xai-corp.net/provisioning
1
0
Fork 0
Code Issues 9 Releases Activity

refactor ansible code in to ansible-2.0 folder, and created space for ansible-2.10

Browse Source
This commit is contained in:
richard
2021-12-21 10:03:39 -05:00
parent e156b183ed
commit 22ef544758
159 changed files with 59 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
ansible-2.0/roles/_install_updates/tasks/main.yml Normal file
View File

@@ -0,0 +1,9 @@
---
# update packages to latest
- name: run apt updates
apt:
upgrade: dist
update_cache: yes
cache_valid_time: 3600
when: ansible_os_family == "Debian"

18
ansible-2.0/roles/_install_updates/tasks/rebootAndWait.yml Normal file
View File

@@ -0,0 +1,18 @@
---
# wait random time to start this to offset reboots of individual machines
- pause: seconds={{ 100 | random(1,10) }}
# Send the reboot command
- shell: shutdown -r now
# This pause is mandatory, otherwise the existing control connection gets reused!
- pause: seconds=30
# Now we will run a local 'ansible -m ping' on this host until it returns.
# This works with the existing ansible hosts inventory and so any custom ansible_ssh_hosts definitions are being used
- local_action: shell ansible -u {{ ansible_user_id }} -m ping {{ inventory_hostname }}
register: result
until: result.rc == 0
retries: 30
delay: 10

4
ansible-2.0/roles/_ping/tasks/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: test connection
ping:

4
ansible-2.0/roles/_template/defaults/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
# defaults/main.yml
# define default variable values here

9
ansible-2.0/roles/_template/handlers/main.yml Normal file
View File

@@ -0,0 +1,9 @@
---
# handlers/main.yml
# define handlers here
#- name: restart <service>
# service: name=<service> state=restarted
#- name: stop <service>
# service: name=<service> state=stopped

8
ansible-2.0/roles/_template/meta/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
# meta/main.yml
# define dependancies here
# dependencies:
# - { role: geerlingguy.java }
dependencies: []

4
ansible-2.0/roles/_template/tasks/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
# tasks/main.yml
# define tasks here

10
ansible-2.0/roles/_template/vars/_extravars.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# vars/_extravars.yml
# define extra variable values here
# this file should be loaded via an include_vars statement in the task.
# often this is used for managing differences in os.
# Variable setup.
#- name: Include OS-Specific variables
# include_vars: "{{ ansible_os_family }}.yml"

4
ansible-2.0/roles/bootstrap_vms/defaults/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
#default variables for boostrap_vms
vagrant_folder: "/opt/home.xai-corp.net/vm_config"

9
ansible-2.0/roles/bootstrap_vms/meta/main.yml Normal file
View File

@@ -0,0 +1,9 @@
---
# meta/main.yml
# define dependancies here
# dependencies:
# - { role: geerlingguy.java }
dependencies:
- { role: vagrant }

32
ansible-2.0/roles/bootstrap_vms/tasks/main.yml Normal file
View File

@@ -0,0 +1,32 @@
---
# bootstrap vms on host machine
# install required system packages
- name: install system packages
apt:
state: present
name: "{{item}}"
update_cache: yes
with_items: []
# copy across vagrant file
- name: create target folder
file:
state: directory
dest: "{{ vagrant_folder }}"
- name: copy vagrant file
template:
src: Vagrantfile.j2
dest: "{{ vagrant_folder }}/Vagrantfile"
# update and run vagrant boxes
- name: update vagrant box
command: vagrant box update
args:
chdir: "{{vagrant_folder}}"
- name: vagrant up
command: vagrant up
args:
chdir: "{{vagrant_folder}}"

77
ansible-2.0/roles/bootstrap_vms/templates/Vagrantfile.j2 Normal file
View File

@@ -0,0 +1,77 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
BASE_BOX = "ubuntu/xenial64"
BRIDGE_NET = "{{vm.bridge_network}}"
$script = <<SCRIPT
echo I am provisioning...
sudo adduser --home /home/ansible --shell /bin/bash --uid 1001 --disabled-password ansible
sudo mkdir -p /home/ansible/.ssh
sudo cat /etc/sudoers
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmJSdmj03d4fnZUuRByevPDNiReEk1fRL+7F9WPCo5zn+r5Oj84HXxd4P03DNXeGSBYmUAnsTqYEGdkjkpSrKfMm9bv8amL7hUC+Mzb+wOmXmyX1cw/SearYCBQRCz1s5p7I9+PO7XWaC0VJ99LUm1Bp4JM149U5X0Y3M2j2XV+0= RSA-1024" | sudo tee -a /home/ansible/.ssh/authorized_keys
sudo chmod 600 /home/ansible/.ssh/authorized_keys
sudo chmod 700 /home/ansible/.ssh
sudo chown -R ansible /home/ansible
sudo echo "ansible ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
sudo apt -y update && sudo apt install -y python-minimal
date > /etc/vagrant_provisioned_at
SCRIPT
Vagrant.configure("2") do |config|
config.vm.define "dkhost01" do |dkhost01|
dkhost01.vm.hostname = "dkhost01"
dkhost01.vm.box = BASE_BOX
dkhost01.vm.box_check_update = true
dkhost01.vm.network "public_network", bridge: BRIDGE_NET
dkhost01.vm.synced_folder '.', '/vagrant', disabled: true
dkhost01.vm.provision "shell", inline: $script
dkhost01.vm.provider "virtualbox" do |vb|
vb.name = "dkhost01"
vb.gui = false
vb.memory = "2048"
vb.cpus = 2
#vb.customize ["modifyvm", :id, "--autostart-enabled", "on"]
#vb.customize ["modifyvm", :id, "--autostart-delay", "30"]
vb.customize ["modifyvm", :id, "--macaddress2", "0800271a4d51"]
end
end
config.vm.define "dkhost02" do |dkhost|
dkhost.vm.hostname = "dkhost02"
dkhost.vm.box = BASE_BOX
dkhost.vm.box_check_update = true
dkhost.vm.network "public_network", bridge: BRIDGE_NET
dkhost.vm.synced_folder '.', '/vagrant', disabled: true
dkhost.vm.provision "shell", inline: $script
dkhost.vm.provider "virtualbox" do |vb|
vb.name = "dkhost01"
vb.gui = false
vb.memory = "2048"
vb.cpus = 2
#vb.customize ["modifyvm", :id, "--autostart-enabled", "on"]
#vb.customize ["modifyvm", :id, "--autostart-delay", "30"]
vb.customize ["modifyvm", :id, "--macaddress2", "0800273D10E4"]
end
end
end

33
ansible-2.0/roles/certbot/tasks/install.yml Normal file
View File

@@ -0,0 +1,33 @@
---
# main task for installing Let's Encrypt's certbot tool
# https://certbot.eff.org/#ubuntuxenial-other
- name: install certbot on ubuntu 16.04
apt:
state: latest
package: "{{ item }}"
update_cache: yes
cache_valid_time: 3600
with_items:
- "letsencrypt"
when: ansible_os_family == "Debian"
- name: create webroot /var/www/xai-corp.net
file:
state: directory
path: /var/www/xai-corp.net
#- name: create first certificates
# command: "letsencrypt certonly --webroot -w /var/www/xai-corp.net -d {{ item }}"
# args:
# creates: /etc/letsencrypt/live/{{ item }}/cert.pem
# with_items: "{{certbot.domains}}"
- name: cron job for renewing certs
cron:
name: renew let's encrypt certificates
state: absent
user: root
day: "*/2"
job: "letsencrypt renew "

10
ansible-2.0/roles/certbot/tasks/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# main install certbot
# deprecated. Use container instead
- include: install.yml
when: certbot.uninstall != true
- include: uninstall.yml
when: certbot.uninstall == true

31
ansible-2.0/roles/certbot/tasks/uninstall.yml Normal file
View File

@@ -0,0 +1,31 @@
---
# uninstall certbot
- name: stop nginx before removing it
service:
name: nginx
state: stopped
- name: uninstall certbot on ubuntu 16.04
apt:
state: absent
package: "{{ item }}"
update_cache: yes
cache_valid_time: 3600
with_items:
- "letsencrypt"
- "nginx"
when: ansible_os_family == "Debian"
- name: remove webroot /var/www/xai-corp.net
file:
state: absent
path: /var/www/xai-corp.net
- name: remove cron job for renewing certs
cron:
name: renew let's encrypt certificates
state: absent
user: root
day: "*/2"
job: "letsencrypt renew "

6
ansible-2.0/roles/cleanup/defaults/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
# defaults for cleanup
cleanup:
cron: []
packages: []

18
ansible-2.0/roles/cleanup/tasks/main.yml Normal file
View File

@@ -0,0 +1,18 @@
---
# cleanup/tasks/main.yml
# removes packages and cron jobs
- name: remove packages
apt:
state: absent
name: "{{item}}"
update_cache: yes
with_items: "{{ cleanup.packages }}"
- name: remove cronjob
cron:
state: absent
name: "{{ item.name }}"
cron_file: "{{ item.file }}"
with_items: "{{ cleanup.cron }}"

33
ansible-2.0/roles/cubox-i.xai-corp.net/defaults/main.yml Normal file
View File

@@ -0,0 +1,33 @@
---
# defaults/main.yml
# define default variable values here
#/dev/sda6 /data/glusterfs/vmshares/brick1 xfs defaults 0 0
cubox-i:
fstab:
add:
vmshare:
host: /dev/sda6
mount: /data/glusterfs/vmshares/brick1
fstype: xfs
attr: defaults
gitea:
host: /dev/sda7
mount: /data/glusterfs/gitea/brick1
fstype: xfs
attr: defaults
jenkins:
host: /dev/sda8
mount: /data/glusterfs/jenkins/brick1
fstype: xfs
attr: defaults
tmp:
host: /dev/sda9
mount: /data/glusterfs/tmp/brick1
fstype: xfs
attr: defaults
elasticsearch:
host: /dev/sda10
mount: /data/glusterfs/elasticsearch/brick1
fstype: xfs
attr: defaults

22
ansible-2.0/roles/cubox-i.xai-corp.net/tasks/main.yml Normal file
View File

@@ -0,0 +1,22 @@
---
# main tasks for special cubox-i config
- name: create mount points
file:
path: "{{ item.value.mount }}"
state: directory
mode: 0755
with_dict: cubox-i.fstab.add
- name: create glusterfs mount hosts file entries
lineinfile:
state: present
dest: /etc/fstab
insertafter: EOF
regexp: '^#?{{ item.value.host }}'
line: '{{ item.value.host }} {{ item.value.mount }} {{ item.value.fstype }} {{ item.value.attr }} 0 0'
with_dict: cubox-i.fstab.add
- name: mute syslog

4
ansible-2.0/roles/ddagent_source/files/supervisor-dd-agent.conf Normal file
View File

@@ -0,0 +1,4 @@
[program:dd-agent]
command=/root/.datadog-agent/bin/agent start -d
stderr_logfile = /var/log/supervisord/ddagent-stderr.log
stdout_logfile = /var/log/supervisord/ddagent-stdout.log

12
ansible-2.0/roles/ddagent_source/handlers/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# handlers/main.yml
# define handlers here
#- name: restart <service>
# service: name=<service> state=restarted
#- name: stop <service>
# service: name=<service> state=stopped
- name: restart supervisor
service: name=supervisor start restarted

25
ansible-2.0/roles/ddagent_source/tasks/main.yml Normal file
View File

@@ -0,0 +1,25 @@
---
# install dd-agent from source
- name: install packages
apt:
state: installed
package: "{{ item }}"
update_cache: yes
cache_valid_time: 3600
with_items:
- python-psutil
- shell: DD_API_KEY=ca0faf176c4aedd4f547ed7cf85615eb DD_SKIP_INTEGRATIONS=1 DD_START_AGENT=0 sh -c "$(curl -L https://raw.githubusercontent.com/DataDog/dd-agent/master/packaging/datadog-agent/source/setup_agent.sh)"
args:
creates: "/root/.datadog-agent/bin/agent"
- name: add agent line to rc.local
lineinfile:
dest: /etc/rc.local
regexp: '^nohup sh /root/.datadog-agent/bin/agent &'
line: 'nohup sh /root/.datadog-agent/bin/agent &'
insertbefore: "^exit 0"
- name: start agent
shell: /root/.datadog-agent/bin/agent start

4
ansible-2.0/roles/devtools/defaults/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
# defaults/main.yml
# define default variable values here

9
ansible-2.0/roles/devtools/handlers/main.yml Normal file
View File

@@ -0,0 +1,9 @@
---
# handlers/main.yml
# define handlers here
#- name: restart <service>
# service: name=<service> state=restarted
#- name: stop <service>
# service: name=<service> state=stopped

