation)
- service:
- name: keepalived
- state: stopped
- roles:
- - load-balancer
- - cleanup
diff --git a/roles/generate-hosts/tasks/main.yml b/roles/generate-hosts/tasks/main.yml
deleted file mode 100644
index 186649f..0000000
--- a/roles/generate-hosts/tasks/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: update hosts
- connection: local
- become: no
- git: repo=~git/public/hosts.git dest=/tmp/generate-hosts-{{ ansible_hostname }}
-
-- name: generate hosts file
- connection: local
- become: no
- shell: /tmp/generate-hosts-{{ ansible_hostname }}/generate-hosts.py < /tmp/generate-hosts-{{ ansible_hostname }}/hosts.in > /tmp/generate-hosts-{{ ansible_hostname }}/hosts
-
-- name: copy hosts file
- copy: src=/tmp/generate-hosts-{{ ansible_hostname }}/hosts dest=/etc/hosts backup=yes
-
-- name: cleanup generate-hosts
- connection: local
- become: no
- file: path=/tmp/generate-hosts-{{ ansible_hostname }} state=absent
diff --git a/roles/load-balancer/files/99-nonlocalbind.conf b/roles/load-balancer/files/99-nonlocalbind.conf
deleted file mode 100644
index 6c9c996..0000000
--- a/roles/load-balancer/files/99-nonlocalbind.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-net.ipv4.ip_nonlocal_bind = 1
-
-# Until the kernel > 4.3, a hack binds the IPs on lo
-# net.ipv6.ip_nonlocal_bind = 1
diff --git a/roles/load-balancer/files/haproxy.cfg b/roles/load-balancer/files/haproxy.cfg
deleted file mode 100644
index 807e870..0000000
--- a/roles/load-balancer/files/haproxy.cfg
+++ /dev/null
@@ -1,263 +0,0 @@ -global - log /dev/log local0 - log /dev/log local1 notice - chroot /var/lib/haproxy - stats socket /run/haproxy/admin.sock mode 660 level admin - stats timeout 30s - user haproxy - group haproxy - daemon - - # Default SSL material locations - ca-base /etc/ssl/certs - crt-base /etc/ssl/private - - # Default ciphers to use on SSL-enabled listening sockets. - # For more information, see ciphers(1SSL). This list is from: - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ - #ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS - #ssl-default-bind-options no-sslv3 - - tune.ssl.default-dh-param 2048 - ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - ssl-default-bind-options no-sslv3 no-tls-tickets - ssl-default-server-ciphers 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - ssl-default-server-options no-sslv3 no-tls-tickets - - -defaults - log global - mode http - option httplog - option dontlognull - timeout connect 5000 - timeout client 50000 - timeout server 50000 - errorfile 400 /etc/haproxy/errors/400.http - errorfile 403 /etc/haproxy/errors/403.http - errorfile 408 /etc/haproxy/errors/408.http - errorfile 500 /etc/haproxy/errors/500.http - errorfile 502 /etc/haproxy/errors/502.http - errorfile 503 /etc/haproxy/errors/503.http - errorfile 504 /etc/haproxy/errors/504.http - -#frontend ssh -# bind :::2222 v4v6 -# mode tcp -# option tcplog -# -# default_backend ssh_general-use - -frontend http_cloud_metadata - bind :::8775 v4v6 ssl crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem - mode http - option forwardfor - - http-request set-header X-Forwarded-Proto https if { ssl_fc } - - default_backend http_metadata.cloud.csclub.uwaterloo.ca - -frontend http - bind :::80 v4v6 - bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem crt /etc/ssl/private/csclub.cloud/csclub.cloud.pem - mode http - option forwardfor - - # Add proto - http-request set-header X-Forwarded-Proto https if { ssl_fc } - - # - # Determine host - # - - # csclub webpage - acl 
