System configuration for OpenStack Infrastructure


  1. #
  2. # Top-level variables
  3. #
  4. # There must not be any whitespace between this comment and the variables or
  5. # in between any two variables in order for them to be correctly parsed and
  6. # passed around in test.sh
  7. #
  8. # Note we do not do a hiera lookup here as we set $group on a per node basis
  9. # and that must be set before we can do hiera lookups. Doing a hiera lookup
  10. # here would fail to find any group specific info.
  # Elasticsearch cluster member hostnames; passed as discover_nodes to
  # openstack_project::elasticsearch_node further down. Keep this contiguous
  # with the header comment (no blank lines), as that comment requires.
  $elasticsearch_nodes = [
    "elasticsearch02.openstack.org",
    "elasticsearch03.openstack.org",
    "elasticsearch04.openstack.org",
    "elasticsearch05.openstack.org",
    "elasticsearch06.openstack.org",
    "elasticsearch07.openstack.org",
  ]
  19. #
  20. # Default: should at least behave like an openstack server
  21. #
  node default {
    # Fallback for any node that no other node block matches: apply only the
    # base server class, with that class's own parameter defaults.
    class { 'openstack_project::server': }
  }
  26. #
  27. # Long lived servers:
  28. #
  29. # Node-OS: xenial
  node /^review\d*\.open.*\.org$/ {
    # Gerrit code-review host. Every credential below is read from hiera; only
    # non-secret lookups (GitHub/Swift usernames, MySQL host) carry placeholder
    # defaults, so a missing secret fails the lookup instead of deploying a
    # guessable value.
    # NOTE(review): 'open.*' in the node pattern matches any characters, so it
    # accepts more names than openstack.org/opendev.org. This presumably relies
    # on the Puppet CA only signing expected certnames; confirm.
    $group = 'review'

    class { 'openstack_project::server': }

    class { 'openstack_project::review':
      project_config_repo                  => 'https://opendev.org/openstack/project-config',
      github_oauth_token                   => hiera('gerrit_github_token'),
      github_project_username              => hiera('github_project_username', 'username'),
      github_project_password              => hiera('github_project_password'),
      mysql_host                           => hiera('gerrit_mysql_host', 'localhost'),
      mysql_password                       => hiera('gerrit_mysql_password'),
      email_private_key                    => hiera('gerrit_email_private_key'),
      token_private_key                    => hiera('gerrit_rest_token_private_key'),
      gerritbot_password                   => hiera('gerrit_gerritbot_password'),
      gerritbot_ssh_rsa_key_contents       => hiera('gerritbot_ssh_rsa_key_contents'),
      gerritbot_ssh_rsa_pubkey_contents    => hiera('gerritbot_ssh_rsa_pubkey_contents'),
      ssl_cert_file_contents               => hiera('review_opendev_cert_file_contents'),
      ssl_key_file_contents                => hiera('review_opendev_key_file_contents'),
      ssl_chain_file_contents              => hiera('review_opendev_chain_file_contents'),
      # NOTE(review): a DSA SSH key pair is still provisioned next to the RSA
      # one; DSA is deprecated in current OpenSSH clients. Confirm it is still
      # needed.
      ssh_dsa_key_contents                 => hiera('gerrit_ssh_dsa_key_contents'),
      ssh_dsa_pubkey_contents              => hiera('gerrit_ssh_dsa_pubkey_contents'),
      ssh_rsa_key_contents                 => hiera('gerrit_ssh_rsa_key_contents'),
      ssh_rsa_pubkey_contents              => hiera('gerrit_ssh_rsa_pubkey_contents'),
      ssh_project_rsa_key_contents         => hiera('gerrit_project_ssh_rsa_key_contents'),
      ssh_project_rsa_pubkey_contents      => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
      ssh_welcome_rsa_key_contents         => hiera('welcome_message_gerrit_ssh_private_key'),
      ssh_welcome_rsa_pubkey_contents      => hiera('welcome_message_gerrit_ssh_public_key'),
      ssh_replication_rsa_key_contents     => hiera('gerrit_replication_ssh_rsa_key_contents'),
      ssh_replication_rsa_pubkey_contents  => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),
      lp_access_token                      => hiera('gerrit_lp_access_token'),
      lp_access_secret                     => hiera('gerrit_lp_access_secret'),
      lp_consumer_key                      => hiera('gerrit_lp_consumer_key'),
      swift_username                       => hiera('swift_store_user', 'username'),
      swift_password                       => hiera('swift_store_key'),
      storyboard_password                  => hiera('gerrit_storyboard_token'),
      # Compatibility layer vars for the old domain name below here.
      # TODO rename the hiera keys to reduce confusion
      review_openstack_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),
      review_openstack_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),
      review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
    }
  }
  71. # Node-OS: xenial
  72. # Puppet-Version: !3
  node /^grafana\d*\.open.*\.org$/ {
    # Grafana dashboard host. The admin password, database password and
    # secret_key have no default, so the catalog fails to compile rather than
    # falling back to a known value when they are missing from hiera.
    $group = 'grafana'

    class { 'openstack_project::server': }

    class { 'openstack_project::grafana':
      admin_password      => hiera('grafana_admin_password'),
      admin_user          => hiera('grafana_admin_user', 'username'),
      mysql_host          => hiera('grafana_mysql_host', 'localhost'),
      mysql_name          => hiera('grafana_mysql_name'),
      mysql_password      => hiera('grafana_mysql_password'),
      mysql_user          => hiera('grafana_mysql_user', 'username'),
      project_config_repo => 'https://opendev.org/openstack/project-config',
      secret_key          => hiera('grafana_secret_key'),
    }
  }
  87. # Node-OS: xenial
  node /^health\d*\.openstack\.org$/ {
    # openstack-health API host; only the subunit2sql database host is looked
    # up, defaulting to localhost.
    $group = 'health'

    class { 'openstack_project::server': }

    class { 'openstack_project::openstack_health_api':
      subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
      hostname            => 'health.openstack.org',
    }
  }
  96. # Node-OS: xenial
  node /^cacti\d+\.open.*\.org$/ {
    # Cacti monitoring host; also pulls in the SSL certificate check class.
    # NOTE(review): unlike most nodes here, openstack_project::server is not
    # declared directly; presumably openstack_project::cacti applies it.
    # Verify.
    $group = 'cacti'

    include openstack_project::ssl_cert_check

    class { 'openstack_project::cacti':
      cacti_hosts => hiera_array('cacti_hosts'),
      vhost_name  => 'cacti.openstack.org',
    }
  }
  105. # Node-OS: xenial
  node /^graphite\d*\.open.*\.org$/ {
    # Graphite metrics host. The admin password has no default; user and
    # e-mail fall back to placeholders.
    class { 'openstack_project::server': }

    class { '::graphite':
      graphite_admin_user     => hiera('graphite_admin_user', 'username'),
      graphite_admin_email    => hiera('graphite_admin_email', 'email@example.com'),
      graphite_admin_password => hiera('graphite_admin_password'),
      # NOTE(ianw): installed on the host via ansible
      # The certificate paths name graphite01.opendev.org explicitly, although
      # the node pattern above matches any graphite host.
      ssl_cert_file           => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',
      ssl_key_file            => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',
      ssl_chain_file          => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',
    }
  }
  118. # Node-OS: xenial
  node /^lists\d*\.open.*\.org$/ {
    # Mailing-list host; the list admin password is the only input and has no
    # default.
    class { 'openstack_project::server': }

    class { 'openstack_project::lists':
      listpassword => hiera('listpassword'),
    }
  }
  125. # Node-OS: xenial
  node /^lists\d*\.katacontainers\.io$/ {
    # Kata Containers mailing-list host.
    # NOTE(review): reads the same hiera key name ('listpassword') as the
    # OpenStack lists node; presumably hiera resolves a per-host value.
    # Confirm the two servers do not share one password.
    class { 'openstack_project::server': }

    class { 'openstack_project::kata_lists':
      listpassword => hiera('listpassword'),
    }
  }
  132. # Node-OS: xenial
  node /^paste\d*\.open.*\.org$/ {
    # Paste service host; database host and password must both be present in
    # hiera (no defaults).
    $group = 'paste'

    class { 'openstack_project::server': }

    class { 'openstack_project::paste':
      db_password => hiera('paste_db_password'),
      db_host     => hiera('paste_db_host'),
      vhost_name  => 'paste.openstack.org',
    }
  }
  142. # Node-OS: xenial
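  node /^planet\d*\.open.*\.org$/ {
    # Planet feed aggregator host.
    # The pattern is anchored with '^' like every other node pattern in this
    # file. Without the anchor, any certname that merely ended in
    # 'planet<N>.open...org' (for example one with an arbitrary prefix) would
    # also have been classified as a planet server.
    # NOTE(review): openstack_project::server is not declared here; presumably
    # openstack_project::planet applies it. Verify.
    class { 'openstack_project::planet': }
  }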
  147. # Node-OS: xenial
  node /^eavesdrop\d*\.open.*\.org$/ {
    # IRC bot host (meetbot, statusbot, accessbot, ptgbot). Bot passwords, wiki
    # credentials and Twitter API secrets come from hiera without defaults; only
    # nicks and channel lists have fallbacks.
    $group = 'eavesdrop'

    class { 'openstack_project::server': }

    class { 'openstack_project::eavesdrop':
      project_config_repo            => 'https://opendev.org/openstack/project-config',
      nickpass                       => hiera('openstack_meetbot_password'),
      statusbot_nick                 => hiera('statusbot_nick', 'username'),
      statusbot_password             => hiera('statusbot_nick_password'),
      statusbot_server               => 'chat.freenode.net',
      statusbot_channels             => hiera_array('statusbot_channels', ['openstack_infra']),
      # Nicks allowed to drive statusbot; no default, so the list has to be set
      # explicitly in hiera.
      statusbot_auth_nicks           => hiera_array('statusbot_auth_nicks'),
      statusbot_wiki_user            => hiera('statusbot_wiki_username', 'username'),
      statusbot_wiki_password        => hiera('statusbot_wiki_password'),
      statusbot_wiki_url             => 'https://wiki.openstack.org/w/api.php',
      # https://wiki.openstack.org/wiki/Infrastructure_Status
      statusbot_wiki_pageid          => '1781',
      statusbot_wiki_successpageid   => '7717',
      statusbot_wiki_successpageurl  => 'https://wiki.openstack.org/wiki/Successes',
      statusbot_wiki_thankspageid    => '37700',
      statusbot_wiki_thankspageurl   => 'https://wiki.openstack.org/wiki/Thanks',
      # NOTE(review): the log URL template is plain http while the wiki URLs
      # are https; confirm whether the log site serves https.
      statusbot_irclogs_url          => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',
      statusbot_twitter              => true,
      statusbot_twitter_key          => hiera('statusbot_twitter_key'),
      statusbot_twitter_secret       => hiera('statusbot_twitter_secret'),
      statusbot_twitter_token_key    => hiera('statusbot_twitter_token_key'),
      statusbot_twitter_token_secret => hiera('statusbot_twitter_token_secret'),
      accessbot_nick                 => hiera('accessbot_nick', 'username'),
      accessbot_password             => hiera('accessbot_nick_password'),
      # NOTE(review): uses hiera() with an array default, whereas
      # statusbot_channels uses hiera_array(); confirm the difference is
      # intended.
      meetbot_channels               => hiera('meetbot_channels', ['openstack-infra']),
      ptgbot_nick                    => hiera('ptgbot_nick', 'username'),
      ptgbot_password                => hiera('ptgbot_password'),
    }
  }
  181. # Node-OS: xenial
  node /^ethercalc\d+\.open.*\.org$/ {
    # Ethercalc host. The TLS material is read from un-prefixed hiera keys
    # ('ssl_*_file_contents'), so the value presumably depends on $group- or
    # host-specific hiera data. Verify it cannot resolve to another service's
    # key.
    $group = 'ethercalc'

    class { 'openstack_project::server': }

    class { 'openstack_project::ethercalc':
      vhost_name              => 'ethercalc.openstack.org',
      ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
    }
  }
  192. # Node-OS: xenial
  node /^etherpad\d*\.open.*\.org$/ {
    # Production Etherpad host: TLS material and the database password are
    # required hiera keys; database host and user have placeholder defaults.
    $group = 'etherpad'

    class { 'openstack_project::server': }

    class { 'openstack_project::etherpad':
      vhost_name              => 'etherpad.openstack.org',
      ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),
      mysql_host              => hiera('etherpad_db_host', 'localhost'),
      mysql_user              => hiera('etherpad_db_user', 'username'),
      mysql_password          => hiera('etherpad_db_password'),
    }
  }
  206. # Node-OS: xenial
  node /^etherpad-dev\d*\.open.*\.org$/ {
    # Development Etherpad host. It uses its own 'etherpad-dev_*' hiera keys,
    # so its database credentials are separate from the production keys. No TLS
    # parameters are passed here.
    $group = 'etherpad-dev'

    class { 'openstack_project::server': }

    class { 'openstack_project::etherpad_dev':
      vhost_name     => 'etherpad-dev.openstack.org',
      mysql_host     => hiera('etherpad-dev_db_host', 'localhost'),
      mysql_user     => hiera('etherpad-dev_db_user', 'username'),
      mysql_password => hiera('etherpad-dev_db_password'),
    }
  }
  217. # Node-OS: trusty
  node /^wiki\d+\.openstack\.org$/ {
    # Production MediaWiki host. The wg_* secrets (database password, secret
    # key, upgrade key, reCAPTCHA keys) and TLS material are required hiera
    # keys.
    # NOTE(review): openstack_project::server is not declared directly here;
    # presumably openstack_project::wiki applies the base configuration. Verify.
    $group = 'wiki'

    class { 'openstack_project::wiki':
      bup_user                  => 'bup-wiki',
      serveradmin               => hiera('infra_apache_serveradmin'),
      site_hostname             => 'wiki.openstack.org',
      ssl_cert_file_contents    => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents     => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents   => hiera('ssl_chain_file_contents'),
      wg_dbserver               => hiera('wg_dbserver'),
      wg_dbname                 => 'openstack_wiki',
      wg_dbuser                 => 'wikiuser',
      wg_dbpassword             => hiera('wg_dbpassword'),
      wg_secretkey              => hiera('wg_secretkey'),
      wg_upgradekey             => hiera('wg_upgradekey'),
      wg_recaptchasitekey       => hiera('wg_recaptchasitekey'),
      wg_recaptchasecretkey     => hiera('wg_recaptchasecretkey'),
      wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),
    }
  }
  238. # Node-OS: trusty
  node /^wiki-dev\d+\.openstack\.org$/ {
    # Development MediaWiki host; robots are disallowed and no TLS material is
    # passed.
    # NOTE(review): the database name, user and wg_* hiera key names are the
    # same as on the production wiki node. Presumably the 'wiki-dev' group
    # resolves them to different values; confirm dev does not share the
    # production database credentials or secret key.
    $group = 'wiki-dev'

    class { 'openstack_project::wiki':
      serveradmin           => hiera('infra_apache_serveradmin'),
      site_hostname         => 'wiki-dev.openstack.org',
      wg_dbserver           => hiera('wg_dbserver'),
      wg_dbname             => 'openstack_wiki',
      wg_dbuser             => 'wikiuser',
      wg_dbpassword         => hiera('wg_dbpassword'),
      wg_secretkey          => hiera('wg_secretkey'),
      wg_upgradekey         => hiera('wg_upgradekey'),
      wg_recaptchasitekey   => hiera('wg_recaptchasitekey'),
      wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),
      disallow_robots       => true,
    }
  }
  255. # Node-OS: xenial
  node /^logstash\d*\.open.*\.org$/ {
    # Logstash front-end host.
    class { 'openstack_project::server': }

    class { 'openstack_project::logstash':
      # Same six hosts as $elasticsearch_nodes, written out again with the
      # :9200 port; the two lists have to be kept in sync by hand.
      discover_nodes      => [
        'elasticsearch03.openstack.org:9200',
        'elasticsearch04.openstack.org:9200',
        'elasticsearch05.openstack.org:9200',
        'elasticsearch06.openstack.org:9200',
        'elasticsearch07.openstack.org:9200',
        'elasticsearch02.openstack.org:9200',
      ],
      # NOTE(review): both lookups default to the empty string, so a missing
      # hiera key yields an empty database password instead of a compile
      # failure. Confirm the class treats '' as "not configured".
      subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
      subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
    }
  }
  271. # Node-OS: xenial
  node /^logstash-worker\d+\.open.*\.org$/ {
    # Logstash worker host. MQTT is switched off, but the MQTT password and CA
    # certificate are still looked up without defaults, so both keys must
    # exist in hiera.
    $group = 'logstash-worker'

    class { 'openstack_project::server': }

    class { 'openstack_project::logstash_worker':
      discover_node         => 'elasticsearch03.openstack.org',
      enable_mqtt           => false,
      mqtt_password         => hiera('mqtt_service_user_password'),
      mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
    }
  }
  282. # Node-OS: xenial
  node /^subunit-worker\d+\.open.*\.org$/ {
    # subunit2sql worker host.
    $group = 'subunit-worker'

    class { 'openstack_project::server': }

    class { 'openstack_project::subunit_worker':
      # NOTE(review): empty-string defaults mean a missing hiera key silently
      # configures an empty database password; confirm that is handled
      # downstream.
      subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),
      subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),
      mqtt_pass             => hiera('mqtt_service_user_password'),
      mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
    }
  }
  293. # Node-OS: xenial
  node /^elasticsearch\d+\.open.*\.org$/ {
    # Elasticsearch cluster member; peers come from the top-level
    # $elasticsearch_nodes list.
    $group = 'elasticsearch'

    class { 'openstack_project::server': }

    class { 'openstack_project::elasticsearch_node':
      discover_nodes => $elasticsearch_nodes,
    }
  }
  301. # Node-OS: xenial
  node /^firehose\d+\.open.*\.org$/ {
    # MQTT firehose host. It holds a Gerrit SSH key pair, the MQTT service
    # password, the broker's TLS CA/certificate/key and IMAP credentials, all
    # as required hiera keys. The Gerrit host key is pinned from the same hiera
    # key that holds Gerrit's RSA public key.
    class { 'openstack_project::server': }

    class { 'openstack_project::firehose':
      gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
      gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),
      gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),
      mqtt_password       => hiera('mqtt_service_user_password'),
      ca_file             => hiera('mosquitto_tls_ca_file'),
      cert_file           => hiera('mosquitto_tls_server_cert_file'),
      key_file            => hiera('mosquitto_tls_server_key_file'),
      imap_hostname       => hiera('lpmqtt_imap_server'),
      imap_username       => hiera('lpmqtt_imap_username'),
      imap_password       => hiera('lpmqtt_imap_password'),
      statsd_host         => 'graphite.opendev.org',
    }
  }
  318. # A machine to drive AFS mirror updates.
  319. # Node-OS: xenial
  node /^mirror-update\d*\.open.*\.org$/ {
    # Holds one keytab per mirror volume plus the AFS admin keytab, all read
    # from hiera without defaults. This host therefore concentrates write
    # credentials for every mirror it updates.
    $group = 'afsadmin'

    class { 'openstack_project::mirror_update':
      admin_keytab          => hiera('afsadmin_keytab'),
      fedora_keytab         => hiera('fedora_keytab'),
      opensuse_keytab       => hiera('opensuse_keytab'),
      reprepro_keytab       => hiera('reprepro_keytab'),
      gem_keytab            => hiera('gem_keytab'),
      centos_keytab         => hiera('centos_keytab'),
      epel_keytab           => hiera('epel_keytab'),
      yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),
    }
  }
  333. # Machines in each region to serve AFS mirrors.
  334. # Node-OS: xenial
  node /^mirror\d*\..*\.open.*\.org$/ {
    # Regional mirror host: base server with the AFS client enabled, then the
    # mirror vhost named after the node's own FQDN. No secrets are passed.
    $group = 'mirror'

    class { 'openstack_project::server':
      afs            => true,
      afs_cache_size => 50000000, # 50GB
    }

    class { 'openstack_project::mirror':
      vhost_name => $::fqdn,
      require    => Class['Openstack_project::Server'],
    }
  }
  346. # Serve static AFS content for docs and other sites.
  347. # Node-OS: xenial
  node /^files\d*\.open.*\.org$/ {
    # Static-content host backed by AFS. Several sites get their certificate,
    # key and chain as hiera contents; the newer sites instead point at files
    # under /etc/letsencrypt-certs/.
    $group = 'files'

    class { 'openstack_project::server':
      afs            => true,
      afs_cache_size => 10000000, # 10GB
    }

    class { 'openstack_project::files':
      vhost_name                        => 'files.openstack.org',
      developer_cert_file_contents      => hiera('developer_cert_file_contents'),
      developer_key_file_contents       => hiera('developer_key_file_contents'),
      developer_chain_file_contents     => hiera('developer_chain_file_contents'),
      docs_cert_file_contents           => hiera('docs_cert_file_contents'),
      docs_key_file_contents            => hiera('docs_key_file_contents'),
      docs_chain_file_contents          => hiera('docs_chain_file_contents'),
      git_airship_cert_file_contents    => hiera('git_airship_cert_file_contents'),
      git_airship_key_file_contents     => hiera('git_airship_key_file_contents'),
      git_airship_chain_file_contents   => hiera('git_airship_chain_file_contents'),
      git_openstack_cert_file_contents  => hiera('git_openstack_cert_file_contents'),
      git_openstack_key_file_contents   => hiera('git_openstack_key_file_contents'),
      git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),
      git_starlingx_cert_file_contents  => hiera('git_starlingx_cert_file_contents'),
      git_starlingx_key_file_contents   => hiera('git_starlingx_key_file_contents'),
      git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),
      require                           => Class['Openstack_project::Server'],
    }

    # Temporary for evaluating htaccess rules
    # NOTE(review): served on port 80 only and marked temporary; remove once
    # the evaluation is finished so the test vhost does not linger.
    ::httpd::vhost { 'git-test.openstack.org':
      port     => 80, # Is required despite not being used.
      docroot  => '/afs/openstack.org/project/git-test/www',
      priority => '50',
      template => 'openstack_project/git-test.vhost.erb',
    }

    openstack_project::website { 'docs.starlingx.io':
      volume_name      => 'starlingx.io',
      aliases          => [],
      ssl_cert         => hiera('docs_starlingx_io_ssl_cert'),
      ssl_key          => hiera('docs_starlingx_io_ssl_key'),
      ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }

    openstack_project::website { 'docs.opendev.org':
      aliases          => [],
      docroot          => '/afs/openstack.org/project/opendev.org/docs',
      ssl_cert         => hiera('docs_opendev_ssl_cert'),
      ssl_key          => hiera('docs_opendev_ssl_key'),
      ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),
      require          => Class['openstack_project::files'],
    }

    openstack_project::website { 'tarballs.opendev.org':
      aliases        => [],
      docroot        => '/afs/openstack.org/project/opendev.org/tarballs',
      ssl_cert_file  => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer',
      ssl_key_file   => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key',
      ssl_chain_file => '/etc/letsencrypt-certs/tarballs.opendev.org/ca.cer',
      require        => Class['openstack_project::files'],
    }

    openstack_project::website { 'zuul-ci.org':
      aliases        => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],
      ssl_cert_file  => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer',
      ssl_key_file   => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key',
      ssl_chain_file => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',
      require        => Class['openstack_project::files'],
    }

    # Redirect-only site: the override list permits just the Redirect* and
    # Rewrite* directives named below.
    openstack_project::website { 'git.zuul-ci.org':
      docroot             => '/var/www/git-redirect',
      allow_override_list => 'Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule',
      ssl_cert_file       => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.cer',
      ssl_key_file        => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.key',
      ssl_chain_file      => '/etc/letsencrypt-certs/git.zuul-ci.org/ca.cer',
      require             => Class['openstack_project::files'],
    }
  }
  420. # Node-OS: trusty
  421. # Node-OS: xenial
  node /^refstack\d*\.open.*\.org$/ {
    # RefStack host served over https, plus a remote MySQL backup of its
    # database. The database password and TLS contents have no defaults.
    class { 'openstack_project::server': }

    class { 'refstack':
      mysql_host          => hiera('refstack_mysql_host', 'localhost'),
      mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),
      mysql_user          => hiera('refstack_mysql_user', 'refstack'),
      mysql_user_password => hiera('refstack_mysql_password'),
      ssl_cert_content    => hiera('refstack_ssl_cert_file_contents'),
      ssl_cert            => '/etc/ssl/certs/refstack.pem',
      ssl_key_content     => hiera('refstack_ssl_key_file_contents'),
      ssl_key             => '/etc/ssl/private/refstack.key',
      ssl_ca_content      => hiera('refstack_ssl_chain_file_contents'),
      ssl_ca              => '/etc/ssl/certs/refstack.ca.pem',
      protocol            => 'https',
    }

    # The backup job connects with the application's own database account
    # (same hiera keys as above), not a separate read-only backup user.
    mysql_backup::backup_remote { 'refstack':
      database_host     => hiera('refstack_mysql_host', 'localhost'),
      database_user     => hiera('refstack_mysql_user', 'refstack'),
      database_password => hiera('refstack_mysql_password'),
      require           => Class['::refstack'],
    }
  }
  444. # A machine to run Storyboard
  445. # Node-OS: xenial
  node /^storyboard\d+\.opendev\.org$/ {
    # Production StoryBoard host. OAuth clients and CORS origins are limited to
    # the storyboard.openstack.org site itself.
    $group = 'storyboard'

    class { 'openstack_project::storyboard':
      project_config_repo     => 'https://opendev.org/openstack/project-config',
      mysql_host              => hiera('storyboard_db_host', 'localhost'),
      mysql_user              => hiera('storyboard_db_user', 'username'),
      mysql_password          => hiera('storyboard_db_password'),
      rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),
      rabbitmq_password       => hiera('storyboard_rabbit_password'),
      ssl_cert                => '/etc/ssl/certs/storyboard.openstack.org.pem',
      ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),
      ssl_key                 => '/etc/ssl/private/storyboard.openstack.org.key',
      ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
      hostname                => 'storyboard.openstack.org',
      valid_oauth_clients     => ['storyboard.openstack.org',],
      cors_allowed_origins    => ['https://storyboard.openstack.org',],
      sender_email_address    => 'storyboard@storyboard.openstack.org',
      default_url             => 'https://storyboard.openstack.org',
    }
  }
  467. # A machine to run Storyboard devel
  468. # Node-OS: xenial
  node /^storyboard-dev\d+\.opendev\.org$/ {
    # Development StoryBoard host.
    # NOTE(review): valid_oauth_clients and cors_allowed_origins are both
    # '^.*', i.e. any OAuth client and any browser origin are accepted. That is
    # only tolerable if this instance holds no production data or credentials.
    # The hiera key names match the production node, so confirm the
    # 'storyboard-dev' group resolves them to separate database and RabbitMQ
    # credentials.
    $group = 'storyboard-dev'

    class { 'openstack_project::storyboard::dev':
      project_config_repo  => 'https://opendev.org/openstack/project-config',
      mysql_host           => hiera('storyboard_db_host', 'localhost'),
      mysql_user           => hiera('storyboard_db_user', 'username'),
      mysql_password       => hiera('storyboard_db_password'),
      rabbitmq_user        => hiera('storyboard_rabbit_user', 'username'),
      rabbitmq_password    => hiera('storyboard_rabbit_password'),
      hostname             => 'storyboard-dev.openstack.org',
      valid_oauth_clients  => ['^.*',],
      cors_allowed_origins => ['^.*',],
      sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',
      default_url          => 'https://storyboard-dev.openstack.org',
    }
  }
  485. # A machine to serve static content.
  486. # Node-OS: trusty
  487. # Node-OS: xenial
  node /^static\d*\.open.*\.org$/ {
    # Static-content host. Swift is accessed with the 'infra-files-ro' account,
    # whose key is a required hiera value; judging by the name it is a
    # read-only credential. Verify the account's actual permissions.
    class { 'openstack_project::server': }

    class { 'openstack_project::static':
      project_config_repo     => 'https://opendev.org/openstack/project-config',
      swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',
      swift_user              => 'infra-files-ro',
      swift_key               => hiera('infra_files_ro_password'),
      swift_tenant_name       => hiera('infra_files_tenant_name', 'tenantname'),
      swift_region_name       => 'DFW',
      swift_default_container => 'infra-files',
      ssl_cert_file_contents  => hiera('static_ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('static_ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
    }
  }
  503. # Node-OS: xenial
  node /^zk\d+\.open.*\.org$/ {
    # We use IP addresses here so that zk listens on the public facing addresses
    # allowing cluster members to talk to each other. Without this they listen
    # on 127.0.1.1 because that is what we have in /etc/hosts for
    # zk0X.openstack.org.
    # NOTE(review): no ZooKeeper authentication or TLS setting is passed in this
    # block, and the service binds to public addresses. Confirm the client and
    # quorum ports are firewalled to the cluster members and their clients.
    $zk_cluster_members = [
      '23.253.236.126', # zk01
      '172.99.117.32', # zk02
      '23.253.90.246', # zk03
    ]

    class { 'openstack_project::server': }

    class { '::zookeeper':
      # ID needs to be numeric, so we use a regex to extract the number from
      # the fqdn.
      id             => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),
      # The frequency in hours to look for and purge old snapshots,
      # defaults to 0 (disabled). The number of retained snapshots can
      # be separately controlled through snap_retain_count and
      # defaults to the minimum value of 3. This will quickly fill the
      # disk in production if not enabled. Works on ZK >=3.4.
      purge_interval => 6,
      servers        => $zk_cluster_members,
    }
  }
  527. # A machine to serve various project status updates.
  528. # Node-OS: trusty
  529. # Node-OS: xenial
  node /^status\d*\.open.*\.org$/ {
    # Status dashboard host. It holds two Gerrit SSH key pairs (reviewday and
    # elastic-recheck) and the recheck IRC bot password, and pins Gerrit's host
    # key from hiera.
    $group = 'status'

    class { 'openstack_project::server': }

    class { 'openstack_project::status':
      gerrit_host               => 'review.opendev.org',
      gerrit_ssh_host_key       => hiera('gerrit_ssh_rsa_pubkey_contents'),
      reviewday_ssh_public_key  => hiera('reviewday_rsa_pubkey_contents'),
      reviewday_ssh_private_key => hiera('reviewday_rsa_key_contents'),
      recheck_ssh_public_key    => hiera('elastic-recheck_gerrit_ssh_public_key'),
      recheck_ssh_private_key   => hiera('elastic-recheck_gerrit_ssh_private_key'),
      recheck_bot_nick          => 'openstackrecheck',
      recheck_bot_passwd        => hiera('elastic-recheck_ircbot_password'),
    }
  }
  544. # Node-OS: xenial
  node /^survey\d+\.open.*\.org$/ {
    # Survey host with OpenID authentication enabled.
    # NOTE(review): every secret is read from an un-prefixed hiera key
    # ('dbpassword', 'adminpass', 'ssl_*'), so the values depend entirely on
    # group- or host-scoped hiera data. Confirm there is no broader fallback
    # that another service's value could satisfy.
    $group = 'survey'

    class { 'openstack_project::server': }

    class { 'openstack_project::survey':
      vhost_name              => 'survey.openstack.org',
      auth_openid             => true,
      ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
      ssl_key_file_contents   => hiera('ssl_key_file_contents'),
      ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
      dbpassword              => hiera('dbpassword'),
      dbhost                  => hiera('dbhost'),
      adminuser               => hiera('adminuser'),
      adminpass               => hiera('adminpass'),
      adminmail               => hiera('adminmail'),
    }
  }
  561. # Node-OS: xenial
  node /^nl\d+\.open.*\.org$/ {
    # Nodepool launcher host. It receives the Zuul worker SSH private key and
    # runs the launcher from the 'master' revision with its webapp enabled.
    $group = 'nodepool'
    # NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)
    # the cloud credentials are deployed with ansible via the
    # configure-openstacksdk role and are no longer configured here

    class { 'openstack_project::server': }

    include openstack_project

    class { '::openstackci::nodepool_launcher':
      nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),
      project_config_repo      => 'https://opendev.org/openstack/project-config',
      statsd_host              => 'graphite.opendev.org',
      # Tracks the branch tip rather than a fixed commit or tag.
      revision                 => 'master',
      python_version           => 3,
      enable_webapp            => true,
    }
  }
  578. # Node-OS: xenial
  node /^nb\d+\.open.*\.org$/ {
    # Nodepool image-builder host. Build logs are published over HTTP(S) from a
    # vhost named after the node's FQDN.
    $group = 'nodepool'

    class { 'openstack_project::server': }

    include openstack_project

    class { '::openstackci::nodepool_builder':
      nodepool_ssh_public_key   => hiera('zuul_worker_ssh_public_key_contents'),
      vhost_name                => $::fqdn,
      enable_build_log_via_http => true,
      project_config_repo       => 'https://opendev.org/openstack/project-config',
      statsd_host               => 'graphite.opendev.org',
      upload_workers            => '16',
      revision                  => 'master',
      python_version            => 3,
      zuulv3                    => true,
      # NOTE(review): the vhost uses the distribution's self-signed "snakeoil"
      # certificate, so clients cannot authenticate this host over TLS.
      # Acceptable only if the logs are non-sensitive; confirm.
      ssl_cert_file             => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
      ssl_key_file              => '/etc/ssl/private/ssl-cert-snakeoil.key',
    }

    # Nightly (20:00) git gc over the cached source repositories, run as the
    # unprivileged nodepool user with a fixed PATH.
    cron { 'mirror_gitgc':
      user        => 'nodepool',
      hour        => '20',
      minute      => '0',
      command     => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
      environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
      require     => Class['::openstackci::nodepool_builder'],
    }
  }
  605. # Node-OS: xenial
  606. node /^ze\d+\.open.*\.org$/ {
  607. $group = "zuul-executor"
  608. $gerrit_server = 'review.opendev.org'
  609. $gerrit_user = 'zuul'
  610. $gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
  611. $gerrit_ssh_private_key = hiera('gerrit_ssh_private_key_contents')
  612. $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
  613. $zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')
  614. $git_email = 'zuul@openstack.org'
  615. $git_name = 'OpenStack Zuul'
  616. $revision = 'master'
  617. class { 'openstack_project::server':
  618. afs => true,
  619. }
  620. class { '::project_config':
  621. url => 'https://opendev.org/openstack/project-config',
  622. }
  623. # We use later HWE kernels for better memory managment, requiring an
  624. # updated AFS version which we install from our custom ppa.
  625. include ::apt
  626. apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }
  627. package { 'linux-generic-hwe-16.04':
  628. ensure => present,
  629. require => [
  630. Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],
  631. Class['apt::update'],
  632. ],
  633. }
  634. # Skopeo is required for pushing/pulling from the intermediate
  635. # registry, and is available in the projectatomic ppa.
  636. apt::ppa { 'ppa:projectatomic/ppa': }
  637. package { 'skopeo':
  638. ensure => present,
  639. require => [
  640. Apt::Ppa['ppa:projectatomic/ppa'],
  641. Class['apt::update'],
  642. ],
  643. }
  644. # Socat is also required for pushing/pulling images
  645. package { 'socat':
  646. ensure => present,
  647. require => [
  648. Class['apt::update'],
  649. ],
  650. }
  651. # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
  652. # settings.
  653. class { '::zuul':
  654. gearman_server => 'zuul01.openstack.org',
  655. gerrit_server => $gerrit_server,
  656. gerrit_user => $gerrit_user,
  657. zuul_ssh_private_key => $gerrit_ssh_private_key,
  658. git_email => $git_email,
  659. git_name => $git_name,
  660. worker_private_key_file => '/var/lib/zuul/ssh/nodepool_id_rsa',
  661. revision => $revision,
  662. python_version => 3,
  663. zookeeper_hosts => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
  664. zuulv3 => true,
  665. connections => hiera('zuul_connections', []),
  666. connection_secrets => hiera('zuul_connection_secrets', []),
  667. gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
  668. gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
  669. gearman_ssl_ca => hiera('gearman_ssl_ca'),
  670. #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs
  671. # properly. We need to revisting this post Queens PTG.
  672. trusted_ro_paths => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],
  673. trusted_rw_paths => ['/afs'],
  674. untrusted_ro_paths => ['/etc/ssl/certs'],
  675. disk_limit_per_job => 5000, # Megabytes
  676. site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,
  677. require => $::project_config::config_dir,
  678. statsd_host => 'graphite.opendev.org',
  679. }
  680. class { '::zuul::executor': }
  681. # This is used by the log job submission playbook which runs under
  682. # python2
  683. package { 'gear':
  684. ensure => latest,
  685. provider => openstack_pip,
  686. require => Class['pip'],
  687. }
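  # SSH private keys used by zuul. Both files are owned by zuul and readable
  # by the owner only (0400). The key material comes from variables assigned
  # outside these resources.
  #
  # show_diff is disabled so that a content change never puts private key
  # material into agent output or reports, even where diffs are enabled
  # globally.
  file { '/var/lib/zuul/ssh/nodepool_id_rsa':
    owner     => 'zuul',
    group     => 'zuul',
    mode      => '0400',
    require   => File['/var/lib/zuul/ssh'],
    content   => $zuul_ssh_private_key,
    show_diff => false,
  }

  file { '/var/lib/zuul/ssh/static_id_rsa':
    owner     => 'zuul',
    group     => 'zuul',
    mode      => '0400',
    require   => File['/var/lib/zuul/ssh'],
    content   => $zuul_static_private_key,
    show_diff => false,
  }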
  # Pinned SSH host keys for the two Gerrit servers zuul connects to on port
  # 29418. The first entry takes its key from $gerrit_ssh_host_key; the
  # second (git.opendaylight.org) is pinned inline.
  # NOTE(review): the entries also pin literal IP addresses, so they must be
  # updated together with any re-addressing or host key rotation.
  class { '::zuul::known_hosts':
    known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
  }
  705. }
  706. # Node-OS: xenial
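  node /^zuul\d+\.open.*\.org$/ {
    # Zuul scheduler host. Declares the common ::zuul class, the scheduler,
    # the web front end with its four vhosts, status backups, the finger
    # gateway, pinned Gerrit host keys and the bup backup site.
    $group = "zuul-scheduler"
    $gerrit_server = 'review.opendev.org'
    $gerrit_user = 'zuul'
    # NOTE(review): this value is interpolated into known_hosts below as the
    # Gerrit host key, yet it is read from a hiera key named
    # 'gerrit_zuul_user_ssh_key_contents'; the zm node definition in this
    # file reads 'gerrit_ssh_rsa_pubkey_contents' for the same variable.
    # Confirm that the hiera value really is Gerrit's host public key.
    $gerrit_ssh_host_key = hiera('gerrit_zuul_user_ssh_key_contents')
    $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')
    # Plain-HTTP URL. It is not passed to any class declared in this node
    # block; it may still be read elsewhere through node scope (verify).
    $zuul_url = "http://zuul.openstack.org/p"
    $git_email = 'zuul@openstack.org'
    $git_name = 'OpenStack Zuul'
    $revision = 'master'

    class { 'openstack_project::server': }

    class { '::project_config':
      url => 'https://opendev.org/openstack/project-config',
    }

    # NOTE(pabelanger): ::zuul is declared directly (not through a wrapper
    # class) so that every setting can be overridden in this one place.
    class { '::zuul':
      gerrit_server                 => $gerrit_server,
      gerrit_user                   => $gerrit_user,
      zuul_ssh_private_key          => $zuul_ssh_private_key,
      git_email                     => $git_email,
      git_name                      => $git_name,
      revision                      => $revision,
      python_version                => 3,
      zookeeper_hosts               => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
      zookeeper_session_timeout     => 40,
      zuulv3                        => true,
      # Connection definitions and their secrets fall back to an empty list
      # when hiera holds no data.
      connections                   => hiera('zuul_connections', []),
      connection_secrets            => hiera('zuul_connection_secrets', []),
      vhost_name                    => 'zuul.openstack.org',
      # Both internal endpoints are addressed over loopback.
      zuul_status_url               => 'http://127.0.0.1:8001/openstack',
      zuul_web_url                  => 'http://127.0.0.1:9000',
      zuul_tenant_name              => 'openstack',
      # This node receives both the client and the server side of the
      # gearman TLS material; none of these lookups has a default.
      gearman_client_ssl_cert       => hiera('gearman_client_ssl_cert'),
      gearman_client_ssl_key        => hiera('gearman_client_ssl_key'),
      gearman_server_ssl_cert       => hiera('gearman_server_ssl_cert'),
      gearman_server_ssl_key        => hiera('gearman_server_ssl_key'),
      gearman_ssl_ca                => hiera('gearman_ssl_ca'),
      proxy_ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),
      proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
      proxy_ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),
      statsd_host                   => 'graphite.opendev.org',
      status_url                    => 'https://zuul.openstack.org',
      relative_priority             => true,
      web_root                      => 'https://zuul.opendev.org',
    }

    # Private key of the GitHub app, readable and writable by zuul only.
    # show_diff is disabled so that a content change never puts the key into
    # agent output or reports, even where diffs are enabled globally.
    file { '/etc/zuul/github.key':
      ensure    => present,
      owner     => 'zuul',
      group     => 'zuul',
      mode      => '0600',
      content   => hiera('zuul_github_app_key'),
      require   => File['/etc/zuul'],
      show_diff => false,
    }

    class { '::zuul::scheduler':
      layout_dir     => $::project_config::zuul_layout_dir,
      require        => $::project_config::config_dir,
      python_version => 3,
      use_mysql      => true,
    }

    class { '::zuul::web':
      # Status backups are declared separately further down.
      enable_status_backups => false,
      # One HTTPS (443) and one HTTP (80) vhost per public name, all serving
      # the same docroot through the same template.
      # NOTE(review): the port 80 vhosts set ssl => false; confirm that
      # zuul/zuulv3.vhost.erb redirects them to HTTPS and does not serve the
      # application in clear text.
      vhosts                => {
        'zuul.openstack.org'      => {
          port       => 443,
          docroot    => '/opt/zuul-web/content',
          priority   => '50',
          ssl        => true,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.openstack.org',
        },
        'zuul.opendev.org'        => {
          port       => 443,
          docroot    => '/opt/zuul-web/content',
          priority   => '40',
          ssl        => true,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.opendev.org',
        },
        'zuul.openstack.org-http' => {
          port       => 80,
          docroot    => '/opt/zuul-web/content',
          priority   => '50',
          ssl        => false,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.openstack.org',
        },
        'zuul.opendev.org-http'   => {
          port       => 80,
          docroot    => '/opt/zuul-web/content',
          priority   => '40',
          ssl        => false,
          template   => 'zuul/zuulv3.vhost.erb',
          vhost_name => 'zuul.opendev.org',
        },
      },
      # Per-vhost flags. Only the zuul.opendev.org HTTPS vhost sets use_le;
      # the zuul.openstack.org HTTPS vhost gets its certificate from
      # vhosts_ssl below.
      vhosts_flags          => {
        'zuul.openstack.org'      => {
          tenant_name => 'openstack',
          ssl         => true,
          use_le      => false,
        },
        'zuul.opendev.org'        => {
          tenant_name => '',
          ssl         => true,
          use_le      => true,
        },
        'zuul.openstack.org-http' => {
          tenant_name => 'openstack',
          ssl         => false,
          use_le      => false,
        },
        'zuul.opendev.org-http'   => {
          tenant_name => '',
          ssl         => false,
          use_le      => false,
        },
      },
      vhosts_ssl            => {
        'zuul.openstack.org' => {
          ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),
          ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),
          ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),
        },
      },
    }

    # Status backups, one per tenant, fetched over HTTPS.
    zuul::status_backups { 'openstack-zuul-tenant':
      tenant_name => 'openstack',
      ssl         => true,
      status_uri  => 'https://zuul.opendev.org/api/tenant/openstack/status',
    }

    zuul::status_backups { 'kata-zuul-tenant':
      tenant_name => 'kata-containers',
      ssl         => true,
      status_uri  => 'https://zuul.opendev.org/api/tenant/kata-containers/status',
    }

    class { '::zuul::fingergw': }

    # Pinned SSH host keys for the two Gerrit servers reached on port 29418.
    # The first entry takes its key from $gerrit_ssh_host_key; the second
    # (git.opendaylight.org) is pinned inline. The entries also pin literal
    # IP addresses, so they must follow any re-addressing or key rotation.
    class { '::zuul::known_hosts':
      known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",
    }

    # Off-host backups through bup.
    include bup
    bup::site { 'rax.ord':
      backup_user   => 'bup-zuulv3',
      backup_server => 'backup01.ord.rax.ci.openstack.org',
    }
  }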
  854. # Node-OS: xenial
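  node /^zm\d+\.open.*\.org$/ {
    # Zuul merger hosts.
    #
    # The dot after the digits is escaped, as in the other node patterns of
    # this file. Unescaped it matches any character, so a name such as
    # 'zm01xopenstack.org' (constructed example) would also have received
    # this catalog and the secrets it carries.
    $group = "zuul-merger"
    $gerrit_server = 'review.opendev.org'
    $gerrit_user = 'zuul'
    $gerrit_ssh_host_key = hiera('gerrit_ssh_rsa_pubkey_contents')
    $zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')
    # Plain-HTTP URL built from this host's own FQDN. It is not passed to
    # any class declared in this node block; it may still be read elsewhere
    # through node scope (verify).
    $zuul_url = "http://${::fqdn}/p"
    $git_email = 'zuul@openstack.org'
    $git_name = 'OpenStack Zuul'
    $revision = 'master'

    class { 'openstack_project::server': }

    # NOTE(pabelanger): ::zuul is declared directly (not through a wrapper
    # class) so that every setting can be overridden in this one place.
    class { '::zuul':
      gearman_server          => 'zuul01.openstack.org',
      gerrit_server           => $gerrit_server,
      gerrit_user             => $gerrit_user,
      zuul_ssh_private_key    => $zuul_ssh_private_key,
      git_email               => $git_email,
      git_name                => $git_name,
      revision                => $revision,
      python_version          => 3,
      zookeeper_hosts         => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',
      zuulv3                  => true,
      # Connection definitions and their secrets fall back to an empty list
      # when hiera holds no data.
      connections             => hiera('zuul_connections', []),
      connection_secrets      => hiera('zuul_connection_secrets', []),
      # Client-side gearman TLS material only; these lookups have no default.
      gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
      gearman_client_ssl_key  => hiera('gearman_client_ssl_key'),
      gearman_ssl_ca          => hiera('gearman_ssl_ca'),
      statsd_host             => 'graphite.opendev.org',
    }

    # manage_common_zuul is false because ::zuul is already declared above.
    class { 'openstack_project::zuul_merger':
      gerrit_server        => $gerrit_server,
      gerrit_user          => $gerrit_user,
      gerrit_ssh_host_key  => $gerrit_ssh_host_key,
      zuul_ssh_private_key => $zuul_ssh_private_key,
      manage_common_zuul   => false,
    }
  }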
  894. # Node-OS: xenial
  node /^pbx\d*\.open.*\.org$/ {
    # PBX host with a single SIP provider (voip.ms, Dallas). Outgoing calls
    # through the provider are disabled.
    $group = "pbx"

    class { 'openstack_project::server': }

    class { 'openstack_project::pbx':
      sip_providers => [
        {
          provider => 'voipms',
          hostname => 'dallas.voip.ms',
          # The username falls back to the literal 'username' when hiera has
          # no value; the password lookup has no default.
          username => hiera('voipms_username', 'username'),
          password => hiera('voipms_password'),
          outgoing => false,
        },
      ],
    }
  }
  910. # Node-OS: xenial
  911. # A backup machine. Don't run cron or puppet agent on it.
  node /^backup\d+\..*\.ci\.open.*\.org$/ {
    # Backup target: base server configuration plus the backup_server class.
    $group = "ci-backup"

    class { 'openstack_project::server': }

    include openstack_project::backup_server
  }
  917. # Node-OS: xenial
  node /^openstackid\d*(\.openstack)?\.org$/ {
    # Production OpenStackID identity provider.
    #
    # NOTE(review): unlike most nodes in this file, openstack_project::server
    # is not declared here; presumably openstackid_prod pulls in the base
    # server configuration itself. Verify.
    $group = "openstackid"

    class { 'openstack_project::openstackid_prod':
      site_admin_password                 => hiera('openstackid_site_admin_password'),
      # Database hosts default to 'localhost' and users to the literal
      # 'username' when hiera has no value; passwords have no default.
      id_mysql_host                       => hiera('openstackid_id_mysql_host', 'localhost'),
      id_mysql_password                   => hiera('openstackid_id_mysql_password'),
      id_mysql_user                       => hiera('openstackid_id_mysql_user', 'username'),
      id_db_name                          => hiera('openstackid_id_db_name'),
      ss_mysql_host                       => hiera('openstackid_ss_mysql_host', 'localhost'),
      ss_mysql_password                   => hiera('openstackid_ss_mysql_password'),
      ss_mysql_user                       => hiera('openstackid_ss_mysql_user', 'username'),
      # NOTE(review): the fallback for the database *name* is 'username',
      # which looks copied from the user lookups. Verify.
      ss_db_name                          => hiera('openstackid_ss_db_name', 'username'),
      redis_password                      => hiera('openstackid_redis_password'),
      ssl_cert_file_contents              => hiera('openstackid_ssl_cert_file_contents'),
      ssl_key_file_contents               => hiera('openstackid_ssl_key_file_contents'),
      ssl_chain_file_contents             => hiera('openstackid_ssl_chain_file_contents'),
      id_recaptcha_public_key             => hiera('openstackid_recaptcha_public_key'),
      id_recaptcha_private_key            => hiera('openstackid_recaptcha_private_key'),
      vhost_name                          => 'openstackid.org',
      session_cookie_domain               => 'openstackid.org',
      serveradmin                         => 'webmaster@openstackid.org',
      canonicalweburl                     => 'https://openstackid.org/',
      app_url                             => 'https://openstackid.org',
      app_key                             => hiera('openstackid_app_key'),
      # Application errors are mailed to an address outside the
      # openstack.org domain.
      id_log_error_to_email               => 'openstack@tipit.net',
      id_log_error_from_email             => 'noreply@openstack.org',
      email_driver                        => 'sendgrid',
      email_send_grid_api_key             => hiera('openstackid_send_grid_api_key'),
      php_version                         => 7,
      # The MySQL connection uses TLS with a CA and a client key/cert pair
      # supplied from hiera.
      mysql_ssl_enabled                   => true,
      mysql_ssl_ca_file_contents          => hiera('openstackid_mysql_ssl_ca_file_contents'),
      mysql_ssl_client_key_file_contents  => hiera('openstackid_mysql_ssl_client_key_file_contents'),
      mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),
      lost_password_url                   => 'https://openstackid.org/lost-password',
      registration_url                    => 'https://openstackid.org/registration',
      registration_mobile_url             => 'https://openstackid.org/registration-mobile',
      resend_verification_url             => 'https://openstackid.org/resend-verification',
    }
  }
  957. # Node-OS: xenial
  node /^openstackid-dev\d*\.openstack\.org$/ {
    # Development OpenStackID instance. Every secret is read from its own
    # 'openstackid_dev_*' hiera key, so no lookup here shares a key with the
    # production node definition.
    #
    # NOTE(review): openstack_project::server is not declared here;
    # presumably openstackid_dev pulls in the base server configuration
    # itself. Verify.
    $group = "openstackid-dev"

    class { 'openstack_project::openstackid_dev':
      site_admin_password                 => hiera('openstackid_dev_site_admin_password'),
      # Database hosts default to 'localhost' and users to the literal
      # 'username' when hiera has no value; passwords have no default.
      id_mysql_host                       => hiera('openstackid_dev_id_mysql_host', 'localhost'),
      id_mysql_password                   => hiera('openstackid_dev_id_mysql_password'),
      id_mysql_user                       => hiera('openstackid_dev_id_mysql_user', 'username'),
      ss_mysql_host                       => hiera('openstackid_dev_ss_mysql_host', 'localhost'),
      ss_mysql_password                   => hiera('openstackid_dev_ss_mysql_password'),
      ss_mysql_user                       => hiera('openstackid_dev_ss_mysql_user', 'username'),
      # NOTE(review): the fallback for the database *name* is 'username',
      # which looks copied from the user lookups. Verify.
      ss_db_name                          => hiera('openstackid_dev_ss_db_name', 'username'),
      redis_password                      => hiera('openstackid_dev_redis_password'),
      ssl_cert_file_contents              => hiera('openstackid_dev_ssl_cert_file_contents'),
      ssl_key_file_contents               => hiera('openstackid_dev_ssl_key_file_contents'),
      ssl_chain_file_contents             => hiera('openstackid_dev_ssl_chain_file_contents'),
      id_recaptcha_public_key             => hiera('openstackid_dev_recaptcha_public_key'),
      id_recaptcha_private_key            => hiera('openstackid_dev_recaptcha_private_key'),
      vhost_name                          => 'openstackid-dev.openstack.org',
      session_cookie_domain               => 'openstackid-dev.openstack.org',
      serveradmin                         => 'webmaster@openstackid-dev.openstack.org',
      canonicalweburl                     => 'https://openstackid-dev.openstack.org/',
      app_url                             => 'https://openstackid-dev.openstack.org',
      app_key                             => hiera('openstackid_dev_app_key'),
      # Application errors are mailed to an address outside the
      # openstack.org domain.
      id_log_error_to_email               => 'openstack@tipit.net',
      id_log_error_from_email             => 'noreply@openstack.org',
      email_driver                        => 'sendgrid',
      email_send_grid_api_key             => hiera('openstackid_dev_send_grid_api_key'),
      php_version                         => 7,
      # The MySQL connection uses TLS with a CA and a client key/cert pair
      # supplied from hiera.
      mysql_ssl_enabled                   => true,
      mysql_ssl_ca_file_contents          => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),
      mysql_ssl_client_key_file_contents  => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),
      mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),
      lost_password_url                   => 'https://openstackid-dev.openstack.org/lost-password',
      registration_url                    => 'https://openstackid-dev.openstack.org/registration',
      registration_mobile_url             => 'https://openstackid-dev.openstack.org/registration-mobile',
      resend_verification_url             => 'https://openstackid-dev.openstack.org/resend-verification',
    }
  }
  996. # Node-OS: trusty
  997. # Used for testing all-in-one deployments
  node 'single-node-ci.test.only' {
    # Exact-name node used only for testing all-in-one deployments.
    include ::openstackci::single_node_ci
  }
  1001. # Node-OS: xenial
  node /^kdc03\.open.*\.org$/ {
    # Kerberos KDC declared with the kdc class defaults. The kdc04 node
    # definition in this file sets slave => true, so this is presumably the
    # master.
    class { 'openstack_project::server': }

    class { 'openstack_project::kdc': }
  }
  1006. # Node-OS: xenial
  node /^kdc04\.open.*\.org$/ {
    # Kerberos KDC declared as a slave.
    class { 'openstack_project::server': }

    class { 'openstack_project::kdc':
      slave => true,
    }
  }
  1013. # Node-OS: xenial
  node /^afsdb01\.open.*\.org$/ {
    # First AFS database server; it additionally carries the afsrelease
    # class.
    #
    # NOTE(review): every name matched here is also matched by the broader
    # /^afsdb.*\.open.*\.org$/ pattern in this file. Puppet gives no
    # guarantee about which of two overlapping regex nodes is applied, so
    # this relies on the more specific definition winning. Verify, or make
    # the two patterns disjoint.
    $group = "afsdb"

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsdb
    include openstack_project::afsrelease
  }
  1022. # Node-OS: xenial
  node /^afsdb.*\.open.*\.org$/ {
    # Remaining AFS database servers.
    #
    # NOTE(review): this pattern also matches afsdb01, which has its own
    # node definition in this file; see that definition for which extra
    # class it expects to receive.
    $group = "afsdb"

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsdb
  }
  1030. # Node-OS: xenial
  node /^afs.*\..*\.open.*\.org$/ {
    # AFS file servers. The pattern requires one more dot-separated label
    # before 'open…' than the afsdb patterns in this file do.
    $group = "afs"

    class { 'openstack_project::server':
      afs => true,
    }

    include openstack_project::afsfs
  }
  1038. # Node-OS: xenial
  node /^ask\d*\.open.*\.org$/ {
    # Production ask site.
    class { 'openstack_project::server': }

    class { 'openstack_project::ask':
      db_user                      => hiera('ask_db_user', 'ask'),
      db_password                  => hiera('ask_db_password'),
      redis_password               => hiera('ask_redis_password'),
      # The three TLS inputs fall back to undef when hiera has no value.
      # NOTE(review): confirm what the ask class does with undef here, so
      # that missing data cannot silently produce a site without the
      # intended certificate.
      site_ssl_cert_file_contents  => hiera('ask_site_ssl_cert_file_contents', undef),
      site_ssl_key_file_contents   => hiera('ask_site_ssl_key_file_contents', undef),
      site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),
    }
  }
  1050. # Node-OS: xenial
  node /^ask-staging\d*\.open.*\.org$/ {
    # Staging ask site. Its database and redis passwords come from
    # 'ask_staging_*' hiera keys, separate from the production ones.
    class { 'openstack_project::server': }

    class { 'openstack_project::ask_staging':
      db_password    => hiera('ask_staging_db_password'),
      redis_password => hiera('ask_staging_redis_password'),
    }
  }
  1058. # Node-OS: xenial
  node /^translate\d+\.open.*\.org$/ {
    # Production translation server (Zanata on WildFly). Logins go through
    # openstackid.org.
    $group = "translate"

    class { 'openstack_project::server': }

    class { 'openstack_project::translate':
      # Comma-separated list of accounts given admin rights.
      admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
      openid_url                 => 'https://openstackid.org',
      # NOTE(review): AJP has no authentication of its own by default;
      # confirm that the listener is reachable only from the local front-end
      # proxy.
      listeners                  => ['ajp'],
      from_address               => 'noreply@openstack.org',
      mysql_host                 => hiera('translate_mysql_host', 'localhost'),
      mysql_password             => hiera('translate_mysql_password'),
      zanata_server_user         => hiera('proposal_zanata_user'),
      zanata_server_api_key      => hiera('proposal_zanata_api_key'),
      zanata_wildfly_version     => '10.1.0',
      # NOTE(review): no checksum is passed here for the WildFly archive;
      # its integrity then rests on the HTTPS download alone unless the
      # class verifies it by other means. Verify.
      zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',
      zanata_main_version        => 4,
      zanata_url                 => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',
      # 40 hex digits, i.e. the length of a SHA-1 digest.
      # NOTE(review): consider a SHA-256 pin if the class supports one.
      zanata_checksum            => 'eaf8bd07401dade758b677007d2358f173193d17',
      project_config_repo        => 'https://opendev.org/openstack/project-config',
      ssl_cert_file_contents     => hiera('translate_ssl_cert_file_contents'),
      ssl_key_file_contents      => hiera('translate_ssl_key_file_contents'),
      ssl_chain_file_contents    => hiera('translate_ssl_chain_file_contents'),
      vhost_name                 => 'translate.openstack.org',
    }
  }
  1083. # Node-OS: xenial
  node /^translate-dev\d*\.open.*\.org$/ {
    # Development translation server. Logins go through the development
    # OpenStackID instance.
    #
    # NOTE(review): openstack_project::server is not declared here;
    # presumably translate_dev pulls in the base server configuration
    # itself. Verify.
    $group = "translate-dev"

    class { 'openstack_project::translate_dev':
      # Comma-separated list of accounts given admin rights.
      admin_users           => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
      openid_url            => 'https://openstackid-dev.openstack.org',
      # NOTE(review): AJP has no authentication of its own by default;
      # confirm that the listener is reachable only from the local front-end
      # proxy.
      listeners             => ['ajp'],
      from_address          => 'noreply@openstack.org',
      mysql_host            => hiera('translate_dev_mysql_host', 'localhost'),
      mysql_password        => hiera('translate_dev_mysql_password'),
      # NOTE(review): these two lookups use the same 'proposal_zanata_*'
      # hiera keys as the production translate node. Whether both resolve to
      # the same credential depends on the hiera hierarchy. Verify.
      zanata_server_user    => hiera('proposal_zanata_user'),
      zanata_server_api_key => hiera('proposal_zanata_api_key'),
      project_config_repo   => 'https://opendev.org/openstack/project-config',
      vhost_name            => 'translate-dev.openstack.org',
    }
  }
  1099. # Node-OS: xenial
  node /^codesearch\d*\.open.*\.org$/ {
    # Code search host; its only input is the project-config repository URL.
    $group = "codesearch"

    class { 'openstack_project::server': }

    class { 'openstack_project::codesearch':
      project_config_repo => 'https://opendev.org/openstack/project-config',
    }
  }
  1107. # vim:sw=2:ts=2:expandtab:textwidth=79