opendev
/
system-config
Code Issues Proposed changes
System configuration for OpenStack Infrastructure
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15227 Commits
1 Branch
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
system-config/manifests/site.pp

1266 lines
52KB
Raw Permalink Blame History 

  1. #

  2. # Top-level variables

  3. #

  4. # There must not be any whitespace between this comment and the variables or

  5. # in between any two variables in order for them to be correctly parsed and

  6. # passed around in test.sh

  7. #

  8. # Note we do not do a hiera lookup here as we set $group on a per node basis

  9. # and that must be set before we can do hiera lookups. Doing a hiera lookup

  10. # here would fail to find any group specific info.

  11. $elasticsearch_nodes = [

  12.   "elasticsearch02.openstack.org",

  13.   "elasticsearch03.openstack.org",

  14.   "elasticsearch04.openstack.org",

  15.   "elasticsearch05.openstack.org",

  16.   "elasticsearch06.openstack.org",

  17.   "elasticsearch07.openstack.org",

  18. ]

  19. 

  20. #

  21. # Default: should at least behave like an openstack server

  22. #

  23. node default {

  24.   class { 'openstack_project::server':

  25.   }

  26. }

  27. 

  28. #

  29. # Long lived servers:

  30. #

  31. # Node-OS: xenial

  32. node /^review\d*\.open.*\.org$/ {

  33.   $group = "review"

  34. 

  35.   class { 'openstack_project::server': }

  36. 

  37.   class { 'openstack_project::review':

  38.     project_config_repo                  => 'https://opendev.org/openstack/project-config',

  39.     github_oauth_token                   => hiera('gerrit_github_token'),

  40.     github_project_username              => hiera('github_project_username', 'username'),

  41.     github_project_password              => hiera('github_project_password'),

  42.     mysql_host                           => hiera('gerrit_mysql_host', 'localhost'),

  43.     mysql_password                       => hiera('gerrit_mysql_password'),

  44.     email_private_key                    => hiera('gerrit_email_private_key'),

  45.     token_private_key                    => hiera('gerrit_rest_token_private_key'),

  46.     gerritbot_password                   => hiera('gerrit_gerritbot_password'),

  47.     gerritbot_ssh_rsa_key_contents       => hiera('gerritbot_ssh_rsa_key_contents'),

  48.     gerritbot_ssh_rsa_pubkey_contents    => hiera('gerritbot_ssh_rsa_pubkey_contents'),

  49.     ssl_cert_file_contents               => hiera('review_opendev_cert_file_contents'),

  50.     ssl_key_file_contents                => hiera('review_opendev_key_file_contents'),

  51.     ssl_chain_file_contents              => hiera('review_opendev_chain_file_contents'),

  52.     ssh_dsa_key_contents                 => hiera('gerrit_ssh_dsa_key_contents'),

  53.     ssh_dsa_pubkey_contents              => hiera('gerrit_ssh_dsa_pubkey_contents'),

  54.     ssh_rsa_key_contents                 => hiera('gerrit_ssh_rsa_key_contents'),

  55.     ssh_rsa_pubkey_contents              => hiera('gerrit_ssh_rsa_pubkey_contents'),

  56.     ssh_project_rsa_key_contents         => hiera('gerrit_project_ssh_rsa_key_contents'),

  57.     ssh_project_rsa_pubkey_contents      => hiera('gerrit_project_ssh_rsa_pubkey_contents'),

  58.     ssh_welcome_rsa_key_contents         => hiera('welcome_message_gerrit_ssh_private_key'),

  59.     ssh_welcome_rsa_pubkey_contents      => hiera('welcome_message_gerrit_ssh_public_key'),

  60.     ssh_replication_rsa_key_contents     => hiera('gerrit_replication_ssh_rsa_key_contents'),

  61.     ssh_replication_rsa_pubkey_contents  => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),

  62.     lp_access_token                      => hiera('gerrit_lp_access_token'),

  63.     lp_access_secret                     => hiera('gerrit_lp_access_secret'),

  64.     lp_consumer_key                      => hiera('gerrit_lp_consumer_key'),

  65.     swift_username                       => hiera('swift_store_user', 'username'),

  66.     swift_password                       => hiera('swift_store_key'),

  67.     storyboard_password                  => hiera('gerrit_storyboard_token'),

  68.     # Compatibility layer vars for the old domain name below here.

  69.     # TODO rename the hiera keys to reduce confusion

  70.     review_openstack_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),

  71.     review_openstack_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),

  72.     review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),

  73.   }

  74. }

  75. 

  76. # Node-OS: xenial

  77. node /^review-dev\d*\.open.*\.org$/ {

  78.   $group = "review-dev"

  79. 

  80.   class { 'openstack_project::server':

  81.     afs                       => true,

  82.   }

  83. 

  84.   class { 'openstack_project::review_dev':

  85.     project_config_repo                 => 'https://opendev.org/openstack/project-config',

  86.     github_oauth_token                  => hiera('gerrit_dev_github_token'),

  87.     github_project_username             => hiera('github_dev_project_username', 'username'),

  88.     github_project_password             => hiera('github_dev_project_password'),

  89.     mysql_host                          => hiera('gerrit_dev_mysql_host', 'localhost'),

  90.     mysql_password                      => hiera('gerrit_dev_mysql_password'),

  91.     email_private_key                   => hiera('gerrit_dev_email_private_key'),

  92.     ssh_dsa_key_contents                => hiera('gerrit_dev_ssh_dsa_key_contents'),

  93.     ssh_dsa_pubkey_contents             => hiera('gerrit_dev_ssh_dsa_pubkey_contents'),

  94.     ssh_rsa_key_contents                => hiera('gerrit_dev_ssh_rsa_key_contents'),

  95.     ssh_rsa_pubkey_contents             => hiera('gerrit_dev_ssh_rsa_pubkey_contents'),

  96.     ssh_project_rsa_key_contents        => hiera('gerrit_dev_project_ssh_rsa_key_contents'),

  97.     ssh_project_rsa_pubkey_contents     => hiera('gerrit_dev_project_ssh_rsa_pubkey_contents'),

  98.     ssh_replication_rsa_key_contents    => hiera('gerrit_dev_replication_ssh_rsa_key_contents'),

  99.     ssh_replication_rsa_pubkey_contents => hiera('gerrit_dev_replication_ssh_rsa_pubkey_contents'),

  100.     lp_access_token                     => hiera('gerrit_dev_lp_access_token'),

  101.     lp_access_secret                    => hiera('gerrit_dev_lp_access_secret'),

  102.     lp_consumer_key                     => hiera('gerrit_dev_lp_consumer_key'),

  103.     storyboard_password                 => hiera('gerrit_dev_storyboard_token'),

  104.     storyboard_ssl_cert                 => hiera('gerrit_dev_storyboard_ssl_crt'),

  105.   }

  106. }

  107. 

  108. # Node-OS: xenial

  109. # Puppet-Version: !3

  110. node /^grafana\d*\.open.*\.org$/ {

  111.   $group = "grafana"

  112.   class { 'openstack_project::server': }

  113.   class { 'openstack_project::grafana':

  114.     admin_password      => hiera('grafana_admin_password'),

  115.     admin_user          => hiera('grafana_admin_user', 'username'),

  116.     mysql_host          => hiera('grafana_mysql_host', 'localhost'),

  117.     mysql_name          => hiera('grafana_mysql_name'),

  118.     mysql_password      => hiera('grafana_mysql_password'),

  119.     mysql_user          => hiera('grafana_mysql_user', 'username'),

  120.     project_config_repo => 'https://opendev.org/openstack/project-config',

  121.     secret_key          => hiera('grafana_secret_key'),

  122.   }

  123. }

  124. 