csclub.uwaterloo.ca hdr(host) -i csclub.uwaterloo.ca - acl csclub.uwaterloo.ca hdr(host) -i www.csclub.uwaterloo.ca - acl csclub.uwaterloo.ca hdr(host) -i www2.csclub.uwaterloo.ca - - # cloud.csclub - acl cloud.csclub.uwaterloo.ca hdr(host) -i cloud.csclub.uwaterloo.ca - acl console.cloud.csclub.uwaterloo.ca hdr(host) -i console.cloud.csclub.uwaterloo.ca - acl auth.cloud.csclub.uwaterloo.ca hdr(host) -i auth.cloud.csclub.uwaterloo.ca - acl admin.cloud.csclub.uwaterloo.ca hdr(host) -i admin.cloud.csclub.uwaterloo.ca - acl compute.cloud.csclub.uwaterloo.ca hdr(host) -i compute.cloud.csclub.uwaterloo.ca - acl dns.cloud.csclub.uwaterloo.ca hdr(host) -i dns.cloud.csclub.uwaterloo.ca - acl metadata.cloud.csclub.uwaterloo.ca hdr(host) -i metadata.cloud.csclub.uwaterloo.ca - acl network.cloud.csclub.uwaterloo.ca hdr(host) -i network.cloud.csclub.uwaterloo.ca - acl image.cloud.csclub.uwaterloo.ca hdr(host) -i image.cloud.csclub.uwaterloo.ca - acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.cloud.csclub.uwaterloo.ca - acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.csclub.uwaterloo.ca - acl volume.cloud.csclub.uwaterloo.ca hdr(host) -i volume.cloud.csclub.uwaterloo.ca - - # csclub.cloud - acl csclub.cloud hdr(host) csclub.cloud - acl csclub.cloud hdr(host) www.csclub.cloud - - # - # csclub.cloud (users) - # - - # iie - acl iie_iise-wiki.csclub.cloud hdr(host) -i iise-wiki.csclub.cloud - - # ztseguin - acl ztseguin.csclub.cloud hdr(host) -i ztseguin.csclub.cloud - acl ztseguin-reddit.csclub.cloud hdr(host) -i ztseguin-reddit.csclub.cloud - acl ztseguin-reddit.csclub.cloud hdr(host) -i reddit.csclub.cloud - - # Force SSL - redirect scheme https if !{ ssl_fc } cloud.csclub.uwaterloo.ca - redirect scheme https if !{ ssl_fc } admin.cloud.csclub.uwaterloo.ca - redirect scheme https if !{ ssl_fc } auth.cloud.csclub.uwaterloo.ca - redirect scheme https if !{ ssl_fc } console.cloud.csclub.uwaterloo.ca - redirect scheme https if !{ ssl_fc } 
compute.cloud.csclub.uwaterloo.ca - redirect scheme https if !{ ssl_fc } dns.cloud.csclub.uwaterloo.ca - redirect scheme https if !{ ssl_fc } metadata.cloud.csclub.uwaterloo.ca - redirect scheme https if !{ ssl_fc } network.cloud.csclub.uwaterloo.ca - redirect scheme https if !{ ssl_fc } image.cloud.csclub.uwaterloo.ca - redirect scheme https if !{ ssl_fc } object.cloud.csclub.uwaterloo.ca - redirect scheme https if !{ ssl_fc } volume.cloud.csclub.uwaterloo.ca - - redirect scheme https if !{ ssl_fc } csclub.cloud - - redirect scheme https if !{ ssl_fc } ztseguin.csclub.cloud - - redirect scheme https if !{ ssl_fc } iie_iise-wiki.csclub.cloud - - # Backend - use_backend http_csclub.uwaterloo.ca if csclub.uwaterloo.ca - - use_backend http_cloud.csclub.uwaterloo.ca if cloud.csclub.uwaterloo.ca - use_backend http_auth.cloud.csclub.uwaterloo.ca if auth.cloud.csclub.uwaterloo.ca - use_backend http_admin.cloud.csclub.uwaterloo.ca if admin.cloud.csclub.uwaterloo.ca - use_backend http_console.cloud.csclub.uwaterloo.ca if console.cloud.csclub.uwaterloo.ca - use_backend http_compute.cloud.csclub.uwaterloo.ca if compute.cloud.csclub.uwaterloo.ca - use_backend http_dns.cloud.csclub.uwaterloo.ca if dns.cloud.csclub.uwaterloo.ca - use_backend http_metadata.cloud.csclub.uwaterloo.ca if metadata.cloud.csclub.uwaterloo.ca - use_backend http_network.cloud.csclub.uwaterloo.ca if network.cloud.csclub.uwaterloo.ca - use_backend http_image.cloud.csclub.uwaterloo.ca if image.cloud.csclub.uwaterloo.ca - use_backend http_object.cloud.csclub.uwaterloo.ca if object.cloud.csclub.uwaterloo.ca - use_backend http_volume.cloud.csclub.uwaterloo.ca if volume.cloud.csclub.uwaterloo.ca - - use_backend http_cloud.csclub.uwaterloo.ca if csclub.cloud - - use_backend http_ztseguin.csclub.cloud if ztseguin.csclub.cloud - - use_backend http_iie_iise-wiki.csclub.cloud if iie_iise-wiki.csclub.cloud - -frontend stats - bind :::8443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem - 
