553f268b04
ruff: Fix RUF027 Possible f-string without an `f` prefix.
...
This is a preview rule, not yet enabled by default.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2024-03-01 09:30:04 -08:00
570f3dd447
python: Reformat with Ruff formatter.
...
https://docs.astral.sh/ruff/formatter/
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2024-02-29 17:07:16 -08:00
802477ca1a
memcached-exporter: Add metrics for max item size and max connections.
2024-02-27 10:16:00 -08:00
11e0c448da
memcached-exporter: Fix descriptions on read/written_bytes_total.
2024-02-27 10:16:00 -08:00
be59ef9c02
runtornado: Swap deferred reload events to the default.
...
This makes no immediate reloads the default for runtornado, matching
the production configuration, and changes the development incantation
to be the one to specify the departure from the norm, with
--immediate-reloads.
2024-02-26 22:29:19 -08:00
8673f87907
puppet: Allow enabling "stats sizes" in memcached.
2024-02-23 13:32:04 -08:00
dfdaddea38
kandra: Add a memcached exporter using bmemcached.
2024-02-23 13:32:04 -08:00
e891c57d0e
docs: Update links to new "Reverse proxies" page.
2024-02-20 21:03:32 -08:00
ec6f64f7b0
tornado: Perform rolling client restarts after servers are restarted.
...
Decouple the sending of client restart events from the restarting of
the servers. Restarts use the new Tornado restart-clients endpoint to
inject "restart" events into queues of clients which were loaded from
the previous Tornado process. The rate is controlled by the
`application_server.client_restart_rate`, in clients per minute, or a
flag to `restart-clients` which overrides it. Note that a web client
will also spread its restart over 5 minutes, so artificially-slow
client restarts are generally not very necessary.
Restarts of clients are deferred to until after post-deploy hooks are
run, such that the pre- and post- deploy hooks are around the actual
server restarts, even if pushing restart events to clients takes
significant time.
2024-02-15 15:42:50 -08:00
fa6f4cc039
kandra: Skip hostnames which are undef.
...
If zulip.conf is not fully configured, do not error out if one of
the $hostname values is undef.
2024-02-07 10:42:12 -08:00
3d63a87384
kandra: Puppet github.com keys to both root and zulip users.
...
We update to add the ecdsa-sha2-nistp256 key as well.
2024-02-07 10:42:12 -08:00
b1f899512a
pack-local-script: Match mode of file outside of packing.
2024-02-07 10:42:12 -08:00
927660a7b6
kandra: Remove munin.
2024-02-06 21:34:56 -08:00
96d237d57e
kandra: Pull in known_hosts to the nagios user.
...
This prevents failures when new hosts are initially added to the
configuration.
2024-02-07 00:02:40 -05:00
2cbd9c2a47
kandra: Update default chrony configuration for 22.04.
2024-02-07 00:02:32 -05:00
b23d90ed62
puppet: Rename puppet/zulip_ops to puppet/kandra.
...
This makes for easier tab-completion, and also is a bit more explicit
about the expected consumer.
2024-02-06 17:56:27 -08:00
ccc106dca3
puppet: Add redis host to ~redistunnel/.ssh/known_hosts.
2024-02-06 11:34:09 -08:00
aaf3eb514d
puppet: Allow controlling known_hosts.
...
Note that this uses `ssh-keyscan` to write in the currently-observed
host fingerprint; if DNS or network is untrusted during initial puppet
apply, this can allow attackers to write their own host key, obviating
the utility of known_hosts.
We do not view this as a likely attack mechanism, since in our
deployment the network and DNS is almost certainly trusted, and if
not, the timing attack to catch only initial configuration is likely
impossible.
2024-02-06 11:34:09 -08:00
fe1fd30a58
puppet: Create redistunnel group.
...
This was left off of 1fe5e7c7da
2024-02-05 12:15:15 -08:00
dc950235e5
puppet: Raise net.core.somaxconn on redis.
2024-02-02 17:54:02 -08:00
ec59b4fd78
puppet: Enact redis' kernel config suggestions.
2024-02-02 17:54:02 -08:00
069f262e7b
puppet: Inline all sysctl settings, and always check for containers.
2024-02-02 17:54:02 -08:00
fd69f5f8e2
puppet: Call systemd reload after adding or changing a teleport service.
2024-02-02 17:54:02 -08:00
1ac6e24eaa
puppet: Rename exec resource of systemd_daemon_reload.