8
ansible-2.0/roles/devtools/meta/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
# meta/main.yml
# define dependancies here
# dependencies:
# - { role: geerlingguy.java }
dependencies: []

17
ansible-2.0/roles/devtools/tasks/main.yml Normal file
View File

@@ -0,0 +1,17 @@
---
# tasks/main.yml
# define tasks here
- name: install composer
shell: curl -sS https://getcomposer.org/installer | php && mv composer.phar /usr/local/bin/composer
- name: install nodejs and npm
apt: pkg={{ item }} state=installed
with_items:
- nodejs
- nodejs-legacy
- npm
- name: install grunt globaly
npm: name="grunt-cli" global=yes

10
ansible-2.0/roles/devtools/vars/_extravars.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# vars/_extravars.yml
# define extra variable values here
# this file should be loaded via an include_vars statement in the task.
# often this is used for managing differences in os.
# Variable setup.
#- name: Include OS-Specific variables
# include_vars: "{{ ansible_os_family }}.yml"

7
ansible-2.0/roles/django/tasks/main.yml Normal file
View File

@@ -0,0 +1,7 @@
---
# roles/django/tasks/main.yml
- name: install packages
portage: state=present package={{ item }}
with_items:
- "dev-python/django"

30
ansible-2.0/roles/docker_graylog/files/docker-compose.yml Normal file
View File

@@ -0,0 +1,30 @@
version: '3.9'
services:
mongo:
restart: always
image: "mongo:3"
volumes:
- /opt/shared/graylog/data/mongo:/data/db
elasticsearch:
restart: always
image: "elasticsearch:2"
command: "elasticsearch -Des.cluster.name='graylog'"
volumes:
- /opt/shared/graylog/data/elasticsearch:/usr/share/elasticsearch/data
graylog:
restart: always
image: graylog2/server:2.1.0-3
volumes:
- /opt/shared/graylog/data/journal:/usr/share/graylog/data/journal
- /opt/shared/graylog/config:/usr/share/graylog/data/config
environment:
GRAYLOG_PASSWORD_SECRET: gsahu1dj901hdaiuafg3g1q
GRAYLOG_ROOT_PASSWORD_SHA2: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
GRAYLOG_WEB_ENDPOINT_URI: http://192.168.4.41:9000/api/
depends_on:
- mongo
- elasticsearch
ports:
- "9000:9000"
- "12201/udp:12201/udp"
- "1514/udp:1514/udp"

442
ansible-2.0/roles/docker_graylog/files/graylog.conf Normal file
View File

@@ -0,0 +1,442 @@
# If you are running more than one instances of Graylog server you have to select one of these
# instances as master. The master will perform some periodical tasks that non-masters won't perform.
is_master = true
# The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
# to use an absolute file path here if you are starting Graylog server from init scripts or similar.
node_id_file = /usr/share/graylog/data/config/node-id
# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
password_secret = replacethiswithyourownsecret!
# The default root user is named 'admin'
#root_username = admin
# You MUST specify a hash password for the root user (which you only need to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface. If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
root_password_sha2 = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
# The email address of the root user.
# Default is empty
#root_email = ""
# The time zone setting of the root user.
# The configured time zone must be parseable by http://www.joda.org/joda-time/apidocs/org/joda/time/DateTimeZone.html#forID-java.lang.String-
# Default is UTC
#root_timezone = UTC
# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog/plugin
# REST API listen URI. Must be reachable by other Graylog server nodes if you run a cluster.
# When using Graylog Collectors, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
rest_listen_uri = http://0.0.0.0:9000/api/
# REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
# is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
# If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
# this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
# You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
# the scheme, host name or URI.
#rest_transport_uri = http://192.168.1.1:9000/api/
# Enable CORS headers for REST API. This is necessary for JS-clients accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve resources from the server.
# This is enabled by default. Uncomment the next line to disable it.
#rest_enable_cors = false
# Enable GZIP support for REST API. This compresses API responses and therefore helps to reduce
# overall round trip times. This is disabled by default. Uncomment the next line to enable it.
#rest_enable_gzip = true
# Enable HTTPS support for the REST API. This secures the communication with the REST API with
# TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
# next line to enable it.
#rest_enable_tls = true
# The X.509 certificate file to use for securing the REST API.
#rest_tls_cert_file = /path/to/graylog.crt
# The private key to use for securing the REST API.
#rest_tls_key_file = /path/to/graylog.key
# The password to unlock the private key used for securing the REST API.
#rest_tls_key_password = secret
# The maximum size of the HTTP request headers in bytes.
#rest_max_header_size = 8192
# The maximal length of the initial HTTP/1.1 line in bytes.
#rest_max_initial_line_length = 4096
# The size of the thread pool used exclusively for serving the REST API.
#rest_thread_pool_size = 16
# Enable the embedded Graylog web interface.
# Default: true
#web_enable = false
# Web interface listen URI
web_listen_uri = http://0.0.0.0:9000/
# Enable CORS headers for the web interface. This is necessary for JS-clients accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve resources from the server.
web_enable_cors = true
# Enable/disable GZIP support for the web interface. This compresses HTTP responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
#web_enable_gzip = false
# Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
# using TLS to prevent request forgery and eavesdropping.
# This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
#web_enable_tls = true
# The X.509 certificate file to use for securing the web interface.
#web_tls_cert_file = /path/to/graylog-web.crt
# The private key to use for securing the web interface.
#web_tls_key_file = /path/to/graylog-web.key
# The password to unlock the private key used for securing the web interface.
#web_tls_key_password = secret
# The maximum size of the HTTP request headers in bytes.
#web_max_header_size = 8192
# The maximal length of the initial HTTP/1.1 line in bytes.
#web_max_initial_line_length = 4096
# The size of the thread pool used exclusively for serving the web interface.
#web_thread_pool_size = 16
# Embedded Elasticsearch configuration file
# pay attention to the working directory of the server, maybe use an absolute path here
# elasticsearch_config_file = /usr/share/graylog/data/config/elasticsearch.yml
# Graylog will use multiple indices to store documents in. You can configured the strategy it uses to determine
# when to rotate the currently active write index.
# It supports multiple rotation strategies:
# - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure
# - "size" per index, use elasticsearch_max_size_per_index below to configure
# valid values are "count", "size" and "time", default is "count"
rotation_strategy = count
# (Approximate) maximum number of documents in an Elasticsearch index before a new index
# is being created, also see no_retention and elasticsearch_max_number_of_indices.
# Configure this if you used 'rotation_strategy = count' above.
elasticsearch_max_docs_per_index = 20000000
# (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see
# no_retention and elasticsearch_max_number_of_indices. Default is 1GB.
# Configure this if you used 'rotation_strategy = size' above.
#elasticsearch_max_size_per_index = 1073741824
# (Approximate) maximum time before a new Elasticsearch index is being created, also see
# no_retention and elasticsearch_max_number_of_indices. Default is 1 day.
# Configure this if you used 'rotation_strategy = time' above.
# Please note that this rotation period does not look at the time specified in the received messages, but is
# using the real clock value to decide when to rotate the index!
# Specify the time using a duration and a suffix indicating which unit you want:
# 1w = 1 week
# 1d = 1 day
# 12h = 12 hours
# Permitted suffixes are: d for day, h for hour, m for minute, s for second.
#elasticsearch_max_time_per_index = 1d
# Disable checking the version of Elasticsearch for being compatible with this Graylog release.
# WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss!
#elasticsearch_disable_version_check = true
# Disable message retention on this node, i. e. disable Elasticsearch index rotation.
#no_retention = false
# How many indices do you want to keep?
elasticsearch_max_number_of_indices = 20
# Decide what happens with the oldest indices when the maximum number of indices is reached.
# The following strategies are availble:
# - delete # Deletes the index completely (Default)
# - close # Closes the index and hides it from the system. Can be re-opened later.
retention_strategy = delete
# How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices.
elasticsearch_shards = 4
elasticsearch_replicas = 0
# Prefix for all Elasticsearch indices and index aliases managed by Graylog.
elasticsearch_index_prefix = graylog
# Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping.
# # Default: graylog-internal
#elasticsearch_template_name = graylog-internal
# Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
# be enabled with care. See also: https://www.graylog.org/documentation/general/queries/
allow_leading_wildcard_searches = true
# Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and
# should only be enabled after making sure your Elasticsearch cluster has enough memory.
allow_highlighting = true
# settings to be passed to elasticsearch's client (overriding those in the provided elasticsearch_config_file)
# all these
# this must be the same as for your Elasticsearch cluster
elasticsearch_cluster_name = graylog
# The prefix being used to generate the Elasticsearch node name which makes it easier to identify the specific Graylog
# server running the embedded Elasticsearch instance. The node name will be constructed by concatenating this prefix
# and the Graylog node ID (see node_id_file), for example "graylog-17052010-1234-5678-abcd-1337cafebabe".
# Default: graylog-
#elasticsearch_node_name_prefix = graylog-
# we don't want the Graylog server to store any data, or be master node
#elasticsearch_node_master = false
#elasticsearch_node_data = false
# use a different port if you run multiple Elasticsearch nodes on one machine
elasticsearch_transport_tcp_port = 9350
# we don't need to run the embedded HTTP server here
elasticsearch_http_enabled = false
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = elasticsearch:9300
# Change the following setting if you are running into problems with timeouts during Elasticsearch cluster discovery.
# The setting is specified in milliseconds, the default is 5000ms (5 seconds).
#elasticsearch_cluster_discovery_timeout = 5000
# the following settings allow to change the bind addresses for the Elasticsearch client in Graylog
# these settings are empty by default, letting Elasticsearch choose automatically,
# override them here or in the 'elasticsearch_config_file' if you need to bind to a special address
# refer to http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/modules-network.html
# for special values here
elasticsearch_network_host = 0.0.0.0
#elasticsearch_network_bind_host =
#elasticsearch_network_publish_host =
# The total amount of time discovery will look for other Elasticsearch nodes in the cluster
# before giving up and declaring the current node master.
#elasticsearch_discovery_initial_state_timeout = 3s
# Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea.
# All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom
# Elasticsearch documentation: http://www.elasticsearch.org/guide/reference/index-modules/analysis/
# Note that this setting only takes effect on newly created indices.
elasticsearch_analyzer = standard
# Global request timeout for Elasticsearch requests (e. g. during search, index creation, or index time-range
# calculations) based on a best-effort to restrict the runtime of Elasticsearch operations.
# Default: 1m
#elasticsearch_request_timeout = 1m
# Time interval for index range information cleanups. This setting defines how often stale index range information
# is being purged from the database.
# Default: 1h
#index_ranges_cleanup_interval = 1h
# Batch size for the Elasticsearch output. This is the maximum (!) number of messages the Elasticsearch output
# module will get at once and write to Elasticsearch in a batch call. If the configured batch size has not been
# reached within output_flush_interval seconds, everything that is available will be flushed at once. Remember
# that every outputbuffer processor manages its own batch and performs its own batch write calls.
# ("outputbuffer_processors" variable)
output_batch_size = 500
# Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two
# batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages
# for this time period is less than output_batch_size * outputbuffer_processors.
output_flush_interval = 1
# As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and
# over again. To prevent this, the following configuration options define after how many faults an output will
# not be tried again for an also configurable amount of seconds.
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
# The number of parallel running processors.
# Raise this number if your buffers are filling up.
processbuffer_processors = 5
outputbuffer_processors = 3
#outputbuffer_processor_keep_alive_time = 5000
#outputbuffer_processor_threads_core_pool_size = 3
#outputbuffer_processor_threads_max_pool_size = 30
# UDP receive buffer size for all message inputs (e. g. SyslogUDPInput).
#udp_recvbuffer_sizes = 1048576
# Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping)
# Possible types:
# - yielding
# Compromise between performance and CPU usage.
# - sleeping
# Compromise between performance and CPU usage. Latency spikes can occur after quiet periods.
# - blocking
# High throughput, low latency, higher CPU usage.
# - busy_spinning
# Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
processor_wait_strategy = blocking
# Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore.
# For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache.
# Start server with --statistics flag to see buffer utilization.
# Must be a power of 2. (512, 1024, 2048, ...)
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
# Enable the disk based message journal.
message_journal_enabled = true
# The directory which will be used to store the message journal. The directory must me exclusively used by Graylog and
# must not contain any other files than the ones created by Graylog itself.
message_journal_dir = /usr/share/graylog/data/journal
# Journal hold messages before they could be written to Elasticsearch.
# For a maximum of 12 hours or 5 GB whichever happens first.
# During normal operation the journal will be smaller.
#message_journal_max_age = 12h
#message_journal_max_size = 5gb
#message_journal_flush_age = 1m
#message_journal_flush_interval = 1000000
#message_journal_segment_age = 1h
#message_journal_segment_size = 100mb
# Number of threads used exclusively for dispatching internal events. Default is 2.
#async_eventbus_processors = 2
# How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual
# shutdown process. Set to 0 if you have no status checking load balancers in front.
lb_recognition_period_seconds = 3
# Every message is matched against the configured streams and it can happen that a stream contains rules which
# take an unusual amount of time to run, for example if its using regular expressions that perform excessive backtracking.
# This will impact the processing of the entire server. To keep such misbehaving stream rules from impacting other
# streams, Graylog limits the execution time for each stream.
# The default values are noted below, the timeout is in milliseconds.
# If the stream matching for one stream took longer than the timeout value, and this happened more than "max_faults" times
# that stream is disabled and a notification is shown in the web interface.
#stream_processing_timeout = 2000
#stream_processing_max_faults = 3
# Length of the interval in seconds in which the alert conditions for all streams should be checked
# and alarms are being sent.
#alert_check_interval = 60
# Since 0.21 the Graylog server supports pluggable output modules. This means a single message can be written to multiple
# outputs. The next setting defines the timeout for a single output module, including the default output module where all
# messages end up.
#
# Time in milliseconds to wait for all message outputs to finish writing a single message.
#output_module_timeout = 10000
# Time in milliseconds after which a detected stale master node is being rechecked on startup.
#stale_master_timeout = 2000
# Time in milliseconds which Graylog is waiting for all threads to stop on shutdown.
#shutdown_timeout = 30000
# MongoDB connection string
# See http://docs.mongodb.org/manual/reference/connection-string/ for details
mongodb_uri = mongodb://mongo/graylog
# Authenticate against the MongoDB server
#mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog
# Use a replica set instead of a single host
#mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog
# Increase this value according to the maximum connections your MongoDB server can handle from a single client
# if you encounter MongoDB connection problems.
mongodb_max_connections = 100
# Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
# If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5,
# then 500 threads can block. More than that and an exception will be thrown.
# http://api.mongodb.org/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
mongodb_threads_allowed_to_block_multiplier = 5
# Drools Rule File (Use to rewrite incoming log messages)
# See: https://www.graylog.org/documentation/general/rewriting/
#rules_file = /etc/graylog/server/rules.drl
# Email transport
#transport_email_enabled = false
#transport_email_hostname = mail.example.com
#transport_email_port = 587
#transport_email_use_auth = true
#transport_email_use_tls = true
#transport_email_use_ssl = true
#transport_email_auth_username = you@example.com
#transport_email_auth_password = secret
#transport_email_subject_prefix = [graylog]
#transport_email_from_email = graylog@example.com
# Specify and uncomment this if you want to include links to the stream in your stream alert mails.
# This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
#transport_email_web_interface_url = https://graylog.example.com
# The default connect timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
# Default: 5s
#http_connect_timeout = 5s
# The default read timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
# Default: 10s
#http_read_timeout = 10s
# The default write timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
# Default: 10s
#http_write_timeout = 10s
# HTTP proxy for outgoing HTTP connections
#http_proxy_uri =
# Disable the optimization of Elasticsearch indices after index cycling. This may take some load from Elasticsearch
# on heavily used systems with large indices, but it will decrease search performance. The default is to optimize
# cycled indices.
#disable_index_optimization = true
# Optimize the index down to <= index_optimization_max_num_segments. A higher number may take some load from Elasticsearch
# on heavily used systems with large indices, but it will decrease search performance. The default is 1.
#index_optimization_max_num_segments = 1
# The threshold of the garbage collection runs. If GC runs take longer than this threshold, a system notification
# will be generated to warn the administrator about possible problems with the system. Default is 1 second.
#gc_warning_threshold = 1s
# Connection timeout for a configured LDAP server (e. g. ActiveDirectory) in milliseconds.
#ldap_connection_timeout = 2000
# Enable collection of Graylog-related metrics into MongoDB
# WARNING: This will add *a lot* of data into your MongoDB database on a regular interval (1 second)!
# DEPRECATED: This setting and the respective feature will be removed in a future version of Graylog.
#enable_metrics_collection = false
# Disable the use of SIGAR for collecting system stats
#disable_sigar = false
# The default cache time for dashboard widgets. (Default: 10 seconds, minimum: 1 second)
#dashboard_widget_default_cache_time = 10s
# Automatically load content packs in "content_packs_dir" on the first start of Graylog.
content_packs_loader_enabled = true
# The directory which contains content packs which should be loaded on the first start of Graylog.
content_packs_dir = /usr/share/graylog/data/contentpacks
# A comma-separated list of content packs (files in "content_packs_dir") which should be applied on
# the first start of Graylog.
content_packs_auto_load = grok-patterns.json
0

