mreschke/ansible-shared
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Tons of updates including erpnext, fusionauth, kong, elasticsearch, postgres-12, opennebula-5.10...

Browse Source
This commit is contained in:
Matthew Reschke
2020-04-15 18:46:59 -06:00
parent 957ff8bb8e
commit 0d76f1eb12
73 changed files with 4532 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/erpnext-12/files/mysql/60-frappe.cnf Normal file
View File

@@ -0,0 +1,10 @@
[mysqld]
innodb-file-format=barracuda
innodb-file-per-table=1
innodb-large-prefix=1
character-set-client-handshake = FALSE
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
[mysql]
default-character-set = utf8mb4

3
app/erpnext-12/files/ssh.config Normal file
View File

@@ -0,0 +1,3 @@
# So ansible does not have to add each hypervisor node to known_hosts
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null

12
app/erpnext-12/handlers/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: restart mysql
service: name=mysql enabled=yes state=restarted
- name: reload nginx
service: name=nginx enabled=yes state=restarted
- name: restart supervisor
service: name=supervisor enabled=yes state=restarted
- name: reload supervisor
service: name=supervisor enabled=yes state=reloaded

133
app/erpnext-12/tasks/configure-erpnext.yml Normal file
View File

@@ -0,0 +1,133 @@
---
# # Pip install frappe-bench
# - name: Installing pip frappe-bench
# pip:
# name:
# - frappe-bench
# # Create {{ base }} directory
# - name: Creating {{ base }} directory
# file:
# path: '{{ base }}'
# state: directory
# owner: toor
# group: toor
# mode: '0755'
# # Run frappe bench init
# - name: Running frappe bench init
# # NOTICE: running as toor
# become_user: toor
# shell: bench init {{ projectname }} --frappe-branch version-12 --no-backups
# args:
# chdir: '{{ base }}'
# # Ensures this command only runs if the dir does NOT exist
# creates: '{{ path }}'
# when: frappe_repo is undefined
# # Run frappe bench init with custom repo
# - name: Running frappe bench init with custom repo
# # NOTICE: running as toor
# become_user: toor
# shell: bench init {{ projectname }} --frappe-path {{ frappe_repo }} --frappe-branch version-12 --no-backups
# args:
# chdir: '{{ base }}'
# # Ensures this command only runs if the dir does NOT exist
# creates: '{{ path }}'
# when: frappe_repo is defined
# # Create frappe-bench supervisor configs
# - name: Creating frappe-bench supervisor config
# become_user: toor
# shell: bench setup supervisor
# args:
# chdir: '{{ path }}'
# creates: '{{ path }}/config/supervisor.conf'
# # Symlink frappe-bench supervisor config
# - name: Symlinking frappe-bench supervisor config
# file:
# src: '{{ path }}/config/supervisor.conf'
# dest: /etc/supervisor/conf.d/frappe-bench.conf
# state: link
# notify: reload supervisor
# # Get ERPNext app
# - name: Getting ERPNext app
# become_user: toor
# shell: bench get-app erpnext --branch version-12
# args:
# chdir: '{{ path }}'
# creates: '{{ path }}/apps/erpnext'
# notify: reload supervisor
# when: erpnext_repo is undefined
# # Get ERPNext app from custom repo
# - name: Getting ERPNext app from custom repo
# become_user: toor
# shell: bench get-app erpnext {{ erpnext_repo }} --branch version-12
# args:
# chdir: '{{ path }}'
# creates: '{{ path }}/apps/erpnext'
# notify: reload supervisor
# when: erpnext_repo is defined
# # Settings frappe bench mariadb-host
# - name: Setting frappe bench mariadb-host
# become_user: toor
# shell: bench set-mariadb-host {{ db_host }}
# args:
# chdir: '{{ path }}'
# when: db_host is defined
# # Create new site using local database
# - name: Creating new frappe site using local database
# become_user: toor
# shell: bench new-site {{ site }} --admin-password {{ erpnext_admin_password }} --db-name {{ db_name }} --db-password {{ erpnext_db_password }} --mariadb-root-username root --mariadb-root-password {{ root_db_password }} --force
# args:
# chdir: '{{ path }}'
# creates: '{{ path }}/sites/{{ site }}'
# notify: reload supervisor
# when: db_host is undefined
# # Create new site using remote database
# - name: Creating new frappe site using remote database
# become_user: toor
# shell: bench new-site {{ site }} --admin-password {{ erpnext_admin_password }} --db-name {{ db_name }} --db-password {{ erpnext_db_password }} --mariadb-root-username root --mariadb-root-password {{ root_db_password }} --force --no-mariadb-socket
# args:
# chdir: '{{ path }}'
# creates: '{{ path }}/sites/{{ site }}'
# notify: reload supervisor
# when: db_host is defined
# Adding ERPNext to site
- name: Adding ERPNext to site
become_user: toor
shell: bench --site {{ site }} install-app erpnext
args:
chdir: '{{ path }}'
creates: '{{ path }}/sites/{{ site }}/ansible-flag-app-erpnext-added'
notify: reload supervisor
# Create frappe-bench nginx configs
- name: Creating frappe-bench nginx config
become_user: toor
shell: bench setup nginx
args:
chdir: '{{ path }}'
creates: '{{ path }}/config/nginx.conf'
# Delete /etc/nginx/sites-enabled/default
- name: Deleting /etc/nginx/sites-enabled/default
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: reload nginx
# Symlink frappe-bench nginx config
- name: Symlinking frappe-bench nginx config
file:
src: '{{ path }}/config/nginx.conf'
dest: /etc/nginx/sites-enabled/erpnext.conf
state: link
notify: reload nginx

