opendev
/
system-config
Code Issues
System configuration for OpenStack Infrastructure
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14776 Commits
1 Branch
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
system-config/manifests/site.pp

site.pp 53KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299 
  1. #

  2. # Top-level variables

  3. #

  4. # There must not be any whitespace between this comment and the variables or

  5. # in between any two variables in order for them to be correctly parsed and

  6. # passed around in test.sh

  7. #

  8. # Note we do not do a hiera lookup here as we set $group on a per node basis

  9. # and that must be set before we can do hiera lookups. Doing a hiera lookup

  10. # here would fail to find any group specific info.

  11. $elasticsearch_nodes = [

  12.   "elasticsearch02.openstack.org",

  13.   "elasticsearch03.openstack.org",

  14.   "elasticsearch04.openstack.org",

  15.   "elasticsearch05.openstack.org",

  16.   "elasticsearch06.openstack.org",

  17.   "elasticsearch07.openstack.org",

  18. ]

  19. 

  20. #

  21. # Default: should at least behave like an openstack server

  22. #

  23. node default {

  24.   class { 'openstack_project::server':

  25.   }

  26. }

  27. 

  28. #

  29. # Long lived servers:

  30. #

  31. # Node-OS: xenial

  32. node /^review\d*\.open.*\.org$/ {

  33.   $group = "review"

  34. 

  35.   class { 'openstack_project::server': }

  36. 

  37.   class { 'openstack_project::review':

  38.     project_config_repo                  => 'https://opendev.org/openstack/project-config',

  39.     github_oauth_token                   => hiera('gerrit_github_token'),

  40.     github_project_username              => hiera('github_project_username', 'username'),

  41.     github_project_password              => hiera('github_project_password'),

  42.     mysql_host                           => hiera('gerrit_mysql_host', 'localhost'),

  43.     mysql_password                       => hiera('gerrit_mysql_password'),

  44.     email_private_key                    => hiera('gerrit_email_private_key'),

  45.     token_private_key                    => hiera('gerrit_rest_token_private_key'),

  46.     gerritbot_password                   => hiera('gerrit_gerritbot_password'),

  47.     gerritbot_ssh_rsa_key_contents       => hiera('gerritbot_ssh_rsa_key_contents'),

  48.     gerritbot_ssh_rsa_pubkey_contents    => hiera('gerritbot_ssh_rsa_pubkey_contents'),

  49.     ssl_cert_file_contents               => hiera('review_opendev_cert_file_contents'),

  50.     ssl_key_file_contents                => hiera('review_opendev_key_file_contents'),

  51.     ssl_chain_file_contents              => hiera('review_opendev_chain_file_contents'),

  52.     ssh_dsa_key_contents                 => hiera('gerrit_ssh_dsa_key_contents'),

  53.     ssh_dsa_pubkey_contents              => hiera('gerrit_ssh_dsa_pubkey_contents'),

  54.     ssh_rsa_key_contents                 => hiera('gerrit_ssh_rsa_key_contents'),

  55.     ssh_rsa_pubkey_contents              => hiera('gerrit_ssh_rsa_pubkey_contents'),

  56.     ssh_project_rsa_key_contents         => hiera('gerrit_project_ssh_rsa_key_contents'),

  57.     ssh_project_rsa_pubkey_contents      => hiera('gerrit_project_ssh_rsa_pubkey_contents'),

  58.     ssh_welcome_rsa_key_contents         => hiera('welcome_message_gerrit_ssh_private_key'),

  59.     ssh_welcome_rsa_pubkey_contents      => hiera('welcome_message_gerrit_ssh_public_key'),

  60.     ssh_replication_rsa_key_contents     => hiera('gerrit_replication_ssh_rsa_key_contents'),

  61.     ssh_replication_rsa_pubkey_contents  => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),

  62.     lp_access_token                      => hiera('gerrit_lp_access_token'),

  63.     lp_access_secret                     => hiera('gerrit_lp_access_secret'),

  64.     lp_consumer_key                      => hiera('gerrit_lp_consumer_key'),

  65.     swift_username                       => hiera('swift_store_user', 'username'),

  66.     swift_password                       => hiera('swift_store_key'),

  67.     storyboard_password                  => hiera('gerrit_storyboard_token'),

  68.     # Compatibility layer vars for the old domain name below here.

  69.     # TODO rename the hiera keys to reduce confusion

  70.     review_openstack_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),

  71.     review_openstack_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),

  72.     review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),

  73.   }

  74. }

  75. 

  76. # Node-OS: xenial

  77. node /^review-dev\d*\.open.*\.org$/ {

  78.   $group = "review-dev"

  79. 

  80.   class { 'openstack_project::server':

  81.     afs                       => true,

  82.   }

  83. 

  84.   class { 'openstack_project::review_dev':

  85.     project_config_repo                 => 'https://opendev.org/openstack/project-config',

  86.     github_oauth_token                  => hiera('gerrit_dev_github_token'),

  87.     github_project_username             => hiera('github_dev_project_username', 'username'),

  88.     github_project_password             => hiera('github_dev_project_password'),

  89.     mysql_host                          => hiera('gerrit_dev_mysql_host', 'localhost'),

  90.     mysql_password                      => hiera('gerrit_dev_mysql_password'),

  91.     email_private_key                   => hiera('gerrit_dev_email_private_key'),

  92.     ssh_dsa_key_contents                => hiera('gerrit_dev_ssh_dsa_key_contents'),

  93.     ssh_dsa_pubkey_contents             => hiera('gerrit_dev_ssh_dsa_pubkey_contents'),

  94.     ssh_rsa_key_contents                => hiera('gerrit_dev_ssh_rsa_key_contents'),

  95.     ssh_rsa_pubkey_contents             => hiera('gerrit_dev_ssh_rsa_pubkey_contents'),

  96.     ssh_project_rsa_key_contents        => hiera('gerrit_dev_project_ssh_rsa_key_contents'),

  97.     ssh_project_rsa_pubkey_contents     => hiera('gerrit_dev_project_ssh_rsa_pubkey_contents'),

  98.     ssh_replication_rsa_key_contents    => hiera('gerrit_dev_replication_ssh_rsa_key_contents'),

  99.     ssh_replication_rsa_pubkey_contents => hiera('gerrit_dev_replication_ssh_rsa_pubkey_contents'),

  100.     lp_access_token                     => hiera('gerrit_dev_lp_access_token'),

  101.     lp_access_secret                    => hiera('gerrit_dev_lp_access_secret'),

  102.     lp_consumer_key                     => hiera('gerrit_dev_lp_consumer_key'),

  103.     storyboard_password                 => hiera('gerrit_dev_storyboard_token'),

  104.     storyboard_ssl_cert                 => hiera('gerrit_dev_storyboard_ssl_crt'),

  105.   }

  106. }

  107. 

  108. # Node-OS: xenial

  109. # Puppet-Version: !3

  110. node /^grafana\d*\.open.*\.org$/ {

  111.   $group = "grafana"

  112.   class { 'openstack_project::server': }

  113.   class { 'openstack_project::grafana':

  114.     admin_password      => hiera('grafana_admin_password'),

  115.     admin_user          => hiera('grafana_admin_user', 'username'),

  116.     mysql_host          => hiera('grafana_mysql_host', 'localhost'),

  117.     mysql_name          => hiera('grafana_mysql_name'),

  118.     mysql_password      => hiera('grafana_mysql_password'),

  119.     mysql_user          => hiera('grafana_mysql_user', 'username'),

  120.     project_config_repo => 'https://opendev.org/openstack/project-config',

  121.     secret_key          => hiera('grafana_secret_key'),

  122.   }

  123. }

  124. 