33
ansible-2.0/roles/docker_graylog/files/log4j2.xml Normal file
View File

@@ -0,0 +1,33 @@
<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j">
<Appenders>
<Console name="STDOUT" target="SYSTEM_OUT">
<PatternLayout pattern="%d %-5p: %c - %m%n"/>
</Console>
<!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
<Memory name="graylog-internal-logs" bufferSize="500"/>
</Appenders>
<Loggers>
<!-- Application Loggers -->
<Logger name="org.graylog2" level="info"/>
<Logger name="com.github.joschi.jadconfig" level="warn"/>
<!-- this emits a harmless warning for ActiveDirectory every time which we can't work around :( -->
<Logger name="org.apache.directory.api.ldap.model.message.BindRequestImpl" level="error"/>
<!-- Prevent DEBUG message about Lucene Expressions not found. -->
<Logger name="org.elasticsearch.script" level="warn"/>
<!-- Disable messages from the version check -->
<Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
<!-- Suppress crazy byte array dump of Drools -->
<Logger name="org.drools.compiler.kie.builder.impl.KieRepositoryImpl" level="warn"/>
<!-- Silence chatty natty -->
<Logger name="com.joestelmach.natty.Parser" level="warn"/>
<!-- Silence Kafka log chatter -->
<Logger name="kafka.log.Log" level="warn"/>
<Logger name="kafka.log.OffsetIndex" level="warn"/>
<Root level="warn">
<AppenderRef ref="STDOUT"/>
<AppenderRef ref="graylog-internal-logs"/>
</Root>
</Loggers>
</Configuration>

35
ansible-2.0/roles/docker_graylog/tasks/main.yml Normal file
View File

@@ -0,0 +1,35 @@
---
# main tasks for running graylog on a docker host
# configure host for graylog
# create folders for certs, data,
- name: create data folders (/opt/dkregistry)
run_once: true
file:
path: "{{ item }}"
state: directory
owner: root
group: docker
mode: 0777
with_items:
- /opt/shared/graylog/config
- /opt/shared/graylog/data/config
- /opt/shared/graylog/data/elasticsearch
- /opt/shared/graylog/data/journal
- /opt/shared/graylog/data/mongo
- name: install default config files
run_once: true
copy:
src: "{{ item }}"
dest: "/opt/shared/graylog/config/{{ item }}"
with_items:
- graylog.conf
- log4j2.xml
# setup graylog docker service
#- name: run docker up
# shell: "DOCKER_HOST=dkhost03:2376 docker stack deploy -c docker-compose.yml graylog"
# run_once: true
# args:
# chdir: roles/docker_graylog/files

6
ansible-2.0/roles/docker_registry/defaults/creds.yml Normal file
View File

@@ -0,0 +1,6 @@
---
# private credentials used in docker_registry
docker_registry.users:
- { "richard" : "richard" }
- { "testuser" : "testpassword" }

20
ansible-2.0/roles/docker_registry/files/docker-compose.yml Normal file
View File

@@ -0,0 +1,20 @@
registry:
restart: always
image: registry:2
ports:
- 5000:5000
environment:
REGISTRY_HTTP_SECRET: aabuioqlwlcpp2
# REGISTRY_HTTP_TLS_CERTIFICATE: /certs/cert.pem
# REGISTRY_HTTP_TLS_KEY: /certs/privkey.pem
REGISTRY_HTTP_LETSENCRYPT_CACHEFILE: /var/run/letsencrypt.cache
REGISTRY_HTTP_LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
# REGISTRY_HTTP_HOST: https://192.168.4.41:5000
# REGISTRY_HTTP_ADDR: 192.168.4.41:5000
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
volumes:
- /opt/shared/dkregistry/data:/var/lib/registry
- /etc/letsencrypt/live/dkregistry.xai-corp.net:/certs
- /opt/shared/dkregistry/auth:/auth

40
ansible-2.0/roles/docker_registry/tasks/main.yml Normal file
View File

@@ -0,0 +1,40 @@
---
# Main task for creating a docker registry
- name: clean up old config
command: "{{ item }}"
with_items:
- "rm -rf /opt/dkrepository"
- "rm -rf /opt/shared/dkrepository/auth"
# create folders for certs, data,
- name: create data folders (/opt/dkregistry)
file:
path: "{{ item }}"
state: directory
owner: root
group: docker
mode: 0770
with_items:
- /opt/shared/dkregistry/data
- /opt/shared/dkregistry/auth
# make auth files using docker container
- name: create auth file
shell: echo '' > /opt/shared/dkregistry/auth/htpasswd
- name: add user to auth file
shell: "docker run --entrypoint htpasswd registry:2 -Bbn {{ item.name }} {{ item.pass }} >> /opt/shared/dkregistry/auth/htpasswd"
with_items:
- { "name" : "richard", "pass" : "richard" }
- { "name" : "testuser", "pass" : "testpassword" }
- name: copy composer file
copy:
src: docker-compose.yml
dest: /opt/dkregistry/docker-compose.yml
- name: run docker up
shell: "docker-compose down && docker-compose create && docker-compose start"
args:
chdir: /opt/dkregistry

65
ansible-2.0/roles/docker_swarm_management/tasks/main.yml Normal file
View File

@@ -0,0 +1,65 @@
---
# tasks for managing docker a swarm
# init swarm
- name: run init on a host
command: docker swarm init
args:
creates: /var/lib/docker/swarm/state.json
when: "ansible_nodename in swarm.managers"
run_once: true
# get tokens
- name: get manager_token
command: docker swarm join-token manager -q
register: manager_token
when: "ansible_nodename in swarm.managers"
run_once: true
changed_when: False
- name: get worker_token
command: docker swarm join-token worker -q
register: worker_token
when: "ansible_nodename in swarm.managers"
run_once: true
changed_when: False
#- debug: var=manager_token
# add hosts to swarm
- name: adding manager to swarm
command: docker swarm join --token={{manager_token.stdout}} {{swarm.managers[0]}}
args:
creates: /var/lib/docker/swarm/state.json
when: "ansible_nodename in swarm.managers"
- name: adding worker to swarm
command: docker swarm join --token={{worker_token.stdout}} {{swarm.managers[0]}}
args:
creates: /var/lib/docker/swarm/state.json
when: "ansible_nodename in swarm.workers"
# remove hosts from swarm
- name: remove hosts from swam if found in remove list
command: docker swarm leave
args:
removes: /var/lib/docker/swarm/state.json
when: "ansible_nodename in swarm.removed"
# swarm config
- name: get history limit
command: docker info --format '{% raw %}{{json .Swarm.Cluster.Spec.Orchestration.TaskHistoryRetentionLimit}}{% endraw %}'
register: history_limit
run_once: true
changed_when: False
- debug: var=history_limit.stdout
run_once: True
- name: set history limit
command: docker swarm update --task-history-limit {{swarm.history}}
when:
- "ansible_nodename in swarm.managers"
- 'swarm.history != history_limit.stdout|int'
run_once: true

9
ansible-2.0/roles/dockerhost/defaults/main.yml Normal file
View File

@@ -0,0 +1,9 @@
---
# default vars
dockerhost:
users:
- richard
- ansible
# compose_version: 1.13.0
compose_version: 1.18.0

10
ansible-2.0/roles/dockerhost/files/daemon.json Normal file
View File

@@ -0,0 +1,10 @@
{
"insecure-registries": [
"dkhost.xai-corp.net:5000"
],
"dns": [
"192.168.4.12",
"192.168.4.22",
"8.8.8.8"
]
}

3
ansible-2.0/roles/dockerhost/files/docker.service.host.conf Normal file
View File

@@ -0,0 +1,3 @@
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376

7
ansible-2.0/roles/dockerhost/handlers/main.yml Normal file
View File

@@ -0,0 +1,7 @@
---
# handlers for docker services
- name: restart docker
service:
name: docker
state: restarted

