opendev
/
system-config
Code Issues
System configuration for OpenStack Infrastructure
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14901 Commits
1 Branch
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
system-config/manifests/site.pp

site.pp 52KB
Raw Permalink Blame History

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274 
  1. #

  2. # Top-level variables

  3. #

  4. # There must not be any whitespace between this comment and the variables or

  5. # in between any two variables in order for them to be correctly parsed and

  6. # passed around in test.sh

  7. #

  8. # Note we do not do a hiera lookup here as we set $group on a per node basis

  9. # and that must be set before we can do hiera lookups. Doing a hiera lookup

  10. # here would fail to find any group specific info.

  11. $elasticsearch_nodes = [

  12.   "elasticsearch02.openstack.org",

  13.   "elasticsearch03.openstack.org",

  14.   "elasticsearch04.openstack.org",

  15.   "elasticsearch05.openstack.org",

  16.   "elasticsearch06.openstack.org",

  17.   "elasticsearch07.openstack.org",

  18. ]

  19. 

  20. #

  21. # Default: should at least behave like an openstack server

  22. #

  23. node default {

  24.   class { 'openstack_project::server':

  25.   }

  26. }

  27. 

  28. #

  29. # Long lived servers:

  30. #

  31. # Node-OS: xenial

  32. node /^review\d*\.open.*\.org$/ {

  33.   $group = "review"

  34. 

  35.   class { 'openstack_project::server': }

  36. 

  37.   class { 'openstack_project::review':

  38.     project_config_repo                  => 'https://opendev.org/openstack/project-config',

  39.     github_oauth_token                   => hiera('gerrit_github_token'),

  40.     github_project_username              => hiera('github_project_username', 'username'),

  41.     github_project_password              => hiera('github_project_password'),

  42.     mysql_host                           => hiera('gerrit_mysql_host', 'localhost'),

  43.     mysql_password                       => hiera('gerrit_mysql_password'),

  44.     email_private_key                    => hiera('gerrit_email_private_key'),

  45.     token_private_key                    => hiera('gerrit_rest_token_private_key'),

  46.     gerritbot_password                   => hiera('gerrit_gerritbot_password'),

  47.     gerritbot_ssh_rsa_key_contents       => hiera('gerritbot_ssh_rsa_key_contents'),

  48.     gerritbot_ssh_rsa_pubkey_contents    => hiera('gerritbot_ssh_rsa_pubkey_contents'),

  49.     ssl_cert_file_contents               => hiera('review_opendev_cert_file_contents'),

  50.     ssl_key_file_contents                => hiera('review_opendev_key_file_contents'),

  51.     ssl_chain_file_contents              => hiera('review_opendev_chain_file_contents'),

  52.     ssh_dsa_key_contents                 => hiera('gerrit_ssh_dsa_key_contents'),

  53.     ssh_dsa_pubkey_contents              => hiera('gerrit_ssh_dsa_pubkey_contents'),

  54.     ssh_rsa_key_contents                 => hiera('gerrit_ssh_rsa_key_contents'),

  55.     ssh_rsa_pubkey_contents              => hiera('gerrit_ssh_rsa_pubkey_contents'),

  56.     ssh_project_rsa_key_contents         => hiera('gerrit_project_ssh_rsa_key_contents'),

  57.     ssh_project_rsa_pubkey_contents      => hiera('gerrit_project_ssh_rsa_pubkey_contents'),

  58.     ssh_welcome_rsa_key_contents         => hiera('welcome_message_gerrit_ssh_private_key'),

  59.     ssh_welcome_rsa_pubkey_contents      => hiera('welcome_message_gerrit_ssh_public_key'),

  60.     ssh_replication_rsa_key_contents     => hiera('gerrit_replication_ssh_rsa_key_contents'),

  61.     ssh_replication_rsa_pubkey_contents  => hiera('gerrit_replication_ssh_rsa_pubkey_contents'),

  62.     lp_access_token                      => hiera('gerrit_lp_access_token'),

  63.     lp_access_secret                     => hiera('gerrit_lp_access_secret'),

  64.     lp_consumer_key                      => hiera('gerrit_lp_consumer_key'),

  65.     swift_username                       => hiera('swift_store_user', 'username'),

  66.     swift_password                       => hiera('swift_store_key'),

  67.     storyboard_password                  => hiera('gerrit_storyboard_token'),

  68.     # Compatibility layer vars for the old domain name below here.

  69.     # TODO rename the hiera keys to reduce confusion

  70.     review_openstack_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),

  71.     review_openstack_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),

  72.     review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),

  73.   }

  74. }

  75. 

  76. # Node-OS: xenial

  77. node /^review-dev\d*\.open.*\.org$/ {

  78.   $group = "review-dev"

  79. 

  80.   class { 'openstack_project::server':

  81.     afs                       => true,

  82.   }

  83. 

  84.   class { 'openstack_project::review_dev':

  85.     project_config_repo                 => 'https://opendev.org/openstack/project-config',

  86.     github_oauth_token                  => hiera('gerrit_dev_github_token'),

  87.     github_project_username             => hiera('github_dev_project_username', 'username'),

  88.     github_project_password             => hiera('github_dev_project_password'),

  89.     mysql_host                          => hiera('gerrit_dev_mysql_host', 'localhost'),

  90.     mysql_password                      => hiera('gerrit_dev_mysql_password'),

  91.     email_private_key                   => hiera('gerrit_dev_email_private_key'),

  92.     ssh_dsa_key_contents                => hiera('gerrit_dev_ssh_dsa_key_contents'),

  93.     ssh_dsa_pubkey_contents             => hiera('gerrit_dev_ssh_dsa_pubkey_contents'),

  94.     ssh_rsa_key_contents                => hiera('gerrit_dev_ssh_rsa_key_contents'),

  95.     ssh_rsa_pubkey_contents             => hiera('gerrit_dev_ssh_rsa_pubkey_contents'),

  96.     ssh_project_rsa_key_contents        => hiera('gerrit_dev_project_ssh_rsa_key_contents'),

  97.     ssh_project_rsa_pubkey_contents     => hiera('gerrit_dev_project_ssh_rsa_pubkey_contents'),

  98.     ssh_replication_rsa_key_contents    => hiera('gerrit_dev_replication_ssh_rsa_key_contents'),

  99.     ssh_replication_rsa_pubkey_contents => hiera('gerrit_dev_replication_ssh_rsa_pubkey_contents'),

  100.     lp_access_token                     => hiera('gerrit_dev_lp_access_token'),

  101.     lp_access_secret                    => hiera('gerrit_dev_lp_access_secret'),

  102.     lp_consumer_key                     => hiera('gerrit_dev_lp_consumer_key'),

  103.     storyboard_password                 => hiera('gerrit_dev_storyboard_token'),

  104.     storyboard_ssl_cert                 => hiera('gerrit_dev_storyboard_ssl_crt'),

  105.   }

  106. }

  107. 

  108. # Node-OS: xenial

  109. # Puppet-Version: !3

  110. node /^grafana\d*\.open.*\.org$/ {

  111.   $group = "grafana"

  112.   class { 'openstack_project::server': }

  113.   class { 'openstack_project::grafana':

  114.     admin_password      => hiera('grafana_admin_password'),

  115.     admin_user          => hiera('grafana_admin_user', 'username'),

  116.     mysql_host          => hiera('grafana_mysql_host', 'localhost'),

  117.     mysql_name          => hiera('grafana_mysql_name'),

  118.     mysql_password      => hiera('grafana_mysql_password'),

  119.     mysql_user          => hiera('grafana_mysql_user', 'username'),

  120.     project_config_repo => 'https://opendev.org/openstack/project-config',

  121.     secret_key          => hiera('grafana_secret_key'),

  122.   }

  123. }

  124. 