  125. # Node-OS: xenial

  126. node /^health\d*\.openstack\.org$/ {

  127.   $group = "health"

  128.   class { 'openstack_project::server': }

  129.   class { 'openstack_project::openstack_health_api':

  130.     subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),

  131.     hostname            => 'health.openstack.org',

  132.   }

  133. }

  134. 

  135. # Node-OS: xenial

  136. node /^cacti\d+\.open.*\.org$/ {

  137.   $group = "cacti"

  138.   include openstack_project::ssl_cert_check

  139.   class { 'openstack_project::cacti':

  140.     cacti_hosts => hiera_array('cacti_hosts'),

  141.     vhost_name  => 'cacti.openstack.org',

  142.   }

  143. }

  144. 

  145. # Node-OS: xenial

  146. node /^graphite\d*\.open.*\.org$/ {

  147.   class { 'openstack_project::server': }

  148. 

  149.   class { '::graphite':

  150.     graphite_admin_user     => hiera('graphite_admin_user', 'username'),

  151.     graphite_admin_email    => hiera('graphite_admin_email', 'email@example.com'),

  152.     graphite_admin_password => hiera('graphite_admin_password'),

  153.     # NOTE(ianw): installed on the host via ansible

  154.     ssl_cert_file           => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',

  155.     ssl_key_file            => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',

  156.     ssl_chain_file          => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',

  157.   }

  158. }

  159. 

  160. # Node-OS: trusty

  161. # Node-OS: xenial

  162. node /^groups\d*\.open.*\.org$/ {

  163.   class { 'openstack_project::server': }

  164.   class { 'openstack_project::groups':

  165.     site_admin_password          => hiera('groups_site_admin_password'),

  166.     site_mysql_host              => hiera('groups_site_mysql_host', 'localhost'),

  167.     site_mysql_password          => hiera('groups_site_mysql_password'),

  168.     conf_cron_key                => hiera('groups_conf_cron_key'),

  169.     site_ssl_cert_file_contents  => hiera('groups_site_ssl_cert_file_contents', undef),

  170.     site_ssl_key_file_contents   => hiera('groups_site_ssl_key_file_contents', undef),

  171.     site_ssl_chain_file_contents => hiera('groups_site_ssl_chain_file_contents', undef),

  172.   }

  173. }

  174. 

  175. # Node-OS: trusty

  176. # Node-OS: xenial

  177. node /^groups-dev\d*\.open.*\.org$/ {

  178.   class { 'openstack_project::server': }

  179.   class { 'openstack_project::groups_dev':

  180.     site_admin_password          => hiera('groups_dev_site_admin_password'),

  181.     site_mysql_host              => hiera('groups_dev_site_mysql_host', 'localhost'),

  182.     site_mysql_password          => hiera('groups_dev_site_mysql_password'),

  183.     conf_cron_key                => hiera('groups_dev_conf_cron_key'),

  184.     site_ssl_cert_file_contents  => hiera('groups_dev_site_ssl_cert_file_contents', undef),

  185.     site_ssl_key_file_contents   => hiera('groups_dev_site_ssl_key_file_contents', undef),

  186.     site_ssl_cert_file           => '/etc/ssl/certs/groups-dev.openstack.org.pem',

  187.     site_ssl_key_file            => '/etc/ssl/private/groups-dev.openstack.org.key',

  188.   }

  189. }

  190. 

  191. # Node-OS: trusty

  192. # Node-OS: xenial

  193. node /^lists\d*\.open.*\.org$/ {

  194.   class { 'openstack_project::server': }

  195. 

  196.   class { 'openstack_project::lists':

  197.     listpassword => hiera('listpassword'),

  198.   }

  199. }

  200. 

  201. # Node-OS: xenial

  202. node /^lists\d*\.katacontainers\.io$/ {

  203.   class { 'openstack_project::server': }

  204. 

  205.   class { 'openstack_project::kata_lists':

  206.     listpassword => hiera('listpassword'),

  207.   }

  208. }

  209. 

  210. # Node-OS: xenial

  211. node /^paste\d*\.open.*\.org$/ {

  212.   $group = "paste"

  213. 

  214.   class { 'openstack_project::server': }

  215.   class { 'openstack_project::paste':

  216.     db_password         => hiera('paste_db_password'),

  217.     db_host             => hiera('paste_db_host'),

  218.     vhost_name          => 'paste.openstack.org',

  219.   }

  220. }

  221. 

  222. # Node-OS: xenial

  223. node /planet\d*\.open.*\.org$/ {

  224.   class { 'openstack_project::planet':

  225.   }

  226. }

  227. 

  228. # Node-OS: xenial

  229. node /^eavesdrop\d*\.open.*\.org$/ {

  230.   $group = "eavesdrop"

  231.   class { 'openstack_project::server': }

  232. 

  233.   class { 'openstack_project::eavesdrop':

  234.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  235.     nickpass                => hiera('openstack_meetbot_password'),

  236.     statusbot_nick          => hiera('statusbot_nick', 'username'),

  237.     statusbot_password      => hiera('statusbot_nick_password'),

  238.     statusbot_server        => 'chat.freenode.net',

  239.     statusbot_channels      => hiera_array('statusbot_channels', ['openstack_infra']),

  240.     statusbot_auth_nicks    => hiera_array('statusbot_auth_nicks'),

  241.     statusbot_wiki_user     => hiera('statusbot_wiki_username', 'username'),

  242.     statusbot_wiki_password => hiera('statusbot_wiki_password'),

  243.     statusbot_wiki_url      => 'https://wiki.openstack.org/w/api.php',

  244.     # https://wiki.openstack.org/wiki/Infrastructure_Status

  245.     statusbot_wiki_pageid   => '1781',

  246.     statusbot_wiki_successpageid => '7717',

  247.     statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',

  248.     statusbot_wiki_thankspageid => '37700',

  249.     statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',

  250.     statusbot_irclogs_url   => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',

  251.     statusbot_twitter                 => true,

  252.     statusbot_twitter_key             => hiera('statusbot_twitter_key'),

  253.     statusbot_twitter_secret          => hiera('statusbot_twitter_secret'),

  254.     statusbot_twitter_token_key       => hiera('statusbot_twitter_token_key'),

  255.     statusbot_twitter_token_secret    => hiera('statusbot_twitter_token_secret'),

  256.     accessbot_nick          => hiera('accessbot_nick', 'username'),

  257.     accessbot_password      => hiera('accessbot_nick_password'),

  258.     meetbot_channels        => hiera('meetbot_channels', ['openstack-infra']),

  259.     ptgbot_nick             => hiera('ptgbot_nick', 'username'),

  260.     ptgbot_password         => hiera('ptgbot_password'),

  261.   }

  262. }

  263. 

  264. # Node-OS: xenial

  265. node /^ethercalc\d+\.open.*\.org$/ {

  266.   $group = "ethercalc"

  267.   class { 'openstack_project::server': }

  268. 

  269.   class { 'openstack_project::ethercalc':

  270.     vhost_name              => 'ethercalc.openstack.org',

  271.     ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),

  272.     ssl_key_file_contents   => hiera('ssl_key_file_contents'),

  273.     ssl_chain_file_contents => hiera('ssl_chain_file_contents'),

  274.   }

  275. }

  276. 

  277. # Node-OS: xenial

  278. node /^etherpad\d*\.open.*\.org$/ {

  279.   $group = "etherpad"

  280.   class { 'openstack_project::server': }

  281. 

  282.   class { 'openstack_project::etherpad':

  283.     vhost_name              => 'etherpad.openstack.org',

  284.     ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),

  285.     ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),

  286.     ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),

  287.     mysql_host              => hiera('etherpad_db_host', 'localhost'),

  288.     mysql_user              => hiera('etherpad_db_user', 'username'),

  289.     mysql_password          => hiera('etherpad_db_password'),

  290.   }

  291. }

  292. 

