opendev
/
system-config
Code Issues Proposed changes
System configuration for OpenStack Infrastructure
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15342 Commits
1 Branch
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
system-config/manifests/site.pp

1238 lines
50KB
Raw Permalink Blame History 

  1. #

  2. # Top-level variables

  3. #

  4. # There must not be any whitespace between this comment and the variables or

  5. # in between any two variables in order for them to be correctly parsed and

  6. # passed around in test.sh

  7. #

  8. # Note we do not do a hiera lookup here as we set $group on a per node basis

  9. # and that must be set before we can do hiera lookups. Doing a hiera lookup

  10. # here would fail to find any group specific info.

  11. $elasticsearch_nodes = [

  12.   "elasticsearch02.openstack.org",

  13.   "elasticsearch03.openstack.org",

  14.   "elasticsearch04.openstack.org",

  15.   "elasticsearch05.openstack.org",

  16.   "elasticsearch06.openstack.org",

  17.   "elasticsearch07.openstack.org",

  18. ]

  19. 

  20. #

  21. # Default: should at least behave like an openstack server

  22. #

  23. node default {

  24.   class { 'openstack_project::server':

  25.   }

  26. }

  27. 

  28. #

  29. # Long lived servers:

  30. #

  31. # Node-OS: xenial

  32. node /^review\d*\.open.*\.org$/ {

  33.   $group = "review"

  34. 

  35.   class { 'openstack_project::server': }

  36. 

  37.   class { 'openstack_project::review':

  38.     project_config_repo                  => 'https://opendev.org/openstack/project-config',

  39.     github_oauth_token                   => hiera('gerrit_github_token'),

  40.     github_project_username              => hiera('github_project_username', 'username'),

  41.     github_project_password              => hiera('github_project_password'),

  42.     mysql_host                           => hiera('gerrit_mysql_host', 'localhost'),

  43.     mysql_password                       => hiera('gerrit_mysql_password'),

  44.     email_private_key                    => hiera('gerrit_email_private_key'),

  45.     token_private_key                    => hiera('gerrit_rest_token_private_key'),

  46.     gerritbot_password                   => hiera('gerrit_gerritbot_password'),

  47.     gerritbot_ssh_rsa_key_contents       => hiera('gerritbot_ssh_rsa_key_contents'),

  48.     gerritbot_ssh_rsa_pubkey_contents    => hiera('gerritbot_ssh_rsa_pubkey_contents'),

  49.     ssl_cert_file_contents               => hiera('review_opendev_cert_file_contents'),

  50.     ssl_key_file_contents                => hiera('review_opendev_key_file_contents'),

  51.     ssl_chain_file_contents              => hiera('review_opendev_chain_file_contents'),

  52.     ssh_dsa_key_contents                 => hiera('gerrit_ssh_dsa_key_contents'),

  53.     ssh_dsa_pubkey_contents              => hiera('gerrit_ssh_dsa_pubkey_contents'),

  54.     ssh_rsa_key_contents                 => hiera('gerrit_ssh_rsa_key_contents'),

  55.     ssh_rsa_pubkey_contents              => hiera('gerrit_ssh_rsa_pubkey_contents'),

  56.     ssh_project_rsa_key_contents         => hiera('gerrit_project_ssh_rsa_key_contents'),

  57.     ssh_project_rsa_pubkey_contents      => hiera('gerrit_project_ssh_rsa_pubkey_contents'),

  58.     ssh_welcome_rsa_key_contents         => hiera('welcome_message_gerrit_ssh_private_key'),

  59.     ssh_welcome_rsa_pubkey_contents      => hiera('welcome_message_gerrit_ssh_public_key'),

  60.     ssh_replication_rsa_key_contents     => hiera('gerrit_replication_ssh_rsa_key_contents'),

  61.     ssh_replication_rsa_pubkey_contents  => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),

  62.     lp_access_token                      => hiera('gerrit_lp_access_token'),

  63.     lp_access_secret                     => hiera('gerrit_lp_access_secret'),

  64.     lp_consumer_key                      => hiera('gerrit_lp_consumer_key'),

  65.     swift_username                       => hiera('swift_store_user', 'username'),

  66.     swift_password                       => hiera('swift_store_key'),

  67.     storyboard_password                  => hiera('gerrit_storyboard_token'),

  68.     # Compatibility layer vars for the old domain name below here.

  69.     # TODO rename the hiera keys to reduce confusion

  70.     review_openstack_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),

  71.     review_openstack_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),

  72.     review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),

  73.   }

  74. }

  75. 

  76. # Node-OS: xenial

  77. # Puppet-Version: !3

  78. node /^grafana\d*\.open.*\.org$/ {

  79.   $group = "grafana"

  80.   class { 'openstack_project::server': }

  81.   class { 'openstack_project::grafana':

  82.     admin_password      => hiera('grafana_admin_password'),

  83.     admin_user          => hiera('grafana_admin_user', 'username'),

  84.     mysql_host          => hiera('grafana_mysql_host', 'localhost'),

  85.     mysql_name          => hiera('grafana_mysql_name'),

  86.     mysql_password      => hiera('grafana_mysql_password'),

  87.     mysql_user          => hiera('grafana_mysql_user', 'username'),

  88.     project_config_repo => 'https://opendev.org/openstack/project-config',

  89.     secret_key          => hiera('grafana_secret_key'),

  90.   }

  91. }

  92. 

  93. # Node-OS: xenial

  94. node /^health\d*\.openstack\.org$/ {

  95.   $group = "health"

  96.   class { 'openstack_project::server': }

  97.   class { 'openstack_project::openstack_health_api':

  98.     subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),

  99.     hostname            => 'health.openstack.org',

  100.   }

  101. }

  102. 

  103. # Node-OS: xenial

  104. node /^cacti\d+\.open.*\.org$/ {

  105.   $group = "cacti"

  106.   include openstack_project::ssl_cert_check

  107.   class { 'openstack_project::cacti':

  108.     cacti_hosts => hiera_array('cacti_hosts'),

  109.     vhost_name  => 'cacti.openstack.org',

  110.   }

  111. }

  112. 

  113. # Node-OS: xenial

  114. node /^graphite\d*\.open.*\.org$/ {

  115.   class { 'openstack_project::server': }

  116. 

  117.   class { '::graphite':

  118.     graphite_admin_user     => hiera('graphite_admin_user', 'username'),

  119.     graphite_admin_email    => hiera('graphite_admin_email', 'email@example.com'),

  120.     graphite_admin_password => hiera('graphite_admin_password'),

  121.     # NOTE(ianw): installed on the host via ansible

  122.     ssl_cert_file           => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',

  123.     ssl_key_file            => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',

  124.     ssl_chain_file          => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',

  125.   }

  126. }

  127. 

  128. # Node-OS: xenial

  129. node /^lists\d*\.open.*\.org$/ {

  130.   class { 'openstack_project::server': }

  131. 

  132.   class { 'openstack_project::lists':

  133.     listpassword => hiera('listpassword'),

  134.   }

  135. }

  136. 

  137. # Node-OS: xenial

  138. node /^lists\d*\.katacontainers\.io$/ {

  139.   class { 'openstack_project::server': }

  140. 