9
app/erpnext-12/tasks/configure-linux.yml Normal file
View File

@@ -0,0 +1,9 @@
---
# Copy ssh client config for toor user so we can git clone without confirmation
- name: Copying toor SSH client config
copy:
src: 'ssh.config'
dest: '/home/toor/.ssh/config'
owner: toor
group: toor
mode: '0644'

30
app/erpnext-12/tasks/configure-mysql.yml Normal file
View File

@@ -0,0 +1,30 @@
---
# Install mariadb-client
# Required regardless if MySQL server is local or remote
- name: Installing mariadb-client
apt:
update_cache: yes
state: present
name:
- mariadb-client
# Enable root password (only if using localhost db)
- name: Enable MySQL root password
shell: "{{ item }}"
with_items:
- mysql -e "CREATE USER 'root'@'%' IDENTIFIED BY '{{ root_db_password }}'; GRANT ALL PRIVILEGES ON *.* to 'root'@'%';"
- mysql -e "ALTER USER 'root'@'%' IDENTIFIED VIA mysql_native_password; SET PASSWORD = PASSWORD('{{ root_db_password }}');"
args:
# Ensure this runs only once
creates: ~/.config/ansible-flag-mysql-password-enabled
notify: restart mysql
# Copy MariaDB /etc/mysql/mariadb.conf.d/60-frappe.cnf
- name: Copying /etc/mysql/mariadb.conf.d/60-frappe.cnf
copy:
src: mysql/60-frappe.cnf
dest: /etc/mysql/mariadb.conf.d/60-frappe.cnf
owner: root
group: root
mode: '0644'
notify: restart mysql

6
app/erpnext-12/tasks/configure-nodejs.yml Normal file
View File

@@ -0,0 +1,6 @@
---
# Install nodejs yarn globally
- name: Installing nodejs yarn globally
npm:
name: yarn
global: yes

22
app/erpnext-12/tasks/configure-python.yml Normal file
View File

@@ -0,0 +1,22 @@
---
# Install python3-pip
- name: Installing python3-pip
apt:
update_cache: yes
state: present
name:
- python3-pip
# Update alternatives to python3
- name: Updating alternatives to python3
alternatives:
name: python
link: /usr/bin/python
path: /usr/bin/python3
# Update alternatives to pip3
- name: Updating alternatives for pip3
alternatives:
name: pip
link: /usr/bin/pip
path: /usr/bin/pip3

12
app/erpnext-12/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# NOTICE: Commands like frappe bench and git clone need to run
# as the toor user, not root. The playbook that runs this role
# should be logging in as toor, using become:yes with toors ssh key
# Because become:yes all command still run as root, until I use
# become_user: toor below.
#- include_tasks: configure-linux.yml
#- include_tasks: configure-mysql.yml
#- include_tasks: configure-python.yml
#- include_tasks: configure-nodejs.yml
- include_tasks: configure-erpnext.yml

73
app/fusionauth-1.15.8/files/originals/fusionauth.properties Normal file
View File