26
ansible-2.0/roles/dockerhost/tasks/fstab.yml Normal file
View File

@@ -0,0 +1,26 @@
---
- name: create mount points
file:
path: "{{ item.value.mount }}"
state: directory
mode: 0755
with_dict: gluster
- name: create glusterfs mount hosts file entries
lineinfile:
state: present
dest: /etc/fstab
insertafter: EOF
regexp: '^#?{{ item.value.host }}'
line: '{{ item.value.host }} {{ item.value.mount }} glusterfs direct-io-mode=disable,defaults,_netdev 0 0'
with_dict: gluster
- name: remove glusterfs mount hosts file entries
lineinfile:
state: absent
dest: /etc/fstab
insertafter: EOF
regexp: '^#?{{ item.value.host }}'
line: '{{ item.value.host }} {{ item.value.mount }} glusterfs direct-io-mode=disable,defaults,_netdev 0 0'
with_dict: gluster_remove

31
ansible-2.0/roles/dockerhost/tasks/glusterfs-volume-driver.yml Normal file
View File

@@ -0,0 +1,31 @@
---
# install glusterfs volume driver plugin
- name: install golang packages
apt:
state: installed
package: "{{ item }}"
update_cache: yes
cache_valid_time: 3600
with_items:
- "golang-go"
- name: make golang workspace
file:
path: /opt/golang
state: directory
mode: 0775
- name: fetch go package
shell: GOPATH=/opt/golang go get github.com/amarkwalder/docker-volume-glusterfs
- name: add plugin to startup
lineinfile:
dest: /etc/rc.local
regexp: 'docker-volume-glusterfs -servers'
line: '/opt/golang/bin/docker-volume-glusterfs -servers cubox-i:home &'
insertbefore: "^exit 0"
#sudo docker-volume-glusterfs -servers gfs-1:gfs-2:gfs-3

89
ansible-2.0/roles/dockerhost/tasks/install-xenial-ce.yml Normal file
View File

@@ -0,0 +1,89 @@
---
# main tasks to install docker
- name: install packages
apt:
state: installed
package: "{{ item }}"
update_cache: yes
with_items:
- "htop"
- "wget"
- "apt-transport-https"
- "ca-certificates"
- "software-properties-common"
- "curl"
- "glusterfs-client"
- xfsprogs
- attr
- virtualbox-guest-additions-iso
- name: remove deprecated packages
apt:
state: absent
package: "{{ item }}"
with_items:
- "docker"
- "docker-engine"
- "docker.io"
- name: remove obsolete apt repro
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu ubuntu-xenial Release
state: absent
- name: install repo keys
shell: curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
- name: install apt repo
apt_repository:
repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable
state: present
- name: install prerequisits
shell: apt-get -y install linux-image-extra-$(uname -r) linux-image-extra-virtual
- name: create docker group
group: state=present name=docker gid=999 system=yes
- name: add users to docker group
user: name={{ item }} groups=docker append=yes
with_items: "{{ dockerhost.users }}"
- name: install via apt
apt:
state: latest
update_cache: true
package: "{{ item }}"
with_items:
- docker-ce
# - virtualbox-guest-dkms
- name: copy docker config file
copy:
src: daemon.json
dest: /etc/docker/daemon.json
notify:
- restart docker
## install docker-compose
- name: install docker-compose from git repo
shell: |
curl -L https://github.com/docker/compose/releases/download/{{compose_version}}/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
## expose the docker daemon on tcp
- name: expose docker daemon
file:
state: directory
path: /etc/systemd/system/docker.service.d
- name: expose docker daemon
copy:
src: docker.service.host.conf
dest: /etc/systemd/system/docker.service.d/host.conf
notify:
- restart docker

99
ansible-2.0/roles/dockerhost/tasks/install-xenial.yml Normal file
View File

@@ -0,0 +1,99 @@
---
# main tasks to install docker
- name: install packages
apt:
state: installed
package: "{{ item }}"
update_cache: yes
cache_valid_time: 3600
with_items:
- "htop"
- "wget"
- "apt-transport-https"
- "ca-certificates"
- "glusterfs-client"
- xfsprogs
- attr
- virtualbox-guest-additions-iso
#- name: install repo keys
# apt_key:
# keyserver: hkp://ha.pool.sks-keyservers.net:80
# id: 58118E89F3A912897C070ADBF76221572C52609D
- name: install apt repo
apt_repository:
repo: deb https://apt.dockerproject.org/repo ubuntu-xenial main
state: present
- name: import repo key
apt_key:
id: 58118E89F3A912897C070ADBF76221572C52609D
keyserver: "hkp://ha.pool.sks-keyservers.net:80"
state: present
- name: install prerequisits
shell: apt-get -y install linux-image-extra-$(uname -r) linux-image-extra-virtual
- name: create docker group
group: state=present name=docker gid=999 system=yes
- name: add users to docker group
user: name={{ item }} groups=docker append=yes
with_items: "{{ dockerhost.users }}"
- name: install via apt
apt:
state: latest
update_cache: true
package: "{{ item }}"
with_items:
- docker-engine
# - virtualbox-guest-dkms
- name: copy docker config file
copy:
src: daemon.json
dest: /etc/docker/daemon.json
notify:
- restart docker
#- name: create mount points for shares
# file:
# state: absent
# mode: 0774
# group: docker
# dest: /opt/shared
#
#- name: create mount points for shares
# file:
# state: link
# mode: 0774
# group: docker
# src: /media/sf_dkhost
# dest: /opt/shared
## install docker-compose
- name: install docker-compose from git repo
shell: |
curl -L https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
## expose the docker daemon on tcp
- name: expose docker daemon
file:
state: directory
path: /etc/systemd/system/docker.service.d
- name: expose docker daemon
copy:
src: docker.service.host.conf
dest: /etc/systemd/system/docker.service.d/host.conf
notify:
- restart docker

27
ansible-2.0/roles/dockerhost/tasks/main.yml Normal file
View File

@@ -0,0 +1,27 @@
---
# main docker tasks
- include: "install-xenial-ce.yml"
when: ansible_distribution_release == "xenial"
become: true
- include: "fstab.yml"
- name: symlinks
file:
state: link
src: "{{ item.src }}"
path: "{{ item.path }}"
force: yes
with_items:
- { src: "/opt/shared/letsencrypt", path: "/etc/letsencrypt" }
- name: setup owncloud cron job
cron:
name: owncloud
state: absent
user: www-data
day: "*/15"
job: "curl -k https://xaibox.xai-corp.net/cron.php"
- include: glusterfs-volume-driver.yml

10
ansible-2.0/roles/dynamic-ip/tasks/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# create cronjob to set dynamic ip
- name: create zone edit cronjob
cron:
name: zoneedit
minute: "*/30"
user: root
job: 'IP=`curl -s http://api.ipify.org` && wget -O - --http-user=rmorgan15 --http-passwd=D422B334D3768ACD "https://dynamic.zoneedit.com/auth/dynamic.html?host=test.xai-corp.net&dnsto=$IP" &>/dev/null'
cron_file: zoneedit

20
ansible-2.0/roles/glusterfs/tasks/main.yml Normal file
View File

@@ -0,0 +1,20 @@
---
# main tasks for installing glusterfs
# install packages
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=86400
- name: Ensure glusterfs server is installed.
apt: "name={{ item }} state=installed"
with_items:
- glusterfs-server
- xfsprogs
- xfsdump
- include: manage_volumes.yml
- include: prometheus_exporter.yml

57
ansible-2.0/roles/glusterfs/tasks/manage_volumes.yml Normal file
View File

@@ -0,0 +1,57 @@
---
# glusterfs mounts
# create mount points
- name: create mount points for all bricks in all volumes
file:
path: "{{ item }}"
state: directory
mode: 0755
with_items: "{{mountpoints}}"
# manage volumes
#- name: remove old gluster volumes
# gluster_volume:
# state: absent
# name: "{{ item.key }}"
# rebalance: no
# replicas: false
# cluster: "{{cluster}}"
# with_dict: "{{removed_volumes}}"
# run_once: true
- name: create gluster volumes
gluster_volume:
state: present
start_on_create: yes
name: "{{ item.key }}"
brick: '{{ item.value | join(",")}}'
rebalance: no
replicas: 2
force: true
cluster: "{{cluster}}"
with_dict: "{{volumes}}"
run_once: true
#- name: create tmp gluster volumes
# gluster_volume:
# state: present
# name: "tmp"
# brick: '/data/glusterfs/tmp/brick1/brick'
# rebalance: no
# replicas: 1
# cluster: "{{cluster}}"
# run_once: true
- name: create distributed gluster volumes
gluster_volume:
state: present
name: "{{ item.key }}"
brick: '{{ item.value | join(",")}}'
rebalance: no
replicas: false
force: true
cluster: "{{cluster}}"
with_dict: "{{distributed_volumes}}"
run_once: true

31
ansible-2.0/roles/glusterfs/tasks/prometheus_exporter.yml Normal file
View File

@@ -0,0 +1,31 @@
---
# tasks to install prometheus gluster_exporter
# https://github.com/ofesseler/gluster_exporter
# install packages
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=86400
- name: Install gluster_exporter dependencies.
apt: "name={{ item }} state=installed"
with_items:
- golang-go
- name: make golang workspace
file:
path: /opt/golang
state: directory
mode: 0775
- name: install gluster_exporter
shell: GOPATH=/opt/golang go get github.com/ofesseler/gluster_exporter
- name: add gluster_exporter to startup
lineinfile:
dest: /etc/rc.local
regexp: '/opt/golang/bin/gluster_exporter'
line: 'nohup /opt/golang/bin/gluster_exporter --profile &'
insertbefore: "^exit 0"
- name: start gluster_exporter
shell: nohup /opt/golang/bin/gluster_exporter --profile &

11
ansible-2.0/roles/home.xai-corp.net/defaults/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
# defaults/main.yml
# define default variable values here
websites:
available:
- home.xai-corp.net
- sql.xai-corp.net
enabled:
- home.xai-corp.net
- sql.xai-corp.net

15
ansible-2.0/roles/home.xai-corp.net/handlers/main.yml Normal file
View File

@@ -0,0 +1,15 @@
---
# handlers/main.yml
# define handlers here
#- name: restart <service>
# service: name=<service> state=restarted
#- name: stop <service>
# service: name=<service> state=stopped
- name: restart apache2
service: name=apache2 state=restarted
- name: reload apache2
service: name=apache2 state=reloaded

10
ansible-2.0/roles/home.xai-corp.net/meta/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# meta/main.yml
# define dependancies here
# dependencies:
# - { role: geerlingguy.java }
dependencies:
- _ping
- user-richard

17
ansible-2.0/roles/home.xai-corp.net/tasks/cron.yml Normal file
View File

@@ -0,0 +1,17 @@
---
# configure crons on home.xai-corp.net
- name: create vm reset crons
cron:
name: vm_reset_{{item}}
state: present
special_time: hourly
user: root
job: 'ping -c1 {{item}} || vboxmanage controlvm {{item}} reset &>/dev/null'
cron_file: vm_reset
with_items:
- dkhost01
- dkhost02
- dkhost04

5
ansible-2.0/roles/home.xai-corp.net/tasks/main.yml Normal file
View File

@@ -0,0 +1,5 @@
---
# tasks/main.yml
# define tasks here
- include: cron.yml

39
ansible-2.0/roles/home.xai-corp.net/tasks/vhosts.yml Normal file
View File

@@ -0,0 +1,39 @@
---
#
# setup the vhosts for apache based websites
# - name: fetch existing vhosts
# fetch: src=/etc/apache2/vhost-available/{{ item }} dest=backups/
# with_items:
# - 00_default_ssl_vhost.conf
# - 00_default_vhost.conf
# - 01_home_vhost.conf
# - 02_test_vhost.conf
# - 04_sql_vhost.conf
# - 05_mail_vhost.conf
# - default_vhost.include
#
# - fetch: src=/etc/apache2/httpd.conf dest=backups/
- name: create vhost dirs
file: state=directory path=/etc/apache2/{{ item }} owner=root group=root mode=0750
with_items:
- sites-available
- sites-enabled
- name: main apache conf
template: src=httpd.conf dest=/etc/apache2/httpd.conf owner=root group=root mode=640
notify:
- reload apache2
- name: setup available vhosts
template: src={{ item }}.j2 dest=/etc/apache2/sites-available/{{ item }}.conf owner=root group=root mode=0640
with_items: "{{ websites.available }}"
notify:
- reload apache2
- name: enable sites
file: state=link src=/etc/apache2/sites-available/{{ item }}.conf dest=/etc/apache2/sites-enabled/{{ item }}.conf
with_items: "{{ websites.enabled }}"
notify:
- reload apache2

