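# roles::pubsub -- RabbitMQ pubsub cluster role.
#
# Declares a two-node RabbitMQ cluster (rainier/rapoport) together with its
# users, vhosts, per-vhost permissions, HA mirroring policies and management
# plugins, and exports virtual ferm rules for AMQP-over-TLS (5671), the
# inter-node cluster link and the management UI (15672).
#
# All credentials and the Erlang cluster cookie are taken from
# roles::pubsub::params so that no secret is committed to this manifest.
class roles::pubsub {
	include roles::pubsub::params

	$cluster_cookie  = $roles::pubsub::params::cluster_cookie
	$admin_password  = $roles::pubsub::params::admin_password
	$ftp_password    = $roles::pubsub::params::ftp_password
	$buildd_password = $roles::pubsub::params::buildd_password
	$wbadm_password  = $roles::pubsub::params::wbadm_password

	# Cluster members; the master is the node the secondary joins.
	$cc_master       = rainier
	$cc_secondary    = rapoport

	class { 'rabbitmq':
		cluster           => true,
		clustermembers    => [
			"rabbit@${cc_master}",
			"rabbit@${cc_secondary}",
		],
		# The cookie was previously a literal copy of the params value; read
		# it from params so the shared secret is defined in exactly one place.
		clustercookie     => $cluster_cookie,
		delete_guest_user => true,
		master            => $cc_master,
	}

	# The broker only listens on the TLS port (see the ferm rules below), so
	# the daemon user needs read access to the host certificate/key.
	user { 'rabbitmq':
		groups => 'ssl-cert'
	}

	concat::fragment { 'rabbit_ssl':
		target => '/etc/rabbitmq/rabbitmq.config',
		order  => 35,
		source => 'puppet:///modules/roles/pubsub/rabbitmq.config'
	}

	# NOTE(review): `admin => true` is expected to set the cluster-wide
	# 'administrator' tag (management UI login and admin API on every vhost);
	# the rabbitmq_user_permissions below still bound what each user may
	# configure/read/write, but confirm the three service accounts really
	# need the tag rather than a plain login.
	rabbitmq_user { 'admin':
		admin    => true,
		password => $admin_password,
		provider => 'rabbitmqctl',
	}

	rabbitmq_user { 'ftpteam':
		admin    => true,
		password => $ftp_password,
		provider => 'rabbitmqctl',
	}

	rabbitmq_user { 'buildd':
		admin    => true,
		password => $buildd_password,
		provider => 'rabbitmqctl',
	}

	rabbitmq_user { 'wbadm':
		admin    => true,
		password => $wbadm_password,
		provider => 'rabbitmqctl',
	}

	rabbitmq_vhost { 'packages':
		ensure   => present,
		provider => 'rabbitmqctl',
	}

	rabbitmq_vhost { 'buildd':
		ensure   => present,
		provider => 'rabbitmqctl',
	}

	# 'admin' has full rights on both application vhosts and on '/'.
	rabbitmq_user_permissions { 'admin@buildd':
		configure_permission => '.*',
		read_permission      => '.*',
		write_permission     => '.*',
		provider             => 'rabbitmqctl',
		require              => [
			Rabbitmq_user['admin'],
			Rabbitmq_vhost['buildd']
		]
	}
	rabbitmq_user_permissions { 'admin@packages':
		configure_permission => '.*',
		read_permission      => '.*',
		write_permission     => '.*',
		provider             => 'rabbitmqctl',
		require              => [
			Rabbitmq_user['admin'],
			Rabbitmq_vhost['packages']
		]
	}

	rabbitmq_user_permissions { 'admin@/':
		configure_permission => '.*',
		read_permission      => '.*',
		write_permission     => '.*',
		provider             => 'rabbitmqctl',
		require              => Rabbitmq_user['admin']
	}

	rabbitmq_user_permissions { 'ftpteam@packages':
		configure_permission => '.*',
		read_permission      => '.*',
		write_permission     => '.*',
		provider             => 'rabbitmqctl',
		require              => [
			Rabbitmq_user['ftpteam'],
			Rabbitmq_vhost['packages']
		]
	}

	# Deliberately narrow: on 'packages' wbadm gets no configure permission
	# and may only read resources named 'unchecked' and write to 'wbadm'.
	# (Its grant on 'buildd' below is unrestricted.)
	rabbitmq_user_permissions { 'wbadm@packages':
		read_permission      => 'unchecked',
		write_permission     => 'wbadm',
		provider             => 'rabbitmqctl',
		require              => [
			Rabbitmq_user['wbadm'],
			Rabbitmq_vhost['packages']
		]
	}

	rabbitmq_user_permissions { 'buildd@buildd':
		configure_permission => '.*',
		read_permission      => '.*',
		write_permission     => '.*',
		provider             => 'rabbitmqctl',
		require              => [
			Rabbitmq_user['buildd'],
			Rabbitmq_vhost['buildd']
		]
	}

	rabbitmq_user_permissions { 'wbadm@buildd':
		configure_permission => '.*',
		read_permission      => '.*',
		write_permission     => '.*',
		provider             => 'rabbitmqctl',
		require              => [
			Rabbitmq_user['wbadm'],
			Rabbitmq_vhost['buildd']
		]
	}

	# Mirror every queue on both nodes so a single node failure loses no
	# messages.
	rabbitmq_policy { 'mirror-buildd':
		vhost   => 'buildd',
		match   => '.*',
		policy  => '{"ha-mode":"all"}',
		require => Rabbitmq_vhost['buildd']
	}

	rabbitmq_policy { 'mirror-packages':
		vhost   => 'packages',
		match   => '.*',
		policy  => '{"ha-mode":"all"}',
		require => Rabbitmq_vhost['packages']
	}

	# Management/tracing plugins; the UI port is firewalled to DSA hosts
	# below. Enabling a plugin restarts the broker.
	rabbitmq_plugin { 'rabbitmq_management':
		ensure   => present,
		provider => 'rabbitmqplugins',
		require  => Package['rabbitmq-server'],
		notify   => Service['rabbitmq-server']
	}
	rabbitmq_plugin { 'rabbitmq_management_agent':
		ensure   => present,
		provider => 'rabbitmqplugins',
		require  => Package['rabbitmq-server'],
		notify   => Service['rabbitmq-server']
	}
	rabbitmq_plugin { 'rabbitmq_tracing':
		ensure   => present,
		provider => 'rabbitmqplugins',
		require  => Package['rabbitmq-server'],
		notify   => Service['rabbitmq-server']
	}
	rabbitmq_plugin { 'rabbitmq_management_visualiser':
		ensure   => present,
		provider => 'rabbitmqplugins',
		require  => Package['rabbitmq-server'],
		notify   => Service['rabbitmq-server']
	}

	# Virtual (@) ferm rules; they are realized by the firewall role.
	# Only the TLS AMQP port 5671 is opened, and only to Debian hosts --
	# the plaintext port 5672 is intentionally not exposed.
	@ferm::rule { 'rabbitmq':
		description => 'rabbitmq connections',
		rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V4)'
	}

	@ferm::rule { 'rabbitmq-v6':
		domain      => 'ip6',
		description => 'rabbitmq connections',
		rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V6)'
	}

	# The cluster link is accepted only from the other cluster member.
	if $::hostname == $cc_master {
		$you = $cc_secondary
	} else {
		$you = $cc_master
	}

	@ferm::rule { 'rabbitmq_cluster':
		domain      => '(ip ip6)',
		description => 'rabbitmq cluster connections',
		rule        => "proto tcp mod state state (NEW) saddr (${you}) ACCEPT"
	}

	# Management UI (15672) is limited to DSA addresses.
	@ferm::rule { 'rabbitmq_mgmt':
		description => 'rabbitmq management connections',
		rule        => '&SERVICE_RANGE(tcp, 15672, $DSA_IPS)'
	}
	@ferm::rule { 'rabbitmq_mgmt_v6':
		domain      => '(ip6)',
		description => 'rabbitmq management connections',
		rule        => '&SERVICE_RANGE(tcp, 15672, $DSA_V6_IPS)'
	}
}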