mode http - no log - - stats enable - stats uri / - - acl network_allowed src 10.0.0.0/8 - acl network_allowed src 129.97.0.0/16 - acl network_allowed src 172.16.0.0/12 - acl network_allowed src 2620:101:f000::/47 - acl network_allowed src fd74:6b6a:8eca::/47 - - tcp-request connection reject if !network_allowed - -# -# BACKENDS -# -#backend ssh_general-use -# balance roundrobin -# mode tcp - -# server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22 -# server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22 -# server sucrose sucrose.csclub.uwaterloo.ca check port 22 - -backend http_csclub.uwaterloo.ca - balance leastconn - mode http - - cookie serverid insert indirect nocache - - server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00 - server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01 - -backend http_cloud.csclub.uwaterloo.ca - balance leastconn - mode http - - cookie serverid insert indirect nocache - - #server web1.cloud web1.cloud.csclub.uwaterloo.ca:80 check cookie 01 - server web1.cloud 172.19.134.5:80 check cookie 01 - -backend http_auth.cloud.csclub.uwaterloo.ca - balance roundrobin - mode http - - server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:5000 check - -backend http_admin.cloud.csclub.uwaterloo.ca - balance roundrobin - mode http - - server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:35357 check - -backend http_console.cloud.csclub.uwaterloo.ca - balance leastconn - mode http - - server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:6080 check - -backend http_compute.cloud.csclub.uwaterloo.ca - balance roundrobin - mode http - - server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8774 check - -backend http_dns.cloud.csclub.uwaterloo.ca - balance roundrobin - mode http - - server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9001 check - -backend http_network.cloud.csclub.uwaterloo.ca - balance roundrobin - mode http - - 
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9696 check - -backend http_metadata.cloud.csclub.uwaterloo.ca - balance roundrobin - mode http - - server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8775 check - -backend http_image.cloud.csclub.uwaterloo.ca - balance roundrobin - mode http - - server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9292 check - -backend http_object.cloud.csclub.uwaterloo.ca - balance roundrobin - mode http - - server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8080 check - -backend http_volume.cloud.csclub.uwaterloo.ca - balance roundrobin - mode http - - server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8776 check - -backend http_ztseguin.csclub.cloud - balance roundrobin - mode http - - server ztseguin1 csc-web.zacharyseguin.ca:80 check - -backend http_iie_iise-wiki.csclub.cloud - balance roundrobin - mode http - - server wiki wiki.iie.csclub.cloud:8090 check diff --git a/roles/load-balancer/files/haproxy/config.yml b/roles/load-balancer/files/haproxy/config.yml deleted file mode 100644 index 82da262..0000000 --- a/roles/load-balancer/files/haproxy/config.yml +++ /dev/null 