  125. # Node-OS: xenial

  126. node /^health\d*\.openstack\.org$/ {

  127.   $group = "health"

  128.   class { 'openstack_project::server': }

  129.   class { 'openstack_project::openstack_health_api':

  130.     subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),

  131.     hostname            => 'health.openstack.org',

  132.   }

  133. }

  134. 

  135. # Node-OS: xenial

  136. node /^cacti\d+\.open.*\.org$/ {

  137.   $group = "cacti"

  138.   include openstack_project::ssl_cert_check

  139.   class { 'openstack_project::cacti':

  140.     cacti_hosts => hiera_array('cacti_hosts'),

  141.     vhost_name  => 'cacti.openstack.org',

  142.   }

  143. }

  144. 

  145. # Node-OS: xenial

  146. node /^graphite\d*\.open.*\.org$/ {

  147.   class { 'openstack_project::server': }

  148. 

  149.   class { '::graphite':

  150.     graphite_admin_user     => hiera('graphite_admin_user', 'username'),

  151.     graphite_admin_email    => hiera('graphite_admin_email', 'email@example.com'),

  152.     graphite_admin_password => hiera('graphite_admin_password'),

  153.     # NOTE(ianw): installed on the host via ansible

  154.     ssl_cert_file           => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',

  155.     ssl_key_file            => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',

  156.     ssl_chain_file          => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',

  157.   }

  158. }

  159. 

  160. # Node-OS: trusty

  161. # Node-OS: xenial

  162. node /^lists\d*\.open.*\.org$/ {

  163.   class { 'openstack_project::server': }

  164. 

  165.   class { 'openstack_project::lists':

  166.     listpassword => hiera('listpassword'),

  167.   }

  168. }

  169. 

  170. # Node-OS: xenial

  171. node /^lists\d*\.katacontainers\.io$/ {

  172.   class { 'openstack_project::server': }

  173. 

  174.   class { 'openstack_project::kata_lists':

  175.     listpassword => hiera('listpassword'),

  176.   }

  177. }

  178. 

  179. # Node-OS: xenial

  180. node /^paste\d*\.open.*\.org$/ {

  181.   $group = "paste"

  182. 

  183.   class { 'openstack_project::server': }

  184.   class { 'openstack_project::paste':

  185.     db_password         => hiera('paste_db_password'),

  186.     db_host             => hiera('paste_db_host'),

  187.     vhost_name          => 'paste.openstack.org',

  188.   }

  189. }

  190. 

  191. # Node-OS: xenial

  192. node /planet\d*\.open.*\.org$/ {

  193.   class { 'openstack_project::planet':

  194.   }

  195. }

  196. 

  197. # Node-OS: xenial

  198. node /^eavesdrop\d*\.open.*\.org$/ {

  199.   $group = "eavesdrop"

  200.   class { 'openstack_project::server': }

  201. 

  202.   class { 'openstack_project::eavesdrop':

  203.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  204.     nickpass                => hiera('openstack_meetbot_password'),

  205.     statusbot_nick          => hiera('statusbot_nick', 'username'),

  206.     statusbot_password      => hiera('statusbot_nick_password'),

  207.     statusbot_server        => 'chat.freenode.net',

  208.     statusbot_channels      => hiera_array('statusbot_channels', ['openstack_infra']),

  209.     statusbot_auth_nicks    => hiera_array('statusbot_auth_nicks'),

  210.     statusbot_wiki_user     => hiera('statusbot_wiki_username', 'username'),

  211.     statusbot_wiki_password => hiera('statusbot_wiki_password'),

  212.     statusbot_wiki_url      => 'https://wiki.openstack.org/w/api.php',

  213.     # https://wiki.openstack.org/wiki/Infrastructure_Status

  214.     statusbot_wiki_pageid   => '1781',

  215.     statusbot_wiki_successpageid => '7717',

  216.     statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',

  217.     statusbot_wiki_thankspageid => '37700',

  218.     statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',

  219.     statusbot_irclogs_url   => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',

  220.     statusbot_twitter                 => true,

  221.     statusbot_twitter_key             => hiera('statusbot_twitter_key'),

  222.     statusbot_twitter_secret          => hiera('statusbot_twitter_secret'),

  223.     statusbot_twitter_token_key       => hiera('statusbot_twitter_token_key'),

  224.     statusbot_twitter_token_secret    => hiera('statusbot_twitter_token_secret'),

  225.     accessbot_nick          => hiera('accessbot_nick', 'username'),

  226.     accessbot_password      => hiera('accessbot_nick_password'),

  227.     meetbot_channels        => hiera('meetbot_channels', ['openstack-infra']),

  228.     ptgbot_nick             => hiera('ptgbot_nick', 'username'),

  229.     ptgbot_password         => hiera('ptgbot_password'),

  230.   }

  231. }

  232. 

  233. # Node-OS: xenial

  234. node /^ethercalc\d+\.open.*\.org$/ {

  235.   $group = "ethercalc"

  236.   class { 'openstack_project::server': }

  237. 

  238.   class { 'openstack_project::ethercalc':

  239.     vhost_name              => 'ethercalc.openstack.org',

  240.     ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),

  241.     ssl_key_file_contents   => hiera('ssl_key_file_contents'),

  242.     ssl_chain_file_contents => hiera('ssl_chain_file_contents'),

  243.   }

  244. }

  245. 

  246. # Node-OS: xenial

  247. node /^etherpad\d*\.open.*\.org$/ {

  248.   $group = "etherpad"

  249.   class { 'openstack_project::server': }

  250. 

  251.   class { 'openstack_project::etherpad':

  252.     vhost_name              => 'etherpad.openstack.org',

  253.     ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),

  254.     ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),

  255.     ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),

  256.     mysql_host              => hiera('etherpad_db_host', 'localhost'),

  257.     mysql_user              => hiera('etherpad_db_user', 'username'),

  258.     mysql_password          => hiera('etherpad_db_password'),

  259.   }

  260. }

  261. 

  262. # Node-OS: xenial

  263. node /^etherpad-dev\d*\.open.*\.org$/ {

  264.   $group = "etherpad-dev"

  265.   class { 'openstack_project::server': }

  266. 

  267.   class { 'openstack_project::etherpad_dev':

  268.     vhost_name     => 'etherpad-dev.openstack.org',

  269.     mysql_host     => hiera('etherpad-dev_db_host', 'localhost'),

  270.     mysql_user     => hiera('etherpad-dev_db_user', 'username'),

  271.     mysql_password => hiera('etherpad-dev_db_password'),

  272.   }

  273. }

  274. 

  275. # Node-OS: trusty

  276. node /^wiki\d+\.openstack\.org$/ {

  277.   $group = "wiki"

  278.   class { 'openstack_project::wiki':

  279.     bup_user                  => 'bup-wiki',

  280.     serveradmin               => hiera('infra_apache_serveradmin'),

  281.     site_hostname             => 'wiki.openstack.org',

  282.     ssl_cert_file_contents    => hiera('ssl_cert_file_contents'),

  283.     ssl_key_file_contents     => hiera('ssl_key_file_contents'),

  284.     ssl_chain_file_contents   => hiera('ssl_chain_file_contents'),

  285.     wg_dbserver               => hiera('wg_dbserver'),

  286.     wg_dbname                 => 'openstack_wiki',

  287.     wg_dbuser                 => 'wikiuser',

  288.     wg_dbpassword             => hiera('wg_dbpassword'),

  289.     wg_secretkey              => hiera('wg_secretkey'),

  290.     wg_upgradekey             => hiera('wg_upgradekey'),

  291.     wg_recaptchasitekey       => hiera('wg_recaptchasitekey'),

  292.     wg_recaptchasecretkey     => hiera('wg_recaptchasecretkey'),

  293.     wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),

  294.   }

  295. }

  296. 

