Hashar has uploaded a new change for review.
https://gerrit.wikimedia.org/r/62582
Change subject: lame work in progress
......................................................................
lame work in progress
Change-Id: I8321c83a26ac082fa4ebf7f31ffb5ed5382b5322
---
D manifests/protoproxy.pp
M manifests/role/protoproxy.pp
A modules/protoproxy/manifests/instance.pp
A modules/protoproxy/manifests/package.pp
A modules/protoproxy/manifests/service.pp
5 files changed, 436 insertions(+), 377 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/82/62582/1
diff --git a/manifests/protoproxy.pp b/manifests/protoproxy.pp
deleted file mode 100644
index 4ad62c8..0000000
--- a/manifests/protoproxy.pp
+++ /dev/null
@@ -1,373 +0,0 @@
-define proxy_configuration( $proxy_addresses, $proxy_server_name,
$proxy_server_cert_name, $proxy_backend, $enabled="false",
$proxy_listen_flags='', $proxy_port='80', $ipv6_enabled='false',
$ssl_backend={} ) {
-
- nginx_site {
- "${name}":
- template => "proxy",
- install => "template",
- enable => $enabled,
- require => Package["nginx"];
- }
-
-}
-
-class protoproxy::proxy_sites {
-
- if $enable_ipv6_proxy {
- $desc = "SSL and IPv6 proxy"
- } else {
- $desc = "SSL proxy"
- }
- system_role { "protoproxy::proxy_sites": description => $desc }
-
- # FIXME: pull from lvs::configuration
- class { "lvs::realserver":
- realserver_ips => $::site ? {
- "pmtpa" => [ "208.80.152.200", "208.80.152.201",
"208.80.152.202", "208.80.152.203", "208.80.152.204", "208.80.152.205",
"208.80.152.206", "208.80.152.207", "208.80.152.208", "208.80.152.209",
"208.80.152.210", "208.80.152.211", "208.80.152.3", "208.80.152.118",
"208.80.152.218", "208.80.152.219", "2620:0:860:ed1a::", "2620:0:860:ed1a::1",
"2620:0:860:ed1a::2", "2620:0:860:ed1a::3", "2620:0:860:ed1a::4",
"2620:0:860:ed1a::5", "2620:0:860:ed1a::6", "2620:0:860:ed1a::7",
"2620:0:860:ed1a::8", "2620:0:860:ed1a::9", "2620:0:860:ed1a::a",
"2620:0:860:ed1a::b", "2620:0:860:ed1a::c", "2620:0:860:ed1a::12",
"2620:0:860:ed1a::13" ],
- "eqiad" => [ "208.80.154.224", "208.80.154.225",
"208.80.154.226", "208.80.154.227", "208.80.154.228", "208.80.154.229",
"208.80.154.230", "208.80.154.231", "208.80.154.232", "208.80.154.233",
"208.80.154.234", "208.80.154.235", "208.80.154.236", "208.80.154.242",
"208.80.154.243", "2620:0:861:ed1a::", "2620:0:861:ed1a::1",
"2620:0:861:ed1a::2", "2620:0:861:ed1a::3", "2620:0:861:ed1a::4",
"2620:0:861:ed1a::5", "2620:0:861:ed1a::6", "2620:0:861:ed1a::7",
"2620:0:861:ed1a::8", "2620:0:861:ed1a::9", "2620:0:861:ed1a::a",
"2620:0:861:ed1a::b", "2620:0:861:ed1a::c", "2620:0:861:ed1a::12",
"2620:0:861:ed1a::13" ],
- "esams" => [ "91.198.174.224", "91.198.174.225",
"91.198.174.233", "91.198.174.234", "91.198.174.226", "91.198.174.227",
"91.198.174.228", "91.198.174.229", "91.198.174.230", "91.198.174.231",
"91.198.174.232", "91.198.174.235", "2620:0:862:ed1a::", "2620:0:862:ed1a::1",
"2620:0:862:ed1a::2", "2620:0:862:ed1a::3", "2620:0:862:ed1a::4",
"2620:0:862:ed1a::5", "2620:0:862:ed1a::6", "2620:0:862:ed1a::7",
"2620:0:862:ed1a::8", "2620:0:862:ed1a::9", "2620:0:862:ed1a::a",
"2620:0:862:ed1a::b", "2620:0:862:ed1a::c" ]
- }
- }
-
- require protoproxy::package
- include protoproxy::service
- include protoproxy::ganglia
-
- # Tune kernel settings
- include generic::sysctl::high-http-performance
-
- $nginx_worker_connections = '32768'
- $nginx_use_ssl = true
-
- install_certificate{ "star.wikimedia.org": }
- install_certificate{ "star.wikipedia.org": }
- install_certificate{ "star.wiktionary.org": }