  125. # Node-OS: xenial

  126. node /^health\d*\.openstack\.org$/ {

  127.   $group = "health"

  128.   class { 'openstack_project::server': }

  129.   class { 'openstack_project::openstack_health_api':

  130.     subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),

  131.     hostname            => 'health.openstack.org',

  132.   }

  133. }

  134. 

  135. # Node-OS: xenial

  136. node /^cacti\d+\.open.*\.org$/ {

  137.   $group = "cacti"

  138.   include openstack_project::ssl_cert_check

  139.   class { 'openstack_project::cacti':

  140.     cacti_hosts => hiera_array('cacti_hosts'),

  141.     vhost_name  => 'cacti.openstack.org',

  142.   }

  143. }

  144. 

  145. # Node-OS: xenial

  146. node /^graphite\d*\.open.*\.org$/ {

  147.   class { 'openstack_project::server': }

  148. 

  149.   class { '::graphite':

  150.     graphite_admin_user     => hiera('graphite_admin_user', 'username'),

  151.     graphite_admin_email    => hiera('graphite_admin_email', 'email@example.com'),

  152.     graphite_admin_password => hiera('graphite_admin_password'),

  153.     # NOTE(ianw): installed on the host via ansible

  154.     ssl_cert_file           => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.cer',

  155.     ssl_key_file            => '/etc/letsencrypt-certs/graphite01.opendev.org/graphite01.opendev.org.key',

  156.     ssl_chain_file          => '/etc/letsencrypt-certs/graphite01.opendev.org/ca.cer',

  157.   }

  158. }

  159. 

  160. # Node-OS: trusty

  161. # Node-OS: xenial

  162. node /^lists\d*\.open.*\.org$/ {

  163.   class { 'openstack_project::server': }

  164. 

  165.   class { 'openstack_project::lists':

  166.     listpassword => hiera('listpassword'),

  167.   }

  168. }

  169. 

  170. # Node-OS: xenial

  171. node /^lists\d*\.katacontainers\.io$/ {

  172.   class { 'openstack_project::server': }

  173. 

  174.   class { 'openstack_project::kata_lists':

  175.     listpassword => hiera('listpassword'),

  176.   }

  177. }

  178. 

  179. # Node-OS: xenial

  180. node /^paste\d*\.open.*\.org$/ {

  181.   $group = "paste"

  182. 

  183.   class { 'openstack_project::server': }

  184.   class { 'openstack_project::paste':

  185.     db_password         => hiera('paste_db_password'),

  186.     db_host             => hiera('paste_db_host'),

  187.     vhost_name          => 'paste.openstack.org',

  188.   }

  189. }

  190. 

  191. # Node-OS: xenial

  192. node /planet\d*\.open.*\.org$/ {

  193.   class { 'openstack_project::planet':

  194.   }

  195. }

  196. 

  197. # Node-OS: xenial

  198. node /^eavesdrop\d*\.open.*\.org$/ {

  199.   $group = "eavesdrop"

  200.   class { 'openstack_project::server': }

  201. 

  202.   class { 'openstack_project::eavesdrop':

  203.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  204.     nickpass                => hiera('openstack_meetbot_password'),

  205.     statusbot_nick          => hiera('statusbot_nick', 'username'),

  206.     statusbot_password      => hiera('statusbot_nick_password'),

  207.     statusbot_server        => 'chat.freenode.net',

  208.     statusbot_channels      => hiera_array('statusbot_channels', ['openstack_infra']),

  209.     statusbot_auth_nicks    => hiera_array('statusbot_auth_nicks'),

  210.     statusbot_wiki_user     => hiera('statusbot_wiki_username', 'username'),

  211.     statusbot_wiki_password => hiera('statusbot_wiki_password'),

  212.     statusbot_wiki_url      => 'https://wiki.openstack.org/w/api.php',

  213.     # https://wiki.openstack.org/wiki/Infrastructure_Status

  214.     statusbot_wiki_pageid   => '1781',

  215.     statusbot_wiki_successpageid => '7717',

  216.     statusbot_wiki_successpageurl => 'https://wiki.openstack.org/wiki/Successes',

  217.     statusbot_wiki_thankspageid => '37700',

  218.     statusbot_wiki_thankspageurl => 'https://wiki.openstack.org/wiki/Thanks',

  219.     statusbot_irclogs_url   => 'http://eavesdrop.openstack.org/irclogs/%(chan)s/%(chan)s.%(date)s.log.html',

  220.     statusbot_twitter                 => true,

  221.     statusbot_twitter_key             => hiera('statusbot_twitter_key'),

  222.     statusbot_twitter_secret          => hiera('statusbot_twitter_secret'),

  223.     statusbot_twitter_token_key       => hiera('statusbot_twitter_token_key'),

  224.     statusbot_twitter_token_secret    => hiera('statusbot_twitter_token_secret'),

  225.     accessbot_nick          => hiera('accessbot_nick', 'username'),

  226.     accessbot_password      => hiera('accessbot_nick_password'),

  227.     meetbot_channels        => hiera('meetbot_channels', ['openstack-infra']),

  228.     ptgbot_nick             => hiera('ptgbot_nick', 'username'),

  229.     ptgbot_password         => hiera('ptgbot_password'),

  230.   }

  231. }

  232. 

  233. # Node-OS: xenial

  234. node /^ethercalc\d+\.open.*\.org$/ {

  235.   $group = "ethercalc"

  236.   class { 'openstack_project::server': }

  237. 

  238.   class { 'openstack_project::ethercalc':

  239.     vhost_name              => 'ethercalc.openstack.org',

  240.     ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),

  241.     ssl_key_file_contents   => hiera('ssl_key_file_contents'),

  242.     ssl_chain_file_contents => hiera('ssl_chain_file_contents'),

  243.   }

  244. }

  245. 

  246. # Node-OS: xenial

  247. node /^etherpad\d*\.open.*\.org$/ {

  248.   $group = "etherpad"

  249.   class { 'openstack_project::server': }

  250. 

  251.   class { 'openstack_project::etherpad':

  252.     vhost_name              => 'etherpad.openstack.org',

  253.     ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),

  254.     ssl_key_file_contents   => hiera('etherpad_ssl_key_file_contents'),

  255.     ssl_chain_file_contents => hiera('etherpad_ssl_chain_file_contents'),

  256.     mysql_host              => hiera('etherpad_db_host', 'localhost'),

  257.     mysql_user              => hiera('etherpad_db_user', 'username'),

  258.     mysql_password          => hiera('etherpad_db_password'),

  259.   }

  260. }

  261. 

  262. # Node-OS: xenial

  263. node /^etherpad-dev\d*\.open.*\.org$/ {

  264.   $group = "etherpad-dev"

  265.   class { 'openstack_project::server': }

  266. 

  267.   class { 'openstack_project::etherpad_dev':

  268.     vhost_name     => 'etherpad-dev.openstack.org',

  269.     mysql_host     => hiera('etherpad-dev_db_host', 'localhost'),

  270.     mysql_user     => hiera('etherpad-dev_db_user', 'username'),

  271.     mysql_password => hiera('etherpad-dev_db_password'),

  272.   }

  273. }

  274. 

  275. # Node-OS: trusty

  276. node /^wiki\d+\.openstack\.org$/ {

  277.   $group = "wiki"

  278.   class { 'openstack_project::wiki':

  279.     bup_user                  => 'bup-wiki',

  280.     serveradmin               => hiera('infra_apache_serveradmin'),

  281.     site_hostname             => 'wiki.openstack.org',

  282.     ssl_cert_file_contents    => hiera('ssl_cert_file_contents'),

  283.     ssl_key_file_contents     => hiera('ssl_key_file_contents'),

  284.     ssl_chain_file_contents   => hiera('ssl_chain_file_contents'),

  285.     wg_dbserver               => hiera('wg_dbserver'),

  286.     wg_dbname                 => 'openstack_wiki',

  287.     wg_dbuser                 => 'wikiuser',

  288.     wg_dbpassword             => hiera('wg_dbpassword'),

  289.     wg_secretkey              => hiera('wg_secretkey'),

  290.     wg_upgradekey             => hiera('wg_upgradekey'),

  291.     wg_recaptchasitekey       => hiera('wg_recaptchasitekey'),

  292.     wg_recaptchasecretkey     => hiera('wg_recaptchasecretkey'),

  293.     wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),

  294.   }

  295. }

  296. 