  141.   class { 'openstack_project::kata_lists':

  142.     listpassword => hiera('listpassword'),

  143.   }

  144. }

  145. 

  146. # Node-OS: xenial

  147. node /^paste\d*\.open.*\.org$/ {

  148.   $group = "paste"

  149. 

  150.   class { 'openstack_project::server': }

  151.   class { 'openstack_project::paste':

  152.     db_password         => hiera('paste_db_password'),

  153.     db_host             => hiera('paste_db_host'),

  154.     vhost_name          => 'paste.openstack.org',

  155.   }

  156. }

  157. 

  158. # Node-OS: xenial

  159. node /planet\d*\.open.*\.org$/ {

  160.   class { 'openstack_project::planet':

  161.   }

  162. }

  163. 

  164. # Node-OS: xenial

  165. node /^eavesdrop\d*\.open.*\.org$/ {

  166.   $group = "eavesdrop"

  167.   class { 'openstack_project::server': }

  168. 

  169.   class { 'openstack_project::eavesdrop':

  170.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  171.     nickpass                => hiera('openstack_meetbot_password'),

  172.     statusbot_nick          => hiera('statusbot_nick', 'username'),

  173.     statusbot_password      => hiera('statusbot_nick_password'),

  174.     statusbot_server        => 'chat.freenode.net',

  175.     statusbot_channels      => hiera_array('statusbot_channels', ['openstack_infra']),

  176.     statusbot_auth_nicks    => hiera_array('statusbot_auth_nicks'),

  177.     statusbot_wiki_user     => hiera('statusbot_wiki_username', 'username'),

  178.     statusbot_wiki_password => hiera('statusbot_wiki_password'),

  179.     statusbot_wiki_url      => 'https://wiki.openstack.org/w/api.php',

  180.     # https://wiki.openstack.org/wiki/Infrastructure_Status

  181.     statusbot_wiki_pageid   => '1781',

  182.     statusbot_wiki_successpageid => '7717',

  183.     statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',

  184.     statusbot_wiki_thankspageid => '37700',

  185.     statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',

  186.     statusbot_irclogs_url   => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',

  187.     statusbot_twitter                 => true,

  188.     statusbot_twitter_key             => hiera('statusbot_twitter_key'),

  189.     statusbot_twitter_secret          => hiera('statusbot_twitter_secret'),

  190.     statusbot_twitter_token_key       => hiera('statusbot_twitter_token_key'),

  191.     statusbot_twitter_token_secret    => hiera('statusbot_twitter_token_secret'),

  192.     accessbot_nick          => hiera('accessbot_nick', 'username'),

  193.     accessbot_password      => hiera('accessbot_nick_password'),

  194.     meetbot_channels        => hiera('meetbot_channels', ['openstack-infra']),

  195.     ptgbot_nick             => hiera('ptgbot_nick', 'username'),

  196.     ptgbot_password         => hiera('ptgbot_password'),

  197.   }

  198. }

  199. 

  200. # Node-OS: xenial

  201. node /^ethercalc\d+\.open.*\.org$/ {

  202.   $group = "ethercalc"

  203.   class { 'openstack_project::server': }

  204. 

  205.   class { 'openstack_project::ethercalc':

  206.     vhost_name              => 'ethercalc.openstack.org',

  207.     ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),

  208.     ssl_key_file_contents   => hiera('ssl_key_file_contents'),

  209.     ssl_chain_file_contents => hiera('ssl_chain_file_contents'),

  210.   }

  211. }

  212. 

  213. # Node-OS: xenial

  214. node /^etherpad\d*\.open.*\.org$/ {

  215.   $group = "etherpad"

  216.   class { 'openstack_project::server': }

  217. 

  218.   class { 'openstack_project::etherpad':

  219.     vhost_name              => 'etherpad.openstack.org',

  220.     ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),

  221.     ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),

  222.     ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),

  223.     mysql_host              => hiera('etherpad_db_host', 'localhost'),

  224.     mysql_user              => hiera('etherpad_db_user', 'username'),

  225.     mysql_password          => hiera('etherpad_db_password'),

  226.   }

  227. }

  228. 

  229. # Node-OS: xenial

  230. node /^etherpad-dev\d*\.open.*\.org$/ {

  231.   $group = "etherpad-dev"

  232.   class { 'openstack_project::server': }

  233. 

  234.   class { 'openstack_project::etherpad_dev':

  235.     vhost_name     => 'etherpad-dev.openstack.org',

  236.     mysql_host     => hiera('etherpad-dev_db_host', 'localhost'),

  237.     mysql_user     => hiera('etherpad-dev_db_user', 'username'),

  238.     mysql_password => hiera('etherpad-dev_db_password'),

  239.   }

  240. }

  241. 

  242. # Node-OS: trusty

  243. node /^wiki\d+\.openstack\.org$/ {

  244.   $group = "wiki"

  245.   class { 'openstack_project::wiki':

  246.     bup_user                  => 'bup-wiki',

  247.     serveradmin               => hiera('infra_apache_serveradmin'),

  248.     site_hostname             => 'wiki.openstack.org',

  249.     ssl_cert_file_contents    => hiera('ssl_cert_file_contents'),

  250.     ssl_key_file_contents     => hiera('ssl_key_file_contents'),

  251.     ssl_chain_file_contents   => hiera('ssl_chain_file_contents'),

  252.     wg_dbserver               => hiera('wg_dbserver'),

  253.     wg_dbname                 => 'openstack_wiki',

  254.     wg_dbuser                 => 'wikiuser',

  255.     wg_dbpassword             => hiera('wg_dbpassword'),

  256.     wg_secretkey              => hiera('wg_secretkey'),

  257.     wg_upgradekey             => hiera('wg_upgradekey'),

  258.     wg_recaptchasitekey       => hiera('wg_recaptchasitekey'),

  259.     wg_recaptchasecretkey     => hiera('wg_recaptchasecretkey'),

  260.     wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),

  261.   }

  262. }

  263. 

  264. # Node-OS: trusty

  265. node /^wiki-dev\d+\.openstack\.org$/ {

  266.   $group = "wiki-dev"

  267.   class { 'openstack_project::wiki':

  268.     serveradmin           => hiera('infra_apache_serveradmin'),

  269.     site_hostname         => 'wiki-dev.openstack.org',

  270.     wg_dbserver           => hiera('wg_dbserver'),

  271.     wg_dbname             => 'openstack_wiki',

  272.     wg_dbuser             => 'wikiuser',

  273.     wg_dbpassword         => hiera('wg_dbpassword'),

  274.     wg_secretkey          => hiera('wg_secretkey'),

  275.     wg_upgradekey         => hiera('wg_upgradekey'),

  276.     wg_recaptchasitekey   => hiera('wg_recaptchasitekey'),

  277.     wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),

  278.     disallow_robots       => true,

  279.   }

  280. }

  281. 

  282. # Node-OS: xenial

  283. node /^logstash\d*\.open.*\.org$/ {

  284.   class { 'openstack_project::server': }

  285. 

