Alex Vandiver
9bd88a93e2
puppet: Tell needrestart to not default to restarting core services.
The `needrestart` tool added in 22.04 is useful in terms of listing
which services may need to be restarted to pick up updated libraries.
However, it prompts about the current state of services needing
restart for *every* subsequent `apt-get upgrade`, and defaulting core
services to restarting requires carefully manually excluding them
every time, at risk of causing an unscheduled outage.
Build a list of default-off services based on the list in
unattended-upgrades.
2022-07-19 17:51:18 -07:00
Alex Vandiver
775a084d0f
nagios: Add a catchall "other" set.
2022-06-22 12:07:38 -07:00
Alex Vandiver
33472ee9ff
nagios: Remove unused stats host set.
2022-06-22 12:07:38 -07:00
Alex Vandiver
7f6a77da31
puppet: Add a redis exporter.
2022-05-03 17:13:44 -07:00
Anders Kaseorg
e9ba9b0e0d
zulip-ec2-configure-interfaces: Remove.
Our current EC2 systems don’t have an interface named ‘eth0’, and if
they did, this script would do nothing but crash with ImportError
because we have never installed boto.utils for Python 3.
(The message of commit 2a4d851a7c made an effort to document for
future researchers why this script should not have been blindly
converted to Python 3. However, commit 2dc6d09c2a (#14278) was
evidently unresearched and untested.)
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-05-03 02:25:59 -07:00
Anders Kaseorg
646a4d19a3
puppet: Remove quotes for enumerable values.
https://puppet.com/docs/puppet/7/style_guide.html#style_guide_module_design-quoting
“If a string is a value from an enumerable set of options, such as
present and absent, it SHOULD NOT be enclosed in quotes at all.”
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-04-29 22:06:46 -07:00
Alex Vandiver
f6d27562fa
puppet: Configure chrony to use AWS-local NTP sources.
This prevents hosts from spewing traffic to random hosts across the
Internet.
2022-03-25 17:07:53 -07:00
Alex Vandiver
bdd2f35d05
puppet: Switch czo to using zulip_ops::app_frontend_monitoring.
This was clearly intended in f61ac4a28d but never executed.
2022-03-20 16:12:11 -07:00
Alex Vandiver
17699bea44
puppet: postgresql_backups is auto-included if s3_backups_bucket is set.
Since 6496d43148.
2022-03-20 16:12:11 -07:00
Alex Vandiver
bedc7c2986
puppet: Smokescreen is now auto-included in standalone.
Since c33562f0a8.
2022-03-20 16:12:11 -07:00
Alex Vandiver
788daa953b
puppet: Factor out $::architecture case statement for golang.
2022-02-15 12:04:37 -08:00
Alex Vandiver
6bc5849ea8
puppet: Remove now-unused debathena apt repository.
2022-01-18 14:13:28 -08:00
Alex Vandiver
b3f07cc98d
puppet: Replace debathena zephyr package with equivalent puppet file.
2022-01-18 14:13:28 -08:00
Alex Vandiver
a6d7539571
puppet: Replace debathena krb5 package with equivalent puppet file.
2022-01-18 14:13:28 -08:00
Alex Vandiver
75224ea5de
puppet: python-dev is now purely virtual; install python2.7-dev.
2022-01-18 14:13:28 -08:00
Alex Vandiver
0b8a6a51b8
puppet: Remove all parts of AWS kernels.
Otherwise, we just uninstall the meta-package, and still restart into
the installed AWS kernel.
2022-01-12 15:52:19 -08:00
Alex Vandiver
1e80b844f4
puppet: Disable apparmor profile for msmtp.
As the nagios user, we want to read the msmtp configuration from
~nagios, which apparmor's profile does not allow msmtp to do.
2022-01-11 09:38:31 -08:00
Alex Vandiver
3c95ad82c6
puppet: Upgrade to nagios4.
This updates the puppeted nagios configuration file for the Nagios4
defaults.
2022-01-11 09:38:31 -08:00
Alex Vandiver
4a95967a33
puppet: Gather uwsgi stats from chat.zulip.org.
2022-01-03 21:26:57 -08:00
Anders Kaseorg
82748d45d8
install-yarn: Use test -ef in case /srv is a symlink.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-12-30 13:42:07 -08:00
Alex Vandiver
c094867a74
puppet: Add aarch64 build hashes to external dependencies.
wal-g does not ship aarch64 binaries, currently; the compilation
process([1]) is somewhat complicated, so we defer the decision about
how to support wal-g for aarch64 until a later date.
[1]: https://github.com/wal-g/wal-g/blob/master/docs/PostgreSQL.md#installing
2021-12-29 16:35:15 -08:00
Alex Vandiver
f166f9f7d6
puppet: Centralize versions and sha256 hashes of external dependencies.
This will make it easier to update versions of these dependencies.
2021-12-29 16:35:15 -08:00
Alex Vandiver
57662689a9
puppet: Provide a constant homedir for grafana user.
The homedir of a user cannot be changed if any processes are running
as them, so having it change over time as upgrades happen will break
puppet application, as the old grafana process under supervisor will
effectively lock changes to the user's homedir.
Unfortunately, that means that this change will thus fail to
puppet-apply unless `supervisorctl stop grafana` is run first, but
there's no way around that.
2021-12-29 16:35:15 -08:00
Alex Vandiver
6e55e52694
puppet: Pull out grafana $data_dir.
2021-12-29 16:35:15 -08:00
Alex Vandiver
1e4e6a09af
puppet: Stop making resources for external binaries and directories.
In the event that extracting doesn't produce the binary we expected it
to, all this will do is create an _empty_ file where we expect the
binary to be. This will likely muddle debugging.