  297. # Node-OS: trusty

  298. node /^wiki-dev\d+\.openstack\.org$/ {

  299.   $group = "wiki-dev"

  300.   class { 'openstack_project::wiki':

  301.     serveradmin           => hiera('infra_apache_serveradmin'),

  302.     site_hostname         => 'wiki-dev.openstack.org',

  303.     wg_dbserver           => hiera('wg_dbserver'),

  304.     wg_dbname             => 'openstack_wiki',

  305.     wg_dbuser             => 'wikiuser',

  306.     wg_dbpassword         => hiera('wg_dbpassword'),

  307.     wg_secretkey          => hiera('wg_secretkey'),

  308.     wg_upgradekey         => hiera('wg_upgradekey'),

  309.     wg_recaptchasitekey   => hiera('wg_recaptchasitekey'),

  310.     wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),

  311.     disallow_robots       => true,

  312.   }

  313. }

  314. 

  315. # Node-OS: xenial

  316. node /^logstash\d*\.open.*\.org$/ {

  317.   class { 'openstack_project::server': }

  318. 

  319.   class { 'openstack_project::logstash':

  320.     discover_nodes      => [

  321.       'elasticsearch03.openstack.org:9200',

  322.       'elasticsearch04.openstack.org:9200',

  323.       'elasticsearch05.openstack.org:9200',

  324.       'elasticsearch06.openstack.org:9200',

  325.       'elasticsearch07.openstack.org:9200',

  326.       'elasticsearch02.openstack.org:9200',

  327.     ],

  328.     subunit2sql_db_host => hiera('subunit2sql_db_host', ''),

  329.     subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),

  330.   }

  331. }

  332. 

  333. # Node-OS: xenial

  334. node /^logstash-worker\d+\.open.*\.org$/ {

  335.   $group = 'logstash-worker'

  336. 

  337.   class { 'openstack_project::server': }

  338. 

  339.   class { 'openstack_project::logstash_worker':

  340.     discover_node         => 'elasticsearch03.openstack.org',

  341.     enable_mqtt           => false,

  342.     mqtt_password         => hiera('mqtt_service_user_password'),

  343.     mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),

  344.   }

  345. }

  346. 

  347. # Node-OS: xenial

  348. node /^subunit-worker\d+\.open.*\.org$/ {

  349.   $group = "subunit-worker"

  350.   class { 'openstack_project::server': }

  351.   class { 'openstack_project::subunit_worker':

  352.     subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),

  353.     subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),

  354.     mqtt_pass             => hiera('mqtt_service_user_password'),

  355.     mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),

  356.   }

  357. }

  358. 

  359. # Node-OS: xenial

  360. node /^elasticsearch\d+\.open.*\.org$/ {

  361.   $group = "elasticsearch"

  362.   class { 'openstack_project::server': }

  363.   class { 'openstack_project::elasticsearch_node':

  364.     discover_nodes => $elasticsearch_nodes,

  365.   }

  366. }

  367. 

  368. # Node-OS: xenial

  369. node /^firehose\d+\.open.*\.org$/ {

  370.   class { 'openstack_project::server': }

  371.   class { 'openstack_project::firehose':

  372.     gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),

  373.     gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),

  374.     gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),

  375.     mqtt_password       => hiera('mqtt_service_user_password'),

  376.     ca_file             => hiera('mosquitto_tls_ca_file'),

  377.     cert_file           => hiera('mosquitto_tls_server_cert_file'),

  378.     key_file            => hiera('mosquitto_tls_server_key_file'),

  379.     imap_hostname       => hiera('lpmqtt_imap_server'),

  380.     imap_username       => hiera('lpmqtt_imap_username'),

  381.     imap_password       => hiera('lpmqtt_imap_password'),

  382.     statsd_host         => 'graphite.opendev.org',

  383.   }

  384. }

  385. 

  386. # A machine to drive AFS mirror updates.

  387. # Node-OS: xenial

  388. node /^mirror-update\d*\.open.*\.org$/ {

  389.   $group = "afsadmin"

  390. 

  391.   class { 'openstack_project::mirror_update':

  392.     admin_keytab          => hiera('afsadmin_keytab'),

  393.     fedora_keytab         => hiera('fedora_keytab'),

  394.     opensuse_keytab       => hiera('opensuse_keytab'),

  395.     reprepro_keytab       => hiera('reprepro_keytab'),

  396.     gem_keytab            => hiera('gem_keytab'),

  397.     centos_keytab         => hiera('centos_keytab'),

  398.     epel_keytab           => hiera('epel_keytab'),

  399.     yum_puppetlabs_keytab => hiera('yum_puppetlabs_keytab'),

  400.   }

  401. }

  402. 

  403. # Machines in each region to serve AFS mirrors.

  404. # Node-OS: xenial

  405. node /^mirror\d*\..*\.open.*\.org$/ {

  406.   $group = "mirror"

  407. 

  408.   class { 'openstack_project::server':

  409.     afs                       => true,

  410.     afs_cache_size            => 50000000,  # 50GB

  411.   }

  412. 

  413.   class { 'openstack_project::mirror':

  414.     vhost_name => $::fqdn,

  415.     require    => Class['Openstack_project::Server'],

  416.   }

  417. }

  418. 

  419. # Serve static AFS content for docs and other sites.

  420. # Node-OS: xenial

  421. node /^files\d*\.open.*\.org$/ {

  422.   $group = "files"

  423.   class { 'openstack_project::server':

  424.     afs                       => true,

  425.     afs_cache_size            => 10000000,  # 10GB

  426.   }

  427. 

  428.   class { 'openstack_project::files':

  429.     vhost_name                        => 'files.openstack.org',

  430.     developer_cert_file_contents      => hiera('developer_cert_file_contents'),

  431.     developer_key_file_contents       => hiera('developer_key_file_contents'),

  432.     developer_chain_file_contents     => hiera('developer_chain_file_contents'),

  433.     docs_cert_file_contents           => hiera('docs_cert_file_contents'),

  434.     docs_key_file_contents            => hiera('docs_key_file_contents'),

  435.     docs_chain_file_contents          => hiera('docs_chain_file_contents'),

  436.     git_airship_cert_file_contents    => hiera('git_airship_cert_file_contents'),

  437.     git_airship_key_file_contents     => hiera('git_airship_key_file_contents'),

  438.     git_airship_chain_file_contents   => hiera('git_airship_chain_file_contents'),

  439.     git_openstack_cert_file_contents  => hiera('git_openstack_cert_file_contents'),

  440.     git_openstack_key_file_contents   => hiera('git_openstack_key_file_contents'),

  441.     git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'),

  442.     git_starlingx_cert_file_contents  => hiera('git_starlingx_cert_file_contents'),

  443.     git_starlingx_key_file_contents   => hiera('git_starlingx_key_file_contents'),

  444.     git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'),

  445.     git_zuul_cert_file_contents       => hiera('git_zuul_cert_file_contents'),

  446.     git_zuul_key_file_contents        => hiera('git_zuul_key_file_contents'),

  447.     git_zuul_chain_file_contents      => hiera('git_zuul_chain_file_contents'),

  448.     require                           => Class['Openstack_project::Server'],

  449.   }

  450. 

