author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-06-19 17:16:39 +0100 |
committer | Baserock Gerrit <gerrit@baserock.org> | 2015-07-13 12:27:43 +0000 |
commit | 0feb2555a62834a42b03e2902e68c870156a0fc2 (patch) | |
tree | c9ecf589005e64e52a67d04c5055bd4a6f9a9202 /baserock_frontend | |
parent | 5889f7c9539d10bd32050e4e96404bdb9ffa762b (diff) | |
download | infrastructure-0feb2555a62834a42b03e2902e68c870156a0fc2.tar.gz |
Avoid using Packer for the frontend system
Also, move it into baserock_frontend so it is clearly differentiated
from the upstream definitions.git stuff.
It's now based on Fedora 21 instead of Fedora 20.
This is now deployed at baserock.org.
Change-Id: Icaabc84f9513d08479d8d22c19e8b632ac5108b5
Diffstat (limited to 'baserock_frontend')
-rw-r--r-- | baserock_frontend/haproxy.cfg | 97 | ||||
-rw-r--r-- | baserock_frontend/image-config.yml | 30 | ||||
-rw-r--r-- | baserock_frontend/instance-backup-config.yml | 23 | ||||
-rw-r--r-- | baserock_frontend/instance-config.yml | 18 |
4 files changed, 168 insertions, 0 deletions
diff --git a/baserock_frontend/haproxy.cfg b/baserock_frontend/haproxy.cfg
new file mode 100644
index 00000000..5ebbc031
--- /dev/null
+++ b/baserock_frontend/haproxy.cfg
@@ -0,0 +1,97 @@
+# HAProxy configuration for Baserock Project front-end proxy.
+
+global
+ maxconn 4000
+
+ daemon
+ pidfile /var/run/haproxy.pid
+ user haproxy
+ group haproxy
+
+ log /dev/log local0
+ stats socket /var/lib/haproxy/stats
+
+ # Maximum number of bits used when generating temporary
+ # keys for DHE key exchange. Higher values involve more CPU
+ # usage, lower values are less secure. HAProxy's default is
+ # 1024, which is too low and HAProxy actually warns if you use
+ # the default.
+ tune.ssl.default-dh-param 2048
+
+defaults
+ mode http
+ timeout connect 5000ms
+ timeout client 50000ms
+ timeout server 50000ms
+
+ log global
+ option httplog
+
+frontend http-in
+ # All HTTP traffic is redirected to HTTPS using the '301 Moved' HTTP code.
+ bind *:80
+ redirect scheme https code 301
+
+frontend https-in
+ # We do 'SSL termination' with HAProxy. So secure requests are received in
+ # the frontend, then decrypted and sent over HTTP on the internal network.
+ # This means we only need to have the certificate in one place, and the
+ # configuration of the other instances is simpler. It does mean that we
+ # need to avoid having any insecure machines in the cloud.
+ bind *:443 ssl crt /etc/pki/tls/private/baserock.pem
+ reqadd X-Forwarded-Proto:\ https
+
+ # Rules below here implement the URL-based forwarding to the
+ # appropriate instance. The hdr(host) call means 'extract the
+ # first Host header from the HTTP request or response', the '-m beg'
+ # switch means 'match against the beginning of it' and the '-i' flag
+ # makes the match case-insensitive.
+ #
+ # See <https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7>
+ # for more documentation than you ever dreamed of.
+
+ acl host_gerrit hdr(host) -m beg -i gerrit
+ use_backend baserock_gerrit_http if host_gerrit
+
+ acl host_irclogs hdr(host) -m beg -i irclogs
+ use_backend baserock_irclogs_http if host_irclogs
+
+ acl host_mason_x86_32 hdr(host) -m beg -i mason-x86-32
+ use_backend baserock_mason_x86_32_http if host_mason_x86_32
+
+ acl host_mason_x86_64 hdr(host) -m beg -i mason-x86-64
+ use_backend baserock_mason_x86_64_http if host_mason_x86_64
+
+ use_backend baserock_openid_provider_http if { hdr(host) -m beg -i openid }
+
+frontend ssh-in:
+ # FIXME: it'd be better if we could limit traffic on port 29418 to
+ # gerrit.baserock.org. There's no way of knowing from an SSH request
+ # which subdomain the user tried to connect to, so for now they can
+ # clone repos from 'ssh://openid.baserock.org:29418' and such like.
+ # For this reason it's probably worth pointing gerrit.baserock.org to
+ # a different floating IP that serves only the gerrit instance.
+ mode tcp
+ bind *:29418
+ default_backend baserock_gerrit_ssh
+
+# Entries here locate each server backend.
+
+backend baserock_gerrit_http
+ server baserock_gerrit 192.168.222.69:8080
+
+backend baserock_gerrit_ssh
+ mode tcp
+ server baserock_gerrit 192.168.222.69:29418
+
+backend baserock_irclogs_http
+ server baserock_irclogs 192.168.222.74:80
+
+backend baserock_mason_x86_32_http
+ server baserock_mason_x86_32 192.168.222.81:80
+
+backend baserock_mason_x86_64_http
+ server baserock_mason_x86_64 192.168.222.80:80
+
+backend baserock_openid_provider_http
+ server baserock_openid_provider 192.168.222.67:80
diff --git a/baserock_frontend/image-config.yml b/baserock_frontend/image-config.yml
new file mode 100644
index 00000000..5c3f0148
--- /dev/null
+++ b/baserock_frontend/image-config.yml
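Review bot: The `bind *:443 ssl crt /etc/pki/tls/private/baserock.pem` line in `frontend https-in` leaves TLS protocol versions and cipher suites at whatever the HAProxy/OpenSSL packages default to, so the listener's TLS policy is not stated anywhere in this file; adding `ssl-default-bind-options no-sslv3` and an explicit `ssl-default-bind-ciphers` list to the `global` section, next to `tune.ssl.default-dh-param 2048`, pins it and makes the proxy auditable on its own. Nothing adds an X-Forwarded-For header, so the Gerrit, irclogs, mason and OpenID backends only ever see the connection from the proxy and their logs lose the client address; `option forwardfor` in `frontend https-in` (it is HTTP-only, so not in `defaults` where the tcp-mode `ssh-in` frontend would warn) keeps the source IP available for incident review. `frontend ssh-in:` carries a trailing colon that the other frontend names do not, which makes the proxy name `ssh-in:`; drop it for consistency.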
@@ -0,0 +1,30 @@
+# System configuration for Baserock HAProxy instance.
+---
+- hosts: frontend-haproxy
+ gather_facts: false
+ sudo: yes
+ tasks:
+ - name: enable persistant journal
+ shell: mkdir /var/log/journal
+ args:
+ creates: /var/log/journal
+
+ - name: ensure system up to date
+ yum: name=* state=latest
+
+ - name: HAProxy installed
+ yum: name=haproxy state=latest
+
+ - name: netcat installed
+ yum: name=nc state=latest
+
+ # Yes, SELinux prevents HAProxy from working. In this case I think it's
+ # because we ask it to listen on port 29418 for Gerrit's SSH connections.
+ - name: install libselinux-python, so Ansible can control selinux
+ yum: name=libselinux-python state=latest
+
+ - name: disable SELinux on subsequent boots
+ selinux: state=disabled
+
+ - name: disable SELinux on current boot
+ command: setenforce 0
diff --git a/baserock_frontend/instance-backup-config.yml b/baserock_frontend/instance-backup-config.yml
new file mode 100644
index 00000000..8f7ca550
--- /dev/null
+++ b/baserock_frontend/instance-backup-config.yml
@@ -0,0 +1,23 @@
+# Instance backup configuration for the baserock.org frontend system.
+#
+# We don't need to back anything up from this system, but the backup
+# SSH key needs access to it in order to SSH to the other systems on the
+# internal network.
+---
+- hosts: frontend-haproxy
+ gather_facts: false
+ sudo: yes
+ vars:
+ # The 'backup' key cannot be used to SSH into the 'frontend' machine except
+ # from this IP.
+ PERMITTED_BACKUP_HOSTS: 82.70.136.246/32
+ tasks:
+ - name: backup user
+ user:
+ name: backup
+
+ - name: authorize backup public key
+ authorized_key:
+ user: backup
+ key: "{{ lookup('file', '../keys/backup.key.pub') }}"
+ key_options: 'from="{{ PERMITTED_BACKUP_HOSTS }}",no-agent-forwarding,no-X11-forwarding'
diff --git a/baserock_frontend/instance-config.yml b/baserock_frontend/instance-config.yml
new file mode 100644
index 00000000..d7ce842b
--- /dev/null
+++ b/baserock_frontend/instance-config.yml
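Review bot: The last two tasks turn SELinux off for the whole host (`selinux: state=disabled`, `command: setenforce 0`) to work around a single denial whose cause the comment above them only guesses at. A narrower fix keeps enforcing mode and grants just what HAProxy needs once the real denial has been read from the audit log — for the bind on 29418 that is likely a port label such as `command: semanage port -a -t http_port_t -p tcp 29418` (semanage comes from the policycoreutils-python package), and for the outbound connection to Gerrit's SSH port the `haproxy_connect_any` boolean. `sudo: yes` uses a YAML 1.1 truthy value; `sudo: true` means the same to Ansible and avoids the yes/no ambiguity, which also applies to the two sibling playbooks in this commit. The first task name has a typo: `persistant` → `persistent`.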
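Review bot: The `authorized_key` task limits the backup key by source address plus `no-agent-forwarding,no-X11-forwarding`, but still allows an interactive shell on the frontend; since the header comment says the key exists only so the backup host can hop through this machine to the internal network, `no-pty` fits the same intent and removes shell access from a leaked key — confirm the backup job never needs a tty here before adding it. The `from=` value is a single /32, so the comment above `PERMITTED_BACKUP_HOSTS` is the only record of which machine that is; naming the host there would help whoever rotates it.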
@@ -0,0 +1,18 @@
+# Instance configuration for Baserock HAProxy instance.
+#
+# This playbook should be run after starting an instance of the Baserock
+# frontend image.
+---
+- hosts: frontend-haproxy
+ gather_facts: false
+ sudo: yes
+ tasks:
+ # To create the .pem file, simply concatenate
+ # certs/baserock.org-ssl-certificate-temporary-dsilverstone.full.cert with
+ # the private key for that certificate (which is not committed to Git, of
+ # course).
+ - name: install SSL certificate
+ copy: src=../private/baserock.org-ssl-certificate-temporary-dsilverstone.pem dest=/etc/pki/tls/private/baserock.pem owner=haproxy mode=400
+
+ - name: HAProxy configuration
+ copy: src=haproxy.cfg dest=/etc/haproxy/haproxy.cfg
|
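Review bot: The `install SSL certificate` task writes the concatenated certificate and private key with `owner=haproxy mode=400`, which makes the key readable by the unprivileged account HAProxy drops to (`user haproxy` in haproxy.cfg); HAProxy reads `crt` files while it is still root during config load, so `owner=root mode=0400` keeps the key out of reach of a compromised worker — confirm the Fedora service unit does not start the daemon directly as `haproxy` before changing it. Neither copy task notifies anything, so a replaced certificate or `haproxy.cfg` is not picked up until something else restarts the daemon; a handler `service: name=haproxy state=reloaded` with `notify: reload haproxy` on both tasks closes that gap. `mode=400` is a key=value string here and therefore safe, but `mode=0400` reads unambiguously if the task is later converted to block YAML.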