  286.   class { 'openstack_project::logstash':

  287.     discover_nodes      => [

  288.       'elasticsearch03.openstack.org:9200',

  289.       'elasticsearch04.openstack.org:9200',

  290.       'elasticsearch05.openstack.org:9200',

  291.       'elasticsearch06.openstack.org:9200',

  292.       'elasticsearch07.openstack.org:9200',

  293.       'elasticsearch02.openstack.org:9200',

  294.     ],

  295.     subunit2sql_db_host => hiera('subunit2sql_db_host', ''),

  296.     subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),

  297.   }

  298. }

  299. 

  300. # Node-OS: xenial

  301. node /^logstash-worker\d+\.open.*\.org$/ {

  302.   $group = 'logstash-worker'

  303. 

  304.   class { 'openstack_project::server': }

  305. 

  306.   class { 'openstack_project::logstash_worker':

  307.     discover_node         => 'elasticsearch03.openstack.org',

  308.     enable_mqtt           => false,

  309.     mqtt_password         => hiera('mqtt_service_user_password'),

  310.     mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),

  311.   }

  312. }

  313. 

  314. # Node-OS: xenial

  315. node /^subunit-worker\d+\.open.*\.org$/ {

  316.   $group = "subunit-worker"

  317.   class { 'openstack_project::server': }

  318.   class { 'openstack_project::subunit_worker':

  319.     subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),

  320.     subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),

  321.     mqtt_pass             => hiera('mqtt_service_user_password'),

  322.     mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),

  323.   }

  324. }

  325. 

  326. # Node-OS: xenial

  327. node /^elasticsearch\d+\.open.*\.org$/ {

  328.   $group = "elasticsearch"

  329.   class { 'openstack_project::server': }

  330.   class { 'openstack_project::elasticsearch_node':

  331.     discover_nodes => $elasticsearch_nodes,

  332.   }

  333. }

  334. 

  335. # Node-OS: xenial

  336. node /^firehose\d+\.open.*\.org$/ {

  337.   class { 'openstack_project::server': }

  338.   class { 'openstack_project::firehose':

  339.     gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),

  340.     gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),

  341.     gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),

  342.     mqtt_password       => hiera('mqtt_service_user_password'),

  343.     ca_file             => hiera('mosquitto_tls_ca_file'),

  344.     cert_file           => hiera('mosquitto_tls_server_cert_file'),

  345.     key_file            => hiera('mosquitto_tls_server_key_file'),

  346.     imap_hostname       => hiera('lpmqtt_imap_server'),

  347.     imap_username       => hiera('lpmqtt_imap_username'),

  348.     imap_password       => hiera('lpmqtt_imap_password'),

  349.     statsd_host         => 'graphite.opendev.org',

  350.   }

  351. }

  352. 

  353. # A machine to drive AFS mirror updates.

  354. # Node-OS: xenial

  355. node /^mirror-update\d*\.open.*\.org$/ {

  356.   $group = "afsadmin"

  357. 

  358.   class { 'openstack_project::mirror_update':

  359.     admin_keytab          => hiera('afsadmin_keytab'),

  360.     fedora_keytab         => hiera('fedora_keytab'),

  361.     opensuse_keytab       => hiera('opensuse_keytab'),

  362.     reprepro_keytab       => hiera('reprepro_keytab'),

  363.     gem_keytab            => hiera('gem_keytab'),

  364.     centos_keytab         => hiera('centos_keytab'),

  365.     epel_keytab           => hiera('epel_keytab'),

  366.     yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),

  367.   }

  368. }

  369. 

  370. # Machines in each region to serve AFS mirrors.

  371. # Node-OS: xenial

  372. node /^mirror\d*\..*\.open.*\.org$/ {

  373.   $group = "mirror"

  374. 

  375.   class { 'openstack_project::server':

  376.     afs                       => true,

  377.     afs_cache_size            => 50000000,  # 50GB

  378.   }

  379. 

  380.   class { 'openstack_project::mirror':

  381.     vhost_name => $::fqdn,

  382.     require    => Class['Openstack_project::Server'],

  383.   }

  384. }

  385. 

  386. # Serve static AFS content for docs and other sites.

  387. # Node-OS: xenial

  388. node /^files\d*\.open.*\.org$/ {

  389.   $group = "files"

  390.   class { 'openstack_project::server':

  391.     afs                       => true,

  392.     afs_cache_size            => 10000000,  # 10GB

  393.   }

  394. 

  395.   class { 'openstack_project::files':

  396.     vhost_name                        => 'files.openstack.org',

  397.     developer_cert_file_contents      => hiera('developer_cert_file_contents'),

  398.     developer_key_file_contents       => hiera('developer_key_file_contents'),

  399.     developer_chain_file_contents     => hiera('developer_chain_file_contents'),

  400.     docs_cert_file_contents           => hiera('docs_cert_file_contents'),

  401.     docs_key_file_contents            => hiera('docs_key_file_contents'),

  402.     docs_chain_file_contents          => hiera('docs_chain_file_contents'),

  403.     git_airship_cert_file_contents    => hiera('git_airship_cert_file_contents'),

  404.     git_airship_key_file_contents     => hiera('git_airship_key_file_contents'),

  405.     git_airship_chain_file_contents   => hiera('git_airship_chain_file_contents'),

  406.     git_openstack_cert_file_contents  => hiera('git_openstack_cert_file_contents'),

  407.     git_openstack_key_file_contents   => hiera('git_openstack_key_file_contents'),

  408.     git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),

  409.     git_starlingx_cert_file_contents  => hiera('git_starlingx_cert_file_contents'),

  410.     git_starlingx_key_file_contents   => hiera('git_starlingx_key_file_contents'),

  411.     git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),

  412.     require                           => Class['Openstack_project::Server'],

  413.   }

  414. 

  415.   # Temporary for evaluating htaccess rules

  416.   ::httpd::vhost { "git-test.openstack.org":

  417.     port          => 80, # Is required despite not being used.

  418.     docroot       => "/afs/openstack.org/project/git-test/www",

  419.     priority      => '50',

  420.     template      => 'openstack_project/git-test.vhost.erb',

  421.   }

  422. 

  423.   openstack_project::website { 'docs.starlingx.io':

  424.     volume_name      => 'starlingx.io',

  425.     aliases          => [],

  426.     ssl_cert         => hiera('docs_starlingx_io_ssl_cert'),

  427.     ssl_key          => hiera('docs_starlingx_io_ssl_key'),

  428.     ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),

  429.     require          => Class['openstack_project::files'],

  430.   }

  431. 

  432.   openstack_project::website { 'docs.opendev.org':

  433.     aliases          => [],

  434.     docroot	     => "/afs/openstack.org/project/opendev.org/docs",

  435.     ssl_cert         => hiera('docs_opendev_ssl_cert'),

  436.     ssl_key          => hiera('docs_opendev_ssl_key'),

  437.     ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),

  438.     require          => Class['openstack_project::files'],

  439.   }

  440. 

  441.   openstack_project::website { 'tarballs.opendev.org':

  442.     aliases          => [],

  443.     docroot	     => "/afs/openstack.org/project/opendev.org/tarballs",

  444.     ssl_cert_file    => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer',

  445.     ssl_key_file     => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key',

  446.     ssl_chain_file   => '/etc/letsencrypt-certs/tarballs.opendev.org/ca.cer',

  447.     require          => Class['openstack_project::files'],

  448.   }

  449. 

