From: Adam D. Barratt
Date: Sat, 28 Sep 2019 14:22:21 +0000 (+0100)
Subject: Merge branch 'salsa' into fordsa
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=96133fd453443da74a750d4f10fbe89b749e16ac;hp=a0d15b85af83b8404ddac70ccb9d66b4c62c63fb;p=mirror%2Fdsa-puppet.git
Merge branch 'salsa' into fordsa
---
diff --git a/modules/autofs/manifests/init.pp b/modules/autofs/manifests/init.pp
index dbfb6fba2..1c349232d 100644
--- a/modules/autofs/manifests/init.pp
+++ b/modules/autofs/manifests/init.pp
@@ -1,12 +1,12 @@
 class autofs {
 case $::hostname {
- pejacevic, piu-slave-bm-a, picconi, coccia, dillon, delfin, quantz, sor, tate, respighi: {
+ piu-slave-bm-a, picconi, coccia, dillon, quantz, sor, tate, respighi: {
 include autofs::bytemark
 }
 lw07,lw08: {
 include autofs::leaseweb
 }
- tye,ullmann,piu-slave-ubc-01,hier,manziarly,lindsay,pinel,ticharich,donizetti,mekeel: {
+ tye,ullmann,piu-slave-ubc-01,hier,manziarly,lindsay,pinel,ticharich,donizetti,mekeel,pejacevic,delfin: {
 include autofs::ubc
 }
 }
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 350ec3fdd..643df8167 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -145,15 +145,6 @@ class ferm::per_host {
 ))
 | EOF
 }
- ferm::rule { 'dsa-postgres-dedup':
- description => 'Allow postgress access to cluster: dedup',
- domain => '(ip ip6)',
- rule => @("EOF"/$)
- &SERVICE_RANGE(tcp, 5439, (
- ${ join(getfromhash($deprecated::allnodeinfo, 'delfin.debian.org', 'ipHostNumber'), " ") }
- ))
- | EOF
- }
 ferm::rule { 'dsa-postgres-debsources':
 description => 'Allow postgress access to cluster: debsources',
 domain => '(ip ip6)',
@@ -172,15 +163,19 @@ class ferm::per_host {
 rule => @("EOF"/$)
 &SERVICE_RANGE(tcp, 5432, (
 ${ join(getfromhash($deprecated::allnodeinfo, 'ticharich.debian.org', 'ipHostNumber'), " ") }
- \$HOST_PGBACKUPHOST
 ))
 | EOF
 }
 ferm::rule { 'dsa-postgres-main':
- # ubc, wuiet
 description => 'Allow postgress access to cluster: main',
 domain => '(ip ip6)',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
+ rule => @("EOF"/$)
+ &SERVICE_RANGE(tcp, 5433, (
+ ${ join(getfromhash($deprecated::allnodeinfo, 'diabelli.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
+ ${ join(getfromhash($deprecated::allnodeinfo, 'reger.debian.org', 'ipHostNumber'), " ") }
+ ))
+ | EOF
 }
 ferm::rule { 'dsa-postgres-debconf':
 description => 'Allow postgress access to cluster: debconf',
@@ -188,7 +183,6 @@ class ferm::per_host {
 rule => @("EOF"/$)
 &SERVICE_RANGE(tcp, 5434, (
 ${ join(getfromhash($deprecated::allnodeinfo, 'debussy.debian.org', 'ipHostNumber'), " ") }
- \$HOST_PGBACKUPHOST
 ))
 | EOF
 }
@@ -200,7 +194,6 @@ class ferm::per_host {
 ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
 ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
 ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
- \$HOST_PGBACKUPHOST
 ))
 | EOF
 }
@@ -213,7 +206,6 @@ class ferm::per_host {
 &SERVICE_RANGE(tcp, 5432, (
 ${ join(getfromhash($deprecated::allnodeinfo, 'dinis.debian.org', 'ipHostNumber'), " ") }
 ${ join(getfromhash($deprecated::allnodeinfo, 'storace.debian.org', 'ipHostNumber'), " ") }
- \$HOST_PGBACKUPHOST
 ))
 | EOF
 }
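Review bot: The `dsa-postgres-main` rule in the hunk at -172,15 now lists diabelli, nono and reger with no comment saying why these three hosts need port 5433, and the old `# ubc, wuiet` comment was dropped rather than replaced. A one-line comment above `description`, such as `# allowed sources for the main cluster: <role of diabelli, nono, reger>`, would let a later reader audit the allow-list. What `getfromhash` returns for a hostname missing from `$deprecated::allnodeinfo` is not visible here; if it yields undef or an empty list, the rule would presumably render with fewer sources and no error, which is worth confirming. The enclosing case branch starts outside the hunk.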
@@ -221,12 +213,8 @@ class ferm::per_host {
 seger: {
 ferm::rule { 'dsa-postgres-backup':
 description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
- }
- ferm::rule { 'dsa-postgres-backup6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
+ domain => '(ip ip6)',
+ rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST ))'
 }
 }
 sallinen: {
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index dff45ac59..926584941 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -41,9 +41,7 @@ dbs.flatten!
 %>
-@def $HOST_PGBACKUPHOST_V4 = (<%= scope.function_filter_ipv4([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
-@def $HOST_PGBACKUPHOST_V6 = (<%= scope.function_filter_ipv6([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
-@def $HOST_PGBACKUPHOST = ( $HOST_PGBACKUPHOST_V4 $HOST_PGBACKUPHOST_V6 );
+@def $HOST_PGBACKUPHOST = (<%= rolehost['postgres_backup_server'].uniq.join(' ') %>);
 <%
@@ -58,10 +56,7 @@ end
 %>
 @def $HOST_FASTLY = (<%= getfastlyranges().join(' ') %>);
-@def $HOST_DEBIAN_V4 = (<%= scope.function_filter_ipv4([dbs]).uniq.join(' ') %>);
-@def $HOST_DEBIAN_V6 = (<%= scope.function_filter_ipv6([dbs]).uniq.join(' ') %>);
-@def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
-
+@def $HOST_DEBIAN = (<%= dbs.uniq.join(' ') %>);
 @def $weasel = ();
 @def $weasel = ($weasel 86.59.118.144/28); # debian@sil
diff --git a/modules/multipath/templates/multipath-bm.conf.erb b/modules/multipath/templates/multipath-bm.conf.erb
index c8ee59798..c7933c595 100644
--- a/modules/multipath/templates/multipath-bm.conf.erb
+++ b/modules/multipath/templates/multipath-bm.conf.erb
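Review bot: In defs.conf.erb, `$HOST_PGBACKUPHOST` is now built from `rolehost['postgres_backup_server']` directly, so its entries no longer pass through `filter_ipv4`/`filter_ipv6` before they reach the ferm definitions; the hunk at -58,10 does the same for `$HOST_DEBIAN` and `dbs`. If those filters also discarded values that are not addresses (not visible in this diff), such values now land in firewall source lists, and a missing `postgres_backup_server` key would make `.uniq` fail on nil where the old code wrapped the value in an array first. The combined list also assumes ferm picks addresses per family inside `domain (ip ip6)`, which the merged `dsa-postgres-backup` rule in per_host.pp now depends on. A template comment stating that both inputs must hold only IP addresses or prefixes, plus a guard such as `(rolehost['postgres_backup_server'] || []).uniq.join(' ')`, would make the assumption explicit and keep the definition empty rather than broken when the role is unset.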
@@ -46,11 +46,11 @@ multipaths {
 }
 multipath {
 wwid 3600c0ff000d5ad34389b6b5401000000
- alias delfin
+ alias OLD-delfin
 }
 multipath {
 wwid 3600c0ff000d5ad34aafd825601000000
- alias delfin-lvm
+ alias OLD-delfin-lvm
 }
 multipath {
 wwid 3600c0ff000d5ad347a49665401000000
@@ -84,14 +84,6 @@ multipaths {
 wwid 3600c0ff000d5ad348d70635401000000
 alias OLD-gideon-srv
 }
- multipath {
- wwid 3600c0ff000d5ad34bf77335501000000
- alias OLD-jerea
- }
- multipath {
- wwid 3600c0ff000d5ad34c877335501000000
- alias OLD-jerea-lvm
- }
 multipath {
 wwid 3600c0ff000d5ad34c76a635401000000
 alias OLD-lindsay
@@ -100,14 +92,6 @@ multipaths {
 wwid 3600c0ff000d5ad34e86a635401000000
 alias OLD-lindsay-srv
 }
- multipath {
- wwid 3600c0ff000d5ad34f1f56f5501000000
- alias OLD-mekeel
- }
- multipath {
- wwid 3600c0ff000d5ad341b39685c01000000
- alias OLD-mekeel-srv
- }
 multipath {
 wwid 3600c0ff000d5ad341ca4655401000000
 alias milanollo
@@ -126,11 +110,11 @@ multipaths {
 }
 multipath {
 wwid 3600c0ff000d5ad341dfb655401000000
- alias pejacevic
+ alias OLD-pejacevic
 }
 multipath {
 wwid 3600c0ff000d5ad3439b7645401000000
- alias pejacevic-lvm
+ alias OLD-pejacevic-lvm
 }
 multipath {
 wwid 3600c0ff000d5ad34e7e9645401000000
@@ -174,11 +158,11 @@ multipaths {
 }
 multipath {
 wwid 3600c0ff000d5ad341aa6645401000000
- alias rainier
+ alias OLD-rainier
 }
 multipath {
 wwid 3600c0ff000d5ad34efa7645401000000
- alias rapoport
+ alias OLD-rapoport
 }
 multipath {
 wwid 3600c0ff000d83a70491c465701000000
@@ -226,6 +210,6 @@ multipaths {
 }
 multipath {
 wwid 3600c0ff000d5ad34169d6b5401000000
- alias ODL-ticharich-lvm
+ alias OLD-ticharich-lvm
 }
 }
diff --git a/modules/multipath/templates/multipath-ubc-ganeti2.conf.erb b/modules/multipath/templates/multipath-ubc-ganeti2.conf.erb
index 9ffe42441..1e41e733a 100644
--- a/modules/multipath/templates/multipath-ubc-ganeti2.conf.erb
+++ b/modules/multipath/templates/multipath-ubc-ganeti2.conf.erb
@@ -38,6 +38,15 @@ multipaths {
 wwid 3600c0ff00027786c1541ce5901000000
 alias debussy
 }
+ # delfin
+ multipath {
+ wwid 3600c0ff000277c5f12398f5d01000000
+ alias delfin
+ }
+ multipath {
+ wwid 3600c0ff00027786c6a398f5d01000000
+ alias delfin-lvm
+ }
 # diabelli
 multipath {
 wwid 3600c0ff00027786cba48e05701000000
@@ -184,6 +193,15 @@ multipaths {
 wwid 3600c0ff00027786c8c1d895d01000000
 alias paradis-lvm
 }
+ # pejacevic
+ multipath {
+ wwid 3600c0ff000277c5f8cd68d5d01000000
+ alias pejacevic
+ }
+ multipath {
+ wwid 3600c0ff00027786c94d68d5d01000000
+ alias pejacevic-lvm
+ }
 # pinel
 multipath {
 wwid 3600c0ff00027786c2c07865d01000000
diff --git a/modules/postgres/manifests/backup_source.pp b/modules/postgres/manifests/backup_source.pp
index d2443a187..363c8905e 100644
--- a/modules/postgres/manifests/backup_source.pp
+++ b/modules/postgres/manifests/backup_source.pp
@@ -38,11 +38,21 @@ class postgres::backup_source {
 pg_version => '9.6',
 pg_port => 5433,
 }
+ postgres::backup_cluster { "${::hostname}-tracker":
+ pg_version => '9.6',
+ pg_port => 5432,
+ pg_cluster => 'tracker',
+ }
 postgres::backup_cluster { "${::hostname}-debconf":
 pg_version => '9.6',
 pg_port => 5434,
 pg_cluster => 'debconf',
 }
+ postgres::backup_cluster { "${::hostname}-wannabuild":
+ pg_version => '9.6',
+ pg_port => 5436,
+ pg_cluster => 'wannabuild',
+ }
 }
 if $::hostname in [postgresql-manda-01] {
diff --git a/modules/roles/manifests/pubsub.pp b/modules/roles/manifests/pubsub.pp
index 0a6e72cec..20554ece2 100644
--- a/modules/roles/manifests/pubsub.pp
+++ b/modules/roles/manifests/pubsub.pp
@@ -1,61 +1,41 @@
 class roles::pubsub {
- include roles::pubsub::params
- include roles::pubsub::entities
-
- $cluster_cookie = $roles::pubsub::params::cluster_cookie
-
- $cc_master = rainier
- $cc_secondary = rapoport
-
- class { 'rabbitmq':
- config_cluster => true,
- cluster_nodes => [
- $cc_master,
- $cc_secondary,
- ],
- cluster_node_type => 'disc',
- erlang_cookie => '8r17so6o1s124ns49sr08n0o24342160',
- delete_guest_user => true,
- ssl => true,
- ssl_cacert => '/etc/ssl/debian/certs/ca.crt',
- ssl_cert => '/etc/ssl/debian/certs/thishost-server.crt',
- ssl_key => '/etc/ssl/private/thishost-server.key',
- ssl_port => 5671,
- ssl_verify => 'verify_none',
- repos_ensure => false,
- }
-
- user { 'rabbitmq':
- groups => 'ssl-cert'
- }
-
- ferm::rule { 'rabbitmq':
- description => 'rabbitmq connections',
- rule => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V4)'
- }
-
- ferm::rule { 'rabbitmq-v6':
- domain => 'ip6',
- description => 'rabbitmq connections',
- rule => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V6)'
- }
-
- if $::hostname == $cc_master {
- $you = '82.195.75.95'
- $you6 = '2001:41b8:202:deb::311:95'
- } else {
- $you = '82.195.75.94'
- $you6 = '2001:41b8:202:deb::311:94'
- }
-
- ferm::rule { 'rabbitmq_cluster':
- domain => 'ip',
- description => 'rabbitmq cluster connections',
- rule => "proto tcp mod state state (NEW) saddr (${you}) ACCEPT"
- }
- ferm::rule { 'rabbitmq_cluster_v6':
- domain => 'ip6',
- description => 'rabbitmq cluster connections',
- rule => "proto tcp mod state state (NEW) saddr (${you6}) ACCEPT"
- }
+ include roles::pubsub::params
+ include roles::pubsub::entities
+
+ $cluster_cookie = $roles::pubsub::params::cluster_cookie
+
+ # Get the fact named hostname from all nodes in puppetdb with class Roles::Pubsub
+ $query = 'facts { name = "hostname" and resources { type = "Class" and title = "Roles::Pubsub" } }'
+ $cluster_nodes = sort(puppetdb_query($query).map |$value| { $value["value"] })
+
+ class { 'rabbitmq':
+ config_cluster => true,
+ cluster_nodes => $cluster_nodes,
+ cluster_node_type => 'disc',
+ erlang_cookie => '8r17so6o1s124ns49sr08n0o24342160',
+ delete_guest_user => true,
+ ssl => true,
+ ssl_cacert => '/etc/ssl/debian/certs/ca.crt',
+ ssl_cert => '/etc/ssl/debian/certs/thishost-server.crt',
+ ssl_key => '/etc/ssl/private/thishost-server.key',
+ ssl_port => 5671,
+ ssl_verify => 'verify_none',
+ repos_ensure => false,
+ }
+
+ user { 'rabbitmq':
+ groups => 'ssl-cert'
+ }
+
+ ferm::rule { 'rabbitmq':
+ description => 'rabbitmq connections',
+ domain => '(ip ip6)',
+ rule => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN)'
+ }
+
+ @@ferm::rule::simple { "pubsub-cluster-from-${::fqdn}":
+ tag => 'roles::pubsub::intra-cluster',
+ saddr => $base::public_addresses,
+ }
+ Ferm::Rule::Simple <<| tag == 'roles::pubsub::intra-cluster' |>>
 }
diff --git a/modules/roles/misc/static-components.yaml b/modules/roles/misc/static-components.yaml
index eaef45ddb..c0b895223 100644
--- a/modules/roles/misc/static-components.yaml
+++ b/modules/roles/misc/static-components.yaml
@@ -32,7 +32,7 @@ components:
 master: dillon.debian.org
 source: wolkenstein.debian.org:/srv/www.debian.org/www
 appstream.debian.org:
- master: dillon.debian.org
+ master: static-master-ubc-01.debian.org
 source: mekeel.debian.org:/srv/appstream.debian.org/public
 blends.debian.org:
 master: dillon.debian.org
diff --git a/modules/stunnel4/manifests/server.pp b/modules/stunnel4/manifests/server.pp
index 57a317e0f..78111d8fb 100644
--- a/modules/stunnel4/manifests/server.pp
+++ b/modules/stunnel4/manifests/server.pp
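Review bot: In roles/manifests/pubsub.pp, `erlang_cookie` in the `rabbitmq` class is still a literal string in the manifest, while `$cluster_cookie` is read from `roles::pubsub::params` a few lines above and never used in this class body. Cluster membership now comes from a PuppetDB query and the firewall opening from collected exported resources, so the cookie is what authenticates a node joining the cluster; `erlang_cookie => $cluster_cookie,` would use the value already loaded (assuming params holds the real secret), and the committed value would then need rotating. `ssl_verify => 'verify_none'` is carried over unchanged, so peer certificates are still not checked on port 5671. The exported `ferm::rule::simple` sets only `tag` and `saddr`; which protocol and ports it opens depends on that define's defaults, which are not visible here, and a comment on the resource stating the intended scope would help.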
@@ -20,13 +20,8 @@ define stunnel4::server($accept, $connect, $local = '127.0.0.1') {
 ferm::rule { "stunnel-${name}":
+ domain => "(ip ip6)",
 description => "stunnel ${name}",
- rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)"
+ rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN)"
 }
- ferm::rule { "stunnel-${name}-v6":
- domain => 'ip6',
- description => "stunnel ${name}",
- rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)"
- }
-
 }
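Review bot: The added `domain => "(ip ip6)",` uses a double-quoted string with nothing to interpolate, while the other manifests touched by this commit write the same value as `'(ip ip6)'`; `domain => '(ip ip6)',` would match them and keep puppet-lint quiet. The merged rule also assumes `$HOST_DEBIAN` can carry both address families in a single ferm rule, and since every stunnel listener is exposed through this define, a short comment above the rule noting that dependency would help anyone changing defs.conf.erb later. The define's body begins outside the hunk.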