  451.   # Temporary for evaluating htaccess rules

  452.   ::httpd::vhost { "git-test.openstack.org":

  453.     port          => 80, # Is required despite not being used.

  454.     docroot       => "/afs/openstack.org/project/git-test/www",

  455.     priority      => '50',

  456.     template      => 'openstack_project/git-test.vhost.erb',

  457.   }

  458. 

  459.   openstack_project::website { 'docs.starlingx.io':

  460.     volume_name      => 'starlingx.io',

  461.     aliases          => [],

  462.     ssl_cert         => hiera('docs_starlingx_io_ssl_cert'),

  463.     ssl_key          => hiera('docs_starlingx_io_ssl_key'),

  464.     ssl_intermediate => hiera('docs_starlingx_io_ssl_intermediate'),

  465.     require          => Class['openstack_project::files'],

  466.   }

  467. 

  468.   openstack_project::website { 'docs.opendev.org':

  469.     aliases          => [],

  470.     docroot	     => "/afs/openstack.org/project/opendev.org/docs",

  471.     ssl_cert         => hiera('docs_opendev_ssl_cert'),

  472.     ssl_key          => hiera('docs_opendev_ssl_key'),

  473.     ssl_intermediate => hiera('docs_opendev_ssl_intermediate'),

  474.     require          => Class['openstack_project::files'],

  475.   }

  476. 

  477.   openstack_project::website { 'tarballs.opendev.org':

  478.     aliases          => [],

  479.     docroot	     => "/afs/openstack.org/project/opendev.org/tarballs",

  480.     ssl_cert_file    => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer',

  481.     ssl_key_file     => '/etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key',

  482.     ssl_chain_file   => '/etc/letsencrypt-certs/tarballs.opendev.org/ca.cer',

  483.     require          => Class['openstack_project::files'],

  484.   }

  485. 

  486.   openstack_project::website { 'zuul-ci.org':

  487.     aliases          => ['www.zuul-ci.org', 'zuulci.org', 'www.zuulci.org'],

  488.     ssl_cert         => hiera('zuul-ci_org_ssl_cert'),

  489.     ssl_key          => hiera('zuul-ci_org_ssl_key'),

  490.     ssl_intermediate => hiera('zuul-ci_org_ssl_intermediate'),

  491.     require          => Class['openstack_project::files'],

  492.   }

  493. 

  494. }

  495. 

  496. # Node-OS: trusty

  497. # Node-OS: xenial

  498. node /^refstack\d*\.open.*\.org$/ {

  499.   class { 'openstack_project::server': }

  500.   class { 'refstack':

  501.     mysql_host          => hiera('refstack_mysql_host', 'localhost'),

  502.     mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),

  503.     mysql_user          => hiera('refstack_mysql_user', 'refstack'),

  504.     mysql_user_password => hiera('refstack_mysql_password'),

  505.     ssl_cert_content    => hiera('refstack_ssl_cert_file_contents'),

  506.     ssl_cert            => '/etc/ssl/certs/refstack.pem',

  507.     ssl_key_content     => hiera('refstack_ssl_key_file_contents'),

  508.     ssl_key             => '/etc/ssl/private/refstack.key',

  509.     ssl_ca_content      => hiera('refstack_ssl_chain_file_contents'),

  510.     ssl_ca              => '/etc/ssl/certs/refstack.ca.pem',

  511.     protocol            => 'https',

  512.   }

  513.   mysql_backup::backup_remote { 'refstack':

  514.     database_host     => hiera('refstack_mysql_host', 'localhost'),

  515.     database_user     => hiera('refstack_mysql_user', 'refstack'),

  516.     database_password => hiera('refstack_mysql_password'),

  517.     require           => Class['::refstack'],

  518.   }

  519. }

  520. 

  521. # A machine to run Storyboard

  522. # Node-OS: xenial

  523. node /^storyboard\d+\.opendev\.org$/ {

  524.   $group = "storyboard"

  525.   class { 'openstack_project::storyboard':

  526.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  527.     mysql_host              => hiera('storyboard_db_host', 'localhost'),

  528.     mysql_user              => hiera('storyboard_db_user', 'username'),

  529.     mysql_password          => hiera('storyboard_db_password'),

  530.     rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),

  531.     rabbitmq_password       => hiera('storyboard_rabbit_password'),

  532.     ssl_cert                => '/etc/ssl/certs/storyboard.openstack.org.pem',

  533.     ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),

  534.     ssl_key                 => '/etc/ssl/private/storyboard.openstack.org.key',

  535.     ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),

  536.     ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),

  537.     hostname                => 'storyboard.openstack.org',

  538.     valid_oauth_clients     => [

  539.       'storyboard.openstack.org',

  540.       'logs.openstack.org',

  541.     ],

  542.     cors_allowed_origins     => [

  543.       'https://storyboard.openstack.org',

  544.       'http://logs.openstack.org',

  545.     ],

  546.     sender_email_address => 'storyboard@storyboard.openstack.org',

  547.     default_url          => 'https://storyboard.openstack.org',

  548.   }

  549. }

  550. 

  551. # A machine to run Storyboard devel

  552. # Node-OS: xenial

  553. node /^storyboard-dev\d+\.opendev\.org$/ {

  554.   $group = "storyboard-dev"

  555.   class { 'openstack_project::storyboard::dev':

  556.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  557.     mysql_host              => hiera('storyboard_db_host', 'localhost'),

  558.     mysql_user              => hiera('storyboard_db_user', 'username'),

  559.     mysql_password          => hiera('storyboard_db_password'),

  560.     rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),

  561.     rabbitmq_password       => hiera('storyboard_rabbit_password'),

  562.     hostname                => 'storyboard-dev.openstack.org',

  563.     valid_oauth_clients     => [

  564.       'storyboard-dev.openstack.org',

  565.       'logs.openstack.org',

  566.     ],

  567.     cors_allowed_origins     => [

  568.       'https://storyboard-dev.openstack.org',

  569.       'http://logs.openstack.org',

  570.     ],

  571.     sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',

  572.     default_url          => 'https://storyboard-dev.openstack.org',

  573.   }

  574. 

  575. }

  576. 

  577. # A machine to serve static content.

  578. # Node-OS: trusty

  579. # Node-OS: xenial

  580. node /^static\d*\.open.*\.org$/ {

  581.   class { 'openstack_project::server': }

  582.   class { 'openstack_project::static':

  583.     project_config_repo     => 'https://opendev.org/openstack/project-config',

  584.     swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',

  585.     swift_user              => 'infra-files-ro',

  586.     swift_key               => hiera('infra_files_ro_password'),

  587.     swift_tenant_name       => hiera('infra_files_tenant_name', 'tenantname'),

  588.     swift_region_name       => 'DFW',

  589.     swift_default_container => 'infra-files',

  590.     ssl_cert_file_contents  => hiera('static_ssl_cert_file_contents'),

  591.     ssl_key_file_contents   => hiera('static_ssl_key_file_contents'),

  592.     ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),

  593.   }

  594. }

  595. 

  596. # Node-OS: xenial

  597. node /^zk\d+\.open.*\.org$/ {

  598.   # We use IP addresses here so that zk listens on the public facing addresses

  599.   # allowing cluster members to talk to each other. Without this they listen

  600.   # on 127.0.1.1 because that is what we have in /etc/hosts for

  601.   # zk0X.openstack.org.

  602.   $zk_cluster_members = [

  603.     '23.253.236.126', # zk01

  604.     '172.99.117.32',  # zk02

  605.     '23.253.90.246',  # zk03

  606.   ]

  607.   class { 'openstack_project::server': }

  608. 

  609.   class { '::zookeeper':

  610.     # ID needs to be numeric, so we use regex to extra numbers from fqdn.

