Initial commit of PVC Ansible role
This commit is contained in:
commit
8ac0776a8e
|
@ -0,0 +1,14 @@
|
|||
# PVC Ansible
|
||||
|
||||
A set of Ansible roles to set up a PVC node host.
|
||||
|
||||
## Variables
|
||||
|
||||
A default example set of configuration variables can be found in `group_vars/default/vars.yml
|
||||
|
||||
## Using
|
||||
|
||||
0. Deploy Debian 10 to a set of servers.
|
||||
0. Create a new cluster group in the `hosts` file.
|
||||
0. Create a set of vars in `group_vars`.
|
||||
0. Run the `pvc.yml` playbook against the servers.
|
|
@ -0,0 +1,62 @@
|
|||
---
|
||||
# Ceph storage
|
||||
pvc_ceph_storage_secret_uuid: "6e1f4969-f7ea-4be1-9232-e67ce3bfc37e"
|
||||
pvc_ceph_storage_secret_key: "AQC8y6tWkfUEKxAAI9XKcXlN38Nzbrom899rJw=="
|
||||
# Database
|
||||
pvc_dns_database_name: "pvcdns"
|
||||
pvc_dns_database_user: "pvcdns"
|
||||
pvc_dns_database_password: "PVCdnsPassw0rd"
|
||||
pvc_replication_database_user: "replicator"
|
||||
pvc_replication_database_password: "PVCreplicatorPassw0rd"
|
||||
pvc_superuser_database_user: "postgres"
|
||||
pvc_superuser_database_password: "PVCpostgresPassw0rd"
|
||||
# Coordinators
|
||||
pvc_nodes:
|
||||
- hostname: "pvchv1"
|
||||
is_coordinator: yes
|
||||
node_id: 1
|
||||
router_id: "{{ blsecluster_pvc_clustersubnetsnip }}.1"
|
||||
cluster_ip: "by-id"
|
||||
storage_ip: "{{ blsecluster_pvc_storagesubnetsnip }}.25/24"
|
||||
upstream_ip: "{{ blsecluster_pvc_upstreamsubnetsnip }}.25/24"
|
||||
ipmi_host: "hv1-lom.{{ blsedomains_mgmtdomain }}"
|
||||
ipmi_user: "{{ username_ipmi_host }}"
|
||||
ipmi_password: "{{ passwd_ipmi_host }}"
|
||||
- hostname: "pvchv2"
|
||||
is_coordinator: yes
|
||||
node_id: 2
|
||||
router_id: "{{ blsecluster_pvc_clustersubnetsnip }}.2"
|
||||
cluster_ip: "by-id"
|
||||
storage_ip: "{{ blsecluster_pvc_storagesubnetsnip }}.26/24"
|
||||
upstream_ip: "{{ blsecluster_pvc_upstreamsubnetsnip }}.26/24"
|
||||
ipmi_host: "hv2-lom.{{ blsedomains_mgmtdomain }}"
|
||||
ipmi_user: "{{ username_ipmi_host }}"
|
||||
ipmi_password: "{{ passwd_ipmi_host }}"
|
||||
- hostname: "pvchv3"
|
||||
is_coordinator: yes
|
||||
node_id: 3
|
||||
router_id: "{{ blsecluster_pvc_clustersubnetsnip }}.3"
|
||||
cluster_ip: "by-id"
|
||||
storage_ip: "{{ blsecluster_pvc_storagesubnetsnip }}.27/24"
|
||||
upstream_ip: "{{ blsecluster_pvc_upstreamsubnetsnip }}.27/24"
|
||||
ipmi_host: "hv3-lom.{{ blsedomains_mgmtdomain }}"
|
||||
ipmi_user: "{{ username_ipmi_host }}"
|
||||
ipmi_password: "{{ passwd_ipmi_host }}"
|
||||
# Networks
|
||||
pvc_asn: "{{ blsecluster_pvc_asn }}"
|
||||
pvc_routers:
|
||||
- "{{ blsecluster_pvc_upstreamsubnetsnip }}.2"
|
||||
- "{{ blsecluster_pvc_upstreamsubnetsnip }}.3"
|
||||
pvc_cluster_device: "bond0"
|
||||
pvc_cluster_domain: "{{ blsedomains_pvc_clusterdomain }}"
|
||||
pvc_cluster_subnet: "{{ blsecluster_pvc_clustersubnetv4 }}"
|
||||
pvc_cluster_floatingip: "{{ blsecluster_pvc_clustersubnetsnip }}.252/24"
|
||||
pvc_storage_device: "vlan99"
|
||||
pvc_storage_domain: "{{ blsedomains_pvc_storagedomain }}"
|
||||
pvc_storage_subnet: "{{ blsecluster_pvc_storagesubnetv4 }}"
|
||||
pvc_storage_floatingip: "{{ blsecluster_pvc_storagesubnetsnip }}.252/24"
|
||||
pvc_upstream_device: "vlan100"
|
||||
pvc_upstream_domain: "{{ blsedomains_pvc_upstreamdomain }}"
|
||||
pvc_upstream_subnet: "{{ blsecluster_pvc_upstreamsubnetv4 }}"
|
||||
pvc_upstream_floatingip: "{{ blsecluster_pvc_upstreamsubnetsnip }}.252/24"
|
||||
pvc_upstream_gatewayip: "{{ blsecluster_pvc_upstreamsubnetsnip }}.1"
|
|
@ -0,0 +1,9 @@
|
|||
# PVC hosts file
|
||||
|
||||
[sites:children]
|
||||
default
|
||||
|
||||
[default]
|
||||
pvchv1
|
||||
pvchv2
|
||||
pvchv3
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
- hosts: all
|
||||
remote_user: deploy
|
||||
become: yes
|
||||
roles:
|
||||
- name: base
|
||||
tags: base
|
||||
|
||||
- name: pvc
|
||||
tags: pvc
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Backup check for Check_MK
|
||||
# Installed by BLSE 2.0 ansible
|
||||
|
||||
SHARELIST=( $( cat /var/backups/shares ) )
|
||||
|
||||
echo "<<<backup>>>"
|
||||
for SHARE in ${SHARELIST[@]}; do
|
||||
echo "${SHARE} $( cat ${SHARE}/.backup )"
|
||||
done
|
|
@ -0,0 +1,15 @@
|
|||
echo '<<<cephfsmounts>>>'
|
||||
sed -n '/ ceph\? /s/[^ ]* \([^ ]*\) .*/\1/p' < /proc/mounts |
|
||||
sed 's/\\040/ /g' |
|
||||
while read MP
|
||||
do
|
||||
if [ ! -r $MP ]; then
|
||||
echo "$MP Permission denied"
|
||||
elif [ $STAT_VERSION != $STAT_BROKE ]; then
|
||||
waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" || \
|
||||
echo "$MP hanging 0 0 0 0"
|
||||
else
|
||||
waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" && \
|
||||
printf '\n'|| echo "$MP hanging 0 0 0 0"
|
||||
fi
|
||||
done
|
|
@ -0,0 +1,33 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Apt and dpkg status check for Check_MK
|
||||
# Installed by BLSE 2.0 ansible
|
||||
|
||||
TMP_DPKG="$( COLUMNS=200 dpkg --list )"
|
||||
TMP_AWK="$( awk '
|
||||
{ if (NR>5) {
|
||||
if ($1 != "ii") bad_package[$2]=$1;
|
||||
}}
|
||||
END {
|
||||
print NR-5;
|
||||
bad_package_count=asort(bad_package,junk)
|
||||
if (bad_package_count) {
|
||||
for (package in bad_package)
|
||||
print package "[" bad_package[package] "]"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
' <<<"$TMP_DPKG" )"
|
||||
|
||||
DEBIAN_VERSION="$( cat /etc/debian_version )"
|
||||
TOTAL_PACKAGES=$( head --lines=1 <<<"${TMP_AWK}" )
|
||||
UPGRADABLE_PACKAGES=( $( apt list --upgradable 2>/dev/null | grep -v '^Listing' | awk '{ gsub(/\]/,"",$NF); print $1 "[" $NF "<>" $2 "]" }' ) )
|
||||
INCONSISTENT_PACKAGES=( $( tail --lines=+2 <<<"${TMP_AWK}" ) )
|
||||
OLD_CONFIG_FILES=( $( ionice -c3 find /etc -type f -a \( -name '*.dpkg-*' -o -name '*.ucf-*' \) 2>/dev/null ) )
|
||||
|
||||
echo "<<<dpkg>>>"
|
||||
echo "debian_version ${DEBIAN_VERSION}"
|
||||
echo "total_packages ${TOTAL_PACKAGES}"
|
||||
echo "upgradable_packages ${#UPGRADABLE_PACKAGES[*]} ${UPGRADABLE_PACKAGES[*]}"
|
||||
echo "inconsistent_packages ${#INCONSISTENT_PACKAGES[*]} ${INCONSISTENT_PACKAGES[*]}"
|
||||
echo "obsolete_configuration_files ${#OLD_CONFIG_FILES[*]} ${OLD_CONFIG_FILES[*]}"
|
|
@ -0,0 +1,16 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Entropy availability check for Check_MK
|
||||
# Installed by BLSE 2.0 ansible
|
||||
|
||||
if [ -e /proc/sys/kernel/random/entropy_avail ]; then
|
||||
|
||||
echo '<<<entropy_avail>>>'
|
||||
|
||||
echo -n "entropy_avail "
|
||||
cat /proc/sys/kernel/random/entropy_avail
|
||||
|
||||
echo -n "poolsize "
|
||||
cat /proc/sys/kernel/random/poolsize
|
||||
|
||||
fi
|
|
@ -0,0 +1,52 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Open file handle freshness check for Check_MK
|
||||
# Installed by BLSE 2.0 ansible
|
||||
|
||||
OK=0
|
||||
WARNING=1
|
||||
|
||||
FRESHNESS="$( lsof -Fcftn / 2>/dev/null | grep -v '/tmp' | \
|
||||
awk '
|
||||
{
|
||||
field=substr($0,1,1);
|
||||
data=substr($0,2);
|
||||
if (field=="f") {
|
||||
file_descriptor=data;
|
||||
} else if (field=="t") {
|
||||
file_type=data;
|
||||
} else if (field=="c") {
|
||||
command_name=data;
|
||||
} else if (field=="n" && file_descriptor=="DEL" && file_type=="REG") {
|
||||
name=data;
|
||||
file[command_name]++;
|
||||
}
|
||||
}
|
||||
END {
|
||||
for (name in file) {
|
||||
error++;
|
||||
# Skip these problematic programs
|
||||
if (name=="systemd-udevd") { continue; }
|
||||
if (name=="pulseaudio") { continue; }
|
||||
if (name=="light-locker") { continue; }
|
||||
if (name=="at-spi-bus-laun") { continue; }
|
||||
if (name=="node") { continue; }
|
||||
if (error_name) { error_name=error_name " " };
|
||||
error_name=error_name name;
|
||||
}
|
||||
if (error_name) {
|
||||
print error_name;
|
||||
exit error;
|
||||
} else {
|
||||
exit;
|
||||
}
|
||||
}' )";
|
||||
|
||||
echo "<<<freshness>>>"
|
||||
if [ "$FRESHNESS" ]; then
|
||||
echo "Applications needing restart: $FRESHNESS"
|
||||
exit $WARNING
|
||||
else
|
||||
echo "No applications needing restart"
|
||||
exit $OK
|
||||
fi
|
|
@ -0,0 +1,14 @@
|
|||
#!/bin/bash
|
||||
OK=0
|
||||
WARNING=1
|
||||
|
||||
echo "<<<kernelversion>>>"
|
||||
ACTIVE="$( uname -v | awk '{ print $4" "$5 }' )"
|
||||
ONDISK="$( strings /vmlinuz | grep 'Debian' | head -1 | awk '{ print $6" "$7 }' )"
|
||||
echo ${ACTIVE}
|
||||
echo ${ONDISK}
|
||||
if [[ ${ACTIVE} != ${ONDISK} ]]; then
|
||||
exit $WARNING
|
||||
else
|
||||
exit $OK
|
||||
fi
|
|
@ -0,0 +1,68 @@
|
|||
#!/bin/bash
|
||||
|
||||
# File ownership check for Check_MK
|
||||
# Installed by BLSE 2.0 ansible
|
||||
|
||||
UID_MAX=299
|
||||
# http://www.debian.org/doc/debian-policy/ch-opersys.html
|
||||
# 0-99: Globally allocated by the Debian project
|
||||
# 100-199: (BLSE) Dynamically allocated system users and groups
|
||||
# 200-299: (BLSE) BLSE users and groups
|
||||
# 300-499: (BLSE) reserved
|
||||
# 500-599: (BLSE) system administrators
|
||||
# 600-999: (BLSE) reserved
|
||||
# 64045: (BLSE) ceph
|
||||
|
||||
function is_element_of {
|
||||
local TO_FIND=$1
|
||||
shift
|
||||
|
||||
for ARRAY_ELEMENT in $*
|
||||
do
|
||||
if test $TO_FIND = $ARRAY_ELEMENT
|
||||
then
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
OK=0
|
||||
WARNING=1
|
||||
|
||||
FILESYSTEMs=(/ /var/log)
|
||||
MOUNTs=($(awk '{print $2}' '/proc/mounts'))
|
||||
|
||||
FILEs=()
|
||||
for FILESYSTEM in ${FILESYSTEMs[@]}; do
|
||||
while IFS= read -r -d $'\0' FILE
|
||||
do
|
||||
if ! is_element_of "$FILE" ${FILESYSTEMs[*]}; then
|
||||
if is_element_of $FILE ${MOUNTs[*]}; then
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
FILEs+=($FILE)
|
||||
done < <( find ${FILESYSTEM} -xdev -uid +$UID_MAX -not -uid +64000 -not -uid 2000 \
|
||||
-not \( -type d -a \( -path /media -o -path /mnt \) \) \
|
||||
-not \( -name '.*.swp' -a -mtime -3 \) \
|
||||
-not \( -path '*/.git' -o -path '*/.git/*' \) \
|
||||
-not \( -path '*.dirtrack.Storable' \) \
|
||||
-not \( -path '/home/*' \) \
|
||||
-not \( -path '/tmp/*' \) \
|
||||
-not \( -path '/var/home/*' \) \
|
||||
-not \( -path '/var/log/gitlab/*' \) \
|
||||
-print0 2>/dev/null )
|
||||
done
|
||||
|
||||
echo "<<<file_ownership>>>"
|
||||
|
||||
if ! test ${#FILEs[*]} -eq 0; then
|
||||
echo -n "${#FILEs[*]} file(s) found with invalid ownership (must be UID <299): "
|
||||
echo "${FILEs[*]}"
|
||||
exit $WARNING
|
||||
else
|
||||
echo "All files have valid ownership"
|
||||
exit $OK
|
||||
fi
|
||||
|
Binary file not shown.
