system-config/manifests/site.pp
Ian Wienand 2254b6e43d kerberos: switch servers to Ansible control
This is a follow-on to I60b40897486b29beafc76025790c501b5055313d to
switch the KDC servers to Ansible control and remove any related
puppet configuration.

Change-Id: Ib8f6ec657ca10a3ba648bd154a035fc3d8da4be5
2021-03-17 08:30:52 +11:00


# Node-OS: xenial
node /^health\d*\.openstack\.org$/ {
  # healthN.openstack.org: declares openstack_project::server and the
  # openstack-health API class.
  # $group is set at node scope; whatever consumes it is not visible here.
  $group = 'health'

  class { 'openstack_project::server': }

  class { 'openstack_project::openstack_health_api':
    # Second hiera() argument is the default: the API talks to a local
    # database when Hiera carries no subunit2sql_db_host.
    subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
    hostname            => 'health.openstack.org',
  }
}
# Node-OS: xenial
node /^cacti\d+\.open.*\.org$/ {
  # Cacti hosts. Note that `open.*\.org` accepts any name that continues with
  # "open" and ends in ".org", not only opendev.org / openstack.org, so the
  # set of names that can receive this catalog is wider than it looks.
  $group = 'cacti'

  # NOTE(ianw) 2020-05 : disabled pending removal, migrated to
  # ansible.
  # include openstack_project::ssl_cert_check

  class { 'openstack_project::cacti':
    # hiera_array() collects the monitored host list from Hiera.
    cacti_hosts => hiera_array('cacti_hosts'),
    vhost_name  => 'cacti.openstack.org',
  }
}
# Node-OS: xenial
node /^lists\d*\.open.*\.org$/ {
  # Mailing-list hosts: openstack_project::server plus the lists class.
  class { 'openstack_project::server': }

  class { 'openstack_project::lists':
    # Secret is read from Hiera. No default is supplied, so a missing key
    # aborts catalog compilation instead of deploying an empty password.
    listpassword => hiera('listpassword'),
  }
}
# Node-OS: xenial
node /^lists\d*\.katacontainers\.io$/ {
  # Kata Containers mailing-list hosts.
  class { 'openstack_project::server': }

  class { 'openstack_project::kata_lists':
    # NOTE(review): same Hiera key name ('listpassword') as the
    # lists*.open*.org node. Whether the two sites end up with distinct
    # passwords depends on the Hiera hierarchy -- confirm they do.
    listpassword => hiera('listpassword'),
  }
}
# Node-OS: xenial
node /^paste\d*\.open.*\.org$/ {
  # Paste service hosts.
  $group = 'paste'

  class { 'openstack_project::server': }

  class { 'openstack_project::paste':
    # Database credentials and host come from Hiera with no fallback, so a
    # missing key fails the compile rather than yielding a blank credential.
    db_password => hiera('paste_db_password'),
    db_host     => hiera('paste_db_host'),
    vhost_name  => 'paste.openstack.org',
  }
}
# Node-OS: xenial
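node /^planet\d*\.open.*\.org$/ {
  # Planet hosts.
  #
  # The pattern is anchored with ^ like every other node pattern in this
  # file. Without the anchor the regex matched any node name that merely
  # *ended* in planetN.open....org (for example "notplanet.openstack.org"),
  # so an unintended host could have been handed this catalog.
  class { 'openstack_project::planet': }
}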
# Node-OS: xenial
node /^ethercalc\d+\.open.*\.org$/ {
  # Ethercalc hosts.
  $group = 'ethercalc'

  class { 'openstack_project::server': }

  class { 'openstack_project::ethercalc':
    vhost_name              => 'ethercalc.openstack.org',
    # TLS certificate, private key and chain are supplied as file contents
    # from Hiera. The key names carry no service prefix, so which values are
    # returned presumably depends on per-host/per-group Hiera data -- verify.
    ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
    ssl_key_file_contents   => hiera('ssl_key_file_contents'),
    ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
  }
}
# Node-OS: xenial
node /^wiki\d+\.openstack\.org$/ {
  # Production wiki hosts (wikiN.openstack.org).
  $group = 'wiki'

  class { 'openstack_project::wiki':
    bup_user                  => 'bup-wiki',
    serveradmin               => hiera('infra_apache_serveradmin'),
    site_hostname             => 'wiki.openstack.org',

    # TLS material, passed as file contents from Hiera.
    ssl_cert_file_contents    => hiera('ssl_cert_file_contents'),
    ssl_key_file_contents     => hiera('ssl_key_file_contents'),
    ssl_chain_file_contents   => hiera('ssl_chain_file_contents'),

    # Database connection. Name and user are fixed here; server and password
    # are looked up, with no default, so a missing key fails the compile.
    wg_dbserver               => hiera('wg_dbserver'),
    wg_dbname                 => 'openstack_wiki',
    wg_dbuser                 => 'wikiuser',
    wg_dbpassword             => hiera('wg_dbpassword'),

    # Application secrets and third-party keys, all from Hiera.
    wg_secretkey              => hiera('wg_secretkey'),
    wg_upgradekey             => hiera('wg_upgradekey'),
    wg_recaptchasitekey       => hiera('wg_recaptchasitekey'),
    wg_recaptchasecretkey     => hiera('wg_recaptchasecretkey'),
    wg_googleanalyticsaccount => hiera('wg_googleanalyticsaccount'),
  }
}
# Node-OS: xenial
node /^wiki-dev\d+\.openstack\.org$/ {
  # Development wiki hosts (wiki-devN.openstack.org).
  $group = 'wiki-dev'

  class { 'openstack_project::wiki':
    serveradmin           => hiera('infra_apache_serveradmin'),
    site_hostname         => 'wiki-dev.openstack.org',

    # NOTE(review): database name, user and every Hiera key below are spelled
    # exactly as in the production wiki node. Whether dev receives different
    # secrets depends on the Hiera hierarchy -- confirm dev does not share the
    # production database password or secret key.
    wg_dbserver           => hiera('wg_dbserver'),
    wg_dbname             => 'openstack_wiki',
    wg_dbuser             => 'wikiuser',
    wg_dbpassword         => hiera('wg_dbpassword'),
    wg_secretkey          => hiera('wg_secretkey'),
    wg_upgradekey         => hiera('wg_upgradekey'),
    wg_recaptchasitekey   => hiera('wg_recaptchasitekey'),
    wg_recaptchasecretkey => hiera('wg_recaptchasecretkey'),

    # No ssl_* parameters are passed for the dev site.
    disallow_robots       => true,
  }
}
# Node-OS: xenial
node /^logstash\d*\.open.*\.org$/ {
  # Logstash front-end hosts.
  class { 'openstack_project::server': }

  class { 'openstack_project::logstash':
    # Elasticsearch endpoints given as host:port; no scheme or credentials
    # appear in this file.
    discover_nodes      => [
      'elasticsearch03.openstack.org:9200',
      'elasticsearch04.openstack.org:9200',
      'elasticsearch05.openstack.org:9200',
      'elasticsearch06.openstack.org:9200',
      'elasticsearch07.openstack.org:9200',
      'elasticsearch02.openstack.org:9200',
    ],
    # NOTE(review): both lookups default to the empty string, so a missing
    # Hiera key is passed on silently as a blank host/password instead of
    # failing the compile -- confirm the class treats '' as "disabled".
    subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
    subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
  }
}
# Node-OS: xenial
node /^logstash-worker\d+\.open.*\.org$/ {
  # Logstash worker hosts.
  $group = 'logstash-worker'

  # Not referenced again inside this node block; it may be read from node
  # scope by a class declared below -- check before removing.
  $elasticsearch_nodes = [
    'elasticsearch02.openstack.org',
    'elasticsearch03.openstack.org',
    'elasticsearch04.openstack.org',
    'elasticsearch05.openstack.org',
    'elasticsearch06.openstack.org',
    'elasticsearch07.openstack.org',
  ]

  class { 'openstack_project::server': }

  class { 'openstack_project::logstash_worker':
    discover_node         => 'elasticsearch03.openstack.org',
    # MQTT is switched off, yet the password and CA certificate are still
    # looked up and handed to the class; the lookups have no default, so the
    # keys must exist in Hiera even while the feature is disabled.
    enable_mqtt           => false,
    mqtt_password         => hiera('mqtt_service_user_password'),
    mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
  }
}
# Node-OS: xenial
node /^subunit-worker\d+\.open.*\.org$/ {
  # subunit2sql worker hosts.
  $group = 'subunit-worker'

  class { 'openstack_project::server': }

  class { 'openstack_project::subunit_worker':
    # NOTE(review): empty-string defaults mean a missing Hiera key yields a
    # blank database host/password rather than a compile error.
    subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),
    subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),
    # MQTT credentials have no default and therefore must be present.
    mqtt_pass             => hiera('mqtt_service_user_password'),
    mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
  }
}
# Node-OS: xenial
node /^elasticsearch\d+\.open.*\.org$/ {
  # Elasticsearch cluster members.
  $group = 'elasticsearch'

  # Cluster membership is a static list of host names kept in this manifest.
  $elasticsearch_nodes = [
    'elasticsearch02.openstack.org',
    'elasticsearch03.openstack.org',
    'elasticsearch04.openstack.org',
    'elasticsearch05.openstack.org',
    'elasticsearch06.openstack.org',
    'elasticsearch07.openstack.org',
  ]

  class { 'openstack_project::server': }

  class { 'openstack_project::elasticsearch_node':
    discover_nodes => $elasticsearch_nodes,
  }
}
# Node-OS: xenial
node /^firehose\d+\.open.*\.org$/ {
  # Firehose hosts: Gerrit, MQTT/TLS and IMAP settings for the firehose class.
  class { 'openstack_project::server': }

  class { 'openstack_project::firehose':
    # Gerrit SSH: the server's host key plus this service's own key pair.
    # The private key is read from Hiera and never appears in this file.
    gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
    gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),
    gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),

    # MQTT broker password and TLS CA / server certificate / server key.
    mqtt_password       => hiera('mqtt_service_user_password'),
    ca_file             => hiera('mosquitto_tls_ca_file'),
    cert_file           => hiera('mosquitto_tls_server_cert_file'),
    key_file            => hiera('mosquitto_tls_server_key_file'),

    # IMAP mailbox credentials.
    imap_hostname       => hiera('lpmqtt_imap_server'),
    imap_username       => hiera('lpmqtt_imap_username'),
    imap_password       => hiera('lpmqtt_imap_password'),

    statsd_host         => 'graphite.opendev.org',
  }
}
# Node-OS: trusty
# Node-OS: xenial
node /^refstack\d*\.open.*\.org$/ {
  # RefStack hosts: the refstack class plus a remote MySQL backup.
  class { 'openstack_project::server': }

  class { 'refstack':
    # Host, database and user fall back to fixed defaults; the password has
    # no default and must be present in Hiera.
    mysql_host          => hiera('refstack_mysql_host', 'localhost'),
    mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),
    mysql_user          => hiera('refstack_mysql_user', 'refstack'),
    mysql_user_password => hiera('refstack_mysql_password'),

    # Each TLS item is given as contents (from Hiera) plus the path it is
    # associated with; the key path is under /etc/ssl/private.
    ssl_cert_content    => hiera('refstack_ssl_cert_file_contents'),
    ssl_cert            => '/etc/ssl/certs/refstack.pem',
    ssl_key_content     => hiera('refstack_ssl_key_file_contents'),
    ssl_key             => '/etc/ssl/private/refstack.key',
    ssl_ca_content      => hiera('refstack_ssl_chain_file_contents'),
    ssl_ca              => '/etc/ssl/certs/refstack.ca.pem',
    protocol            => 'https',
  }

  # The backup uses the same Hiera keys as the application itself, i.e. it
  # connects with the application's own database account.
  mysql_backup::backup_remote { 'refstack':
    database_host     => hiera('refstack_mysql_host', 'localhost'),
    database_user     => hiera('refstack_mysql_user', 'refstack'),
    database_password => hiera('refstack_mysql_password'),
    # Applied only after the refstack class.
    require           => Class['::refstack'],
  }
}
# A machine to run Storyboard
# Node-OS: xenial
node /^storyboard\d+\.opendev\.org$/ {
  # Production StoryBoard hosts.
  $group = 'storyboard'

  class { 'openstack_project::storyboard':
    project_config_repo     => 'https://opendev.org/openstack/project-config',

    # Host and user names fall back to placeholders ('localhost',
    # 'username') when Hiera has no value; the passwords have no default.
    mysql_host              => hiera('storyboard_db_host', 'localhost'),
    mysql_user              => hiera('storyboard_db_user', 'username'),
    mysql_password          => hiera('storyboard_db_password'),
    rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),
    rabbitmq_password       => hiera('storyboard_rabbit_password'),

    # TLS certificate, key and chain: target paths here, contents from Hiera.
    ssl_cert                => '/etc/ssl/certs/storyboard.openstack.org.pem',
    ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),
    ssl_key                 => '/etc/ssl/private/storyboard.openstack.org.key',
    ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),
    ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),

    hostname                => 'storyboard.openstack.org',
    # OAuth clients and CORS origins are limited to the production site.
    valid_oauth_clients     => ['storyboard.openstack.org'],
    cors_allowed_origins    => ['https://storyboard.openstack.org'],
    sender_email_address    => 'storyboard@storyboard.openstack.org',
    default_url             => 'https://storyboard.openstack.org',
  }
}
# A machine to run Storyboard devel
# Node-OS: xenial
node /^storyboard-dev\d+\.opendev\.org$/ {
  # Development StoryBoard hosts.
  $group = 'storyboard-dev'

  class { 'openstack_project::storyboard::dev':
    project_config_repo  => 'https://opendev.org/openstack/project-config',

    # NOTE(review): these are the same Hiera key names the production
    # storyboard node uses. Confirm the hierarchy gives dev its own database
    # and RabbitMQ passwords.
    mysql_host           => hiera('storyboard_db_host', 'localhost'),
    mysql_user           => hiera('storyboard_db_user', 'username'),
    mysql_password       => hiera('storyboard_db_password'),
    rabbitmq_user        => hiera('storyboard_rabbit_user', 'username'),
    rabbitmq_password    => hiera('storyboard_rabbit_password'),

    hostname             => 'storyboard-dev.openstack.org',

    # NOTE(review): '^.*' looks like a match-everything pattern, which would
    # accept any OAuth client and any CORS origin. That is a dev-only
    # relaxation (production pins both to its own hostname); it must not be
    # copied to a production node, and dev should hold no real user data.
    valid_oauth_clients  => ['^.*',],
    cors_allowed_origins => ['^.*',],

    sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',
    default_url          => 'https://storyboard-dev.openstack.org',
  }
}
# A machine to serve various project status updates.
# Node-OS: xenial
node /^status\d*\.open.*\.org$/ {
  # Project status hosts.
  $group = 'status'

  class { 'openstack_project::server': }

  class { 'openstack_project::status':
    gerrit_host               => 'review.opendev.org',
    # Gerrit's SSH host key is supplied from Hiera alongside the host name.
    gerrit_ssh_host_key       => hiera('gerrit_ssh_rsa_pubkey_contents'),

    # Two separate SSH key pairs (reviewday, elastic-recheck). The private
    # halves are secrets and are only ever referenced by Hiera key.
    reviewday_ssh_public_key  => hiera('reviewday_rsa_pubkey_contents'),
    reviewday_ssh_private_key => hiera('reviewday_rsa_key_contents'),
    recheck_ssh_public_key    => hiera('elastic-recheck_gerrit_ssh_public_key'),
    recheck_ssh_private_key   => hiera('elastic-recheck_gerrit_ssh_private_key'),

    # IRC bot identity; the password has no default.
    recheck_bot_nick          => 'openstackrecheck',
    recheck_bot_passwd        => hiera('elastic-recheck_ircbot_password'),
  }
}
# Node-OS: xenial
node /^survey\d+\.open.*\.org$/ {
  # Survey hosts.
  $group = 'survey'

  class { 'openstack_project::server': }

  class { 'openstack_project::survey':
    vhost_name              => 'survey.openstack.org',
    auth_openid             => true,

    # TLS material from Hiera.
    ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
    ssl_key_file_contents   => hiera('ssl_key_file_contents'),
    ssl_chain_file_contents => hiera('ssl_chain_file_contents'),

    # Database and admin-account settings. The key names are generic
    # ('dbpassword', 'adminpass', ...); presumably they are scoped to this
    # host or group in the Hiera hierarchy -- verify no other node resolves
    # the same values.
    dbpassword              => hiera('dbpassword'),
    dbhost                  => hiera('dbhost'),
    adminuser               => hiera('adminuser'),
    adminpass               => hiera('adminpass'),
    adminmail               => hiera('adminmail'),
  }
}
# Node-OS: xenial
node /^nb\d+\.open.*\.org$/ {
  # Nodepool image-builder hosts.
  $group = 'nodepool'

  class { 'openstack_project::server': }
  include openstack_project

  class { '::openstackci::nodepool_builder':
    nodepool_ssh_public_key   => hiera('zuul_worker_ssh_public_key_contents'),
    vhost_name                => $::fqdn,
    enable_build_log_via_http => true,
    project_config_repo       => 'https://opendev.org/openstack/project-config',
    statsd_host               => 'graphite.opendev.org',
    upload_workers            => '16',
    # Follows a branch name rather than a fixed commit or tag.
    revision                  => 'master',
    python_version            => 3,
    zuulv3                    => true,
    # NOTE(review): these paths are named like the distribution's self-signed
    # "snakeoil" pair, which clients cannot validate. Confirm nothing served
    # from this vhost relies on the certificate for authenticity.
    ssl_cert_file             => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
    ssl_key_file              => '/etc/ssl/private/ssl-cert-snakeoil.key',
  }

  # Daily (20:00) `git gc` over every *.git directory in the DIB source
  # cache. Runs as the nodepool user with an explicit PATH; the command is a
  # fixed string, stdout is discarded, stderr is not redirected.
  cron { 'mirror_gitgc':
    user        => 'nodepool',
    hour        => '20',
    minute      => '0',
    command     => 'find /opt/dib_cache/source-repositories/ -type d -name "*.git" -exec git --git-dir="{}" gc \; >/dev/null',
    environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
    require     => Class['::openstackci::nodepool_builder'],
  }
}
# Node-OS: xenial
node /^pbx\d*\.open.*\.org$/ {
  # PBX hosts.
  $group = 'pbx'

  class { 'openstack_project::server': }

  class { 'openstack_project::pbx':
    # One SIP provider entry. The account name falls back to the placeholder
    # 'username'; the password has no default. `outgoing` is false for this
    # provider.
    sip_providers => [
      {
        provider => 'voipms',
        hostname => 'dallas.voip.ms',
        username => hiera('voipms_username', 'username'),
        password => hiera('voipms_password'),
        outgoing => false,
      },
    ],
  }
}
# Node-OS: xenial
node /^openstackid\d*(\.openstack)?\.org$/ {
  # Production OpenStackID (identity provider) hosts. Every secret below is
  # referenced by an openstackid_* Hiera key; none has a default, so a missing
  # secret fails the compile.
  $group = 'openstackid'

  class { 'openstack_project::openstackid_prod':
    site_admin_password                          => hiera('openstackid_site_admin_password'),

    # MySQL and Redis. Host and user have placeholder defaults.
    id_mysql_host                                => hiera('openstackid_id_mysql_host', 'localhost'),
    id_mysql_password                            => hiera('openstackid_id_mysql_password'),
    id_mysql_user                                => hiera('openstackid_id_mysql_user', 'username'),
    id_db_name                                   => hiera('openstackid_id_db_name'),
    redis_password                               => hiera('openstackid_redis_password'),

    # Web-facing TLS material and reCAPTCHA key pair.
    ssl_cert_file_contents                       => hiera('openstackid_ssl_cert_file_contents'),
    ssl_key_file_contents                        => hiera('openstackid_ssl_key_file_contents'),
    ssl_chain_file_contents                      => hiera('openstackid_ssl_chain_file_contents'),
    id_recaptcha_public_key                      => hiera('openstackid_recaptcha_public_key'),
    id_recaptcha_private_key                     => hiera('openstackid_recaptcha_private_key'),

    # Site identity.
    vhost_name                                   => 'openstackid.org',
    session_cookie_domain                        => 'openstackid.org',
    serveradmin                                  => 'webmaster@openstackid.org',
    canonicalweburl                              => 'https://openstackid.org/',
    app_url                                      => 'https://openstackid.org',
    app_key                                      => hiera('openstackid_app_key'),

    # NOTE(review): application errors are mailed to an address outside the
    # project's own domains -- confirm error mails cannot contain secrets or
    # personal data.
    id_log_error_to_email                        => 'openstack@tipit.net',
    id_log_error_from_email                      => 'noreply@openstack.org',
    email_driver                                 => 'sendgrid',
    email_send_grid_api_key                      => hiera('openstackid_send_grid_api_key'),
    php_version                                  => 7,

    # Database connection uses TLS with a CA and a client certificate/key.
    mysql_ssl_enabled                            => true,
    mysql_ssl_ca_file_contents                   => hiera('openstackid_mysql_ssl_ca_file_contents'),
    mysql_ssl_client_key_file_contents           => hiera('openstackid_mysql_ssl_client_key_file_contents'),
    mysql_ssl_client_cert_file_contents          => hiera('openstackid_mysql_ssl_client_cert_file_contents'),
    user_spam_processor_to                       => hiera('openstackid_user_spam_processor_to'),

    # Message broker, TLS enabled with CA and client certificate/key.
    message_broker_exchange_name                 => 'message-broker',
    message_broker_host                          => hiera('openstackid_message_broker_host'),
    message_broker_port                          => 5671,
    message_broker_vhost                         => 'databus',
    message_broker_login                         => hiera('openstackid_message_broker_login'),
    message_broker_password                      => hiera('openstackid_message_broker_password'),
    message_broker_ssl_enabled                   => true,
    message_broker_ssl_ca_file_contents          => hiera('openstackid_message_broker_ssl_ca_file_contents'),
    message_broker_ssl_client_cert_file_contents => hiera('openstackid_message_broker_ssl_client_cert_file_contents'),
    message_broker_ssl_client_key_file_contents  => hiera('openstackid_message_broker_ssl_client_key_file_contents'),
    message_broker_enabled                       => true,

    # Object storage, authenticated with an application credential.
    cloud_storage_base_url                       => hiera('openstackid_cloud_storage_base_url'),
    cloud_storage_auth_url                       => 'https://auth.vexxhost.net/v3',
    cloud_storage_app_credential_id              => hiera('openstackid_cloud_storage_app_credential_id'),
    cloud_storage_app_credential_secret          => hiera('openstackid_cloud_storage_app_credential_secret'),
    cloud_storage_project_name                   => hiera('openstackid_cloud_storage_project_name'),
    cloud_storage_region                         => 'ca-ymq-1',
    cloud_storage_container                      => 'idp-osf',
  }
}
# Node-OS: xenial
node /^openstackid-dev\d*\.openstack\.org$/ {
  # Development OpenStackID hosts. Secrets use openstackid_dev_* Hiera keys,
  # i.e. key names distinct from the production node's.
  $group = 'openstackid-dev'

  class { 'openstack_project::openstackid_dev':
    site_admin_password                          => hiera('openstackid_dev_site_admin_password'),

    # MySQL and Redis. Host and user have placeholder defaults.
    id_mysql_host                                => hiera('openstackid_dev_id_mysql_host', 'localhost'),
    id_mysql_password                            => hiera('openstackid_dev_id_mysql_password'),
    id_mysql_user                                => hiera('openstackid_dev_id_mysql_user', 'username'),
    redis_password                               => hiera('openstackid_dev_redis_password'),

    # Web-facing TLS material and reCAPTCHA key pair.
    ssl_cert_file_contents                       => hiera('openstackid_dev_ssl_cert_file_contents'),
    ssl_key_file_contents                        => hiera('openstackid_dev_ssl_key_file_contents'),
    ssl_chain_file_contents                      => hiera('openstackid_dev_ssl_chain_file_contents'),
    id_recaptcha_public_key                      => hiera('openstackid_dev_recaptcha_public_key'),
    id_recaptcha_private_key                     => hiera('openstackid_dev_recaptcha_private_key'),

    # Site identity.
    vhost_name                                   => 'openstackid-dev.openstack.org',
    session_cookie_domain                        => 'openstackid-dev.openstack.org',
    serveradmin                                  => 'webmaster@openstackid-dev.openstack.org',
    canonicalweburl                              => 'https://openstackid-dev.openstack.org/',
    app_url                                      => 'https://openstackid-dev.openstack.org',
    app_key                                      => hiera('openstackid_dev_app_key'),

    # Error mail goes to an address outside the project's own domains.
    id_log_error_to_email                        => 'openstack@tipit.net',
    id_log_error_from_email                      => 'noreply@openstack.org',
    email_driver                                 => 'sendgrid',
    email_send_grid_api_key                      => hiera('openstackid_dev_send_grid_api_key'),
    php_version                                  => 7,

    # Database connection uses TLS with a CA and a client certificate/key.
    mysql_ssl_enabled                            => true,
    mysql_ssl_ca_file_contents                   => hiera('openstackid_dev_mysql_ssl_ca_file_contents'),
    mysql_ssl_client_key_file_contents           => hiera('openstackid_dev_mysql_ssl_client_key_file_contents'),
    mysql_ssl_client_cert_file_contents          => hiera('openstackid_dev_mysql_ssl_client_cert_file_contents'),
    user_spam_processor_to                       => hiera('openstackid_dev_user_spam_processor_to'),

    # Message broker, TLS enabled with CA and client certificate/key.
    message_broker_exchange_name                 => 'message-broker',
    message_broker_host                          => hiera('openstackid_dev_message_broker_host'),
    message_broker_port                          => 5671,
    message_broker_vhost                         => 'databus',
    message_broker_login                         => hiera('openstackid_dev_message_broker_login'),
    message_broker_password                      => hiera('openstackid_dev_message_broker_password'),
    message_broker_ssl_enabled                   => true,
    message_broker_ssl_ca_file_contents          => hiera('openstackid_dev_message_broker_ssl_ca_file_contents'),
    message_broker_ssl_client_cert_file_contents => hiera('openstackid_dev_message_broker_ssl_client_cert_file_contents'),
    message_broker_ssl_client_key_file_contents  => hiera('openstackid_dev_message_broker_ssl_client_key_file_contents'),
    message_broker_enabled                       => true,

    # NOTE(review): region and container name ('idp-osf') are the same
    # literals the production node uses. Project and credentials come from
    # dev-specific Hiera keys; confirm dev cannot write into the production
    # container.
    cloud_storage_base_url                       => hiera('openstackid_dev_cloud_storage_base_url'),
    cloud_storage_auth_url                       => 'https://auth.vexxhost.net/v3',
    cloud_storage_app_credential_id              => hiera('openstackid_dev_cloud_storage_app_credential_id'),
    cloud_storage_app_credential_secret          => hiera('openstackid_dev_cloud_storage_app_credential_secret'),
    cloud_storage_project_name                   => hiera('openstackid_dev_cloud_storage_project_name'),
    cloud_storage_region                         => 'ca-ymq-1',
    cloud_storage_container                      => 'idp-osf',
  }
}
# Node-OS: xenial
node /^ask\d*\.open.*\.org$/ {
  # Ask (Q&A site) hosts.
  class { 'openstack_project::server': }

  class { 'openstack_project::ask':
    db_user                      => hiera('ask_db_user', 'ask'),
    # Database and Redis passwords have no default.
    db_password                  => hiera('ask_db_password'),
    redis_password               => hiera('ask_redis_password'),
    # TLS material is optional here: each lookup defaults to undef, so the
    # catalog compiles without a certificate. How the class behaves in that
    # case is not visible in this file -- verify it does not serve plain HTTP
    # unintentionally.
    site_ssl_cert_file_contents  => hiera('ask_site_ssl_cert_file_contents', undef),
    site_ssl_key_file_contents   => hiera('ask_site_ssl_key_file_contents', undef),
    site_ssl_chain_file_contents => hiera('ask_site_ssl_chain_file_contents', undef),
  }
}
# Node-OS: xenial
node /^ask-staging\d*\.open.*\.org$/ {
  # Ask staging hosts. Staging has its own ask_staging_* Hiera keys, separate
  # from the production node's key names.
  class { 'openstack_project::server': }

  class { 'openstack_project::ask_staging':
    db_password    => hiera('ask_staging_db_password'),
    redis_password => hiera('ask_staging_redis_password'),
  }
}
# Node-OS: xenial
node /^translate\d+\.open.*\.org$/ {
  # Production translation (Zanata) hosts.
  $group = 'translate'

  class { 'openstack_project::server': }

  class { 'openstack_project::translate':
    # Administrators are a fixed, comma-separated list kept in this manifest;
    # changes to who is an admin go through review of this file.
    admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
    openid_url                 => 'https://openstackid.org',
    # NOTE(review): only an AJP listener is enabled. AJP has no
    # authentication of its own -- confirm it is reachable only by the
    # front-end web server.
    listeners                  => ['ajp'],
    from_address               => 'noreply@openstack.org',

    mysql_host                 => hiera('translate_mysql_host', 'localhost'),
    mysql_password             => hiera('translate_mysql_password'),
    zanata_server_user         => hiera('proposal_zanata_user'),
    zanata_server_api_key      => hiera('proposal_zanata_api_key'),

    # Software is fetched over HTTPS from pinned, versioned URLs. Only the
    # Zanata archive has a checksum parameter here (40 hex digits, i.e. SHA-1
    # length); no checksum is passed for the WildFly tarball.
    zanata_wildfly_version     => '10.1.0',
    zanata_wildfly_install_url => 'https://repo1.maven.org/maven2/org/wildfly/wildfly-dist/10.1.0.Final/wildfly-dist-10.1.0.Final.tar.gz',
    zanata_main_version        => 4,
    zanata_url                 => 'https://github.com/zanata/zanata-platform/releases/download/platform-4.3.3/zanata-4.3.3-wildfly.zip',
    zanata_checksum            => 'eaf8bd07401dade758b677007d2358f173193d17',

    project_config_repo        => 'https://opendev.org/openstack/project-config',

    # TLS material from Hiera.
    ssl_cert_file_contents     => hiera('translate_ssl_cert_file_contents'),
    ssl_key_file_contents      => hiera('translate_ssl_key_file_contents'),
    ssl_chain_file_contents    => hiera('translate_ssl_chain_file_contents'),
    vhost_name                 => 'translate.openstack.org',
  }
}
# Node-OS: xenial
node /^translate-dev\d*\.open.*\.org$/ {
  # Development translation (Zanata) hosts.
  $group = 'translate-dev'

  class { 'openstack_project::translate_dev':
    # The admin list differs from production: it additionally names 'eumel'.
    admin_users           => 'aeng,cboylan,eumel,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
    # Authenticates against the dev identity provider.
    openid_url            => 'https://openstackid-dev.openstack.org',
    listeners             => ['ajp'],
    from_address          => 'noreply@openstack.org',

    # Dev has its own database keys (translate_dev_*).
    mysql_host            => hiera('translate_dev_mysql_host', 'localhost'),
    mysql_password        => hiera('translate_dev_mysql_password'),

    # NOTE(review): the Zanata user and API key use the same Hiera key names
    # as the production translate node -- confirm dev is not handed the
    # production API key.
    zanata_server_user    => hiera('proposal_zanata_user'),
    zanata_server_api_key => hiera('proposal_zanata_api_key'),

    project_config_repo   => 'https://opendev.org/openstack/project-config',
    # No ssl_* parameters are passed for the dev site.
    vhost_name            => 'translate-dev.openstack.org',
  }
}
# vim:sw=2:ts=2:expandtab:textwidth=79