Puppet Class: profile::vrts

Defined in:
modules/profile/manifests/vrts.pp

Overview

SPDX-License-Identifier: Apache-2.0 (vim: set ts=4 et sw=4:). Sets up an instance of the 'Volunteer Response Team System'; see wikitech.wikimedia.org/wiki/VRT_System

Parameters:

  • active_host (Stdlib::Fqdn) (defaults to: lookup('profile::vrts::active_host'))
  • passive_host (Stdlib::Fqdn) (defaults to: lookup('profile::vrts::passive_host'))
  • vrts_database_host (Stdlib::Fqdn) (defaults to: lookup('profile::vrts::database_host'))
  • vrts_database_name (String) (defaults to: lookup('profile::vrts::database_name'))
  • vrts_database_user (String) (defaults to: lookup('profile::vrts::database_user'))
  • vrts_database_pw (String) (defaults to: lookup('profile::vrts::database_pass'))
  • vrts_database_port (String) (defaults to: lookup('profile::vrts::database_port'))
  • exim_database_name (String) (defaults to: lookup('profile::vrts::exim_database_name'))
  • exim_database_user (String) (defaults to: lookup('profile::vrts::exim_database_user'))
  • exim_database_pass (String) (defaults to: lookup('profile::vrts::exim_database_pass'))
  • download_url (String) (defaults to: lookup('profile::vrts::download_url'))
  • http_proxy (String) (defaults to: lookup('profile::vrts::http_proxy'))
  • https_proxy (String) (defaults to: lookup('profile::vrts::https_proxy'))
  • dns_name (String) (defaults to: lookup('profile::vrts::public_dns'))
  • local_database (Boolean) (defaults to: lookup('profile::vrts::local_database', {default_value => false}))
  • db_datadir (Stdlib::Unixpath) (defaults to: lookup('profile::vrts::db_datadir', {default_value => '/var/lib/mysql'}))


# File 'modules/profile/manifests/vrts.pp', line 5

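# @summary Sets up an instance of the Volunteer Response Team System (VRTS).
#
# Wires the node-level pieces around the ::vrts class: optional local MariaDB,
# Apache (httpd) with mod_perl, firewall openings for HTTP and SMTP, and
# monitoring for SMTP, ClamAV and the web front end.
#
# @param active_host FQDN of the active host. The VRTS daemon and the HTTP
#   blackbox check are enabled only on the node whose fqdn fact equals it.
# @param passive_host FQDN handed to ::vrts as passive_host.
# @param vrts_database_host Database host handed to ::vrts.
# @param vrts_database_name Database name handed to ::vrts.
# @param vrts_database_user Database user handed to ::vrts.
# @param vrts_database_pw Database credential handed to ::vrts.
#   NOTE(review): typed as a plain String, so nothing here redacts it; whether
#   it can become Sensitive[String] depends on what ::vrts accepts - confirm.
# @param vrts_database_port Database port handed to ::vrts (a String).
# @param exim_database_name Exim database name handed to ::vrts.
# @param exim_database_user Exim database user handed to ::vrts.
# @param exim_database_pass Exim database credential handed to ::vrts.
#   NOTE(review): plain String, same consideration as vrts_database_pw.
# @param download_url Handed to ::vrts as download_url.
# @param http_proxy Handed to ::vrts as http_proxy.
# @param https_proxy Handed to ::vrts as https_proxy.
# @param dns_name Handed to ::vrts as public_dns; also the title of the HTTP
#   blackbox check declared on the active host.
# @param local_database When true, declares profile::mariadb::generic_server
#   on this node.
# @param db_datadir datadir for that MariaDB server (used only when
#   local_database is true).
class profile::vrts(
    Stdlib::Fqdn $active_host        = lookup('profile::vrts::active_host'),
    Stdlib::Fqdn $passive_host       = lookup('profile::vrts::passive_host'),
    Stdlib::Fqdn $vrts_database_host = lookup('profile::vrts::database_host'),
    String $vrts_database_name       = lookup('profile::vrts::database_name'),
    String $vrts_database_user       = lookup('profile::vrts::database_user'),
    String $vrts_database_pw         = lookup('profile::vrts::database_pass'),
    String $vrts_database_port       = lookup('profile::vrts::database_port'),
    String $exim_database_name       = lookup('profile::vrts::exim_database_name'),
    String $exim_database_user       = lookup('profile::vrts::exim_database_user'),
    String $exim_database_pass       = lookup('profile::vrts::exim_database_pass'),
    String $download_url             = lookup('profile::vrts::download_url'),
    String $http_proxy               = lookup('profile::vrts::http_proxy'),
    String $https_proxy              = lookup('profile::vrts::https_proxy'),
    String $dns_name                 = lookup('profile::vrts::public_dns'),
    Boolean $local_database          = lookup('profile::vrts::local_database', {default_value => false}),
    Stdlib::Unixpath $db_datadir     = lookup('profile::vrts::db_datadir', {default_value => '/var/lib/mysql'}),
){
    include network::constants
    include ::profile::prometheus::apache_exporter
    include profile::mail::default_mail_relay

    if $local_database {
        class { 'profile::mariadb::generic_server':
            datadir => $db_datadir,
        }
    }

    # Drop the loopback entries from the aggregate network list before it is
    # handed to ::vrts as trusted_networks. The pattern is anchored and the dots
    # are escaped so that only an entry that *is* 127.0.0.0 or ::1 (bare or
    # followed by a /prefix) is removed; the previous unanchored /127.0.0.0|::1/
    # also dropped any entry that merely contained '::1' (e.g. an IPv6 network
    # whose address part begins with a 1 after '::').
    # NOTE(review): assumes entries are 'address' or 'address/prefix' strings -
    # confirm against network::constants.
    $trusted_networks = $network::constants::aggregate_networks.filter |$x| {
        $x !~ /\A(?:127\.0\.0\.0|::1)(?:\/|\z)/
    }

    # True only on the active host; gates the daemon and the HTTP probe below.
    $enable_service = $active_host == $facts['fqdn']

    class { '::vrts':
        vrts_database_host => $vrts_database_host,
        active_host        => $active_host,
        passive_host       => $passive_host,
        vrts_database_name => $vrts_database_name,
        vrts_database_user => $vrts_database_user,
        vrts_database_pw   => $vrts_database_pw,
        vrts_database_port => $vrts_database_port,
        vrts_daemon        => $enable_service,
        exim_database_name => $exim_database_name,
        exim_database_user => $exim_database_user,
        exim_database_pass => $exim_database_pass,
        trusted_networks   => $trusted_networks,
        download_url       => $download_url,
        http_proxy         => $http_proxy,
        https_proxy        => $https_proxy,
        public_dns         => $dns_name,
        mail_smarthosts    => $profile::mail::default_mail_relay::smarthosts,
    }

    class { '::httpd':
        modules => ['headers', 'rewrite', 'perl'],
    }

    profile::auto_restarts::service { 'apache2': }
    profile::auto_restarts::service { 'envoyproxy': }

    # TODO: On purpose here since it references a file not in a module which is
    # used by other classes as well
    # lint:ignore:puppet_url_without_modules
    file { '/etc/exim4/wikimedia_domains':
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        source  => 'puppet:///modules/role/exim/wikimedia_domains',
        require => Class['exim4'],
    }
    # lint:endignore

    # Plain HTTP on port 80, reachable only from the 'CACHES' source set.
    # NOTE(review): the blackbox probe below talks TLS to port 1443, which is
    # not opened in this class - presumably handled where envoyproxy is set up;
    # confirm that port 80 still needs to be exposed.
    firewall::service { 'vrts_http':
        proto    => 'tcp',
        port     => 80,
        src_sets => ['CACHES'],
    }

    # Inbound SMTP is accepted only from the default mail relay's smarthosts.
    firewall::service { 'vrts_smtp':
        proto  => 'tcp',
        port   => 25,
        srange => $profile::mail::default_mail_relay::smarthosts,
    }

    prometheus::blackbox::check::tcp { 'vrts-smtp':
        team     => 'collaboration-services',
        severity => 'task',
        port     => 25,
    }

    # Alert unless exactly one clamd and one freshclam process run as clamav
    # (-w 1:1 -c 1:1 makes any other count warning/critical).
    nrpe::monitor_service{ 'clamd':
        description  => 'clamd running',
        nrpe_command => '/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -u clamav -C clamd',
        notes_url    => 'https://wikitech.wikimedia.org/wiki/VRT_System#ClamAV',
    }
    nrpe::monitor_service{ 'freshclam':
        description  => 'freshclam running',
        nrpe_command => '/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -u clamav -C freshclam',
        notes_url    => 'https://wikitech.wikimedia.org/wiki/VRT_System#ClamAV',
    }

    # Probe the web UI only where the service is actually enabled; reuses
    # $enable_service instead of repeating the active-host comparison.
    if $enable_service {
        prometheus::blackbox::check::http { $dns_name:
            team               => 'collaboration-services',
            severity           => 'task',
            path               => '/otrs/index.pl',
            port               => 1443,
            ip_families        => ['ip4'],
            force_tls          => true,
            body_regex_matches => ['wikimedia'],
        }
    }

    # can conflict with ferm module
    ensure_packages('libnet-dns-perl')
}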