Since the only reason the resource was made in the first place was to
make dependencies clear, switch to depending on the External_Dep
itself, when such a dependency is needed.
2021-12-29 16:35:15 -08:00
Alex Vandiver
3c163a7d5e
puppet: Move slash out of $dir by convention.
2021-12-29 16:35:15 -08:00
Alex Vandiver
bb5a2c8138
puppet: Move prometheus to external_dep.
2021-12-29 16:35:15 -08:00
Alex Vandiver
e4b23daad7
puppet: Upgrade to Grafana 8.3.2, for CVE-2021-43813.
2021-12-10 14:00:11 -08:00
Alex Vandiver
291f688678
puppet: Use zulip::external_dep for grafana, template config.
Templating the config ensures that the service is restarted when it is
upgraded.
2021-12-08 20:58:10 -08:00
Alex Vandiver
3eae429ab4
puppet: Upgrade Grafana to 8.3.1, for CVE-2021-43798.
2021-12-08 20:58:10 -08:00
Alex Vandiver
7db146d0a9
puppet: Do not assume amd64 architecture.
2021-12-06 11:08:50 -08:00
Alex Vandiver
1806e0f45e
puppet: Remove zulip.org configuration.
2021-08-26 17:21:31 -07:00
Alex Vandiver
e46e862f2b
puppet: Add a bare-bones zulipbot profile.
This sets up the firewalls appropriate for zulipbot, but does not
automate any of the configuration of zulipbot itself.
2021-08-24 16:05:58 -07:00
Alex Vandiver
5857dcd9b4
puppet: Configure ip6tables in parallel to ipv4.
Previously, IPv6 firewalls were left at the default all-open.
Configure IPv6 equivalently to IPv4.
2021-08-24 16:05:46 -07:00
Alex Vandiver
845509a9ec
puppet: Be explicit that existing iptables are only ipv4.
2021-08-24 16:05:46 -07:00
Alex Vandiver
e6bae4f1dd
puppet: Remove zulip::nagios class.
93f62b999e removed the last file in
puppet/zulip/files/nagios_plugins/zulip_nagios_server, which means the
singular rule in zulip::nagios no longer applies cleanly.
Remove the `zulip::nagios` class, as it is no longer needed.
2021-07-09 17:29:41 -07:00
Anders Kaseorg
93f62b999e
nagios: Replace check_website_response with standard check_http plugin.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-07-09 16:47:03 -07:00
Alex Vandiver
6c72698df2
puppet: Move zulip_ops supervisor config into /etc/supervisor/conf.d/zulip/.
This is similar cleanup to 3ab9b31d2f, but only affects zulip_ops
services; it serves to ensure that any of these services which are no
longer enabled are automatically removed from supervisor.
Note that this will cause a supervisor restart on all affected hosts,
which will restart all supervisor services.
2021-06-14 17:12:59 -07:00
Alex Vandiver
c90ff80084
puppet: Bump grafana version to 8.0.1.
Most notably, this fixes an annoying bug with CloudWatch metrics being
repeated in graphs.
2021-06-10 15:49:08 -07:00
Alex Vandiver
d905eb6131
puppet: Add a database teleport server.
Host-based md5 auth for 127.0.0.1 must be removed from `pg_hba.conf`,
otherwise password authentication is preferred over certificate-based
authentication for localhost.
2021-06-08 22:21:21 -07:00
Alex Vandiver
100a899d5d
puppet: Add grafana server.
2021-06-08 22:21:00 -07:00
Alex Vandiver
459f37f041
puppet: Add prometheus server.
2021-06-08 22:21:00 -07:00
Alex Vandiver
19fb58e845
puppet: Add prometheus node exporter.
2021-06-08 22:21:00 -07:00
Alex Vandiver
61b6fc865c
puppet: Add a label to teleport applications, to allow RBAC.
Roles can only grant or deny access based on labels; set one based on
the application name.
2021-06-08 15:19:04 -07:00
Alex Vandiver
359f37389a
puppet: Remove in-nagios auth restrictions.
51b985b40d made nagios only accessible from localhost, or as proxied
via teleport. Remove the HTTP-level auth requirements.
2021-06-07 16:17:45 -07:00
Alex Vandiver
2352fac6b5
puppet: Fix indentation.
2021-06-02 18:38:38 -07:00
Alex Vandiver
51b985b40d
puppet: Move nagios to behind teleport.
This makes the server only accessible via localhost, by way of the
Teleport application service.
2021-06-02 18:38:38 -07:00
Alex Vandiver
c59421682f
puppet: Add a teleport node on every host.
Teleport nodes[1] are the equivalent to SSH servers. In addition to
this config, joining the teleport cluster will require presenting a
one-time "join token" from the proxy server[2], which may either be
short-lived or static.
[1] https://goteleport.com/docs/architecture/nodes/
[2] https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster
2021-06-02 18:38:38 -07:00
Alex Vandiver
1cdf14d195
puppet: Add a teleport server.
See https://goteleport.com/docs/architecture/overview/ for the general
architecture of a Teleport cluster. This commit adds a Teleport auth[1]
and proxy[2] server. The auth server serves as a CA for granting
time-bounded access to users and authenticating nodes on the cluster;
the proxy provides access and a management UI.
[1] https://goteleport.com/docs/architecture/authentication/
[2] https://goteleport.com/docs/architecture/proxy/
2021-06-02 18:38:38 -07:00
Alex Vandiver
3ebd627c50
puppet: Fix "import" -> "include" in chat_zulip_org.
2021-06-02 11:02:34 -07:00