opendev/system-config
Code Issues Proposed changes

Merge "Remove base.yaml things from openstack_project::server"

Browse Source
This commit is contained in:
Zuul
2018-08-17 10:43:53 +00:00
committed by Gerrit Code Review
parent baa717a1f9 bab6fcad3c
commit f3036203c3
55 changed files with 78 additions and 1230 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
doc/source/sysadmin.rst
View File

@@ -131,13 +131,12 @@ To create a new server, do the following:
to manually add the private information to hiera. to manually add the private information to hiera.
* You should be able to install and configure most software only with * You should be able to install and configure most software only with
puppet. Nonetheless, if you need SSH access to the host, add your ansible or puppet. Nonetheless, if you need SSH access to the host,
public key to :cgit_file:`modules/openstack_project/manifests/users.pp` and add your public key to :cgit_file:`playbooks/group_vars/all.yaml` and
include a stanza like this in your server class:: include a stanza like this in your server class::
realize ( extra_users:
User::Virtual::Localuser['USERNAME'], - your_user_name
)
* Add an RST file with documentation about the server in :cgit_file:`doc/source` * Add an RST file with documentation about the server in :cgit_file:`doc/source`
and add it to the index in that directory. and add it to the index in that directory.

73
manifests/site.pp
View File

@@ -12,7 +12,6 @@ $elasticsearch_nodes = hiera_array('elasticsearch_nodes')
# #
node default { node default {
class { 'openstack_project::server': class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
} }
} }
@@ -27,8 +26,6 @@ node 'review.openstack.org' {
iptables_public_tcp_ports => [80, 443, 29418], iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules, iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules, iptables_rules4 => $iptables_rules,
sysadmins => hiera('sysadmins', []),
extra_aliases => { 'gerrit2' => 'root' },
} }
class { 'openstack_project::review': class { 'openstack_project::review':
@@ -75,8 +72,6 @@ node 'review01.openstack.org' {
iptables_public_tcp_ports => [80, 443, 29418], iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules, iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules, iptables_rules4 => $iptables_rules,
sysadmins => hiera('sysadmins', []),
extra_aliases => { 'gerrit2' => 'root' },
} }
class { 'openstack_project::review': class { 'openstack_project::review':
@@ -123,8 +118,6 @@ node /^review-dev\d*\.openstack\.org$/ {
iptables_public_tcp_ports => [80, 443, 29418], iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules, iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules, iptables_rules4 => $iptables_rules,
sysadmins => hiera('sysadmins', []),
extra_aliases => { 'gerrit2' => 'root' },
afs => true, afs => true,
} }
@@ -157,7 +150,6 @@ node /^grafana\d*\.openstack\.org$/ {
$group = "grafana" $group = "grafana"
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80], iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::grafana': class { 'openstack_project::grafana':
admin_password => hiera('grafana_admin_password'), admin_password => hiera('grafana_admin_password'),
@@ -176,7 +168,6 @@ node /^grafana\d*\.openstack\.org$/ {
node /^health\d*\.openstack\.org$/ { node /^health\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::openstack_health_api': class { 'openstack_project::openstack_health_api':
subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'), subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
@@ -188,7 +179,6 @@ node /^cacti\d+\.openstack\.org$/ {
$group = "cacti" $group = "cacti"
include openstack_project::ssl_cert_check include openstack_project::ssl_cert_check
class { 'openstack_project::cacti': class { 'openstack_project::cacti':
sysadmins => hiera('sysadmins', []),
cacti_hosts => hiera_array('cacti_hosts'), cacti_hosts => hiera_array('cacti_hosts'),
vhost_name => 'cacti.openstack.org', vhost_name => 'cacti.openstack.org',
} }
@@ -198,7 +188,6 @@ node /^cacti\d+\.openstack\.org$/ {
node 'puppetmaster.openstack.org' { node 'puppetmaster.openstack.org' {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [8140], iptables_public_tcp_ports => [8140],
sysadmins => hiera('sysadmins', []),
pin_puppet => '3.6.', pin_puppet => '3.6.',
} }
class { 'openstack_project::puppetmaster': class { 'openstack_project::puppetmaster':
@@ -254,7 +243,6 @@ node /^graphite\d*\.openstack\.org$/ {
{protocol => 'udp', port => '8125', hostname => 'ze10.openstack.org'}, {protocol => 'udp', port => '8125', hostname => 'ze10.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze11.openstack.org'}, {protocol => 'udp', port => '8125', hostname => 'ze11.openstack.org'},
], ],
sysadmins => hiera('sysadmins', [])
} }
class { '::graphite': class { '::graphite':
@@ -269,7 +257,6 @@ node /^graphite\d*\.openstack\.org$/ {
node /^groups\d*\.openstack\.org$/ { node /^groups\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443], iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::groups': class { 'openstack_project::groups':
site_admin_password => hiera('groups_site_admin_password'), site_admin_password => hiera('groups_site_admin_password'),
@@ -287,7 +274,6 @@ node /^groups\d*\.openstack\.org$/ {
node /^groups-dev\d*\.openstack\.org$/ { node /^groups-dev\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443], iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::groups_dev': class { 'openstack_project::groups_dev':
site_admin_password => hiera('groups_dev_site_admin_password'), site_admin_password => hiera('groups_dev_site_admin_password'),
@@ -306,12 +292,9 @@ node /^groups-dev\d*\.openstack\.org$/ {
node /^lists\d*\.openstack\.org$/ { node /^lists\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [25, 80, 465], iptables_public_tcp_ports => [25, 80, 465],
manage_exim => false,
purge_apt_sources => false,
} }
class { 'openstack_project::lists': class { 'openstack_project::lists':
listadmins => hiera('listadmins', []),
listpassword => hiera('listpassword'), listpassword => hiera('listpassword'),
} }
} }
@@ -320,12 +303,9 @@ node /^lists\d*\.openstack\.org$/ {
node /^lists\d*\.katacontainers\.io$/ { node /^lists\d*\.katacontainers\.io$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [25, 80, 465], iptables_public_tcp_ports => [25, 80, 465],
manage_exim => false,
purge_apt_sources => false,
} }
class { 'openstack_project::kata_lists': class { 'openstack_project::kata_lists':
listadmins => hiera('listadmins', []),
listpassword => hiera('listpassword'), listpassword => hiera('listpassword'),
} }
} }
@@ -336,7 +316,6 @@ node /^paste\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80], iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::paste': class { 'openstack_project::paste':
db_password => hiera('paste_db_password'), db_password => hiera('paste_db_password'),
@@ -348,7 +327,6 @@ node /^paste\d*\.openstack\.org$/ {
# Node-OS: xenial # Node-OS: xenial
node /planet\d*\.openstack\.org$/ { node /planet\d*\.openstack\.org$/ {
class { 'openstack_project::planet': class { 'openstack_project::planet':
sysadmins => hiera('sysadmins', []),
} }
} }
@@ -357,7 +335,6 @@ node /^eavesdrop\d*\.openstack\.org$/ {
$group = "eavesdrop" $group = "eavesdrop"
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80], iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::eavesdrop': class { 'openstack_project::eavesdrop':
@@ -397,7 +374,6 @@ node /^ethercalc\d+\.openstack\.org$/ {
$group = "ethercalc" $group = "ethercalc"
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443], iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::ethercalc': class { 'openstack_project::ethercalc':
@@ -413,7 +389,6 @@ node /^ethercalc\d+\.openstack\.org$/ {
node /^etherpad\d*\.openstack\.org$/ { node /^etherpad\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443], iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::etherpad': class { 'openstack_project::etherpad':
@@ -431,7 +406,6 @@ node /^etherpad\d*\.openstack\.org$/ {
node /^etherpad-dev\d*\.openstack\.org$/ { node /^etherpad-dev\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443], iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::etherpad_dev': class { 'openstack_project::etherpad_dev':
@@ -445,7 +419,6 @@ node /^etherpad-dev\d*\.openstack\.org$/ {
node /^wiki\d+\.openstack\.org$/ { node /^wiki\d+\.openstack\.org$/ {
$group = "wiki" $group = "wiki"
class { 'openstack_project::wiki': class { 'openstack_project::wiki':
sysadmins => hiera('sysadmins', []),
bup_user => 'bup-wiki', bup_user => 'bup-wiki',
serveradmin => hiera('infra_apache_serveradmin'), serveradmin => hiera('infra_apache_serveradmin'),
site_hostname => 'wiki.openstack.org', site_hostname => 'wiki.openstack.org',
@@ -468,7 +441,6 @@ node /^wiki\d+\.openstack\.org$/ {
node /^wiki-dev\d+\.openstack\.org$/ { node /^wiki-dev\d+\.openstack\.org$/ {
$group = "wiki-dev" $group = "wiki-dev"
class { 'openstack_project::wiki': class { 'openstack_project::wiki':
sysadmins => hiera('sysadmins', []),
serveradmin => hiera('infra_apache_serveradmin'), serveradmin => hiera('infra_apache_serveradmin'),
site_hostname => 'wiki-dev.openstack.org', site_hostname => 'wiki-dev.openstack.org',
wg_dbserver => hiera('wg_dbserver'), wg_dbserver => hiera('wg_dbserver'),
@@ -489,7 +461,6 @@ node /^logstash\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 3306], iptables_public_tcp_ports => [22, 80, 3306],
iptables_allowed_hosts => hiera_array('logstash_iptables_rule_data'), iptables_allowed_hosts => hiera_array('logstash_iptables_rule_data'),
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::logstash': class { 'openstack_project::logstash':
@@ -512,7 +483,6 @@ node /^logstash-worker\d+\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22], iptables_public_tcp_ports => [22],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::logstash_worker': class { 'openstack_project::logstash_worker':
@@ -528,7 +498,6 @@ node /^subunit-worker\d+\.openstack\.org$/ {
$group = "subunit-worker" $group = "subunit-worker"
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22], iptables_public_tcp_ports => [22],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::subunit_worker': class { 'openstack_project::subunit_worker':
subunit2sql_db_host => hiera('subunit2sql_db_host', ''), subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
@@ -544,7 +513,6 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22], iptables_public_tcp_ports => [22],
iptables_allowed_hosts => hiera_array('elasticsearch_iptables_rule_data'), iptables_allowed_hosts => hiera_array('elasticsearch_iptables_rule_data'),
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::elasticsearch_node': class { 'openstack_project::elasticsearch_node':
discover_nodes => $elasticsearch_nodes, discover_nodes => $elasticsearch_nodes,
@@ -558,11 +526,8 @@ node /^firehose\d+\.openstack\.org$/ {
# connections seem to crash mosquitto. Once this is fixed we should add # connections seem to crash mosquitto. Once this is fixed we should add
# them back # them back
iptables_public_tcp_ports => [22, 25, 80, 1883, 8883, 443], iptables_public_tcp_ports => [22, 25, 80, 1883, 8883, 443],
sysadmins => hiera('sysadmins', []),
manage_exim => false,
} }
class { 'openstack_project::firehose': class { 'openstack_project::firehose':
sysadmins => hiera('sysadmins', []),
gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'), gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
gerrit_public_key => hiera('germqtt_gerrit_ssh_public_key'), gerrit_public_key => hiera('germqtt_gerrit_ssh_public_key'),
gerrit_private_key => hiera('germqtt_gerrit_ssh_private_key'), gerrit_private_key => hiera('germqtt_gerrit_ssh_private_key'),
@@ -582,7 +547,6 @@ node /^firehose\d+\.openstack\.org$/ {
node /^git(-fe\d+)?\.openstack\.org$/ { node /^git(-fe\d+)?\.openstack\.org$/ {
$group = "git-loadbalancer" $group = "git-loadbalancer"
class { 'openstack_project::git': class { 'openstack_project::git':
sysadmins => hiera('sysadmins', []),
balancer_member_names => [ balancer_member_names => [
'git01.openstack.org', 'git01.openstack.org',
'git02.openstack.org', 'git02.openstack.org',
@@ -614,7 +578,6 @@ node /^git\d+\.openstack\.org$/ {
include openstack_project include openstack_project
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [4443, 8080, 29418], iptables_public_tcp_ports => [4443, 8080, 29418],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::git_backend': class { 'openstack_project::git_backend':
@@ -653,7 +616,6 @@ node /^mirror-update\d*\.openstack\.org$/ {
centos_keytab => hiera('centos_keytab'), centos_keytab => hiera('centos_keytab'),
epel_keytab => hiera('epel_keytab'), epel_keytab => hiera('epel_keytab'),
yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'), yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),
sysadmins => hiera('sysadmins', []),
} }
} }
@@ -664,7 +626,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 8080, 8081, 8082], iptables_public_tcp_ports => [22, 80, 8080, 8081, 8082],
sysadmins => hiera('sysadmins', []),
afs => true, afs => true,
afs_cache_size => 50000000, # 50GB afs_cache_size => 50000000, # 50GB
} }
@@ -681,7 +642,6 @@ node /^files\d*\.openstack\.org$/ {
$group = "files" $group = "files"
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
afs => true, afs => true,
afs_cache_size => 10000000, # 10GB afs_cache_size => 10000000, # 10GB
} }
@@ -712,7 +672,6 @@ node /^files\d*\.openstack\.org$/ {
node /^refstack\d*\.openstack\.org$/ { node /^refstack\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'refstack': class { 'refstack':
mysql_host => hiera('refstack_mysql_host', 'localhost'), mysql_host => hiera('refstack_mysql_host', 'localhost'),
@@ -741,7 +700,6 @@ node /^refstack\d*\.openstack\.org$/ {
node /^storyboard\d*\.openstack\.org$/ { node /^storyboard\d*\.openstack\.org$/ {
class { 'openstack_project::storyboard': class { 'openstack_project::storyboard':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config', project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
sysadmins => hiera('sysadmins', []),
mysql_host => hiera('storyboard_db_host', 'localhost'), mysql_host => hiera('storyboard_db_host', 'localhost'),
mysql_user => hiera('storyboard_db_user', 'username'), mysql_user => hiera('storyboard_db_user', 'username'),
mysql_password => hiera('storyboard_db_password'), mysql_password => hiera('storyboard_db_password'),
@@ -772,7 +730,6 @@ node /^storyboard\d*\.openstack\.org$/ {
node /^storyboard-dev\d*\.openstack\.org$/ { node /^storyboard-dev\d*\.openstack\.org$/ {
class { 'openstack_project::storyboard::dev': class { 'openstack_project::storyboard::dev':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config', project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
sysadmins => hiera('sysadmins', []),
mysql_host => hiera('storyboard_db_host', 'localhost'), mysql_host => hiera('storyboard_db_host', 'localhost'),
mysql_user => hiera('storyboard_db_user', 'username'), mysql_user => hiera('storyboard_db_user', 'username'),
mysql_password => hiera('storyboard_db_password'), mysql_password => hiera('storyboard_db_password'),
@@ -799,7 +756,6 @@ node /^storyboard-dev\d*\.openstack\.org$/ {
node /^static\d*\.openstack\.org$/ { node /^static\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443], iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::static': class { 'openstack_project::static':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config', project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@@ -837,7 +793,6 @@ node /^zk\d+\.openstack\.org$/ {
{protocol => 'tcp', port => '3888', hostname => 'zk02.openstack.org'}, {protocol => 'tcp', port => '3888', hostname => 'zk02.openstack.org'},
{protocol => 'tcp', port => '3888', hostname => 'zk03.openstack.org'}, {protocol => 'tcp', port => '3888', hostname => 'zk03.openstack.org'},
], ],
sysadmins => hiera('sysadmins', []),
} }
class { '::zookeeper': class { '::zookeeper':
@@ -861,7 +816,6 @@ node /^status\d*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443], iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::status': class { 'openstack_project::status':
@@ -881,7 +835,6 @@ node /^survey\d+\.openstack\.org$/ {
$group = "survey" $group = "survey"
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443], iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::survey': class { 'openstack_project::survey':
@@ -905,7 +858,6 @@ node /^adns\d+\.openstack\.org$/ {
$group = 'adns' $group = 'adns'
class { 'openstack_project::server': class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_allowed_hosts => [ iptables_allowed_hosts => [
{protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'}, {protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'},
{protocol => 'tcp', port => '53', hostname => 'ns2.openstack.org'}, {protocol => 'tcp', port => '53', hostname => 'ns2.openstack.org'},
@@ -925,7 +877,6 @@ node /^ns\d+\.openstack\.org$/ {
$group = 'ns' $group = 'ns'
class { 'openstack_project::server': class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_public_udp_ports => [53], iptables_public_udp_ports => [53],
iptables_public_tcp_ports => [53], iptables_public_tcp_ports => [53],
} }
@@ -969,7 +920,6 @@ node 'nodepool.openstack.org' {
{protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'}, {protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'}, {protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
], ],
sysadmins => hiera('sysadmins', []),
iptables_public_tcp_ports => [80], iptables_public_tcp_ports => [80],
} }
@@ -1023,7 +973,6 @@ node /^nl\d+\.openstack\.org$/ {
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb") $clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server': class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_public_tcp_ports => [80], iptables_public_tcp_ports => [80],
} }
@@ -1086,7 +1035,6 @@ node /^nb\d+\.openstack\.org$/ {
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb") $clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server': class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
} }
@@ -1142,7 +1090,6 @@ node /^ze\d+\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [79, 7900], iptables_public_tcp_ports => [79, 7900],
sysadmins => hiera('sysadmins', []),
afs => true, afs => true,
} }
@@ -1257,7 +1204,6 @@ node /^zuul\d+\.openstack\.org$/ {
{protocol => 'tcp', port => '4730', hostname => 'zm07.openstack.org'}, {protocol => 'tcp', port => '4730', hostname => 'zm07.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm08.openstack.org'}, {protocol => 'tcp', port => '4730', hostname => 'zm08.openstack.org'},
], ],
sysadmins => hiera('sysadmins', []),
} }
class { '::project_config': class { '::project_config':
@@ -1348,7 +1294,6 @@ node /^zm\d+.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80], iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
} }
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
@@ -1383,7 +1328,6 @@ node /^zm\d+.openstack\.org$/ {
# Node-OS: trusty # Node-OS: trusty
node 'pbx.openstack.org' { node 'pbx.openstack.org' {
class { 'openstack_project::server': class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
# SIP signaling is either TCP or UDP port 5060. # SIP signaling is either TCP or UDP port 5060.
# RTP media (audio/video) uses a range of UDP ports. # RTP media (audio/video) uses a range of UDP ports.
iptables_public_tcp_ports => [5060], iptables_public_tcp_ports => [5060],
@@ -1408,8 +1352,6 @@ node /^backup\d+\..*\.ci\.openstack\.org$/ {
$group = "ci-backup" $group = "ci-backup"
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [], iptables_public_tcp_ports => [],
manage_exim => false,
purge_apt_sources => false,
} }
include openstack_project::backup_server include openstack_project::backup_server
} }
@@ -1417,7 +1359,6 @@ node /^backup\d+\..*\.ci\.openstack\.org$/ {
# Node-OS: trusty # Node-OS: trusty
node 'openstackid.org' { node 'openstackid.org' {
class { 'openstack_project::openstackid_prod': class { 'openstack_project::openstackid_prod':
sysadmins => hiera('sysadmins', []),
site_admin_password => hiera('openstackid_site_admin_password'), site_admin_password => hiera('openstackid_site_admin_password'),
id_mysql_host => hiera('openstackid_id_mysql_host', 'localhost'), id_mysql_host => hiera('openstackid_id_mysql_host', 'localhost'),
id_mysql_password => hiera('openstackid_id_mysql_password'), id_mysql_password => hiera('openstackid_id_mysql_password'),
@@ -1447,7 +1388,6 @@ node 'openstackid.org' {
# Node-OS: trusty # Node-OS: trusty
node 'openstackid-dev.openstack.org' { node 'openstackid-dev.openstack.org' {
class { 'openstack_project::openstackid_dev': class { 'openstack_project::openstackid_dev':
sysadmins => hiera('sysadmins', []),
site_admin_password => hiera('openstackid_dev_site_admin_password'), site_admin_password => hiera('openstackid_dev_site_admin_password'),
id_mysql_host => hiera('openstackid_dev_id_mysql_host', 'localhost'), id_mysql_host => hiera('openstackid_dev_id_mysql_host', 'localhost'),
id_mysql_password => hiera('openstackid_dev_id_mysql_password'), id_mysql_password => hiera('openstackid_dev_id_mysql_password'),
@@ -1484,7 +1424,6 @@ node 'kdc01.openstack.org' {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [88, 464, 749, 754], iptables_public_tcp_ports => [88, 464, 749, 754],
iptables_public_udp_ports => [88, 464, 749], iptables_public_udp_ports => [88, 464, 749],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::kdc': } class { 'openstack_project::kdc': }
@@ -1495,7 +1434,6 @@ node 'kdc04.openstack.org' {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [88, 464, 749, 754], iptables_public_tcp_ports => [88, 464, 749, 754],
iptables_public_udp_ports => [88, 464, 749], iptables_public_udp_ports => [88, 464, 749],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::kdc': class { 'openstack_project::kdc':
@@ -1509,9 +1447,7 @@ node 'afsdb01.openstack.org' {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007], iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
sysadmins => hiera('sysadmins', []),
afs => true, afs => true,
manage_exim => true,
} }
include openstack_project::afsdb include openstack_project::afsdb
@@ -1524,9 +1460,7 @@ node /^afsdb.*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007], iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
sysadmins => hiera('sysadmins', []),
afs => true, afs => true,
manage_exim => true,
} }
include openstack_project::afsdb include openstack_project::afsdb
@@ -1538,9 +1472,7 @@ node /^afs.*\..*\.openstack\.org$/ {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007], iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
sysadmins => hiera('sysadmins', []),
afs => true, afs => true,
manage_exim => true,
} }
include openstack_project::afsfs include openstack_project::afsfs
@@ -1551,7 +1483,6 @@ node 'ask.openstack.org' {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443], iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::ask': class { 'openstack_project::ask':
@@ -1568,7 +1499,6 @@ node 'ask.openstack.org' {
node 'ask-staging.openstack.org' { node 'ask-staging.openstack.org' {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443], iptables_public_tcp_ports => [22, 80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::ask_staging': class { 'openstack_project::ask_staging':
@@ -1583,7 +1513,6 @@ node /^translate\d+\.openstack\.org$/ {
$group = "translate" $group = "translate"
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::translate': class { 'openstack_project::translate':
admin_users => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk', admin_users => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
@@ -1612,7 +1541,6 @@ node /^translate\d+\.openstack\.org$/ {
node /^translate-dev\d*\.openstack\.org$/ { node /^translate-dev\d*\.openstack\.org$/ {
$group = "translate-dev" $group = "translate-dev"
class { 'openstack_project::translate_dev': class { 'openstack_project::translate_dev':
sysadmins => hiera('sysadmins', []),
admin_users => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk', admin_users => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
openid_url => 'https://openstackid-dev.openstack.org', openid_url => 'https://openstackid-dev.openstack.org',
listeners => ['ajp'], listeners => ['ajp'],
@@ -1633,7 +1561,6 @@ node /^codesearch\d*\.openstack\.org$/ {
$group = "codesearch" $group = "codesearch"
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80], iptables_public_tcp_ports => [80],
sysadmins => hiera('sysadmins', []),
} }
class { 'openstack_project::codesearch': class { 'openstack_project::codesearch':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config', project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',

1
modules/openstack_project/files/80retry
View File

@@ -1 +0,0 @@
APT::Acquire::Retries "20";

1
modules/openstack_project/files/90no-translations
View File

@@ -1 +0,0 @@
Acquire::Languages "none";

1
modules/openstack_project/files/bash-history.sh
View File

@@ -1 +0,0 @@
export HISTTIMEFORMAT="%Y-%m-%dT%T%z "

6
modules/openstack_project/files/centos7-puppetlabs.repo
View File

@@ -1,6 +0,0 @@
[puppetlabs-products]
name=Puppet Labs Products El 7 - $basearch
baseurl=http://yum.puppetlabs.com/el/7/products/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
enabled=1
gpgcheck=1

4
modules/openstack_project/files/debian_limits.conf
View File

@@ -1,4 +0,0 @@
# Original 1024
* soft nofile 4096
# Original 4096
* hard nofile 8192

69
modules/openstack_project/files/rsyslog.d_50-default.conf
View File

@@ -1,69 +0,0 @@
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
# Commenting out since we don't install xconsoles on headless servers.
#daemon.*;mail.*;\
# news.err;\
# *.=debug;*.=info;\
# *.=notice;*.=warn |/dev/xconsole

13
modules/openstack_project/files/sources.list.trusty.amd64
View File

@@ -1,13 +0,0 @@
# This file is kept updated by puppet, adapted from
# http://ubuntuguide.org/wiki/Ubuntu_Trusty_Packages_and_Repositories
deb http://us.archive.ubuntu.com/ubuntu trusty main restricted
deb http://us.archive.ubuntu.com/ubuntu trusty-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu trusty universe
deb http://us.archive.ubuntu.com/ubuntu trusty-updates universe
deb http://us.archive.ubuntu.com/ubuntu trusty multiverse
deb http://us.archive.ubuntu.com/ubuntu trusty-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb http://security.ubuntu.com/ubuntu trusty-security universe
deb http://security.ubuntu.com/ubuntu trusty-security multiverse

35
modules/openstack_project/files/sources.list.xenial.aarch64
View File

@@ -1,35 +0,0 @@
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted multiverse
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted multiverse
## Major bug fix updates produced after the final release of the
## distribution.
deb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted multiverse
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted multiverse
## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://ports.ubuntu.com/ubuntu-ports/ xenial universe
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial universe
deb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates universe
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates universe
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://ports.ubuntu.com/ubuntu-ports/ xenial-backports main restricted
# deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-backports main restricted
deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security main restricted multiverse
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security main restricted multiverse
deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security universe
deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security universe
# deb http://ports.ubuntu.com/ubuntu-ports/ xenial-security multiverse
# deb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-security multiverse

