xai-corp.net/provisioning
1
0
Fork 0
Code Issues 9 Releases Activity

setup nextcloud service

Browse Source
This commit is contained in:
richard
2017-07-15 23:32:27 -04:00
parent 5e8759156f
commit e6900502e4
27 changed files with 418 additions and 196 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
dkhost.xai-corp.net.yml
View File

@@ -24,6 +24,7 @@
- debugfs
- proc
- securityfs
- tmpfs
excluded_mountpoint_re: /[media/richard|run/user].*
docker:
init_config:
@@ -61,11 +62,24 @@
host: gluster:/elasticsearch
mount: /data/elasticsearch
certbot:
domains:
- xai-corp.net
- www.xai-corp.net
- dkregistry.xai-corp.net
- sql.xai-corp.net
- fs.xai-corp.net
- dkhost.xai-corp.net
- git.xai-corp.net
- dkui.xai-corp.net
- jenkins.xai-corp.net
- logs.xai-corp.net
- tripbuilder.xai-corp.net
- xaibox.xai-corp.net
roles:
- dockerhost
- geerlingguy.nginx
- certbot
# - docker_registry
# - docker_graylog
post_tasks:

2
dockerfiles/dkregistry/docker-compose.yml
View File

@@ -34,7 +34,7 @@ services:
restart_policy:
condition: any
delay: "1s"
max_attempts: 1
max_attempts: 15
resources:
limits:
cpus: '0.1'

29
dockerfiles/owncloud/docker-compose.yml Normal file
View File

@@ -0,0 +1,29 @@
---
# docker-compose file for owncloud server
# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml owncloud
version: '3'
services:
owncloud:
image: nextcloud:12
ports:
- 8083:80
# - 9083:9000
volumes:
- /opt/shared/nextcloud/data:/var/www/html/data
- /opt/shared/nextcloud/config:/var/www/html/config
- /opt/shared/nextcloud/apps:/var/www/html/custom_apps
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
delay: "1s"
max_attempts: 5
resources:
limits:
cpus: '1'
memory: 512M

33
dockerfiles/services/mariadb/docker-compose.yml Normal file
View File

@@ -0,0 +1,33 @@
---
# docker-compose file for mysql
# DOCKER_HOST=dkhost:2376 docker-compose up -d
# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services
version: '3'
services:
mysql:
image: "mariadb:10"
volumes:
- /opt/shared/mariadb/data:/var/lib/mysql
ports:
- "3306:3306"
environment:
MYSQL_ROOT_PASSWORD: "aifuoqibcqobcqb3"
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
delay: "1s"
max_attempts: 3
resources:
limits:
cpus: '0.5'
memory: 512M
networks:
default:
external:
name: prod-private

32
dockerfiles/services/memcached/docker-compose.yml Normal file
View File

@@ -0,0 +1,32 @@
---
# docker-compose file for memcached
# DOCKER_HOST=dkhost:2376 docker-compose up -d
# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services
version: '3'
services:
memcached:
image: "memcached:alpine"
ports:
- "11211:11211"
command:
- memcached
- -m64
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
delay: "1s"
max_attempts: 3
resources:
limits:
cpus: '0.5'
memory: 65M
networks:
default:
external:
name: prod-private

28
dockerfiles/services/redis/docker-compose.yml Normal file
View File

@@ -0,0 +1,28 @@
---
# docker-compose file for redis
# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services
version: '3'
services:
redis:
image: "redis:4-alpine"
ports:
- "6379:6379"
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
delay: "1s"
max_attempts: 3
resources:
limits:
cpus: '0.5'
memory: 256M
networks:
default:
external:
name: prod-private

2
dockerfiles/sslproxy/Dockerfile
View File

@@ -1,4 +1,4 @@
FROM nginx:alpine
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./host.conf /etc/nginx/conf.d/host.conf
COPY ./hosts /etc/nginx/conf.d/

31
dockerfiles/sslproxy/docker-compose-prod.yml Normal file
View File

@@ -0,0 +1,31 @@
---
# DOCKER_HOST=192.168.2.41:2376 docker-compose up -d
# docker login dkregistry.xai-corp.net:5000
# docker-compose build && docker push dkregistry.xai-corp.net:5000/sslproxy:latest
# DOCKER_HOST=dkhost01:2376 docker stack deploy --with-registry-auth -c docker-compose-prod.yml sslproxy
# DOCKER_HOST=dkhost01:2376 docker stack ps sslproxy
version: '3'
services:
app:
image: "dkregistry.xai-corp.net:5000/sslproxy:latest"
volumes:
- /etc/letsencrypt:/etc/letsencrypt:ro
ports:
- "443:443"
logging:
driver: syslog
options:
syslog-address: "tcp+tls://logs6.papertrailapp.com:38577"
tag: "{{.Name}}/{{.ID}}"
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
delay: 5s
max_attempts: 10
labels:
net.xai-corp.sslproxy.description: proxy ssl calls to non ssl containers