  450.   openstack_project::website { 'zuul-ci.org':

  451.     aliases        => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],

  452.     ssl_cert_file  => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer',

  453.     ssl_key_file   => '/etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key',

  454.     ssl_chain_file => '/etc/letsencrypt-certs/zuul-ci.org/ca.cer',

  455.     require        => Class['openstack_project::files'],

  456.   }

  457. 

  458.   openstack_project::website { 'git.zuul-ci.org':

  459.     docroot             => "/var/www/git-redirect",

  460.     allow_override_list => "Redirect RedirectMatch RewriteEngine RewriteBase RewriteCond RewriteMap RewriteOptions RewriteRule",

  461.     ssl_cert_file       => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.cer',

  462.     ssl_key_file        => '/etc/letsencrypt-certs/git.zuul-ci.org/git.zuul-ci.org.key',

  463.     ssl_chain_file      => '/etc/letsencrypt-certs/git.zuul-ci.org/ca.cer',

  464.     require             => Class['openstack_project::files'],

  465.   }

  466. 

  467. }

  468. 

  469. # Node-OS: trusty

  470. # Node-OS: xenial

  471. node /^refstack\d*\.open.*\.org$/ {

  472.   class { 'openstack_project::server': }

  473.   class { 'refstack':

  474.     mysql_host          => hiera('refstack_mysql_host', 'localhost'),

  475.     mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),

  476.     mysql_user          => hiera('refstack_mysql_user', 'refstack'),

  477.     mysql_user_password => hiera('refstack_mysql_password'),

  478.     ssl_cert_content    => hiera('refstack_ssl_cert_file_contents'),

  479.     ssl_cert            => '/etc/ssl/certs/refstack.pem',

  480.     ssl_key_content     => hiera('refstack_ssl_key_file_contents'),

  481.     ssl_key             => '/etc/ssl/private/refstack.key',

  482.     ssl_ca_content      => hiera('refstack_ssl_chain_file_contents'),

  483.     ssl_ca              => '/etc/ssl/certs/refstack.ca.pem',

  484.     protocol            => 'https',

  485.   }

  486.   mysql_backup::backup_remote { 'refstack':

  487.     database_host     => hiera('refstack_mysql_host', 'localhost'),

  488.     database_user     => hiera('refstack_mysql_user', 'refstack'),

  489.     database_password => hiera('refstack_mysql_password'),

  490.     require           => Class['::refstack'],

  491.   }

  492. }

  493. 

  494. # A machine to run Storyboard

  495. # Node-OS: xenial

  496. node /^storyboard\d+\.opendev\.org$/ {

  497.   $group = "storyboard"

  498.   class { 'openstack_project::storyboard':

  499.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  500.     mysql_host              => hiera('storyboard_db_host', 'localhost'),

  501.     mysql_user              => hiera('storyboard_db_user', 'username'),

  502.     mysql_password          => hiera('storyboard_db_password'),

  503.     rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),

  504.     rabbitmq_password       => hiera('storyboard_rabbit_password'),

  505.     ssl_cert                => '/etc/ssl/certs/storyboard.openstack.org.pem',

  506.     ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),

  507.     ssl_key                 => '/etc/ssl/private/storyboard.openstack.org.key',

  508.     ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),

  509.     ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),

  510.     hostname                => 'storyboard.openstack.org',

  511.     valid_oauth_clients     => ['storyboard.openstack.org',],

  512.     cors_allowed_origins    => ['https://storyboard.openstack.org',],

  513.     sender_email_address    => 'storyboard@storyboard.openstack.org',

  514.     default_url             => 'https://storyboard.openstack.org',

  515.   }

  516. }

  517. 

  518. # A machine to run Storyboard devel

  519. # Node-OS: xenial

  520. node /^storyboard-dev\d+\.opendev\.org$/ {

  521.   $group = "storyboard-dev"

  522.   class { 'openstack_project::storyboard::dev':

  523.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  524.     mysql_host              => hiera('storyboard_db_host', 'localhost'),

  525.     mysql_user              => hiera('storyboard_db_user', 'username'),

  526.     mysql_password          => hiera('storyboard_db_password'),

  527.     rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),

  528.     rabbitmq_password       => hiera('storyboard_rabbit_password'),

  529.     hostname                => 'storyboard-dev.openstack.org',

  530.     valid_oauth_clients     => ['^.*',],

  531.     cors_allowed_origins    => ['^.*',],

  532.     sender_email_address    => 'storyboard-dev@storyboard-dev.openstack.org',

  533.     default_url             => 'https://storyboard-dev.openstack.org',

  534.   }

  535. 

  536. }

  537. 

  538. # A machine to serve static content.

  539. # Node-OS: trusty

  540. # Node-OS: xenial

  541. node /^static\d*\.open.*\.org$/ {

  542.   class { 'openstack_project::server': }

  543.   class { 'openstack_project::static':

  544.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  545.     swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',

  546.     swift_user              => 'infra-files-ro',

  547.     swift_key               => hiera('infra_files_ro_password'),

  548.     swift_tenant_name       => hiera('infra_files_tenant_name', 'tenantname'),

  549.     swift_region_name       => 'DFW',

  550.     swift_default_container => 'infra-files',

  551.     ssl_cert_file_contents  => hiera('static_ssl_cert_file_contents'),

  552.     ssl_key_file_contents   => hiera('static_ssl_key_file_contents'),

  553.     ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),

  554.   }

  555. }

  556. 

  557. # Node-OS: xenial

  558. node /^zk\d+\.open.*\.org$/ {

  559.   # We use IP addresses here so that zk listens on the public facing addresses

  560.   # allowing cluster members to talk to each other. Without this they listen

  561.   # on 127.0.1.1 because that is what we have in /etc/hosts for

  562.   # zk0X.openstack.org.

  563.   $zk_cluster_members = [

  564.     '23.253.236.126', # zk01

  565.     '172.99.117.32',  # zk02

  566.     '23.253.90.246',  # zk03

  567.   ]

  568.   class { 'openstack_project::server': }

  569. 

  570.   class { '::zookeeper':

  571.     # ID needs to be numeric, so we use regex to extra numbers from fqdn.

  572.     id             => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),

  573.     # The frequency in hours to look for and purge old snapshots,

  574.     # defaults to 0 (disabled). The number of retained snapshots can

  575.     # be separately controlled through snap_retain_count and

  576.     # defaults to the minimum value of 3. This will quickly fill the

  577.     # disk in production if not enabled. Works on ZK >=3.4.

  578.     purge_interval => 6,

  579.     servers        => $zk_cluster_members,

  580.   }

  581. }

  582. 

  583. # A machine to serve various project status updates.

  584. # Node-OS: trusty

  585. # Node-OS: xenial

  586. node /^status\d*\.open.*\.org$/ {

  587.   $group = 'status'

  588. 

  589.   class { 'openstack_project::server': }

  590. 

  591.   class { 'openstack_project::status':

  592.     gerrit_host                   => 'review.opendev.org',

  593.     gerrit_ssh_host_key           => hiera('gerrit_ssh_rsa_pubkey_contents'),

  594.     reviewday_ssh_public_key      => hiera('reviewday_rsa_pubkey_contents'),

  595.     reviewday_ssh_private_key     => hiera('reviewday_rsa_key_contents'),

  596.     recheck_ssh_public_key        => hiera('elastic-recheck_gerrit_ssh_public_key'),

  597.     recheck_ssh_private_key       => hiera('elastic-recheck_gerrit_ssh_private_key'),

  598.     recheck_bot_nick              => 'openstackrecheck',

  599.     recheck_bot_passwd            => hiera('elastic-recheck_ircbot_password'),

  600.   }

  601. }

  602. 