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
- name: restart rsyslog
|
||||
service:
|
||||
name: rsyslog
|
||||
state: restarted
|
||||
|
||||
- name: restart xinetd
|
||||
service:
|
||||
name: xinetd
|
||||
state: restarted
|
||||
|
||||
- name: restart postfix
|
||||
service:
|
||||
name: postfix
|
||||
state: restarted
|
||||
|
||||
- name: restart ntp
|
||||
service:
|
||||
name: ntp
|
||||
state: restarted
|
||||
|
||||
- name: restart ssh
|
||||
service:
|
||||
name: ssh
|
||||
state: restarted
|
||||
|
||||
- name: restart fail2ban
|
||||
service:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
|
||||
- name: generate locales
|
||||
command: locale-gen
|
||||
|
||||
- name: newaliases
|
||||
command: newaliases
|
|
@ -0,0 +1,719 @@
|
|||
---
|
||||
#
|
||||
# First run check
|
||||
#
|
||||
- name: first run check
|
||||
shell: "echo 'bootstrapped' > /etc/pvc-install"
|
||||
register: newhost
|
||||
args:
|
||||
creates: "/etc/pvc-install"
|
||||
|
||||
#
|
||||
# Install custom fact scripts
|
||||
#
|
||||
- name: create facts directory
|
||||
file:
|
||||
dest: "/etc/ansible/facts.d"
|
||||
state: directory
|
||||
recurse: yes
|
||||
|
||||
- name: install custom facts
|
||||
template:
|
||||
src: "etc/ansible/facts.d/{{ item }}.fact.j2"
|
||||
dest: "/etc/ansible/facts.d/{{ item }}.fact"
|
||||
mode: 0755
|
||||
register: installed_facts
|
||||
with_items:
|
||||
- host_id
|
||||
- host_group
|
||||
- dhcp_status
|
||||
|
||||
- name: regather local facts
|
||||
setup:
|
||||
gather_subset: "!all,!any,local"
|
||||
when: installed_facts.changed
|
||||
|
||||
- debug:
|
||||
var: ansible_local.host_group
|
||||
verbosity: 1
|
||||
|
||||
- debug:
|
||||
var: ansible_local.host_id
|
||||
verbosity: 1
|
||||
|
||||
- debug:
|
||||
var: ansible_local.dhcp_status
|
||||
verbosity: 1
|
||||
|
||||
#
|
||||
# Debian Buster pre-release tweaks
|
||||
#
|
||||
- name: add proper VERSION line in os-release (Debian 10.X testing only)
|
||||
lineinfile:
|
||||
dest: "/etc/os-release"
|
||||
line: 'VERSION="10 (buster)"'
|
||||
state: present
|
||||
register: installed_facts
|
||||
when:
|
||||
- ansible_distribution_major_version == "buster/sid"
|
||||
|
||||
- name: regather distribution facts
|
||||
setup:
|
||||
when:
|
||||
- installed_facts.changed
|
||||
- ansible_distribution_major_version == "buster/sid"
|
||||
|
||||
- debug:
|
||||
var: ansible_distribution_release
|
||||
verbosity: 1
|
||||
when:
|
||||
- ansible_distribution_major_version == "buster/sid"
|
||||
|
||||
#
|
||||
# Configure APT
|
||||
#
|
||||
|
||||
- name: install apt config files
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- { src: "etc/apt/apt.conf.d/10norecommends.j2", dest: "/etc/apt/apt.conf.d/10norecommends" }
|
||||
- { src: "etc/apt/apt.conf.d/50unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" }
|
||||
- { src: "etc/apt/preferences.d/pins.j2", dest: "/etc/apt/preferences.d/pins" }
|
||||
- { src: "etc/apt/sources.list.{{ ansible_machine }}.j2", dest: "/etc/apt/sources.list" }
|
||||
tags: apt
|
||||
|
||||
#
|
||||
# Safe apt upgrades (on first install only)
|
||||
#
|
||||
|
||||
- name: apt update
|
||||
apt:
|
||||
update-cache: yes
|
||||
when: newhost.changed
|
||||
|
||||
- name: aptitude safe upgrade with autoremove
|
||||
apt:
|
||||
update_cache: yes
|
||||
autoremove: yes
|
||||
upgrade: safe
|
||||
when: newhost.changed
|
||||
|
||||
- name: install dbus
|
||||
apt:
|
||||
name:
|
||||
- dbus
|
||||
state: latest
|
||||
when: newhost.changed
|
||||
|
||||
- name: clean out apt cache
|
||||
file:
|
||||
path: "/var/cache/apt/archives"
|
||||
state: absent
|
||||
when: newhost.changed
|
||||
|
||||
#
|
||||
# Purge unneeded packages
|
||||
#
|
||||
|
||||
- name: remove unneeded packages
|
||||
apt:
|
||||
name:
|
||||
- exim4
|
||||
- exim4-base
|
||||
- exim4-config
|
||||
- exim4-daemon-light
|
||||
- nano
|
||||
- joe
|
||||
state: absent
|
||||
purge: yes
|
||||
autoremove: yes
|
||||
|
||||
#
|
||||
# Install common packages
|
||||
#
|
||||
|
||||
- name: set override debconf selections
|
||||
shell: 'echo "{{ item }}" | debconf-set-selections'
|
||||
with_items:
|
||||
- "wireshark-common wireshark-common/install-setuid boolean true"
|
||||
|
||||
- name: install common packages (all arch)
|
||||
apt:
|
||||
name:
|
||||
- debconf-utils
|
||||
- iptables
|
||||
- locales
|
||||
- acpid
|
||||
- acpi-support-base
|
||||
- rsync
|
||||
- bash
|
||||
- bash-completion
|
||||
- net-tools
|
||||
- check-mk-agent
|
||||
- dns-root-data
|
||||
- bind9-host
|
||||
- dnsutils
|
||||
- postfix
|
||||
- ntp
|
||||
- openssh-client
|
||||
- openssh-server
|
||||
- libpam-systemd
|
||||
- fail2ban
|
||||
- ca-certificates
|
||||
- openssl
|
||||
- sudo
|
||||
- rsyslog
|
||||
- logrotate
|
||||
- man
|
||||
- less
|
||||
- vim
|
||||
- git
|
||||
- nmap
|
||||
- netcat-openbsd
|
||||
- htop
|
||||
- psmisc
|
||||
- dstat
|
||||
- iotop
|
||||
- lsof
|
||||
- jnettop
|
||||
- iperf
|
||||
- sysstat
|
||||
- binutils
|
||||
- deborphan
|
||||
- wget
|
||||
- curl
|
||||
- gawk
|
||||
- mmv
|
||||
- pv
|
||||
- bc
|
||||
- reptyr
|
||||
- sharutils
|
||||
- tcptraceroute
|
||||
- nethogs
|
||||
- strace
|
||||
- tshark
|
||||
- acl
|
||||
- bzip2
|
||||
- haveged
|
||||
- unattended-upgrades
|
||||
- linux-image-amd64
|
||||
- linux-headers-amd64
|
||||
|
||||
#
|
||||
# System configuration
|
||||
#
|
||||
|
||||
# capabilities
|
||||
- name: set ping capabilities
|
||||
capabilities:
|
||||
path: /bin/ping
|
||||
capability: cap_net_raw=ep
|
||||
|
||||
# locale
|
||||
- name: install locale config files
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
notify:
|
||||
- generate locales
|
||||
with_items:
|
||||
- { src: "etc/default/locale.j2", dest: "/etc/default/locale" }
|
||||
- { src: "etc/locale.gen.j2", dest: "/etc/locale.gen" }
|
||||
|
||||
- name: set timezone
|
||||
file:
|
||||
src: /usr/share/zoneinfo/Canada/Eastern
|
||||
dest: /etc/localtime
|
||||
state: link
|
||||
force: yes
|
||||
|
||||
# dns
|
||||
- name: write the hosts config
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- { src: "etc/hosts.j2", dest: "/etc/hosts" }
|
||||
tags: dns
|
||||
|
||||
- name: write the resolver configs
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- { src: "etc/dhcp/dhclient-enter-hooks.d/noresolv.j2", dest: "/etc/dhcp/dhclient-enter-hooks.d/noresolv" }
|
||||
- { src: "etc/resolv.conf.j2", dest: "/etc/resolv.conf" }
|
||||
tags: dns
|
||||
|
||||
# acpi
|
||||
- name: install sysctl tweaks
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- { src: "etc/sysctl.d/pvc.conf.j2", dest: "/etc/sysctl.d/pvc.conf" }
|
||||
|
||||
- name: activate sysctl tweaks
|
||||
shell: "sysctl -p {{ item }}"
|
||||
with_items:
|
||||
- /etc/sysctl.d/pvc.conf
|
||||
|
||||
# syslog
|
||||
- name: install rsyslog and logrotate configs
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
notify:
|
||||
- restart rsyslog
|
||||
with_items:
|
||||
- { src: "etc/rsyslog.conf.j2", dest: "/etc/rsyslog.conf" }
|
||||
- { src: "etc/logrotate.d/rsyslog.j2", dest: "/etc/logrotate.d/rsyslog" }
|
||||
tags: rsyslog
|
||||
|
||||
- name: set journalctl persistence
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: 0644
|
||||
with_items:
|
||||
- { src: "etc/systemd/journald.conf.j2", dest: "/etc/systemd/journald.conf" }
|
||||
tags: rsyslog
|
||||
|
||||
# cron
|
||||
- name: install crontab
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: 0755
|
||||
with_items:
|
||||
- { src: "etc/crontab.j2", dest: "/etc/crontab" }
|
||||
|
||||
# mta
|
||||
- name: install postfix generic config
|
||||
template:
|
||||
src: "etc/postfix/main.cf.j2"
|
||||
dest: "/etc/postfix/main.cf"
|
||||
notify:
|
||||
- restart postfix
|
||||
|
||||
- name: touch the postfix aliases file
|
||||
file:
|
||||
dest: /etc/postfix/aliases
|
||||
state: touch
|
||||
|
||||
#
|
||||
# Local alias maps
|
||||
#
|
||||
- name: install local alias maps for various users
|
||||
lineinfile:
|
||||
dest: "/etc/aliases"
|
||||
regexp: "^{{ item }}:"
|
||||
line: "{{ item }}: {{ username_email_root }}"
|
||||
state: present
|
||||
with_items:
|
||||
- root
|
||||
- postmaster
|
||||
- amavis
|
||||
- clamav
|
||||
notify:
|
||||
- newaliases
|
||||
|
||||
# ntp
|
||||
- name: write the NTP config file
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
notify:
|
||||
- restart ntp
|
||||
with_items:
|
||||
- { src: "etc/ntp.conf.j2", dest: "/etc/ntp.conf" }
|
||||
tags: ntp
|
||||
|
||||
# ssl
|
||||
- name: ensure haveged is running
|
||||
service:
|
||||
name: haveged
|
||||
state: started
|
||||
|
||||
- name: generate diffie-hellman parameters
|
||||
command: openssl dhparam -out /etc/ssl/dhparams.pem 2048
|
||||
args:
|
||||
creates: /etc/ssl/dhparams.pem
|
||||
|
||||
- name: correct permissions on dhparams
|
||||
file:
|
||||
dest: /etc/ssl/dhparams.pem
|
||||
mode: 0440
|
||||
|
||||
# ssh
|
||||
- name: write the sshd_config files
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
notify:
|
||||
- restart ssh
|
||||
with_items:
|
||||
- { src: 'etc/ssh/ssh_config.j2', dest: '/etc/ssh/ssh_config' }
|
||||
- { src: 'etc/ssh/sshd_config.j2', dest: '/etc/ssh/sshd_config' }
|
||||
- { src: 'etc/ssh/shosts.equiv.j2', dest: '/etc/ssh/shosts.equiv' }
|
||||
- { src: 'etc/ssh/ssh_known_hosts.j2', dest: '/etc/ssh/ssh_known_hosts' }
|
||||
tags: ssh
|
||||
|
||||
- name: write sshd pam.d config
|
||||
template:
|
||||
src: "etc/pam.d/sshd.j2"
|
||||
dest: "/etc/pam.d/sshd"
|
||||
tags: ssh
|
||||
|
||||
- name: remove unneeded SSH keys (leave only RSA and ED25519)
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
state: "absent"
|
||||
with_items:
|
||||
- /etc/ssh/ssh_host_dsa_key
|
||||
- /etc/ssh/ssh_host_dsa_key.pub
|
||||
- /etc/ssh/ssh_host_ecdsa_key
|
||||
- /etc/ssh/ssh_host_ecdsa_key.pub
|
||||
notify:
|
||||
- restart ssh
|
||||
tags: ssh
|
||||
|
||||
- name: set permissions on rsa and ed25519 host keys (just in case they're wrong)
|
||||
file:
|
||||
name: "/etc/ssh/{{ item.name }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- { name: 'ssh_host_rsa_key', mode: '600' }
|
||||
- { name: 'ssh_host_rsa_key.pub', mode: '644' }
|
||||
- { name: 'ssh_host_ed25519_key', mode: '600' }
|
||||
- { name: 'ssh_host_ed25519_key.pub', mode: '644' }
|
||||
tags: ssh
|
||||
|
||||
# sudo
|
||||
- name: write the sudoers file
|
||||
template:
|
||||
src: "etc/sudoers.j2"
|
||||
dest: "/etc/sudoers"
|
||||
mode: 0440
|
||||
|
||||
# bash
|
||||
- name: write the bash.bashrc config file
|
||||
template:
|
||||
src: "etc/bash.bashrc.j2"
|
||||
dest: "/etc/bash.bashrc"
|
||||
|
||||
# motd
|
||||
- name: ensure update-motd and w scripts are present
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: 0755
|
||||
with_items:
|
||||
- { src: "usr/local/sbin/update-motd.sh.j2", dest: "/usr/local/sbin/update-motd.sh" }
|
||||
- { src: "etc/profile.d/w.sh.j2", dest: "/etc/profile.d/w.sh" }
|
||||
tags: motd
|
||||
|
||||
- name: install update-motd crontab
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: 0644
|
||||
with_items:
|
||||
- { src: "etc/cron.d/update-motd.j2", dest: "/etc/cron.d/update-motd" }
|
||||
tags: motd
|
||||
|
||||
- name: ensure /etc/motd is absent
|
||||
file:
|
||||
dest: "/etc/motd"
|
||||
state: absent
|
||||
tags: motd
|
||||
|
||||
# dpkg
|
||||
- name: install dpkg-cleanup script
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: 0755
|
||||
with_items:
|
||||
- { src: "usr/local/sbin/dpkg-cleanup.sh.j2", dest: "/usr/local/sbin/dpkg-cleanup.sh" }
|
||||
tags: dpkg
|
||||
|
||||
# fail2ban
|
||||
- name: install fail2ban configurations
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: 0644
|
||||
notify: restart fail2ban
|
||||
with_items:
|
||||
- { src: "etc/fail2ban/action.d/route.conf.j2", dest: "/etc/fail2ban/action.d/route.conf" }
|
||||
- { src: "etc/fail2ban/filter.d/sshd.conf.j2", dest: "/etc/fail2ban/filter.d/sshd.conf" }
|
||||
- { src: "etc/fail2ban/jail.d/sshd.conf.j2", dest: "/etc/fail2ban/jail.d/sshd.conf" }
|
||||
- { src: "etc/fail2ban/jail.d/sshd.local.j2", dest: "/etc/fail2ban/jail.d/sshd.local" }
|
||||
tags: fail2ban
|
||||
|
||||
#
|
||||
# Configure users
|
||||
#
|
||||
|
||||
# common
|
||||
- name: ensure /var/home exists
|
||||
file:
|
||||
state: directory
|
||||
dest: /var/home
|
||||
tags: users
|
||||
|
||||
- name: ensure group media exists
|
||||
group:
|
||||
name: media
|
||||
gid: 9000
|
||||
state: present
|
||||
tags: users
|
||||
|
||||
# root
|
||||
- name: set Root password
|
||||
user:
|
||||
name: root
|
||||
password: "{{ passwdhash_root }}"
|
||||
tags: users
|
||||
|
||||
- name: remove Root known_hosts
|
||||
file:
|
||||
state: absent
|
||||
dest: /root/.ssh/known_hosts
|
||||
tags: users
|
||||
|
||||
- name: write vimrc to root homedir
|
||||
template:
|
||||
src: var/home/user/vimrc.j2
|
||||
dest: /root/.vimrc
|
||||
mode: 0600
|
||||
tags: users
|
||||
|
||||
- name: create vimdir
|
||||
file:
|
||||
state: directory
|
||||
dest: /root/.vim
|
||||
mode: 0700
|
||||
tags: users
|
||||
|
||||
- name: write htoprc to homedir
|
||||
template:
|
||||
src: var/home/user/config/htop/htoprc.j2
|
||||
dest: /root/.htoprc
|
||||
mode: 0600
|
||||
tags: users
|
||||
|
||||
# backup
|
||||
- name: ensure backup user has shell
|
||||
user:
|
||||
name: backup
|
||||
shell: /bin/sh
|
||||
tags: users
|
||||
|
||||
- name: create backup .ssh directory
|
||||
file:
|
||||
path: /var/backups/.ssh
|
||||
state: directory
|
||||
owner: backup
|
||||
group: root
|
||||
mode: 0700
|
||||
tags: users
|
||||
|
||||
- name: create backup authorized_keys file
|
||||
template:
|
||||
src: var/backups/ssh/authorized_keys.j2
|
||||
dest: /var/backups/.ssh/authorized_keys
|
||||
owner: backup
|
||||
group: root
|
||||
mode: 0640
|
||||
tags: users
|
||||
|
||||
- name: write the sudoers file
|
||||
template:
|
||||
src: etc/sudoers.d/sudoers-backup.j2
|
||||
dest: /etc/sudoers.d/backup
|
||||
tags: users
|
||||
|
||||
- name: install the post-backup timestamp script
|
||||
template:
|
||||
src: var/backups/timestamp.sh.j2
|
||||
dest: /var/backups/timestamp.sh
|
||||
mode: 0755
|
||||
tags: users
|
||||
|
||||
- name: touch shares file
|
||||
file:
|
||||
dest: /var/backups/shares
|
||||
state: touch
|
||||
owner: backup
|
||||
tags: users
|
||||
|
||||
# deploy
|
||||
- name: ensure user deploy exists
|
||||
user:
|
||||
name: deploy
|
||||
uid: 200
|
||||
group: operator
|
||||
shell: /bin/bash
|
||||
home: /var/home/deploy
|
||||
createhome: yes
|
||||
move_home: yes
|
||||
state: present
|
||||
append: yes
|
||||
tags: users
|
||||
|
||||
- name: ensure homedir has right permissions
|
||||
file:
|
||||
dest: /var/home/deploy
|
||||
state: directory
|
||||
owner: deploy
|
||||
group: operator
|
||||
mode: 0700
|
||||
tags: users
|
||||
|
||||
- name: ensure .ssh directory exists
|
||||
file:
|
||||
dest: /var/home/deploy/.ssh
|
||||
state: directory
|
||||
owner: deploy
|
||||
group: operator
|
||||
mode: 0700
|
||||
tags: users
|
||||
|
||||
- name: add authorized keys
|
||||
authorized_key:
|
||||
user: "deploy"
|
||||
key: "{{ item.key }}"
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
# admin_users
|
||||
- name: ensure user exists
|
||||
user:
|
||||
name: "{{ item.name }}"
|
||||
uid: "{{ item.uid }}"
|
||||
group: operator
|
||||
groups: sudo,adm,media,wireshark
|
||||
shell: /bin/bash
|
||||
home: "/var/home/{{ item.name }}"
|
||||
createhome: yes
|
||||
state: present
|
||||
append: yes
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
- name: ensure homedir has right permissions
|
||||
file:
|
||||
dest: "/var/home/{{ item.name }}"
|
||||
state: directory
|
||||
owner: "{{ item.name }}"
|
||||
group: operator
|
||||
mode: 0700
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
- name: ensure .ssh directory exists
|
||||
file:
|
||||
dest: "/var/home/{{ item.name }}/.ssh"
|
||||
state: directory
|
||||
owner: "{{ item.name }}"
|
||||
group: operator
|
||||
mode: 0700
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
- name: add authorized keys
|
||||
authorized_key:
|
||||
user: "{{ item.name }}"
|
||||
key: "{{ item.key }}"
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
- name: write bashrc to homedir
|
||||
template:
|
||||
src: var/home/user/bashrc.j2
|
||||
dest: "/var/home/{{ item.name }}/.bashrc"
|
||||
owner: "{{ item.name }}"
|
||||
group: operator
|
||||
mode: 0700
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
- name: write bash_logout to homedir
|
||||
template:
|
||||
src: var/home/user/bash_logout.j2
|
||||
dest: "/var/home/{{ item.name }}/.bash_logout"
|
||||
owner: "{{ item.name }}"
|
||||
group: operator
|
||||
mode: 0700
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
- name: ensure htop config directory exists
|
||||
file:
|
||||
dest: "/var/home/{{ item.name }}/.config/htop"
|
||||
state: directory
|
||||
owner: "{{ item.name }}"
|
||||
group: operator
|
||||
mode: 0755
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
- name: write htoprc to homedir
|
||||
template:
|
||||
src: var/home/user/config/htop/htoprc.j2
|
||||
dest: "/var/home/{{ item.name }}/.config/htop/htoprc"
|
||||
owner: "{{ item.name }}"
|
||||
group: operator
|
||||
mode: 0644
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
- name: write profile to homedir
|
||||
template:
|
||||
src: var/home/user/profile.j2
|
||||
dest: "/var/home/{{ item.name }}/.profile"
|
||||
owner: "{{ item.name }}"
|
||||
group: operator
|
||||
mode: 0700
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
- name: write vimrc to homedir
|
||||
template:
|
||||
src: var/home/user/vimrc.j2
|
||||
dest: "/var/home/{{ item.name }}/.vimrc"
|
||||
owner: "{{ item.name }}"
|
||||
group: operator
|
||||
mode: 0600
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
- name: create vimdir
|
||||
file:
|
||||
state: directory
|
||||
dest: /var/home/{{ item.name }}/.vim
|
||||
owner: "{{ item.name }}"
|
||||
group: operator
|
||||
mode: 0700
|
||||
with_items: "{{ admin_users }}"
|
||||
tags: users
|
||||
|
||||
#
|
||||
# Verify and enable services
|
||||
#
|
||||
|
||||
- name: verify and enable services
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
state: started
|
||||
enabled: yes
|
||||
with_items:
|
||||
- acpid
|
||||
- rsyslog
|
||||
- postfix
|
||||
- ntp
|
||||
- ssh
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
# Ansible fact - dhcp_status
|
||||
# {{ ansible_managed }}
|
||||
DHCP_STATUS="$( grep -o 'dhcp' /etc/network/interfaces | uniq )"
|
||||
echo "\"${DHCP_STATUS}\""
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
# Ansible fact - host_group
|
||||
# {{ ansible_managed }}
|
||||
HOST_GROUP="$( hostname -s | sed 's/[0-9]*//g' )"
|
||||
echo "\"${HOST_GROUP}\""
|
|
@ -0,0 +1,8 @@
|
|||
#!/bin/bash
|
||||
# Ansible fact - host_id
|
||||
# {{ ansible_managed }}
|
||||
HOST_ID="$( hostname -s | grep -o '[0-9]\+' )"
|
||||
if [[ -z ${HOST_ID} ]]; then
|
||||
HOST_ID="0"
|
||||
fi
|
||||
echo "\"${HOST_ID}\""
|
|
@ -0,0 +1,5 @@
|
|||
# apt configuration: disable recommends
|
||||
# {{ ansible_managed }}
|
||||
|
||||
APT::Install-Recommends "0";
|
||||
APT::Install-Suggests "0";
|
|
@ -0,0 +1,37 @@
|
|||
# Unattended upgrades configuration
|
||||
# {{ ansible_managed }}
|
||||
|
||||
Unattended-Upgrade::Origins-Pattern {
|
||||
"origin=Debian,codename=${distro_codename},label=Debian";
|
||||
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
||||
};
|
||||
|
||||
Unattended-Upgrade::Package-Blacklist {
|
||||
# "libc6$";
|
||||
# "libc6-dev$";
|
||||
# "libc6-i686$";
|
||||
};
|
||||
|
||||
# General configurations
|
||||
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
||||
Unattended-Upgrade::MinimalSteps "true";
|
||||
Unattended-Upgrade::InstallOnShutdown "false";
|
||||
Unattended-Upgrade::Mail "root@bonilan.net";
|
||||
Unattended-Upgrade::MailOnlyOnError "true";
|
||||
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
||||
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
|
||||
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
||||
Unattended-Upgrade::SyslogEnable "true";
|
||||
Unattended-Upgrade::SyslogFacility "daemon";
|
||||
Unattended-Upgrade::Verbose "false";
|
||||
Unattended-Upgrade::Debug "false";
|
||||
|
||||
# Reboot configurations - skip cephX and hvX
|
||||
{% if 'hv' in group_names or 'ceph' in group_names %}
|
||||
Unattended-Upgrade::Automatic-Reboot "false";
|
||||
{% else %}
|
||||
Unattended-Upgrade::Automatic-Reboot "true";
|
||||
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
|
||||
{% set reboot_time_minute = 2 * ansible_local.host_id|int %}
|
||||
Unattended-Upgrade::Automatic-Reboot-Time "04:{{ '%02d' % reboot_time_minute }}";
|
||||
{% endif %}
|
|
@ -0,0 +1,12 @@
|
|||
# apt configuration: pinning preferences
|
||||
# {{ ansible_managed }}
|
||||
|
||||
Package: *
|
||||
Pin: release a={{ ansible_distribution_release }}
|
||||
Pin-Priority: 999
|
||||
|
||||
{% if 'base' in group_names %}
|
||||
Package: *
|
||||
Pin: release a={{ ansible_distribution_release }}-backports
|
||||
Pin-Priority: -1
|
||||
{% endif %}
|
|
@ -0,0 +1,14 @@
|
|||
# apt configuration: main sources list
|
||||
# {{ ansible_managed }}
|
||||
|
||||
deb http://debian.mirror.rafal.ca/debian {{ ansible_distribution_release }} main contrib non-free
|
||||
deb-src http://debian.mirror.rafal.ca/debian {{ ansible_distribution_release }} main contrib
|
||||
|
||||
deb http://security.debian.org/ {{ ansible_distribution_release }}/updates main contrib
|
||||
deb-src http://security.debian.org/ {{ ansible_distribution_release }}/updates main contrib
|
||||
|
||||
deb http://debian.mirror.rafal.ca/debian/ {{ ansible_distribution_release }}-updates main contrib
|
||||
deb-src http://debian.mirror.rafal.ca/debian/ {{ ansible_distribution_release }}-updates main contrib
|
||||
|
||||
deb https://repo.bonifacelabs.net/debian/ {{ ansible_distribution_release }}-updates main
|
||||
deb-src https://repo.bonifacelabs.net/debian/ {{ ansible_distribution_release }}-updates main