...
This makes it easier to put as a "notify" resource.
2024-02-02 17:54:02 -08:00
4947753bfd
puppet: Remove unused systemd_daemon_reload.
...
572443edc6
2024-02-02 17:54:02 -08:00
6e9b25d993
puppet: Add key to allow prod to write ccache on zmirrorp.
2024-02-02 17:24:12 -08:00
96b65cbeab
install-ssh-authorized-keys: Merge multiple authorized_keys secrets.
2024-02-02 17:24:12 -08:00
1567275959
install-ssh-authorized-keys: Use --check rather than another argument.
2024-02-02 17:24:12 -08:00
afa24923e5
install-ssh-authorized-keys: Enable -o pipefail to catch AWS errors.
2024-02-02 17:24:12 -08:00
a0347e76cb
install-ssh-keys: Enable -o pipefail to catch AWS errors.
2024-02-02 17:24:12 -08:00
f8a9edc382
install-ssh-*: Pass -a to rsync to preserve rights, owners, and times.
2024-02-02 17:24:12 -08:00
0bd1e2b434
puppet: Rename and limit production key distribution.
2024-02-02 17:24:12 -08:00
d910ea27fe
puppet: Allow profiles to override zulip_ops::profile::base.
2024-02-02 17:24:12 -08:00
a0e7f1296f
puppet: Increase minimum memory for multiprocess queue workers.
...
This should give some more room for systems that are still below 4GB
of RAM to use the lower-memory multithreaded mode, which is less
likely to have OOM kills (a very bad experience).
There should be little cost, as few systems are likely allocated with
memory in this range.
2024-02-02 13:45:25 -08:00
43c0c77610
puppet: Update rules for number of uwsgi processes.
...
The defaults for how many uwsgi processes to run no longer depend on
the queue processor mode, but instead the total memory on the system.
2024-02-02 13:45:25 -08:00
0e6f013e03
puppet: Drop mosh package -- teleport is now the supported login.
2024-01-31 16:41:04 -08:00
16117e6139
puppet: Drop now-unnecessary common-session change.
2024-01-31 16:41:04 -08:00
9810200d78
puppet: Stop writing custom sshd_config.
...
The only relevant changes are `PasswordAuthentication no` (which
is now the default) and `MaxStartups 40:50:60` (which is now
unneccesary due to autossh tunnels.
2024-01-31 16:41:04 -08:00
1fe5e7c7da
puppet: Use a dedicated user for redis tunneling.
2024-01-31 16:41:04 -08:00
795621771f
puppet: Pull authorized_keys from AWS secretsmanager.
2024-01-31 16:41:04 -08:00
ff00c01538
bootstrap-aws-installer: Pull all keys from secretsmanager.
2024-01-31 16:41:04 -08:00
65d2e855a0
puppet: Switch removal of MOTD directories for .hushlogin.
...
Rather than have to keep resolving apt conflicts with the lack of
`/etc/update-motd.d`, have each user disable the motds with a
`.hushlogin` file.
2024-01-31 16:41:04 -08:00
1bddf41731
puppet: Factor out creation of basic user dotfiles.
2024-01-31 16:41:04 -08:00
69ef808d7b
puppet: Use IAM Roles Anywhere to get AWS credentials outside EC2.
2024-01-31 16:41:04 -08:00
16305761ac
puppet: Use IAM join method, when possible.
2024-01-31 16:41:04 -08:00
dbb60dbeb9
puppet: Factor out $is_ec2, clarify comments.
2024-01-31 16:41:04 -08:00
6902d5db47
install-aws-cli: Also install and keep up to date using Puppet.
...
We previously only did this install on the developer machine and on
initial boot. Also run it from puppet to make sure we keep the binary
up-to-date.
2024-01-31 16:41:04 -08:00
e49fc8873b
install-aws-cli: Check version before no-op'ing.
...
We previously just ensured that _a_ version was installed. Since we
were only using this at initial boot, that was all that was required.
2024-01-31 16:41:04 -08:00
bd87f53c86
install-aws-server: Build a tool to smuggle scripts inline in the bootdata.
2024-01-31 16:41:04 -08:00
1a84a20ca0
install-aws-cli: Add a shebang so it is callable directly.
2024-01-31 16:41:04 -08:00
Anders Kaseorg
Alex Vandiver
David Rosa
Tim Abbott