From d37840100eef176b61f679f606329bd5ce2adece Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Mon, 13 Jul 2015 14:17:42 +0200 Subject: [PATCH] Various fixes to the library roles. --- haproxy/defaults/main.yml | 3 +++ haproxy/tasks/main.yml | 11 ++++++++++ iptables/handlers/main.yml | 15 ++++++++----- iptables/tasks/main.yml | 5 ++++- iptables/templates/iptables-rules.v4.j2 | 13 ++++++++++++ mysql/defaults/main.yml | 1 + mysql/templates/client.cnf.j2 | 2 +- mysql/templates/server.cnf.j2 | 18 ++++++++-------- postgresql/tasks/configure-access.yml | 4 ++-- revive-adserver/defaults/main.yml | 2 +- ssh-keys/defaults/main.yml | 3 ++- ubuntu-deb-general/defaults/main.yml | 21 +----------------- ubuntu-deb-general/tasks/pubkeys.yml | 8 +++---- varnish-cache/defaults/main.yml | 25 +++++++++++++++++++--- varnish-cache/handlers/main.yml | 3 +++ varnish-cache/tasks/main.yml | 22 ++++++++++++++++++- varnish-cache/templates/varnish.params.j2 | 26 ++++++++--------------- 17 files changed, 117 insertions(+), 65 deletions(-) diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index 8fc878af..9fb3f843 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml @@ -3,6 +3,9 @@ haproxy_latest_release: False haproxy_version: 1.5 haproxy_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main" haproxy_pkg_state: latest +haproxy_enabled: True haproxy_default_port: 80 haproxy_terminate_tls: False +haproxy_ssl_port: 443 +haproxy_admin_port: 8880 diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 4f9d9107..ddcd76a8 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -25,3 +25,14 @@ apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }} when: haproxy_latest_release tags: haproxy + +- name: Ensure that haproxy is enabled and started + service: name=haproxy state=started enabled=yes + when: haproxy_enabled + ignore_errors: True + tags: haproxy + +- name: Ensure that haproxy is stopped and disabled if needed + service: name=haproxy state=stopped enabled=no + when: not haproxy_enabled + tags: haproxy diff --git a/iptables/handlers/main.yml b/iptables/handlers/main.yml index 150bdd77..d8346c34 100644 --- a/iptables/handlers/main.yml +++ b/iptables/handlers/main.yml @@ -1,6 +1,15 @@ --- - name: Start the iptables service - service: name=iptables-persistent state=started + service: name=iptables-persistent state=restarted enabled=yes + when: + - is_precise + - is_trusty + - is_debian7 + notify: Restart fail2ban + +- name: Start the netfilter service + service: name=netfilter-persistent state=restarted enabled=yes + when: is_debian8 notify: Restart fail2ban - name: Flush the iptables rules @@ -19,7 +28,3 @@ service: name=fail2ban state=restarted enabled=yes when: is_trusty - -- name: Start the netfilter service - service: name=netfilter-persistent state=started - notify: Restart fail2ban diff --git a/iptables/tasks/main.yml b/iptables/tasks/main.yml index edd085a7..5dc7ec66 100644 --- a/iptables/tasks/main.yml +++ b/iptables/tasks/main.yml @@ -22,7 +22,10 @@ with_items: - rules.v4 - rules.v6 - when: is_precise or is_trusty or is_debian7 + when: + - is_precise + - is_trusty + - is_debian7 notify: Start the iptables service tags: - iptables diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2 index a0f60d27..5670652d 100644 --- a/iptables/templates/iptables-rules.v4.j2 +++ b/iptables/templates/iptables-rules.v4.j2 @@ -61,6 +61,19 @@ -A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP {% endif %} +{% if mysql_db_port is defined %} +{% if mysql_listen_on_ext_int %} +# mysql clients +{% for db in mysql_db_data %} +{% for ip in db.allowed_hosts %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT +{% endfor %} +{% endfor %} +{% endif %} +-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT +-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP +{% endif %} + {% if mongodb_allowed_hosts is defined %} # mongodb clients {% for ip in mongodb_allowed_hosts %} diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 72d4f75a..ba9167e3 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -2,6 +2,7 @@ mysql_enabled: True mysql_pkg_state: present mysql_conf_dir: /etc/mysql/conf.d +mysql_socket: /var/run/mysqld/mysqld.sock # python-mysqldb is needed by ansible to manage users and databases mysql_packages_list: diff --git a/mysql/templates/client.cnf.j2 b/mysql/templates/client.cnf.j2 index 196d5dcf..a0bfa0c8 100644 --- a/mysql/templates/client.cnf.j2 +++ b/mysql/templates/client.cnf.j2 @@ -2,5 +2,5 @@ [client] #password = your_password port = 3306 -socket = /var/lib/mysql/mysql.sock +socket = {{ mysql_socket }} diff --git a/mysql/templates/server.cnf.j2 b/mysql/templates/server.cnf.j2 index f92e0686..71dc007f 100644 --- a/mysql/templates/server.cnf.j2 +++ b/mysql/templates/server.cnf.j2 @@ -3,7 +3,7 @@ # The MariaDB server [mysqld] port = {{ mysql_db_port }} -socket = /var/lib/mysql/mysql.sock +socket = {{ mysql_socket }} max_connections = {{ mysql_db_max_connections }} skip-external-locking key_buffer_size = 16M @@ -18,13 +18,13 @@ myisam_sort_buffer_size = 16M # Point the following paths to different dedicated disks #tmpdir = /tmp/ -# Don't listen on a TCP/IP port at all. This can be a security enhancement, -# if all processes that need to connect to mysqld run on the same host. -# All interaction with mysqld must be made via Unix sockets or named pipes. -# Note that using this option without enabling named pipes on Windows -# (via the "enable-named-pipe" option) will render mysqld useless! -# -#skip-networking +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +{% if mysql_listen_on_ext_int %} +bind-address = 0.0.0.0 +{% else %} +bind-address = 127.0.0.1 +{% endif %} # Enable binary logging. This is required for acting as a MASTER in a # replication configuration. You also need the binary log if you need @@ -49,4 +49,4 @@ innodb_flush_log_at_trx_commit = 1 innodb_lock_wait_timeout = 50 [mysqld_safe] -open-files-limit = {{ mysql_safe_open_files_limit }} \ No newline at end of file +open-files-limit = {{ mysql_safe_open_files_limit }} diff --git a/postgresql/tasks/configure-access.yml b/postgresql/tasks/configure-access.yml index bc6c71e0..d406f976 100644 --- a/postgresql/tasks/configure-access.yml +++ b/postgresql/tasks/configure-access.yml @@ -21,7 +21,7 @@ - pg_hba - name: We want postgres listen on the public IP - action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="*" + action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="'*'" notify: Restart postgresql when: - psql_listen_on_ext_int @@ -32,7 +32,7 @@ - pg_conf - name: If postgresql is only accessed from localhost make it listen only on the localhost interface - action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="localhost" + action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="'localhost'" notify: Restart postgresql when: - not psql_listen_on_ext_int diff --git a/revive-adserver/defaults/main.yml b/revive-adserver/defaults/main.yml index cddfdebd..560a499b 100644 --- a/revive-adserver/defaults/main.yml +++ b/revive-adserver/defaults/main.yml @@ -1,7 +1,7 @@ --- revive_pkg_state: latest -revive_ad_version: 3.1.0 +revive_ad_version: 3.2.1 revive_ad_download_url: 'http://download.revive-adserver.com/revive-adserver-{{ revive_ad_version }}.tar.gz' revive_ad_install_dir: '/opt' diff --git a/ssh-keys/defaults/main.yml b/ssh-keys/defaults/main.yml index b69fce4f..705648e8 100644 --- a/ssh-keys/defaults/main.yml +++ b/ssh-keys/defaults/main.yml @@ -32,7 +32,8 @@ farah_karim: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzKSQSk3ntKGUW2Cy8lt/44BTK2+U luca_frosini: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlTQulSJFayTJyOOecgsct35u7uvVQGX/Da11UZVxvJzw2sQKOMSCMBBGF9zUlcMoP/qvF425jVMM71S8kamCcqgSN528fp9W/Nhw7s15NbCE3H9tJ3B+u5ESOYsRfgogeTIyL26aIY/2rke0DoKDIMU3YlOtN/1ipt5cY9uV3ootxTM126y2WChICGo0h77M/Ta1pIccUE0XbuaA1HwlJBkfDzQ2kh5tkaC7mjeETstOQzpEoPFoVr0qwSPz1Y6l8uiedpDZejrq64Z2zRcSxjEQ1wuA9r8uO7TJQttUKK8m/dHMe6q3WAiFc9sOYe4tf/GEmziB8VloMTNCPJQiz lucafrosini@pc-frosini francesco_mangiacrapa: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDa0NzwaCcauxAFlsupU2xG2eff9nzep9bnb8pISbX2lk+K4yoJvJOAz9W9klJtpPX/IUJx18YR4jjDNcdiYWNh4Y+5jKT2EhSPNkj7Vw2MhA/ZeOrfHx7JNtL8gdxa8XxYB0ZoZqutRppmaRwWmGGwdVh0wyUzWR/v0OT01IuQGYVneLKIjUtx+BcWGsosWISaOQzVbv9iTFbSwgjbkKFHzHasxwKsrK4t1wvbzuxwhVC+5/VKghBJWN219m/PO+itww/fSes0KpI5X/7q8jrYzUgYwrKwt290U41Fx8syDQ6101YnRzMXZRyZwuVNh2S7WosGWebg5nPS4IjKho/F