  293. # Node-OS: xenial

  294. node /^etherpad-dev\d*\.open.*\.org$/ {

  295.   $group = "etherpad-dev"

  296.   class { 'openstack_project::server': }

  297. 

  298.   class { 'openstack_project::etherpad_dev':

  299.     vhost_name     => 'etherpad-dev.openstack.org',

  300.     mysql_host     => hiera('etherpad-dev_db_host', 'localhost'),

  301.     mysql_user     => hiera('etherpad-dev_db_user', 'username'),

  302.     mysql_password => hiera('etherpad-dev_db_password'),

  303.   }

  304. }

  305. 

  306. # Node-OS: trusty

  307. node /^wiki\d+\.openstack\.org$/ {

  308.   $group = "wiki"

  309.   class { 'openstack_project::wiki':

  310.     bup_user                  => 'bup-wiki',

  311.     serveradmin               => hiera('infra_apache_serveradmin'),

  312.     site_hostname             => 'wiki.openstack.org',

  313.     ssl_cert_file_contents    => hiera('ssl_cert_file_contents'),

  314.     ssl_key_file_contents     => hiera('ssl_key_file_contents'),

  315.     ssl_chain_file_contents   => hiera('ssl_chain_file_contents'),

  316.     wg_dbserver               => hiera('wg_dbserver'),

  317.     wg_dbname                 => 'openstack_wiki',

  318.     wg_dbuser                 => 'wikiuser',

  319.     wg_dbpassword             => hiera('wg_dbpassword'),

  320.     wg_secretkey              => hiera('wg_secretkey'),

  321.     wg_upgradekey             => hiera('wg_upgradekey'),

  322.     wg_recaptchasitekey       => hiera('wg_recaptchasitekey'),

  323.     wg_recaptchasecretkey     => hiera('wg_recaptchasecretkey'),

  324.     wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),

  325.   }

  326. }

  327. 

  328. # Node-OS: trusty

  329. node /^wiki-dev\d+\.openstack\.org$/ {

  330.   $group = "wiki-dev"

  331.   class { 'openstack_project::wiki':

  332.     serveradmin           => hiera('infra_apache_serveradmin'),

  333.     site_hostname         => 'wiki-dev.openstack.org',

  334.     wg_dbserver           => hiera('wg_dbserver'),

  335.     wg_dbname             => 'openstack_wiki',

  336.     wg_dbuser             => 'wikiuser',

  337.     wg_dbpassword         => hiera('wg_dbpassword'),

  338.     wg_secretkey          => hiera('wg_secretkey'),

  339.     wg_upgradekey         => hiera('wg_upgradekey'),

  340.     wg_recaptchasitekey   => hiera('wg_recaptchasitekey'),

  341.     wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),

  342.     disallow_robots       => true,

  343.   }

  344. }

  345. 

  346. # Node-OS: xenial

  347. node /^logstash\d*\.open.*\.org$/ {

  348.   class { 'openstack_project::server': }

  349. 

  350.   class { 'openstack_project::logstash':

  351.     discover_nodes      => [

  352.       'elasticsearch03.openstack.org:9200',

  353.       'elasticsearch04.openstack.org:9200',

  354.       'elasticsearch05.openstack.org:9200',

  355.       'elasticsearch06.openstack.org:9200',

  356.       'elasticsearch07.openstack.org:9200',

  357.       'elasticsearch02.openstack.org:9200',

  358.     ],

  359.     subunit2sql_db_host => hiera('subunit2sql_db_host', ''),

  360.     subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),

  361.   }

  362. }

  363. 

  364. # Node-OS: xenial

  365. node /^logstash-worker\d+\.open.*\.org$/ {

  366.   $group = 'logstash-worker'

  367. 

  368.   class { 'openstack_project::server': }

  369. 

  370.   class { 'openstack_project::logstash_worker':

  371.     discover_node         => 'elasticsearch03.openstack.org',

  372.     enable_mqtt           => false,

  373.     mqtt_password         => hiera('mqtt_service_user_password'),

  374.     mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),

  375.   }

  376. }

  377. 

  378. # Node-OS: xenial

  379. node /^subunit-worker\d+\.open.*\.org$/ {

  380.   $group = "subunit-worker"

  381.   class { 'openstack_project::server': }

  382.   class { 'openstack_project::subunit_worker':

  383.     subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),

  384.     subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),

  385.     mqtt_pass             => hiera('mqtt_service_user_password'),

  386.     mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),

  387.   }

  388. }

  389. 

  390. # Node-OS: xenial

  391. node /^elasticsearch\d+\.open.*\.org$/ {

  392.   $group = "elasticsearch"

  393.   class { 'openstack_project::server': }

  394.   class { 'openstack_project::elasticsearch_node':

  395.     discover_nodes => $elasticsearch_nodes,

  396.   }

  397. }

  398. 

  399. # Node-OS: xenial

  400. node /^firehose\d+\.open.*\.org$/ {

  401.   class { 'openstack_project::server': }

  402.   class { 'openstack_project::firehose':

  403.     gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),

  404.     gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),

  405.     gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),

  406.     mqtt_password       => hiera('mqtt_service_user_password'),

  407.     ca_file             => hiera('mosquitto_tls_ca_file'),

  408.     cert_file           => hiera('mosquitto_tls_server_cert_file'),

  409.     key_file            => hiera('mosquitto_tls_server_key_file'),

  410.     imap_hostname       => hiera('lpmqtt_imap_server'),

  411.     imap_username       => hiera('lpmqtt_imap_username'),

  412.     imap_password       => hiera('lpmqtt_imap_password'),

  413.     statsd_host         => 'graphite.opendev.org',

  414.   }

  415. }

  416. 

  417. # A machine to drive AFS mirror updates.

  418. # Node-OS: xenial

  419. node /^mirror-update\d*\.open.*\.org$/ {

  420.   $group = "afsadmin"

  421. 

  422.   class { 'openstack_project::mirror_update':

  423.     admin_keytab          => hiera('afsadmin_keytab'),

  424.     fedora_keytab         => hiera('fedora_keytab'),

  425.     opensuse_keytab       => hiera('opensuse_keytab'),

  426.     reprepro_keytab       => hiera('reprepro_keytab'),

  427.     gem_keytab            => hiera('gem_keytab'),

  428.     centos_keytab         => hiera('centos_keytab'),

  429.     epel_keytab           => hiera('epel_keytab'),

  430.     yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),

  431.   }

  432. }

  433. 

  434. # Machines in each region to serve AFS mirrors.

  435. # Node-OS: xenial

  436. node /^mirror\d*\..*\.open.*\.org$/ {

  437.   $group = "mirror"

  438. 

  439.   class { 'openstack_project::server':

  440.     afs                       => true,

  441.     afs_cache_size            => 50000000,  # 50GB

  442.   }

  443. 

  444.   class { 'openstack_project::mirror':

  445.     vhost_name => $::fqdn,

  446.     require    => Class['Openstack_project::Server'],

  447.   }

  448. }

  449. 

  450. # Serve static AFS content for docs and other sites.

  451. # Node-OS: xenial

  452. node /^files\d*\.open.*\.org$/ {

  453.   $group = "files"

  454.   class { 'openstack_project::server':

  455.     afs                       => true,

  456.     afs_cache_size            => 10000000,  # 10GB

  457.   }

  458. 

  459.   class { 'openstack_project::files':

  460.     vhost_name                        => 'files.openstack.org',

  461.     developer_cert_file_contents      => hiera('developer_cert_file_contents'),

  462.     developer_key_file_contents       => hiera('developer_key_file_contents'),

  463.     developer_chain_file_contents     => hiera('developer_chain_file_contents'),

  464.     docs_cert_file_contents           => hiera('docs_cert_file_contents'),

  465.     docs_key_file_contents            => hiera('docs_key_file_contents'),

  466.     docs_chain_file_contents          => hiera('docs_chain_file_contents'),

  467.     git_airship_cert_file_contents    => hiera('git_airship_cert_file_contents'),

  468.     git_airship_key_file_contents     => hiera('git_airship_key_file_contents'),

  469.     git_airship_chain_file_contents   => hiera('git_airship_chain_file_contents'),

  470.     git_openstack_cert_file_contents  => hiera('git_openstack_cert_file_contents'),

  471.     git_openstack_key_file_contents   => hiera('git_openstack_key_file_contents'),

  472.     git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),

  473.     git_starlingx_cert_file_contents  => hiera('git_starlingx_cert_file_contents'),

  474.     git_starlingx_key_file_contents   => hiera('git_starlingx_key_file_contents'),

  475.     git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),

  476.     git_zuul_cert_file_contents       => hiera('git_zuul_cert_file_contents'),

  477.     git_zuul_key_file_contents        => hiera('git_zuul_key_file_contents'),

  478.     git_zuul_chain_file_contents      => hiera('git_zuul_chain_file_contents'),

  479.     require                           => Class['Openstack_project::Server'],

  480.   }

  481. 

  482.   # Temporary for evaluating htaccess rules

  483.   ::httpd::vhost { "git-test.openstack.org":

  484.     port          => 80, # Is required despite not being used.

  485.     docroot       => "/afs/openstack.org/project/git-test/www",

  486.     priority      => '50',

  487.     template      => 'openstack_project/git-test.vhost.erb',

  488.   }

  489. 

  490.   openstack_project::website { 'docs.starlingx.io':

  491.     volume_name      => 'starlingx.io',

  492.     aliases          => [],

  493.     ssl_cert         => hiera('docs_starlingx_io_ssl_cert'),

  494.     ssl_key          => hiera('docs_starlingx_io_ssl_key'),

  495.     ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),

  496.     require          => Class['openstack_project::files'],

  497.   }

  498. 

  499.   openstack_project::website { 'docs.opendev.org':

  500.     aliases          => [],

  501.     docroot	     => "/afs/openstack.org/project/opendev.org/docs",

  502.     ssl_cert         => hiera('docs_opendev_ssl_cert'),

  503.     ssl_key          => hiera('docs_opendev_ssl_key'),

  504.     ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),

  505.     require          => Class['openstack_project::files'],

  506.   }

  507. 

  508.   openstack_project::website { 'zuul-ci.org':

  509.     aliases          => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],

  510.     ssl_cert         => hiera('zuul-ci_org_ssl_cert'),

  511.     ssl_key          => hiera('zuul-ci_org_ssl_key'),

  512.     ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),

  513.     require          => Class['openstack_project::files'],

  514.   }

  515. 

  516. }

  517. 

  518. # Node-OS: trusty

  519. # Node-OS: xenial

  520. node /^refstack\d*\.open.*\.org$/ {

  521.   class { 'openstack_project::server': }

  522.   class { 'refstack':

  523.     mysql_host          => hiera('refstack_mysql_host', 'localhost'),

  524.     mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),

  525.     mysql_user          => hiera('refstack_mysql_user', 'refstack'),

  526.     mysql_user_password => hiera('refstack_mysql_password'),

  527.     ssl_cert_content    => hiera('refstack_ssl_cert_file_contents'),

  528.     ssl_cert            => '/etc/ssl/certs/refstack.pem',

  529.     ssl_key_content     => hiera('refstack_ssl_key_file_contents'),

  530.     ssl_key             => '/etc/ssl/private/refstack.key',

  531.     ssl_ca_content      => hiera('refstack_ssl_chain_file_contents'),

  532.     ssl_ca              => '/etc/ssl/certs/refstack.ca.pem',

  533.     protocol            => 'https',

  534.   }

  535.   mysql_backup::backup_remote { 'refstack':

  536.     database_host     => hiera('refstack_mysql_host', 'localhost'),

  537.     database_user     => hiera('refstack_mysql_user', 'refstack'),

  538.     database_password => hiera('refstack_mysql_password'),

  539.     require           => Class['::refstack'],

  540.   }

  541. }

  542. 

  543. # A machine to run Storyboard

  544. # Node-OS: xenial

  545. node /^storyboard\d+\.opendev\.org$/ {

  546.   $group = "storyboard"

  547.   class { 'openstack_project::storyboard':

  548.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  549.     mysql_host              => hiera('storyboard_db_host', 'localhost'),

  550.     mysql_user              => hiera('storyboard_db_user', 'username'),

  551.     mysql_password          => hiera('storyboard_db_password'),

  552.     rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),

  553.     rabbitmq_password       => hiera('storyboard_rabbit_password'),

  554.     ssl_cert                => '/etc/ssl/certs/storyboard.openstack.org.pem',

  555.     ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),

  556.     ssl_key                 => '/etc/ssl/private/storyboard.openstack.org.key',

  557.     ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),

  558.     ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),

  559.     hostname                => 'storyboard.openstack.org',

  560.     valid_oauth_clients     => [

  561.       'storyboard.openstack.org',

  562.       'logs.openstack.org',

  563.     ],

  564.     cors_allowed_origins     => [

  565.       'https://storyboard.openstack.org',

  566.       'http://logs.openstack.org',

  567.     ],

  568.     sender_email_address => 'storyboard@storyboard.openstack.org',

  569.     default_url          => 'https://storyboard.openstack.org',

  570.   }

  571. }

  572. 

  573. # A machine to run Storyboard devel

  574. # Node-OS: xenial

  575. node /^storyboard-dev\d+\.opendev\.org$/ {

  576.   $group = "storyboard-dev"

  577.   class { 'openstack_project::storyboard::dev':

  578.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  579.     mysql_host              => hiera('storyboard_db_host', 'localhost'),

  580.     mysql_user              => hiera('storyboard_db_user', 'username'),

  581.     mysql_password          => hiera('storyboard_db_password'),

  582.     rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),

  583.     rabbitmq_password       => hiera('storyboard_rabbit_password'),

  584.     hostname                => 'storyboard-dev.openstack.org',

  585.     valid_oauth_clients     => [

  586.       'storyboard-dev.openstack.org',

  587.       'logs.openstack.org',

  588.     ],

  589.     cors_allowed_origins     => [

  590.       'https://storyboard-dev.openstack.org',

  591.       'http://logs.openstack.org',

  592.     ],

  593.     sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',

  594.     default_url          => 'https://storyboard-dev.openstack.org',

  595.   }

  596. 

  597. }

  598. 

  599. # A machine to serve static content.

  600. # Node-OS: trusty

  601. # Node-OS: xenial

  602. node /^static\d*\.open.*\.org$/ {

  603.   class { 'openstack_project::server': }

  604.   class { 'openstack_project::static':

  605.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  606.     swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',

  607.     swift_user              => 'infra-files-ro',

  608.     swift_key               => hiera('infra_files_ro_password'),

  609.     swift_tenant_name       => hiera('infra_files_tenant_name', 'tenantname'),

  610.     swift_region_name       => 'DFW',

  611.     swift_default_container => 'infra-files',

  612.     ssl_cert_file_contents  => hiera('static_ssl_cert_file_contents'),

  613.     ssl_key_file_contents   => hiera('static_ssl_key_file_contents'),

  614.     ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),

  615.   }

  616. }

  617. 

  618. # Node-OS: xenial

  619. node /^zk\d+\.open.*\.org$/ {

  620.   # We use IP addresses here so that zk listens on the public facing addresses

  621.   # allowing cluster members to talk to each other. Without this they listen

  622.   # on 127.0.1.1 because that is what we have in /etc/hosts for

  623.   # zk0X.openstack.org.

