Alex Vandiver
1806e0f45e
puppet: Remove zulip.org configuration.
2021-08-26 17:21:31 -07:00
Alex Vandiver
e46e862f2b
puppet: Add a bare-bones zulipbot profile.
This sets up the firewalls appropriate for zulipbot, but does not
automate any of the configuration of zulipbot itself.
2021-08-24 16:05:58 -07:00
Alex Vandiver
5857dcd9b4
puppet: Configure ip6tables in parallel to ipv4.
Previously, IPv6 firewalls were left at the default all-open.
Configure IPv6 equivalently to IPv4.
2021-08-24 16:05:46 -07:00
Alex Vandiver
845509a9ec
puppet: Be explicit that existing iptables are only ipv4.
2021-08-24 16:05:46 -07:00
Alex Vandiver
e6bae4f1dd
puppet: Remove zulip::nagios class.
93f62b999e removed the last file in
puppet/zulip/files/nagios_plugins/zulip_nagios_server, which means the
singular rule in zulip::nagios no longer applies cleanly.
Remove the `zulip::nagios` class, as it is no longer needed.
2021-07-09 17:29:41 -07:00
Anders Kaseorg
93f62b999e
nagios: Replace check_website_response with standard check_http plugin.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-07-09 16:47:03 -07:00
Alex Vandiver
6c72698df2
puppet: Move zulip_ops supervisor config into /etc/supervisor/conf.d/zulip/.
This is similar cleanup to 3ab9b31d2f, but only affects zulip_ops
services; it serves to ensure that any of these services which are no
longer enabled are automatically removed from supervisor.
Note that this will cause a supervisor restart on all affected hosts,
which will restart all supervisor services.
2021-06-14 17:12:59 -07:00
Alex Vandiver
c90ff80084
puppet: Bump grafana version to 8.0.1.
Most notably, this fixes an annoying bug with CloudWatch metrics being
repeated in graphs.
2021-06-10 15:49:08 -07:00
Alex Vandiver
d905eb6131
puppet: Add a database teleport server.
Host-based md5 auth for 127.0.0.1 must be removed from `pg_hba.conf`,
otherwise password authentication is preferred over certificate-based
authentication for localhost.
2021-06-08 22:21:21 -07:00
Alex Vandiver
100a899d5d
puppet: Add grafana server.
2021-06-08 22:21:00 -07:00
Alex Vandiver
459f37f041
puppet: Add prometheus server.
2021-06-08 22:21:00 -07:00
Alex Vandiver
19fb58e845
puppet: Add prometheus node exporter.
2021-06-08 22:21:00 -07:00
Alex Vandiver
61b6fc865c
puppet: Add a label to teleport applications, to allow RBAC.
Roles can only grant or deny access based on labels; set one based on
the application name.
2021-06-08 15:19:04 -07:00
Alex Vandiver
359f37389a
puppet: Remove in-nagios auth restrictions.
51b985b40d made nagios only accessible from localhost, or as proxied
via teleport. Remove the HTTP-level auth requirements.
2021-06-07 16:17:45 -07:00
Alex Vandiver
2352fac6b5
puppet: Fix indentation.
2021-06-02 18:38:38 -07:00
Alex Vandiver
51b985b40d
puppet: Move nagios to behind teleport.
This makes the server only accessible via localhost, by way of the
Teleport application service.
2021-06-02 18:38:38 -07:00
Alex Vandiver
c59421682f
puppet: Add a teleport node on every host.
Teleport nodes[1] are the equivalent of SSH servers. In addition to
this config, joining the teleport cluster will require presenting a
one-time "join token" from the proxy server[2], which may either be
short-lived or static.
[1] https://goteleport.com/docs/architecture/nodes/
[2] https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster
2021-06-02 18:38:38 -07:00
Alex Vandiver
1cdf14d195
puppet: Add a teleport server.
See https://goteleport.com/docs/architecture/overview/ for the general
architecture of a Teleport cluster. This commit adds a Teleport auth[1]
and proxy[2] server. The auth server serves as a CA for granting
time-bounded access to users and authenticating nodes on the cluster;
the proxy provides access and a management UI.