francesco-mangiacrapa@ubuntu-francesco-i24 lucia_vadicamo: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAqR/WChJL0M/EOQ1Jg7x7H5dmgb9jb/Rs+ZsWFdEvIlbNzZPUhTofvazHHLObR/RtLl4+9jjG83bNJHOTysrtY0c4BOcgBRFm3HRAr6TTU7bpoC0bleycKWmgXbP3nVfRgwd0N0tlmsDMBopdfZ7BwUH3SARQ8ssWbi1ahTP6IiYE6oCOxzDhXHRRGIdHhcRbE6vFaN+BTQKX/1zfFimPnuhiQUyZwX1KtBNnjxbxaNTIUbyDUxmyLo3S66EnNqXD6n4jDDWXJb0HkI4eDTtGFxaF02PSzXr8X3ZTWDBX+/YkzaWeesvtubYa0QlZ19D2+WJZJi0SmPDf7XifPtq0iu2UB4DFPQeRGAIctxmxTSMQMhngblSdSY6R+ZXG8yxtd/b3iNQaD3s8xkjYeXouno6djnJyIA/Wu2Asn6zLJC5qyVTTNUq5QNMIoNoX4Eq74eri2yzieQGRegDNie5NxjiRyo4kdHV3gihRDm53MCUL1aKz0SijmSfNeaP8weO77qKXaYNbuiEJYtU2io14mOHYHfMlvFf059QcqxQUAEOWl1YrELExHJmNJKjl/2/nCq6Ns4JMDEHicisjTfE5GAZHJVFgKRVroRzySHfxRTBXXyPDPzjN9aZy7HKSFiUXnKKS3jrVsbQ5xKdtOOzo6Uy3mIakTQ/JWDbzQ0fMwoE= lucia.vadicamo@isti.cnr.it -sahar_vahdati: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB38nRuOy6g0UEkYLZ5v+VGQIbZAFjylEtbmZJAN3OMm+wcgoCTIBvytZ6Ajp8ZTT1tTqo2rsAVb8O5pv08Qaunl5VBfvEUyqNdYX9SY1kB5PzKtBZBbkkUI4AE7BNJKKuki0nYvOHP5p07FdobC2OjILGxci4zn37X+CGEykNrXQ== rsa-key-20150605 +sahar_vahdati_old: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB38nRuOy6g0UEkYLZ5v+VGQIbZAFjylEtbmZJAN3OMm+wcgoCTIBvytZ6Ajp8ZTT1tTqo2rsAVb8O5pv08Qaunl5VBfvEUyqNdYX9SY1kB5PzKtBZBbkkUI4AE7BNJKKuki0nYvOHP5p07FdobC2OjILGxci4zn37X+CGEykNrXQ== rsa-key-20150605 +sahar_vahdati: ssh-dss AAAAB3NzaC1kc3MAAAEBAMAfb7STRygwnvobeoYs+znGDFSauwFJ53SGiqxWvws7VO84JLCGPrInrnFYhU6eJAWd7W24ebQhBLqEKprJ85+j068F8kBL3EoR3yyS47jHeM9nZtQEoPuPJIdQotKEUcsEB0qXsdxrK/g2xOwEE/QTvxHHoHdrlrV5i8nL2iRJZTLn1OdoyHTUJMX778RJuqsApY9duyi6Sx7YshF4uFqNiarrEUu0ldG2K8akBwQEvDBJuXsDKD5GJmRzBbqDX8xswTORelvcVtDk/TD0wMMKudBNQfktTPXATBCx6oPQ3gzBlLDF4KrnwKZ+I75c6/Q+AIz3OMM8vrcB6JMLk0MAAAAVAPKLs+YuP5ulRX484PevayNHavKJAAABAFcjNAQ1KxUKaNBeDMtNj8WWkMyx02HUPWf8ztKetTyvavK4ILTrQAwsgvH3dmOMSnm4ckWMSxQ/v+zbU/mKNddyNo7BJqRT4rKbQUvp5Mg5E+PkZNZaiTu9C8rLIa1JbUoEyssqLAlFbIviJlwpLgaf+jY7ZCJso7kCYRWkcXMaEnNvqCd5u8IAGBZijI/L9TtAIyjgYoh4pYdAPWjYTjH+nH9xpIuN7KQEVq1ba/WyAe9xVNPta+fnuHiUHbUpNaExhIs4pskfCI5EuBBgxtixkSPssZaNFlWXx2rwFLnfvnLxeG9t7qbXs5LPoo0x0miq/eo+jgIHel9uEvN/BNYAAAEAQ/qXwtXcw1aA7PoKOTOmwaproFmcnu/7unEEu16/G4F2t76kz4CwehGgq19MnbgfzBL64qfs9A5UxI4HRJ6e5/Ik1a1dv/tSVSgA+rKJWeCZr1cTg5Y/u7OAk/mik0nL7r7TraofYvGAWl7ckYeN/28wv5TWSNB6CkPix69DgLvapjU5RG+7DPhzINc5MF75MjFRTnc5eAeC2wv2+3MzGzm78+i6UPpwd7Jj/BKTvtj0XinHJj+QNhkVtH6lAYDnAJNrQXpiGCKScVs1YCNbF9xHtBN1wlU99k+FdjLVsef3L348c3QWTVloXoh+HC0eNwt8QvLUyZLGyaCAy0ifvw== dsa-key-20150709 christoph_lange: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvFxHqgmIkBfdyxRCMGhj2R+Bj05EBB7DlBrlKy6eM3K3EnPP+0dlMW+KhGwcu5sHFjyPtdngEO8AX1TQCUgifhd9++fBVAfUfKU5+dUqqyFFeQjQMqbf7pzWCJ9JjQ5tk1If9IzgBe/50ro0SCqIbod3FogSe4RZqQV1P0znxaHt4ngJSRYnRK+6gniMuT+SlcKgjDM8v8RP4ELWvE0ibduUGoyCEzmmroXgymcL7tpqHTdfo8o3mbcwqRGmCHEplQttFG57PwkJlcQvhKuJHo/Sgcyx2WuEFL/vZMFnuXhaNFg7I1UIO9bNwsLjsbnR9FEK9rjwwl8dKQHDh5R1zQ== clange@BACH # Use the list when you want to give access to non root users diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml index 1d2f17bd..8aefed53 100644 --- a/ubuntu-deb-general/defaults/main.yml +++ b/ubuntu-deb-general/defaults/main.yml @@ -79,25 +79,7 @@ install_resolvconf: True configure_munin: False # Manage the root ssh keys -manage_root_ssh_keys: True - -cm_pubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJN8XR/N4p6FfymWJy7mwR3vbUboC4P+7CgZalflhK5iH0P7c24/zZDY9Y5QIq58IViY7napqZuRkNHnHcvm9mxtSxQ16qe03NulABN5V/ljgR0sQAWz8pwv68LDpR9uBSCbXDdDCUUlS+zOxCHA6s7O7PSFavX4An1Vd/mjwoeR4eLRQXNcKsK2Pu/BZ3TCLmWyi2otnxFiJ8IoKW1CvjxKWmt5BvAvys0dfsdnTSVz9yiUMwN5Oj8cw/jhKqadnkvqTGfGl1ELm9L2V7hT6LM0cIom9oRsQf+JJ6loBe3UUZGaAhY2jmARmZdX3qV9Wh+UtxaWMEAXB9mf/2cK9f jenkins@cm -andrea_dellamico: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ9n6B+J5S7NPnwjejPC2WrvcRzC07WPnAoQ7ZHZ0Mv9JakyWItswzI3Drz/zI0mCamyuye+9dWz9v/ZRwUfBobVyXuptRaZIwxlMC/KsTZofpp3RHOBTteZ4/VM0VhEeiOHu+GuzNE0fRB2gsusWeMMae2cq4TjVAOMcQmJX496L703Smc14gFrP8y/P9jbC5HquuVnPR29PsW4mHidPmjdKkO7QmDfFAj44pEUGeInYOJe708C03NCpsjHw8AVdAJ6Pf16EOdDH+z8D6CByVO3s8UT0HJ85BRoIy6254/hmYLzyd/eRnCXHS/dke+ivrlA3XxG4+DmqjuJR/Jpfx adellam@semovente -tommaso_piccioli: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzcHuDU7PgJwz34AsVG0E2+ZRx17ZKW1uDEGABNk3Z60/c9LTwWKPj6kcIRy6RzFJI5X+IgPJnYouXVmJsIWjVL8IRk8fP1ffJC6Fyf6H7+fCxu/Wwed5OoOCvKeZ0bEmJ1tlXFM6+EnxKqLCvz3fsNy8e4WKMnpS1hT8K6YB7PMjt60S3wOaxds1Lv4NmmgnfGM5uZFYrZCx1/GJCzNSh7AEEEUIVQ1B8xmXbet7whNiwDmiOnXSlt38dkIYT8kNMuRCj/r9wPr7FmoUCOFzUVXTcnuYagKyURrZ8QDyHbK6XQLYXgvCz/lWoErGFbDqpmBHHyvKSeLPxYfJpWJ70w== tom@tom -backup_agent: ssh-dss AAAAB3NzaC1kc3MAAACBANBn5i7oJd12+GAeDVSAiPqCxcCDzWe41g3Vy/LhbYKwG0smPNJRfvyf7lKWkgolJfMJZrk7bBVhJoApkV7vkFkrSPueyRC+/ohjafpOsmxRYiOaSrDZ2c9TbGFVZTh23pUXoDPp2Z0N8l471b9Mx/nqgtflCV+IVICcDZbUhcCTAAAAFQC+fmfljTFllCMKsgrSJcQAtiIT/QAAAIEAvrsLfmQzHQjt4G5FhcPVbvP87KUsDh0xksCfMRP6bQBz/3mcnt7V5/MLll/CZMiOWjRK3ww9zCYHprUwQtAZSllFWiGUKw1tDvf1ZQGESYP/vvWwcpPZpVsRHlhRtuMsQchSRxw03yYOqEEa2akWzQlvaZ4CWWym931mZg6zY4AAAACAG/l8dU/QEMK1JP3rDV0kZYvcxjUC9Mxw5ScTyVqVnxDL75ssX9HiQamsiTk0dYNyl8qkB38FfkB4LhEb8FkHs4toN+nTNPPlLqhpYMs+anwyNy32LnXAVP02VJ2+3exwGe0b5vtIFpj+j8s7YZMHN5x6d4xhZ9oq5M2pJN6M48E= root@dlibbackup -monja_dariva: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQJvgDc8lQB+EArajGPEirRuYxGcInfiM3uRS0P5Dhqch6cuNdMFFjCoQVFL2Dvs7QNSRm8mvnPLWOCYLEFPBdXlA63w+n3VWoVOs0lUgQM77/axetd/K8BCkJlcA/exvVxLtzc5k8hN1k3OJY/Npi2Xa4WyEMV6t7+vYK3MXPjFBy4Y/aLWZvHcCn0zUbeB8T8PJ2S8taCIOMzemUzjGs3c0f4y6oaJx1gPw31PCahkaVS4ZLSt+0y3DRaGiXjyzgbQPf1whBOT4SSiX3SgdMvxA/Fzz2sSAn9PNfKq+/vygn7qDB79qzBhOXs36dPuwmsqggxIZasGUT/YfRp5Cw== monja@pc-monja - -old_marko_mikulicic: ssh-dss AAAAB3NzaC1kc3MAAACBAO/KjuevegLjP3SXeZAdmHySuOjlNWllsuurdzes9HwF7HBEtFAuSE7vBeNcpfsdUytq92JUBAwNk9VwxNnnyVgeznFQ7ocGBh0Yfu4j9EXiWVA7vO8xZ9kqjl+HwUELrR1a8d4mngXgNQ1OAm+i3vvpBA6b4CV2L2hrEsPL5LPVAAAAFQD0VroYiG13uOsHCJaVyWH6V7w4twAAAIA4moWcTj36r+FpJYHH3c+QGC8XgPi6mwsqJexJ3sZRfEDAuDTgB5UyLJStY5EE2pChVpACx8KDlONcyuCdA8HIDC+RAJ03tY//UR2Ndg1y0yH8BnpjFM9Ow5JcoWzz9clC4GD0zGA90aiQd37I3JfPoTTEjLvJegg/C8GtlLtB+AAAAIEAgHwTzFLfZ0Q5tDK/kxeKa/x52O4ZfOXBTOYQZy5A6+ohoOOIKuEYmUOxh9ovE38St2+Q+1CgGnhBA79Y2pBdzpvY6VwKdcQBtyZSsJ7ghMTpksdNwZkZ3rIDgMi0yeBUl9qe339dXzV77uM/Q8Tx0UhSHTEIpyu1WZ8d/AAqrCQ= marko - -root_ssh_keys: - - '{{ cm_pubkey }}' - - '{{ andrea_dellamico }}' - - '{{ tommaso_piccioli }}' - - '{{ backup_agent }}' - - '{{ monja_dariva }}' - -obsolete_root_ssh_keys: - - '{{ old_marko_mikulicic }}' +manage_root_ssh_keys: False # # debian/ubuntu distributions controllers @@ -109,7 +91,6 @@ has_htop: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_lsb['major_release'] }}' >= 5" is_debian: "'{{ ansible_distribution }}' == 'Debian'" -#is_debian7: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 7" is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'" is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'" is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 6)" diff --git a/ubuntu-deb-general/tasks/pubkeys.yml b/ubuntu-deb-general/tasks/pubkeys.yml index cfdc6434..5189511d 100644 --- a/ubuntu-deb-general/tasks/pubkeys.yml +++ b/ubuntu-deb-general/tasks/pubkeys.yml @@ -3,11 +3,11 @@ - name: various pub ssh keys for users and apps authorized_key: user=root key="{{ item }}" state=present with_items: root_ssh_keys - tags: - - root_pubkeys + when: manage_root_ssh_keys + tags: root_pubkeys - name: Remove obsolete keys from the authorized ones authorized_key: user=root key="{{ item }}" state=absent with_items: obsolete_root_ssh_keys - tags: - - root_pubkeys + when: obsolete_root_ssh_keys is defined + tags: root_pubkeys diff --git a/varnish-cache/defaults/main.yml b/varnish-cache/defaults/main.yml index bd519c7b..6e2afd50 100644 --- a/varnish-cache/defaults/main.yml +++ b/varnish-cache/defaults/main.yml @@ -8,23 +8,42 @@ varnish_pkg_name: varnish varnish_pkg_state: present varnish_enabled: True - -varnish_listen_port: 6810 +varnish_instance_name: '{{ ansible_fqdn }}' +varnish_listen_port: 6081 +varnish_admin_listen_port: 6082 +varnish_admin_listen_host: 127.0.0.1 +varnish_vcl_conf: /etc/varnish/default.vcl +varnish_secret_file: /etc/varnish/secret +varnish_pid_file: /var/run/varnish.pid +varnish_n_files: 131072 +varnish_memlock: 82000 varnish_static_c_timeout: 240s varnish_static_first_byte_timeout: 360s varnish_static_between_bytes_timeout: 360s varnish_min_threads: 10 varnish_max_threads: 1000 +varnish_thread_timeout: 120 # We are using 3000 in production varnish_static_max_connections: 200 +# +# Choose if we want static disk based cache or volatile ram based one +varnish_use_disk_cache: True varnish_storage_file: /var/lib/varnish/varnish_storage.bin # We are using 12288M in production varnish_storage_size: 1G +# +varnish_use_ram_cache: False # Expressed in MBs. We do not use it right now -varnish_ram_cache_size: 512 +varnish_ram_cache_size: 512M # We are using 48000 in production varnish_ttl: 120 varnish_user: varnish varnish_group: varnish varnish_purge_whitelist: - 127.0.0.1 + +varnish_set_sysctl_params: False +varnish_sysctl_file: 30-varnish.conf +varnish_sysctl_kernel_parameters: + - { name: 'net.core.rmem_max', value: '212992' } + - { name: 'net.core.wmem_max', value: '212992' } diff --git a/varnish-cache/handlers/main.yml b/varnish-cache/handlers/main.yml index 9a6c15ce..8620c797 100644 --- a/varnish-cache/handlers/main.yml +++ b/varnish-cache/handlers/main.yml @@ -2,4 +2,7 @@ - name: Reload varnish service: name=varnish state=reloaded +- name: Restart varnish + service: name=varnish state=restarted + diff --git a/varnish-cache/tasks/main.yml b/varnish-cache/tasks/main.yml index 87781899..40d1337a 100644 --- a/varnish-cache/tasks/main.yml +++ b/varnish-cache/tasks/main.yml @@ -27,11 +27,31 @@ with_items: varnish_pkg_name tags: varnish +- name: Configure some kernel parameters via sysctl + sysctl: name={{ item.name }} value={{ item.value }} sysctl_file=/etc/sysctl.d/{{ varnish_sysctl_file }} reload=yes state=present + with_items: varnish_sysctl_kernel_parameters + when: varnish_set_sysctl_params + tags: [ 'varnish', 'varnishconf', 'sysctl' ] + - name: Install the varnish parameters file. The config file needs to be set by a local task template: src={{ item }}.j2 dest=/etc/default/varnish owner=root group=root mode=0444 with_items: - varnish.params - notify: Reload varnish + notify: Restart varnish + tags: [ 'varnish', 'varnishconf' ] + +- name: Install the varnish systemd unit in debian 8 + template: src={{ item }}.systemd.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0444 + with_items: + - varnish.service + notify: Restart varnish + when: is_debian8 + register: install_varnish_unit + tags: [ 'varnish', 'varnishconf' ] + +- name: Reload the systemd unit when changed + command: systemctl daemon-reload + when: ( install_varnish_unit | changed ) tags: [ 'varnish', 'varnishconf' ] - name: Ensure that the varnish service is started and enabled diff --git a/varnish-cache/templates/varnish.params.j2 b/varnish-cache/templates/varnish.params.j2 index fb505730..b0ab8516 100644 --- a/varnish-cache/templates/varnish.params.j2 +++ b/varnish-cache/templates/varnish.params.j2 @@ -12,23 +12,23 @@ START=no RELOAD_VCL=1 # Maximum number of open