  624.   $zk_cluster_members = [

  625.     '23.253.236.126', # zk01

  626.     '172.99.117.32',  # zk02

  627.     '23.253.90.246',  # zk03

  628.   ]

  629.   class { 'openstack_project::server': }

  630. 

  631.   class { '::zookeeper':

  632.     # ID needs to be numeric, so we use regex to extra numbers from fqdn.

  633.     id             => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),

  634.     # The frequency in hours to look for and purge old snapshots,

  635.     # defaults to 0 (disabled). The number of retained snapshots can

  636.     # be separately controlled through snap_retain_count and

  637.     # defaults to the minimum value of 3. This will quickly fill the

  638.     # disk in production if not enabled. Works on ZK >=3.4.

  639.     purge_interval => 6,

  640.     servers        => $zk_cluster_members,

  641.   }

  642. }

  643. 

  644. # A machine to serve various project status updates.

  645. # Node-OS: trusty

  646. # Node-OS: xenial

  647. node /^status\d*\.open.*\.org$/ {

  648.   $group = 'status'

  649. 

  650.   class { 'openstack_project::server': }

  651. 

  652.   class { 'openstack_project::status':

  653.     gerrit_host                   => 'review.opendev.org',

  654.     gerrit_ssh_host_key           => hiera('gerrit_ssh_rsa_pubkey_contents'),

  655.     reviewday_ssh_public_key      => hiera('reviewday_rsa_pubkey_contents'),

  656.     reviewday_ssh_private_key     => hiera('reviewday_rsa_key_contents'),

  657.     recheck_ssh_public_key        => hiera('elastic-recheck_gerrit_ssh_public_key'),

  658.     recheck_ssh_private_key       => hiera('elastic-recheck_gerrit_ssh_private_key'),

  659.     recheck_bot_nick              => 'openstackrecheck',

  660.     recheck_bot_passwd            => hiera('elastic-recheck_ircbot_password'),

  661.   }

  662. }

  663. 

  664. # Node-OS: xenial

  665. node /^survey\d+\.open.*\.org$/ {

  666.   $group = "survey"

  667.   class { 'openstack_project::server': }

  668. 

  669.   class { 'openstack_project::survey':

  670.     vhost_name              => 'survey.openstack.org',

  671.     auth_openid             => true,

  672.     ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),

  673.     ssl_key_file_contents   => hiera('ssl_key_file_contents'),

  674.     ssl_chain_file_contents => hiera('ssl_chain_file_contents'),

  675.     dbpassword              => hiera('dbpassword'),

  676.     dbhost                  => hiera('dbhost'),

  677.     adminuser               => hiera('adminuser'),

  678.     adminpass               => hiera('adminpass'),

  679.     adminmail               => hiera('adminmail'),

  680.   }

  681. }

  682. 

  683. # Node-OS: xenial

  684. node /^nl\d+\.open.*\.org$/ {

  685.   $group = 'nodepool'

  686. 

  687.   # NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)

  688.   # the cloud credentials are deployed with ansible via the

  689.   # configure-openstacksdk role and are no longer configured here

  690. 

  691.   class { 'openstack_project::server': }

  692. 

  693.   include openstack_project

  694. 

  695.   class { '::openstackci::nodepool_launcher':

  696.     nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),

  697.     project_config_repo      => 'https://opendev.org/openstack/project-config',

  698.     statsd_host              => 'graphite.opendev.org',

  699.     revision                 => 'master',

  700.     python_version           => 3,

  701.     enable_webapp            => true,

  702.   }

  703. }

  704. 

  705. # Node-OS: xenial

  706. node /^nb\d+\.open.*\.org$/ {

  707.   $group = 'nodepool'

  708. 

  709.   class { 'openstack_project::server': }

  710. 

  711.   include openstack_project

  712. 

  713.   class { '::openstackci::nodepool_builder':

  714.     nodepool_ssh_public_key       => hiera('zuul_worker_ssh_public_key_contents'),

  715.     vhost_name                    => $::fqdn,

  716.     enable_build_log_via_http     => true,

  717.     project_config_repo           => 'https://opendev.org/openstack/project-config',

  718.     statsd_host                   => 'graphite.opendev.org',

  719.     upload_workers                => '16',

  720.     revision                      => 'master',

  721.     python_version                => 3,

  722.     zuulv3                        => true,

  723.     ssl_cert_file                 => '/etc/ssl/certs/ssl-cert-snakeoil.pem',

  724.     ssl_key_file                  => '/etc/ssl/private/ssl-cert-snakeoil.key',

  725.   }

  726. 

  727.   cron { 'mirror_gitgc':

  728.     user        => 'nodepool',

  729.     hour        => '20',

  730.     minute      => '0',

  731.     command     => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',

  732.     environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',

  733.     require     => Class['::openstackci::nodepool_builder'],

  734.   }

  735. }

  736. 

  737. # Node-OS: xenial

  738. node /^ze\d+\.open.*\.org$/ {

  739.   $group = "zuul-executor"

  740. 

  741.   $gerrit_server           = 'review.opendev.org'

  742.   $gerrit_user             = 'zuul'

  743.   $gerrit_ssh_host_key     = hiera('gerrit_ssh_rsa_pubkey_contents')

  744.   $gerrit_ssh_private_key  = hiera('gerrit_ssh_private_key_contents')

  745.   $zuul_ssh_private_key    = hiera('zuul_ssh_private_key_contents')

  746.   $zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')

  747.   $git_email               = 'zuul@openstack.org'

  748.   $git_name                = 'OpenStack Zuul'

  749.   $revision                = 'master'

  750. 

  751.   class { 'openstack_project::server':

  752.     afs                       => true,

  753.   }

  754. 

  755.   class { '::project_config':

  756.     url => 'https://opendev.org/openstack/project-config',

  757.   }

  758. 

  759.   # We use later HWE kernels for better memory managment, requiring an

  760.   # updated AFS version which we install from our custom ppa.

  761.   include ::apt

  762.   apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }

  763.   package { 'linux-generic-hwe-16.04':

  764.     ensure  => present,

  765.     require => [

  766.       Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],

  767.       Class['apt::update'],

  768.     ],

  769.   }

  770. 

  771.   # Skopeo is required for pushing/pulling from the intermediate

  772.   # registry, and is available in the projectatomic ppa.

  773. 

  774.   apt::ppa { 'ppa:projectatomic/ppa': }

  775.   package { 'skopeo':

  776.     # Pin skopeo back to 0.1.36-1~dev~ubuntu16.04.2~ppa14 which is before

  777.     # the code that changed the required capabilities, breaking the use of

  778.     # skopeo from inside of bubblewrap.

  779.     ensure  => '0.1.36-1~dev~ubuntu16.04.2~ppa14',

  780.     require => [

  781.       Apt::Ppa['ppa:projectatomic/ppa'],

  782.       Class['apt::update'],

  783.     ],

  784.   }

  785. 

  786.   # Socat is also required for pushing/pulling images

  787.   package { 'socat':

  788.     ensure  => present,

  789.     require => [

  790.       Class['apt::update'],

  791.     ],

  792.   }

  793. 

  794.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  795.   # settings.

  796.   class { '::zuul':

  797.     gearman_server           => 'zuul01.openstack.org',

  798.     gerrit_server            => $gerrit_server,

  799.     gerrit_user              => $gerrit_user,

  800.     zuul_ssh_private_key     => $gerrit_ssh_private_key,

  801.     git_email                => $git_email,

  802.     git_name                 => $git_name,

  803.     worker_private_key_file  => '/var/lib/zuul/ssh/nodepool_id_rsa',

  804.     revision                 => $revision,

  805.     python_version           => 3,

  806.     zookeeper_hosts          => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  807.     zuulv3                   => true,

  808.     connections              => hiera('zuul_connections', []),

  809.     gearman_client_ssl_cert  => hiera('gearman_client_ssl_cert'),

  810.     gearman_client_ssl_key   => hiera('gearman_client_ssl_key'),

  811.     gearman_ssl_ca           => hiera('gearman_ssl_ca'),

  812.     #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs

  813.     # properly. We need to revisting this post Queens PTG.