13
modules/openstack_project/files/sources.list.xenial.amd64
View File

@@ -1,13 +0,0 @@
# This file is kept updated by puppet, adapted from
# https://help.ubuntu.com/lts/serverguide/configuration.html
deb http://us.archive.ubuntu.com/ubuntu xenial main restricted
deb http://us.archive.ubuntu.com/ubuntu xenial-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu xenial universe
deb http://us.archive.ubuntu.com/ubuntu xenial-updates universe
deb http://us.archive.ubuntu.com/ubuntu xenial multiverse
deb http://us.archive.ubuntu.com/ubuntu xenial-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu xenial-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu xenial-security main restricted
deb http://security.ubuntu.com/ubuntu xenial-security universe
deb http://security.ubuntu.com/ubuntu xenial-security multiverse

81
modules/openstack_project/files/yum/yum-cron.conf
View File

@@ -1,81 +0,0 @@
[commands]
# What kind of update to use:
# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix update-minimal
# minimal-security = yum --security update-minimal
# minimal-security-severity:Critical = --sec-severity=Critical update-minimal
update_cmd = default
# Whether a message should be emitted when updates are available,
# were downloaded, or applied.
update_messages = yes
# Whether updates should be downloaded when they are available.
download_updates = yes
# Whether updates should be applied when they are available. Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes
# Maximum amout of time to randomly sleep, in minutes. The program
# will sleep for a random amount of time between 0 and random_sleep
# minutes before running. This is useful for e.g. staggering the
# times that multiple systems will access update servers. If
# random_sleep is 0 or negative, the program will run immediately.
# 6*60 = 360
random_sleep = 360
[emitters]
# Name to use for this system in messages that are emitted. If
# system_name is None, the hostname will be used.
system_name = None
# How to send messages. Valid options are stdio and email. If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages. If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via is None or left blank, no messages will be sent.
emit_via = stdio
# The width, in characters, that messages that are emitted should be
# formatted to.
output_width = 80
[email]
# The address to send email messages from.
# NOTE: 'localhost' will be replaced with the value of system_name.
email_from = root@localhost
# List of addresses to send messages to.
email_to = root
# Name of the host to connect to to send email messages.
email_host = localhost
[groups]
# NOTE: This only works when group_command != objects, which is now the default
# List of groups to update
group_list = None
# The types of group packages to install
group_package_types = mandatory, default
[base]
# This section overrides yum.conf
# Use this to filter Yum core messages
# -4: critical
# -3: critical+errors
# -2: critical+errors+warnings (default)
debuglevel = -2
# skip_broken = True
mdpolicy = group:main
# Uncomment to auto-import new gpg keys (dangerous)
# assumeyes = True

4
modules/openstack_project/manifests/ask.pp
View File

@@ -17,10 +17,6 @@ class openstack_project::ask (
$askbot_revision = '87086ebcefc5be29e80d3228e465e6bec4523fcf' $askbot_revision = '87086ebcefc5be29e80d3228e465e6bec4523fcf'
) { ) {
realize (
User::Virtual::Localuser['mkiss'],
)
file { '/srv/dist': file { '/srv/dist':
ensure => directory, ensure => directory,
owner => 'root', owner => 'root',

4
modules/openstack_project/manifests/ask_staging.pp
View File

@@ -13,10 +13,6 @@ class openstack_project::ask_staging (
$solr_version = '4.10.4' $solr_version = '4.10.4'
) { ) {
realize (
User::Virtual::Localuser['mkiss'],
)
file { '/srv/dist': file { '/srv/dist':
ensure => directory, ensure => directory,
owner => 'root', owner => 'root',

2
modules/openstack_project/manifests/cacti.pp
View File

@@ -1,6 +1,5 @@
# Class to configure cacti on a node. # Class to configure cacti on a node.
class openstack_project::cacti ( class openstack_project::cacti (
$sysadmins = [],
$cacti_hosts = [], $cacti_hosts = [],
$vhost_name = '', $vhost_name = '',
) { ) {
@@ -11,7 +10,6 @@ class openstack_project::cacti (
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
sysadmins => $sysadmins,
} }
class { '::apache': class { '::apache':

31
modules/openstack_project/manifests/firehose.pp
View File

@@ -15,7 +15,6 @@
# firehose glue class. # firehose glue class.
# #
class openstack_project::firehose ( class openstack_project::firehose (
$sysadmins = [],
$gerrit_username = 'germqtt', $gerrit_username = 'germqtt',
$gerrit_public_key, $gerrit_public_key,
$gerrit_private_key, $gerrit_private_key,
@@ -69,36 +68,6 @@ class openstack_project::firehose (
ensure => running, ensure => running,
} }
class {'::exim':
sysadmins => $sysadmins,
local_domains => "@:firehose.openstack.org",
default_localuser_router => false,
routers => [
{'cyrus' => {
'driver' => 'accept',
'domains' => '+local_domains',
'local_part_suffix' => '+*',
'local_part_suffix_optional' => true,
'transport' => 'cyrus',
}},
{'localuser' => {
'driver' => 'accept',
'check_local_user' => true,
'transport' => 'local_delivery',
'cannot_route_message' => 'Unknown user',
}}
],
transports => [
{'cyrus' => {
'driver' => 'lmtp',
'socket' => '/var/run/cyrus/socket/lmtp',
'user' => 'cyrus',
'batch_max' => '35',
}}
],
require => Package['cyrus-imapd'],
}
include lpmqtt include lpmqtt
class {'lpmqtt::server': class {'lpmqtt::server':
mqtt_username => $mqtt_username, mqtt_username => $mqtt_username,

9
modules/openstack_project/manifests/git.pp
View File

@@ -16,14 +16,12 @@
# #
# == Class: openstack_project::git # == Class: openstack_project::git
class openstack_project::git ( class openstack_project::git (
$sysadmins = [],
$balancer_member_names = [], $balancer_member_names = [],
$balancer_member_ips = [], $balancer_member_ips = [],
$selinux_mode = 'enforcing' $selinux_mode = 'enforcing'
) { ) {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 9418], iptables_public_tcp_ports => [80, 443, 9418],
sysadmins => $sysadmins,
} }
if ($::osfamily == 'RedHat') { if ($::osfamily == 'RedHat') {
@@ -148,6 +146,13 @@ class openstack_project::git (
notify => Service['rsyslog'], notify => Service['rsyslog'],
} }
# TODO(mordred) We should get this haproxy stuff ported to ansible ASAP.
# Ansible is the one installing rsyslog.
service { 'rsyslog':
ensure => running,
enable => true,
hasrestart => true,
}
# haproxy statsd # haproxy statsd

4
modules/openstack_project/manifests/groups.pp
View File

@@ -28,10 +28,6 @@ class openstack_project::groups (
$site_ssl_chain_file = '/etc/ssl/certs/groups.openstack.org_ca.pem', $site_ssl_chain_file = '/etc/ssl/certs/groups.openstack.org_ca.pem',
) { ) {
realize (
User::Virtual::Localuser['mkiss'],
)
vcsrepo { '/srv/groups-static-pages': vcsrepo { '/srv/groups-static-pages':
ensure => latest, ensure => latest,
provider => git, provider => git,

4
modules/openstack_project/manifests/groups_dev.pp
View File

@@ -25,10 +25,6 @@ class openstack_project::groups_dev (
$site_ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key', $site_ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key',
) { ) {
realize (
User::Virtual::Localuser['mkiss'],
)
# include drupal # include drupal
vcsrepo { '/srv/groups-static-pages': vcsrepo { '/srv/groups-static-pages':

4
modules/openstack_project/manifests/infracloud/baremetal.pp
View File

@@ -35,8 +35,4 @@ class openstack_project::infracloud::baremetal (
ipv4_subnet_mask => $ipv4_subnet_mask, ipv4_subnet_mask => $ipv4_subnet_mask,
} }
realize (
User::Virtual::Localuser['colleen'],
)
} }

5
modules/openstack_project/manifests/infracloud/controller.pp
View File

@@ -50,9 +50,4 @@ class openstack_project::infracloud::controller (
neutron_subnet_allocation_pools => $neutron_subnet_allocation_pools, neutron_subnet_allocation_pools => $neutron_subnet_allocation_pools,
mysql_max_connections => $mysql_max_connections, mysql_max_connections => $mysql_max_connections,
} }
realize (
User::Virtual::Localuser['colleen'],
)
} }

17
modules/openstack_project/manifests/kata_lists.pp
View File

@@ -1,28 +1,13 @@
# == Class: openstack_project::kata_lists # == Class: openstack_project::kata_lists
# #
class openstack_project::kata_lists( class openstack_project::kata_lists(
$listadmins,
$listpassword = '' $listpassword = ''
) { ) {
$listdomain = 'lists.katacontainers.io'
class { 'exim':
sysadmins => $listadmins,
queue_interval => '1m',
queue_run_max => '50',
mailman_domains => [$listdomain],
smtp_accept_max => '100',
smtp_accept_max_per_host => '10',
}
class { 'mailman': class { 'mailman':
vhost_name => $listdomain, vhost_name => 'lists.katacontainers.io'
} }
realize (
User::Virtual::Localuser['jbryce'],
)
Maillist { Maillist {
provider => 'noaliasmailman', provider => 'noaliasmailman',
} }

100
modules/openstack_project/manifests/lists.pp
View File

@@ -1,113 +1,13 @@
# == Class: openstack_project::lists # == Class: openstack_project::lists
# #
class openstack_project::lists( class openstack_project::lists(
$listadmins,
$listpassword = '' $listpassword = ''
) { ) {
$mm_domains='lists.openstack.org:lists.zuul-ci.org:lists.airshipit.org:lists.starlingx.io'
class { 'mailman': class { 'mailman':
multihost => true, multihost => true,
} }
class { 'exim':
sysadmins => $listadmins,
queue_interval => '1m',
queue_run_max => '50',
smtp_accept_max => '100',
smtp_accept_max_per_host => '10',
extra_aliases => {
'ambassadors-owner' => 'spam',
'community-owner' => 'spam',
'foundation-board-confidential-owner' => 'spam',
'foundation-board-owner' => 'spam',
'foundation-owner' => 'spam',
'legal-discuss-owner' => 'spam',
'mailman-owner' => 'spam',
'marketing-owner' => 'spam',
'openstack-announce-owner' => 'spam',
'openstack-dev-owner' => 'spam',
'openstack-docs-owner' => 'spam',
'openstack-fr-owner' => 'spam',
'openstack-i18n-owner' => 'spam',
'openstack-infra-owner' => 'spam',
'openstack-operators-owner' => 'spam',
'openstack-owner' => 'spam',
'openstack-qa-owner' => 'spam',
'openstack-security-owner' => 'spam',
'openstack-tc-owner' => 'spam',
'openstack-vi-owner' => 'spam',
'product-wg-owner' => 'spam',
'superuser-owner' => 'spam',
'user-committee-owner' => 'spam',
'women-of-openstack-owner' => 'spam',
'spam' => ':fail: delivery temporarily disabled due to ongoing spam flood',
},
local_domains => "@:$mm_domains",
routers => [
{'mailman_verp_router' => {
'driver' => 'dnslookup',
# we only consider messages sent in through loopback
'condition' => '${if or{{eq{$sender_host_address}{127.0.0.1}}\
{eq{$sender_host_address}{::1}}}{yes}{no}}',
# we do not do this for traffic going to the local machine
'domains' => '!+local_domains',
'ignore_target_hosts' => '<; 0.0.0.0; \
64.94.110.11; \
127.0.0.0/8; \
::1/128;fe80::/10;fe \
c0::/10;ff00::/8',
# only the un-VERPed bounce addresses are handled
'senders' => '"*-bounces@*"',
'transport' => 'mailman_verp_smtp',
}
},
{'mailman_router' => {
'driver' => 'accept',
'domains' => "$mm_domains",
'require_files' => '${lookup{${lc::$domain}}lsearch{/etc/mailman/sites}}/lists/${lc::$local_part}/config.pck',
'local_part_suffix_optional' => true,
'local_part_suffix' => '-admin : \
-bounces : -bounces+* : \
-confirm : -confirm+* : \
-join : -leave : \
-owner : -request : \
-subscribe : -unsubscribe',
'transport' => 'mailman_transport',
}
},
],
transports => [
{'mailman_transport' => {
'driver' => 'pipe',
'environment' => 'MAILMAN_SITE_DIR=${lookup{${lc:$domain}}lsearch{/etc/mailman/sites}}',
'command' => '/var/lib/mailman/mail/mailman \
\'${if def:local_part_suffix \
{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
{post}}\' \
$local_part',
'current_directory' => '/var/lib/mailman',
'home_directory' => '/var/lib/mailman',
'user' => 'list',
'group' => 'list',
}
},
{'mailman_verp_smtp' => {
'driver' => 'smtp',
'return_path' => '${local_part:$return_path}+$local_part=$domain@${domain:$return_path}',
'max_rcpt' => '1',
'headers_remove' => 'Errors-To',
'headers_add' => 'Errors-To: ${return_path}',
}
},
]
}
realize (
User::Virtual::Localuser['smaffulli'],
)
# Disable inactive admins # Disable inactive admins
user::virtual::disable { 'oubiwann': } user::virtual::disable { 'oubiwann': }
user::virtual::disable { 'rockstar': } user::virtual::disable { 'rockstar': }