  297. # Node-OS: trusty

  298. node /^wiki-dev\d+\.openstack\.org$/ {

  299.   $group = "wiki-dev"

  300.   class { 'openstack_project::wiki':

  301.     serveradmin           => hiera('infra_apache_serveradmin'),

  302.     site_hostname         => 'wiki-dev.openstack.org',

  303.     wg_dbserver           => hiera('wg_dbserver'),

  304.     wg_dbname             => 'openstack_wiki',

  305.     wg_dbuser             => 'wikiuser',

  306.     wg_dbpassword         => hiera('wg_dbpassword'),

  307.     wg_secretkey          => hiera('wg_secretkey'),

  308.     wg_upgradekey         => hiera('wg_upgradekey'),

  309.     wg_recaptchasitekey   => hiera('wg_recaptchasitekey'),

  310.     wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),

  311.     disallow_robots       => true,

  312.   }

  313. }

  314. 

  315. # Node-OS: xenial

  316. node /^logstash\d*\.open.*\.org$/ {

  317.   class { 'openstack_project::server': }

  318. 

  319.   class { 'openstack_project::logstash':

  320.     discover_nodes      => [

  321.       'elasticsearch03.openstack.org:9200',

  322.       'elasticsearch04.openstack.org:9200',

  323.       'elasticsearch05.openstack.org:9200',

  324.       'elasticsearch06.openstack.org:9200',

  325.       'elasticsearch07.openstack.org:9200',

  326.       'elasticsearch02.openstack.org:9200',

  327.     ],

  328.     subunit2sql_db_host => hiera('subunit2sql_db_host', ''),

  329.     subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),

  330.   }

  331. }

  332. 

  333. # Node-OS: xenial

  334. node /^logstash-worker\d+\.open.*\.org$/ {

  335.   $group = 'logstash-worker'

  336. 

  337.   class { 'openstack_project::server': }

  338. 

  339.   class { 'openstack_project::logstash_worker':

  340.     discover_node         => 'elasticsearch03.openstack.org',

  341.     enable_mqtt           => false,

  342.     mqtt_password         => hiera('mqtt_service_user_password'),

  343.     mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),

  344.   }

  345. }

  346. 

  347. # Node-OS: xenial

  348. node /^subunit-worker\d+\.open.*\.org$/ {

  349.   $group = "subunit-worker"

  350.   class { 'openstack_project::server': }

  351.   class { 'openstack_project::subunit_worker':

  352.     subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),

  353.     subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),

  354.     mqtt_pass             => hiera('mqtt_service_user_password'),

  355.     mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),

  356.   }

  357. }

  358. 

  359. # Node-OS: xenial

  360. node /^elasticsearch\d+\.open.*\.org$/ {

  361.   $group = "elasticsearch"

  362.   class { 'openstack_project::server': }

  363.   class { 'openstack_project::elasticsearch_node':

  364.     discover_nodes => $elasticsearch_nodes,

  365.   }

  366. }

  367. 

  368. # Node-OS: xenial

  369. node /^firehose\d+\.open.*\.org$/ {

  370.   class { 'openstack_project::server': }

  371.   class { 'openstack_project::firehose':

  372.     gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),

  373.     gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),

  374.     gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),

  375.     mqtt_password       => hiera('mqtt_service_user_password'),

  376.     ca_file             => hiera('mosquitto_tls_ca_file'),

  377.     cert_file           => hiera('mosquitto_tls_server_cert_file'),

  378.     key_file            => hiera('mosquitto_tls_server_key_file'),

  379.     imap_hostname       => hiera('lpmqtt_imap_server'),

  380.     imap_username       => hiera('lpmqtt_imap_username'),

  381.     imap_password       => hiera('lpmqtt_imap_password'),

  382.     statsd_host         => 'graphite.opendev.org',

  383.   }

  384. }

  385. 

  386. # A machine to drive AFS mirror updates.

  387. # Node-OS: xenial

  388. node /^mirror-update\d*\.open.*\.org$/ {

  389.   $group = "afsadmin"

  390. 

  391.   class { 'openstack_project::mirror_update':

  392.     admin_keytab          => hiera('afsadmin_keytab'),

  393.     fedora_keytab         => hiera('fedora_keytab'),

  394.     opensuse_keytab       => hiera('opensuse_keytab'),

  395.     reprepro_keytab       => hiera('reprepro_keytab'),

  396.     gem_keytab            => hiera('gem_keytab'),

  397.     centos_keytab         => hiera('centos_keytab'),

  398.     epel_keytab           => hiera('epel_keytab'),

  399.     yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),

  400.   }

  401. }

  402. 

  403. # Machines in each region to serve AFS mirrors.

  404. # Node-OS: xenial

  405. node /^mirror\d*\..*\.open.*\.org$/ {

  406.   $group = "mirror"

  407. 

  408.   class { 'openstack_project::server':

  409.     afs                       => true,

  410.     afs_cache_size            => 50000000,  # 50GB

  411.   }

  412. 

  413.   class { 'openstack_project::mirror':

  414.     vhost_name => $::fqdn,

  415.     require    => Class['Openstack_project::Server'],

  416.   }

  417. }

  418. 

  419. # Serve static AFS content for docs and other sites.

  420. # Node-OS: xenial

  421. node /^files\d*\.open.*\.org$/ {

  422.   $group = "files"

  423.   class { 'openstack_project::server':

  424.     afs                       => true,

  425.     afs_cache_size            => 10000000,  # 10GB

  426.   }

  427. 

  428.   class { 'openstack_project::files':

  429.     vhost_name                        => 'files.openstack.org',

  430.     developer_cert_file_contents      => hiera('developer_cert_file_contents'),

  431.     developer_key_file_contents       => hiera('developer_key_file_contents'),

  432.     developer_chain_file_contents     => hiera('developer_chain_file_contents'),

  433.     docs_cert_file_contents           => hiera('docs_cert_file_contents'),

  434.     docs_key_file_contents            => hiera('docs_key_file_contents'),

  435.     docs_chain_file_contents          => hiera('docs_chain_file_contents'),

  436.     git_airship_cert_file_contents    => hiera('git_airship_cert_file_contents'),

  437.     git_airship_key_file_contents     => hiera('git_airship_key_file_contents'),

  438.     git_airship_chain_file_contents   => hiera('git_airship_chain_file_contents'),

  439.     git_openstack_cert_file_contents  => hiera('git_openstack_cert_file_contents'),

  440.     git_openstack_key_file_contents   => hiera('git_openstack_key_file_contents'),

  441.     git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),

  442.     git_starlingx_cert_file_contents  => hiera('git_starlingx_cert_file_contents'),

  443.     git_starlingx_key_file_contents   => hiera('git_starlingx_key_file_contents'),

  444.     git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),

  445.     git_zuul_cert_file_contents       => hiera('git_zuul_cert_file_contents'),

  446.     git_zuul_key_file_contents        => hiera('git_zuul_key_file_contents'),

  447.     git_zuul_chain_file_contents      => hiera('git_zuul_chain_file_contents'),

  448.     require                           => Class['Openstack_project::Server'],

  449.   }

  450. 