28
ansible-2.0/roles/home.xai-corp.net/templates/home.xai-corp.net.j2 Normal file
View File

@@ -0,0 +1,28 @@
<IfModule ssl_module>
<VirtualHost *:80>
ServerName home.xai-corp.net
Redirect / https://home.xai-corp.net/
</VirtualHost>
<VirtualHost *:443>
ServerName home.xai-corp.net
ServerAdmin admin@xai-corp.net
DocumentRoot "/var/www/home.xai-corp.net/public"
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-S$
SSLHonorCipherOrder On
SSLCertificateFile /etc/ssl/apache2/home.xai-corp.net.crt
SSLCertificateKeyFile /etc/ssl/apache2/home.xai-corp.net.key
<Directory "/var/www/home.xai-corp.net/public">
Options Indexes FollowSymLinks
AllowOverride All
Order deny,allow
Allow from 192.168.4.
</Directory>
</VirtualHost>
</IfModule>

181
ansible-2.0/roles/home.xai-corp.net/templates/httpd.conf Normal file
View File

@@ -0,0 +1,181 @@
# This is a modification of the default Apache 2.2 configuration file
# for Gentoo Linux.
#
# Support:
# http://www.gentoo.org/main/en/lists.xml [mailing lists]
# http://forums.gentoo.org/ [web forums]
# irc://irc.freenode.net#gentoo-apache [irc chat]
#
# Bug Reports:
# http://bugs.gentoo.org [gentoo related bugs]
# http://httpd.apache.org/bug_report.html [apache httpd related bugs]
#
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "var/log/apache2/foo_log"
# with ServerRoot set to "/usr" will be interpreted by the
# server as "/usr/var/log/apache2/foo.log".
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk. If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
ServerRoot "/usr/lib/apache2"
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
# GENTOO: Automatically defined based on APACHE2_MODULES USE_EXPAND variable.
# Do not change manually, it will be overwritten on upgrade.
#
# The following modules are considered as the default configuration.
# If you wish to disable one of them, you may have to alter other
# configuration directives.
#
# Change these at your own risk!
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
<IfDefine CACHE>
LoadModule cache_module modules/mod_cache.so
</IfDefine>
LoadModule cgi_module modules/mod_cgi.so
LoadModule cgid_module modules/mod_cgid.so
<IfDefine DAV>
LoadModule dav_module modules/mod_dav.so
</IfDefine>
<IfDefine DAV>
LoadModule dav_fs_module modules/mod_dav_fs.so
</IfDefine>
<IfDefine DAV>
LoadModule dav_lock_module modules/mod_dav_lock.so
</IfDefine>
LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
<IfDefine CACHE>
LoadModule disk_cache_module modules/mod_disk_cache.so
</IfDefine>
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so
<IfDefine CACHE>
LoadModule file_cache_module modules/mod_file_cache.so
</IfDefine>
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
<IfDefine INFO>
LoadModule info_module modules/mod_info.so
</IfDefine>
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
<IfDefine CACHE>
LoadModule mem_cache_module modules/mod_mem_cache.so
</IfDefine>
LoadModule mime_module modules/mod_mime.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule negotiation_module modules/mod_negotiation.so
<IfDefine PROXY>
LoadModule proxy_module modules/mod_proxy.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_connect_module modules/mod_proxy_connect.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_http_module modules/mod_proxy_http.so
</IfDefine>
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule speling_module modules/mod_speling.so
<IfDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
<IfDefine STATUS>
LoadModule status_module modules/mod_status.so
</IfDefine>
LoadModule unique_id_module modules/mod_unique_id.so
<IfDefine USERDIR>
LoadModule userdir_module modules/mod_userdir.so
</IfDefine>
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User apache
Group apache
# Supplemental configuration
#
# Most of the configuration files in the /etc/apache2/modules.d/ directory can
# be turned on using APACHE2_OPTS in /etc/conf.d/apache2 to add extra features
# or to modify the default configuration of the server.
#
# To know which flag to add to APACHE2_OPTS, look at the first line of the
# the file, which will usually be an <IfDefine OPTION> where OPTION is the
# flag to use.
Include /etc/apache2/modules.d/*.conf
# Virtual-host support
#
# Gentoo has made using virtual-hosts easy. In /etc/apache2/vhosts.d/ we
# include a default vhost (enabled by adding -D DEFAULT_VHOST to
# APACHE2_OPTS in /etc/conf.d/apache2).
#Include /etc/apache2/vhosts.d/*.conf
Include /etc/apache2/sites-enabled/*.conf
ServerName localhost
Listen 80
NameVirtualHost *:80
Listen 443
NameVirtualHost *:443
# vim: ts=4 filetype=apache

29
ansible-2.0/roles/home.xai-corp.net/templates/sql.xai-corp.net.j2 Normal file
View File

@@ -0,0 +1,29 @@
<IfModule ssl_module>
<VirtualHost *:80>
ServerName sql.xai-corp.net
Redirect / https://sql.xai-corp.net/
</VirtualHost>
<VirtualHost *:443>
ServerName sql.xai-corp.net
ServerAdmin admin@xai-corp.net
DocumentRoot "/var/www/sql.xai-corp.net/htdocs"
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-S$
SSLHonorCipherOrder On
SSLCertificateFile /etc/ssl/apache2/sql.xai-corp.net.crt
SSLCertificateKeyFile /etc/ssl/apache2/sql.xai-corp.net.key
<Directory "/var/www/sql.xai-corp.net/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
Order deny,allow
Allow from 192.168.4.
</Directory>
</VirtualHost>
</IfModule>

10
ansible-2.0/roles/home.xai-corp.net/vars/_extravars.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# vars/_extravars.yml
# define extra variable values here
# this file should be loaded via an include_vars statement in the task.
# often this is used for managing differences in os.
# Variable setup.
#- name: Include OS-Specific variables
# include_vars: "{{ ansible_os_family }}.yml"

6
ansible-2.0/roles/java/defaults/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
# defaults/main.yml
# define default variable values here
java_packages:
- openjdk-7-jdk

9
ansible-2.0/roles/java/handlers/main.yml Normal file
View File

@@ -0,0 +1,9 @@
---
# handlers/main.yml
# define handlers here
#- name: restart <service>
# service: name=<service> state=restarted
#- name: stop <service>
# service: name=<service> state=stopped

8
ansible-2.0/roles/java/meta/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
# meta/main.yml
# define dependancies here
# dependencies:
# - { role: geerlingguy.java }
dependencies: []

12
ansible-2.0/roles/java/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# tasks/main.yml
# define tasks here
# install packages
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=86400
- name: Ensure Java is installed.
apt: "name={{ item }} state=installed"
with_items: java_packages

10
ansible-2.0/roles/java/vars/_extravars.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# vars/_extravars.yml
# define extra variable values here
# this file should be loaded via an include_vars statement in the task.
# often this is used for managing differences in os.
# Variable setup.
#- name: Include OS-Specific variables
# include_vars: "{{ ansible_os_family }}.yml"

35
ansible-2.0/roles/jenkins/defaults/main.yml Normal file
View File

@@ -0,0 +1,35 @@
---
# defaults/main.yml
# define default variable values here
jenkins_repo_url: deb http://pkg.jenkins-ci.org/debian binary/
jenkins_repo_key_url: http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key
jenkins_connection_delay: 5
jenkins_connection_retries: 60
jenkins_hostname: localhost
jenkins_port: 8080
jenkins_jar_location: /opt/jenkins-cli.jar
jenkins_home: /var/lib/jenkins
jenkins_plugins:
- git
- scm-sync-configuration
- ssh
- ansible
- bitbucket-pullrequest-builder
- windows-slaves
- ssh-slaves
- ant
- cloudbees-folder
- role-strategy
- phing
- build-pipeline-plugin
- delivery-pipeline-plugin
- deployment-sphere
- ownership
jenkins_git_user: jenkins
jenkins_git_email: jenkins@xai-corp.net
http_standard_port: 80

12
ansible-2.0/roles/jenkins/handlers/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# handlers/main.yml
# define handlers here
#- name: restart <service>
# service: name=<service> state=restarted
#- name: stop <service>
# service: name=<service> state=stopped
- name: restart jenkins
service: name=jenkins state=restarted

7
ansible-2.0/roles/jenkins/meta/main.yml Normal file
View File

@@ -0,0 +1,7 @@
---
# meta/main.yml
# define dependancies here
dependencies:
- {role: java }
- {role: nginx }

96
ansible-2.0/roles/jenkins/tasks/main.yml Normal file
View File

@@ -0,0 +1,96 @@
---
# tasks/main.yml
# define tasks here
# install packages
- name: Ensure dependencies are installed.
apt: pkg=curl state=installed
- name: Add Jenkins apt repository key.
apt_key:
url: "{{ jenkins_repo_key_url }}"
state: present
- name: Add Jenkins apt repository.
apt_repository:
repo: "{{ jenkins_repo_url }}"
state: present
update_cache: yes
- name: Ensure Jenkins is installed.
apt: pkg=jenkins state=installed
# start jenkins
- name: Ensure Jenkins is started and runs on startup.
service: name=jenkins state=started enabled=yes
- name: Wait for Jenkins to start up.
shell: curl --head --silent http://{{ jenkins_hostname }}:8080/cli/
register: result
until: result.stdout.find("200 OK") != -1
retries: "{{ jenkins_connection_retries }}"
delay: "{{ jenkins_connection_delay }}"
changed_when: false
# install cli
- name: Get the jenkins-cli jarfile from the Jenkins server.
get_url:
url: "http://{{ jenkins_hostname }}:8080/jnlpJars/jenkins-cli.jar"
dest: "{{ jenkins_jar_location }}"
register: jarfile_get
until: "'OK' in jarfile_get.msg or 'file already exists' in jarfile_get.msg"
retries: 5
delay: 10
# - name: Copy ssh key for authentication
# copy: src={ HOME }/.ssh/jenkins.pub dest="/var/lib/jenkins/.ssh/"
# configure jenkins
# - name: Update jenkins config
# lineinfile: dest=/var/lib/jenkins/config.xml regexp={{ item.reg }} line={{ item.line }}
# with_items:
# - {"reg": "<useSecurity>.*</useSecurity>", "line": "<useSecurity>false</useSecurity>"}
# setup .gitconfig
- name: Setup .gitconfig for jenkins user
template: dest="{{ jenkins_home }}/.gitconfig" src="gitconfig.j2" owner="jenkins" group="jenkins"
# update and install plugins
- name: Create Jenkins updates folder.
file:
path: /var/lib/jenkins/updates
owner: jenkins
group: jenkins
mode: 0755
state: directory
- name: Update Jenkins plugin data.
shell: >
curl -L https://updates.jenkins-ci.org/update-center.json | sed '1d;$d' > /var/lib/jenkins/updates/default.json
creates=/var/lib/jenkins/updates/default.json
- name: Permissions for default.json updates info.
file:
path: /var/lib/jenkins/updates/default.json
owner: jenkins
group: jenkins
mode: 0755
- name: Install Jenkins plugins.
command: >
java -jar {{ jenkins_jar_location }} -s http://{{ jenkins_hostname }}:8080/ install-plugin {{ item }}
creates=/var/lib/jenkins/plugins/{{ item }}.jpi
with_items: jenkins_plugins
notify: restart jenkins
- name: setup folder for jenkins slave on localhost
file: state=directory path=/var/lib/jenkins-slave owner=jenkins group=jenkins mode=0777
# install nginx as proxy
- name: Copy the nginx configuration file
template: src=nginx.jenkins.conf.j2 dest=/etc/nginx/sites-available/jenkins.conf
- name: Enable Jenkins Nginx configuration
file: src=/etc/nginx/sites-available/jenkins.conf dest=/etc/nginx/sites-enabled/jenkins.conf state=link
notify:
- reload nginx

3
ansible-2.0/roles/jenkins/templates/gitconfig.j2 Normal file
View File

@@ -0,0 +1,3 @@
[user]
email = {{ jenkins_git_user }}
name = {{ jenkins_git_user }}

56
ansible-2.0/roles/jenkins/templates/nginx.jenkins.conf.j2 Normal file
View File

@@ -0,0 +1,56 @@
server {
listen {{ http_standard_port }};
server_name {{ jenkins_hostname }};
access_log /var/log/nginx/jenkins_access.log;
error_log /var/log/nginx/jenkins_error.log;
location /userContent {
# Have nginx handle all the static requests to the userContent folder files
# NOTE: This is the $JENKINS_HOME dir
root /var/lib/jenkins/;
if (!-f $request_filename){
# This file does not exist, might be a directory or a /**view** url
rewrite (.*) /$1 last;
break;
}
sendfile on;
}
location @jenkins {
sendfile off;
proxy_pass http://127.0.0.1:{{ jenkins_port }};
proxy_redirect default;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
# This is the maximum upload size
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
location / {
# This is the jenkins web root directory (mentioned in the /etc/default/jenkins file)
root /var/run/jenkins/war/;
# Optional configuration to detect and redirect iPhones
if ($http_user_agent ~* '(iPhone|iPod)') {
rewrite ^/$ /view/iphone/ redirect;
}
try_files $uri @jenkins;
}
}

