System configuration for OpenStack Infrastructure

site.pp 53KB

  1. #
  2. # Top-level variables
  3. #
  4. # There must not be any whitespace between this comment and the variables or
  5. # in between any two variables in order for them to be correctly parsed and
  6. # passed around in test.sh
  7. #
  8. # Note we do not do a hiera lookup here as we set $group on a per node basis
  9. # and that must be set before we can do hiera lookups. Doing a hiera lookup
  10. # here would fail to find any group specific info.
  # Elasticsearch cluster members, passed as discover_nodes to the
  # elasticsearch node definition further down.
  $elasticsearch_nodes = [
    'elasticsearch02.openstack.org',
    'elasticsearch03.openstack.org',
    'elasticsearch04.openstack.org',
    'elasticsearch05.openstack.org',
    'elasticsearch06.openstack.org',
    'elasticsearch07.openstack.org',
  ]
  19. #
  20. # Default: should at least behave like an openstack server
  21. #
  node default {
    # Fallback for any host that matches none of the patterns below: only the
    # baseline openstack_project::server class is declared, with no parameters.
    class { 'openstack_project::server': }
  }
  26. #
  27. # Long lived servers:
  28. #
  29. # Node-OS: xenial
  node /^review\d*\.open.*\.org$/ {
    # Production Gerrit host. $group is set first because the hiera lookups
    # below are resolved per group (see the top-of-file note).
    #
    # hiera() calls with a single argument have no default: a missing key fails
    # catalog compilation rather than deploying an empty credential.
    #
    # NOTE(review): `\.open.*\.org$` accepts any domain that starts with "open"
    # and ends in ".org" - presumably to cover both openstack.org and
    # opendev.org. Any host whose name matches receives every secret declared
    # here, so confirm that only trusted certnames can match.
    # NOTE(review): values passed as class parameters are embedded in the
    # compiled catalog; confirm catalog caches and reports are access
    # controlled accordingly.
    $group = 'review'

    class { 'openstack_project::server': }

    class { 'openstack_project::review':
      project_config_repo                  => 'https://opendev.org/openstack/project-config',

      # GitHub integration credentials.
      github_oauth_token                   => hiera('gerrit_github_token'),
      github_project_username              => hiera('github_project_username', 'username'),
      github_project_password              => hiera('github_project_password'),

      # Database connection.
      mysql_host                           => hiera('gerrit_mysql_host', 'localhost'),
      mysql_password                       => hiera('gerrit_mysql_password'),

      # Gerrit signing keys and the gerritbot account.
      email_private_key                    => hiera('gerrit_email_private_key'),
      token_private_key                    => hiera('gerrit_rest_token_private_key'),
      gerritbot_password                   => hiera('gerrit_gerritbot_password'),
      gerritbot_ssh_rsa_key_contents       => hiera('gerritbot_ssh_rsa_key_contents'),
      gerritbot_ssh_rsa_pubkey_contents    => hiera('gerritbot_ssh_rsa_pubkey_contents'),

      # TLS material for the current (opendev) domain name.
      ssl_cert_file_contents               => hiera('review_opendev_cert_file_contents'),
      ssl_key_file_contents                => hiera('review_opendev_key_file_contents'),
      ssl_chain_file_contents              => hiera('review_opendev_chain_file_contents'),

      # SSH key pairs.
      # NOTE(review): DSA (ssh-dss) keys are rejected by default by current
      # OpenSSH clients; confirm whether the DSA pair is still required.
      ssh_dsa_key_contents                 => hiera('gerrit_ssh_dsa_key_contents'),
      ssh_dsa_pubkey_contents              => hiera('gerrit_ssh_dsa_pubkey_contents'),
      ssh_rsa_key_contents                 => hiera('gerrit_ssh_rsa_key_contents'),
      ssh_rsa_pubkey_contents              => hiera('gerrit_ssh_rsa_pubkey_contents'),
      ssh_project_rsa_key_contents         => hiera('gerrit_project_ssh_rsa_key_contents'),
      ssh_project_rsa_pubkey_contents      => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
      ssh_welcome_rsa_key_contents         => hiera('welcome_message_gerrit_ssh_private_key'),
      ssh_welcome_rsa_pubkey_contents      => hiera('welcome_message_gerrit_ssh_public_key'),
      ssh_replication_rsa_key_contents     => hiera('gerrit_replication_ssh_rsa_key_contents'),
      ssh_replication_rsa_pubkey_contents  => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),

      # Launchpad, Swift and StoryBoard credentials.
      lp_access_token                      => hiera('gerrit_lp_access_token'),
      lp_access_secret                     => hiera('gerrit_lp_access_secret'),
      lp_consumer_key                      => hiera('gerrit_lp_consumer_key'),
      swift_username                       => hiera('swift_store_user', 'username'),
      swift_password                       => hiera('swift_store_key'),
      storyboard_password                  => hiera('gerrit_storyboard_token'),

      # Compatibility layer vars for the old domain name below here.
      # TODO rename the hiera keys to reduce confusion
      review_openstack_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),
      review_openstack_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),
      review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
    }
  }
  71. # Node-OS: xenial
  node /^review-dev\d*\.open.*\.org$/ {
    # Development Gerrit host. All credentials come from the gerrit_dev_* /
    # github_dev_* hiera keys, i.e. a key set separate from production Gerrit.
    # The baseline server class is declared with AFS enabled.
    #
    # NOTE(review): the `\.open.*\.org$` suffix matches any "open*.org" domain;
    # confirm only trusted certnames can match, since a matching host is handed
    # the private keys below.
    $group = 'review-dev'

    class { 'openstack_project::server':
      afs => true,
    }

    class { 'openstack_project::review_dev':
      project_config_repo                 => 'https://opendev.org/openstack/project-config',

      # GitHub integration credentials.
      github_oauth_token                  => hiera('gerrit_dev_github_token'),
      github_project_username             => hiera('github_dev_project_username', 'username'),
      github_project_password             => hiera('github_dev_project_password'),

      # Database connection and e-mail signing key.
      mysql_host                          => hiera('gerrit_dev_mysql_host', 'localhost'),
      mysql_password                      => hiera('gerrit_dev_mysql_password'),
      email_private_key                   => hiera('gerrit_dev_email_private_key'),

      # SSH key pairs.
      # NOTE(review): DSA (ssh-dss) keys are rejected by default by current
      # OpenSSH clients; confirm whether the DSA pair is still required.
      ssh_dsa_key_contents                => hiera('gerrit_dev_ssh_dsa_key_contents'),
      ssh_dsa_pubkey_contents             => hiera('gerrit_dev_ssh_dsa_pubkey_contents'),
      ssh_rsa_key_contents                => hiera('gerrit_dev_ssh_rsa_key_contents'),
      ssh_rsa_pubkey_contents             => hiera('gerrit_dev_ssh_rsa_pubkey_contents'),
      ssh_project_rsa_key_contents        => hiera('gerrit_dev_project_ssh_rsa_key_contents'),
      ssh_project_rsa_pubkey_contents     => hiera('gerrit_dev_project_ssh_rsa_pubkey_contents'),
      ssh_replication_rsa_key_contents    => hiera('gerrit_dev_replication_ssh_rsa_key_contents'),
      ssh_replication_rsa_pubkey_contents => hiera('gerrit_dev_replication_ssh_rsa_pubkey_contents'),

      # Launchpad and StoryBoard credentials.
      lp_access_token                     => hiera('gerrit_dev_lp_access_token'),
      lp_access_secret                    => hiera('gerrit_dev_lp_access_secret'),
      lp_consumer_key                     => hiera('gerrit_dev_lp_consumer_key'),
      storyboard_password                 => hiera('gerrit_dev_storyboard_token'),
      storyboard_ssl_cert                 => hiera('gerrit_dev_storyboard_ssl_crt'),
    }
  }
  100. # Node-OS: xenial
  101. # Puppet-Version: !3
  node /^grafana\d*\.open.*\.org$/ {
    # Grafana host. The admin password, database password and secret_key have
    # no hiera default, so a missing key fails the catalog compile; the user
    # names and DB host fall back to placeholder defaults.
    $group = 'grafana'

    class { 'openstack_project::server': }

    class { 'openstack_project::grafana':
      project_config_repo => 'https://opendev.org/openstack/project-config',
      admin_user          => hiera('grafana_admin_user', 'username'),
      admin_password      => hiera('grafana_admin_password'),
      mysql_host          => hiera('grafana_mysql_host', 'localhost'),
      mysql_name          => hiera('grafana_mysql_name'),
      mysql_user          => hiera('grafana_mysql_user', 'username'),
      mysql_password      => hiera('grafana_mysql_password'),
      secret_key          => hiera('grafana_secret_key'),
    }
  }
  116. # Node-OS: xenial
  node /^health\d*\.openstack\.org$/ {
    # OpenStack Health API host. The pattern is pinned to openstack.org rather
    # than the looser "open*.org" form used by most other nodes in this file.
    # No credentials are looked up here; only the subunit2sql DB host.
    $group = 'health'

    class { 'openstack_project::server': }

    class { 'openstack_project::openstack_health_api':
      hostname            => 'health.openstack.org',
      subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
    }
  }
  125. # Node-OS: xenial
  node /^cacti\d+\.open.*\.org$/ {
    # Cacti monitoring host; also runs the ssl_cert_check class.
    # NOTE(review): openstack_project::server is not declared in this node,
    # unlike most others - presumably the cacti class declares it itself;
    # confirm so the baseline hardening is not skipped.
    $group = 'cacti'

    include openstack_project::ssl_cert_check

    class { 'openstack_project::cacti':
      vhost_name  => 'cacti.openstack.org',
      # List of monitored hosts; hiera_array() merges across hierarchy levels.
      cacti_hosts => hiera_array('cacti_hosts'),
    }
  }
  134. # Node-OS: xenial
  node /^graphite\d*\.open.*\.org$/ {
    # Graphite host. No $group is set in this node.
    # NOTE(review): the certificate paths are hard-coded for
    # graphite01.opendev.org while the node pattern accepts any
    # graphite<N>.open*.org name; a different matching host would point at
    # paths for another hostname - confirm this is intended.
    class { 'openstack_project::server': }

    class { '::graphite':
      graphite_admin_user     => hiera('graphite_admin_user', 'username'),
      graphite_admin_email    => hiera('graphite_admin_email', 'email@example.com'),
      graphite_admin_password => hiera('graphite_admin_password'),

      # NOTE(ianw): installed on the host via ansible
      ssl_cert_file           => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',
      ssl_key_file            => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',
      ssl_chain_file          => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',
    }
  }
  147. # Node-OS: trusty
  148. # Node-OS: xenial
  node /^groups\d*\.open.*\.org$/ {
    # Groups portal host. Passwords and the cron key have no hiera default and
    # must exist; the three TLS values default to undef, so the class receives
    # no certificate material when those keys are absent.
    # NOTE(review): confirm how the groups class behaves with undef TLS
    # contents (whether the site is then served without TLS).
    class { 'openstack_project::server': }

    class { 'openstack_project::groups':
      site_admin_password          => hiera('groups_site_admin_password'),
      site_mysql_host              => hiera('groups_site_mysql_host', 'localhost'),
      site_mysql_password          => hiera('groups_site_mysql_password'),
      conf_cron_key                => hiera('groups_conf_cron_key'),
      site_ssl_cert_file_contents  => hiera('groups_site_ssl_cert_file_contents', undef),
      site_ssl_key_file_contents   => hiera('groups_site_ssl_key_file_contents', undef),
      site_ssl_chain_file_contents => hiera('groups_site_ssl_chain_file_contents', undef),
    }
  }
  161. # Node-OS: trusty
  162. # Node-OS: xenial
  node /^groups-dev\d*\.open.*\.org$/ {
    # Development groups portal. Uses the groups_dev_* hiera keys; the TLS
    # contents default to undef while the on-disk certificate and key paths
    # are fixed here.
    class { 'openstack_project::server': }

    class { 'openstack_project::groups_dev':
      site_admin_password         => hiera('groups_dev_site_admin_password'),
      site_mysql_host             => hiera('groups_dev_site_mysql_host', 'localhost'),
      site_mysql_password         => hiera('groups_dev_site_mysql_password'),
      conf_cron_key               => hiera('groups_dev_conf_cron_key'),
      site_ssl_cert_file_contents => hiera('groups_dev_site_ssl_cert_file_contents', undef),
      site_ssl_key_file_contents  => hiera('groups_dev_site_ssl_key_file_contents', undef),
      site_ssl_cert_file          => '/etc/ssl/certs/groups-dev.openstack.org.pem',
      site_ssl_key_file           => '/etc/ssl/private/groups-dev.openstack.org.key',
    }
  }
  176. # Node-OS: trusty
  177. # Node-OS: xenial
  node /^lists\d*\.open.*\.org$/ {
    # Mailing list host.
    # NOTE(review): no $group is set and the katacontainers list node reads
    # the same 'listpassword' key; presumably a per-host hiera level keeps the
    # two passwords distinct - confirm.
    class { 'openstack_project::server': }

    class { 'openstack_project::lists':
      listpassword => hiera('listpassword'),
    }
  }
  184. # Node-OS: xenial
  node /^lists\d*\.katacontainers\.io$/ {
    # Kata Containers mailing list host.
    # NOTE(review): no $group is set and the openstack list node reads the
    # same 'listpassword' key; presumably a per-host hiera level keeps the two
    # passwords distinct - confirm.
    class { 'openstack_project::server': }

    class { 'openstack_project::kata_lists':
      listpassword => hiera('listpassword'),
    }
  }
  191. # Node-OS: xenial
  node /^paste\d*\.open.*\.org$/ {
    # Paste service host. Neither DB lookup has a default, so both keys must
    # exist in hiera for the catalog to compile.
    $group = 'paste'

    class { 'openstack_project::server': }

    class { 'openstack_project::paste':
      vhost_name  => 'paste.openstack.org',
      db_host     => hiera('paste_db_host'),
      db_password => hiera('paste_db_password'),
    }
  }
  201. # Node-OS: xenial
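  node /^planet\d*\.open.*\.org$/ {
    # Planet (feed aggregator) host.
    #
    # The pattern is anchored with ^ like every other node regex in this file.
    # Without the anchor, any certname that merely ended in
    # planet<N>.open*.org - i.e. with an arbitrary prefix - was classified as
    # this node as well.
    #
    # NOTE(review): openstack_project::server is not declared here, unlike
    # most nodes - presumably the planet class declares it; confirm.
    class { 'openstack_project::planet': }
  }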
  206. # Node-OS: xenial
  node /^eavesdrop\d*\.open.*\.org$/ {
    # IRC bot host: meetbot, statusbot, accessbot and ptgbot. Bot passwords
    # and the Twitter/wiki credentials have no hiera default.
    $group = 'eavesdrop'

    class { 'openstack_project::server': }

    class { 'openstack_project::eavesdrop':
      project_config_repo            => 'https://opendev.org/openstack/project-config',

      # meetbot
      nickpass                       => hiera('openstack_meetbot_password'),
      # NOTE(review): read with hiera() while statusbot_channels uses
      # hiera_array(); the two defaults also differ ('openstack-infra' here,
      # 'openstack_infra' for statusbot) - confirm both are intended.
      meetbot_channels               => hiera('meetbot_channels', ['openstack-infra']),

      # statusbot: IRC identity.
      statusbot_nick                 => hiera('statusbot_nick', 'username'),
      statusbot_password             => hiera('statusbot_nick_password'),
      statusbot_server               => 'chat.freenode.net',
      statusbot_channels             => hiera_array('statusbot_channels', ['openstack_infra']),
      # Nicks allowed to drive statusbot; no default, so the key must exist.
      statusbot_auth_nicks           => hiera_array('statusbot_auth_nicks'),

      # statusbot: wiki publishing.
      statusbot_wiki_user            => hiera('statusbot_wiki_username', 'username'),
      statusbot_wiki_password        => hiera('statusbot_wiki_password'),
      statusbot_wiki_url             => 'https://wiki.openstack.org/w/api.php',
      # https://wiki.openstack.org/wiki/Infrastructure_Status
      statusbot_wiki_pageid          => '1781',
      statusbot_wiki_successpageid   => '7717',
      statusbot_wiki_successpageurl  => 'https://wiki.openstack.org/wiki/Successes',
      statusbot_wiki_thankspageid    => '37700',
      statusbot_wiki_thankspageurl   => 'https://wiki.openstack.org/wiki/Thanks',
      # NOTE(review): plain-http link template; confirm whether the log site
      # is reachable over https.
      statusbot_irclogs_url          => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',

      # statusbot: Twitter posting.
      statusbot_twitter              => true,
      statusbot_twitter_key          => hiera('statusbot_twitter_key'),
      statusbot_twitter_secret       => hiera('statusbot_twitter_secret'),
      statusbot_twitter_token_key    => hiera('statusbot_twitter_token_key'),
      statusbot_twitter_token_secret => hiera('statusbot_twitter_token_secret'),

      # accessbot and ptgbot.
      accessbot_nick                 => hiera('accessbot_nick', 'username'),
      accessbot_password             => hiera('accessbot_nick_password'),
      ptgbot_nick                    => hiera('ptgbot_nick', 'username'),
      ptgbot_password                => hiera('ptgbot_password'),
    }
  }
  240. # Node-OS: xenial
  node /^ethercalc\d+\.open.*\.org$/ {
    # Ethercalc host.
    # NOTE(review): the TLS hiera keys are not service-prefixed
    # ('ssl_key_file_contents' etc.), so which private key is returned depends
    # entirely on the hiera level selected by $group - confirm no shared level
    # defines these keys.
    $group = 'ethercalc'

    class { 'openstack_project::server': }

    class { 'openstack_project::ethercalc':
      vhost_name              => 'ethercalc.openstack.org',
      ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
    }
  }
  251. # Node-OS: xenial
  node /^etherpad\d*\.open.*\.org$/ {
    # Production Etherpad host. TLS material and the DB password have no
    # hiera default; DB host and user fall back to placeholder defaults.
    $group = 'etherpad'

    class { 'openstack_project::server': }

    class { 'openstack_project::etherpad':
      vhost_name              => 'etherpad.openstack.org',
      ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
      mysql_host              => hiera('etherpad_db_host', 'localhost'),
      mysql_user              => hiera('etherpad_db_user', 'username'),
      mysql_password          => hiera('etherpad_db_password'),
    }
  }
  265. # Node-OS: xenial
  node /^etherpad-dev\d*\.open.*\.org$/ {
    # Development Etherpad host. Uses its own etherpad-dev_* DB keys; no TLS
    # parameters are passed from this node.
    $group = 'etherpad-dev'

    class { 'openstack_project::server': }

    class { 'openstack_project::etherpad_dev':
      vhost_name     => 'etherpad-dev.openstack.org',
      mysql_host     => hiera('etherpad-dev_db_host', 'localhost'),
      mysql_user     => hiera('etherpad-dev_db_user', 'username'),
      mysql_password => hiera('etherpad-dev_db_password'),
    }
  }
  276. # Node-OS: trusty
  node /^wiki\d+\.openstack\.org$/ {
    # Production wiki host. The pattern is pinned to openstack.org.
    # NOTE(review): openstack_project::server is not declared in this node -
    # presumably the wiki class handles the baseline; confirm.
    # NOTE(review): the wg_* and ssl_* hiera keys are the same names the
    # wiki-dev node reads, so production and dev secrets are separated only by
    # the $group-selected hiera level - confirm no shared level defines them.
    $group = 'wiki'

    class { 'openstack_project::wiki':
      site_hostname             => 'wiki.openstack.org',
      serveradmin               => hiera('infra_apache_serveradmin'),
      bup_user                  => 'bup-wiki',

      # TLS material.
      ssl_cert_file_contents    => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents     => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents   => hiera('ssl_chain_file_contents'),

      # Database.
      wg_dbserver               => hiera('wg_dbserver'),
      wg_dbname                 => 'openstack_wiki',
      wg_dbuser                 => 'wikiuser',
      wg_dbpassword             => hiera('wg_dbpassword'),

      # Application secrets and third-party keys.
      wg_secretkey              => hiera('wg_secretkey'),
      wg_upgradekey             => hiera('wg_upgradekey'),
      wg_recaptchasitekey       => hiera('wg_recaptchasitekey'),
      wg_recaptchasecretkey     => hiera('wg_recaptchasecretkey'),
      wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),
    }
  }
  297. # Node-OS: trusty
  node /^wiki-dev\d+\.openstack\.org$/ {
    # Development wiki host; reuses the openstack_project::wiki class with
    # robots disallowed and without TLS or backup-user parameters.
    # NOTE(review): the wg_* hiera keys are the same names the production wiki
    # node reads, so the two environments are separated only by the
    # $group-selected hiera level - confirm dev does not resolve to production
    # secrets.
    $group = 'wiki-dev'

    class { 'openstack_project::wiki':
      site_hostname         => 'wiki-dev.openstack.org',
      serveradmin           => hiera('infra_apache_serveradmin'),
      disallow_robots       => true,

      # Database.
      wg_dbserver           => hiera('wg_dbserver'),
      wg_dbname             => 'openstack_wiki',
      wg_dbuser             => 'wikiuser',
      wg_dbpassword         => hiera('wg_dbpassword'),

      # Application secrets and reCAPTCHA keys.
      wg_secretkey          => hiera('wg_secretkey'),
      wg_upgradekey         => hiera('wg_upgradekey'),
      wg_recaptchasitekey   => hiera('wg_recaptchasitekey'),
      wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
    }
  }
  314. # Node-OS: xenial
  node /^logstash\d*\.open.*\.org$/ {
    # Logstash front-end host. discover_nodes lists the Elasticsearch members
    # with their port; the order is kept exactly as written (03 first, 02
    # last).
    class { 'openstack_project::server': }

    class { 'openstack_project::logstash':
      discover_nodes      => [
        'elasticsearch03.openstack.org:9200',
        'elasticsearch04.openstack.org:9200',
        'elasticsearch05.openstack.org:9200',
        'elasticsearch06.openstack.org:9200',
        'elasticsearch07.openstack.org:9200',
        'elasticsearch02.openstack.org:9200',
      ],
      # NOTE(review): both lookups default to '' - a missing hiera key yields
      # an empty DB host/password instead of a compile failure. Confirm the
      # empty default is only meant for test runs.
      subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
      subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
    }
  }
  330. # Node-OS: xenial
  node /^logstash-worker\d+\.open.*\.org$/ {
    # Logstash worker host, pointed at a single Elasticsearch node.
    # NOTE(review): enable_mqtt is false, yet the MQTT password and CA are
    # still looked up and passed in, so the secret is part of this node's
    # catalog even though the feature is off - confirm whether that is needed.
    $group = 'logstash-worker'

    class { 'openstack_project::server': }

    class { 'openstack_project::logstash_worker':
      discover_node         => 'elasticsearch03.openstack.org',
      enable_mqtt           => false,
      mqtt_password         => hiera('mqtt_service_user_password'),
      mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
    }
  }
  341. # Node-OS: xenial
  node /^subunit-worker\d+\.open.*\.org$/ {
    # Subunit worker host: writes to the subunit2sql DB and talks to MQTT.
    $group = 'subunit-worker'

    class { 'openstack_project::server': }

    class { 'openstack_project::subunit_worker':
      # NOTE(review): both DB lookups default to '' - a missing hiera key
      # yields an empty host/password instead of a compile failure. Confirm
      # the empty default is only meant for test runs.
      subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),
      subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),
      mqtt_pass             => hiera('mqtt_service_user_password'),
      mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
    }
  }
  352. # Node-OS: xenial
  node /^elasticsearch\d+\.open.*\.org$/ {
    # Elasticsearch cluster member; peers come from the top-level
    # $elasticsearch_nodes list. No credentials are configured in this node.
    $group = 'elasticsearch'

    class { 'openstack_project::server': }

    class { 'openstack_project::elasticsearch_node':
      discover_nodes => $elasticsearch_nodes,
    }
  }
  360. # Node-OS: xenial
  node /^firehose\d+\.open.*\.org$/ {
    # Firehose (MQTT broker plus Gerrit and Launchpad feeders). No $group is
    # set in this node. The Gerrit SSH host key is supplied from hiera so the
    # connection to Gerrit is pinned to a known key.
    #
    # NOTE(review): the `\.open.*\.org$` suffix matches any "open*.org"
    # domain; confirm only trusted certnames can match, since a matching host
    # receives the TLS server key and the IMAP and Gerrit credentials below.
    class { 'openstack_project::server': }

    class { 'openstack_project::firehose':
      # Gerrit event stream access.
      gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
      gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),
      gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),

      # MQTT broker credentials and TLS material.
      mqtt_password       => hiera('mqtt_service_user_password'),
      ca_file             => hiera('mosquitto_tls_ca_file'),
      cert_file           => hiera('mosquitto_tls_server_cert_file'),
      key_file            => hiera('mosquitto_tls_server_key_file'),

      # IMAP mailbox used by lpmqtt.
      imap_hostname       => hiera('lpmqtt_imap_server'),
      imap_username       => hiera('lpmqtt_imap_username'),
      imap_password       => hiera('lpmqtt_imap_password'),

      statsd_host         => 'graphite.opendev.org',
    }
  }
  377. # A machine to drive AFS mirror updates.
  378. # Node-OS: xenial
  node /^mirror-update\d*\.open.*\.org$/ {
    # Drives AFS mirror updates. Each keytab is a long-lived Kerberos
    # credential; none of the lookups has a default, so every key must exist.
    #
    # NOTE(review): this node receives the AFS admin keytab. The
    # `\.open.*\.org$` suffix matches any "open*.org" domain - confirm only
    # trusted certnames can match.
    # NOTE(review): openstack_project::server is not declared here -
    # presumably the mirror_update class declares it; confirm.
    $group = 'afsadmin'

    class { 'openstack_project::mirror_update':
      admin_keytab          => hiera('afsadmin_keytab'),
      fedora_keytab         => hiera('fedora_keytab'),
      opensuse_keytab       => hiera('opensuse_keytab'),
      reprepro_keytab       => hiera('reprepro_keytab'),
      gem_keytab            => hiera('gem_keytab'),
      centos_keytab         => hiera('centos_keytab'),
      epel_keytab           => hiera('epel_keytab'),
      yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),
    }
  }
  392. # Machines in each region to serve AFS mirrors.
  393. # Node-OS: xenial
  node /^mirror\d*\..*\.open.*\.org$/ {
    # Per-region AFS mirror servers. The vhost name is the host's own FQDN
    # fact, and the mirror class is ordered after the baseline server class.
    # No credentials are looked up in this node.
    $group = 'mirror'

    class { 'openstack_project::server':
      afs            => true,
      afs_cache_size => 50000000, # 50GB
    }

    class { 'openstack_project::mirror':
      vhost_name => $::fqdn,
      require    => Class['Openstack_project::Server'],
    }
  }
  405. # Serve static AFS content for docs and other sites.
  406. # Node-OS: xenial
  node /^files\d*\.open.*\.org$/ {
    # Serves static AFS content for docs and several project sites. This node
    # holds the TLS private keys for every site listed below, so a host that
    # matches the pattern receives all of them.
    #
    # NOTE(review): the `\.open.*\.org$` suffix matches any "open*.org"
    # domain; confirm only trusted certnames can match.
    $group = 'files'

    class { 'openstack_project::server':
      afs            => true,
      afs_cache_size => 10000000, # 10GB
    }

    class { 'openstack_project::files':
      vhost_name                        => 'files.openstack.org',

      # developer site
      developer_cert_file_contents      => hiera('developer_cert_file_contents'),
      developer_key_file_contents       => hiera('developer_key_file_contents'),
      developer_chain_file_contents     => hiera('developer_chain_file_contents'),

      # docs site
      docs_cert_file_contents           => hiera('docs_cert_file_contents'),
      docs_key_file_contents            => hiera('docs_key_file_contents'),
      docs_chain_file_contents          => hiera('docs_chain_file_contents'),

      # git redirect sites
      git_airship_cert_file_contents    => hiera('git_airship_cert_file_contents'),
      git_airship_key_file_contents     => hiera('git_airship_key_file_contents'),
      git_airship_chain_file_contents   => hiera('git_airship_chain_file_contents'),
      git_openstack_cert_file_contents  => hiera('git_openstack_cert_file_contents'),
      git_openstack_key_file_contents   => hiera('git_openstack_key_file_contents'),
      git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),
      git_starlingx_cert_file_contents  => hiera('git_starlingx_cert_file_contents'),
      git_starlingx_key_file_contents   => hiera('git_starlingx_key_file_contents'),
      git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
      git_zuul_cert_file_contents       => hiera('git_zuul_cert_file_contents'),
      git_zuul_key_file_contents        => hiera('git_zuul_key_file_contents'),
      git_zuul_chain_file_contents      => hiera('git_zuul_chain_file_contents'),

      require                           => Class['Openstack_project::Server'],
    }

    # Temporary for evaluating htaccess rules
    # NOTE(review): plain-HTTP vhost flagged as temporary; confirm it is still
    # needed.
    ::httpd::vhost { 'git-test.openstack.org':
      port     => 80, # Is required despite not being used.
      docroot  => '/afs/openstack.org/project/git-test/www',
      priority => '50',
      template => 'openstack_project/git-test.vhost.erb',
    }

    # Additional TLS-enabled websites, each declared after the files class.
    openstack_project::website { 'docs.starlingx.io':
      volume_name      => 'starlingx.io',
      aliases          => [],
      ssl_cert         => hiera('docs_starlingx_io_ssl_cert'),
      ssl_key          => hiera('docs_starlingx_io_ssl_key'),
      ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }

    openstack_project::website { 'docs.opendev.org':
      aliases          => [],
      docroot          => '/afs/openstack.org/project/opendev.org/docs',
      ssl_cert         => hiera('docs_opendev_ssl_cert'),
      ssl_key          => hiera('docs_opendev_ssl_key'),
      ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }

    openstack_project::website { 'zuul-ci.org':
      aliases          => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
      ssl_cert         => hiera('zuul-ci_org_ssl_cert'),
      ssl_key          => hiera('zuul-ci_org_ssl_key'),
      ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }
  }
  466. # Node-OS: trusty
  467. # Node-OS: xenial
  node /^refstack\d*\.open.*\.org$/ {
    # RefStack host served over https, plus a remote MySQL backup that reuses
    # the same database host, user and password lookups as the application.
    # No $group is set in this node.
    class { 'openstack_project::server': }

    class { 'refstack':
      protocol            => 'https',

      # Database.
      mysql_host          => hiera('refstack_mysql_host', 'localhost'),
      mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),
      mysql_user          => hiera('refstack_mysql_user', 'refstack'),
      mysql_user_password => hiera('refstack_mysql_password'),

      # TLS: contents from hiera, written to the fixed paths given here.
      ssl_cert_content    => hiera('refstack_ssl_cert_file_contents'),
      ssl_cert            => '/etc/ssl/certs/refstack.pem',
      ssl_key_content     => hiera('refstack_ssl_key_file_contents'),
      ssl_key             => '/etc/ssl/private/refstack.key',
      ssl_ca_content      => hiera('refstack_ssl_chain_file_contents'),
      ssl_ca              => '/etc/ssl/certs/refstack.ca.pem',
    }

    mysql_backup::backup_remote { 'refstack':
      database_host     => hiera('refstack_mysql_host', 'localhost'),
      database_user     => hiera('refstack_mysql_user', 'refstack'),
      database_password => hiera('refstack_mysql_password'),
      require           => Class['::refstack'],
    }
  }
  490. # A machine to run Storyboard
  491. # Node-OS: xenial
  node /^storyboard\d+\.opendev\.org$/ {
    # Production StoryBoard host; the pattern is pinned to opendev.org.
    # NOTE(review): the storyboard_* hiera keys are the same names the
    # storyboard-dev node reads, so the environments are separated only by the
    # $group-selected hiera level - confirm.
    $group = 'storyboard'

    class { 'openstack_project::storyboard':
      project_config_repo     => 'https://opendev.org/openstack/project-config',
      hostname                => 'storyboard.openstack.org',
      default_url             => 'https://storyboard.openstack.org',
      sender_email_address    => 'storyboard@storyboard.openstack.org',

      # Database and message queue credentials.
      mysql_host              => hiera('storyboard_db_host', 'localhost'),
      mysql_user              => hiera('storyboard_db_user', 'username'),
      mysql_password          => hiera('storyboard_db_password'),
      rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),
      rabbitmq_password       => hiera('storyboard_rabbit_password'),

      # TLS: contents from hiera, written to the fixed paths given here.
      ssl_cert                => '/etc/ssl/certs/storyboard.openstack.org.pem',
      ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),
      ssl_key                 => '/etc/ssl/private/storyboard.openstack.org.key',
      ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),

      # Clients allowed to use the OAuth flow.
      valid_oauth_clients     => [
        'storyboard.openstack.org',
        'logs.openstack.org',
      ],
      # NOTE(review): the second origin is plain http. Content served over an
      # unauthenticated channel is then trusted for cross-origin API access;
      # confirm whether the https origin can be used instead.
      cors_allowed_origins    => [
        'https://storyboard.openstack.org',
        'http://logs.openstack.org',
      ],
    }
  }
  519. # A machine to run Storyboard devel
  520. # Node-OS: xenial
  node /^storyboard-dev\d+\.opendev\.org$/ {
    # Development StoryBoard host; no TLS parameters are passed from this node.
    # NOTE(review): the storyboard_* hiera keys are the same names the
    # production storyboard node reads, so the environments are separated only
    # by the $group-selected hiera level - confirm dev does not resolve to
    # production credentials.
    $group = 'storyboard-dev'

    class { 'openstack_project::storyboard::dev':
      project_config_repo  => 'https://opendev.org/openstack/project-config',
      hostname             => 'storyboard-dev.openstack.org',
      default_url          => 'https://storyboard-dev.openstack.org',
      sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',

      # Database and message queue credentials.
      mysql_host           => hiera('storyboard_db_host', 'localhost'),
      mysql_user           => hiera('storyboard_db_user', 'username'),
      mysql_password       => hiera('storyboard_db_password'),
      rabbitmq_user        => hiera('storyboard_rabbit_user', 'username'),
      rabbitmq_password    => hiera('storyboard_rabbit_password'),

      # Clients allowed to use the OAuth flow.
      valid_oauth_clients  => [
        'storyboard-dev.openstack.org',
        'logs.openstack.org',
      ],
      # NOTE(review): the second origin is plain http. Content served over an
      # unauthenticated channel is then trusted for cross-origin API access;
      # confirm whether the https origin can be used instead.
      cors_allowed_origins => [
        'https://storyboard-dev.openstack.org',
        'http://logs.openstack.org',
      ],
    }
  }
  543. # A machine to serve static content.
  544. # Node-OS: trusty
  545. # Node-OS: xenial
  node /^static\d*\.open.*\.org$/ {
    # Static content host backed by a Swift container. The Swift user name is
    # fixed here; only its key and the tenant name come from hiera. No $group
    # is set in this node.
    # NOTE(review): the user is named 'infra-files-ro' - presumably a
    # read-only account; confirm the account really has no write access.
    class { 'openstack_project::server': }

    class { 'openstack_project::static':
      project_config_repo     => 'https://opendev.org/openstack/project-config',

      # Swift access.
      swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',
      swift_user              => 'infra-files-ro',
      swift_key               => hiera('infra_files_ro_password'),
      swift_tenant_name       => hiera('infra_files_tenant_name', 'tenantname'),
      swift_region_name       => 'DFW',
      swift_default_container => 'infra-files',

      # TLS material.
      ssl_cert_file_contents  => hiera('static_ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('static_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
    }
  }
  561. # Node-OS: xenial
  node /^zk\d+\.open.*\.org$/ {
    # We use IP addresses here so that zk listens on the public facing
    # addresses, allowing cluster members to talk to each other. Without this
    # they listen on 127.0.1.1 because that is what we have in /etc/hosts for
    # zk0X.openstack.org.
    #
    # NOTE(review): nothing in this node restricts who may connect to those
    # public addresses, and no ZooKeeper authentication is configured here;
    # presumably firewall rules from the server class limit access - confirm.
    $zk_cluster_members = [
      '23.253.236.126', # zk01
      '172.99.117.32', # zk02
      '23.253.90.246', # zk03
    ]

    class { 'openstack_project::server': }

    class { '::zookeeper':
      # ID needs to be numeric, so we use a regex to extract the digits from
      # the fqdn.
      id             => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),
      servers        => $zk_cluster_members,
      # The frequency in hours to look for and purge old snapshots,
      # defaults to 0 (disabled). The number of retained snapshots can
      # be separately controlled through snap_retain_count and
      # defaults to the minimum value of 3. This will quickly fill the
      # disk in production if not enabled. Works on ZK >=3.4.
      purge_interval => 6,
    }
  }
  585. # A machine to serve various project status updates.
  586. # Node-OS: trusty
  587. # Node-OS: xenial
  node /^status\d*\.open.*\.org$/ {
    # Project status host (reviewday, elastic-recheck). The Gerrit SSH host
    # key is supplied from hiera so connections to review.opendev.org are
    # pinned to a known key.
    $group = 'status'

    class { 'openstack_project::server': }

    class { 'openstack_project::status':
      # Gerrit endpoint and its expected host key.
      gerrit_host               => 'review.opendev.org',
      gerrit_ssh_host_key       => hiera('gerrit_ssh_rsa_pubkey_contents'),

      # reviewday SSH identity.
      reviewday_ssh_public_key  => hiera('reviewday_rsa_pubkey_contents'),
      reviewday_ssh_private_key => hiera('reviewday_rsa_key_contents'),

      # elastic-recheck SSH identity and IRC bot.
      recheck_ssh_public_key    => hiera('elastic-recheck_gerrit_ssh_public_key'),
      recheck_ssh_private_key   => hiera('elastic-recheck_gerrit_ssh_private_key'),
      recheck_bot_nick          => 'openstackrecheck',
      recheck_bot_passwd        => hiera('elastic-recheck_ircbot_password'),
    }
  }
  # Node-OS: xenial
  node /^survey\d+\.open.*\.org$/ {
    $group = 'survey'

    class { 'openstack_project::server': }

    # NOTE(review): the hiera keys below carry no service prefix
    # ('dbpassword', 'adminpass', 'ssl_key_file_contents', ...). Presumably
    # they resolve through host- or group-specific hiera data; confirm they
    # cannot pick up a value meant for another service.
    class { 'openstack_project::survey':
      vhost_name              => 'survey.openstack.org',
      auth_openid             => true,
      # TLS material for the vhost.
      ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
      # Database connection.
      dbhost                  => hiera('dbhost'),
      dbpassword              => hiera('dbpassword'),
      # Application administrator account.
      adminuser               => hiera('adminuser'),
      adminpass               => hiera('adminpass'),
      adminmail               => hiera('adminmail'),
    }
  }
  # Node-OS: xenial
  node /^nl\d+\.open.*\.org$/ {
    $group = 'nodepool'

    # NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)
    # the cloud credentials are deployed with ansible via the
    # configure-openstacksdk role and are no longer configured here

    class { 'openstack_project::server': }
    include openstack_project

    class { '::openstackci::nodepool_launcher':
      # Private key read from hiera; the builder node in this file looks up
      # the matching 'zuul_worker_ssh_public_key_contents'.
      nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),
      project_config_repo      => 'https://opendev.org/openstack/project-config',
      # Follows the tip of master rather than a fixed commit or tag.
      revision                 => 'master',
      python_version           => 3,
      statsd_host              => 'graphite.opendev.org',
      enable_webapp            => true,
    }
  }
  # Node-OS: xenial
  node /^nb\d+\.open.*\.org$/ {
    $group = 'nodepool'

    class { 'openstack_project::server': }
    include openstack_project

    class { '::openstackci::nodepool_builder':
      nodepool_ssh_public_key   => hiera('zuul_worker_ssh_public_key_contents'),
      project_config_repo       => 'https://opendev.org/openstack/project-config',
      # Follows the tip of master rather than a fixed commit or tag.
      revision                  => 'master',
      python_version            => 3,
      zuulv3                    => true,
      upload_workers            => '16',
      statsd_host               => 'graphite.opendev.org',
      # Build logs are served from a vhost named after this host.
      vhost_name                => $::fqdn,
      enable_build_log_via_http => true,
      # NOTE(review): these are the distribution's self-signed "snakeoil"
      # certificate and key, so clients cannot validate this endpoint against
      # a public CA. Confirm that is acceptable for the build-log vhost.
      ssl_cert_file             => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
      ssl_key_file              => '/etc/ssl/private/ssl-cert-snakeoil.key',
    }

    # Daily at 20:00, as the nodepool user, run "git gc" on every *.git
    # directory under the diskimage-builder source cache. Standard output is
    # discarded; PATH is set explicitly for the cron environment.
    cron { 'mirror_gitgc':
      user        => 'nodepool',
      minute      => '0',
      hour        => '20',
      environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
      command     => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
      require     => Class['::openstackci::nodepool_builder'],
    }
  }
  # Node-OS: xenial
  node /^ze\d+\.open.*\.org$/ {
    $group                   = 'zuul-executor'
    $gerrit_server           = 'review.opendev.org'
    $gerrit_user             = 'zuul'
    $gerrit_ssh_host_key     = hiera('gerrit_ssh_rsa_pubkey_contents')
    # Three distinct private keys are used on this node. Note the naming:
    #   $gerrit_ssh_private_key  -> passed to ::zuul as zuul_ssh_private_key
    #   $zuul_ssh_private_key    -> written to /var/lib/zuul/ssh/nodepool_id_rsa
    #   $zuul_static_private_key -> written to /var/lib/zuul/ssh/static_id_rsa
    $gerrit_ssh_private_key  = hiera('gerrit_ssh_private_key_contents')
    $zuul_ssh_private_key    = hiera('zuul_ssh_private_key_contents')
    $zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')
    $git_email               = 'zuul@openstack.org'
    $git_name                = 'OpenStack Zuul'
    $revision                = 'master'

    class { 'openstack_project::server':
      afs => true,
    }

    class { '::project_config':
      url => 'https://opendev.org/openstack/project-config',
    }

    # Later HWE kernels give better memory management, but they need an
    # updated AFS version, which is installed from our custom PPA.
    include ::apt
    apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }
    package { 'linux-generic-hwe-16.04':
      ensure  => present,
      require => [
        Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],
        Class['apt::update'],
      ],
    }

    # Skopeo is needed to push to and pull from the intermediate registry;
    # it is available in the projectatomic PPA.
    apt::ppa { 'ppa:projectatomic/ppa': }
    package { 'skopeo':
      # Pinned to 0.1.36-1~dev~ubuntu16.04.2~ppa14, the last build before the
      # change in required capabilities that broke running skopeo inside
      # bubblewrap.
      # NOTE(review): the pin also holds back any later fixes from this PPA;
      # revisit it once skopeo works under bubblewrap again.
      ensure  => '0.1.36-1~dev~ubuntu16.04.2~ppa14',
      require => [
        Apt::Ppa['ppa:projectatomic/ppa'],
        Class['apt::update'],
      ],
    }

    # Socat is also needed for pushing and pulling images.
    package { 'socat':
      ensure  => present,
      require => [
        Class['apt::update'],
      ],
    }

    # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
    # settings.
    class { '::zuul':
      gearman_server           => 'zuul01.openstack.org',
      gerrit_server            => $gerrit_server,
      gerrit_user              => $gerrit_user,
      zuul_ssh_private_key     => $gerrit_ssh_private_key,
      worker_private_key_file  => '/var/lib/zuul/ssh/nodepool_id_rsa',
      git_email                => $git_email,
      git_name                 => $git_name,
      revision                 => $revision,
      python_version           => 3,
      zuulv3                   => true,
      zookeeper_hosts          => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
      connections              => hiera('zuul_connections', []),
      # TLS client certificate, key and CA for the gearman connection.
      gearman_client_ssl_cert  => hiera('gearman_client_ssl_cert'),
      gearman_client_ssl_key   => hiera('gearman_client_ssl_key'),
      gearman_ssl_ca           => hiera('gearman_ssl_ca'),
      #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs
      # properly. We need to revisit this post Queens PTG.
      # NOTE(review): /var/lib/zuul/ssh is where this node writes
      # nodepool_id_rsa and static_id_rsa, and /afs is writable, so anything
      # running with the trusted path set can read those keys and write to
      # AFS. The untrusted path set is limited to /etc/ssl/certs.
      trusted_ro_paths         => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],
      trusted_rw_paths         => ['/afs'],
      untrusted_ro_paths       => ['/etc/ssl/certs'],
      disk_limit_per_job       => 5000, # Megabytes
      site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,
      statsd_host              => 'graphite.opendev.org',
      require                  => $::project_config::config_dir,
    }

    class { '::zuul::executor': }

    # Used by the log job submission playbook, which runs under python2.
    # NOTE(review): 'latest' from pip is unpinned, so a Puppet run can pull in
    # a new upstream release without review; consider pinning a version.
    package { 'gear':
      ensure   => latest,
      provider => openstack_pip,
      require  => Class['pip'],
    }

    # Private keys on disk: owned by zuul and readable only by that user.
    file { '/var/lib/zuul/ssh/nodepool_id_rsa':
      content => $zuul_ssh_private_key,
      owner   => 'zuul',
      group   => 'zuul',
      mode    => '0400',
      require => File['/var/lib/zuul/ssh'],
    }

    file { '/var/lib/zuul/ssh/static_id_rsa':
      content => $zuul_static_private_key,
      owner   => 'zuul',
      group   => 'zuul',
      mode    => '0400',
      require => File['/var/lib/zuul/ssh'],
    }

    # Pinned SSH host keys, port 29418 in both entries:
    #  - the Gerrit server under both names and both literal addresses, using
    #    the host key read from hiera above;
    #  - git.opendaylight.org with a hard-coded ssh-rsa key, which has to be
    #    updated here by hand if that server's key is ever rotated.
    class { '::zuul::known_hosts':
      known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
    }
  }
  # Node-OS: xenial
  node /^zuul\d+\.open.*\.org$/ {
    $group                = 'zuul-scheduler'
    $gerrit_server        = 'review.opendev.org'
    $gerrit_user          = 'zuul'
    # NOTE(review): this value is interpolated into known_hosts below as the
    # Gerrit server's host key, yet the hiera key is named like a user key.
    # The executor and merger nodes in this file read
    # 'gerrit_ssh_rsa_pubkey_contents' for the same purpose. Confirm this
    # entry really holds the server's public host key.
    $gerrit_ssh_host_key  = hiera('gerrit_zuul_user_ssh_key_contents')
    $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
    $zuul_url             = 'http://zuul.openstack.org/p'
    $git_email            = 'zuul@openstack.org'
    $git_name             = 'OpenStack Zuul'
    $revision             = 'master'

    class { 'openstack_project::server': }

    class { '::project_config':
      url => 'https://opendev.org/openstack/project-config',
    }

    # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
    # settings.
    class { '::zuul':
      gerrit_server                 => $gerrit_server,
      gerrit_user                   => $gerrit_user,
      zuul_ssh_private_key          => $zuul_ssh_private_key,
      git_email                     => $git_email,
      git_name                      => $git_name,
      revision                      => $revision,
      python_version                => 3,
      zuulv3                        => true,
      zookeeper_hosts               => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
      zookeeper_session_timeout     => 40,
      connections                   => hiera('zuul_connections', []),
      connection_secrets            => hiera('zuul_connection_secrets', []),
      vhost_name                    => 'zuul.openstack.org',
      # The status and web endpoints are addressed over loopback.
      zuul_status_url               => 'http://127.0.0.1:8001/openstack',
      zuul_web_url                  => 'http://127.0.0.1:9000',
      zuul_tenant_name              => 'openstack',
      status_url                    => 'https://zuul.openstack.org',
      relative_priority             => true,
      # Gearman TLS: this node gets the server pair as well as the client pair.
      gearman_client_ssl_cert       => hiera('gearman_client_ssl_cert'),
      gearman_client_ssl_key        => hiera('gearman_client_ssl_key'),
      gearman_server_ssl_cert       => hiera('gearman_server_ssl_cert'),
      gearman_server_ssl_key        => hiera('gearman_server_ssl_key'),
      gearman_ssl_ca                => hiera('gearman_ssl_ca'),
      # TLS material for the proxy in front of zuul.
      proxy_ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),
      proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
      proxy_ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),
      statsd_host                   => 'graphite.opendev.org',
    }

    # GitHub app private key: owned by zuul, no access for group or others.
    file { '/etc/zuul/github.key':
      ensure  => present,
      content => hiera('zuul_github_app_key'),
      owner   => 'zuul',
      group   => 'zuul',
      mode    => '0600',
      require => File['/etc/zuul'],
    }

    class { '::zuul::scheduler':
      layout_dir     => $::project_config::zuul_layout_dir,
      python_version => 3,
      use_mysql      => true,
      require        => $::project_config::config_dir,
    }

    class { '::zuul::web':
      # We manage backups below
      enable_status_backups => false,
      # One HTTPS and one plain-HTTP vhost per site name.
      # NOTE(review): the port 80 entries set ssl => false; whether
      # zuul/zuulv3.vhost.erb redirects them to HTTPS is not visible here.
      vhosts                => {
        'zuul.openstack.org'      => {
          port       => 443,
          docroot    => '/opt/zuul-web/content',
          priority   => '50',
          ssl        => true,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.openstack.org',
        },
        'zuul.opendev.org'        => {
          port       => 443,
          docroot    => '/opt/zuul-web/content',
          priority   => '40',
          ssl        => true,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.opendev.org',
        },
        'zuul.openstack.org-http' => {
          port       => 80,
          docroot    => '/opt/zuul-web/content',
          priority   => '50',
          ssl        => false,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.openstack.org',
        },
        'zuul.opendev.org-http'   => {
          port       => 80,
          docroot    => '/opt/zuul-web/content',
          priority   => '40',
          ssl        => false,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.opendev.org',
        },
      },
      # Per-vhost flags: the openstack.org names are bound to the 'openstack'
      # tenant, the opendev.org names carry an empty tenant name.
      vhosts_flags          => {
        'zuul.openstack.org'      => {
          tenant_name => 'openstack',
          ssl         => true,
        },
        'zuul.opendev.org'        => {
          tenant_name => '',
          ssl         => true,
        },
        'zuul.openstack.org-http' => {
          tenant_name => 'openstack',
          ssl         => false,
        },
        'zuul.opendev.org-http'   => {
          tenant_name => '',
          ssl         => false,
        },
      },
      # Each HTTPS site name has its own certificate, chain and key in hiera.
      vhosts_ssl            => {
        'zuul.openstack.org' => {
          ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),
          ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
          ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),
        },
        'zuul.opendev.org'   => {
          ssl_cert_file_contents  => hiera('opendev_zuul_ssl_cert_file_contents'),
          ssl_chain_file_contents => hiera('opendev_zuul_ssl_chain_file_contents'),
          ssl_key_file_contents   => hiera('opendev_zuul_ssl_key_file_contents'),
        },
      },
    }

    # Status backups, one per tenant, fetched from the HTTPS status API.
    zuul::status_backups { 'openstack-zuul-tenant':
      tenant_name => 'openstack',
      ssl         => true,
      status_uri  => 'https://zuul.opendev.org/api/tenant/openstack/status',
    }

    zuul::status_backups { 'kata-zuul-tenant':
      tenant_name => 'kata-containers',
      ssl         => true,
      status_uri  => 'https://zuul.opendev.org/api/tenant/kata-containers/status',
    }

    class { '::zuul::fingergw': }

    # Pinned SSH host keys, port 29418 in both entries: the Gerrit server
    # under both names and both literal addresses (key from
    # $gerrit_ssh_host_key), and git.opendaylight.org with a hard-coded
    # ssh-rsa key.
    class { '::zuul::known_hosts':
      known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
    }

    # Backups of this host are sent to the rax.ord backup server.
    include bup
    bup::site { 'rax.ord':
      backup_user   => 'bup-zuulv3',
      backup_server => 'backup01.ord.rax.ci.openstack.org',
    }
  }
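  # Node-OS: xenial
  # Zuul merger nodes.
  # The dot after the host number is escaped so that it matches only a literal
  # '.', as in every other node pattern in this file. Unescaped, it matched
  # any character, so certnames outside the intended zmNN.open*.org form
  # would also have been compiled this catalog, which carries the Zuul SSH
  # private key and the gearman client key.
  node /^zm\d+\.open.*\.org$/ {
    $group                = 'zuul-merger'
    $gerrit_server        = 'review.opendev.org'
    $gerrit_user          = 'zuul'
    $gerrit_ssh_host_key  = hiera('gerrit_ssh_rsa_pubkey_contents')
    $zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')
    $zuul_url             = "http://${::fqdn}/p"
    $git_email            = 'zuul@openstack.org'
    $git_name             = 'OpenStack Zuul'
    $revision             = 'master'

    class { 'openstack_project::server': }

    # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
    # settings.
    class { '::zuul':
      gearman_server          => 'zuul01.openstack.org',
      gerrit_server           => $gerrit_server,
      gerrit_user             => $gerrit_user,
      zuul_ssh_private_key    => $zuul_ssh_private_key,
      git_email               => $git_email,
      git_name                => $git_name,
      revision                => $revision,
      python_version          => 3,
      zookeeper_hosts         => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
      zuulv3                  => true,
      connections             => hiera('zuul_connections', []),
      # TLS client certificate, key and CA for the gearman connection.
      gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
      gearman_client_ssl_key  => hiera('gearman_client_ssl_key'),
      gearman_ssl_ca          => hiera('gearman_ssl_ca'),
      statsd_host             => 'graphite.opendev.org',
    }

    # The common zuul setup is already declared through ::zuul above, so the
    # merger class is told not to manage it again.
    class { 'openstack_project::zuul_merger':
      gerrit_server        => $gerrit_server,
      gerrit_user          => $gerrit_user,
      gerrit_ssh_host_key  => $gerrit_ssh_host_key,
      zuul_ssh_private_key => $zuul_ssh_private_key,
      manage_common_zuul   => false,
    }
  }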
  # Node-OS: xenial
  node /^pbx\d*\.open.*\.org$/ {
    $group = 'pbx'

    class { 'openstack_project::server': }

    class { 'openstack_project::pbx':
      # A single SIP provider, with outgoing disabled. The password has no
      # hiera default; the user name falls back to the literal 'username'.
      sip_providers => [
        {
          provider => 'voipms',
          hostname => 'dallas.voip.ms',
          username => hiera('voipms_username', 'username'),
          password => hiera('voipms_password'),
          outgoing => false,
        },
      ],
    }
  }
  # Node-OS: xenial
  # Backup server. Cron and the puppet agent must not run on this machine.
  node /^backup\d+\..*\.ci\.open.*\.org$/ {
    $group = 'ci-backup'

    class { 'openstack_project::server': }
    include openstack_project::backup_server
  }
  # Node-OS: xenial
  node /^openstackid\d*(\.openstack)?\.org$/ {
    $group = 'openstackid'

    # Production OpenStackID. Passwords, keys and TLS material are read from
    # hiera without defaults.
    # NOTE(review): the 'username' and 'localhost' fallbacks (including the
    # 'username' default for ss_db_name) look like placeholders for
    # environments without the private hiera data; confirm they are never
    # used on the production host.
    class { 'openstack_project::openstackid_prod':
      site_admin_password                 => hiera('openstackid_site_admin_password'),
      # Identity database.
      id_mysql_host                       => hiera('openstackid_id_mysql_host', 'localhost'),
      id_mysql_user                       => hiera('openstackid_id_mysql_user', 'username'),
      id_mysql_password                   => hiera('openstackid_id_mysql_password'),
      id_db_name                          => hiera('openstackid_id_db_name'),
      # Second ("ss") database.
      ss_mysql_host                       => hiera('openstackid_ss_mysql_host', 'localhost'),
      ss_mysql_user                       => hiera('openstackid_ss_mysql_user', 'username'),
      ss_mysql_password                   => hiera('openstackid_ss_mysql_password'),
      ss_db_name                          => hiera('openstackid_ss_db_name', 'username'),
      # MySQL connections use TLS with a client certificate.
      mysql_ssl_enabled                   => true,
      mysql_ssl_ca_file_contents          => hiera('openstackid_mysql_ssl_ca_file_contents'),
      mysql_ssl_client_key_file_contents  => hiera('openstackid_mysql_ssl_client_key_file_contents'),
      mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),
      redis_password                      => hiera('openstackid_redis_password'),
      # TLS material for the vhost.
      ssl_cert_file_contents              => hiera('openstackid_ssl_cert_file_contents'),
      ssl_key_file_contents               => hiera('openstackid_ssl_key_file_contents'),
      ssl_chain_file_contents             => hiera('openstackid_ssl_chain_file_contents'),
      id_recaptcha_public_key             => hiera('openstackid_recaptcha_public_key'),
      id_recaptcha_private_key            => hiera('openstackid_recaptcha_private_key'),
      # Site identity and URLs.
      vhost_name                          => 'openstackid.org',
      session_cookie_domain               => 'openstackid.org',
      serveradmin                         => 'webmaster@openstackid.org',
      canonicalweburl                     => 'https://openstackid.org/',
      app_url                             => 'https://openstackid.org',
      app_key                             => hiera('openstackid_app_key'),
      lost_password_url                   => 'https://openstackid.org/lost-password',
      registration_url                    => 'https://openstackid.org/registration',
      registration_mobile_url             => 'https://openstackid.org/registration-mobile',
      resend_verification_url             => 'https://openstackid.org/resend-verification',
      # Mail.
      id_log_error_to_email               => 'openstack@tipit.net',
      id_log_error_from_email             => 'noreply@openstack.org',
      email_driver                        => 'sendgrid',
      email_send_grid_api_key             => hiera('openstackid_send_grid_api_key'),
      php_version                         => 7,
    }
  }
  # Node-OS: xenial
  node /^openstackid-dev\d*\.openstack\.org$/ {
    $group = 'openstackid-dev'

    # Development OpenStackID. Every secret comes from an 'openstackid_dev_'
    # hiera key, so no production hiera key is read by this node.
    class { 'openstack_project::openstackid_dev':
      site_admin_password                 => hiera('openstackid_dev_site_admin_password'),
      # Identity database.
      id_mysql_host                       => hiera('openstackid_dev_id_mysql_host', 'localhost'),
      id_mysql_user                       => hiera('openstackid_dev_id_mysql_user', 'username'),
      id_mysql_password                   => hiera('openstackid_dev_id_mysql_password'),
      # Second ("ss") database.
      ss_mysql_host                       => hiera('openstackid_dev_ss_mysql_host', 'localhost'),
      ss_mysql_user                       => hiera('openstackid_dev_ss_mysql_user', 'username'),
      ss_mysql_password                   => hiera('openstackid_dev_ss_mysql_password'),
      ss_db_name                          => hiera('openstackid_dev_ss_db_name', 'username'),
      # MySQL connections use TLS with a client certificate.
      mysql_ssl_enabled                   => true,
      mysql_ssl_ca_file_contents          => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),
      mysql_ssl_client_key_file_contents  => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),
      mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),
      redis_password                      => hiera('openstackid_dev_redis_password'),
      # TLS material for the vhost.
      ssl_cert_file_contents              => hiera('openstackid_dev_ssl_cert_file_contents'),
      ssl_key_file_contents               => hiera('openstackid_dev_ssl_key_file_contents'),
      ssl_chain_file_contents             => hiera('openstackid_dev_ssl_chain_file_contents'),
      id_recaptcha_public_key             => hiera('openstackid_dev_recaptcha_public_key'),
      id_recaptcha_private_key            => hiera('openstackid_dev_recaptcha_private_key'),
      # Site identity and URLs.
      vhost_name                          => 'openstackid-dev.openstack.org',
      session_cookie_domain               => 'openstackid-dev.openstack.org',
      serveradmin                         => 'webmaster@openstackid-dev.openstack.org',
      canonicalweburl                     => 'https://openstackid-dev.openstack.org/',
      app_url                             => 'https://openstackid-dev.openstack.org',
      app_key                             => hiera('openstackid_dev_app_key'),
      lost_password_url                   => 'https://openstackid-dev.openstack.org/lost-password',
      registration_url                    => 'https://openstackid-dev.openstack.org/registration',
      registration_mobile_url             => 'https://openstackid-dev.openstack.org/registration-mobile',
      resend_verification_url             => 'https://openstackid-dev.openstack.org/resend-verification',
      # Mail.
      id_log_error_to_email               => 'openstack@tipit.net',
      id_log_error_from_email             => 'noreply@openstack.org',
      email_driver                        => 'sendgrid',
      email_send_grid_api_key             => hiera('openstackid_dev_send_grid_api_key'),
      php_version                         => 7,
    }
  }
  # Node-OS: trusty
  # Test-only node for exercising all-in-one deployments. It is matched by an
  # exact name, not by a regular expression.
  node 'single-node-ci.test.only' {
    include ::openstackci::single_node_ci
  }
  # Node-OS: xenial
  # kdc03: declares the kdc class with its default parameters.
  node /^kdc03\.open.*\.org$/ {
    class { 'openstack_project::server': }

    class { 'openstack_project::kdc': }
  }
  # Node-OS: xenial
  # kdc04: same kdc class as kdc03, but declared with slave => true.
  node /^kdc04\.open.*\.org$/ {
    class { 'openstack_project::server': }

    class { 'openstack_project::kdc':
      slave => true,
    }
  }
  # Node-OS: xenial
  # afsdb01 is the only AFS database server that also gets afsrelease.
  # NOTE(review): this hostname also matches the generic
  # /^afsdb.*\.open.*\.org$/ node defined right after this one. Puppet gives
  # no documented guarantee about which regex node is used when several
  # match, so verify that afsdb01 really receives this definition.
  node /^afsdb01\.open.*\.org$/ {
    $group = 'afsdb'

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsdb
    include openstack_project::afsrelease
  }
  # Node-OS: xenial
  # Generic AFS database server.
  # NOTE(review): the '.*' after 'afsdb' accepts any characters, so this
  # pattern also matches afsdb01, which has its own node definition above.
  node /^afsdb.*\.open.*\.org$/ {
    $group = 'afsdb'

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsdb
  }
  # Node-OS: xenial
  # AFS file server. The pattern requires at least one extra label between
  # the host name and the 'open...' domain.
  # NOTE(review): an 'afsdb...' host with such an extra label would match
  # this pattern as well as the afsdb patterns above; confirm that no such
  # host exists.
  node /^afs.*\..*\.open.*\.org$/ {
    $group = 'afs'

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsfs
  }
  # Node-OS: trusty
  node /^ask\d*\.open.*\.org$/ {
    class { 'openstack_project::server': }

    class { 'openstack_project::ask':
      db_user                      => hiera('ask_db_user', 'ask'),
      db_password                  => hiera('ask_db_password'),
      redis_password               => hiera('ask_redis_password'),
      # The TLS material is optional: each lookup falls back to undef.
      # NOTE(review): what the class serves when these are undef is not
      # visible here; confirm that production always has them set.
      site_ssl_cert_file_contents  => hiera('ask_site_ssl_cert_file_contents', undef),
      site_ssl_key_file_contents   => hiera('ask_site_ssl_key_file_contents', undef),
      site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),
    }
  }
  # Node-OS: trusty
  node /^ask-staging\d*\.open.*\.org$/ {
    class { 'openstack_project::server': }

    # Staging reads its own 'ask_staging_' hiera keys, so no production ask
    # key is looked up by this node.
    class { 'openstack_project::ask_staging':
      db_password    => hiera('ask_staging_db_password'),
      redis_password => hiera('ask_staging_redis_password'),
    }
  }
  # Node-OS: xenial
  node /^translate\d+\.open.*\.org$/ {
    $group = 'translate'

    class { 'openstack_project::server': }

    class { 'openstack_project::translate':
      vhost_name                 => 'translate.openstack.org',
      admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
      openid_url                 => 'https://openstackid.org',
      # NOTE(review): only an AJP listener is enabled. Presumably it sits
      # behind the local web server; confirm the AJP port is not reachable
      # from outside the host.
      listeners                  => ['ajp'],
      from_address               => 'noreply@openstack.org',
      project_config_repo        => 'https://opendev.org/openstack/project-config',
      # Database.
      mysql_host                 => hiera('translate_mysql_host', 'localhost'),
      mysql_password             => hiera('translate_mysql_password'),
      # Zanata API credentials.
      zanata_server_user         => hiera('proposal_zanata_user'),
      zanata_server_api_key      => hiera('proposal_zanata_api_key'),
      # Downloaded artifacts. The Zanata archive comes with a checksum (40 hex
      # digits, presumably SHA-1 -- confirm against the module).
      # NOTE(review): no checksum is passed here for the WildFly tarball, so
      # its integrity appears to rest on HTTPS alone unless the module
      # verifies it itself.
      zanata_main_version        => 4,
      zanata_url                 => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',
      zanata_checksum            => 'eaf8bd07401dade758b677007d2358f173193d17',
      zanata_wildfly_version     => '10.1.0',
      zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',
      # TLS material for the vhost.
      ssl_cert_file_contents     => hiera('translate_ssl_cert_file_contents'),
      ssl_key_file_contents      => hiera('translate_ssl_key_file_contents'),
      ssl_chain_file_contents    => hiera('translate_ssl_chain_file_contents'),
    }
  }
  # Node-OS: xenial
  node /^translate-dev\d*\.open.*\.org$/ {
    $group = 'translate-dev'

    # NOTE(review): the database settings come from 'translate_dev_' hiera
    # keys, but the Zanata user and API key are the same 'proposal_zanata_'
    # keys that the production translate node reads. Confirm that sharing
    # that credential between dev and production is intended.
    class { 'openstack_project::translate_dev':
      vhost_name            => 'translate-dev.openstack.org',
      admin_users           => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
      openid_url            => 'https://openstackid-dev.openstack.org',
      listeners             => ['ajp'],
      from_address          => 'noreply@openstack.org',
      project_config_repo   => 'https://opendev.org/openstack/project-config',
      mysql_host            => hiera('translate_dev_mysql_host', 'localhost'),
      mysql_password        => hiera('translate_dev_mysql_password'),
      zanata_server_user    => hiera('proposal_zanata_user'),
      zanata_server_api_key => hiera('proposal_zanata_api_key'),
    }
  }
  # Node-OS: xenial
  node /^codesearch\d*\.open.*\.org$/ {
    $group = 'codesearch'

    class { 'openstack_project::server': }

    # No secrets are passed to this node; it only needs the location of the
    # public project-config repository.
    class { 'openstack_project::codesearch':
      project_config_repo => 'https://opendev.org/openstack/project-config',
    }
  }
  1166. # vim:sw=2:ts=2:expandtab:textwidth=79