  451.   # Temporary for evaluating htaccess rules

  452.   ::httpd::vhost { "git-test.openstack.org":

  453.     port          => 80, # Is required despite not being used.

  454.     docroot       => "/afs/openstack.org/project/git-test/www",

  455.     priority      => '50',

  456.     template      => 'openstack_project/git-test.vhost.erb',

  457.   }

  458. 

  459.   openstack_project::website { 'docs.starlingx.io':

  460.     volume_name      => 'starlingx.io',

  461.     aliases          => [],

  462.     ssl_cert         => hiera('docs_starlingx_io_ssl_cert'),

  463.     ssl_key          => hiera('docs_starlingx_io_ssl_key'),

  464.     ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),

  465.     require          => Class['openstack_project::files'],

  466.   }

  467. 

  468.   openstack_project::website { 'docs.opendev.org':

  469.     aliases          => [],

  470.     docroot	     => "/afs/openstack.org/project/opendev.org/docs",

  471.     ssl_cert         => hiera('docs_opendev_ssl_cert'),

  472.     ssl_key          => hiera('docs_opendev_ssl_key'),

  473.     ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),

  474.     require          => Class['openstack_project::files'],

  475.   }

  476. 

  477.   openstack_project::website { 'tarballs.opendev.org':

  478.     aliases          => [],

  479.     docroot	     => "/afs/openstack.org/project/opendev.org/tarballs",

  480.     ssl_cert_file    => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer',

  481.     ssl_key_file     => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key',

  482.     ssl_chain_file   => '/etc/letsencrypt-certs/tarballs.opendev.org/ca.cer',

  483.     require          => Class['openstack_project::files'],

  484.   }

  485. 

  486.   openstack_project::website { 'zuul-ci.org':

  487.     aliases          => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],

  488.     ssl_cert         => hiera('zuul-ci_org_ssl_cert'),

  489.     ssl_key          => hiera('zuul-ci_org_ssl_key'),

  490.     ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),

  491.     require          => Class['openstack_project::files'],

  492.   }

  493. 

  494. }

  495. 

  496. # Node-OS: trusty

  497. # Node-OS: xenial

  498. node /^refstack\d*\.open.*\.org$/ {

  499.   class { 'openstack_project::server': }

  500.   class { 'refstack':

  501.     mysql_host          => hiera('refstack_mysql_host', 'localhost'),

  502.     mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),

  503.     mysql_user          => hiera('refstack_mysql_user', 'refstack'),

  504.     mysql_user_password => hiera('refstack_mysql_password'),

  505.     ssl_cert_content    => hiera('refstack_ssl_cert_file_contents'),

  506.     ssl_cert            => '/etc/ssl/certs/refstack.pem',

  507.     ssl_key_content     => hiera('refstack_ssl_key_file_contents'),

  508.     ssl_key             => '/etc/ssl/private/refstack.key',

  509.     ssl_ca_content      => hiera('refstack_ssl_chain_file_contents'),

  510.     ssl_ca              => '/etc/ssl/certs/refstack.ca.pem',

  511.     protocol            => 'https',

  512.   }

  513.   mysql_backup::backup_remote { 'refstack':

  514.     database_host     => hiera('refstack_mysql_host', 'localhost'),

  515.     database_user     => hiera('refstack_mysql_user', 'refstack'),

  516.     database_password => hiera('refstack_mysql_password'),

  517.     require           => Class['::refstack'],

  518.   }

  519. }

  520. 

  521. # A machine to run Storyboard

  522. # Node-OS: xenial

  523. node /^storyboard\d+\.opendev\.org$/ {

  524.   $group = "storyboard"

  525.   class { 'openstack_project::storyboard':

  526.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  527.     mysql_host              => hiera('storyboard_db_host', 'localhost'),

  528.     mysql_user              => hiera('storyboard_db_user', 'username'),

  529.     mysql_password          => hiera('storyboard_db_password'),

  530.     rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),

  531.     rabbitmq_password       => hiera('storyboard_rabbit_password'),

  532.     ssl_cert                => '/etc/ssl/certs/storyboard.openstack.org.pem',

  533.     ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),

  534.     ssl_key                 => '/etc/ssl/private/storyboard.openstack.org.key',

  535.     ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),

  536.     ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),

  537.     hostname                => 'storyboard.openstack.org',

  538.     valid_oauth_clients     => ['storyboard.openstack.org',],

  539.     cors_allowed_origins    => ['https://storyboard.openstack.org',],

  540.     sender_email_address    => 'storyboard@storyboard.openstack.org',

  541.     default_url             => 'https://storyboard.openstack.org',

  542.   }

  543. }

  544. 

  545. # A machine to run Storyboard devel

  546. # Node-OS: xenial

  547. node /^storyboard-dev\d+\.opendev\.org$/ {

  548.   $group = "storyboard-dev"

  549.   class { 'openstack_project::storyboard::dev':

  550.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  551.     mysql_host              => hiera('storyboard_db_host', 'localhost'),

  552.     mysql_user              => hiera('storyboard_db_user', 'username'),

  553.     mysql_password          => hiera('storyboard_db_password'),

  554.     rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),

  555.     rabbitmq_password       => hiera('storyboard_rabbit_password'),

  556.     hostname                => 'storyboard-dev.openstack.org',

  557.     valid_oauth_clients     => ['^.*',],

  558.     cors_allowed_origins    => ['^.*',],

  559.     sender_email_address    => 'storyboard-dev@storyboard-dev.openstack.org',

  560.     default_url             => 'https://storyboard-dev.openstack.org',

  561.   }

  562. 

  563. }

  564. 

  565. # A machine to serve static content.

  566. # Node-OS: trusty

  567. # Node-OS: xenial

  568. node /^static\d*\.open.*\.org$/ {

  569.   class { 'openstack_project::server': }

  570.   class { 'openstack_project::static':

  571.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  572.     swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',

  573.     swift_user              => 'infra-files-ro',

  574.     swift_key               => hiera('infra_files_ro_password'),

  575.     swift_tenant_name       => hiera('infra_files_tenant_name', 'tenantname'),

  576.     swift_region_name       => 'DFW',

  577.     swift_default_container => 'infra-files',

  578.     ssl_cert_file_contents  => hiera('static_ssl_cert_file_contents'),

  579.     ssl_key_file_contents   => hiera('static_ssl_key_file_contents'),

  580.     ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),

  581.   }

  582. }

  583. 

  584. # Node-OS: xenial

  585. node /^zk\d+\.open.*\.org$/ {

  586.   # We use IP addresses here so that zk listens on the public facing addresses

  587.   # allowing cluster members to talk to each other. Without this they listen

  588.   # on 127.0.1.1 because that is what we have in /etc/hosts for

  589.   # zk0X.openstack.org.

  590.   $zk_cluster_members = [

  591.     '23.253.236.126', # zk01

  592.     '172.99.117.32',  # zk02

  593.     '23.253.90.246',  # zk03

  594.   ]

  595.   class { 'openstack_project::server': }

  596. 

  597.   class { '::zookeeper':

  598.     # ID needs to be numeric, so we use regex to extra numbers from fqdn.

  599.     id             => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),

  600.     # The frequency in hours to look for and purge old snapshots,

  601.     # defaults to 0 (disabled). The number of retained snapshots can

  602.     # be separately controlled through snap_retain_count and

  603.     # defaults to the minimum value of 3. This will quickly fill the

  604.     # disk in production if not enabled. Works on ZK >=3.4.