@@ -1,277 +0,0 @@ -frontends: - - name: http - bind: - - host: '129.97.134.10' - port: 80 - - host: '2620:101:f000:4901:c5c::10ad' - port: 80 - - # For certificates, always ensure to update both v4 and v6 - - host: '129.97.134.10' - port: 443 - ssl: true - certs: - - /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem - - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem - - /etc/ssl/private/csclub.cloud/csclub.cloud.pem - - /etc/ssl/private/ztseguin/alerts.zacharyseguin.ca/alerts.zacharyseguin.ca.pem - # For certificates, always ensure to update both v4 and v6 - - host: '2620:101:f000:4901:c5c::10ad' - port: 443 - ssl: true - certs: - - /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem - - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem - - /etc/ssl/private/csclub.cloud/csclub.cloud.pem - - /etc/ssl/private/ztseguin/alerts.zacharyseguin.ca/alerts.zacharyseguin.ca.pem - multiple: true - projects: - csc: - proxies: - - host: www2.csclub.uwaterloo.ca - cookie: true - backends: - - host: caffeine-00.csclub.uwaterloo.ca - port: 80 - - host: caffeine-01.csclub.uwaterloo.ca - port: 80 - - host: crl.csclub.uwaterloo.ca - cookie: true - backends: - - host: caffeine-00.csclub.uwaterloo.ca - port: 80 - - host: caffeine-01.csclub.uwaterloo.ca - port: 80 - - host: cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: web1.cloud.csclub.uwaterloo.ca - port: 80 - - host: csclub.cloud - force_ssl: true - backends: - - host: web1.cloud.csclub.uwaterloo.ca - port: 80 - office: - proxies: - - host: office.csclub.cloud - force_ssl: true - backends: - - host: 172.19.134.51 - port: 80 - - host: 2620:101:f000:4903:f816:3eff:fe11:1dd9 - port: 80 - ztseguin: - proxies: - - host: ztseguin.csclub.cloud - force_ssl: true - backends: - - host: node1.web.ztseguin.csclub.cloud - port: 80 - - host: dashboard.csclub.cloud - force_ssl: true - backends: - - host: dashboard.ztseguin.csclub.cloud - port: 80 - - host: 
alerts.zacharyseguin.ca - force_ssl: true - backends: - - host: web1.alerts-canada.ztseguin.csclub.cloud - port: 80 - - host: ztseguin-alerts-canada.csclub.cloud - force_ssl: true - backends: - - host: web1.alerts-canada.ztseguin.csclub.cloud - port: 80 - - host: freebsd.packages.zacharyseguin.ca - backends: - - host: george-mason.zacharyseguin.ca - port: 80 - - host: twig-sockets.csclub.cloud - force_ssl: true - backends: - - host: sucrose.csclub.uwaterloo.ca - port: 25000 - - host: twig.csclub.cloud - force_ssl: true - backends: - - host: twig-prod.ztseguin.csclub.cloud - port: 80 - - host: twig-dev.csclub.cloud - force_ssl: true - backends: - - host: twig-dev.ztseguin.csclub.cloud - port: 5000 - iie: - proxies: - - host: iise-wiki.csclub.cloud - force_ssl: true - backends: - - host: wiki.iie.csclub.cloud - port: 8090 - uwarc: - proxies: - - host: uwarc-wiki.csclub.cloud - force_ssl: true - backends: - - host: wiki.uwarc.csclub.cloud - port: 80 - - host: wiki.uwarc.uwaterloo.club - force_ssl: true - backends: - - host: wiki.uwarc.csclub.cloud - port: 80 - - name: cloud-http - bind: - - host: '129.97.134.11' - port: 80 - - host: '2620:101:f000:4901:c5c::c:10ad' - port: 80 - - # For certificates, always ensure to update both v4 and v6 - - host: '129.97.134.11' - port: 443 - ssl: true - certs: - - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem - # For certificates, always ensure to update both v4 and v6 - - host: '2620:101:f000:4901:c5c::c:10ad' - port: 443 - ssl: true - certs: - - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem - multiple: true - projects: - csc-cloud: - proxies: - - host: csclub.cloud - force_ssl: true - backends: - - host: web1.cloud.csclub.uwaterloo.ca - port: 80 - - host: www.csclub.cloud - force_ssl: true - backends: - - host: web1.cloud.csclub.uwaterloo.ca - port: 80 - - host: cloud.csclub.uwaterloo.ca - force_ssl: true - cookie: true - backends: - - host: web1.cloud.csclub.uwaterloo.ca - 