  603. # Node-OS: xenial

  604. node /^survey\d+\.open.*\.org$/ {

  605.   $group = "survey"

  606.   class { 'openstack_project::server': }

  607. 

  608.   class { 'openstack_project::survey':

  609.     vhost_name              => 'survey.openstack.org',

  610.     auth_openid             => true,

  611.     ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),

  612.     ssl_key_file_contents   => hiera('ssl_key_file_contents'),

  613.     ssl_chain_file_contents => hiera('ssl_chain_file_contents'),

  614.     dbpassword              => hiera('dbpassword'),

  615.     dbhost                  => hiera('dbhost'),

  616.     adminuser               => hiera('adminuser'),

  617.     adminpass               => hiera('adminpass'),

  618.     adminmail               => hiera('adminmail'),

  619.   }

  620. }

  621. 

  622. # Node-OS: xenial

  623. node /^nl\d+\.open.*\.org$/ {

  624.   $group = 'nodepool'

  625. 

  626.   # NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)

  627.   # the cloud credentials are deployed with ansible via the

  628.   # configure-openstacksdk role and are no longer configured here

  629. 

  630.   class { 'openstack_project::server': }

  631. 

  632.   include openstack_project

  633. 

  634.   class { '::openstackci::nodepool_launcher':

  635.     nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),

  636.     project_config_repo      => 'https://opendev.org/openstack/project-config',

  637.     statsd_host              => 'graphite.opendev.org',

  638.     revision                 => 'master',

  639.     python_version           => 3,

  640.     enable_webapp            => true,

  641.   }

  642. }

  643. 

  644. # Node-OS: xenial

  645. node /^nb\d+\.open.*\.org$/ {

  646.   $group = 'nodepool'

  647. 

  648.   class { 'openstack_project::server': }

  649. 

  650.   include openstack_project

  651. 

  652.   class { '::openstackci::nodepool_builder':

  653.     nodepool_ssh_public_key       => hiera('zuul_worker_ssh_public_key_contents'),

  654.     vhost_name                    => $::fqdn,

  655.     enable_build_log_via_http     => true,

  656.     project_config_repo           => 'https://opendev.org/openstack/project-config',

  657.     statsd_host                   => 'graphite.opendev.org',

  658.     upload_workers                => '16',

  659.     revision                      => 'master',

  660.     python_version                => 3,

  661.     zuulv3                        => true,

  662.     ssl_cert_file                 => '/etc/ssl/certs/ssl-cert-snakeoil.pem',

  663.     ssl_key_file                  => '/etc/ssl/private/ssl-cert-snakeoil.key',

  664.   }

  665. 

  666.   cron { 'mirror_gitgc':

  667.     user        => 'nodepool',

  668.     hour        => '20',

  669.     minute      => '0',

  670.     command     => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',

  671.     environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',

  672.     require     => Class['::openstackci::nodepool_builder'],

  673.   }

  674. }

  675. 

  676. # Node-OS: xenial

  677. node /^ze\d+\.open.*\.org$/ {

  678.   $group = "zuul-executor"

  679. 

  680.   $gerrit_server           = 'review.opendev.org'

  681.   $gerrit_user             = 'zuul'

  682.   $gerrit_ssh_host_key     = hiera('gerrit_ssh_rsa_pubkey_contents')

  683.   $gerrit_ssh_private_key  = hiera('gerrit_ssh_private_key_contents')

  684.   $zuul_ssh_private_key    = hiera('zuul_ssh_private_key_contents')

  685.   $zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')

  686.   $git_email               = 'zuul@openstack.org'

  687.   $git_name                = 'OpenStack Zuul'

  688.   $revision                = 'master'

  689. 

  690.   class { 'openstack_project::server':

  691.     afs                       => true,

  692.   }

  693. 

  694.   class { '::project_config':

  695.     url => 'https://opendev.org/openstack/project-config',

  696.   }

  697. 

  698.   # We use later HWE kernels for better memory managment, requiring an

  699.   # updated AFS version which we install from our custom ppa.

  700.   include ::apt

  701.   apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }

  702.   package { 'linux-generic-hwe-16.04':

  703.     ensure  => present,

  704.     require => [

  705.       Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],

  706.       Class['apt::update'],

  707.     ],

  708.   }

  709. 

  710.   # Skopeo is required for pushing/pulling from the intermediate

  711.   # registry, and is available in the projectatomic ppa.

  712. 

  713.   apt::ppa { 'ppa:projectatomic/ppa': }

  714.   package { 'skopeo':

  715.     ensure  => present,

  716.     require => [

  717.       Apt::Ppa['ppa:projectatomic/ppa'],

  718.       Class['apt::update'],

  719.     ],

  720.   }

  721. 

  722.   # Socat is also required for pushing/pulling images

  723.   package { 'socat':

  724.     ensure  => present,

  725.     require => [

  726.       Class['apt::update'],

  727.     ],

  728.   }

  729. 

  730.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  731.   # settings.

  732.   class { '::zuul':

  733.     gearman_server           => 'zuul01.openstack.org',

  734.     gerrit_server            => $gerrit_server,

  735.     gerrit_user              => $gerrit_user,

  736.     zuul_ssh_private_key     => $gerrit_ssh_private_key,

  737.     git_email                => $git_email,

  738.     git_name                 => $git_name,

  739.     worker_private_key_file  => '/var/lib/zuul/ssh/nodepool_id_rsa',

  740.     revision                 => $revision,

  741.     python_version           => 3,

  742.     zookeeper_hosts          => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  743.     zuulv3                   => true,

  744.     connections              => hiera('zuul_connections', []),

  745.     connection_secrets      => hiera('zuul_connection_secrets', []),

  746.     gearman_client_ssl_cert  => hiera('gearman_client_ssl_cert'),

  747.     gearman_client_ssl_key   => hiera('gearman_client_ssl_key'),

  748.     gearman_ssl_ca           => hiera('gearman_ssl_ca'),

  749.     #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs

  750.     # properly. We need to revisting this post Queens PTG.

  751.     trusted_ro_paths         => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],

  752.     trusted_rw_paths         => ['/afs'],

  753.     untrusted_ro_paths       => ['/etc/ssl/certs'],

  754.     disk_limit_per_job       => 5000,  # Megabytes

  755.     site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,

  756.     require                  => $::project_config::config_dir,

  757.     statsd_host              => 'graphite.opendev.org',

  758.   }

  759. 

  760.   class { '::zuul::executor': }

  761. 

  762.   # This is used by the log job submission playbook which runs under

  763.   # python2

  764.   package { 'gear':

  765.     ensure   => latest,

  766.     provider => openstack_pip,

  767.     require  => Class['pip'],

  768.   }

  769. 

