From e6900502e4266cdf3c7db0f4ade3403076f55cec Mon Sep 17 00:00:00 2001 
From: richard Date: Sat, 15 Jul 2017 23:32:27 -0400 Subject: [PATCH] setup nextcloud service --- dkhost.xai-corp.net.yml | 18 +- dockerfiles/dkregistry/docker-compose.yml | 2 +- dockerfiles/owncloud/docker-compose.yml | 29 ++++ .../services/mariadb/docker-compose.yml | 33 ++++ .../services/memcached/docker-compose.yml | 32 ++++ dockerfiles/services/redis/docker-compose.yml | 28 +++ dockerfiles/sslproxy/Dockerfile | 2 +- dockerfiles/sslproxy/docker-compose-prod.yml | 31 ++++ dockerfiles/sslproxy/docker-compose.yml | 21 --- dockerfiles/sslproxy/host.conf | 159 ------------------ .../hosts/dkregistry.xai-corp.net.conf | 57 +++++++ .../sslproxy/hosts/dkui.xai-corp.net.conf | 21 +++ .../sslproxy/hosts/fs.xai-corp.net.conf | 15 ++ .../sslproxy/hosts/git.xai-corp.net.conf | 15 ++ .../sslproxy/hosts/jenkins.xai-corp.net.conf | 21 +++ .../sslproxy/hosts/logs.xai-corp.net.conf | 15 ++ .../hosts/tripbuilder.xai-corp.net.conf | 14 ++ .../sslproxy/hosts/xaibox.xai-corp.net.conf | 16 ++ managed_setup.yml | 1 + .../_install_updates/tasks/rebootAndWait.yml | 18 ++ roles/certbot/tasks/main.yml | 14 +- .../files/supervisor-dd-agent.conf | 4 + roles/ddagent_source/handlers/main.yml | 12 ++ roles/ddagent_source/tasks/main.yml | 25 +++ roles/dockerhost/tasks/install-xenial.yml | 1 + roles/dockerhost/tasks/main.yml | 8 + .../templates/xai-corp.net.internal.j2 | 2 + 27 files changed, 418 insertions(+), 196 deletions(-) create mode 100644 dockerfiles/owncloud/docker-compose.yml create mode 100644 dockerfiles/services/mariadb/docker-compose.yml create mode 100644 dockerfiles/services/memcached/docker-compose.yml create mode 100644 dockerfiles/services/redis/docker-compose.yml create mode 100644 dockerfiles/sslproxy/docker-compose-prod.yml delete mode 100644 dockerfiles/sslproxy/host.conf create mode 100644 dockerfiles/sslproxy/hosts/dkregistry.xai-corp.net.conf create mode 100644 dockerfiles/sslproxy/hosts/dkui.xai-corp.net.conf create mode 100644 
dockerfiles/sslproxy/hosts/fs.xai-corp.net.conf create mode 100644 dockerfiles/sslproxy/hosts/git.xai-corp.net.conf create mode 100644 dockerfiles/sslproxy/hosts/jenkins.xai-corp.net.conf create mode 100644 dockerfiles/sslproxy/hosts/logs.xai-corp.net.conf create mode 100644 dockerfiles/sslproxy/hosts/tripbuilder.xai-corp.net.conf create mode 100644 dockerfiles/sslproxy/hosts/xaibox.xai-corp.net.conf create mode 100644 roles/_install_updates/tasks/rebootAndWait.yml create mode 100644 roles/ddagent_source/files/supervisor-dd-agent.conf create mode 100644 roles/ddagent_source/handlers/main.yml create mode 100644 roles/ddagent_source/tasks/main.yml diff --git a/dkhost.xai-corp.net.yml b/dkhost.xai-corp.net.yml index 5cd6f2c..fd45997 100644 --- a/dkhost.xai-corp.net.yml +++ b/dkhost.xai-corp.net.yml @@ -24,6 +24,7 @@ - debugfs - proc - securityfs + - tmpfs excluded_mountpoint_re: /[media/richard|run/user].* docker: init_config: @@ -61,11 +62,24 @@ host: gluster:/elasticsearch mount: /data/elasticsearch + certbot: + domains: + - xai-corp.net + - www.xai-corp.net + - dkregistry.xai-corp.net + - sql.xai-corp.net + - fs.xai-corp.net + - dkhost.xai-corp.net + - git.xai-corp.net + - dkui.xai-corp.net + - jenkins.xai-corp.net + - logs.xai-corp.net + - tripbuilder.xai-corp.net + - xaibox.xai-corp.net + roles: - dockerhost - geerlingguy.nginx - certbot -# - docker_registry -# - docker_graylog post_tasks: diff --git a/dockerfiles/dkregistry/docker-compose.yml b/dockerfiles/dkregistry/docker-compose.yml index 01b6e01..9e29113 100644 --- a/dockerfiles/dkregistry/docker-compose.yml +++ b/dockerfiles/dkregistry/docker-compose.yml @@ -34,7 +34,7 @@ services: restart_policy: condition: any delay: "1s" - max_attempts: 1 + max_attempts: 15 resources: limits: cpus: '0.1' diff --git a/dockerfiles/owncloud/docker-compose.yml b/dockerfiles/owncloud/docker-compose.yml new file mode 100644 index 0000000..cf3ffa2 --- /dev/null +++ b/dockerfiles/owncloud/docker-compose.yml 
@@ -0,0 +1,29 @@ +--- +# docker-compose file for owncloud server + +# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml owncloud + +version: '3' +services: + + owncloud: + image: nextcloud:12 + ports: + - 8083:80 +# - 9083:9000 + volumes: + - /opt/shared/nextcloud/data:/var/www/html/data + - /opt/shared/nextcloud/config:/var/www/html/config + - /opt/shared/nextcloud/apps:/var/www/html/custom_apps + + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: any + delay: "1s" + max_attempts: 5 + resources: + limits: + cpus: '1' + memory: 512M diff --git a/dockerfiles/services/mariadb/docker-compose.yml b/dockerfiles/services/mariadb/docker-compose.yml new file mode 100644 index 0000000..f59b500 --- /dev/null +++ b/dockerfiles/services/mariadb/docker-compose.yml @@ -0,0 +1,33 @@ +--- +# docker-compose file for mysql +# DOCKER_HOST=dkhost:2376 docker-compose up -d +# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services + +version: '3' +services: + + mysql: + image: "mariadb:10" + volumes: + - /opt/shared/mariadb/data:/var/lib/mysql + ports: + - "3306:3306" + environment: + MYSQL_ROOT_PASSWORD: "aifuoqibcqobcqb3" + + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: any + delay: "1s" + max_attempts: 3 + resources: + limits: + cpus: '0.5' + memory: 512M + +networks: + default: + external: + name: prod-private diff --git a/dockerfiles/services/memcached/docker-compose.yml b/dockerfiles/services/memcached/docker-compose.yml new file mode 100644 index 0000000..e18c809 --- /dev/null +++ b/dockerfiles/services/memcached/docker-compose.yml 
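Review bot: `ports: - 8083:80` publishes Nextcloud over plain HTTP, and under `docker stack deploy` the short port syntax goes through the swarm ingress on every node and every interface, so the service is reachable without passing the TLS proxy (the `hosts/xaibox.xai-corp.net.conf` added in this commit proxies to that same port). The other new stacks already use the `prod-private` overlay; attaching this service and the sslproxy to it and dropping the published port keeps the bind off the public interfaces, or at least use the long port syntax with `mode: host` so the mapping stays local to one node. The `config` directory is bind-mounted, so I assume Nextcloud's reverse-proxy settings (trusted proxies, overwrite protocol) live there — worth confirming, because the proxy vhost in this commit sends no `X-Forwarded-Proto`. For consistency with the sibling compose files, quote the mapping: `- "8083:80"`.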
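Review bot: `MYSQL_ROOT_PASSWORD` is a literal root password committed to the repository, and the same file publishes `"3306:3306"` through the swarm ingress, so the database is reachable on every node's interfaces with a credential anyone with repo access can read. The service is already on the `prod-private` overlay, which is how the other stack services should reach it; remove the `ports:` block unless a client outside the overlay genuinely needs it, and move the password out of the file — the official image honours `MYSQL_ROOT_PASSWORD_FILE` for a Docker secret in recent tags (confirm for the `mariadb:10` tag in use), which fits `docker stack deploy`. The committed value should be treated as exposed and rotated.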
@@ -0,0 +1,32 @@ +--- +# docker-compose file for memcached +# DOCKER_HOST=dkhost:2376 docker-compose up -d +# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services + +version: '3' +services: + + memcached: + image: "memcached:alpine" + ports: + - "11211:11211" + command: + - memcached + - -m64 + + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: any + delay: "1s" + max_attempts: 3 + resources: + limits: + cpus: '0.5' + memory: 65M + +networks: + default: + external: + name: prod-private diff --git a/dockerfiles/services/redis/docker-compose.yml b/dockerfiles/services/redis/docker-compose.yml new file mode 100644 index 0000000..96038f8 --- /dev/null +++ b/dockerfiles/services/redis/docker-compose.yml @@ -0,0 +1,28 @@ +--- +# docker-compose file for redis +# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services + +version: '3' +services: + + redis: + image: "redis:4-alpine" + ports: + - "6379:6379" + + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: any + delay: "1s" + max_attempts: 3 + resources: + limits: + cpus: '0.5' + memory: 256M + +networks: + default: + external: + name: prod-private diff --git a/dockerfiles/sslproxy/Dockerfile b/dockerfiles/sslproxy/Dockerfile index 97ead67..e5258f9 100644 --- a/dockerfiles/sslproxy/Dockerfile +++ b/dockerfiles/sslproxy/Dockerfile @@ -1,4 +1,4 @@ FROM nginx:alpine COPY ./nginx.conf /etc/nginx/nginx.conf -COPY ./host.conf /etc/nginx/conf.d/host.conf +COPY ./hosts /etc/nginx/conf.d/ diff --git a/dockerfiles/sslproxy/docker-compose-prod.yml b/dockerfiles/sslproxy/docker-compose-prod.yml new file mode 100644 index 0000000..261587b --- /dev/null +++ b/dockerfiles/sslproxy/docker-compose-prod.yml 
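Review bot: `ports: - "11211:11211"` publishes memcached, which has no authentication of its own, to every node's interfaces via the swarm ingress, while the service is already on the `prod-private` overlay where its consumers can reach it by service name. Unless a client outside the overlay needs it, remove the `ports:` block; the network boundary is the only access control this service has. The same applies to `"6379:6379"` in `redis/docker-compose.yml` in this commit, which also runs with the image defaults and no `--requirepass`, so the published port should go there as well.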
@@ -0,0 +1,31 @@ +--- +# DOCKER_HOST=192.168.2.41:2376 docker-compose up -d +# docker login dkregistry.xai-corp.net:5000 +# docker-compose build && docker push dkregistry.xai-corp.net:5000/sslproxy:latest +# DOCKER_HOST=dkhost01:2376 docker stack deploy --with-registry-auth -c docker-compose-prod.yml sslproxy +# DOCKER_HOST=dkhost01:2376 docker stack ps sslproxy + +version: '3' +services: + app: + image: "dkregistry.xai-corp.net:5000/sslproxy:latest" + volumes: + - /etc/letsencrypt:/etc/letsencrypt:ro + ports: + - "443:443" + + logging: + driver: syslog + options: + syslog-address: "tcp+tls://logs6.papertrailapp.com:38577" + tag: "{{.Name}}/{{.ID}}" + + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: any + delay: 5s + max_attempts: 10 + labels: + net.xai-corp.sslproxy.description: proxy ssl calls to non ssl containers diff --git a/dockerfiles/sslproxy/docker-compose.yml b/dockerfiles/sslproxy/docker-compose.yml index 24f6626..1848580 100644 --- a/dockerfiles/sslproxy/docker-compose.yml +++ b/dockerfiles/sslproxy/docker-compose.yml @@ -18,24 +18,3 @@ services: - /etc/letsencrypt:/etc/letsencrypt:ro ports: - "443:443" -# -# logging: -# driver: gelf -# options: -# gelf-address: "udp://logs.xai-corp.net:12201" - - logging: - driver: syslog - options: - syslog-address: "tcp+tls://logs6.papertrailapp.com:38577" - tag: "{{.Name}}/{{.ID}}" - - deploy: - mode: replicated - replicas: 1 - restart_policy: - condition: any - delay: 5s - max_attempts: 10 - labels: - net.xai-corp.sslproxy.description: proxy ssl calls to non ssl containers diff --git a/dockerfiles/sslproxy/host.conf b/dockerfiles/sslproxy/host.conf deleted file mode 100644 index 72cf86f..0000000 --- a/dockerfiles/sslproxy/host.conf +++ /dev/null 
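Review bot: `image: "dkregistry.xai-corp.net:5000/sslproxy:latest"` pins the production proxy to a mutable tag, so each `docker stack deploy` (and each restart under `condition: any`) may pull whatever was pushed last, which makes rollback and audit hard for the component that terminates TLS for every vhost. Pin a build tag or a digest, e.g. `image: "dkregistry.xai-corp.net:5000/sslproxy@sha256:<digest-of-the-built-image>"`, and keep `:latest` for the local `docker-compose.yml` only. The header comments also mix `DOCKER_HOST=192.168.2.41:2376` and `DOCKER_HOST=dkhost01:2376`; one target name would avoid deploying to the wrong host.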
@@ -1,159 +0,0 @@ -# fs.xai-corp.net -server { - listen 443 ssl; - server_name fs.xai-corp.net; - ssl_certificate /etc/letsencrypt/live/fs.xai-corp.net/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/fs.xai-corp.net/privkey.pem; - - #Strict-Transport-Security: max-age=15768000 - add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; - - location / { - proxy_pass http://dkhost.xai-corp.net:8081; - } - -} - -# git.xai-corp.net -server { - listen 443 ssl; - server_name git.xai-corp.net; - ssl_certificate /etc/letsencrypt/live/git.xai-corp.net/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/git.xai-corp.net/privkey.pem; - - #Strict-Transport-Security: max-age=15768000 - add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; - - location / { - proxy_pass http://dkhost.xai-corp.net:10080; - } - -} - -# tripbuilder.xai-corp.net -server { - listen 443 ssl; - server_name tripbuilder.xai-corp.net; - ssl_certificate /etc/letsencrypt/live/tripbuilder.xai-corp.net/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/tripbuilder.xai-corp.net/privkey.pem; - - #Strict-Transport-Security: max-age=15768000 - add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; - - location / { - proxy_pass http://dkhost.xai-corp.net:8080; - } -} - -# jenkins.xai-corp.net -server { - listen 443 ssl; - server_name jenkins.xai-corp.net; - ssl_certificate /etc/letsencrypt/live/jenkins.xai-corp.net/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/jenkins.xai-corp.net/privkey.pem; - - #Strict-Transport-Security: max-age=15768000 - add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; - - location / { - proxy_set_header Host $host:$server_port; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_pass http://dkhost.xai-corp.net:8080; - } - -} - 
-# dkui.xai-corp.net -server { - listen 443 ssl; - server_name dkui.xai-corp.net; - ssl_certificate /etc/letsencrypt/live/dkui.xai-corp.net/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/dkui.xai-corp.net/privkey.pem; - - #Strict-Transport-Security: max-age=15768000 - add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; - - location / { - proxy_set_header Connection $http_connection; - proxy_pass http://dkhost.xai-corp.net:9000; - } - -} - -# dkregistry.xai-corp.net -## Set a variable to help us decide if we need to add the -## 'Docker-Distribution-Api-Version' header. -## The registry always sets this header. -## In the case of nginx performing auth, the header will be unset -## since nginx is auth-ing before proxying. -map $upstream_http_docker_distribution_api_version $docker_distribution_api_version { -'' 'registry/2.0'; -} - -server { - listen 443 ssl; - server_name dkregistry.xai-corp.net; - ssl_certificate /etc/letsencrypt/live/dkregistry.xai-corp.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/dkregistry.xai-corp.net/privkey.pem; - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - #Strict-Transport-Security: max-age=15768000 - add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; - - # disable any limits to avoid HTTP 413 for large image uploads - client_max_body_size 0; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) - chunked_transfer_encoding on; - - location /v2/ { - # Do not allow connections from docker 1.5 and earlier - # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents - if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { - return 404; - } - - # To add basic 
authentication to v2 use auth_basic setting. - auth_basic "Registry realm"; - auth_basic_user_file /opt/shared/dkregistry/auth/htpasswd; - - ## If $docker_distribution_api_version is empty, the header will not be added. - ## See the map directive above where this variable is defined. - add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; - - proxy_set_header Host $http_host; # required for docker client's sake - proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Connection $http_connection; - - proxy_pass http://dkhost.xai-corp.net:5000; - proxy_read_timeout 900; - } - -} - -# logs.xai-corp.net -server { - listen 443 ssl; - server_name logs.xai-corp.net; - ssl_certificate /etc/letsencrypt/live/logs.xai-corp.net/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/logs.xai-corp.net/privkey.pem; - #Strict-Transport-Security: max-age=15768000 - add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; - - location / { - proxy_set_header Connection $http_connection; - proxy_pass http://dkhost.xai-corp.net:10090; - } - -} diff --git a/dockerfiles/sslproxy/hosts/dkregistry.xai-corp.net.conf b/dockerfiles/sslproxy/hosts/dkregistry.xai-corp.net.conf new file mode 100644 index 0000000..2e7787f --- /dev/null +++ b/dockerfiles/sslproxy/hosts/dkregistry.xai-corp.net.conf 
@@ -0,0 +1,57 @@ +# dkregistry.xai-corp.net +## Set a variable to help us decide if we need to add the +## 'Docker-Distribution-Api-Version' header. +## The registry always sets this header. +## In the case of nginx performing auth, the header will be unset +## since nginx is auth-ing before proxying. +map $upstream_http_docker_distribution_api_version $docker_distribution_api_version { +'' 'registry/2.0'; +} + +server { + listen 443 ssl; + server_name dkregistry.xai-corp.net; + ssl_certificate /etc/letsencrypt/live/dkregistry.xai-corp.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/dkregistry.xai-corp.net/privkey.pem; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + #Strict-Transport-Security: max-age=15768000 + add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) + chunked_transfer_encoding on; + + location /v2/ { + # Do not allow connections from docker 1.5 and earlier + # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents + if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { + return 404; + } + + # To add basic authentication to v2 use auth_basic setting. + auth_basic "Registry realm"; + auth_basic_user_file /opt/shared/dkregistry/auth/htpasswd; + + ## If $docker_distribution_api_version is empty, the header will not be added. + ## See the map directive above where this variable is defined. 
+ add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; + + proxy_set_header Host $http_host; # required for docker client's sake + proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Connection $http_connection; + + proxy_pass http://dkhost.xai-corp.net:5000; + proxy_read_timeout 900; + } + +} diff --git a/dockerfiles/sslproxy/hosts/dkui.xai-corp.net.conf b/dockerfiles/sslproxy/hosts/dkui.xai-corp.net.conf new file mode 100644 index 0000000..4718cf9 --- /dev/null +++ b/dockerfiles/sslproxy/hosts/dkui.xai-corp.net.conf @@ -0,0 +1,21 @@ +# dkui.xai-corp.net +server { + listen 443 ssl; + server_name dkui.xai-corp.net; + ssl_certificate /etc/letsencrypt/live/dkui.xai-corp.net/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/dkui.xai-corp.net/privkey.pem; + + #Strict-Transport-Security: max-age=15768000 + add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; + + location / { + proxy_set_header Connection $http_connection; + proxy_set_header Host $host:$server_port; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://dkhost.xai-corp.net:9000; + } + +} diff --git a/dockerfiles/sslproxy/hosts/fs.xai-corp.net.conf b/dockerfiles/sslproxy/hosts/fs.xai-corp.net.conf new file mode 100644 index 0000000..31530a3 --- /dev/null +++ b/dockerfiles/sslproxy/hosts/fs.xai-corp.net.conf 
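Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` still enables TLS 1.1, which is deprecated and which no docker client capable of the v2 API needs; `ssl_protocols TLSv1.2;` is the safer line (TLS 1.3 depends on the nginx/OpenSSL in the `nginx:alpine` base, so confirm before adding it). Separately, `auth_basic_user_file /opt/shared/dkregistry/auth/htpasswd;` is a path inside the proxy container, but `docker-compose-prod.yml` in this commit mounts only `/etc/letsencrypt` and the Dockerfile copies only `nginx.conf` and `hosts/`; unless something not shown here provides that file, nginx should fail the request rather than fall open, so this is a functional gap to verify with a `docker login` test. This is also the only vhost with a cipher list, `ssl_prefer_server_ciphers` and a session cache; since all vhosts share `nginx.conf`, moving those three directives to its `http` block would cover the rest.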
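Review bot: `ssl_certificate /etc/letsencrypt/live/dkui.xai-corp.net/cert.pem;` serves the leaf certificate alone; nginx expects the chain in that file, and certbot provides it as `fullchain.pem`, which is what the dkregistry vhost in this same commit already uses. Clients without the intermediate cached will see a chain error, so change to `ssl_certificate /etc/letsencrypt/live/dkui.xai-corp.net/fullchain.pem;` here and in the fs, git, jenkins, logs, tripbuilder and xaibox vhost files added by this commit. Also, `proxy_set_header Connection $http_connection;` without `proxy_set_header Upgrade $http_upgrade;` and `proxy_http_version 1.1;` will not complete a WebSocket upgrade, if that is what the line is for (same pattern in the logs and xaibox vhosts).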
@@ -0,0 +1,15 @@ +# fs.xai-corp.net +server { + listen 443 ssl; + server_name fs.xai-corp.net; + ssl_certificate /etc/letsencrypt/live/fs.xai-corp.net/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/fs.xai-corp.net/privkey.pem; + + #Strict-Transport-Security: max-age=15768000 + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always; + + location / { + proxy_pass http://dkhost.xai-corp.net:8081; + } + +} diff --git a/dockerfiles/sslproxy/hosts/git.xai-corp.net.conf b/dockerfiles/sslproxy/hosts/git.xai-corp.net.conf new file mode 100644 index 0000000..95325de --- /dev/null +++ b/dockerfiles/sslproxy/hosts/git.xai-corp.net.conf @@ -0,0 +1,15 @@ +# git.xai-corp.net +server { + listen 443 ssl; + server_name git.xai-corp.net; + ssl_certificate /etc/letsencrypt/live/git.xai-corp.net/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/git.xai-corp.net/privkey.pem; + + #Strict-Transport-Security: max-age=15768000 + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always; + + location / { + proxy_pass http://dkhost.xai-corp.net:10080; + } + +} diff --git a/dockerfiles/sslproxy/hosts/jenkins.xai-corp.net.conf b/dockerfiles/sslproxy/hosts/jenkins.xai-corp.net.conf new file mode 100644 index 0000000..ffda5d8 --- /dev/null +++ b/dockerfiles/sslproxy/hosts/jenkins.xai-corp.net.conf 
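Review bot: The HSTS `max-age` now differs across vhosts — 15768000 here and in git, 15552000 in xaibox, 600 in the other five — while every file carries the same `#Strict-Transport-Security: max-age=15768000` comment. Browsers cache the policy per host, so the 600-second values on dkregistry, dkui, jenkins, logs and tripbuilder give almost no protection; pick the one value the comments already name and apply it in all eight files, or move the `add_header` into `nginx.conf`. If it is moved, keep it at `server`/`http` level rather than inside a `location`, since an `add_header` in a `location` block suppresses the inherited one.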
@@ -0,0 +1,21 @@ +# jenkins.xai-corp.net +server { + listen 443 ssl; + server_name jenkins.xai-corp.net; + ssl_certificate /etc/letsencrypt/live/jenkins.xai-corp.net/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/jenkins.xai-corp.net/privkey.pem; + + #Strict-Transport-Security: max-age=15768000 + add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; + + location / { + proxy_set_header Host $host:$server_port; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://dkhost.xai-corp.net:8080; + } + +} diff --git a/dockerfiles/sslproxy/hosts/logs.xai-corp.net.conf b/dockerfiles/sslproxy/hosts/logs.xai-corp.net.conf new file mode 100644 index 0000000..8b33da8 --- /dev/null +++ b/dockerfiles/sslproxy/hosts/logs.xai-corp.net.conf @@ -0,0 +1,15 @@ +# logs.xai-corp.net +server { + listen 443 ssl; + server_name logs.xai-corp.net; + ssl_certificate /etc/letsencrypt/live/logs.xai-corp.net/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/logs.xai-corp.net/privkey.pem; + #Strict-Transport-Security: max-age=15768000 + add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; + + location / { + proxy_set_header Connection $http_connection; + proxy_pass http://dkhost.xai-corp.net:10090; + } + +} diff --git a/dockerfiles/sslproxy/hosts/tripbuilder.xai-corp.net.conf b/dockerfiles/sslproxy/hosts/tripbuilder.xai-corp.net.conf new file mode 100644 index 0000000..c359dd7 --- /dev/null +++ b/dockerfiles/sslproxy/hosts/tripbuilder.xai-corp.net.conf 
@@ -0,0 +1,14 @@ +# tripbuilder.xai-corp.net +server { + listen 443 ssl; + server_name tripbuilder.xai-corp.net; + ssl_certificate /etc/letsencrypt/live/tripbuilder.xai-corp.net/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/tripbuilder.xai-corp.net/privkey.pem; + + #Strict-Transport-Security: max-age=15768000 + add_header Strict-Transport-Security "max-age=600; includeSubDomains" always; + + location / { + proxy_pass http://dkhost.xai-corp.net:8080; + } +} diff --git a/dockerfiles/sslproxy/hosts/xaibox.xai-corp.net.conf b/dockerfiles/sslproxy/hosts/xaibox.xai-corp.net.conf new file mode 100644 index 0000000..9b01e76 --- /dev/null +++ b/dockerfiles/sslproxy/hosts/xaibox.xai-corp.net.conf @@ -0,0 +1,16 @@ +# xaibox.xai-corp.net +server { + listen 443 ssl; + server_name xaibox.xai-corp.net; + ssl_certificate /etc/letsencrypt/live/xaibox.xai-corp.net/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/xaibox.xai-corp.net/privkey.pem; + + #Strict-Transport-Security: max-age=15768000 + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + + location / { + proxy_set_header Connection $http_connection; + proxy_pass http://dkhost.xai-corp.net:8083; + } + +} diff --git a/managed_setup.yml b/managed_setup.yml index fd5afa7..e186365 100644 --- a/managed_setup.yml +++ b/managed_setup.yml @@ -82,6 +82,7 @@ - rsyslog - motd - { role: Datadog.datadog, when: ansible_architecture != 'armv7l' } #does not support armhf architecture. should switch to fluentd or logstash + - { role: ddagent_source, when: ansible_architecture == 'armv7l' } tasks: - name: add ansible to sudoers diff --git a/roles/_install_updates/tasks/rebootAndWait.yml b/roles/_install_updates/tasks/rebootAndWait.yml new file mode 100644 index 0000000..7059139 --- /dev/null +++ b/roles/_install_updates/tasks/rebootAndWait.yml 
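Review bot: This vhost fronts the Nextcloud service published on 8083 by `owncloud/docker-compose.yml` in this commit, but it passes no `Host`/`X-Forwarded-For`/`X-Forwarded-Proto` headers and leaves nginx's default `client_max_body_size` of 1m, so uploads over 1 MB through the proxy are rejected with 413 and the application only ever sees the proxy's address. Add `client_max_body_size 0;` (or a sized limit) to the `server` block together with the `proxy_set_header` lines the jenkins vhost already uses, so the application can build https URLs; the matching reverse-proxy settings would live in the mounted config directory, which I cannot see from here.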
@@ -0,0 +1,18 @@ +--- + +# wait random time to start this to offset reboots of individual machines +- pause: seconds={{ 100 | random(1,10) }} + +# Send the reboot command +- shell: shutdown -r now + +# This pause is mandatory, otherwise the existing control connection gets reused! +- pause: seconds=30 + +# Now we will run a local 'ansible -m ping' on this host until it returns. +# This works with the existing ansible hosts inventory and so any custom ansible_ssh_hosts definitions are being used +- local_action: shell ansible -u {{ ansible_user_id }} -m ping {{ inventory_hostname }} + register: result + until: result.rc == 0 + retries: 30 + delay: 10 diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index c47970a..c5511fb 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -21,18 +21,8 @@ command: "letsencrypt certonly --webroot -w /var/www/xai-corp.net -d {{ item }}" args: creates: /etc/letsencrypt/live/{{ item }}/cert.pem - with_items: - - xai-corp.net - - www.xai-corp.net - - dkregistry.xai-corp.net - - sql.xai-corp.net - - fs.xai-corp.net - - dkhost.xai-corp.net - - git.xai-corp.net - - dkui.xai-corp.net - - jenkins.xai-corp.net - - logs.xai-corp.net - - tripbuilder.xai-corp.net + with_items: "{{certbot.domains}}" + - name: cron job for renewing certs cron: diff --git a/roles/ddagent_source/files/supervisor-dd-agent.conf b/roles/ddagent_source/files/supervisor-dd-agent.conf new file mode 100644 index 0000000..309ce1e --- /dev/null +++ b/roles/ddagent_source/files/supervisor-dd-agent.conf @@ -0,0 +1,4 @@ +[program:dd-agent] +command=/root/.datadog-agent/bin/agent start -d +stderr_logfile = /var/log/supervisord/ddagent-stderr.log +stdout_logfile = /var/log/supervisord/ddagent-stdout.log diff --git a/roles/ddagent_source/handlers/main.yml b/roles/ddagent_source/handlers/main.yml new file mode 100644 index 0000000..007b2ec --- /dev/null +++ b/roles/ddagent_source/handlers/main.yml 
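Review bot: `- shell: shutdown -r now` has no `async`/`poll`, so the SSH session can be torn down while the module is still returning and the task fails before the 30-second pause is reached; the usual shape is the same `shell:` with `async: 1` and `poll: 0` (or `ignore_errors: yes`) so the play proceeds to the wait loop. If I read the filter right, `pause: seconds={{ 100 | random(1,10) }}` draws from `range(1, 100, 10)`, i.e. only 1, 11, 21 … 91 seconds, which reads oddly against the "random time" comment; `{{ 100 | random(1) }}` gives any second in 1–99. The wait loop shells out to `ansible` with `{{ inventory_hostname }}` interpolated into a command line, which is fine for inventory you control, but `wait_for_connection` (Ansible 2.3+) avoids the local subprocess altogether.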
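Review bot: `with_items: "{{certbot.domains}}"` makes the role depend on a `certbot.domains` variable that only host vars define (`dkhost.xai-corp.net.yml` in this commit), with no default in the role, so any other host applying `certbot` fails at this task on an undefined variable. Add a `certbot:` mapping with an empty `domains` list to the role's defaults, or write the loop as `with_items: "{{ certbot.domains | default([]) }}"`; either way use the spaced `{{ ... }}` form the rest of the file uses. The enclosing task starts above the hunk.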
@@ -0,0 +1,12 @@ +--- +# handlers/main.yml +# define handlers here + +#- name: restart +# service: name= state=restarted + +#- name: stop +# service: name= state=stopped + +- name: restart supervisor + service: name=supervisor start restarted diff --git a/roles/ddagent_source/tasks/main.yml b/roles/ddagent_source/tasks/main.yml new file mode 100644 index 0000000..c4b5709 --- /dev/null +++ b/roles/ddagent_source/tasks/main.yml @@ -0,0 +1,25 @@ +--- +# install dd-agent from source + +- name: install packages + apt: + state: installed + package: "{{ item }}" + update_cache: yes + cache_valid_time: 3600 + with_items: + - python-psutil + +- shell: DD_API_KEY=ca0faf176c4aedd4f547ed7cf85615eb sh -c "$(curl -L https://raw.githubusercontent.com/DataDog/dd-agent/master/packaging/datadog-agent/source/setup_agent.sh)" + args: + creates: "/root/.datadog-agent/bin/agent" + +- name: add agent line to rc.local + lineinfile: + dest: /etc/rc.local + regexp: '^nohup sh /root/.datadog-agent/bin/agent &' + line: 'nohup sh /root/.datadog-agent/bin/agent &' + insertbefore: "^exit 0" + +- name: start agent + shell: /root/.datadog-agent/bin/agent start diff --git a/roles/dockerhost/tasks/install-xenial.yml b/roles/dockerhost/tasks/install-xenial.yml index 00508d9..03dcb74 100644 --- a/roles/dockerhost/tasks/install-xenial.yml +++ b/roles/dockerhost/tasks/install-xenial.yml @@ -14,6 +14,7 @@ - "glusterfs-client" - xfsprogs - attr + - virtualbox-guest-additions-iso #- name: install repo keys # apt_key: diff --git a/roles/dockerhost/tasks/main.yml b/roles/dockerhost/tasks/main.yml index 2da320f..af36d0b 100644 --- a/roles/dockerhost/tasks/main.yml +++ b/roles/dockerhost/tasks/main.yml @@ -15,3 +15,11 @@ force: yes with_items: - { src: "/opt/shared/letsencrypt", path: "/etc/letsencrypt" } + +- name: setup owncloud cron job + cron: + name: owncloud + state: present + user: www-data + day: "*/15" + job: "curl -k https://xaibox.xai-corp.net/cron.php" 
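Review bot: `service: name=supervisor start restarted` is not a valid argument string for the `service` module — the parameter is `state`, and the bare `start` token should make Ansible reject the handler as having extra params instead of restarting supervisor. Change the line to `service: name=supervisor state=restarted`, or better the block form with `name: supervisor` and `state: restarted`. Nothing in `tasks/main.yml` notifies this handler yet, and the `files/supervisor-dd-agent.conf` added by this commit is never installed, so the agent is started three different ways (supervisor program, rc.local line, ad-hoc `shell`) — one should be chosen.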
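Review bot: The `shell:` install task embeds a Datadog API key as a literal in the playbook and runs `sh -c "$(curl -L https://raw.githubusercontent.com/DataDog/dd-agent/master/...)"` as root, so a secret is committed to VCS and an unpinned script from a moving branch is executed on every fresh host. Move the key to a vault-encrypted variable and reference it as `DD_API_KEY={{ dd_api_key }}`, and pin the installer to a release tag or commit (fetch it with `get_url` plus `checksum:` before running it) rather than `master`; the committed key should be treated as exposed and rotated. `state: installed` is a deprecated alias for `state: present`, and the final `shell: /root/.datadog-agent/bin/agent start` runs on every play, so it needs `changed_when`/a `creates`-style guard or should be handed to the supervisor program this commit adds but never installs.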
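Review bot: `day: "*/15"` schedules the Nextcloud background job on the 1st, 16th and 31st of each month, not every 15 minutes as the application expects; the field should be `minute: "*/15"`. `curl -k` also disables certificate verification against the very proxy this commit provisions a Let's Encrypt certificate for, so drop `-k`, or call the container port on the host directly (`http://127.0.0.1:8083/cron.php`) if the public name does not resolve locally. The task also assumes a `www-data` user on the docker host; running the job as the web-server user inside the container via `docker exec` may be the closer match — worth confirming.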
diff --git a/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 b/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
index fe4fea2..3571a65 100644
--- a/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
+++ b/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
@@ -53,4 +53,6 @@ jenkins IN CNAME dkhost
 logs IN CNAME dkhost
 dkregistry IN CNAME dkhost
 sql IN CNAME dkhost
+mysql IN CNAME dkhost
 tripbuilder IN CNAME dkhost
+xaibox IN CNAME dkhost