2
modules/openstack_project/manifests/mirror_update.pp
View File

@@ -1,7 +1,6 @@
# == Class: openstack_project::mirror_update # == Class: openstack_project::mirror_update
# #
class openstack_project::mirror_update ( class openstack_project::mirror_update (
$sysadmins = [],
$bandersnatch_keytab = '', $bandersnatch_keytab = '',
$reprepro_keytab = '', $reprepro_keytab = '',
$admin_keytab = '', $admin_keytab = '',
@@ -16,7 +15,6 @@ class openstack_project::mirror_update (
include ::openstack_project::reprepro_mirror include ::openstack_project::reprepro_mirror
class { 'openstack_project::server': class { 'openstack_project::server':
sysadmins => $sysadmins,
afs => true, afs => true,
} }

7
modules/openstack_project/manifests/openstackid_dev.pp
View File

@@ -15,7 +15,6 @@
# openstackid idp(sso-openid) dev server # openstackid idp(sso-openid) dev server
# #
class openstack_project::openstackid_dev ( class openstack_project::openstackid_dev (
$sysadmins = [],
$site_admin_password = '', $site_admin_password = '',
$id_mysql_host = '', $id_mysql_host = '',
$id_mysql_user = '', $id_mysql_user = '',
@@ -62,14 +61,8 @@ class openstack_project::openstackid_dev (
$session_cookie_secure = false, $session_cookie_secure = false,
) { ) {
realize (
User::Virtual::Localuser['smarcet'],
User::Virtual::Localuser['mkiss'],
)
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
sysadmins => $sysadmins,
} }
class { 'openstackid': class { 'openstackid':

7
modules/openstack_project/manifests/openstackid_prod.pp
View File

@@ -15,7 +15,6 @@
# openstackid idp(sso-openid) server # openstackid idp(sso-openid) server
# #
class openstack_project::openstackid_prod ( class openstack_project::openstackid_prod (
$sysadmins = [],
$site_admin_password = '', $site_admin_password = '',
$id_mysql_host = '', $id_mysql_host = '',
$id_mysql_user = '', $id_mysql_user = '',
@@ -63,14 +62,8 @@ class openstack_project::openstackid_prod (
$session_cookie_secure = false, $session_cookie_secure = false,
) { ) {
realize (
User::Virtual::Localuser['smarcet'],
User::Virtual::Localuser['maxwell'],
)
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
sysadmins => $sysadmins,
} }
class { 'openstackid': class { 'openstackid':

39
modules/openstack_project/manifests/params.pp
View File

@@ -1,39 +0,0 @@
# Class: openstack_project::params
#
# This class holds parameters that need to be
# accessed by other classes.
class openstack_project::params {
$cross_platform_packages = [
'at',
'git',
'lvm2',
'parted',
'rsync',
'strace',
'tcpdump',
'wget',
]
case $::osfamily {
'RedHat': {
$packages = concat($cross_platform_packages, ['iputils', 'bind-utils'])
$user_packages = ['emacs-nox', 'vim-enhanced']
$login_defs = 'puppet:///modules/openstack_project/login.defs.redhat'
}
'Debian': {
$packages = concat($cross_platform_packages, ['iputils-ping', 'dnsutils'])
case $::operatingsystemrelease {
/^(12|14)\.(04|10)$/: {
$user_packages = ['emacs23-nox', 'vim-nox', 'iftop',
'sysstat', 'iotop']
}
default: {
$user_packages = ['emacs-nox', 'vim-nox']
}
}
$login_defs = 'puppet:///modules/openstack_project/login.defs.debian'
}
default: {
fail("Unsupported osfamily: ${::osfamily} The 'openstack_project' module only supports osfamily Debian or RedHat (slaves only).")
}
}
}

3
modules/openstack_project/manifests/pbx.pp
View File

@@ -18,9 +18,6 @@
class openstack_project::pbx ( class openstack_project::pbx (
$sip_providers = [], $sip_providers = [],
) { ) {
realize (
User::Virtual::Localuser['rbryant'],
)
class { 'asterisk': class { 'asterisk':
modules_conf_source => 'puppet:///modules/openstack_project/pbx/asterisk/modules.conf', modules_conf_source => 'puppet:///modules/openstack_project/pbx/asterisk/modules.conf',

2
modules/openstack_project/manifests/planet.pp
View File

@@ -1,11 +1,9 @@
# == Class: openstack_project::planet # == Class: openstack_project::planet
# #
class openstack_project::planet ( class openstack_project::planet (
$sysadmins = []
) { ) {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80], iptables_public_tcp_ports => [80],
sysadmins => $sysadmins,
} }
include ::planet include ::planet

4
modules/openstack_project/manifests/review_dev.pp
View File

@@ -43,10 +43,6 @@ class openstack_project::review_dev (
} }
} }
realize (
User::Virtual::Localuser['zaro'],
)
class { 'project_config': class { 'project_config':
url => $project_config_repo, url => $project_config_repo,
base => 'dev/', base => 'dev/',

278
modules/openstack_project/manifests/server.pp
View File

@@ -7,116 +7,21 @@ class openstack_project::server (
$iptables_rules4 = [], $iptables_rules4 = [],
$iptables_rules6 = [], $iptables_rules6 = [],
$iptables_allowed_hosts = [], $iptables_allowed_hosts = [],
$sysadmins = [],
$extra_aliases = {},
$pin_puppet = '3.', $pin_puppet = '3.',
$ca_server = undef, $ca_server = undef,
$enable_unbound = true, $enable_unbound = true,
$afs = false, $afs = false,
$afs_cache_size = 500000, $afs_cache_size = 500000,
$manage_exim = true,
$pypi_index_url = 'https://pypi.python.org/simple', $pypi_index_url = 'https://pypi.python.org/simple',
$purge_apt_sources = true,
) { ) {
include sudoers
include openstack_project::params
include openstack_project::users
class { 'openstack_project::users_install':
install_users => true,
}
class { 'timezone': class { 'timezone':
timezone => 'Etc/UTC', timezone => 'Etc/UTC',
} }
package { 'rsyslog': # Include ::apt while we work on the puppet->ansible transition
ensure => present, if ($::osfamily == 'Debian') {
} include ::apt
service { 'rsyslog':
ensure => running,
enable => true,
hasrestart => true,
require => Package['rsyslog'],
}
# Increase syslog message size in order to capture
# python tracebacks with syslog.
file { '/etc/rsyslog.d/99-maxsize.conf':
ensure => present,
# Note MaxMessageSize is not a puppet variable.
content => '$MaxMessageSize 6k',
owner => 'root',
group => 'root',
mode => '0644',
notify => Service['rsyslog'],
require => Package['rsyslog'],
}
if $::osfamily == 'Debian' {
file { '/etc/security/limits.d/60-nofile-limit.conf':
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/openstack_project/debian_limits.conf',
replace => true,
}
file { '/etc/apt/apt.conf.d/80retry':
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/80retry',
replace => true,
}
file { '/etc/apt/apt.conf.d/90no-translations':
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/90no-translations',
replace => true,
}
# Custom rsyslog config to disable /dev/xconsole noise on Debuntu servers
file { '/etc/rsyslog.d/50-default.conf':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
source =>
'puppet:///modules/openstack_project/rsyslog.d_50-default.conf',
replace => true,
notify => Service['rsyslog'],
require => Package['rsyslog'],
}
# Purge and augment existing /etc/apt/sources.list if requested, and make
# sure apt-get update is run before any packages are installed
class { '::apt':
purge => { 'sources.list' => $purge_apt_sources }
}
if $purge_apt_sources == true {
file { '/etc/apt/sources.list.d/openstack-infra.list':
ensure => present,
group => 'root',
mode => '0444',
owner => 'root',
source => "puppet:///modules/openstack_project/sources.list.${::lsbdistcodename}.${::architecture}",
}
exec { 'update-apt':
command => 'apt-get update',
refreshonly => true,
path => '/bin:/usr/bin',
subscribe => File['/etc/apt/sources.list.d/openstack-infra.list'],
}
Exec['update-apt'] -> Package <| |>
}
}
package { $::openstack_project::params::packages:
ensure => present
} }
########################################################### ###########################################################
@@ -124,45 +29,6 @@ class openstack_project::server (
include '::ntp' include '::ntp'
if ($::osfamily == "RedHat") {
# Utils in ntp-perl are included in Debian's ntp package; we
# add it here for consistency. See also
# https://tickets.puppetlabs.com/browse/MODULES-3660
package { 'ntp-perl':
ensure => present
}
# NOTE(pabelanger): We need to ensure ntpdate service starts on boot for
# centos-7. Currently, ntpd explicitly require ntpdate to be running before
# the sync process can happen in ntpd. As a result, if ntpdate is not
# running, ntpd will start but fail to sync because of DNS is not properly
# setup.
package { 'ntpdate':
ensure => present,
}
service { 'ntpdate':
enable => true,
require => Package['ntpdate'],
}
package { 'yum-cron':
ensure => present,
}
file { '/etc/yum/yum-cron.conf':
ensure => present,
owner => root,
group => root,
mode => '0644',
source => 'puppet:///modules/openstack_project/yum/yum-cron.conf',
replace => true,
require => Package['yum-cron'],
notify => Service['yum-cron'],
}
service { 'yum-cron':
enable => true,
ensure => running,
require => Package['yum-cron'],
}
}
########################################################### ###########################################################
# Manage Root ssh # Manage Root ssh
@@ -171,24 +37,6 @@ class openstack_project::server (
trusted_ssh_source => '23.253.245.198,2001:4800:7818:101:3c21:a454:23ed:4072,23.253.234.219,2001:4800:7817:103:be76:4eff:fe04:5a1d', trusted_ssh_source => '23.253.245.198,2001:4800:7818:101:3c21:a454:23ed:4072,23.253.234.219,2001:4800:7817:103:be76:4eff:fe04:5a1d',
} }
if ! defined(File['/root/.ssh']) {
file { '/root/.ssh':
ensure => directory,
mode => '0700',
}
}
ssh_authorized_key { 'puppet-remote-2014-09-15':
ensure => present,
user => 'root',
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp',
options => [
'from="23.253.245.198,2001:4800:7818:101:3c21:a454:23ed:4072,23.253.234.219,2001:4800:7817:103:be76:4eff:fe04:5a1d,localhost"',
],
require => File['/root/.ssh'],
}
########################################################### ###########################################################
# Process if ( $high_level_directive ) blocks # Process if ( $high_level_directive ) blocks
@@ -198,13 +46,6 @@ class openstack_project::server (
} }
} }
if $manage_exim {
class { 'exim':
sysadmins => $sysadmins,
extra_aliases => $extra_aliases,
}
}
if $afs { if $afs {
class { 'openafs::client': class { 'openafs::client':
cell => 'openstack.org', cell => 'openstack.org',
@@ -244,117 +85,4 @@ class openstack_project::server (
allowed_hosts => $iptables_allowed_hosts, allowed_hosts => $iptables_allowed_hosts,
} }
# We don't like byobu
file { '/etc/profile.d/Z98-byobu.sh':
ensure => absent,
}
# Setup RFC3339 bash history timestamps
file { '/etc/profile.d/bash-history.sh':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/openstack_project/bash-history.sh',
}
if $::osfamily == 'Debian' {
# Ubuntu installs their whoopsie package by default, but it eats through
# memory and we don't need it on servers
package { 'whoopsie':
ensure => absent,
}
package { 'popularity-contest':
ensure => absent,
}
}
###########################################################
# Manage python/pip
$desired_virtualenv = '15.1.0'
class { '::pip':
index_url => $pypi_index_url,
optional_settings => {
'extra-index-url' => '',
},
manage_pip_conf => true,
}
if (( versioncmp($::virtualenv_version, $desired_virtualenv) < 0 )) {
$virtualenv_ensure = $desired_virtualenv
} else {
$virtualenv_ensure = present
}
package { 'virtualenv':
ensure => $virtualenv_ensure,
provider => openstack_pip,
require => Class['pip'],
}
###########################################################
# Turn off puppet service
service { 'puppet':
ensure => stopped,
enable => false,
}
if $::osfamily == 'Debian' {
file { '/etc/default/puppet':
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/puppet.default',
replace => true,
}
}
###########################################################
# Set up puppet repos
if ($::osfamily == 'Debian') {
# NOTE(pabelanger): Puppetlabs only support Ubuntu Trusty and below,
# anything greater will use the OS version of puppet.
if ($::operatingsystemrelease < '15.04') {
include ::apt
apt::source { 'puppetlabs':
location => 'http://apt.puppetlabs.com',
repos => 'main',
key => {
'id' =>'47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
'server' => 'pgp.mit.edu',
},
}
}
}
if ($::operatingsystem == 'CentOS') {
file { '/etc/yum.repos.d/puppetlabs.repo':
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_project/centos7-puppetlabs.repo',
replace => true,
}
}
# Disable cloud-init
file { '/etc/cloud':
ensure => directory,
}
file { '/etc/cloud/cloud-init.disabled':
ensure => file,
require => File['/etc/cloud'],
}
if ($::lsbdistcodename == 'xenial' and $::architecture == 'aarch64') {
# Make sure we install the HWE kernel for arm64; it's 4.13 v 4.3
# and works much better on linaro cloud
ensure_packages(['linux-generic-hwe-16.04'])
}
} }