  814.     trusted_ro_paths         => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],

  815.     trusted_rw_paths         => ['/afs'],

  816.     untrusted_ro_paths       => ['/etc/ssl/certs'],

  817.     disk_limit_per_job       => 5000,  # Megabytes

  818.     site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,

  819.     require                  => $::project_config::config_dir,

  820.     statsd_host              => 'graphite.opendev.org',

  821.   }

  822. 

  823.   class { '::zuul::executor': }

  824. 

  825.   # This is used by the log job submission playbook which runs under

  826.   # python2

  827.   package { 'gear':

  828.     ensure   => latest,

  829.     provider => openstack_pip,

  830.     require  => Class['pip'],

  831.   }

  832. 

  833.   file { '/var/lib/zuul/ssh/nodepool_id_rsa':

  834.     owner   => 'zuul',

  835.     group   => 'zuul',

  836.     mode    => '0400',

  837.     require => File['/var/lib/zuul/ssh'],

  838.     content => $zuul_ssh_private_key,

  839.   }

  840. 

  841.   file { '/var/lib/zuul/ssh/static_id_rsa':

  842.     owner   => 'zuul',

  843.     group   => 'zuul',

  844.     mode    => '0400',

  845.     require => File['/var/lib/zuul/ssh'],

  846.     content => $zuul_static_private_key,

  847.   }

  848. 

  849.   class { '::zuul::known_hosts':

  850.     known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",

  851.   }

  852. }

  853. 

  854. # Node-OS: xenial

  855. node /^zuul\d+\.open.*\.org$/ {

  856.   $group = "zuul-scheduler"

  857.   $gerrit_server        = 'review.opendev.org'

  858.   $gerrit_user          = 'zuul'

  859.   $gerrit_ssh_host_key  = hiera('gerrit_zuul_user_ssh_key_contents')

  860.   $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')

  861.   $zuul_url             = "http://zuul.openstack.org/p"

  862.   $git_email            = 'zuul@openstack.org'

  863.   $git_name             = 'OpenStack Zuul'

  864.   $revision             = 'master'

  865. 

  866.   class { 'openstack_project::server': }

  867. 

  868.   class { '::project_config':

  869.     url => 'https://opendev.org/openstack/project-config',

  870.   }

  871. 

  872.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  873.   # settings.

  874.   class { '::zuul':

  875.     gerrit_server                 => $gerrit_server,

  876.     gerrit_user                   => $gerrit_user,

  877.     zuul_ssh_private_key          => $zuul_ssh_private_key,

  878.     git_email                     => $git_email,

  879.     git_name                      => $git_name,

  880.     revision                      => $revision,

  881.     python_version                => 3,

  882.     zookeeper_hosts               => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  883.     zookeeper_session_timeout     => 40,

  884.     zuulv3                        => true,

  885.     connections                   => hiera('zuul_connections', []),

  886.     connection_secrets            => hiera('zuul_connection_secrets', []),

  887.     vhost_name                    => 'zuul.openstack.org',

  888.     zuul_status_url               => 'http://127.0.0.1:8001/openstack',

  889.     zuul_web_url                  => 'http://127.0.0.1:9000',

  890.     zuul_tenant_name              => 'openstack',

  891.     gearman_client_ssl_cert       => hiera('gearman_client_ssl_cert'),

  892.     gearman_client_ssl_key        => hiera('gearman_client_ssl_key'),

  893.     gearman_server_ssl_cert       => hiera('gearman_server_ssl_cert'),

  894.     gearman_server_ssl_key        => hiera('gearman_server_ssl_key'),

  895.     gearman_ssl_ca                => hiera('gearman_ssl_ca'),

  896.     proxy_ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),

  897.     proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),

  898.     proxy_ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),

  899.     statsd_host                   => 'graphite.opendev.org',

  900.     status_url                    => 'https://zuul.openstack.org',

  901.     relative_priority             => true,

  902.   }

  903. 

  904.   file { "/etc/zuul/github.key":

  905.     ensure  => present,

  906.     owner   => 'zuul',

  907.     group   => 'zuul',

  908.     mode    => '0600',

  909.     content => hiera('zuul_github_app_key'),

  910.     require => File['/etc/zuul'],

  911.   }

  912. 

  913.   class { '::zuul::scheduler':

  914.     layout_dir     => $::project_config::zuul_layout_dir,

  915.     require        => $::project_config::config_dir,

  916.     python_version => 3,

  917.     use_mysql      => true,

  918.   }

  919. 

  920.   class { '::zuul::web':

  921.     # We manage backups below

  922.     enable_status_backups => false,

  923.     vhosts => {

  924.       'zuul.openstack.org' => {

  925.         port       => 443,

  926.         docroot    => '/opt/zuul-web/content',

  927.         priority   => '50',

  928.         ssl        => true,

  929.         template   => 'zuul/zuulv3.vhost.erb',

  930.         vhost_name => 'zuul.openstack.org',

  931.       },

  932.       'zuul.opendev.org' => {

  933.         port       => 443,

  934.         docroot    => '/opt/zuul-web/content',

  935.         priority   => '40',

  936.         ssl        => true,

  937.         template   => 'zuul/zuulv3.vhost.erb',

  938.         vhost_name => 'zuul.opendev.org',

  939.       },

  940.       'zuul.openstack.org-http' => {

  941.         port       => 80,

  942.         docroot    => '/opt/zuul-web/content',

  943.         priority   => '50',

  944.         ssl        => false,

  945.         template   => 'zuul/zuulv3.vhost.erb',

  946.         vhost_name => 'zuul.openstack.org',

  947.       },

  948.       'zuul.opendev.org-http' => {

  949.         port       => 80,

  950.         docroot    => '/opt/zuul-web/content',

  951.         priority   => '40',

  952.         ssl        => false,

  953.         template   => 'zuul/zuulv3.vhost.erb',

  954.         vhost_name => 'zuul.opendev.org',

  955.       },

  956.     },

  957.     vhosts_flags => {

  958.       'zuul.openstack.org' => {

  959.         tenant_name => 'openstack',

  960.         ssl         => true,

  961.       },

  962.       'zuul.opendev.org' => {

  963.         tenant_name => '',

  964.         ssl         => true,

  965.       },

  966.       'zuul.openstack.org-http' => {

  967.         tenant_name => 'openstack',

  968.         ssl         => false,

  969.       },

  970.       'zuul.opendev.org-http' => {

  971.         tenant_name => '',

  972.         ssl         => false,

  973.       },

  974.     },

  975.     vhosts_ssl => {

  976.       'zuul.openstack.org' => {

  977.         ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),

  978.         ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),

  979.         ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),

  980.       },

  981.       'zuul.opendev.org' => {

  982.         ssl_cert_file_contents  => hiera('opendev_zuul_ssl_cert_file_contents'),

  983.         ssl_chain_file_contents => hiera('opendev_zuul_ssl_chain_file_contents'),

  984.         ssl_key_file_contents   => hiera('opendev_zuul_ssl_key_file_contents'),

  985.       },

  986.     },

  987.   }

  988. 

  989.   zuul::status_backups { 'openstack-zuul-tenant':

  990.     tenant_name => 'openstack',

  991.     ssl         => true,

  992.     status_uri  => 'https://zuul.opendev.org/api/tenant/openstack/status',

  993.   }

  994. 

