forked from ISTI-ansible-roles/ansible-roles
Various fixes to the library roles.
This commit is contained in:
parent
4fcf0c81a3
commit
d37840100e
@ -3,6 +3,9 @@ haproxy_latest_release: False
|
|||
haproxy_version: 1.5
|
||||
haproxy_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
|
||||
haproxy_pkg_state: latest
|
||||
haproxy_enabled: True
|
||||
|
||||
haproxy_default_port: 80
|
||||
haproxy_terminate_tls: False
|
||||
haproxy_ssl_port: 443
|
||||
haproxy_admin_port: 8880
|
||||
|
|
|
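Review bot: `haproxy_admin_port: 8880` introduces a stats/admin listener with no companion variable for its bind address or stats credentials, so unless the haproxy.cfg template (not in this diff) restricts it, the admin page is presumably reachable on every interface without authentication. Consider a constructed companion such as `haproxy_admin_bind: 127.0.0.1` consumed by the template, plus a comment above the port like `# admin/stats listener; keep bound to loopback unless stats auth is configured`. Separately, `haproxy_version: 1.5` is an unquoted float that is interpolated into `haproxy_latest_repo`; quote it as `haproxy_version: '1.5'` so a future `1.10` does not render as `1.1`.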
@ -25,3 +25,14 @@
|
|||
apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }}
|
||||
when: haproxy_latest_release
|
||||
tags: haproxy
|
||||
|
||||
- name: Ensure that haproxy is enabled and started
|
||||
service: name=haproxy state=started enabled=yes
|
||||
when: haproxy_enabled
|
||||
ignore_errors: True
|
||||
tags: haproxy
|
||||
|
||||
- name: Ensure that haproxy is stopped and disabled if needed
|
||||
service: name=haproxy state=stopped enabled=no
|
||||
when: not haproxy_enabled
|
||||
tags: haproxy
|
||||
|
|
|
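Review bot: `ignore_errors: True` on "Ensure that haproxy is enabled and started" hides a failed service start, so a host whose haproxy never came up still reports a successful play. The stop/disable task directly below it carries no such override, so the asymmetry looks accidental. Drop the line, or register the result and assert on it in a later task, with a comment stating why a failed start is tolerated.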
@ -1,6 +1,15 @@
|
|||
---
|
||||
- name: Start the iptables service
|
||||
service: name=iptables-persistent state=started
|
||||
service: name=iptables-persistent state=restarted enabled=yes
|
||||
when:
|
||||
- is_precise
|
||||
- is_trusty
|
||||
- is_debian7
|
||||
notify: Restart fail2ban
|
||||
|
||||
- name: Start the netfilter service
|
||||
service: name=netfilter-persistent state=restarted enabled=yes
|
||||
when: is_debian8
|
||||
notify: Restart fail2ban
|
||||
|
||||
- name: Flush the iptables rules
|
||||
|
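Review bot: The `when:` list added to the "Start the iptables service" handler (`- is_precise`, `- is_trusty`, `- is_debian7`) is evaluated with AND semantics by Ansible, and the three distribution facts are mutually exclusive, so the handler can never fire and the persistent iptables rules are never (re)loaded on those releases. The same rewrite appears in the hunk at `@ -22,7 +22,10 @@`, where `when: is_precise or is_trusty or is_debian7` is replaced by the identical list. Keep the scalar form, `when: is_precise or is_trusty or is_debian7`, in both places.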
@ -19,7 +28,3 @@
|
|||
service: name=fail2ban state=restarted enabled=yes
|
||||
when: is_trusty
|
||||
|
||||
|
||||
- name: Start the netfilter service
|
||||
service: name=netfilter-persistent state=started
|
||||
notify: Restart fail2ban
|
||||
|
|
|
@ -22,7 +22,10 @@
|
|||
with_items:
|
||||
- rules.v4
|
||||
- rules.v6
|
||||
when: is_precise or is_trusty or is_debian7
|
||||
when:
|
||||
- is_precise
|
||||
- is_trusty
|
||||
- is_debian7
|
||||
notify: Start the iptables service
|
||||
tags:
|
||||
- iptables
|
||||
|
|
|
@ -61,6 +61,19 @@
|
|||
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
|
||||
{% endif %}
|
||||
|
||||
{% if mysql_db_port is defined %}
|
||||
{% if mysql_listen_on_ext_int %}
|
||||
# mysql clients
|
||||
{% for db in mysql_db_data %}
|
||||
{% for ip in db.allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
|
||||
{% endif %}
|
||||
|
||||
{% if mongodb_allowed_hosts is defined %}
|
||||
# mongodb clients
|
||||
{% for ip in mongodb_allowed_hosts %}
|
||||
|
|
|
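Review bot: The new MySQL block loops over `db.allowed_hosts` for every entry of `mysql_db_data` without a guard, so a database entry that omits `allowed_hosts` aborts template rendering and leaves the host without an updated rule set; `mysql_db_data` is presumably defined in the mysql role, which is not in this diff. `{% for ip in db.allowed_hosts | default([]) %}` keeps rendering, and because the unconditional `-j DROP` on `{{ mysql_db_port }}` follows, such a database simply gets no remote access. A comment above the block such as `# remote access only from each database's allowed_hosts; everything else on the port is dropped` would record that intent.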
@ -2,6 +2,7 @@
|
|||
mysql_enabled: True
|
||||
mysql_pkg_state: present
|
||||
mysql_conf_dir: /etc/mysql/conf.d
|
||||
mysql_socket: /var/run/mysqld/mysqld.sock
|
||||
|
||||
# python-mysqldb is needed by ansible to manage users and databases
|
||||
mysql_packages_list:
|
||||
|
|
|
@ -2,5 +2,5 @@
|
|||
[client]
|
||||
#password = your_password
|
||||
port = 3306
|
||||
socket = /var/lib/mysql/mysql.sock
|
||||
socket = {{ mysql_socket }}
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# The MariaDB server
|
||||
[mysqld]
|
||||
port = {{ mysql_db_port }}
|
||||
socket = /var/lib/mysql/mysql.sock
|
||||
socket = {{ mysql_socket }}
|
||||
max_connections = {{ mysql_db_max_connections }}
|
||||
skip-external-locking
|
||||
key_buffer_size = 16M
|
||||
|
@ -18,13 +18,13 @@ myisam_sort_buffer_size = 16M
|
|||
# Point the following paths to different dedicated disks
|
||||
#tmpdir = /tmp/
|
||||
|
||||
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
|
||||
# if all processes that need to connect to mysqld run on the same host.
|
||||
# All interaction with mysqld must be made via Unix sockets or named pipes.
|
||||
# Note that using this option without enabling named pipes on Windows
|
||||
# (via the "enable-named-pipe" option) will render mysqld useless!
|
||||
#
|
||||
#skip-networking
|
||||
# Instead of skip-networking the default is now to listen only on
|
||||
# localhost which is more compatible and is not less secure.
|
||||
{% if mysql_listen_on_ext_int %}
|
||||
bind-address = 0.0.0.0
|
||||
{% else %}
|
||||
bind-address = 127.0.0.1
|
||||
{% endif %}
|
||||
|
||||
# Enable binary logging. This is required for acting as a MASTER in a
|
||||
# replication configuration. You also need the binary log if you need
|
||||
|
|
|
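Review bot: `bind-address = 0.0.0.0` when `mysql_listen_on_ext_int` is set opens the listener on every interface, and the only thing narrowing access is the per-host ACCEPT/DROP block added to the iptables template in this same commit, which applies only where that role is deployed. If one external address is enough, `bind-address = {{ ansible_default_ipv4.address }}` limits exposure without relying on the firewall; if all interfaces are genuinely needed, a comment such as `# exposed on all interfaces: access is restricted by the iptables rules template` keeps the dependency visible.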
@ -21,7 +21,7 @@
|
|||
- pg_hba
|
||||
|
||||
- name: We want postgres listen on the public IP
|
||||
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="*"
|
||||
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="'*'"
|
||||
notify: Restart postgresql
|
||||
when:
|
||||
- psql_listen_on_ext_int
|
||||
|
@ -32,7 +32,7 @@
|
|||
- pg_conf
|
||||
|
||||
- name: If postgresql is only accessed from localhost make it listen only on the localhost interface
|
||||
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="localhost"
|
||||
action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="'localhost'"
|
||||
notify: Restart postgresql
|
||||
when:
|
||||
- not psql_listen_on_ext_int
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
revive_pkg_state: latest
|
||||
|
||||
revive_ad_version: 3.1.0
|
||||
revive_ad_version: 3.2.1
|
||||
|
||||
revive_ad_download_url: 'http://download.revive-adserver.com/revive-adserver-{{ revive_ad_version }}.tar.gz'
|
||||
revive_ad_install_dir: '/opt'
|
||||
|
|
|
@ -32,7 +32,8 @@ farah_karim: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzKSQSk3ntKGUW2Cy8lt/44BTK2+U
|
|||
luca_frosini: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlTQulSJFayTJyOOecgsct35u7uvVQGX/Da11UZVxvJzw2sQKOMSCMBBGF9zUlcMoP/qvF425jVMM71S8kamCcqgSN528fp9W/Nhw7s15NbCE3H9tJ3B+u5ESOYsRfgogeTIyL26aIY/2rke0DoKDIMU3YlOtN/1ipt5cY9uV3ootxTM126y2WChICGo0h77M/Ta1pIccUE0XbuaA1HwlJBkfDzQ2kh5tkaC7mjeETstOQzpEoPFoVr0qwSPz1Y6l8uiedpDZejrq64Z2zRcSxjEQ1wuA9r8uO7TJQttUKK8m/dHMe6q3WAiFc9sOYe4tf/GEmziB8VloMTNCPJQiz lucafrosini@pc-frosini
|
||||
francesco_mangiacrapa: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDa0NzwaCcauxAFlsupU2xG2eff9nzep9bnb8pISbX2lk+K4yoJvJOAz9W9klJtpPX/IUJx18YR4jjDNcdiYWNh4Y+5jKT2EhSPNkj7Vw2MhA/ZeOrfHx7JNtL8gdxa8XxYB0ZoZqutRppmaRwWmGGwdVh0wyUzWR/v0OT01IuQGYVneLKIjUtx+BcWGsosWISaOQzVbv9iTFbSwgjbkKFHzHasxwKsrK4t1wvbzuxwhVC+5/VKghBJWN219m/PO+itww/fSes0KpI5X/7q8jrYzUgYwrKwt290U41Fx8syDQ6101YnRzMXZRyZwuVNh2S7WosGWebg5nPS4IjKho/F francesco-mangiacrapa@ubuntu-francesco-i24
|
||||
lucia_vadicamo: ssh-rsa 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 lucia.vadicamo@isti.cnr.it
|
||||
sahar_vahdati: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB38nRuOy6g0UEkYLZ5v+VGQIbZAFjylEtbmZJAN3OMm+wcgoCTIBvytZ6Ajp8ZTT1tTqo2rsAVb8O5pv08Qaunl5VBfvEUyqNdYX9SY1kB5PzKtBZBbkkUI4AE7BNJKKuki0nYvOHP5p07FdobC2OjILGxci4zn37X+CGEykNrXQ== rsa-key-20150605
|
||||
sahar_vahdati_old: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB38nRuOy6g0UEkYLZ5v+VGQIbZAFjylEtbmZJAN3OMm+wcgoCTIBvytZ6Ajp8ZTT1tTqo2rsAVb8O5pv08Qaunl5VBfvEUyqNdYX9SY1kB5PzKtBZBbkkUI4AE7BNJKKuki0nYvOHP5p07FdobC2OjILGxci4zn37X+CGEykNrXQ== rsa-key-20150605
|
||||
sahar_vahdati: ssh-dss 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 dsa-key-20150709
|
||||
christoph_lange: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvFxHqgmIkBfdyxRCMGhj2R+Bj05EBB7DlBrlKy6eM3K3EnPP+0dlMW+KhGwcu5sHFjyPtdngEO8AX1TQCUgifhd9++fBVAfUfKU5+dUqqyFFeQjQMqbf7pzWCJ9JjQ5tk1If9IzgBe/50ro0SCqIbod3FogSe4RZqQV1P0znxaHt4ngJSRYnRK+6gniMuT+SlcKgjDM8v8RP4ELWvE0ibduUGoyCEzmmroXgymcL7tpqHTdfo8o3mbcwqRGmCHEplQttFG57PwkJlcQvhKuJHo/Sgcyx2WuEFL/vZMFnuXhaNFg7I1UIO9bNwsLjsbnR9FEK9rjwwl8dKQHDh5R1zQ== clange@BACH
|
||||
|
||||
# Use the list when you want to give access to non root users
|
||||
|
|
|
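Review bot: The replacement key for `sahar_vahdati` is `ssh-dss`, a DSA key; DSA is fixed at 1024 bits and OpenSSH disables it by default from 7.0 onward, so this key both weakens authentication compared with the RSA key it replaces and will stop working on newer hosts. The superseded RSA key is kept as `sahar_vahdati_old` rather than dropped; if it is still referenced from an authorized list the rotation is incomplete, and if not it is dead data that should be removed. The `AAAAIB` length prefix in that RSA blob also suggests a 1024-bit modulus, so requesting a fresh key (RSA 2048+ or ed25519) would be the cleanest fix.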
@ -79,25 +79,7 @@ install_resolvconf: True
|
|||
configure_munin: False
|
||||
|
||||
# Manage the root ssh keys
|
||||
manage_root_ssh_keys: True
|
||||
|
||||
cm_pubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJN8XR/N4p6FfymWJy7mwR3vbUboC4P+7CgZalflhK5iH0P7c24/zZDY9Y5QIq58IViY7napqZuRkNHnHcvm9mxtSxQ16qe03NulABN5V/ljgR0sQAWz8pwv68LDpR9uBSCbXDdDCUUlS+zOxCHA6s7O7PSFavX4An1Vd/mjwoeR4eLRQXNcKsK2Pu/BZ3TCLmWyi2otnxFiJ8IoKW1CvjxKWmt5BvAvys0dfsdnTSVz9yiUMwN5Oj8cw/jhKqadnkvqTGfGl1ELm9L2V7hT6LM0cIom9oRsQf+JJ6loBe3UUZGaAhY2jmARmZdX3qV9Wh+UtxaWMEAXB9mf/2cK9f jenkins@cm
|
||||
andrea_dellamico: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ9n6B+J5S7NPnwjejPC2WrvcRzC07WPnAoQ7ZHZ0Mv9JakyWItswzI3Drz/zI0mCamyuye+9dWz9v/ZRwUfBobVyXuptRaZIwxlMC/KsTZofpp3RHOBTteZ4/VM0VhEeiOHu+GuzNE0fRB2gsusWeMMae2cq4TjVAOMcQmJX496L703Smc14gFrP8y/P9jbC5HquuVnPR29PsW4mHidPmjdKkO7QmDfFAj44pEUGeInYOJe708C03NCpsjHw8AVdAJ6Pf16EOdDH+z8D6CByVO3s8UT0HJ85BRoIy6254/hmYLzyd/eRnCXHS/dke+ivrlA3XxG4+DmqjuJR/Jpfx adellam@semovente
|
||||
tommaso_piccioli: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzcHuDU7PgJwz34AsVG0E2+ZRx17ZKW1uDEGABNk3Z60/c9LTwWKPj6kcIRy6RzFJI5X+IgPJnYouXVmJsIWjVL8IRk8fP1ffJC6Fyf6H7+fCxu/Wwed5OoOCvKeZ0bEmJ1tlXFM6+EnxKqLCvz3fsNy8e4WKMnpS1hT8K6YB7PMjt60S3wOaxds1Lv4NmmgnfGM5uZFYrZCx1/GJCzNSh7AEEEUIVQ1B8xmXbet7whNiwDmiOnXSlt38dkIYT8kNMuRCj/r9wPr7FmoUCOFzUVXTcnuYagKyURrZ8QDyHbK6XQLYXgvCz/lWoErGFbDqpmBHHyvKSeLPxYfJpWJ70w== tom@tom
|
||||
backup_agent: ssh-dss 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 root@dlibbackup
|
||||
monja_dariva: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQJvgDc8lQB+EArajGPEirRuYxGcInfiM3uRS0P5Dhqch6cuNdMFFjCoQVFL2Dvs7QNSRm8mvnPLWOCYLEFPBdXlA63w+n3VWoVOs0lUgQM77/axetd/K8BCkJlcA/exvVxLtzc5k8hN1k3OJY/Npi2Xa4WyEMV6t7+vYK3MXPjFBy4Y/aLWZvHcCn0zUbeB8T8PJ2S8taCIOMzemUzjGs3c0f4y6oaJx1gPw31PCahkaVS4ZLSt+0y3DRaGiXjyzgbQPf1whBOT4SSiX3SgdMvxA/Fzz2sSAn9PNfKq+/vygn7qDB79qzBhOXs36dPuwmsqggxIZasGUT/YfRp5Cw== monja@pc-monja
|
||||
|
||||
old_marko_mikulicic: ssh-dss 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 marko
|
||||
|
||||
root_ssh_keys:
|
||||
- '{{ cm_pubkey }}'
|
||||
- '{{ andrea_dellamico }}'
|
||||
- '{{ tommaso_piccioli }}'
|
||||
- '{{ backup_agent }}'
|
||||
- '{{ monja_dariva }}'
|
||||
|
||||
obsolete_root_ssh_keys:
|
||||
- '{{ old_marko_mikulicic }}'
|
||||
manage_root_ssh_keys: False
|
||||
|
||||
#
|
||||
# debian/ubuntu distributions controllers
|
||||
|
@ -109,7 +91,6 @@ has_htop: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution
|
|||
has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_lsb['major_release'] }}' >= 5"
|
||||
|
||||
is_debian: "'{{ ansible_distribution }}' == 'Debian'"
|
||||
#is_debian7: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 7"
|
||||
is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'"
|
||||
is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'"
|
||||
is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 6)"
|
||||
|
|
|
@ -3,11 +3,11 @@
|
|||
- name: various pub ssh keys for users and apps
|
||||
authorized_key: user=root key="{{ item }}" state=present
|
||||
with_items: root_ssh_keys
|
||||
tags:
|
||||
- root_pubkeys
|
||||
when: manage_root_ssh_keys
|
||||
tags: root_pubkeys
|
||||
|
||||
- name: Remove obsolete keys from the authorized ones
|
||||
authorized_key: user=root key="{{ item }}" state=absent
|
||||
with_items: obsolete_root_ssh_keys
|
||||
tags:
|
||||
- root_pubkeys
|
||||
when: obsolete_root_ssh_keys is defined
|
||||
tags: root_pubkeys
|
||||
|
|
|
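Review bot: The two tasks are now gated inconsistently: adding keys is conditional on `manage_root_ssh_keys` (which the defaults hunk in this commit leaves at `False`), while "Remove obsolete keys from the authorized ones" runs on every host where `obsolete_root_ssh_keys` is defined, regardless of that flag. If pruning is meant to happen even on unmanaged hosts, say so with a comment such as `# obsolete keys are always removed, even when root key management is off`; otherwise gate it with `when: manage_root_ssh_keys and obsolete_root_ssh_keys is defined`. Note also that `state=present` without `exclusive` never removes keys absent from `root_ssh_keys`, so the obsolete list is the only pruning mechanism.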
@ -8,23 +8,42 @@ varnish_pkg_name: varnish
|
|||
varnish_pkg_state: present
|
||||
varnish_enabled: True
|
||||
|
||||
|
||||
varnish_listen_port: 6810
|
||||
varnish_instance_name: '{{ ansible_fqdn }}'
|
||||
varnish_listen_port: 6081
|
||||
varnish_admin_listen_port: 6082
|
||||
varnish_admin_listen_host: 127.0.0.1
|
||||
varnish_vcl_conf: /etc/varnish/default.vcl
|
||||
varnish_secret_file: /etc/varnish/secret
|
||||
varnish_pid_file: /var/run/varnish.pid
|
||||
varnish_n_files: 131072
|
||||
varnish_memlock: 82000
|
||||
varnish_static_c_timeout: 240s
|
||||
varnish_static_first_byte_timeout: 360s
|
||||
varnish_static_between_bytes_timeout: 360s
|
||||
varnish_min_threads: 10
|
||||
varnish_max_threads: 1000
|
||||
varnish_thread_timeout: 120
|
||||
# We are using 3000 in production
|
||||
varnish_static_max_connections: 200
|
||||
#
|
||||
# Choose if we want static disk based cache or volatile ram based one
|
||||
varnish_use_disk_cache: True
|
||||
varnish_storage_file: /var/lib/varnish/varnish_storage.bin
|
||||
# We are using 12288M in production
|
||||
varnish_storage_size: 1G
|
||||
#
|
||||
varnish_use_ram_cache: False
|
||||
# Expressed in MBs. We do not use it right now
|
||||
varnish_ram_cache_size: 512
|
||||
varnish_ram_cache_size: 512M
|
||||
# We are using 48000 in production
|
||||
varnish_ttl: 120
|
||||
varnish_user: varnish
|
||||
varnish_group: varnish
|
||||
varnish_purge_whitelist:
|
||||
- 127.0.0.1
|
||||
|
||||
varnish_set_sysctl_params: False
|
||||
varnish_sysctl_file: 30-varnish.conf
|
||||
varnish_sysctl_kernel_parameters:
|
||||
- { name: 'net.core.rmem_max', value: '212992' }
|
||||
- { name: 'net.core.wmem_max', value: '212992' }
|
||||
|
|
|
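Review bot: `varnish_use_disk_cache: True` and `varnish_use_ram_cache: False` are independent booleans, but the DAEMON_OPTS template in this commit emits one `-s` per flag, so both true yields two storage backends and both false yields no `-s` at all, and nothing here documents or checks that exactly one is expected. A comment above the pair, e.g. `# exactly one of varnish_use_disk_cache / varnish_use_ram_cache should be true`, would make the contract visible, and an `assert` task in the role would enforce it. `varnish_admin_listen_host: 127.0.0.1` is the right default for the management CLI and deserves a one-line comment saying it should stay on loopback.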
@ -2,4 +2,7 @@
|
|||
- name: Reload varnish
|
||||
service: name=varnish state=reloaded
|
||||
|
||||
- name: Restart varnish
|
||||
service: name=varnish state=restarted
|
||||
|
||||
|
||||
|
|
|
@ -27,11 +27,31 @@
|
|||
with_items: varnish_pkg_name
|
||||
tags: varnish
|
||||
|
||||
- name: Configure some kernel parameters via sysctl
|
||||
sysctl: name={{ item.name }} value={{ item.value }} sysctl_file=/etc/sysctl.d/{{ varnish_sysctl_file }} reload=yes state=present
|
||||
with_items: varnish_sysctl_kernel_parameters
|
||||
when: varnish_set_sysctl_params
|
||||
tags: [ 'varnish', 'varnishconf', 'sysctl' ]
|
||||
|
||||
- name: Install the varnish parameters file. The config file needs to be set by a local task
|
||||
template: src={{ item }}.j2 dest=/etc/default/varnish owner=root group=root mode=0444
|
||||
with_items:
|
||||
- varnish.params
|
||||
notify: Reload varnish
|
||||
notify: Restart varnish
|
||||
tags: [ 'varnish', 'varnishconf' ]
|
||||
|
||||
- name: Install the varnish systemd unit in debian 8
|
||||
template: src={{ item }}.systemd.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0444
|
||||
with_items:
|
||||
- varnish.service
|
||||
notify: Restart varnish
|
||||
when: is_debian8
|
||||
register: install_varnish_unit
|
||||
tags: [ 'varnish', 'varnishconf' ]
|
||||
|
||||
- name: Reload the systemd unit when changed
|
||||
command: systemctl daemon-reload
|
||||
when: ( install_varnish_unit | changed )
|
||||
tags: [ 'varnish', 'varnishconf' ]
|
||||
|
||||
- name: Ensure that the varnish service is started and enabled
|
||||
|
|
|
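Review bot: The systemd unit installed for Debian 8 is rendered from `varnish.service.systemd.j2`, which is not in this diff, so it is not visible whether it reads `/etc/default/varnish` (an `EnvironmentFile=` line and a `$DAEMON_OPTS` reference); without that, the parameters file installed by the preceding task and the `Restart varnish` notification it now triggers have no effect on Debian 8. Worth confirming, and worth a comment on the "Install the varnish parameters file" task stating that the systemd unit sources it. Smaller point: `when: ( install_varnish_unit | changed )` reads better without the parentheses.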
@ -12,23 +12,23 @@ START=no
|
|||
RELOAD_VCL=1
|
||||
|
||||
# Maximum number of open files (for ulimit -n)
|
||||
NFILES=131072
|
||||
NFILES={{ varnish_n_files }}
|
||||
|
||||
# Maximum locked memory size (for ulimit -l)
|
||||
# Used for locking the shared memory log in memory. If you increase log size,
|
||||
# you need to increase this number as well
|
||||
MEMLOCK=82000
|
||||
MEMLOCK={{ varnish_memlock }}
|
||||
|
||||
# Default varnish instance name is the local nodename. Can be overridden with
|
||||
# the -n switch, to have more instances on a single server.
|
||||
INSTANCE=$(uname -n)
|
||||
INSTANCE={{ varnish_instance_name }}
|
||||
|
||||
## Alternative 3, Advanced configuration
|
||||
#
|
||||
# See varnishd(1) for more information.
|
||||
#
|
||||
# # Main configuration file. You probably want to change it :)
|
||||
VARNISH_VCL_CONF=/etc/varnish/default.vcl
|
||||
VARNISH_VCL_CONF={{ varnish_vcl_conf }}
|
||||
#
|
||||
# # Default address and port to bind to
|
||||
# # Blank address means all IPv4 and IPv6 interfaces, otherwise specify
|
||||
|
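Review bot: `INSTANCE={{ varnish_instance_name }}` is an unquoted shell assignment in a file the init script sources, replacing `$(uname -n)`; the default value `{{ ansible_fqdn }}` comes from the host, and any whitespace or shell metacharacter in it would break or alter the sourced file. Quote it, `INSTANCE="{{ varnish_instance_name }}"`, and do the same for `VARNISH_VCL_CONF={{ varnish_vcl_conf }}` and the path variables templated in the following hunk.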
@ -37,11 +37,11 @@ VARNISH_VCL_CONF=/etc/varnish/default.vcl
|
|||
VARNISH_LISTEN_PORT={{ varnish_listen_port }}
|
||||
#
|
||||
# # Telnet admin interface listen address and port
|
||||
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
|
||||
VARNISH_ADMIN_LISTEN_PORT=6082
|
||||
VARNISH_ADMIN_LISTEN_ADDRESS={{ varnish_admin_listen_host }}
|
||||
VARNISH_ADMIN_LISTEN_PORT={{ varnish_admin_listen_port }}
|
||||
#
|
||||
# Shared secret file for admin interface
|
||||
VARNISH_SECRET_FILE=/etc/varnish/secret
|
||||
VARNISH_SECRET_FILE={{ varnish_secret_file }}
|
||||
|
||||
# # The minimum number of worker threads to start
|
||||
VARNISH_MIN_THREADS={{ varnish_min_threads }}
|
||||
|
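Review bot: `VARNISH_ADMIN_LISTEN_ADDRESS={{ varnish_admin_listen_host }}` makes the management CLI bind address an inventory choice; anything other than loopback exposes varnishadm, which can load VCL and change parameters, to the network with only the secret file as protection. A comment beside it such as `# keep on loopback; the admin CLI is protected only by VARNISH_SECRET_FILE` records the expectation that the defaults file already follows with 127.0.0.1. Quote the templated path as well, `VARNISH_SECRET_FILE="{{ varnish_secret_file }}"`, since the file is sourced by the shell.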
@ -50,7 +50,7 @@ VARNISH_MIN_THREADS={{ varnish_min_threads }}
|
|||
VARNISH_MAX_THREADS={{ varnish_max_threads }}
|
||||
#
|
||||
# # Idle timeout for worker threads
|
||||
VARNISH_THREAD_TIMEOUT=120
|
||||
VARNISH_THREAD_TIMEOUT={{ varnish_thread_timeout }}
|
||||
#
|
||||
# # Cache file location
|
||||
VARNISH_STORAGE_FILE={{ varnish_storage_file }}
|
||||
|
@ -70,12 +70,4 @@ VARNISH_TTL={{ varnish_ttl }}
|
|||
VARNISH_USER={{ varnish_user }}
|
||||
VARNISH_GROUP={{ varnish_group }}
|
||||
#
|
||||
DAEMON_OPTS="-a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} \
|
||||
-f ${VARNISH_VCL_CONF} \
|
||||
-T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} \
|
||||
-t ${VARNISH_TTL} \
|
||||
-p thread_pool_min=${VARNISH_MIN_THREADS} \
|
||||
-p thread_pool_max=${VARNISH_MAX_THREADS} \
|
||||
-p thread_pool_timeout=${VARNISH_THREAD_TIMEOUT} \
|
||||
-S ${VARNISH_SECRET_FILE} \
|
||||
-s ${VARNISH_STORAGE}"
|
||||
DAEMON_OPTS="-a :{{ varnish_listen_port }} -P {{ varnish_pid_file }} -f {{ varnish_vcl_conf }} -T {{ varnish_admin_listen_host }}:{{ varnish_admin_listen_port }} -t {{ varnish_ttl }} -p thread_pool_min={{ varnish_min_threads }} -p thread_pool_max={{ varnish_max_threads }} -p thread_pool_timeout={{ varnish_thread_timeout }} -S {{ varnish_secret_file }} -n {{ varnish_instance_name }} {% if varnish_use_disk_cache %}-s file,{{ varnish_storage_file }},{{ varnish_storage_size }}{% endif %} {% if varnish_use_ram_cache %}-s malloc,{{ varnish_ram_cache_size }}{% endif %}"
|
||||
|
|
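Review bot: The rewritten `DAEMON_OPTS` passes `-a :{{ varnish_listen_port }}`, dropping the `${VARNISH_LISTEN_ADDRESS}` the old line used, so a listen address configured higher in this file (the "Blank address means all IPv4 and IPv6 interfaces" comment suggests it is still defined there) is silently ignored and varnishd always binds every interface. Keeping the shell reference, `-a ${VARNISH_LISTEN_ADDRESS}:{{ varnish_listen_port }}`, restores that control, since the string is still double-quoted and sourced by the shell. Also, with both `varnish_use_disk_cache` and `varnish_use_ram_cache` false no `-s` option is emitted at all, and `-n {{ varnish_instance_name }}` is embedded unquoted in the shell string; an `{% else %}` fallback or an assert in the role, plus a quoted instance name, would close both gaps.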