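# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# openstackid idp(sso-openid)
#
# == Class: openstackid
#
# Installs and configures the OpenStackID identity provider: PHP-FPM
# (5 or 7.2), Apache (event MPM, proxy_fcgi), the application .env file,
# optional client TLS material for MySQL and RabbitMQ, the deploy tooling,
# sysctl tuning and two cron jobs.
#
# Security-relevant notes for operators:
#  * Every secret parameter (database, redis, SMTP, SendGrid, reCAPTCHA,
#    message broker, cloud storage, app_key) is rendered into
#    /etc/openstackid/.env (root:www-data 0640). Treat the catalog and
#    hiera data that feed this class as sensitive.
#  * *_file_contents parameters that are left empty cause no file to be
#    written; the corresponding *_file path is then expected to exist.
#  * /etc/scripts/supervisor_watchdog.sh is executed by root from cron,
#    so it must never be writable by the www-data group; see the file
#    resource below.
#  * $ssl_cert_file/$ssl_key_file default to the Debian "snakeoil"
#    self-signed pair; production deployments must override them.
#
class openstackid (
  $git_source_repo                              = 'https://git.openstack.org/openstack-infra/openstackid',
  $site_admin_password                          = '',
  $id_mysql_host                                = '',
  $id_mysql_user                                = '',
  $id_mysql_password                            = '',
  $id_db_name                                   = '',
  $redis_port                                   = '',
  $redis_host                                   = '',
  $redis_db                                     = 0,
  $redis_password                               = '',
  $vhost_name                                   = $::fqdn,
  $robots_txt_source                            = '',
  $serveradmin                                  = "webmaster@${::fqdn}",
  $canonicalweburl                              = "https://${::fqdn}/",
  $ssl_cert_file                                = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
  $ssl_key_file                                 = '/etc/ssl/private/ssl-cert-snakeoil.key',
  $ssl_chain_file                               = '',
  $ssl_cert_file_contents                       = '', # If left empty puppet will not create file.
  $ssl_key_file_contents                        = '', # If left empty puppet will not create file.
  $ssl_chain_file_contents                      = '', # If left empty puppet will not create file.
  $httpd_acceptorthreads                        = '',
  $id_log_error_to_email                        = '',
  $id_log_error_from_email                      = '',
  $id_environment                               = 'dev',
  $id_hostname                                  = $::hostname,
  $id_recaptcha_public_key                      = '',
  $id_recaptcha_private_key                     = '',
  $id_recaptcha_template                        = '',
  $openstackid_release                          = 'latest',
  $ssl_enable                                   = true,
  $oauth2_enable                                = true,
  $app_url                                      = '',
  $app_key                                      = '',
  $app_version                                  = '',
  $app_timezone                                 = 'UTC',
  $email_driver                                 = 'mail',
  $email_send_grid_api_key                      = '',
  $email_smtp_server                            = 'smtp.mailgun.org',
  $email_smtp_server_port                       = 587,
  $email_smtp_server_user                       = '',
  $email_smtp_server_password                   = '',
  $use_db_seeding                               = false,
  $projectroot                                  = '/srv/openstackid/w',
  $docroot                                      = '/srv/openstackid/w/public',
  $laravel_version                              = 4,
  $app_log_level                                = 'error',
  $app_log_email_level                          = 'error',
  $db_log_enabled                               = false,
  $banning_enabled                              = true,
  $app_debug                                    = false,
  $app_locale                                   = 'en',
  $curl_verify_ssl_cert                         = true,
  $curl_allow_redirect                          = false,
  $curl_timeout                                 = 60,
  $assets_base_url                              = 'https://www.openstack.org/',
  $cache_driver                                 = 'redis',
  $session_driver                               = 'redis',
  # in minutes
  $session_lifetime                             = 1440,
  $session_encrypt                              = true,
  $session_expire_on_close                      = false,
  $session_cookie_name                          = 'openstackid_s',
  $session_cookie_path                          = '/',
  $session_cookie_domain                        = $::fqdn,
  $session_cookie_secure                        = true,
  $session_cookie_http_only                     = true,
  $mysql_ssl_enabled                            = false,
  $mysql_ssl_ca_file                            = '/etc/mysql-client-ssl/ca-cert.pem',
  $mysql_ssl_ca_file_contents                   = '',
  $mysql_ssl_client_key_file                    = '/etc/mysql-client-ssl/client-key.pem',
  $mysql_ssl_client_key_file_contents           = '',
  $mysql_ssl_client_cert_file                   = '/etc/mysql-client-ssl/client-cert.pem',
  $mysql_ssl_client_cert_file_contents          = '',
  # NOTE(review): legacy CBC/SHA1 suite kept as the default for
  # compatibility with the MySQL server; prefer an AES-GCM suite when the
  # server supports it.
  $mysql_ssl_cypher                             = 'DHE-RSA-AES256-SHA',
  $php_version                                  = 5,
  $queue_driver                                 = 'redis',
  $queue_conn                                   = 'openstackid',
  $mail_from_email                              = 'no-reply@openstack.org',
  $mail_from_name                               = 'no-reply@openstack.org',
  $support_email                                = 'support@openstack.org',
  $user_spam_processor_to                       = '',
  $message_broker_exchange_name                 = 'message-broker',
  $message_broker_host                          = '',
  $message_broker_port                          = 5672,
  $message_broker_vhost                         = 'databus',
  $message_broker_login                         = '',
  $message_broker_password                      = '',
  $message_broker_ssl_enabled                   = false,
  $message_broker_ssl_ca_file                   = '/etc/rabbitmq-client-ssl/ca-cert.pem',
  $message_broker_ssl_ca_file_contents          = '',
  $message_broker_ssl_client_cert_file          = '/etc/rabbitmq-client-ssl/client-cert.pem',
  $message_broker_ssl_client_cert_file_contents = '',
  $message_broker_ssl_client_key_file           = '/etc/rabbitmq-client-ssl/client-key.pem',
  $message_broker_ssl_client_key_file_contents  = '',
  $message_broker_enabled                       = false,
  $cloud_storage_base_url                       = '',
  $cloud_storage_auth_url                       = '',
  $cloud_storage_app_credential_id              = '',
  $cloud_storage_app_credential_secret          = '',
  $cloud_storage_project_name                   = '',
  $cloud_storage_region                         = '',
  $cloud_storage_container                      = '',
) {

  # php5 packages needed for openid server
  $php5_packages = [
    'php5-common',
    'php5-curl',
    'php5-cli',
    'php5-mcrypt',
    'php5-mysqlnd',
    'php5-fpm',
    'php5-json',
    'php5-gmp',
  ]

  # php7 packages needed for openid server
  $php7_packages = [
    'php7.2-common',
    'php7.2-curl',
    'php7.2-cli',
    'php7.2-mysqlnd',
    'php7.2-fpm',
    'php7.2-json',
    'php7.2-gmp',
    'php7.2-xml',
    'php7.2-zip',
    'php7.2-mbstring',
  ]

  # Select the FPM service name and package set for the requested PHP major.
  if ($php_version == 7) {
    $php_service_name = 'php7.2-fpm'
    $php_packages     = $php7_packages
  } else {
    $php_service_name = 'php5-fpm'
    $php_packages     = $php5_packages
  }

  $main_packages = [
    'curl',
    'wget',
    'build-essential',
    'software-properties-common',
    'python-software-properties',
    'supervisor',
    'python3-pip',
    'python3-dev',
    'libssl-dev',
    'libffi-dev',
    'python3-setuptools',
    'python3-venv',
    'libmysqlclient-dev',
  ]

  package { $main_packages:
    ensure => present,
  }

  if ($php_version == 7) {
    if ($::lsbdistcodename == 'xenial') {
      # Xenial has no php7.2 in the archive; pull it from a third-party PPA.
      # NOTE(review): this widens the supply chain to a personal PPA signing
      # key; pin or mirror it if the deployment policy requires it.
      apt::ppa { 'ppa:ondrej/php':
        require => [
          Package[$main_packages],
        ],
        notify  => Exec['apt_update'],
      }
      $php7_requires = [
        Class['apt::update'],
        Apt::Ppa['ppa:ondrej/php'],
      ]
    } else {
      $php7_requires = [
        Class['apt::update'],
        Package[$main_packages],
      ]
    }
    package { $php7_packages:
      ensure   => present,
      provider => 'apt',
      require  => [
        $php7_requires,
      ],
    }
  } else {
    package { $php5_packages:
      ensure  => present,
      require => [
        Package[$main_packages],
      ],
    }
  }

  if ($php_version == 7) {
    # php7-fpm configuration
    file { '/etc/php/7.2/fpm/php-fpm.conf':
      ensure  => present,
      owner   => 'root',
      group   => 'www-data',
      mode    => '0640',
      source  => 'puppet:///modules/openstackid/php7/php-fpm.conf',
      require => [
        Package[$php_service_name],
      ],
      notify  => Service[$php_service_name],
    }
    file { '/etc/php/7.2/fpm/php.ini':
      ensure  => present,
      owner   => 'root',
      group   => 'www-data',
      mode    => '0640',
      source  => 'puppet:///modules/openstackid/php7/php.ini',
      require => [
        Package[$php_service_name],
      ],
      notify  => Service[$php_service_name],
    }
    file { '/etc/php/7.2/fpm/pool.d/www.conf':
      ensure  => present,
      owner   => 'root',
      group   => 'www-data',
      mode    => '0640',
      source  => 'puppet:///modules/openstackid/php7/www.conf',
      require => [
        Package[$php_service_name],
      ],
      notify  => Service[$php_service_name],
    }
    service { $php_service_name:
      ensure  => 'running',
      enable  => true,
      require => Package[$php_service_name],
    }
  } else {
    # php5-fpm configuration
    exec { 'enable_php5-mbcrypt':
      command => '/usr/sbin/php5enmod mcrypt',
      timeout => 0,
      require => [
        Package[$php_service_name],
      ],
      notify  => Service[$php_service_name],
    }
    file { '/etc/php5/fpm/php-fpm.conf':
      ensure  => present,
      owner   => 'root',
      group   => 'www-data',
      mode    => '0640',
      source  => 'puppet:///modules/openstackid/php-fpm.conf',
      require => [
        Package[$php_service_name],
      ],
      notify  => Service[$php_service_name],
    }
    file { '/etc/php5/fpm/php.ini':
      ensure  => present,
      owner   => 'root',
      group   => 'www-data',
      mode    => '0640',
      source  => 'puppet:///modules/openstackid/php.ini',
      require => [
        Package[$php_service_name],
      ],
      notify  => Service[$php_service_name],
    }
    file { '/etc/php5/fpm/pool.d/www.conf':
      ensure  => present,
      owner   => 'root',
      group   => 'www-data',
      mode    => '0640',
      source  => 'puppet:///modules/openstackid/www.conf',
      require => [
        Package[$php_service_name],
      ],
      notify  => Service[$php_service_name],
    }
    service { $php_service_name:
      ensure  => 'running',
      enable  => true,
      require => Package[$php_service_name],
    }
  }

  # the deploy scripts use the curl CLI
  if !defined(Package['curl']) {
    package { 'curl':
      ensure => present,
    }
  }

  # force 10.x version
  class { 'nodejs':
    repo_url_suffix        => '10.x',
    legacy_debian_symlinks => false,
  }

  group { 'openstackid':
    ensure => present,
  }

  user { 'openstackid':
    ensure     => present,
    managehome => true,
    comment    => 'OpenStackID User',
    shell      => '/bin/bash',
    gid        => 'openstackid',
    require    => Group['openstackid'],
  }

  file { '/etc/openstackid':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  file { '/etc/scripts':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # This script is run by root every five minutes (see the
  # InstallSupervisorWatchdog cron below). It was previously 0770, which
  # let the www-data group -- i.e. the PHP-FPM/Apache worker -- rewrite a
  # root-executed script. Keep it readable/executable by the group but
  # writable only by root.
  file { '/etc/scripts/supervisor_watchdog.sh':
    ensure  => present,
    content => template('openstackid/supervisor_watchdog.sh.erb'),
    owner   => 'root',
    group   => 'www-data',
    mode    => '0750',
    require => [
      Package['supervisor'],
      File['/etc/scripts'],
    ],
  }

  file { '/etc/supervisor/conf.d/supervisor.conf':
    ensure  => present,
    content => template('openstackid/supervisor.conf.erb'),
    owner   => 'root',
    group   => 'www-data',
    mode    => '0640',
    require => [
      Package['supervisor'],
    ],
  }

  # Holds all application secrets; readable by the web worker group only.
  file { '/etc/openstackid/.env':
    ensure  => present,
    content => template('openstackid/.env.erb'),
    owner   => 'root',
    group   => 'www-data',
    mode    => '0640',
    require => [
      File['/etc/openstackid'],
    ],
  }

  # mysql ssl connection configuration
  if ($mysql_ssl_enabled) {
    # The directory only needs to be traversable by www-data; a
    # group-writable directory would let the web worker unlink and replace
    # the CA bundle or client key even though the files themselves are
    # root-owned.
    file { '/etc/mysql-client-ssl':
      ensure => 'directory',
      owner  => 'root',
      group  => 'www-data',
      mode   => '0750',
    }

    if $mysql_ssl_ca_file_contents != '' {
      file { $mysql_ssl_ca_file:
        ensure  => file,
        owner   => 'root',
        group   => 'www-data',
        mode    => '0640',
        content => $mysql_ssl_ca_file_contents,
        notify  => Class['apache::service'],
        before  => Apache::Vhost::Custom[$vhost_name],
        require => File['/etc/mysql-client-ssl'],
      }
    }

    if $mysql_ssl_client_key_file_contents != '' {
      file { $mysql_ssl_client_key_file:
        ensure  => file,
        owner   => 'root',
        group   => 'www-data',
        mode    => '0640',
        content => $mysql_ssl_client_key_file_contents,
        notify  => Class['apache::service'],
        before  => Apache::Vhost::Custom[$vhost_name],
        require => File['/etc/mysql-client-ssl'],
      }
    }

    if $mysql_ssl_client_cert_file_contents != '' {
      file { $mysql_ssl_client_cert_file:
        ensure  => file,
        owner   => 'root',
        group   => 'www-data',
        mode    => '0640',
        content => $mysql_ssl_client_cert_file_contents,
        notify  => Class['apache::service'],
        before  => Apache::Vhost::Custom[$vhost_name],
        require => File['/etc/mysql-client-ssl'],
      }
    }
  }

  # rabbitmq ssl connection config
  if ($message_broker_ssl_enabled and $message_broker_enabled) {
    # Same reasoning as /etc/mysql-client-ssl: traversable, not writable,
    # by the web worker group.
    file { '/etc/rabbitmq-client-ssl':
      ensure => 'directory',
      owner  => 'root',
      group  => 'www-data',
      mode   => '0750',
    }

    if $message_broker_ssl_ca_file_contents != '' {
      file { $message_broker_ssl_ca_file:
        ensure  => file,
        owner   => 'root',
        group   => 'www-data',
        mode    => '0640',
        content => $message_broker_ssl_ca_file_contents,
        notify  => Class['apache::service'],
        before  => Apache::Vhost::Custom[$vhost_name],
        require => File['/etc/rabbitmq-client-ssl'],
      }
    }

    if $message_broker_ssl_client_cert_file_contents != '' {
      file { $message_broker_ssl_client_cert_file:
        ensure  => file,
        owner   => 'root',
        group   => 'www-data',
        mode    => '0640',
        content => $message_broker_ssl_client_cert_file_contents,
        notify  => Class['apache::service'],
        before  => Apache::Vhost::Custom[$vhost_name],
        require => File['/etc/rabbitmq-client-ssl'],
      }
    }

    if $message_broker_ssl_client_key_file_contents != '' {
      file { $message_broker_ssl_client_key_file:
        ensure  => file,
        owner   => 'root',
        group   => 'www-data',
        mode    => '0640',
        content => $message_broker_ssl_client_key_file_contents,
        notify  => Class['apache::service'],
        before  => Apache::Vhost::Custom[$vhost_name],
        require => File['/etc/rabbitmq-client-ssl'],
      }
    }
  }

  $docroot_dirs = [
    '/srv/openstackid',
  ]

  file { $docroot_dirs:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  class { 'apache':
    default_vhost => false,
    mpm_module    => false,
  }

  # apache mpm event connection tweaking
  class { 'apache::mod::event':
    serverlimit         => 16,
    startservers        => 3,
    threadlimit         => 256,
    threadsperchild     => 256,
    maxclients          => 4096,
    maxrequestsperchild => 5000,
    maxrequestworkers   => 4096,
  }

  apache::listen { '80': }
  apache::listen { '443': }

  apache::vhost::custom { $vhost_name:
    priority => '50',
    content  => template('openstackid/vhost.erb'),
    require  => File[$docroot_dirs],
  }

  class { 'apache::mod::ssl': }
  class { 'apache::mod::rewrite': }
  class { 'apache::mod::proxy': }
  class { 'apache::mod::headers': }
  apache::mod { 'proxy_fcgi': }

  # TLS material for the vhost. Only written when contents are supplied;
  # otherwise the paths are assumed to be provisioned out of band.
  if $ssl_cert_file_contents != '' {
    file { $ssl_cert_file:
      owner   => 'root',
      group   => 'root',
      mode    => '0640',
      content => $ssl_cert_file_contents,
      notify  => Class['apache::service'],
      before  => Apache::Vhost::Custom[$vhost_name],
    }
  }

  if $ssl_key_file_contents != '' {
    file { $ssl_key_file:
      owner   => 'root',
      group   => 'root',
      mode    => '0640',
      content => $ssl_key_file_contents,
      notify  => Class['apache::service'],
      before  => Apache::Vhost::Custom[$vhost_name],
    }
  }

  if $ssl_chain_file_contents != '' {
    file { $ssl_chain_file:
      owner   => 'root',
      group   => 'root',
      mode    => '0640',
      content => $ssl_chain_file_contents,
      notify  => Class['apache::service'],
      before  => Apache::Vhost::Custom[$vhost_name],
    }
  }

  file { '/etc/apache2':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  openstackid::deploy { 'deploytool': }

  file { '/opt/deploy/conf.d/openstackid.conf':
    content => template('openstackid/openstackid.conf.erb'),
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    require => Openstackid::Deploy['deploytool'],
  }

  $deploy_site_requires = [
    File['/opt/deploy/conf.d/openstackid.conf'],
    Apache::Vhost::Custom[$vhost_name],
    File['/etc/openstackid/.env'],
    Package['curl'],
    Package[$php_packages],
    Class['nodejs'],
  ]

  $update_site_requires = [
    File['/opt/deploy/conf.d/openstackid.conf'],
    Apache::Vhost::Custom[$vhost_name],
    File['/etc/openstackid/.env'],
    Package[$php_packages],
    Class['nodejs'],
  ]

  # Initial checkout: only when the deploy tool reports no deployed state.
  exec { 'deploy-site':
    path      => '/usr/local/bin:/usr/bin:/bin',
    command   => '/opt/deploy/deploy.sh init openstackid',
    onlyif    => '/opt/deploy/deploy.sh status openstackid | grep N/A',
    logoutput => on_failure,
    require   => $deploy_site_requires,
  }

  # Subsequent updates: only when the deploy tool reports a pending update.
  exec { 'update-site':
    path      => '/usr/local/bin:/usr/bin:/bin',
    command   => '/opt/deploy/deploy.sh update openstackid',
    onlyif    => '/opt/deploy/deploy.sh status openstackid | grep UPDATE',
    logoutput => on_failure,
    require   => $update_site_requires,
  }

  # system configuration tweaking
  $my_sysctl_settings = {
    # redis : http://redis.io/topics/admin
    'vm.overcommit_memory'        => { value => 1 },
    'net.core.rmem_default'       => { value => 31457280 },
    'net.core.rmem_max'           => { value => 12582912 },
    'net.core.wmem_default'       => { value => 31457280 },
    'net.core.wmem_max'           => { value => 12582912 },
    # Defines the size of the kernel queue for accepting new connections.
    # Increase number of incoming connections
    'net.core.somaxconn'          => { value => 4096 },
    # Increase number of incoming connections backlog
    'net.core.netdev_max_backlog' => { value => 65536 },
    'net.core.optmem_max'         => { value => 25165824 },
    # Defines the range of usable ports on your system.
    'net.ipv4.ip_local_port_range' => { value => "10000\t65535" },
    'net.ipv4.tcp_mem'            => { value => "65536\t131072\t262144" },
    'net.ipv4.udp_mem'            => { value => "65536\t131072\t262144" },
    'net.ipv4.tcp_rmem'           => { value => "8192\t87380\t16777216" },
    'net.ipv4.udp_rmem_min'       => { value => 16384 },
    'net.ipv4.tcp_wmem'           => { value => "8192\t65536\t16777216" },
    'net.ipv4.udp_wmem_min'       => { value => 16384 },
    # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
    'net.ipv4.tcp_max_tw_buckets' => { value => 1440000 },
    # NOTE(review): tcp_tw_recycle is known to drop connections from clients
    # behind NAT and was removed from the kernel in 4.12; on newer kernels
    # this sysctl no longer exists. Confirm it is still wanted for the
    # target kernel before relying on it.
    'net.ipv4.tcp_tw_recycle'     => { value => 1 },
    'net.ipv4.tcp_tw_reuse'       => { value => 1 },
  }

  $my_sysctl_defaults = {}

  create_resources(sysctl::value, $my_sysctl_settings, $my_sysctl_defaults)

  # Laravel scheduler, run as the web worker user.
  cron { 'InstallLaravelSchedule':
    ensure  => 'present',
    command => "/usr/bin/php ${projectroot}/artisan schedule:run >> /dev/null 2>&1",
    user    => 'www-data',
    minute  => '*',
  }

  # Runs as root: the script it executes must not be writable by anyone
  # but root (see File['/etc/scripts/supervisor_watchdog.sh']).
  cron { 'InstallSupervisorWatchdog':
    ensure  => 'present',
    command => '/etc/scripts/supervisor_watchdog.sh >> /var/log/supervisor_watchdog.log 2>&1',
    user    => 'root',
    minute  => '*/5',
  }
}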