modules/roles/manifests/pubsub.pp

   1 class roles::pubsub {
   2         include roles::pubsub::params
   3
   4         $cluster_cookie = $roles::pubsub::params::cluster_cookie
   5         $admin_password = $roles::pubsub::params::admin_password
   6         $ftp_password   = $roles::pubsub::params::ftp_password
   7         $cc_master      = rainier
   8         $cc_secondary   = rapoport
   9
  10         class { 'rabbitmq':
  11                 cluster           => true,
  12                 clustermembers    => [
  13                         "rabbit@${cc_master}",
  14                         "rabbit@${cc_secondary}",
  15                 ],
  16                 clustercookie     => '8r17so6o1s124ns49sr08n0o24342160',
  17                 delete_guest_user => true,
  18                 master            => $cc_master,
  19         }
  20
  21         user { 'rabbitmq':
  22                 groups => 'ssl-cert'
  23         }
  24
  25         concat::fragment { 'rabbit_ssl':
  26                 target => '/etc/rabbitmq/rabbitmq.config',
  27                 order  => 35,
  28                 source => 'puppet:///modules/roles/pubsub/rabbitmq.config'
  29         }
  30
  31         rabbitmq_user { 'admin':
  32                 admin    => true,
  33                 password => $admin_password,
  34                 provider => 'rabbitmqctl',
  35         }
  36
  37         rabbitmq_user { 'ftpteam':
  38                 admin    => true,
  39                 password => $ftp_password,
  40                 provider => 'rabbitmqctl',
  41         }
  42
  43         rabbitmq_vhost { 'packages':
  44                 ensure   => present,
  45                 provider => 'rabbitmqctl',
  46         }
  47
  48         rabbitmq_user_permissions { 'admin@packages':
  49                 configure_permission => '.*',
  50                 read_permission      => '.*',
  51                 write_permission     => '.*',
  52                 provider             => 'rabbitmqctl',
  53                 require              => [
  54                         Rabbitmq_user['admin'],
  55                         Rabbitmq_vhost['packages']
  56                 ]
  57         }
  58
  59         rabbitmq_user_permissions { 'admin@/':
  60                 configure_permission => '.*',
  61                 read_permission      => '.*',
  62                 write_permission     => '.*',
  63                 provider             => 'rabbitmqctl',
  64                 require              => Rabbitmq_user['admin']
  65         }
  66
  67         rabbitmq_user_permissions { 'ftpteam@packages':
  68                 configure_permission => '.*',
  69                 read_permission      => '.*',
  70                 write_permission     => '.*',
  71                 provider             => 'rabbitmqctl',
  72                 require              => [
  73                         Rabbitmq_user['ftpteam'],
  74                         Rabbitmq_vhost['packages']
  75                 ]
  76         }
  77
  78         rabbitmq_policy { 'mirror-packages':
  79                 vhost   => 'packages',
  80                 match   => '.*',
  81                 policy  => '{"ha-mode":"all"}',
  82                 require => Rabbitmq_vhost['packages']
  83         }
  84
  85         @ferm::rule { 'rabbitmq':
  86                 description => 'rabbitmq connections',
  87                 rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V4)'
  88         }
  89
  90         @ferm::rule { 'rabbitmq-v6':
  91                 domain      => 'ip6',
  92                 description => 'rabbitmq connections',
  93                 rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V6)'
  94         }
  95
  96         if $::hostname == $cc_master {
  97                 $you = $cc_secondary
  98         } else {
  99                 $you = $cc_master
 100         }
 101
 102         @ferm::rule { 'rabbitmq_cluster':
 103                 domain      => '(ip ip6)',
 104                 description => 'rabbitmq cluster connections',
 105                 rule        => "proto tcp mod state state (NEW) saddr (${you}) ACCEPT"
 106         }
 107 }