10
ansible-2.0/roles/jenkins/vars/_extravars.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# vars/_extravars.yml
# define extra variable values here
# this file should be loaded via an include_vars statement in the task.
# often this is used for managing differences in os.
# Variable setup.
#- name: Include OS-Specific variables
# include_vars: "{{ ansible_os_family }}.yml"

10
ansible-2.0/roles/kubernetes-vagrant/defaults/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
#default values
vagrant_installer_url: https://releases.hashicorp.com/vagrant/1.8.6/vagrant_1.8.6_x86_64.deb
vagrant_installer_path: /tmp/vagrant_installer.deb
kubernetes_kubectl_url: https://storage.googleapis.com/kubernetes-release/release/v1.4.3/bin/linux/amd64/kubectl
kubernetes_kubectl_path: /usr/local/bin/kubectl
kubernates_vagrant_config_path: /opt/home.xai-corp.net/coreos-kubernetes/multi-node/vagrant

9
ansible-2.0/roles/kubernetes-vagrant/meta/main.yml Normal file
View File

@@ -0,0 +1,9 @@
---
# meta/main.yml
# define dependancies here
# dependencies:
# - { role: geerlingguy.java }
dependencies:
- { role: vagrant }

54
ansible-2.0/roles/kubernetes-vagrant/tasks/main.yml Normal file
View File

@@ -0,0 +1,54 @@
---
# main tasks for kubernetes role
# install required system packages
- name: install system packages
apt:
state: present
name: "{{item}}"
update_cache: yes
with_items:
- git
- virtualbox
# install kubectl
- stat: path="{{kubernetes_kubectl_path}}"
register: kubectl_exe
- name: download kubectl
get_url:
url: "{{ kubernetes_kubectl_url }}"
dest: "{{kubernetes_kubectl_path}}"
mode: 0755
when: kubectl_exe.stat.exists == False
# get vagrant file from git
- name: fetch vagrantfile
git:
repo: https://github.com/coreos/coreos-kubernetes.git
dest: /opt/home.xai-corp.net/coreos-kubernetes
- stat: path="{{kubernates_vagrant_config_path}}/config.rb"
register: k8s_config
- name: create k8s config
command: cp {{kubernates_vagrant_config_path}}/config.rb.sample {{kubernates_vagrant_config_path}}/config.rb
# update vagrant box
- name: update vagrant box
command: vagrant box update
args:
chdir: "{{kubernates_vagrant_config_path}}"
- name: vagrant up
command: vagrant up
args:
chdir: "{{kubernates_vagrant_config_path}}"
- name: configure kubectl
command: "{{ item }}"
with_items:
- kubectl config set-cluster vagrant-multi-cluster --server=https://172.17.4.99:443 --certificate-authority=${PWD}/ssl/ca.pem
- kubectl config set-credentials vagrant-multi-admin --certificate-authority=${PWD}/ssl/ca.pem --client-key=${PWD}/ssl/admin-key.pem --client-certificate=${PWD}/ssl/admin.pem
- kubectl config set-context vagrant-multi --cluster=vagrant-multi-cluster --user=vagrant-multi-admin
- kubectl config use-context vagrant-multi

163
ansible-2.0/roles/motd/files/cubox.sh Normal file
View File

@@ -0,0 +1,163 @@
#!/bin/bash
#
# 30-sysinfo - generate the system information
# Copyright (c) 2015-2017 Igor Pecovnik
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
THIS_SCRIPT="sysinfo"
MOTD_DISABLE=""
[[ -f /etc/default/armbian-motd ]] && . /etc/default/armbian-motd
for f in $MOTD_DISABLE; do
[[ $f == $THIS_SCRIPT ]] && exit 0
done
# define which hard drive you want to monitor
storage=/dev/sda1
# don't edit below here
function display() {
# $1=name $2=value $3=red_limit $4=minimal_show_limit $5=unit $6=after $7=acs/desc{
# battery red color is opposite, lower number
if [[ "$1" == "Battery" ]]; then local great="<"; else local great=">"; fi
if [[ -n "$2" && "$2" > "0" && (( "${2%.*}" -ge "$4" )) ]]; then
printf "%-14s%s" "$1:"
if awk "BEGIN{exit ! ($2 $great $3)}"; then echo -ne "\e[0;91m $2"; else echo -ne "\e[0;92m $2"; fi
printf "%-1s%s\x1B[0m" "$5"
printf "%-11s%s\t" "$6"
return 1
fi
} # display
function getboardtemp() {
if [ -f /etc/armbianmonitor/datasources/soctemp ]; then
read raw_temp </etc/armbianmonitor/datasources/soctemp
if [ ${raw_temp} -le 200 ]; then
# Allwinner legacy kernels output degree C
board_temp=${raw_temp}
else
# Marvell gets special treatment for whatever reasons
grep -qi Marvell /proc/cpuinfo && \
board_temp=$(( $(awk '{printf("%d",$1/1000)}' <<<${raw_temp}) - 20 )) || \
board_temp=$(awk '{printf("%d",$1/1000)}' <<<${raw_temp})
fi
elif [ -f /etc/armbianmonitor/datasources/pmictemp ]; then
# fallback to PMIC temperature
board_temp=$(awk '{printf("%d",$1/1000)}' </etc/armbianmonitor/datasources/pmictemp)
fi
} # getboardtemp
function batteryinfo() {
# Battery info for Allwinner
mainline_dir="/sys/power/axp_pmu"
legacy_dir="/sys/class/power_supply"
if [[ -e "$mainline_dir" ]]; then
read status_battery_connected < $mainline_dir/battery/connected
if [[ "$status_battery_connected" == "1" ]]; then
read status_battery_charging < $mainline_dir/charger/charging
read status_ac_connect < $mainline_dir/ac/connected
read battery_percent< $mainline_dir/battery/capacity
# dispay charging / percentage
if [[ "$status_ac_connect" == "1" && "$battery_percent" -lt "100" ]]; then
status_battery_text=" charging"
elif [[ "$status_ac_connect" == "1" && "$battery_percent" -eq "100" ]]; then
status_battery_text=" charged"
else
status_battery_text=" discharging"
fi
fi
elif [[ -e "$legacy_dir/battery" ]]; then
if [[ (("$(cat $legacy_dir/battery/voltage_now)" -gt "5" )) ]]; then
status_battery_text=" "$(awk '{print tolower($0)}' < $legacy_dir/battery/status)
read battery_percent <$legacy_dir/battery/capacity
fi
fi
} # batteryinfo
function ambienttemp() {
# read ambient temperature from USB device if available
amb_temp=$(temper -c 2>/dev/null)
case ${amb_temp} in
*"find the USB device"*)
echo ""
;;
*)
amb_temp=$(awk '{print $NF}' <<<$amb_temp | sed 's/C//g')
echo -n "scale=1;${amb_temp}/1" | grep -oE "\-?[[:digit:]]+.[[:digit:]]"
esac
} # ambienttemp
function get_ip_addresses() {
# return up to 2 IPv4 address(es) comma separated
hostname -I | tr " " "\n" | \
grep -E "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$" | \
tail -n2 | sed ':a;N;$!ba;s/\n/,/g'
} # get_ip_addresses
function storage_info() {
# storage info
RootInfo=$(df -h /)
root_usage=$(awk '/\// {print $(NF-1)}' <<<${RootInfo} | sed 's/%//g')
root_total=$(awk '/\// {print $(NF-4)}' <<<${RootInfo})
StorageInfo=$(df -h $storage 2>/dev/null | grep $storage)
if [ -n "${StorageInfo}" ]; then
storage_usage=$(awk '/\// {print $(NF-1)}' <<<${StorageInfo} | sed 's/%//g')
storage_total=$(awk '/\// {print $(NF-4)}' <<<${StorageInfo})
[[ "$storage" == */sd* ]] && hdd_temp=$(hddtemp -u C -nq $storage)
fi
} # storage_info
# query various systems and send some stuff to the background for overall faster execution.
# Works only with ambienttemp and batteryinfo since A20 is slow enough :)
amb_temp=$(ambienttemp &)
ip_address=$(get_ip_addresses &)
batteryinfo
storage_info
getboardtemp
critical_load=$(( 1 + $(grep -c processor /proc/cpuinfo) / 2 ))
# get uptime, logged in users and load in one take
UptimeString=$(uptime | tr -d ',')
time=$(awk -F" " '{print $3" "$4}' <<<"${UptimeString}")
load="$(awk -F"average: " '{print $2}'<<<"${UptimeString}")"
users="$(awk -F" user" '{print $1}'<<<"${UptimeString}")"
case ${time} in
1:*) # 1-2 hours
time=$(awk -F" " '{print $3" hour"}' <<<"${UptimeString}")
;;
*:*) # 2-24 hours
time=$(awk -F" " '{print $3" hours"}' <<<"${UptimeString}")
;;
esac
# memory and swap
mem_info=$(LANG=en_US.UTF-8 free -w 2>/dev/null | grep "^Mem" || LANG=en_US.UTF-8 free | grep "^Mem")
memory_usage=$(awk '{printf("%.0f",(($2-($4+$6+$7))/$2) * 100)}' <<<${mem_info})
memory_total=$(awk '{printf("%d",$2/1024)}' <<<${mem_info})
swap_info=$(LANG=en_US.UTF-8 free -m | grep "^Swap")
swap_usage=$( (awk '/Swap/ { printf("%3.0f", $3/$2*100) }' <<<${swap_info} 2>/dev/null || echo 0) | tr -c -d '[:digit:]')
swap_total=$(awk '{print $(2)}' <<<${swap_info})
# display info
display "System load" "${load%% *}" "${critical_load}" "0" "" "${load#* }"
printf "Up time: \x1B[92m%s\x1B[0m\t\t" "$time"
display "Local users" "${users##* }" "3" "2" ""
echo "" # fixed newline
display "Memory usage" "$memory_usage" "70" "0" " %" " of ${memory_total}MB"
display "Swap usage" "$swap_usage" "10" "0" " %" " of $swap_total""Mb"
printf "IP: "
printf "\x1B[92m%s\x1B[0m" "$ip_address"
echo "" # fixed newline
a=0;b=0;c=0
display "CPU temp" "$board_temp" "45" "0" "°C" "" ; a=$?
display "HDD temp" "$hdd_temp" "45" "0" "°C" "" ; b=$?
display "Ambient temp" "$amb_temp" "40" "0" "°C" "" ; c=$?
(( ($a+$b+$c) >0 )) && echo "" # new line only if some value is displayed
display "Usage of /" "$root_usage" "90" "1" "%" " of $root_total"
display "storage/" "$storage_usage" "90" "1" "%" " of $storage_total"
display "Battery" "$battery_percent" "20" "1" "%" "$status_battery_text"
echo ""
echo ""

2
ansible-2.0/roles/motd/files/hostname.sh Normal file
View File

@@ -0,0 +1,2 @@
#!/bin/bash
figlet $(hostname)

