System configuration for OpenStack Infrastructure

site.pp 52KB

  #
  # Top-level variables
  #
  # Keep this comment and the assignments below contiguous: test.sh parses the
  # variables and passes them around, which only works when there is no
  # whitespace between this comment and the variables or between any two
  # variables.
  #
  # No hiera lookup is done here. $group is set per node and has to be set
  # before hiera lookups can work, so a lookup at this point would not find
  # any group-specific data.
  $elasticsearch_nodes = [
    "elasticsearch02.openstack.org",
    "elasticsearch03.openstack.org",
    "elasticsearch04.openstack.org",
    "elasticsearch05.openstack.org",
    "elasticsearch06.openstack.org",
    "elasticsearch07.openstack.org",
  ]
  #
  # Default: should at least behave like an openstack server
  #
  # Fallback definition: a node that matches no other node pattern receives
  # only the base openstack_project::server class and none of the
  # service-specific secrets declared further down.
  node default {
    class { 'openstack_project::server': }
  }
  #
  # Long lived servers:
  #
  # Review host (Gerrit, going by the gerrit_* hiera keys). Every credential
  # and key below is read from hiera; nothing secret is inlined. hiera() calls
  # without a second argument fail the catalog when the key is missing, while
  # the ones with a default ('username', 'localhost') fall back silently.
  # NOTE(review): `open.*` in the node pattern is loose. Besides openstack.org
  # and opendev.org it accepts any name of the form review<N>.open<anything>.org,
  # and every secret below is handed to whichever node presents such a name.
  # Confirm that node-name / certificate issuance is restricted accordingly.
  # Node-OS: xenial
  node /^review\d*\.open.*\.org$/ {
    $group = 'review'
    class { 'openstack_project::server': }
    class { 'openstack_project::review':
      project_config_repo                  => 'https://opendev.org/openstack/project-config',
      github_oauth_token                   => hiera('gerrit_github_token'),
      github_project_username              => hiera('github_project_username', 'username'),
      github_project_password              => hiera('github_project_password'),
      mysql_host                           => hiera('gerrit_mysql_host', 'localhost'),
      mysql_password                       => hiera('gerrit_mysql_password'),
      email_private_key                    => hiera('gerrit_email_private_key'),
      token_private_key                    => hiera('gerrit_rest_token_private_key'),
      gerritbot_password                   => hiera('gerrit_gerritbot_password'),
      gerritbot_ssh_rsa_key_contents       => hiera('gerritbot_ssh_rsa_key_contents'),
      gerritbot_ssh_rsa_pubkey_contents    => hiera('gerritbot_ssh_rsa_pubkey_contents'),
      ssl_cert_file_contents               => hiera('review_opendev_cert_file_contents'),
      ssl_key_file_contents                => hiera('review_opendev_key_file_contents'),
      ssl_chain_file_contents              => hiera('review_opendev_chain_file_contents'),
      # NOTE(review): a DSA host key is still provisioned. OpenSSH has disabled
      # ssh-dss by default since 7.0; confirm any client still needs it.
      ssh_dsa_key_contents                 => hiera('gerrit_ssh_dsa_key_contents'),
      ssh_dsa_pubkey_contents              => hiera('gerrit_ssh_dsa_pubkey_contents'),
      ssh_rsa_key_contents                 => hiera('gerrit_ssh_rsa_key_contents'),
      ssh_rsa_pubkey_contents              => hiera('gerrit_ssh_rsa_pubkey_contents'),
      ssh_project_rsa_key_contents         => hiera('gerrit_project_ssh_rsa_key_contents'),
      ssh_project_rsa_pubkey_contents      => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
      ssh_welcome_rsa_key_contents         => hiera('welcome_message_gerrit_ssh_private_key'),
      ssh_welcome_rsa_pubkey_contents      => hiera('welcome_message_gerrit_ssh_public_key'),
      ssh_replication_rsa_key_contents     => hiera('gerrit_replication_ssh_rsa_key_contents'),
      ssh_replication_rsa_pubkey_contents  => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
      lp_access_token                      => hiera('gerrit_lp_access_token'),
      lp_access_secret                     => hiera('gerrit_lp_access_secret'),
      lp_consumer_key                      => hiera('gerrit_lp_consumer_key'),
      swift_username                       => hiera('swift_store_user', 'username'),
      swift_password                       => hiera('swift_store_key'),
      storyboard_password                  => hiera('gerrit_storyboard_token'),
      # Compatibility layer vars for the old domain name below here. The old
      # domain's certificate material lives under the gerrit_ssl_* keys, the
      # current one under review_opendev_*.
      # TODO rename the hiera keys to reduce confusion
      review_openstack_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),
      review_openstack_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),
      review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
    }
  }
  # Development counterpart of the review host. It reads its own gerrit_dev_*
  # / github_dev_* hiera keys, so none of the production key names above are
  # referenced from this node.
  # Node-OS: xenial
  node /^review-dev\d*\.open.*\.org$/ {
    $group = 'review-dev'
    class { 'openstack_project::server':
      afs => true,
    }
    class { 'openstack_project::review_dev':
      project_config_repo                 => 'https://opendev.org/openstack/project-config',
      github_oauth_token                  => hiera('gerrit_dev_github_token'),
      github_project_username             => hiera('github_dev_project_username', 'username'),
      github_project_password             => hiera('github_dev_project_password'),
      mysql_host                          => hiera('gerrit_dev_mysql_host', 'localhost'),
      mysql_password                      => hiera('gerrit_dev_mysql_password'),
      email_private_key                   => hiera('gerrit_dev_email_private_key'),
      # NOTE(review): a DSA host key is provisioned here as well; confirm it is
      # still required.
      ssh_dsa_key_contents                => hiera('gerrit_dev_ssh_dsa_key_contents'),
      ssh_dsa_pubkey_contents             => hiera('gerrit_dev_ssh_dsa_pubkey_contents'),
      ssh_rsa_key_contents                => hiera('gerrit_dev_ssh_rsa_key_contents'),
      ssh_rsa_pubkey_contents             => hiera('gerrit_dev_ssh_rsa_pubkey_contents'),
      ssh_project_rsa_key_contents        => hiera('gerrit_dev_project_ssh_rsa_key_contents'),
      ssh_project_rsa_pubkey_contents     => hiera('gerrit_dev_project_ssh_rsa_pubkey_contents'),
      ssh_replication_rsa_key_contents    => hiera('gerrit_dev_replication_ssh_rsa_key_contents'),
      ssh_replication_rsa_pubkey_contents => hiera('gerrit_dev_replication_ssh_rsa_pubkey_contents'),
      lp_access_token                     => hiera('gerrit_dev_lp_access_token'),
      lp_access_secret                    => hiera('gerrit_dev_lp_access_secret'),
      lp_consumer_key                     => hiera('gerrit_dev_lp_consumer_key'),
      storyboard_password                 => hiera('gerrit_dev_storyboard_token'),
      storyboard_ssl_cert                 => hiera('gerrit_dev_storyboard_ssl_crt'),
    }
  }
  # Grafana host. The admin password, database password and secret_key have
  # no hiera default, so a missing key fails the catalog instead of deploying
  # a placeholder. The user names and the database host do fall back to
  # 'username' / 'localhost'.
  # Node-OS: xenial
  # Puppet-Version: !3
  node /^grafana\d*\.open.*\.org$/ {
    $group = 'grafana'
    class { 'openstack_project::server': }
    class { 'openstack_project::grafana':
      admin_password      => hiera('grafana_admin_password'),
      admin_user          => hiera('grafana_admin_user', 'username'),
      mysql_host          => hiera('grafana_mysql_host', 'localhost'),
      mysql_name          => hiera('grafana_mysql_name'),
      mysql_password      => hiera('grafana_mysql_password'),
      mysql_user          => hiera('grafana_mysql_user', 'username'),
      project_config_repo => 'https://opendev.org/openstack/project-config',
      secret_key          => hiera('grafana_secret_key'),
    }
  }
  # openstack-health API host. Only the subunit2sql database host is looked
  # up (default 'localhost'); no database password is passed from here.
  # Node-OS: xenial
  node /^health\d*\.openstack\.org$/ {
    $group = 'health'
    class { 'openstack_project::server': }
    class { 'openstack_project::openstack_health_api':
      subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
      hostname            => 'health.openstack.org',
    }
  }
  # Cacti host. cacti_hosts is collected with hiera_array, i.e. merged across
  # the hiera hierarchy rather than taken from the first match.
  # NOTE(review): openstack_project::server is not declared directly here,
  # unlike most nodes in this file; presumably openstack_project::cacti pulls
  # it in. Confirm.
  # Node-OS: xenial
  node /^cacti\d+\.open.*\.org$/ {
    $group = 'cacti'
    include openstack_project::ssl_cert_check
    class { 'openstack_project::cacti':
      cacti_hosts => hiera_array('cacti_hosts'),
      vhost_name  => 'cacti.openstack.org',
    }
  }
  # Graphite host. No $group is set on this node.
  # NOTE(review): the pattern matches graphite<N> for any N, but the TLS paths
  # below are hard-coded to graphite01.opendev.org. A second graphite host
  # would point at certificate files that only exist if ansible also
  # installed them under that name.
  # Node-OS: xenial
  node /^graphite\d*\.open.*\.org$/ {
    class { 'openstack_project::server': }
    class { '::graphite':
      graphite_admin_user     => hiera('graphite_admin_user', 'username'),
      graphite_admin_email    => hiera('graphite_admin_email', 'email@example.com'),
      graphite_admin_password => hiera('graphite_admin_password'),
      # NOTE(ianw): installed on the host via ansible
      ssl_cert_file           => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',
      ssl_key_file            => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',
      ssl_chain_file          => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',
    }
  }
  # Mailing-list host.
  # NOTE(review): the generic hiera key 'listpassword' is also read by the
  # katacontainers lists node and no $group is set on either, so the two
  # passwords only differ if the hiera data is scoped per host. Confirm.
  # Node-OS: trusty
  # Node-OS: xenial
  node /^lists\d*\.open.*\.org$/ {
    class { 'openstack_project::server': }
    class { 'openstack_project::lists':
      listpassword => hiera('listpassword'),
    }
  }
  # Mailing-list host for katacontainers.io.
  # NOTE(review): reads the same generic 'listpassword' hiera key as the
  # lists.open*.org node and sets no $group; keeping the two passwords apart
  # presumably relies on per-host hiera data. Confirm.
  # Node-OS: xenial
  node /^lists\d*\.katacontainers\.io$/ {
    class { 'openstack_project::server': }
    class { 'openstack_project::kata_lists':
      listpassword => hiera('listpassword'),
    }
  }
  # Paste host. Neither database lookup has a default, so both keys must
  # exist in hiera for the catalog to compile.
  # Node-OS: xenial
  node /^paste\d*\.open.*\.org$/ {
    $group = 'paste'
    class { 'openstack_project::server': }
    class { 'openstack_project::paste':
      db_password => hiera('paste_db_password'),
      db_host     => hiera('paste_db_host'),
      vhost_name  => 'paste.openstack.org',
    }
  }
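  # Planet host. The pattern is anchored with ^ like every other node pattern
  # in this file. Without the anchor, any node name that merely ended in
  # planet<N>.open<anything>.org (for example with an arbitrary prefix) was
  # classified as a planet server.
  # Node-OS: xenial
  node /^planet\d*\.open.*\.org$/ {
    class { 'openstack_project::planet': }
  }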
  # IRC bot host (meetbot, statusbot, accessbot, ptgbot). Bot passwords, wiki
  # credentials and the Twitter keys all come from hiera without defaults;
  # only nick names and channel lists have fallbacks.
  # Node-OS: xenial
  node /^eavesdrop\d*\.open.*\.org$/ {
    $group = 'eavesdrop'
    class { 'openstack_project::server': }
    class { 'openstack_project::eavesdrop':
      project_config_repo            => 'https://opendev.org/openstack/project-config',
      nickpass                       => hiera('openstack_meetbot_password'),
      statusbot_nick                 => hiera('statusbot_nick', 'username'),
      statusbot_password             => hiera('statusbot_nick_password'),
      statusbot_server               => 'chat.freenode.net',
      # NOTE(review): this default is spelled 'openstack_infra' while the
      # meetbot_channels default below is 'openstack-infra'. Verify which is
      # intended.
      statusbot_channels             => hiera_array('statusbot_channels', ['openstack_infra']),
      # Nicks allowed to drive statusbot; no default, so the key must exist.
      statusbot_auth_nicks           => hiera_array('statusbot_auth_nicks'),
      statusbot_wiki_user            => hiera('statusbot_wiki_username', 'username'),
      statusbot_wiki_password        => hiera('statusbot_wiki_password'),
      statusbot_wiki_url             => 'https://wiki.openstack.org/w/api.php',
      # https://wiki.openstack.org/wiki/Infrastructure_Status
      statusbot_wiki_pageid          => '1781',
      statusbot_wiki_successpageid   => '7717',
      statusbot_wiki_successpageurl  => 'https://wiki.openstack.org/wiki/Successes',
      statusbot_wiki_thankspageid    => '37700',
      statusbot_wiki_thankspageurl   => 'https://wiki.openstack.org/wiki/Thanks',
      # NOTE(review): the log link template is plain http, unlike the wiki URLs.
      statusbot_irclogs_url          => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
      statusbot_twitter              => true,
      statusbot_twitter_key          => hiera('statusbot_twitter_key'),
      statusbot_twitter_secret       => hiera('statusbot_twitter_secret'),
      statusbot_twitter_token_key    => hiera('statusbot_twitter_token_key'),
      statusbot_twitter_token_secret => hiera('statusbot_twitter_token_secret'),
      accessbot_nick                 => hiera('accessbot_nick', 'username'),
      accessbot_password             => hiera('accessbot_nick_password'),
      # Plain hiera() here, hiera_array() for the statusbot lists above: this
      # one is a first-match lookup, not a merge across the hierarchy.
      meetbot_channels               => hiera('meetbot_channels', ['openstack-infra']),
      ptgbot_nick                    => hiera('ptgbot_nick', 'username'),
      ptgbot_password                => hiera('ptgbot_password'),
    }
  }
  # Ethercalc host.
  # NOTE(review): the TLS material is read from the unprefixed keys
  # ssl_cert_file_contents / ssl_key_file_contents / ssl_chain_file_contents,
  # which the wiki and survey nodes read too. Each host presumably gets its
  # own values through $group-scoped hiera data. Confirm, because a key
  # defined at a shared level would hand one private key to all of them.
  # Node-OS: xenial
  node /^ethercalc\d+\.open.*\.org$/ {
    $group = 'ethercalc'
    class { 'openstack_project::server': }
    class { 'openstack_project::ethercalc':
      vhost_name              => 'ethercalc.openstack.org',
      ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
    }
  }
  # Etherpad host. TLS material uses service-prefixed hiera keys
  # (etherpad_ssl_*); the database password has no default.
  # Node-OS: xenial
  node /^etherpad\d*\.open.*\.org$/ {
    $group = 'etherpad'
    class { 'openstack_project::server': }
    class { 'openstack_project::etherpad':
      vhost_name              => 'etherpad.openstack.org',
      ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
      mysql_host              => hiera('etherpad_db_host', 'localhost'),
      mysql_user              => hiera('etherpad_db_user', 'username'),
      mysql_password          => hiera('etherpad_db_password'),
    }
  }
  # Etherpad development host. It has its own etherpad-dev_* database keys.
  # Unlike the etherpad node, no TLS certificate parameters are passed here.
  # Node-OS: xenial
  node /^etherpad-dev\d*\.open.*\.org$/ {
    $group = 'etherpad-dev'
    class { 'openstack_project::server': }
    class { 'openstack_project::etherpad_dev':
      vhost_name     => 'etherpad-dev.openstack.org',
      mysql_host     => hiera('etherpad-dev_db_host', 'localhost'),
      mysql_user     => hiera('etherpad-dev_db_user', 'username'),
      mysql_password => hiera('etherpad-dev_db_password'),
    }
  }
  # Production wiki host. The database name and user are fixed in this
  # manifest; the password and the wg_* keys come from hiera without defaults.
  # NOTE(review): ssl_*_file_contents and the wg_* secrets use unprefixed key
  # names that the wiki-dev node reads as well. Separation between the two
  # presumably depends on $group-scoped hiera data. Confirm.
  # Node-OS: trusty
  node /^wiki\d+\.openstack\.org$/ {
    $group = 'wiki'
    class { 'openstack_project::wiki':
      bup_user                  => 'bup-wiki',
      serveradmin               => hiera('infra_apache_serveradmin'),
      site_hostname             => 'wiki.openstack.org',
      ssl_cert_file_contents    => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents     => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents   => hiera('ssl_chain_file_contents'),
      wg_dbserver               => hiera('wg_dbserver'),
      wg_dbname                 => 'openstack_wiki',
      wg_dbuser                 => 'wikiuser',
      wg_dbpassword             => hiera('wg_dbpassword'),
      wg_secretkey              => hiera('wg_secretkey'),
      wg_upgradekey             => hiera('wg_upgradekey'),
      wg_recaptchasitekey       => hiera('wg_recaptchasitekey'),
      wg_recaptchasecretkey     => hiera('wg_recaptchasecretkey'),
      wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),
    }
  }
  # Development wiki host. It uses the same class as production with
  # disallow_robots enabled; no TLS contents and no bup_user are passed.
  # NOTE(review): the hiera key names (wg_dbserver, wg_dbpassword,
  # wg_secretkey, wg_upgradekey, ...) are identical to the production wiki
  # node's. Unless the hiera data is scoped by $group, this host receives the
  # production database password and secret keys. Confirm.
  # Node-OS: trusty
  node /^wiki-dev\d+\.openstack\.org$/ {
    $group = 'wiki-dev'
    class { 'openstack_project::wiki':
      serveradmin           => hiera('infra_apache_serveradmin'),
      site_hostname         => 'wiki-dev.openstack.org',
      wg_dbserver           => hiera('wg_dbserver'),
      wg_dbname             => 'openstack_wiki',
      wg_dbuser             => 'wikiuser',
      wg_dbpassword         => hiera('wg_dbpassword'),
      wg_secretkey          => hiera('wg_secretkey'),
      wg_upgradekey         => hiera('wg_upgradekey'),
      wg_recaptchasitekey   => hiera('wg_recaptchasitekey'),
      wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
      disallow_robots       => true,
    }
  }
  # Logstash host. No $group is set on this node.
  # Node-OS: xenial
  node /^logstash\d*\.open.*\.org$/ {
    class { 'openstack_project::server': }
    class { 'openstack_project::logstash':
      # Same six hosts as the top-level $elasticsearch_nodes, written out
      # again with the :9200 port and in a different order. The two lists
      # have to be kept in sync by hand.
      discover_nodes      => [
        'elasticsearch03.openstack.org:9200',
        'elasticsearch04.openstack.org:9200',
        'elasticsearch05.openstack.org:9200',
        'elasticsearch06.openstack.org:9200',
        'elasticsearch07.openstack.org:9200',
        'elasticsearch02.openstack.org:9200',
      ],
      # NOTE(review): both lookups default to the empty string, so a missing
      # hiera key yields an empty database host/password instead of a failed
      # catalog. Most other passwords in this file have no default and fail
      # closed.
      subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
      subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
    }
  }
  # Logstash worker host. MQTT is switched off, but the MQTT password and CA
  # certificate are still looked up without defaults, so both keys must exist
  # in hiera and are still delivered to the class.
  # Node-OS: xenial
  node /^logstash-worker\d+\.open.*\.org$/ {
    $group = 'logstash-worker'
    class { 'openstack_project::server': }
    class { 'openstack_project::logstash_worker':
      discover_node         => 'elasticsearch03.openstack.org',
      enable_mqtt           => false,
      mqtt_password         => hiera('mqtt_service_user_password'),
      mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
    }
  }
  # Subunit worker host.
  # Node-OS: xenial
  node /^subunit-worker\d+\.open.*\.org$/ {
    $group = 'subunit-worker'
    class { 'openstack_project::server': }
    class { 'openstack_project::subunit_worker':
      # NOTE(review): an empty-string default means a missing key silently
      # produces an empty database host/password. The MQTT secrets below have
      # no default and fail the catalog instead.
      subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),
      subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),
      mqtt_pass             => hiera('mqtt_service_user_password'),
      mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
    }
  }
  # Elasticsearch cluster member. Its peer list is the top-level
  # $elasticsearch_nodes array; no secrets are passed from this node.
  # Node-OS: xenial
  node /^elasticsearch\d+\.open.*\.org$/ {
    $group = 'elasticsearch'
    class { 'openstack_project::server': }
    class { 'openstack_project::elasticsearch_node':
      discover_nodes => $elasticsearch_nodes,
    }
  }
  # Firehose host. No $group is set on this node. All key material and
  # passwords below are read from hiera without defaults.
  # Node-OS: xenial
  node /^firehose\d+\.open.*\.org$/ {
    class { 'openstack_project::server': }
    class { 'openstack_project::firehose':
      # The Gerrit host key is supplied from the same hiera key the review
      # node reads for its RSA public key (gerrit_ssh_rsa_pubkey_contents).
      gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
      gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),
      gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),
      mqtt_password       => hiera('mqtt_service_user_password'),
      ca_file             => hiera('mosquitto_tls_ca_file'),
      cert_file           => hiera('mosquitto_tls_server_cert_file'),
      key_file            => hiera('mosquitto_tls_server_key_file'),
      imap_hostname       => hiera('lpmqtt_imap_server'),
      imap_username       => hiera('lpmqtt_imap_username'),
      imap_password       => hiera('lpmqtt_imap_password'),
      statsd_host         => 'graphite.opendev.org',
    }
  }
  # A machine to drive AFS mirror updates.
  # This one host receives eight keytabs, including the one read from
  # 'afsadmin_keytab'. A keytab is a long-lived credential in its own right,
  # so this node holds the write identities for all mirrored content.
  # NOTE(review): `open.*` in the node pattern also matches domains other than
  # openstack.org / opendev.org; confirm node-name issuance is restricted
  # before relying on the pattern to gate these keytabs.
  # Node-OS: xenial
  node /^mirror-update\d*\.open.*\.org$/ {
    $group = 'afsadmin'
    class { 'openstack_project::mirror_update':
      admin_keytab          => hiera('afsadmin_keytab'),
      fedora_keytab         => hiera('fedora_keytab'),
      opensuse_keytab       => hiera('opensuse_keytab'),
      reprepro_keytab       => hiera('reprepro_keytab'),
      gem_keytab            => hiera('gem_keytab'),
      centos_keytab         => hiera('centos_keytab'),
      epel_keytab           => hiera('epel_keytab'),
      yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),
    }
  }
  # Machines in each region to serve AFS mirrors.
  # No hiera secrets are passed here. The vhost name is the node's own
  # $::fqdn fact, and the mirror class is ordered after the server class,
  # which enables AFS.
  # Node-OS: xenial
  node /^mirror\d*\..*\.open.*\.org$/ {
    $group = 'mirror'
    class { 'openstack_project::server':
      afs            => true,
      afs_cache_size => 50000000, # 50GB
    }
    class { 'openstack_project::mirror':
      vhost_name => $::fqdn,
      require    => Class['Openstack_project::Server'],
    }
  }
  # Serve static AFS content for docs and other sites.
  # One host terminates TLS for every site declared below, so it holds the
  # private keys for all of them. Most are delivered as contents from hiera;
  # tarballs.opendev.org instead points at certificate files under
  # /etc/letsencrypt-certs.
  # Node-OS: xenial
  node /^files\d*\.open.*\.org$/ {
    $group = 'files'
    class { 'openstack_project::server':
      afs            => true,
      afs_cache_size => 10000000, # 10GB
    }
    class { 'openstack_project::files':
      vhost_name                        => 'files.openstack.org',
      developer_cert_file_contents      => hiera('developer_cert_file_contents'),
      developer_key_file_contents       => hiera('developer_key_file_contents'),
      developer_chain_file_contents     => hiera('developer_chain_file_contents'),
      docs_cert_file_contents           => hiera('docs_cert_file_contents'),
      docs_key_file_contents            => hiera('docs_key_file_contents'),
      docs_chain_file_contents          => hiera('docs_chain_file_contents'),
      git_airship_cert_file_contents    => hiera('git_airship_cert_file_contents'),
      git_airship_key_file_contents     => hiera('git_airship_key_file_contents'),
      git_airship_chain_file_contents   => hiera('git_airship_chain_file_contents'),
      git_openstack_cert_file_contents  => hiera('git_openstack_cert_file_contents'),
      git_openstack_key_file_contents   => hiera('git_openstack_key_file_contents'),
      git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),
      git_starlingx_cert_file_contents  => hiera('git_starlingx_cert_file_contents'),
      git_starlingx_key_file_contents   => hiera('git_starlingx_key_file_contents'),
      git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
      git_zuul_cert_file_contents       => hiera('git_zuul_cert_file_contents'),
      git_zuul_key_file_contents        => hiera('git_zuul_key_file_contents'),
      git_zuul_chain_file_contents      => hiera('git_zuul_chain_file_contents'),
      require                           => Class['Openstack_project::Server'],
    }
    # Temporary for evaluating htaccess rules
    # NOTE(review): this is the only vhost on the node with no TLS parameters
    # and port 80. It is marked temporary; remove it once the evaluation is
    # done.
    ::httpd::vhost { 'git-test.openstack.org':
      port     => 80, # Is required despite not being used.
      docroot  => '/afs/openstack.org/project/git-test/www',
      priority => '50',
      template => 'openstack_project/git-test.vhost.erb',
    }
    openstack_project::website { 'docs.starlingx.io':
      volume_name      => 'starlingx.io',
      aliases          => [],
      ssl_cert         => hiera('docs_starlingx_io_ssl_cert'),
      ssl_key          => hiera('docs_starlingx_io_ssl_key'),
      ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }
    openstack_project::website { 'docs.opendev.org':
      aliases          => [],
      docroot          => '/afs/openstack.org/project/opendev.org/docs',
      ssl_cert         => hiera('docs_opendev_ssl_cert'),
      ssl_key          => hiera('docs_opendev_ssl_key'),
      ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }
    # Certificate files referenced by path rather than passed as contents.
    openstack_project::website { 'tarballs.opendev.org':
      aliases        => [],
      docroot        => '/afs/openstack.org/project/opendev.org/tarballs',
      ssl_cert_file  => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer',
      ssl_key_file   => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key',
      ssl_chain_file => '/etc/letsencrypt-certs/tarballs.opendev.org/ca.cer',
      require        => Class['openstack_project::files'],
    }
    openstack_project::website { 'zuul-ci.org':
      aliases          => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
      ssl_cert         => hiera('zuul-ci_org_ssl_cert'),
      ssl_key          => hiera('zuul-ci_org_ssl_key'),
      ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }
  }
  # RefStack host plus a remote MySQL backup of its database. No $group is
  # set on this node. The backup resource reads the same host, user and
  # password keys as the application, so the backup job connects with the
  # application's own database account.
  # Node-OS: trusty
  # Node-OS: xenial
  node /^refstack\d*\.open.*\.org$/ {
    class { 'openstack_project::server': }
    class { 'refstack':
      mysql_host          => hiera('refstack_mysql_host', 'localhost'),
      mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),
      mysql_user          => hiera('refstack_mysql_user', 'refstack'),
      mysql_user_password => hiera('refstack_mysql_password'),
      ssl_cert_content    => hiera('refstack_ssl_cert_file_contents'),
      ssl_cert            => '/etc/ssl/certs/refstack.pem',
      ssl_key_content     => hiera('refstack_ssl_key_file_contents'),
      ssl_key             => '/etc/ssl/private/refstack.key',
      ssl_ca_content      => hiera('refstack_ssl_chain_file_contents'),
      ssl_ca              => '/etc/ssl/certs/refstack.ca.pem',
      protocol            => 'https',
    }
    mysql_backup::backup_remote { 'refstack':
      database_host     => hiera('refstack_mysql_host', 'localhost'),
      database_user     => hiera('refstack_mysql_user', 'refstack'),
      database_password => hiera('refstack_mysql_password'),
      require           => Class['::refstack'],
    }
  }
  # A machine to run Storyboard
  # The node name is under opendev.org while the served hostname, the
  # certificate paths and the OAuth/CORS entries all use
  # storyboard.openstack.org.
  # Node-OS: xenial
  node /^storyboard\d+\.opendev\.org$/ {
    $group = 'storyboard'
    class { 'openstack_project::storyboard':
      project_config_repo     => 'https://opendev.org/openstack/project-config',
      mysql_host              => hiera('storyboard_db_host', 'localhost'),
      mysql_user              => hiera('storyboard_db_user', 'username'),
      mysql_password          => hiera('storyboard_db_password'),
      rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),
      rabbitmq_password       => hiera('storyboard_rabbit_password'),
      ssl_cert                => '/etc/ssl/certs/storyboard.openstack.org.pem',
      ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),
      ssl_key                 => '/etc/ssl/private/storyboard.openstack.org.key',
      ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
      hostname                => 'storyboard.openstack.org',
      valid_oauth_clients     => [
        'storyboard.openstack.org',
        'logs.openstack.org',
      ],
      # NOTE(review): the second origin is plain http. A CORS allow-list entry
      # for an unencrypted origin extends trust to anything able to alter
      # that site's traffic in transit. Prefer an https origin if
      # logs.openstack.org is served over TLS.
      cors_allowed_origins    => [
        'https://storyboard.openstack.org',
        'http://logs.openstack.org',
      ],
      sender_email_address    => 'storyboard@storyboard.openstack.org',
      default_url             => 'https://storyboard.openstack.org',
    }
  }
  # A machine to run Storyboard devel
  # NOTE(review): the database and RabbitMQ lookups use the same key names as
  # the production storyboard node (storyboard_db_password,
  # storyboard_rabbit_password, ...). Only $group differs, so dev gets
  # separate credentials only if the hiera data is scoped by group. Confirm.
  # Node-OS: xenial
  node /^storyboard-dev\d+\.opendev\.org$/ {
    $group = 'storyboard-dev'
    class { 'openstack_project::storyboard::dev':
      project_config_repo  => 'https://opendev.org/openstack/project-config',
      mysql_host           => hiera('storyboard_db_host', 'localhost'),
      mysql_user           => hiera('storyboard_db_user', 'username'),
      mysql_password       => hiera('storyboard_db_password'),
      rabbitmq_user        => hiera('storyboard_rabbit_user', 'username'),
      rabbitmq_password    => hiera('storyboard_rabbit_password'),
      hostname             => 'storyboard-dev.openstack.org',
      valid_oauth_clients  => [
        'storyboard-dev.openstack.org',
        'logs.openstack.org',
      ],
      # NOTE(review): the second CORS origin is plain http; see whether an
      # https origin can be used instead.
      cors_allowed_origins => [
        'https://storyboard-dev.openstack.org',
        'http://logs.openstack.org',
      ],
      sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',
      default_url          => 'https://storyboard-dev.openstack.org',
    }
  }
  # A machine to serve static content.
  # No $group is set on this node. The Swift account name is fixed in the
  # manifest ('infra-files-ro'); only its key, the tenant name and the TLS
  # material come from hiera.
  # Node-OS: trusty
  # Node-OS: xenial
  node /^static\d*\.open.*\.org$/ {
    class { 'openstack_project::server': }
    class { 'openstack_project::static':
      project_config_repo     => 'https://opendev.org/openstack/project-config',
      swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',
      swift_user              => 'infra-files-ro',
      swift_key               => hiera('infra_files_ro_password'),
      swift_tenant_name       => hiera('infra_files_tenant_name', 'tenantname'),
      swift_region_name       => 'DFW',
      swift_default_container => 'infra-files',
      ssl_cert_file_contents  => hiera('static_ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('static_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
    }
  }
  # ZooKeeper cluster member. No $group is set on this node.
  # Node-OS: xenial
  node /^zk\d+\.open.*\.org$/ {
    # We use IP addresses here so that zk listens on the public facing addresses
    # allowing cluster members to talk to each other. Without this they listen
    # on 127.0.1.1 because that is what we have in /etc/hosts for
    # zk0X.openstack.org.
    # NOTE(review): listening on public addresses leaves network filtering as
    # the access control for the ZooKeeper ports. No firewall rules or
    # ZooKeeper authentication settings are visible in this node definition.
    # Confirm they are applied elsewhere.
    $zk_cluster_members = [
      '23.253.236.126', # zk01
      '172.99.117.32', # zk02
      '23.253.90.246', # zk03
    ]
    class { 'openstack_project::server': }
    class { '::zookeeper':
      # ID needs to be numeric, so we use a regex to extract the number from
      # the fqdn.
      id             => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),
      # The frequency in hours to look for and purge old snapshots,
      # defaults to 0 (disabled). The number of retained snapshots can
      # be separately controlled through snap_retain_count and
      # defaults to the minimum value of 3. This will quickly fill the
      # disk in production if not enabled. Works on ZK >=3.4.
      purge_interval => 6,
      servers        => $zk_cluster_members,
    }
  }
  # A machine to serve various project status updates.
  # It holds two SSH key pairs (reviewday and elastic-recheck) and an IRC bot
  # password, all read from hiera without defaults. The Gerrit host key comes
  # from the same hiera key the review node reads for its RSA public key.
  # Node-OS: trusty
  # Node-OS: xenial
  node /^status\d*\.open.*\.org$/ {
    $group = 'status'
    class { 'openstack_project::server': }
    class { 'openstack_project::status':
      gerrit_host               => 'review.opendev.org',
      gerrit_ssh_host_key       => hiera('gerrit_ssh_rsa_pubkey_contents'),
      reviewday_ssh_public_key  => hiera('reviewday_rsa_pubkey_contents'),
      reviewday_ssh_private_key => hiera('reviewday_rsa_key_contents'),
      recheck_ssh_public_key    => hiera('elastic-recheck_gerrit_ssh_public_key'),
      recheck_ssh_private_key   => hiera('elastic-recheck_gerrit_ssh_private_key'),
      recheck_bot_nick          => 'openstackrecheck',
      recheck_bot_passwd        => hiera('elastic-recheck_ircbot_password'),
    }
  }
  # Survey host, with OpenID authentication switched on.
  # NOTE(review): every secret here uses a short, unprefixed hiera key
  # (dbpassword, adminpass, ssl_key_file_contents, ...). Names this generic
  # are only safe when the values live in $group-scoped hiera data.
  # Confirm none of them is defined at a level other hosts also read.
  # Node-OS: xenial
  node /^survey\d+\.open.*\.org$/ {
    $group = 'survey'
    class { 'openstack_project::server': }
    class { 'openstack_project::survey':
      vhost_name              => 'survey.openstack.org',
      auth_openid             => true,
      ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
      dbpassword              => hiera('dbpassword'),
      dbhost                  => hiera('dbhost'),
      adminuser               => hiera('adminuser'),
      adminpass               => hiera('adminpass'),
      adminmail               => hiera('adminmail'),
    }
  }
  598. # Node-OS: xenial
  599. node /^nl\d+\.open.*\.org$/ {
  600. $group = 'nodepool'
  601. # NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)
  602. # the cloud credentials are deployed with ansible via the
  603. # configure-openstacksdk role and are no longer configured here
  604. class { 'openstack_project::server': }
  605. include openstack_project
  606. class { '::openstackci::nodepool_launcher':
  607. nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),
  608. project_config_repo => 'https://opendev.org/openstack/project-config',
  609. statsd_host => 'graphite.opendev.org',
  610. revision => 'master',
  611. python_version => 3,
  612. enable_webapp => true,
  613. }
  614. }
  615. # Node-OS: xenial
  616. node /^nb\d+\.open.*\.org$/ {
  617. $group = 'nodepool'
  618. class { 'openstack_project::server': }
  619. include openstack_project
  620. class { '::openstackci::nodepool_builder':
  621. nodepool_ssh_public_key => hiera('zuul_worker_ssh_public_key_contents'),
  622. vhost_name => $::fqdn,
  623. enable_build_log_via_http => true,
  624. project_config_repo => 'https://opendev.org/openstack/project-config',
  625. statsd_host => 'graphite.opendev.org',
  626. upload_workers => '16',
  627. revision => 'master',
  628. python_version => 3,
  629. zuulv3 => true,
  630. ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
  631. ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
  632. }
  633. cron { 'mirror_gitgc':
  634. user => 'nodepool',
  635. hour => '20',
  636. minute => '0',
  637. command => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
  638. environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
  639. require => Class['::openstackci::nodepool_builder'],
  640. }
  641. }
  642. # Node-OS: xenial
  643. node /^ze\d+\.open.*\.org$/ {
  644. $group = "zuul-executor"
  645. $gerrit_server = 'review.opendev.org'
  646. $gerrit_user = 'zuul'
  647. $gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
  648. $gerrit_ssh_private_key = hiera('gerrit_ssh_private_key_contents')
  649. $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
  650. $zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')
  651. $git_email = 'zuul@openstack.org'
  652. $git_name = 'OpenStack Zuul'
  653. $revision = 'master'
  654. class { 'openstack_project::server':
  655. afs => true,
  656. }
  657. class { '::project_config':
  658. url => 'https://opendev.org/openstack/project-config',
  659. }
  660. # We use later HWE kernels for better memory managment, requiring an
  661. # updated AFS version which we install from our custom ppa.
  662. include ::apt
  663. apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }
  664. package { 'linux-generic-hwe-16.04':
  665. ensure => present,
  666. require => [
  667. Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],
  668. Class['apt::update'],
  669. ],
  670. }
  671. # Skopeo is required for pushing/pulling from the intermediate
  672. # registry, and is available in the projectatomic ppa.
  673. apt::ppa { 'ppa:projectatomic/ppa': }
  674. package { 'skopeo':
  675. ensure => present,
  676. require => [
  677. Apt::Ppa['ppa:projectatomic/ppa'],
  678. Class['apt::update'],
  679. ],
  680. }
  681. # Socat is also required for pushing/pulling images
  682. package { 'socat':
  683. ensure => present,
  684. require => [
  685. Class['apt::update'],
  686. ],
  687. }
  688. # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
  689. # settings.
  690. class { '::zuul':
  691. gearman_server => 'zuul01.openstack.org',
  692. gerrit_server => $gerrit_server,
  693. gerrit_user => $gerrit_user,
  694. zuul_ssh_private_key => $gerrit_ssh_private_key,
  695. git_email => $git_email,
  696. git_name => $git_name,
  697. worker_private_key_file => '/var/lib/zuul/ssh/nodepool_id_rsa',
  698. revision => $revision,
  699. python_version => 3,
  700. zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
  701. zuulv3 => true,
  702. connections => hiera('zuul_connections', []),
  703. gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
  704. gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
  705. gearman_ssl_ca => hiera('gearman_ssl_ca'),
  706. #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs
  707. # properly. We need to revisting this post Queens PTG.
  708. trusted_ro_paths => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],
  709. trusted_rw_paths => ['/afs'],
  710. untrusted_ro_paths => ['/etc/ssl/certs'],
  711. disk_limit_per_job => 5000, # Megabytes
  712. site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,
  713. require => $::project_config::config_dir,
  714. statsd_host => 'graphite.opendev.org',
  715. }
  716. class { '::zuul::executor': }
  717. # This is used by the log job submission playbook which runs under
  718. # python2
  719. package { 'gear':
  720. ensure => latest,
  721. provider => openstack_pip,
  722. require => Class['pip'],
  723. }
  724. file { '/var/lib/zuul/ssh/nodepool_id_rsa':
  725. owner => 'zuul',
  726. group => 'zuul',
  727. mode => '0400',
  728. require => File['/var/lib/zuul/ssh'],
  729. content => $zuul_ssh_private_key,
  730. }
  731. file { '/var/lib/zuul/ssh/static_id_rsa':
  732. owner => 'zuul',
  733. group => 'zuul',
  734. mode => '0400',
  735. require => File['/var/lib/zuul/ssh'],
  736. content => $zuul_static_private_key,
  737. }
  738. class { '::zuul::known_hosts':
  739. known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
  740. }
  741. }
  742. # Node-OS: xenial
  743. node /^zuul\d+\.open.*\.org$/ {
  744. $group = "zuul-scheduler"
  745. $gerrit_server = 'review.opendev.org'
  746. $gerrit_user = 'zuul'
  747. $gerrit_ssh_host_key = hiera('gerrit_zuul_user_ssh_key_contents')
  748. $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
  749. $zuul_url = "http://zuul.openstack.org/p"
  750. $git_email = 'zuul@openstack.org'
  751. $git_name = 'OpenStack Zuul'
  752. $revision = 'master'
  753. class { 'openstack_project::server': }
  754. class { '::project_config':
  755. url => 'https://opendev.org/openstack/project-config',
  756. }
  757. # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
  758. # settings.
  759. class { '::zuul':
  760. gerrit_server => $gerrit_server,
  761. gerrit_user => $gerrit_user,
  762. zuul_ssh_private_key => $zuul_ssh_private_key,
  763. git_email => $git_email,
  764. git_name => $git_name,
  765. revision => $revision,
  766. python_version => 3,
  767. zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
  768. zookeeper_session_timeout => 40,
  769. zuulv3 => true,
  770. connections => hiera('zuul_connections', []),
  771. connection_secrets => hiera('zuul_connection_secrets', []),
  772. vhost_name => 'zuul.openstack.org',
  773. zuul_status_url => 'http://127.0.0.1:8001/openstack',
  774. zuul_web_url => 'http://127.0.0.1:9000',
  775. zuul_tenant_name => 'openstack',
  776. gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
  777. gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
  778. gearman_server_ssl_cert => hiera('gearman_server_ssl_cert'),
  779. gearman_server_ssl_key => hiera('gearman_server_ssl_key'),
  780. gearman_ssl_ca => hiera('gearman_ssl_ca'),
  781. proxy_ssl_cert_file_contents => hiera('zuul_ssl_cert_file_contents'),
  782. proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
  783. proxy_ssl_key_file_contents => hiera('zuul_ssl_key_file_contents'),
  784. statsd_host => 'graphite.opendev.org',
  785. status_url => 'https://zuul.openstack.org',
  786. relative_priority => true,
  787. }
  788. file { "/etc/zuul/github.key":
  789. ensure => present,
  790. owner => 'zuul',
  791. group => 'zuul',
  792. mode => '0600',
  793. content => hiera('zuul_github_app_key'),
  794. require => File['/etc/zuul'],
  795. }
  796. class { '::zuul::scheduler':
  797. layout_dir => $::project_config::zuul_layout_dir,
  798. require => $::project_config::config_dir,
  799. python_version => 3,
  800. use_mysql => true,
  801. }
  802. class { '::zuul::web':
  803. # We manage backups below
  804. enable_status_backups => false,
  805. vhosts => {
  806. 'zuul.openstack.org' => {
  807. port => 443,
  808. docroot => '/opt/zuul-web/content',
  809. priority => '50',
  810. ssl => true,
  811. template => 'zuul/zuulv3.vhost.erb',
  812. vhost_name => 'zuul.openstack.org',
  813. },
  814. 'zuul.opendev.org' => {
  815. port => 443,
  816. docroot => '/opt/zuul-web/content',
  817. priority => '40',
  818. ssl => true,
  819. template => 'zuul/zuulv3.vhost.erb',
  820. vhost_name => 'zuul.opendev.org',
  821. },
  822. 'zuul.openstack.org-http' => {
  823. port => 80,
  824. docroot => '/opt/zuul-web/content',
  825. priority => '50',
  826. ssl => false,
  827. template => 'zuul/zuulv3.vhost.erb',
  828. vhost_name => 'zuul.openstack.org',
  829. },
  830. 'zuul.opendev.org-http' => {
  831. port => 80,
  832. docroot => '/opt/zuul-web/content',
  833. priority => '40',
  834. ssl => false,
  835. template => 'zuul/zuulv3.vhost.erb',
  836. vhost_name => 'zuul.opendev.org',
  837. },
  838. },
  839. vhosts_flags => {
  840. 'zuul.openstack.org' => {
  841. tenant_name => 'openstack',
  842. ssl => true,
  843. },
  844. 'zuul.opendev.org' => {
  845. tenant_name => '',
  846. ssl => true,
  847. },
  848. 'zuul.openstack.org-http' => {
  849. tenant_name => 'openstack',
  850. ssl => false,
  851. },
  852. 'zuul.opendev.org-http' => {
  853. tenant_name => '',
  854. ssl => false,
  855. },
  856. },
  857. vhosts_ssl => {
  858. 'zuul.openstack.org' => {
  859. ssl_cert_file_contents => hiera('zuul_ssl_cert_file_contents'),
  860. ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
  861. ssl_key_file_contents => hiera('zuul_ssl_key_file_contents'),
  862. },
  863. 'zuul.opendev.org' => {
  864. ssl_cert_file_contents => hiera('opendev_zuul_ssl_cert_file_contents'),
  865. ssl_chain_file_contents => hiera('opendev_zuul_ssl_chain_file_contents'),
  866. ssl_key_file_contents => hiera('opendev_zuul_ssl_key_file_contents'),
  867. },
  868. },
  869. }
  870. zuul::status_backups { 'openstack-zuul-tenant':
  871. tenant_name => 'openstack',
  872. ssl => true,
  873. status_uri => 'https://zuul.opendev.org/api/tenant/openstack/status',
  874. }
  875. zuul::status_backups { 'kata-zuul-tenant':
  876. tenant_name => 'kata-containers',
  877. ssl => true,
  878. status_uri => 'https://zuul.opendev.org/api/tenant/kata-containers/status',
  879. }
  880. class { '::zuul::fingergw': }
  881. class { '::zuul::known_hosts':
  882. known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
  883. }
  884. include bup
  885. bup::site { 'rax.ord':
  886. backup_user => 'bup-zuulv3',
  887. backup_server => 'backup01.ord.rax.ci.openstack.org',
  888. }
  889. }
  890. # Node-OS: xenial
  891. node /^zm\d+.open.*\.org$/ {
  892. $group = "zuul-merger"
  893. $gerrit_server = 'review.opendev.org'
  894. $gerrit_user = 'zuul'
  895. $gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
  896. $zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')
  897. $zuul_url = "http://${::fqdn}/p"
  898. $git_email = 'zuul@openstack.org'
  899. $git_name = 'OpenStack Zuul'
  900. $revision = 'master'
  901. class { 'openstack_project::server': }
  902. # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
  903. # settings.
  904. class { '::zuul':
  905. gearman_server => 'zuul01.openstack.org',
  906. gerrit_server => $gerrit_server,
  907. gerrit_user => $gerrit_user,
  908. zuul_ssh_private_key => $zuul_ssh_private_key,
  909. git_email => $git_email,
  910. git_name => $git_name,
  911. revision => $revision,
  912. python_version => 3,
  913. zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
  914. zuulv3 => true,
  915. connections => hiera('zuul_connections', []),
  916. gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
  917. gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
  918. gearman_ssl_ca => hiera('gearman_ssl_ca'),
  919. statsd_host => 'graphite.opendev.org',
  920. }
  921. class { 'openstack_project::zuul_merger':
  922. gerrit_server => $gerrit_server,
  923. gerrit_user => $gerrit_user,
  924. gerrit_ssh_host_key => $gerrit_ssh_host_key,
  925. zuul_ssh_private_key => $zuul_ssh_private_key,
  926. manage_common_zuul => false,
  927. }
  928. }
  929. # Node-OS: xenial
  930. node /^pbx\d*\.open.*\.org$/ {
  931. $group = "pbx"
  932. class { 'openstack_project::server': }
  933. class { 'openstack_project::pbx':
  934. sip_providers => [
  935. {
  936. provider => 'voipms',
  937. hostname => 'dallas.voip.ms',
  938. username => hiera('voipms_username', 'username'),
  939. password => hiera('voipms_password'),
  940. outgoing => false,
  941. },
  942. ],
  943. }
  944. }
  945. # Node-OS: xenial
  946. # A backup machine. Don't run cron or puppet agent on it.
  947. node /^backup\d+\..*\.ci\.open.*\.org$/ {
  948. $group = "ci-backup"
  949. class { 'openstack_project::server': }
  950. include openstack_project::backup_server
  951. }
  952. # Node-OS: xenial
  953. node /^openstackid\d*(\.openstack)?\.org$/ {
  954. $group = "openstackid"
  955. class { 'openstack_project::openstackid_prod':
  956. site_admin_password => hiera('openstackid_site_admin_password'),
  957. id_mysql_host => hiera('openstackid_id_mysql_host', 'localhost'),
  958. id_mysql_password => hiera('openstackid_id_mysql_password'),
  959. id_mysql_user => hiera('openstackid_id_mysql_user', 'username'),
  960. id_db_name => hiera('openstackid_id_db_name'),
  961. ss_mysql_host => hiera('openstackid_ss_mysql_host', 'localhost'),
  962. ss_mysql_password => hiera('openstackid_ss_mysql_password'),
  963. ss_mysql_user => hiera('openstackid_ss_mysql_user', 'username'),
  964. ss_db_name => hiera('openstackid_ss_db_name', 'username'),
  965. redis_password => hiera('openstackid_redis_password'),
  966. ssl_cert_file_contents => hiera('openstackid_ssl_cert_file_contents'),
  967. ssl_key_file_contents => hiera('openstackid_ssl_key_file_contents'),
  968. ssl_chain_file_contents => hiera('openstackid_ssl_chain_file_contents'),
  969. id_recaptcha_public_key => hiera('openstackid_recaptcha_public_key'),
  970. id_recaptcha_private_key => hiera('openstackid_recaptcha_private_key'),
  971. vhost_name => 'openstackid.org',
  972. session_cookie_domain => 'openstackid.org',
  973. serveradmin => 'webmaster@openstackid.org',
  974. canonicalweburl => 'https://openstackid.org/',
  975. app_url => 'https://openstackid.org',
  976. app_key => hiera('openstackid_app_key'),
  977. id_log_error_to_email => 'openstack@tipit.net',
  978. id_log_error_from_email => 'noreply@openstack.org',
  979. email_driver => 'sendgrid',
  980. email_send_grid_api_key => hiera('openstackid_send_grid_api_key'),
  981. php_version => 7,
  982. mysql_ssl_enabled => true,
  983. mysql_ssl_ca_file_contents => hiera('openstackid_mysql_ssl_ca_file_contents'),
  984. mysql_ssl_client_key_file_contents => hiera('openstackid_mysql_ssl_client_key_file_contents'),
  985. mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),
  986. lost_password_url => 'https://openstackid.org/lost-password',
  987. registration_url => 'https://openstackid.org/registration',
  988. registration_mobile_url => 'https://openstackid.org/registration-mobile',
  989. resend_verification_url => 'https://openstackid.org/resend-verification',
  990. }
  991. }
  992. # Node-OS: xenial
  993. node /^openstackid-dev\d*\.openstack\.org$/ {
  994. $group = "openstackid-dev"
  995. class { 'openstack_project::openstackid_dev':
  996. site_admin_password => hiera('openstackid_dev_site_admin_password'),
  997. id_mysql_host => hiera('openstackid_dev_id_mysql_host', 'localhost'),
  998. id_mysql_password => hiera('openstackid_dev_id_mysql_password'),
  999. id_mysql_user => hiera('openstackid_dev_id_mysql_user', 'username'),
  1000. ss_mysql_host => hiera('openstackid_dev_ss_mysql_host', 'localhost'),
  1001. ss_mysql_password => hiera('openstackid_dev_ss_mysql_password'),
  1002. ss_mysql_user => hiera('openstackid_dev_ss_mysql_user', 'username'),
  1003. ss_db_name => hiera('openstackid_dev_ss_db_name', 'username'),
  1004. redis_password => hiera('openstackid_dev_redis_password'),
  1005. ssl_cert_file_contents => hiera('openstackid_dev_ssl_cert_file_contents'),
  1006. ssl_key_file_contents => hiera('openstackid_dev_ssl_key_file_contents'),
  1007. ssl_chain_file_contents => hiera('openstackid_dev_ssl_chain_file_contents'),
  1008. id_recaptcha_public_key => hiera('openstackid_dev_recaptcha_public_key'),
  1009. id_recaptcha_private_key => hiera('openstackid_dev_recaptcha_private_key'),
  1010. vhost_name => 'openstackid-dev.openstack.org',
  1011. session_cookie_domain => 'openstackid-dev.openstack.org',
  1012. serveradmin => 'webmaster@openstackid-dev.openstack.org',
  1013. canonicalweburl => 'https://openstackid-dev.openstack.org/',
  1014. app_url => 'https://openstackid-dev.openstack.org',
  1015. app_key => hiera('openstackid_dev_app_key'),
  1016. id_log_error_to_email => 'openstack@tipit.net',
  1017. id_log_error_from_email => 'noreply@openstack.org',
  1018. email_driver => 'sendgrid',
  1019. email_send_grid_api_key => hiera('openstackid_dev_send_grid_api_key'),
  1020. php_version => 7,
  1021. mysql_ssl_enabled => true,
  1022. mysql_ssl_ca_file_contents => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),
  1023. mysql_ssl_client_key_file_contents => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),
  1024. mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),
  1025. lost_password_url => 'https://openstackid-dev.openstack.org/lost-password',
  1026. registration_url => 'https://openstackid-dev.openstack.org/registration',
  1027. registration_mobile_url => 'https://openstackid-dev.openstack.org/registration-mobile',
  1028. resend_verification_url => 'https://openstackid-dev.openstack.org/resend-verification',
  1029. }
  1030. }
  1031. # Node-OS: trusty
  1032. # Used for testing all-in-one deployments
  1033. node 'single-node-ci.test.only' {
  1034. include ::openstackci::single_node_ci
  1035. }
  1036. # Node-OS: xenial
  1037. node /^kdc03\.open.*\.org$/ {
  1038. class { 'openstack_project::server': }
  1039. class { 'openstack_project::kdc': }
  1040. }
  1041. # Node-OS: xenial
  1042. node /^kdc04\.open.*\.org$/ {
  1043. class { 'openstack_project::server': }
  1044. class { 'openstack_project::kdc':
  1045. slave => true,
  1046. }
  1047. }
  1048. # Node-OS: xenial
  1049. node /^afsdb01\.open.*\.org$/ {
  1050. $group = "afsdb"
  1051. class { 'openstack_project::server':
  1052. afs => true,
  1053. }
  1054. include openstack_project::afsdb
  1055. include openstack_project::afsrelease
  1056. }
  1057. # Node-OS: xenial
  1058. node /^afsdb.*\.open.*\.org$/ {
  1059. $group = "afsdb"
  1060. class { 'openstack_project::server':
  1061. afs => true,
  1062. }
  1063. include openstack_project::afsdb
  1064. }
  1065. # Node-OS: xenial
  1066. node /^afs.*\..*\.open.*\.org$/ {
  1067. $group = "afs"
  1068. class { 'openstack_project::server':
  1069. afs => true,
  1070. }
  1071. include openstack_project::afsfs
  1072. }
  1073. # Node-OS: trusty
  1074. node /^ask\d*\.open.*\.org$/ {
  1075. class { 'openstack_project::server': }
  1076. class { 'openstack_project::ask':
  1077. db_user => hiera('ask_db_user', 'ask'),
  1078. db_password => hiera('ask_db_password'),
  1079. redis_password => hiera('ask_redis_password'),
  1080. site_ssl_cert_file_contents => hiera('ask_site_ssl_cert_file_contents', undef),
  1081. site_ssl_key_file_contents => hiera('ask_site_ssl_key_file_contents', undef),
  1082. site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),
  1083. }
  1084. }
  1085. # Node-OS: trusty
  1086. node /^ask-staging\d*\.open.*\.org$/ {
  1087. class { 'openstack_project::server': }
  1088. class { 'openstack_project::ask_staging':
  1089. db_password => hiera('ask_staging_db_password'),
  1090. redis_password => hiera('ask_staging_redis_password'),
  1091. }
  1092. }
  1093. # Node-OS: xenial
  1094. node /^translate\d+\.open.*\.org$/ {
  1095. $group = "translate"
  1096. class { 'openstack_project::server': }
  1097. class { 'openstack_project::translate':
  1098. admin_users => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
  1099. openid_url => 'https://openstackid.org',
  1100. listeners => ['ajp'],
  1101. from_address => 'noreply@openstack.org',
  1102. mysql_host => hiera('translate_mysql_host', 'localhost'),
  1103. mysql_password => hiera('translate_mysql_password'),
  1104. zanata_server_user => hiera('proposal_zanata_user'),
  1105. zanata_server_api_key => hiera('proposal_zanata_api_key'),
  1106. zanata_wildfly_version => '10.1.0',
  1107. zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',
  1108. zanata_main_version => 4,
  1109. zanata_url => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',
  1110. zanata_checksum => 'eaf8bd07401dade758b677007d2358f173193d17',
  1111. project_config_repo => 'https://opendev.org/openstack/project-config',
  1112. ssl_cert_file_contents => hiera('translate_ssl_cert_file_contents'),
  1113. ssl_key_file_contents => hiera('translate_ssl_key_file_contents'),
  1114. ssl_chain_file_contents => hiera('translate_ssl_chain_file_contents'),
  1115. vhost_name => 'translate.openstack.org',
  1116. }
  1117. }
  1118. # Node-OS: xenial
  1119. node /^translate-dev\d*\.open.*\.org$/ {
  1120. $group = "translate-dev"
  1121. class { 'openstack_project::translate_dev':
  1122. admin_users => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
  1123. openid_url => 'https://openstackid-dev.openstack.org',
  1124. listeners => ['ajp'],
  1125. from_address => 'noreply@openstack.org',
  1126. mysql_host => hiera('translate_dev_mysql_host', 'localhost'),
  1127. mysql_password => hiera('translate_dev_mysql_password'),
  1128. zanata_server_user => hiera('proposal_zanata_user'),
  1129. zanata_server_api_key => hiera('proposal_zanata_api_key'),
  1130. project_config_repo => 'https://opendev.org/openstack/project-config',
  1131. vhost_name => 'translate-dev.openstack.org',
  1132. }
  1133. }
  1134. # Node-OS: xenial
  1135. node /^codesearch\d*\.open.*\.org$/ {
  1136. $group = "codesearch"
  1137. class { 'openstack_project::server': }
  1138. class { 'openstack_project::codesearch':
  1139. project_config_repo => 'https://opendev.org/openstack/project-config',
  1140. }
  1141. }
  1142. # vim:sw=2:ts=2:expandtab:textwidth=79