@@ -0,0 +1,73 @@
#
# Copyright (c) 2018, FusionAuth, All Rights Reserved
#
#------------------------------------------------------------------------------
# Database
# - Specify the URL and credentials for your database here
# - Required on each node running FusionAuth App webservice
#------------------------------------------------------------------------------
database.url=jdbc:mysql://localhost:3306/fusionauth?serverTimezone=UTC&useSSL=false
database.username=fusionauth
database.password=fusionauth
#------------------------------------------------------------------------------
# Database Encoding Validation for MySQL
# - This value is ignored if using PostgreSQL
# - Disable (set to false) only if you understand the MySQL limitations not using 'utf8mb4' character sets.
#------------------------------------------------------------------------------
database.enforce-utf8mb4=true
#------------------------------------------------------------------------------
# fusionauth-search
# - Required on each node running FusionAuth Search
#------------------------------------------------------------------------------
fusionauth-search.transport-port=9020
fusionauth-search.http-port=9021
fusionauth-search.memory=256M
fusionauth-search.additional-java-args=
# Special values include: _local_, _site_. Values can be combined in a comma separated list.
fusionauth-search.hosts=_local_
# Specify the location of your FusionAuth Search servers. Multiple values may be specified using a comma separator.
# This configuration is used by ElasticSearch to configure clustering. The specified port should be the configured value
# for 'fusionauth-search.transport-port'.
#
# Single host example: localhost:9020
# Multiple hosts example: localhost:9020,192.168.1.42:9020
fusionauth-search.servers=localhost:9020
# Specify the full path to the ElasticSearch data directory. This defaults to /usr/local/fusionauth/data/search/esv6
# on Linux/Unix and %FUSIONAUTH_HOME%\data\search\esv6 on Windows if not specified
fusionauth-search.data-directory=
#------------------------------------------------------------------------------
# fusionauth-app
# - Required on each node running FusionAuth App webservice
#------------------------------------------------------------------------------
# Optionally specify an addressable URL or IP address to access this node from other FusionAuth nodes.
# - In most cases this should be left empty and it will be determined at runtime.
# - Ideally this is a site local IP address that is not publicly routable but accessible from other FusionAuth nodes.
fusionauth-app.public-url=
# Specify the location of your FusionAuth Search servers. Multiple values may be specified using a comma separator.
# This configuration is used by FusionAuth App to connect to the ElasticSearch nodes. The specified port should be the
# configured value for 'fusionauth-search.http-port'.
#
# Single host example: http://localhost:9021
# Multiple hosts example: http://localhost:9021,http://192.168.1.42:9021
fusionauth-app.search-servers=http://localhost:9021
# Specify the management and HTTP ports for Tomcat
fusionauth-app.management-port=9010
fusionauth-app.http-port=9011
fusionauth-app.https-port=9013
fusionauth-app.ajp-port=9019
# Specify the memory size here. You can use M for megabytes and G for gigabytes
fusionauth-app.memory=256M
# Specify any additional JVM arguments here
fusionauth-app.additional-java-args=

BIN
app/fusionauth-1.15.8/files/originals/keystore Normal file
View File

Binary file not shown.

17
app/fusionauth-1.15.8/tasks/main.yml Normal file
View File

@@ -0,0 +1,17 @@
---
# Install Fusionauth from online .deb (they provide NO apt repos)
# Get latest version from curl https://metrics.fusionauth.io/api/latest-version
# Currently 1.15.8
- name: Install FusionAuth .deb package from the internet.
apt:
deb: https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.15.8/fusionauth-app_1.15.8-1_all.deb
- name: Install FusionAuth-Search .deb package from the internet.
apt:
deb: https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.15.8/fusionauth-search_1.15.8-1_all.deb
# Install missing dependencies
- name: Installing missing dependencies
apt:
update_cache: yes
state: fixed

1
app/gitlab/tasks/main.yml
View File

@@ -12,6 +12,7 @@
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
# Install Gitlab
# CE vs EE see https://about.gitlab.com/install/ce-or-ee/?distro=debian
- name: Installing Gitlab
apt:
update_cache: yes

13
app/konga-0.14.7/files/konga.service Normal file
View File

@@ -0,0 +1,13 @@
[Unit]
Description=Konga NodeJS Website
After=network.target
[Service]
Type=simple
User=toor
WorkingDirectory=/var/www/konga
ExecStart=/usr/bin/node --harmony app.js --prod
Restart=on-failure
[Install]
WantedBy=multi-user.target

82
app/konga-0.14.7/tasks/main.yml Normal file
View File

@@ -0,0 +1,82 @@
---
# Install build-essential for konga
# Required during npm install phase (needs make, g++, etc...)
- name: Installing build-essential for konga
apt:
update_cache: yes
state: present
name:
- build-essential
# Create /var/www folder
- name: Creating /var/www directory
file:
path: /var/www
state: directory
owner: toor
group: toor
mode: '0755'
# Create /var/www/konga folder
- name: Creating /var/www/konga directory
file:
path: /var/www/konga
state: directory
owner: toor
group: toor
mode: '0755'
# Git clone https://github.com/pantsel/konga.git
- name: Git clone https://github.com/pantsel/konga.git tag 0.14.7
git:
clone: yes
force: yes
repo: https://github.com/pantsel/konga.git
dest: /var/www/konga
version: 0.14.7
depth: 1
# Ensure konga git contents owned by toor
- name: Ensuring konga git contents owned by toor
file:
path: /var/www/konga
state: directory
owner: toor
group: toor
recurse: yes
# Delete package-lock.json
- name: Deleting konga package-lock.json
file:
path: /var/www/konga/package-lock.json
state: absent
# Install konga npm packages
- name: Installing konga NPM packages
npm:
path: /var/www/konga
# Install konga bower dependencies
- name: Installing konga bower dependencies
shell: npm run bower-deps
args:
chdir: /var/www/konga
# Ensure konga git contents owned by toor
- name: Ensuring konga git contents owned by toor
file:
path: /var/www/konga
state: directory
owner: toor
group: toor
recurse: yes
# Copy konga systemd unit file
- name: Copying konga.service systemd unit file
copy:
src: konga.service
dest: "/etc/systemd/system/konga.service"
owner: root
group: root
mode: '0644' # -rw-r--r--
#NOnotify: reload konga # NO because you need to copy your own .env first

