boost-proxy: new role, extracted from internal use, to make a Boost server
This commit is contained in:
parent
54dca82838
commit
f8715078f6
|
@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Added
|
||||
|
||||
* boost-proxy: new role, extracted from internal use, to make a Boost server
|
||||
* evolinux-base: replace regular kernel by cloud kernel on virtual servers
|
||||
* nagios-nrpe: check_haproxy_stats supports DRAIN status
|
||||
* lxc-php: set php-fpm umask to 007
|
||||
|
|
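--- a/boost-proxy/defaults/main.yml
+++ b/boost-proxy/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+boost_sysctl_config: []
+boost_sysctl_file_path: /etc/sysctl.d/boost.conf
+boost_allow_root_ssh_between_servers: False
+
+boost_sites_enabled: []
+boost_sites_enabled_for_all: []
+boost_sites_enabled_for_group: []
+boost_sites_enabled_for_host: []
+
+other_servers_from_group_ips: []
+
+boost_validate_haproxy: True
+boost_validate_varnish: True
+
+boost_haproxy_check_url: "/haproxycheck"
+boost_varnish_check_url: "/varnishcheck"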
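Review bot: `boost_allow_root_ssh_between_servers: False`, `boost_validate_haproxy: True` and `boost_validate_varnish: True` use capitalised YAML 1.1 booleans; sshd.yml reads the first through `| bool` but validate.yml tests the other two directly, so the canonical lowercase `false`/`true` is the safer spelling and is what yamllint's truthy rule expects. `boost_sites_enabled: []` appears to be unconditionally replaced by the `set_fact` in tasks/main.yml, so a value set for it in inventory would be discarded; a comment such as `# computed in tasks/main.yml from the _for_all/_for_group/_for_host lists, do not set directly` would make that explicit. A short comment on the expected shape of `boost_sysctl_config` (a list of `{key, value}` mappings, judging by tasks/sysctl.yml) would also help callers.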
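--- a/boost-proxy/handlers/main.yml
+++ b/boost-proxy/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: reload sshd
+service:
+name: ssh
+state: reloaded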
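--- a/boost-proxy/tasks/haproxy.yml
+++ b/boost-proxy/tasks/haproxy.yml
@@ -0,0 +1,57 @@
+---
+
+- name: URL for HAProxy admin page is on default page
+lineinfile:
+path: "/var/www/index.html"
+line: ' <li><a href="{{ haproxy_stats_external_url }}">HAProxy</a></li>'
+regexp: '>HAProxy<'
+insertafter: ">Stats système<"
+tags:
+- haproxy
+- config
+
+- name: HAproxy run directory in chroot
+file:
+dest: "/var/lib/haproxy/run"
+owner: root
+group: root
+mode: "0755"
+state: directory
+tags:
+- haproxy
+- config
+
+- name: HAproxy errors directory is present
+file:
+dest: "/etc/haproxy/errors"
+owner: root
+group: root
+mode: "0755"
+state: directory
+tags:
+- haproxy
+- config
+- update-config
+
+- name: Maintenance file is present
+copy:
+src: "templates/haproxy/maintenance.http"
+dest: /etc/haproxy/errors/maintenance.http
+mode: "0644"
+notify: reload haproxy
+tags:
+- haproxy
+- config
+- update-config
+
+- name: 2048 bits DHparam file is present
+get_url:
+url: https://ssl-config.mozilla.org/ffdhe2048.txt
+dest: /etc/ssl/dhparam-haproxy
+mode: '0600'
+owner: root
+group: root
+force: no
+tags:
+- haproxy
+- config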
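Review bot: The `get_url` task "2048 bits DHparam file is present" downloads the DH group from ssl-config.mozilla.org at deploy time with no `checksum:`, so any altered or unexpected response (a redirect page, a truncated body) is written to `/etc/ssl/dhparam-haproxy` and, because of `force: no`, never corrected afterwards. The ffdhe2048 group is a fixed RFC 7919 constant, so pinning it is safe: add `checksum: "sha256:<expected digest of ffdhe2048.txt>"` to the task, or ship the file inside the role and use `copy:` like the maintenance page above, which also removes the network dependency from the deploy. While there, `force: no` should be `force: false`, and the `'0600'` / `"0755"` quoting could be made consistent with the other tasks in the file.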
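--- a/boost-proxy/tasks/main.yml
+++ b/boost-proxy/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+
+#######################
+# System configuration
+#######################
+
+# Merge variables from group_vars and host_vars
+- set_fact:
+boost_sites_enabled: "{{ boost_sites_enabled_for_all | union(boost_sites_enabled_for_group) | union(boost_sites_enabled_for_host) | unique }}"
+tags: always
+
+- debug:
+var: boost_sites_enabled
+tags: always
+
+- include: haproxy.yml
+
+- include: sshd.yml
+
+- include: sysctl.yml
+
+######################
+# Sites configuration
+######################
+
+- include_tasks: sites.yml
+
+#################
+# external roles
+#################
+
+- import_role:
+name: haproxy
+
+- import_role:
+name: varnish
+
+- import_role:
+name: nginx
+
+- import_role:
+name: certbot
+
+##############
+# validations
+##############
+
+- include_tasks: validate.yml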
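Review bot: The three `- include: haproxy.yml`, `- include: sshd.yml` and `- include: sysctl.yml` entries use the `include` action, deprecated since Ansible 2.4 and removed from recent ansible-core, while the same file already uses `include_tasks:` for sites.yml and validate.yml. The replacement should be `- import_tasks: haproxy.yml` (and likewise for the other two) rather than `include_tasks`: with a dynamic include, `--tags haproxy` skips the untagged include statement itself, so the `haproxy`/`config` tags inside those files would never be reached, whereas `import_tasks` exposes them statically. The `set_fact` and `debug` tasks have no `name:`; `- name: Merge site lists from group_vars and host_vars` would replace the bare comment above them.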
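--- a/boost-proxy/tasks/sites.yml
+++ b/boost-proxy/tasks/sites.yml
@@ -0,0 +1,172 @@
+---
+
+# HAProxy
+
+- name: Create sites parent directory
+file:
+dest: "/etc/haproxy/sites"
+owner: root
+group: root
+mode: "0755"
+state: directory
+tags:
+- haproxy
+- config
+- update-config
+
+- name: Create sites directories
+file:
+dest: "/etc/haproxy/sites/{{ item }}"
+owner: root
+group: root
+mode: "0755"
+state: directory
+loop: "{{ boost_sites_enabled }}"
+tags:
+- haproxy
+- config
+- update-config
+
+- name: Copy maintenance page
+template:
+src: "{{ lookup('first_found', file) }}"
+dest: "/etc/haproxy/sites/{{ site }}/maintenance.http"
+owner: root
+group: root
+mode: "0644"
+vars:
+file:
+- "templates/boost-sites/{{ site }}/haproxy/maintenance.http"
+- "templates/haproxy/maintenance.http"
+loop: "{{ boost_sites_enabled }}"
+loop_control:
+loop_var: site
+tags:
+- haproxy
+- config
+- update-config
+
+- name: Copy 503 page
+template:
+src: "{{ lookup('first_found', file, errors='ignore') }}"
+dest: "/etc/haproxy/sites/{{ site }}/503.http"
+owner: root
+group: root
+mode: "0644"
+vars:
+file:
+- "templates/boost-sites/{{ site }}/haproxy/503.http"
+- "templates/haproxy/503.http"
+loop: "{{ boost_sites_enabled }}"
+loop_control:
+loop_var: site
+tags:
+- haproxy
+- config
+- update-config
+
+- name: Copy 502 page
+template:
+src: "{{ lookup('first_found', file, errors='ignore') }}"
+dest: "/etc/haproxy/sites/{{ site }}/502.http"
+owner: root
+group: root
+mode: "0644"
+vars:
+file:
+- "templates/boost-sites/{{ site }}/haproxy/502.http"
+- "templates/haproxy/503.http"
+loop: "{{ boost_sites_enabled }}"
+loop_control:
+loop_var: site
+tags:
+- haproxy
+- config
+- update-config
+
+- name: Copy 500 page
+template:
+src: "{{ lookup('first_found', file) }}"
+dest: "/etc/haproxy/sites/{{ site }}/500.http"
+owner: root
+group: root
+mode: "0644"
+vars:
+file:
+- "templates/boost-sites/{{ site }}/haproxy/500.http"
+- "templates/haproxy/500.http"
+loop: "{{ boost_sites_enabled }}"
+loop_control:
+loop_var: site
+tags:
+- haproxy
+- config
+- update-config
+
+- name: Copy 403 page
+template:
+src: "{{ lookup('first_found', file) }}"
+dest: "/etc/haproxy/sites/{{ site }}/403.http"
+owner: root
+group: root
+mode: "0644"
+vars:
+file:
+- "templates/boost-sites/{{ site }}/haproxy/403.http"
+- "templates/haproxy/403.http"
+loop: "{{ boost_sites_enabled }}"
+loop_control:
+loop_var: site
+tags:
+- haproxy
+- config
+- update-config
+
+- name: Copy 404 page
+template:
+src: "{{ lookup('first_found', file) }}"
+dest: "/etc/haproxy/sites/{{ site }}/404.http"
+owner: root
+group: root
+mode: "0644"
+vars:
+file:
+- "templates/boost-sites/{{ site }}/haproxy/404.http"
+- "templates/haproxy/404.http"
+loop: "{{ boost_sites_enabled }}"
+loop_control:
+loop_var: site
+tags:
+- haproxy
+- config
+- update-config
+
+# Varnish
+
+- name: Create sites parent directory
+file:
+dest: "/etc/varnish/sites"
+owner: root
+group: root
+mode: "0755"
+state: directory
+tags:
+- varnish
+- config
+- update-config
+
+- name: Copy sites custom VCL
+template:
+src: "templates/boost-sites/{{ site }}/varnish/default.vcl.j2"
+dest: "/etc/varnish/sites/{{ site }}.vcl"
+owner: root
+group: root
+mode: "0644"
+loop: "{{ boost_sites_enabled }}"
+loop_control:
+loop_var: site
+notify: reload varnish
+tags:
+- varnish
+- config
+- update-config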
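Review bot: In "Copy 502 page" the fallback candidate of the `first_found` lookup is `templates/haproxy/503.http`, so every site without its own 502 template gets the 503 body installed as `502.http`; it should read `- "templates/haproxy/502.http"`. Note that the 503 and 502 tasks pass `errors='ignore'` while the maintenance/500/403/404 tasks do not — if no role-level 502 template exists, the lookup then yields an empty `src` and the `template` task fails on that instead, so confirm which template set the role is meant to ship. The two "Create sites parent directory" tasks (HAProxy and Varnish) share one name, which makes `--start-at-task` and log reading ambiguous; rename the second to `Create Varnish sites parent directory`.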
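--- a/boost-proxy/tasks/sshd.yml
+++ b/boost-proxy/tasks/sshd.yml
@@ -0,0 +1,27 @@
+---
+
+- name: "root can connect over SSH from other servers"
+blockinfile:
+dest: /etc/ssh/sshd_config
+marker: "# {mark} ROOT AUTHORIZATION"
+block: |
+Match User root Address {{ other_servers_from_group_ips | join(',') }}
+AllowGroups root
+PubkeyAuthentication yes
+PasswordAuthentication no
+PermitRootLogin without-password
+state: present
+notify: reload sshd
+when: (boost_allow_root_ssh_between_servers | bool) and (other_servers_from_group_ips | length > 0)
+tags:
+- ssh
+
+- name: "root can connect over SSH from other servers"
+blockinfile:
+dest: /etc/ssh/sshd_config
+marker: "# {mark} ROOT AUTHORIZATION"
+state: absent
+notify: reload sshd
+when: not (boost_allow_root_ssh_between_servers | bool) or (other_servers_from_group_ips | length <= 0)
+tags:
+- ssh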
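Review bot: Both `blockinfile` tasks rewrite `/etc/ssh/sshd_config` without a `validate:`, so a malformed `Match User root Address …` line (for instance an entry in `other_servers_from_group_ips` that is not an address or CIDR) is written to disk before the `reload sshd` handler discovers it; add `validate: '/usr/sbin/sshd -t -f %s'` to both tasks so the block is rejected before it lands. `PermitRootLogin without-password` is the deprecated alias kept for compatibility; the current keyword is `PermitRootLogin prohibit-password`. The two tasks carry the same `name:` although the second removes the block — `"root cannot connect over SSH from other servers"` would read correctly in play output. Since `Match` blocks extend to the next `Match` or end of file and blockinfile appends at EOF, a later edit inserting global options after this block would silently fall under the `Match`; a comment in the block stating that it must stay last is worth adding.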
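--- a/boost-proxy/tasks/sysctl.yml
+++ b/boost-proxy/tasks/sysctl.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Boost optimization for sysctl
+sysctl:
+sysctl_file: "{{ boost_sysctl_file_path }}"
+name: "{{ item.key }}"
+value: "{{ item.value }}"
+reload: yes
+sysctl_set: yes
+loop: "{{ boost_sysctl_config }}"
+tags:
+- sysctl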
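Review bot: `reload: yes` and `sysctl_set: yes` should be written as `reload: true` and `sysctl_set: true`; the YAML 1.1 `yes` spelling is what the truthy lint rule rejects and the rest of the role (validate.yml) already uses `false`. The loop expects each element of `boost_sysctl_config` to be a mapping with `key` and `value`, but the default in defaults/main.yml is a bare `[]` with no hint of that shape; a `loop_control: label: "{{ item.key }}"` would also keep the play output readable when values are long.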
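--- a/boost-proxy/tasks/validate.yml
+++ b/boost-proxy/tasks/validate.yml
@@ -0,0 +1,24 @@
+---
+
+
+- name: check if HAProxy configuration is valid
+shell:
+cmd: "haproxy -c -f /etc/haproxy/haproxy.cfg"
+changed_when: false
+check_mode: no
+register: haproxy_validate
+when: boost_validate_haproxy
+tags:
+- always
+
+- name: check if Varnish configuration is valid
+shell:
+cmd: "sudo -u vcache TMPDIR={{ varnish_tmp_dir }} varnishd -C -f /etc/varnish/default.vcl > /dev/null"
+args:
+warn: False
+changed_when: false
+check_mode: no
+register: varnish_validate
+when: boost_validate_varnish
+tags:
+- always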
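Review bot: The Varnish check builds a shell line with `sudo -u vcache TMPDIR={{ varnish_tmp_dir }} …`, so the interpolated `varnish_tmp_dir` (not defined in this role's defaults — presumably from the varnish role, worth confirming) is passed unquoted through `/bin/sh`, and the `args: warn: False` flag that silences Ansible's sudo warning no longer exists in current ansible-core. Expressing the escalation and the environment in Ansible terms removes the shell entirely and the warning with it; the HAProxy check can likewise become `command: haproxy -c -f /etc/haproxy/haproxy.cfg`. Both `when:` conditions test the default `True` values directly while sshd.yml uses `| bool`; `when: boost_validate_varnish | bool` keeps the two consistent. Note that `tags: - always` makes these commands run on every tagged invocation, including `--tags sysctl`, which may or may not be intended.

```yaml
- name: check if Varnish configuration is valid
  command: varnishd -C -f /etc/varnish/default.vcl
  environment:
    TMPDIR: "{{ varnish_tmp_dir }}"
  become: true
  become_user: vcache
  # … unchanged: changed_when, check_mode, register, when, tags …
```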