port: 80 - - host: admin.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 35357 - - host: auth.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 5000 - - host: compute.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 8774 - - host: console.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 6080 - - host: dashboard.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: web1.cloud.csclub.uwaterloo.ca - port: 8080 - - host: dns.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 9001 - - host: network.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 9696 - - host: image.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 9292 - - host: object.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 8080 - - host: placement.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 8778 - - host: volume.cloud.csclub.uwaterloo.ca - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 8776 - # TODO: Force SSL for object.csclub.uwaterloo.ca domain - - name: object-http - bind: - - host: '129.97.134.12' - port: 80 - - host: '2620:101:f000:4901:c5c::c0b:10ad' - port: 80 - - # For certificates, always ensure to update both v4 and v6 - - host: '129.97.134.12' - port: 443 - ssl: true - certs: - - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem - - /etc/ssl/private/csclub.cloud/csclub.cloud.pem - # For certificates, always ensure to update both v4 and v6 - - host: 
'2620:101:f000:4901:c5c::c0b:10ad' - port: 443 - ssl: true - certs: - - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem - - /etc/ssl/private/csclub.cloud/csclub.cloud.pem - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 8080 - - name: cloud-metadata - bind: - - host: '::' - port: 8775 - v4v6: true - ssl: true - certs: - - /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem - force_ssl: true - backends: - - host: controller1.cloud.csclub.uwaterloo.ca - port: 8775 - restrict: - - '10.0.0.0/8' - - '129.97.0.0/16' - - '172.16.0.0/12' - - '2620:101:f000::/47' - - 'fd74:6b6a:8eca::/47' - - name: stats - bind: - - host: '::' - port: 8443 - v4v6: true - ssl: true - certs: - - /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem - stats: - enable: true - uri: '/' - restrict: - - '10.0.0.0/8' - - '129.97.0.0/16' - - '172.16.0.0/12' - - '2620:101:f000::/47' - - 'fd74:6b6a:8eca::/47' diff --git a/roles/load-balancer/files/haproxy/genconfig.py b/roles/load-balancer/files/haproxy/genconfig.py deleted file mode 100755 index 5aa5436..0000000 --- a/roles/load-balancer/files/haproxy/genconfig.py +++ /dev/null 
@@ -1,37 +0,0 @@
-#!/usr/bin/env python
-
-from __future__ import print_function
-
-import os, sys
-from optparse import OptionParser
-import yaml
-from mako.template import Template
-
-import pprint
-
-def main():
- # Arguments
- parser = OptionParser()
-
- parser.add_option('-c', '--config', dest='config', default='config.yml',
- help='Configuration file', metavar="FILE")
- parser.add_option('-t', '--template', dest='template', default='haproxy.cfg.mako',
- help='haproxy.cfg Mako template')
-
-
- (options, args) = parser.parse_args()
-
- try:
- config = yaml.load(open(options.config, 'r'))
- except Exception as e:
- print(e, file=sys.stderr)