21
dockerfiles/sslproxy/docker-compose.yml
View File

@@ -18,24 +18,3 @@ services:
- /etc/letsencrypt:/etc/letsencrypt:ro
ports:
- "443:443"
#
# logging:
# driver: gelf
# options:
# gelf-address: "udp://logs.xai-corp.net:12201"
logging:
driver: syslog
options:
syslog-address: "tcp+tls://logs6.papertrailapp.com:38577"
tag: "{{.Name}}/{{.ID}}"
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
delay: 5s
max_attempts: 10
labels:
net.xai-corp.sslproxy.description: proxy ssl calls to non ssl containers

159
dockerfiles/sslproxy/host.conf
View File

@@ -1,159 +0,0 @@
# fs.xai-corp.net
server {
listen 443 ssl;
server_name fs.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/fs.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/fs.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
location / {
proxy_pass http://dkhost.xai-corp.net:8081;
}
}
# git.xai-corp.net
server {
listen 443 ssl;
server_name git.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/git.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/git.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
location / {
proxy_pass http://dkhost.xai-corp.net:10080;
}
}
# tripbuilder.xai-corp.net
server {
listen 443 ssl;
server_name tripbuilder.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/tripbuilder.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/tripbuilder.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
location / {
proxy_pass http://dkhost.xai-corp.net:8080;
}
}
# jenkins.xai-corp.net
server {
listen 443 ssl;
server_name jenkins.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/jenkins.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/jenkins.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
location / {
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://dkhost.xai-corp.net:8080;
}
}
# dkui.xai-corp.net
server {
listen 443 ssl;
server_name dkui.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/dkui.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/dkui.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
location / {
proxy_set_header Connection $http_connection;
proxy_pass http://dkhost.xai-corp.net:9000;
}
}
# dkregistry.xai-corp.net
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header will be unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'' 'registry/2.0';
}
server {
listen 443 ssl;
server_name dkregistry.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/dkregistry.xai-corp.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dkregistry.xai-corp.net/privkey.pem;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
# To add basic authentication to v2 use auth_basic setting.
auth_basic "Registry realm";
auth_basic_user_file /opt/shared/dkregistry/auth/htpasswd;
## If $docker_distribution_api_version is empty, the header will not be added.
## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection $http_connection;
proxy_pass http://dkhost.xai-corp.net:5000;
proxy_read_timeout 900;
}
}
# logs.xai-corp.net
server {
listen 443 ssl;
server_name logs.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/logs.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/logs.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
location / {
proxy_set_header Connection $http_connection;
proxy_pass http://dkhost.xai-corp.net:10090;
}
}

57
dockerfiles/sslproxy/hosts/dkregistry.xai-corp.net.conf Normal file
View File

@@ -0,0 +1,57 @@
# dkregistry.xai-corp.net
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header will be unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'' 'registry/2.0';
}
server {
listen 443 ssl;
server_name dkregistry.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/dkregistry.xai-corp.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dkregistry.xai-corp.net/privkey.pem;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
# To add basic authentication to v2 use auth_basic setting.
auth_basic "Registry realm";
auth_basic_user_file /opt/shared/dkregistry/auth/htpasswd;
## If $docker_distribution_api_version is empty, the header will not be added.
## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection $http_connection;
proxy_pass http://dkhost.xai-corp.net:5000;
proxy_read_timeout 900;
}
}

21
dockerfiles/sslproxy/hosts/dkui.xai-corp.net.conf Normal file
View File

@@ -0,0 +1,21 @@
# dkui.xai-corp.net
server {
listen 443 ssl;
server_name dkui.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/dkui.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/dkui.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
location / {
proxy_set_header Connection $http_connection;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://dkhost.xai-corp.net:9000;
}
}

15
dockerfiles/sslproxy/hosts/fs.xai-corp.net.conf Normal file
View File

@@ -0,0 +1,15 @@
# fs.xai-corp.net
server {
listen 443 ssl;
server_name fs.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/fs.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/fs.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
location / {
proxy_pass http://dkhost.xai-corp.net:8081;
}
}

15
dockerfiles/sslproxy/hosts/git.xai-corp.net.conf Normal file
View File

@@ -0,0 +1,15 @@
# git.xai-corp.net
server {
listen 443 ssl;
server_name git.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/git.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/git.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
location / {
proxy_pass http://dkhost.xai-corp.net:10080;
}
}

21
dockerfiles/sslproxy/hosts/jenkins.xai-corp.net.conf Normal file
View File

@@ -0,0 +1,21 @@
# jenkins.xai-corp.net
server {
listen 443 ssl;
server_name jenkins.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/jenkins.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/jenkins.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
location / {
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://dkhost.xai-corp.net:8080;
}
}

15
dockerfiles/sslproxy/hosts/logs.xai-corp.net.conf Normal file
View File

@@ -0,0 +1,15 @@
# logs.xai-corp.net
server {
listen 443 ssl;
server_name logs.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/logs.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/logs.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
location / {
proxy_set_header Connection $http_connection;
proxy_pass http://dkhost.xai-corp.net:10090;
}
}

14
dockerfiles/sslproxy/hosts/tripbuilder.xai-corp.net.conf Normal file
View File