  611.     id             => regsubst($::fqdn, '^zk(\d+)\.open.*\.org$', '\1'),

  612.     # The frequency in hours to look for and purge old snapshots,

  613.     # defaults to 0 (disabled). The number of retained snapshots can

  614.     # be separately controlled through snap_retain_count and

  615.     # defaults to the minimum value of 3. This will quickly fill the

  616.     # disk in production if not enabled. Works on ZK >=3.4.

  617.     purge_interval => 6,

  618.     servers        => $zk_cluster_members,

  619.   }

  620. }

  621. 

  622. # A machine to serve various project status updates.

  623. # Node-OS: trusty

  624. # Node-OS: xenial

  625. node /^status\d*\.open.*\.org$/ {

  626.   $group = 'status'

  627. 

  628.   class { 'openstack_project::server': }

  629. 

  630.   class { 'openstack_project::status':

  631.     gerrit_host                   => 'review.opendev.org',

  632.     gerrit_ssh_host_key           => hiera('gerrit_ssh_rsa_pubkey_contents'),

  633.     reviewday_ssh_public_key      => hiera('reviewday_rsa_pubkey_contents'),

  634.     reviewday_ssh_private_key     => hiera('reviewday_rsa_key_contents'),

  635.     recheck_ssh_public_key        => hiera('elastic-recheck_gerrit_ssh_public_key'),

  636.     recheck_ssh_private_key       => hiera('elastic-recheck_gerrit_ssh_private_key'),

  637.     recheck_bot_nick              => 'openstackrecheck',

  638.     recheck_bot_passwd            => hiera('elastic-recheck_ircbot_password'),

  639.   }

  640. }

  641. 

  642. # Node-OS: xenial

  643. node /^survey\d+\.open.*\.org$/ {

  644.   $group = "survey"

  645.   class { 'openstack_project::server': }

  646. 

  647.   class { 'openstack_project::survey':

  648.     vhost_name              => 'survey.openstack.org',

  649.     auth_openid             => true,

  650.     ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),

  651.     ssl_key_file_contents   => hiera('ssl_key_file_contents'),

  652.     ssl_chain_file_contents => hiera('ssl_chain_file_contents'),

  653.     dbpassword              => hiera('dbpassword'),

  654.     dbhost                  => hiera('dbhost'),

  655.     adminuser               => hiera('adminuser'),

  656.     adminpass               => hiera('adminpass'),

  657.     adminmail               => hiera('adminmail'),

  658.   }

  659. }

  660. 

  661. # Node-OS: xenial

  662. node /^nl\d+\.open.*\.org$/ {

  663.   $group = 'nodepool'

  664. 

  665.   # NOTE(ianw) From 09-2018 (https://review.opendev.org/#/c/598329/)

  666.   # the cloud credentials are deployed with ansible via the

  667.   # configure-openstacksdk role and are no longer configured here

  668. 

  669.   class { 'openstack_project::server': }

  670. 

  671.   include openstack_project

  672. 

  673.   class { '::openstackci::nodepool_launcher':

  674.     nodepool_ssh_private_key => hiera('zuul_worker_ssh_private_key_contents'),

  675.     project_config_repo      => 'https://opendev.org/openstack/project-config',

  676.     statsd_host              => 'graphite.opendev.org',

  677.     revision                 => 'master',

  678.     python_version           => 3,

  679.     enable_webapp            => true,

  680.   }

  681. }

  682. 

  683. # Node-OS: xenial

  684. node /^nb\d+\.open.*\.org$/ {

  685.   $group = 'nodepool'

  686. 

  687.   class { 'openstack_project::server': }

  688. 

  689.   include openstack_project

  690. 

  691.   class { '::openstackci::nodepool_builder':

  692.     nodepool_ssh_public_key       => hiera('zuul_worker_ssh_public_key_contents'),

  693.     vhost_name                    => $::fqdn,

  694.     enable_build_log_via_http     => true,

  695.     project_config_repo           => 'https://opendev.org/openstack/project-config',

  696.     statsd_host                   => 'graphite.opendev.org',

  697.     upload_workers                => '16',

  698.     revision                      => 'master',

  699.     python_version                => 3,

  700.     zuulv3                        => true,

  701.     ssl_cert_file                 => '/etc/ssl/certs/ssl-cert-snakeoil.pem',

  702.     ssl_key_file                  => '/etc/ssl/private/ssl-cert-snakeoil.key',

  703.   }

  704. 

  705.   cron { 'mirror_gitgc':

  706.     user        => 'nodepool',

  707.     hour        => '20',

  708.     minute      => '0',

  709.     command     => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',

  710.     environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',

  711.     require     => Class['::openstackci::nodepool_builder'],

  712.   }

  713. }

  714. 

  715. # Node-OS: xenial

  716. node /^ze\d+\.open.*\.org$/ {

  717.   $group = "zuul-executor"

  718. 

  719.   $gerrit_server           = 'review.opendev.org'

  720.   $gerrit_user             = 'zuul'

  721.   $gerrit_ssh_host_key     = hiera('gerrit_ssh_rsa_pubkey_contents')

  722.   $gerrit_ssh_private_key  = hiera('gerrit_ssh_private_key_contents')

  723.   $zuul_ssh_private_key    = hiera('zuul_ssh_private_key_contents')

  724.   $zuul_static_private_key = hiera('jenkins_ssh_private_key_contents')

  725.   $git_email               = 'zuul@openstack.org'

  726.   $git_name                = 'OpenStack Zuul'

  727.   $revision                = 'master'

  728. 

  729.   class { 'openstack_project::server':

  730.     afs                       => true,

  731.   }

  732. 

  733.   class { '::project_config':

  734.     url => 'https://opendev.org/openstack/project-config',

  735.   }

  736. 

  737.   # We use later HWE kernels for better memory managment, requiring an

  738.   # updated AFS version which we install from our custom ppa.

  739.   include ::apt

  740.   apt::ppa { 'ppa:openstack-ci-core/openafs-amd64-hwe': }

  741.   package { 'linux-generic-hwe-16.04':

  742.     ensure  => present,

  743.     require => [

  744.       Apt::Ppa['ppa:openstack-ci-core/openafs-amd64-hwe'],

  745.       Class['apt::update'],

  746.     ],

  747.   }

  748. 

  749.   # Skopeo is required for pushing/pulling from the intermediate

  750.   # registry, and is available in the projectatomic ppa.

  751. 

  752.   apt::ppa { 'ppa:projectatomic/ppa': }

  753.   package { 'skopeo':

  754.     ensure  => present,

  755.     require => [

  756.       Apt::Ppa['ppa:projectatomic/ppa'],

  757.       Class['apt::update'],

  758.     ],

  759.   }

  760. 

  761.   # Socat is also required for pushing/pulling images

  762.   package { 'socat':

  763.     ensure  => present,

  764.     require => [

  765.       Class['apt::update'],

  766.     ],

  767.   }

  768. 

  769.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  770.   # settings.

  771.   class { '::zuul':

  772.     gearman_server           => 'zuul01.openstack.org',

  773.     gerrit_server            => $gerrit_server,

  774.     gerrit_user              => $gerrit_user,

  775.     zuul_ssh_private_key     => $gerrit_ssh_private_key,

  776.     git_email                => $git_email,

  777.     git_name                 => $git_name,

  778.     worker_private_key_file  => '/var/lib/zuul/ssh/nodepool_id_rsa',

  779.     revision                 => $revision,

  780.     python_version           => 3,

  781.     zookeeper_hosts          => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  782.     zuulv3                   => true,

  783.     connections              => hiera('zuul_connections', []),

  784.     gearman_client_ssl_cert  => hiera('gearman_client_ssl_cert'),

  785.     gearman_client_ssl_key   => hiera('gearman_client_ssl_key'),

  786.     gearman_ssl_ca           => hiera('gearman_ssl_ca'),

  787.     #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs

  788.     # properly. We need to revisting this post Queens PTG.