|
|
@ -0,0 +1,126 @@
|
|||
# System-wide .bashrc file for interactive bash(1) shells.
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# To enable the settings / commands in this file for login shells as well,
|
||||
# this file has to be sourced in /etc/profile.
|
||||
|
||||
# Fix the preceeding space stupidity
|
||||
export HISTCONTROL=ignorespace
|
||||
|
||||
# If not running interactively, don't do anything
|
||||
[ -z "$PS1" ] && return
|
||||
|
||||
# check the window size after each command and, if necessary,
|
||||
# update the values of LINES and COLUMNS.
|
||||
shopt -s checkwinsize
|
||||
|
||||
# set variable identifying the chroot you work in (used in the prompt below)
|
||||
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
|
||||
debian_chroot=$(cat /etc/debian_chroot)
|
||||
fi
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# Returncode.
|
||||
#------------------------------------------------------------------------------
|
||||
function returncode
|
||||
{
|
||||
returncode=$?
|
||||
if [ $returncode != 0 ]; then
|
||||
echo "[$returncode]"
|
||||
else
|
||||
echo ""
|
||||
fi
|
||||
}
|
||||
|
||||
alias ll='ls -al'
|
||||
|
||||
use_color=false
|
||||
|
||||
# Set colorful PS1 only on colorful terminals.
|
||||
# dircolors --print-database uses its own built-in database
|
||||
# instead of using /etc/DIR_COLORS. Try to use the external file
|
||||
# first to take advantage of user additions. Use internal bash
|
||||
# globbing instead of external grep binary.
|
||||
safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM
|
||||
match_lhs=""
|
||||
[[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)"
|
||||
[[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(</etc/DIR_COLORS)"
|
||||
[[ -z ${match_lhs} ]] \
|
||||
&& type -P dircolors >/dev/null \
|
||||
&& match_lhs=$(dircolors --print-database)
|
||||
[[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true
|
||||
|
||||
if ${use_color} ; then
|
||||
# Enable colors for ls, etc. Prefer ~/.dir_colors #64489
|
||||
if type -P dircolors >/dev/null ; then
|
||||
if [[ -f ~/.dir_colors ]] ; then
|
||||
eval $(dircolors -b ~/.dir_colors)
|
||||
elif [[ -f /etc/DIR_COLORS ]] ; then
|
||||
eval $(dircolors -b /etc/DIR_COLORS)
|
||||
else
|
||||
eval $(dircolors)
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ ${EUID} == 0 ]] ; then
|
||||
PS1='\[\033[0;31m\]$(returncode)\[\033[0;37m\]\[\033[0;35m\]${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\H\[\033[01;34m\] \w \$\[\033[00m\] '
|
||||
elif [[ ${UID} == 200 ]] ; then
|
||||
PS1='\[\033[0;31m\]$(returncode)\[\033[0;37m\]\[\033[0;35m\]${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\H\[\033[01;34m\] \w \$\[\033[00m\] '
|
||||
else
|
||||
PS1='\[\033[0;31m\]$(returncode)\[\033[0;37m\]\[\033[0;35m\]${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\H\[\033[01;34m\] \w \$\[\033[00m\] '
|
||||
fi
|
||||
|
||||
alias ls='ls --color=auto'
|
||||
alias grep='grep --colour=auto'
|
||||
alias fgrep='fgrep --colour=auto'
|
||||
alias egrep='egrep --colour=auto'
|
||||
alias ll='ls -lF'
|
||||
alias la='ls -A'
|
||||
alias l='ls -CF'
|
||||
else
|
||||
if [[ ${EUID} == 0 ]] ; then
|
||||
# show root@ when we don't have colors
|
||||
PS1='\[$(returncode)\]\u@\H \w \$ '
|
||||
else
|
||||
PS1='\[$(returncode)\]\u@\H \w \$ '
|
||||
fi
|
||||
fi
|
||||
|
||||
# Try to keep environment pollution down, EPA loves us.
|
||||
unset use_color safe_term match_lhs
|
||||
|
||||
# Commented out, don't overwrite xterm -T "title" -n "icontitle" by default.
|
||||
# If this is an xterm set the title to user@host:dir
|
||||
#case "$TERM" in
|
||||
#xterm*|rxvt*)
|
||||
# PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"'
|
||||
# ;;
|
||||
#*)
|
||||
# ;;
|
||||
#esac
|
||||
|
||||
# enable bash completion in interactive shells
|
||||
if ! shopt -oq posix; then
|
||||
if [ -f /usr/share/bash-completion/bash_completion ]; then
|
||||
. /usr/share/bash-completion/bash_completion
|
||||
elif [ -f /etc/bash_completion ]; then
|
||||
. /etc/bash_completion
|
||||
fi
|
||||
fi
|
||||
|
||||
# if the command-not-found package is installed, use it
|
||||
if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then
|
||||
function command_not_found_handle {
|
||||
# check because c-n-f could've been removed in the meantime
|
||||
if [ -x /usr/lib/command-not-found ]; then
|
||||
/usr/bin/python /usr/lib/command-not-found -- "$1"
|
||||
return $?
|
||||
elif [ -x /usr/share/command-not-found/command-not-found ]; then
|
||||
/usr/bin/python /usr/share/command-not-found/command-not-found -- "$1"
|
||||
return $?
|
||||
else
|
||||
printf "%s: command not found\n" "$1" >&2
|
||||
return 127
|
||||
fi
|
||||
}
|
||||
fi
|
|
@ -0,0 +1,58 @@
|
|||
# +------------------------------------------------------------------+
|
||||
# | ____ _ _ __ __ _ __ |
|
||||
# | / ___| |__ ___ ___| | __ | \/ | |/ / |
|
||||
# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
|
||||
# | | |___| | | | __/ (__| < | | | | . \ |
|
||||
# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
|
||||
# | |
|
||||
# | Copyright Mathias Kettner 2013 mk@mathias-kettner.de |
|
||||
# +------------------------------------------------------------------+
|
||||
#
|
||||
# This file is part of Check_MK.
|
||||
# The official homepage is at http://mathias-kettner.de/check_mk.
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
# check_mk is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation in version 2. check_mk is distributed
|
||||
# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
|
||||
# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||
# PARTICULAR PURPOSE. See the GNU General Public License for more de-
|
||||
# ails. You should have received a copy of the GNU General Public
|
||||
# License along with GNU Make; see the file COPYING. If not, write
|
||||
# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
|
||||
# Boston, MA 02110-1301 USA.
|
||||
|
||||
# logwatch.cfg
|
||||
# This file configures mk_logwatch. Define your logfiles
|
||||
# and patterns to be looked for here.
|
||||
|
||||
# Name one or more logfiles
|
||||
/var/log/system.log /var/log/daemon.log
|
||||
# Patterns are indented with one space are prefixed with:
|
||||
# C: Critical messages
|
||||
# W: Warning messages
|
||||
# I: ignore these lines (OK)
|
||||
# The first match decided. Lines that do not match any pattern
|
||||
# are ignored
|
||||
C Fail event detected on md device
|
||||
I mdadm.*: Rebuild.*event detected
|
||||
W mdadm\[
|
||||
W ata.*hard resetting link
|
||||
W ata.*soft reset failed (.*FIS failed)
|
||||
W device-mapper: thin:.*reached low water mark
|
||||
C device-mapper: thin:.*no free space
|
||||
|
||||
/var/log/auth.log
|
||||
W sshd.*Corrupted MAC on input
|
||||
|
||||
/var/log/kern.log
|
||||
C panic
|
||||
C Oops
|
||||
W generic protection rip
|
||||
W .*Unrecovered read error - auto reallocate failed
|
||||
|
||||
# Globbing patterns are allowed:
|
||||
# /sapdata/*/saptrans.log
|
||||
# C ORA-
|
|
@ -0,0 +1,4 @@
|
|||
# cron file for motd
|
||||
# {{ ansible_managed }}
|
||||
|
||||
* * * * * root /bin/sh /usr/local/sbin/update-motd.sh &>/dev/null
|
|
@ -0,0 +1,12 @@
|
|||
# /etc/crontab: system-wide crontab
|
||||
# {{ ansible_managed }}
|
||||
|
||||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
# m h dom mon dow user command
|
||||
00 * * * * root cd / && run-parts --report /etc/cron.hourly
|
||||
05 0 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
|
||||
15 0 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
|
||||
30 0 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
|
||||
#
|
|
@ -0,0 +1,4 @@
|
|||
LANGUAGE=en_CA.UTF-8
|
||||
LC_ALL=en_CA.UTF-8
|
||||
LANG=en_CA.UTF-8
|
||||
LC_TYPE=en_CA.UTF-8
|
|
@ -0,0 +1,6 @@
|
|||
#!/bin/sh
|
||||
# Disasble resolv.conf generation from DHCP
|
||||
# {{ ansible_managed }}
|
||||
make_resolv_conf() {
|
||||
:
|
||||
}
|
|
@ -0,0 +1,15 @@
|
|||
# fail2ban action - route
|
||||
|
||||
[Definition]
|
||||
actionban = ip route add <blocktype> <ip>
|
||||
actionunban = ip route del <blocktype> <ip>
|
||||
actioncheck =
|
||||
actionstart =
|
||||
actionstop =
|
||||
|
||||
[Init]
|
||||
|
||||
# Option: blocktype
|
||||
# Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
|
||||
# Values: STRING
|
||||
blocktype = blackhole
|
|
@ -0,0 +1,50 @@
|
|||
# Fail2Ban filter for openssh
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = sshd
|
||||
|
||||
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*$
|
||||
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
|
||||
^%(__prefix_line)sFailed \S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \d+)?(?: ssh\d*)?(?(cond_user):|(?:(?:(?! from ).)*)$)
|
||||
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
|
||||
^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
|
||||
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
|
||||
^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
|
||||
^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
|
||||
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
|
||||
^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: \[preauth\])?$
|
||||
^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
|
||||
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|
||||
^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
|
||||
^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
|
||||
^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
|
||||
^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \d*)?(?: ssh\d*)? \[preauth\]$
|
||||
^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
|
||||
^%(__prefix_line)sUnable to negotiate with <HOST> .*$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
[Init]
|
||||
|
||||
# "maxlines" is number of log lines to buffer for multi-line regex searches
|
||||
maxlines = 10
|
||||
|
||||
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
|
||||
# it is coming before use of <HOST> which is not hard-anchored at the end as well,
|
||||
# and later catch-all's could contain user-provided input, which need to be greedily
|
||||
# matched away first.
|
||||
#
|
||||
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Wolfgang Karall (based on sshd.conf from Cyril Jaquier)
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
before = common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = sshd
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)sUnable to negotiate with <HOST> .*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex = ^%(__prefix_line)sDid not receive identification string from .*$
|
|
@ -0,0 +1,11 @@
|
|||
[DEFAULT]
|
||||
maxretry = 3
|
||||
bantime = 14400
|
||||
ignoreip = 127.0.0.0/8 10.0.0.0/8 198.55.48.48/28
|
||||
|
||||
[ssh]
|
||||
enabled = true
|
||||
filter = sshd
|
||||
action = route
|
||||
logpath = /var/log/auth.log
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
# Local system hosts file
|
||||
# {{ ansible_managed }}
|
||||
|
||||
::1 localhost ip6-localhost ip6-loopback
|
||||
ff02::1 ip6-allmodes
|
||||
ff02::2 ip6-allrouters
|
|
@ -0,0 +1,4 @@
|
|||
# Locales configuration file
|
||||
# {{ ansible_managed }}
|
||||
|
||||
en_CA.UTF-8 UTF-8
|
|
@ -0,0 +1,23 @@
|
|||
# Logrotate configuration for loghost archives
|
||||
# {{ ansible_managed }}
|
||||
|
||||
/srv/log/kern.log
|
||||
/srv/log/daemon.log
|
||||
/srv/log/haproxy.log
|
||||
/srv/log/auth.log
|
||||
/srv/log/cron.log
|
||||
/srv/log/mail.log
|
||||
/srv/log/boot.log
|
||||
/srv/log/system.log
|
||||
{
|
||||
weekly
|
||||
missingok
|
||||
copytruncate
|
||||
dateext
|
||||
notifempty
|
||||
sharedscripts
|
||||
postrotate
|
||||
/usr/lib/rsyslog/rsyslog-rotate &>/dev/null
|
||||
/usr/local/sbin/loghost-archive.sh &>/dev/null
|
||||
endscript
|
||||
}
|
|
@ -0,0 +1,23 @@
|
|||
# Logrotate configuration for standard log files
|
||||
# {{ ansible_managed }}
|
||||
|
||||
/var/log/kern.log
|
||||
/var/log/daemon.log
|
||||
/var/log/haproxy.log
|
||||
/var/log/auth.log
|
||||
/var/log/cron.log
|
||||
/var/log/mail.log
|
||||
/var/log/boot.log
|
||||
/var/log/system.log
|
||||
{
|
||||
rotate {{ logrotate_keepcount }}
|
||||
{{ logrotate_interval }}
|
||||
missingok
|
||||
notifempty
|
||||
compress
|
||||
delaycompress
|
||||
sharedscripts
|
||||
postrotate
|
||||
/usr/lib/rsyslog/rsyslog-rotate &>/dev/null
|
||||
endscript
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
# Main NTP configuration
|
||||
# {{ ansible_managed }}
|
||||
|
||||
driftfile /var/lib/ntp/ntp.drift
|
||||
|
||||
statistics loopstats peerstats clockstats
|
||||
|
||||
filegen loopstats file loopstats type day enable
|
||||
filegen peerstats file peerstats type day enable
|
||||
filegen clockstats file clockstats type day enable
|
||||
|
||||
{% if 'remote' in group_names or 'remote-jellyfin' in group_names %}
|
||||
server time.nrc.ca
|
||||
server time.chu.nrc.ca
|
||||
|
||||
restrict -4 default kod notrap nomodify nopeer
|
||||
restrict -6 default kod notrap nomodify nopeer
|
||||
{% else %}
|
||||
disable auth
|
||||
multicastclient 224.0.0.1
|
||||
multicastclient ff05::101
|
||||
|
||||
restrict -4 default notrap nomodify
|
||||
restrict -6 default notrap nomodify
|
||||
{% endif %}
|
||||
restrict 127.0.0.1
|
||||
restrict ::1
|
|
@ -0,0 +1,54 @@
|
|||
# PAM configuration for the Secure Shell service
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# Standard Un*x authentication.
|
||||
@include common-auth
|
||||
|
||||
# Disallow non-root logins when /etc/nologin exists.
|
||||
account required pam_nologin.so
|
||||
|
||||
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||
# access limits that are hard to express in sshd_config.
|
||||
# account required pam_access.so
|
||||
|
||||
# Standard Un*x authorization.
|
||||
@include common-account
|
||||
|
||||
# SELinux needs to be the first session rule. This ensures that any
|
||||
# lingering context has been cleared. Without this it is possible that a
|
||||
# module could execute code in the wrong domain.
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
# Set the loginuid process attribute.
|
||||
session required pam_loginuid.so
|
||||
|
||||
# Create a new session keyring.
|
||||
session optional pam_keyinit.so force revoke
|
||||
|
||||
# Standard Un*x session setup and teardown.
|
||||
@include common-session
|
||||
|
||||
# Print the message of the day upon successful login.
|
||||
session optional pam_motd.so motd=/run/pvc-motd.dynamic
|
||||
session optional pam_motd.so noupdate
|
||||
|
||||
# Print the status of the user's mailbox upon successful login.
|
||||
#session optional pam_mail.so standard noenv # [1]
|
||||
|
||||
# Set up user limits from /etc/security/limits.conf.
|
||||
session required pam_limits.so
|
||||
|
||||
# Read environment variables from /etc/environment and
|
||||
# /etc/security/pam_env.conf.
|
||||
session required pam_env.so # [1]
|
||||
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||
# /etc/default/locale, so read that as well.
|
||||
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# SELinux needs to intervene at login time to ensure that the process starts
|
||||
# in the proper default security context. Only sessions which are intended
|
||||
# to run in the user's context should be run after this.
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
|
||||
# Standard Un*x password updating.
|
||||
@include common-password
|
|
@ -0,0 +1,17 @@
|
|||
# Postfix main configuration for non-MTA hosts
|
||||
# {{ ansible_managed }}
|
||||
|
||||
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
|
||||
biff = no
|
||||
append_dot_mydomain = no
|
||||
readme_directory = no
|
||||
smtpd_use_tls=no
|
||||
|
||||
alias_maps = hash:/etc/postfix/aliases
|
||||
alias_database = hash:/etc/postfix/aliases
|
||||
mydestination =
|
||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||
mailbox_size_limit = 0
|
||||
recipient_delimiter = +
|
||||
inet_interfaces = 127.0.0.1
|
||||
inet_protocols = ipv4
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Message of the day script to print active users
|
||||
# {{ ansible_managed }}
|
||||
|
||||
export PROCPS_FROMLEN=36 PROCPS_USERLEN=12
|
||||
w
|
|
@ -0,0 +1,5 @@
|
|||
# DNS resolver configuration
|
||||
# {{ ansible_managed }}
|
||||
|
||||
options timeout:1 attempts:3 rotate
|
||||
nameserver 1.1.1.1
|
|
@ -0,0 +1,37 @@
|
|||
# Main rsyslog configuration
|
||||
# {{ ansible_managed }}
|
||||
|
||||
#### ####
|
||||
#### MODULES ####
|
||||
#### ####
|
||||
|
||||
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
|
||||
module(load="imklog") # provides kernel logging support (previously done by rklogd)
|
||||
|
||||
$ModLoad imudp
|
||||
$UDPServerAddress ::1
|
||||
$UDPServerRun 514
|
||||
|
||||
#### ####
|
||||
#### GLOBAL DIRECTIVES ####
|
||||
#### ####
|
||||
|
||||
$PreserveFQDN on
|
||||
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
|
||||
|
||||
#### ####
|
||||
#### RULES ####
|
||||
#### ####
|
||||
|
||||
ruleset(name="local") {
|
||||
kern.* /var/log/kern.log
|
||||
auth,authpriv.* /var/log/auth.log
|
||||
cron.* /var/log/cron.log
|
||||
daemon,user.* /var/log/daemon.log
|
||||
mail.* /var/log/mail.log
|
||||
local5.* /var/log/nginx.log
|
||||
local6.* /var/log/haproxy.log
|
||||
local7.* /var/log/boot.log
|
||||
*.info;kern,daemon,user,auth,authpriv,cron,mail,local6.none,local7.none /var/log/system.log
|
||||
}
|
||||
$DefaultRuleset local
|
|
@ -0,0 +1,3 @@
|
|||
# SSH remote allowed hosts
|
||||
# {{ ansible_managed }}
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
# Default SSH client configuration
|
||||
# {{ ansible_managed }}
|
||||
|
||||
Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
# ForwardX11Trusted yes
|
||||
# RhostsRSAAuthentication no
|
||||
# RSAAuthentication yes
|
||||
# PasswordAuthentication yes
|
||||
# EnableSSHKeysign yes
|
||||
# HostbasedAuthentication yes
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
# GSSAPIKeyExchange no
|
||||
# GSSAPITrustDNS no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
# ConnectTimeout 0
|
||||
# StrictHostKeyChecking ask
|
||||
# IdentityFile ~/.ssh/identity
|
||||
# IdentityFile ~/.ssh/id_rsa
|
||||
# IdentityFile ~/.ssh/id_dsa
|
||||
# Port 22
|
||||
# Protocol 2,1
|
||||
# Cipher 3des
|
||||
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
|
||||
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
|
||||
# EscapeChar ~
|
||||
# Tunnel no
|
||||
# TunnelDevice any:any
|
||||
# PermitLocalCommand no
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# PreferredAuthentications hostbased,pubkey
|
||||
SendEnv LANG LC_*
|
||||
HashKnownHosts yes
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPIDelegateCredentials no
|
||||
PubkeyAuthentication yes
|
||||
HostbasedAuthentication yes
|
||||
EnableSSHKeysign yes
|
|
@ -0,0 +1,3 @@
|
|||
# SSH remote allowed hosts
|
||||
# {{ ansible_managed }}
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
# Main SSH daemon configuraton
|
||||
# {{ ansible_managed }}
|
||||
|
||||
Port 22
|
||||
ListenAddress ::
|
||||
ListenAddress 0.0.0.0
|
||||
Protocol 2
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
UsePrivilegeSeparation yes
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
LoginGraceTime 120
|
||||
UsePAM yes
|
||||
StrictModes yes
|
||||
X11Forwarding no
|
||||
PrintMotd no
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
MACs hmac-sha2-512,hmac-sha2-256
|
||||
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
|
||||
|
||||
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||
|
||||
PubkeyAuthentication yes
|
||||
PermitEmptyPasswords no
|
||||
ChallengeResponseAuthentication no
|
||||
PasswordAuthentication no
|
||||
{% if 'hv' in group_names %}
|
||||
HostbasedAuthentication yes
|
||||
HostbasedUsesNameFromPacketOnly yes
|
||||
IgnoreRhosts no
|
||||
PermitRootLogin yes
|
||||
{% else %}
|
||||
HostbasedAuthentication no
|
||||
IgnoreRhosts yes
|
||||
PermitRootLogin no
|
||||
{% endif %}
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTH -l INFO
|
|
@ -0,0 +1,5 @@
|
|||
# sudoers configuraton for BackupPC
|
||||
# {{ ansible_managed }}
|
||||
|
||||
Cmnd_Alias BACKUPS = /usr/bin/rsync, /var/backups/timestamp.sh
|
||||
backup ALL=(root) NOPASSWD: BACKUPS
|
|
@ -0,0 +1,12 @@
|
|||
# sudoers configuraton; per-host declarations go in /etc/sudoers.d
|
||||
# {{ ansible_managed }}
|
||||
|
||||
Defaults env_reset
|
||||
Defaults mail_badpass
|
||||
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
root ALL=(ALL:ALL) NOPASSWD: ALL
|
||||
deploy ALL=(ALL:ALL) NOPASSWD: /bin/sh
|
||||
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
|
||||
|
||||
#includedir /etc/sudoers.d
|
|
@ -0,0 +1,47 @@
|
|||
# General sysctl parameters for BLSE2
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# Reduce swappiness
|
||||
vm.swappiness = 1
|
||||
|
||||
# enable Spoof protection (reverse-path filter)
|
||||
# Turn on Source Address Verification in all interfaces to
|
||||
# prevent some spoofing attacks
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
|
||||
# Ignore ICMP broadcasts
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
|
||||
# Ignore bogus ICMP errors
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
{% if not 'rpi' in group_names %}
|
||||
net.ipv6.conf.all.accept_redirects = 0
|
||||
{% endif %}
|
||||
|
||||
# Do not send ICMP redirects (we are not a router)
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
|
||||
# Do not accept IP source route packets (we are not a router)
|
||||
net.ipv4.conf.all.accept_source_route = 0
|
||||
{% if not 'rpi' in group_names %}
|
||||
net.ipv6.conf.all.accept_source_route = 0
|
||||
{% endif %}
|
||||
|
||||
# Don't log Martian Packets
|
||||
net.ipv4.conf.all.log_martians = 0
|
||||
|
||||
# Explicit Congestion Notification (ECN)
|
||||
net.ipv4.tcp_ecn = 1
|
||||
|
||||
# number of seconds the kernel waits before rebooting on a panic
|
||||
kernel.panic = 60
|
||||
|
||||
# Panic on an OOPS
|
||||
kernel.panic_on_oops = 1
|
||||
|
||||
# Restrict dmesg
|
||||
kernel.dmesg_restrict = 1
|
|
@ -0,0 +1,4 @@
|
|||
# Journald configuration
|
||||
# {{ ansible_managed }}
|
||||
[Journal]
|
||||
Storage=persistent
|
|
@ -0,0 +1,10 @@
|
|||
# systemd socket definition file
|
||||
[Unit]
|
||||
Description=Check_MK Agent Socket
|
||||
|
||||
[Socket]
|
||||
ListenStream=6556
|
||||
Accept=true
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
|
@ -0,0 +1,12 @@
|
|||
# systemd service definition file
|
||||
[Unit]
|
||||
Description=Check_MK
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/check_mk_agent
|
||||
KillMode=process
|
||||
|
||||
User=root
|
||||
Group=root
|
||||
|
||||
StandardInput=socket
|
|
@ -0,0 +1,5 @@
|
|||
set showcmd
|
||||
set number
|
||||
set cursorline
|
||||
syntax on
|
||||
set mouse=
|
|
@ -0,0 +1,18 @@
|
|||
#!/bin/bash
|
||||
|
||||
# dpkg-cleanup.sh - Remove obsolete packages and config files
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# Phase 1 - purge `rc` packages
|
||||
PACKAGE_LIST=( $( dpkg --list | awk '/^rc/{ print $2 } /^ri/{ print $2 }' ) )
|
||||
apt purge -y ${PACKAGE_LIST[@]}
|
||||
|
||||
# Phase 2 - autoremove packages
|
||||
apt autoremove --purge -y
|
||||
|
||||
# Phase 3 - clean archives
|
||||
apt clean
|
||||
|
||||
# Phase 4 - find and remove obsolete config files
|
||||
OLD_FILES_LIST=( $( find /etc -type f -a \( -name '*.dpkg-*' -o -name '*.ucf-*' \) 2>/dev/null ) )
|
||||
rm -f ${OLD_FILES_LIST[@]}
|
|
@ -0,0 +1,23 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Archive old logs on loghost
|
||||
# {{ ansible_managed }}
|
||||
|
||||
LOGPATH=/srv/log
|
||||
ARCHIVEPATH=${LOGPATH}/archive/
|
||||
test -d $ARCHIVEPATH || mkdir -p $ARCHIVEPATH
|
||||
for LOGFILE in \
|
||||
kern.log \
|
||||
daemon.log \
|
||||
haproxy.log \
|
||||
auth.log \
|
||||
cron.log \
|
||||
mail.log \
|
||||
boot.log \
|
||||
system.log
|
||||
do
|
||||
test -d ${ARCHIVEPATH}/${LOGFILE} || mkdir -p ${ARCHIVEPATH}/${LOGFILE}
|
||||
mv ${LOGPATH}/${LOGFILE}-* ${ARCHIVEPATH}/${LOGFILE}
|
||||
gzip ${ARCHIVEPATH}/${LOGFILE}/*
|
||||
find ${ARCHIVEPATH}/${LOGFILE} -type f -ctime +90 -exec rm {} \;
|
||||
done
|
|
@ -0,0 +1,26 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Update dynamic MOTD file
|
||||
# {{ ansible_managed }}
|
||||
|
||||
set -o errexit
|
||||
|
||||
TMPFILE=$(mktemp)
|
||||
TGTFILE=/run/pvc-motd.dynamic
|
||||
DEBVER="({{ ansible_lsb.description }})"
|
||||
|
||||
echo >> $TMPFILE
|
||||
echo "\033[01;34mParallel Virtual Cluster \033[01;36m${DEBVER}\033[0m" >> $TMPFILE
|
||||
echo -n "> \033[01;32m$(hostname)\033[0m" >> $TMPFILE
|
||||
if test -f /etc/hostdesc; then
|
||||
echo " - $( cat /etc/hostdesc )" >> $TMPFILE
|
||||
else
|
||||
echo >> $TMPFILE
|
||||
fi
|
||||
# Get machine information
|
||||
echo "> \033[1;37mPVC node\033[0m on \033[1;31m$(
|
||||
/usr/sbin/dmidecode | grep -A1 'Chassis Information' | tail -1 | awk -F':' '{print $2}' | tr -s ' '
|
||||
)\033[0m hardware" >> $TMPFILE
|
||||
echo "> $(/bin/uname -srvmo)" >> $TMPFILE
|
||||
|
||||
mv $TMPFILE $TGTFILE || rm $TMPFILE
|
|
@ -0,0 +1,4 @@
|
|||
# backup user authorized_keys
|
||||
# {{ ansible_managed }}
|
||||
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnndMxkLF+Trm7Zpo59daJbH6C6SbInl8f1PAizxtUkWg8skP5EXkUc0eguos+5o6BG1VL0c8SWBnl4smvZL075l2wC3+cJeDUIyxC6aue6vualFMPj5p0h4gJWrX+L5r1b1hxnR3r5Mqx7/2W9K35/u3M6TPnRXn0XjGN93j8dsywfDOuU4xH+w0INM4iNeEne4l2SEAVA0Sm7nGNss4X18iwjnxyKgqUB+HtG2WHyEPr/Uv5OiEC+4n4LvkMRMpupx33U5ZH7pgyfFKJJsIObBf4nC4xUUZyCG2FlHiWzX0Ua9xxwz9OJIeqlwfYsLFrHEbPS5KpAXukEjshKGY1 backuppc@base.bonilan.net
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Writes timestamps on successful BackupPC completion and updates dynamic share inventory for this host
|
||||
# {{ ansible_managed }}
|
||||
|
||||
OK="$1"
|
||||
SHARE="$2"
|
||||
grep -F "${SHARE}" /var/backups/shares || echo "${SHARE}" >> /var/backups/shares
|
||||
if [[ ${OK} -eq 1 ]]; then
|
||||
/bin/date +%s > ${SHARE}/.backup
|
||||
fi
|
|
@ -0,0 +1,7 @@
|
|||
# BLSE 2.0 bash_logout file
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# when leaving the console clear the screen to increase privacy