- install_certificate{ "star.wikiquote.org": }
- install_certificate{ "star.wikibooks.org": }
- install_certificate{ "star.wikisource.org": }
- install_certificate{ "star.wikinews.org": }
- install_certificate{ "star.wikiversity.org": }
- install_certificate{ "star.mediawiki.org": }
- install_certificate{ "star.wikimediafoundation.org": }
- install_certificate{ "star.wikidata.org": }
- install_certificate{ "star.wikivoyage.org": }
- install_certificate{ "unified.wikimedia.org": }
-
- file {
- "/etc/nginx/nginx.conf":
- content => template('nginx/nginx.conf.erb'),
- notify => Service['nginx'],
- require => Package['nginx'];
- }
-
- file {
- "/etc/logrotate.d/nginx":
- content => template('nginx/logrotate'),
- require => Package['nginx'];
- }
-
- nginx_site {
- "localhost.conf":
- install => "true",
- enable => "true",
- require => Package["nginx"];
- }
-
- proxy_configuration{ wikimedia:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.200", "[2620:0:860:ed1a::]" ],
- "eqiad" => [ "208.80.154.224", "[2620:0:861:ed1a::]" ],
- "esams" => [ "91.198.174.224", "[2620:0:862:ed1a::]" ]
- },
- proxy_server_name => '*.wikimedia.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- "esams" => { "primary" => "10.2.3.25", "secondary" =>
"208.80.152.200" }
- },
- ipv6_enabled => 'true',
- enabled => 'true',
- proxy_listen_flags => 'default ssl'
- }
- proxy_configuration{ bits:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.210", "[2620:0:860:ed1a::a]" ],
- "eqiad" => [ "208.80.154.234", "[2620:0:861:ed1a::a]" ],
- "esams" => [ "91.198.174.233", "[2620:0:862:ed1a::a]" ]
- },
- proxy_server_name => 'bits.wikimedia.org
geoiplookup.wikimedia.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.23" },
- "eqiad" => { "primary" => "10.2.2.23" },
- "esams" => { "primary" => "10.2.3.23", "secondary" =>
"208.80.152.210" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ upload:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.211", "[2620:0:860:ed1a::b]" ],
- "eqiad" => [ "208.80.154.235", "[2620:0:861:ed1a::b]" ],
- "esams" => [ "91.198.174.234", "[2620:0:862:ed1a::b]" ]
- },
- proxy_server_name => 'upload.wikimedia.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.24" },
- "eqiad" => { "primary" => "10.2.2.24" },
- "esams" => { "primary" => "10.2.3.24", "secondary" =>
"208.80.152.211" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ wikipedia:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.201", "[2620:0:860:ed1a::1]" ],
- "eqiad" => [ "208.80.154.225", "[2620:0:861:ed1a::1]" ],
- "esams" => [ "91.198.174.225", "[2620:0:862:ed1a::1]" ]
- },
- proxy_server_name => '*.wikipedia.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- "esams" => { "primary" => "10.2.3.25", "secondary" =>
"208.80.152.201" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ wiktionary:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.202", "[2620:0:860:ed1a::2]" ],
- "eqiad" => [ "208.80.154.226", "[2620:0:861:ed1a::2]" ],
- "esams" => [ "91.198.174.226", "[2620:0:862:ed1a::2]" ]
- },
- proxy_server_name => '*.wiktionary.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- "esams" => { "primary" => "10.2.3.25", "secondary" =>
"208.80.152.202" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ wikiquote:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.203", "[2620:0:860:ed1a::3]" ],
- "eqiad" => [ "208.80.154.227", "[2620:0:861:ed1a::3]" ],
- "esams" => [ "91.198.174.227", "[2620:0:862:ed1a::3]" ]
- },
- proxy_server_name => '*.wikiquote.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- "esams" => { "primary" => "10.2.3.25", "secondary" =>