  770.   file { '/var/lib/zuul/ssh/nodepool_id_rsa':

  771.     owner   => 'zuul',

  772.     group   => 'zuul',

  773.     mode    => '0400',

  774.     require => File['/var/lib/zuul/ssh'],

  775.     content => $zuul_ssh_private_key,

  776.   }

  777. 

  778.   file { '/var/lib/zuul/ssh/static_id_rsa':

  779.     owner   => 'zuul',

  780.     group   => 'zuul',

  781.     mode    => '0400',

  782.     require => File['/var/lib/zuul/ssh'],

  783.     content => $zuul_static_private_key,

  784.   }

  785. 

  786.   class { '::zuul::known_hosts':

  787.     known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",

  788.   }

  789. }

  790. 

  791. # Node-OS: xenial

  792. node /^zuul\d+\.open.*\.org$/ {

  793.   $group = "zuul-scheduler"

  794.   $gerrit_server        = 'review.opendev.org'

  795.   $gerrit_user          = 'zuul'

  796.   $gerrit_ssh_host_key  = hiera('gerrit_zuul_user_ssh_key_contents')

  797.   $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')

  798.   $zuul_url             = "http://zuul.openstack.org/p"

  799.   $git_email            = 'zuul@openstack.org'

  800.   $git_name             = 'OpenStack Zuul'

  801.   $revision             = 'master'

  802. 

  803.   class { 'openstack_project::server': }

  804. 

  805.   class { '::project_config':

  806.     url => 'https://opendev.org/openstack/project-config',

  807.   }

  808. 

  809.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  810.   # settings.

  811.   class { '::zuul':

  812.     gerrit_server                 => $gerrit_server,

  813.     gerrit_user                   => $gerrit_user,

  814.     zuul_ssh_private_key          => $zuul_ssh_private_key,

  815.     git_email                     => $git_email,

  816.     git_name                      => $git_name,

  817.     revision                      => $revision,

  818.     python_version                => 3,

  819.     zookeeper_hosts               => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  820.     zookeeper_session_timeout     => 40,

  821.     zuulv3                        => true,

  822.     connections                   => hiera('zuul_connections', []),

  823.     connection_secrets            => hiera('zuul_connection_secrets', []),

  824.     vhost_name                    => 'zuul.openstack.org',

  825.     zuul_status_url               => 'http://127.0.0.1:8001/openstack',

  826.     zuul_web_url                  => 'http://127.0.0.1:9000',

  827.     zuul_tenant_name              => 'openstack',

  828.     gearman_client_ssl_cert       => hiera('gearman_client_ssl_cert'),

  829.     gearman_client_ssl_key        => hiera('gearman_client_ssl_key'),

  830.     gearman_server_ssl_cert       => hiera('gearman_server_ssl_cert'),

  831.     gearman_server_ssl_key        => hiera('gearman_server_ssl_key'),

  832.     gearman_ssl_ca                => hiera('gearman_ssl_ca'),

  833.     proxy_ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),

  834.     proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),

  835.     proxy_ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),

  836.     statsd_host                   => 'graphite.opendev.org',

  837.     status_url                    => 'https://zuul.openstack.org',

  838.     relative_priority             => true,

  839.     web_root                      => 'https://zuul.opendev.org',

  840.   }

  841. 

  842.   file { "/etc/zuul/github.key":

  843.     ensure  => present,

  844.     owner   => 'zuul',

  845.     group   => 'zuul',

  846.     mode    => '0600',

  847.     content => hiera('zuul_github_app_key'),

  848.     require => File['/etc/zuul'],

  849.   }

  850. 

  851.   class { '::zuul::scheduler':

  852.     layout_dir     => $::project_config::zuul_layout_dir,

  853.     require        => $::project_config::config_dir,

  854.     python_version => 3,

  855.     use_mysql      => true,

  856.   }

  857. 

  858.   class { '::zuul::web':

  859.     # We manage backups below

  860.     enable_status_backups => false,

  861.     vhosts => {

  862.       'zuul.openstack.org' => {

  863.         port       => 443,

  864.         docroot    => '/opt/zuul-web/content',

  865.         priority   => '50',

  866.         ssl        => true,

  867.         template   => 'zuul/zuulv3.vhost.erb',

  868.         vhost_name => 'zuul.openstack.org',

  869.       },

  870.       'zuul.opendev.org' => {

  871.         port       => 443,

  872.         docroot    => '/opt/zuul-web/content',

  873.         priority   => '40',

  874.         ssl        => true,

  875.         template   => 'zuul/zuulv3.vhost.erb',

  876.         vhost_name => 'zuul.opendev.org',

  877.       },

  878.       'zuul.openstack.org-http' => {

  879.         port       => 80,

  880.         docroot    => '/opt/zuul-web/content',

  881.         priority   => '50',

  882.         ssl        => false,

  883.         template   => 'zuul/zuulv3.vhost.erb',

  884.         vhost_name => 'zuul.openstack.org',

  885.       },

  886.       'zuul.opendev.org-http' => {

  887.         port       => 80,

  888.         docroot    => '/opt/zuul-web/content',

  889.         priority   => '40',

  890.         ssl        => false,

  891.         template   => 'zuul/zuulv3.vhost.erb',

  892.         vhost_name => 'zuul.opendev.org',

  893.       },

  894.     },

  895.     vhosts_flags => {

  896.       'zuul.openstack.org' => {

  897.         tenant_name => 'openstack',

  898.         ssl         => true,

  899.         use_le      => false,

  900.       },

  901.       'zuul.opendev.org' => {

  902.         tenant_name => '',

  903.         ssl         => true,

  904.         use_le      => true,

  905.       },

  906.       'zuul.openstack.org-http' => {

  907.         tenant_name => 'openstack',

  908.         ssl         => false,

  909.         use_le      => false,

  910.       },

  911.       'zuul.opendev.org-http' => {

  912.         tenant_name => '',

  913.         ssl         => false,

  914.         use_le      => false,

  915.       },

  916.     },

  917.     vhosts_ssl => {

  918.       'zuul.openstack.org' => {

  919.         ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),

  920.         ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),

  921.         ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),

  922.       },

  923.     },

  924.   }

  925. 

  926.   zuul::status_backups { 'openstack-zuul-tenant':

  927.     tenant_name => 'openstack',

  928.     ssl         => true,

  929.     status_uri  => 'https://zuul.opendev.org/api/tenant/openstack/status',

  930.   }

  931. 

  932.   zuul::status_backups { 'kata-zuul-tenant':

  933.     tenant_name => 'kata-containers',

  934.     ssl         => true,

  935.     status_uri  => 'https://zuul.opendev.org/api/tenant/kata-containers/status',

  936.   }

  937. 

  938.   class { '::zuul::fingergw': }

  939. 

  940.   class { '::zuul::known_hosts':

  941.     known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",

  942.   }

  943. 

  944.   include bup

  945.   bup::site { 'rax.ord':

  946.     backup_user   => 'bup-zuulv3',

  947.     backup_server => 'backup01.ord.rax.ci.openstack.org',

  948.   }

  949. 

  950. }

  951. 

  952. # Node-OS: xenial

  953. node /^zm\d+.open.*\.org$/ {

  954.   $group = "zuul-merger"

  955. 

