356
Comment: working!!
6650
migrating notes
Line 19: | Line 19: |
== IPv6 == {{{ For VLAN 457 (legacy) machines, just assign addresses out of: My address space: 2407:7800:100:1c9:0:14::/64 - 2407:7800:100:1c9:0:14:FFFF:FFFF/64 Gateway: 2407:7800:100:1c9::1 2407:7800:100:1c9:0:14::1/64 base address 2407:7800:100:1c9:0:14::2/64 nginx lastorder 2407:7800:100:1c9:0:14::3/64 apache biribiri }}} == Migrating from other systems == Lock other accounts and pack the homedir: {{{ INACTIVE=oldUserName usermod -L $INACTIVE tar zcvf "${INACTIVE}.tar.gz" "$INACTIVE" }}} == thinking about apache == Our puppet management of apache is still a mess, so we'll do it manually. What do we want to take care of? * install `apache2-mpm-itk` * a couple of timeout tweaks to `apache2.conf` * `ports.conf` (listen only on 202.4.224.31, ''not'' ssl, etc.) * aka. biribiri.meidokon.net * `a2enmod ssl` * fix `ports.conf` again for SSL, no generic Listens * conf.d/priv.conf {{{ SetEnvIf Remote_Addr ^202\.4\.235\.109$ priv-group }}} * install `libapache2-mod-php5` * start the service * stub out `/var/www/html/monitor` for the default site * fix up an index.html * edit `mods-enabled/status.conf` to get a usable `/server-status` * fix up an `info.php` * install `libapache2-mod-wsgi` * `AssignUserId [username] [groupname]` for itk * nice logging * log to homedirs, `~/logs/apache/{access,error}.log` * fix up logrotate fragment, `apache2-vhost-logs` == Some puppet manifest == {{{#!highlight puppet @kvm::guest { "misaka.anchor.net.au": server => "jellyfish.engineroom.anchor.net.au", profile => linux, memory => "2G", vcpus => 4, disks => "40G", nets => [ "vps", "backups" ]; } class misaka::sshkey::furinkan { $key = 
"AAAAB3NzaC1yc2EAAAABIwAAAQEAzCHxTgSiO02ZMx148OifiDQxNSVHnI00tuoEZDcy+DFiwsxvjw06rvY5h7fCqkq0Sw+i/71YhEq6uddRARi4MKLKoCWDLf8s4Z/41NS6Rm2/vk5/nD8Wtgyeqm5MHb7Io2gOsE0RGN7Uwi3dC5deD3iHS8FkEnnaQAiXCbEsTePA+JE2PmmPG/RkJehYTCz1qRnKeifJm3j8WGzzODgfIRFURE9tYPsN9+Kpd4LtCXFahioKy7K/0MU2Bbfp6xHozbtMbrZS0cY6mZsjNv5zAUUcKmV6Xz5Cdk9Lw8T3FXY8rDH//tqdH020PhyoNx2mn5xSZ7iyZzVRG387/I0NoQ==" } define misaka::imouto( $ensure = present, $comment = "no comment entered" ) { include misaka::sshkey::furinkan case $ensure { present: { user { "${name}": comment => $comment, gid => "users", shell => "/bin/bash", managehome => true, password => "!!", } file { "/home/${name}/.ssh": ensure => directory, mode => 0700, owner => "${name}", group => "users", } authorized_key { "${comment} - ${name}": key => "${misaka::sshkey::furinkan::key}", type => "ssh-rsa", user => "${name}", require => File["/home/${name}/.ssh"]; "purge-${name}": user => "${name}", ensure => specified_only, require => File["/home/${name}/.ssh"]; } } absent: { user { "${name}": comment => $comment, gid => "users", shell => "/bin/bash", managehome => true, password => "!!", } exec { "Expire the account for ${name}": command => shellquote("/usr/sbin/usermod", "--expiredate", "1970-01-02", $name), unless => "/usr/bin/perl -F: -lane 'print(\$F[0],\" expired \", scalar localtime(\$F[7]*86400)) if (\$F[7]) && (\$F[7] lt int(time/(60*60*24)))' /etc/shadow | /bin/grep -q '^${name} '", } } default: { fail("Invalid value for ensure: ${ensure}") } } } node "misaka.anchor.net.au" { $supportlevel = complete networking::interface { "eth0": ipaddress => "202.4.224.29/25", gateway => "top"; "eth0:00": ipaddress => "202.4.224.30/25", comment => "nginx"; "eth0:01": ipaddress => "202.4.224.31/25", comment => "apache"; "eth0:02": ipaddress => "202.4.224.48/25", comment => "qqc.meidokon.net"; "eth1": ipaddress => "172.22.71.103/16"; } anchor::complete { complete: site => SYD1, mailer => true, backup_interface => "eth1", rdiffbackup_server => 
"cthulhu.engineroom.anchor.net.au"; } anchor::dirvish::client { dirvish: site => "SYD1", server => "scylla.engineroom.anchor.net.au", } # package { "apache2-mpm-itk": } # listen on 202.4.224.31 only - NameVirtualHost 202.4.224.31:80 # package { "libapache2-mod-php5": } # package { "libapache2-mod-wsgi": } file { "/usr/local/sbin/check_apache_configtest": ensure => present, mode => 0755, source => "puppet:///modules/apache/usr/local/sbin/check_apache_configtest"; } nrpe::command { check_apache_configtest: command => "/usr/local/sbin/check_apache_configtest", sudo => true, } # Shiny new nginx featurerepo { "nginx-1.2": prefer => true, } nginx { $fqdn: monitor => false, } nagios::check::http { http: } # Monitor those HTTP connections nagios::check::httpconnections { httpconnections: } misaka::imouto { "moin": comment => "moin.meidokon.net wiki" } gunicorn::app { "moin": type => wsgi, directory => "/home/moin/moin-1.9.3/wiki/server", user => "moin", group => "users", manager => daemontools; } daemontools::sudo { "moin": user => "moin", service => "moin_gunicorn", passwd => false, } misaka::imouto { "qqc": comment => "qqc.meidokon.net" } # Too hard to make QQC work under gunicorn, I'll just go with apache and mod_wsgi # Access to the old machine filtergen::rule { "50.pgsql-to-shimako": content => 'output eth0 local dest 202.4.233.227 proto tcp dport 5432 accept;'; } mysql { mysql: monitor => false, backup => false, } mysql::backup::zikir { misaka: lv => 'misaka/mysql', lv_size => '1G', mysql_subdir => '/', } mysql::nagios_check { mysql: username => "nagios", password => "dumb", } postgres::tuneshm { tuning: shmmax_in_mib => 42 } # postgres default plus some wiggle room postgres::server { $fqdn: version => "8.4", backup => "zikir", } postfix::common_maps { common_maps: } postfix::nagios_check::mailq { postfix_mailq_check: warn_threshold => 20, crit_threshold => 100, } } }}} |
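Review bot: The `mysql::nagios_check { mysql: username => "nagios", password => "dumb" }` resource near the end of the node block puts the monitoring credential in plaintext into the manifest and, through this page, into the wiki; the nagios MySQL user should be granted only what the check needs and the password should not be stored in either place. Separately, the `unless` pipeline in misaka::imouto's absent branch compares /etc/shadow day numbers with the string operator `lt`; that should be the numeric `\$F[7] < int(time/(60*60*24))`, otherwise an expiry day such as 9000 compares "not less than" 19000 and the usermod exec re-runs on every agent run. The hunk is one collapsed wiki-markup line, so the manifest's exact layout is not recoverable here.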
misaka
- debian squeeze x64 (note: squeeze and its LTS are long end-of-life, so it no longer receives security updates)
- puppet managed
local work
mount /home with acls
/etc/skel
.bashrc
# Timestamped shell FTW export HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S '
.screenrc
.vimrc
add self to .ssh/authorized_keys
mkdir -m 0701 public_html   (0701: owner rwx, group nothing, others execute-only, so the web server can traverse into the directory but not list it)
IPv6
For VLAN 457 (legacy) machines, just assign addresses out of my slice of the link's /64: 2407:7800:100:1c9:0:14::/96 (i.e. 2407:7800:100:1c9:0:14:0:0 - 2407:7800:100:1c9:0:14:FFFF:FFFF; hosts are still configured with the link prefix length /64). Gateway: 2407:7800:100:1c9::1. Assigned so far: 2407:7800:100:1c9:0:14::1/64 base address; 2407:7800:100:1c9:0:14::2/64 nginx (lastorder); 2407:7800:100:1c9:0:14::3/64 apache (biribiri).
Migrating from other systems
Lock other accounts and pack the homedir:
INACTIVE=oldUserName
usermod -L --expiredate 1970-01-02 "$INACTIVE"
tar zcvf "${INACTIVE}.tar.gz" "$INACTIVE"
(Caveat: on Debian with UsePAM yes, a locked password alone does not stop ssh public-key logins, so expire the account as well -- the manifest below does the same with --expiredate for ensure => absent. The tarball contains the user's keys and configs, so keep it root-only, e.g. chmod 600.)
thinking about apache
Our puppet management of apache is still a mess, so we'll do it manually. What do we want to take care of?
install apache2-mpm-itk
a couple of timeout tweaks to apache2.conf
ports.conf (listen only on 202.4.224.31, not ssl, etc.)
- aka. biribiri.meidokon.net
a2enmod ssl
fix ports.conf again for SSL, no generic Listens
conf.d/priv.conf
SetEnvIf Remote_Addr ^202\.4\.235\.109$ priv-group   (Remote_Addr is the TCP peer address, so it cannot be spoofed via headers; but if requests reach Apache through the nginx on this box they will arrive from nginx's address and never match -- in that case trust X-Forwarded-For only from nginx, e.g. via mod_rpaf, instead of matching Remote_Addr)
install libapache2-mod-php5
- start the service
stub out /var/www/html/monitor for the default site
- fix up an index.html
edit mods-enabled/status.conf to get a usable /server-status -- keep it restricted (e.g. localhost plus priv-group); it exposes client IPs, request URIs and server internals
fix up an info.php -- phpinfo() dumps the full PHP/Apache configuration and environment, so keep it behind the priv-group restriction or delete it once done
install libapache2-mod-wsgi
AssignUserId [username] [groupname] for itk, on every vhost -- a vhost without it runs as the global User/Group, and itk's worker stays root until it switches uid per request
- nice logging
log to homedirs, ~/logs/apache/{access,error}.log -- caveat: Apache opens its log files as root at startup and logrotate also runs as root, so the log directory must not be writable by the account (a user could swap a log for a symlink to a root-owned file); make ~/logs/apache root-owned, mode 0755, readable by the user only
fix up logrotate fragment, apache2-vhost-logs
Some puppet manifest
# Virtual resource (@): declared here but only instantiated wherever it is
# collected -- presumably the kvm host's manifest, which is not shown on
# this page. Sizes the misaka guest and attaches it to the vps and backup nets.
@kvm::guest { 'misaka.anchor.net.au':
  server  => 'jellyfish.engineroom.anchor.net.au',
  profile => linux,
  nets    => [ 'vps', 'backups' ],
  vcpus   => 4,
  memory  => '2G',
  disks   => '40G';
}
9
# The admin (furinkan) ssh public key that every misaka::imouto account
# receives as its only login credential (imouto accounts have a locked
# password and purge any other key). This is the public half, so it is not
# secret, but rotating it means every account that includes this class is
# touched on the next agent run. Key type is ssh-rsa, as declared by the
# authorized_key resource in misaka::imouto.
class misaka::sshkey::furinkan {
  $key = 'AAAAB3NzaC1yc2EAAAABIwAAAQEAzCHxTgSiO02ZMx148OifiDQxNSVHnI00tuoEZDcy+DFiwsxvjw06rvY5h7fCqkq0Sw+i/71YhEq6uddRARi4MKLKoCWDLf8s4Z/41NS6Rm2/vk5/nD8Wtgyeqm5MHb7Io2gOsE0RGN7Uwi3dC5deD3iHS8FkEnnaQAiXCbEsTePA+JE2PmmPG/RkJehYTCz1qRnKeifJm3j8WGzzODgfIRFURE9tYPsN9+Kpd4LtCXFahioKy7K/0MU2Bbfp6xHozbtMbrZS0cY6mZsjNv5zAUUcKmV6Xz5Cdk9Lw8T3FXY8rDH//tqdH020PhyoNx2mn5xSZ7iyZzVRG387/I0NoQ=='
}
13
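# misaka::imouto -- a hosted service account on misaka.
#
# Every "imouto" is a user in group "users" with a locked password ("!!")
# whose only login credential is the admin key from
# misaka::sshkey::furinkan; the "purge-${name}" authorized_key entry removes
# any other key the user adds.
#
# Parameters:
#   $name    (title) the unix username. It is interpolated into a shell
#            pipeline below, so it is validated against a plain-username
#            pattern first.
#   $ensure  present -> create the account and install the admin key.
#            absent  -> keep the account and its homedir but expire it,
#                       which denies every login (password and ssh key).
#   $comment GECOS text; also used as the authorized_key title.
define misaka::imouto(
  $ensure  = present,
  $comment = "no comment entered"
) {
  include misaka::sshkey::furinkan

  # $name ends up inside the exec's "unless" string, which (unlike
  # "command") is not passed through shellquote(). Refuse anything that is
  # not a plain lowercase unix username so no shell metacharacters get in.
  if $name !~ /^[a-z_][a-z0-9_-]*$/ {
    fail("misaka::imouto: invalid or unsafe username '${name}'")
  }

  case $ensure {
    present: {
      # "!!" locks password authentication; the account is key-only.
      user { $name:
        comment    => $comment,
        gid        => "users",
        shell      => "/bin/bash",
        managehome => true,
        password   => "!!",
      }
      file { "/home/${name}/.ssh":
        ensure  => directory,
        mode    => 0700,
        owner   => $name,
        group   => "users",
        require => User[$name],
      }
      authorized_key {
        "${comment} - ${name}":
          key     => "${misaka::sshkey::furinkan::key}",
          type    => "ssh-rsa",
          user    => $name,
          require => File["/home/${name}/.ssh"];
        "purge-${name}":
          user    => $name,
          ensure  => specified_only,
          require => File["/home/${name}/.ssh"];
      }
    }
    absent: {
      # The user and homedir are deliberately kept (data is preserved); the
      # account is only expired. Puppet does not remove the previously
      # installed admin key here -- the expiry date is what denies login.
      user { $name:
        comment    => $comment,
        gid        => "users",
        shell      => "/bin/bash",
        managehome => true,
        password   => "!!",
      }
      # Expiry on day 1 of the epoch. The "unless" prints the name of every
      # /etc/shadow entry whose expiry field (a day number) is already in the
      # past and looks for ${name} among them, so the exec is idempotent.
      # The comparison is numeric (<); the string operator "lt" would order
      # day numbers lexically and re-run usermod for e.g. day 9000 vs 19000.
      exec { "Expire the account for ${name}":
        command => shellquote("/usr/sbin/usermod", "--expiredate", "1970-01-02", $name),
        unless  => "/usr/bin/perl -F: -lane 'print \$F[0] if length \$F[7] && \$F[7] < int(time/86400)' /etc/shadow | /bin/grep -qx '${name}'",
        require => User[$name],
      }
    }
    default: { fail("Invalid value for ensure: ${ensure}") }
  }
}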
63
# misaka: debian squeeze KVM guest hosting the meidokon.net sites (moin wiki
# under gunicorn, qqc under hand-managed apache/mod_wsgi) plus mysql,
# postgres 8.4 and postfix, with the standard anchor backups and monitoring.
node "misaka.anchor.net.au" {
  $supportlevel = complete

  # Public /25 on eth0 with one alias per service so each daemon can bind its
  # own address (see the ports.conf notes above); eth1 is the private backup
  # network.
  networking::interface {
    "eth0":
      ipaddress => "202.4.224.29/25",
      gateway   => "top";
    "eth0:00":
      ipaddress => "202.4.224.30/25",
      comment   => "nginx";
    "eth0:01":
      ipaddress => "202.4.224.31/25",
      comment   => "apache";
    "eth0:02":
      ipaddress => "202.4.224.48/25",
      comment   => "qqc.meidokon.net";
    "eth1":
      ipaddress => "172.22.71.103/16";
  }

  # Standard host setup and off-box backups, both over the backup interface.
  anchor::complete { complete:
    site               => SYD1,
    mailer             => true,
    backup_interface   => "eth1",
    rdiffbackup_server => "cthulhu.engineroom.anchor.net.au";
  }
  anchor::dirvish::client { dirvish:
    site   => "SYD1",
    server => "scylla.engineroom.anchor.net.au",
  }

  # Apache itself is still installed and configured by hand (see "thinking
  # about apache" above); only its config-test check is puppet-managed.
  # package { "apache2-mpm-itk": }
  # listen on 202.4.224.31 only - NameVirtualHost 202.4.224.31:80
  # package { "libapache2-mod-php5": }
  # package { "libapache2-mod-wsgi": }
  file { "/usr/local/sbin/check_apache_configtest":
    ensure => present,
    mode   => 0755,
    source => "puppet:///modules/apache/usr/local/sbin/check_apache_configtest";
  }
  # NOTE(review): this check runs under sudo from nrpe, i.e. it is a root
  # entry point reachable by the monitoring host. The file resource above
  # does not pin owner/group; it is created by the (root) agent, but setting
  # owner => root, group => root explicitly would make that guarantee visible.
  nrpe::command { check_apache_configtest:
    command => "/usr/local/sbin/check_apache_configtest",
    sudo    => true,
  }

  # Shiny new nginx
  featurerepo { "nginx-1.2":
    prefer => true,
  }
  nginx { $fqdn:
    monitor => false,
  }
  nagios::check::http { http: }

  # Monitor those HTTP connections
  nagios::check::httpconnections { httpconnections: }

  # moin wiki: key-only service account (misaka::imouto), the app under
  # gunicorn/daemontools, and passwordless sudo limited to the moin_gunicorn
  # service so the moin user can restart its own daemon.
  misaka::imouto { "moin": comment => "moin.meidokon.net wiki" }
  gunicorn::app { "moin":
    type      => wsgi,
    directory => "/home/moin/moin-1.9.3/wiki/server",
    user      => "moin",
    group     => "users",
    manager   => daemontools;
  }
  daemontools::sudo { "moin":
    user    => "moin",
    service => "moin_gunicorn",
    passwd  => false,
  }

  misaka::imouto { "qqc": comment => "qqc.meidokon.net" }
  # Too hard to make QQC work under gunicorn, I'll just go with apache and mod_wsgi

  # Access to the old machine: outbound postgres only, to shimako's address.
  filtergen::rule { "50.pgsql-to-shimako": content => 'output eth0 local dest 202.4.233.227 proto tcp dport 5432 accept;'; }

  mysql { mysql:
    monitor => false,
    backup  => false,
  }

  mysql::backup::zikir { misaka:
    lv           => 'misaka/mysql',
    lv_size      => '1G',
    mysql_subdir => '/',
  }

  # NOTE(review): plaintext monitoring credential checked into the manifest
  # (and into this wiki page). Grant the nagios MySQL user only what the
  # check needs and move the password out of the manifest.
  mysql::nagios_check { mysql:
    username => "nagios",
    password => "dumb",
  }

  postgres::tuneshm { tuning: shmmax_in_mib => 42 } # postgres default plus some wiggle room
  postgres::server { $fqdn:
    version => "8.4",
    backup  => "zikir",
  }

  postfix::common_maps { common_maps: }
  postfix::nagios_check::mailq { postfix_mailq_check:
    warn_threshold => 20,
    crit_threshold => 100,
  }
}