  789.     trusted_ro_paths         => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],

  790.     trusted_rw_paths         => ['/afs'],

  791.     untrusted_ro_paths       => ['/etc/ssl/certs'],

  792.     disk_limit_per_job       => 5000,  # Megabytes

  793.     site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,

  794.     require                  => $::project_config::config_dir,

  795.     statsd_host              => 'graphite.opendev.org',

  796.   }

  797. 

  798.   class { '::zuul::executor': }

  799. 

  800.   # This is used by the log job submission playbook which runs under

  801.   # python2

  802.   package { 'gear':

  803.     ensure   => latest,

  804.     provider => openstack_pip,

  805.     require  => Class['pip'],

  806.   }

  807. 

  808.   file { '/var/lib/zuul/ssh/nodepool_id_rsa':

  809.     owner   => 'zuul',

  810.     group   => 'zuul',

  811.     mode    => '0400',

  812.     require => File['/var/lib/zuul/ssh'],

  813.     content => $zuul_ssh_private_key,

  814.   }

  815. 

  816.   file { '/var/lib/zuul/ssh/static_id_rsa':

  817.     owner   => 'zuul',

  818.     group   => 'zuul',

  819.     mode    => '0400',

  820.     require => File['/var/lib/zuul/ssh'],

  821.     content => $zuul_static_private_key,

  822.   }

  823. 

  824.   class { '::zuul::known_hosts':

  825.     known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",

  826.   }

  827. }

  828. 

  829. # Node-OS: xenial

  830. node /^zuul\d+\.open.*\.org$/ {

  831.   $group = "zuul-scheduler"

  832.   $gerrit_server        = 'review.opendev.org'

  833.   $gerrit_user          = 'zuul'

  834.   $gerrit_ssh_host_key  = hiera('gerrit_zuul_user_ssh_key_contents')

  835.   $zuul_ssh_private_key = hiera('zuul_ssh_private_key_contents')

  836.   $zuul_url             = "http://zuul.openstack.org/p"

  837.   $git_email            = 'zuul@openstack.org'

  838.   $git_name             = 'OpenStack Zuul'

  839.   $revision             = 'master'

  840. 

  841.   class { 'openstack_project::server': }

  842. 

  843.   class { '::project_config':

  844.     url => 'https://opendev.org/openstack/project-config',

  845.   }

  846. 

  847.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  848.   # settings.

  849.   class { '::zuul':

  850.     gerrit_server                 => $gerrit_server,

  851.     gerrit_user                   => $gerrit_user,

  852.     zuul_ssh_private_key          => $zuul_ssh_private_key,

  853.     git_email                     => $git_email,

  854.     git_name                      => $git_name,

  855.     revision                      => $revision,

  856.     python_version                => 3,

  857.     zookeeper_hosts               => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  858.     zookeeper_session_timeout     => 40,

  859.     zuulv3                        => true,

  860.     connections                   => hiera('zuul_connections', []),

  861.     connection_secrets            => hiera('zuul_connection_secrets', []),

  862.     vhost_name                    => 'zuul.openstack.org',

  863.     zuul_status_url               => 'http://127.0.0.1:8001/openstack',

  864.     zuul_web_url                  => 'http://127.0.0.1:9000',

  865.     zuul_tenant_name              => 'openstack',

  866.     gearman_client_ssl_cert       => hiera('gearman_client_ssl_cert'),

  867.     gearman_client_ssl_key        => hiera('gearman_client_ssl_key'),

  868.     gearman_server_ssl_cert       => hiera('gearman_server_ssl_cert'),

  869.     gearman_server_ssl_key        => hiera('gearman_server_ssl_key'),

  870.     gearman_ssl_ca                => hiera('gearman_ssl_ca'),

  871.     proxy_ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),

  872.     proxy_ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),

  873.     proxy_ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),

  874.     statsd_host                   => 'graphite.opendev.org',

  875.     status_url                    => 'https://zuul.openstack.org',

  876.     relative_priority             => true,

  877.   }

  878. 

  879.   file { "/etc/zuul/github.key":

  880.     ensure  => present,

  881.     owner   => 'zuul',

  882.     group   => 'zuul',

  883.     mode    => '0600',

  884.     content => hiera('zuul_github_app_key'),

  885.     require => File['/etc/zuul'],

  886.   }

  887. 

  888.   class { '::zuul::scheduler':

  889.     layout_dir     => $::project_config::zuul_layout_dir,

  890.     require        => $::project_config::config_dir,

  891.     python_version => 3,

  892.     use_mysql      => true,

  893.   }

  894. 

  895.   class { '::zuul::web':

  896.     # We manage backups below

  897.     enable_status_backups => false,

  898.     vhosts => {

  899.       'zuul.openstack.org' => {

  900.         port       => 443,

  901.         docroot    => '/opt/zuul-web/content',

  902.         priority   => '50',

  903.         ssl        => true,

  904.         template   => 'zuul/zuulv3.vhost.erb',

  905.         vhost_name => 'zuul.openstack.org',

  906.       },

  907.       'zuul.opendev.org' => {

  908.         port       => 443,

  909.         docroot    => '/opt/zuul-web/content',

  910.         priority   => '40',

  911.         ssl        => true,

  912.         template   => 'zuul/zuulv3.vhost.erb',

  913.         vhost_name => 'zuul.opendev.org',

  914.       },

  915.       'zuul.openstack.org-http' => {

  916.         port       => 80,

  917.         docroot    => '/opt/zuul-web/content',

  918.         priority   => '50',

  919.         ssl        => false,

  920.         template   => 'zuul/zuulv3.vhost.erb',

  921.         vhost_name => 'zuul.openstack.org',

  922.       },

  923.       'zuul.opendev.org-http' => {

  924.         port       => 80,

  925.         docroot    => '/opt/zuul-web/content',

  926.         priority   => '40',

  927.         ssl        => false,

  928.         template   => 'zuul/zuulv3.vhost.erb',

  929.         vhost_name => 'zuul.opendev.org',

  930.       },

  931.     },

  932.     vhosts_flags => {

  933.       'zuul.openstack.org' => {

  934.         tenant_name => 'openstack',

  935.         ssl         => true,

  936.       },

  937.       'zuul.opendev.org' => {

  938.         tenant_name => '',

  939.         ssl         => true,

  940.       },

  941.       'zuul.openstack.org-http' => {

  942.         tenant_name => 'openstack',

  943.         ssl         => false,

  944.       },

  945.       'zuul.opendev.org-http' => {

  946.         tenant_name => '',

  947.         ssl         => false,

  948.       },

  949.     },

  950.     vhosts_ssl => {

  951.       'zuul.openstack.org' => {

  952.         ssl_cert_file_contents  => hiera('zuul_ssl_cert_file_contents'),

  953.         ssl_chain_file_contents => hiera('zuul_ssl_chain_file_contents'),

  954.         ssl_key_file_contents   => hiera('zuul_ssl_key_file_contents'),

  955.       },

  956.       'zuul.opendev.org' => {

  957.         ssl_cert_file_contents  => hiera('opendev_zuul_ssl_cert_file_contents'),

  958.         ssl_chain_file_contents => hiera('opendev_zuul_ssl_chain_file_contents'),

  959.         ssl_key_file_contents   => hiera('opendev_zuul_ssl_key_file_contents'),

  960.       },

  961.     },

  962.   }

  963. 

  964.   zuul::status_backups { 'openstack-zuul-tenant':

  965.     tenant_name => 'openstack',

  966.     ssl         => true,

  967.     status_uri  => 'https://zuul.opendev.org/api/tenant/openstack/status',

  968.   }

  969. 

  970.   zuul::status_backups { 'kata-zuul-tenant':

  971.     tenant_name => 'kata-containers',

  972.     ssl         => true,

  973.     status_uri  => 'https://zuul.opendev.org/api/tenant/kata-containers/status',

  974.   }

  975. 