39
modules/openstack_project/manifests/storyboard.pp
View File

@@ -6,7 +6,6 @@ class openstack_project::storyboard(
$mysql_user = '', $mysql_user = '',
$rabbitmq_user = 'storyboard', $rabbitmq_user = 'storyboard',
$rabbitmq_password, $rabbitmq_password,
$sysadmins = [],
$superusers = $superusers =
'puppet:///modules/openstack_project/storyboard/superusers.yaml', 'puppet:///modules/openstack_project/storyboard/superusers.yaml',
$ssl_cert = undef, $ssl_cert = undef,
@@ -28,47 +27,9 @@ class openstack_project::storyboard(
} }
class { 'openstack_project::server': class { 'openstack_project::server':
sysadmins => $sysadmins,
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
manage_exim => false,
} }
class { '::exim':
sysadmins => $sysadmins,
routers => [
{'storyboard_verp_router' => {
'driver' => 'dnslookup',
# we only consider messages sent in through loopback
'condition' => '${if or{{eq{$sender_host_address}{127.0.0.1}}\
{eq{$sender_host_address}{::1}}}{yes}{no}}',
# we do not do this for traffic going to the local machine
'domains' => '!+local_domains',
'ignore_target_hosts' => '<; 0.0.0.0; 64.94.110.11; 127.0.0.0/8; \
::1/128;fe80::/10;fec0::/10;ff00::/8',
# only the un-VERPed bounce addresses are handled
'senders' => '"*-bounces@*"',
'transport' => 'storyboard_verp_smtp',
}},
# Send bounces to /dev/null until storyboard supports them.
{'storyboard' => {
'driver' => 'redirect',
'local_parts' => 'storyboard',
'local_part_suffix_optional' => true,
'local_part_suffix' => '-bounces : -bounces+*',
'data' => ':blackhole:',
}}
],
transports => [
{'storyboard_verp_smtp' => {
'driver' => 'smtp',
'return_path' => '${local_part:$return_path}+$local_part\
=$domain@${domain:$return_path}',
'max_rcpt' => '1',
'headers_remove' => 'Errors-To',
'headers_add' => 'Errors-To: ${return_path}',
}}
],
}
mysql_backup::backup_remote { 'storyboard': mysql_backup::backup_remote { 'storyboard':
database_host => $mysql_host, database_host => $mysql_host,

9
modules/openstack_project/manifests/storyboard/dev.pp
View File

@@ -6,7 +6,6 @@ class openstack_project::storyboard::dev(
$mysql_user = '', $mysql_user = '',
$rabbitmq_user = 'storyboard', $rabbitmq_user = 'storyboard',
$rabbitmq_password, $rabbitmq_password,
$sysadmins = [],
$ssl_cert_file_contents = undef, $ssl_cert_file_contents = undef,
$ssl_key_file_contents = undef, $ssl_key_file_contents = undef,
$ssl_chain_file_contents = undef, $ssl_chain_file_contents = undef,
@@ -21,7 +20,6 @@ class openstack_project::storyboard::dev(
class { 'openstack_project::storyboard': class { 'openstack_project::storyboard':
project_config_repo => $project_config_repo, project_config_repo => $project_config_repo,
sysadmins => $sysadmins,
superusers => superusers =>
'puppet:///modules/openstack_project/storyboard/dev_superusers.yaml', 'puppet:///modules/openstack_project/storyboard/dev_superusers.yaml',
mysql_host => $mysql_host, mysql_host => $mysql_host,
@@ -39,11 +37,4 @@ class openstack_project::storyboard::dev(
default_url => $default_url, default_url => $default_url,
} }
realize (
User::Virtual::Localuser['SotK'],
User::Virtual::Localuser['Zara'],
User::Virtual::Localuser['diablo_rojo'],
)
} }

6
modules/openstack_project/manifests/summit.pp
View File

@@ -1,14 +1,8 @@
class openstack_project::summit ( class openstack_project::summit (
$sysadmins = []
) { ) {
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80], iptables_public_tcp_ports => [22, 80],
sysadmins => $sysadmins
} }
realize (
User::Virtual::Localuser['ttx'],
)
} }
# vim:sw=2:ts=2:expandtab:textwidth=79 # vim:sw=2:ts=2:expandtab:textwidth=79

2
modules/openstack_project/manifests/translate_dev.pp
View File

@@ -20,7 +20,6 @@ class openstack_project::translate_dev(
$mysql_user = 'zanata', $mysql_user = 'zanata',
$mysql_password, $mysql_password,
$admin_users = '', $admin_users = '',
$sysadmins = [],
$zanata_server_user = '', $zanata_server_user = '',
$zanata_server_api_key = '', $zanata_server_api_key = '',
$project_config_repo = '', $project_config_repo = '',
@@ -37,7 +36,6 @@ class openstack_project::translate_dev(
) { ) {
class { 'openstack_project::server': class { 'openstack_project::server':
sysadmins => $sysadmins,
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
} }

