Merge branch 'salsa' into fordsa fordsaold
authorAdam D. Barratt <adam@adam-barratt.org.uk>
Sat, 28 Sep 2019 14:22:21 +0000 (15:22 +0100)
committerAdam D. Barratt <adam@adam-barratt.org.uk>
Sat, 28 Sep 2019 14:22:21 +0000 (15:22 +0100)
modules/autofs/manifests/init.pp
modules/ferm/manifests/per_host.pp
modules/ferm/templates/defs.conf.erb
modules/multipath/templates/multipath-bm.conf.erb
modules/multipath/templates/multipath-ubc-ganeti2.conf.erb
modules/postgres/manifests/backup_source.pp
modules/roles/manifests/pubsub.pp
modules/roles/misc/static-components.yaml
modules/stunnel4/manifests/server.pp

index dbfb6fb..1c34923 100644 (file)
@@ -1,12 +1,12 @@
 class autofs {
        case $::hostname {
-               pejacevic, piu-slave-bm-a, picconi, coccia, dillon, delfin, quantz, sor, tate, respighi: {
+               piu-slave-bm-a, picconi, coccia, dillon, quantz, sor, tate, respighi: {
                        include autofs::bytemark
                }
                lw07,lw08: {
                        include autofs::leaseweb
                }
-               tye,ullmann,piu-slave-ubc-01,hier,manziarly,lindsay,pinel,ticharich,donizetti,mekeel: {
+               tye,ullmann,piu-slave-ubc-01,hier,manziarly,lindsay,pinel,ticharich,donizetti,mekeel,pejacevic,delfin: {
                        include autofs::ubc
                }
        }
index 350ec3f..643df81 100644 (file)
@@ -145,15 +145,6 @@ class ferm::per_host {
           ))
           | EOF
       }
-      ferm::rule { 'dsa-postgres-dedup':
-        description => 'Allow postgress access to cluster: dedup',
-        domain      => '(ip ip6)',
-        rule        => @("EOF"/$)
-          &SERVICE_RANGE(tcp, 5439, (
-            ${ join(getfromhash($deprecated::allnodeinfo, 'delfin.debian.org', 'ipHostNumber'), " ") }
-          ))
-          | EOF
-      }
       ferm::rule { 'dsa-postgres-debsources':
         description => 'Allow postgress access to cluster: debsources',
         domain      => '(ip ip6)',
@@ -172,15 +163,19 @@ class ferm::per_host {
         rule        => @("EOF"/$)
           &SERVICE_RANGE(tcp, 5432, (
             ${ join(getfromhash($deprecated::allnodeinfo, 'ticharich.debian.org', 'ipHostNumber'), " ") }
-            \$HOST_PGBACKUPHOST
           ))
           | EOF
       }
       ferm::rule { 'dsa-postgres-main':
-        # ubc, wuiet
         description => 'Allow postgress access to cluster: main',
         domain      => '(ip ip6)',
-        rule        => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
+        rule        => @("EOF"/$)
+          &SERVICE_RANGE(tcp, 5433, (
+            ${ join(getfromhash($deprecated::allnodeinfo, 'diabelli.debian.org', 'ipHostNumber'), " ") }
+            ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
+            ${ join(getfromhash($deprecated::allnodeinfo, 'reger.debian.org', 'ipHostNumber'), " ") }
+          ))
+          | EOF
       }
       ferm::rule { 'dsa-postgres-debconf':
         description => 'Allow postgress access to cluster: debconf',
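Review bot: The rewritten `dsa-postgres-main` rule names diabelli, nono and reger without saying why they need port 5433, and the old `# ubc, wuiet` comment that explained the allow-list is removed with nothing in its place. A one-line comment above `description`, for example `# only these hosts connect to the main cluster (5433)`, would let a later reader audit the list against the real clients. This hunk and the three that follow also drop `\$HOST_PGBACKUPHOST` from the per-cluster rules. Presumably the backup server's access to those ports is now granted elsewhere, but that is not visible on this page and is worth confirming before the old rules disappear. The `ferm::rule` at the top of the hunk starts outside it.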
@@ -188,7 +183,6 @@ class ferm::per_host {
         rule        => @("EOF"/$)
           &SERVICE_RANGE(tcp, 5434, (
             ${ join(getfromhash($deprecated::allnodeinfo, 'debussy.debian.org', 'ipHostNumber'), " ") }
-            \$HOST_PGBACKUPHOST
           ))
           | EOF
       }
@@ -200,7 +194,6 @@ class ferm::per_host {
             ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") }
             ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") }
             ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") }
-            \$HOST_PGBACKUPHOST
           ))
           | EOF
       }
@@ -213,7 +206,6 @@ class ferm::per_host {
           &SERVICE_RANGE(tcp, 5432, (
             ${ join(getfromhash($deprecated::allnodeinfo, 'dinis.debian.org', 'ipHostNumber'), " ") }
             ${ join(getfromhash($deprecated::allnodeinfo, 'storace.debian.org', 'ipHostNumber'), " ") }
-            \$HOST_PGBACKUPHOST
           ))
           | EOF
       }
@@ -221,12 +213,8 @@ class ferm::per_host {
     seger: {
       ferm::rule { 'dsa-postgres-backup':
         description => 'Allow postgress access',
-        rule        => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
-      }
-      ferm::rule { 'dsa-postgres-backup6':
-        domain      => 'ip6',
-        description => 'Allow postgress access',
-        rule        => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
+        domain      => '(ip ip6)',
+        rule        => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST ))'
       }
     }
     sallinen: {
index dff45ac..9265849 100644 (file)
@@ -41,9 +41,7 @@
   dbs.flatten!
 %>
 
-@def $HOST_PGBACKUPHOST_V4 = (<%= scope.function_filter_ipv4([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
-@def $HOST_PGBACKUPHOST_V6 = (<%= scope.function_filter_ipv6([rolehost['postgres_backup_server']]).uniq.join(' ') %>);
-@def $HOST_PGBACKUPHOST = ( $HOST_PGBACKUPHOST_V4 $HOST_PGBACKUPHOST_V6 );
+@def $HOST_PGBACKUPHOST = (<%= rolehost['postgres_backup_server'].uniq.join(' ') %>);
 
 
 <%
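Review bot: `$HOST_PGBACKUPHOST` is now emitted from `rolehost['postgres_backup_server']` directly, so if that role has no entry (assuming `rolehost` is a plain hash) `.uniq` is called on nil and the whole template fails to render. A guard such as `(rolehost['postgres_backup_server'] || []).uniq.join(' ')` avoids that. The values also no longer pass through `filter_ipv4`/`filter_ipv6`; whether those functions rejected non-address entries is not visible here, so it is worth checking that nothing else in the role data can reach the firewall definitions unvalidated. The same applies to `$HOST_DEBIAN` in the next hunk. Both hunks delete the `_V4`/`_V6` definitions, and while this commit updates roles/pubsub.pp and stunnel4/server.pp, any other rule still naming them would stop ferm from loading its configuration, so a tree-wide search for the old names is advisable.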
@@ -58,10 +56,7 @@ end
 %>
 @def $HOST_FASTLY = (<%= getfastlyranges().join(' ') %>);
 
-@def $HOST_DEBIAN_V4 = (<%= scope.function_filter_ipv4([dbs]).uniq.join(' ') %>);
-@def $HOST_DEBIAN_V6 = (<%= scope.function_filter_ipv6([dbs]).uniq.join(' ') %>);
-@def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
-
+@def $HOST_DEBIAN = (<%= dbs.uniq.join(' ') %>);
 
 @def $weasel  = ();
 @def $weasel  = ($weasel 86.59.118.144/28); # debian@sil
index c8ee597..c7933c5 100644 (file)
@@ -46,11 +46,11 @@ multipaths {
        }
        multipath {
                wwid    3600c0ff000d5ad34389b6b5401000000
-               alias   delfin
+               alias   OLD-delfin
        }
        multipath {
                wwid    3600c0ff000d5ad34aafd825601000000
-               alias   delfin-lvm
+               alias   OLD-delfin-lvm
        }
        multipath {
                wwid    3600c0ff000d5ad347a49665401000000
@@ -84,14 +84,6 @@ multipaths {
                wwid    3600c0ff000d5ad348d70635401000000
                alias   OLD-gideon-srv
        }
-       multipath {
-               wwid    3600c0ff000d5ad34bf77335501000000
-               alias   OLD-jerea
-       }
-       multipath {
-               wwid    3600c0ff000d5ad34c877335501000000
-               alias   OLD-jerea-lvm
-       }
        multipath {
                wwid    3600c0ff000d5ad34c76a635401000000
                alias   OLD-lindsay
@@ -100,14 +92,6 @@ multipaths {
                wwid    3600c0ff000d5ad34e86a635401000000
                alias   OLD-lindsay-srv
        }
-       multipath {
-               wwid    3600c0ff000d5ad34f1f56f5501000000
-               alias   OLD-mekeel
-       }
-       multipath {
-               wwid    3600c0ff000d5ad341b39685c01000000
-               alias   OLD-mekeel-srv
-       }
        multipath {
                wwid    3600c0ff000d5ad341ca4655401000000
                alias   milanollo
@@ -126,11 +110,11 @@ multipaths {
        }
        multipath {
                wwid    3600c0ff000d5ad341dfb655401000000
-               alias   pejacevic
+               alias   OLD-pejacevic
        }
        multipath {
                wwid    3600c0ff000d5ad3439b7645401000000
-               alias   pejacevic-lvm
+               alias   OLD-pejacevic-lvm
        }
        multipath {
                wwid    3600c0ff000d5ad34e7e9645401000000
@@ -174,11 +158,11 @@ multipaths {
        }
        multipath {
                wwid    3600c0ff000d5ad341aa6645401000000
-               alias   rainier
+               alias   OLD-rainier
        }
        multipath {
                wwid    3600c0ff000d5ad34efa7645401000000
-               alias   rapoport
+               alias   OLD-rapoport
        }
        multipath {
                wwid    3600c0ff000d83a70491c465701000000
@@ -226,6 +210,6 @@ multipaths {
        }
        multipath {
                wwid    3600c0ff000d5ad34169d6b5401000000
-               alias   ODL-ticharich-lvm
+               alias   OLD-ticharich-lvm
        }
 }
index 9ffe424..1e41e73 100644 (file)
@@ -38,6 +38,15 @@ multipaths {
                 wwid 3600c0ff00027786c1541ce5901000000
                 alias debussy
         }
+        # delfin
+        multipath {
+                wwid 3600c0ff000277c5f12398f5d01000000
+                alias delfin
+        }
+        multipath {
+                wwid 3600c0ff00027786c6a398f5d01000000
+                alias delfin-lvm
+        }
         # diabelli
         multipath {
                 wwid 3600c0ff00027786cba48e05701000000
@@ -184,6 +193,15 @@ multipaths {
                 wwid 3600c0ff00027786c8c1d895d01000000
                 alias paradis-lvm
         }
+        # pejacevic
+        multipath {
+                wwid 3600c0ff000277c5f8cd68d5d01000000
+                alias pejacevic
+        }
+        multipath {
+                wwid 3600c0ff00027786c94d68d5d01000000
+                alias pejacevic-lvm
+        }
         # pinel
         multipath {
                 wwid 3600c0ff00027786c2c07865d01000000
index d2443a1..363c890 100644 (file)
@@ -38,11 +38,21 @@ class postgres::backup_source {
                        pg_version => '9.6',
                        pg_port => 5433,
                }
+               postgres::backup_cluster { "${::hostname}-tracker":
+                       pg_version => '9.6',
+                       pg_port => 5432,
+                       pg_cluster => 'tracker',
+               }
                postgres::backup_cluster { "${::hostname}-debconf":
                        pg_version => '9.6',
                        pg_port => 5434,
                        pg_cluster => 'debconf',
                }
+               postgres::backup_cluster { "${::hostname}-wannabuild":
+                       pg_version => '9.6',
+                       pg_port => 5436,
+                       pg_cluster => 'wannabuild',
+               }
        }
 
        if $::hostname in [postgresql-manda-01] {
index 0a6e72c..20554ec 100644 (file)
@@ -1,61 +1,41 @@
 class roles::pubsub {
-       include roles::pubsub::params
-       include roles::pubsub::entities
-
-       $cluster_cookie  = $roles::pubsub::params::cluster_cookie
-
-       $cc_master       = rainier
-       $cc_secondary    = rapoport
-
-       class { 'rabbitmq':
-               config_cluster    => true,
-               cluster_nodes     => [
-                       $cc_master,
-                       $cc_secondary,
-               ],
-               cluster_node_type => 'disc',
-               erlang_cookie     => '8r17so6o1s124ns49sr08n0o24342160',
-               delete_guest_user => true,
-               ssl               => true,
-               ssl_cacert        => '/etc/ssl/debian/certs/ca.crt',
-               ssl_cert          => '/etc/ssl/debian/certs/thishost-server.crt',
-               ssl_key           => '/etc/ssl/private/thishost-server.key',
-               ssl_port          => 5671,
-               ssl_verify        => 'verify_none',
-               repos_ensure      => false,
-       }
-
-       user { 'rabbitmq':
-               groups => 'ssl-cert'
-       }
-
-       ferm::rule { 'rabbitmq':
-               description => 'rabbitmq connections',
-               rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V4)'
-       }
-
-       ferm::rule { 'rabbitmq-v6':
-               domain      => 'ip6',
-               description => 'rabbitmq connections',
-               rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V6)'
-       }
-
-       if $::hostname == $cc_master {
-               $you  = '82.195.75.95'
-               $you6 = '2001:41b8:202:deb::311:95'
-       } else {
-               $you  = '82.195.75.94'
-               $you6 = '2001:41b8:202:deb::311:94'
-       }
-
-       ferm::rule { 'rabbitmq_cluster':
-               domain      => 'ip',
-               description => 'rabbitmq cluster connections',
-               rule        => "proto tcp mod state state (NEW) saddr (${you}) ACCEPT"
-       }
-       ferm::rule { 'rabbitmq_cluster_v6':
-               domain      => 'ip6',
-               description => 'rabbitmq cluster connections',
-               rule        => "proto tcp mod state state (NEW) saddr (${you6}) ACCEPT"
-       }
+  include roles::pubsub::params
+  include roles::pubsub::entities
+
+  $cluster_cookie  = $roles::pubsub::params::cluster_cookie
+
+  # Get the fact named hostname from all nodes in puppetdb with class Roles::Pubsub
+  $query = 'facts { name = "hostname" and resources { type = "Class" and title = "Roles::Pubsub" } }'
+  $cluster_nodes = sort(puppetdb_query($query).map |$value| { $value["value"] })
+
+  class { 'rabbitmq':
+    config_cluster    => true,
+    cluster_nodes     => $cluster_nodes,
+    cluster_node_type => 'disc',
+    erlang_cookie     => '8r17so6o1s124ns49sr08n0o24342160',
+    delete_guest_user => true,
+    ssl               => true,
+    ssl_cacert        => '/etc/ssl/debian/certs/ca.crt',
+    ssl_cert          => '/etc/ssl/debian/certs/thishost-server.crt',
+    ssl_key           => '/etc/ssl/private/thishost-server.key',
+    ssl_port          => 5671,
+    ssl_verify        => 'verify_none',
+    repos_ensure      => false,
+  }
+
+  user { 'rabbitmq':
+    groups => 'ssl-cert'
+  }
+
+  ferm::rule { 'rabbitmq':
+    description => 'rabbitmq connections',
+    domain      => '(ip ip6)',
+    rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN)'
+  }
+
+  @@ferm::rule::simple { "pubsub-cluster-from-${::fqdn}":
+    tag   => 'roles::pubsub::intra-cluster',
+    saddr => $base::public_addresses,
+  }
+  Ferm::Rule::Simple <<| tag == 'roles::pubsub::intra-cluster' |>>
 }
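Review bot: The `erlang_cookie` passed to `class { 'rabbitmq': }` is still a string literal in the manifest, although `$cluster_cookie` is read from `roles::pubsub::params` a few lines above and is not used anywhere in this class. The Erlang cookie is the shared secret that authorises nodes to join the cluster, so it should not live in the repository; if the params value is the intended one, use `erlang_cookie => $cluster_cookie,`. The current literal should be treated as disclosed and rotated. This matters more after this change, because `cluster_nodes` is now every host PuppetDB reports with `Roles::Pubsub`, and the collected `ferm::rule::simple` resources open the firewall to each of those hosts' public addresses. That leaves the cookie as the main remaining gate between cluster members. The exported rule sets only `tag` and `saddr`; if the define accepts a port restriction, limiting it to the clustering ports would narrow that exposure further.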
index eaef45d..c0b8952 100644 (file)
@@ -32,7 +32,7 @@ components:
     master: dillon.debian.org
     source: wolkenstein.debian.org:/srv/www.debian.org/www
   appstream.debian.org:
-    master: dillon.debian.org
+    master: static-master-ubc-01.debian.org
     source: mekeel.debian.org:/srv/appstream.debian.org/public
   blends.debian.org:
     master: dillon.debian.org
index 57a317e..78111d8 100644 (file)
@@ -20,13 +20,8 @@ define stunnel4::server($accept, $connect, $local = '127.0.0.1') {
 
        ferm::rule {
                "stunnel-${name}":
+                       domain      => "(ip ip6)",
                        description => "stunnel ${name}",
-                       rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)"
+                       rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN)"
        }
-       ferm::rule { "stunnel-${name}-v6":
-                       domain      => 'ip6',
-                       description => "stunnel ${name}",
-                       rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)"
-       }
-
 }
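Review bot: The added `domain => "(ip ip6)",` uses double quotes although the string interpolates nothing, whereas the equivalent attribute in roles/pubsub.pp and ferm/per_host.pp is written `'(ip ip6)'`. Using `domain      => '(ip ip6)',` keeps the two-family rules uniform and makes it obvious that only the `rule` line relies on interpolation (`${accept}`) and the escaped `\$HOST_DEBIAN`. The body of `stunnel4::server` begins outside this hunk.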