|
||||
if [ "$SHLVL" = 1 ]; then
|
||||
[ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
|
||||
fi
|
|
@ -0,0 +1,144 @@
|
|||
#!/bin/bash
|
||||
|
||||
# BLSE 2.0 bashrc file
|
||||
# {{ ansible_managed }}
|
||||
|
||||
#
|
||||
# GENERAL SETTINGS
|
||||
#
|
||||
|
||||
# Before anything, see if we're running interactively. If not, skip everything here.
|
||||
[[ $- == *i* ]] || return
|
||||
|
||||
# Ensure bash completion is enabled if installed
|
||||
if ! shopt -oq posix; then
|
||||
if [ -f /usr/share/bash-completion/bash_completion ]; then
|
||||
. /usr/share/bash-completion/bash_completion
|
||||
elif [ -f /etc/bash_completion ]; then
|
||||
. /etc/bash_completion
|
||||
fi
|
||||
fi
|
||||
|
||||
# Some other tweaks
|
||||
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
|
||||
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
|
||||
debian_chroot=$(cat /etc/debian_chroot)
|
||||
fi
|
||||
|
||||
# Set history limits and values
|
||||
shopt -s cdspell
|
||||
shopt -s dirspell
|
||||
shopt -s dotglob
|
||||
shopt -s histreedit
|
||||
shopt -s histverify
|
||||
shopt -s histappend
|
||||
PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
|
||||
HISTCONTROL=ignoreboth
|
||||
HISTSIZE=25000
|
||||
HISTFILESIZE=25000
|
||||
|
||||
#
|
||||
# BASH SETTINGS
|
||||
#
|
||||
|
||||
# Set a shiny Linux Mint-style PS1 with spaces for easy double-click-select
|
||||
git_branch() {
|
||||
git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/git:\1 /'
|
||||
}
|
||||
export PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\[\033[01;32m\]\H\[\033[01;34m\] \[\e[35m\]$(git_branch)\[\033[01;34m\]\w \$\[\033[00m\] '
|
||||
|
||||
# Sensible PATH (find things in *sbin* as non-root user)
|
||||
export PATH="/usr/lib/check_mk_agent/plugins:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games"
|
||||
|
||||
# Set PATH to include ~/Scripts if it exists
|
||||
if [ -d ~/Scripts ]; then
|
||||
export PATH=~/Scripts:$PATH
|
||||
fi
|
||||
|
||||
# Set editor to vim
|
||||
export EDITOR=/usr/bin/vim
|
||||
|
||||
# Force SCREEN to xterm due to Debian weirdness
|
||||
export SCREEN="xterm"
|
||||
|
||||
|
||||
#
|
||||
# ALIASES
|
||||
#
|
||||
|
||||
# Coloured command aliases
|
||||
alias ls='ls --color=always'
|
||||
alias dir='dir --color=always'
|
||||
alias vdir='vdir --color=always'
|
||||
alias grep='grep --color=always'
|
||||
alias fgrep='fgrep --color=always'
|
||||
alias egrep='egrep --color=always'
|
||||
alias xzgrep='xzgrep --color=always'
|
||||
alias less='less -r'
|
||||
|
||||
# Convenient ls aliases
|
||||
alias ll='ls -alh'
|
||||
alias la='ls -A'
|
||||
alias l='ls -lh'
|
||||
|
||||
# Always-sudo commands, because fuck typing sudo all the time
|
||||
alias service='sudo service'
|
||||
alias systemctl='sudo systemctl'
|
||||
alias journalctl='sudo journalctl'
|
||||
alias dmesg='sudo dmesg'
|
||||
alias apt='sudo apt'
|
||||
alias dpkg='sudo dpkg'
|
||||
alias find='sudo find'
|
||||
alias htop='sudo htop'
|
||||
alias powertop='sudo powertop'
|
||||
alias jnettop='sudo jnettop'
|
||||
alias wavemon='sudo wavemon'
|
||||
alias parted='sudo parted'
|
||||
alias fdisk='sudo fdisk'
|
||||
alias gdisk='sudo gdisk'
|
||||
alias chroot='sudo chroot'
|
||||
alias mount='sudo mount'
|
||||
alias umount='sudo umount'
|
||||
alias virsh='sudo virsh -c qemu:///system'
|
||||
alias ceph='sudo ceph'
|
||||
alias rbd='sudo rbd'
|
||||
alias mysql='sudo mysql'
|
||||
alias zpool='sudo zpool'
|
||||
alias zfs='sudo zfs'
|
||||
alias crm='sudo crm'
|
||||
|
||||
# Cool aliases
|
||||
alias cccp='sudo rsync -auv --progress'
|
||||
alias untmp='sudo umount /tmp/tmp.*{/*/*,/*,} 2>/dev/null'
|
||||
alias txz='tar -p --same-owner -I pxz'
|
||||
alias stxz='sudo tar -p --same-owner -I pxz'
|
||||
alias zkcli='sudo /usr/share/zookeeper/bin/zkCli.sh'
|
||||
alias hatop='sudo hatop -s /var/lib/haproxy/admin.sock'
|
||||
alias patronictl='sudo patronictl -c /etc/patroni/config.yml -d zookeeper://localhost:2181'
|
||||
alias repo='sudo reprepro -b /srv/debrepo'
|
||||
alias beet='sudo -u debian-deluged beet --config=/srv/deluged/config.beets/config.yaml'
|
||||
{% if 'mon' in group_names %}
|
||||
alias icli='sudo -u monitor icli --status-file /omd/sites/monitor/tmp/nagios/status.dat --config /omd/sites/monitor/var/nagios/objects.cache -z \!o'
|
||||
|
||||
#
|
||||
# Show monitoring stats
|
||||
#
|
||||
|
||||
icli
|
||||
{% endif %}
|
||||
|
||||
#
|
||||
# SOURCE OTHER SCRIPTS
|
||||
#
|
||||
|
||||
test -f ~/.bashrc.d/* && . ~/.bashrc.d/*
|
||||
|
||||
#
|
||||
# NICE AND CLEAN
|
||||
#
|
||||
|
||||
echo
|
||||
|
||||
#
|
||||
# END OF FILE
|
||||
#
|
|
@ -0,0 +1,25 @@
|
|||
# htop config file
|
||||
# {{ ansible_managed }}
|
||||
fields=0 48 17 18 38 39 40 2 46 47 49 1
|
||||
sort_key=46
|
||||
sort_direction=1
|
||||
hide_threads=0
|
||||
hide_kernel_threads=0
|
||||
hide_userland_threads=0
|
||||
shadow_other_users=0
|
||||
show_thread_names=1
|
||||
highlight_base_name=1
|
||||
highlight_megabytes=1
|
||||
highlight_threads=1
|
||||
tree_view=0
|
||||
header_margin=1
|
||||
detailed_cpu_time=1
|
||||
cpu_count_from_zero=0
|
||||
update_process_names=1
|
||||
account_guest_in_cpu_meter=1
|
||||
color_scheme=0
|
||||
delay=15
|
||||
left_meters=LeftCPUs2 Blank CPU Blank Blank Memory Swap
|
||||
left_meter_modes=1 2 1 2 2 1 1
|
||||
right_meters=RightCPUs2 Blank LoadAverage Tasks Blank Hostname Clock Uptime Blank
|
||||
right_meter_modes=1 2 2 2 2 2 2 2 2
|
|
@ -0,0 +1,16 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
EDITOR=/usr/bin/vim
|
||||
|
||||
# if running bash
|
||||
if [ -n "$BASH_VERSION" ]; then
|
||||
# include .bashrc if it exists
|
||||
if [ -f "$HOME/.bashrc" ]; then
|
||||
. "$HOME/.bashrc"
|
||||
fi
|
||||
fi
|
||||
|
||||
# set PATH so it includes user's private bin if it exists
|
||||
if [ -d "$HOME/bin" ] ; then
|
||||
PATH="$HOME/bin:$PATH"
|
||||
fi
|
|
@ -0,0 +1,13 @@
|
|||
set showcmd
|
||||
set number
|
||||
set cursorline
|
||||
set autoindent
|
||||
set expandtab
|
||||
set tabstop=4
|
||||
set viminfo='100,<1000,s1000,h
|
||||
hi CursorLine term=bold cterm=bold guibg=Grey40
|
||||
syntax on
|
||||
set ruler
|
||||
set directory=~/.vim
|
||||
set mouse=
|
||||
autocmd Filetype gitcommit setlocal spell textwidth=72
|
|
@ -0,0 +1,13 @@
|
|||
# package-pvc
|
||||
|
||||
This package configures the PVC virtual cluster system.
|
||||
|
||||
# Supplemental variables
|
||||
|
||||
## Configurable
|
||||
|
||||
### `ceph_storage_secret_key`: The Ceph storage secret key in base64 format.
|
||||
* Should be obtained from Ceph cluster.
|
||||
|
||||
### `ceph_storage_secret_uuid`: A UUID for the Ceph secret in libvirt.
|
||||
* Should be unique per cluster.
|
|
@ -0,0 +1,57 @@
|
|||
---
|
||||
# Ceph storage
|
||||
ceph_storage_secret_key: ""
|
||||
ceph_storage_secret_uuid: ""
|
||||
# Database
|
||||
pvc_dns_database_name: "pvcdns"
|
||||
pvc_dns_database_user: "pvcdns"
|
||||
pvc_dns_database_password: "PVCdnsPassw0rd"
|
||||
# Coordinators
|
||||
pvc_nodes:
|
||||
- hostname: "pvc1"
|
||||
is_coordinator: yes
|
||||
node_id: 1
|
||||
router_id: "10.0.0.1"
|
||||
cluster_ip: "by-id"
|
||||
storage_ip: "by-id"
|
||||
upstream_ip: ""
|
||||
ipmi_host: "pvc1-lom"
|
||||
ipmi_user: ""
|
||||
ipmi_password: ""
|
||||
- hostname: "pvc2"
|
||||
is_coordinator: yes
|
||||
node_id: 2
|
||||
router_id: "10.0.0.2"
|
||||
cluster_ip: "by-id"
|
||||
storage_ip: "by-id"
|
||||
upstream_ip: ""
|
||||
ipmi_host: "pvc2-lom"
|
||||
ipmi_user: ""
|
||||
ipmi_password: ""
|
||||
- hostname: "pvc3"
|
||||
is_coordinator: yes
|
||||
node_id: 3
|
||||
router_id: "10.0.0.3"
|
||||
cluster_ip: "by-id"
|
||||
storage_ip: "by-id"
|
||||
upstream_ip: ""
|
||||
ipmi_host: "pvc3-lom"
|
||||
ipmi_user: ""
|
||||
ipmi_password: ""
|
||||
# Networks
|
||||
pvc_asn: "65001"
|
||||
pvc_routers:
|
||||
- ""
|
||||
pvc_cluster_device: "eth0"
|
||||
pvc_cluster_domain: "pvc.local"
|
||||
pvc_cluster_subnet: "10.0.0.0/24"
|
||||
pvc_cluster_floatingip: "10.0.0.251/24"
|
||||
pvc_storage_device: "eth1"
|
||||
pvc_storage_domain: "pvc.storage"
|
||||
pvc_storage_subnet: "10.0.1.0/24"
|
||||
pvc_storage_floatingip: "10.0.1.251/24"
|
||||
pvc_upstream_device: "eth2"
|
||||
pvc_upstream_domain: ""
|
||||
pvc_upstream_subnet: ""
|
||||
pvc_upstream_floatingip: ""
|
||||
pvc_upstream_gatewayip: ""
|
|
@ -0,0 +1,90 @@
|
|||
#!/bin/bash
|
||||
# +------------------------------------------------------------------+
|
||||
# | ____ _ _ __ __ _ __ |
|
||||
# | / ___| |__ ___ ___| | __ | \/ | |/ / |
|
||||
# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
|
||||
# | | |___| | | | __/ (__| < | | | | . \ |
|
||||
# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
|
||||
# | |
|
||||
# | Copyright Mathias Kettner 2014 mk@mathias-kettner.de |
|
||||
# +------------------------------------------------------------------+
|
||||
#
|
||||
# This file is part of Check_MK.
|
||||
# The official homepage is at http://mathias-kettner.de/check_mk.
|
||||
#
|
||||
# check_mk is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation in version 2. check_mk is distributed
|
||||
# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
|
||||
# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||
# PARTICULAR PURPOSE. See the GNU General Public License for more de-
|
||||
# tails. You should have received a copy of the GNU General Public
|
||||
# License along with GNU Make; see the file COPYING. If not, write
|
||||
# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
|
||||
# Boston, MA 02110-1301 USA.
|
||||
|
||||
# gets optional socket as argument
|
||||
function do_query() {
|
||||
INSTANCE=$(echo $1|awk -v FS="=" '{print $2}')
|
||||
COUNT=$(ps -efww | grep [/]usr/sbin/mysqld | grep socket | wc -l)
|
||||
if [ $COUNT -gt 1 ]
|
||||
then
|
||||
INSTANCE_NAME=$(ps -efww|grep socket|grep "${INSTANCE}"|grep "[u]ser" | sed -ne 's/.*socket=\([^.]*\).*/\1/p')
|
||||
INSTANCE_NAME="[[${INSTANCE_NAME##*/}]]"
|
||||
else
|
||||
INSTANCE_NAME="[[$(ps -efww|grep socket|grep "${INSTANCE}"|grep "[u]ser" | sed -ne 's/.*user=\([^ ]*\).*/\1/p')]]"
|
||||
fi
|
||||
|
||||
|
||||
|
||||
# Check if mysqld is running and root password setup
|
||||
echo "<<<mysql_ping>>>"
|
||||
echo $INSTANCE_NAME
|
||||
mysqladmin --defaults-extra-file=/root/.my.cnf $1 ping 2>&1
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
|
||||
echo "<<<mysql>>>"
|
||||
echo $INSTANCE_NAME
|
||||
mysql --defaults-extra-file=/root/.my.cnf $1 -sN \
|
||||
-e "show global status ; show global variables ;"
|
||||
|
||||
echo "<<<mysql_capacity>>>"
|
||||
echo $INSTANCE_NAME
|
||||
mysql --defaults-extra-file=/root/.my.cnf $1 -sN \
|
||||
-e "SELECT table_schema, sum(data_length + index_length), sum(data_free)
|
||||
FROM information_schema.TABLES GROUP BY table_schema"
|
||||
|
||||
echo "<<<mysql_slave>>>"
|
||||
echo $INSTANCE_NAME
|
||||
mysql --defaults-extra-file=/root/.my.cnf $1 -s \
|
||||
-e "show slave status\G"
|
||||
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
if which mysqladmin >/dev/null
|
||||
then
|
||||
mysql_sockets=$(fgrep socket /root/.my.cnf|sed -ne 's/.*socket=\([^ ]*\).*/\1/p')
|
||||
if [ -z "$mysql_sockets" ] ; then
|
||||
mysql_sockets=$(ps -efww | grep mysqld | grep "[s]ocket" | sed -ne 's/.*socket=\([^ ]*\).*/\1/p')
|
||||
fi
|
||||
if [ -z "$mysql_sockets" ] ; then
|
||||
do_query ""
|
||||
else
|
||||
for socket in $mysql_sockets ; do
|
||||
do_query "--socket="$socket
|
||||
done
|
||||
fi
|
||||
#echo "<<<mysql_version>>>"
|
||||
#mysql -V
|
||||
|
||||
echo "<<<mysql_port>>>"
|
||||
ps -efww|grep mysqld|while read LINE; do echo $LINE|grep "[u]ser" | sed -ne 's/.*user=\([^ ]*\).*/\1/p'; echo $LINE|grep mysqld | grep "[p]ort"|sed -ne 's/.*port=\([^ ]*\).*/\1/p' ; done|xargs -n2
|
||||
|
||||
#echo "<<<mysql_instances>>>"
|
||||
#mysql --defaults-extra-file=/root/.my.cnf $1 -s \
|
||||
# -e "show INSTANCES"
|
||||
|
||||
fi
|
|
@ -0,0 +1,485 @@
|
|||
#!/bin/bash
|
||||
# +------------------------------------------------------------------+
|
||||
# | ____ _ _ __ __ _ __ |
|
||||
# | / ___| |__ ___ ___| | __ | \/ | |/ / |
|
||||
# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
|
||||
# | | |___| | | | __/ (__| < | | | | . \ |
|
||||
# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
|
||||
# | |
|
||||
# | Copyright Mathias Kettner 2015 mk@mathias-kettner.de |
|
||||
# +------------------------------------------------------------------+
|
||||
#
|
||||
# This file is part of Check_MK.
|
||||
# The official homepage is at http://mathias-kettner.de/check_mk.
|
||||
#
|
||||
# check_mk is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation in version 2. check_mk is distributed
|
||||
# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
|
||||
# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||
# PARTICULAR PURPOSE. See the GNU General Public License for more de-
|
||||
# tails. You should have received a copy of the GNU General Public
|
||||
# License along with GNU Make; see the file COPYING. If not, write
|
||||
# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
|
||||
# Boston, MA 02110-1301 USA.
|
||||
|
||||
|
||||
# TODO postgres_connections output format
|
||||
|
||||
|
||||
# .--common funcs--------------------------------------------------------.
|
||||
# | __ |
|
||||
# | ___ ___ _ __ ___ _ __ ___ ___ _ __ / _|_ _ _ __ ___ ___ |
|
||||
# | / __/ _ \| '_ ` _ \| '_ ` _ \ / _ \| '_ \ | |_| | | | '_ \ / __/ __| |
|
||||
# || (_| (_) | | | | | | | | | | | (_) | | | || _| |_| | | | | (__\__ \ |
|
||||
# | \___\___/|_| |_| |_|_| |_| |_|\___/|_| |_||_| \__,_|_| |_|\___|___/ |
|
||||
# | |
|
||||
# '----------------------------------------------------------------------'
|
||||
|
||||
|
||||
function compare_version_greater_equal() {
|
||||
local GREATER_ONE
|
||||
GREATER_ONE=$(echo "$1 $2" | awk '{if ($1 >= $2) print $1; else print $2}')
|
||||
if [ "$GREATER_ONE" == "$1" ] ; then
|
||||
return 0
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
#.
|
||||
# .--section funcs-------------------------------------------------------.
|
||||
# | _ _ __ |
|
||||
# | ___ ___ ___| |_(_) ___ _ __ / _|_ _ _ __ ___ ___ |
|
||||
# | / __|/ _ \/ __| __| |/ _ \| '_ \ | |_| | | | '_ \ / __/ __| |
|
||||
# | \__ \ __/ (__| |_| | (_) | | | | | _| |_| | | | | (__\__ \ |
|
||||
# | |___/\___|\___|\__|_|\___/|_| |_| |_| \__,_|_| |_|\___|___/ |
|
||||
# | |
|
||||
# '----------------------------------------------------------------------'
|
||||
|
||||
|
||||
function postgres_instances() {
|
||||
echo '<<<postgres_instances>>>'
|
||||
# If we have no instances we take db id (pqsql/postgres) because
|
||||
# ps output may be unreadable
|
||||
# In case of instances ps output shows them readable
|
||||
if [ ! -z "${1}" ]; then
|
||||
echo "[[[${1}]]]"
|
||||
fi
|
||||
pgrep -laf bin/postgres
|
||||
}
|
||||
|
||||
|
||||
function postgres_sessions() {
|
||||
# Postgres 9.2 uses 'query' instead of 'current_query'
|
||||
local OUTPUT
|
||||
OUTPUT="$(echo "\echo '<<<postgres_sessions>>>${INSTANCE_SECTION}'
|
||||
SELECT (
|
||||
SELECT column_name
|
||||
FROM information_schema.columns
|
||||
WHERE table_name='pg_stat_activity' AND column_name in ('query', 'current_query')
|
||||
) = '<IDLE>' as query, count(*)
|
||||
FROM pg_stat_activity
|
||||
GROUP BY (query = '<IDLE>');" |\
|
||||
sudo -u "$DBUSER" $export_PGPASSFILE $psql -X --variable ON_ERROR_STOP=1 -d $PGDATABASE ${EXTRA_ARGS} -A -t -F' ' 2>/dev/null)"
|
||||
|
||||
echo "$OUTPUT"
|
||||
# line with number of idle sessions is sometimes missing on Postgres 8.x. This can lead
|
||||
# to an altogether empty section and thus the check disappearing.
|
||||
echo "$OUTPUT" | grep -q '^t ' || echo "t 0"
|
||||
}
|
||||
|
||||
|
||||
function postgres_simple_queries() {
|
||||
# Querytime
|
||||
# Supports versions >= 8.3, > 9.1
|
||||
local QUERYTIME_QUERY
|
||||
if compare_version_greater_equal "$POSTGRES_VERSION" "9.2" ; then
|
||||
QUERYTIME_QUERY="SELECT datname, datid, usename, client_addr, state AS state, COALESCE(ROUND(EXTRACT(epoch FROM now()-query_start)),0) AS seconds,
|
||||
pid, regexp_replace(query, E'[\\n\\r\\u2028]+', ' ', 'g' ) AS current_query FROM pg_stat_activity WHERE (query_start IS NOT NULL AND (state NOT LIKE 'idle%' OR state IS NULL)) ORDER BY query_start, pid DESC;"
|
||||
else
|
||||
QUERYTIME_QUERY="SELECT datname, datid, usename, client_addr, '' AS state, COALESCE(ROUND(EXTRACT(epoch FROM now()-query_start)),0) AS seconds,
|
||||
procpid as pid, regexp_replace(current_query, E'[\\n\\r\\u2028]+', ' ', 'g' ) AS current_query FROM pg_stat_activity WHERE (query_start IS NOT NULL AND current_query NOT LIKE '<IDLE>%') ORDER BY query_start, procpid DESC;"