  995.   zuul::status_backups { 'kata-zuul-tenant':

  996.     tenant_name => 'kata-containers',

  997.     ssl         => true,

  998.     status_uri  => 'https://zuul.opendev.org/api/tenant/kata-containers/status',

  999.   }

  1000. 

  1001.   class { '::zuul::fingergw': }

  1002. 

  1003.   class { '::zuul::known_hosts':

  1004.     known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",

  1005.   }

  1006. 

  1007.   include bup

  1008.   bup::site { 'rax.ord':

  1009.     backup_user   => 'bup-zuulv3',

  1010.     backup_server => 'backup01.ord.rax.ci.openstack.org',

  1011.   }

  1012. 

  1013. }

  1014. 

  1015. # Node-OS: xenial

  1016. node /^zm\d+.open.*\.org$/ {

  1017.   $group = "zuul-merger"

  1018. 

  1019.   $gerrit_server        = 'review.opendev.org'

  1020.   $gerrit_user          = 'zuul'

  1021.   $gerrit_ssh_host_key  = hiera('gerrit_ssh_rsa_pubkey_contents')

  1022.   $zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')

  1023.   $zuul_url             = "http://${::fqdn}/p"

  1024.   $git_email            = 'zuul@openstack.org'

  1025.   $git_name             = 'OpenStack Zuul'

  1026.   $revision             = 'master'

  1027. 

  1028.   class { 'openstack_project::server': }

  1029. 

  1030.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  1031.   # settings.

  1032.   class { '::zuul':

  1033.     gearman_server          => 'zuul01.openstack.org',

  1034.     gerrit_server           => $gerrit_server,

  1035.     gerrit_user             => $gerrit_user,

  1036.     zuul_ssh_private_key    => $zuul_ssh_private_key,

  1037.     git_email               => $git_email,

  1038.     git_name                => $git_name,

  1039.     revision                => $revision,

  1040.     python_version          => 3,

  1041.     zookeeper_hosts         => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  1042.     zuulv3                  => true,

  1043.     connections             => hiera('zuul_connections', []),

  1044.     gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),

  1045.     gearman_client_ssl_key  => hiera('gearman_client_ssl_key'),

  1046.     gearman_ssl_ca          => hiera('gearman_ssl_ca'),

  1047.     statsd_host             => 'graphite.opendev.org',

  1048.   }

  1049. 

  1050.   class { 'openstack_project::zuul_merger':

  1051.     gerrit_server        => $gerrit_server,

  1052.     gerrit_user          => $gerrit_user,

  1053.     gerrit_ssh_host_key  => $gerrit_ssh_host_key,

  1054.     zuul_ssh_private_key => $zuul_ssh_private_key,

  1055.     manage_common_zuul   => false,

  1056.   }

  1057. }

  1058. 

  1059. # Node-OS: xenial

  1060. node /^pbx\d*\.open.*\.org$/ {

  1061.   $group = "pbx"

  1062.   class { 'openstack_project::server': }

  1063.   class { 'openstack_project::pbx':

  1064.     sip_providers => [

  1065.       {

  1066.         provider => 'voipms',

  1067.         hostname => 'dallas.voip.ms',

  1068.         username => hiera('voipms_username', 'username'),

  1069.         password => hiera('voipms_password'),

  1070.         outgoing => false,

  1071.       },

  1072.     ],

  1073.   }

  1074. }

  1075. 

  1076. # Node-OS: xenial

  1077. # A backup machine.  Don't run cron or puppet agent on it.

  1078. node /^backup\d+\..*\.ci\.open.*\.org$/ {

  1079.   $group = "ci-backup"

  1080.   class { 'openstack_project::server': }

  1081.   include openstack_project::backup_server

  1082. }

  1083. 

  1084. # Node-OS: xenial

  1085. node /^openstackid\d*(\.openstack)?\.org$/ {

  1086.   $group = "openstackid"

  1087.   class { 'openstack_project::openstackid_prod':

  1088.     site_admin_password                 => hiera('openstackid_site_admin_password'),

  1089.     id_mysql_host                       => hiera('openstackid_id_mysql_host', 'localhost'),

  1090.     id_mysql_password                   => hiera('openstackid_id_mysql_password'),

  1091.     id_mysql_user                       => hiera('openstackid_id_mysql_user', 'username'),

  1092.     id_db_name                          => hiera('openstackid_id_db_name'),

  1093.     ss_mysql_host                       => hiera('openstackid_ss_mysql_host', 'localhost'),

  1094.     ss_mysql_password                   => hiera('openstackid_ss_mysql_password'),

  1095.     ss_mysql_user                       => hiera('openstackid_ss_mysql_user', 'username'),

  1096.     ss_db_name                          => hiera('openstackid_ss_db_name', 'username'),

  1097.     redis_password                      => hiera('openstackid_redis_password'),

  1098.     ssl_cert_file_contents              => hiera('openstackid_ssl_cert_file_contents'),

  1099.     ssl_key_file_contents               => hiera('openstackid_ssl_key_file_contents'),

  1100.     ssl_chain_file_contents             => hiera('openstackid_ssl_chain_file_contents'),

  1101.     id_recaptcha_public_key             => hiera('openstackid_recaptcha_public_key'),

  1102.     id_recaptcha_private_key            => hiera('openstackid_recaptcha_private_key'),

  1103.     vhost_name                          => 'openstackid.org',

  1104.     session_cookie_domain               => 'openstackid.org',

  1105.     serveradmin                         => 'webmaster@openstackid.org',

  1106.     canonicalweburl                     => 'https://openstackid.org/',

  1107.     app_url                             => 'https://openstackid.org',

  1108.     app_key                             => hiera('openstackid_app_key'),

  1109.     id_log_error_to_email               => 'openstack@tipit.net',

  1110.     id_log_error_from_email             => 'noreply@openstack.org',

  1111.     email_driver                        => 'sendgrid',

  1112.     email_send_grid_api_key             => hiera('openstackid_send_grid_api_key'),

  1113.     php_version                         => 7,

  1114.     mysql_ssl_enabled                   => true,

  1115.     mysql_ssl_ca_file_contents          => hiera('openstackid_mysql_ssl_ca_file_contents'),

  1116.     mysql_ssl_client_key_file_contents  => hiera('openstackid_mysql_ssl_client_key_file_contents'),

  1117.     mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),

  1118.     lost_password_url                   => 'https://openstackid.org/lost-password',

  1119.     registration_url                    => 'https://openstackid.org/registration',

  1120.     registration_mobile_url             => 'https://openstackid.org/registration-mobile',

  1121.     resend_verification_url             => 'https://openstackid.org/resend-verification',

  1122.   }

  1123. }

  1124. 