  605.     purge_interval => 6,

  606.     servers        => $zk_cluster_members,

  607.   }

  608. }

  609. 

  610. # A machine to serve various project status updates.

  611. # Node-OS: trusty

  612. # Node-OS: xenial

  613. node /^status\d*\.open.*\.org$/ {

  614.   $group = 'status'

  615. 

  616.   class { 'openstack_project::server': }

  617. 

  618.   class { 'openstack_project::status':

  619.     gerrit_host                   => 'review.opendev.org',

  620.     gerrit_ssh_host_key           => hiera('gerrit_ssh_rsa_pubkey_contents'),

  621.     reviewday_ssh_public_key      => hiera('reviewday_rsa_pubkey_contents'),

  622.     reviewday_ssh_private_key     => hiera('reviewday_rsa_key_contents'),

  623.     recheck_ssh_public_key        => hiera('elastic-recheck_gerrit_ssh_public_key'),

  624.     recheck_ssh_private_key       => hiera('elastic-recheck_gerrit_ssh_private_key'),

  625.     recheck_bot_nick              => 'openstackrecheck',

  626.     recheck_bot_passwd            => hiera('elastic-recheck_ircbot_password'),

  627.   }

  628. }

  629. 

  630. # Node-OS: xenial

  631. node /^survey\d+\.open.*\.org$/ {

  632.   $group = "survey"

  633.   class { 'openstack_project::server': }

  634. 

  635.   class { 'openstack_project::survey':

  636.     vhost_name              => 'survey.openstack.org',

  637.     auth_openid             => true,

  638.     ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),

  639.     ssl_key_file_contents   => hiera('ssl_key_file_contents'),

  640.     ssl_chain_file_contents => hiera('ssl_chain_file_contents'),

  641.     dbpassword              => hiera('dbpassword'),

  642.     dbhost                  => hiera('dbhost'),

  643.     adminuser               => hiera('adminuser'),

  644.     adminpass               => hiera('adminpass'),

  645.     adminmail               => hiera('adminmail'),

  646.   }

  647. }

  648. 

  649. # Node-OS: xenial

  650. node /^nl\d+\.open.*\.org$/ {

  651.   $group = 'nodepool'

  652. 

  653.   # NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)

  654.   # the cloud credentials are deployed with ansible via the

  655.   # configure-openstacksdk role and are no longer configured here

  656. 

  657.   class { 'openstack_project::server': }

  658. 

  659.   include openstack_project

  660. 

  661.   class { '::openstackci::nodepool_launcher':

  662.     nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),

  663.     project_config_repo      => 'https://opendev.org/openstack/project-config',

  664.     statsd_host              => 'graphite.opendev.org',

  665.     revision                 => 'master',

  666.     python_version           => 3,

  667.     enable_webapp            => true,

  668.   }

  669. }

  670. 

  671. # Node-OS: xenial

  672. node /^nb\d+\.open.*\.org$/ {

  673.   $group = 'nodepool'

  674. 

  675.   class { 'openstack_project::server': }

  676. 

  677.   include openstack_project

  678. 

  679.   class { '::openstackci::nodepool_builder':

  680.     nodepool_ssh_public_key       => hiera('zuul_worker_ssh_public_key_contents'),

  681.     vhost_name                    => $::fqdn,

  682.     enable_build_log_via_http     => true,

  683.     project_config_repo           => 'https://opendev.org/openstack/project-config',

  684.     statsd_host                   => 'graphite.opendev.org',

  685.     upload_workers                => '16',

  686.     revision                      => 'master',

  687.     python_version                => 3,

  688.     zuulv3                        => true,

  689.     ssl_cert_file                 => '/etc/ssl/certs/ssl-cert-snakeoil.pem',

  690.     ssl_key_file                  => '/etc/ssl/private/ssl-cert-snakeoil.key',

  691.   }

  692. 

  693.   cron { 'mirror_gitgc':

  694.     user        => 'nodepool',

  695.     hour        => '20',

  696.     minute      => '0',

  697.     command     => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',

  698.     environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',

  699.     require     => Class['::openstackci::nodepool_builder'],

  700.   }

  701. }

  702. 

  703. # Node-OS: xenial

  704. node /^ze\d+\.open.*\.org$/ {

  705.   $group = "zuul-executor"

  706. 

  707.   $gerrit_server           = 'review.opendev.org'

  708.   $gerrit_user             = 'zuul'

  709.   $gerrit_ssh_host_key     = hiera('gerrit_ssh_rsa_pubkey_contents')

  710.   $gerrit_ssh_private_key  = hiera('gerrit_ssh_private_key_contents')

  711.   $zuul_ssh_private_key    = hiera('zuul_ssh_private_key_contents')

  712.   $zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')

  713.   $git_email               = 'zuul@openstack.org'

  714.   $git_name                = 'OpenStack Zuul'

  715.   $revision                = 'master'

  716. 

  717.   class { 'openstack_project::server':

  718.     afs                       => true,

  719.   }

  720. 

  721.   class { '::project_config':

  722.     url => 'https://opendev.org/openstack/project-config',

  723.   }

  724. 

  725.   # We use later HWE kernels for better memory managment, requiring an

  726.   # updated AFS version which we install from our custom ppa.

  727.   include ::apt

  728.   apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }

  729.   package { 'linux-generic-hwe-16.04':

  730.     ensure  => present,

  731.     require => [

  732.       Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],

  733.       Class['apt::update'],

  734.     ],

  735.   }

  736. 

  737.   # Skopeo is required for pushing/pulling from the intermediate

  738.   # registry, and is available in the projectatomic ppa.

  739. 

  740.   apt::ppa { 'ppa:projectatomic/ppa': }

  741.   package { 'skopeo':

  742.     ensure  => present,

  743.     require => [

  744.       Apt::Ppa['ppa:projectatomic/ppa'],

  745.       Class['apt::update'],

  746.     ],

  747.   }

  748. 

  749.   # Socat is also required for pushing/pulling images

  750.   package { 'socat':

  751.     ensure  => present,

  752.     require => [

  753.       Class['apt::update'],

  754.     ],

  755.   }

  756. 

  757.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  758.   # settings.

  759.   class { '::zuul':

  760.     gearman_server           => 'zuul01.openstack.org',

  761.     gerrit_server            => $gerrit_server,

  762.     gerrit_user              => $gerrit_user,

  763.     zuul_ssh_private_key     => $gerrit_ssh_private_key,

  764.     git_email                => $git_email,

  765.     git_name                 => $git_name,

  766.     worker_private_key_file  => '/var/lib/zuul/ssh/nodepool_id_rsa',

  767.     revision                 => $revision,

  768.     python_version           => 3,

  769.     zookeeper_hosts          => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  770.     zuulv3                   => true,

  771.     connections              => hiera('zuul_connections', []),

  772.     connection_secrets      => hiera('zuul_connection_secrets', []),

  773.     gearman_client_ssl_cert  => hiera('gearman_client_ssl_cert'),

  774.     gearman_client_ssl_key   => hiera('gearman_client_ssl_key'),

  775.     gearman_ssl_ca           => hiera('gearman_ssl_ca'),

  776.     #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs

  777.     # properly. We need to revisting this post Queens PTG.

  778.     trusted_ro_paths         => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],

  779.     trusted_rw_paths         => ['/afs'],

  780.     untrusted_ro_paths       => ['/etc/ssl/certs'],

  781.     disk_limit_per_job       => 5000,  # Megabytes

  782.     site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,

  783.     require                  => $::project_config::config_dir,

  784.     statsd_host              => 'graphite.opendev.org',

  785.   }

  786. 