|
||||
fi
|
||||
|
||||
# Number of current connections per database
|
||||
# We need to output the databases, too.
|
||||
# This query does not report databases without an active query
|
||||
local CONNECTIONS_QUERY
|
||||
if compare_version_greater_equal "$POSTGRES_VERSION" "9.2" ; then
|
||||
CONNECTIONS_QUERY="SELECT COUNT(datid) AS current,
|
||||
(SELECT setting AS mc FROM pg_settings WHERE name = 'max_connections') AS mc,
|
||||
d.datname
|
||||
FROM pg_database d
|
||||
LEFT JOIN pg_stat_activity s ON (s.datid = d.oid) WHERE state <> 'idle'
|
||||
GROUP BY 2,3
|
||||
ORDER BY datname;"
|
||||
else
|
||||
CONNECTIONS_QUERY="SELECT COUNT(datid) AS current,
|
||||
(SELECT setting AS mc FROM pg_settings WHERE name = 'max_connections') AS mc,
|
||||
d.datname
|
||||
FROM pg_database d
|
||||
LEFT JOIN pg_stat_activity s ON (s.datid = d.oid) WHERE current_query <> '<IDLE>'
|
||||
GROUP BY 2,3
|
||||
ORDER BY datname;"
|
||||
fi
|
||||
|
||||
echo "\pset footer off
|
||||
\echo '<<<postgres_stat_database:sep(59)>>>${INSTANCE_SECTION}'
|
||||
SELECT datid, datname, numbackends, xact_commit, xact_rollback, blks_read, blks_hit, tup_returned, tup_fetched, tup_inserted, tup_updated, tup_deleted, pg_database_size(datname) AS datsize FROM pg_stat_database;
|
||||
|
||||
\echo '<<<postgres_locks:sep(59)>>>${INSTANCE_SECTION}'
|
||||
\echo '[databases_start]'
|
||||
$ECHO_DATABASES
|
||||
\echo '[databases_end]'
|
||||
SELECT datname, granted, mode FROM pg_locks l RIGHT JOIN pg_database d ON (d.oid=l.database) WHERE d.datallowconn;
|
||||
|
||||
\echo '<<<postgres_query_duration:sep(59)>>>${INSTANCE_SECTION}'
|
||||
\echo '[databases_start]'
|
||||
$ECHO_DATABASES
|
||||
\echo '[databases_end]'
|
||||
$QUERYTIME_QUERY
|
||||
|
||||
\echo '<<<postgres_connections:sep(59)>>>${INSTANCE_SECTION}'
|
||||
\echo '[databases_start]'
|
||||
$ECHO_DATABASES
|
||||
\echo '[databases_end]'
|
||||
$CONNECTIONS_QUERY" \
|
||||
| sudo -u "$DBUSER" $export_PGPASSFILE $psql -X -d $PGDATABASE ${EXTRA_ARGS} -q -A -F';'
|
||||
}
|
||||
|
||||
|
||||
function postgres_stats() {
|
||||
# Contains last vacuum time and analyze time
|
||||
local LASTVACUUM="SELECT current_database() AS datname, nspname AS sname, relname AS tname,
|
||||
CASE WHEN v IS NULL THEN -1 ELSE round(extract(epoch FROM v)) END AS vtime,
|
||||
CASE WHEN g IS NULL THEN -1 ELSE round(extract(epoch FROM v)) END AS atime
|
||||
FROM (SELECT nspname, relname, GREATEST(pg_stat_get_last_vacuum_time(c.oid), pg_stat_get_last_autovacuum_time(c.oid)) AS v,
|
||||
GREATEST(pg_stat_get_last_analyze_time(c.oid), pg_stat_get_last_autoanalyze_time(c.oid)) AS g
|
||||
FROM pg_class c, pg_namespace n
|
||||
WHERE relkind = 'r' AND n.oid = c.relnamespace AND n.nspname <> 'information_schema'
|
||||
ORDER BY 3) AS foo;"
|
||||
|
||||
local FIRST=
|
||||
local QUERY="\pset footer off
|
||||
BEGIN;
|
||||
SET statement_timeout=30000;
|
||||
COMMIT;
|
||||
|
||||
\echo '<<<postgres_stats:sep(59)>>>${INSTANCE_SECTION}'
|
||||
\echo '[databases_start]'
|
||||
$ECHO_DATABASES
|
||||
\echo '[databases_end]'"
|
||||
|
||||
for db in $DATABASES ; do
|
||||
QUERY="$QUERY
|
||||
\c $db
|
||||
$LASTVACUUM
|
||||
"
|
||||
if [ -z $FIRST ] ; then
|
||||
FIRST=false
|
||||
QUERY="$QUERY
|
||||
\pset tuples_only on
|
||||
"
|
||||
fi
|
||||
done
|
||||
echo "$QUERY" | sudo -u "$DBUSER" $export_PGPASSFILE $psql -X ${EXTRA_ARGS} -q -A -F';' | grep -v -e 'COMMIT$' -e 'SET$' -e 'BEGIN$'
|
||||
}
|
||||
|
||||
|
||||
function postgres_version() {
|
||||
# Postgres version an connection time
|
||||
echo -e "<<<postgres_version:sep(1)>>>${INSTANCE_SECTION}"
|
||||
(TIMEFORMAT='%3R'; time echo "SELECT version() AS v" |\
|
||||
sudo -u "$DBUSER" $export_PGPASSFILE $psql -X -d $PGDATABASE ${EXTRA_ARGS} -t -A -F';'; echo -e "<<<postgres_conn_time>>>${INSTANCE_SECTION}") 2>&1
|
||||
}
|
||||
|
||||
|
||||
function postgres_bloat() {
|
||||
# Bloat index and tables
|
||||
# Supports versions <9.0, >=9.0
|
||||
# This huge query has been gratefully taken from Greg Sabino Mullane's check_postgres.pl
|
||||
local BLOAT_QUERY
|
||||
if compare_version_greater_equal "$POSTGRES_VERSION" "9.0" ; then
|
||||
BLOAT_QUERY="SELECT
|
||||
current_database() AS db, schemaname, tablename, reltuples::bigint AS tups, relpages::bigint AS pages, otta,
|
||||
ROUND(CASE WHEN otta=0 OR sml.relpages=0 OR sml.relpages=otta THEN 0.0 ELSE sml.relpages/otta::numeric END,1) AS tbloat,
|
||||
CASE WHEN relpages < otta THEN 0 ELSE relpages::bigint - otta END AS wastedpages,
|
||||
CASE WHEN relpages < otta THEN 0 ELSE bs*(sml.relpages-otta)::bigint END AS wastedbytes,
|
||||
CASE WHEN relpages < otta THEN 0 ELSE (bs*(relpages-otta))::bigint END AS wastedsize,
|
||||
iname, ituples::bigint AS itups, ipages::bigint AS ipages, iotta,
|
||||
ROUND(CASE WHEN iotta=0 OR ipages=0 OR ipages=iotta THEN 0.0 ELSE ipages/iotta::numeric END,1) AS ibloat,
|
||||
CASE WHEN ipages < iotta THEN 0 ELSE ipages::bigint - iotta END AS wastedipages,
|
||||
CASE WHEN ipages < iotta THEN 0 ELSE bs*(ipages-iotta) END AS wastedibytes,
|
||||
CASE WHEN ipages < iotta THEN 0 ELSE (bs*(ipages-iotta))::bigint END AS wastedisize,
|
||||
CASE WHEN relpages < otta THEN
|
||||
CASE WHEN ipages < iotta THEN 0 ELSE bs*(ipages-iotta::bigint) END
|
||||
ELSE CASE WHEN ipages < iotta THEN bs*(relpages-otta::bigint)
|
||||
ELSE bs*(relpages-otta::bigint + ipages-iotta::bigint) END
|
||||
END AS totalwastedbytes
|
||||
FROM (
|
||||
SELECT
|
||||
nn.nspname AS schemaname,
|
||||
cc.relname AS tablename,
|
||||
COALESCE(cc.reltuples,0) AS reltuples,
|
||||
COALESCE(cc.relpages,0) AS relpages,
|
||||
COALESCE(bs,0) AS bs,
|
||||
COALESCE(CEIL((cc.reltuples*((datahdr+ma-
|
||||
(CASE WHEN datahdr%ma=0 THEN ma ELSE datahdr%ma END))+nullhdr2+4))/(bs-20::float)),0) AS otta,
|
||||
COALESCE(c2.relname,'?') AS iname, COALESCE(c2.reltuples,0) AS ituples, COALESCE(c2.relpages,0) AS ipages,
|
||||
COALESCE(CEIL((c2.reltuples*(datahdr-12))/(bs-20::float)),0) AS iotta -- very rough approximation, assumes all cols
|
||||
FROM
|
||||
pg_class cc
|
||||
JOIN pg_namespace nn ON cc.relnamespace = nn.oid AND nn.nspname <> 'information_schema'
|
||||
LEFT JOIN
|
||||
(
|
||||
SELECT
|
||||
ma,bs,foo.nspname,foo.relname,
|
||||
(datawidth+(hdr+ma-(case when hdr%ma=0 THEN ma ELSE hdr%ma END)))::numeric AS datahdr,
|
||||
(maxfracsum*(nullhdr+ma-(case when nullhdr%ma=0 THEN ma ELSE nullhdr%ma END))) AS nullhdr2
|
||||
FROM (
|
||||
SELECT
|
||||
ns.nspname, tbl.relname, hdr, ma, bs,
|
||||
SUM((1-coalesce(null_frac,0))*coalesce(avg_width, 2048)) AS datawidth,
|
||||
MAX(coalesce(null_frac,0)) AS maxfracsum,
|
||||
hdr+(
|
||||
SELECT 1+count(*)/8
|
||||
FROM pg_stats s2
|
||||
WHERE null_frac<>0 AND s2.schemaname = ns.nspname AND s2.tablename = tbl.relname
|
||||
) AS nullhdr
|
||||
FROM pg_attribute att
|
||||
JOIN pg_class tbl ON att.attrelid = tbl.oid
|
||||
JOIN pg_namespace ns ON ns.oid = tbl.relnamespace
|
||||
LEFT JOIN pg_stats s ON s.schemaname=ns.nspname
|
||||
AND s.tablename = tbl.relname
|
||||
AND s.inherited=false
|
||||
AND s.attname=att.attname,
|
||||
(
|
||||
SELECT
|
||||
(SELECT current_setting('block_size')::numeric) AS bs,
|
||||
CASE WHEN SUBSTRING(SPLIT_PART(v, ' ', 2) FROM '#\[0-9]+.[0-9]+#\%' for '#')
|
||||
IN ('8.0','8.1','8.2') THEN 27 ELSE 23 END AS hdr,
|
||||
CASE WHEN v ~ 'mingw32' OR v ~ '64-bit' THEN 8 ELSE 4 END AS ma
|
||||
FROM (SELECT version() AS v) AS foo
|
||||
) AS constants
|
||||
WHERE att.attnum > 0 AND tbl.relkind='r'
|
||||
GROUP BY 1,2,3,4,5
|
||||
) AS foo
|
||||
) AS rs
|
||||
ON cc.relname = rs.relname AND nn.nspname = rs.nspname
|
||||
LEFT JOIN pg_index i ON indrelid = cc.oid
|
||||
LEFT JOIN pg_class c2 ON c2.oid = i.indexrelid
|
||||
) AS sml
|
||||
WHERE sml.relpages - otta > 0 OR ipages - iotta > 10 ORDER BY totalwastedbytes DESC LIMIT 10;"
|
||||
else
|
||||
BLOAT_QUERY="SELECT
|
||||
current_database() AS db, schemaname, tablename, reltuples::bigint AS tups, relpages::bigint AS pages, otta,
|
||||
ROUND(CASE WHEN otta=0 OR sml.relpages=0 OR sml.relpages=otta THEN 0.0 ELSE sml.relpages/otta::numeric END,1) AS tbloat,
|
||||
CASE WHEN relpages < otta THEN 0 ELSE relpages::bigint - otta END AS wastedpages,
|
||||
CASE WHEN relpages < otta THEN 0 ELSE bs*(sml.relpages-otta)::bigint END AS wastedbytes,
|
||||
CASE WHEN relpages < otta THEN '0 bytes'::text ELSE (bs*(relpages-otta))::bigint || ' bytes' END AS wastedsize,
|
||||
iname, ituples::bigint AS itups, ipages::bigint AS ipages, iotta,
|
||||
ROUND(CASE WHEN iotta=0 OR ipages=0 OR ipages=iotta THEN 0.0 ELSE ipages/iotta::numeric END,1) AS ibloat,
|
||||
CASE WHEN ipages < iotta THEN 0 ELSE ipages::bigint - iotta END AS wastedipages,
|
||||
CASE WHEN ipages < iotta THEN 0 ELSE bs*(ipages-iotta) END AS wastedibytes,
|
||||
CASE WHEN ipages < iotta THEN '0 bytes' ELSE (bs*(ipages-iotta))::bigint || ' bytes' END AS wastedisize,
|
||||
CASE WHEN relpages < otta THEN
|
||||
CASE WHEN ipages < iotta THEN 0 ELSE bs*(ipages-iotta::bigint) END
|
||||
ELSE CASE WHEN ipages < iotta THEN bs*(relpages-otta::bigint)
|
||||
ELSE bs*(relpages-otta::bigint + ipages-iotta::bigint) END
|
||||
END AS totalwastedbytes
|
||||
FROM (
|
||||
SELECT
|
||||
nn.nspname AS schemaname,
|
||||
cc.relname AS tablename,
|
||||
COALESCE(cc.reltuples,0) AS reltuples,
|
||||
COALESCE(cc.relpages,0) AS relpages,
|
||||
COALESCE(bs,0) AS bs,
|
||||
COALESCE(CEIL((cc.reltuples*((datahdr+ma-
|
||||
(CASE WHEN datahdr%ma=0 THEN ma ELSE datahdr%ma END))+nullhdr2+4))/(bs-20::float)),0) AS otta,
|
||||
COALESCE(c2.relname,'?') AS iname, COALESCE(c2.reltuples,0) AS ituples, COALESCE(c2.relpages,0) AS ipages,
|
||||
COALESCE(CEIL((c2.reltuples*(datahdr-12))/(bs-20::float)),0) AS iotta -- very rough approximation, assumes all cols
|
||||
FROM
|
||||
pg_class cc
|
||||
JOIN pg_namespace nn ON cc.relnamespace = nn.oid AND nn.nspname <> 'information_schema'
|
||||
LEFT JOIN
|
||||
(
|
||||
SELECT
|
||||
ma,bs,foo.nspname,foo.relname,
|
||||
(datawidth+(hdr+ma-(case when hdr%ma=0 THEN ma ELSE hdr%ma END)))::numeric AS datahdr,
|
||||
(maxfracsum*(nullhdr+ma-(case when nullhdr%ma=0 THEN ma ELSE nullhdr%ma END))) AS nullhdr2
|
||||
FROM (
|
||||
SELECT
|
||||
ns.nspname, tbl.relname, hdr, ma, bs,
|
||||
SUM((1-coalesce(null_frac,0))*coalesce(avg_width, 2048)) AS datawidth,
|
||||
MAX(coalesce(null_frac,0)) AS maxfracsum,
|
||||
hdr+(
|
||||
SELECT 1+count(*)/8
|
||||
FROM pg_stats s2
|
||||
WHERE null_frac<>0 AND s2.schemaname = ns.nspname AND s2.tablename = tbl.relname
|
||||
) AS nullhdr
|
||||
FROM pg_attribute att
|
||||
JOIN pg_class tbl ON att.attrelid = tbl.oid
|
||||
JOIN pg_namespace ns ON ns.oid = tbl.relnamespace
|
||||
LEFT JOIN pg_stats s ON s.schemaname=ns.nspname
|
||||
AND s.tablename = tbl.relname
|
||||
AND s.attname=att.attname,
|
||||
(
|
||||
SELECT
|
||||
(SELECT current_setting('block_size')::numeric) AS bs,
|
||||
CASE WHEN SUBSTRING(SPLIT_PART(v, ' ', 2) FROM '#\"[0-9]+.[0-9]+#\"%' for '#')
|
||||
IN ('8.0','8.1','8.2') THEN 27 ELSE 23 END AS hdr,
|
||||
CASE WHEN v ~ 'mingw32' OR v ~ '64-bit' THEN 8 ELSE 4 END AS ma
|
||||
FROM (SELECT version() AS v) AS foo
|
||||
) AS constants
|
||||
WHERE att.attnum > 0 AND tbl.relkind='r'
|
||||
GROUP BY 1,2,3,4,5
|
||||
) AS foo
|
||||
) AS rs
|
||||
ON cc.relname = rs.relname AND nn.nspname = rs.nspname
|
||||
LEFT JOIN pg_index i ON indrelid = cc.oid
|
||||
LEFT JOIN pg_class c2 ON c2.oid = i.indexrelid
|
||||
) AS sml
|
||||
WHERE sml.relpages - otta > 0 OR ipages - iotta > 10 ORDER BY totalwastedbytes DESC LIMIT 10;"
|
||||
fi
|
||||
|
||||
local FIRST=
|
||||
local QUERY="\pset footer off
|
||||
\echo '<<<postgres_bloat:sep(59)>>>${INSTANCE_SECTION}'
|
||||
\echo '[databases_start]'
|
||||
$ECHO_DATABASES
|
||||
\echo '[databases_end]'"
|
||||
|
||||
for db in $DATABASES ; do
|
||||
QUERY="$QUERY
|
||||
\c $db
|
||||
$BLOAT_QUERY
|
||||
"
|
||||
if [ -z $FIRST ] ; then
|
||||
FIRST=false
|
||||
QUERY="$QUERY
|
||||
\pset tuples_only on
|
||||
"
|
||||
fi
|
||||
done
|
||||
echo "$QUERY" | sudo -u "$DBUSER" $export_PGPASSFILE $psql -X ${EXTRA_ARGS} -q -A -F';'
|
||||
}
|
||||
|
||||
|
||||
#.
