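# Role class for the Debian pubsub hosts: a two-node RabbitMQ cluster
# (rainier / rapoport).
#
# It declares the rabbitmq class in cluster mode, adds the broker and
# management-plugin TLS configuration fragments to rabbitmq.config, creates
# the service users, vhosts, permissions and HA mirroring policies, enables
# the management/tracing plugins, and exports the ferm firewall rules for
# the client (5671), management (15672) and inter-node ports.
#
# Every secret this class uses -- the Erlang cluster cookie and the user
# passwords -- is read from roles::pubsub::params; none is kept inline here.
class roles::pubsub {
        include roles::pubsub::params

        $cluster_cookie  = $roles::pubsub::params::cluster_cookie
        $admin_password  = $roles::pubsub::params::admin_password
        $ftp_password    = $roles::pubsub::params::ftp_password
        $buildd_password = $roles::pubsub::params::buildd_password
        $wbadm_password  = $roles::pubsub::params::wbadm_password

        # The two cluster members. The peer of the current host is derived
        # from these below for the inter-node firewall rule.
        $cc_master       = rainier
        $cc_secondary    = rapoport

        class { 'rabbitmq':
                cluster           => true,
                clustermembers    => [
                        "rabbit@${cc_master}",
                        "rabbit@${cc_secondary}",
                ],
                # Erlang cookie shared by the cluster members. It is taken from
                # the params class like the other secrets instead of being
                # written as a literal in this manifest; the literal that used
                # to sit here should be treated as exposed and rotated.
                clustercookie     => $cluster_cookie,
                delete_guest_user => true,
                master            => $cc_master,
        }

        # Membership in ssl-cert, presumably so the broker can read the TLS
        # key material used by the ssl fragments below -- confirm against the
        # fragment sources.
        user { 'rabbitmq':
                groups => 'ssl-cert'
        }

        # rabbitmq.config is assembled with concat; these two fragments carry
        # the TLS settings for the broker listener and the management plugin.
        concat::fragment { 'rabbit_ssl':
                target => '/etc/rabbitmq/rabbitmq.config',
                order  => 35,
                source => 'puppet:///modules/roles/pubsub/rabbitmq.config'
        }

        concat::fragment { 'rabbit_mgmt_ssl':
                target => '/etc/rabbitmq/rabbitmq.config',
                order  => 55,
                source => 'puppet:///modules/roles/pubsub/rabbitmq-mgmt.config'
        }

        # Service users. All four are created with the administrator tag;
        # their actual access is narrowed per vhost by the permission
        # resources further down.
        rabbitmq_user { 'admin':
                admin    => true,
                password => $admin_password,
                provider => 'rabbitmqctl',
        }

        rabbitmq_user { 'ftpteam':
                admin    => true,
                password => $ftp_password,
                provider => 'rabbitmqctl',
        }

        rabbitmq_user { 'buildd':
                admin    => true,
                password => $buildd_password,
                provider => 'rabbitmqctl',
        }

        rabbitmq_user { 'wbadm':
                admin    => true,
                password => $wbadm_password,
                provider => 'rabbitmqctl',
        }

        rabbitmq_vhost { 'packages':
                ensure   => present,
                provider => 'rabbitmqctl',
        }

        rabbitmq_vhost { 'buildd':
                ensure   => present,
                provider => 'rabbitmqctl',
        }

        # admin: full configure/read/write on both vhosts and on the default
        # vhost '/'.
        rabbitmq_user_permissions { 'admin@buildd':
                configure_permission => '.*',
                read_permission      => '.*',
                write_permission     => '.*',
                provider             => 'rabbitmqctl',
                require              => [
                        Rabbitmq_user['admin'],
                        Rabbitmq_vhost['buildd']
                ]
        }
        rabbitmq_user_permissions { 'admin@packages':
                configure_permission => '.*',
                read_permission      => '.*',
                write_permission     => '.*',
                provider             => 'rabbitmqctl',
                require              => [
                        Rabbitmq_user['admin'],
                        Rabbitmq_vhost['packages']
                ]
        }

        rabbitmq_user_permissions { 'admin@/':
                configure_permission => '.*',
                read_permission      => '.*',
                write_permission     => '.*',
                provider             => 'rabbitmqctl',
                require              => Rabbitmq_user['admin']
        }

        # ftpteam: full access on the packages vhost only.
        rabbitmq_user_permissions { 'ftpteam@packages':
                configure_permission => '.*',
                read_permission      => '.*',
                write_permission     => '.*',
                provider             => 'rabbitmqctl',
                require              => [
                        Rabbitmq_user['ftpteam'],
                        Rabbitmq_vhost['packages']
                ]
        }

        # wbadm on packages is deliberately restricted: no configure
        # permission, reads only from resources matching 'unchecked' and
        # writes only to resources matching 'wbadm'. Keep this narrower than
        # the wbadm@buildd grant below.
        rabbitmq_user_permissions { 'wbadm@packages':
                read_permission      => 'unchecked',
                write_permission     => 'wbadm',
                provider             => 'rabbitmqctl',
                require              => [
                        Rabbitmq_user['wbadm'],
                        Rabbitmq_vhost['packages']
                ]
        }

        # buildd and wbadm: full access on the buildd vhost.
        rabbitmq_user_permissions { 'buildd@buildd':
                configure_permission => '.*',
                read_permission      => '.*',
                write_permission     => '.*',
                provider             => 'rabbitmqctl',
                require              => [
                        Rabbitmq_user['buildd'],
                        Rabbitmq_vhost['buildd']
                ]
        }

        rabbitmq_user_permissions { 'wbadm@buildd':
                configure_permission => '.*',
                read_permission      => '.*',
                write_permission     => '.*',
                provider             => 'rabbitmqctl',
                require              => [
                        Rabbitmq_user['wbadm'],
                        Rabbitmq_vhost['buildd']
                ]
        }

        # Mirror every queue on both vhosts across all cluster nodes
        # (ha-mode "all") so a node failure does not lose queue contents.
        rabbitmq_policy { 'mirror-buildd':
                vhost   => 'buildd',
                match   => '.*',
                policy  => '{"ha-mode":"all"}',
                require => Rabbitmq_vhost['buildd']
        }

        rabbitmq_policy { 'mirror-packages':
                vhost   => 'packages',
                match   => '.*',
                policy  => '{"ha-mode":"all"}',
                require => Rabbitmq_vhost['packages']
        }

        # Plugins; each one restarts the service when enabled. The management
        # plugin is what listens on 15672 below, so its exposure is limited
        # to the DSA address lists by the firewall rules at the end.
        rabbitmq_plugin { 'rabbitmq_management':
                ensure   => present,
                provider => 'rabbitmqplugins',
                require  => Package['rabbitmq-server'],
                notify   => Service['rabbitmq-server']
        }
        rabbitmq_plugin { 'rabbitmq_management_agent':
                ensure   => present,
                provider => 'rabbitmqplugins',
                require  => Package['rabbitmq-server'],
                notify   => Service['rabbitmq-server']
        }
        rabbitmq_plugin { 'rabbitmq_tracing':
                ensure   => present,
                provider => 'rabbitmqplugins',
                require  => Package['rabbitmq-server'],
                notify   => Service['rabbitmq-server']
        }
        rabbitmq_plugin { 'rabbitmq_management_visualiser':
                ensure   => present,
                provider => 'rabbitmqplugins',
                require  => Package['rabbitmq-server'],
                notify   => Service['rabbitmq-server']
        }

        # Firewall (virtual ferm rules, realised by the ferm role). Only the
        # TLS client port 5671 is opened to Debian hosts and DSA addresses;
        # the plain AMQP port is not exposed at all.
        @ferm::rule { 'rabbitmq':
                description => 'rabbitmq connections',
                rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V4)'
        }

        @ferm::rule { 'rabbitmq-v6':
                domain      => 'ip6',
                description => 'rabbitmq connections',
                rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V6)'
        }

        @ferm::rule { 'rabbitmq-adm':
                description => 'rabbitmq connections',
                rule        => '&SERVICE_RANGE(tcp, 5671, $DSA_IPS)'
        }

        @ferm::rule { 'rabbitmq-v6-adm':
                domain      => 'ip6',
                description => 'rabbitmq connections',
                rule        => '&SERVICE_RANGE(tcp, 5671, $DSA_V6_IPS)'
        }

        # $you is the other cluster member: inter-node traffic is accepted
        # only from that single host, on both IPv4 and IPv6.
        if $::hostname == $cc_master {
                $you = $cc_secondary
        } else {
                $you = $cc_master
        }

        @ferm::rule { 'rabbitmq_cluster':
                domain      => '(ip ip6)',
                description => 'rabbitmq cluster connections',
                rule        => "proto tcp mod state state (NEW) saddr (${you}) ACCEPT"
        }

        # Management interface (15672): DSA address lists only, never the
        # general Debian host ranges.
        @ferm::rule { 'rabbitmq_mgmt':
                description => 'rabbitmq management connections',
                rule        => '&SERVICE_RANGE(tcp, 15672, $DSA_IPS)'
        }
        @ferm::rule { 'rabbitmq_mgmt_v6':
                domain      => '(ip6)',
                description => 'rabbitmq management connections',
                rule        => '&SERVICE_RANGE(tcp, 15672, $DSA_V6_IPS)'
        }
}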