280
modules/openstack_project/manifests/users.pp
View File

@@ -1,280 +0,0 @@
# == Class: openstack_project::users
#
class openstack_project::users {
# Make sure we have our UID/GID account minimums for dynamic users set higher
# than we'll use for static assignments, so as to avoid future conflicts.
include ::openstack_project::params
file { '/etc/login.defs':
ensure => present,
group => 'root',
mode => '0644',
owner => 'root',
source => $::openstack_project::params::login_defs,
}
User::Virtual::Localuser {
require => File['/etc/login.defs']
}
@user::virtual::localuser { 'mordred':
realname => 'Monty Taylor',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDLsTZJ8hXTmzjKxYh/7V07mIy8xl2HL+9BaUlt6A6TMsL3LSvaVQNSgmXX5g0XfPWSCKmkZb1O28q49jQI2n7n7+sHkxn0dJDxj1N2oNrzNY7pDuPrdtCijczLFdievygXNhXNkQ2WIqHXDquN/jfLLJ9L0jxtxtsUMbiL2xxZEZcaf/K5MqyPhscpqiVNE1MjE4xgPbIbv8gCKtPpYIIrktOMb4JbV7rhOp5DcSP5gXtLhOF5fbBpZ+szqrTVUcBX0oTYr3iRfOje9WPsTZIk9vBfBtF416mCNxMSRc7KhSW727AnUu85hS0xiP0MRAf69KemG1OE1pW+LtDIAEYp',
key_id => 'mordred@camelot',
uid => 2000,
gid => 2000,
}
@user::virtual::localuser { 'corvus':
realname => 'James E. Blair',
sshkeys => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAvKYcWK1T7e3PKSFiqb03EYktnoxVASpPoq2rJw2JvhsP0JfS+lKrPzpUQv7L4JCuQMsPNtZ8LnwVEft39k58Kh8XMebSfaqPYAZS5zCNvQUQIhP9myOevBZf4CDeG+gmssqRFcWEwIllfDuIzKBQGVbomR+Y5QuW0HczIbkoOYI6iyf2jB6xg+bmzR2HViofNrSa62CYmHS6dO04Z95J27w6jGWpEOTBjEQvnb9sdBc4EzaBVmxCpa2EilB1u0th7/DvuH0yP4T+X8G8UjW1gZCTOVw06fqlBCST4KjdWw1F/AuOCT7048klbf4H+mCTaEcPzzu3Fkv8ckMWtS/Z9Q==',
key_id => 'jeblair@operational-necessity',
uid => 2001,
gid => 2001,
}
@user::virtual::localuser { 'smaffulli':
realname => 'Stefano Maffulli',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDD/zAvXaOUXCAT6/B4sCMu/38d/PyOIg/tYsYFAMgfDUzuZwkjZWNGrTpp/HFrOAZISER5KmOg48DKPvm91AeZOHfAXHCP6x9/FcogP9rmc48ym1B5XyIc78QVQjgN6JMSlEZsl0GWzFhQsPDjXundflY07TZfSC1IhpG9UgzamEVFcRjmNztnBuvq2uYVGpdI+ghmqFw9kfvSXJvUbj/F7Pco5XyJBx2e+gofe+X/UNee75xgoU/FyE2a6dSSc4uP4oUBvxDNU3gIsUKrSCmV8NuVQvMB8C9gXYR+JqtcvUSS9DdUAA8StP65woVsvuU+lqb+HVAe71JotDfOBd6f',
key_id => 'stefano@mattone-E6420',
uid => 2002,
gid => 2002,
}
# NOTE(pabelanger): Inactive user
@user::virtual::localuser { 'oubiwann':
realname => 'Duncan McGreggor',
sshkeys => '',
key_id => 'oubiwann@rhosgobel',
uid => 2003,
gid => 2003,
}
# NOTE(pabelanger): Inactive user
@user::virtual::localuser { 'rockstar':
realname => 'Paul Hummer',
sshkeys => '',
key_id => 'rockstar@spackrace.local',
uid => 2004,
gid => 2004,
}
@user::virtual::localuser { 'clarkb':
realname => 'Clark Boylan',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCnfoVhOTkrY7uoebL8PoHXb0Fg4jJqGCbwkxUdNUdheIdbnfyjuRG3iL8WZnzf7nzWnD+IGo6kkAo8BkNMK9L0P0Y+5IjI8NH49KU22tQ1umij4EIf5tzLh4gsqkJmy6QLrlbf10m6UF4rLFQhKzOd4b2H2K6KbP00CIymvbW3BwvNDODM4xRE2uao387qfvXZBUkB0PpRD+7fWPoN58gpFUm407Eba3WwX5PCD+1DD+RVBsG8maIDXerQ7lvFLoSuyMswv1TfkvCj0ZFhSFbfTd2ZysCu6eryFfeixR7NY9SNcp9YTqG6LrxGA7Ci6wz+hycFHXlDrlBgfFJDe5At',
key_id => 'clark@work',
old_keys => [
'boylandcl@boylancl1',
],
uid => 2005,
gid => 2005,
}
@user::virtual::localuser { 'rlane':
realname => 'Ryan Lane',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCdtI7H+fsgSrjrdG8aGVcrN0GFW3XqLVsLG4n7JW4qH2W//hqgdL7A7cNVQNPoB9I1jAqvnO2Ct6wrVSh84QU89Uufw412M3qNSNeiGgv2c2KdxP2XBrnsLYAaJRbgOWJX7nty1jpO0xwF503ky2W3OMUsCXMAbYmYNSod6gAdzf5Xgo/3+eXRh7NbV1eKPrzwWoMOYh9T0Mvmokon/GXV5PiAA2bIaQvCy4BH/BzWiQwRM7KtiEt5lHahY172aEu+dcWxciuxHqkYqlKhbU+x1fwZJ+MpXSj5KBU+L0yf3iKySob7g6DZDST/Ylcm4MMjpOy8/9Cc6Xgpx77E/Pvd',
key_id => 'laner@Free-Public-Wifi.local',
uid => 2006,
gid => 2006,
}
@user::virtual::localuser { 'fungi':
realname => 'Jeremy Stanley',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQD3KnRBTH5QPpKjf4RWu4akzYt2gwp796cMkFl5vu8e7G/cHuh4979FeNJXMVP6F3rvZB+yXDHLCU5LBVLq0K+1GbAZT/hH38hpMOIvniwKIquvI6C/drkVPHO6YmVlapw/NI530PGnT/TAqCOycHBO5eF1bYsaqV1yZqvs9v7UZc6J4LukoLZwpmyWZ5P3ltAiiy8+FGq3SLCKWDMmv/Bjz4zTsaNbSWThJi0BydINjC1/0ze5Tyc/XgW1sDuxmmXJxgQp4EvLpronqb2hT60iA52kj8lrmoCIryRpgnbaRA7BrxKF8zIr0ZALHijxEUeWHhFJDIVRGUf0Ef0nrmBv',
key_id => 'fungi-openstack-2015',
old_keys => [
'fungi-openstack-2012',
'fungi-openstack-2013',
'fungi-openstack-2014',
],
uid => 2007,
gid => 2007,
}
@user::virtual::localuser { 'ttx':
realname => 'Thierry Carrez',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDCGpMtSehQNZL0/EJ7VUbklJygsxvii2Qi4HPSUFcLJUWAx4VltsmPkmx43D9ITwnRPRMPNtZrOvhY7v0myVlFuRnyTYAqZwigf5gxrktb+4PwCWb+2XobziUVnfJlbOTjneWSTYoZ+OjTaWd5AcVbUvgYAP2qbddycc5ACswpPDo5VrS6fQfCwE4z3BqLFNeOnqxbECHwHeFYIR6Kd6mnKAzDNZxZIkviWg9eIwwuFf5V5bUPiVkeFHVL3EJlCoYs2Em4bvYZBtrV7kUseN85X/+5Uail4uYBEcB3GLL32e6HeD1Qk4xIxLTI2bFPGUp0Oq7iPgrQQe4zCBsGi7Dx+JVy+U0JqLLAN94UPCn2fhsX7PdKfTPcxFPFKeX/PRutkb7qxdbS2ubCdOEhc6WN7OkQmbdK8lk6ms4v4dFc0ooMepWELqKC6thICsVdizpuij0+h8c4SRD3gtwGDPxrkJcodPoAimVVlW1p+RpMxsCFrK473TzgeNPVeAdSZVpqZ865VOwFqoFQB6WpmCDZQPFlkS2VDe9R54ePDHWKYLvVW6yvQqWTx3KrIrS1twSoydj+gADgBYsZaW5MNkWYHAWotEX67j6fMZ6ZSTS5yaTeLywB2Ykh0kjo4jpTFk5JNL7DINkfmCEZMLw60da29iN4QzAJr9cP1bwjf/QDqw==',
key_id => 'ttx@mercury',
uid => 2008,
gid => 2008,
}
@user::virtual::localuser { 'rbryant':
realname => 'Russell Bryant',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDZVikFz5KoRg3gKdiSa3PQ0i2bN5+bUyc4lMMg6P+jEStVddwN+nAgpa3zJaokmNAOp+MjcGa7K1Zi4b9Fe2ufusTzSKdNVlRDiw0R4Lk0LwTIfkhLywKvgcAz8hkqWPUIgTMU4xIizh50KTL9Ttsu9ULop8t7urTpPE4TthHX4nz1Y9NwYLU0W8cWhzgRonBbqtGs/Lif0NC+TdWGkVyTaP3x1A48s0SMPcZKln1hDv7KbKdknG4XyS4jlr4qI+R+har7m2ED/PH93PSXi5QnT4U6laWRg03HTxpPKWq077u/tPW9wcbkgpBcYMmDKTo/NDPtoN+r/jkbdW7zKJHx',
key_id => 'russel@russelbryant.net',
uid => 2009,
gid => 2009,
}
@user::virtual::localuser { 'pabelanger':
realname => 'Paul Belanger',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCuP0CZE8AYnbm8gxecCxKeRw0wHRyryd+FKmNNsdr0d3UvfCbqNzLigrqEBZsKpofi3M4qCWNpKRyfhnjPynLTQjP1vnX9AbL9UGoiHxScfvh3skntTYMs9ezJRd0rMJJZO76FPo8bJLDlwxAQl8m/nuj3HfYiO5hYE7P+a3rhsJh4nEfBb7xh+Q5yM0PWObkkBl6IRiBYjlcsXNZHgTA5kNuihUk5bHqAw54sHh05DhpgOITpTw4LFbh4Ew2NKq49dEb2xbTuAyAr2DHNOGgIwKEZpwtKZEIGEuiLbb4DQRsfivrvyOjnK2NFjQzGyNOHfsOldWHRQwUKUs8nrxKdXvqcrfMnSVaibeYK2TRL+6jd9kc5SIhWI3XLm7HbX7uXMD7/JQrkL25Rcs6nndDCH72DJLz+ynA/T5umMbNBQ9tybL5z73IOpfShRGjQYego22CxDOy7e/5OEMHNoksbFb1S02viM9O2puS7LDqqfT9JIbbPqCrbRi/zOXo0f4EXo6xKUAmd8qlV+6f/p57/qFihzQDaRFVlFEH3k7qwsw7PYGUTwkPaThe6xyZN6D5jqxCZU3aSYu+FGb0oYo+M5IxOm0Cb4NNsvvkRPxWtwSayfFGu6+m/+/RyA3GBcAMev7AuyKN+K2vGMsLagHOx4i+5ZAcUwGzLeXAENNum3w==',
key_id => 'pabelanger@redhat.com',
uid => 2010,
gid => 2010,
}
@user::virtual::localuser { 'mkiss':
realname => 'Marton Kiss',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCb5qdaiKaRqBRgLW8Df+zD3C4a+gO/GFZYEDEd5nvk+LDGPuzi6s639DLqdfx6yvJ1sxxNUOOYhE/T7raDeS8m8fjk0hdVzARXraYDbckt6AELl7B16ZM4aEzjAPoSByizmfwIVkO1zP6kghyumV1kr5Nqx0hTd5/thIzgwdaGBY4I+5iqcWncuLyBCs34oTh/S+QFzjmMgoT86PrdLSsBIINx/4rb2Br2Sb6pRHmzbU+3evnytdlDFwDUPfdzoCaQEdXtjISC0xBdmnjEvHJYgmSkWMZGgRgomrA06Al9M9+2PR7x+burLVVsZf9keRoC7RYLAcryRbGMExC17skL',
key_id => 'marton.kiss@gmail.com',
uid => 2011,
gid => 2011,
}
@user::virtual::localuser { 'smarcet':
realname => 'Sebastian Marcet',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDP5ce0Ywtbgi3LGMZWA5Zlv/EQ07F/gWnZOMN6TRfiCiiBNyf8ARtKgmYSINS8W537HJYBt3qTfa5xkZmpBrtE6x8OTfR5y1L+x/PrLTUkQhVDY19EixD9wDIrQIIjo2ZVq+zErXBRQuGmJ3Hl+OGw+wtvGS8f768kMnwhKUgyITjWV2tKr/q88J8mBOep48XUcRhidDWsOjgIDJQeY2lbsx1bbZ7necrJS17PHqxhUbWntyR/VKKbBbrNmf2bhtTRUSYoJuqabyGDTZ0J25A88Qt2IKELy6jsVTxHj9Y5D8oH57uB7GaNsNiU+CaOcVfwOenES9mcWOr1t5zNOdrp',
key_id => 'smarcet@gmail.com',
uid => 2012,
gid => 2012,
}
@user::virtual::localuser { 'zaro':
realname => 'Khai Do',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDJqB//ilMx7Y1tKzviAn/6yeXSRAi2VnaGN0/bfaa5Gciz+SWt8vAEAUE99fzuqeJ/ezjkuIXDFm/sjZr93y567a6sDT6CuhVUac1FZIhXRTs0J+pBOiENbwQ7RZxbkyNHQ0ndvtz3kBA1DF5D+MDkluBlIWb085Z31rFJmetsB2Zb8s1FKUjHVk/skyeKSj0qAK5KN3Wme6peWhYjwBiM0gUlxIsEZM6JLYdoPIbD5B8GYAktMN2FvJU9LgKGL93jLZ/vnMtoQIHHAG/85NdPURL1Zbi92Xlxbm4LkbcHnruBdmtPfSgaEupwJ+zFmK264OHD7QFt10ztPMbAFCFn',
key_id => 'khaido@khaido-HP-EliteBook-Folio-9470m',
uid => 2013,
gid => 2013,
}
@user::virtual::localuser { 'slukjanov':
realname => 'Sergey Lukjanov',
sshkeys => '',
uid => 2014,
gid => 2014,
}
@user::virtual::localuser { 'elizabeth':
realname => 'Elizabeth K. Joseph',
sshkeys => '',
uid => 2015,
gid => 2015,
}
@user::virtual::localuser { 'jhesketh':
realname => 'Joshua Hesketh',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQC3onVLOZiiGpQWTCIV0QwHmc3Jvqyl7UaJxIu7D49OQcLHqVZsozI9pSiCdTnWyAaM+E+5wD9yVcSTqMWqn2AZmZSwQ+Fh6KnCgPZ/o63+iCZPGL0RNk20M1iNh5dvdStDnn+j2fpeV/JONF0tBn07QvNL2eF4BwtbTG9Zhl186QNsXjXDghrSO3Etl6DSfcUhxyvMoA2LnclWWD5hLmiRhcBm+PIxveVsr4B+o0k1HV5SUOvJMWtbEC37AH5I818O4fNOob6CnOFaCsbA9oUDzB5rqxutPZb9SmNJpNoLqYqDgyppM0yeql0Kn97tUt7H4j5xHrWoGnJ4IXfuDc0AMmmy4fpcLGkNf7zcBftKS6iz/3AlOXjlp5WZvKxngJj9HIir2SE/qV4Lxw9936BzvAcQyw5+bEsLQJwi+LPZxEqLC6oklkX9dg/+1yBFHsz6mulA0b4Eq7VF9omRzrhhN4iPpU5KQYPRNz7yRYckXDxYnp2lz6yHgSYh2/lqMc+UqmCL9EAWcDw3jsgvJ6kH/YUVUojiRHD9QLqlhOusu1wrTfojjwF05mqkXKmH+LH8f8AJAlMdYg0c2WLlrcxnwCkLLxzU5cYmKcZ41LuLtQR3ik+EKjYzBXXyCEzFm6qQEbR2akpXyxvONgrf7pijrgNOi0GeatUt0bUQcAONYw==',
key_id => 'jhesketh@infra',
uid => 2016,
gid => 2016,
}
@user::virtual::localuser { 'nibz':
realname => 'Spencer Krum',
sshkeys => '',
uid => 2017,
gid => 2017,
}
@user::virtual::localuser { 'yolanda':
realname => 'Yolanda Robla',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDSR2NmJC8PSanHUpKJuaMmohG80COO2IPkE3Mxhr7US8P1B3p1c6lOrT6M1txRzBY8FlbxfOinGtutP+ADCB2taXfpO8UiaG9eOqojAT/PeP2Y2ov72rVMSWupLozUv2uAR5yyFVFHOjKPYGAa01aJtfzfJujSak8dM0ifFeFwgp/8RBGEfC7atq+45TdrfAURRcEgcOLiF5Aq6fprCOwpllnrH6VoId9YS7u/5xF2/zBjr9PuOP7jEgCaL/+FNqu7jgj87aG5jiZPlweb7GTLJON9H6eFpyfpoJE0sZ1yR9Q+e9FAqQIA44Zi748qKBlFKbLxzoC4mc0SbNUAleEL',
key_id => 'yolanda@infra',
uid => 2018,
gid => 2018,
}
@user::virtual::localuser { 'rcarrillocruz':
realname => 'Ricardo Carrillo Cruz',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQCz1CW5E87v8o7O8B5fe7j1uaPCToRdaBukjH2HzQZ+DSGTIPjirLpp5ZXPuyNnmtRMzwld6mlHYlevVEwuZTNyQwS7ut5o0LjyW6yoEcvPq0xMEZLxaso5dZAtzNgf3FzbtaUYBnkhSwX7c24lf8wPGAl7TC3yO0dePQh2lXVdaBiGB9ybVeQr+kwJIxleUE4puuQ+ONJE2D+hHjoQ/huUMpb996pb/YzkjkAxqHguMid0c1taelyW8n17nEDoWvlV9Qqbo8cerhgURo1OBt2zENLjQQ0kOkPxJx4qx3652e0kbkr11y50r9BMs418mnJdWselMxkSqQNZ+XotoH5Dwn+3K2a6Wv4OX3Dqb9SF/JTD7lA/tIkNfxgsRlzfEQ01rK1+g7Je10EnDCLEzHpFjvZ5q4EEMcYqY+osLFpHAOWGLMx+3eY4pz/xEzRP/x3sjGU09uNOZ3oCWUfSkE4xebnnWtxwWZKyFmv3GHtaqJn2UvpAbODPEYyYcOS3XV3zd233W3C09YYnFUyZbGLXpD05Yet5fZfGTnveMRn5/9LZai+dBPwoMWUJdX4yPnGXgOG8zk0u1nWfcNJfYg+xajSUDiMKjDhlkuFK/GXNYuINe42s1TxzL7pJ4X4UhqLiopeJvPg/U5xdCV5pxVKf1MVenrGe2pfwf1Yr2WMv5w==',
key_id => 'rcarrillocruz@infra',
uid => 2019,
gid => 2019,
}
@user::virtual::localuser { 'krotscheck':
realname => 'Michael Krotscheck',
sshkeys => '',
uid => 2020,
gid => 2020,
}
@user::virtual::localuser { 'colleen':
realname => 'Colleen Murphy',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDcHzySqYlH1TfAPx5PaVzqkuMbI3zksJ5E2aZBlsIN7wNSoyO0Dts6HegHZIgi5NGT05wRBAUMCNZwupqFoWDg41JBKzPKITkqvEe/FnNmJFxt591ltXigZZ+ZLoX8B12nww/eeA5nx9PT4hIsLQG50MxEm0iC4ApusaAXMXa7+gTDkzf6yyl4QwinyFFTYtyJwFw5XfQXXRQwL8Qv6mVGrhDz3Fj4VWawByQuxRHgt5G3Ux/PnZzatJ3tuSK66o1uXrvuOiGdUtDCuAFUx+kgcmUTpCC6vgMZdDbrfyw0CGxkmAUNfeEMOw0TWbdioJ2FwH5+4BEvMgiFgsCTjIwDqqyFV9eK8sd0mbJ+I82EyOXPlFPKGan6Ie6LD1qotdUW9vT3pfpR/44s/Id2un3FBnVg7GZkGJshikGO1UqjmZfhEpQ6Q+auLir+mBv2X/ril6qJ2NuQpwMRVzZmriPMxdJDs6xhzg2fGEYRvEvh0kzsqNf4OgKbSWiVOB3WALM30Cx3YdmnB6JonRGA+6CqD+LO4HQMbD7LBVcYzEIS1WtP8aPx/NiybemrF0LWmIgl34A0Tpcc+5MLzzUtgUt6lYFyWxltCP43u1N7ODH+FsFALzo6CO9DjyMxEd6Ay61hyx8Btfhn8NH/wEdCQj1WAMHU+d2ljk5ndAfp8c6LRQ==',
key_id => 'krinkle@gir',
uid => 2021,
gid => 2021,
}
@user::virtual::localuser { 'Zara':
realname => 'Zara Zaimeche',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCt9wQvGgQIvLvifm7n5g+2sjgjGCQLt03D0v5Fb5xEMufJncIDkwBNDzGvsASwHGjP9YEAA8+f8Ya+Yc9EaDgqQl9r9YEO9CoEC6O1Euk41nQJYYRnzkgmMaxTSlUKNur8XSmzoElLut6ivlLW71fZmSKHAcg9O4lgd9weDDjCcWLD1C9WmRVdtEnw6NQJd5Mn/llHqdbmMlf3I5VL8QvzPndxZEyESdSBz0ywLO5ygtUxtPaCxaanHSTz1yNooT9t2vwDnfc1LB9oT4CaEnVG+FugCPGFnn204eJ2BVEQ945ZsabgFndyvfmEwxlzAeA6+YjQYrukMijb1Owxh1fv',
key_id => 'zara.zaimeche@codethink.co.uk',
uid => 2022,
gid => 2022,
}
@user::virtual::localuser { 'SotK':
realname => 'Adam Coldrick',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCaE7gafwJQHQ9E2vlcjx8ufcGpyTdQdaBal/ZRt3aPbKXNqsDH4jOWvSXZxE0NlOGo+rWBSu0DxdyM7O5BwYxC79BaFq9JMPn1Q/p1WplOeLENX7jd6lsrLIo2x1MQ134+MliO5FNXmSF2m2il4GCQuiUdGORs/caF1mMPTDeQmf9rRS2fYW0dZ3wZgRzzehtg9LmeW8+DoU+dAeKj4igPcsDsvALmya1JB0XP1UNEG9XMdrYJCoj3K/ALQvJIVB0qwNDYdJ59erVZTvYGe5v6GMUHjIKkmaXJjJyT22hcmnRPk5yIktMrGwkiHGr4Pu0T+lyopSqLEm8HJWp6hc53',
key_id => 'adam@wrackside',
old_keys => [
'adam.coldrick@codethink.co.uk',
'adam@arreliam',
],
uid => 2023,
gid => 2023,
}
@user::virtual::localuser { 'maxwell':
realname => 'JP Maxwell',
sshkeys => 'AAAAB3NzaC1yc2EAAAABIwAAAQEA2b5I7Yff9FCrtRmSjpILUePi54Vbc8zqJTbzrIAQZGFLBi3xd2MLlhV5QVgpDBC9H3lGjbdnc81D3aFd3HwHT4dvvvyedT12PR3VDEpftdW84vw3jzdtALcayOQznjbGnScwvX5SgnRhNxuX9Rkh8qNvOsjYPUafRr9azkQoomJFkdNVI4Vb5DbLhTpt18FPeOf0UuqDt/J2tHI4SjZ3kjzr7Nbwpg8xGgANPNE0+2pJbwCA8YDt4g3bzfzvVafQs5o9Gfc9tudkR9ugQG1M+EWCgu42CleOwMTd/rYEB2fgNNPsZAWqwQfdPajVuk70EBKUEQSyoA09eEZX+xJN9Q==',
key_id => 'jpmaxman@tipit.net',
uid => 2024,
gid => 2024,
}
@user::virtual::localuser { 'ianw':
realname => 'Ian Wienand',
key_type => 'ssh-ed25519',
sshkeys => 'AAAAC3NzaC1lZDI1NTE5AAAAILOjz+dkwRWTJcW9Gt3iGHSzRBsvVlTAK6G2oH3+0D41',
key_id => 'iwienand+osinfra@redhat.com',
uid => 2025,
gid => 2025,
}
@user::virtual::localuser { 'shrews':
realname => 'David Shrewsbury',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCtNtbgLw0dyRVnuwZz4oUcWTzEUtpO2V47t4ykijdH1hkEe7qkuusM5bD8pC4L3wDZP5U3lsIAvZ97LCQp+MNJz1j8cjXuAboqP5FC3TtCJR1WtCWmOBSO7sIvcsgwse/9KZN/TETOGA9no1oKS43Adi9bXrRFAKDAAM34IVt/UHNS51vxUhuGv+56yJmaki7CjxrGtXcB4hi+TCQAfKJPzhAMwcFQUyvXJkRei6NN6uYyHnVtLR3KXEkeTesZ2GQxmQ+1jmCMN1zUN2VLypmDqAvlKtuQW+3nY89q4HDwzCpuC1rscJgOuncdMahTMoKA3/dQtT4WuJIwLQa3tEEn',
key_id => 'shrews2018',
old_keys => [
'david@koala',
],
uid => 2026,
gid => 2026,
}
@user::virtual::localuser { 'jbryce':
realname => 'Jonathan Bryce',
sshkeys => 'AAAAB3NzaC1yc2EAAAABIwAAAQEApFGM9q1gfiawBX5EnCQGxx2T1hwPDxrX2M64MfqcoBRpdrWRjxWm6Vhczfl+Ar2EQtGsuIm1QQiyiPL4zsJSQOfYXB0TqOQaAuFamSzZSNEm8coSa93E3zfXR9uln1lgCGutaWwH/KmGcSeAuuQCipKmKxc8QSAepGNP4Jx2L/EnXQh850xTQEIviJkJpA9oTRzXu12T7vzxsUCw041Q/KX16UvvGpt9IAoMAWFlQrMPzPFmqbUOIr7pRvv8TKcK9BNFS8S8jjT+wN0y/LY7cbTblgDfwSAl1P/naME5ugRVD5MZKixIE1F+x/j+M8+fpZ/EyR/6jSA3DYjEXOk2zQ==',
key_id => 'jbryce@jbryce-mbp-3.local',
uid => 2027,
gid => 2027,
}
@user::virtual::localuser { 'dmsimard':
realname => 'David Moreau-Simard',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDDyXfFj44OTsJZnHbecbYrwA8zXuMiULb+o326maOh3wh5/6fk+MzivkUzJC2uZqAlKvBnNXsrb/07eV1gRjaIQBQJxaV9HQUwMNX7AkjkDzaMXVDjG/JOium90R23gVGMukzp9IamezUscAqAxVK+2C10k3tq8dZ/GeZfHl3NFGRHlIAXsJ/SIQoxJAEA0IQ/8Y50nR1Hp2mV2xsfxH9oZhLR/eiFdhJpNupdfw/oE9+vpCHS8SG88KGeLYbn+EhH6LSCD+6WNthF6oE7NANnScqn1Fl0ZpSd3RlRb+kDVKGqNxfB7EJTeimYvqaYmrTiTZTaTJua5Bj5yBTudqnBgdHCz3xMb2Nv2s2INNcJmP/CKpivYQ8AJs6cVlqRWnLJiNQQYCj+xAXBvY5T0Xq/qOhVifLiWZvZQOTHFWqFP9asZkrGa1mFWIaR9VPQY0FoYlUOT9t6J6TRbzktJIuP5AiOVoJLL6wjZuUMjghHfkYbqtyBqE4BbCY8YF3JSf8jx+9eWy+sD+dRwKXBCrGV0dNidioZR7ZJpBb6ye8wElebjPZizKhppsNpwtRxPfiAM52f55lXGD7IDpz9CZrOKUcV2uc3Rhl50u7T3psZfX7GysZvlnAH+Yr+UM+LPBAabXAfKlMnJp+SskLuOplTeQrvAwMluBmFnla8TnwnxQ==',
key_id => 'dmsimard@hostname',
uid => 2028,
gid => 2028,
}
@user::virtual::localuser { 'frickler':
realname => 'Jens Harbott',
key_type => 'ssh-ed25519',
sshkeys => 'AAAAC3NzaC1lZDI1NTE5AAAAIGmc5fbzMptjAb5D86zSH13ZYCbf3QuV1jk9hL0r1qHw',
key_id => 'frickler@os-infra-2017',
uid => 2029,
gid => 2029,
}
@user::virtual::localuser { 'diablo_rojo':
realname => 'Kendall Nelson',
sshkeys => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCx96P1BVbRALeCz8jktUtT9qWzeXbG5yQrwQZ6n3NWsqEueCHp9DaVPDQLWIFAyvL0PKtlSOktClsUYuGfxB+dBuAFFMsx1Apk78EID4wvdXfEUDxZOsKX7zE9teJSxPEMppHAJIcnPu7dMFzZWxh+sA+fR8ZddPRunxtztGayNdYsCqDGIc9GqemjOqXDIFMIXgJLxNaHGSR56UcDHwgqmXXANkpTKsLW+U+VdNofHKpRhbXNS07jPFAAe1rBmoU/TRitzQFz7WYA4ml54ZiB7Q1O7RIyJWVBihHVrxSZbjn2a46CVeLo5Xw7loWF32wY/hA98hmpBNiF8tGSI6mh',
key_id => 'kennelson11@gmail.com',
uid => 2030,
gid => 2030,
}
}