  976.   class { '::zuul::fingergw': }

  977. 

  978.   class { '::zuul::known_hosts':

  979.     known_hosts_content => "[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ${gerrit_ssh_host_key}\n[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==\n",

  980.   }

  981. 

  982.   include bup

  983.   bup::site { 'rax.ord':

  984.     backup_user   => 'bup-zuulv3',

  985.     backup_server => 'backup01.ord.rax.ci.openstack.org',

  986.   }

  987. 

  988. }

  989. 

  990. # Node-OS: xenial

  991. node /^zm\d+.open.*\.org$/ {

  992.   $group = "zuul-merger"

  993. 

  994.   $gerrit_server        = 'review.opendev.org'

  995.   $gerrit_user          = 'zuul'

  996.   $gerrit_ssh_host_key  = hiera('gerrit_ssh_rsa_pubkey_contents')

  997.   $zuul_ssh_private_key = hiera('zuulv3_ssh_private_key_contents')

  998.   $zuul_url             = "http://${::fqdn}/p"

  999.   $git_email            = 'zuul@openstack.org'

  1000.   $git_name             = 'OpenStack Zuul'

  1001.   $revision             = 'master'

  1002. 

  1003.   class { 'openstack_project::server': }

  1004. 

  1005.   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one

  1006.   # settings.

  1007.   class { '::zuul':

  1008.     gearman_server          => 'zuul01.openstack.org',

  1009.     gerrit_server           => $gerrit_server,

  1010.     gerrit_user             => $gerrit_user,

  1011.     zuul_ssh_private_key    => $zuul_ssh_private_key,

  1012.     git_email               => $git_email,

  1013.     git_name                => $git_name,

  1014.     revision                => $revision,

  1015.     python_version          => 3,

  1016.     zookeeper_hosts         => 'zk01.openstack.org:2181,zk02.openstack.org:2181,zk03.openstack.org:2181',

  1017.     zuulv3                  => true,

  1018.     connections             => hiera('zuul_connections', []),

  1019.     gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),

  1020.     gearman_client_ssl_key  => hiera('gearman_client_ssl_key'),

  1021.     gearman_ssl_ca          => hiera('gearman_ssl_ca'),

  1022.     statsd_host             => 'graphite.opendev.org',

  1023.   }

  1024. 

  1025.   class { 'openstack_project::zuul_merger':

  1026.     gerrit_server        => $gerrit_server,

  1027.     gerrit_user          => $gerrit_user,

  1028.     gerrit_ssh_host_key  => $gerrit_ssh_host_key,

  1029.     zuul_ssh_private_key => $zuul_ssh_private_key,

  1030.     manage_common_zuul   => false,

  1031.   }

  1032. }

  1033. 

  1034. # Node-OS: xenial

  1035. node /^pbx\d*\.open.*\.org$/ {

  1036.   $group = "pbx"

  1037.   class { 'openstack_project::server': }

  1038.   class { 'openstack_project::pbx':

  1039.     sip_providers => [

  1040.       {

  1041.         provider => 'voipms',

  1042.         hostname => 'dallas.voip.ms',

  1043.         username => hiera('voipms_username', 'username'),

  1044.         password => hiera('voipms_password'),

  1045.         outgoing => false,

  1046.       },

  1047.     ],

  1048.   }

  1049. }

  1050. 

  1051. # Node-OS: xenial

  1052. # A backup machine.  Don't run cron or puppet agent on it.

  1053. node /^backup\d+\..*\.ci\.open.*\.org$/ {

  1054.   $group = "ci-backup"

  1055.   class { 'openstack_project::server': }

  1056.   include openstack_project::backup_server

  1057. }

  1058. 

  1059. # Node-OS: xenial

  1060. node /^openstackid\d*(\.openstack)?\.org$/ {

  1061.   $group = "openstackid"

  1062.   class { 'openstack_project::openstackid_prod':

  1063.     site_admin_password                 => hiera('openstackid_site_admin_password'),

  1064.     id_mysql_host                       => hiera('openstackid_id_mysql_host', 'localhost'),

  1065.     id_mysql_password                   => hiera('openstackid_id_mysql_password'),

  1066.     id_mysql_user                       => hiera('openstackid_id_mysql_user', 'username'),

  1067.     id_db_name                          => hiera('openstackid_id_db_name'),

  1068.     ss_mysql_host                       => hiera('openstackid_ss_mysql_host', 'localhost'),

  1069.     ss_mysql_password                   => hiera('openstackid_ss_mysql_password'),

  1070.     ss_mysql_user                       => hiera('openstackid_ss_mysql_user', 'username'),

  1071.     ss_db_name                          => hiera('openstackid_ss_db_name', 'username'),

  1072.     redis_password                      => hiera('openstackid_redis_password'),

  1073.     ssl_cert_file_contents              => hiera('openstackid_ssl_cert_file_contents'),

  1074.     ssl_key_file_contents               => hiera('openstackid_ssl_key_file_contents'),

  1075.     ssl_chain_file_contents             => hiera('openstackid_ssl_chain_file_contents'),

  1076.     id_recaptcha_public_key             => hiera('openstackid_recaptcha_public_key'),

  1077.     id_recaptcha_private_key            => hiera('openstackid_recaptcha_private_key'),

  1078.     vhost_name                          => 'openstackid.org',

  1079.     session_cookie_domain               => 'openstackid.org',

  1080.     serveradmin                         => 'webmaster@openstackid.org',

  1081.     canonicalweburl                     => 'https://openstackid.org/',

  1082.     app_url                             => 'https://openstackid.org',

  1083.     app_key                             => hiera('openstackid_app_key'),

  1084.     id_log_error_to_email               => 'openstack@tipit.net',

  1085.     id_log_error_from_email             => 'noreply@openstack.org',

  1086.     email_driver                        => 'sendgrid',

  1087.     email_send_grid_api_key             => hiera('openstackid_send_grid_api_key'),

  1088.     php_version                         => 7,

  1089.     mysql_ssl_enabled                   => true,

  1090.     mysql_ssl_ca_file_contents          => hiera('openstackid_mysql_ssl_ca_file_contents'),

  1091.     mysql_ssl_client_key_file_contents  => hiera('openstackid_mysql_ssl_client_key_file_contents'),

  1092.     mysql_ssl_client_cert_file_contents => hiera('openstackid_mysql_ssl_client_cert_file_contents'),

  1093.     lost_password_url                   => 'https://openstackid.org/lost-password',

  1094.     registration_url                    => 'https://openstackid.org/registration',

  1095.     registration_mobile_url             => 'https://openstackid.org/registration-mobile',

  1096.     resend_verification_url             => 'https://openstackid.org/resend-verification',

  1097.   }

  1098. }

  1099. 