files (for ulimit -n) -NFILES=131072 +NFILES={{ varnish_n_files }} # Maximum locked memory size (for ulimit -l) # Used for locking the shared memory log in memory. If you increase log size, # you need to increase this number as well -MEMLOCK=82000 +MEMLOCK={{ varnish_memlock }} # Default varnish instance name is the local nodename. Can be overridden with # the -n switch, to have more instances on a single server. -INSTANCE=$(uname -n) +INSTANCE={{ varnish_instance_name }} ## Alternative 3, Advanced configuration # # See varnishd(1) for more information. # # # Main configuration file. You probably want to change it :) -VARNISH_VCL_CONF=/etc/varnish/default.vcl +VARNISH_VCL_CONF={{ varnish_vcl_conf }} # # # Default address and port to bind to # # Blank address means all IPv4 and IPv6 interfaces, otherwise specify @@ -37,11 +37,11 @@ VARNISH_VCL_CONF=/etc/varnish/default.vcl VARNISH_LISTEN_PORT={{ varnish_listen_port }} # # # Telnet admin interface listen address and port -VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1 -VARNISH_ADMIN_LISTEN_PORT=6082 +VARNISH_ADMIN_LISTEN_ADDRESS={{ varnish_admin_listen_host }} +VARNISH_ADMIN_LISTEN_PORT={{ varnish_admin_listen_port }} # # Shared secret file for admin interface -VARNISH_SECRET_FILE=/etc/varnish/secret +VARNISH_SECRET_FILE={{ varnish_secret_file }} # # The minimum number of worker threads to start VARNISH_MIN_THREADS={{ varnish_min_threads }} @@ -50,7 +50,7 @@ VARNISH_MIN_THREADS={{ varnish_min_threads }} VARNISH_MAX_THREADS={{ varnish_max_threads }} # # # Idle timeout for worker threads -VARNISH_THREAD_TIMEOUT=120 +VARNISH_THREAD_TIMEOUT={{ varnish_thread_timeout }} # # # Cache file location VARNISH_STORAGE_FILE={{ varnish_storage_file }} @@ -70,12 +70,4 @@ VARNISH_TTL={{ varnish_ttl }} VARNISH_USER={{ varnish_user }} VARNISH_GROUP={{ varnish_group }} # -DAEMON_OPTS="-a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} \ - -f ${VARNISH_VCL_CONF} \ - -T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} \ - -t ${VARNISH_TTL} \ - -p thread_pool_min=${VARNISH_MIN_THREADS} \ - -p thread_pool_max=${VARNISH_MAX_THREADS} \ - -p thread_pool_timeout=${VARNISH_THREAD_TIMEOUT} \ - -S ${VARNISH_SECRET_FILE} \ - -s ${VARNISH_STORAGE}" +DAEMON_OPTS="-a :{{ varnish_listen_port }} -P {{ varnish_pid_file }} -f {{ varnish_vcl_conf }} -T {{ varnish_admin_listen_host }}:{{ varnish_admin_listen_port }} -t {{ varnish_ttl }} -p thread_pool_min={{ varnish_min_threads }} -p thread_pool_max={{ varnish_max_threads }} -p thread_pool_timeout={{ varnish_thread_timeout }} -S {{ varnish_secret_file }} -n {{ varnish_instance_name }} {% if varnish_use_disk_cache %}-s file,{{ varnish_storage_file }},{{ varnish_storage_size }}{% endif %} {% if varnish_use_ram_cache %}-s malloc,{{ varnish_ram_cache_size }}{% endif %}"