Puppet Class: toollabs::proxy

Defined in:
modules/toollabs/manifests/proxy.pp

Overview

Parameters:

  • ssl_certificate_name (Any) (defaults to: 'star.wmflabs.org')
  • ssl_install_certificate (Any) (defaults to: true)
  • web_domain (Any) (defaults to: 'tools.wmflabs.org')
  • proxies (Any) (defaults to: ['tools-proxy-03', 'tools-proxy-04'])


# File 'modules/toollabs/manifests/proxy.pp', line 3

# Sets up a Toolforge web proxy host: declares ::dynamicproxy (nginx front end
# with the 'urlproxy' Lua handler), optionally installs the TLS certificate,
# opens Redis to the peer proxies, installs the proxylistener service and
# ships request statistics from the nginx access log via logster.
#
# @param ssl_certificate_name
#   Title of the sslcert::certificate resource (when installed) and the value
#   passed to ::dynamicproxy as ssl_certificate_name.
# @param ssl_install_certificate
#   When true, declare sslcert::certificate before Class['::dynamicproxy'].
# @param web_domain
#   Passed through unchanged to ::dynamicproxy.
# @param proxies
#   Host names allowed to reach Redis on tcp/6379; joined with spaces and
#   handed to ferm's @resolve() in the 'redis-replication' rule.
class toollabs::proxy(
    $ssl_certificate_name = 'star.wmflabs.org',
    $ssl_install_certificate = true,
    $web_domain = 'tools.wmflabs.org',
    $proxies = ['tools-proxy-03', 'tools-proxy-04'],
) {

    include ::toollabs::infrastructure
    include ::redis::client::python

    # The certificate is ordered before ::dynamicproxy so it is in place when
    # that class is applied.
    if $ssl_install_certificate {
        sslcert::certificate { $ssl_certificate_name:
            before       => Class['::dynamicproxy'],
        }
    }

    # hiera() is called without a default, so catalog compilation fails when
    # 'active_proxy_host' is not defined rather than silently picking a host.
    $active_proxy = hiera('active_proxy_host')

    # Every proxy other than the active one gets a { this host => active host }
    # map; the active proxy gets undef.
    # NOTE(review): presumably ::dynamicproxy uses this to make the local Redis
    # a replica of the active proxy - confirm in that class.
    if $::hostname != $active_proxy {
        $redis_replication = {
            "${::hostname}" => $active_proxy,
        }
    } else {
        $redis_replication = undef
    }

    class { '::dynamicproxy':
        # NOTE(review): 'compat' is presumably the broadest-compatibility
        # cipher profile of ssl_ciphersuite(); confirm a stricter profile is
        # not acceptable for this front end.
        ssl_settings         => ssl_ciphersuite('nginx', 'compat'),
        luahandler           => 'urlproxy',
        ssl_certificate_name => $ssl_certificate_name,
        redis_replication    => $redis_replication,
        error_config         => {
            title       => 'Wikimedia Toolforge Error',
            logo        => '/.error/tool-labs-logo.png',
            logo_2x     => '/.error/tool-labs-logo-2x.png',
            logo_alt    => 'Wikimedia Toolforge',
            logo_height => '157',
            favicon     => '/.error/favicon.ico',
        },
        # This value contains literal HTML, so the consuming template
        # presumably emits it unescaped - keep it a static string and never
        # build it from request or user data.
        banned_description   => 'You have been banned from accessing Toolforge. Please see <a href="https://wikitech.wikimedia.org/wiki/Help:Toolforge/Banned">Help:Toolforge/Banned</a> for more information on why and on how to resolve this.',
        web_domain           => $web_domain,
        https_upgrade        => true,
    }


    $proxy_nodes = join($proxies, ' ')

    # Open up redis to all proxies!
    # The allowed sources are whatever the names in $proxies resolve to when
    # ferm evaluates @resolve(), so this rule is only as trustworthy as that
    # name resolution (the defaults are short, unqualified host names).
    # NOTE(review): no Redis authentication or TLS is configured in this
    # class; confirm whether ::dynamicproxy sets any, since this firewall rule
    # is otherwise the only access control visible here.
    ferm::service { 'redis-replication':
        proto  => 'tcp',
        port   => '6379',
        srange => "@resolve((${proxy_nodes}))",
    }

    # Installed root-owned and mode 0555, so the script is not writable
    # through its own permission bits.
    file { '/usr/local/sbin/proxylistener':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0555',
        source  => 'puppet:///modules/toollabs/proxylistener.py',
        # Is provided by the dynamicproxy class.
        # NOTE(review): this class also includes ::redis::client::python
        # itself (top of the class body); confirm the comment above is still
        # accurate.
        require => Class['::redis::client::python'],
    }

    base::service_unit { 'proxylistener':
        ensure  => present,
        upstart => upstart_template('proxylistener'),
        systemd => systemd_template('proxylistener'),
        require => File['/usr/local/sbin/proxylistener'],
    }

    # '$LABS_NETWORKS' is single-quoted, so Puppet passes it through literally
    # and ferm expands it as its own variable.
    # NOTE(review): every host in that range can reach tcp/8282; whether
    # proxylistener authenticates or validates callers is not visible in this
    # manifest - verify in proxylistener.py.
    ferm::service { 'proxylistener-port':
        proto  => 'tcp',
        port   => '8282',
        srange => '$LABS_NETWORKS',
        desc   => 'Proxylistener port, open to just labs',
    }

    # Static assets referenced by error_config above. No owner, group or mode
    # is set on these three files. File['/var/www/error'] is not declared in
    # this class (presumably by ::dynamicproxy - confirm).
    file { '/var/www/error/favicon.ico':
        ensure  => file,
        source  => 'puppet:///modules/toollabs/favicon.ico',
        require => File['/var/www/error'],
    }

    file { '/var/www/error/tool-labs-logo.png':
        ensure  => file,
        source  => 'puppet:///modules/toollabs/tool-labs-logo.png',
        require => [File['/var/www/error']],
    }

    file { '/var/www/error/tool-labs-logo-2x.png':
        ensure  => file,
        source  => 'puppet:///modules/toollabs/tool-labs-logo-2x.png',
        require => [File['/var/www/error']],
    }

    require_package('goaccess')  # webserver statistics, T121233

    $graphite_metric_prefix = "${::labsproject}.reqstats"

    # Logster parser module, root-owned and mode 0555. Unlike the other file
    # resources in this class it sets no explicit 'ensure'.
    file { '/usr/local/lib/python2.7/dist-packages/toolsweblogster.py':
        source => 'puppet:///modules/toollabs/toolsweblogster.py',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    # Runs every minute over the nginx access log and sends the results to
    # statsd under "${graphite_metric_prefix}.".
    # NOTE(review): the access log holds client-supplied request paths and the
    # parser name suggests metrics are keyed on the first URL segment; confirm
    # toolsweblogster.py bounds and sanitises the metric names it emits.
    logster::job { 'proxy-requests':
        minute          => '*/1',
        parser          => 'toolsweblogster.UrlFirstSegmentLogster', # Nothing more specific yet
        logfile         => '/var/log/nginx/access.log',
        logster_options => "-o statsd --statsd-host=labmon1001.eqiad.wmnet:8125 --metric-prefix=${graphite_metric_prefix}.",
        require         => File['/usr/local/lib/python2.7/dist-packages/toolsweblogster.py'],
    }
}