  787.   class { '::zuul::executor': }

  788. 

  789.   # This is used by the log job submission playbook which runs under

  790.   # python2

  791.   package { 'gear':

  792.     ensure   => latest,

  793.     provider => openstack_pip,

  794.     require  => Class['pip'],

  795.   }

  796. 

  797.   file { '/var/lib/zuul/ssh/nodepool_id_rsa':

  798.     owner   => 'zuul',

  799.     group   => 'zuul',

  800.     mode    => '0400',

  801.     require => File['/var/lib/zuul/ssh'],

  802.     content => $zuul_ssh_private_key,

  803.   }

  804. 

  805.   file { '/var/lib/zuul/ssh/static_id_rsa':

  806.     owner   => 'zuul',

  807.     group   => 'zuul',

  808.     mode    => '0400',

  809.     require => File['/var/lib/zuul/ssh'],

  810.     content => $zuul_static_private_key,

  811.   }

  812. 

  813.   class { '::zuul::known_hosts':

  814.     known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",

  815.   }

  816. }

  817. 

  818. # Node-OS: xenial

  819. node /^zuul\d+\.open.*\.org$/ {

  820.   $group = "zuul-scheduler"

  821.   $gerrit_server        = 'review.opendev.org'

  822.   $gerrit_user          = 'zuul'

  823.   $gerrit_ssh_host_key  = hiera('gerrit_zuul_user_ssh_key_contents')

  824.   $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')

  825.   $zuul_url             = "http://zuul.openstack.org/p"

  826.   $git_email            = 'zuul@openstack.org'

  827.   $git_name             = 'OpenStack Zuul'

  828.   $revision             = 'master'

  829. 

  830.   class { 'openstack_project::server': }

  831. 

  832.   class { '::project_config':

  833.     url => 'https://opendev.org/openstack/project-config',

  834.   }

  835. 

  836.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  837.   # settings.

  838.   class { '::zuul':

  839.     gerrit_server                 => $gerrit_server,

  840.     gerrit_user                   => $gerrit_user,

  841.     zuul_ssh_private_key          => $zuul_ssh_private_key,

  842.     git_email                     => $git_email,

  843.     git_name                      => $git_name,

  844.     revision                      => $revision,

  845.     python_version                => 3,

  846.     zookeeper_hosts               => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  847.     zookeeper_session_timeout     => 40,

  848.     zuulv3                        => true,

  849.     connections                   => hiera('zuul_connections', []),

  850.     connection_secrets            => hiera('zuul_connection_secrets', []),

  851.     vhost_name                    => 'zuul.openstack.org',

  852.     zuul_status_url               => 'http://127.0.0.1:8001/openstack',

  853.     zuul_web_url                  => 'http://127.0.0.1:9000',

  854.     zuul_tenant_name              => 'openstack',

  855.     gearman_client_ssl_cert       => hiera('gearman_client_ssl_cert'),

  856.     gearman_client_ssl_key        => hiera('gearman_client_ssl_key'),

  857.     gearman_server_ssl_cert       => hiera('gearman_server_ssl_cert'),

  858.     gearman_server_ssl_key        => hiera('gearman_server_ssl_key'),

  859.     gearman_ssl_ca                => hiera('gearman_ssl_ca'),

  860.     proxy_ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),

  861.     proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),

  862.     proxy_ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),

  863.     statsd_host                   => 'graphite.opendev.org',

  864.     status_url                    => 'https://zuul.openstack.org',

  865.     relative_priority             => true,

  866.     web_root                      => 'https://zuul.opendev.org',

  867.   }

  868. 

  869.   file { "/etc/zuul/github.key":

  870.     ensure  => present,

  871.     owner   => 'zuul',

  872.     group   => 'zuul',

  873.     mode    => '0600',

  874.     content => hiera('zuul_github_app_key'),

  875.     require => File['/etc/zuul'],

  876.   }

  877. 

  878.   class { '::zuul::scheduler':

  879.     layout_dir     => $::project_config::zuul_layout_dir,

  880.     require        => $::project_config::config_dir,

  881.     python_version => 3,

  882.     use_mysql      => true,

  883.   }

  884. 

  885.   class { '::zuul::web':

  886.     # We manage backups below

  887.     enable_status_backups => false,

  888.     vhosts => {

  889.       'zuul.openstack.org' => {

  890.         port       => 443,

  891.         docroot    => '/opt/zuul-web/content',

  892.         priority   => '50',

  893.         ssl        => true,

  894.         template   => 'zuul/zuulv3.vhost.erb',

  895.         vhost_name => 'zuul.openstack.org',

  896.       },

  897.       'zuul.opendev.org' => {

  898.         port       => 443,

  899.         docroot    => '/opt/zuul-web/content',

  900.         priority   => '40',

  901.         ssl        => true,

  902.         template   => 'zuul/zuulv3.vhost.erb',

  903.         vhost_name => 'zuul.opendev.org',

  904.       },

  905.       'zuul.openstack.org-http' => {

  906.         port       => 80,

  907.         docroot    => '/opt/zuul-web/content',

  908.         priority   => '50',

  909.         ssl        => false,

  910.         template   => 'zuul/zuulv3.vhost.erb',

  911.         vhost_name => 'zuul.openstack.org',

  912.       },

  913.       'zuul.opendev.org-http' => {

  914.         port       => 80,

  915.         docroot    => '/opt/zuul-web/content',

  916.         priority   => '40',

  917.         ssl        => false,

  918.         template   => 'zuul/zuulv3.vhost.erb',

  919.         vhost_name => 'zuul.opendev.org',

  920.       },

  921.     },

  922.     vhosts_flags => {

  923.       'zuul.openstack.org' => {

  924.         tenant_name => 'openstack',

  925.         ssl         => true,

  926.       },

  927.       'zuul.opendev.org' => {

  928.         tenant_name => '',

  929.         ssl         => true,

  930.       },

  931.       'zuul.openstack.org-http' => {

  932.         tenant_name => 'openstack',

  933.         ssl         => false,

  934.       },

  935.       'zuul.opendev.org-http' => {

  936.         tenant_name => '',

  937.         ssl         => false,

  938.       },

  939.     },

  940.     vhosts_ssl => {

  941.       'zuul.openstack.org' => {

  942.         ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),

  943.         ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),

  944.         ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),

  945.       },

  946.       'zuul.opendev.org' => {

  947.         ssl_cert_file_contents  => hiera('opendev_zuul_ssl_cert_file_contents'),

  948.         ssl_chain_file_contents => hiera('opendev_zuul_ssl_chain_file_contents'),

  949.         ssl_key_file_contents   => hiera('opendev_zuul_ssl_key_file_contents'),

  950.       },

  951.     },

  952.   }

  953. 

  954.   zuul::status_backups { 'openstack-zuul-tenant':

  955.     tenant_name => 'openstack',

  956.     ssl         => true,

  957.     status_uri  => 'https://zuul.opendev.org/api/tenant/openstack/status',

  958.   }

  959. 

  960.   zuul::status_backups { 'kata-zuul-tenant':

  961.     tenant_name => 'kata-containers',

  962.     ssl         => true,

  963.     status_uri  => 'https://zuul.opendev.org/api/tenant/kata-containers/status',

  964.   }

  965. 

  966.   class { '::zuul::fingergw': }

  967. 

  968.   class { '::zuul::known_hosts':

  969.     known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",

  970.   }

  971. 