|
||||
# .--main----------------------------------------------------------------.
|
||||
# | _ |
|
||||
# | _ __ ___ __ _(_)_ __ |
|
||||
# | | '_ ` _ \ / _` | | '_ \ |
|
||||
# | | | | | | | (_| | | | | | |
|
||||
# | |_| |_| |_|\__,_|_|_| |_| |
|
||||
# | |
|
||||
# '----------------------------------------------------------------------'
|
||||
|
||||
|
||||
### postgres.cfg ##
|
||||
# DBUSER=OS_USER_NAME
|
||||
# INSTANCE=/home/postgres/db1.env:USER_NAME:/PATH/TO/.pgpass
|
||||
# INSTANCE=/home/postgres/db2.env:USER_NAME:/PATH/TO/.pgpass
|
||||
|
||||
# TODO @dba USERNAME in .pgpass ?
|
||||
# INSTANCE=/home/postgres/db2.env:/PATH/TO/.pgpass
|
||||
|
||||
|
||||
function postgres_main() {
|
||||
if [ -z "$DBUSER" ] || [ -z "$PGDATABASE" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
EXTRA_ARGS=""
|
||||
if [ ! -z "$PGUSER" ]; then
|
||||
EXTRA_ARGS=$EXTRA_ARGS" -U $PGUSER"
|
||||
fi
|
||||
if [ ! -z "$PGPORT" ]; then
|
||||
EXTRA_ARGS=$EXTRA_ARGS" -p $PGPORT"
|
||||
fi
|
||||
|
||||
if [ ! -z "$PGPASSFILE" ]; then
|
||||
export_PGPASSFILE="export PGPASSFILE=$PGPASSFILE; "
|
||||
fi
|
||||
|
||||
DATABASES="$(echo "SELECT datname FROM pg_database WHERE datistemplate = false;" |\
|
||||
sudo -u "$DBUSER" $export_PGPASSFILE $psql -X -d $PGDATABASE ${EXTRA_ARGS} -t -A -F';')"
|
||||
ECHO_DATABASES="$(echo "$DATABASES" | sed 's/^/\\echo /')"
|
||||
|
||||
POSTGRES_VERSION=$(sudo -u "$DBUSER" $psql -X -V -d $PGDATABASE ${EXTRA_ARGS} | egrep -o '[0-9]{1,}\.[0-9]{1,}')
|
||||
|
||||
postgres_sessions
|
||||
postgres_simple_queries
|
||||
#postgres_stats
|
||||
postgres_version
|
||||
postgres_bloat
|
||||
}
|
||||
|
||||
|
||||
MK_CONFFILE=$MK_CONFDIR/postgres.cfg
|
||||
if [ -e "$MK_CONFFILE" ]; then
|
||||
|
||||
postgres_instances
|
||||
|
||||
DBUSER=$(grep DBUSER "$MK_CONFFILE" | sed 's/.*=//g')
|
||||
cat "$MK_CONFFILE" | while read line
|
||||
do
|
||||
case $line in
|
||||
INSTANCE*)
|
||||
instance=$line
|
||||
;;
|
||||
*)
|
||||
instance=
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ ! -z "$instance" ]; then
|
||||
instance_path=$(echo "$instance" | sed 's/.*=\(.*\):.*:.*$/\1/g')
|
||||
instance_name=$(echo "$instance_path" | sed -e 's/.*\/\(.*\)/\1/g' -e 's/\.env$//g')
|
||||
if [ ! -z "$instance_name" ]; then
|
||||
INSTANCE_SECTION="\n[[[$instance_name]]]"
|
||||
else
|
||||
INSTANCE_SECTION=""
|
||||
fi
|
||||
|
||||
psql="/$DBUSER/$(grep "^export PGVERSION=" "$instance_path" |
|
||||
sed -e 's/.*=//g' -e 's/\s*#.*$//g')/bin/psql"
|
||||
|
||||
PGUSER=$(echo "$instance" | sed 's/.*=.*:\(.*\):.*$/\1/g')
|
||||
PGPASSFILE="$(echo "$instance" | sed 's/.*=.*:.*:\(.*\)$/\1/g')"
|
||||
PGDATABASE=$(grep "^export PGDATABASE=" "$instance_path" |
|
||||
sed -e 's/.*=//g' -e 's/\s*#.*$//g')
|
||||
PGPORT=$(grep "^export PGPORT=" "$instance_path" |
|
||||
sed -e 's/.*=//g' -e 's/\s*#.*$//g')
|
||||
|
||||
# Fallback
|
||||
if [ ! -f "$psql" ]; then
|
||||
psql="$(cat $instance_path | grep "^export PGHOME=" |
|
||||
sed -e 's/.*=//g' -e 's/\s*#.*$//g')/psql"
|
||||
fi
|
||||
|
||||
postgres_main
|
||||
|
||||
fi
|
||||
done
|
||||
|
||||
else
|
||||
|
||||
if id pgsql >/dev/null 2>&1; then
|
||||
DBUSER=pgsql
|
||||
elif id postgres >/dev/null 2>&1; then
|
||||
DBUSER=postgres
|
||||
else
|
||||
exit 0
|
||||
fi
|
||||
INSTANCE_SECTION=""
|
||||
|
||||
postgres_instances "$DBUSER"
|
||||
|
||||
psql="psql"
|
||||
PGDATABASE=postgres
|
||||
postgres_main
|
||||
|
||||
fi
|
|
@ -0,0 +1,94 @@
|
|||
CREATE TABLE domains (
|
||||
id SERIAL PRIMARY KEY,
|
||||
name VARCHAR(255) NOT NULL,
|
||||
master VARCHAR(128) DEFAULT NULL,
|
||||
last_check INT DEFAULT NULL,
|
||||
type VARCHAR(6) NOT NULL,
|
||||
notified_serial INT DEFAULT NULL,
|
||||
account VARCHAR(40) DEFAULT NULL,
|
||||
CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
|
||||
);
|
||||
|
||||
CREATE UNIQUE INDEX name_index ON domains(name);
|
||||
|
||||
|
||||
CREATE TABLE records (
|
||||
id BIGSERIAL PRIMARY KEY,
|
||||
domain_id INT DEFAULT NULL,
|
||||
name VARCHAR(255) DEFAULT NULL,
|
||||
type VARCHAR(10) DEFAULT NULL,
|
||||
content VARCHAR(65535) DEFAULT NULL,
|
||||
ttl INT DEFAULT NULL,
|
||||
prio INT DEFAULT NULL,
|
||||
disabled BOOL DEFAULT 'f',
|
||||
ordername VARCHAR(255),
|
||||
auth BOOL DEFAULT 't',
|
||||
CONSTRAINT domain_exists
|
||||
FOREIGN KEY(domain_id) REFERENCES domains(id)
|
||||
ON DELETE CASCADE,
|
||||
CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
|
||||
);
|
||||
|
||||
CREATE INDEX rec_name_index ON records(name);
|
||||
CREATE INDEX nametype_index ON records(name,type);
|
||||
CREATE INDEX domain_id ON records(domain_id);
|
||||
CREATE INDEX recordorder ON records (domain_id, ordername text_pattern_ops);
|
||||
|
||||
|
||||
CREATE TABLE supermasters (
|
||||
ip INET NOT NULL,
|
||||
nameserver VARCHAR(255) NOT NULL,
|
||||
account VARCHAR(40) NOT NULL,
|
||||
PRIMARY KEY(ip, nameserver)
|
||||
);
|
||||
|
||||
|
||||
CREATE TABLE comments (
|
||||
id SERIAL PRIMARY KEY,
|
||||
domain_id INT NOT NULL,
|
||||
name VARCHAR(255) NOT NULL,
|
||||
type VARCHAR(10) NOT NULL,
|
||||
modified_at INT NOT NULL,
|
||||
account VARCHAR(40) DEFAULT NULL,
|
||||
comment VARCHAR(65535) NOT NULL,
|
||||
CONSTRAINT domain_exists
|
||||
FOREIGN KEY(domain_id) REFERENCES domains(id)
|
||||
ON DELETE CASCADE,
|
||||
CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
|
||||
);
|
||||
|
||||
CREATE INDEX comments_domain_id_idx ON comments (domain_id);
|
||||
CREATE INDEX comments_name_type_idx ON comments (name, type);
|
||||
CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);
|
||||
|
||||
|
||||
CREATE TABLE domainmetadata (
|
||||
id SERIAL PRIMARY KEY,
|
||||
domain_id INT REFERENCES domains(id) ON DELETE CASCADE,
|
||||
kind VARCHAR(32),
|
||||
content TEXT
|
||||
);
|
||||
|
||||
CREATE INDEX domainidmetaindex ON domainmetadata(domain_id);
|
||||
|
||||
|
||||
CREATE TABLE cryptokeys (
|
||||
id SERIAL PRIMARY KEY,
|
||||
domain_id INT REFERENCES domains(id) ON DELETE CASCADE,
|
||||
flags INT NOT NULL,
|
||||
active BOOL,
|
||||
content TEXT
|
||||
);
|
||||
|
||||
CREATE INDEX domainidindex ON cryptokeys(domain_id);
|
||||
|
||||
|
||||
CREATE TABLE tsigkeys (
|
||||
id SERIAL PRIMARY KEY,
|
||||
name VARCHAR(255),
|
||||
algorithm VARCHAR(50),
|
||||
secret VARCHAR(255),
|
||||
CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
|
||||
);
|
||||
|
||||
CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
- name: restart zookeeper
|
||||
service:
|
||||
name: zookeeper
|
||||
state: restarted
|
||||
|
||||
- name: restart libvirtd
|
||||
service:
|
||||
name: libvirtd
|
||||
state: restarted
|
||||
|
||||
- name: restart frr
|
||||
service:
|
||||
name: frr
|
||||
state: restarted
|
||||
|
||||
- name: restart patroni
|
||||
service:
|
||||
name: patroni
|
||||
state: restarted
|
||||
|
||||
- name: restart pvcd
|
||||
service:
|
||||
name: pvcd
|
||||
state: restarted
|
|
@ -0,0 +1,48 @@
|
|||
---
|
||||
- name: create ceph group
|
||||
group:
|
||||
name: ceph
|
||||
gid: 64046
|
||||
state: present
|
||||
|
||||
- name: install packages
|
||||
apt:
|
||||
name:
|
||||
- ceph-osd
|
||||
- ceph-mds
|
||||
- ceph-mon
|
||||
- ceph-mgr
|
||||
- radosgw
|
||||
- libjemalloc2
|
||||
state: latest
|
||||
|
||||
- name: install sysctl tweaks
|
||||
template:
|
||||
src: ceph/sysctl.conf.j2
|
||||
dest: /etc/sysctl.d/pvc-ceph.conf
|
||||
|
||||
- name: activate sysctl tweaks
|
||||
command: sysctl -p /etc/sysctl.d/pvc-ceph.conf
|
||||
|
||||
- name: install user limits overrides
|
||||
template:
|
||||
src: ceph/limits.conf.j2
|
||||
dest: /etc/security/limits.d/99-pvc-ceph.conf
|
||||
|
||||
- name: install ceph default config
|
||||
template:
|
||||
src: ceph/default.conf.j2
|
||||
dest: /etc/default/ceph
|
||||
|
||||
- name: create ceph configuration directory
|
||||
file:
|
||||
dest: /etc/ceph
|
||||
state: directory
|
||||
|
||||
- name: install ceph cluster configurations
|
||||
template:
|
||||
src: ceph/{{ item }}.j2
|
||||
dest: /etc/ceph/{{ item }}
|
||||
with_items:
|
||||
- ceph.conf
|
||||
- ceph.client.admin.keyring
|
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
- name: install frr packages
|
||||
apt:
|
||||
name:
|
||||
- frr
|
||||
state: latest
|
||||
|
||||
- name: install frr configuration
|
||||
template:
|
||||
src: frr/{{ item }}.j2
|
||||
dest: /etc/frr/{{ item }}
|
||||
with_items:
|
||||
- daemons
|
||||
- frr.conf
|
||||
notify: restart frr
|
||||
ignore_errors: true
|
||||
|
||||
- name: disable services
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
enabled: no
|
||||
with_items:
|
||||
- frr
|
|
@ -0,0 +1,43 @@
|
|||
---
|
||||
- name: install libvirt packages
|
||||
apt:
|
||||
name:
|
||||
- libvirt-daemon-system
|
||||
- qemu-kvm
|
||||
- qemu-utils
|
||||
- qemu-block-extra
|
||||
- vhostmd
|
||||
- ceph-common
|
||||
- libjemalloc2
|
||||
state: latest
|
||||
|
||||
- name: install libvirt configuration
|
||||
template:
|
||||
src: libvirt/{{ item }}.j2
|
||||
dest: /etc/libvirt/{{ item }}
|
||||
with_items:
|
||||
- libvirtd.conf
|
||||
- ceph-secret.xml
|
||||
notify: restart libvirtd
|
||||
|
||||
- name: define ceph secret
|
||||
command: virsh secret-define /etc/libvirt/ceph-secret.xml
|
||||
ignore_errors: true
|
||||
|
||||
- name: set ceph secret value
|
||||
command: virsh secret-set-value --secret {{ ceph_storage_secret_uuid }} --base64 {{ ceph_storage_secret_key }}
|
||||
ignore_errors: true
|
||||
|
||||
- name: configure libvirt for listening
|
||||
replace:
|
||||
dest: /etc/default/libvirtd
|
||||
regexp: '#libvirtd_opts=""'
|
||||
replace: 'libvirtd_opts="--listen"'
|
||||
notify: restart libvirtd
|
||||
|
||||
- name: disable services
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
enabled: no
|
||||
with_items:
|
||||
- libvirtd
|
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
- name: add module blacklist
|
||||
template:
|
||||
src: system/blacklist.j2
|
||||
dest: /etc/modprobe.d/blacklist.conf
|
||||
|
||||
- include_tasks: ceph.yml
|
||||
tags: pvc-ceph
|
||||
|
||||
- include_tasks: zookeeper.yml
|
||||
tags: pvc-zookeeper
|
||||
|
||||
- include_tasks: libvirt.yml
|
||||
tags: pvc-libvirt
|
||||
|
||||
- include_tasks: frr.yml
|
||||
tags: pvc-frr
|
||||
|
||||
- include_tasks: patroni.yml
|
||||
tags: pvc-patroni
|
||||
|
||||
- include_tasks: pvc.yml
|
||||
tags: pvc-pvc
|
||||
run_once: true
|
||||
delegate_to: "{{ item }}"
|
||||
with_items: "{{ play_hosts }}"
|
|
@ -0,0 +1,128 @@
|
|||
---
|
||||
- name: install patroni packages via apt
|
||||
apt:
|
||||
name:
|
||||
- python-psycopg2
|
||||
- python3-kazoo
|
||||
- patroni
|
||||
- postgresql-11
|
||||
state: latest
|
||||
update-cache: yes
|
||||
|
||||
- name: first run check
|
||||
shell: "echo 'bootstrapped' > /etc/postgresql/pvc"
|
||||
register: newinstance
|
||||
args:
|
||||
creates: /etc/postgresql/pvc
|
||||
|
||||
- name: stop and disable postgresql
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
state: stopped
|
||||
enabled: no
|
||||
with_items:
|
||||
- postgresql
|
||||
- postgresql@11-main
|
||||
when: newinstance.changed
|
||||
|
||||
- name: remove obsolete database directories
|
||||
file:
|
||||
dest: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- /etc/postgresql/11
|
||||
- /var/lib/postgresql/11
|
||||
when: newinstance.changed
|
||||
|
||||
- name: create patroni database directory
|
||||
file:
|
||||
dest: /var/lib/postgresql/patroni/pvc
|
||||
state: directory
|
||||
owner: postgres
|
||||
mode: 0700
|
||||
when: newinstance.changed
|
||||
|
||||
- name: install postgresql customization configuration file
|
||||
template:
|
||||
src: patroni/postgresql.pvc.conf.j2
|
||||
dest: /etc/postgresql/postgresql.pvc.conf
|
||||
owner: postgres
|
||||
group: sudo
|
||||
mode: 0640
|
||||
notify: restart patroni
|
||||
|
||||
- name: install patroni configuration file
|
||||
template:
|
||||
src: patroni/patroni.yml.j2
|
||||
dest: /etc/patroni/config.yml
|
||||
owner: postgres
|
||||
group: postgres
|
||||
mode: 0640
|
||||
notify: restart patroni
|
||||
|
||||
- name: install check_mk agent check
|
||||
copy:
|
||||
src: patroni/postgres
|
||||
dest: /usr/lib/check_mk_agent/plugins/postgres
|
||||
mode: 0755
|
||||
|
||||
- name: ensure patroni services are enabled and started
|
||||
service:
|
||||
name: "{{ item }}.service"
|
||||
state: started
|
||||
enabled: yes
|
||||
with_items:
|
||||
- patroni
|
||||
|
||||
- name: install initial schema files
|
||||
copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: postgres
|
||||
group: sudo
|
||||
mode: 0640
|
||||
with_items:
|
||||
- { src: "patroni/powerdns-schema.sql", dest: "/etc/postgresql/powerdns-schema.sql" }
|
||||
|
||||
- name: set up PVC DNS database on first host
|
||||
block:
|
||||
- name: wait 15s for cluster to initialize
|
||||
pause:
|
||||
seconds: 15
|
||||
|
||||
- name: create user for role
|
||||
postgresql_user:
|
||||
name: "{{ pvc_dns_database_user }}"
|
||||
password: "{{ pvc_dns_database_password }}"
|
||||
state: present
|
||||
login_host: /run/postgresql
|
||||
|
||||
- name: create database for role
|
||||
postgresql_db:
|
||||
name: "{{ pvc_dns_database_name }}"
|
||||
owner: "{{ pvc_dns_database_user }}"
|
||||
encoding: utf8
|
||||
state: present
|
||||
login_host: /run/postgresql
|
||||
|
||||
- name: set user privs for role
|
||||
postgresql_user:
|
||||
name: "{{ pvc_dns_database_user }}"
|
||||
db: "{{ pvc_dns_database_name }}"
|
||||
priv: ALL
|
||||
login_host: /run/postgresql
|
||||
|
||||
- name: create extensions
|
||||
postgresql_ext:
|
||||
name: "{{ item }}"
|
||||
db: "{{ pvc_dns_database_name }}"
|
||||
login_host: /run/postgresql
|
||||
with_items: "{{ extensions }}"
|
||||
when: extensions is defined
|
||||
|
||||
- name: import dns database schema
|
||||
command: "psql -U {{ pvc_dns_database_user }} -f /etc/postgresql/powerdns-schema.sql {{ pvc_dns_database_name }}"
|
||||
|
||||
become: yes
|
||||
become_user: postgres
|
||||
when: newinstance.changed and ansible_local.host_id == '1'
|
|
@ -0,0 +1,43 @@
|
|||
---
|
||||
- name: install pvc packages
|
||||
apt:
|
||||
name:
|
||||
- pvc-daemon
|
||||
- pvc-client-cli
|
||||
- pvc-client-common
|
||||
state: latest
|
||||
|
||||
- name: install pvc configuration
|
||||
template:
|
||||
src: pvc/{{ item }}.j2
|
||||
dest: /etc/pvc/{{ item }}
|
||||
with_items:
|
||||
- pvcd.yaml
|
||||
notify: restart pvcd
|
||||
|
||||
- name: verify if cluster has been started
|
||||
shell: "/usr/share/zookeeper/bin/zkCli.sh stat /nodes 2>&1 | grep -q 'Node does not exist'"
|
||||
register: cluster_init
|
||||
failed_when: no
|
||||
|
||||
- name: bootstrap a fresh cluster
|
||||
shell: /usr/bin/pvc init
|
||||
when: cluster_init.rc == 0 and ansible_local.host_id == 1
|
||||
|
||||
- name: stop and disable unneccessary services
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
state: stopped
|
||||
enabled: no
|
||||
with_items:
|
||||
- pdns.service
|
||||
|
||||
- name: start and enable services
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
state: started
|
||||
enabled: yes
|
||||
with_items:
|
||||
- pvc-flush.service
|
||||
- pvcd.service
|
||||
- pvcd.target
|
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
- name: install zookeeper packages
|
||||
apt:
|
||||
name:
|
||||
- zookeeperd
|
||||
- zookeeper-bin
|
||||
state: latest
|
||||
|
||||
- name: install zookeeper configuration
|
||||
template:
|
||||
src: zookeeper/{{ item }}.j2
|
||||
dest: /etc/zookeeper/conf/{{ item }}
|
||||
with_items:
|
||||
- configuration.xsl
|
||||
- environment
|
||||
- log4j.properties
|
||||
- myid
|
||||
- zoo.cfg
|
||||
notify: restart zookeeper
|
||||
|
||||
- name: disable services
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
enabled: no
|
||||
with_items:
