
misaka

DECOMMISSIONED

misaka_imouto.jpg

local work

IPv6

For VLAN 457 (legacy) machines, just assign addresses out of:
My address space:  2407:7800:100:1c9:0:14::/96 (2407:7800:100:1c9:0:14:: through 2407:7800:100:1c9:0:14:FFFF:FFFF), carved out of the on-link 2407:7800:100:1c9::/64. The hosts below still use a /64 prefix length because that is the on-link prefix; the /96 is just our slice of it.
Gateway:           2407:7800:100:1c9::1

2407:7800:100:1c9:0:14::1/64   base address
2407:7800:100:1c9:0:14::2/64   nginx    lastorder
2407:7800:100:1c9:0:14::3/64   apache   biribiri

Migrating from other systems

Lock the old account so it can no longer log in, then archive its home directory (run as root from the parent of the home directory, e.g. /home, since the tar path is relative):

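# Retire an account that has been migrated off this box and archive its home.
# Run as root from the parent of the home directory (e.g. /home): the tar
# path below is relative to the current directory.
INACTIVE=oldUserName

# `usermod -L` only prefixes the password hash with '!'; it does NOT stop
# key-based SSH logins (the key in ~/.ssh/authorized_keys keeps working).
# Expiring the account makes the PAM account check refuse every login
# method. 1970-01-02 is day 1 in /etc/shadow (same value the puppet
# manifest below uses; day 0 / empty means "never expires").
usermod -L --expiredate 1970-01-02 "$INACTIVE"

# Confirm the expiry actually landed before archiving.
chage -l "$INACTIVE"

# Archive the home directory; the archive lands in the current directory.
tar zcvf "${INACTIVE}.tar.gz" "$INACTIVE"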

thinking about apache

Our puppet management of apache is still a mess, so we'll do it manually. What do we want to take care of?

Some puppet manifest

   1 @kvm::guest { "misaka.anchor.net.au":
   2         server  => "jellyfish.engineroom.anchor.net.au",
   3         profile => linux,
   4         memory  => "2G",
   5         vcpus   => 4,
   6         disks   => "40G",
   7         nets    => [ "vps", "backups" ];
   8 }
   9 
  10 class misaka::sshkey::furinkan {
  11         $key = "AAAAB3NzaC1yc2EAAAABIwAAAQEAzCHxTgSiO02ZMx148OifiDQxNSVHnI00tuoEZDcy+DFiwsxvjw06rvY5h7fCqkq0Sw+i/71YhEq6uddRARi4MKLKoCWDLf8s4Z/41NS6Rm2/vk5/nD8Wtgyeqm5MHb7Io2gOsE0RGN7Uwi3dC5deD3iHS8FkEnnaQAiXCbEsTePA+JE2PmmPG/RkJehYTCz1qRnKeifJm3j8WGzzODgfIRFURE9tYPsN9+Kpd4LtCXFahioKy7K/0MU2Bbfp6xHozbtMbrZS0cY6mZsjNv5zAUUcKmV6Xz5Cdk9Lw8T3FXY8rDH//tqdH020PhyoNx2mn5xSZ7iyZzVRG387/I0NoQ=="
  12 }
  13 
  14 define misaka::imouto(
  15                 $ensure  = present,
  16                 $comment = "no comment entered"
  17         ) {
  18         include misaka::sshkey::furinkan
  19 
  20         case $ensure {
  21                 present: {
  22                         user { "${name}":
  23                                 comment    => $comment,
  24                                 gid        => "users",
  25                                 shell      => "/bin/bash",
  26                                 managehome => true,
  27                                 password   => "!!",
  28                         }
  29                         file { "/home/${name}/.ssh":
  30                                 ensure => directory,
  31                                 mode   => 0700,
  32                                 owner  => "${name}",
  33                                 group  => "users",
  34                         }
  35                         authorized_key {
  36                                 "${comment} - ${name}":
  37                                         key     => "${misaka::sshkey::furinkan::key}",
  38                                         type    => "ssh-rsa",
  39                                         user    => "${name}",
  40                                         require => File["/home/${name}/.ssh"];
  41                                 "purge-${name}":
  42                                         user    => "${name}",
  43                                         ensure  => specified_only,
  44                                         require => File["/home/${name}/.ssh"];
  45                         }
  46                 }
  47                 absent: {
  48                         user { "${name}":
  49                                 comment    => $comment,
  50                                 gid        => "users",
  51                                 shell      => "/bin/bash",
  52                                 managehome => true,
  53                                 password   => "!!",
  54                         }
  55                         exec { "Expire the account for ${name}":
  56                                 command => shellquote("/usr/sbin/usermod", "--expiredate", "1970-01-02", $name),
  57                                 unless  => "/usr/bin/perl -F: -lane 'print(\$F[0],\" expired \", scalar localtime(\$F[7]*86400)) if (\$F[7]) && (\$F[7] lt int(time/(60*60*24)))' /etc/shadow | /bin/grep -q '^${name} '",
  58                         }
  59                 }
  60                 default: { fail("Invalid value for ensure: ${ensure}") }
  61         }
  62 }
  63 
  64 node "misaka.anchor.net.au" {
  65         $supportlevel = complete
  66 
  67         networking::interface {
  68                 "eth0":
  69                         ipaddress => "202.4.224.29/25",
  70                         gateway   => "top";
  71                 "eth0:00":
  72                         ipaddress => "202.4.224.30/25",
  73                         comment   => "nginx";
  74                 "eth0:01":
  75                         ipaddress => "202.4.224.31/25",
  76                         comment   => "apache";
  77                 "eth0:02":
  78                         ipaddress => "202.4.224.48/25",
  79                         comment   => "qqc.meidokon.net";
  80                 "eth1":
  81                         ipaddress => "172.22.71.103/16";
  82         }
  83 
  84         anchor::complete { complete:
  85                 site               => SYD1,
  86                 mailer             => true,
  87                 backup_interface   => "eth1",
  88                 rdiffbackup_server => "cthulhu.engineroom.anchor.net.au";
  89         }
  90         anchor::dirvish::client { dirvish:
  91                 site       => "SYD1",
  92                 server     => "scylla.engineroom.anchor.net.au",
  93         }
  94 
  95         # package { "apache2-mpm-itk": }
  96         # listen on 202.4.224.31 only - NameVirtualHost 202.4.224.31:80
  97         # package { "libapache2-mod-php5": }
  98         # package { "libapache2-mod-wsgi": }
  99         file { "/usr/local/sbin/check_apache_configtest":
 100                 ensure => present,
 101                 mode => 0755,
 102                 source => "puppet:///modules/apache/usr/local/sbin/check_apache_configtest";
 103         }
 104         nrpe::command { check_apache_configtest:
 105                 command => "/usr/local/sbin/check_apache_configtest",
 106                 sudo    => true,
 107         }
 108 
 109 
 110         # Shiny new nginx
 111         featurerepo { "nginx-1.2":
 112                 prefer => true,
 113         }
 114         nginx { $fqdn:
 115                 monitor => false,
 116         }
 117         nagios::check::http { http: }
 118 
 119         # Monitor those HTTP connections
 120         nagios::check::httpconnections { httpconnections: }
 121 
 122 
 123         misaka::imouto { "moin": comment => "moin.meidokon.net wiki" }
 124         gunicorn::app { "moin":
 125                 type      => wsgi,
 126                 directory => "/home/moin/moin-1.9.3/wiki/server",
 127                 user      => "moin",
 128                 group     => "users",
 129                 manager   => daemontools;
 130         }
 131         daemontools::sudo { "moin":
 132                 user    => "moin",
 133                 service => "moin_gunicorn",
 134                 passwd  => false,
 135         }
 136 
 137         misaka::imouto { "qqc": comment => "qqc.meidokon.net" }
 138         # Too hard to make QQC work under gunicorn, I'll just go with apache and mod_wsgi
 139 
 140 
 141         # Access to the old machine
 142         filtergen::rule { "50.pgsql-to-shimako": content => 'output eth0 local dest 202.4.233.227 proto tcp dport 5432 accept;'; }
 143 
 144         mysql { mysql:
 145                 monitor => false,
 146                 backup  => false,
 147         }
 148 
 149         mysql::backup::zikir { misaka:
 150                 lv           => 'misaka/mysql',
 151                 lv_size      => '1G',
 152                 mysql_subdir => '/',
 153         }
 154 
 155         mysql::nagios_check { mysql:
 156                 username => "nagios",
 157                 password => "dumb",
 158         }
 159 
 160         postgres::tuneshm { tuning: shmmax_in_mib => 42 } # postgres default plus some wiggle room
 161         postgres::server { $fqdn:
 162                 version => "8.4",
 163                 backup  => "zikir",
 164         }
 165 
 166         postfix::common_maps { common_maps: }
 167         postfix::nagios_check::mailq { postfix_mailq_check:
 168                 warn_threshold => 20,
 169                 crit_threshold => 100,
 170         }
 171 }