  1125. # Node-OS: xenial

  1126. node /^openstackid-dev\d*\.openstack\.org$/ {

  1127.   $group = "openstackid-dev"

  1128.   class { 'openstack_project::openstackid_dev':

  1129.     site_admin_password                 => hiera('openstackid_dev_site_admin_password'),

  1130.     id_mysql_host                       => hiera('openstackid_dev_id_mysql_host', 'localhost'),

  1131.     id_mysql_password                   => hiera('openstackid_dev_id_mysql_password'),

  1132.     id_mysql_user                       => hiera('openstackid_dev_id_mysql_user', 'username'),

  1133.     ss_mysql_host                       => hiera('openstackid_dev_ss_mysql_host', 'localhost'),

  1134.     ss_mysql_password                   => hiera('openstackid_dev_ss_mysql_password'),

  1135.     ss_mysql_user                       => hiera('openstackid_dev_ss_mysql_user', 'username'),

  1136.     ss_db_name                          => hiera('openstackid_dev_ss_db_name', 'username'),

  1137.     redis_password                      => hiera('openstackid_dev_redis_password'),

  1138.     ssl_cert_file_contents              => hiera('openstackid_dev_ssl_cert_file_contents'),

  1139.     ssl_key_file_contents               => hiera('openstackid_dev_ssl_key_file_contents'),

  1140.     ssl_chain_file_contents             => hiera('openstackid_dev_ssl_chain_file_contents'),

  1141.     id_recaptcha_public_key             => hiera('openstackid_dev_recaptcha_public_key'),

  1142.     id_recaptcha_private_key            => hiera('openstackid_dev_recaptcha_private_key'),

  1143.     vhost_name                          => 'openstackid-dev.openstack.org',

  1144.     session_cookie_domain               => 'openstackid-dev.openstack.org',

  1145.     serveradmin                         => 'webmaster@openstackid-dev.openstack.org',

  1146.     canonicalweburl                     => 'https://openstackid-dev.openstack.org/',

  1147.     app_url                             => 'https://openstackid-dev.openstack.org',

  1148.     app_key                             => hiera('openstackid_dev_app_key'),

  1149.     id_log_error_to_email               => 'openstack@tipit.net',

  1150.     id_log_error_from_email             => 'noreply@openstack.org',

  1151.     email_driver                        => 'sendgrid',

  1152.     email_send_grid_api_key             => hiera('openstackid_dev_send_grid_api_key'),

  1153.     php_version                         => 7,

  1154.     mysql_ssl_enabled                   => true,

  1155.     mysql_ssl_ca_file_contents          => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),

  1156.     mysql_ssl_client_key_file_contents  => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),

  1157.     mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),

  1158.     lost_password_url                   => 'https://openstackid-dev.openstack.org/lost-password',

  1159.     registration_url                    => 'https://openstackid-dev.openstack.org/registration',

  1160.     registration_mobile_url             => 'https://openstackid-dev.openstack.org/registration-mobile',

  1161.     resend_verification_url             => 'https://openstackid-dev.openstack.org/resend-verification',

  1162.   }

  1163. }

  1164. 

  1165. # Node-OS: trusty

  1166. # Used for testing all-in-one deployments

  1167. node 'single-node-ci.test.only' {

  1168.   include ::openstackci::single_node_ci

  1169. }

  1170. 

  1171. # Node-OS: xenial

  1172. node /^kdc03\.open.*\.org$/ {

  1173.   class { 'openstack_project::server': }

  1174. 

  1175.   class { 'openstack_project::kdc': }

  1176. }

  1177. 

  1178. # Node-OS: xenial

  1179. node /^kdc04\.open.*\.org$/ {

  1180.   class { 'openstack_project::server': }

  1181. 

  1182.   class { 'openstack_project::kdc':

  1183.     slave => true,

  1184.   }

  1185. }

  1186. 

  1187. # Node-OS: xenial

  1188. node /^afsdb01\.open.*\.org$/ {

  1189.   $group = "afsdb"

  1190. 

  1191.   class { 'openstack_project::server':

  1192.     afs                       => true,

  1193.   }

  1194. 

  1195.   include openstack_project::afsdb

  1196.   include openstack_project::afsrelease

  1197. }

  1198. 

  1199. # Node-OS: xenial

  1200. node /^afsdb.*\.open.*\.org$/ {

  1201.   $group = "afsdb"

  1202. 

  1203.   class { 'openstack_project::server':

  1204.     afs                       => true,

  1205.   }

  1206. 

  1207.   include openstack_project::afsdb

  1208. }

  1209. 

  1210. # Node-OS: xenial

  1211. node /^afs.*\..*\.open.*\.org$/ {

  1212.   $group = "afs"

  1213. 

  1214.   class { 'openstack_project::server':

  1215.     afs                       => true,

  1216.   }

  1217. 

  1218.   include openstack_project::afsfs

  1219. }

  1220. 

  1221. # Node-OS: trusty

  1222. node /^ask\d*\.open.*\.org$/ {

  1223. 

  1224.   class { 'openstack_project::server': }

  1225. 

  1226.   class { 'openstack_project::ask':

  1227.     db_user                      => hiera('ask_db_user', 'ask'),

  1228.     db_password                  => hiera('ask_db_password'),

  1229.     redis_password               => hiera('ask_redis_password'),

  1230.     site_ssl_cert_file_contents  => hiera('ask_site_ssl_cert_file_contents', undef),

  1231.     site_ssl_key_file_contents   => hiera('ask_site_ssl_key_file_contents', undef),

  1232.     site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),

  1233.   }

  1234. }

  1235. 

  1236. # Node-OS: trusty

  1237. node /^ask-staging\d*\.open.*\.org$/ {

  1238.   class { 'openstack_project::server': }

  1239. 

  1240.   class { 'openstack_project::ask_staging':

  1241.     db_password                  => hiera('ask_staging_db_password'),

  1242.     redis_password               => hiera('ask_staging_redis_password'),

  1243.   }

  1244. }

  1245. 

  1246. # Node-OS: xenial

  1247. node /^translate\d+\.open.*\.org$/ {

  1248.   $group = "translate"

  1249.   class { 'openstack_project::server': }

  1250.   class { 'openstack_project::translate':

  1251.     admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',

  1252.     openid_url                 => 'https://openstackid.org',

  1253.     listeners                  => ['ajp'],

  1254.     from_address               => 'noreply@openstack.org',

  1255.     mysql_host                 => hiera('translate_mysql_host', 'localhost'),

  1256.     mysql_password             => hiera('translate_mysql_password'),

  1257.     zanata_server_user         => hiera('proposal_zanata_user'),

  1258.     zanata_server_api_key      => hiera('proposal_zanata_api_key'),

  1259.     zanata_wildfly_version     => '10.1.0',

  1260.     zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',

  1261.     zanata_main_version        => 4,

  1262.     zanata_url                 => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',

  1263.     zanata_checksum            => 'eaf8bd07401dade758b677007d2358f173193d17',

  1264.     project_config_repo        => 'https://opendev.org/openstack/project-config',

  1265.     ssl_cert_file_contents     => hiera('translate_ssl_cert_file_contents'),

  1266.     ssl_key_file_contents      => hiera('translate_ssl_key_file_contents'),

  1267.     ssl_chain_file_contents    => hiera('translate_ssl_chain_file_contents'),

  1268.     vhost_name                 => 'translate.openstack.org',

  1269.   }

  1270. }

  1271. 

  1272. # Node-OS: xenial

  1273. node /^translate-dev\d*\.open.*\.org$/ {

  1274.   $group = "translate-dev"

  1275.   class { 'openstack_project::translate_dev':

  1276.     admin_users           => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',

  1277.     openid_url            => 'https://openstackid-dev.openstack.org',

  1278.     listeners             => ['ajp'],

  1279.     from_address          => 'noreply@openstack.org',

  1280.     mysql_host            => hiera('translate_dev_mysql_host', 'localhost'),

  1281.     mysql_password        => hiera('translate_dev_mysql_password'),

  1282.     zanata_server_user    => hiera('proposal_zanata_user'),

  1283.     zanata_server_api_key => hiera('proposal_zanata_api_key'),

  1284.     project_config_repo   => 'https://opendev.org/openstack/project-config',

  1285.     vhost_name            => 'translate-dev.openstack.org',

  1286.   }

  1287. }

  1288. 

  1289. 

  1290. # Node-OS: xenial

  1291. node /^codesearch\d*\.open.*\.org$/ {

  1292.   $group = "codesearch"

  1293.   class { 'openstack_project::server': }

  1294.   class { 'openstack_project::codesearch':

  1295.     project_config_repo => 'https://opendev.org/openstack/project-config',

  1296.   }

  1297. }

  1298. 

  1299. # vim:sw=2:ts=2:expandtab:textwidth=79