  972.   include bup

  973.   bup::site { 'rax.ord':

  974.     backup_user   => 'bup-zuulv3',

  975.     backup_server => 'backup01.ord.rax.ci.openstack.org',

  976.   }

  977. 

  978. }

  979. 

  980. # Node-OS: xenial

  981. node /^zm\d+.open.*\.org$/ {

  982.   $group = "zuul-merger"

  983. 

  984.   $gerrit_server        = 'review.opendev.org'

  985.   $gerrit_user          = 'zuul'

  986.   $gerrit_ssh_host_key  = hiera('gerrit_ssh_rsa_pubkey_contents')

  987.   $zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')

  988.   $zuul_url             = "http://${::fqdn}/p"

  989.   $git_email            = 'zuul@openstack.org'

  990.   $git_name             = 'OpenStack Zuul'

  991.   $revision             = 'master'

  992. 

  993.   class { 'openstack_project::server': }

  994. 

  995.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  996.   # settings.

  997.   class { '::zuul':

  998.     gearman_server          => 'zuul01.openstack.org',

  999.     gerrit_server           => $gerrit_server,

  1000.     gerrit_user             => $gerrit_user,

  1001.     zuul_ssh_private_key    => $zuul_ssh_private_key,

  1002.     git_email               => $git_email,

  1003.     git_name                => $git_name,

  1004.     revision                => $revision,

  1005.     python_version          => 3,

  1006.     zookeeper_hosts         => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  1007.     zuulv3                  => true,

  1008.     connections             => hiera('zuul_connections', []),

  1009.     connection_secrets      => hiera('zuul_connection_secrets', []),

  1010.     gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),

  1011.     gearman_client_ssl_key  => hiera('gearman_client_ssl_key'),

  1012.     gearman_ssl_ca          => hiera('gearman_ssl_ca'),

  1013.     statsd_host             => 'graphite.opendev.org',

  1014.   }

  1015. 

  1016.   class { 'openstack_project::zuul_merger':

  1017.     gerrit_server        => $gerrit_server,

  1018.     gerrit_user          => $gerrit_user,

  1019.     gerrit_ssh_host_key  => $gerrit_ssh_host_key,

  1020.     zuul_ssh_private_key => $zuul_ssh_private_key,

  1021.     manage_common_zuul   => false,

  1022.   }

  1023. }

  1024. 

  1025. # Node-OS: xenial

  1026. node /^pbx\d*\.open.*\.org$/ {

  1027.   $group = "pbx"

  1028.   class { 'openstack_project::server': }

  1029.   class { 'openstack_project::pbx':

  1030.     sip_providers => [

  1031.       {

  1032.         provider => 'voipms',

  1033.         hostname => 'dallas.voip.ms',

  1034.         username => hiera('voipms_username', 'username'),

  1035.         password => hiera('voipms_password'),

  1036.         outgoing => false,

  1037.       },

  1038.     ],

  1039.   }

  1040. }

  1041. 

  1042. # Node-OS: xenial

  1043. # A backup machine.  Don't run cron or puppet agent on it.

  1044. node /^backup\d+\..*\.ci\.open.*\.org$/ {

  1045.   $group = "ci-backup"

  1046.   class { 'openstack_project::server': }

  1047.   include openstack_project::backup_server

  1048. }

  1049. 

  1050. # Node-OS: xenial

  1051. node /^openstackid\d*(\.openstack)?\.org$/ {

  1052.   $group = "openstackid"

  1053.   class { 'openstack_project::openstackid_prod':

  1054.     site_admin_password                 => hiera('openstackid_site_admin_password'),

  1055.     id_mysql_host                       => hiera('openstackid_id_mysql_host', 'localhost'),

  1056.     id_mysql_password                   => hiera('openstackid_id_mysql_password'),

  1057.     id_mysql_user                       => hiera('openstackid_id_mysql_user', 'username'),

  1058.     id_db_name                          => hiera('openstackid_id_db_name'),

  1059.     ss_mysql_host                       => hiera('openstackid_ss_mysql_host', 'localhost'),

  1060.     ss_mysql_password                   => hiera('openstackid_ss_mysql_password'),

  1061.     ss_mysql_user                       => hiera('openstackid_ss_mysql_user', 'username'),

  1062.     ss_db_name                          => hiera('openstackid_ss_db_name', 'username'),

  1063.     redis_password                      => hiera('openstackid_redis_password'),

  1064.     ssl_cert_file_contents              => hiera('openstackid_ssl_cert_file_contents'),

  1065.     ssl_key_file_contents               => hiera('openstackid_ssl_key_file_contents'),

  1066.     ssl_chain_file_contents             => hiera('openstackid_ssl_chain_file_contents'),

  1067.     id_recaptcha_public_key             => hiera('openstackid_recaptcha_public_key'),

  1068.     id_recaptcha_private_key            => hiera('openstackid_recaptcha_private_key'),

  1069.     vhost_name                          => 'openstackid.org',

  1070.     session_cookie_domain               => 'openstackid.org',

  1071.     serveradmin                         => 'webmaster@openstackid.org',

  1072.     canonicalweburl                     => 'https://openstackid.org/',

  1073.     app_url                             => 'https://openstackid.org',

  1074.     app_key                             => hiera('openstackid_app_key'),

  1075.     id_log_error_to_email               => 'openstack@tipit.net',

  1076.     id_log_error_from_email             => 'noreply@openstack.org',

  1077.     email_driver                        => 'sendgrid',

  1078.     email_send_grid_api_key             => hiera('openstackid_send_grid_api_key'),

  1079.     php_version                         => 7,

  1080.     mysql_ssl_enabled                   => true,

  1081.     mysql_ssl_ca_file_contents          => hiera('openstackid_mysql_ssl_ca_file_contents'),

  1082.     mysql_ssl_client_key_file_contents  => hiera('openstackid_mysql_ssl_client_key_file_contents'),

  1083.     mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),

  1084.     lost_password_url                   => 'https://openstackid.org/lost-password',

  1085.     registration_url                    => 'https://openstackid.org/registration',

  1086.     registration_mobile_url             => 'https://openstackid.org/registration-mobile',

  1087.     resend_verification_url             => 'https://openstackid.org/resend-verification',

  1088.   }

  1089. }

  1090. 

  1091. # Node-OS: xenial

  1092. node /^openstackid-dev\d*\.openstack\.org$/ {

  1093.   $group = "openstackid-dev"

  1094.   class { 'openstack_project::openstackid_dev':

  1095.     site_admin_password                 => hiera('openstackid_dev_site_admin_password'),

  1096.     id_mysql_host                       => hiera('openstackid_dev_id_mysql_host', 'localhost'),

  1097.     id_mysql_password                   => hiera('openstackid_dev_id_mysql_password'),

  1098.     id_mysql_user                       => hiera('openstackid_dev_id_mysql_user', 'username'),

  1099.     ss_mysql_host                       => hiera('openstackid_dev_ss_mysql_host', 'localhost'),

  1100.     ss_mysql_password                   => hiera('openstackid_dev_ss_mysql_password'),

  1101.     ss_mysql_user                       => hiera('openstackid_dev_ss_mysql_user', 'username'),

  1102.     ss_db_name                          => hiera('openstackid_dev_ss_db_name', 'username'),

  1103.     redis_password                      => hiera('openstackid_dev_redis_password'),

  1104.     ssl_cert_file_contents              => hiera('openstackid_dev_ssl_cert_file_contents'),

  1105.     ssl_key_file_contents               => hiera('openstackid_dev_ssl_key_file_contents'),