"208.80.152.203" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ wikibooks:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.204", "[2620:0:860:ed1a::4]" ],
- "eqiad" => [ "208.80.154.228", "[2620:0:861:ed1a::4]" ],
- "esams" => [ "91.198.174.228", "[2620:0:862:ed1a::4]" ]
- },
- proxy_server_name => '*.wikibooks.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- "esams" => { "primary" => "10.2.3.25", "secondary" =>
"208.80.152.204" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ wikisource:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.205", "[2620:0:860:ed1a::5]" ],
- "eqiad" => [ "208.80.154.229", "[2620:0:861:ed1a::5]" ],
- "esams" => [ "91.198.174.229", "[2620:0:862:ed1a::5]" ]
- },
- proxy_server_name => '*.wikisource.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- "esams" => { "primary" => "10.2.3.25", "secondary" =>
"208.80.152.205" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ wikinews:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.206", "[2620:0:860:ed1a::6]" ],
- "eqiad" => [ "208.80.154.230", "[2620:0:861:ed1a::6]" ],
- "esams" => [ "91.198.174.230", "[2620:0:862:ed1a::6]" ]
- },
- proxy_server_name => '*.wikinews.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- "esams" => { "primary" => "10.2.3.25", "secondary" =>
"208.80.152.206" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ wikiversity:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.207", "[2620:0:860:ed1a::7]" ],
- "eqiad" => [ "208.80.154.231", "[2620:0:861:ed1a::7]" ],
- "esams" => [ "91.198.174.231", "[2620:0:862:ed1a::7]" ]
- },
- proxy_server_name => '*.wikiversity.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- "esams" => { "primary" => "10.2.3.25", "secondary" =>
"208.80.152.207" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ mediawiki:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.208", "[2620:0:860:ed1a::8]" ],
- "eqiad" => [ "208.80.154.232", "[2620:0:861:ed1a::8]" ],
- "esams" => [ "91.198.174.232", "[2620:0:862:ed1a::8]" ]
- },
- proxy_server_name => '*.mediawiki.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- "esams" => { "primary" => "10.2.3.25", "secondary" =>
"208.80.152.208" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ wikimediafoundation:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.209", "[2620:0:860:ed1a::9]" ],
- "eqiad" => [ "208.80.154.233", "[2620:0:861:ed1a::9]" ],
- "esams" => [ "91.198.174.235", "[2620:0:862:ed1a::9]" ]
- },
- proxy_server_name => '*.wikimediafoundation.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- "esams" => { "primary" => "10.2.3.25", "secondary" =>
"208.80.152.209" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- proxy_configuration{ mobilewikipedia:
- proxy_addresses => {
- "pmtpa" => [ "127.0.0.1", "[2620:0:860:ed1a::c]" ],
- "eqiad" => [ "208.80.154.236", "[2620:0:861:ed1a::c]" ],
- "esams" => [ "127.0.0.1", "[2620:0:862:ed1a::c]" ]
- },
- proxy_server_name => '*.m.wikipedia.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.26" },
- "eqiad" => { "primary" => "10.2.2.26" },
- "esams" => { "primary" => "10.2.3.26", "secondary" =>
"208.80.154.236" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- # wikidata.org
- if $::site != "esams" {
- proxy_configuration{ wikidata:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.218",
"[2620:0:860:ed1a::12]" ],
- "eqiad" => [ "208.80.154.242",
"[2620:0:861:ed1a::12]" ],
- # "esams" => [ "127.0.0.1" ]
- },
- proxy_server_name => '*.wikidata.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- # "esams" => { "primary" => "10.2.3.25" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- }
- # wikivoyage.org
- if $::site != "esams" {
- proxy_configuration{ wikivoyage:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.219",
"[2620:0:860:ed1a::13]" ],
- "eqiad" => [ "208.80.154.243",
"[2620:0:861:ed1a::13]" ],
- # "esams" => [ "127.0.0.1" ]
- },
- proxy_server_name => '*.wikivoyage.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.2.1.25" },
- "eqiad" => { "primary" => "10.2.2.25" },
- # "esams" => { "primary" => "10.2.3.25" }
- },
- ipv6_enabled => 'true',
- enabled => 'true'
- }
- }
- # Misc services
- proxy_configuration{ videos:
- proxy_addresses => {
- "pmtpa" => [ "208.80.152.200", "[2620:0:860:2::80:2]" ],
- "eqiad" => [ "208.80.154.224", "[2620:0:862:3::80:2]" ],
- "esams" => [ "91.198.174.224", "[2620:0:862:1::80:2]" ]
},
- proxy_server_name => 'videos.wikimedia.org',
- proxy_server_cert_name => 'unified.wikimedia.org',
- proxy_backend => {
- "pmtpa" => { "primary" => "10.64.16.146" },
- "eqiad" => { "primary" => "10.64.16.146" },
- "esams" => { "primary" => "208.80.152.200", "secondary"
=> "208.80.152.200" }
- },
- ssl_backend => { "esams" => "true" },
- enabled => 'true'
- }
-
-}
-
-class protoproxy::package {
-
- package { ['nginx']:
- ensure => latest;
- }
-
- file {
- "/etc/nginx/sites-enabled/default":
- ensure => absent;
- }
-
-}
-
-class protoproxy::service {
- require protoproxy::proxy_sites
-
- service { ['nginx']:
- enable => true,
- ensure => running;
- }
-}
-
-class protoproxy::ganglia {
- file {
- "/usr/lib/ganglia/python_modules/apache_status.py":
- source =>
"puppet:///files/ganglia/plugins/apache_status.py",
- notify => Service[gmond];
- "/etc/ganglia/conf.d/apache_status.pyconf":
- source =>
"puppet:///files/ganglia/plugins/apache_status.pyconf",
- notify => Service[gmond];
- }
-}
-
diff --git a/manifests/role/protoproxy.pp b/manifests/role/protoproxy.pp
index 97b8717..47b91b1 100644
--- a/manifests/role/protoproxy.pp
+++ b/manifests/role/protoproxy.pp
@@ -1,11 +1,377 @@
-class role::protoproxy::ssl {
- $cluster = "ssl"
+class role::protoproxy::ssl::common {
+ $nginx_worker_connections = '32768'
+ $nginx_use_ssl = true
+
+ file { '/etc/nginx/nginx.conf':
+ content => template('nginx/nginx.conf.erb'),
+ notify => Service['nginx'],
+ require => Package['nginx'],
+ }
+
+ file { '/etc/logrotate.d/nginx':
+ content => template('nginx/logrotate'),
+ require => Package['nginx'],
+ }
+
+ nginx_site { 'localhost.conf':
+ install => true,
+ enable => true,
+ require => Package['nginx'],
+ }
+
+}
+
+class role::protoproxy::ssl {
+ system_role { 'protoproxy::proxy_sites': description => 'SSL and IPv6 proxy'
}
+
+ $cluster = 'ssl'
$enable_ipv6_proxy = true
include standard,
certificates::wmf_ca,
- protoproxy::proxy_sites
+ role::protoproxy::ssl::common
- monitor_service { "https": description => "HTTPS", check_command =>
"check_ssl_cert!*.wikimedia.org", critical => true }
+ # FIXME: pull from lvs::configuration
+ class { 'lvs::realserver':
+ realserver_ips => $::site ? {
+ 'pmtpa' => [ '208.80.152.200', '208.80.152.201', '208.80.152.202',
'208.80.152.203', '208.80.152.204', '208.80.152.205', '208.80.152.206',
'208.80.152.207', '208.80.152.208', '208.80.152.209', '208.80.152.210',
'208.80.152.211', '208.80.152.3', '208.80.152.118', '208.80.152.218',
'208.80.152.219', '2620:0:860:ed1a::', '2620:0:860:ed1a::1',
'2620:0:860:ed1a::2', '2620:0:860:ed1a::3', '2620:0:860:ed1a::4',
'2620:0:860:ed1a::5', '2620:0:860:ed1a::6', '2620:0:860:ed1a::7',
'2620:0:860:ed1a::8', '2620:0:860:ed1a::9', '2620:0:860:ed1a::a',
'2620:0:860:ed1a::b', '2620:0:860:ed1a::c', '2620:0:860:ed1a::12',
'2620:0:860:ed1a::13' ],
+ 'eqiad' => [ '208.80.154.224', '208.80.154.225', '208.80.154.226',
'208.80.154.227', '208.80.154.228', '208.80.154.229', '208.80.154.230',
'208.80.154.231', '208.80.154.232', '208.80.154.233', '208.80.154.234',
'208.80.154.235', '208.80.154.236', '208.80.154.242', '208.80.154.243',
'2620:0:861:ed1a::', '2620:0:861:ed1a::1', '2620:0:861:ed1a::2',
'2620:0:861:ed1a::3', '2620:0:861:ed1a::4', '2620:0:861:ed1a::5',
'2620:0:861:ed1a::6', '2620:0:861:ed1a::7', '2620:0:861:ed1a::8',
'2620:0:861:ed1a::9', '2620:0:861:ed1a::a', '2620:0:861:ed1a::b',
'2620:0:861:ed1a::c', '2620:0:861:ed1a::12', '2620:0:861:ed1a::13' ],
+ 'esams' => [ '91.198.174.224', '91.198.174.225', '91.198.174.233',
'91.198.174.234', '91.198.174.226', '91.198.174.227', '91.198.174.228',
'91.198.174.229', '91.198.174.230', '91.198.174.231', '91.198.174.232',
'91.198.174.235', '2620:0:862:ed1a::', '2620:0:862:ed1a::1',
'2620:0:862:ed1a::2', '2620:0:862:ed1a::3', '2620:0:862:ed1a::4',
'2620:0:862:ed1a::5', '2620:0:862:ed1a::6', '2620:0:862:ed1a::7',
'2620:0:862:ed1a::8', '2620:0:862:ed1a::9', '2620:0:862:ed1a::a',
'2620:0:862:ed1a::b', '2620:0:862:ed1a::c' ],
+ }
+ }
+
+ install_certificate{ 'star.wikimedia.org': }
+ install_certificate{ 'star.wikipedia.org': }
+ install_certificate{ 'star.wiktionary.org': }
+ install_certificate{ 'star.wikiquote.org': }
+ install_certificate{ 'star.wikibooks.org': }
+ install_certificate{ 'star.wikisource.org': }
+ install_certificate{ 'star.wikinews.org': }
+ install_certificate{ 'star.wikiversity.org': }
+ install_certificate{ 'star.mediawiki.org': }
+ install_certificate{ 'star.wikimediafoundation.org': }
+ install_certificate{ 'star.wikidata.org': }
+ install_certificate{ 'star.wikivoyage.org': }
+ install_certificate{ 'unified.wikimedia.org': }
+
+ protoproxy::instance{ 'wikimedia':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.200', '[2620:0:860:ed1a::]' ],
+ 'eqiad' => [ '208.80.154.224', '[2620:0:861:ed1a::]' ],
+ 'esams' => [ '91.198.174.224', '[2620:0:862:ed1a::]' ]
+ },
+ proxy_server_name => '*.wikimedia.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ 'esams' => { 'primary' => '10.2.3.25', 'secondary' => '208.80.152.200' }
+ },
+ ipv6_enabled => true,
+ enabled => true,
+ proxy_listen_flags => 'default ssl'
+ }
+ protoproxy::instance{ 'bits':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.210', '[2620:0:860:ed1a::a]' ],
+ 'eqiad' => [ '208.80.154.234', '[2620:0:861:ed1a::a]' ],
+ 'esams' => [ '91.198.174.233', '[2620:0:862:ed1a::a]' ]
+ },
+ proxy_server_name => 'bits.wikimedia.org geoiplookup.wikimedia.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.23' },
+ 'eqiad' => { 'primary' => '10.2.2.23' },
+ 'esams' => { 'primary' => '10.2.3.23', 'secondary' => '208.80.152.210' }
+ },
+ ipv6_enabled => true,
+ enabled => true
+ }
+ protoproxy::instance{ 'upload':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.211', '[2620:0:860:ed1a::b]' ],
+ 'eqiad' => [ '208.80.154.235', '[2620:0:861:ed1a::b]' ],
+ 'esams' => [ '91.198.174.234', '[2620:0:862:ed1a::b]' ]
+ },
+ proxy_server_name => 'upload.wikimedia.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.24' },
+ 'eqiad' => { 'primary' => '10.2.2.24' },
+ 'esams' => { 'primary' => '10.2.3.24', 'secondary' => '208.80.152.211' }
+ },
+ ipv6_enabled => true,
+ enabled => true
+ }