  956.   $gerrit_server        = 'review.opendev.org'

  957.   $gerrit_user          = 'zuul'

  958.   $gerrit_ssh_host_key  = hiera('gerrit_ssh_rsa_pubkey_contents')

  959.   $zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')

  960.   $zuul_url             = "http://${::fqdn}/p"

  961.   $git_email            = 'zuul@openstack.org'

  962.   $git_name             = 'OpenStack Zuul'

  963.   $revision             = 'master'

  964. 

  965.   class { 'openstack_project::server': }

  966. 

  967.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  968.   # settings.

  969.   class { '::zuul':

  970.     gearman_server          => 'zuul01.openstack.org',

  971.     gerrit_server           => $gerrit_server,

  972.     gerrit_user             => $gerrit_user,

  973.     zuul_ssh_private_key    => $zuul_ssh_private_key,

  974.     git_email               => $git_email,

  975.     git_name                => $git_name,

  976.     revision                => $revision,

  977.     python_version          => 3,

  978.     zookeeper_hosts         => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  979.     zuulv3                  => true,

  980.     connections             => hiera('zuul_connections', []),

  981.     connection_secrets      => hiera('zuul_connection_secrets', []),

  982.     gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),

  983.     gearman_client_ssl_key  => hiera('gearman_client_ssl_key'),

  984.     gearman_ssl_ca          => hiera('gearman_ssl_ca'),

  985.     statsd_host             => 'graphite.opendev.org',

  986.   }

  987. 

  988.   class { 'openstack_project::zuul_merger':

  989.     gerrit_server        => $gerrit_server,

  990.     gerrit_user          => $gerrit_user,

  991.     gerrit_ssh_host_key  => $gerrit_ssh_host_key,

  992.     zuul_ssh_private_key => $zuul_ssh_private_key,

  993.     manage_common_zuul   => false,

  994.   }

  995. }

  996. 

  997. # Node-OS: xenial

  998. node /^pbx\d*\.open.*\.org$/ {

  999.   $group = "pbx"

  1000.   class { 'openstack_project::server': }

  1001.   class { 'openstack_project::pbx':

  1002.     sip_providers => [

  1003.       {

  1004.         provider => 'voipms',

  1005.         hostname => 'dallas.voip.ms',

  1006.         username => hiera('voipms_username', 'username'),

  1007.         password => hiera('voipms_password'),

  1008.         outgoing => false,

  1009.       },

  1010.     ],

  1011.   }

  1012. }

  1013. 

  1014. # Node-OS: xenial

  1015. # A backup machine.  Don't run cron or puppet agent on it.

  1016. node /^backup\d+\..*\.ci\.open.*\.org$/ {

  1017.   $group = "ci-backup"

  1018.   class { 'openstack_project::server': }

  1019.   include openstack_project::backup_server

  1020. }

  1021. 

  1022. # Node-OS: xenial

  1023. node /^openstackid\d*(\.openstack)?\.org$/ {

  1024.   $group = "openstackid"

  1025.   class { 'openstack_project::openstackid_prod':

  1026.     site_admin_password                 => hiera('openstackid_site_admin_password'),

  1027.     id_mysql_host                       => hiera('openstackid_id_mysql_host', 'localhost'),

  1028.     id_mysql_password                   => hiera('openstackid_id_mysql_password'),

  1029.     id_mysql_user                       => hiera('openstackid_id_mysql_user', 'username'),

  1030.     id_db_name                          => hiera('openstackid_id_db_name'),

  1031.     ss_mysql_host                       => hiera('openstackid_ss_mysql_host', 'localhost'),

  1032.     ss_mysql_password                   => hiera('openstackid_ss_mysql_password'),

  1033.     ss_mysql_user                       => hiera('openstackid_ss_mysql_user', 'username'),

  1034.     ss_db_name                          => hiera('openstackid_ss_db_name', 'username'),

  1035.     redis_password                      => hiera('openstackid_redis_password'),

  1036.     ssl_cert_file_contents              => hiera('openstackid_ssl_cert_file_contents'),

  1037.     ssl_key_file_contents               => hiera('openstackid_ssl_key_file_contents'),

  1038.     ssl_chain_file_contents             => hiera('openstackid_ssl_chain_file_contents'),

  1039.     id_recaptcha_public_key             => hiera('openstackid_recaptcha_public_key'),

  1040.     id_recaptcha_private_key            => hiera('openstackid_recaptcha_private_key'),

  1041.     vhost_name                          => 'openstackid.org',

  1042.     session_cookie_domain               => 'openstackid.org',

  1043.     serveradmin                         => 'webmaster@openstackid.org',

  1044.     canonicalweburl                     => 'https://openstackid.org/',

  1045.     app_url                             => 'https://openstackid.org',

  1046.     app_key                             => hiera('openstackid_app_key'),

  1047.     id_log_error_to_email               => 'openstack@tipit.net',

  1048.     id_log_error_from_email             => 'noreply@openstack.org',

  1049.     email_driver                        => 'sendgrid',

  1050.     email_send_grid_api_key             => hiera('openstackid_send_grid_api_key'),

  1051.     php_version                         => 7,

  1052.     mysql_ssl_enabled                   => true,

  1053.     mysql_ssl_ca_file_contents          => hiera('openstackid_mysql_ssl_ca_file_contents'),

  1054.     mysql_ssl_client_key_file_contents  => hiera('openstackid_mysql_ssl_client_key_file_contents'),

  1055.     mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),

  1056.     lost_password_url                   => 'https://openstackid.org/lost-password',

  1057.     registration_url                    => 'https://openstackid.org/registration',

  1058.     registration_mobile_url             => 'https://openstackid.org/registration-mobile',

  1059.     resend_verification_url             => 'https://openstackid.org/resend-verification',

  1060.   }

  1061. }

  1062. 

  1063. # Node-OS: xenial

  1064. node /^openstackid-dev\d*\.openstack\.org$/ {

  1065.   $group = "openstackid-dev"

  1066.   class { 'openstack_project::openstackid_dev':

  1067.     site_admin_password                 => hiera('openstackid_dev_site_admin_password'),

  1068.     id_mysql_host                       => hiera('openstackid_dev_id_mysql_host', 'localhost'),

  1069.     id_mysql_password                   => hiera('openstackid_dev_id_mysql_password'),

  1070.     id_mysql_user                       => hiera('openstackid_dev_id_mysql_user', 'username'),

  1071.     ss_mysql_host                       => hiera('openstackid_dev_ss_mysql_host', 'localhost'),

  1072.     ss_mysql_password                   => hiera('openstackid_dev_ss_mysql_password'),

  1073.     ss_mysql_user                       => hiera('openstackid_dev_ss_mysql_user', 'username'),

  1074.     ss_db_name                          => hiera('openstackid_dev_ss_db_name', 'username'),

  1075.     redis_password                      => hiera('openstackid_dev_redis_password'),

  1076.     ssl_cert_file_contents              => hiera('openstackid_dev_ssl_cert_file_contents'),

  1077.     ssl_key_file_contents               => hiera('openstackid_dev_ssl_key_file_contents'),

  1078.     ssl_chain_file_contents             => hiera('openstackid_dev_ssl_chain_file_contents'),

  1079.     id_recaptcha_public_key             => hiera('openstackid_dev_recaptcha_public_key'),

  1080.     id_recaptcha_private_key            => hiera('openstackid_dev_recaptcha_private_key'),

