whitespace/quoting: pubsub
[mirror/dsa-puppet.git] / modules / roles / manifests / pubsub.pp
index b48097e..4600665 100644 (file)
@@ -1,2 +1,49 @@
 class roles::pubsub {
+  include roles::pubsub::params
+  include roles::pubsub::entities
+
+  $cluster_cookie  = $roles::pubsub::params::cluster_cookie
+
+  $cc_master       = rainier
+  $cc_secondary    = rapoport
+
+  class { 'rabbitmq':
+    config_cluster    => true,
+    cluster_nodes     => [
+      $cc_master,
+      $cc_secondary,
+    ],
+    cluster_node_type => 'disc',
+    erlang_cookie     => '8r17so6o1s124ns49sr08n0o24342160',
+    delete_guest_user => true,
+    ssl               => true,
+    ssl_cacert        => '/etc/ssl/debian/certs/ca.crt',
+    ssl_cert          => '/etc/ssl/debian/certs/thishost-server.crt',
+    ssl_key           => '/etc/ssl/private/thishost-server.key',
+    ssl_port          => 5671,
+    ssl_verify        => 'verify_none',
+    repos_ensure      => false,
+  }
+
+  user { 'rabbitmq':
+    groups => 'ssl-cert'
+  }
+
+  ferm::rule { 'rabbitmq':
+    description => 'rabbitmq connections',
+    domain      => '(ip ip6)',
+    rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN)'
+  }
+
+  if $::hostname == $cc_master {
+    $other = join(getfromhash($deprecated::allnodeinfo, "${cc_secondary}.debian.org", 'ipHostNumber'), ' ')
+  } else {
+    $other = join(getfromhash($deprecated::allnodeinfo, "${cc_master}.debian.org", 'ipHostNumber'), ' ')
+  }
+
+  ferm::rule { 'rabbitmq_cluster':
+    domain      => '(ip ip6)',
+    description => 'rabbitmq cluster connections',
+    rule        => "proto tcp mod state state (NEW) saddr (${other}) ACCEPT"
+  }
 }
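Review bot: The `erlang_cookie` parameter of the `rabbitmq` class is set to a literal string, while `$cluster_cookie` is read from `roles::pubsub::params` a few lines earlier and never used. The Erlang cookie is the shared secret that authenticates cluster nodes and CLI tools to each other, so committing it in the manifest exposes it to everyone who can read the repository or its mirrors. I would pass the looked-up value instead, `erlang_cookie => $cluster_cookie,`, and rotate the cookie because the committed one stays in history. Separately, `ssl_verify => 'verify_none'` means the broker does not validate client certificates on port 5671; if that is intentional, a comment such as `# clients authenticate with username/password only; peer certs are not checked` would make the decision visible to later reviewers.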