boost-proxy: new role, extracted from internal use, to make a Boost server
parent
54dca82838
commit
f8715078f6
|
@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
|
* boost-proxy: new role, extracted from internal use, to make a Boost server
|
||||||
* evolinux-base: replace regular kernel by cloud kernel on virtual servers
|
* evolinux-base: replace regular kernel by cloud kernel on virtual servers
|
||||||
* nagios-nrpe: check_haproxy_stats supports DRAIN status
|
* nagios-nrpe: check_haproxy_stats supports DRAIN status
|
||||||
* lxc-php: set php-fpm umask to 007
|
* lxc-php: set php-fpm umask to 007
|
||||||
|
|
17
boost-proxy/defaults/main.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
boost_sysctl_config: []
|
||||||
|
boost_sysctl_file_path: /etc/sysctl.d/boost.conf
|
||||||
|
boost_allow_root_ssh_between_servers: False
|
||||||
|
|
||||||
|
boost_sites_enabled: []
|
||||||
|
boost_sites_enabled_for_all: []
|
||||||
|
boost_sites_enabled_for_group: []
|
||||||
|
boost_sites_enabled_for_host: []
|
||||||
|
|
||||||
|
other_servers_from_group_ips: []
|
||||||
|
|
||||||
|
boost_validate_haproxy: True
|
||||||
|
boost_validate_varnish: True
|
||||||
|
|
||||||
|
boost_haproxy_check_url: "/haproxycheck"
|
||||||
|
boost_varnish_check_url: "/varnishcheck"
|
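Review bot: The booleans `boost_allow_root_ssh_between_servers: False`, `boost_validate_haproxy: True` and `boost_validate_varnish: True` use the capitalised YAML 1.1 spellings; yamllint's truthy rule flags them and the lowercase `true`/`false` form is what the rest of the role mixes in, so one spelling should win. The file documents none of its variables: `boost_sysctl_config` is consumed in sysctl.yml as `item.key`/`item.value`, so a comment such as `# list of {key: <sysctl name>, value: <value>} entries written to boost_sysctl_file_path` would save a reader a trip through the tasks, and `boost_sites_enabled` deserves a note that main.yml overwrites it with the union of the `_for_all`/`_for_group`/`_for_host` lists. `other_servers_from_group_ips` is the only input without the `boost_` prefix, which makes it read as a global rather than a role variable.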
6
boost-proxy/handlers/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: reload sshd
|
||||||
|
service:
|
||||||
|
name: ssh
|
||||||
|
state: reloaded
|
57
boost-proxy/tasks/haproxy.yml
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: URL for HAProxy admin page is on default page
|
||||||
|
lineinfile:
|
||||||
|
path: "/var/www/index.html"
|
||||||
|
line: ' <li><a href="{{ haproxy_stats_external_url }}">HAProxy</a></li>'
|
||||||
|
regexp: '>HAProxy<'
|
||||||
|
insertafter: ">Stats système<"
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
|
||||||
|
- name: HAproxy run directory in chroot
|
||||||
|
file:
|
||||||
|
dest: "/var/lib/haproxy/run"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
state: directory
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
|
||||||
|
- name: HAproxy errors directory is present
|
||||||
|
file:
|
||||||
|
dest: "/etc/haproxy/errors"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
state: directory
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
- name: Maintenance file is present
|
||||||
|
copy:
|
||||||
|
src: "templates/haproxy/maintenance.http"
|
||||||
|
dest: /etc/haproxy/errors/maintenance.http
|
||||||
|
mode: "0644"
|
||||||
|
notify: reload haproxy
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
- name: 2048 bits DHparam file is present
|
||||||
|
get_url:
|
||||||
|
url: https://ssl-config.mozilla.org/ffdhe2048.txt
|
||||||
|
dest: /etc/ssl/dhparam-haproxy
|
||||||
|
mode: '0600'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
force: no
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
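Review bot: The `get_url` task fetching `https://ssl-config.mozilla.org/ffdhe2048.txt` into `/etc/ssl/dhparam-haproxy` sets no `checksum`, so a transport or upstream problem would install whatever body came back as the DH group, and `force: no` then keeps that file indefinitely. The ffdhe2048 group is a fixed published value, so pinning it is cheap: `checksum: "sha256:<FFDHE2048_SHA256_PLACEHOLDER>"`, computed once from a known-good copy. `force: no` should also become `force: false` to match the `true`/`false` spelling used elsewhere in the role. The `file` tasks pass `dest:` where `path:` is the documented parameter name; `dest` is only an alias.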
48
boost-proxy/tasks/main.yml
Normal file
|
@ -0,0 +1,48 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
#######################
|
||||||
|
# System configuration
|
||||||
|
#######################
|
||||||
|
|
||||||
|
# Merge variables from group_vars and host_vars
|
||||||
|
- set_fact:
|
||||||
|
boost_sites_enabled: "{{ boost_sites_enabled_for_all | union(boost_sites_enabled_for_group) | union(boost_sites_enabled_for_host) | unique }}"
|
||||||
|
tags: always
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: boost_sites_enabled
|
||||||
|
tags: always
|
||||||
|
|
||||||
|
- include: haproxy.yml
|
||||||
|
|
||||||
|
- include: sshd.yml
|
||||||
|
|
||||||
|
- include: sysctl.yml
|
||||||
|
|
||||||
|
######################
|
||||||
|
# Sites configuration
|
||||||
|
######################
|
||||||
|
|
||||||
|
- include_tasks: sites.yml
|
||||||
|
|
||||||
|
#################
|
||||||
|
# external roles
|
||||||
|
#################
|
||||||
|
|
||||||
|
- import_role:
|
||||||
|
name: haproxy
|
||||||
|
|
||||||
|
- import_role:
|
||||||
|
name: varnish
|
||||||
|
|
||||||
|
- import_role:
|
||||||
|
name: nginx
|
||||||
|
|
||||||
|
- import_role:
|
||||||
|
name: certbot
|
||||||
|
|
||||||
|
##############
|
||||||
|
# validations
|
||||||
|
##############
|
||||||
|
|
||||||
|
- include_tasks: validate.yml
|
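Review bot: The file mixes the deprecated `- include:` (haproxy.yml, sshd.yml, sysctl.yml) with `- include_tasks:` (sites.yml, validate.yml), and the dynamic includes carry no tags, so as far as I can tell a run limited with `--tags haproxy` or `--tags config` skips the include task itself and never reaches the tagged tasks inside sites.yml; the validation tasks tagged `always` are likewise unreachable because their include is filtered out first. Switching all five to `- import_tasks:` makes the inner tags apply the way the tagging suggests the authors intend, or alternatively each include needs `tags: always`. The `set_fact` and `debug` tasks have no `name:`, which makes the play output harder to follow. The trailing `| unique` after two `union` filters is redundant, since `union` already deduplicates.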
172
boost-proxy/tasks/sites.yml
Normal file
|
@ -0,0 +1,172 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
# HAProxy
|
||||||
|
|
||||||
|
- name: Create sites parent directory
|
||||||
|
file:
|
||||||
|
dest: "/etc/haproxy/sites"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
state: directory
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
- name: Create sites directories
|
||||||
|
file:
|
||||||
|
dest: "/etc/haproxy/sites/{{ item }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
state: directory
|
||||||
|
loop: "{{ boost_sites_enabled }}"
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
- name: Copy maintenance page
|
||||||
|
template:
|
||||||
|
src: "{{ lookup('first_found', file) }}"
|
||||||
|
dest: "/etc/haproxy/sites/{{ site }}/maintenance.http"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
vars:
|
||||||
|
file:
|
||||||
|
- "templates/boost-sites/{{ site }}/haproxy/maintenance.http"
|
||||||
|
- "templates/haproxy/maintenance.http"
|
||||||
|
loop: "{{ boost_sites_enabled }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: site
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
- name: Copy 503 page
|
||||||
|
template:
|
||||||
|
src: "{{ lookup('first_found', file, errors='ignore') }}"
|
||||||
|
dest: "/etc/haproxy/sites/{{ site }}/503.http"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
vars:
|
||||||
|
file:
|
||||||
|
- "templates/boost-sites/{{ site }}/haproxy/503.http"
|
||||||
|
- "templates/haproxy/503.http"
|
||||||
|
loop: "{{ boost_sites_enabled }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: site
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
- name: Copy 502 page
|
||||||
|
template:
|
||||||
|
src: "{{ lookup('first_found', file, errors='ignore') }}"
|
||||||
|
dest: "/etc/haproxy/sites/{{ site }}/502.http"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
vars:
|
||||||
|
file:
|
||||||
|
- "templates/boost-sites/{{ site }}/haproxy/502.http"
|
||||||
|
- "templates/haproxy/503.http"
|
||||||
|
loop: "{{ boost_sites_enabled }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: site
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
- name: Copy 500 page
|
||||||
|
template:
|
||||||
|
src: "{{ lookup('first_found', file) }}"
|
||||||
|
dest: "/etc/haproxy/sites/{{ site }}/500.http"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
vars:
|
||||||
|
file:
|
||||||
|
- "templates/boost-sites/{{ site }}/haproxy/500.http"
|
||||||
|
- "templates/haproxy/500.http"
|
||||||
|
loop: "{{ boost_sites_enabled }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: site
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
- name: Copy 403 page
|
||||||
|
template:
|
||||||
|
src: "{{ lookup('first_found', file) }}"
|
||||||
|
dest: "/etc/haproxy/sites/{{ site }}/403.http"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
vars:
|
||||||
|
file:
|
||||||
|
- "templates/boost-sites/{{ site }}/haproxy/403.http"
|
||||||
|
- "templates/haproxy/403.http"
|
||||||
|
loop: "{{ boost_sites_enabled }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: site
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
- name: Copy 404 page
|
||||||
|
template:
|
||||||
|
src: "{{ lookup('first_found', file) }}"
|
||||||
|
dest: "/etc/haproxy/sites/{{ site }}/404.http"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
vars:
|
||||||
|
file:
|
||||||
|
- "templates/boost-sites/{{ site }}/haproxy/404.http"
|
||||||
|
- "templates/haproxy/404.http"
|
||||||
|
loop: "{{ boost_sites_enabled }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: site
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
# Varnish
|
||||||
|
|
||||||
|
- name: Create sites parent directory
|
||||||
|
file:
|
||||||
|
dest: "/etc/varnish/sites"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
state: directory
|
||||||
|
tags:
|
||||||
|
- varnish
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
- name: Copy sites custom VCL
|
||||||
|
template:
|
||||||
|
src: "templates/boost-sites/{{ site }}/varnish/default.vcl.j2"
|
||||||
|
dest: "/etc/varnish/sites/{{ site }}.vcl"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
loop: "{{ boost_sites_enabled }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: site
|
||||||
|
notify: reload varnish
|
||||||
|
tags:
|
||||||
|
- varnish
|
||||||
|
- config
|
||||||
|
- update-config
|
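Review bot: The fallback in the `Copy 502 page` task is wrong: its `file` list ends with `- "templates/haproxy/503.http"`, so a site without a custom 502 page silently gets the 503 body served as its 502; it should read `- "templates/haproxy/502.http"`. Only the 503 and 502 lookups pass `errors='ignore'`, which likely does not help since `template` then fails on an empty `src` anyway, while the 500/403/404 tasks fail in the lookup instead — pick one behaviour for all six. Two tasks share the name `Create sites parent directory` (HAProxy and Varnish); distinct names keep `--start-at-task` and the play output usable. None of the per-site HAProxy error pages notify `reload haproxy`, whereas the equivalent task in haproxy.yml does; if HAProxy reads its errorfiles only at startup, changed pages are not picked up until something else triggers a reload.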
27
boost-proxy/tasks/sshd.yml
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "root can connect over SSH from other servers"
|
||||||
|
blockinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
marker: "# {mark} ROOT AUTHORIZATION"
|
||||||
|
block: |
|
||||||
|
Match User root Address {{ other_servers_from_group_ips | join(',') }}
|
||||||
|
AllowGroups root
|
||||||
|
PubkeyAuthentication yes
|
||||||
|
PasswordAuthentication no
|
||||||
|
PermitRootLogin without-password
|
||||||
|
state: present
|
||||||
|
notify: reload sshd
|
||||||
|
when: (boost_allow_root_ssh_between_servers | bool) and (other_servers_from_group_ips | length > 0)
|
||||||
|
tags:
|
||||||
|
- ssh
|
||||||
|
|
||||||
|
- name: "root can connect over SSH from other servers"
|
||||||
|
blockinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
marker: "# {mark} ROOT AUTHORIZATION"
|
||||||
|
state: absent
|
||||||
|
notify: reload sshd
|
||||||
|
when: not (boost_allow_root_ssh_between_servers | bool) or (other_servers_from_group_ips | length <= 0)
|
||||||
|
tags:
|
||||||
|
- ssh
|
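Review bot: The `blockinfile` edit of `/etc/ssh/sshd_config` has no `validate`, so a malformed `Match` line (for instance an entry in `other_servers_from_group_ips` that is not a valid address pattern) is written and sshd is then reloaded against it; adding `validate: '/usr/sbin/sshd -t -f %s'` makes the task fail before the handler fires rather than after. Both tasks carry the same name `root can connect over SSH from other servers`; the `state: absent` one should be named for what it does, e.g. `root cannot connect over SSH from other servers`. `PermitRootLogin without-password` is the legacy spelling; OpenSSH has called it `prohibit-password` since 7.0 and still accepts the old token, so either works but the current name reads as intended. The two `when:` conditions are exact complements, which is good; `length <= 0` is simply `length == 0` for a list.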
12
boost-proxy/tasks/sysctl.yml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Boost optimization for sysctl
|
||||||
|
sysctl:
|
||||||
|
sysctl_file: "{{ boost_sysctl_file_path }}"
|
||||||
|
name: "{{ item.key }}"
|
||||||
|
value: "{{ item.value }}"
|
||||||
|
reload: yes
|
||||||
|
sysctl_set: yes
|
||||||
|
loop: "{{ boost_sysctl_config }}"
|
||||||
|
tags:
|
||||||
|
- sysctl
|
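Review bot: `reload: yes` and `sysctl_set: yes` use the yes/no spelling while the rest of the role writes `true`/`false` (and in places `True`/`False`); settle on lowercase `true`. The task relies on every element of `boost_sysctl_config` having `key` and `value` members, which nothing in the role states; a `loop_control:` with `label: "{{ item.key }}"` would both document that expectation and keep the play output to one token per entry instead of the full dict.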
24
boost-proxy/tasks/validate.yml
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
|
||||||
|
- name: check if HAProxy configuration is valid
|
||||||
|
shell:
|
||||||
|
cmd: "haproxy -c -f /etc/haproxy/haproxy.cfg"
|
||||||
|
changed_when: false
|
||||||
|
check_mode: no
|
||||||
|
register: haproxy_validate
|
||||||
|
when: boost_validate_haproxy
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
|
- name: check if Varnish configuration is valid
|
||||||
|
shell:
|
||||||
|
cmd: "sudo -u vcache TMPDIR={{ varnish_tmp_dir }} varnishd -C -f /etc/varnish/default.vcl > /dev/null"
|
||||||
|
args:
|
||||||
|
warn: False
|
||||||
|
changed_when: false
|
||||||
|
check_mode: no
|
||||||
|
register: varnish_validate
|
||||||
|
when: boost_validate_varnish
|
||||||
|
tags:
|
||||||
|
- always
|
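Review bot: `when: boost_validate_haproxy` and `when: boost_validate_varnish` test the raw variable, unlike sshd.yml which uses `| bool`; a value arriving as the string `"False"` from extra-vars or inventory is truthy and the check runs anyway, so `when: boost_validate_haproxy | bool` keeps the two files consistent. The HAProxy check needs no shell features and can be `command: haproxy -c -f /etc/haproxy/haproxy.cfg`; the Varnish one does need `shell` for its redirect, but `args: warn: False` has been removed from `shell`/`command` in newer ansible-core releases and will error there, so it is worth dropping. Boolean spellings (`false`, `no`, `False`) vary within a single task; use `false`. `varnish_tmp_dir` is not defined in this role's defaults, presumably coming from the varnish role imported in main.yml — a comment saying so would help.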