|
||||
- zookeeper
|
|
@ -0,0 +1,4 @@
|
|||
# Environment file for ceph daemon systemd unit files.
|
||||
# {{ ansible_managed }}
|
||||
|
||||
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1
|
|
@ -0,0 +1,4 @@
|
|||
# Limits for ceph processes
|
||||
# {{ ansible_managed }}
|
||||
ceph soft nproc unlimited
|
||||
ceph soft nofile unlimited
|
|
@ -0,0 +1,4 @@
|
|||
# sysctl: tweak settings for Ceph
|
||||
# {{ ansible_managed }}
|
||||
|
||||
vm.swappiness = 0
|
|
@ -0,0 +1,16 @@
|
|||
# frr daemon status
|
||||
# {{ ansible_managed }}
|
||||
zebra=yes
|
||||
bgpd=yes
|
||||
ospfd=no
|
||||
ospf6d=no
|
||||
ripd=no
|
||||
ripngd=no
|
||||
isisd=no
|
||||
pimd=no
|
||||
ldpd=no
|
||||
nhrpd=no
|
||||
eigrpd=no
|
||||
babeld=no
|
||||
sharpd=no
|
||||
pbrd=no
|
|
@ -0,0 +1,53 @@
|
|||
! frr main configuration
|
||||
! {{ ansible_managed }}
|
||||
!
|
||||
frr version 4.0
|
||||
frr defaults traditional
|
||||
hostname cloud-14
|
||||
no ipv6 forwarding
|
||||
username cumulus nopassword
|
||||
!
|
||||
service integrated-vtysh-config
|
||||
!
|
||||
log syslog informational
|
||||
!
|
||||
line vty
|
||||
!
|
||||
! BGP EVPN mesh configuration
|
||||
!
|
||||
router bgp {{ pvc_asn }}
|
||||
bgp router-id {% for node in pvc_nodes if node.hostname == ansible_hostname %}{{ node.router_id }}{% endfor %}
|
||||
|
||||
no bgp default ipv4-unicast
|
||||
! BGP sessions with route reflectors
|
||||
neighbor fabric peer-group
|
||||
neighbor fabric remote-as {{ pvc_asn }}
|
||||
neighbor fabric capability extended-nexthop
|
||||
{% for node in pvc_nodes if node.is_coordinator %}
|
||||
neighbor {{ node.router_id }} peer-group fabric
|
||||
{% endfor %}
|
||||
! BGP sessions with upstream routers
|
||||
neighbor upstream peer-group
|
||||
neighbor upstream remote-as {{ pvc_asn }}
|
||||
neighbor upstream capability extended-nexthop
|
||||
{% for router in pvc_routers %}
|
||||
neighbor {{ router }} peer-group upstream
|
||||
{% endfor %}
|
||||
!
|
||||
address-family l2vpn evpn
|
||||
neighbor fabric activate
|
||||
advertise-all-vni
|
||||
exit-address-family
|
||||
address-family ipv4 unicast
|
||||
neighbor fabric activate
|
||||
neighbor upstream activate
|
||||
redistribute connected
|
||||
exit-address-family
|
||||
address-family ipv6 unicast
|
||||
neighbor fabric activate
|
||||
neighbor upstream activate
|
||||
redistribute connected
|
||||
exit-address-family
|
||||
!
|
||||
exit
|
||||
!
|
|
@ -0,0 +1,6 @@
|
|||
<secret ephemeral='no' private='no'>
|
||||
<uuid>{{ ceph_storage_secret_uuid }}</uuid>
|
||||
<usage type='ceph'>
|
||||
<name>client.libvirt secret</name>
|
||||
</usage>
|
||||
</secret>
|
|
@ -0,0 +1,7 @@
|
|||
# PVC libvirt daemon configuration file
|
||||
# {{ ansible_managed }}
|
||||
|
||||
listen_tls = 0
|
||||
listen_tcp = 1
|
||||
tcp_port = "16509"
|
||||
auth_tcp = "none"
|
|
@ -0,0 +1,63 @@
|
|||
scope: pvcdns
|
||||
namespace: /patroni
|
||||
name: {{ ansible_hostname }}
|
||||
|
||||
restapi:
|
||||
listen: '0.0.0.0:8008'
|
||||
connect_address: '{{ ansible_fqdn }}:8008'
|
||||
|
||||
zookeeper:
|
||||
hosts: [ {% for host in groups[ansible_local.host_group] %}'{{ host }}.{{ ansible_domain }}:2181',{% endfor %} ]
|
||||
|
||||
bootstrap:
|
||||
dcs:
|
||||
ttl: 30
|
||||
loop_wait: 10
|
||||
retry_timeout: 10
|
||||
maximum_lag_on_failover: 1048576
|
||||
postgresql:
|
||||
use_pg_rewind: true
|
||||
|
||||
initdb:
|
||||
- encoding: UTF8
|
||||
- data-checksums
|
||||
|
||||
pg_hba:
|
||||
- local all all peer
|
||||
- host replication replicator 127.0.0.1/32 trust
|
||||
{% for host in groups[ansible_local.host_group] %}
|
||||
- host replication replicator {{ host }}.{{ ansible_domain }} trust
|
||||
{% endfor %}
|
||||
- host all all 0.0.0.0/0 md5
|
||||
|
||||
users:
|
||||
admin:
|
||||
password: admin
|
||||
options:
|
||||
- createrole
|
||||
- createdb
|
||||
|
||||
postgresql:
|
||||
listen: '0.0.0.0:5432'
|
||||
connect_address: '{{ ansible_fqdn }}:5432'
|
||||
log_destination: 'stderr'
|
||||
log_min_messages: INFO
|
||||
custom_conf: /etc/postgresql/postgresql.pvc.conf
|
||||
bin_dir: /usr/lib/postgresql/11/bin
|
||||
data_dir: /var/lib/postgresql/patroni/pvc
|
||||
pgpass: /tmp/pgpass
|
||||
authentication:
|
||||
replication:
|
||||
username: '{{ pvc_replication_database_user }}'
|
||||
password: '{{ pvc_replication_database_password }}'
|
||||
superuser:
|
||||
username: '{{ pvc_superuser_database_user }}'
|
||||
password: '{{ pvc_superuser_database_password }}'
|
||||
parameters:
|
||||
unix_socket_directories: '/run/postgresql'
|
||||
|
||||
tags:
|
||||
nofailover: false
|
||||
noloadbalance: false
|
||||
clonefrom: false
|
||||
nosync: false
|
|
@ -0,0 +1,21 @@
|
|||
# Additional PostgreSQL tuning parameters for PVC Patroni instance
|
||||
# {{ ansible_managed }}
|
||||
|
||||
max_connections = 100
|
||||
shared_buffers = 64MB
|
||||
effective_cache_size = 256MB
|
||||
dynamic_shared_memory_type = posix
|
||||
|
||||
random_page_cost = 1
|
||||
seq_page_cost = 1
|
||||
|
||||
log_timezone = 'localtime'
|
||||
datestyle = 'iso, dmy'
|
||||
timezone = 'localtime'
|
||||
|
||||
lc_messages = 'en_CA.UTF-8'
|
||||
lc_monetary = 'en_CA.UTF-8'
|
||||
lc_numeric = 'en_CA.UTF-8'
|
||||
lc_time = 'en_CA.UTF-8'
|
||||
|
||||
default_text_search_config = 'pg_catalog.english'
|
|
@ -0,0 +1,75 @@
|
|||
---
|
||||
# pvcd cluster configuration
|
||||
# {{ ansible_managed }}
|
||||
pvc:
|
||||
node: {% for node in pvc_nodes if node.hostname == ansible_hostname %}{{ node.hostname }}{% endfor %}
|
||||
|
||||
functions:
|
||||
enable_hypervisor: True
|
||||
enable_networking: True
|
||||
enable_storage: False
|
||||
cluster:
|
||||
coordinators:
|
||||
{% for node in pvc_nodes if node.is_coordinator %}
|
||||
- {{ node.hostname }}
|
||||
{% endfor %}
|
||||
networks:
|
||||
cluster:
|
||||
domain: {{ pvc_cluster_domain }}
|
||||
network: {{ pvc_cluster_subnet }}
|
||||
floating_ip: {{ pvc_cluster_floatingip }}
|
||||
storage:
|
||||
domain: {{ pvc_storage_domain }}
|
||||
network: {{ pvc_storage_subnet }}
|
||||
floating_ip: {{ pvc_storage_floatingip }}
|
||||
upstream:
|
||||
domain: {{ pvc_upstream_domain }}
|
||||
network: {{ pvc_upstream_subnet }}
|
||||
floating_ip: {{ pvc_upstream_floatingip }}
|
||||
gateway: {{ pvc_upstream_gatewayip }}
|
||||
coordinator:
|
||||
dns:
|
||||
database:
|
||||
host: localhost
|
||||
port: 5432
|
||||
name: pvcdns
|
||||
user: pvcdns
|
||||
pass: PVCdnsPassw0rd
|
||||
system:
|
||||
fencing:
|
||||
intervals:
|
||||
keepalive_interval: 5
|
||||
fence_intervals: 6
|
||||
suicide_intervals: 0
|
||||
actions:
|
||||
successful_fence: migrate
|
||||
failed_fence: None
|
||||
ipmi:
|
||||
host: {% for node in pvc_nodes if node.hostname == ansible_hostname %}{{ node.ipmi_host }}{% endfor %}
|
||||
|
||||
user: {% for node in pvc_nodes if node.hostname == ansible_hostname %}{{ node.ipmi_user }}{% endfor %}
|
||||
|
||||
pass: {% for node in pvc_nodes if node.hostname == ansible_hostname %}{{ node.ipmi_password }}{% endfor %}
|
||||
|
||||
migration:
|
||||
target_selector: mem
|
||||
configuration:
|
||||
directories:
|
||||
dynamic_directory: "/run/pvc"
|
||||
log_directory: "/var/log/pvc"
|
||||
console_log_directory: "/var/log/libvirt"
|
||||
logging:
|
||||
file_logging: True
|
||||
stdout_logging: True
|
||||
console_log_lines: 1000
|
||||
networking:
|
||||
devices:
|
||||
cluster: {{ pvc_cluster_device }}
|
||||
storage: {{ pvc_storage_device }}
|
||||
upstream: {{ pvc_upstream_device }}
|
||||
addresses:
|
||||
cluster: {% for node in pvc_nodes if node.hostname == ansible_hostname %}{{ node.cluster_ip }}{% endfor %}
|
||||
|
||||
storage: {% for node in pvc_nodes if node.hostname == ansible_hostname %}{{ node.storage_ip }}{% endfor %}
|
||||
|
||||
upstream: {% for node in pvc_nodes if node.hostname == ansible_hostname %}{{ node.upstream_ip }}{% endfor %}
|
|
@ -0,0 +1,11 @@
|
|||
# modprobe blacklist
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# Blacklist GPU drivers
|
||||
blacklist nouveau
|
||||
blacklist radeon
|
||||
blacklist amdgpu
|
||||
blacklist snd_hda_intel
|
||||
|
||||
# Blacklist HP Proliant management
|
||||
blacklist hpwdt
|
|
@ -0,0 +1,25 @@
|
|||
<!-- {{ ansible_managed }} -->
|
||||
<?xml version="1.0"?>
|
||||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
|
||||
<xsl:output method="html"/>
|
||||
<xsl:template match="configuration">
|
||||
<html>
|
||||
<body>
|
||||
<table border="1">
|
||||
<tr>
|
||||
<td>name</td>
|
||||
<td>value</td>
|
||||
<td>description</td>
|
||||
</tr>
|
||||
<xsl:for-each select="property">
|
||||
<tr>
|
||||
<td><a name="{name}"><xsl:value-of select="name"/></a></td>
|
||||
<td><xsl:value-of select="value"/></td>
|
||||
<td><xsl:value-of select="description"/></td>
|
||||
</tr>
|
||||
</xsl:for-each>
|
||||
</table>
|
||||
</body>
|
||||
</html>
|
||||
</xsl:template>
|
||||
</xsl:stylesheet>
|
|
@ -0,0 +1,10 @@
|
|||
# {{ ansible_managed }}
|
||||
ZOOMAIN=org.apache.zookeeper.server.quorum.QuorumPeerMain
|
||||
ZOOCFGDIR=/etc/zookeeper/conf
|
||||
ZOOCFG=/etc/zookeeper/conf/zoo.cfg
|
||||
ZOO_LOG_DIR=/var/log/zookeeper
|
||||
ZOO_LOG4J_PROP=INFO,ROLLINGFILE
|
||||
JMXLOCALONLY=false
|
||||
JAVA_OPTS=""
|
||||
JAVA=/usr/bin/java
|
||||
CLASSPATH="/etc/zookeeper/conf:/usr/share/java/jline.jar:/usr/share/java/log4j-1.2.jar:/usr/share/java/xercesImpl.jar:/usr/share/java/xmlParserAPIs.jar:/usr/share/java/netty.jar:/usr/share/java/slf4j-api.jar:/usr/share/java/slf4j-log4j12.jar:/usr/share/java/zookeeper.jar"
|
|
@ -0,0 +1,50 @@
|
|||
# ZooKeeper Logging Configuration
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# Format is "<default threshold> (, <appender>)+
|
||||
|
||||
log4j.rootLogger=${zookeeper.root.logger}
|
||||
|
||||
# Example: console appender only
|
||||
# log4j.rootLogger=INFO, CONSOLE
|
||||
|
||||
# Example with rolling log file
|
||||
#log4j.rootLogger=DEBUG, CONSOLE, ROLLINGFILE
|
||||
|
||||
# Example with rolling log file and tracing
|
||||
#log4j.rootLogger=TRACE, CONSOLE, ROLLINGFILE, TRACEFILE
|
||||
|
||||
#
|
||||
# Log INFO level and above messages to the console
|
||||
#
|
||||
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
|
||||
log4j.appender.CONSOLE.Threshold=INFO
|
||||
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
|
||||
log4j.appender.CONSOLE.layout.ConversionPattern=%d{ISO8601} - %-5p [%t:%C{1}@%L] - %m%n
|
||||
|
||||
#
|
||||
# Add ROLLINGFILE to rootLogger to get log file output
|
||||
# Log DEBUG level and above messages to a log file
|
||||
log4j.appender.ROLLINGFILE=org.apache.log4j.RollingFileAppender
|
||||
log4j.appender.ROLLINGFILE.Threshold=DEBUG
|
||||
log4j.appender.ROLLINGFILE.File=${zookeeper.log.dir}/zookeeper.log
|
||||
|
||||
# Max log file size of 10MB
|
||||
log4j.appender.ROLLINGFILE.MaxFileSize=10MB
|
||||
# uncomment the next line to limit number of backup files
|
||||
#log4j.appender.ROLLINGFILE.MaxBackupIndex=10
|
||||
|
||||
log4j.appender.ROLLINGFILE.layout=org.apache.log4j.PatternLayout
|
||||
log4j.appender.ROLLINGFILE.layout.ConversionPattern=%d{ISO8601} - %-5p [%t:%C{1}@%L] - %m%n
|
||||
|
||||
|
||||
#
|
||||
# Add TRACEFILE to rootLogger to get log file output
|
||||
# Log DEBUG level and above messages to a log file
|
||||
log4j.appender.TRACEFILE=org.apache.log4j.FileAppender
|
||||
log4j.appender.TRACEFILE.Threshold=TRACE
|
||||
log4j.appender.TRACEFILE.File=${zookeeper.log.dir}/zookeeper_trace.log
|
||||
|
||||
log4j.appender.TRACEFILE.layout=org.apache.log4j.PatternLayout
|
||||
### Notice we are including log4j's NDC here (%x)
|
||||
log4j.appender.TRACEFILE.layout.ConversionPattern=%d{ISO8601} - %-5p [%t:%C{1}@%L][%x] - %m%n
|
|
@ -0,0 +1 @@
|
|||
{{ ansible_local.host_id }}
|
|
@ -0,0 +1,13 @@
|
|||
# PVC Zookeeper configuration
|
||||
# {{ ansible_managed }}
|
||||
|
||||
tickTime=1000
|
||||
initLimit=10
|
||||
syncLimit=5
|
||||
dataDir=/var/lib/zookeeper
|
||||
|
||||
clientPort=2181
|
||||
|
||||
{% for node in pvc_nodes if node.is_coordinator %}
|
||||
server.{{ node.node_id }}={{ node.hostname }}:2888:3888
|
||||
{% endfor %}
|
Loading…
Reference in New Issue