@@ -0,0 +1,14 @@
# tripbuilder.xai-corp.net
server {
listen 443 ssl;
server_name tripbuilder.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/tripbuilder.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/tripbuilder.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
location / {
proxy_pass http://dkhost.xai-corp.net:8080;
}
}

16
dockerfiles/sslproxy/hosts/xaibox.xai-corp.net.conf Normal file
View File

@@ -0,0 +1,16 @@
# xaibox.xai-corp.net
server {
listen 443 ssl;
server_name xaibox.xai-corp.net;
ssl_certificate /etc/letsencrypt/live/xaibox.xai-corp.net/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/xaibox.xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
location / {
proxy_set_header Connection $http_connection;
proxy_pass http://dkhost.xai-corp.net:8083;
}
}

1
managed_setup.yml
View File

@@ -82,6 +82,7 @@
- rsyslog
- motd
- { role: Datadog.datadog, when: ansible_architecture != 'armv7l' } #does not support armhf architecture. should switch to fluentd or logstash
- { role: ddagent_source, when: ansible_architecture == 'armv7l' }
tasks:
- name: add ansible to sudoers

18
roles/_install_updates/tasks/rebootAndWait.yml Normal file
View File

@@ -0,0 +1,18 @@
---
# wait random time to start this to offset reboots of individual machines
- pause: seconds={{ 100 | random(1,10) }}
# Send the reboot command
- shell: shutdown -r now
# This pause is mandatory, otherwise the existing control connection gets reused!
- pause: seconds=30
# Now we will run a local 'ansible -m ping' on this host until it returns.
# This works with the existing ansible hosts inventory and so any custom ansible_ssh_hosts definitions are being used
- local_action: shell ansible -u {{ ansible_user_id }} -m ping {{ inventory_hostname }}
register: result
until: result.rc == 0
retries: 30
delay: 10

14
roles/certbot/tasks/main.yml
View File

@@ -21,18 +21,8 @@
command: "letsencrypt certonly --webroot -w /var/www/xai-corp.net -d {{ item }}"
args:
creates: /etc/letsencrypt/live/{{ item }}/cert.pem
with_items:
- xai-corp.net
- www.xai-corp.net
- dkregistry.xai-corp.net
- sql.xai-corp.net
- fs.xai-corp.net
- dkhost.xai-corp.net
- git.xai-corp.net
- dkui.xai-corp.net
- jenkins.xai-corp.net
- logs.xai-corp.net
- tripbuilder.xai-corp.net
with_items: "{{certbot.domains}}"
- name: cron job for renewing certs
cron:

4
roles/ddagent_source/files/supervisor-dd-agent.conf Normal file
View File

@@ -0,0 +1,4 @@
[program:dd-agent]
command=/root/.datadog-agent/bin/agent start -d
stderr_logfile = /var/log/supervisord/ddagent-stderr.log
stdout_logfile = /var/log/supervisord/ddagent-stdout.log

12
roles/ddagent_source/handlers/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# handlers/main.yml
# define handlers here
#- name: restart <service>
# service: name=<service> state=restarted
#- name: stop <service>
# service: name=<service> state=stopped
- name: restart supervisor
service: name=supervisor start restarted

25
roles/ddagent_source/tasks/main.yml Normal file
View File

@@ -0,0 +1,25 @@
---
# install dd-agent from source
- name: install packages
apt:
state: installed
package: "{{ item }}"
update_cache: yes
cache_valid_time: 3600
with_items:
- python-psutil
- shell: DD_API_KEY=ca0faf176c4aedd4f547ed7cf85615eb sh -c "$(curl -L https://raw.githubusercontent.com/DataDog/dd-agent/master/packaging/datadog-agent/source/setup_agent.sh)"
args:
creates: "/root/.datadog-agent/bin/agent"
- name: add agent line to rc.local
lineinfile:
dest: /etc/rc.local
regexp: '^nohup sh /root/.datadog-agent/bin/agent &'
line: 'nohup sh /root/.datadog-agent/bin/agent &'
insertbefore: "^exit 0"
- name: start agent
shell: /root/.datadog-agent/bin/agent start

1
roles/dockerhost/tasks/install-xenial.yml
View File

@@ -14,6 +14,7 @@
- "glusterfs-client"
- xfsprogs
- attr
- virtualbox-guest-additions-iso
#- name: install repo keys
# apt_key:

8
roles/dockerhost/tasks/main.yml
View File

@@ -15,3 +15,11 @@
force: yes
with_items:
- { src: "/opt/shared/letsencrypt", path: "/etc/letsencrypt" }
- name: setup owncloud cron job
cron:
name: owncloud
state: present
user: www-data
day: "*/15"
job: "curl -k https://xaibox.xai-corp.net/cron.php"

2
roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
View File

@@ -53,4 +53,6 @@ jenkins IN CNAME dkhost
logs IN CNAME dkhost
dkregistry IN CNAME dkhost
sql IN CNAME dkhost
mysql IN CNAME dkhost
tripbuilder IN CNAME dkhost
xaibox IN CNAME dkhost