66
modules/openstack_project/manifests/users_install.pp
View File

@@ -1,66 +0,0 @@
# Class: openstack_project::users_install
#
# This class handles adding and removing openstack admin users
# from the servers.
#
# Parameters:
# install_users - Boolean to set install or removal of O.O
# admins. Defaults to 'false', can be set in hiera.
#
# Requires:
# openstack_project::users - must contain the users designated.
#
# Sample Usage:
# include openstack_project::users_install
# class { 'openstack_project::users_install':
# install_users => true,
# }
class openstack_project::users_install (
$install_users = false,
) {
include ::openstack_project::users
## TODO: this should be it's own manifest.
if ( $install_users == true ) {
package { $::openstack_project::params::user_packages:
ensure => present
}
## NOTE: This list is arranged in order of chronological precedence,
## additions should be appended to the end.
realize (
User::Virtual::Localuser['mordred'],
User::Virtual::Localuser['corvus'],
User::Virtual::Localuser['clarkb'],
User::Virtual::Localuser['fungi'],
User::Virtual::Localuser['jhesketh'],
User::Virtual::Localuser['yolanda'],
User::Virtual::Localuser['pabelanger'],
User::Virtual::Localuser['rcarrillocruz'],
User::Virtual::Localuser['ianw'],
User::Virtual::Localuser['shrews'],
User::Virtual::Localuser['dmsimard'],
User::Virtual::Localuser['frickler'],
)
user::virtual::disable{'slukjanov':}
user::virtual::disable{'elizabeth':}
user::virtual::disable{'nibz':}
} else {
user::virtual::disable{'mordred':}
user::virtual::disable{'corvus':}
user::virtual::disable{'clarkb':}
user::virtual::disable{'fungi':}
user::virtual::disable{'slukjanov':}
user::virtual::disable{'elizabeth':}
user::virtual::disable{'jhesketh':}
user::virtual::disable{'nibz':}
user::virtual::disable{'yolanda':}
user::virtual::disable{'pabelanger':}
user::virtual::disable{'rcarrillocruz':}
user::virtual::disable{'ianw':}
user::virtual::disable{'shrews':}
user::virtual::disable{'dmsimard':}
user::virtual::disable{'frickler':}
}
}

8
modules/openstack_project/manifests/wiki.pp
View File

@@ -2,7 +2,6 @@
# #
class openstack_project::wiki ( class openstack_project::wiki (
$site_hostname, $site_hostname,
$sysadmins = [],
$bup_user = undef, $bup_user = undef,
$serveradmin = undef, $serveradmin = undef,
$ssl_cert_file_contents = undef, $ssl_cert_file_contents = undef,
@@ -26,15 +25,8 @@ class openstack_project::wiki (
class { 'openstack_project::server': class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443], iptables_public_tcp_ports => [80, 443],
sysadmins => $sysadmins,
} }
realize (
User::Virtual::Localuser['rlane'],
User::Virtual::Localuser['mkiss'],
User::Virtual::Localuser['maxwell'],
)
class { 'mediawiki': class { 'mediawiki':
role => 'all', role => 'all',
mediawiki_location => '/srv/mediawiki/w', mediawiki_location => '/srv/mediawiki/w',

8
modules/openstack_project/spec/acceptance/basic_spec.rb
View File

@@ -47,19 +47,21 @@ describe 'openstack_project::server' do
'clarkb', 'clarkb',
'fungi', 'fungi',
'jhesketh', 'jhesketh',
'yolanda',
'pabelanger', 'pabelanger',
'rcarrillocruz',
'ianw', 'ianw',
'shrews', 'shrews',
'dmsimard', 'dmsimard',
'yolanda',
'rcarrillocruz',
'frickler'].each do |user| 'frickler'].each do |user|
describe user(user) do describe user(user) do
it { should exist } it { should exist }
end end
end end
['slukjanov', 'elizabeth', 'nibz'].each do |user| ['slukjanov',
'elizabeth',
'nibz'].each do |user|
describe user(user) do describe user(user) do
it { should_not exist } it { should_not exist }
end end