[1] https://goteleport.com/docs/architecture/authentication/
[2] https://goteleport.com/docs/architecture/proxy/
2021-06-02 18:38:38 -07:00
Alex Vandiver
3ebd627c50
puppet: Fix "import" -> "include" in chat_zulip_org.
2021-06-02 11:02:34 -07:00
Alex Vandiver
2130fc0645
puppet: Add an explicit class for czo.
2021-06-01 22:18:50 -07:00
Alex Vandiver
c9141785fd
puppet: Use concat fragments to place port allows next to services.
This means that services will only open their ports if they are
actually run, without having to clutter rules.v4 with a lot of `if`
statements.
This does not go as far as using `puppetlabs/firewall`[1] because that
would represent an additional DSL to learn; raw IPtables sections can
easily be inserted into the generated iptables file via
`concat::fragment` (either inline, or as a separate file), but config
can be centralized next to the appropriate service.
[1] https://forge.puppet.com/modules/puppetlabs/firewall
2021-05-27 21:14:48 -07:00
Alex Vandiver
4f79b53825
puppet: Factor out firewall config.
2021-05-27 21:14:48 -07:00
Alex Vandiver
ea98549e88
puppet: Always install linux-image-virtual, for ksplice support.
2021-05-23 13:29:23 -07:00
Anders Kaseorg
544bbd5398
docs: Fix capitalization mistakes.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-05-10 09:57:26 -07:00
Alex Vandiver
9ea86c861b
puppet: Add a nagios alert configuration for smokescreen.
This verifies that the proxy is working by accessing a
highly-available website through it. Since failure of this equates to
failures of Sentry notifications and Android mobile push
notifications, this is a paging service.
2021-03-18 10:11:15 -07:00
Alex Vandiver
d938dd9d4a
puppet: Document smokescreen installation, and move to puppet/zulip/.
This is more broadly useful than for just Kandra; provide
documentation and means to install Smokescreen for stand-alone
servers, and motivate its use somewhat more.
2021-03-02 17:16:38 -08:00
Alex Vandiver
32149c6a1c
puppet: Add ksplice uptrack for kernel hotpatches.
2021-02-25 18:05:47 -08:00
Alex Vandiver
173d2dec3d
puppet: Check in defensive restart-camo cron job.
This was found on lb1; add it to the camo install on smokescreen.
2021-02-24 16:42:21 -08:00
Alex Vandiver
0b736ef4cf
puppet: Remove puppet_ops configuration for separate loadbalancer host.
2021-02-22 16:05:13 -08:00
Alex Vandiver
a88af1b5a2
camo: Install on smokescreen host.
2021-02-16 08:12:31 -08:00
Alex Vandiver
29f60bad20
smokescreen: Put the version into the supervisorctl command.
This makes it reload correctly if the version is changed.
2021-02-16 08:12:31 -08:00
Tim Abbott
ab3cb2b3bf
puppet: Fix internal redis puppet configuration.
The inherits rule is required for overriding existing configuration
files; while the `::profile` piece was missed in the recent ::profile
migration.
2020-10-29 11:53:43 -07:00
Alex Vandiver
45f6c79c4a
puppet: Rename postgres_ variables to postgresql_.
2020-10-28 11:51:52 -07:00
Alex Vandiver
a155430eb5
docs: Document all zulip.conf settings.
This provides a single reference point for all zulip.conf settings;
these mostly link out to the more complete documentation about each
setting, elsewhere.
Fixes #12490.
2020-10-27 13:31:57 -07:00
Alex Vandiver
d24c571bab
puppet: Automatically back up the database if we have the secrets.
This avoids folks having to manually add to the puppet_classes.
2020-10-27 13:29:19 -07:00
Alex Vandiver
e7798d2797
puppet: Move zulip_ops::profile::postgres_appdb to postgresql.
2020-10-27 13:29:19 -07:00
Alex Vandiver
9f25389bff
puppet: Move top-level zulip_ops deployments to zulip_ops::profile.
2020-10-27 13:29:19 -07:00