- config = None
-
- if not config or type(config) != dict:
- print('Unable to load configuration: "{}"'.format(options.config), file=sys.stderr)
- sys.exit(-1)
-
- print(Template(filename=options.template).render(config=config))
-
-if __name__ == '__main__':
- main()
diff --git a/roles/load-balancer/files/haproxy/haproxy.cfg.mako b/roles/load-balancer/files/haproxy/haproxy.cfg.mako
deleted file mode 100644
index be5a92a..0000000
--- a/roles/load-balancer/files/haproxy/haproxy.cfg.mako
+++ /dev/null
@@ -1,147 +0,0 @@ -global - log /dev/log local0 - log /dev/log local1 notice - chroot /var/lib/haproxy - stats socket /run/haproxy/admin.sock mode 660 level admin - stats timeout 30s - user haproxy - group haproxy - daemon - - # Default SSL material locations - ca-base /etc/ssl/certs - crt-base /etc/ssl/private - - tune.ssl.default-dh-param 2048 - ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDH - ssl-default-bind-options no-sslv3 no-tls-tickets - ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC - ssl-default-server-options no-sslv3 no-tls-tickets - -defaults - log global - mode http - option httplog - option dontlognull - timeout connect 5000 - timeout client 50000 - timeout server 50000 - errorfile 400 /etc/haproxy/errors/400.http - errorfile 403 /etc/haproxy/errors/403.http - errorfile 408 /etc/haproxy/errors/408.http - errorfile 500 /etc/haproxy/errors/500.http - errorfile 502 /etc/haproxy/errors/502.http - errorfile 503 /etc/haproxy/errors/503.http - errorfile 504 /etc/haproxy/errors/504.http - -% for frontend in config.get('frontends'): -frontend ${frontend['name']} - % for bind in frontend['bind']: - bind ${bind['host']}:${bind['port']}${' v4v6' if bind.get('v4v6', False) else ''}${' ssl crt {}'.format(' crt '.join(bind['certs'])) if bind.get('ssl', False) else ''} - % endfor - - mode ${frontend.get('mode', 'http')} - - % if frontend.get('mode', 'http') == 'http': - option forwardfor - option http-server-close - http-request set-header X-Forwarded-Proto https if { ssl_fc } - http-request set-header X-Forwarded-Proto http if !{ ssl_fc } - % endif - - % if frontend.get('stats') and frontend['stats'].get('enable', False): - stats enable - stats uri ${frontend['stats'].get('uri', '/')} - % endif - - % for restriction in frontend.get('restrict', []): - acl network_allowed src ${restriction} - % endfor - - % if frontend.get('restrict', None): - http-request deny if !network_allowed - % 
endif - - % if not frontend.get('multiple', False): - # SSL - % if frontend.get('force_ssl', False): - redirect scheme https if !{ ssl_fc } - % endif - - # Backend - % if frontend.get('backends'): - use_backend ${frontend['name']} - % endif - % else: - # Determine which virtual host is being requested - % for project in frontend['projects']: - # ${project} - % for proxy in frontend['projects'][project]['proxies']: - acl ${proxy['host']} hdr(host) -i ${proxy['host']} - % endfor - - % endfor - - # Redirect SSL - % for project in frontend['projects']: - # ${project} - % for proxy in frontend['projects'][project]['proxies']: - % if proxy.get('force_ssl', False): - redirect scheme https if !{ ssl_fc } ${proxy['host']} - % endif - % endfor - - % endfor - - # Select backend - % for project in frontend['projects']: - # ${project} - % for proxy in frontend['projects'][project]['proxies']: - % if proxy.get('force_ssl', False): - redirect scheme https if !