authorSam Thursfield <sam.thursfield@codethink.co.uk>2015-06-19 17:16:39 +0100
committerBaserock Gerrit <gerrit@baserock.org>2015-07-13 12:27:43 +0000
commit0feb2555a62834a42b03e2902e68c870156a0fc2 (patch)
treec9ecf589005e64e52a67d04c5055bd4a6f9a9202 /baserock_frontend
parent5889f7c9539d10bd32050e4e96404bdb9ffa762b (diff)
Avoid using Packer for the frontend system
Also, move it into baserock_frontend so it is clearly differentiated from the upstream definitions.git stuff. It's now based on Fedora 21 instead of Fedora 20. This is now deployed at baserock.org. Change-Id: Icaabc84f9513d08479d8d22c19e8b632ac5108b5
Diffstat (limited to 'baserock_frontend')
-rw-r--r--baserock_frontend/haproxy.cfg97
-rw-r--r--baserock_frontend/image-config.yml30
-rw-r--r--baserock_frontend/instance-backup-config.yml23
-rw-r--r--baserock_frontend/instance-config.yml18
4 files changed, 168 insertions, 0 deletions
diff --git a/baserock_frontend/haproxy.cfg b/baserock_frontend/haproxy.cfg
new file mode 100644
index 00000000..5ebbc031
--- /dev/null
+++ b/baserock_frontend/haproxy.cfg
@@ -0,0 +1,97 @@
+# HAProxy configuration for Baserock Project front-end proxy.
+
+global
+ maxconn 4000
+
+ daemon
+ pidfile /var/run/haproxy.pid
+ user haproxy
+ group haproxy
+
+ log /dev/log local0
+ stats socket /var/lib/haproxy/stats
+
+ # Maximum number of bits used when generating temporary
+ # keys for DHE key exchange. Higher values involve more CPU
+ # usage, lower values are less secure. HAProxy's default is
+ # 1024, which is too low and HAProxy actually warns if you use
+ # the default.
+ tune.ssl.default-dh-param 2048
+
+defaults
+ mode http
+ timeout connect 5000ms
+ timeout client 50000ms
+ timeout server 50000ms
+
+ log global
+ option httplog
+
+frontend http-in
+ # All HTTP traffic is redirected to HTTPS using the '301 Moved' HTTP code.
+ bind *:80
+ redirect scheme https code 301
+
+frontend https-in
+ # We do 'SSL termination' with HAProxy. So secure requests are received in
+ # the frontend, then decrypted and sent over HTTP on the internal network.
+ # This means we only need to have the certificate in one place, and the
+ # configuration of the other instances is simpler. It does mean that we
+ # need to avoid having any insecure machines in the cloud.
+ bind *:443 ssl crt /etc/pki/tls/private/baserock.pem
+ reqadd X-Forwarded-Proto:\ https
+
+ # Rules below here implement the URL-based forwarding to the
+ # appropriate instance. The hdr(host) call means 'extract the
+ # first Host header from the HTTP request or response', the '-m beg'
+ # switch means 'match against the beginning of it' and the '-i' flag
+ # makes the match case-insensitive.
+ #
+ # See <https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7>
+ # for more documentation than you ever dreamed of.
+
+ acl host_gerrit hdr(host) -m beg -i gerrit
+ use_backend baserock_gerrit_http if host_gerrit
+
+ acl host_irclogs hdr(host) -m beg -i irclogs
+ use_backend baserock_irclogs_http if host_irclogs
+
+ acl host_mason_x86_32 hdr(host) -m beg -i mason-x86-32
+ use_backend baserock_mason_x86_32_http if host_mason_x86_32
+
+ acl host_mason_x86_64 hdr(host) -m beg -i mason-x86-64
+ use_backend baserock_mason_x86_64_http if host_mason_x86_64
+
+ use_backend baserock_openid_provider_http if { hdr(host) -m beg -i openid }
+
+frontend ssh-in:
+ # FIXME: it'd be better if we could limit traffic on port 29418 to
+ # gerrit.baserock.org. There's no way of knowing from an SSH request
+ # which subdomain the user tried to connect to, so for now they can
+ # clone repos from 'ssh://openid.baserock.org:29418' and such like.
+ # For this reason it's probably worth pointing gerrit.baserock.org to
+ # a different floating IP that serves only the gerrit instance.
+ mode tcp
+ bind *:29418
+ default_backend baserock_gerrit_ssh
+
+# Entries here locate each server backend.
+
+backend baserock_gerrit_http
+ server baserock_gerrit 192.168.222.69:8080
+
+backend baserock_gerrit_ssh
+ mode tcp
+ server baserock_gerrit 192.168.222.69:29418
+
+backend baserock_irclogs_http
+ server baserock_irclogs 192.168.222.74:80
+
+backend baserock_mason_x86_32_http
+ server baserock_mason_x86_32 192.168.222.81:80
+
+backend baserock_mason_x86_64_http
+ server baserock_mason_x86_64 192.168.222.80:80
+
+backend baserock_openid_provider_http
+ server baserock_openid_provider 192.168.222.67:80
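Review bot: The `bind *:443 ssl crt /etc/pki/tls/private/baserock.pem` line in https-in leaves protocol versions and cipher suites at HAProxy's defaults, so SSLv3 and weak ciphers remain negotiable even though the global section already takes care to raise the DH parameter size; adding `ssl-default-bind-options no-sslv3` and `ssl-default-bind-ciphers <curated cipher list>` to the global section closes that gap for every TLS bind in one place. The ssh-in frontend runs in `mode tcp` while defaults set `option httplog`, which HAProxy warns about and falls back from at startup, so `option tcplog` belongs in that frontend. The section name `frontend ssh-in:` carries a trailing colon that none of the other proxy names have, which looks like a typo worth fixing before it becomes the name other configuration refers to. Consider `option forwardfor` in the HTTP frontends so the backends can log the real client address rather than the proxy's internal IP.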
diff --git a/baserock_frontend/image-config.yml b/baserock_frontend/image-config.yml
new file mode 100644
index 00000000..5c3f0148
--- /dev/null
+++ b/baserock_frontend/image-config.yml
@@ -0,0 +1,30 @@
+# System configuration for Baserock HAProxy instance.
+---
+- hosts: frontend-haproxy
+ gather_facts: false
+ sudo: yes
+ tasks:
+ - name: enable persistant journal
+ shell: mkdir /var/log/journal
+ args:
+ creates: /var/log/journal
+
+ - name: ensure system up to date
+ yum: name=* state=latest
+
+ - name: HAProxy installed
+ yum: name=haproxy state=latest
+
+ - name: netcat installed
+ yum: name=nc state=latest
+
+ # Yes, SELinux prevents HAProxy from working. In this case I think it's
+ # because we ask it to listen on port 29418 for Gerrit's SSH connections.
+ - name: install libselinux-python, so Ansible can control selinux
+ yum: name=libselinux-python state=latest
+
+ - name: disable SELinux on subsequent boots
+ selinux: state=disabled
+
+ - name: disable SELinux on current boot
+ command: setenforce 0
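Review bot: The last two tasks turn SELinux off for the whole internet-facing proxy, while the comment above them attributes the problem to the single non-standard port 29418; if that is the cause, labelling the port with `command: semanage port -a -t http_port_t -p tcp 29418` (semanage comes from policycoreutils-python) lets HAProxy bind it with SELinux left enforcing, and the comment should then record the actual denial seen rather than "I think". The 'enable persistant journal' task shells out to mkdir where `file: path=/var/log/journal state=directory` is the idempotent module form, and the task name misspells "persistent". `yum: name=* state=latest` makes the image depend on whatever the mirror holds at build time, which is acceptable here but deserves a comment stating that image builds are not reproducible.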
diff --git a/baserock_frontend/instance-backup-config.yml b/baserock_frontend/instance-backup-config.yml
new file mode 100644
index 00000000..8f7ca550
--- /dev/null
+++ b/baserock_frontend/instance-backup-config.yml
@@ -0,0 +1,23 @@
+# Instance backup configuration for the baserock.org frontend system.
+#
+# We don't need to back anything up from this system, but the backup
+# SSH key needs access to it in order to SSH to the other systems on the
+# internal network.
+---
+- hosts: frontend-haproxy
+ gather_facts: false
+ sudo: yes
+ vars:
+ # The 'backup' key cannot be used to SSH into the 'frontend' machine except
+ # from this IP.
+ PERMITTED_BACKUP_HOSTS: 82.70.136.246/32
+ tasks:
+ - name: backup user
+ user:
+ name: backup
+
+ - name: authorize backup public key
+ authorized_key:
+ user: backup
+ key: "{{ lookup('file', '../keys/backup.key.pub') }}"
+ key_options: 'from="{{ PERMITTED_BACKUP_HOSTS }}",no-agent-forwarding,no-X11-forwarding'
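Review bot: The `backup` user is created with a default login shell and its key is restricted only by the `from=` clause and the two forwarding denials on the last line, so anyone holding the key at the permitted address gets an interactive shell on the proxy as that user. If the key is used purely as a relay into the internal network, as the header comment says, `no-pty` can be appended to `key_options` without breaking that use, and a `command=` restriction pinning the relay invocation would narrow it further; the image's 'netcat installed' task hints that nc is that relay, but the playbook does not say. A comment naming the mechanism the backup host uses (ProxyCommand via nc versus a nested ssh) would make the chosen option set auditable and would justify leaving port forwarding enabled. The single `from=` address is a hard dependency on a static source IP that the comment introducing PERMITTED_BACKUP_HOSTS could state explicitly.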
diff --git a/baserock_frontend/instance-config.yml b/baserock_frontend/instance-config.yml
new file mode 100644
index 00000000..d7ce842b
--- /dev/null
+++ b/baserock_frontend/instance-config.yml
@@ -0,0 +1,18 @@
+# Instance configuration for Baserock HAProxy instance.
+#
+# This playbook should be run after starting an instance of the Baserock
+# frontend image.
+---
+- hosts: frontend-haproxy
+ gather_facts: false
+ sudo: yes
+ tasks:
+ # To create the .pem file, simply concatenate
+ # certs/baserock.org-ssl-certificate-temporary-dsilverstone.full.cert with
+ # the private key for that certificate (which is not committed to Git, of
+ # course).
+ - name: install SSL certificate
+ copy: src=../private/baserock.org-ssl-certificate-temporary-dsilverstone.pem dest=/etc/pki/tls/private/baserock.pem owner=haproxy mode=400
+
+ - name: HAProxy configuration
+ copy: src=haproxy.cfg dest=/etc/haproxy/haproxy.cfg
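Review bot: The `copy` of haproxy.cfg on the last line installs the configuration without validating it, and nothing in this playbook starts, enables or reloads the haproxy service, so a syntax error is only discovered when the daemon next starts; `copy: src=haproxy.cfg dest=/etc/haproxy/haproxy.cfg validate='haproxy -c -f %s'` rejects a broken file before it lands, and a `service: name=haproxy state=started enabled=yes` task (or a reload handler notified by both copy tasks) makes the run converge, unless that is handled in a playbook outside this change. The certificate task writes `mode=400`; the leading-zero form `mode=0400` is the spelling the copy module documents and avoids any doubt about octal interpretation. The "temporary" in the certificate filename suggests a planned replacement, so a comment noting where the permanent certificate will come from would help the next person running this.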