  1100. # Node-OS: xenial

  1101. node /^openstackid-dev\d*\.openstack\.org$/ {

  1102.   $group = "openstackid-dev"

  1103.   class { 'openstack_project::openstackid_dev':

  1104.     site_admin_password                 => hiera('openstackid_dev_site_admin_password'),

  1105.     id_mysql_host                       => hiera('openstackid_dev_id_mysql_host', 'localhost'),

  1106.     id_mysql_password                   => hiera('openstackid_dev_id_mysql_password'),

  1107.     id_mysql_user                       => hiera('openstackid_dev_id_mysql_user', 'username'),

  1108.     ss_mysql_host                       => hiera('openstackid_dev_ss_mysql_host', 'localhost'),

  1109.     ss_mysql_password                   => hiera('openstackid_dev_ss_mysql_password'),

  1110.     ss_mysql_user                       => hiera('openstackid_dev_ss_mysql_user', 'username'),

  1111.     ss_db_name                          => hiera('openstackid_dev_ss_db_name', 'username'),

  1112.     redis_password                      => hiera('openstackid_dev_redis_password'),

  1113.     ssl_cert_file_contents              => hiera('openstackid_dev_ssl_cert_file_contents'),

  1114.     ssl_key_file_contents               => hiera('openstackid_dev_ssl_key_file_contents'),

  1115.     ssl_chain_file_contents             => hiera('openstackid_dev_ssl_chain_file_contents'),

  1116.     id_recaptcha_public_key             => hiera('openstackid_dev_recaptcha_public_key'),

  1117.     id_recaptcha_private_key            => hiera('openstackid_dev_recaptcha_private_key'),

  1118.     vhost_name                          => 'openstackid-dev.openstack.org',

  1119.     session_cookie_domain               => 'openstackid-dev.openstack.org',

  1120.     serveradmin                         => 'webmaster@openstackid-dev.openstack.org',

  1121.     canonicalweburl                     => 'https://openstackid-dev.openstack.org/',

  1122.     app_url                             => 'https://openstackid-dev.openstack.org',

  1123.     app_key                             => hiera('openstackid_dev_app_key'),

  1124.     id_log_error_to_email               => 'openstack@tipit.net',

  1125.     id_log_error_from_email             => 'noreply@openstack.org',

  1126.     email_driver                        => 'sendgrid',

  1127.     email_send_grid_api_key             => hiera('openstackid_dev_send_grid_api_key'),

  1128.     php_version                         => 7,

  1129.     mysql_ssl_enabled                   => true,

  1130.     mysql_ssl_ca_file_contents          => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),

  1131.     mysql_ssl_client_key_file_contents  => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),

  1132.     mysql_ssl_client_cert_file_contents => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),

  1133.     lost_password_url                   => 'https://openstackid-dev.openstack.org/lost-password',

  1134.     registration_url                    => 'https://openstackid-dev.openstack.org/registration',

  1135.     registration_mobile_url             => 'https://openstackid-dev.openstack.org/registration-mobile',

  1136.     resend_verification_url             => 'https://openstackid-dev.openstack.org/resend-verification',

  1137.   }

  1138. }

  1139. 

  1140. # Node-OS: trusty

  1141. # Used for testing all-in-one deployments

  1142. node 'single-node-ci.test.only' {

  1143.   include ::openstackci::single_node_ci

  1144. }

  1145. 

  1146. # Node-OS: xenial

  1147. node /^kdc03\.open.*\.org$/ {

  1148.   class { 'openstack_project::server': }

  1149. 

  1150.   class { 'openstack_project::kdc': }

  1151. }

  1152. 

  1153. # Node-OS: xenial

  1154. node /^kdc04\.open.*\.org$/ {

  1155.   class { 'openstack_project::server': }

  1156. 

  1157.   class { 'openstack_project::kdc':

  1158.     slave => true,

  1159.   }

  1160. }

  1161. 

  1162. # Node-OS: xenial

  1163. node /^afsdb01\.open.*\.org$/ {

  1164.   $group = "afsdb"

  1165. 

  1166.   class { 'openstack_project::server':

  1167.     afs                       => true,

  1168.   }

  1169. 

  1170.   include openstack_project::afsdb

  1171.   include openstack_project::afsrelease

  1172. }

  1173. 

  1174. # Node-OS: xenial

  1175. node /^afsdb.*\.open.*\.org$/ {

  1176.   $group = "afsdb"

  1177. 

  1178.   class { 'openstack_project::server':

  1179.     afs                       => true,

  1180.   }

  1181. 

  1182.   include openstack_project::afsdb

  1183. }

  1184. 

  1185. # Node-OS: xenial

  1186. node /^afs.*\..*\.open.*\.org$/ {

  1187.   $group = "afs"

  1188. 

  1189.   class { 'openstack_project::server':

  1190.     afs                       => true,

  1191.   }

  1192. 

  1193.   include openstack_project::afsfs

  1194. }

  1195. 

  1196. # Node-OS: trusty

  1197. node /^ask\d*\.open.*\.org$/ {

  1198. 

  1199.   class { 'openstack_project::server': }

  1200. 

  1201.   class { 'openstack_project::ask':

  1202.     db_user                      => hiera('ask_db_user', 'ask'),

  1203.     db_password                  => hiera('ask_db_password'),

  1204.     redis_password               => hiera('ask_redis_password'),

  1205.     site_ssl_cert_file_contents  => hiera('ask_site_ssl_cert_file_contents', undef),

  1206.     site_ssl_key_file_contents   => hiera('ask_site_ssl_key_file_contents', undef),

  1207.     site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),

  1208.   }

  1209. }

  1210. 

  1211. # Node-OS: trusty

  1212. node /^ask-staging\d*\.open.*\.org$/ {

  1213.   class { 'openstack_project::server': }

  1214. 

  1215.   class { 'openstack_project::ask_staging':

  1216.     db_password                  => hiera('ask_staging_db_password'),

  1217.     redis_password               => hiera('ask_staging_redis_password'),

  1218.   }

  1219. }

  1220. 

  1221. # Node-OS: xenial

  1222. node /^translate\d+\.open.*\.org$/ {

  1223.   $group = "translate"

  1224.   class { 'openstack_project::server': }

  1225.   class { 'openstack_project::translate':

  1226.     admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',

  1227.     openid_url                 => 'https://openstackid.org',

  1228.     listeners                  => ['ajp'],

  1229.     from_address               => 'noreply@openstack.org',

  1230.     mysql_host                 => hiera('translate_mysql_host', 'localhost'),

  1231.     mysql_password             => hiera('translate_mysql_password'),

  1232.     zanata_server_user         => hiera('proposal_zanata_user'),

  1233.     zanata_server_api_key      => hiera('proposal_zanata_api_key'),

  1234.     zanata_wildfly_version     => '10.1.0',

  1235.     zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',

  1236.     zanata_main_version        => 4,

  1237.     zanata_url                 => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',

  1238.     zanata_checksum            => 'eaf8bd07401dade758b677007d2358f173193d17',

  1239.     project_config_repo        => 'https://opendev.org/openstack/project-config',

  1240.     ssl_cert_file_contents     => hiera('translate_ssl_cert_file_contents'),

  1241.     ssl_key_file_contents      => hiera('translate_ssl_key_file_contents'),

  1242.     ssl_chain_file_contents    => hiera('translate_ssl_chain_file_contents'),

  1243.     vhost_name                 => 'translate.openstack.org',

  1244.   }

  1245. }

  1246. 

  1247. # Node-OS: xenial

  1248. node /^translate-dev\d*\.open.*\.org$/ {

  1249.   $group = "translate-dev"

  1250.   class { 'openstack_project::translate_dev':

  1251.     admin_users           => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',

  1252.     openid_url            => 'https://openstackid-dev.openstack.org',

  1253.     listeners             => ['ajp'],

  1254.     from_address          => 'noreply@openstack.org',

  1255.     mysql_host            => hiera('translate_dev_mysql_host', 'localhost'),

  1256.     mysql_password        => hiera('translate_dev_mysql_password'),

  1257.     zanata_server_user    => hiera('proposal_zanata_user'),

  1258.     zanata_server_api_key => hiera('proposal_zanata_api_key'),

  1259.     project_config_repo   => 'https://opendev.org/openstack/project-config',

  1260.     vhost_name            => 'translate-dev.openstack.org',

  1261.   }

  1262. }

  1263. 

  1264. 

  1265. # Node-OS: xenial

  1266. node /^codesearch\d*\.open.*\.org$/ {

  1267.   $group = "codesearch"

  1268.   class { 'openstack_project::server': }

  1269.   class { 'openstack_project::codesearch':

  1270.     project_config_repo => 'https://opendev.org/openstack/project-config',

  1271.   }

  1272. }

  1273. 

  1274. # vim:sw=2:ts=2:expandtab:textwidth=79