+ protoproxy::instance{ 'wikipedia':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.201', '[2620:0:860:ed1a::1]' ],
+ 'eqiad' => [ '208.80.154.225', '[2620:0:861:ed1a::1]' ],
+ 'esams' => [ '91.198.174.225', '[2620:0:862:ed1a::1]' ]
+ },
+ proxy_server_name => '*.wikipedia.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ 'esams' => { 'primary' => '10.2.3.25', 'secondary' => '208.80.152.201' }
+ },
+ ipv6_enabled => true,
+ enabled => true,
+ }
+ protoproxy::instance{ 'wiktionary':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.202', '[2620:0:860:ed1a::2]' ],
+ 'eqiad' => [ '208.80.154.226', '[2620:0:861:ed1a::2]' ],
+ 'esams' => [ '91.198.174.226', '[2620:0:862:ed1a::2]' ]
+ },
+ proxy_server_name => '*.wiktionary.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ 'esams' => { 'primary' => '10.2.3.25', 'secondary' => '208.80.152.202' }
+ },
+ ipv6_enabled => true,
+ enabled => 'true'
+ }
+ protoproxy::instance{ 'wikiquote':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.203', '[2620:0:860:ed1a::3]' ],
+ 'eqiad' => [ '208.80.154.227', '[2620:0:861:ed1a::3]' ],
+ 'esams' => [ '91.198.174.227', '[2620:0:862:ed1a::3]' ]
+ },
+ proxy_server_name => '*.wikiquote.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ 'esams' => { 'primary' => '10.2.3.25', 'secondary' => '208.80.152.203' }
+ },
+ ipv6_enabled => 'true',
+ enabled => 'true'
+ }
+ protoproxy::instance{ 'wikibooks':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.204', '[2620:0:860:ed1a::4]' ],
+ 'eqiad' => [ '208.80.154.228', '[2620:0:861:ed1a::4]' ],
+ 'esams' => [ '91.198.174.228', '[2620:0:862:ed1a::4]' ]
+ },
+ proxy_server_name => '*.wikibooks.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ 'esams' => { 'primary' => '10.2.3.25', 'secondary' => '208.80.152.204' }
+ },
+ ipv6_enabled => 'true',
+ enabled => 'true'
+ }
+ protoproxy::instance{ 'wikisource':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.205', '[2620:0:860:ed1a::5]' ],
+ 'eqiad' => [ '208.80.154.229', '[2620:0:861:ed1a::5]' ],
+ 'esams' => [ '91.198.174.229', '[2620:0:862:ed1a::5]' ]
+ },
+ proxy_server_name => '*.wikisource.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ 'esams' => { 'primary' => '10.2.3.25', 'secondary' => '208.80.152.205' }
+ },
+ ipv6_enabled => 'true',
+ enabled => 'true'
+ }
+ protoproxy::instance{ 'wikinews':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.206', '[2620:0:860:ed1a::6]' ],
+ 'eqiad' => [ '208.80.154.230', '[2620:0:861:ed1a::6]' ],
+ 'esams' => [ '91.198.174.230', '[2620:0:862:ed1a::6]' ]
+ },
+ proxy_server_name => '*.wikinews.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ 'esams' => { 'primary' => '10.2.3.25', 'secondary' => '208.80.152.206' }
+ },
+ ipv6_enabled => 'true',
+ enabled => 'true'
+ }
+ protoproxy::instance{ 'wikiversity':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.207', '[2620:0:860:ed1a::7]' ],
+ 'eqiad' => [ '208.80.154.231', '[2620:0:861:ed1a::7]' ],
+ 'esams' => [ '91.198.174.231', '[2620:0:862:ed1a::7]' ]
+ },
+ proxy_server_name => '*.wikiversity.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ 'esams' => { 'primary' => '10.2.3.25', 'secondary' => '208.80.152.207' }
+ },
+ ipv6_enabled => 'true',
+ enabled => 'true'
+ }
+ protoproxy::instance{ 'mediawiki':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.208', '[2620:0:860:ed1a::8]' ],
+ 'eqiad' => [ '208.80.154.232', '[2620:0:861:ed1a::8]' ],
+ 'esams' => [ '91.198.174.232', '[2620:0:862:ed1a::8]' ]
+ },
+ proxy_server_name => '*.mediawiki.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ 'esams' => { 'primary' => '10.2.3.25', 'secondary' => '208.80.152.208' }
