Ayounsi has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/390330 )
Change subject: [WIP] Bird-lg
......................................................................
[WIP] Bird-lg
Change-Id: I3bbd8851a67fde8d9d778f6d3c263879ccfd659a
---
A modules/birdlg/manifests/lg_backend.pp
A modules/birdlg/manifests/lg_frontend.pp
A modules/birdlg/templates/lg.cfg.erb
A modules/birdlg/templates/lgproxy.cfg.erb
A modules/profile/manifests/birdlg/lg_backend.pp
A modules/profile/manifests/birdlg/lg_frontend.pp
A modules/profile/templates/birdlg/lg.wikimedia.org.erb
A modules/role/manifests/birdlg/lg_backend.pp
A modules/role/manifests/birdlg/lg_frontend.pp
9 files changed, 351 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/30/390330/1
diff --git a/modules/birdlg/manifests/lg_backend.pp b/modules/birdlg/manifests/lg_backend.pp
new file mode 100644
index 0000000..047ea4f
--- /dev/null
+++ b/modules/birdlg/manifests/lg_backend.pp
@@ -0,0 +1,80 @@
+# == Class: librenms
+#
+# This class installs & manages Bird and lgproxy, the backend part of BirdLG
+#
+class birdlg::lg_backend(
+ $install_dir='/srv/deployment/birdlg/',
+ $access_list=['127.0.0.1'],
+ $port = 5000,
+) {
+
+ package { [
+ 'python-flask',
+ 'python-dnspython',
+ 'python-memcache',
+ 'whois',
+ 'traceroute',
+ 'bird',
+ ]:
+ ensure => present,
+ }
+
+ file { '/etc/bird/bird.conf': # TODO
+ ensure => present,
+ owner => 'bird',
+ group => 'bird',
+ mode => '0440',
+ content => template('birdlg/bird.conf.erb'),
+ }
+ file { '/etc/bird/bird6.conf': # TODO
+ ensure => present,
+ owner => 'bird',
+ group => 'bird',
+ mode => '0440',
+ content => template('birdlg/bird6.conf.erb'),
+ }
+
+ service { 'bird':
+ ensure => running,
+ subscribe => [
+ File['/etc/bird/bird.conf'],
+ File['/etc/bird/bird6.conf'],
+ ],
+ require => Package['bird'],
+ }
+
+ file { "${install_dir}/lgproxy.cfg":
+ ensure => present,
+ owner => 'bird',
+ group => 'bird',
+ mode => '0440',
+ content => template('birdlg/lgproxy.cfg.erb'),
+ }
+
+ service::uwsgi { 'lgproxy':
+ port => $port,
+ deployment_user => 'bird', # TODO
+ config => {
+ need-plugins => 'python',
+ chdir => $install_dir,
+ wsgi => 'lgproxy.wsgi',
+ vacuum => true,
+ http-socket => "0.0.0.0:${port}",
+ # T170189: make sure Python has a sane default encoding
+ env => [
+ 'LANG=C.UTF-8',
+ 'PYTHONENCODING=utf-8',
+ ],
+ },
+ healthcheck_url => '/',
+ icinga_check => false,
+ sudo_rules => [
+ 'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-lgproxy restart',
+ 'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-lgproxy start',
+ 'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-lgproxy status',
+ 'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-lgproxy stop',
+ ],
+ }
+
+
+}
diff --git a/modules/birdlg/manifests/lg_frontend.pp b/modules/birdlg/manifests/lg_frontend.pp
new file mode 100644
index 0000000..1eeb1ad
--- /dev/null
+++ b/modules/birdlg/manifests/lg_frontend.pp
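Review bot: The two `file` resources for `/etc/bird/bird.conf` and `/etc/bird/bird6.conf` render `birdlg/bird.conf.erb` and `birdlg/bird6.conf.erb`, but neither template is among the nine files this change adds, so catalog compilation fails for any host including this class until they land or the two resources are removed from this patch-set. Separately, `http-socket => "0.0.0.0:${port}"` makes lgproxy listen on every interface, so the `ACCESS_LIST` rendered from `$access_list` (default `127.0.0.1`) and the ferm rule in the profile are the only things standing between the network and the BIRD control sockets the proxy fronts; binding to the host's service address instead of `0.0.0.0` would narrow that exposure at no cost. The header `# == Class: librenms` is a copy-paste leftover and should read `# == Class: birdlg::lg_backend`.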
@@ -0,0 +1,29 @@
+# == Class: librenms
+#
+# This class installs & manages bird-lg frontend
+#
+class birdlg::lg_frontend(
+ $session_key, #TODO
+ $install_dir='/srv/deployment/birdlg/',
+) {
+
+
+ package { [
+ 'python-flask',
+ 'python-dnspython',
+ 'python-pydot',
+ 'python-memcache',
+ 'graphviz',
+ ]:
+ ensure => present,
+ }
+
+ file { "${install_dir}/lg.cfg":
+ ensure => present,
+ owner => 'bird',
+ group => 'bird',
+ mode => '0440',
+ content => template('birdlg/lg.cfg.erb'),
+ }
+
+}
diff --git a/modules/birdlg/templates/lg.cfg.erb b/modules/birdlg/templates/lg.cfg.erb
new file mode 100644
index 0000000..cddcadd
--- /dev/null
+++ b/modules/birdlg/templates/lg.cfg.erb
@@ -0,0 +1,32 @@
+DEBUG = False
+LOG_FILE="<%= @install_dir %>/lg.log"
+LOG_LEVEL="WARNING"
+
+DOMAIN = "lg.wikimedia.org"
+
+BIND_IP = "127.0.0.1"
+BIND_PORT = 5001
+
+## TODO: Need to either add a line to /etc/hosts or a A record for PROXY.DOMAIN
+PROXY = {
+ "codfw": 5000,
+ "eqiad": 5000,
+ }
+
+# Used for bgpmap
+ROUTER_IP = {
+ "codfw" : ["208.80.153.192", "2620:0:860:ffff::1", "208.80.153.193", "2620:0:860:ffff::2", "208.80.153.198", "2620:0:860:ffff::5"],
+ "eqiad" : ["208.80.154.196", "2620:0:861:ffff::1", "208.80.154.197", "2620:0:861:ffff::2"],
+}
+
+AS_NUMBER = {
+ "codfw" : "14907",
+ "eqiad" : "14907"
+}
+
+#WHOIS_SERVER = "whois.foo.bar"
+
+# DNS zone to query for ASN -> name mapping
+ASN_ZONE = "asn.cymru.com"
+
+SESSION_KEY = '<%= @session_key %>'
diff --git a/modules/birdlg/templates/lgproxy.cfg.erb b/modules/birdlg/templates/lgproxy.cfg.erb
new file mode 100644
index 0000000..a3d954b
--- /dev/null
+++ b/modules/birdlg/templates/lgproxy.cfg.erb
@@ -0,0 +1,8 @@
+DEBUG=False
+LOG_FILE="<%= @install_dir %>/lg-proxy.log"
+LOG_LEVEL="WARNING"
+ACCESS_LIST = ["<%= @access_list.join('", "') %>"]
+IPV4_SOURCE=""
+IPV6_SOURCE=""
+BIRD_SOCKET="/var/run/bird/bird.ctl"
+BIRD6_SOCKET="/var/run/bird/bird6.ctl"
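Review bot: `birdlg::lg_frontend` declares a mandatory `$session_key` parameter, but `profile::birdlg::lg_frontend` later in this change declares the class with `secret_key => $secret_key`, so the catalog fails on both an unknown `secret_key` parameter and a missing `session_key`; the profile line should be `session_key => $secret_key,` (or the parameter renamed here and in lg.cfg.erb, which reads `@session_key`). The header `# == Class: librenms` should read `# == Class: birdlg::lg_frontend`. Nothing in this class or in the profile starts the frontend Flask application that lg.cfg binds to 127.0.0.1:5001 and that the Apache template proxies to; if that is deliberately deferred to a later patch-set, a `# TODO: service to run lg.wsgi on BIND_PORT` here would save the next reader the search.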
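Review bot: `SESSION_KEY = '<%= @session_key %>'` splices the secret into a single-quoted Python literal with no escaping, so a key containing `'` or `\` yields a config that does not parse and the app falls over at start; `SESSION_KEY = <%= @session_key.inspect %>` emits a quoted, escaped literal that Python reads identically for the plain ASCII keys a password store normally holds. The secret is written to `<%= @install_dir %>/lg.cfg` with mode 0440 owned by bird, which is fine, but `LOG_FILE` points into the same deployment directory and nothing in this change shows that directory being writable by the user the app runs as — worth confirming when the frontend service is added.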
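Review bot: `ACCESS_LIST = ["<%= @access_list.join('", "') %>"]` renders an empty `$access_list` as `[""]` rather than `[]` and breaks on any entry containing `"`; `ACCESS_LIST = <%= @access_list.inspect %>` produces a correct Python list for the IP strings passed here, including the empty case. Because this list is the application-side gate in front of `BIRD_SOCKET` and `BIRD6_SOCKET`, a one-line comment above it saying what the entries are matched against (presumably the source address of the frontend's request) would help whoever widens it later.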
diff --git a/modules/profile/manifests/birdlg/lg_backend.pp b/modules/profile/manifests/birdlg/lg_backend.pp
new file mode 100644
index 0000000..6eaa67d
--- /dev/null
+++ b/modules/profile/manifests/birdlg/lg_backend.pp
@@ -0,0 +1,35 @@
+# Class: profile::birdlg::lg_backend
+#
+# This profile installs all the bird-lg backend related parts as WMF requires it
+#
+# Actions:
+# Deploy bird-lg
+# Install uwsgi
+# Configure firewall rules
+#
+# Requires:
+#
+# Sample Usage:
+# include profile::birdlg::lg_backend
+
+
+class profile::birdlg::lg_backend(
+) {
+ $port = 5000
+
+ include passwords::bird-lg
+ $secret_key = $passwords::birdlg::secret_key ### TODO Not defined yet
+
+
+ ferm::service { 'bird-lg-proxy':
+ proto => 'tcp',
+ port => $port,
+ srange => '$PRODUCTION_NETWORKS',
+ }
+
+class { 'birdlg::lg_backend':
+ port => $port,
+ access_list => ['208.80.154.5','208.80.153.110'],
+ }
+
+}
diff --git a/modules/profile/manifests/birdlg/lg_frontend.pp b/modules/profile/manifests/birdlg/lg_frontend.pp
new file mode 100644
index 0000000..19b4075
--- /dev/null
+++ b/modules/profile/manifests/birdlg/lg_frontend.pp
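Review bot: `include passwords::bird-lg` is not a valid Puppet class name (hyphens are not permitted), and the `$secret_key` read on the next line comes from a different namespace, `$passwords::birdlg::secret_key`, and is then never used because `birdlg::lg_backend` has no such parameter; both lines can be dropped from the backend profile, as the `### TODO` half-acknowledges. The ferm rule opens port 5000 to `$PRODUCTION_NETWORKS` while the application ACL is limited to the two frontend addresses in `access_list`; carrying the same two hosts in `srange` keeps a bug or misconfiguration in lgproxy's ACL from being the only barrier in front of the BIRD control sockets. The `class { 'birdlg::lg_backend':` declaration is not indented like the rest of the block.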
@@ -0,0 +1,67 @@
+
+# Class: profile::birdlg::lg_frontend
+#
+# This profile installs all the bird-lg frontend related parts as WMF requires it
+#
+# Actions:
+# Deploy bird-lg
+# Install uwsgi
+# Install apache
+#
+# Requires:
+#
+# Sample Usage:
+# include profile::birdlg::lg_backend
+
+
+class profile::birdlg::lg_frontend($active_server = hiera('netmon_server', 'netmon1002.wikimedia.org')){
+ # lint:ignore:wmf_styleguide
+ include ::apache
+ include ::apache::mod::headers
+ include ::apache::mod::proxy_http
+ include ::apache::mod::proxy
+ include ::apache::mod::rewrite
+ include ::apache::mod::ssl
+ include ::apache::mod::wsgi
+ # lint:endignore
+
+ include passwords::bird-lg
+ $secret_key = $passwords::birdlg::secret_key
+
+ class { 'birdlg::lg_frontend':
+ secret_key => $secret_key,
+ }
+
+ $ssl_settings = ssl_ciphersuite('apache', 'mid', true)
+
+ apache::site { 'lg.wikimedia.org':
+ content => template('profile/birdlg/lg.wikimedia.org.erb'),
+ }
+
+ letsencrypt::cert::integrated { 'birdlg':
+ subjects => 'lg.wikimedia.org',
+ puppet_svc => 'apache2',
+ system_svc => 'apache2',
+ require => Class['apache::mod::ssl'],
+ }
+
+ if $active_server == $::fqdn {
+ $monitoring_ensure = 'present'
+ } else {
+ $monitoring_ensure = 'absent'
+ }
+
+ monitoring::service { 'birdlg-https':
+ ensure => $monitoring_ensure,
+ description => 'HTTPS',
+ check_command => 'check_ssl_http_letsencrypt!lg.wikimedia.org',
+ }
+
+ monitoring::service { 'birdlg':
+ ensure => $monitoring_ensure,
+ description => 'LibreNMS HTTPS',
+ check_command => 'check_https_url!lg.wikimedia.org!https://lg.wikimedia.org',
+ }
+
+
+}
diff --git a/modules/profile/templates/birdlg/lg.wikimedia.org.erb b/modules/profile/templates/birdlg/lg.wikimedia.org.erb
new file mode 100644
index 0000000..5d97636
--- /dev/null
+++ b/modules/profile/templates/birdlg/lg.wikimedia.org.erb
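Review bot: The `birdlg` monitoring resource carries `description => 'LibreNMS HTTPS'` and the header's sample usage says `include profile::birdlg::lg_backend`, both leftovers from the librenms profile this was copied from; `description => 'Bird-lg HTTPS'` and `include profile::birdlg::lg_frontend`. As in the backend profile, `include passwords::bird-lg` is not a valid class name and does not match the `$passwords::birdlg::secret_key` lookup that follows it. The template `lg.wikimedia.org.erb` branches on `@port`, which this class never sets (an unset instance variable is nil in ERB), so the hard-coded 5001 fallback is always taken; either define `$port = 5001` here so the template and lg.cfg share one value, or drop the conditional from the template. The frontend class is declared with `secret_key`, but its parameter is `$session_key`; the fix belongs with that class and is noted there.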
@@ -0,0 +1,60 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+#####################################################################
+# vim: filetype=apache
+
+
+<VirtualHost *:80>
+ ServerName birdlg.wikimedia.org
+ ServerAdmin n...@wikimedia.org
+ Include /etc/acme/challenge-apache.conf
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
+ RewriteRule ^/(.*)$ https://birdlg.wikimedia.org/$1 [L,R=301]
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName netbox.wikimedia.org
+ ServerAdmin n...@wikimedia.org
+
+ SSLEngine on
+ SSLCertificateFile /etc/acme/cert/birdlg.crt
+ SSLCertificateChainFile /etc/acme/cert/birdlg.chain.crt
+ SSLCertificateKeyFile /etc/acme/key/birdlg.key
+ <%= @ssl_settings.join("\n ") %>
+
+ # https://httpoxy.org/
+ RequestHeader unset Proxy early
+
+ ProxyPreserveHost On
+
+ Alias /static /srv/deployment/birdlg/static
+
+ # Needed to allow token-based API authentication
+ WSGIPassAuthorization on
+
+ <Directory /srv/deployment/birdlg/static>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Require all granted
+ </Directory>
+
+ <Location /static>
+ ProxyPass !
+ </Location>
+
+ <%- if @port -%>
+ ProxyPass / http://127.0.0.1:<%= @port%>/
+ ProxyPassReverse / http://127.0.0.1:<%= @port%>/
+ <%- else -%>
+ ProxyPass / http://127.0.0.1:5001/
+ ProxyPassReverse / http://127.0.0.1:5001/
+ <%- end -%>
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+ CustomLog /var/log/apache2/lg.wikimedia.org-access.log wmf
+ ErrorLog /var/log/apache2/lg.wikimedia.org-error.log
+
+</VirtualHost>
diff --git a/modules/role/manifests/birdlg/lg_backend.pp b/modules/role/manifests/birdlg/lg_backend.pp
new file mode 100644
index 0000000..6259dd6
--- /dev/null
+++ b/modules/role/manifests/birdlg/lg_backend.pp
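Review bot: The `*:443` vhost has `ServerName netbox.wikimedia.org` while the port-80 vhost and its redirect use `birdlg.wikimedia.org`, yet the `apache::site`, the Let's Encrypt subject and the log file names are all `lg.wikimedia.org`; the certificate is issued for lg.wikimedia.org only, so a client redirected to birdlg.wikimedia.org gets a hostname mismatch, and name-based vhost selection on 443 goes by `ServerName`. All three should agree: `ServerName lg.wikimedia.org` in both vhosts and `RewriteRule ^/(.*)$ https://lg.wikimedia.org/$1 [L,R=301]`. `Options Indexes FollowSymLinks MultiViews` on the static directory publishes a listing of `/srv/deployment/birdlg/static`; `Options -Indexes +FollowSymLinks` is enough for serving assets. `WSGIPassAuthorization on` (and the `mod_wsgi` include in the profile) is unused because the app is reached through `ProxyPass`, so it can go along with its comment.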
@@ -0,0 +1,20 @@
+# Class: role::birdlg::lg_backend
+#
+# This profile installs all the bird-lg backend related parts as WMF requires it
+#
+# Actions:
+# Deploy bird-lg backend
+#
+# Requires:
+#
+# Sample Usage:
+# include role::birdlg::lg_backend
+#
+
+class role::birdlg::lg_backend {
+
+ system::role { 'birdlg::lg_backend': description => 'Bird-lg backend' }
+
+ include ::profile::birdlg::lg_backend
+
+}
diff --git a/modules/role/manifests/birdlg/lg_frontend.pp b/modules/role/manifests/birdlg/lg_frontend.pp
new file mode 100644
index 0000000..f9628a0
--- /dev/null
+++ b/modules/role/manifests/birdlg/lg_frontend.pp
@@ -0,0 +1,20 @@
+# Class: role::birdlg::lg_frontend
+#
+# This profile installs all the bird-lg frontend related parts as WMF requires it
+#
+# Actions:
+# Deploy bird-lg frontend
+#
+# Requires:
+#
+# Sample Usage:
+# include role::birdlg::lg_frontend
+#
+
+class role::birdlg::lg_frontend {
+
+ system::role { 'birdlg::lg_frontend': description => 'Bird-lg frontend' }
+
+ include ::profile::birdlg::lg_frontend
+
+}
--
To view, visit https://gerrit.wikimedia.org/r/390330
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3bbd8851a67fde8d9d778f6d3c263879ccfd659a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ayounsi <ayou...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits