Commit 5f4d4f2e authored by blallo's avatar blallo

Merge commit '77c9ee38' into new_tsig_func

parents 730de7b1 77c9ee38
testing: {{ testing|default(True)|to_json }}
use_rsa: false
use_rsa: true
email: "certs@{{ domain_public[0] }}"
account_key_path: "/var/lib/acme/account.key"
default_challenge: "http-01"
......
......@@ -2,5 +2,5 @@
ARGS="--collectors.enabled=conntrack,diskstats,entropy,filefd,filesystem,loadavg,meminfo,netdev,netstat,sockstat,stat,systemd,textfile,time,uname,vmstat \
--collector.diskstats.ignored-devices=^(ram|loop|fd)\d+$ \
--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|run)($|/) \
--collector.textfile.directory=/var/lib/prometheus/node-exporter"
--collector.textfile.directory=/var/lib/prometheus/node-exporter \
--collector.systemd.unit-blacklist=^.*\.(device|swap|mount)$"
......@@ -77,7 +77,16 @@
- tabacco
- restic
- runcron
- name: Install extra packages
apt:
name: "{{ extra_packages }}"
state: present
vars:
extra_packages:
- net-tools
- vim
when: "not testing|default(True)"
- name: Remove blacklisted packages
apt:
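Review bot: `extra_packages` is declared in the new task's own `vars:` block, and task-level vars sit above inventory, host and group vars in Ansible's precedence, so the list is effectively hard-coded and cannot be extended per host or environment. Moving the default to the role's defaults (`extra_packages: [net-tools, vim]` in `defaults/main.yml`) and dropping the task `vars:` keeps the same packages while allowing overrides. The `when: "not testing|default(True)"` condition also skips the task whenever `testing` is undefined; if that is intended, a one-line comment saying so would help the next reader. The enclosing task list starts and ends outside the hunk.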
......
......@@ -13,9 +13,11 @@
- rsyslog
- rsyslog-gnutls
- name: Install mtail
# Bring in mtail 3.0 for bugfixes etc
- name: Install mtail from backports
apt:
name: mtail
default_release: stretch-backports
state: present
- name: Install mtail systemd units
......
......@@ -36,3 +36,14 @@ To install a custom, manually maintained DNS zone, you are going to
need to create a tiny dedicated Ansible role. There are detailed
instructions on how to do so in
[docs/ansible.md](../../docs/ansible.md).
## Further customization
If you need Bind to set up specific zones or delegations, your own
automation can create the following files:
* */etc/bind/named.conf.internal-custom-zones*
* */etc/bind/named.conf.external-custom-zones*
which should contain Bind directives for the internal and external
views respectively.
......@@ -52,11 +52,15 @@
- manual
- auto
- name: Create empty named.conf.zones files if necessary
- name: Create empty named.conf.* files if necessary
file:
path: "/etc/bind/named.conf.zones"
path: "/etc/bind/{{ item }}"
state: touch
changed_when: false
with_items:
- named.conf.zones
- named.conf.internal-custom-zones
- named.conf.external-custom-zones
- name: Generate infrastructural zone
template:
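Review bot: The touch task creates the three `named.conf.*` files without `owner`, `group` or `mode`, so their permissions depend on the connection user's umask rather than on anything the role states, even though named must be able to read them. Adding `owner: root`, `group: bind` (or whatever group named runs as on these hosts) and `mode: "0644"` to the `file:` arguments makes the result deterministic on every run. The `changed_when: false` is appropriate, since `state: touch` would otherwise report a change each time. The enclosing task list continues outside the hunk.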
......
view "internal-in" in {
// View for internal clients (i.e. localhost). Enables
// recursive requests and cache.
match-clients { localhost; };
match-clients {
localhost;
{% for n in net_overlays %}
net_{{ n.name }};
{% endfor %}
};
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
......@@ -14,6 +19,9 @@ view "internal-in" in {
// Include the root hints and the default zones.
include "/etc/bind/named.conf.default-zones";
// Include further manually-maintained zones.
include "/etc/bind/named.conf.internal-custom-zones";
// Include zonetool-maintained zones.
include "/etc/bind/named.conf.zones";
};
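Review bot: The new include of `named.conf.internal-custom-zones` is loaded before `named.conf.zones`, and BIND refuses to load a view in which the same zone name is defined twice, so a hand-maintained zone that zonetool also manages would break the whole named reload rather than just that zone. A comment on the include makes the constraint visible: `// Zones defined here must not duplicate any zonetool-managed zone; BIND rejects a view with two definitions of one zone.`. The same applies to the external view's include in the next hunk.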
......@@ -28,6 +36,9 @@ view "external-in" in {
additional-from-auth no;
additional-from-cache no;
// Include zonetool-maintained zones.
// Include manually-maintained zones.
include "/etc/bind/named.conf.external-custom-zones";
// Include zonetool-maintained zones.
include "/etc/bind/named.conf.zones";
};
{% for n in net_overlays %}
acl "net_{{ n.name }}" {
{{ n.network }};
};
{% endfor %}
options {
directory "/var/cache/bind";
......@@ -17,7 +23,12 @@ options {
auth-nxdomain no;
allow-transfer { none; };
allow-query { localhost; };
allow-query {
localhost;
{% for n in net_overlays %}
net_{{ n.name }};
{% endfor %}
};
};
logging {
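Review bot: The widened `allow-query` list references `net_{{ n.name }}` ACLs that only exist because of the acl loop added at the top of this file, and BIND requires an acl to be declared before the first statement that uses it, so this file must be read before any view using the same names; the views hunks above appear to rely on that, and nothing documents the ordering. A comment next to the acl loop such as `// ACLs used by allow-query below and by match-clients in the views file; this file must be included first.` would make the dependency explicit. Note also that unless `allow-recursion` and `allow-query-cache` are set separately, BIND derives them from `allow-query`, so every overlay network now gets recursion in any view with `recursion yes`; that matches the internal view's intent, but the comment should say so.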
......
......@@ -33,3 +33,6 @@ mariadb_master_port: "{{ mariadb_port }}"
mariadb_replication_user: replica
mariadb_replication_password: ""
mariadb_replicate_dbs: []
# Custom server settings.
mariadb_settings: {}
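Review bot: `# Custom server settings.` does not tell a reader how the mapping is consumed; from the my.cnf template hunk below it is rendered verbatim as `key=value` lines, with no quoting or validation, placed after the role's own settings so that duplicate keys given here win. A fuller comment would save guesswork: `# Extra my.cnf options rendered verbatim as key=value lines after the role defaults (later keys override earlier ones), e.g. {max_connections: 500}.`. Which `[section]` the lines end up in is not visible in these hunks and should be confirmed before stating it.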
......@@ -4,7 +4,7 @@ Description=Prometheus exporter for MySQL server (%I)
[Service]
Restart=always
User=prometheus
ExecStart=/usr/bin/prometheus-mysqld-exporter -web.listen-address {{ mariadb_metrics_address }}:{{ mariadb_metrics_port }} -config.my-cnf {{ mariadb_metrics_config }}
ExecStart=/usr/bin/prometheus-mysqld-exporter -web.listen-address {{ mariadb_metrics_address }}:{{ mariadb_metrics_port }} -config.my-cnf {{ mariadb_metrics_config }} -collect.info_schema.tables=false -collect.info_schema.tablestats=false
[Install]
WantedBy=multi-user.target
......@@ -21,6 +21,7 @@ innodb_flush_method=O_DIRECT
innodb_flush_log_at_trx_commit=2
innodb_log_file_size={{ mariadb_innodb_log_file_size }}
innodb_log_buffer_size=8M
log_warnings=4
# Do not block hosts because of errors.
max_connect_errors = 4294967295
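Review bot: `log_warnings=4` is added without a comment while the neighbouring `max_connect_errors` line explains itself; since host blocking is disabled, the error log becomes the only record of repeated failed or aborted connections, and that is worth stating as the reason for verbose warnings. Something like `# Verbose warnings: with host blocking disabled, the error log is the only trace of aborted or denied connections.` would do. If I recall MariaDB's levels correctly, 4 is the most verbose setting, so rotation of the error log should be checked after this change.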
......@@ -35,5 +36,9 @@ replicate_wild_do_table={{ db }}.%
{% endfor %}
{% endif %}
{% for key, value in mariadb_settings.items() %}
{{ key }}={{ value }}
{% endfor %}
# Include instance-specific configuration.
!includedir {{ mariadb_config_dir }}/
......@@ -3,10 +3,10 @@
# Dedicate a bit of memory to buffering data. Setting
# proxy_buffer_size too small can have bad interactions with the proxy
# cache (the entire response headers should fit in the proxy_buffer).
#proxy_buffer_size 16k;
#proxy_buffers 8 4k;
#proxy_busy_buffers_size 32k;
proxy_buffering on;
proxy_buffers 4 16k;
proxy_buffer_size 16k;
proxy_busy_buffers_size 16k;
# Do not buffer body of requests.
proxy_request_buffering off;
......
......@@ -20,9 +20,14 @@ http {
map_hash_max_size 16384;
map_hash_bucket_size 256;
server_names_hash_max_size 2048;
server_names_hash_bucket_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
client_max_body_size 60m;
# Log response times so that we can compute latency histograms
# (using mtail). Works around the lack of Prometheus
# instrumentation in NGINX.
......
......@@ -7,8 +7,8 @@ server {
{% if 'acme' in services %}
# Handle ACME challenge verification.
location /.well-known/acme-challenge {
include /etc/nginx/snippets/proxy.conf;
proxy_pass http://acme.{{ domain }};
include /etc/nginx/snippets/proxy.conf;
proxy_pass http://acme.{{ domain }}:5004;
}
{% endif %}
......@@ -23,7 +23,7 @@ server {
server_name _;
ssl on;
ssl_certificate /etc/credentials/selfsigned/default/cert.pem;
ssl_certificate /etc/credentials/selfsigned/default/cert.pem;
ssl_certificate_key /etc/credentials/selfsigned/default/private_key.pem;
root /var/www/html;
......
......@@ -15,8 +15,8 @@
"editable": true,
"gnetId": 3894,
"graphTooltip": 0,
"id": 9,
"iteration": 1551088117898,
"id": 6,
"iteration": 1559409520591,
"links": [],
"panels": [
{
......@@ -81,7 +81,7 @@
"tableColumn": "",
"targets": [
{
"expr": "apache_uptime_seconds_total{instance=~\"$host:$port\"}",
"expr": "apache_uptime_seconds_total{instance=~\"^$host:.*\"}",
"format": "time_series",
"intervalFactor": 2,
"refId": "A",
......@@ -150,7 +150,7 @@
"steppedLine": false,
"targets": [
{
"expr": "count(apache_up{instance=~\"$host:$port\"} == 1)",
"expr": "count(apache_up{instance=~\"^$host:.*\"} == 1)",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Apache Up",
......@@ -158,7 +158,7 @@
"step": 120
},
{
"expr": "scalar(count(apache_up{instance=~\"$host:$port\"} == 0))",
"expr": "scalar(count(apache_up{instance=~\"^$host:.*\"} == 0))",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Apache Down",
......@@ -246,7 +246,7 @@
"steppedLine": false,
"targets": [
{
"expr": "rate(apache_sent_kilobytes_total{instance=~\"$host:$port\"}[5m])",
"expr": "rate(apache_sent_kilobytes_total{instance=~\"^$host:.*\"}[5m])",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Kilobytes Sent",
......@@ -334,7 +334,7 @@
"steppedLine": false,
"targets": [
{
"expr": "rate(apache_accesses_total{instance=~\"$host:$port\"}[5m])",
"expr": "rate(apache_accesses_total{instance=~\"^$host:.*\"}[5m])",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Accesses",
......@@ -362,7 +362,7 @@
},
"yaxes": [
{
"format": "short",
"format": "reqps",
"label": null,
"logBase": 1,
"max": null,
......@@ -406,6 +406,8 @@
"min": true,
"rightSide": true,
"show": true,
"sort": "current",
"sortDesc": true,
"total": false,
"values": true
},
......@@ -423,7 +425,7 @@
"steppedLine": false,
"targets": [
{
"expr": "apache_scoreboard{instance=~\"$host:$port\"}",
"expr": "apache_scoreboard{instance=~\"^$host:.*\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{ state }}",
......@@ -501,17 +503,26 @@
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"percentage": true,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"seriesOverrides": [
{
"alias": "busy",
"color": "#E02F44"
},
{
"alias": "idle",
"color": "#96D98D"
}
],
"spaceLength": 10,
"stack": true,
"steppedLine": false,
"targets": [
{
"expr": "apache_workers{instance=~\"$host:$port\"}\n",
"expr": "apache_workers{instance=~\"^$host:.*\"}\n",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "{{ state }}",
......@@ -542,7 +553,7 @@
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"max": "100",
"min": null,
"show": true
},
......@@ -599,7 +610,7 @@
"steppedLine": false,
"targets": [
{
"expr": "apache_cpuload{instance=~\"$host:$port\"}",
"expr": "apache_cpuload{instance=~\"^$host:.*\"}",
"format": "time_series",
"intervalFactor": 2,
"legendFormat": "Load",
......@@ -627,10 +638,10 @@
},
"yaxes": [
{
"format": "short",
"format": "percent",
"label": null,
"logBase": 1,
"max": null,
"max": "100",
"min": "0",
"show": true
},
......@@ -650,7 +661,7 @@
}
],
"refresh": "1m",
"schemaVersion": 16,
"schemaVersion": 18,
"style": "dark",
"tags": [],
"templating": {
......@@ -658,8 +669,8 @@
{
"allValue": null,
"current": {
"text": "host3.noblogs.infra.investici.org",
"value": "host3.noblogs.infra.investici.org"
"text": "assenza.noblogs.investici.org",
"value": "assenza.noblogs.investici.org"
},
"datasource": "localhost",
"definition": "",
......@@ -683,8 +694,8 @@
{
"allValue": null,
"current": {
"text": "8082",
"value": "8082"
"text": "8084",
"value": "8084"
},
"datasource": "localhost",
"definition": "",
......@@ -708,7 +719,7 @@
]
},
"time": {
"from": "now-1h",
"from": "now-3h",
"to": "now"
},
"timepicker": {
......@@ -740,4 +751,4 @@
"title": "Apache",
"uid": "a_mnQfrik",
"version": 1
}
}
\ No newline at end of file
......@@ -16,9 +16,9 @@ groups:
- record: instance:network_receive_bytes:rate5m
expr: sum(rate(node_network_receive_bytes{device!="lo"}[5m])) without (device)
- record: instance:public_network_transmit_bytes:rate5m
expr: sum(rate(node_network_transmit_bytes{device=~"(eth|eno|elp).*"}[5m])) without (device)
expr: sum(rate(node_network_transmit_bytes{device=~"(eth|e[nl][op]).*"}[5m])) without (device)
- record: instance:public_network_receive_bytes:rate5m
expr: sum(rate(node_network_receive_bytes{device=~"(eth|eno|elp).*"}[5m])) without (device)
expr: sum(rate(node_network_receive_bytes{device=~"(eth|e[nl][op]).*"}[5m])) without (device)
- record: global:public_network_transmit_bytes:rate5m
expr: sum(instance:public_network_transmit_bytes:rate5m) without (instance, host)
- record: global:public_network_receive_bytes:rate5m
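Review bot: The new device regex `(eth|e[nl][op]).*` matches eth*, eno*, enp*, elo* and elp* but not ens*, the name systemd assigns to hotplug-slot interfaces on many virtual machines, so if any host uses ens* both public-traffic recording rules silently exclude it. If that is deliberate, a comment above the rule would stop the next person from "fixing" it: `# Public-facing NICs: eth*, en[op]*, el[op]* (ens* intentionally excluded)`; otherwise `(eth|e[nl][ops]).*` covers it. The same expression appears twice in this hunk and the two copies should be kept in sync.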
......
......@@ -12,6 +12,8 @@ http_server:
cn: "(auth-server|accountserver).{{ domain }}"
- path: "/api/check_device"
cn: "auth-server.{{ domain }}"
- path: "/api/set_last_login"
cn: "auth-server.{{ domain }}"
- path: "/api/get_user_.*"
cn: "accounts.{{ domain }}"
- path: "/metrics"
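Review bot: The new `cn: "auth-server.{{ domain }}"` entry for `/api/set_last_login` copies the existing style, but if `cn` is matched as a regular expression — which the `(auth-server|accountserver).{{ domain }}` form at the top of the list suggests — the unescaped `.` matches any character and, unless the consumer anchors the pattern, any CN that merely contains that text would satisfy the check. Please confirm how the consumer matches `cn`; if it is a regexp, anchoring and escaping (`cn: '^auth-server\.{{ domain }}$'`) is the safer form for every entry, not only the new one. Since `domain` itself contains dots, escaping it in the template (`{{ domain | regex_escape }}`) would complete the fix.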
......