+ },
+ ipv6_enabled => 'true',
+ enabled => 'true'
+ }
+ protoproxy::instance{ 'wikimediafoundation':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.209', '[2620:0:860:ed1a::9]' ],
+ 'eqiad' => [ '208.80.154.233', '[2620:0:861:ed1a::9]' ],
+ 'esams' => [ '91.198.174.235', '[2620:0:862:ed1a::9]' ]
+ },
+ proxy_server_name => '*.wikimediafoundation.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ 'esams' => { 'primary' => '10.2.3.25', 'secondary' => '208.80.152.209' }
+ },
+ ipv6_enabled => 'true',
+ enabled => 'true'
+ }
+ protoproxy::instance{ 'mobilewikipedia':
+ proxy_addresses => {
+ 'pmtpa' => [ '127.0.0.1', '[2620:0:860:ed1a::c]' ],
+ 'eqiad' => [ '208.80.154.236', '[2620:0:861:ed1a::c]' ],
+ 'esams' => [ '127.0.0.1', '[2620:0:862:ed1a::c]' ]
+ },
+ proxy_server_name => '*.m.wikipedia.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.26' },
+ 'eqiad' => { 'primary' => '10.2.2.26' },
+ 'esams' => { 'primary' => '10.2.3.26', 'secondary' => '208.80.154.236' }
+ },
+ ipv6_enabled => 'true',
+ enabled => 'true'
+ }
+ # wikidata.org
+ if $::site != 'esams' {
+ protoproxy::instance{ wikidata:
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.218', '[2620:0:860:ed1a::12]' ],
+ 'eqiad' => [ '208.80.154.242', '[2620:0:861:ed1a::12]' ],
+ # 'esams' => [ '127.0.0.1' ]
+ },
+ proxy_server_name => '*.wikidata.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ # 'esams' => { 'primary' => '10.2.3.25' }
+ },
+ ipv6_enabled => 'true',
+ enabled => 'true'
+ }
+ }
+ # wikivoyage.org
+ if $::site != 'esams' {
+ protoproxy::instance{ 'wikivoyage':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.219', '[2620:0:860:ed1a::13]' ],
+ 'eqiad' => [ '208.80.154.243', '[2620:0:861:ed1a::13]' ],
+ # 'esams' => [ '127.0.0.1' ]
+ },
+ proxy_server_name => '*.wikivoyage.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.2.1.25' },
+ 'eqiad' => { 'primary' => '10.2.2.25' },
+ # 'esams' => { 'primary' => '10.2.3.25' }
+ },
+ ipv6_enabled => 'true',
+ enabled => 'true'
+ }
+ }
+ # Misc services
+ protoproxy::instance{ 'videos':
+ proxy_addresses => {
+ 'pmtpa' => [ '208.80.152.200', '[2620:0:860:2::80:2]' ],
+ 'eqiad' => [ '208.80.154.224', '[2620:0:862:3::80:2]' ],
+ 'esams' => [ '91.198.174.224', '[2620:0:862:1::80:2]' ] },
+ proxy_server_name => 'videos.wikimedia.org',
+ proxy_server_cert_name => 'unified.wikimedia.org',
+ proxy_backend => {
+ 'pmtpa' => { 'primary' => '10.64.16.146' },
+ 'eqiad' => { 'primary' => '10.64.16.146' },
+ 'esams' => { 'primary' => '208.80.152.200', 'secondary' =>
'208.80.152.200' }
+ },
+ ssl_backend => { 'esams' => 'true' },
+ enabled => 'true'
+ }
+
+ monitor_service { 'https':
+ description => 'HTTPS',
+ check_command => 'check_ssl_cert!*.wikimedia.org',
+ critical => true,
+ }
+
+ # Ganglia
+ file { '/usr/lib/ganglia/python_modules/apache_status.py':
+ source => 'puppet:///files/ganglia/plugins/apache_status.py',
+ notify => Service[gmond];
+ }
+ file { '/etc/ganglia/conf.d/apache_status.pyconf':
+ source => 'puppet:///files/ganglia/plugins/apache_status.pyconf',
+ notify => Service[gmond];
+ }
+
+}
+
+class role::protoproxy::ssl::beta::common {
+ $cluster = 'ssl'
+
+ $enable_ipv6_proxy = false
+
+ include standard,
+ certificates::wmf_labs_ca,
+ role::protoproxy::ssl::common
+
+ # TODO install_certificate
+ install_certificate { 'star.wmflabs.org': }
+
+}
+
+# Because beta does not have a frontend LVS to redirect the requests made
+# to port 443, we have to setup a nginx proxy on each of the caches.