167
ansible-2.0/roles/motd/files/systats.sh Normal file
View File

@@ -0,0 +1,167 @@
#!/bin/bash
#
# 10-sysinfo - generate the system information
# Copyright (c) 2013 Nick Charlton
#
# Authors: Nick Charlton &lt;hello@nickcharlton.net&gt;
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# define which hard drive you want to monitor
storage=/dev/sda1
function display() {
# $1=name $2=value $3=red_limit $4=minimal_show_limit $5=unit $6=after $7=acs/desc{
# battery red color is opposite, lower number
if [[ "$1" == "Battery" ]]; then local great="<"; else local great=">"; fi
if [[ -n "$2" && "$2" > "0" && (( "${2%.*}" -ge "$4" )) ]]; then
printf "%-14s%s" "$1:"
if awk "BEGIN{exit ! ($2 $great $3)}"; then echo -ne "\e[0;91m $2"; else echo -ne "\e[0;92m $2"; fi
printf "%-1s%s\x1B[0m" "$5"
printf "%-11s%s\t" "$6"
return 1
fi
} # display
#function getboardtemp() {
# if [ -f /etc/armbianmonitor/datasources/soctemp ]; then
# read raw_temp </etc/armbianmonitor/datasources/soctemp
# if [ ${raw_temp} -le 200 ]; then
# # Allwinner legacy kernels output degree C
# board_temp=${raw_temp}
# else
# # Marvell gets special treatment for whatever reasons
# grep -qi Marvell /proc/cpuinfo && \
# board_temp=$(( $(awk '{printf("%d",$1/1000)}' <<<${raw_temp}) - 20 )) || \
# board_temp=$(awk '{printf("%d",$1/1000)}' <<<${raw_temp})
# fi
# elif [ -f /etc/armbianmonitor/datasources/pmictemp ]; then
# # fallback to PMIC temperature
# board_temp=$(awk '{printf("%d",$1/1000)}' </etc/armbianmonitor/datasources/pmictemp)
# fi
#} # getboardtemp
#function batteryinfo() {
# # Battery info for Allwinner
# mainline_dir="/sys/power/axp_pmu"
# legacy_dir="/sys/class/power_supply"
# if [[ -e "$mainline_dir" ]]; then
# read status_battery_connected < $mainline_dir/battery/connected
# if [[ "$status_battery_connected" == "1" ]]; then
# read status_battery_charging < $mainline_dir/charger/charging
# read status_ac_connect < $mainline_dir/ac/connected
# read battery_percent< $mainline_dir/battery/capacity
# # dispay charging / percentage
# if [[ "$status_ac_connect" == "1" && "$battery_percent" -lt "100" ]]; then
# status_battery_text=" charging"
# elif [[ "$status_ac_connect" == "1" && "$battery_percent" -eq "100" ]]; then
# status_battery_text=" charged"
# else
# status_battery_text=" discharging"
# fi
# fi
# elif [[ -e "$legacy_dir/battery" ]]; then
# if [[ (("$(cat $legacy_dir/battery/voltage_now)" -gt "5" )) ]]; then
# status_battery_text=" "$(awk '{print tolower($0)}' < $legacy_dir/battery/status)
# read battery_percent <$legacy_dir/battery/capacity
# fi
# fi
#} # batteryinfo
#
#function ambienttemp() {
# # read ambient temperature from USB device if available
# amb_temp=$(temper -c 2>/dev/null)
# case ${amb_temp} in
# *"find the USB device"*)
# echo ""
# ;;
# *)
# amb_temp=$(awk '{print $NF}' <<<$amb_temp | sed 's/C//g')
# echo -n "scale=1;${amb_temp}/1" | grep -oE "\-?[[:digit:]]+.[[:digit:]]"
# esac
#} # ambienttemp
function get_ip_addresses() {
# return up to 2 IPv4 address(es) comma separated
hostname -I | tr " " "\n" | \
grep "192.168." | \
tail -n2 | sed ':a;N;$!ba;s/\n/,/g'
} # get_ip_addresses
ip_address=$(get_ip_addresses &)
## storage
#function storage_info() {
# # storage info
# RootInfo=$(df -h /)
# root_usage=$(awk '/\// {print $(NF-1)}' <<<${RootInfo} | sed 's/%//g')
# root_total=$(awk '/\// {print $(NF-4)}' <<<${RootInfo})
# StorageInfo=$(df -h $storage 2>/dev/null | grep $storage)
# if [ -n "${StorageInfo}" ]; then
# storage_usage=$(awk '/\// {print $(NF-1)}' <<<${StorageInfo} | sed 's/%//g')
# storage_total=$(awk '/\// {print $(NF-4)}' <<<${StorageInfo})
# [[ "$storage" == */sd* ]] && hdd_temp=$(hddtemp -u C -nq $storage)
# fi
#} # storage_info
#storage_info
root_usage=`df -h / | awk '/\// {print $(NF-1)}'`
## System info
date=`date`
UptimeString=$(uptime | tr -d ',')
time=$(awk -F" " '{print $3" "$4}' <<<"${UptimeString}")
load="$(awk -F"average: " '{print $2}'<<<"${UptimeString}")"
users="$(awk -F" user" '{print $1}'<<<"${UptimeString}")"
critical_load=$(( 1 + $(grep -c processor /proc/cpuinfo) / 2 ))
processes=`ps aux | wc -l`
## memory and swap
mem_info=$(LANG=en_US.UTF-8 free -w 2>/dev/null | grep "^Mem" || LANG=en_US.UTF-8 free | grep "^Mem")
memory_usage=$(awk '{printf("%.0f",(($2-($4+$6+$7))/$2) * 100)}' <<<${mem_info})
memory_total=$(awk '{printf("%d",$2/1024)}' <<<${mem_info})
swap_info=$(LANG=en_US.UTF-8 free -m | grep "^Swap")
swap_usage=$( (awk '/Swap/ { printf("%3.0f", $3/$2*100) }' <<<${swap_info} 2>/dev/null || echo 0) | tr -c -d '[:digit:]')
swap_total=$(awk '{print $(2)}' <<<${swap_info})
swap_usage=`free -m | awk '/Swap:/ { printf("%3.1f%%", $3/$2*100) }'`
#batteryinfo
#getboardtemp
# DISPLAY
echo "System information as of: $date"
echo
display "System load" "${load%% *}" "${critical_load}" "0" "" "${load#* }"
printf "Up time: \x1B[92m%s\x1B[0m\t\t" "$time"
echo "" # fixed newline
display "Memory usage" "$memory_usage" "70" "0" " %" " of ${memory_total}MB"
display "Swap usage" "$swap_usage" "10" "0" " %" " of ${swap_total}Mb"
echo ""
display "Usage of /" "$root_usage" "90" "1" "%" " of $root_total"
printf "IP: "
printf "\x1B[92m%s\x1B[0m" "$ip_address"
echo ""
display "Local users" "${users##* }" "3" "0" ""
display "Processes" "${processes##* }" "150" "100" ""
echo ""
#a=0;b=0;c=0
#display "CPU temp" "$board_temp" "45" "0" "°C" "" ; a=$?
#display "HDD temp" "$hdd_temp" "45" "0" "°C" "" ; b=$?
#display "Ambient temp" "$amb_temp" "40" "0" "°C" "" ; c=$?
#(( ($a+$b+$c) >0 )) && echo "" # new line only if some value is displayed

38
ansible-2.0/roles/motd/tasks/main.yml Normal file
View File

@@ -0,0 +1,38 @@
---
# main tasks for setting up motd dynamic shell header
- debug: var=ansible_nodename
- name: Install the nginx packages
apt:
name: "{{ item }}"
update_cache: yes
cache_valid_time: 3600
state: latest
with_items:
- lsb-release
- figlet
- update-motd
- lm-sensors
when: ansible_architecture != 'armv7l'
- name: remove help text
file:
state: absent
path: "{{ item }}"
with_items:
- /etc/update-motd.d/10-help-text
- /etc/update-motd.d/51-cloudguest
when: ansible_architecture != 'armv7l'
- name: add new info
copy:
src: "{{ item.src }}"
dest: /etc/update-motd.d/{{ item.dest }}
mode: 755
with_items:
- { src: hostname.sh, dest: 10-hostname }
- { src: systats.sh, dest: 11-sysstats}
when: ansible_architecture != 'armv7l'

4
ansible-2.0/roles/nginx/defaults/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
# defaults/main.yml
# define default variable values here

12
ansible-2.0/roles/nginx/handlers/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# handlers/main.yml
# define handlers here
#- name: restart <service>
# service: name=<service> state=restarted
#- name: stop <service>
# service: name=<service> state=stopped
- name: reload nginx
service: name=nginx state=reloaded

8
ansible-2.0/roles/nginx/meta/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
# meta/main.yml
# define dependancies here
# dependencies:
# - { role: geerlingguy.java }
dependencies: []

16
ansible-2.0/roles/nginx/tasks/main.yml Normal file
View File

@@ -0,0 +1,16 @@
---
# tasks/main.yml
# define tasks here
- name: Install the nginx packages
apt: name={{ item }} state=present
with_items:
- nginx
# - name: Ensure log directory exist
# file: path=/etc/nginx/sites-enabled state=directory mode=0644
- name: Copy the nginx configuration file
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
notify:
- reload nginx

49
ansible-2.0/roles/nginx/templates/nginx.conf.j2 Normal file
View File

@@ -0,0 +1,49 @@
user root;
worker_processes 8;
worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
pid /var/run/nginx.pid;
worker_rlimit_nofile 65535;
events {
use epoll;
worker_connections 65535;
}
http {
server_tokens off;
include mime.types;
default_type application/octet-stream;
log_format full '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" $request_time';
charset utf-8;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 64k;
client_max_body_size 8m;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 60;
open_file_cache max=65535 inactive=10s;
open_file_cache_valid 30s;
open_file_cache_min_uses 1;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/javascript text/css application/xml application/json;
gzip_vary on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

10
ansible-2.0/roles/nginx/vars/_extravars.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# vars/_extravars.yml
# define extra variable values here
# this file should be loaded via an include_vars statement in the task.
# often this is used for managing differences in os.
# Variable setup.
#- name: Include OS-Specific variables
# include_vars: "{{ ansible_os_family }}.yml"

14
ansible-2.0/roles/ns.xai-corp.net/defaults/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
# defaults/main.yml
# define default variable values here
bind:
user: root
group: bind
service: bind9
zonefiles:
- xai-corp.net.internal
- localhost.zone
- xai-corp.net.external
- xai-corp.net.reverse

12
ansible-2.0/roles/ns.xai-corp.net/handlers/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# handlers/main.yml
# define handlers here
#- name: restart <service>
# service: name=<service> state=restarted
#- name: stop <service>
# service: name=<service> state=stopped
- name: restart bind
service: name={{ bind.service }} state=restarted

8
ansible-2.0/roles/ns.xai-corp.net/meta/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
# meta/main.yml
# define dependancies here
# dependencies:
# - { role: geerlingguy.java }
dependencies: []

45
ansible-2.0/roles/ns.xai-corp.net/tasks/main.yml Normal file
View File

@@ -0,0 +1,45 @@
---
# tasks/main.yml
# define tasks here
- name: install bind package
apt:
name: "{{ item }}"
update_cache: yes
cache_valid_time: 86400
state: latest
with_items:
- bind9
- name: set correct permissions for logging
file:
state=directory
path=/var/log/named/
owner={{ bind.user }}
group={{ bind.group }}
mode=0777
notify:
- restart bind
- name: copy zone files to /etc/bind/
template:
src: "{{ item }}.j2"
dest: /etc/bind/db.{{ item }}
owner: "{{ bind.user }}"
group: "{{ bind.group }}"
mode: 0644
with_items: "{{ bind.zonefiles }}"
notify:
- restart bind
- name: test zone files
command: named-checkzone xai-corp.net /etc/bind/db.xai-corp.net.internal
- name: copy named.confs to /etc/bind/
template: src={{ item }}.j2 dest=/etc/bind/{{ item }} owner={{ bind.user }} group={{ bind.group }} mode=0640
with_items:
- named.conf.local
- named.conf.options
- named.conf.default-zones
notify:
- restart bind

12
ansible-2.0/roles/ns.xai-corp.net/templates/localhost.zone.j2 Normal file
View File

@@ -0,0 +1,12 @@
$TTL 1W
@ IN SOA localhost. root.localhost. (
20150920 ; Serial
28800 ; Refresh
14400 ; Retry
604800 ; Expire - 1 week
86400 ) ; Minimum
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1

30
ansible-2.0/roles/ns.xai-corp.net/templates/named.conf.default-zones.j2 Normal file
View File

@@ -0,0 +1,30 @@
// prime the server with knowledge of the root servers
view "defaults" {
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
};

205
ansible-2.0/roles/ns.xai-corp.net/templates/named.conf.j2 Normal file
View File

