diff --git a/app/erpnext-12/files/mysql/60-frappe.cnf b/app/erpnext-12/files/mysql/60-frappe.cnf
new file mode 100644
index 0000000..d2122d4
--- /dev/null
+++ b/app/erpnext-12/files/mysql/60-frappe.cnf
@@ -0,0 +1,10 @@
+[mysqld]
+innodb-file-format=barracuda
+innodb-file-per-table=1
+innodb-large-prefix=1
+character-set-client-handshake = FALSE
+character-set-server = utf8mb4
+collation-server = utf8mb4_unicode_ci
+
+[mysql]
+default-character-set = utf8mb4
diff --git a/app/erpnext-12/files/ssh.config b/app/erpnext-12/files/ssh.config
new file mode 100644
index 0000000..4490e56
--- /dev/null
+++ b/app/erpnext-12/files/ssh.config
@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null
\ No newline at end of file
diff --git a/app/erpnext-12/handlers/main.yml b/app/erpnext-12/handlers/main.yml
new file mode 100644
index 0000000..cd32750
--- /dev/null
+++ b/app/erpnext-12/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: restart mysql
+  service: name=mysql enabled=yes state=restarted
+
+- name: reload nginx
+  service: name=nginx enabled=yes state=restarted
+
+- name: restart supervisor
+  service: name=supervisor enabled=yes state=restarted
+
+- name: reload supervisor
+  service: name=supervisor enabled=yes state=reloaded
diff --git a/app/erpnext-12/tasks/configure-erpnext.yml b/app/erpnext-12/tasks/configure-erpnext.yml
new file mode 100644
index 0000000..edc64a0
--- /dev/null
+++ b/app/erpnext-12/tasks/configure-erpnext.yml
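Review bot: `StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null` switches off SSH host-key verification for every host the toor user ever connects to, so the git clones this file exists for (per the comment in configure-linux.yml) can be redirected by anyone positioned on the network path, with no warning. The comment only asks to avoid the interactive known_hosts prompt, which `StrictHostKeyChecking=accept-new` (OpenSSH 7.6+) solves while still pinning the key after first contact; for public forges the published host keys can be shipped in a known_hosts file instead. If the no-verification behaviour really is wanted for the hypervisor nodes, scope it under a `Host` stanza matching only those names rather than applying it globally, e.g. `Host hypervisor-*` above the two options.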
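Review bot: The handler named `reload nginx` is written with `state=restarted`, so every notification does a full restart (dropping in-flight connections) rather than the reload its name promises; `state=reloaded` matches the name and the way `reload supervisor` is already written two entries below. `enabled=yes` inside a handler also enables the unit as a side effect of a notification, which belongs in the install task rather than here. The `key=value` argument strings would read more clearly as native block YAML (`service:` with `name:`/`state:` keys), matching the rest of the role.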
@@ -0,0 +1,133 @@
+---
+# # Pip install frappe-bench
+# - name: Installing pip frappe-bench
+#   pip:
+#     name:
+#       - frappe-bench
+
+# # Create {{ base }} directory
+# - name: Creating {{ base }} directory
+#   file:
+#     path: '{{ base }}'
+#     state: directory
+#     owner: toor
+#     group: toor
+#     mode: '0755'
+
+# # Run frappe bench init
+# - name: Running frappe bench init
+#   # NOTICE: running as toor
+#   become_user: toor
+#   shell: bench init {{ projectname }} --frappe-branch version-12 --no-backups
+#   args:
+#     chdir: '{{ base }}'
+#     # Ensures this command only runs if the dir does NOT exist
+#     creates: '{{ path }}'
+#   when: frappe_repo is undefined
+
+# # Run frappe bench init with custom repo
+# - name: Running frappe bench init with custom repo
+#   # NOTICE: running as toor
+#   become_user: toor
+#   shell: bench init {{ projectname }} --frappe-path {{ frappe_repo }} --frappe-branch version-12 --no-backups
+#   args:
+#     chdir: '{{ base }}'
+#     # Ensures this command only runs if the dir does NOT exist
+#     creates: '{{ path }}'
+#   when: frappe_repo is defined
+
+# # Create frappe-bench supervisor configs
+# - name: Creating frappe-bench supervisor config
+#   become_user: toor
+#   shell: bench setup supervisor
+#   args:
+#     chdir: '{{ path }}'
+#     creates: '{{ path }}/config/supervisor.conf'
+
+# # Symlink frappe-bench supervisor config
+# - name: Symlinking frappe-bench supervisor config
+#   file:
+#     src: '{{ path }}/config/supervisor.conf'
+#     dest: /etc/supervisor/conf.d/frappe-bench.conf
+#     state: link
+#   notify: reload supervisor
+
+# # Get ERPNext app
+# - name: Getting ERPNext app
+#   become_user: toor
+#   shell: bench get-app erpnext --branch version-12
+#   args:
+#     chdir: '{{ path }}'
+#     creates: '{{ path }}/apps/erpnext'
+#   notify: reload supervisor
+#   when: erpnext_repo is undefined
+
+# # Get ERPNext app from custom repo
+# - name: Getting ERPNext app from custom repo
+#   become_user: toor
+#   shell: bench get-app erpnext {{ erpnext_repo }} --branch version-12
+#   args:
+#     chdir: '{{ path }}'
+#     creates: '{{ path }}/apps/erpnext'
+#   notify: reload supervisor
+#   when: erpnext_repo is defined
+
+# # Settings frappe bench mariadb-host
+# - name: Setting frappe bench mariadb-host
+#   become_user: toor
+#   shell: bench set-mariadb-host {{ db_host }}
+#   args:
+#     chdir: '{{ path }}'
+#   when: db_host is defined
+
+# # Create new site using local database
+# - name: Creating new frappe site using local database
+#   become_user: toor
+#   shell: bench new-site {{ site }} --admin-password {{ erpnext_admin_password }} --db-name {{ db_name }} --db-password {{ erpnext_db_password }} --mariadb-root-username root --mariadb-root-password {{ root_db_password }} --force
+#   args:
+#     chdir: '{{ path }}'
+#     creates: '{{ path }}/sites/{{ site }}'
+#   notify: reload supervisor
+#   when: db_host is undefined
+
+# # Create new site using remote database
+# - name: Creating new frappe site using remote database
+#   become_user: toor
+#   shell: bench new-site {{ site }} --admin-password {{ erpnext_admin_password }} --db-name {{ db_name }} --db-password {{ erpnext_db_password }} --mariadb-root-username root --mariadb-root-password {{ root_db_password }} --force --no-mariadb-socket
+#   args:
+#     chdir: '{{ path }}'
+#     creates: '{{ path }}/sites/{{ site }}'
+#   notify: reload supervisor
+#   when: db_host is defined
+
+# Adding ERPNext to site
+- name: Adding ERPNext to site
+  become_user: toor
+  shell: bench --site {{ site }} install-app erpnext
+  args:
+    chdir: '{{ path }}'
+    creates: '{{ path }}/sites/{{ site }}/ansible-flag-app-erpnext-added'
+  notify: reload supervisor
+
+# Create frappe-bench nginx configs
+- name: Creating frappe-bench nginx config
+  become_user: toor
+  shell: bench setup nginx
+  args:
+    chdir: '{{ path }}'
+    creates: '{{ path }}/config/nginx.conf'
+
+# Delete /etc/nginx/sites-enabled/default
+- name: Deleting /etc/nginx/sites-enabled/default
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  notify: reload nginx
+
+# Symlink frappe-bench nginx config
+- name: Symlinking frappe-bench nginx config
+  file:
+    src: '{{ path }}/config/nginx.conf'
+    dest: /etc/nginx/sites-enabled/erpnext.conf
+    state: link
+  notify: reload nginx
diff --git a/app/erpnext-12/tasks/configure-linux.yml b/app/erpnext-12/tasks/configure-linux.yml
new file mode 100644
index 0000000..a6c4204
--- /dev/null
+++ b/app/erpnext-12/tasks/configure-linux.yml
@@ -0,0 +1,9 @@
+---
+# Copy ssh client config for toor user so we can git clone without confirmation
+- name: Copying toor SSH client config
+  copy:
+    src: 'ssh.config'
+    dest: '/home/toor/.ssh/config'
+    owner: toor
+    group: toor
+    mode: '0644'
diff --git a/app/erpnext-12/tasks/configure-mysql.yml b/app/erpnext-12/tasks/configure-mysql.yml
new file mode 100644
index 0000000..1a41aca
--- /dev/null
+++ b/app/erpnext-12/tasks/configure-mysql.yml
@@ -0,0 +1,30 @@
+---
+# Install mariadb-client
+# Required regardless if MySQL server is local or remote
+- name: Installing mariadb-client
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - mariadb-client
+
+# Enable root password (only if using localhost db)
+- name: Enable MySQL root password
+  shell: "{{ item }}"
+  with_items:
+    - mysql -e "CREATE USER 'root'@'%' IDENTIFIED BY '{{ root_db_password }}'; GRANT ALL PRIVILEGES ON *.* to 'root'@'%';"
+    - mysql -e "ALTER USER 'root'@'%' IDENTIFIED VIA mysql_native_password; SET PASSWORD = PASSWORD('{{ root_db_password }}');"
+  args:
+    # Ensure this runs only once
+    creates: ~/.config/ansible-flag-mysql-password-enabled
+  notify: restart mysql
+
+# Copy MariaDB /etc/mysql/mariadb.conf.d/60-frappe.cnf
+- name: Copying /etc/mysql/mariadb.conf.d/60-frappe.cnf
+  copy:
+    src: mysql/60-frappe.cnf
+    dest: /etc/mysql/mariadb.conf.d/60-frappe.cnf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart mysql
diff --git a/app/erpnext-12/tasks/configure-nodejs.yml b/app/erpnext-12/tasks/configure-nodejs.yml
new file mode 100644
index 0000000..6b8d474
--- /dev/null
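Review bot: The `creates:` guard on "Adding ERPNext to site" points at `ansible-flag-app-erpnext-added`, but nothing in this file ever writes that file, so the guard never fires and `bench install-app erpnext` is re-run on every play (whether a repeated install-app is harmless is not visible from here); either drop the guard or add a task right after it that touches the flag only when the shell task reports changed. `{{ site }}` and `{{ path }}` are spliced unquoted into `shell:` lines that use no shell features, so `command: bench --site {{ site | quote }} install-app erpnext` removes the word-splitting and metacharacter exposure at no cost. The commented-out `bench new-site` tasks pass four passwords on the command line; if they are ever re-enabled they need `no_log: true` so the secrets do not land in Ansible output, and they will still be readable in the process list while the command runs. The `become_user: toor` entries rely on `become: yes` being set by the calling playbook, as the note in tasks/main.yml says — worth repeating in a one-line comment at the top of this file.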
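Review bot: `copy` does not create parent directories, so this task fails unless `/home/toor/.ssh` already exists on the target; nothing in this hunk creates it, so add a `file:` task for `/home/toor/.ssh` with `state: directory`, `owner: toor`, `group: toor`, `mode: '0700'` ahead of it, or confirm a prior role guarantees it. The file being installed sets `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, which turns off host-key verification for every SSH connection toor makes, not just the git clones mentioned in the comment — the comment should say so explicitly so the trade-off is visible to the next reader.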
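Review bot: The two `mysql -e` commands create `'root'@'%'` with `GRANT ALL PRIVILEGES ON *.*` — a database superuser accepted from any source host — and interpolate `{{ root_db_password }}` into a shell line with no `no_log: true`, so the password ends up in Ansible output and in the process list. Restrict the host part to where bench actually connects from (`'root'@'localhost'` for the local case, the app host's address when `db_host` is remote), add `no_log: true`, or better use the `mysql_user` module, which takes `host:` and `password:` directly and is idempotent. The `creates: ~/.config/ansible-flag-mysql-password-enabled` guard never triggers because nothing writes that file, so on a second run the `CREATE USER` fails on the existing account. As I read MariaDB, `SET PASSWORD = PASSWORD(...)` without `FOR` changes the password of the connecting user (the socket-authenticated local root), not `'root'@'%'` — please confirm. The comment says this should only run for a local database, but the task carries no `when: db_host is undefined`.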
+++ b/app/erpnext-12/tasks/configure-nodejs.yml
@@ -0,0 +1,6 @@
+---
+# Install nodejs yarn globally
+- name: Installing nodejs yarn globally
+  npm:
+    name: yarn
+    global: yes
diff --git a/app/erpnext-12/tasks/configure-python.yml b/app/erpnext-12/tasks/configure-python.yml
new file mode 100644
index 0000000..503b8af
--- /dev/null
+++ b/app/erpnext-12/tasks/configure-python.yml
@@ -0,0 +1,22 @@
+---
+# Install python3-pip
+- name: Installing python3-pip
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - python3-pip
+
+# Update alternatives to python3
+- name: Updating alternatives to python3
+  alternatives:
+    name: python
+    link: /usr/bin/python
+    path: /usr/bin/python3
+
+# Update alternatives to pip3
+- name: Updating alternatives for pip3
+  alternatives:
+    name: pip
+    link: /usr/bin/pip
+    path: /usr/bin/pip3
diff --git a/app/erpnext-12/tasks/main.yml b/app/erpnext-12/tasks/main.yml
new file mode 100644
index 0000000..b5314de
--- /dev/null
+++ b/app/erpnext-12/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+# NOTICE: Commands like frappe bench and git clone need to run
+# as the toor user, not root. The playbook that runs this role
+# should be logging in as toor, using become:yes with toors ssh key
+# Because become:yes all command still run as root, until I use
+# become_user: toor below.
+
+#- include_tasks: configure-linux.yml
+#- include_tasks: configure-mysql.yml
+#- include_tasks: configure-python.yml
+#- include_tasks: configure-nodejs.yml
+- include_tasks: configure-erpnext.yml
diff --git a/app/fusionauth-1.15.8/files/originals/fusionauth.properties b/app/fusionauth-1.15.8/files/originals/fusionauth.properties
new file mode 100644
index 0000000..1b4dd2c
--- /dev/null
+++ b/app/fusionauth-1.15.8/files/originals/fusionauth.properties
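Review bot: `npm:` with `name: yarn` and `global: yes` installs whatever the registry's `latest` tag resolves to at run time, so the role is not reproducible and will silently pick up any future (or compromised) yarn release; pin it with `version: '<the version you tested>'` and bump deliberately. Because it is a global install with no `become_user`, npm — and the package's lifecycle scripts — run as root, which is worth a comment if it is intended.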
@@ -0,0 +1,73 @@
+#
+# Copyright (c) 2018, FusionAuth, All Rights Reserved
+#
+
+#------------------------------------------------------------------------------
+# Database
+# - Specify the URL and credentials for your database here
+# - Required on each node running FusionAuth App webservice
+#------------------------------------------------------------------------------
+database.url=jdbc:mysql://localhost:3306/fusionauth?serverTimezone=UTC&useSSL=false
+database.username=fusionauth
+database.password=fusionauth
+
+#------------------------------------------------------------------------------
+# Database Encoding Validation for MySQL
+# - This value is ignored if using PostgreSQL
+# - Disable (set to false) only if you understand the MySQL limitations not using 'utf8mb4' character sets.
+#------------------------------------------------------------------------------
+database.enforce-utf8mb4=true
+
+#------------------------------------------------------------------------------
+# fusionauth-search
+# - Required on each node running FusionAuth Search
+#------------------------------------------------------------------------------
+fusionauth-search.transport-port=9020
+fusionauth-search.http-port=9021
+fusionauth-search.memory=256M
+fusionauth-search.additional-java-args=
+
+# Special values include: _local_, _site_. Values can be combined in a comma separated list.
+fusionauth-search.hosts=_local_
+
+# Specify the location of your FusionAuth Search servers. Multiple values may be specified using a comma separator.
+# This configuration is used by ElasticSearch to configure clustering. The specified port should be the configured value
+# for 'fusionauth-search.transport-port'.
+#
+# Single host example: localhost:9020
+# Multiple hosts example: localhost:9020,192.168.1.42:9020
+fusionauth-search.servers=localhost:9020
+
+# Specify the full path to the ElasticSearch data directory. This defaults to /usr/local/fusionauth/data/search/esv6
+# on Linux/Unix and %FUSIONAUTH_HOME%\data\search\esv6 on Windows if not specified
+fusionauth-search.data-directory=
+
+#------------------------------------------------------------------------------
+# fusionauth-app
+# - Required on each node running FusionAuth App webservice
+#------------------------------------------------------------------------------
+
+# Optionally specify an addressable URL or IP address to access this node from other FusionAuth nodes.
+# - In most cases this should be left empty and it will be determined at runtime.
+# - Ideally this is a site local IP address that is not publicly routable but accessible from other FusionAuth nodes.
+fusionauth-app.public-url=
+
+# Specify the location of your FusionAuth Search servers. Multiple values may be specified using a comma separator.
+# This configuration is used by FusionAuth App to connect to the ElasticSearch nodes. The specified port should be the
+# configured value for 'fusionauth-search.http-port'.
+#
+# Single host example: http://localhost:9021
+# Multiple hosts example: http://localhost:9021,http://192.168.1.42:9021
+fusionauth-app.search-servers=http://localhost:9021
+
+# Specify the management and HTTP ports for Tomcat
+fusionauth-app.management-port=9010
+fusionauth-app.http-port=9011
+fusionauth-app.https-port=9013
+fusionauth-app.ajp-port=9019
+
+# Specify the memory size here. You can use M for megabytes and G for gigabytes
+fusionauth-app.memory=256M
+
+# Specify any additional JVM arguments here
+fusionauth-app.additional-java-args=
\ No newline at end of file
diff --git a/app/fusionauth-1.15.8/files/originals/keystore b/app/fusionauth-1.15.8/files/originals/keystore
new file mode 100644
index 0000000..c44a790
Binary files /dev/null and b/app/fusionauth-1.15.8/files/originals/keystore differ
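Review bot: This is the vendor's stock properties file (copyright header, `database.username=fusionauth` / `database.password=fusionauth`, `useSSL=false` in the JDBC URL) committed under `files/originals/`; keeping it as a reference is fine, but none of the visible hunks shows a templated replacement, so if this copy is ever what gets deployed it ships a default database password and a database connection with TLS disabled. Add a header comment stating it is the untouched upstream original and must not be copied to the FusionAuth config directory as-is, and have the deployed copy take `database.password` from a vault variable and use `useSSL=true` (or the driver's `sslMode=REQUIRED`) whenever the database is not on localhost. The `keystore` committed beside it is likewise the vendor default and should be called out the same way.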
diff --git a/app/fusionauth-1.15.8/tasks/main.yml b/app/fusionauth-1.15.8/tasks/main.yml new file mode 100644 index 0000000..cca1bae --- /dev/null +++ b/app/fusionauth-1.15.8/tasks/main.yml @@ -0,0 +1,17 @@ +--- +# Install Fusionauth from online .deb (they provide NO apt repos) +# Get latest version from curl https://metrics.fusionauth.io/api/latest-version +# Currently 1.15.8 +- name: Install FusionAuth .deb package from the internet. + apt: + deb: https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.15.8/fusionauth-app_1.15.8-1_all.deb + +- name: Install FusionAuth-Search .deb package from the internet. + apt: + deb: https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.15.8/fusionauth-search_1.15.8-1_all.deb + +# Install missing dependencies +- name: Installing missing dependencies + apt: + update_cache: yes + state: fixed diff --git a/app/gitlab/tasks/main.yml b/app/gitlab/tasks/main.yml index 39a0fbb..7c363f9 100644 --- a/app/gitlab/tasks/main.yml +++ b/app/gitlab/tasks/main.yml @@ -12,6 +12,7 @@ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9" # Install Gitlab +# CE vs EE see https://about.gitlab.com/install/ce-or-ee/?distro=debian - name: Installing Gitlab apt: update_cache: yes diff --git a/app/konga-0.14.7/files/konga.service b/app/konga-0.14.7/files/konga.service new file mode 100644 index 0000000..68302b6 --- /dev/null +++ b/app/konga-0.14.7/files/konga.service @@ -0,0 +1,13 @@ +[Unit] +Description=Konga NodeJS Website +After=network.target + +[Service] +Type=simple +User=toor +WorkingDirectory=/var/www/konga +ExecStart=/usr/bin/node --harmony app.js --prod +Restart=on-failure + +[Install] +WantedBy=multi-user.target diff --git a/app/konga-0.14.7/tasks/main.yml b/app/konga-0.14.7/tasks/main.yml new file mode 100644 index 0000000..381ebe1 --- /dev/null +++ b/app/konga-0.14.7/tasks/main.yml 
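Review bot: Both `apt: deb: https://...` tasks install a package fetched straight from a Google Storage bucket with no checksum or signature check — apt's repository signing does not apply to a standalone `.deb`, so the integrity of the FusionAuth binaries rests entirely on TLS to storage.googleapis.com and on whoever can write to that bucket. Download with `get_url` and a pinned `checksum: sha256:...` recorded from the release you tested, then point `apt: deb:` at the local file; as a side benefit the URL form, which re-downloads on every run, goes away. The trailing `state: fixed` task papers over missing dependencies rather than declaring them; whether it is still needed once the packages install from a local path with `update_cache` is something to verify on a fresh host.
```yaml
- name: Download FusionAuth 1.15.8 .deb packages (checksum-pinned)
  get_url:
    url: "https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.15.8/{{ item.pkg }}_1.15.8-1_all.deb"
    dest: "/tmp/{{ item.pkg }}_1.15.8-1_all.deb"
    checksum: "sha256:{{ item.sha256 }}"
  loop:
    - { pkg: fusionauth-app, sha256: "<sha256 of the release you tested>" }
    - { pkg: fusionauth-search, sha256: "<sha256 of the release you tested>" }

- name: Install FusionAuth 1.15.8 .deb packages
  apt:
    deb: "/tmp/{{ item }}_1.15.8-1_all.deb"
  loop:
    - fusionauth-app
    - fusionauth-search
# … unchanged: fix missing dependencies …
```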
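Review bot: The unit runs as `toor` with `WorkingDirectory=/var/www/konga`, and the tasks file added in this same commit makes toor the owner of that whole tree, so a compromise of the Konga process can rewrite its own code and configuration. Run it as a dedicated unprivileged account with read-only access to `/var/www/konga`, and add the usual hardening under `[Service]`: `NoNewPrivileges=true`, `ProtectSystem=strict`, `ProtectHome=true`, `PrivateTmp=true`. `--harmony` enables staging V8 features; if the Node version being deployed no longer needs it for Konga 0.14.7 it should be dropped, and a one-line comment should say why it is there otherwise.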
@@ -0,0 +1,82 @@
+---
+# Install build-essential for konga
+# Required during npm install phase (needs make, g++, etc...)
+- name: Installing build-essential for konga
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - build-essential
+
+# Create /var/www folder
+- name: Creating /var/www directory
+  file:
+    path: /var/www
+    state: directory
+    owner: toor
+    group: toor
+    mode: '0755'
+
+# Create /var/www/konga folder
+- name: Creating /var/www/konga directory
+  file:
+    path: /var/www/konga
+    state: directory
+    owner: toor
+    group: toor
+    mode: '0755'
+
+# Git clone https://github.com/pantsel/konga.git
+- name: Git clone https://github.com/pantsel/konga.git tag 0.14.7
+  git:
+    clone: yes
+    force: yes
+    repo: https://github.com/pantsel/konga.git
+    dest: /var/www/konga
+    version: 0.14.7
+    depth: 1
+
+# Ensure konga git contents owned by toor
+- name: Ensuring konga git contents owned by toor
+  file:
+    path: /var/www/konga
+    state: directory
+    owner: toor
+    group: toor
+    recurse: yes
+
+# Delete package-lock.json
+- name: Deleting konga package-lock.json
+  file:
+    path: /var/www/konga/package-lock.json
+    state: absent
+
+# Install konga npm packages
+- name: Installing konga NPM packages
+  npm:
+    path: /var/www/konga
+
+# Install konga bower dependencies
+- name: Installing konga bower dependencies
+  shell: npm run bower-deps
+  args:
+    chdir: /var/www/konga
+
+# Ensure konga git contents owned by toor
+- name: Ensuring konga git contents owned by toor
+  file:
+    path: /var/www/konga
+    state: directory
+    owner: toor
+    group: toor
+    recurse: yes
+
+# Copy konga systemd unit file
+- name: Copying konga.service systemd unit file
+  copy:
+    src: konga.service
+    dest: "/etc/systemd/system/konga.service"
+    owner: root
+    group: root
+    mode: '0644' # -rw-r--r--
+  #NOnotify: reload konga # NO because you need to copy your own .env first
diff --git a/chat/jitsi/tasks/intall-debian.yml b/chat/jitsi/tasks/intall-debian.yml
new file mode 100644
index 0000000..817ab31
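Review bot: "Deleting konga package-lock.json" followed by a plain `npm:` install discards the only thing that pins Konga's transitive dependency tree, so each run resolves whatever semver-compatible versions the registry serves that day — unreproducible and exposed to any newly published malicious release; keep the lockfile and install with `npm: ci: yes`, or if upstream's lock is broken for this Node version, commit a regenerated lock in this repo instead of deleting it. `version: 0.14.7` is a git tag and tags can be moved; pin the commit SHA of that tag (and quote it, since all-digit SHAs are otherwise read as integers). Both the `npm` install and `npm run bower-deps` run as root (no `become_user`) before the follow-up chown, so every package's install script executes with root privileges over a tree the deploy user owns — run them with `become_user: toor`, which also makes the second ownership task redundant. `force: yes` on the `git` task silently discards local modifications on every run; fine for an immutable checkout, but worth a comment.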
--- /dev/null
+++ b/chat/jitsi/tasks/intall-debian.yml
@@ -0,0 +1,17 @@
+---
+# Add GPG keys
+- name: Addding jitsi GPG key
+  apt_key: url='https://download.jitsi.org/jitsi-key.gpg.key' state=present
+
+# Add jitsi repositories
+- name: Adding jitsi sources for Debian
+  apt_repository: repo='deb https://download.jitsi.org stable/' state=present
+  when: ansible_os_family == "Debian"
+
+# Install Jitsi Server
+- name: Installing Jitsi Server
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - jitsi-meet
diff --git a/chat/jitsi/tasks/main.yml b/chat/jitsi/tasks/main.yml
new file mode 100644
index 0000000..6aec60e
--- /dev/null
+++ b/chat/jitsi/tasks/main.yml
@@ -0,0 +1,3 @@
+# Install Jitsi - Debian All Versions
+- include_tasks: install-debian.yml
+  when: ansible_os_family == "Debian"
diff --git a/code/nodejs-8-lts/tasks/main.yml b/code/nodejs-8-lts/tasks/main.yml
index 956a73f..97cdf14 100644
--- a/code/nodejs-8-lts/tasks/main.yml
+++ b/code/nodejs-8-lts/tasks/main.yml
@@ -12,3 +12,7 @@
 # Install NodeJS 8.x LTS
 - name: Installing node.js 8x LTS
   apt: name=nodejs state=present
+
+
+# NOTE, I ran this on 2020-04-14 for sun-auth and it installed v10.15.2 instead?
+# Maybe 8x is deprecated?
diff --git a/db/elasticsearch-7.x/files/original/etc/.elasticsearch.keystore.initial_md5sum b/db/elasticsearch-7.x/files/original/etc/.elasticsearch.keystore.initial_md5sum
new file mode 100644
index 0000000..09846cd
--- /dev/null
+++ b/db/elasticsearch-7.x/files/original/etc/.elasticsearch.keystore.initial_md5sum
@@ -0,0 +1 @@
+bf3d6720c4f9a81500e606aed2ec45c0 /etc/elasticsearch/elasticsearch.keystore
diff --git a/db/elasticsearch-7.x/files/original/etc/elasticsearch.keystore b/db/elasticsearch-7.x/files/original/etc/elasticsearch.keystore
new file mode 100644
index 0000000..68d1e4e
Binary files /dev/null and b/db/elasticsearch-7.x/files/original/etc/elasticsearch.keystore differ
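Review bot: `apt_key` drops the Jitsi key into the global apt keyring, where it is trusted to sign every configured repository rather than only download.jitsi.org, and the module itself is deprecated. Fetch the key with `get_url` into `/usr/share/keyrings/jitsi-keyring.gpg` (running it through `gpg --dearmor` if the download is ASCII-armoured) and bind it to the one source: `apt_repository: repo: 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/'`. The task name `Addding` has a typo, and the `key=value` argument strings on the first two tasks should be native block YAML to match the `apt:` task below them.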
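Review bot: `include_tasks: install-debian.yml` refers to a file that does not exist in this commit — the file added beside it is `tasks/intall-debian.yml` (missing the `s`), so the include fails at runtime; rename the task file to `install-debian.yml`. This file also lacks the `---` document start the other roles use, and the `when: ansible_os_family == "Debian"` here duplicates the same check inside the included file, so one of the two can go.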
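Review bot: This fingerprint file exists to detect changes to `/etc/elasticsearch/elasticsearch.keystore`, and the companion `elasticsearch.keystore` is committed as a binary in the same commit. The Elasticsearch keystore is where secrets are meant to live (`bootstrap.password`, repository credentials, TLS passphrases); if this is the empty keystore the package creates at install time that is harmless but should be stated in a README next to it, and if a secret has ever been added to it the file must be purged from history, not just deleted. MD5 is adequate as a change-detection fingerprint but gives no protection against deliberate tampering; `sha256sum` costs nothing more and avoids the question.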
diff --git a/db/elasticsearch-7.x/files/original/etc/elasticsearch.yml b/db/elasticsearch-7.x/files/original/etc/elasticsearch.yml
new file mode 100644
index 0000000..cfe9428
--- /dev/null
+++ b/db/elasticsearch-7.x/files/original/etc/elasticsearch.yml
@@ -0,0 +1,88 @@ +# ======================== Elasticsearch Configuration ========================= +# +# NOTE: Elasticsearch comes with reasonable defaults for most settings. +# Before you set out to tweak and tune the configuration, make sure you +# understand what are you trying to accomplish and the consequences. +# +# The primary way of configuring a node is via this file. This template lists +# the most important settings you may want to configure for a production cluster. +# +# Please consult the documentation for further information on configuration options: +# https://www.elastic.co/guide/en/elasticsearch/reference/index.html +# +# ---------------------------------- Cluster ----------------------------------- +# +# Use a descriptive name for your cluster: +# +#cluster.name: my-application +# +# ------------------------------------ Node ------------------------------------ +# +# Use a descriptive name for the node: +# +#node.name: node-1 +# +# Add custom attributes to the node: +# +#node.attr.rack: r1 +# +# ----------------------------------- Paths ------------------------------------ +# +# Path to directory where to store the data (separate multiple locations by comma): +# +path.data: /var/lib/elasticsearch +# +# Path to log files: +# +path.logs: /var/log/elasticsearch +# +# ----------------------------------- Memory ----------------------------------- +# +# Lock the memory on startup: +# +#bootstrap.memory_lock: true +# +# Make sure that the heap size is set to about half the memory available +# on the system and that the owner of the process is allowed to use this +# limit. +# +# Elasticsearch performs poorly when the system is swapping the memory. +# +# ---------------------------------- Network ----------------------------------- +# +# Set the bind address to a specific IP (IPv4 or IPv6): +# +#network.host: 192.168.0.1 +# +# Set a custom port for HTTP: +# +#http.port: 9200 +# +# For more information, consult the network module documentation. 
+# +# --------------------------------- Discovery ---------------------------------- +# +# Pass an initial list of hosts to perform discovery when this node is started: +# The default list of hosts is ["127.0.0.1", "[::1]"] +# +#discovery.seed_hosts: ["host1", "host2"] +# +# Bootstrap the cluster using an initial set of master-eligible nodes: +# +#cluster.initial_master_nodes: ["node-1", "node-2"] +# +# For more information, consult the discovery and cluster formation module documentation. +# +# ---------------------------------- Gateway ----------------------------------- +# +# Block initial recovery after a full cluster restart until N nodes are started: +# +#gateway.recover_after_nodes: 3 +# +# For more information, consult the gateway module documentation. +# +# ---------------------------------- Various ----------------------------------- +# +# Require explicit names when deleting indices: +# +#action.destructive_requires_name: true diff --git a/db/elasticsearch-7.x/files/original/etc/jvm.options b/db/elasticsearch-7.x/files/original/etc/jvm.options new file mode 100644 index 0000000..2c83b3e --- /dev/null +++ b/db/elasticsearch-7.x/files/original/etc/jvm.options 
@@ -0,0 +1,77 @@ +## JVM configuration + +################################################################ +## IMPORTANT: JVM heap size +################################################################ +## +## You should always set the min and max JVM heap +## size to the same value. For example, to set +## the heap to 4 GB, set: +## +## -Xms4g +## -Xmx4g +## +## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html +## for more information +## +################################################################ + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space + +-Xms1g +-Xmx1g + +################################################################ +## Expert settings +################################################################ +## +## All settings below this section are considered +## expert settings. Don't tamper with them unless +## you understand what you are doing +## +################################################################ + +## GC configuration +8-13:-XX:+UseConcMarkSweepGC +8-13:-XX:CMSInitiatingOccupancyFraction=75 +8-13:-XX:+UseCMSInitiatingOccupancyOnly + +## G1GC Configuration +# NOTE: G1 GC is only supported on JDK version 10 or later +# to use G1GC, uncomment the next two lines and update the version on the +# following three lines to your version of the JDK +# 10-13:-XX:-UseConcMarkSweepGC +# 10-13:-XX:-UseCMSInitiatingOccupancyOnly +14-:-XX:+UseG1GC +14-:-XX:G1ReservePercent=25 +14-:-XX:InitiatingHeapOccupancyPercent=30 + +## JVM temporary directory +-Djava.io.tmpdir=${ES_TMPDIR} + +## heap dumps + +# generate a heap dump when an allocation from the Java heap fails +# heap dumps are created in the working directory of the JVM +-XX:+HeapDumpOnOutOfMemoryError + +# specify an alternative path for heap dumps; ensure the directory exists and +# has sufficient space +-XX:HeapDumpPath=/var/lib/elasticsearch + +# specify an alternative path for JVM fatal 
error logs +-XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log + +## JDK 8 GC logging +8:-XX:+PrintGCDetails +8:-XX:+PrintGCDateStamps +8:-XX:+PrintTenuringDistribution +8:-XX:+PrintGCApplicationStoppedTime +8:-Xloggc:/var/log/elasticsearch/gc.log +8:-XX:+UseGCLogFileRotation +8:-XX:NumberOfGCLogFiles=32 +8:-XX:GCLogFileSize=64m + +# JDK 9+ GC logging +9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m diff --git a/db/elasticsearch-7.x/files/original/etc/log4j2.properties b/db/elasticsearch-7.x/files/original/etc/log4j2.properties new file mode 100644 index 0000000..ff1830c --- /dev/null +++ b/db/elasticsearch-7.x/files/original/etc/log4j2.properties 
@@ -0,0 +1,263 @@ +status = error + +# log action execution errors for easier debugging +logger.action.name = org.elasticsearch.action +logger.action.level = debug + +appender.console.type = Console +appender.console.name = console +appender.console.layout.type = PatternLayout +appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +######## Server JSON ############################ +appender.rolling.type = RollingFile +appender.rolling.name = rolling +appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_server.json +appender.rolling.layout.type = ESJsonLayout +appender.rolling.layout.type_name = server + +appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.json.gz +appender.rolling.policies.type = Policies +appender.rolling.policies.time.type = TimeBasedTriggeringPolicy +appender.rolling.policies.time.interval = 1 +appender.rolling.policies.time.modulate = true +appender.rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.rolling.policies.size.size = 128MB +appender.rolling.strategy.type = DefaultRolloverStrategy +appender.rolling.strategy.fileIndex = nomax +appender.rolling.strategy.action.type = Delete +appender.rolling.strategy.action.basepath = ${sys:es.logs.base_path} +appender.rolling.strategy.action.condition.type = IfFileName +appender.rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-* +appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize +appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB +################################################ +######## Server - old style pattern ########### +appender.rolling_old.type = RollingFile +appender.rolling_old.name = rolling_old +appender.rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log +appender.rolling_old.layout.type = 
PatternLayout +appender.rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz +appender.rolling_old.policies.type = Policies +appender.rolling_old.policies.time.type = TimeBasedTriggeringPolicy +appender.rolling_old.policies.time.interval = 1 +appender.rolling_old.policies.time.modulate = true +appender.rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.rolling_old.policies.size.size = 128MB +appender.rolling_old.strategy.type = DefaultRolloverStrategy +appender.rolling_old.strategy.fileIndex = nomax +appender.rolling_old.strategy.action.type = Delete +appender.rolling_old.strategy.action.basepath = ${sys:es.logs.base_path} +appender.rolling_old.strategy.action.condition.type = IfFileName +appender.rolling_old.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-* +appender.rolling_old.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize +appender.rolling_old.strategy.action.condition.nested_condition.exceeds = 2GB +################################################ + +rootLogger.level = info +rootLogger.appenderRef.console.ref = console +rootLogger.appenderRef.rolling.ref = rolling +rootLogger.appenderRef.rolling_old.ref = rolling_old + +######## Deprecation JSON ####################### +appender.deprecation_rolling.type = RollingFile +appender.deprecation_rolling.name = deprecation_rolling +appender.deprecation_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.json +appender.deprecation_rolling.layout.type = ESJsonLayout +appender.deprecation_rolling.layout.type_name = deprecation +appender.deprecation_rolling.layout.esmessagefields=x-opaque-id + +appender.deprecation_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.json.gz 
+appender.deprecation_rolling.policies.type = Policies +appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.deprecation_rolling.policies.size.size = 1GB +appender.deprecation_rolling.strategy.type = DefaultRolloverStrategy +appender.deprecation_rolling.strategy.max = 4 +################################################# +######## Deprecation - old style pattern ####### +appender.deprecation_rolling_old.type = RollingFile +appender.deprecation_rolling_old.name = deprecation_rolling_old +appender.deprecation_rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log +appender.deprecation_rolling_old.layout.type = PatternLayout +appender.deprecation_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.deprecation_rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _deprecation-%i.log.gz +appender.deprecation_rolling_old.policies.type = Policies +appender.deprecation_rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.deprecation_rolling_old.policies.size.size = 1GB +appender.deprecation_rolling_old.strategy.type = DefaultRolloverStrategy +appender.deprecation_rolling_old.strategy.max = 4 +################################################# +logger.deprecation.name = org.elasticsearch.deprecation +logger.deprecation.level = warn +logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling +logger.deprecation.appenderRef.deprecation_rolling_old.ref = deprecation_rolling_old +logger.deprecation.additivity = false + +######## Search slowlog JSON #################### +appender.index_search_slowlog_rolling.type = RollingFile +appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling +appender.index_search_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs\ + .cluster_name}_index_search_slowlog.json 
+appender.index_search_slowlog_rolling.layout.type = ESJsonLayout +appender.index_search_slowlog_rolling.layout.type_name = index_search_slowlog +appender.index_search_slowlog_rolling.layout.esmessagefields=message,took,took_millis,total_hits,types,stats,search_type,total_shards,source,id + +appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs\ + .cluster_name}_index_search_slowlog-%i.json.gz +appender.index_search_slowlog_rolling.policies.type = Policies +appender.index_search_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.index_search_slowlog_rolling.policies.size.size = 1GB +appender.index_search_slowlog_rolling.strategy.type = DefaultRolloverStrategy +appender.index_search_slowlog_rolling.strategy.max = 4 +################################################# +######## Search slowlog - old style pattern #### +appender.index_search_slowlog_rolling_old.type = RollingFile +appender.index_search_slowlog_rolling_old.name = index_search_slowlog_rolling_old +appender.index_search_slowlog_rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_search_slowlog.log +appender.index_search_slowlog_rolling_old.layout.type = PatternLayout +appender.index_search_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.index_search_slowlog_rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_search_slowlog-%i.log.gz +appender.index_search_slowlog_rolling_old.policies.type = Policies +appender.index_search_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.index_search_slowlog_rolling_old.policies.size.size = 1GB +appender.index_search_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy +appender.index_search_slowlog_rolling_old.strategy.max = 4 +################################################# 
+logger.index_search_slowlog_rolling.name = index.search.slowlog +logger.index_search_slowlog_rolling.level = trace +logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref = index_search_slowlog_rolling +logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling_old.ref = index_search_slowlog_rolling_old +logger.index_search_slowlog_rolling.additivity = false + +######## Indexing slowlog JSON ################## +appender.index_indexing_slowlog_rolling.type = RollingFile +appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling +appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_indexing_slowlog.json +appender.index_indexing_slowlog_rolling.layout.type = ESJsonLayout +appender.index_indexing_slowlog_rolling.layout.type_name = index_indexing_slowlog +appender.index_indexing_slowlog_rolling.layout.esmessagefields=message,took,took_millis,doc_type,id,routing,source + +appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_indexing_slowlog-%i.json.gz +appender.index_indexing_slowlog_rolling.policies.type = Policies +appender.index_indexing_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.index_indexing_slowlog_rolling.policies.size.size = 1GB +appender.index_indexing_slowlog_rolling.strategy.type = DefaultRolloverStrategy +appender.index_indexing_slowlog_rolling.strategy.max = 4 +################################################# +######## Indexing slowlog - old style pattern ## +appender.index_indexing_slowlog_rolling_old.type = RollingFile +appender.index_indexing_slowlog_rolling_old.name = index_indexing_slowlog_rolling_old +appender.index_indexing_slowlog_rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_indexing_slowlog.log 
+appender.index_indexing_slowlog_rolling_old.layout.type = PatternLayout +appender.index_indexing_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.index_indexing_slowlog_rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_indexing_slowlog-%i.log.gz +appender.index_indexing_slowlog_rolling_old.policies.type = Policies +appender.index_indexing_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.index_indexing_slowlog_rolling_old.policies.size.size = 1GB +appender.index_indexing_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy +appender.index_indexing_slowlog_rolling_old.strategy.max = 4 +################################################# + +logger.index_indexing_slowlog.name = index.indexing.slowlog.index +logger.index_indexing_slowlog.level = trace +logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref = index_indexing_slowlog_rolling +logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling_old.ref = index_indexing_slowlog_rolling_old +logger.index_indexing_slowlog.additivity = false + + +appender.audit_rolling.type = RollingFile +appender.audit_rolling.name = audit_rolling +appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit.json +appender.audit_rolling.layout.type = PatternLayout +appender.audit_rolling.layout.pattern = {\ + "type":"audit", \ + "timestamp":"%d{yyyy-MM-dd'T'HH:mm:ss,SSSZ}"\ + %varsNotEmpty{, "node.name":"%enc{%map{node.name}}{JSON}"}\ + %varsNotEmpty{, "node.id":"%enc{%map{node.id}}{JSON}"}\ + %varsNotEmpty{, "host.name":"%enc{%map{host.name}}{JSON}"}\ + %varsNotEmpty{, "host.ip":"%enc{%map{host.ip}}{JSON}"}\ + %varsNotEmpty{, "event.type":"%enc{%map{event.type}}{JSON}"}\ + %varsNotEmpty{, "event.action":"%enc{%map{event.action}}{JSON}"}\ + %varsNotEmpty{, "user.name":"%enc{%map{user.name}}{JSON}"}\ + 
%varsNotEmpty{, "user.run_by.name":"%enc{%map{user.run_by.name}}{JSON}"}\ + %varsNotEmpty{, "user.run_as.name":"%enc{%map{user.run_as.name}}{JSON}"}\ + %varsNotEmpty{, "user.realm":"%enc{%map{user.realm}}{JSON}"}\ + %varsNotEmpty{, "user.run_by.realm":"%enc{%map{user.run_by.realm}}{JSON}"}\ + %varsNotEmpty{, "user.run_as.realm":"%enc{%map{user.run_as.realm}}{JSON}"}\ + %varsNotEmpty{, "user.roles":%map{user.roles}}\ + %varsNotEmpty{, "origin.type":"%enc{%map{origin.type}}{JSON}"}\ + %varsNotEmpty{, "origin.address":"%enc{%map{origin.address}}{JSON}"}\ + %varsNotEmpty{, "realm":"%enc{%map{realm}}{JSON}"}\ + %varsNotEmpty{, "url.path":"%enc{%map{url.path}}{JSON}"}\ + %varsNotEmpty{, "url.query":"%enc{%map{url.query}}{JSON}"}\ + %varsNotEmpty{, "request.method":"%enc{%map{request.method}}{JSON}"}\ + %varsNotEmpty{, "request.body":"%enc{%map{request.body}}{JSON}"}\ + %varsNotEmpty{, "request.id":"%enc{%map{request.id}}{JSON}"}\ + %varsNotEmpty{, "action":"%enc{%map{action}}{JSON}"}\ + %varsNotEmpty{, "request.name":"%enc{%map{request.name}}{JSON}"}\ + %varsNotEmpty{, "indices":%map{indices}}\ + %varsNotEmpty{, "opaque_id":"%enc{%map{opaque_id}}{JSON}"}\ + %varsNotEmpty{, "x_forwarded_for":"%enc{%map{x_forwarded_for}}{JSON}"}\ + %varsNotEmpty{, "transport.profile":"%enc{%map{transport.profile}}{JSON}"}\ + %varsNotEmpty{, "rule":"%enc{%map{rule}}{JSON}"}\ + %varsNotEmpty{, "event.category":"%enc{%map{event.category}}{JSON}"}\ + }%n +# "node.name" node name from the `elasticsearch.yml` settings +# "node.id" node id which should not change between cluster restarts +# "host.name" unresolved hostname of the local node +# "host.ip" the local bound ip (i.e. the ip listening for connections) +# "event.type" a received REST request is translated into one or more transport requests. This indicates which processing layer generated the event "rest" or "transport" (internal) +# "event.action" the name of the audited event, eg. 
"authentication_failed", "access_granted", "run_as_granted", etc. +# "user.name" the subject name as authenticated by a realm +# "user.run_by.name" the original authenticated subject name that is impersonating another one. +# "user.run_as.name" if this "event.action" is of a run_as type, this is the subject name to be impersonated as. +# "user.realm" the name of the realm that authenticated "user.name" +# "user.run_by.realm" the realm name of the impersonating subject ("user.run_by.name") +# "user.run_as.realm" if this "event.action" is of a run_as type, this is the realm name the impersonated user is looked up from +# "user.roles" the roles array of the user; these are the roles that are granting privileges +# "origin.type" it is "rest" if the event is originating (is in relation to) a REST request; possible other values are "transport" and "ip_filter" +# "origin.address" the remote address and port of the first network hop, i.e. a REST proxy or another cluster node +# "realm" name of a realm that has generated an "authentication_failed" or an "authentication_successful"; the subject is not yet authenticated +# "url.path" the URI component between the port and the query string; it is percent (URL) encoded +# "url.query" the URI component after the path and before the fragment; it is percent (URL) encoded +# "request.method" the method of the HTTP request, i.e. 
one of GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, TRACE, CONNECT +# "request.body" the content of the request body entity, JSON escaped +# "request.id" a synthentic identifier for the incoming request, this is unique per incoming request, and consistent across all audit events generated by that request +# "action" an action is the most granular operation that is authorized and this identifies it in a namespaced way (internal) +# "request.name" if the event is in connection to a transport message this is the name of the request class, similar to how rest requests are identified by the url path (internal) +# "indices" the array of indices that the "action" is acting upon +# "opaque_id" opaque value conveyed by the "X-Opaque-Id" request header +# "x_forwarded_for" the addresses from the "X-Forwarded-For" request header, as a verbatim string value (not an array) +# "transport.profile" name of the transport profile in case this is a "connection_granted" or "connection_denied" event +# "rule" name of the applied rulee if the "origin.type" is "ip_filter" +# "event.category" fixed value "elasticsearch-audit" + +appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}.json +appender.audit_rolling.policies.type = Policies +appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy +appender.audit_rolling.policies.time.interval = 1 +appender.audit_rolling.policies.time.modulate = true + +logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail +logger.xpack_security_audit_logfile.level = info +logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling +logger.xpack_security_audit_logfile.additivity = false + +logger.xmlsig.name = org.apache.xml.security.signature.XMLSignature +logger.xmlsig.level = error +logger.samlxml_decrypt.name = org.opensaml.xmlsec.encryption.support.Decrypter +logger.samlxml_decrypt.level = 
fatal +logger.saml2_decrypt.name = org.opensaml.saml.saml2.encryption.Decrypter +logger.saml2_decrypt.level = fatal diff --git a/db/elasticsearch-7.x/files/original/etc/role_mapping.yml b/db/elasticsearch-7.x/files/original/etc/role_mapping.yml new file mode 100644 index 0000000..68c82f7 --- /dev/null +++ b/db/elasticsearch-7.x/files/original/etc/role_mapping.yml @@ -0,0 +1,14 @@ +# Role mapping configuration file which has elasticsearch roles as keys +# that map to one or more user or group distinguished names + +#roleA: this is an elasticsearch role +# - groupA-DN this is a group distinguished name +# - groupB-DN +# - user1-DN this is the full user distinguished name + +#power_user: +# - "cn=admins,dc=example,dc=com" +#user: +# - "cn=users,dc=example,dc=com" +# - "cn=admins,dc=example,dc=com" +# - "cn=John Doe,cn=other users,dc=example,dc=com" diff --git a/db/elasticsearch-7.x/files/original/etc/roles.yml b/db/elasticsearch-7.x/files/original/etc/roles.yml new file mode 100644 index 0000000..68e003b --- /dev/null +++ b/db/elasticsearch-7.x/files/original/etc/roles.yml @@ -0,0 +1,3 @@ +# The default roles file is empty as the preferred method of defining roles is +# through the API/UI. File based roles are useful in error scenarios when the +# API based roles may not be available. diff --git a/db/elasticsearch-7.x/files/original/etc/users b/db/elasticsearch-7.x/files/original/etc/users new file mode 100644 index 0000000..e69de29 diff --git a/db/elasticsearch-7.x/files/original/etc/users_roles b/db/elasticsearch-7.x/files/original/etc/users_roles new file mode 100644 index 0000000..e69de29 diff --git a/db/elasticsearch-7.x/tasks/main.yml b/db/elasticsearch-7.x/tasks/main.yml new file mode 100644 index 0000000..0ea15ec --- /dev/null +++ b/db/elasticsearch-7.x/tasks/main.yml 
@@ -0,0 +1,21 @@
+---
+# Add Elasticsearch GPG Key
+- name: Addding Elasticsearch sources GPG key
+ apt_key: url='https://artifacts.elastic.co/GPG-KEY-elasticsearch' state=present
+
+# Add Elasticsearch repositories for Debian 8
+- name: Adding Elasticsearch sources
+ apt_repository: repo='deb https://artifacts.elastic.co/packages/7.x/apt stable main' state=present
+
+# Install Elasticsearch
+- name: Installing Elasticsearch
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - elasticsearch
+
+# Enable service in systemd (debian does not start this daemon by default, which is not the norm)
+- name: Enabling elasticsearch.service systemd unit
+ systemd: name=elasticsearch enabled=yes state=started
+
diff --git a/db/mariadb-10.3/files/originals/conf.d/mysql.cnf b/db/mariadb-10.3/files/originals/conf.d/mysql.cnf
new file mode 100644
index 0000000..22b052d
--- /dev/null
+++ b/db/mariadb-10.3/files/originals/conf.d/mysql.cnf
@@ -0,0 +1 @@
+[mysql]
diff --git a/db/mariadb-10.3/files/originals/conf.d/mysqldump.cnf b/db/mariadb-10.3/files/originals/conf.d/mysqldump.cnf
new file mode 100644
index 0000000..38310a9
--- /dev/null
+++ b/db/mariadb-10.3/files/originals/conf.d/mysqldump.cnf
@@ -0,0 +1,4 @@
+[mysqldump]
+quick
+quote-names
+max_allowed_packet = 16M
diff --git a/db/mariadb-10.3/files/originals/debian-start b/db/mariadb-10.3/files/originals/debian-start
new file mode 100755
index 0000000..7de59ce
--- /dev/null
+++ b/db/mariadb-10.3/files/originals/debian-start
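Review bot: The apt_key task at the top of the hunk trusts whatever key the URL serves, because no expected fingerprint is given; apt_key accepts an `id` parameter, and pinning it makes a swapped or rotated key fail the play instead of being installed: `apt_key: url='https://artifacts.elastic.co/GPG-KEY-elasticsearch' id=<EXPECTED_KEY_ID> state=present` (placeholder, take the value from Elastic's published key). The same unpinned pattern is in the new postgresql-11/tasks/install-debian.yml hunk. The comment "Add Elasticsearch repositories for Debian 8" does not match the task, which has no `when` guard and adds the 7.x channel unconditionally, so it should be dropped or rewritten as `# Add the Elasticsearch 7.x apt repository (all Debian-family hosts)`. "Addding" in the first task name is a typo, and `update_cache: yes` / `enabled=yes` are YAML 1.1 truthy spellings where `true` is the portable form.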
@@ -0,0 +1,43 @@ +#!/bin/bash +# +# This script is executed by "/etc/init.d/mysql" on every (re)start. +# +# Changes to this file will be preserved when updating the Debian package. +# +# NOTE: This file is read only by the traditional SysV init script, not systemd. +# + +source /usr/share/mysql/debian-start.inc.sh + +if [ -f /etc/default/mysql ]; then + . /etc/default/mysql +fi + +MYSQL="/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf" +MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf" +# Don't run full mysql_upgrade on every server restart, use --version-check to do it only once +MYUPGRADE="/usr/bin/mysql_upgrade --defaults-extra-file=/etc/mysql/debian.cnf --version-check" +MYCHECK="/usr/bin/mysqlcheck --defaults-file=/etc/mysql/debian.cnf" +MYCHECK_SUBJECT="WARNING: mysqlcheck has found corrupt tables" +MYCHECK_PARAMS="--all-databases --fast --silent" +MYCHECK_RCPT="${MYCHECK_RCPT:-root}" + +## Checking for corrupt, not cleanly closed (only for MyISAM and Aria engines) and upgrade needing tables. + +# The following commands should be run when the server is up but in background +# where they do not block the server start and in one shell instance so that +# they run sequentially. They are supposed not to echo anything to stdout. +# If you want to disable the check for crashed tables comment +# "check_for_crashed_tables" out. +# (There may be no output to stdout inside the background process!) + +# Need to ignore SIGHUP, as otherwise a SIGHUP can sometimes abort the upgrade +# process in the middle. +trap "" SIGHUP +( + upgrade_system_tables_if_necessary; + check_root_accounts; + check_for_crashed_tables; +) >&2 & + +exit 0 diff --git a/db/mariadb-10.3/files/originals/mariadb.cnf b/db/mariadb-10.3/files/originals/mariadb.cnf new file mode 100644 index 0000000..94d8f10 --- /dev/null +++ b/db/mariadb-10.3/files/originals/mariadb.cnf 
@@ -0,0 +1,23 @@ +# The MariaDB configuration file +# +# The MariaDB/MySQL tools read configuration files in the following order: +# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults, +# 2. "/etc/mysql/conf.d/*.cnf" to set global options. +# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options. +# 4. "~/.my.cnf" to set user-specific options. +# +# If the same option is defined multiple times, the last one will apply. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. + +# +# This group is read both both by the client and the server +# use it for options that affect everything +# +[client-server] + +# Import all .cnf files from configuration directory +!includedir /etc/mysql/conf.d/ +!includedir /etc/mysql/mariadb.conf.d/ diff --git a/db/mariadb-10.3/files/originals/mariadb.conf.d/50-client.cnf b/db/mariadb-10.3/files/originals/mariadb.conf.d/50-client.cnf new file mode 100644 index 0000000..b509f19 --- /dev/null +++ b/db/mariadb-10.3/files/originals/mariadb.conf.d/50-client.cnf @@ -0,0 +1,25 @@ +# +# This group is read by the client library +# Use it for options that affect all clients, but not the server +# + +[client] +# Default is Latin1, if you need UTF-8 set this (also in server section) +default-character-set = utf8mb4 + +# socket location +socket = /var/run/mysqld/mysqld.sock + +# Example of client certificate usage +# ssl-cert=/etc/mysql/client-cert.pem +# ssl-key=/etc/mysql/client-key.pem +# +# Allow only TLS encrypted connections +# ssl-verify-server-cert=on + +# This group is *never* read by mysql client library, though this +# /etc/mysql/mariadb.cnf.d/client.cnf file is not read by Oracle MySQL +# client anyway. +# If you use the same .cnf file for MySQL and MariaDB, +# use it for MariaDB-only client options +[client-mariadb] 
diff --git a/db/mariadb-10.3/files/originals/mariadb.conf.d/50-mysql-clients.cnf b/db/mariadb-10.3/files/originals/mariadb.conf.d/50-mysql-clients.cnf new file mode 100644 index 0000000..55cfda2 --- /dev/null +++ b/db/mariadb-10.3/files/originals/mariadb.conf.d/50-mysql-clients.cnf @@ -0,0 +1,24 @@ +# +# These groups are read by MariaDB command-line tools +# Use it for options that affect only one utility +# + +[mysql] +# Default is Latin1, if you need UTF-8 set this (also in server section) +default-character-set = utf8mb4 + +[mysql_upgrade] + +[mysqladmin] + +[mysqlbinlog] + +[mysqlcheck] + +[mysqldump] + +[mysqlimport] + +[mysqlshow] + +[mysqlslap] diff --git a/db/mariadb-10.3/files/originals/mariadb.conf.d/50-mysqld_safe.cnf b/db/mariadb-10.3/files/originals/mariadb.conf.d/50-mysqld_safe.cnf new file mode 100644 index 0000000..141d51f --- /dev/null +++ b/db/mariadb-10.3/files/originals/mariadb.conf.d/50-mysqld_safe.cnf 
@@ -0,0 +1,30 @@ +# NOTE: This file is read only by the traditional SysV init script, not systemd. +# MariaDB systemd does _not_ utilize mysqld_safe nor read this file. +# +# For similar behaviour, systemd users should create the following file: +# /etc/systemd/system/mariadb.service.d/migrated-from-my.cnf-settings.conf +# +# To achieve the same result as the default 50-mysqld_safe.cnf, please create +# /etc/systemd/system/mariadb.service.d/migrated-from-my.cnf-settings.conf +# with the following contents: +# +# [Service] +# User=mysql +# StandardOutput=syslog +# StandardError=syslog +# SyslogFacility=daemon +# SyslogLevel=err +# SyslogIdentifier=mysqld +# +# For more information, please read https://mariadb.com/kb/en/mariadb/systemd/ +# + +[mysqld_safe] +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# especially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. +socket = /var/run/mysqld/mysqld.sock +nice = 0 +skip_log_error +syslog diff --git a/db/mariadb-10.3/files/originals/mariadb.conf.d/50-server.cnf b/db/mariadb-10.3/files/originals/mariadb.conf.d/50-server.cnf new file mode 100644 index 0000000..e7e88ef --- /dev/null +++ b/db/mariadb-10.3/files/originals/mariadb.conf.d/50-server.cnf 
@@ -0,0 +1,133 @@ +# +# These groups are read by MariaDB server. +# Use it for options that only the server (but not clients) should see +# +# See the examples of server my.cnf files in /usr/share/mysql + +# this is read by the standalone daemon and embedded servers +[server] + +# this is only for the mysqld standalone daemon +[mysqld] + +# +# * Basic Settings +# +user = mysql +pid-file = /run/mysqld/mysqld.pid +socket = /run/mysqld/mysqld.sock +#port = 3306 +basedir = /usr +datadir = /var/lib/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +#skip-external-locking + +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +bind-address = 127.0.0.1 + +# +# * Fine Tuning +# +#key_buffer_size = 16M +#max_allowed_packet = 16M +#thread_stack = 192K +#thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +#myisam_recover_options = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 + +# +# * Query Cache Configuration +# +#query_cache_limit = 1M +query_cache_size = 16M + +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +# As of 5.1 you can enable the log at runtime! +#general_log_file = /var/log/mysql/mysql.log +#general_log = 1 +# +# Error log - should be very few entries. +# +log_error = /var/log/mysql/error.log +# +# Enable the slow query log to see queries with especially long duration +#slow_query_log_file = /var/log/mysql/mariadb-slow.log +#long_query_time = 10 +#log_slow_rate_limit = 1000 +#log_slow_verbosity = query_plan +#log-queries-not-using-indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. 
+#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +#max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = exclude_database_name + +# +# * Security Features +# +# Read the manual, too, if you want chroot! +#chroot = /var/lib/mysql/ +# +# For generating SSL certificates you can use for example the GUI tool "tinyca". +# +#ssl-ca = /etc/mysql/cacert.pem +#ssl-cert = /etc/mysql/server-cert.pem +#ssl-key = /etc/mysql/server-key.pem +# +# Accept only connections using the latest and most secure TLS protocol version. +# ..when MariaDB is compiled with OpenSSL: +#ssl-cipher = TLSv1.2 +# ..when MariaDB is compiled with YaSSL (default in Debian): +#ssl = on + +# +# * Character sets +# +# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full +# utf8 4-byte character set. See also client.cnf +# +character-set-server = utf8mb4 +collation-server = utf8mb4_general_ci + +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! + +# +# * Unix socket authentication plugin is built-in since 10.0.22-6 +# +# Needed so the root database user can authenticate without a password but +# only when running as the unix root user. +# +# Also available for other users if required. +# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/ + +# this is only for embedded server +[embedded] + +# This group is only read by MariaDB servers, not by MySQL. +# If you use the same .cnf file for MySQL and MariaDB, +# you can put MariaDB-only options here +[mariadb] + +# This group is only read by MariaDB-10.3 servers. +# If you use the same .cnf file for MariaDB of different versions, +# use this group for options that older servers don't understand +[mariadb-10.3] diff --git a/db/mariadb-10.3/files/originals/my.cnf b/db/mariadb-10.3/files/originals/my.cnf new file mode 120000 index 0000000..3c2e7f7 --- /dev/null 
+++ b/db/mariadb-10.3/files/originals/my.cnf @@ -0,0 +1 @@ +./mariadb.cnf \ No newline at end of file diff --git a/db/mariadb-10.3/files/originals/my.cnf.fallback b/db/mariadb-10.3/files/originals/my.cnf.fallback new file mode 100644 index 0000000..92747d8 --- /dev/null +++ b/db/mariadb-10.3/files/originals/my.cnf.fallback @@ -0,0 +1,23 @@ +# +# The MySQL database server configuration file. +# +# You can copy this to one of: +# - "/etc/mysql/my.cnf" to set global options, +# - "~/.my.cnf" to set user-specific options. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# For explanations see +# http://dev.mysql.com/doc/mysql/en/server-system-variables.html + +# This will be passed to all mysql clients +# It has been reported that passwords should be enclosed with ticks/quotes +# escpecially if they contain "#" chars... +# Remember to edit /etc/mysql/debian.cnf when changing the socket location. + +# Here is entries for some specific programs +# The following values assume you have at least 32M ram + +!includedir /etc/mysql/conf.d/ diff --git a/db/postgresql-10/tasks/install-debian.yml b/db/postgresql-10/tasks/install-debian.yml index 9f53c2a..60b39ea 100644 --- a/db/postgresql-10/tasks/install-debian.yml +++ b/db/postgresql-10/tasks/install-debian.yml 
@@ -9,13 +9,23 @@ # Add PostgreSQL repositories for Debian 9 - name: Adding PostgreSQL sources for Debian 9 Jessie apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' state=present - when: ansible_distribution == "Debian" and ansible_distribution_major_version == "9" + when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9" + +# Add PostgreSQL repositories for Debian 10 +- name: Adding PostgreSQL sources for Debian 10 Jessie + apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main' state=present + when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10" # Add PostgreSQL repositories for Ubuntu 16.04 - name: Adding PostgreSQL sources for Ubuntu 16.04 apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main' state=present when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04" +# Add PostgreSQL repositories for Ubuntu 19.04 +- name: Adding PostgreSQL sources for Ubuntu 18.04 + apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main' state=present + when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "18.04" + # Install PostgreSQL 10 - name: Installing PostgreSQL 10 apt: diff --git a/db/postgresql-10/tasks/main.yml b/db/postgresql-10/tasks/main.yml index 99ae946..8494760 100644 --- a/db/postgresql-10/tasks/main.yml +++ b/db/postgresql-10/tasks/main.yml @@ -1,6 +1,4 @@ --- -# postgresql-10 - -# Install PostgreSQL 10 - Debian and Ubuntu +# Install PostgreSQL 10 - Debian All Versions - include_tasks: install-debian.yml when: ansible_os_family == "Debian" diff --git a/db/postgresql-11/tasks/install-debian.yml b/db/postgresql-11/tasks/install-debian.yml new file mode 100644 index 0000000..c3faa1f --- /dev/null +++ b/db/postgresql-11/tasks/install-debian.yml 
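Review bot: The new Debian 10 task is named "Adding PostgreSQL sources for Debian 10 Jessie" while its repo line is `buster-pgdg`, and the new Ubuntu block's comment says 19.04 while the task name and `when` say 18.04; copy-pasted names like these mislead whoever reads the play output, so `- name: Adding PostgreSQL sources for Debian 10 Buster` and `# Add PostgreSQL repositories for Ubuntu 18.04` are what the lines should say (the pre-existing Debian 9 task has the same stretch/Jessie mismatch). Changing the Debian conditions from `ansible_distribution` to `ansible_os_family` widens them to every Debian-derived distribution whose major version happens to be 9 or 10; that may be intended, but a one-line comment stating it would help. The added repo line uses plain http; apt's signature verification still covers package integrity, but https would additionally protect repository metadata in transit if the mirror offers it. The identical tasks in the new postgresql-11/tasks/install-debian.yml hunk carry the same naming mismatches.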
@@ -0,0 +1,36 @@
+---
+# We use the official PostgreSQL repositories which contains many versions of PostgreSQL
+# Most of these versions will be newer than comes stock with debian
+
+# Add GPG keys
+- name: Addding PostgreSQL sources GPG key
+ apt_key: url='https://www.postgresql.org/media/keys/ACCC4CF8.asc' state=present
+
+# Add PostgreSQL repositories for Debian 9
+- name: Adding PostgreSQL sources for Debian 9 Jessie
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' state=present
+ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+# Add PostgreSQL repositories for Debian 10
+- name: Adding PostgreSQL sources for Debian 10 Jessie
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main' state=present
+ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+# Add PostgreSQL repositories for Ubuntu 16.04
+- name: Adding PostgreSQL sources for Ubuntu 16.04
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main' state=present
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04"
+
+# Add PostgreSQL repositories for Ubuntu 19.04
+- name: Adding PostgreSQL sources for Ubuntu 18.04
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main' state=present
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "18.04"
+
+# Install PostgreSQL 11
+- name: Installing PostgreSQL 11
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - postgresql-11
+ - python-psycopg2 # Required for ansible postgres manipulation
diff --git a/db/postgresql-11/tasks/main.yml b/db/postgresql-11/tasks/main.yml
new file mode 100644
index 0000000..d9d12ca
--- /dev/null
+++ b/db/postgresql-11/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+# Install PostgreSQL 11 - Debian All Versions
+- include_tasks: install-debian.yml
+ when: ansible_os_family == "Debian"
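Review bot: The apt task at the end of the hunk installs `python-psycopg2`, the Python 2 binding, but on hosts where Ansible runs its modules under Python 3 (which, if I recall correctly, is what interpreter discovery selects on Debian 10 with recent Ansible) the postgresql_* modules will not see it, so this play succeeds and the database tasks that follow fail. Adding `- python3-psycopg2` to the package list, or selecting the package from `ansible_python.version.major`, covers both cases; a comment such as `# psycopg2 must match the Python interpreter Ansible uses on the target` would record why. `update_cache: yes` is a YAML 1.1 truthy spelling; `true` is the portable form. The task file is complete within this hunk.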
diff --git a/db/postgresql-12/files/originals/etc/environment b/db/postgresql-12/files/originals/etc/environment new file mode 100644 index 0000000..411be67 --- /dev/null +++ b/db/postgresql-12/files/originals/etc/environment @@ -0,0 +1,7 @@ +# environment variables for postgres processes +# This file has the same syntax as postgresql.conf: +# VARIABLE = simple_value +# VARIABLE2 = 'any value!' +# I. e. you need to enclose any value which does not only consist of letters, +# numbers, and '-', '_', '.' in single quotes. Shell commands are not +# evaluated. diff --git a/db/postgresql-12/files/originals/etc/pg_ctl.conf b/db/postgresql-12/files/originals/etc/pg_ctl.conf new file mode 100644 index 0000000..d33e363 --- /dev/null +++ b/db/postgresql-12/files/originals/etc/pg_ctl.conf @@ -0,0 +1,5 @@ +# Automatic pg_ctl configuration +# This configuration file contains cluster specific options to be passed to +# pg_ctl(1). + +pg_ctl_options = '' diff --git a/db/postgresql-12/files/originals/etc/pg_hba.conf b/db/postgresql-12/files/originals/etc/pg_hba.conf new file mode 100644 index 0000000..f07bb73 --- /dev/null +++ b/db/postgresql-12/files/originals/etc/pg_hba.conf 
@@ -0,0 +1,99 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. A host name +# that starts with a dot (.) matches a suffix of the actual host name. +# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. 
Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. + + + + +# DO NOT DISABLE! +# If you change this first entry you will need to make sure that the +# database superuser can access the database using some other method. 
+# Noninteractive access to all databases is required during automatic +# maintenance (custom daily cronjobs, replication, and similar tasks). +# +# Database administrative login by Unix domain socket +local all postgres peer + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +local all all peer +# IPv4 local connections: +host all all 127.0.0.1/32 md5 +# IPv6 local connections: +host all all ::1/128 md5 +# Allow replication connections from localhost, by a user with the +# replication privilege. +local replication all peer +host replication all 127.0.0.1/32 md5 +host replication all ::1/128 md5 diff --git a/db/postgresql-12/files/originals/etc/pg_ident.conf b/db/postgresql-12/files/originals/etc/pg_ident.conf new file mode 100644 index 0000000..a5870e6 --- /dev/null +++ b/db/postgresql-12/files/originals/etc/pg_ident.conf 
@@ -0,0 +1,42 @@
+# PostgreSQL User Name Maps
+# =========================
+#
+# Refer to the PostgreSQL documentation, chapter "Client
+# Authentication" for a complete description. A short synopsis
+# follows.
+#
+# This file controls PostgreSQL user name mapping. It maps external
+# user names to their corresponding PostgreSQL user names. Records
+# are of the form:
+#
+# MAPNAME SYSTEM-USERNAME PG-USERNAME
+#
+# (The uppercase quantities must be replaced by actual values.)
+#
+# MAPNAME is the (otherwise freely chosen) map name that was used in
+# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the
+# client. PG-USERNAME is the requested PostgreSQL user name. The
+# existence of a record specifies that SYSTEM-USERNAME may connect as
+# PG-USERNAME.
+#
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
+# regular expression. Optionally this can contain a capture (a
+# parenthesized subexpression). The substring matching the capture
+# will be substituted for \1 (backslash-one) if present in
+# PG-USERNAME.
+#
+# Multiple maps may be specified in this file and used by pg_hba.conf.
+#
+# No map names are defined in the default configuration. If all
+# system user names and PostgreSQL user names are the same, you don't
+# need anything in this file.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal. If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect. You can
+# use "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+
+# MAPNAME SYSTEM-USERNAME PG-USERNAME
diff --git a/db/postgresql-12/files/originals/etc/postgresql.conf b/db/postgresql-12/files/originals/etc/postgresql.conf
new file mode 100644
index 0000000..79317e2
--- /dev/null
+++ b/db/postgresql-12/files/originals/etc/postgresql.conf
@@ -0,0 +1,750 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+# name = value
+#
+# (The "=" is optional.) Whitespace may be used. Comments are introduced with
+# "#" anywhere on a line. The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal. If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()". Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on". Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units: kB = kilobytes Time units: ms = milliseconds
+# MB = megabytes s = seconds
+# GB = gigabytes min = minutes
+# TB = terabytes h = hours
+# d = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+data_directory = '/var/lib/postgresql/12/main' # use data in another directory
+ # (change requires restart)
+hba_file = '/etc/postgresql/12/main/pg_hba.conf' # host-based authentication file
+ # (change requires restart)
+ident_file = '/etc/postgresql/12/main/pg_ident.conf' # ident configuration file
+ # (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+external_pid_file = '/var/run/postgresql/12-main.pid' # write an extra PID file
+ # (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+#listen_addresses = 'localhost' # what IP address(es) to listen on;
+ # comma-separated list of addresses;
+ # defaults to 'localhost'; use '*' for all
+ # (change requires restart)
+port = 5432 # (change requires restart)
+max_connections = 100 # (change requires restart)
+#superuser_reserved_connections = 3 # (change requires restart)
+unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
+ # (change requires restart)
+#unix_socket_group = '' # (change requires restart)
+#unix_socket_permissions = 0777 # begin with 0 to use octal notation
+ # (change requires restart)
+#bonjour = off # advertise server via Bonjour
+ # (change requires restart)
+#bonjour_name = '' # defaults to the computer name
+ # (change requires restart)
+
+# - TCP settings -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
+ # 0 selects the system default
+#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
+ # 0 selects the system default
+#tcp_keepalives_count = 0 # TCP_KEEPCNT;
+ # 0 selects the system default
+#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
+ # 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min # 1s-600s
+#password_encryption = md5 # md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+ssl = on
+#ssl_ca_file = ''
+ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+#ssl_crl_file = ''
+ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+shared_buffers = 128MB # min 128kB
+ # (change requires restart)
+#huge_pages = try # on, off, or try
+ # (change requires restart)
+#temp_buffers = 8MB # min 800kB
+#max_prepared_transactions = 0 # zero disables the feature
+ # (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB # min 64kB
+#maintenance_work_mem = 64MB # min 1MB
+#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
+#max_stack_depth = 2MB # min 100kB
+#shared_memory_type = mmap # the default is the first option
+ # supported by the operating system:
+ # mmap
+ # sysv
+ # windows
+ # (change requires restart)
+dynamic_shared_memory_type = posix # the default is the first option
+ # supported by the operating system:
+ # posix
+ # sysv
+ # windows
+ # mmap
+ # (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1 # limits per-process temp file space
+ # in kB, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000 # min 25
+ # (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1 # 0-10000 credits
+#vacuum_cost_page_miss = 10 # 0-10000 credits
+#vacuum_cost_page_dirty = 20 # 0-10000 credits
+#vacuum_cost_limit = 200 # 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms # 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 512kB # measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
+#max_worker_processes = 8 # (change requires restart)
+#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8 # maximum number of max_worker_processes that
+ # can be used in parallel operations
+#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
+ # (change requires restart)
+#backend_flush_after = 0 # measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica # minimal, replica, or logical
+ # (change requires restart)
+#fsync = on # flush data to disk for crash safety
+ # (turning this off can cause
+ # unrecoverable data corruption)
+#synchronous_commit = on # synchronization level;
+ # off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync # the default is the first option
+ # supported by the operating system:
+ # open_datasync
+ # fdatasync (default on Linux)
+ # fsync
+ # fsync_writethrough
+ # open_sync
+#full_page_writes = on # recover from partial page writes
+#wal_compression = off # enable compression of full-page writes
+#wal_log_hints = off # also do full page writes of non-critical updates
+ # (change requires restart)
+#wal_init_zero = on # zero-fill new WAL files
+#wal_recycle = on # recycle WAL files
+#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
+ # (change requires restart)
+#wal_writer_delay = 200ms # 1-10000 milliseconds
+#wal_writer_flush_after = 1MB # measured in pages, 0 disables
+
+#commit_delay = 0 # range 0-100000, in microseconds
+#commit_siblings = 5 # range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min # range 30s-1d
+max_wal_size = 1GB
+min_wal_size = 80MB
+#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 256kB # measured in pages, 0 disables
+#checkpoint_warning = 30s # 0 disables
+
+# - Archiving -
+
+#archive_mode = off # enables archiving; off, on, or always
+ # (change requires restart)
+#archive_command = '' # command to use to archive a logfile segment
+ # placeholders: %p = path of file to archive
+ # %f = file name only
+ # e.g. 'test ! 
-f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0 # force a logfile segment switch after this
+ # number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = '' # command to use to restore an archived logfile segment
+ # placeholders: %p = path of file to restore
+ # %f = file name only
+ # e.g. 'cp /mnt/server/archivedir/%f %p'
+ # (change requires restart)
+#archive_cleanup_command = '' # command to execute at every restartpoint
+#recovery_end_command = '' # command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = '' # 'immediate' to end recovery as soon as a
+ # consistent state is reached
+ # (change requires restart)
+#recovery_target_name = '' # the named restore point to which recovery will proceed
+ # (change requires restart)
+#recovery_target_time = '' # the time stamp up to which recovery will proceed
+ # (change requires restart)
+#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
+ # (change requires restart)
+#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
+ # (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+ # just after the specified recovery target (on)
+ # just before the recovery target (off)
+ # (change requires restart)
+#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
+ # (change requires restart)
+#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
+ # (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10 # max number of walsender processes
+ # (change requires restart)
+#wal_keep_segments = 0 # in logfile segments; 0 disables
+#wal_sender_timeout = 60s # in milliseconds; 0 disables
+
+#max_replication_slots = 10 # max number of replication slots
+ # (change requires restart)
+#track_commit_timestamp = off # collect timestamp of transaction commit
+ # (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = '' # standby servers that provide sync rep
+ # method to choose sync standbys, number of sync standbys,
+ # and comma-separated list of application_name
+ # from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#primary_conninfo = '' # connection string to sending server
+ # (change requires restart)
+#primary_slot_name = '' # replication slot on sending server
+ # (change requires restart)
+#promote_trigger_file = '' # file name whose presence ends recovery
+#hot_standby = on # "off" disallows queries during recovery
+ # (change requires restart)
+#max_standby_archive_delay = 30s # max delay before canceling queries
+ # when reading WAL from archive;
+ # -1 allows indefinite delay
+#max_standby_streaming_delay = 30s # max delay before canceling queries
+ # when reading streaming WAL;
+ # -1 allows indefinite delay
+#wal_receiver_status_interval = 10s # send replies at least this often
+ # 0 disables
+#hot_standby_feedback = off # send info from standby to prevent
+ # query conflicts
+#wal_receiver_timeout = 60s # time that receiver waits for
+ # communication from master
+ # in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s # time to wait before retrying to
+ # retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings 
are ignored on a publisher.
+
+#max_logical_replication_workers = 4 # taken from max_worker_processes
+ # (change requires restart)
+#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0 # measured on an arbitrary scale
+#random_page_cost = 4.0 # same scale as above
+#cpu_tuple_cost = 0.01 # same scale as above
+#cpu_index_tuple_cost = 0.005 # same scale as above
+#cpu_operator_cost = 0.0025 # same scale as above
+#parallel_tuple_cost = 0.1 # same scale as above
+#parallel_setup_cost = 1000.0 # same scale as above
+
+#jit_above_cost = 100000 # perform JIT compilation if available
+ # and query more expensive than this;
+ # -1 disables
+#jit_inline_above_cost = 500000 # inline small functions if query is
+ # more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
+ # query is more expensive than this;
+ # -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5 # range 1-10
+#geqo_pool_size = 0 # selects default based on effort
+#geqo_generations = 0 # selects default based on effort
+#geqo_selection_bias = 2.0 # range 1.5-2.0
+#geqo_seed = 0.0 # range 
0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100 # range 1-10000
+#constraint_exclusion = partition # on, off, or partition
+#cursor_tuple_fraction = 0.1 # range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8 # 1 disables collapsing of explicit
+ # JOIN clauses
+#force_parallel_mode = off
+#jit = on # allow JIT compilation
+#plan_cache_mode = auto # auto, force_generic_plan or
+ # force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr' # Valid values are combinations of
+ # stderr, csvlog, syslog, and eventlog,
+ # depending on platform. csvlog
+ # requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off # Enable capturing of stderr and csvlog
+ # into log files. Required to be on for
+ # csvlogs.
+ # (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log' # directory where log files are written,
+ # can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
+ # can include strftime() escapes
+#log_file_mode = 0600 # creation mode for log files,
+ # begin with 0 to use octal notation
+#log_truncate_on_rotation = off # If on, an existing log file with the
+ # same name as the new log file will be
+ # truncated rather than appended to.
+ # But such truncation only occurs on
+ # time-driven rotation, not on restarts
+ # or size-driven rotation. Default is
+ # off, meaning append to existing files
+ # in all cases.
+#log_rotation_age = 1d # Automatic rotation of logfiles will
+ # happen after that time. 0 disables.
+#log_rotation_size = 10MB # Automatic rotation of logfiles will
+ # happen after that much log output.
+ # 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning # values in order of decreasing detail:
+ # debug5
+ # debug4
+ # debug3
+ # debug2
+ # debug1
+ # info
+ # notice
+ # warning
+ # error
+ # log
+ # fatal
+ # panic
+
+#log_min_error_statement = error # values in order of decreasing detail:
+ # debug5
+ # debug4
+ # debug3
+ # debug2
+ # debug1
+ # info
+ # notice
+ # warning
+ # error
+ # log
+ # fatal
+ # panic (effectively off)
+
+#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
+ # and their durations, > 0 logs only
+ # statements running at least this number
+ # of milliseconds
+
+#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements
+ # are logged regardless of their duration. 1.0 logs all
+ # statements from all transactions, 0.0 never logs.
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default # terse, default, or verbose messages
+#log_hostname = off
+log_line_prefix = '%m [%p] %q%u@%d ' # special values:
+ # %a = application name
+ # %u = user name
+ # %d = database name
+ # %r = remote host and port
+ # %h = remote host
+ # %p = process ID
+ # %t = timestamp without milliseconds
+ # %m = timestamp with milliseconds
+ # %n = timestamp with milliseconds (as a Unix epoch)
+ # %i = command tag
+ # %e = SQL state
+ # %c = session ID
+ # %l = session line number
+ # %s = session start timestamp
+ # %v = virtual transaction ID
+ # %x = transaction ID (0 if none)
+ # %q = stop here in non-session
+ # processes
+ # %% = '%'
+ # e.g. 
'<%u%%%d> '
+#log_lock_waits = off # log lock waits >= deadlock_timeout
+#log_statement = 'none' # none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1 # log temporary files equal or larger
+ # than the specified size in kilobytes;
+ # -1 disables, 0 logs all temp files
+log_timezone = 'US/Central'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+cluster_name = '12/main' # added to process titles if nonempty
+ # (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none # none, pl, all
+#track_activity_query_size = 1024 # (change requires restart)
+stats_temp_directory = '/var/run/postgresql/12-main.pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on # Enable autovacuum subprocess? 'on'
+ # requires track_counts to also be on.
+#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
+ # their durations, > 0 logs only
+ # actions running at least this number
+ # of milliseconds.
+#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
+ # (change requires restart)
+#autovacuum_naptime = 1min # time between autovacuum runs
+#autovacuum_vacuum_threshold = 50 # min number of row updates before
+ # vacuum
+#autovacuum_analyze_threshold = 50 # min number of row updates before
+ # analyze
+#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
+ # (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
+ # before forced vacuum
+ # (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
+ # autovacuum, in milliseconds;
+ # -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
+ # autovacuum, -1 means use
+ # vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice # values in order of decreasing detail:
+ # debug5
+ # debug4
+ # debug3
+ # debug2
+ # debug1
+ # log
+ # notice
+ # warning
+ # error
+#search_path = '"$user", public' # schema names
+#row_security = on
+#default_tablespace = '' # a tablespace name, '' uses the default
+#temp_tablespaces = '' # a list of tablespace names, '' uses
+ # only default tablespace
+#default_table_access_method = 'heap'
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0 # in milliseconds, 0 is disabled
+#lock_timeout = 0 # in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 
is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
+ # before index cleanup, 0 always performs
+ # index cleanup
+#bytea_output = 'hex' # hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+timezone = 'US/Central'
+#timezone_abbreviations = 'Default' # Select the set of available time zone
+ # abbreviations. Currently, there are
+ # Default
+ # Australia (historical usage)
+ # India
+ # You can create your own file in
+ # share/timezonesets/.
+#extra_float_digits = 1 # min -15, max 3; any value >0 actually
+ # selects precise output mode
+#client_encoding = sql_ascii # actually, defaults to database
+ # encoding
+
+# These settings are initialized by initdb, but they can be changed.
+lc_messages = 'en_US.UTF-8' # locale for system error message
+ # strings
+lc_monetary = 'en_US.UTF-8' # locale for monetary formatting
+lc_numeric = 'en_US.UTF-8' # locale for number formatting
+lc_time = 'en_US.UTF-8' # locale for time formatting
+
+# default configuration for text search
+default_text_search_config = 'pg_catalog.english'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = '' # (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit' # JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64 # min 10
+ # (change requires restart)
+#max_pred_locks_per_transaction = 64 # min 10
+ # (change requires restart)
+#max_pred_locks_per_relation = -2 # negative values mean
+ # (max_pred_locks_per_transaction
+ # / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2 # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding # on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off # terminate session on any error?
+#restart_after_crash = on # reinitialize after backend crash?
+#data_sync_retry = off # retry or panic on failure to fsync
+ # data?
+ # (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf. Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+include_dir = 'conf.d' # include files ending in '.conf' from
+ # a directory, e.g., 'conf.d'
+#include_if_exists = '...' # include file only if it exists
+#include = '...' # include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
diff --git a/db/postgresql-12/files/originals/etc/start.conf b/db/postgresql-12/files/originals/etc/start.conf
new file mode 100644
index 0000000..b0f3256
--- /dev/null
+++ b/db/postgresql-12/files/originals/etc/start.conf
@@ -0,0 +1,8 @@
+# Automatic startup configuration
+# auto: automatically start the cluster
+# manual: manual startup with pg_ctlcluster/postgresql@.service only
+# disabled: refuse to start cluster
+# See pg_createcluster(1) for details. When running from systemd,
+# invoke 'systemctl daemon-reload' after editing this file.
+
+auto
diff --git a/db/postgresql-12/tasks/configure-linux.yml b/db/postgresql-12/tasks/configure-linux.yml
new file mode 100644
index 0000000..fa2dbd1
--- /dev/null
+++ b/db/postgresql-12/tasks/configure-linux.yml
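Review bot: The copied postgresql.conf keeps two weak stock defaults in its `- Authentication -` and `- SSL -` blocks: `#password_encryption = md5` and `#ssl_min_protocol_version = 'TLSv1'`, while `ssl = on` is bound to the Debian snakeoil self-signed pair under /etc/ssl. If this `originals` copy is what the role later deploys (not visible in this commit), set `password_encryption = scram-sha-256` and `ssl_min_protocol_version = 'TLSv1.2'`, and move the `md5` host lines of the pg_hba.conf added just above to `scram-sha-256`, remembering that roles whose passwords were stored as md5 hashes must have them reset before the pg_hba change or they can no longer log in. The snakeoil certificate is acceptable only while `listen_addresses` stays at its commented `localhost` default and should be replaced before any non-loopback `host` rule is added. If the directory really is an untouched reference copy, a short README next to it saying so would stop these files being mistaken for the deployed configuration.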
@@ -0,0 +1,30 @@
+---
+# Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory=2
+# https://www.postgresql.org/docs/12/kernel-resources.html#LINUX-MEMORY-OVERCOMMIT
+# View with sysctl -a |grep overcommit
+- name: Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory=2
+ sysctl:
+ name: vm.overcommit_memory
+ value: '2'
+ reload: yes
+ state: present
+
+# PostgreSQL docs recommend tweaking vm.nr_hugepages by using some math like so
+# head -1 /var/lib/postgresql/12/main/postmaster.pid
+# Gave me 14299 (this is the current process ID, can also us ps aux|grep postgres)
+# pmap 14299 | awk '/rw-s/ && /zero/ {print $2}'
+# Substiture your process ID of course
+# This gave me 145608K on a fresh install of postgres
+# grep ^Hugepagesize /proc/meminfo
+# This gave me 2048KB
+# Now take 145608 / 2048 = 71.09
+# Now set sysctl -w vm.nr_hugepages=71
+
+# I however did not do this just yet. Will wait once Postgres is actually used
+# before tweaking this type of setting
+# - NO, not yet name: Tweak vm.nr_hugepages according to some precalculated math
+# sysctl:
+# name: vm.nr_hugepages
+# value: 2048
+# reload: yes
+# state: present
diff --git a/db/postgresql-12/tasks/install-debian.yml b/db/postgresql-12/tasks/install-debian.yml
new file mode 100644
index 0000000..d83bf4c
--- /dev/null
+++ b/db/postgresql-12/tasks/install-debian.yml
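Review bot: The task name and the comment above it say `Enable Memory Overcommit`, but `vm.overcommit_memory` set to `'2'` is the strict no-overcommit mode that the linked PostgreSQL kernel-resources page recommends precisely to keep the OOM killer away from the postmaster, so the name states the opposite of what the task does. Suggested: `- name: Disable heuristic memory overcommit (vm.overcommit_memory=2) for PostgreSQL`, with the comment line changed to match. `reload: yes` should be the canonical `reload: true`, and the commented-out hugepages task carries `value: 2048` while the worked example above it computes `71`, so whoever revives it will copy the wrong number. The identical file is added again as db/postgresql-9.6/tasks/configure-linux.yml later in this commit, where the comments also still point at the 12/main data directory and the version 12 docs.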
@@ -0,0 +1,36 @@
+---
+# We use the official PostgreSQL repositories which contains many versions of PostgreSQL
+# Most of these versions will be newer than comes stock with debian
+
+# Add GPG keys
+- name: Addding PostgreSQL sources GPG key
+ apt_key: url='https://www.postgresql.org/media/keys/ACCC4CF8.asc' state=present
+
+# Add PostgreSQL repositories for Debian 9
+- name: Adding PostgreSQL sources for Debian 9 Jessie
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' state=present
+ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+# Add PostgreSQL repositories for Debian 10
+- name: Adding PostgreSQL sources for Debian 10 Jessie
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main' state=present
+ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+# Add PostgreSQL repositories for Ubuntu 16.04
+- name: Adding PostgreSQL sources for Ubuntu 16.04
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main' state=present
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04"
+
+# Add PostgreSQL repositories for Ubuntu 19.04
+- name: Adding PostgreSQL sources for Ubuntu 18.04
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main' state=present
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "18.04"
+
+# Install PostgreSQL 12
+- name: Installing PostgreSQL 12
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - postgresql-12
+ - python-psycopg2 # Required for ansible postgres manipulation
diff --git a/db/postgresql-12/tasks/main.yml b/db/postgresql-12/tasks/main.yml
new file mode 100644
index 0000000..1d32b2e
--- /dev/null
+++ b/db/postgresql-12/tasks/main.yml
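Review bot: Several task names and comments in this hunk contradict the suite they actually configure: `Adding PostgreSQL sources for Debian 9 Jessie` adds `stretch-pgdg`, `Adding PostgreSQL sources for Debian 10 Jessie` adds `buster-pgdg`, and the `# Add PostgreSQL repositories for Ubuntu 19.04` comment sits above the 18.04 task (the GPG task is also spelled `Addding`). Suggested: `- name: Adding PostgreSQL sources for Debian 9 (stretch)`, `- name: Adding PostgreSQL sources for Debian 10 (buster)`, `# Add PostgreSQL repositories for Ubuntu 18.04`. The same mislabelled tasks are added to db/postgresql-9.6/tasks/install-debian.yml further down in this commit. Separately, `python-psycopg2` is the Python 2 binding; if the managed hosts run Ansible modules under Python 3 (the usual interpreter on Debian 10 and Ubuntu 18.04), the postgresql_* modules will need `python3-psycopg2` instead, so confirm which interpreter the play uses.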
@@ -0,0 +1,8 @@
+---
+# Configure Linux (agnostic)
+- include_tasks: configure-linux.yml
+
+# Install PostgreSQL 11 - Debian All Versions
+- include_tasks: install-debian.yml
+ when: ansible_os_family == "Debian"
+
diff --git a/db/postgresql-9.6/tasks/configure-linux.yml b/db/postgresql-9.6/tasks/configure-linux.yml
new file mode 100644
index 0000000..fa2dbd1
--- /dev/null
+++ b/db/postgresql-9.6/tasks/configure-linux.yml
@@ -0,0 +1,30 @@
+---
+# Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory=2
+# https://www.postgresql.org/docs/12/kernel-resources.html#LINUX-MEMORY-OVERCOMMIT
+# View with sysctl -a |grep overcommit
+- name: Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory=2
+ sysctl:
+ name: vm.overcommit_memory
+ value: '2'
+ reload: yes
+ state: present
+
+# PostgreSQL docs recommend tweaking vm.nr_hugepages by using some math like so
+# head -1 /var/lib/postgresql/12/main/postmaster.pid
+# Gave me 14299 (this is the current process ID, can also us ps aux|grep postgres)
+# pmap 14299 | awk '/rw-s/ && /zero/ {print $2}'
+# Substiture your process ID of course
+# This gave me 145608K on a fresh install of postgres
+# grep ^Hugepagesize /proc/meminfo
+# This gave me 2048KB
+# Now take 145608 / 2048 = 71.09
+# Now set sysctl -w vm.nr_hugepages=71
+
+# I however did not do this just yet. Will wait once Postgres is actually used
+# before tweaking this type of setting
+# - NO, not yet name: Tweak vm.nr_hugepages according to some precalculated math
+# sysctl:
+# name: vm.nr_hugepages
+# value: 2048
+# reload: yes
+# state: present
diff --git a/db/postgresql-9.6/tasks/install-debian.yml b/db/postgresql-9.6/tasks/install-debian.yml
index eb2977d..033d486 100644
--- a/db/postgresql-9.6/tasks/install-debian.yml
+++ b/db/postgresql-9.6/tasks/install-debian.yml
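Review bot: The comment `# Install PostgreSQL 11 - Debian All Versions` in db/postgresql-12/tasks/main.yml names the wrong major version; install-debian.yml in this role installs `postgresql-12`, so it should read `# Install PostgreSQL 12 - Debian All Versions`. Note also that `configure-linux.yml` is included unconditionally while the install is gated on `ansible_os_family == "Debian"`; that is fine for the sysctl it contains, but the `(agnostic)` label only holds for Linux hosts, which is worth saying in the comment.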
@@ -11,7 +11,22 @@
 apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' state=present
 when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
 
-# Install PostgreSQL 10
+# Add PostgreSQL repositories for Debian 10
+- name: Adding PostgreSQL sources for Debian 10 Jessie
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main' state=present
+ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+# Add PostgreSQL repositories for Ubuntu 16.04
+- name: Adding PostgreSQL sources for Ubuntu 16.04
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main' state=present
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04"
+
+# Add PostgreSQL repositories for Ubuntu 19.04
+- name: Adding PostgreSQL sources for Ubuntu 18.04
+ apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main' state=present
+ when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "18.04"
+
+# Install PostgreSQL 9.6
 - name: Installing PostgreSQL 9.6
 apt:
 update_cache: yes
diff --git a/db/postgresql-9.6/tasks/main.yml b/db/postgresql-9.6/tasks/main.yml
index 0388f13..ddef9c9 100644
--- a/db/postgresql-9.6/tasks/main.yml
+++ b/db/postgresql-9.6/tasks/main.yml
@@ -1,6 +1,8 @@
 ---
-# postgresql-9.6
+# Configure Linux (agnostic)
+- include_tasks: configure-linux.yml
 
 # Install PostgreSQL 9.6 - Debian All Versions
 - include_tasks: install-debian.yml
 when: ansible_os_family == "Debian"
+
diff --git a/db/redis/tasks/main.yml b/db/redis/tasks/main.yml
index 8c3cb1e..b37a739 100644
--- a/db/redis/tasks/main.yml
+++ b/db/redis/tasks/main.yml
@@ -10,7 +10,7 @@
 - name: Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory = 1
 sysctl:
 name: vm.overcommit_memory
- value: 1
+ value: '1'
 reload: yes
 state: present
 notify: restart redis # Only runs if file changed!
@@ -19,7 +19,7 @@ - name: Setting /etc/sysctl.conf vm.swappiness = 0 sysctl: name: vm.swappiness - value: 0 + value: '0' reload: yes state: present notify: restart redis # Only runs if file changed! @@ -34,7 +34,7 @@ dest: "/etc/systemd/system/disable-thp.service" owner: root group: root - mode: 0644 # -rw-r--r-- + mode: '0644' # -rw-r--r-- notify: - disable thp - restart redis # Only runs if file changed! diff --git a/functions/user.yml b/functions/user.yml index 4458358..09aef4d 100644 --- a/functions/user.yml +++ b/functions/user.yml @@ -17,11 +17,19 @@ changed_when: false register: user_home -# Notice both group and user is {{id}}, so they are the same! +# Create group by same ID as user - name: Creating group {{ user }} group: name: '{{ user }}' gid: '{{ id }}' + when: gid is undefined + +# Create group by options gid +- name: Creating group {{ user }} + group: + name: '{{ user }}' + gid: '{{ gid }}' + when: gid is defined - name: Creating user {{ user }} user: @@ -53,6 +61,12 @@ line: '{{ user }} ALL=(ALL) NOPASSWD:ALL' when: '"sudo" in group' +# Create users ~/.ssh directory +- name: Creating {{ user }} ~/.ssh directory + file: + path: '{{ "~" + user | expanduser }}/.ssh' + state: directory + # Authorize users SSH keys # NOTE, when: ssh_authorize|bool == true # IS working, BUT even if ssh_authorize = false the @@ -66,13 +80,6 @@ - 'keys/{{ user }}.key.pub' when: ssh_authorize|default(true)|bool -# Create users ~/.ssh directory -- name: Creating {{ user }} ~/.ssh directory - file: - path: '{{ "~" + user | expanduser }}/.ssh' - state: directory - when: ssh_keys|default(false)|bool - # Create users public key - name: Copying {{ user }} SSH public key copy: diff --git a/server/tasks/agnostic/main.yml b/server/tasks/agnostic/main.yml index 114c6f3..56bec28 100644 --- a/server/tasks/agnostic/main.yml +++ b/server/tasks/agnostic/main.yml 
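Review bot: The relocated `Creating {{ user }} ~/.ssh directory` task (hunk at -53 of functions/user.yml) now creates the directory for every user with only `path` and `state`, so under a privileged run it comes out root-owned with the umask default mode: the user cannot write their own `~/.ssh` (ssh-keygen, known_hosts), and the files placed there later are more likely to trip sshd's StrictModes checks. Add `owner: '{{ user }}'`, `group: '{{ user }}'` and `mode: '0700'` to the task; the `{{ user }}` group is created in the -17 hunk above, so it exists at this point. In `path: '{{ "~" + user | expanduser }}/.ssh'` the filter binds to `user` alone (Jinja filters bind tighter than `+`), so the `~user` form presumably only works because the file module's own path handling expands it; `user_home`, registered just above the -17 hunk, looks like the intended source for the home directory — confirm.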
@@ -57,7 +57,7 @@
 limit_item: nofile
 value: '65535'
 
-# Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory = 1
+# Increase max_user_watches
 # View with sysctl -a |grep max_user_watches (default on debian is 8192)
 - name: Increase fs.inotify.max_user_watches in /etc/sysctl.conf
 sysctl:
diff --git a/server/tasks/main.yml b/server/tasks/main.yml
index 096adeb..d61a7f4 100644
--- a/server/tasks/main.yml
+++ b/server/tasks/main.yml
@@ -1,12 +1,13 @@
 ---
-# Any server (OS agnostic)
-# ------------------------------------------------------------------------------
-- name: Configure any server (OS agnostic)
- include_tasks: agnostic/main.yml
-
-
 # Debian server
+# Run first to install base software required for agnostic/main.yml
 # ------------------------------------------------------------------------------
 - name: Configure debian/ubuntu server
 include_tasks: debian/main.yml
 when: ansible_os_family == "Debian"
+
+
+# Any server (OS agnostic)
+# ------------------------------------------------------------------------------
+- name: Configure any server (OS agnostic)
+ include_tasks: agnostic/main.yml
diff --git a/system/supervisor/tasks/main.yml b/system/supervisor/tasks/main.yml
new file mode 100644
index 0000000..e7a5b89
--- /dev/null
+++ b/system/supervisor/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Installing supervisor
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - supervisor
diff --git a/virt/opennebula-5.10-controller/tasks/main.yml b/virt/opennebula-5.10-controller/tasks/main.yml
index ba0b372..4c72bd9 100644
--- a/virt/opennebula-5.10-controller/tasks/main.yml
+++ b/virt/opennebula-5.10-controller/tasks/main.yml
@@ -31,6 +31,33 @@
 # NOTE: OpenNebula daemons do NOT start after install, contrary to how most other debian packages behave.
 # This is good as we want to set passwords and other configurations before we start OpenNebula for the first time.
 
+# Set permissions on /var/lib/one folder
+- name: Ensuring permissions on /var/lib/one directory
+ file:
+ path: /var/lib/one
+ state: directory
+ owner: oneadmin
+ group: oneadmin
+ mode: '0755'
+
+# Create /var/lib/one/.ssh folder
+- name: Creating /var/lib/one/.ssh directory
+ file:
+ path: /var/lib/one/.ssh
+ state: directory
+ owner: oneadmin
+ group: oneadmin
+ mode: '0755'
+
+# Create /var/log/one folder or the daemon will not start
+- name: Creating /var/log/one directory
+ file:
+ path: /var/log/one
+ state: directory
+ owner: oneadmin
+ group: oneadmin
+ mode: '0755'
+
 # Copy ssh client config for oneadmin user
 - name: Copying oneadmin SSH client config
 copy:
diff --git a/virt/opennebula-5.10-kvm-node/files/libvirtd.conf b/virt/opennebula-5.10-kvm-node/files/libvirtd-debian10.conf
similarity index 100%
rename from virt/opennebula-5.10-kvm-node/files/libvirtd.conf
rename to virt/opennebula-5.10-kvm-node/files/libvirtd-debian10.conf
diff --git a/virt/opennebula-5.10-kvm-node/files/libvirtd-debian9.conf b/virt/opennebula-5.10-kvm-node/files/libvirtd-debian9.conf
new file mode 100644
index 0000000..7a5d77d
--- /dev/null
+++ b/virt/opennebula-5.10-kvm-node/files/libvirtd-debian9.conf
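Review bot: `Creating /var/lib/one/.ssh directory` sets `mode: '0755'`, which leaves oneadmin's SSH directory readable and traversable by every local user on the controller; change it to `mode: '0700'`. The sibling tasks for `/var/lib/one` and `/var/log/one` at 0755 are fine. `file` with `state: directory` is not recursive, so the `Copying oneadmin SSH client config` task that follows (its body is cut off at the end of the hunk) should set `owner` and `mode` on the config file itself — ssh refuses a user config file that is writable by others.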
@@ -0,0 +1,469 @@ +# Master libvirt daemon configuration file +# +# For further information consult http://libvirt.org/format.html +# +# NOTE: the tests/daemon-conf regression test script requires +# that each "PARAMETER = VALUE" line in this file have the parameter +# name just after a leading "#". + +################################################################# +# +# Network connectivity controls +# + +# Flag listening for secure TLS connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# It is necessary to setup a CA and issue server certificates before +# using this capability. +# +# This is enabled by default, uncomment this to disable it +#listen_tls = 0 + +# Listen for unencrypted TCP connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# Using the TCP socket requires SASL authentication by default. Only +# SASL mechanisms which support data encryption are allowed. This is +# DIGEST_MD5 and GSSAPI (Kerberos5) +# +# This is disabled by default, uncomment this to enable it. +#listen_tcp = 1 + + + +# Override the port for accepting secure TLS connections +# This can be a port number, or service name +# +#tls_port = "16514" + +# Override the port for accepting insecure TCP connections +# This can be a port number, or service name +# +#tcp_port = "16509" + + +# Override the default configuration which binds to all network +# interfaces. This can be a numeric IPv4/6 address, or hostname +# +# If the libvirtd service is started in parallel with network +# startup (e.g. with systemd), binding to addresses other than +# the wildcards (0.0.0.0/::) might not be available yet. +# +#listen_addr = "192.168.0.1" + + +# Flag toggling mDNS advertizement of the libvirt service. 
+# +# Alternatively can disable for all services on a host by +# stopping the Avahi daemon +# +# This is disabled by default, uncomment this to enable it +#mdns_adv = 1 + +# Override the default mDNS advertizement name. This must be +# unique on the immediate broadcast network. +# +# The default is "Virtualization Host HOSTNAME", where HOSTNAME +# is substituted for the short hostname of the machine (without domain) +# +#mdns_name = "Virtualization Host Joe Demo" + + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This is restricted to 'root' by default. +#unix_sock_group = "libvirt" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +#unix_sock_ro_perms = "0777" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +#unix_sock_rw_perms = "0770" + +# Set the UNIX socket permissions for the admin interface socket. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +#unix_sock_dir = "/var/run/libvirt" + + + +################################################################# +# +# Authentication. +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. 
This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# +# Set an authentication scheme for UNIX read-only sockets +# By default socket permissions allow anyone to connect +# +# To restrict monitoring of domains you may wish to enable +# an authentication mechanism here +auth_unix_ro = "none" + +# Set an authentication scheme for UNIX read-write sockets +# By default socket permissions only allow root. If PolicyKit +# support was compiled into libvirt, the default will be to +# use 'polkit' auth. +# +# If the unix_sock_rw_perms are changed you may wish to enable +# an authentication mechanism here +auth_unix_rw = "none" + +# Change the authentication scheme for TCP sockets. +# +# If you don't enable SASL, then all TCP traffic is cleartext. +# Don't do this outside of a dev/test scenario. For real world +# use, always enable SASL and use the GSSAPI or DIGEST-MD5 +# mechanism in /etc/sasl2/libvirt.conf +#auth_tcp = "sasl" + +# Change the authentication scheme for TLS sockets. 
+# +# TLS sockets already have encryption provided by the TLS +# layer, and limited authentication is done by certificates +# +# It is possible to make use of any SASL authentication +# mechanism as well, by using 'sasl' for this option +#auth_tls = "none" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with libvirtd +# +#access_drivers = [ "polkit" ] + +################################################################# +# +# TLS x509 certificate configuration +# + + +# Override the default server key file path +# +#key_file = "/etc/pki/libvirt/private/serverkey.pem" + +# Override the default server certificate file path +# +#cert_file = "/etc/pki/libvirt/servercert.pem" + +# Override the default CA certificate path +# +#ca_file = "/etc/pki/CA/cacert.pem" + +# Specify a certificate revocation list. +# +# Defaults to not using a CRL, uncomment to enable it +#crl_file = "/etc/pki/CA/crl.pem" + + + +################################################################# +# +# Authorization controls +# + + +# Flag to disable verification of our own server certificates +# +# When libvirtd starts it performs some sanity checks against +# its own certificates. +# +# Default is to always run sanity checks. Uncommenting this +# will disable sanity checks which is not a good idea +#tls_no_sanity_certificate = 1 + +# Flag to disable verification of client certificates +# +# Client certificate verification is the primary authentication mechanism. +# Any client which does not present a certificate signed by the CA +# will be rejected. +# +# Default is to always verify. 
Uncommenting this will disable +# verification - make sure an IP whitelist is set +#tls_no_verify_certificate = 1 + + +# A whitelist of allowed x509 Distinguished Names +# This list may contain wildcards such as +# +# "C=GB,ST=London,L=London,O=Red Hat,CN=*" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no DN's are checked +#tls_allowed_dn_list = ["DN1", "DN2"] + + +# A whitelist of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +# Override the compile time default TLS priority string. The +# default is usually "NORMAL" unless overridden at build time. +# Only set this is it is desired for libvirt to deviate from +# the global default settings. +# +#tls_priority="NORMAL" + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. 
+#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Total global limit on concurrent RPC calls. Should be +# at least as large as max_workers. Beyond this, RPC requests +# will be read into memory and queued. This directly impacts +# memory usage, currently each request requires 256 KB of +# memory. So by default up to 5 MB of memory is used +# +# XXX this isn't actually enforced yet, only the per-client +# limit is used so far +#max_requests = 20 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_requests +# and max_workers parameter +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# Note: Journald may employ rate limiting of the messages logged +# and thus lock up the libvirt daemon. To use the debug level with +# journald you have to specify it explicitly in 'log_outputs', otherwise +# only information level messages will be logged. 
+#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs +# The format for a filter is one of: +# x:name +# x:+name + +# where name is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json" (the name in the +# filter can be a substring of the full category name, in order +# to match multiple similar categories), the optional "+" prefix +# tells libvirt to log stack trace for each message matching +# name, and x is the minimal level where matching messages should +# be logged: + +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @filters, they just need to be +# separated by spaces. +# +# e.g. to only get warning or errors from the remote layer and only errors +# from the event layer: +#log_filters="3:remote 4:event" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# x:stderr +# output goes to stderr +# x:syslog:name +# use syslog for the output and use the given name as the ident +# x:file:file_path +# output to a file, with the given filepath +# x:journald +# output to journald logging system +# In all case the x prefix is the minimal level, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the libvirtd ident: +#log_outputs="3:syslog:libvirtd" +# + +# Log debug buffer size: +# +# This configuration option is no longer used, since the global +# log buffer functionality has been removed. Please configure +# suitable log_outputs/log_filters settings to obtain logs. 
+#log_buffer_size = 64 + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows libvirtd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. 
In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, libvirtd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 diff --git a/virt/opennebula-5.10-kvm-node/files/original/libvirtd.conf b/virt/opennebula-5.10-kvm-node/files/original/libvirtd-debian10.conf similarity index 100% rename from virt/opennebula-5.10-kvm-node/files/original/libvirtd.conf rename to virt/opennebula-5.10-kvm-node/files/original/libvirtd-debian10.conf diff --git a/virt/opennebula-5.10-kvm-node/files/original/libvirtd-debian9.conf b/virt/opennebula-5.10-kvm-node/files/original/libvirtd-debian9.conf new file mode 100644 index 0000000..8466616 --- /dev/null +++ b/virt/opennebula-5.10-kvm-node/files/original/libvirtd-debian9.conf 
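Review bot: The only effective difference visible between this libvirtd-debian9.conf and the `original/libvirtd-debian9.conf` copy added right after it is that `auth_unix_ro = "none"` and `auth_unix_rw = "none"` are uncommented, and nothing in the file records that local change. With `auth_unix_rw = "none"`, access to the read-write socket is decided only by the socket's ownership and mode, yet `#unix_sock_group = "libvirt"` and `#unix_sock_rw_perms = "0770"` are left commented here, so the effective access model depends on whatever the Debian 9 package or its socket unit supplies, which this diff does not show. I would add a header comment, e.g. `# Local changes vs. upstream: auth_unix_ro and auth_unix_rw set to "none"; access is controlled by unix_sock_group/unix_sock_rw_perms, set explicitly below`, and set those two keys explicitly rather than inheriting defaults so the decision is reviewable. If polkit is compiled into the Debian build, uncommenting `auth_unix_rw` also drops the polkit check the file's own comment describes as the default for the read-write socket, which belongs in the same header.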
@@ -0,0 +1,469 @@ +# Master libvirt daemon configuration file +# +# For further information consult http://libvirt.org/format.html +# +# NOTE: the tests/daemon-conf regression test script requires +# that each "PARAMETER = VALUE" line in this file have the parameter +# name just after a leading "#". + +################################################################# +# +# Network connectivity controls +# + +# Flag listening for secure TLS connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# It is necessary to setup a CA and issue server certificates before +# using this capability. +# +# This is enabled by default, uncomment this to disable it +#listen_tls = 0 + +# Listen for unencrypted TCP connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# Using the TCP socket requires SASL authentication by default. Only +# SASL mechanisms which support data encryption are allowed. This is +# DIGEST_MD5 and GSSAPI (Kerberos5) +# +# This is disabled by default, uncomment this to enable it. +#listen_tcp = 1 + + + +# Override the port for accepting secure TLS connections +# This can be a port number, or service name +# +#tls_port = "16514" + +# Override the port for accepting insecure TCP connections +# This can be a port number, or service name +# +#tcp_port = "16509" + + +# Override the default configuration which binds to all network +# interfaces. This can be a numeric IPv4/6 address, or hostname +# +# If the libvirtd service is started in parallel with network +# startup (e.g. with systemd), binding to addresses other than +# the wildcards (0.0.0.0/::) might not be available yet. +# +#listen_addr = "192.168.0.1" + + +# Flag toggling mDNS advertizement of the libvirt service. 
+# +# Alternatively can disable for all services on a host by +# stopping the Avahi daemon +# +# This is disabled by default, uncomment this to enable it +#mdns_adv = 1 + +# Override the default mDNS advertizement name. This must be +# unique on the immediate broadcast network. +# +# The default is "Virtualization Host HOSTNAME", where HOSTNAME +# is substituted for the short hostname of the machine (without domain) +# +#mdns_name = "Virtualization Host Joe Demo" + + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This is restricted to 'root' by default. +#unix_sock_group = "libvirt" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +#unix_sock_ro_perms = "0777" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +#unix_sock_rw_perms = "0770" + +# Set the UNIX socket permissions for the admin interface socket. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +#unix_sock_dir = "/var/run/libvirt" + + + +################################################################# +# +# Authentication. +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. 
This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# +# Set an authentication scheme for UNIX read-only sockets +# By default socket permissions allow anyone to connect +# +# To restrict monitoring of domains you may wish to enable +# an authentication mechanism here +#auth_unix_ro = "none" + +# Set an authentication scheme for UNIX read-write sockets +# By default socket permissions only allow root. If PolicyKit +# support was compiled into libvirt, the default will be to +# use 'polkit' auth. +# +# If the unix_sock_rw_perms are changed you may wish to enable +# an authentication mechanism here +#auth_unix_rw = "none" + +# Change the authentication scheme for TCP sockets. +# +# If you don't enable SASL, then all TCP traffic is cleartext. +# Don't do this outside of a dev/test scenario. For real world +# use, always enable SASL and use the GSSAPI or DIGEST-MD5 +# mechanism in /etc/sasl2/libvirt.conf +#auth_tcp = "sasl" + +# Change the authentication scheme for TLS sockets. 
+# +# TLS sockets already have encryption provided by the TLS +# layer, and limited authentication is done by certificates +# +# It is possible to make use of any SASL authentication +# mechanism as well, by using 'sasl' for this option +#auth_tls = "none" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with libvirtd +# +#access_drivers = [ "polkit" ] + +################################################################# +# +# TLS x509 certificate configuration +# + + +# Override the default server key file path +# +#key_file = "/etc/pki/libvirt/private/serverkey.pem" + +# Override the default server certificate file path +# +#cert_file = "/etc/pki/libvirt/servercert.pem" + +# Override the default CA certificate path +# +#ca_file = "/etc/pki/CA/cacert.pem" + +# Specify a certificate revocation list. +# +# Defaults to not using a CRL, uncomment to enable it +#crl_file = "/etc/pki/CA/crl.pem" + + + +################################################################# +# +# Authorization controls +# + + +# Flag to disable verification of our own server certificates +# +# When libvirtd starts it performs some sanity checks against +# its own certificates. +# +# Default is to always run sanity checks. Uncommenting this +# will disable sanity checks which is not a good idea +#tls_no_sanity_certificate = 1 + +# Flag to disable verification of client certificates +# +# Client certificate verification is the primary authentication mechanism. +# Any client which does not present a certificate signed by the CA +# will be rejected. +# +# Default is to always verify. 
Uncommenting this will disable +# verification - make sure an IP whitelist is set +#tls_no_verify_certificate = 1 + + +# A whitelist of allowed x509 Distinguished Names +# This list may contain wildcards such as +# +# "C=GB,ST=London,L=London,O=Red Hat,CN=*" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no DN's are checked +#tls_allowed_dn_list = ["DN1", "DN2"] + + +# A whitelist of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +# Override the compile time default TLS priority string. The +# default is usually "NORMAL" unless overridden at build time. +# Only set this is it is desired for libvirt to deviate from +# the global default settings. +# +#tls_priority="NORMAL" + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. 
+#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Total global limit on concurrent RPC calls. Should be +# at least as large as max_workers. Beyond this, RPC requests +# will be read into memory and queued. This directly impacts +# memory usage, currently each request requires 256 KB of +# memory. So by default up to 5 MB of memory is used +# +# XXX this isn't actually enforced yet, only the per-client +# limit is used so far +#max_requests = 20 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_requests +# and max_workers parameter +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# Note: Journald may employ rate limiting of the messages logged +# and thus lock up the libvirt daemon. To use the debug level with +# journald you have to specify it explicitly in 'log_outputs', otherwise +# only information level messages will be logged. 
+#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs +# The format for a filter is one of: +# x:name +# x:+name + +# where name is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json" (the name in the +# filter can be a substring of the full category name, in order +# to match multiple similar categories), the optional "+" prefix +# tells libvirt to log stack trace for each message matching +# name, and x is the minimal level where matching messages should +# be logged: + +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @filters, they just need to be +# separated by spaces. +# +# e.g. to only get warning or errors from the remote layer and only errors +# from the event layer: +#log_filters="3:remote 4:event" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# x:stderr +# output goes to stderr +# x:syslog:name +# use syslog for the output and use the given name as the ident +# x:file:file_path +# output to a file, with the given filepath +# x:journald +# output to journald logging system +# In all case the x prefix is the minimal level, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the libvirtd ident: +#log_outputs="3:syslog:libvirtd" +# + +# Log debug buffer size: +# +# This configuration option is no longer used, since the global +# log buffer functionality has been removed. Please configure +# suitable log_outputs/log_filters settings to obtain logs. 
+#log_buffer_size = 64 + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows libvirtd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. 
In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, libvirtd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 diff --git a/virt/opennebula-5.10-kvm-node/tasks/main.yml b/virt/opennebula-5.10-kvm-node/tasks/main.yml index fcc86f0..8948cb1 100644 --- a/virt/opennebula-5.10-kvm-node/tasks/main.yml +++ b/virt/opennebula-5.10-kvm-node/tasks/main.yml 
@@ -19,15 +19,54 @@
     name: opennebula-node
   notify: restart libvirtd
 
-# Copy /etc/libvirt/libvirt.conf to bypass polkit socker permissions
+# Copy /etc/libvirt/libvirt.conf to bypass polkit socket permissions
 - name: Copying libvirtd.conf
   copy:
-    src: 'files/libvirtd.conf'
+    src: 'libvirtd-debian10.conf'
     dest: '/etc/libvirt/libvirtd.conf'
     owner: 'root'
     group: 'root'
     mode: 0644
   notify: restart libvirtd
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+# Copy /etc/libvirt/libvirt.conf to bypass polkit socker permissions
+- name: Copying libvirtd.conf
+  copy:
+    src: 'libvirtd-debian9.conf'
+    dest: '/etc/libvirt/libvirtd.conf'
+    owner: 'root'
+    group: 'root'
+    mode: 0644
+  notify: restart libvirtd
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+# Set permissions on /var/lib/one folder
+- name: Ensuring permissions on /var/lib/one directory
+  file:
+    path: /var/lib/one
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Create /var/lib/one/.ssh folder
+- name: Creating /var/lib/one/.ssh directory
+  file:
+    path: /var/lib/one/.ssh
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Create /var/log/one folder or the daemon will not start
+- name: Creating /var/log/one directory
+  file:
+    path: /var/log/one
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
 
 # Copy ssh client config for oneadmin user
 - name: Copying oneadmin SSH client config
diff --git a/virt/opennebula-5.8-controller/files/ssh.config b/virt/opennebula-5.8-controller/files/ssh.config
new file mode 100644
index 0000000..a65775d
--- /dev/null
+++ b/virt/opennebula-5.8-controller/files/ssh.config
@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null
diff --git a/virt/opennebula-5.8-controller/tasks/main.yml b/virt/opennebula-5.8-controller/tasks/main.yml
index 3ff8a6e..56f78a6 100644
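Review bot: The `Creating /var/lib/one/.ssh directory` task sets `mode: '0755'` on the oneadmin `.ssh` directory; OpenSSH's conventional mode for a `.ssh` directory is `0700`, nothing in this role needs it readable by other users, and since the following task places a client config inside it, `mode: '0700'` is the safer choice — the same `'0755'` is used for `/var/lib/one/.ssh` in the opennebula-5.8-controller and opennebula-5.8-kvm-node hunks below. The two `copy` tasks for libvirtd.conf also keep an unquoted `mode: 0644` while every `file` task in the hunk quotes its mode; both forms are accepted by Ansible because the leading zero makes YAML read the value as octal, but quoting keeps it a string and matches the `'0755'` style of the rest of the hunk, so `mode: '0644'`. The second copied comment still carries the `socker` typo that the first comment fixes.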
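Review bot: `StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null` turns off host-key verification for every SSH connection the oneadmin account makes, not only the ones Ansible drives, so OpenNebula's own oneadmin-to-hypervisor traffic is left with no protection against a substituted host; the same three lines are added for opennebula-5.8-kvm-node in a hunk below. If the aim is only to avoid hand-maintaining known_hosts, the lower-risk route is to have the playbook distribute the hypervisor host keys with the `known_hosts` module and keep verification on, or at least to scope these two settings to a `Host` block naming the hypervisor nodes. The comment should also say what is actually being traded away, e.g. `# Disables host-key verification for ALL oneadmin SSH connections, not just Ansible's`.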
--- a/virt/opennebula-5.8-controller/tasks/main.yml
+++ b/virt/opennebula-5.8-controller/tasks/main.yml
@@ -25,3 +25,39 @@
 # NOTE: OpenNebula daemons do NOT start after install, contrary to how most other debian packages behave.
 # This is good as we want to set passwords and other configurations before we start OpenNebula for the first time.
 
+
+# Set permissions on /var/lib/one folder
+- name: Ensuring permissions on /var/lib/one directory
+  file:
+    path: /var/lib/one
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Create /var/lib/one/.ssh folder
+- name: Creating /var/lib/one/.ssh directory
+  file:
+    path: /var/lib/one/.ssh
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Create /var/log/one folder or the daemon will not start
+- name: Creating /var/log/one directory
+  file:
+    path: /var/log/one
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Copy ssh client config for oneadmin user
+- name: Copying oneadmin SSH client config
+  copy:
+    src: 'files/ssh.config'
+    dest: '/var/lib/one/.ssh/config'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0644
diff --git a/virt/opennebula-5.8-kvm-node/files/ssh.config b/virt/opennebula-5.8-kvm-node/files/ssh.config
new file mode 100644
index 0000000..a65775d
--- /dev/null
+++ b/virt/opennebula-5.8-kvm-node/files/ssh.config
@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null
diff --git a/virt/opennebula-5.8-kvm-node/tasks/main.yml b/virt/opennebula-5.8-kvm-node/tasks/main.yml
index 3f8850f..094c3ab 100644
--- a/virt/opennebula-5.8-kvm-node/tasks/main.yml
+++ b/virt/opennebula-5.8-kvm-node/tasks/main.yml
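Review bot: The new `Copying oneadmin SSH client config` task uses `src: 'files/ssh.config'`, while the opennebula-5.10-kvm-node hunk in this same commit replaces that form with a bare filename (`src: 'libvirtd-debian10.conf'`); Ansible's `copy` already resolves `src` against the role's `files/` directory, so `src: 'ssh.config'` works and keeps the roles consistent. That task's `mode: 0644` is also the only unquoted mode in the hunk; `mode: '0644'` would match the `'0755'` style of the three `file` tasks above it.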
@@ -7,6 +7,11 @@
   apt_repository: repo='deb https://downloads.opennebula.org/repo/5.8/Debian/9 stable opennebula' state=present
   when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
 
+# NO, OpenNebula 5.8 never had a debian 10 repo, does not work with debian 10
+# - name: Adding Debian 10 OpenNebula repository
+#   apt_repository: repo='deb https://downloads.opennebula.org/repo/5.8/Debian/10 stable opennebula' state=present
+#   when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
 # Install OpenNebula
 - name: Installing OpenNebula controller applications
   apt:
@@ -14,3 +19,39 @@
     state: present
     name: opennebula-node
   notify: restart libvirtd
+
+# Set permissions on /var/lib/one folder
+- name: Ensuring permissions on /var/lib/one directory
+  file:
+    path: /var/lib/one
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Create /var/lib/one/.ssh folder
+- name: Creating /var/lib/one/.ssh directory
+  file:
+    path: /var/lib/one/.ssh
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Create /var/log/one folder or the daemon will not start
+- name: Creating /var/log/one directory
+  file:
+    path: /var/log/one
+    state: directory
+    owner: oneadmin
+    group: oneadmin
+    mode: '0755'
+
+# Copy ssh client config for oneadmin user
+- name: Copying oneadmin SSH client config
+  copy:
+    src: 'files/ssh.config'
+    dest: '/var/lib/one/.ssh/config'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0644
diff --git a/web/haproxy/handlers/main.yml b/web/haproxy/handlers/main.yml
index e8df446..bdaaec2 100644
--- a/web/haproxy/handlers/main.yml
+++ b/web/haproxy/handlers/main.yml
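Review bot: The commented-out Debian 10 repository task leaves the role with no guard for Debian 10: the repository task is skipped there, but the `Installing OpenNebula controller applications` task that follows shows no `when` in the visible context (one of its lines falls between the two hunks) and so still tries to install `opennebula-node` from whatever repositories the host already has. Rather than carrying dead YAML, the note is better expressed as a fail-fast check placed before the install, e.g. `- name: Asserting a supported Debian release` / `assert:` / `that: ansible_distribution_major_version == "9"`, which turns the unsupported case into an explicit error instead of an apt failure or an unintended package. The `apt:` task starts in this hunk and continues outside it.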
@@ -1,9 +1,9 @@
 ---
 - name: restart haproxy
-  service: name=haproxy state=restarted
+  service: name=haproxy enabled=yes state=restarted
 
 - name: reload haproxy
-  service: name=haproxy state=reloaded
+  service: name=haproxy enabled=yes state=reloaded
 
 - name: restart rsyslog
-  service: name=rsyslog state=restarted
+  service: name=rsyslog enabled=yes state=restarted
diff --git a/web/kong-2.0.3/files/original/kong.conf.default b/web/kong-2.0.3/files/original/kong.conf.default
new file mode 100644
index 0000000..45910ce
--- /dev/null
+++ b/web/kong-2.0.3/files/original/kong.conf.default
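Review bot: Putting `enabled=yes` on the three handlers makes boot enablement a side effect of a notification: a host whose haproxy or rsyslog configuration did not change on a run never has the unit enabled, and one whose configuration did change gets it enabled only when the handler phase runs. Enablement is steady state and belongs in a task that runs on every play, e.g. `service: name=haproxy enabled=yes` (and likewise for rsyslog) in the role's tasks, leaving the handlers to `state=restarted`/`state=reloaded` only. As a style point, these handlers stay in the `key=value` argument-string form while the task files in this commit use block YAML (`service:` with `name:` and `state:` keys beneath it), which is the form the Ansible docs prefer.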
@@ -0,0 +1,1070 @@ +# ----------------------- +# Kong configuration file +# ----------------------- +# +# The commented-out settings shown in this file represent the default values. +# +# This file is read when `kong start` or `kong prepare` are used. Kong +# generates the Nginx configuration with the settings specified in this file. +# +# All environment variables prefixed with `KONG_` and capitalized will override +# the settings specified in this file. +# Example: +# `log_level` setting -> `KONG_LOG_LEVEL` env variable +# +# Boolean values can be specified as `on`/`off` or `true`/`false`. +# Lists must be specified as comma-separated strings. +# +# All comments in this file can be removed safely, including the +# commented-out properties. +# You can verify the integrity of your settings with `kong check `. + +#------------------------------------------------------------------------------ +# GENERAL +#------------------------------------------------------------------------------ + +#prefix = /usr/local/kong/ # Working directory. Equivalent to Nginx's + # prefix path, containing temporary files + # and logs. + # Each Kong process must have a separate + # working directory. + +#log_level = notice # Log level of the Nginx server. Logs are + # found at `/logs/error.log`. + +# See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list +# of accepted values. + +#proxy_access_log = logs/access.log # Path for proxy port request access + # logs. Set this value to `off` to + # disable logging proxy requests. + # If this value is a relative path, + # it will be placed under the + # `prefix` location. + +#proxy_error_log = logs/error.log # Path for proxy port request error + # logs. The granularity of these logs + # is adjusted by the `log_level` + # property. + +#admin_access_log = logs/admin_access.log # Path for Admin API request access + # logs. Set this value to `off` to + # disable logging Admin API requests. 
+ # If this value is a relative path, + # it will be placed under the + # `prefix` location. + +#admin_error_log = logs/error.log # Path for Admin API request error + # logs. The granularity of these logs + # is adjusted by the `log_level` + # property. + +#status_access_log = off # Path for Status API request access + # logs. The default value of `off` + # implies that loggin for this API + # is disabled by default. + # If this value is a relative path, + # it will be placed under the + # `prefix` location. + +#status_error_log = logs/status_error.log # Path for Status API request error + # logs. The granularity of these logs + # is adjusted by the `log_level` + # property. + +#plugins = bundled # Comma-separated list of plugins this node + # should load. By default, only plugins + # bundled in official distributions are + # loaded via the `bundled` keyword. + # + # Loading a plugin does not enable it by + # default, but only instructs Kong to load its + # source code, and allows to configure the + # plugin via the various related Admin API + # endpoints. + # + # The specified name(s) will be substituted as + # such in the Lua namespace: + # `kong.plugins.{name}.*`. + # + # When the `off` keyword is specified as the + # only value, no plugins will be loaded. + # + # `bundled` and plugin names can be mixed + # together, as the following examples suggest: + # + # - `plugins = bundled,custom-auth,custom-log` + # will include the bundled plugins plus two + # custom ones + # - `plugins = custom-auth,custom-log` will + # *only* include the `custom-auth` and + # `custom-log` plugins. + # - `plugins = off` will not include any + # plugins + # + # **Note:** Kong will not start if some + # plugins were previously configured (i.e. + # have rows in the database) and are not + # specified in this list. Before disabling a + # plugin, ensure all instances of it are + # removed before restarting Kong. 
+ # + # **Note:** Limiting the amount of available + # plugins can improve P99 latency when + # experiencing LRU churning in the database + # cache (i.e. when the configured + # `mem_cache_size`) is full. + +#go_pluginserver_exe = /usr/local/bin/go-pluginserver + # Path for the go-pluginserver executable, + # used for running Kong plugins written in Go. + +#go_plugins_dir = off # Directory for installing Kong plugins + # written in Go. + # + # This value can be set to `off`, thus disabling + # the plugin server and Go plugin loading. + +#anonymous_reports = on # Send anonymous usage data such as error + # stack traces to help improve Kong. + +#------------------------------------------------------------------------------ +# HYBRID MODE +#------------------------------------------------------------------------------ + +#role = traditional # Use this setting to enable Hybrid Mode, + # This allows running some Kong nodes in a + # control plane role with a database and + # have them deliver configuration updates + # to other nodes running to DB-less running in + # a Data Plane role. + # + # Valid values to this setting are: + # + # - `traditional`: do not use Hybrid Mode. + # - `control_plane`: this node runs in a + # control plane role. It can use a database + # and will deliver configuration updates + # to data plane nodes. + # - `data_plane`: this is a data plane node. + # It runs DB-less and receives configuration + # updates from a control plane node. + +#cluster_cert = # Filename of the cluster certificate to use + # when establishing secure communication + # between control and data plane nodes. + # You can use the `kong hybrid` command to + # generate the certificate/key pair. + +#cluster_cert_key = # Filename of the cluster certificate key to + # use when establishing secure communication + # between control and data plane nodes. + # You can use the `kong hybrid` command to + # generate the certificate/key pair. 
+ +#cluster_control_plane = # To be used by data plane nodes only: + # address of the control plane node from + # which configuration updates will be fetched, + # in `host:port` format. + +#cluster_listen = 0.0.0.0:8005 + # Comma-separated list of addresses and ports on + # which the cluster control plane server should listen + # for data plane connections. + # The cluster communication port of the control plane + # must be accessible by all the data planes + # within the same cluster. This port is mTLS protected + # to ensure end-to-end security and integrity. + # + # This setting has no effect if `role` is not set to + # `control_plane`. + +#------------------------------------------------------------------------------ +# NGINX +#------------------------------------------------------------------------------ + +#proxy_listen = 0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384 + # Comma-separated list of addresses and ports on + # which the proxy server should listen for + # HTTP/HTTPS traffic. + # The proxy server is the public entry point of Kong, + # which proxies traffic from your consumers to your + # backend services. This value accepts IPv4, IPv6, and + # hostnames. + # + # Some suffixes can be specified for each pair: + # + # - `ssl` will require that all connections made + # through a particular address/port be made with TLS + # enabled. + # - `http2` will allow for clients to open HTTP/2 + # connections to Kong's proxy server. + # - `proxy_protocol` will enable usage of the + # PROXY protocol for a given address/port. + # - `deferred` instructs to use a deferred accept on + # Linux (the TCP_DEFER_ACCEPT socket option). + # - `bind` instructs to make a separate bind() call + # for a given address:port pair. 
+ # - `reuseport` instructs to create an individual + # listening socket for each worker process + # allowing the Kernel to better distribute incoming + # connections between worker processes + # - `backlog=N` sets the maximum length for the queue + # of pending TCP connections. This number should + # not be too small in order to prevent clients + # seeing "Connection refused" error connecting to + # a busy Kong instance. + # **Note:** on Linux, this value is limited by the + # setting of `net.core.somaxconn` Kernel parameter. + # In order for the larger `backlog` set here to take + # effect it is necessary to raise + # `net.core.somaxconn` at the same time to match or + # exceed the `backlog` number set. + # + # This value can be set to `off`, thus disabling + # the HTTP/HTTPS proxy port for this node. + # If stream_listen is also set to `off`, this enables + # 'control-plane' mode for this node + # (in which all traffic proxying capabilities are + # disabled). This node can then be used only to + # configure a cluster of Kong + # nodes connected to the same datastore. + # + # Example: + # `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl` + # + # See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen + # for a description of the accepted formats for this + # and other `*_listen` values. + # + # See https://www.nginx.com/resources/admin-guide/proxy-protocol/ + # for more details about the `proxy_protocol` + # parameter. + # + # Not all `*_listen` values accept all formats + # specified in nginx's documentation. + +#stream_listen = off + # Comma-separated list of addresses and ports on + # which the stream mode should listen. + # + # This value accepts IPv4, IPv6, and hostnames. + # Some suffixes can be specified for each pair: + # - `ssl` will require that all connections made + # through a particular address/port be made with TLS + # enabled. + # - `proxy_protocol` will enable usage of the + # PROXY protocol for a given address/port. 
+ # - `bind` instructs to make a separate bind() call + # for a given address:port pair. + # - `reuseport` instructs to create an individual + # listening socket for each worker process + # allowing the Kernel to better distribute incoming + # connections between worker processes + # - `backlog=N` sets the maximum length for the queue + # of pending TCP connections. This number should + # not be too small in order to prevent clients + # seeing "Connection refused" error connecting to + # a busy Kong instance. + # **Note:** on Linux, this value is limited by the + # setting of `net.core.somaxconn` Kernel parameter. + # In order for the larger `backlog` set here to take + # effect it is necessary to raise + # `net.core.somaxconn` at the same time to match or + # exceed the `backlog` number set. + # + # **Note:** The `ssl` suffix is not supported, + # and each address/port will accept TCP with or + # without TLS enabled. + # + # Examples: + # + # ``` + # stream_listen = 127.0.0.1:7000 reuseport backlog=16384 + # stream_listen = 0.0.0.0:989 reuseport backlog=65536, 0.0.0.0:20 + # stream_listen = [::1]:1234 backlog=16384 + # ``` + # + # By default this value is set to `off`, thus + # disabling the stream proxy port for this node. + +# See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen +# for a description of the formats that Kong might accept in stream_listen. + +#admin_listen = 127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl reuseport backlog=16384 + # Comma-separated list of addresses and ports on + # which the Admin interface should listen. + # The Admin interface is the API allowing you to + # configure and manage Kong. + # Access to this interface should be *restricted* + # to Kong administrators *only*. This value accepts + # IPv4, IPv6, and hostnames. + # + # Some suffixes can be specified for each pair: + # + # - `ssl` will require that all connections made + # through a particular address/port be made with TLS + # enabled. 
+ # - `http2` will allow for clients to open HTTP/2 + # connections to Kong's proxy server. + # - `proxy_protocol` will enable usage of the + # PROXY protocol for a given address/port. + # - `deferred` instructs to use a deferred accept on + # Linux (the TCP_DEFER_ACCEPT socket option). + # - `bind` instructs to make a separate bind() call + # for a given address:port pair. + # - `reuseport` instructs to create an individual + # listening socket for each worker process + # allowing the Kernel to better distribute incoming + # connections between worker processes + # - `backlog=N` sets the maximum length for the queue + # of pending TCP connections. This number should + # not be too small in order to prevent clients + # seeing "Connection refused" error connecting to + # a busy Kong instance. + # **Note:** on Linux, this value is limited by the + # setting of `net.core.somaxconn` Kernel parameter. + # In order for the larger `backlog` set here to take + # effect it is necessary to raise + # `net.core.somaxconn` at the same time to match or + # exceed the `backlog` number set. + # + # This value can be set to `off`, thus disabling + # the Admin interface for this node, enabling a + # 'data-plane' mode (without configuration + # capabilities) pulling its configuration changes + # from the database. + # + # Example: `admin_listen = 127.0.0.1:8444 http2 ssl` + + #status_listen = off # Comma-separated list of addresses and ports on + # which the Status API should listen. + # The Status API is a read-only endpoint + # allowing monitoring tools to retrieve metrics, + # healthiness, and other non-sensitive information + # of the current Kong node. + # + # This value can be set to `off`, disabling + # the Status API for this node. + # + # Example: `status_listen = 0.0.0.0:8100` + + +#nginx_user = nobody nobody # Defines user and group credentials used by + # worker processes. If group is omitted, a + # group whose name equals that of user is + # used. 
+ # + # Example: `nginx_user = nginx www` + +#nginx_worker_processes = auto # Determines the number of worker processes + # spawned by Nginx. + # + # See http://nginx.org/en/docs/ngx_core_module.html#worker_processes + # for detailed usage of the equivalent Nginx + # directive and a description of accepted + # values. + +#nginx_daemon = on # Determines whether Nginx will run as a daemon + # or as a foreground process. Mainly useful + # for development or when running Kong inside + # a Docker environment. + # + # See http://nginx.org/en/docs/ngx_core_module.html#daemon. + +#mem_cache_size = 128m # Size of each of the two in-memory caches + # for database entities. The accepted units are + # `k` and `m`, with a minimum recommended value of + # a few MBs. + # + # **Note**: As this option controls the size of two + # different cache entries, the total memory Kong + # uses to cache entities might be double this value. + +#ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx. + # Accepted values are `modern`, + # `intermediate`, `old`, or `custom`. + # + # See https://wiki.mozilla.org/Security/Server_Side_TLS + # for detailed descriptions of each cipher + # suite. + +#ssl_ciphers = # Defines a custom list of TLS ciphers to be + # served by Nginx. This list must conform to + # the pattern defined by `openssl ciphers`. + # This value is ignored if `ssl_cipher_suite` + # is not `custom`. + +#ssl_cert = # The absolute path to the SSL certificate for + # `proxy_listen` values with SSL enabled. + +#ssl_cert_key = # The absolute path to the SSL key for + # `proxy_listen` values with SSL enabled. + +#client_ssl = off # Determines if Nginx should send client-side + # SSL certificates when proxying requests. + +#client_ssl_cert = # If `client_ssl` is enabled, the absolute + # path to the client SSL certificate for the + # `proxy_ssl_certificate` directive. 
Note that + # this value is statically defined on the + # node, and currently cannot be configured on + # a per-API basis. + +#client_ssl_cert_key = # If `client_ssl` is enabled, the absolute + # path to the client SSL key for the + # `proxy_ssl_certificate_key` address. Note + # this value is statically defined on the + # node, and currently cannot be configured on + # a per-API basis. + +#admin_ssl_cert = # The absolute path to the SSL certificate for + # `admin_listen` values with SSL enabled. + +#admin_ssl_cert_key = # The absolute path to the SSL key for + # `admin_listen` values with SSL enabled. + +#headers = server_tokens, latency_tokens + # Comma-separated list of headers Kong should + # inject in client responses. + # + # Accepted values are: + # - `Server`: Injects `Server: kong/x.y.z` + # on Kong-produced response (e.g. Admin + # API, rejected requests from auth plugin). + # - `Via`: Injects `Via: kong/x.y.z` for + # successfully proxied requests. + # - `X-Kong-Proxy-Latency`: Time taken + # (in milliseconds) by Kong to process + # a request and run all plugins before + # proxying the request upstream. + # - `X-Kong-Response-Latency`: time taken + # (in millisecond) by Kong to produce + # a response in case of e.g. plugin + # short-circuiting the request, or in + # in case of an error. + # - `X-Kong-Upstream-Latency`: Time taken + # (in milliseconds) by the upstream + # service to send response headers. + # - `X-Kong-Admin-Latency`: Time taken + # (in milliseconds) by Kong to process + # an Admin API request. + # - `X-Kong-Upstream-Status`: The HTTP status + # code returned by the upstream service. + # This is particularly useful for clients to + # distinguish upstream statuses if the + # response is rewritten by a plugin. + # - `server_tokens`: Same as specifying both + # `Server` and `Via`. 
+ # - `latency_tokens`: Same as specifying + # `X-Kong-Proxy-Latency`, + # `X-Kong-Response-Latency`, + # `X-Kong-Admin-Latency` and + # `X-Kong-Upstream-Latency` + # + # In addition to those, this value can be set + # to `off`, which prevents Kong from injecting + # any of the above headers. Note that this + # does not prevent plugins from injecting + # headers of their own. + # + # Example: `headers = via, latency_tokens` + +#trusted_ips = # Defines trusted IP addresses blocks that are + # known to send correct `X-Forwarded-*` + # headers. + # Requests from trusted IPs make Kong forward + # their `X-Forwarded-*` headers upstream. + # Non-trusted requests make Kong insert its + # own `X-Forwarded-*` headers. + # + # This property also sets the + # `set_real_ip_from` directive(s) in the Nginx + # configuration. It accepts the same type of + # values (CIDR blocks) but as a + # comma-separated list. + # + # To trust *all* /!\ IPs, set this value to + # `0.0.0.0/0,::/0`. + # + # If the special value `unix:` is specified, + # all UNIX-domain sockets will be trusted. + # + # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from + # for examples of accepted values. + +#real_ip_header = X-Real-IP # Defines the request header field whose value + # will be used to replace the client address. + # This value sets the `ngx_http_realip_module` + # directive of the same name in the Nginx + # configuration. + # + # If this value receives `proxy_protocol`: + # + # - at least one of the `proxy_listen` entries + # must have the `proxy_protocol` flag + # enabled. + # - the `proxy_protocol` parameter will be + # appended to the `listen` directive of the + # Nginx template. + # + # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header + # for a description of this directive. + +#real_ip_recursive = off # This value sets the `ngx_http_realip_module` + # directive of the same name in the Nginx + # configuration. 
+ #
+ # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
+ # for a description of this directive.
+
+#client_max_body_size = 0 # Defines the maximum request body size allowed
+ # by requests proxied by Kong, specified in
+ # the Content-Length request header. If a
+ # request exceeds this limit, Kong will
+ # respond with a 413 (Request Entity Too
+ # Large). Setting this value to 0 disables
+ # checking the request body size.
+
+# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
+# for further description of this parameter. Numeric values may be suffixed
+# with `k` or `m` to denote limits in terms of kilobytes or megabytes.
+
+#client_body_buffer_size = 8k # Defines the buffer size for reading the
+ # request body. If the client request body is
+ # larger than this value, the body will be
+ # buffered to disk. Note that when the body is
+ # buffered to disk Kong plugins that access or
+ # manipulate the request body may not work, so
+ # it is advisable to set this value as high as
+ # possible (e.g., set it as high as
+ # `client_max_body_size` to force request
+ # bodies to be kept in memory). Do note that
+ # high-concurrency environments will require
+ # significant memory allocations to process
+ # many concurrent large request bodies.
+
+# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
+# for further description of this parameter. Numeric values may be suffixed
+# with `k` or `m` to denote limits in terms of kilobytes or megabytes.
+
+#error_default_type = text/plain # Default MIME type to use when the request
+ # `Accept` header is missing and Nginx
+ # is returning an error for the request.
+ # Accepted values are `text/plain`,
+ # `text/html`, `application/json`, and
+ # `application/xml`.
+
+#------------------------------------------------------------------------------
+# NGINX injected directives
+#------------------------------------------------------------------------------
+
+# Nginx directives can be dynamically injected in the runtime nginx.conf file
+# without requiring a custom Nginx configuration template.
+#
+# All configuration properties respecting the naming scheme
+# `nginx__` will result in `` being injected in
+# the Nginx configuration block corresponding to the property's ``.
+# Example:
+# `nginx_proxy_large_client_header_buffers = 8 24k`
+#
+# Will inject the following directive in Kong's proxy `server {}` block:
+#
+# `large_client_header_buffers 8 24k;`
+#
+# The following namespaces are supported:
+#
+# - `nginx_main_`: Injects `` in Kong's configuration
+# `main` context.
+# - `nginx_events_`: Injects `` in Kong's `events {}`
+# block.
+# - `nginx_http_`: Injects `` in Kong's `http {}` block.
+# - `nginx_proxy_`: Injects `` in Kong's proxy
+# `server {}` block.
+# - `nginx_upstream_`: Injects `` in Kong's proxy
+# `upstream {}` block.
+# - `nginx_admin_`: Injects `` in Kong's Admin API
+# `server {}` block.
+# - `nginx_status_`: Injects `` in Kong's Status API
+# `server {}` block (only effective if `status_listen` is enabled).
+# - `nginx_stream_`: Injects `` in Kong's stream module
+# `stream {}` block (only effective if `stream_listen` is enabled).
+# - `nginx_sproxy_`: Injects `` in Kong's stream module
+# `server {}` block (only effective if `stream_listen` is enabled).
+# - `nginx_supstream_`: Injects `` in Kong's stream
+# module `upstream {}` block.
+#
+# As with other configuration properties, Nginx directives can be injected via
+# environment variables when capitalized and prefixed with `KONG_`.
+# Example:
+# `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`
+#
+# Will inject the following directive in Kong's `http {}` block:
+#
+# `ssl_protocols ;`
+#
+# If different sets of protocols are desired between the proxy and Admin API
+# server, you may specify `nginx_proxy_ssl_protocols` and/or
+# `nginx_admin_ssl_protocols`, both of which taking precedence over the
+# `http {}` block.
+
+#nginx_http_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
+ # Enables the specified protocols for
+ # client-side connections. The set of
+ # supported protocol versions also depends
+ # on the version of OpenSSL Kong was built
+ # with.
+ #
+ # This value is ignored if `ssl_cipher_suite`
+ # is not `custom`.
+ #
+ # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
+
+#nginx_http_ssl_prefer_server_ciphers = on
+ # Specifies that server ciphers should be
+ # preferred over client ciphers when using
+ # the SSLv3 and TLS protocols
+ #
+ # This value is ignored if `ssl_cipher_suite`
+ # is not `custom`.
+ #
+ # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
+
+#nginx_http_ssl_session_tickets = on
+ # Enables or disables session resumption through
+ # TLS session tickets. This is has no impact when
+ # used with TLSv1.3.
+ #
+ # Kong enables this by default for performance
+ # reasons, but it has security implications:
+ # https://github.com/mozilla/server-side-tls/issues/135
+ #
+ # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
+
+#nginx_http_ssl_session_timeout = 1d
+ # Specifies a time during which a client may
+ # reuse the session parameters.
See the rationale:
+ # https://github.com/mozilla/server-side-tls/issues/198
+ #
+ # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
+
+#nginx_upstream_keepalive = 60 # Sets the maximum number of idle keepalive
+ # connections to upstream servers that are
+ # preserved in the cache of each worker
+ # process. When this number is exceeded, the
+ # least recently used connections are closed.
+ # A value of `NONE` will disable this behavior
+ # altogether, forcing each upstream request
+ # to open a new connection.
+ # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+
+#nginx_upstream_keepalive_requests = 100
+ # Sets the maximum number of requests that can
+ # be served through one keepalive connection.
+ # After the maximum number of requests is
+ # made, the connection is closed.
+ # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_requests
+
+#nginx_upstream_keepalive_timeout = 60s
+ # Sets a timeout during which an idle
+ # keepalive connection to an upstream server
+ # will stay open.
+ # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout
+
+#------------------------------------------------------------------------------
+# DATASTORE
+#------------------------------------------------------------------------------
+
+# Kong can run with a database to store coordinated data between Kong nodes in
+# a cluster, or without a database, where each node stores its information
+# independently in memory.
+#
+# When using a database, Kong will store data for all its entities (such as
+# Routes, Services, Consumers, and Plugins) in either Cassandra or PostgreSQL,
+# and all Kong nodes belonging to the same cluster must connect themselves
+# to the same database.
+#
+# Kong supports the following database versions:
+# - **PostgreSQL**: 9.5 and above.
+# - **Cassandra**: 2.2 and above.
+#
+# When not using a database, Kong is said to be in "DB-less mode": it will keep
+# its entities in memory, and each node needs to have this data entered via a
+# declarative configuration file, which can be specified through the
+# `declarative_config` property, or via the Admin API using the `/config`
+# endpoint.
+
+#database = postgres # Determines which of PostgreSQL or Cassandra
+ # this node will use as its datastore.
+ # Accepted values are `postgres`,
+ # `cassandra`, and `off`.
+
+#pg_host = 127.0.0.1 # Host of the Postgres server.
+#pg_port = 5432 # Port of the Postgres server.
+#pg_timeout = 5000 # Defines the timeout (in ms), for connecting,
+ # reading and writing.
+
+#pg_user = kong # Postgres user.
+#pg_password = # Postgres user's password.
+#pg_database = kong # The database name to connect to.
+
+#pg_schema = # The database schema to use. If unspecified,
+ # Kong will respect the `search_path` value of
+ # your PostgreSQL instance.
+
+#pg_ssl = off # Toggles client-server TLS connections
+ # between Kong and PostgreSQL.
+
+#pg_ssl_verify = off # Toggles server certificate verification if
+ # `pg_ssl` is enabled.
+ # See the `lua_ssl_trusted_certificate`
+ # setting to specify a certificate authority.
+
+#pg_max_concurrent_queries = 0 # Sets the maximum number of concurrent queries
+ # that can be executing at any given time. This
+ # limit is enforced per worker process; the
+ # total number of concurrent queries for this
+ # node will be will be:
+ # `pg_max_concurrent_queries * nginx_worker_processes`.
+ #
+ # The default value of 0 removes this
+ # concurrency limitation.
+
+#pg_semaphore_timeout = 60000 # Defines the timeout (in ms) after which
+ # PostgreSQL query semaphore resource
+ # acquisition attempts will fail. Such
+ # failures will generally result in the
+ # associated proxy or Admin API request
+ # failing with an HTTP 500 status code.
+ # Detailed discussion of this behavior is
+ # available in the online documentation.
+
+#cassandra_contact_points = 127.0.0.1 # A comma-separated list of contact
+ # points to your cluster.
+ # You may specify IP addresses or
+ # hostnames. Note that the port
+ # component of SRV records will be
+ # ignored in favor of `cassandra_port`.
+ # When connecting to a multi-DC cluster,
+ # ensure that contact points from the
+ # local datacenter are specified first
+ # in this list.
+
+#cassandra_port = 9042 # The port on which your nodes are listening
+ # on. All your nodes and contact points must
+ # listen on the same port. Will be created if
+ # it doesn't exist.
+
+#cassandra_keyspace = kong # The keyspace to use in your cluster.
+
+#cassandra_consistency = ONE # Consistency setting to use when reading/
+ # writing to the Cassandra cluster.
+ #
+#cassandra_timeout = 5000 # Defines the timeout (in ms) for reading
+ # and writing.
+
+#cassandra_ssl = off # Toggles client-to-node TLS connections
+ # between Kong and Cassandra.
+
+#cassandra_ssl_verify = off # Toggles server certificate verification if
+ # `cassandra_ssl` is enabled.
+ # See the `lua_ssl_trusted_certificate`
+ # setting to specify a certificate authority.
+
+#cassandra_username = kong # Username when using the
+ # `PasswordAuthenticator` scheme.
+
+#cassandra_password = # Password when using the
+ # `PasswordAuthenticator` scheme.
+
+#cassandra_lb_policy = RequestRoundRobin # Load balancing policy to use when
+ # distributing queries across your
+ # Cassandra cluster.
+ # Accepted values are:
+ # `RoundRobin`, `RequestRoundRobin`,
+ # `DCAwareRoundRobin`, and
+ # `RequestDCAwareRoundRobin`.
+ # Policies prefixed with "Request"
+ # make efficient use of established
+ # connections throughout the same
+ # request.
+ # Prefer "DCAware" policies if and
+ # only if you are using a
+ # multi-datacenter cluster.
+
+#cassandra_local_datacenter = # When using the `DCAwareRoundRobin`
+ # or `RequestDCAwareRoundRobin` load
+ # balancing policy, you must specify the name
+ # of the local (closest) datacenter for this
+ # Kong node.
+
+#cassandra_refresh_frequency = 60 # Frequency (in seconds) at which
+ # the cluster topology will be
+ # checked for new or decommissioned
+ # nodes.
+ # A value of `0` will disable this
+ # check, and the cluster topology
+ # will never be refreshed.
+
+#cassandra_repl_strategy = SimpleStrategy # When migrating for the first time,
+ # Kong will use this setting to
+ # create your keyspace.
+ # Accepted values are
+ # `SimpleStrategy` and
+ # `NetworkTopologyStrategy`.
+
+#cassandra_repl_factor = 1 # When migrating for the first time, Kong
+ # will create the keyspace with this
+ # replication factor when using the
+ # `SimpleStrategy`.
+
+#cassandra_data_centers = dc1:2,dc2:3 # When migrating for the first time,
+ # will use this setting when using the
+ # `NetworkTopologyStrategy`.
+ # The format is a comma-separated list
+ # made of `:`.
+
+#cassandra_schema_consensus_timeout = 10000 # Defines the timeout (in ms) for
+ # the waiting period to reach a
+ # schema consensus between your
+ # Cassandra nodes.
+ # This value is only used during
+ # migrations.
+
+#declarative_config = # The path to the declarative configuration
+ # file which holds the specification of all
+ # entities (Routes, Services, Consumers, etc.)
+ # to be used when the `database` is set to
+ # `off`.
+ #
+ # Entities are stored in Kong's in-memory cache,
+ # so you must ensure that enough memory is
+ # allocated to it via the `mem_cache_size`
+ # property. You must also ensure that items
+ # in the cache never expire, which means that
+ # `db_cache_ttl` should preserve its default
+ # value of 0.
+
+#------------------------------------------------------------------------------
+# DATASTORE CACHE
+#------------------------------------------------------------------------------
+
+# In order to avoid unnecessary communication with the datastore, Kong caches
+# entities (such as APIs, Consumers, Credentials...) for a configurable period
+# of time. It also handles invalidations if such an entity is updated.
+#
+# This section allows for configuring the behavior of Kong regarding the
+# caching of such configuration entities.
+
+#db_update_frequency = 5 # Frequency (in seconds) at which to check for
+ # updated entities with the datastore.
+ #
+ # When a node creates, updates, or deletes an
+ # entity via the Admin API, other nodes need
+ # to wait for the next poll (configured by
+ # this value) to eventually purge the old
+ # cached entity and start using the new one.
+
+#db_update_propagation = 0 # Time (in seconds) taken for an entity in the
+ # datastore to be propagated to replica nodes
+ # of another datacenter.
+ #
+ # When in a distributed environment such as
+ # a multi-datacenter Cassandra cluster, this
+ # value should be the maximum number of
+ # seconds taken by Cassandra to propagate a
+ # row to other datacenters.
+ #
+ # When set, this property will increase the
+ # time taken by Kong to propagate the change
+ # of an entity.
+ #
+ # Single-datacenter setups or PostgreSQL
+ # servers should suffer no such delays, and
+ # this value can be safely set to 0.
+
+#db_cache_ttl = 0 # Time-to-live (in seconds) of an entity from
+ # the datastore when cached by this node.
+ #
+ # Database misses (no entity) are also cached
+ # according to this setting.
+ #
+ # If set to 0 (default), such cached entities
+ # or misses never expire.
+
+#db_resurrect_ttl = 30 # Time (in seconds) for which stale entities
+ # from the datastore should be resurrected for
+ # when they cannot be refreshed (e.g., the
+ # datastore is unreachable).
When this TTL
+ # expires, a new attempt to refresh the stale
+ # entities will be made.
+
+#db_cache_warmup_entities = services, plugins
+ # Entities to be pre-loaded from the datastore
+ # into the in-memory cache at Kong start-up.
+ # This speeds up the first access of endpoints
+ # that use the given entities.
+ #
+ # When the `services` entity is configured
+ # for warmup, the DNS entries for values in
+ # its `host` attribute are pre-resolved
+ # asynchronously as well.
+ #
+ # Cache size set in `mem_cache_size` should
+ # be set to a value large enough to hold all
+ # instances of the specified entities.
+ # If the size is insufficient, Kong will log
+ # a warning.
+
+#------------------------------------------------------------------------------
+# DNS RESOLVER
+#------------------------------------------------------------------------------
+
+# By default the DNS resolver will use the standard configuration files
+# `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be
+# overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if
+# they have been set.
+#
+# Kong will resolve hostnames as either `SRV` or `A` records (in that order, and
+# `CNAME` records will be dereferenced in the process).
+# In case a name was resolved as an `SRV` record it will also override any given
+# port number by the `port` field contents received from the DNS server.
+#
+# The DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will
+# be used to expand short names to fully qualified ones. So it will first try
+# the entire `SEARCH` list for the `SRV` type, if that fails it will try the
+# `SEARCH` list for `A`, etc.
+#
+# For the duration of the `ttl`, the internal DNS resolver will loadbalance each
+# request it gets over the entries in the DNS record. For `SRV` records the
+# `weight` fields will be honored, but it will only use the lowest `priority`
+# field entries in the record.
+
+#dns_resolver = # Comma separated list of nameservers, each
+ # entry in `ip[:port]` format to be used by
+ # Kong. If not specified the nameservers in
+ # the local `resolv.conf` file will be used.
+ # Port defaults to 53 if omitted. Accepts
+ # both IPv4 and IPv6 addresses.
+
+#dns_hostsfile = /etc/hosts # The hosts file to use. This file is read
+ # once and its content is static in memory.
+ # To read the file again after modifying it,
+ # Kong must be reloaded.
+
+#dns_order = LAST,SRV,A,CNAME # The order in which to resolve different
+ # record types. The `LAST` type means the
+ # type of the last successful lookup (for the
+ # specified name). The format is a (case
+ # insensitive) comma separated list.
+
+#dns_valid_ttl = # By default, DNS records are cached using
+ # the TTL value of a response. If this
+ # property receives a value (in seconds), it
+ # will override the TTL for all records.
+
+#dns_stale_ttl = 4 # Defines, in seconds, how long a record will
+ # remain in cache past its TTL. This value
+ # will be used while the new DNS record is
+ # fetched in the background.
+ # Stale data will be used from expiry of a
+ # record until either the refresh query
+ # completes, or the `dns_stale_ttl` number of
+ # seconds have passed.
+
+#dns_not_found_ttl = 30 # TTL in seconds for empty DNS responses and
+ # "(3) name error" responses.
+
+#dns_error_ttl = 1 # TTL in seconds for error responses.
+
+#dns_no_sync = off # If enabled, then upon a cache-miss every
+ # request will trigger its own dns query.
+ # When disabled multiple requests for the
+ # same name/type will be synchronised to a
+ # single query.
+
+#------------------------------------------------------------------------------
+# TUNING & BEHAVIOR
+#------------------------------------------------------------------------------
+
+#router_consistency = strict # Defines whether this node should rebuild its
+ # router synchronously or asynchronously (the
+ # router is rebuilt every time a Route or a
+ # Service is updated via the Admin API or
+ # loading a declarative configuration file).
+ #
+ # Accepted values are:
+ #
+ # - `strict`: the router will be rebuilt
+ # synchronously, causing incoming requests to
+ # be delayed until the rebuild is finished.
+ # - `eventual`: the router will be rebuilt
+ # asynchronously via a recurring background
+ # job running every second inside of each
+ # worker.
+ #
+ # Note that `strict` ensures that all workers
+ # of a given node will always proxy requests
+ # with an identical router, but that increased
+ # long tail latency can be observed if
+ # frequent Routes and Services updates are
+ # expected.
+ # Using `eventual` will help preventing long
+ # tail latency issues in such cases, but may
+ # cause workers to route requests differently
+ # for a short period of time after Routes and
+ # Services updates.
+
+#router_update_frequency = 1 # Defines how often the router changes are
+ # checked with a background job. When a change
+ # is detected, a new router will be built. By
+ # default we check for changes every second.
+ # Raising this value will decrease the load on
+ # database servers and result in less jitter
+ # in proxy latency, with downside of longer
+ # converge time for router updates.
+
+#------------------------------------------------------------------------------
+# DEVELOPMENT & MISCELLANEOUS
+#------------------------------------------------------------------------------
+
+# Additional settings inherited from lua-nginx-module allowing for more
+# flexibility and advanced usage.
+#
+# See the lua-nginx-module documentation for more information:
+# https://github.com/openresty/lua-nginx-module
+
+#lua_ssl_trusted_certificate = # Absolute path to the certificate
+ # authority file for Lua cosockets in PEM
+ # format. This certificate will be the one
+ # used for verifying Kong's database
+ # connections, when `pg_ssl_verify` or
+ # `cassandra_ssl_verify` are enabled.
+ #
+ # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
+
+#lua_ssl_verify_depth = 1 # Sets the verification depth in the server
+ # certificates chain used by Lua cosockets,
+ # set by `lua_ssl_trusted_certificate`.
+ # This includes the certificates configured
+ # for Kong's database connections.
+ #
+ # See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth
+
+#lua_package_path = ./?.lua;./?/init.lua; # Sets the Lua module search path
+ # (LUA_PATH). Useful when developing
+ # or using custom plugins not stored
+ # in the default search path.
+ #
+ # See https://github.com/openresty/lua-nginx-module#lua_package_path
+
+#lua_package_cpath = # Sets the Lua C module search path
+ # (LUA_CPATH).
+ #
+ # See https://github.com/openresty/lua-nginx-module#lua_package_cpath
+
+#lua_socket_pool_size = 30 # Specifies the size limit for every cosocket
+ # connection pool associated with every remote
+ # server.
+ #
+ # See https://github.com/openresty/lua-nginx-module#lua_socket_pool_size
diff --git a/web/kong-2.0.3/files/original/kong.logrotate b/web/kong-2.0.3/files/original/kong.logrotate
new file mode 100644
index 0000000..3eda9d9
--- /dev/null
+++ b/web/kong-2.0.3/files/original/kong.logrotate
@@ -0,0 +1,13 @@
+/usr/local/kong/logs/*.log {
+ rotate 14
+ daily
+ missingok
+ compress
+ notifempty
+ sharedscripts
+ postrotate
+ if [ -f /usr/local/kong/pids/nginx.pid ]; then
+ kill -USR1 `cat /usr/local/kong/pids/nginx.pid`
+ fi
+ endscript
+}
\ No newline at end of file
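Review bot: `compress` without `delaycompress` in the new kong.logrotate stanza can lose log lines: the `kill -USR1` in `postrotate` only asks the nginx master to reopen its logs, and it does so asynchronously, so the file that was just renamed may still be receiving writes when logrotate starts compressing it. Adding `delaycompress` directly after `compress` defers compression to the next cycle, which is how the stock nginx logrotate snippets handle this. Separately, the `postrotate` script runs as root and signals whatever PID it reads from `/usr/local/kong/pids/nginx.pid`; this diff does not show who owns that directory, but if the Kong service user can write it, the value should be treated as untrusted (for example by checking that the PID is a running nginx process before signalling it), and an empty file currently makes the bare `kill -USR1` fail rather than skip.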
diff --git a/web/kong-2.0.3/tasks/main.yml b/web/kong-2.0.3/tasks/main.yml
new file mode 100644
index 0000000..fc05e16
--- /dev/null
+++ b/web/kong-2.0.3/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+# Add GPG keys
+- name: Addding Kong sources GPG key
+ apt_key: url='https://bintray.com/user/downloadSubjectPublicKey?username=bintray' state=present
+
+# Add Kong repositories for Debian 10
+- name: Adding Kong sources for Debian 10 Jessie
+ apt_repository: repo='deb https://kong.bintray.com/kong-deb buster main' state=present
+ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+# Install Kong
+- name: Installing Kong
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - kong=2.0.3
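Review bot: The `apt_key` task imports the repository signing key by URL without pinning its fingerprint, so whatever key that URL serves at run time becomes trusted for the Kong repository; passing the expected key via `id: <KEY_FINGERPRINT_PLACEHOLDER>` alongside `url` makes the module verify what it imported rather than trust the download. The task names also disagree with the repository line: `buster main` is Debian 10, while the name says `Debian 10 Jessie` (Jessie is Debian 8), and `Addding` is a typo — `- name: Adding Kong sources GPG key` and `- name: Adding Kong sources for Debian 10 Buster`. `update_cache: yes` should be the canonical boolean `update_cache: true`, and for consistency with the `apt` task the `apt_key`/`apt_repository` arguments would read better in block YAML than as `key=value` strings.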