+
+class role::protoproxy::ssl::beta::bits {
+
+ system_role { 'role::protoproxy::ssl:beta::bits': description => 'SSL proxy
on beta for bits', }
+
+ include role::protoproxy::ssl::beta::common
+
+ protoproxy::instance { 'bits':
+ proxy_adddresses => {
+ 'pmtpa' => [ '10.4.0.51' ], # deployment-cache-bits03
+ },
+ proxy_server_name => 'bits.beta.wmflabs.org',
+ proxy_server_cert_name => 'star.wmfabs.org',
+ proxy_backend => {
+ # send all traffic to the local cache
+ 'pmtpa' => { 'primary' => '127.0.0.1' }
+ },
+ ipv6_enabled => false,
+ enabled => true,
+ }
+
}
diff --git a/modules/protoproxy/manifests/instance.pp
b/modules/protoproxy/manifests/instance.pp
new file mode 100644
index 0000000..a43df84
--- /dev/null
+++ b/modules/protoproxy/manifests/instance.pp
@@ -0,0 +1,47 @@
+# Definition: protoproxy::instance
+#
+# This class creates a Nginx installation.
+#
+# FIXME document parameters
+#
+# Parameters:
+# - $proxy_addresses
+# - $proxy_addresses
+# - $proxy_server_name
+# - $proxy_server_cert_name
+# - $proxy_backend
+# - $enabled
+# - $proxy_listen_flags
+# - $proxy_port
+# - $ipv6_enabled
+# - $ssl_backend
+#
+# Actions:
+# Install nginx package and creates a configuration out of a template.
+#
+# Requires:
+# nginx_site definition and the nginx package
+#
+# Example usage:
+#
+# See wikimedia role::protoproxy
+define protoproxy::instance(
+ $proxy_addresses,
+ $proxy_server_name,
+ $proxy_server_cert_name,
+ $proxy_backend,
+ $enabled=false,
+ $proxy_listen_flags='',
+ $proxy_port='80',
+ $ipv6_enabled=false,
+ $ssl_backend={},
+) {
+
+ nginx_site { $name:
+ enable => $enabled,
+ template => 'proxy',
+ install => 'template',
+ require => Package['nginx'],
+ }
+
+}
diff --git a/modules/protoproxy/manifests/package.pp
b/modules/protoproxy/manifests/package.pp
new file mode 100644
index 0000000..fb4e574
--- /dev/null
+++ b/modules/protoproxy/manifests/package.pp
@@ -0,0 +1,11 @@
+class protoproxy::package {
+
+ package { ['nginx']:
+ ensure => latest;
+ }
+
+ file { '/etc/nginx/sites-enabled/default':
+ ensure => absent;
+ }
+
+}
diff --git a/modules/protoproxy/manifests/service.pp
b/modules/protoproxy/manifests/service.pp
new file mode 100644
index 0000000..08bc3fe
--- /dev/null
+++ b/modules/protoproxy/manifests/service.pp
@@ -0,0 +1,8 @@
+class protoproxy::service {
+# FIXME require protoproxy::proxy_sites
+
+ service { ['nginx']:
+ ensure => running,
+ enable => true,
+ }
+}
--
To view, visit https://gerrit.wikimedia.org/r/62582
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I8321c83a26ac082fa4ebf7f31ffb5ed5382b5322
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