@@ -0,0 +1,205 @@
/*
* Refer to the named.conf(5) and named(8) man pages, and the documentation
* in /usr/share/doc/bind-9 for more details.
* Online versions of the documentation can be found here:
* http://www.isc.org/software/bind/documentation
*
* If you are going to set up an authoritative server, make sure you
* understand the hairy details of how DNS works. Even with simple mistakes,
* you can break connectivity for affected parties, or cause huge amounts of
* useless Internet traffic.
*/
acl "xfer" {
/* Deny transfers by default except for the listed hosts.
* If we have other name servers, place them here.
*/
none;
};
/*
* You might put in here some ips which are allowed to use the cache or
* recursive queries
*/
acl "trusted" {
127.0.0.0/8;
192.168.4.0/24;
::1/128;
};
options {
directory "/var/bind";
pid-file "/var/run/named/named.pid";
/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
//bindkeys-file "/etc/bind/bind.keys";
/*listen-on-v6 { ::1; };*/
listen-on { 127.0.0.1; 192.168.4.12; };
allow-query {
/*
* Accept queries from our "trusted" ACL. We will
* allow anyone to query our master zones below.
* This prevents us from becoming a free DNS server
* to the masses.
*/
trusted;
};
allow-query-cache {
/* Use the cache for the "trusted" ACL. */
trusted;
};
// allow-recursion {
// /* Only trusted addresses are allowed to use recursion. */
// trusted;
// };
allow-transfer {
/* Zone tranfers are denied by default. */
none;
};
allow-update {
/* Don't allow updates, e.g. via nsupdate. */
none;
};
/*
* If you've got a DNS server around at your upstream provider, enter its
* IP address here, and enable the line below. This will make you benefit
* from its cache, thus reduce overall DNS traffic in the Internet.
*
* Uncomment the following lines to turn on DNS forwarding, and change
* and/or update the forwarding ip address(es):
*/
forward first;
forwarders {
// 207.164.234.129; // Your ISP NS
// 207.164.234.193; // Your ISP NS
8.8.8.8; // Google Open DNS
8.8.4.4; // Google Open DNS
4.2.2.1; // Level3 Public DNS
4.2.2.2; // Level3 Public DNS
};
//dnssec-enable yes;
//dnssec-validation yes;
/*
* As of bind 9.8.0:
* "If the root key provided has expired,
* named will log the expiration and validation will not work."
*/
//dnssec-validation auto;
/* if you have problems and are behind a firewall: */
//query-source address * port 53;
};
logging {
channel default_log {
file "/var/log/named/named.log" versions 3 size 5M;
severity notice;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
category general { default_log; };
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/24; ::1/128; } keys { "rndc-key"; };
};
view "internal" {
match-clients { 192.168.4.12; localhost; 192.168.4.0/24; };
recursion yes;
zone "." in {
type hint;
file "/var/bind/named.cache";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/localhost.zone";
notify no;
};
zone "xai-corp.net." IN {
type master;
file "pri/xai-corp.net.internal";
allow-transfer { none; };
};
zone "4.168.192.in-addr.arpa." IN {
type master;
file "pri/xai-corp.net.reverse";
allow-update { none; };
};
};
view "external" {
match-clients { none; };
recursion no;
// zone "xai-corp.net" {
// type master;
// file "pri/xai-corp.net.external";
// allow-query { none; };
// allow-transfer { 127.0.0.1; };
// };
};
/*
* Briefly, a zone which has been declared delegation-only will be effectively
* limited to containing NS RRs for subdomains, but no actual data beyond its
* own apex (for example, its SOA RR and apex NS RRset). This can be used to
* filter out "wildcard" or "synthesized" data from NAT boxes or from
* authoritative name servers whose undelegated (in-zone) data is of no
* interest.
* See http://www.isc.org/software/bind/delegation-only for more info
*/
//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };
//zone "YOUR-DOMAIN.TLD" {
// type master;
// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
// allow-query { any; };
// allow-transfer { xfer; };
//};
//zone "YOUR-SLAVE.TLD" {
// type slave;
// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
// masters { <MASTER>; };
/* Anybody is allowed to query but transfer should be controlled by the master. */
// allow-query { any; };
// allow-transfer { none; };
/* The master should be the only one who notifies the slaves, shouldn't it? */
// allow-notify { <MASTER>; };
// notify no;
//};

85
ansible-2.0/roles/ns.xai-corp.net/templates/named.conf.local.j2 Normal file
View File

@@ -0,0 +1,85 @@
# named.conf.local
#
# - local zones and views
view "internal" {
match-clients { trusted; };
recursion yes;
// zone "." in {
// type hint;
// file "/etc/bind/named.cache";
// };
zone "localhost" IN {
type master;
file "/etc/bind/db.127";
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "/etc/bind/db.127";
notify no;
};
zone "xai-corp.net." IN {
type master;
file "/etc/bind/db.xai-corp.net.internal";
allow-transfer { none; };
};
zone "4.168.192.in-addr.arpa." IN {
type master;
file "/etc/bind/db.xai-corp.net.reverse";
allow-update { none; };
};
};
view "external" {
match-clients { none; };
recursion no;
// zone "xai-corp.net" {
// type master;
// file "/etc/bind/db.xai-corp.net.external";
// allow-query { none; };
// allow-transfer { 127.0.0.1; };
// };
};
/*
* Briefly, a zone which has been declared delegation-only will be effectively
* limited to containing NS RRs for subdomains, but no actual data beyond its
* own apex (for example, its SOA RR and apex NS RRset). This can be used to
* filter out "wildcard" or "synthesized" data from NAT boxes or from
* authoritative name servers whose undelegated (in-zone) data is of no
* interest.
* See http://www.isc.org/software/bind/delegation-only for more info
*/
//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };
//zone "YOUR-DOMAIN.TLD" {
// type master;
// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
// allow-query { any; };
// allow-transfer { xfer; };
//};
//zone "YOUR-SLAVE.TLD" {
// type slave;
// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
// masters { <MASTER>; };
/* Anybody is allowed to query but transfer should be controlled by the master. */
// allow-query { any; };
// allow-transfer { none; };
/* The master should be the only one who notifies the slaves, shouldn't it? */
// allow-notify { <MASTER>; };
// notify no;
//};

81
ansible-2.0/roles/ns.xai-corp.net/templates/named.conf.options.j2 Normal file
View File

@@ -0,0 +1,81 @@
/*
* Refer to the named.conf(5) and named(8) man pages, and the documentation
* in /usr/share/doc/bind-9 for more details.
* Online versions of the documentation can be found here:
* http://www.isc.org/software/bind/documentation
*
* If you are going to set up an authoritative server, make sure you
* understand the hairy details of how DNS works. Even with simple mistakes,
* you can break connectivity for affected parties, or cause huge amounts of
* useless Internet traffic.
*/
acl "xfer" {
/* Deny transfers by default except for the listed hosts.
* If we have other name servers, place them here.
*/
none;
};
/*
* You might put in here some ips which are allowed to use the cache or
* recursive queries
*/
acl "trusted" {
127.0.0.0/8;
192.168.4.0/24;
::1/128;
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forward first;
forwarders {
// 207.164.234.129; // Your ISP NS
// 207.164.234.193; // Your ISP NS
// 4.2.2.1; // Level3 Public DNS
// 4.2.2.2; // Level3 Public DNS
8.8.8.8; // Google Open DNS
8.8.4.4; // Google Open DNS
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
logging {
channel default_log {
file "/var/log/named/named.log" versions 3 size 5M;
severity notice;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
category general { default_log; };
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/24; ::1/128; } keys { "rndc-key"; };
};

17
ansible-2.0/roles/ns.xai-corp.net/templates/xai-corp.net.external.j2 Normal file
View File

@@ -0,0 +1,17 @@
$ORIGIN xai-corp.net.
$TTL 2d
@ IN SOA ns.xai-corp.net. root.xai-corp.net. (
20150920;serial
3h ;refresh
1h ;retry
1w ;expiry
1d ) ;minimum
xai-corp.net. IN NS ns.xai-corp.net.
;xai-corp.net. IN A 208.94.116.179
;xai-corp.net. IN A 208.94.116.21
;xai-corp.net. IN A 208.94.117.26
;www.xai-corp.net. IN A 208.94.116.179
;www.xai-corp.net. IN A 208.94.116.21
;www.xai-corp.net. IN A 208.94.117.26

73
ansible-2.0/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 Normal file
View File

@@ -0,0 +1,73 @@
$TTL 1D
@ IN SOA xai-corp.net. root.xai-corp.net. (
20150920; serial
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum
xai-corp.net. IN NS ns.xai-corp.net.
xai-corp.net. IN MX 0 mail.xai-corp.net.
xai-corp.net. IN TXT "v=spf1 ip4:192.168.4.11/32 mx ptr mx:mail.xai-corp.net ~all"
;mail IN A 192.168.4.12
gateway IN A 192.168.4.4
wireless IN A 192.168.4.3
printer IN A 192.168.4.13
scanner IN CNAME printer
laser IN A 192.168.4.14
tv IN A 192.168.4.16
xaicorp1 IN A 192.168.4.103
garden IN A 192.168.4.20
; bare metal servers
home IN A 192.168.4.11
cubox-i IN A 192.168.4.12
; virtual machine servers
home02 IN A 192.168.4.22
dkhost01 IN A 192.168.4.41
dkhost02 IN A 192.168.4.52
dkhost03 IN A 192.168.4.53
dkhost04 IN A 192.168.4.54
dkhost05 IN A 192.168.4.55
; dns servers
ns IN A 192.168.4.22
ns02 IN CNAME cubox-i
; gluster servers
gluster IN A 192.168.4.11
;gluster IN A 192.168.4.12
; docker swarm nodes
dkhost IN A 192.168.4.11
;dkhost IN A 192.168.4.41
;dkhost IN A 192.168.4.52
;dkhost IN A 192.168.4.53
;dkhost IN A 192.168.4.54
;dkhost IN A 192.168.4.55
; docker swarm managers
dkmanager IN A 192.168.4.11
;dkmanager IN A 192.168.4.52
;dkmanager IN A 192.168.4.54
; service domains
fs IN CNAME dkhost
git IN CNAME dkhost
dkui IN CNAME dkhost
jenkins IN CNAME dkhost
logs IN CNAME dkhost
dkregistry IN CNAME dkhost
sql IN CNAME dkhost
mysql IN CNAME dkhost
tripbuilder IN CNAME dkhost
xaibox IN CNAME dkhost
office IN CNAME dkhost
www IN CNAME dkhost
mail IN CNAME dkhost
abcapi IN CNAME dkhost
prometheus IN CNAME dkhost
metrics IN CNAME dkhost
; xai-corp.net. IN CNAME dkhost

25
ansible-2.0/roles/ns.xai-corp.net/templates/xai-corp.net.reverse.j2 Normal file
View File

@@ -0,0 +1,25 @@
$TTL 24h
$ORIGIN 4.168.192.IN-ADDR.ARPA.
@ IN SOA ns.xai-corp.net. root.xai-corp.net. (
20150920; serial
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum
@ IN NS ns.xai-corp.net.
1 IN PTR gateway.xai-corp.net.
3 IN PTR wireless.xai-corp.net.
13 IN PTR printer.xai-corp.net.
14 IN PTR laser.xai-corp.net.
16 IN PTR tv.xai-corp.net.
103 IN PTR xaicorp1.xai-corp.net.
11 IN PTR home.xai-corp.net.
12 IN PTR cubox-i.xai-corp.net.
20 IN PTR garden.xai-corp.net.
22 IN PTR home02.xai-corp.net.
41 IN PTR dkhost01.xai-corp.net.
43 IN PTR dkhost02.xai-corp.net.
53 IN PTR dkhost03.xai-corp.net.
54 IN PTR dkhost04.xai-corp.net.

10
ansible-2.0/roles/ns.xai-corp.net/vars/_extravars.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# vars/_extravars.yml
# define extra variable values here
# this file should be loaded via an include_vars statement in the task.
# often this is used for managing differences in os.
# Variable setup.
#- name: Include OS-Specific variables
# include_vars: "{{ ansible_os_family }}.yml"

12
ansible-2.0/roles/php5-fpm-phalcon/handlers/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# handlers/main.yml
# define handlers here
#- name: restart <service>
# service: name=<service> state=restarted
#- name: stop <service>
# service: name=<service> state=stopped
- name: restart php
service: name=php5-fpm state=restarted

31
ansible-2.0/roles/php5-fpm-phalcon/tasks/main.yml Normal file
View File

@@ -0,0 +1,31 @@
---
# tasks/main.yml
# define tasks here
# install packages
- name: Ensure dependencies are installed.
apt: pkg={{ item }} state=installed
with_items:
- php5-fpm
- php5-curl
# phalcon
- apt_repository: repo='ppa:phalcon/stable' state=present
- apt: pkg=php5-phalcon state=installed update_cache=yes
# config
- name: php.ini setup
lineinfile: dest=/etc/php5/fpm/php.ini line='{{ item.line }}' regexp='{{ item.regexp }}'
with_items:
- { "line":"cgi.fix_pathinfo=0", "regexp":";?cgi.fix_pathinfo=" }
notify:
- restart php
- name: pool.d/www.conf setup
lineinfile: dest=/etc/php5/fpm/pool.d/www.conf line='{{ item.line }}' regexp='{{ item.regexp }}'
with_items:
- { "line":"listen = /var/run/php5-fpm.sock", "regexp":";?listen =" }
notify:
- restart php

6
ansible-2.0/roles/php7-fpm/defaults/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
# default vars
php7-fpm:
packages:
- php-zip

Some files were not shown because too many files have changed in this diff Show More