System configuration for OpenStack Infrastructure


#
# Top-level variables
#
# There must not be any whitespace between this comment and the variables or
# in between any two variables in order for them to be correctly parsed and
# passed around in test.sh
#
# Note we do not do a hiera lookup here as we set $group on a per node basis
# and that must be set before we can do hiera lookups. Doing a hiera lookup
# here would fail to find any group specific info.
#
# NOTE(review): the logstash node further down hard-codes the same six hosts
# (with port 9200) in its own discover_nodes list; keep the two in sync.
$elasticsearch_nodes = [
  "elasticsearch02.openstack.org",
  "elasticsearch03.openstack.org",
  "elasticsearch04.openstack.org",
  "elasticsearch05.openstack.org",
  "elasticsearch06.openstack.org",
  "elasticsearch07.openstack.org",
]
  19. #
  20. # Default: should at least behave like an openstack server
  21. #
  22. node default {
  23. class { 'openstack_project::server':
  24. }
  25. }
  26. #
  27. # Long lived servers:
  28. #
  29. # Node-OS: xenial
  30. node /^review\d*\.open.*\.org$/ {
  31. $group = "review"
  32. class { 'openstack_project::server': }
  33. class { 'openstack_project::review':
  34. project_config_repo => 'https://opendev.org/openstack/project-config',
  35. github_oauth_token => hiera('gerrit_github_token'),
  36. github_project_username => hiera('github_project_username', 'username'),
  37. github_project_password => hiera('github_project_password'),
  38. mysql_host => hiera('gerrit_mysql_host', 'localhost'),
  39. mysql_password => hiera('gerrit_mysql_password'),
  40. email_private_key => hiera('gerrit_email_private_key'),
  41. token_private_key => hiera('gerrit_rest_token_private_key'),
  42. gerritbot_password => hiera('gerrit_gerritbot_password'),
  43. gerritbot_ssh_rsa_key_contents => hiera('gerritbot_ssh_rsa_key_contents'),
  44. gerritbot_ssh_rsa_pubkey_contents => hiera('gerritbot_ssh_rsa_pubkey_contents'),
  45. ssl_cert_file_contents => hiera('review_opendev_cert_file_contents'),
  46. ssl_key_file_contents => hiera('review_opendev_key_file_contents'),
  47. ssl_chain_file_contents => hiera('review_opendev_chain_file_contents'),
  48. ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'),
  49. ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'),
  50. ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'),
  51. ssh_rsa_pubkey_contents => hiera('gerrit_ssh_rsa_pubkey_contents'),
  52. ssh_project_rsa_key_contents => hiera('gerrit_project_ssh_rsa_key_contents'),
  53. ssh_project_rsa_pubkey_contents => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
  54. ssh_welcome_rsa_key_contents => hiera('welcome_message_gerrit_ssh_private_key'),
  55. ssh_welcome_rsa_pubkey_contents => hiera('welcome_message_gerrit_ssh_public_key'),
  56. ssh_replication_rsa_key_contents => hiera('gerrit_replication_ssh_rsa_key_contents'),
  57. ssh_replication_rsa_pubkey_contents => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
  58. lp_access_token => hiera('gerrit_lp_access_token'),
  59. lp_access_secret => hiera('gerrit_lp_access_secret'),
  60. lp_consumer_key => hiera('gerrit_lp_consumer_key'),
  61. swift_username => hiera('swift_store_user', 'username'),
  62. swift_password => hiera('swift_store_key'),
  63. storyboard_password => hiera('gerrit_storyboard_token'),
  64. # Compatibility layer vars for the old domain name below here.
  65. # TODO rename the hiera keys to reduce confusion
  66. review_openstack_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'),
  67. review_openstack_key_file_contents => hiera('gerrit_ssl_key_file_contents'),
  68. review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
  69. }
  70. }
  71. # Node-OS: xenial
  72. node /^review-dev\d*\.open.*\.org$/ {
  73. $group = "review-dev"
  74. class { 'openstack_project::server':
  75. afs => true,
  76. }
  77. class { 'openstack_project::review_dev':
  78. project_config_repo => 'https://opendev.org/openstack/project-config',
  79. github_oauth_token => hiera('gerrit_dev_github_token'),
  80. github_project_username => hiera('github_dev_project_username', 'username'),
  81. github_project_password => hiera('github_dev_project_password'),
  82. mysql_host => hiera('gerrit_dev_mysql_host', 'localhost'),
  83. mysql_password => hiera('gerrit_dev_mysql_password'),
  84. email_private_key => hiera('gerrit_dev_email_private_key'),
  85. ssh_dsa_key_contents => hiera('gerrit_dev_ssh_dsa_key_contents'),
  86. ssh_dsa_pubkey_contents => hiera('gerrit_dev_ssh_dsa_pubkey_contents'),
  87. ssh_rsa_key_contents => hiera('gerrit_dev_ssh_rsa_key_contents'),
  88. ssh_rsa_pubkey_contents => hiera('gerrit_dev_ssh_rsa_pubkey_contents'),
  89. ssh_project_rsa_key_contents => hiera('gerrit_dev_project_ssh_rsa_key_contents'),
  90. ssh_project_rsa_pubkey_contents => hiera('gerrit_dev_project_ssh_rsa_pubkey_contents'),
  91. ssh_replication_rsa_key_contents => hiera('gerrit_dev_replication_ssh_rsa_key_contents'),
  92. ssh_replication_rsa_pubkey_contents => hiera('gerrit_dev_replication_ssh_rsa_pubkey_contents'),
  93. lp_access_token => hiera('gerrit_dev_lp_access_token'),
  94. lp_access_secret => hiera('gerrit_dev_lp_access_secret'),
  95. lp_consumer_key => hiera('gerrit_dev_lp_consumer_key'),
  96. storyboard_password => hiera('gerrit_dev_storyboard_token'),
  97. storyboard_ssl_cert => hiera('gerrit_dev_storyboard_ssl_crt'),
  98. }
  99. }
  100. # Node-OS: xenial
  101. # Puppet-Version: !3
  102. node /^grafana\d*\.open.*\.org$/ {
  103. $group = "grafana"
  104. class { 'openstack_project::server': }
  105. class { 'openstack_project::grafana':
  106. admin_password => hiera('grafana_admin_password'),
  107. admin_user => hiera('grafana_admin_user', 'username'),
  108. mysql_host => hiera('grafana_mysql_host', 'localhost'),
  109. mysql_name => hiera('grafana_mysql_name'),
  110. mysql_password => hiera('grafana_mysql_password'),
  111. mysql_user => hiera('grafana_mysql_user', 'username'),
  112. project_config_repo => 'https://opendev.org/openstack/project-config',
  113. secret_key => hiera('grafana_secret_key'),
  114. }
  115. }
  116. # Node-OS: xenial
  117. node /^health\d*\.openstack\.org$/ {
  118. $group = "health"
  119. class { 'openstack_project::server': }
  120. class { 'openstack_project::openstack_health_api':
  121. subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
  122. hostname => 'health.openstack.org',
  123. }
  124. }
  125. # Node-OS: xenial
  126. node /^cacti\d+\.open.*\.org$/ {
  127. $group = "cacti"
  128. include openstack_project::ssl_cert_check
  129. class { 'openstack_project::cacti':
  130. cacti_hosts => hiera_array('cacti_hosts'),
  131. vhost_name => 'cacti.openstack.org',
  132. }
  133. }
  134. # Node-OS: xenial
  135. node /^graphite\d*\.open.*\.org$/ {
  136. class { 'openstack_project::server': }
  137. class { '::graphite':
  138. graphite_admin_user => hiera('graphite_admin_user', 'username'),
  139. graphite_admin_email => hiera('graphite_admin_email', 'email@example.com'),
  140. graphite_admin_password => hiera('graphite_admin_password'),
  141. # NOTE(ianw): installed on the host via ansible
  142. ssl_cert_file => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',
  143. ssl_key_file => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',
  144. ssl_chain_file => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',
  145. }
  146. }
  147. # Node-OS: trusty
  148. # Node-OS: xenial
  149. node /^lists\d*\.open.*\.org$/ {
  150. class { 'openstack_project::server': }
  151. class { 'openstack_project::lists':
  152. listpassword => hiera('listpassword'),
  153. }
  154. }
  155. # Node-OS: xenial
  156. node /^lists\d*\.katacontainers\.io$/ {
  157. class { 'openstack_project::server': }
  158. class { 'openstack_project::kata_lists':
  159. listpassword => hiera('listpassword'),
  160. }
  161. }
  162. # Node-OS: xenial
  163. node /^paste\d*\.open.*\.org$/ {
  164. $group = "paste"
  165. class { 'openstack_project::server': }
  166. class { 'openstack_project::paste':
  167. db_password => hiera('paste_db_password'),
  168. db_host => hiera('paste_db_host'),
  169. vhost_name => 'paste.openstack.org',
  170. }
  171. }
  172. # Node-OS: xenial
  173. node /planet\d*\.open.*\.org$/ {
  174. class { 'openstack_project::planet':
  175. }
  176. }
  177. # Node-OS: xenial
  178. node /^eavesdrop\d*\.open.*\.org$/ {
  179. $group = "eavesdrop"
  180. class { 'openstack_project::server': }
  181. class { 'openstack_project::eavesdrop':
  182. project_config_repo => 'https://opendev.org/openstack/project-config',
  183. nickpass => hiera('openstack_meetbot_password'),
  184. statusbot_nick => hiera('statusbot_nick', 'username'),
  185. statusbot_password => hiera('statusbot_nick_password'),
  186. statusbot_server => 'chat.freenode.net',
  187. statusbot_channels => hiera_array('statusbot_channels', ['openstack_infra']),
  188. statusbot_auth_nicks => hiera_array('statusbot_auth_nicks'),
  189. statusbot_wiki_user => hiera('statusbot_wiki_username', 'username'),
  190. statusbot_wiki_password => hiera('statusbot_wiki_password'),
  191. statusbot_wiki_url => 'https://wiki.openstack.org/w/api.php',
  192. # https://wiki.openstack.org/wiki/Infrastructure_Status
  193. statusbot_wiki_pageid => '1781',
  194. statusbot_wiki_successpageid => '7717',
  195. statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',
  196. statusbot_wiki_thankspageid => '37700',
  197. statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',
  198. statusbot_irclogs_url => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
  199. statusbot_twitter => true,
  200. statusbot_twitter_key => hiera('statusbot_twitter_key'),
  201. statusbot_twitter_secret => hiera('statusbot_twitter_secret'),
  202. statusbot_twitter_token_key => hiera('statusbot_twitter_token_key'),
  203. statusbot_twitter_token_secret => hiera('statusbot_twitter_token_secret'),
  204. accessbot_nick => hiera('accessbot_nick', 'username'),
  205. accessbot_password => hiera('accessbot_nick_password'),
  206. meetbot_channels => hiera('meetbot_channels', ['openstack-infra']),
  207. ptgbot_nick => hiera('ptgbot_nick', 'username'),
  208. ptgbot_password => hiera('ptgbot_password'),
  209. }
  210. }
  211. # Node-OS: xenial
  212. node /^ethercalc\d+\.open.*\.org$/ {
  213. $group = "ethercalc"
  214. class { 'openstack_project::server': }
  215. class { 'openstack_project::ethercalc':
  216. vhost_name => 'ethercalc.openstack.org',
  217. ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
  218. ssl_key_file_contents => hiera('ssl_key_file_contents'),
  219. ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
  220. }
  221. }
  222. # Node-OS: xenial
  223. node /^etherpad\d*\.open.*\.org$/ {
  224. $group = "etherpad"
  225. class { 'openstack_project::server': }
  226. class { 'openstack_project::etherpad':
  227. vhost_name => 'etherpad.openstack.org',
  228. ssl_cert_file_contents => hiera('etherpad_ssl_cert_file_contents'),
  229. ssl_key_file_contents => hiera('etherpad_ssl_key_file_contents'),
  230. ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
  231. mysql_host => hiera('etherpad_db_host', 'localhost'),
  232. mysql_user => hiera('etherpad_db_user', 'username'),
  233. mysql_password => hiera('etherpad_db_password'),
  234. }
  235. }
  236. # Node-OS: xenial
  237. node /^etherpad-dev\d*\.open.*\.org$/ {
  238. $group = "etherpad-dev"
  239. class { 'openstack_project::server': }
  240. class { 'openstack_project::etherpad_dev':
  241. vhost_name => 'etherpad-dev.openstack.org',
  242. mysql_host => hiera('etherpad-dev_db_host', 'localhost'),
  243. mysql_user => hiera('etherpad-dev_db_user', 'username'),
  244. mysql_password => hiera('etherpad-dev_db_password'),
  245. }
  246. }
  247. # Node-OS: trusty
  248. node /^wiki\d+\.openstack\.org$/ {
  249. $group = "wiki"
  250. class { 'openstack_project::wiki':
  251. bup_user => 'bup-wiki',
  252. serveradmin => hiera('infra_apache_serveradmin'),
  253. site_hostname => 'wiki.openstack.org',
  254. ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
  255. ssl_key_file_contents => hiera('ssl_key_file_contents'),
  256. ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
  257. wg_dbserver => hiera('wg_dbserver'),
  258. wg_dbname => 'openstack_wiki',
  259. wg_dbuser => 'wikiuser',
  260. wg_dbpassword => hiera('wg_dbpassword'),
  261. wg_secretkey => hiera('wg_secretkey'),
  262. wg_upgradekey => hiera('wg_upgradekey'),
  263. wg_recaptchasitekey => hiera('wg_recaptchasitekey'),
  264. wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
  265. wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),
  266. }
  267. }
  268. # Node-OS: trusty
  269. node /^wiki-dev\d+\.openstack\.org$/ {
  270. $group = "wiki-dev"
  271. class { 'openstack_project::wiki':
  272. serveradmin => hiera('infra_apache_serveradmin'),
  273. site_hostname => 'wiki-dev.openstack.org',
  274. wg_dbserver => hiera('wg_dbserver'),
  275. wg_dbname => 'openstack_wiki',
  276. wg_dbuser => 'wikiuser',
  277. wg_dbpassword => hiera('wg_dbpassword'),
  278. wg_secretkey => hiera('wg_secretkey'),
  279. wg_upgradekey => hiera('wg_upgradekey'),
  280. wg_recaptchasitekey => hiera('wg_recaptchasitekey'),
  281. wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
  282. disallow_robots => true,
  283. }
  284. }
  285. # Node-OS: xenial
  286. node /^logstash\d*\.open.*\.org$/ {
  287. class { 'openstack_project::server': }
  288. class { 'openstack_project::logstash':
  289. discover_nodes => [
  290. 'elasticsearch03.openstack.org:9200',
  291. 'elasticsearch04.openstack.org:9200',
  292. 'elasticsearch05.openstack.org:9200',
  293. 'elasticsearch06.openstack.org:9200',
  294. 'elasticsearch07.openstack.org:9200',
  295. 'elasticsearch02.openstack.org:9200',
  296. ],
  297. subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
  298. subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
  299. }
  300. }
  301. # Node-OS: xenial
  302. node /^logstash-worker\d+\.open.*\.org$/ {
  303. $group = 'logstash-worker'
  304. class { 'openstack_project::server': }
  305. class { 'openstack_project::logstash_worker':
  306. discover_node => 'elasticsearch03.openstack.org',
  307. enable_mqtt => false,
  308. mqtt_password => hiera('mqtt_service_user_password'),
  309. mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
  310. }
  311. }
  312. # Node-OS: xenial
  313. node /^subunit-worker\d+\.open.*\.org$/ {
  314. $group = "subunit-worker"
  315. class { 'openstack_project::server': }
  316. class { 'openstack_project::subunit_worker':
  317. subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
  318. subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
  319. mqtt_pass => hiera('mqtt_service_user_password'),
  320. mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
  321. }
  322. }
  323. # Node-OS: xenial
  324. node /^elasticsearch\d+\.open.*\.org$/ {
  325. $group = "elasticsearch"
  326. class { 'openstack_project::server': }
  327. class { 'openstack_project::elasticsearch_node':
  328. discover_nodes => $elasticsearch_nodes,
  329. }
  330. }
  331. # Node-OS: xenial
  332. node /^firehose\d+\.open.*\.org$/ {
  333. class { 'openstack_project::server': }
  334. class { 'openstack_project::firehose':
  335. gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
  336. gerrit_public_key => hiera('germqtt_gerrit_ssh_public_key'),
  337. gerrit_private_key => hiera('germqtt_gerrit_ssh_private_key'),
  338. mqtt_password => hiera('mqtt_service_user_password'),
  339. ca_file => hiera('mosquitto_tls_ca_file'),
  340. cert_file => hiera('mosquitto_tls_server_cert_file'),
  341. key_file => hiera('mosquitto_tls_server_key_file'),
  342. imap_hostname => hiera('lpmqtt_imap_server'),
  343. imap_username => hiera('lpmqtt_imap_username'),
  344. imap_password => hiera('lpmqtt_imap_password'),
  345. statsd_host => 'graphite.opendev.org',
  346. }
  347. }
  348. # A machine to drive AFS mirror updates.
  349. # Node-OS: xenial
  350. node /^mirror-update\d*\.open.*\.org$/ {
  351. $group = "afsadmin"
  352. class { 'openstack_project::mirror_update':
  353. admin_keytab => hiera('afsadmin_keytab'),
  354. fedora_keytab => hiera('fedora_keytab'),
  355. opensuse_keytab => hiera('opensuse_keytab'),
  356. reprepro_keytab => hiera('reprepro_keytab'),
  357. gem_keytab => hiera('gem_keytab'),
  358. centos_keytab => hiera('centos_keytab'),
  359. epel_keytab => hiera('epel_keytab'),
  360. yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),
  361. }
  362. }
  363. # Machines in each region to serve AFS mirrors.
  364. # Node-OS: xenial
  365. node /^mirror\d*\..*\.open.*\.org$/ {
  366. $group = "mirror"
  367. class { 'openstack_project::server':
  368. afs => true,
  369. afs_cache_size => 50000000, # 50GB
  370. }
  371. class { 'openstack_project::mirror':
  372. vhost_name => $::fqdn,
  373. require => Class['Openstack_project::Server'],
  374. }
  375. }
  376. # Serve static AFS content for docs and other sites.
  377. # Node-OS: xenial
  378. node /^files\d*\.open.*\.org$/ {
  379. $group = "files"
  380. class { 'openstack_project::server':
  381. afs => true,
  382. afs_cache_size => 10000000, # 10GB
  383. }
  384. class { 'openstack_project::files':
  385. vhost_name => 'files.openstack.org',
  386. developer_cert_file_contents => hiera('developer_cert_file_contents'),
  387. developer_key_file_contents => hiera('developer_key_file_contents'),
  388. developer_chain_file_contents => hiera('developer_chain_file_contents'),
  389. docs_cert_file_contents => hiera('docs_cert_file_contents'),
  390. docs_key_file_contents => hiera('docs_key_file_contents'),
  391. docs_chain_file_contents => hiera('docs_chain_file_contents'),
  392. git_airship_cert_file_contents => hiera('git_airship_cert_file_contents'),
  393. git_airship_key_file_contents => hiera('git_airship_key_file_contents'),
  394. git_airship_chain_file_contents => hiera('git_airship_chain_file_contents'),
  395. git_openstack_cert_file_contents => hiera('git_openstack_cert_file_contents'),
  396. git_openstack_key_file_contents => hiera('git_openstack_key_file_contents'),
  397. git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),
  398. git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'),
  399. git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'),
  400. git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
  401. git_zuul_cert_file_contents => hiera('git_zuul_cert_file_contents'),
  402. git_zuul_key_file_contents => hiera('git_zuul_key_file_contents'),
  403. git_zuul_chain_file_contents => hiera('git_zuul_chain_file_contents'),
  404. require => Class['Openstack_project::Server'],
  405. }
  406. # Temporary for evaluating htaccess rules
  407. ::httpd::vhost { "git-test.openstack.org":
  408. port => 80, # Is required despite not being used.
  409. docroot => "/afs/openstack.org/project/git-test/www",
  410. priority => '50',
  411. template => 'openstack_project/git-test.vhost.erb',
  412. }
  413. openstack_project::website { 'docs.starlingx.io':
  414. volume_name => 'starlingx.io',
  415. aliases => [],
  416. ssl_cert => hiera('docs_starlingx_io_ssl_cert'),
  417. ssl_key => hiera('docs_starlingx_io_ssl_key'),
  418. ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),
  419. require => Class['openstack_project::files'],
  420. }
  421. openstack_project::website { 'docs.opendev.org':
  422. aliases => [],
  423. docroot => "/afs/openstack.org/project/opendev.org/docs",
  424. ssl_cert => hiera('docs_opendev_ssl_cert'),
  425. ssl_key => hiera('docs_opendev_ssl_key'),
  426. ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),
  427. require => Class['openstack_project::files'],
  428. }
  429. openstack_project::website { 'tarballs.opendev.org':
  430. aliases => [],
  431. docroot => "/afs/openstack.org/project/opendev.org/tarballs",
  432. ssl_cert_file => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer',
  433. ssl_key_file => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key',
  434. ssl_chain_file => '/etc/letsencrypt-certs/tarballs.opendev.org/ca.cer',
  435. require => Class['openstack_project::files'],
  436. }
  437. openstack_project::website { 'zuul-ci.org':
  438. aliases => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
  439. ssl_cert => hiera('zuul-ci_org_ssl_cert'),
  440. ssl_key => hiera('zuul-ci_org_ssl_key'),
  441. ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
  442. require => Class['openstack_project::files'],
  443. }
  444. }
  445. # Node-OS: trusty
  446. # Node-OS: xenial
  447. node /^refstack\d*\.open.*\.org$/ {
  448. class { 'openstack_project::server': }
  449. class { 'refstack':
  450. mysql_host => hiera('refstack_mysql_host', 'localhost'),
  451. mysql_database => hiera('refstack_mysql_db_name', 'refstack'),
  452. mysql_user => hiera('refstack_mysql_user', 'refstack'),
  453. mysql_user_password => hiera('refstack_mysql_password'),
  454. ssl_cert_content => hiera('refstack_ssl_cert_file_contents'),
  455. ssl_cert => '/etc/ssl/certs/refstack.pem',
  456. ssl_key_content => hiera('refstack_ssl_key_file_contents'),
  457. ssl_key => '/etc/ssl/private/refstack.key',
  458. ssl_ca_content => hiera('refstack_ssl_chain_file_contents'),
  459. ssl_ca => '/etc/ssl/certs/refstack.ca.pem',
  460. protocol => 'https',
  461. }
  462. mysql_backup::backup_remote { 'refstack':
  463. database_host => hiera('refstack_mysql_host', 'localhost'),
  464. database_user => hiera('refstack_mysql_user', 'refstack'),
  465. database_password => hiera('refstack_mysql_password'),
  466. require => Class['::refstack'],
  467. }
  468. }
  469. # A machine to run Storyboard
  470. # Node-OS: xenial
  471. node /^storyboard\d+\.opendev\.org$/ {
  472. $group = "storyboard"
  473. class { 'openstack_project::storyboard':
  474. project_config_repo => 'https://opendev.org/openstack/project-config',
  475. mysql_host => hiera('storyboard_db_host', 'localhost'),
  476. mysql_user => hiera('storyboard_db_user', 'username'),
  477. mysql_password => hiera('storyboard_db_password'),
  478. rabbitmq_user => hiera('storyboard_rabbit_user', 'username'),
  479. rabbitmq_password => hiera('storyboard_rabbit_password'),
  480. ssl_cert => '/etc/ssl/certs/storyboard.openstack.org.pem',
  481. ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
  482. ssl_key => '/etc/ssl/private/storyboard.openstack.org.key',
  483. ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
  484. ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
  485. hostname => 'storyboard.openstack.org',
  486. valid_oauth_clients => ['storyboard.openstack.org',],
  487. cors_allowed_origins => ['https://storyboard.openstack.org',],
  488. sender_email_address => 'storyboard@storyboard.openstack.org',
  489. default_url => 'https://storyboard.openstack.org',
  490. }
  491. }
  492. # A machine to run Storyboard devel
  493. # Node-OS: xenial
  494. node /^storyboard-dev\d+\.opendev\.org$/ {
  495. $group = "storyboard-dev"
  496. class { 'openstack_project::storyboard::dev':
  497. project_config_repo => 'https://opendev.org/openstack/project-config',
  498. mysql_host => hiera('storyboard_db_host', 'localhost'),
  499. mysql_user => hiera('storyboard_db_user', 'username'),
  500. mysql_password => hiera('storyboard_db_password'),
  501. rabbitmq_user => hiera('storyboard_rabbit_user', 'username'),
  502. rabbitmq_password => hiera('storyboard_rabbit_password'),
  503. hostname => 'storyboard-dev.openstack.org',
  504. valid_oauth_clients => ['^.*',],
  505. cors_allowed_origins => ['^.*',],
  506. sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',
  507. default_url => 'https://storyboard-dev.openstack.org',
  508. }
  509. }
  510. # A machine to serve static content.
  511. # Node-OS: trusty
  512. # Node-OS: xenial
  513. node /^static\d*\.open.*\.org$/ {
  514. class { 'openstack_project::server': }
  515. class { 'openstack_project::static':
  516. project_config_repo => 'https://opendev.org/openstack/project-config',
  517. swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
  518. swift_user => 'infra-files-ro',
  519. swift_key => hiera('infra_files_ro_password'),
  520. swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
  521. swift_region_name => 'DFW',
  522. swift_default_container => 'infra-files',
  523. ssl_cert_file_contents => hiera('static_ssl_cert_file_contents'),
  524. ssl_key_file_contents => hiera('static_ssl_key_file_contents'),
  525. ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
  526. }
  527. }
  528. # Node-OS: xenial
  529. node /^zk\d+\.open.*\.org$/ {
  530. # We use IP addresses here so that zk listens on the public facing addresses
  531. # allowing cluster members to talk to each other. Without this they listen
  532. # on 127.0.1.1 because that is what we have in /etc/hosts for
  533. # zk0X.openstack.org.
  534. $zk_cluster_members = [
  535. '23.253.236.126', # zk01
  536. '172.99.117.32', # zk02
  537. '23.253.90.246', # zk03
  538. ]
  539. class { 'openstack_project::server': }
  540. class { '::zookeeper':
  541. # ID needs to be numeric, so we use regex to extra numbers from fqdn.
  542. id => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),
  543. # The frequency in hours to look for and purge old snapshots,
  544. # defaults to 0 (disabled). The number of retained snapshots can
  545. # be separately controlled through snap_retain_count and
  546. # defaults to the minimum value of 3. This will quickly fill the
  547. # disk in production if not enabled. Works on ZK >=3.4.
  548. purge_interval => 6,
  549. servers => $zk_cluster_members,
  550. }
  551. }
  552. # A machine to serve various project status updates.
  553. # Node-OS: trusty
  554. # Node-OS: xenial
  555. node /^status\d*\.open.*\.org$/ {
  556. $group = 'status'
  557. class { 'openstack_project::server': }
  558. class { 'openstack_project::status':
  559. gerrit_host => 'review.opendev.org',
  560. gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
  561. reviewday_ssh_public_key => hiera('reviewday_rsa_pubkey_contents'),
  562. reviewday_ssh_private_key => hiera('reviewday_rsa_key_contents'),
  563. recheck_ssh_public_key => hiera('elastic-recheck_gerrit_ssh_public_key'),
  564. recheck_ssh_private_key => hiera('elastic-recheck_gerrit_ssh_private_key'),
  565. recheck_bot_nick => 'openstackrecheck',
  566. recheck_bot_passwd => hiera('elastic-recheck_ircbot_password'),
  567. }
  568. }
  569. # Node-OS: xenial
  570. node /^survey\d+\.open.*\.org$/ {
  571. $group = "survey"
  572. class { 'openstack_project::server': }
  573. class { 'openstack_project::survey':
  574. vhost_name => 'survey.openstack.org',
  575. auth_openid => true,
  576. ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
  577. ssl_key_file_contents => hiera('ssl_key_file_contents'),
  578. ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
  579. dbpassword => hiera('dbpassword'),
  580. dbhost => hiera('dbhost'),
  581. adminuser => hiera('adminuser'),
  582. adminpass => hiera('adminpass'),
  583. adminmail => hiera('adminmail'),
  584. }
  585. }
  586. # Node-OS: xenial
  587. node /^nl\d+\.open.*\.org$/ {
  588. $group = 'nodepool'
  589. # NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)
  590. # the cloud credentials are deployed with ansible via the
  591. # configure-openstacksdk role and are no longer configured here
  592. class { 'openstack_project::server': }
  593. include openstack_project
  594. class { '::openstackci::nodepool_launcher':
  595. nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),
  596. project_config_repo => 'https://opendev.org/openstack/project-config',
  597. statsd_host => 'graphite.opendev.org',
  598. revision => 'master',
  599. python_version => 3,
  600. enable_webapp => true,
  601. }
  602. }
  603. # Node-OS: xenial
  604. node /^nb\d+\.open.*\.org$/ {
  605. $group = 'nodepool'
  606. class { 'openstack_project::server': }
  607. include openstack_project
  608. class { '::openstackci::nodepool_builder':
  609. nodepool_ssh_public_key => hiera('zuul_worker_ssh_public_key_contents'),
  610. vhost_name => $::fqdn,
  611. enable_build_log_via_http => true,
  612. project_config_repo => 'https://opendev.org/openstack/project-config',
  613. statsd_host => 'graphite.opendev.org',
  614. upload_workers => '16',
  615. revision => 'master',
  616. python_version => 3,
  617. zuulv3 => true,
  618. ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
  619. ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
  620. }
  621. cron { 'mirror_gitgc':
  622. user => 'nodepool',
  623. hour => '20',
  624. minute => '0',
  625. command => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
  626. environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
  627. require => Class['::openstackci::nodepool_builder'],
  628. }
  629. }
  630. # Node-OS: xenial
  631. node /^ze\d+\.open.*\.org$/ {
  632. $group = "zuul-executor"
  633. $gerrit_server = 'review.opendev.org'
  634. $gerrit_user = 'zuul'
  635. $gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
  636. $gerrit_ssh_private_key = hiera('gerrit_ssh_private_key_contents')
  637. $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
  638. $zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')
  639. $git_email = 'zuul@openstack.org'
  640. $git_name = 'OpenStack Zuul'
  641. $revision = 'master'
  642. class { 'openstack_project::server':
  643. afs => true,
  644. }
  645. class { '::project_config':
  646. url => 'https://opendev.org/openstack/project-config',
  647. }
  648. # We use later HWE kernels for better memory managment, requiring an
  649. # updated AFS version which we install from our custom ppa.
  650. include ::apt
  651. apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }
  652. package { 'linux-generic-hwe-16.04':
  653. ensure => present,
  654. require => [
  655. Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],
  656. Class['apt::update'],
  657. ],
  658. }
  659. # Skopeo is required for pushing/pulling from the intermediate
  660. # registry, and is available in the projectatomic ppa.
  661. apt::ppa { 'ppa:projectatomic/ppa': }
  662. package { 'skopeo':
  663. ensure => present,
  664. require => [
  665. Apt::Ppa['ppa:projectatomic/ppa'],
  666. Class['apt::update'],
  667. ],
  668. }
  669. # Socat is also required for pushing/pulling images
  670. package { 'socat':
  671. ensure => present,
  672. require => [
  673. Class['apt::update'],
  674. ],
  675. }
  676. # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
  677. # settings.
  678. class { '::zuul':
  679. gearman_server => 'zuul01.openstack.org',
  680. gerrit_server => $gerrit_server,
  681. gerrit_user => $gerrit_user,
  682. zuul_ssh_private_key => $gerrit_ssh_private_key,
  683. git_email => $git_email,
  684. git_name => $git_name,
  685. worker_private_key_file => '/var/lib/zuul/ssh/nodepool_id_rsa',
  686. revision => $revision,
  687. python_version => 3,
  688. zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
  689. zuulv3 => true,
  690. connections => hiera('zuul_connections', []),
  691. connection_secrets => hiera('zuul_connection_secrets', []),
  692. gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
  693. gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
  694. gearman_ssl_ca => hiera('gearman_ssl_ca'),
  695. #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs
  696. # properly. We need to revisit this post Queens PTG.
  697. trusted_ro_paths => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],
  698. trusted_rw_paths => ['/afs'],
  699. untrusted_ro_paths => ['/etc/ssl/certs'],
  700. disk_limit_per_job => 5000, # Megabytes
  701. site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,
  702. require => $::project_config::config_dir,
  703. statsd_host => 'graphite.opendev.org',
  704. }
  705. class { '::zuul::executor': }
  706. # This is used by the log job submission playbook which runs under
  707. # python2
  708. package { 'gear':
  709. ensure => latest,
  710. provider => openstack_pip,
  711. require => Class['pip'],
  712. }
  713. file { '/var/lib/zuul/ssh/nodepool_id_rsa':
  714. owner => 'zuul',
  715. group => 'zuul',
  716. mode => '0400',
  717. require => File['/var/lib/zuul/ssh'],
  718. content => $zuul_ssh_private_key,
  719. }
  720. file { '/var/lib/zuul/ssh/static_id_rsa':
  721. owner => 'zuul',
  722. group => 'zuul',
  723. mode => '0400',
  724. require => File['/var/lib/zuul/ssh'],
  725. content => $zuul_static_private_key,
  726. }
  727. class { '::zuul::known_hosts':
  728. known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
  729. }
  730. }
  731. # Node-OS: xenial
  node /^zuul\d+\.open.*\.org$/ {
    # Zuul scheduler host: declares the base server class, project-config, the
    # common ::zuul class, the scheduler, the web vhosts, status backups, the
    # finger gateway, SSH known_hosts and a bup backup site.
    #
    # NOTE(review): the pattern accepts any certname of the form
    # zuulNN.open<anything>.org. Every hiera() secret below is compiled into
    # the catalog of whichever host matches, so certificate signing policy is
    # what keeps unexpected names out -- confirm it is strict.
    $group                = 'zuul-scheduler'
    $gerrit_server        = 'review.opendev.org'
    $gerrit_user          = 'zuul'
    # NOTE(review): this value is interpolated as the Gerrit *host* key in
    # known_hosts_content below, but the hiera key name reads like a user key
    # (the zuul-merger node looks up 'gerrit_ssh_rsa_pubkey_contents' for the
    # same purpose). Confirm the key holds the server's public host key.
    $gerrit_ssh_host_key  = hiera('gerrit_zuul_user_ssh_key_contents')
    $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
    # NOTE(review): plain-http URL that no resource in this node block
    # references; classes may still read it from node scope, so confirm before
    # changing or removing it.
    $zuul_url             = 'http://zuul.openstack.org/p'
    $git_email            = 'zuul@openstack.org'
    $git_name             = 'OpenStack Zuul'
    # NOTE(review): tracks a branch name rather than a pinned commit or tag.
    $revision             = 'master'

    class { 'openstack_project::server':
    }

    class { '::project_config':
      url => 'https://opendev.org/openstack/project-config',
    }

    # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
    # settings.
    class { '::zuul':
      gerrit_server                 => $gerrit_server,
      gerrit_user                   => $gerrit_user,
      zuul_ssh_private_key          => $zuul_ssh_private_key,
      git_email                     => $git_email,
      git_name                      => $git_name,
      revision                      => $revision,
      python_version                => 3,
      zookeeper_hosts               => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
      zookeeper_session_timeout     => 40,
      zuulv3                        => true,
      # Connection definitions and their secrets fall back to empty lists when
      # the hiera keys are absent.
      connections                   => hiera('zuul_connections', []),
      connection_secrets            => hiera('zuul_connection_secrets', []),
      vhost_name                    => 'zuul.openstack.org',
      # Status and web endpoints are addressed over loopback.
      zuul_status_url               => 'http://127.0.0.1:8001/openstack',
      zuul_web_url                  => 'http://127.0.0.1:9000',
      zuul_tenant_name              => 'openstack',
      # Gearman TLS material: the scheduler receives both the client and the
      # server certificate/key pairs plus the CA. None has a default, so a
      # missing key fails the lookup instead of deploying a placeholder.
      gearman_client_ssl_cert       => hiera('gearman_client_ssl_cert'),
      gearman_client_ssl_key        => hiera('gearman_client_ssl_key'),
      gearman_server_ssl_cert       => hiera('gearman_server_ssl_cert'),
      gearman_server_ssl_key        => hiera('gearman_server_ssl_key'),
      gearman_ssl_ca                => hiera('gearman_ssl_ca'),
      proxy_ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),
      proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
      proxy_ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),
      statsd_host                   => 'graphite.opendev.org',
      status_url                    => 'https://zuul.openstack.org',
      relative_priority             => true,
      web_root                      => 'https://zuul.opendev.org',
    }

    # GitHub app private key, readable and writable by the zuul user only.
    file { '/etc/zuul/github.key':
      ensure  => present,
      owner   => 'zuul',
      group   => 'zuul',
      mode    => '0600',
      content => hiera('zuul_github_app_key'),
      require => File['/etc/zuul'],
    }

    class { '::zuul::scheduler':
      layout_dir     => $::project_config::zuul_layout_dir,
      require        => $::project_config::config_dir,
      python_version => 3,
      use_mysql      => true,
    }

    class { '::zuul::web':
      # We manage backups below
      enable_status_backups => false,
      # Two hostnames, each served on 443 (ssl) and on 80 (no ssl).
      # NOTE(review): whether the port-80 vhosts only redirect to https is
      # decided by zuul/zuulv3.vhost.erb, which is not visible here -- confirm.
      vhosts                => {
        'zuul.openstack.org'      => {
          port       => 443,
          docroot    => '/opt/zuul-web/content',
          priority   => '50',
          ssl        => true,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.openstack.org',
        },
        'zuul.opendev.org'        => {
          port       => 443,
          docroot    => '/opt/zuul-web/content',
          priority   => '40',
          ssl        => true,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.opendev.org',
        },
        'zuul.openstack.org-http' => {
          port       => 80,
          docroot    => '/opt/zuul-web/content',
          priority   => '50',
          ssl        => false,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.openstack.org',
        },
        'zuul.opendev.org-http'   => {
          port       => 80,
          docroot    => '/opt/zuul-web/content',
          priority   => '40',
          ssl        => false,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.opendev.org',
        },
      },
      # Per-vhost flags; the opendev vhosts carry an empty tenant name.
      vhosts_flags          => {
        'zuul.openstack.org'      => {
          tenant_name => 'openstack',
          ssl         => true,
        },
        'zuul.opendev.org'        => {
          tenant_name => '',
          ssl         => true,
        },
        'zuul.openstack.org-http' => {
          tenant_name => 'openstack',
          ssl         => false,
        },
        'zuul.opendev.org-http'   => {
          tenant_name => '',
          ssl         => false,
        },
      },
      # Certificate, chain and key per TLS vhost, each from its own hiera keys.
      vhosts_ssl            => {
        'zuul.openstack.org' => {
          ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),
          ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
          ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),
        },
        'zuul.opendev.org'   => {
          ssl_cert_file_contents  => hiera('opendev_zuul_ssl_cert_file_contents'),
          ssl_chain_file_contents => hiera('opendev_zuul_ssl_chain_file_contents'),
          ssl_key_file_contents   => hiera('opendev_zuul_ssl_key_file_contents'),
        },
      },
    }

    # Status backups are declared per tenant, both fetched over https.
    zuul::status_backups { 'openstack-zuul-tenant':
      tenant_name => 'openstack',
      ssl         => true,
      status_uri  => 'https://zuul.opendev.org/api/tenant/openstack/status',
    }

    zuul::status_backups { 'kata-zuul-tenant':
      tenant_name => 'kata-containers',
      ssl         => true,
      status_uri  => 'https://zuul.opendev.org/api/tenant/kata-containers/status',
    }

    class { '::zuul::fingergw':
    }

    # Pinned SSH host keys: the Gerrit entry takes its key from
    # $gerrit_ssh_host_key, the git.opendaylight.org entry is a literal ssh-rsa
    # key. Both entries also list fixed IPv4/IPv6 addresses, so a host key
    # rotation or an address change needs an edit here.
    class { '::zuul::known_hosts':
      known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
    }

    include bup

    bup::site { 'rax.ord':
      backup_user   => 'bup-zuulv3',
      backup_server => 'backup01.ord.rax.ci.openstack.org',
    }
  }
  880. # Node-OS: xenial
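  node /^zm\d+\.open.*\.org$/ {
    # Zuul merger host: declares the base server class, the common ::zuul
    # class and openstack_project::zuul_merger.
    #
    # The dot after the digits is escaped so it matches only a literal '.',
    # as the other node patterns in this file do; unescaped it accepted any
    # character in that position.
    # NOTE(review): 'open.*\.org' still accepts any certname of the form
    # zmNN.open<anything>.org, and the hiera() secrets below are compiled into
    # the catalog of whichever host matches -- confirm certificate signing
    # policy keeps unexpected names out.
    $group                = 'zuul-merger'
    $gerrit_server        = 'review.opendev.org'
    $gerrit_user          = 'zuul'
    $gerrit_ssh_host_key  = hiera('gerrit_ssh_rsa_pubkey_contents')
    $zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')
    # NOTE(review): plain-http URL built from the node's own fqdn; no resource
    # in this node block references it, though classes may read it from node
    # scope -- confirm before changing or removing it.
    $zuul_url             = "http://${::fqdn}/p"
    $git_email            = 'zuul@openstack.org'
    $git_name             = 'OpenStack Zuul'
    # NOTE(review): tracks a branch name rather than a pinned commit or tag.
    $revision             = 'master'

    class { 'openstack_project::server': }

    # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
    # settings.
    class { '::zuul':
      gearman_server          => 'zuul01.openstack.org',
      gerrit_server           => $gerrit_server,
      gerrit_user             => $gerrit_user,
      zuul_ssh_private_key    => $zuul_ssh_private_key,
      git_email               => $git_email,
      git_name                => $git_name,
      revision                => $revision,
      python_version          => 3,
      zookeeper_hosts         => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
      zuulv3                  => true,
      # Connection definitions and their secrets fall back to empty lists when
      # the hiera keys are absent.
      connections             => hiera('zuul_connections', []),
      connection_secrets      => hiera('zuul_connection_secrets', []),
      # Gearman client TLS material and CA; no defaults, so a missing key
      # fails the lookup instead of deploying a placeholder.
      gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
      gearman_client_ssl_key  => hiera('gearman_client_ssl_key'),
      gearman_ssl_ca          => hiera('gearman_ssl_ca'),
      statsd_host             => 'graphite.opendev.org',
    }

    # manage_common_zuul is false because ::zuul is already declared above.
    class { 'openstack_project::zuul_merger':
      gerrit_server        => $gerrit_server,
      gerrit_user          => $gerrit_user,
      gerrit_ssh_host_key  => $gerrit_ssh_host_key,
      zuul_ssh_private_key => $zuul_ssh_private_key,
      manage_common_zuul   => false,
    }
  }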
  920. # Node-OS: xenial
  node /^pbx\d*\.open.*\.org$/ {
    # PBX host: base server class plus openstack_project::pbx with a single
    # SIP provider entry.
    $group = 'pbx'

    class { 'openstack_project::server':
    }

    class { 'openstack_project::pbx':
      sip_providers => [
        {
          provider => 'voipms',
          hostname => 'dallas.voip.ms',
          # The username falls back to the placeholder 'username'; the
          # password has no default, so a missing key fails the lookup.
          username => hiera('voipms_username', 'username'),
          password => hiera('voipms_password'),
          outgoing => false,
        },
      ],
    }
  }
  936. # Node-OS: xenial
  937. # A backup machine. Don't run cron or puppet agent on it.
  node /^backup\d+\..*\.ci\.open.*\.org$/ {
    # Matches backupNN.<anything>.ci.open<anything>.org; declares the base
    # server class and includes the backup server class.
    $group = 'ci-backup'

    class { 'openstack_project::server':
    }

    include openstack_project::backup_server
  }
  943. # Node-OS: xenial
  node /^openstackid\d*(\.openstack)?\.org$/ {
    # Production OpenStackID host: a single openstack_project::openstackid_prod
    # declaration carrying database, redis, TLS, reCAPTCHA, application and
    # mail settings.
    #
    # Passwords, keys and TLS material are looked up without defaults, so a
    # missing hiera key fails the lookup instead of deploying a placeholder.
    # NOTE(review): hosts, users and ss_db_name do have defaults, and
    # ss_db_name falls back to 'username', which looks like a copy of the
    # user default rather than a database name -- confirm.
    $group = 'openstackid'

    class { 'openstack_project::openstackid_prod':
      site_admin_password                 => hiera('openstackid_site_admin_password'),
      id_mysql_host                       => hiera('openstackid_id_mysql_host', 'localhost'),
      id_mysql_password                   => hiera('openstackid_id_mysql_password'),
      id_mysql_user                       => hiera('openstackid_id_mysql_user', 'username'),
      id_db_name                          => hiera('openstackid_id_db_name'),
      ss_mysql_host                       => hiera('openstackid_ss_mysql_host', 'localhost'),
      ss_mysql_password                   => hiera('openstackid_ss_mysql_password'),
      ss_mysql_user                       => hiera('openstackid_ss_mysql_user', 'username'),
      ss_db_name                          => hiera('openstackid_ss_db_name', 'username'),
      redis_password                      => hiera('openstackid_redis_password'),
      ssl_cert_file_contents              => hiera('openstackid_ssl_cert_file_contents'),
      ssl_key_file_contents               => hiera('openstackid_ssl_key_file_contents'),
      ssl_chain_file_contents             => hiera('openstackid_ssl_chain_file_contents'),
      id_recaptcha_public_key             => hiera('openstackid_recaptcha_public_key'),
      id_recaptcha_private_key            => hiera('openstackid_recaptcha_private_key'),
      vhost_name                          => 'openstackid.org',
      session_cookie_domain               => 'openstackid.org',
      serveradmin                         => 'webmaster@openstackid.org',
      canonicalweburl                     => 'https://openstackid.org/',
      app_url                             => 'https://openstackid.org',
      app_key                             => hiera('openstackid_app_key'),
      # Error reports are mailed to an address outside the openstack.org
      # domain.
      id_log_error_to_email               => 'openstack@tipit.net',
      id_log_error_from_email             => 'noreply@openstack.org',
      email_driver                        => 'sendgrid',
      email_send_grid_api_key             => hiera('openstackid_send_grid_api_key'),
      php_version                         => 7,
      # MySQL TLS is enabled, with the CA and a client key/certificate
      # supplied from hiera.
      mysql_ssl_enabled                   => true,
      mysql_ssl_ca_file_contents          => hiera('openstackid_mysql_ssl_ca_file_contents'),
      mysql_ssl_client_key_file_contents  => hiera('openstackid_mysql_ssl_client_key_file_contents'),
      mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),
      lost_password_url                   => 'https://openstackid.org/lost-password',
      registration_url                    => 'https://openstackid.org/registration',
      registration_mobile_url             => 'https://openstackid.org/registration-mobile',
      resend_verification_url             => 'https://openstackid.org/resend-verification',
    }
  }
  983. # Node-OS: xenial
  node /^openstackid-dev\d*\.openstack\.org$/ {
    # Development OpenStackID host: a single
    # openstack_project::openstackid_dev declaration.
    #
    # Every secret is read from an 'openstackid_dev_*' hiera key, separate
    # from the production key names. Passwords, keys and TLS material have no
    # defaults, so a missing key fails the lookup.
    # NOTE(review): ss_db_name falls back to 'username', which looks like a
    # copy of the user default rather than a database name -- confirm.
    $group = 'openstackid-dev'

    class { 'openstack_project::openstackid_dev':
      site_admin_password                 => hiera('openstackid_dev_site_admin_password'),
      id_mysql_host                       => hiera('openstackid_dev_id_mysql_host', 'localhost'),
      id_mysql_password                   => hiera('openstackid_dev_id_mysql_password'),
      id_mysql_user                       => hiera('openstackid_dev_id_mysql_user', 'username'),
      ss_mysql_host                       => hiera('openstackid_dev_ss_mysql_host', 'localhost'),
      ss_mysql_password                   => hiera('openstackid_dev_ss_mysql_password'),
      ss_mysql_user                       => hiera('openstackid_dev_ss_mysql_user', 'username'),
      ss_db_name                          => hiera('openstackid_dev_ss_db_name', 'username'),
      redis_password                      => hiera('openstackid_dev_redis_password'),
      ssl_cert_file_contents              => hiera('openstackid_dev_ssl_cert_file_contents'),
      ssl_key_file_contents               => hiera('openstackid_dev_ssl_key_file_contents'),
      ssl_chain_file_contents             => hiera('openstackid_dev_ssl_chain_file_contents'),
      id_recaptcha_public_key             => hiera('openstackid_dev_recaptcha_public_key'),
      id_recaptcha_private_key            => hiera('openstackid_dev_recaptcha_private_key'),
      vhost_name                          => 'openstackid-dev.openstack.org',
      session_cookie_domain               => 'openstackid-dev.openstack.org',
      serveradmin                         => 'webmaster@openstackid-dev.openstack.org',
      canonicalweburl                     => 'https://openstackid-dev.openstack.org/',
      app_url                             => 'https://openstackid-dev.openstack.org',
      app_key                             => hiera('openstackid_dev_app_key'),
      id_log_error_to_email               => 'openstack@tipit.net',
      id_log_error_from_email             => 'noreply@openstack.org',
      email_driver                        => 'sendgrid',
      email_send_grid_api_key             => hiera('openstackid_dev_send_grid_api_key'),
      php_version                         => 7,
      # MySQL TLS is enabled, with the CA and a client key/certificate
      # supplied from hiera.
      mysql_ssl_enabled                   => true,
      mysql_ssl_ca_file_contents          => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),
      mysql_ssl_client_key_file_contents  => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),
      mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),
      lost_password_url                   => 'https://openstackid-dev.openstack.org/lost-password',
      registration_url                    => 'https://openstackid-dev.openstack.org/registration',
      registration_mobile_url             => 'https://openstackid-dev.openstack.org/registration-mobile',
      resend_verification_url             => 'https://openstackid-dev.openstack.org/resend-verification',
    }
  }
  1022. # Node-OS: trusty
  1023. # Used for testing all-in-one deployments
  node 'single-node-ci.test.only' {
    # Exact-name match (not a regex); pulls in the all-in-one CI class only.
    include ::openstackci::single_node_ci
  }
  1027. # Node-OS: xenial
  node /^kdc03\.open.*\.org$/ {
    # kdc03: base server class plus the KDC class with its default parameters.
    class { 'openstack_project::server':
    }

    class { 'openstack_project::kdc':
    }
  }
  1032. # Node-OS: xenial
  node /^kdc04\.open.*\.org$/ {
    # kdc04: base server class plus the KDC class with the slave flag set.
    class { 'openstack_project::server':
    }

    class { 'openstack_project::kdc':
      slave => true,
    }
  }
  1039. # Node-OS: xenial
  node /^afsdb01\.open.*\.org$/ {
    # afsdb01: base server class with AFS enabled, the afsdb class and, on
    # this host only, the afsrelease class.
    # NOTE(review): the generic afsdb pattern declared after this node also
    # matches afsdb01 names; confirm how Puppet chooses between overlapping
    # regex node definitions so afsrelease is not silently dropped.
    $group = 'afsdb'

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsdb
    include openstack_project::afsrelease
  }
  1048. # Node-OS: xenial
  node /^afsdb.*\.open.*\.org$/ {
    # Any afsdb* host: base server class with AFS enabled plus the afsdb
    # class.
    # NOTE(review): this pattern also matches names covered by the more
    # specific afsdb01 node definition; confirm which of the two overlapping
    # regex definitions Puppet applies to that host.
    $group = 'afsdb'

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsdb
  }
  1056. # Node-OS: xenial
  node /^afs.*\..*\.open.*\.org$/ {
    # AFS file server hosts. The pattern requires one more dot-separated
    # label before 'open...' than the afsdb patterns do. Declares the base
    # server class with AFS enabled plus the afsfs class.
    $group = 'afs'

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsfs
  }
  1064. # Node-OS: trusty
  node /^ask\d*\.open.*\.org$/ {
    # ask host: base server class plus openstack_project::ask.
    class { 'openstack_project::server':
    }

    class { 'openstack_project::ask':
      db_user                      => hiera('ask_db_user', 'ask'),
      # Database and redis passwords have no default; a missing key fails the
      # lookup.
      db_password                  => hiera('ask_db_password'),
      redis_password               => hiera('ask_redis_password'),
      # NOTE(review): the TLS certificate, key and chain default to undef when
      # their hiera keys are absent. What the class deploys in that case is
      # not visible here -- confirm it does not fall back to serving without
      # the intended certificate.
      site_ssl_cert_file_contents  => hiera('ask_site_ssl_cert_file_contents', undef),
      site_ssl_key_file_contents   => hiera('ask_site_ssl_key_file_contents', undef),
      site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),
    }
  }
  1076. # Node-OS: trusty
  node /^ask-staging\d*\.open.*\.org$/ {
    # ask-staging host: base server class plus openstack_project::ask_staging.
    # Its passwords come from 'ask_staging_*' hiera keys, separate from the
    # 'ask_*' key names, and have no defaults.
    class { 'openstack_project::server':
    }

    class { 'openstack_project::ask_staging':
      db_password    => hiera('ask_staging_db_password'),
      redis_password => hiera('ask_staging_redis_password'),
    }
  }
  1084. # Node-OS: xenial
  node /^translate\d+\.open.*\.org$/ {
    # Production translation host: base server class plus
    # openstack_project::translate.
    $group = 'translate'

    class { 'openstack_project::server':
    }

    class { 'openstack_project::translate':
      # Comma-separated account names passed as admin users; review this list
      # when people change roles.
      admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
      openid_url                 => 'https://openstackid.org',
      # NOTE(review): only an AJP listener is requested; confirm the class
      # keeps it unreachable from outside the host.
      listeners                  => ['ajp'],
      from_address               => 'noreply@openstack.org',
      mysql_host                 => hiera('translate_mysql_host', 'localhost'),
      mysql_password             => hiera('translate_mysql_password'),
      zanata_server_user         => hiera('proposal_zanata_user'),
      zanata_server_api_key      => hiera('proposal_zanata_api_key'),
      # NOTE(review): the WildFly archive is fetched over https from a
      # version-pinned URL, but no checksum for it is passed in this
      # declaration -- confirm the class verifies the download.
      zanata_wildfly_version     => '10.1.0',
      zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',
      zanata_main_version        => 4,
      # The Zanata archive is pinned by URL and checksum. The checksum is 40
      # hex digits, which is SHA-1 length; the algorithm actually used is
      # chosen by the class and is not visible here.
      zanata_url                 => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',
      zanata_checksum            => 'eaf8bd07401dade758b677007d2358f173193d17',
      project_config_repo        => 'https://opendev.org/openstack/project-config',
      ssl_cert_file_contents     => hiera('translate_ssl_cert_file_contents'),
      ssl_key_file_contents      => hiera('translate_ssl_key_file_contents'),
      ssl_chain_file_contents    => hiera('translate_ssl_chain_file_contents'),
      vhost_name                 => 'translate.openstack.org',
    }
  }
  1109. # Node-OS: xenial
  node /^translate-dev\d*\.open.*\.org$/ {
    # Development translation host: a single
    # openstack_project::translate_dev declaration.
    # NOTE(review): the database settings use 'translate_dev_*' hiera keys,
    # but the Zanata user and API key are the same 'proposal_zanata_*' keys
    # the production translate node reads -- confirm sharing that credential
    # with the dev host is intended.
    $group = 'translate-dev'

    class { 'openstack_project::translate_dev':
      # Comma-separated account names passed as admin users.
      admin_users           => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
      openid_url            => 'https://openstackid-dev.openstack.org',
      listeners             => ['ajp'],
      from_address          => 'noreply@openstack.org',
      mysql_host            => hiera('translate_dev_mysql_host', 'localhost'),
      mysql_password        => hiera('translate_dev_mysql_password'),
      zanata_server_user    => hiera('proposal_zanata_user'),
      zanata_server_api_key => hiera('proposal_zanata_api_key'),
      project_config_repo   => 'https://opendev.org/openstack/project-config',
      vhost_name            => 'translate-dev.openstack.org',
    }
  }
  1125. # Node-OS: xenial
  node /^codesearch\d*\.open.*\.org$/ {
    # Code search host: base server class plus openstack_project::codesearch,
    # which is pointed at the project-config repository over https. No hiera
    # secrets are looked up in this node block.
    $group = 'codesearch'

    class { 'openstack_project::server':
    }

    class { 'openstack_project::codesearch':
      project_config_repo => 'https://opendev.org/openstack/project-config',
    }
  }
  1133. # vim:sw=2:ts=2:expandtab:textwidth=79