diff options
| author | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2021-08-18 12:30:45 +0200 |
|---|---|---|
| committer | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2021-09-09 16:49:25 +0100 |
| commit | faf30d36e0e60253770ab92a79b2971df112276b (patch) | |
| tree | 7700912e470052b8c1aab5564278d1739cc2f464 | |
| parent | f72496241cd197cf06a25ed203b0cc76aee682da (diff) | |
| download | infrastructure-faf30d36e0e60253770ab92a79b2971df112276b.tar.gz | |
baserock_frontend: Move to Ubuntu
| -rw-r--r-- | baserock_frontend/haproxy.cfg | 2 | ||||
| -rw-r--r-- | baserock_frontend/image-config.yml | 33 | ||||
| -rw-r--r-- | baserock_frontend/instance-config.yml | 2 |
3 files changed, 10 insertions, 27 deletions
diff --git a/baserock_frontend/haproxy.cfg b/baserock_frontend/haproxy.cfg index 1217e957..8a638e57 100644 --- a/baserock_frontend/haproxy.cfg +++ b/baserock_frontend/haproxy.cfg @@ -49,7 +49,7 @@ frontend https-in # This means we only need to have the certificate in one place, and the # configuration of the other instances is simpler. It does mean that we # need to avoid having any insecure machines in the cloud. - bind *:443 ssl no-sslv3 crt /etc/pki/tls/private/baserock.pem + bind *:443 ssl no-sslv3 crt /etc/ssl/private/baserock.pem reqadd X-Forwarded-Proto:\ https # Rules below here implement the URL-based forwarding to the diff --git a/baserock_frontend/image-config.yml b/baserock_frontend/image-config.yml index 08a9b64a..a8ee88d2 100644 --- a/baserock_frontend/image-config.yml +++ b/baserock_frontend/image-config.yml @@ -1,34 +1,17 @@ # System configuration for Baserock HAProxy instance. --- - hosts: frontend-haproxy - gather_facts: false - sudo: yes + become: yes tasks: - # See: https://fedoramagazine.org/getting-ansible-working-fedora-23/ - - name: install Python2 and required deps for Ansible modules - raw: dnf install -y python2 python2-dnf - - - name: enable persistant journal - shell: mkdir /var/log/journal - args: - creates: /var/log/journal - - name: ensure system up to date - dnf: name=* state=latest + apt: + upgrade: yes + update_cache: yes - name: HAProxy installed - dnf: name=haproxy state=latest + apt: + name: haproxy - name: netcat installed - dnf: name=nc state=latest - - # Yes, SELinux prevents HAProxy from working. In this case I think it's - # because we ask it to listen on port 29418 for Gerrit's SSH connections. - - name: install libselinux-python, so Ansible can control selinux - dnf: name=libselinux-python state=latest - - - name: disable SELinux on subsequent boots - selinux: state=disabled - - - name: disable SELinux on current boot - command: setenforce 0 + apt: + name: netcat diff --git a/baserock_frontend/instance-config.yml b/baserock_frontend/instance-config.yml index 1cebce31..491ee535 100644 --- a/baserock_frontend/instance-config.yml +++ b/baserock_frontend/instance-config.yml @@ -10,7 +10,7 @@ - name: install SSL certificate copy: content: "{{ lookup('file', '../private/frontend-with-key.pem') }}" - dest: /etc/pki/tls/private/baserock.pem + dest: /etc/ssl/private/baserock.pem owner: haproxy mode: 400 notify: |