  1081.     vhost_name                          => 'openstackid-dev.openstack.org',

  1082.     session_cookie_domain               => 'openstackid-dev.openstack.org',

  1083.     serveradmin                         => 'webmaster@openstackid-dev.openstack.org',

  1084.     canonicalweburl                     => 'https://openstackid-dev.openstack.org/',

  1085.     app_url                             => 'https://openstackid-dev.openstack.org',

  1086.     app_key                             => hiera('openstackid_dev_app_key'),

  1087.     id_log_error_to_email               => 'openstack@tipit.net',

  1088.     id_log_error_from_email             => 'noreply@openstack.org',

  1089.     email_driver                        => 'sendgrid',

  1090.     email_send_grid_api_key             => hiera('openstackid_dev_send_grid_api_key'),

  1091.     php_version                         => 7,

  1092.     mysql_ssl_enabled                   => true,

  1093.     mysql_ssl_ca_file_contents          => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),

  1094.     mysql_ssl_client_key_file_contents  => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),

  1095.     mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),

  1096.     lost_password_url                   => 'https://openstackid-dev.openstack.org/lost-password',

  1097.     registration_url                    => 'https://openstackid-dev.openstack.org/registration',

  1098.     registration_mobile_url             => 'https://openstackid-dev.openstack.org/registration-mobile',

  1099.     resend_verification_url             => 'https://openstackid-dev.openstack.org/resend-verification',

  1100.   }

  1101. }

  1102. 

  1103. # Node-OS: trusty

  1104. # Used for testing all-in-one deployments

  1105. node 'single-node-ci.test.only' {

  1106.   include ::openstackci::single_node_ci

  1107. }

  1108. 

  1109. # Node-OS: xenial

  1110. node /^kdc03\.open.*\.org$/ {

  1111.   class { 'openstack_project::server': }

  1112. 

  1113.   class { 'openstack_project::kdc': }

  1114. }

  1115. 

  1116. # Node-OS: xenial

  1117. node /^kdc04\.open.*\.org$/ {

  1118.   class { 'openstack_project::server': }

  1119. 

  1120.   class { 'openstack_project::kdc':

  1121.     slave => true,

  1122.   }

  1123. }

  1124. 

  1125. # Node-OS: xenial

  1126. node /^afsdb01\.open.*\.org$/ {

  1127.   $group = "afsdb"

  1128. 

  1129.   class { 'openstack_project::server':

  1130.     afs                       => true,

  1131.   }

  1132. 

  1133.   include openstack_project::afsdb

  1134.   include openstack_project::afsrelease

  1135. }

  1136. 

  1137. # Node-OS: xenial

  1138. node /^afsdb.*\.open.*\.org$/ {

  1139.   $group = "afsdb"

  1140. 

  1141.   class { 'openstack_project::server':

  1142.     afs                       => true,

  1143.   }

  1144. 

  1145.   include openstack_project::afsdb

  1146. }

  1147. 

  1148. # Node-OS: xenial

  1149. node /^afs.*\..*\.open.*\.org$/ {

  1150.   $group = "afs"

  1151. 

  1152.   class { 'openstack_project::server':

  1153.     afs                       => true,

  1154.   }

  1155. 

  1156.   include openstack_project::afsfs

  1157. }

  1158. 

  1159. # Node-OS: xenial

  1160. node /^ask\d*\.open.*\.org$/ {

  1161. 

  1162.   class { 'openstack_project::server': }

  1163. 

  1164.   class { 'openstack_project::ask':

  1165.     db_user                      => hiera('ask_db_user', 'ask'),

  1166.     db_password                  => hiera('ask_db_password'),

  1167.     redis_password               => hiera('ask_redis_password'),

  1168.     site_ssl_cert_file_contents  => hiera('ask_site_ssl_cert_file_contents', undef),

  1169.     site_ssl_key_file_contents   => hiera('ask_site_ssl_key_file_contents', undef),

  1170.     site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),

  1171.   }

  1172. }

  1173. 

  1174. # Node-OS: xenial

  1175. node /^ask-staging\d*\.open.*\.org$/ {

  1176.   class { 'openstack_project::server': }

  1177. 

  1178.   class { 'openstack_project::ask_staging':

  1179.     db_password                  => hiera('ask_staging_db_password'),

  1180.     redis_password               => hiera('ask_staging_redis_password'),

  1181.   }

  1182. }

  1183. 

  1184. # Node-OS: xenial

  1185. node /^translate\d+\.open.*\.org$/ {

  1186.   $group = "translate"

  1187.   class { 'openstack_project::server': }

  1188.   class { 'openstack_project::translate':

  1189.     admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',

  1190.     openid_url                 => 'https://openstackid.org',

  1191.     listeners                  => ['ajp'],

  1192.     from_address               => 'noreply@openstack.org',

  1193.     mysql_host                 => hiera('translate_mysql_host', 'localhost'),

  1194.     mysql_password             => hiera('translate_mysql_password'),

  1195.     zanata_server_user         => hiera('proposal_zanata_user'),

  1196.     zanata_server_api_key      => hiera('proposal_zanata_api_key'),

  1197.     zanata_wildfly_version     => '10.1.0',

  1198.     zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',

  1199.     zanata_main_version        => 4,

  1200.     zanata_url                 => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',

  1201.     zanata_checksum            => 'eaf8bd07401dade758b677007d2358f173193d17',

  1202.     project_config_repo        => 'https://opendev.org/openstack/project-config',

  1203.     ssl_cert_file_contents     => hiera('translate_ssl_cert_file_contents'),

  1204.     ssl_key_file_contents      => hiera('translate_ssl_key_file_contents'),

  1205.     ssl_chain_file_contents    => hiera('translate_ssl_chain_file_contents'),

  1206.     vhost_name                 => 'translate.openstack.org',

  1207.   }

  1208. }

  1209. 

  1210. # Node-OS: xenial

  1211. node /^translate-dev\d*\.open.*\.org$/ {

  1212.   $group = "translate-dev"

  1213.   class { 'openstack_project::translate_dev':

  1214.     admin_users           => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',

  1215.     openid_url            => 'https://openstackid-dev.openstack.org',

  1216.     listeners             => ['ajp'],

  1217.     from_address          => 'noreply@openstack.org',

  1218.     mysql_host            => hiera('translate_dev_mysql_host', 'localhost'),

  1219.     mysql_password        => hiera('translate_dev_mysql_password'),

  1220.     zanata_server_user    => hiera('proposal_zanata_user'),

  1221.     zanata_server_api_key => hiera('proposal_zanata_api_key'),

  1222.     project_config_repo   => 'https://opendev.org/openstack/project-config',

  1223.     vhost_name            => 'translate-dev.openstack.org',

  1224.   }

  1225. }

  1226. 

  1227. 

  1228. # Node-OS: xenial

  1229. node /^codesearch\d*\.open.*\.org$/ {

  1230.   $group = "codesearch"

  1231.   class { 'openstack_project::server': }

  1232.   class { 'openstack_project::codesearch':

  1233.     project_config_repo => 'https://opendev.org/openstack/project-config',

  1234.   }

  1235. }

  1236. 

  1237. # vim:sw=2:ts=2:expandtab:textwidth=79