{ ssl_fc } ${proxy['host']} - % endif - % endfor - - % endfor - - # Select backend - % for project in frontend['projects']: - # ${project} - % for proxy in frontend['projects'][project]['proxies']: - use_backend ${frontend['name']}_${project}_${proxy['host']} if ${proxy['host']} - % endfor - - % endfor - % endif - -% endfor - -# -# BACKENDS -# -<%def name="backend(name, definition)"> - backend ${name} - balance ${definition.get('balance', 'leastconn')} - mode http - % if definition.get('cookie', False): - - cookie serverid insert indirect nocache - % endif - - % for index, server in enumerate(definition.get('backends')): - server ${server['host']}:${server['port']} ${server['host']}:${server['port']} check ${ 'cookie {}'.format(index) if definition.get('cookie', False) else ''} - % endfor - -% for frontend in config.get('frontends', []): - % if not frontend.get('multiple', False) and frontend.get('backends'): - ${backend(frontend['name'], frontend)} - % elif frontend.get('multiple', False): - % for project in 
frontend['projects']:
- # ${project}
- % for proxy in frontend['projects'][project]['proxies']:
- ${backend('{}_{}_{}'.format(frontend['name'], project, proxy['host']), proxy)}
-
- % endfor
- % endfor
- % endif
-% endfor
diff --git a/roles/load-balancer/files/ipv6-nonlocalhack.service b/roles/load-balancer/files/ipv6-nonlocalhack.service
deleted file mode 100644
index 22d02a4..0000000
--- a/roles/load-balancer/files/ipv6-nonlocalhack.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Hack since 4.3 kernel does not support net.ipv6.ip_nonlocal_bind
-Before=haproxy.service
-
-[Service]
-ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::10ad/64 dev lo
-ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::c:10ad/64 dev lo
-ExecStart=/sbin/ip -6 addr add 2620:101:f000:4901:c5c::c0b:10ad/64 dev lo
-RemainAfterExit=true
-Type=oneshot
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/load-balancer/files/ssl b/roles/load-balancer/files/ssl
deleted file mode 120000
index 71a266e..0000000
--- a/roles/load-balancer/files/ssl
+++ /dev/null
@@ -1 +0,0 @@
-/users/syscom/certs
\ No newline at end of file
diff --git a/roles/load-balancer/tasks/main.yml b/roles/load-balancer/tasks/main.yml
deleted file mode 100644
index c429b71..0000000
--- a/roles/load-balancer/tasks/main.yml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-
-# SSL CERTS
-- name: Install SSL certificates
- copy:
- src: ssl/
- dest: /etc/ssl/private/
- directory_mode: "u=rwx,g=rx,o="
- mode: "u=rw,g=r,o="
- owner: root
- group: root
-
-# Non-local binding
-- name: Install 99-nonlocalbind.conf in /etc/sysctl.d
- copy:
- src: 99-nonlocalbind.conf
- dest: /etc/sysctl.d
- backup: no
-
-- name: Install ipv6-nonlocalhack.service
- copy:
- src: ipv6-nonlocalhack.service
- dest: /etc/systemd/system/ipv6-nonlocalhack.service
- backup: no
-
-- name: Start ipv6-nonlocalhack.service
- service:
- name: ipv6-nonlocalhack
- state: running
-
-# HAPROXY
-- name: Install haproxy
- package:
- name: haproxy
- state: latest
-
-- name: Install packages required to generate config
- package: name={{ item }} state=latest
- with_items:
- - python-yaml
- - python-mako
-
-- name: Copy haproxy configuration generation
- copy:
- src: haproxy/
- dest: /tmp/haproxy
- backup: no
-
-- name: Generate haproxy configuration
- shell: python genconfig.py > /etc/haproxy/haproxy.cfg
- args:
- chdir: /tmp/haproxy/
-
-- name: Restart haproxy
- service:
- name: haproxy
- state: restarted
-
-# KEEPALIVED
-- name: Install keepalived
- package:
- name: keepalived
- state: latest
- register: keepalived_installed
-
-- name: Stop keepalived
- service:
- name: keepalived