  1106.     ssl_chain_file_contents             => hiera('openstackid_dev_ssl_chain_file_contents'),

  1107.     id_recaptcha_public_key             => hiera('openstackid_dev_recaptcha_public_key'),

  1108.     id_recaptcha_private_key            => hiera('openstackid_dev_recaptcha_private_key'),

  1109.     vhost_name                          => 'openstackid-dev.openstack.org',

  1110.     session_cookie_domain               => 'openstackid-dev.openstack.org',

  1111.     serveradmin                         => 'webmaster@openstackid-dev.openstack.org',

  1112.     canonicalweburl                     => 'https://openstackid-dev.openstack.org/',

  1113.     app_url                             => 'https://openstackid-dev.openstack.org',

  1114.     app_key                             => hiera('openstackid_dev_app_key'),

  1115.     id_log_error_to_email               => 'openstack@tipit.net',

  1116.     id_log_error_from_email             => 'noreply@openstack.org',

  1117.     email_driver                        => 'sendgrid',

  1118.     email_send_grid_api_key             => hiera('openstackid_dev_send_grid_api_key'),

  1119.     php_version                         => 7,

  1120.     mysql_ssl_enabled                   => true,

  1121.     mysql_ssl_ca_file_contents          => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),

  1122.     mysql_ssl_client_key_file_contents  => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),

  1123.     mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),

  1124.     lost_password_url                   => 'https://openstackid-dev.openstack.org/lost-password',

  1125.     registration_url                    => 'https://openstackid-dev.openstack.org/registration',

  1126.     registration_mobile_url             => 'https://openstackid-dev.openstack.org/registration-mobile',

  1127.     resend_verification_url             => 'https://openstackid-dev.openstack.org/resend-verification',

  1128.   }

  1129. }

  1130. 

  1131. # Node-OS: trusty

  1132. # Used for testing all-in-one deployments

  1133. node 'single-node-ci.test.only' {

  1134.   include ::openstackci::single_node_ci

  1135. }

  1136. 

  1137. # Node-OS: xenial

  1138. node /^kdc03\.open.*\.org$/ {

  1139.   class { 'openstack_project::server': }

  1140. 

  1141.   class { 'openstack_project::kdc': }

  1142. }

  1143. 

  1144. # Node-OS: xenial

  1145. node /^kdc04\.open.*\.org$/ {

  1146.   class { 'openstack_project::server': }

  1147. 

  1148.   class { 'openstack_project::kdc':

  1149.     slave => true,

  1150.   }

  1151. }

  1152. 

  1153. # Node-OS: xenial

  1154. node /^afsdb01\.open.*\.org$/ {

  1155.   $group = "afsdb"

  1156. 

  1157.   class { 'openstack_project::server':

  1158.     afs                       => true,

  1159.   }

  1160. 

  1161.   include openstack_project::afsdb

  1162.   include openstack_project::afsrelease

  1163. }

  1164. 

  1165. # Node-OS: xenial

  1166. node /^afsdb.*\.open.*\.org$/ {

  1167.   $group = "afsdb"

  1168. 

  1169.   class { 'openstack_project::server':

  1170.     afs                       => true,

  1171.   }

  1172. 

  1173.   include openstack_project::afsdb

  1174. }

  1175. 

  1176. # Node-OS: xenial

  1177. node /^afs.*\..*\.open.*\.org$/ {

  1178.   $group = "afs"

  1179. 

  1180.   class { 'openstack_project::server':

  1181.     afs                       => true,

  1182.   }

  1183. 

  1184.   include openstack_project::afsfs

  1185. }

  1186. 

  1187. # Node-OS: trusty

  1188. node /^ask\d*\.open.*\.org$/ {

  1189. 

  1190.   class { 'openstack_project::server': }

  1191. 

  1192.   class { 'openstack_project::ask':

  1193.     db_user                      => hiera('ask_db_user', 'ask'),

  1194.     db_password                  => hiera('ask_db_password'),

  1195.     redis_password               => hiera('ask_redis_password'),

  1196.     site_ssl_cert_file_contents  => hiera('ask_site_ssl_cert_file_contents', undef),

  1197.     site_ssl_key_file_contents   => hiera('ask_site_ssl_key_file_contents', undef),

  1198.     site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),

  1199.   }

  1200. }

  1201. 

  1202. # Node-OS: trusty

  1203. node /^ask-staging\d*\.open.*\.org$/ {

  1204.   class { 'openstack_project::server': }

  1205. 

  1206.   class { 'openstack_project::ask_staging':

  1207.     db_password                  => hiera('ask_staging_db_password'),

  1208.     redis_password               => hiera('ask_staging_redis_password'),

  1209.   }

  1210. }

  1211. 

  1212. # Node-OS: xenial

  1213. node /^translate\d+\.open.*\.org$/ {

  1214.   $group = "translate"

  1215.   class { 'openstack_project::server': }

  1216.   class { 'openstack_project::translate':

  1217.     admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',

  1218.     openid_url                 => 'https://openstackid.org',

  1219.     listeners                  => ['ajp'],

  1220.     from_address               => 'noreply@openstack.org',

  1221.     mysql_host                 => hiera('translate_mysql_host', 'localhost'),

  1222.     mysql_password             => hiera('translate_mysql_password'),

  1223.     zanata_server_user         => hiera('proposal_zanata_user'),

  1224.     zanata_server_api_key      => hiera('proposal_zanata_api_key'),

  1225.     zanata_wildfly_version     => '10.1.0',

  1226.     zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',

  1227.     zanata_main_version        => 4,

  1228.     zanata_url                 => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',

  1229.     zanata_checksum            => 'eaf8bd07401dade758b677007d2358f173193d17',

  1230.     project_config_repo        => 'https://opendev.org/openstack/project-config',

  1231.     ssl_cert_file_contents     => hiera('translate_ssl_cert_file_contents'),

  1232.     ssl_key_file_contents      => hiera('translate_ssl_key_file_contents'),

  1233.     ssl_chain_file_contents    => hiera('translate_ssl_chain_file_contents'),

  1234.     vhost_name                 => 'translate.openstack.org',

  1235.   }

  1236. }

  1237. 

  1238. # Node-OS: xenial

  1239. node /^translate-dev\d*\.open.*\.org$/ {

  1240.   $group = "translate-dev"

  1241.   class { 'openstack_project::translate_dev':

  1242.     admin_users           => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',

  1243.     openid_url            => 'https://openstackid-dev.openstack.org',

  1244.     listeners             => ['ajp'],

  1245.     from_address          => 'noreply@openstack.org',

  1246.     mysql_host            => hiera('translate_dev_mysql_host', 'localhost'),

  1247.     mysql_password        => hiera('translate_dev_mysql_password'),

  1248.     zanata_server_user    => hiera('proposal_zanata_user'),

  1249.     zanata_server_api_key => hiera('proposal_zanata_api_key'),

  1250.     project_config_repo   => 'https://opendev.org/openstack/project-config',

  1251.     vhost_name            => 'translate-dev.openstack.org',

  1252.   }

  1253. }

  1254. 

  1255. 

  1256. # Node-OS: xenial

  1257. node /^codesearch\d*\.open.*\.org$/ {

  1258.   $group = "codesearch"

  1259.   class { 'openstack_project::server': }

  1260.   class { 'openstack_project::codesearch':

  1261.     project_config_repo => 'https://opendev.org/openstack/project-config',

  1262.   }

  1263. }

  1264. 

  1265. # vim:sw=2:ts=2:expandtab:textwidth=79