4
playbooks/base.yaml
View File

@@ -9,6 +9,10 @@
roles: roles:
- base-server - base-server
- hosts: "puppet:!disabled"
roles:
- disable-puppet-agent
- hosts: "!ci-backup:!disabled" - hosts: "!ci-backup:!disabled"
roles: roles:
- exim - exim

12
playbooks/group_vars/all.yaml
View File

@@ -80,6 +80,18 @@ all_users:
uid: 2016 uid: 2016
gid: 2016 gid: 2016
yolanda:
comment: Yolanda Robla
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSR2NmJC8PSanHUpKJuaMmohG80COO2IPkE3Mxhr7US8P1B3p1c6lOrT6M1txRzBY8FlbxfOinGtutP+ADCB2taXfpO8UiaG9eOqojAT/PeP2Y2ov72rVMSWupLozUv2uAR5yyFVFHOjKPYGAa01aJtfzfJujSak8dM0ifFeFwgp/8RBGEfC7atq+45TdrfAURRcEgcOLiF5Aq6fprCOwpllnrH6VoId9YS7u/5xF2/zBjr9PuOP7jEgCaL/+FNqu7jgj87aG5jiZPlweb7GTLJON9H6eFpyfpoJE0sZ1yR9Q+e9FAqQIA44Zi748qKBlFKbLxzoC4mc0SbNUAleEL yolanda@infra
uid: 2018
gid: 2018
rcarrillocruz:
comment: Ricardo Carrillo Cruz
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCz1CW5E87v8o7O8B5fe7j1uaPCToRdaBukjH2HzQZ+DSGTIPjirLpp5ZXPuyNnmtRMzwld6mlHYlevVEwuZTNyQwS7ut5o0LjyW6yoEcvPq0xMEZLxaso5dZAtzNgf3FzbtaUYBnkhSwX7c24lf8wPGAl7TC3yO0dePQh2lXVdaBiGB9ybVeQr+kwJIxleUE4puuQ+ONJE2D+hHjoQ/huUMpb996pb/YzkjkAxqHguMid0c1taelyW8n17nEDoWvlV9Qqbo8cerhgURo1OBt2zENLjQQ0kOkPxJx4qx3652e0kbkr11y50r9BMs418mnJdWselMxkSqQNZ+XotoH5Dwn+3K2a6Wv4OX3Dqb9SF/JTD7lA/tIkNfxgsRlzfEQ01rK1+g7Je10EnDCLEzHpFjvZ5q4EEMcYqY+osLFpHAOWGLMx+3eY4pz/xEzRP/x3sjGU09uNOZ3oCWUfSkE4xebnnWtxwWZKyFmv3GHtaqJn2UvpAbODPEYyYcOS3XV3zd233W3C09YYnFUyZbGLXpD05Yet5fZfGTnveMRn5/9LZai+dBPwoMWUJdX4yPnGXgOG8zk0u1nWfcNJfYg+xajSUDiMKjDhlkuFK/GXNYuINe42s1TxzL7pJ4X4UhqLiopeJvPg/U5xdCV5pxVKf1MVenrGe2pfwf1Yr2WMv5w== rcarrillocruz@infra
uid: 2019
gid: 2019
colleen: colleen:
comment: Colleen Murphy comment: Colleen Murphy
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcHzySqYlH1TfAPx5PaVzqkuMbI3zksJ5E2aZBlsIN7wNSoyO0Dts6HegHZIgi5NGT05wRBAUMCNZwupqFoWDg41JBKzPKITkqvEe/FnNmJFxt591ltXigZZ+ZLoX8B12nww/eeA5nx9PT4hIsLQG50MxEm0iC4ApusaAXMXa7+gTDkzf6yyl4QwinyFFTYtyJwFw5XfQXXRQwL8Qv6mVGrhDz3Fj4VWawByQuxRHgt5G3Ux/PnZzatJ3tuSK66o1uXrvuOiGdUtDCuAFUx+kgcmUTpCC6vgMZdDbrfyw0CGxkmAUNfeEMOw0TWbdioJ2FwH5+4BEvMgiFgsCTjIwDqqyFV9eK8sd0mbJ+I82EyOXPlFPKGan6Ie6LD1qotdUW9vT3pfpR/44s/Id2un3FBnVg7GZkGJshikGO1UqjmZfhEpQ6Q+auLir+mBv2X/ril6qJ2NuQpwMRVzZmriPMxdJDs6xhzg2fGEYRvEvh0kzsqNf4OgKbSWiVOB3WALM30Cx3YdmnB6JonRGA+6CqD+LO4HQMbD7LBVcYzEIS1WtP8aPx/NiybemrF0LWmIgl34A0Tpcc+5MLzzUtgUt6lYFyWxltCP43u1N7ODH+FsFALzo6CO9DjyMxEd6Ay61hyx8Btfhn8NH/wEdCQj1WAMHU+d2ljk5ndAfp8c6LRQ== krinkle@gir key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcHzySqYlH1TfAPx5PaVzqkuMbI3zksJ5E2aZBlsIN7wNSoyO0Dts6HegHZIgi5NGT05wRBAUMCNZwupqFoWDg41JBKzPKITkqvEe/FnNmJFxt591ltXigZZ+ZLoX8B12nww/eeA5nx9PT4hIsLQG50MxEm0iC4ApusaAXMXa7+gTDkzf6yyl4QwinyFFTYtyJwFw5XfQXXRQwL8Qv6mVGrhDz3Fj4VWawByQuxRHgt5G3Ux/PnZzatJ3tuSK66o1uXrvuOiGdUtDCuAFUx+kgcmUTpCC6vgMZdDbrfyw0CGxkmAUNfeEMOw0TWbdioJ2FwH5+4BEvMgiFgsCTjIwDqqyFV9eK8sd0mbJ+I82EyOXPlFPKGan6Ie6LD1qotdUW9vT3pfpR/44s/Id2un3FBnVg7GZkGJshikGO1UqjmZfhEpQ6Q+auLir+mBv2X/ril6qJ2NuQpwMRVzZmriPMxdJDs6xhzg2fGEYRvEvh0kzsqNf4OgKbSWiVOB3WALM30Cx3YdmnB6JonRGA+6CqD+LO4HQMbD7LBVcYzEIS1WtP8aPx/NiybemrF0LWmIgl34A0Tpcc+5MLzzUtgUt6lYFyWxltCP43u1N7ODH+FsFALzo6CO9DjyMxEd6Ay61hyx8Btfhn8NH/wEdCQj1WAMHU+d2ljk5ndAfp8c6LRQ== krinkle@gir

2
playbooks/group_vars/ask.yaml Normal file
View File

@@ -0,0 +1,2 @@
extra_users:
- mkiss

2
playbooks/group_vars/groups.yaml Normal file
View File

@@ -0,0 +1,2 @@
extra_users:
- mkiss

2
playbooks/group_vars/review-dev.yaml Normal file
View File

@@ -0,0 +1,2 @@
exim_extra_aliases:
gerrit2: root

2
playbooks/group_vars/review.yaml Normal file
View File

@@ -0,0 +1,2 @@
exim_extra_aliases:
gerrit2: root

4
playbooks/group_vars/storyboard-dev.yaml Normal file
View File

@@ -0,0 +1,4 @@
extra_users:
- SotK
- Zara
- diablo_rojo

3
playbooks/group_vars/wiki.yaml Normal file
View File

@@ -0,0 +1,3 @@
extra_users:
- mkiss
- maxwell

2
playbooks/host_vars/lists.katacontainers.io.yaml
View File

@@ -56,3 +56,5 @@ exim_transports:
# Errors-To: may carry old return_path # Errors-To: may carry old return_path
headers_remove = Errors-To headers_remove = Errors-To
headers_add = Errors-To: ${return_path} headers_add = Errors-To: ${return_path}
extra_users:
- jbryce

3
playbooks/host_vars/openstackid-dev.openstack.org.yaml Normal file
View File

@@ -0,0 +1,3 @@
extra_users:
- smarcet
- mkiss

3
playbooks/host_vars/openstackid.org.yaml Normal file
View File

@@ -0,0 +1,3 @@
extra_users:
- smarcet
- maxwell

0
modules/openstack_project/files/puppet.default → playbooks/roles/disable-puppet-agent/files/puppet.default
View File

5
playbooks/roles/disable-puppet-agent/tasks/Debian.yaml Normal file
View File

@@ -0,0 +1,5 @@
- name: Prevent puppet agent from running
copy:
mode: 0644
src: puppet.default
dest: /etc/default/puppet

10
playbooks/roles/disable-puppet-agent/tasks/main.yaml Normal file
View File

@@ -0,0 +1,10 @@
- name: Include OS-specific tasks
include_tasks: "{{ lookup('first_found', file_list) }}"
vars:
file_list: "{{ distro_lookup_path }}"
- name: Disable the puppet service
service:
name: puppet
enabled: no
state: stopped

3
playbooks/roles/install-ansible/files/groups.yaml
View File

@@ -4,6 +4,7 @@ groups:
afs: inventory_hostname is match('afs\d+.*openstack.org') afs: inventory_hostname is match('afs\d+.*openstack.org')
afsadmin: inventory_hostname is match('mirror-update\d+\.openstack\.org') afsadmin: inventory_hostname is match('mirror-update\d+\.openstack\.org')
afsdb: inventory_hostname is match('afsdb.*openstack.org') afsdb: inventory_hostname is match('afsdb.*openstack.org')
ask: inventory_hostname.startswith('ask')
cacti: inventory_hostname is match('cacti\d+\.openstack\.org') cacti: inventory_hostname is match('cacti\d+\.openstack\.org')
ci-backup: inventory_hostname is match('backup\d+.*\ci\.openstack\.org') ci-backup: inventory_hostname is match('backup\d+.*\ci\.openstack\.org')
disabled: inventory_hostname.startswith('backup') or inventory_hostname.startswith('wiki') or inventory_hostname.startswith('puppetmaster') disabled: inventory_hostname.startswith('backup') or inventory_hostname.startswith('wiki') or inventory_hostname.startswith('puppetmaster')
@@ -16,6 +17,7 @@ groups:
git-loadbalancer: inventory_hostname is match('git(-fe\d+)?\.openstack\.org') git-loadbalancer: inventory_hostname is match('git(-fe\d+)?\.openstack\.org')
git-server: inventory_hostname is match('git\d+\.openstack\.org') git-server: inventory_hostname is match('git\d+\.openstack\.org')
grafana: inventory_hostname.startswith('grafana') grafana: inventory_hostname.startswith('grafana')
groups: inventory_hostname.regex_match('groups(-dev)?\d*\.openstack\.org')
logstash-worker: inventory_hostname.startswith('logstash-worker') logstash-worker: inventory_hostname.startswith('logstash-worker')
mailman: inventory_hostname.startswith('lists') mailman: inventory_hostname.startswith('lists')
nodepool: inventory_hostname is match('^(nodepool|nb|nl)') nodepool: inventory_hostname is match('^(nodepool|nb|nl)')
@@ -26,6 +28,7 @@ groups:
review: inventory_hostname is match('review\d+\.openstack\.org') review: inventory_hostname is match('review\d+\.openstack\.org')
status: inventory_hostname.startswith('status') status: inventory_hostname.startswith('status')
storyboard: inventory_hostname.startswith('storyboard') storyboard: inventory_hostname.startswith('storyboard')
storyboard-dev: inventory_hostname is match('storyboard-dev\d*\.openstack\.org')
subunit-worker: inventory_hostname.startswith('subunit-worker') subunit-worker: inventory_hostname.startswith('subunit-worker')
survey: inventory_hostname.startswith('survey') survey: inventory_hostname.startswith('survey')
translate-dev: inventory_hostname is match('translate-dev\d+\.openstack\.org') translate-dev: inventory_hostname is match('translate-dev\d+\.openstack\.org')

1
run_all.sh
View File

@@ -34,6 +34,7 @@ set +e
timeout -k 2m 120m ansible-playbook -f 10 ${ANSIBLE_PLAYBOOKS}/update-system-config.yaml timeout -k 2m 120m ansible-playbook -f 10 ${ANSIBLE_PLAYBOOKS}/update-system-config.yaml
# Update the puppet version # Update the puppet version
timeout -k 2m 120m ansible-playbook -f 10 ${ANSIBLE_PLAYBOOKS}/update_puppet_version.yaml timeout -k 2m 120m ansible-playbook -f 10 ${ANSIBLE_PLAYBOOKS}/update_puppet_version.yaml
# Run the git/gerrit/zuul sequence, since it's important that they all work together # Run the git/gerrit/zuul sequence, since it's important that they all work together
timeout -k 2m 120m ansible-playbook -f 10 ${ANSIBLE_PLAYBOOKS}/remote_puppet_git.yaml timeout -k 2m 120m ansible-playbook -f 10 ${ANSIBLE_PLAYBOOKS}/remote_puppet_git.yaml
# Run AFS changes separately so we can make sure to only do one at a time # Run AFS changes separately so we can make sure to only do one at a time