- state: stopped
-
-- name: Copy keepalived config
- template:
- src: keepalived.conf
- dest: /etc/keepalived/keepalived.conf
- backup: no
- #register: keepalived_configuration
-
-- name: Restart keepalived
- service:
- name: keepalived
- state: restarted
- #when: keepalived_configuration.changed
diff --git a/roles/load-balancer/templates/keepalived.conf b/roles/load-balancer/templates/keepalived.conf
deleted file mode 100644
index 873ef04..0000000
--- a/roles/load-balancer/templates/keepalived.conf
+++ /dev/null
@@ -1,72 +0,0 @@
-global_defs {
- notification_email {
- syscom@csclub.uwaterloo.ca
- }
- notification_email_from load-balancer@csclub.uwaterloo.ca
-}
-
-vrrp_script check_haproxy {
- script "pidof haproxy"
- interval 1
- weight: -20
-}
-
-! load-balancer.csclub.uwaterloo.ca
-vrrp_instance VI_10 {
- state MASTER
- interface eth0
- virtual_router_id 10
- priority {{ lb_priority }}
- advert_int 1
- authentication {
- auth_type PASS
- auth_pass CSC_VRRP
- }
- track_script {
- check_haproxy
- }
- virtual_ipaddress {
- 129.97.134.10
- 2620:101:f000:4901:c5c::10ad
- }
-}
-
-! load-balancer-cloud.csclub.uwaterloo.ca
-vrrp_instance VI_11 {
- state MASTER
- interface eth0
- virtual_router_id 11
- priority {{ lb_priority }}
- advert_int 1
- authentication {
- auth_type PASS
- auth_pass CSC_VRRP
- }
- track_script {
- check_haproxy
- }
- virtual_ipaddress {
- 129.97.134.11
- 2620:101:f000:4901:c5c::c:10ad
- }
-}
-
-! load-balancer-object.csclub.uwaterloo.ca
-vrrp_instance VI_12 {
- state MASTER
- interface eth0
- virtual_router_id 12
- priority {{ lb_priority }}
- advert_int 1
- authentication {
- auth_type PASS
- auth_pass CSC_VRRP
- }
- track_script {
- check_haproxy
- }
- virtual_ipaddress {
- 129.97.134.12
- 2620:101:f000:4901:c5c::c0b:10ad
- }
-}
diff --git a/rs.yml b/rs.yml
deleted file mode 100644
index 1a337b3..0000000
--- a/rs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- hosts: new-office
- become: yes
- tasks:
- - name: install rsyslog-gnutls
- package: name=rsyslog-gnutls state=latest
- - name: copy tls keys
- copy: src={{ item.src }} dest={{ item.dest }} mode=0640 owner=root group=syslog
- with_items:
- - { src: '/scratch/syscom/{{ ansible_hostname }}/rsyslog.d/ca.pem', dest: '/etc/rsyslog.d/ca.pem' }
- - { src: '/scratch/syscom/{{ ansible_hostname }}/rsyslog.d/cert.pem', dest: '/etc/rsyslog.d/cert.pem' }
- - { src: '/scratch/syscom/{{ ansible_hostname }}/rsyslog.d/key.pem', dest: '/etc/rsyslog.d/key.pem' }
- - name: copy rsyslog config
- copy: src='files/rsyslog.conf' dest='/etc/rsyslog.d/csclub.conf' mode=0644
- - name: restart rsyslog
- service: name=rsyslog state=restarted
diff --git a/update-hosts.yml b/update-hosts.yml
deleted file mode 100644
index 8c0cf90..0000000
--- a/update-hosts.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- hosts: all
- become: yes
- become_method: sudo
- tasks:
- - name: update hosts
- connection: local
- git: repo=~git/public/hosts.git dest=/tmp/generate-hosts-{{ ansible_hostname }}
- - name: generate hosts file
- connection: local
- shell: /tmp/generate-hosts-{{ ansible_hostname }}/generate-hosts.py < /tmp/generate-hosts-{{ ansible_hostname }}/hosts.in > /tmp/generate-hosts-{{ ansible_hostname }}/hosts
- - name: copy hosts file
- copy: src=/tmp/generate-hosts-{{ ansible_hostname }}/hosts dest=/etc/hosts backup=no
- - name: etckeeper commit
- command: etckeeper commit "Update /etc/hosts with ansible"
- - name: delete local copy
- connection: local
- command: rm -rf /tmp/generate-hosts-{{ ansible_hostname }}