17
chat/jitsi/tasks/intall-debian.yml Normal file
View File

@@ -0,0 +1,17 @@
---
# Add GPG keys
- name: Addding jitsi GPG key
apt_key: url='https://download.jitsi.org/jitsi-key.gpg.key' state=present
# Add jitsi repositories
- name: Adding jitsi sources for Debian
apt_repository: repo='deb https://download.jitsi.org stable/' state=present
when: ansible_os_family == "Debian"
# Install Jitsi Server
- name: Installing Jitsi Server
apt:
update_cache: yes
state: present
name:
- jitsi-meet

3
chat/jitsi/tasks/main.yml Normal file
View File

@@ -0,0 +1,3 @@
# Install Jitsi - Debian All Versions
- include_tasks: install-debian.yml
when: ansible_os_family == "Debian"

4
code/nodejs-8-lts/tasks/main.yml
View File

@@ -12,3 +12,7 @@
# Install NodeJS 8.x LTS
- name: Installing node.js 8x LTS
apt: name=nodejs state=present
# NOTE, I ran this on 2020-04-14 for sun-auth and it installed v10.15.2 instead?
# Maybe 8x is deprecated?

1
db/elasticsearch-7.x/files/original/etc/.elasticsearch.keystore.initial_md5sum Normal file
View File

@@ -0,0 +1 @@
bf3d6720c4f9a81500e606aed2ec45c0 /etc/elasticsearch/elasticsearch.keystore

BIN
db/elasticsearch-7.x/files/original/etc/elasticsearch.keystore Normal file
View File

Binary file not shown.

88
db/elasticsearch-7.x/files/original/etc/elasticsearch.yml Normal file
View File

@@ -0,0 +1,88 @@
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true

77
db/elasticsearch-7.x/files/original/etc/jvm.options Normal file
View File

@@ -0,0 +1,77 @@
## JVM configuration
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms1g
-Xmx1g
################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################
## GC configuration
8-13:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly
## G1GC Configuration
# NOTE: G1 GC is only supported on JDK version 10 or later
# to use G1GC, uncomment the next two lines and update the version on the
# following three lines to your version of the JDK
# 10-13:-XX:-UseConcMarkSweepGC
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
14-:-XX:+UseG1GC
14-:-XX:G1ReservePercent=25
14-:-XX:InitiatingHeapOccupancyPercent=30
## JVM temporary directory
-Djava.io.tmpdir=${ES_TMPDIR}
## heap dumps
# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError
# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=/var/lib/elasticsearch
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log
## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:/var/log/elasticsearch/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m
# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m

263
db/elasticsearch-7.x/files/original/etc/log4j2.properties Normal file
View File

@@ -0,0 +1,263 @@
status = error
# log action execution errors for easier debugging
logger.action.name = org.elasticsearch.action
logger.action.level = debug
appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
######## Server JSON ############################
appender.rolling.type = RollingFile
appender.rolling.name = rolling
appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_server.json
appender.rolling.layout.type = ESJsonLayout
appender.rolling.layout.type_name = server
appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.json.gz
appender.rolling.policies.type = Policies
appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.rolling.policies.time.interval = 1
appender.rolling.policies.time.modulate = true
appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.rolling.policies.size.size = 128MB
appender.rolling.strategy.type = DefaultRolloverStrategy
appender.rolling.strategy.fileIndex = nomax
appender.rolling.strategy.action.type = Delete
appender.rolling.strategy.action.basepath = ${sys:es.logs.base_path}
appender.rolling.strategy.action.condition.type = IfFileName
appender.rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-*
appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB
################################################
######## Server - old style pattern ###########
appender.rolling_old.type = RollingFile
appender.rolling_old.name = rolling_old
appender.rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
appender.rolling_old.layout.type = PatternLayout
appender.rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz
appender.rolling_old.policies.type = Policies
appender.rolling_old.policies.time.type = TimeBasedTriggeringPolicy
appender.rolling_old.policies.time.interval = 1
appender.rolling_old.policies.time.modulate = true
appender.rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.rolling_old.policies.size.size = 128MB
appender.rolling_old.strategy.type = DefaultRolloverStrategy
appender.rolling_old.strategy.fileIndex = nomax
appender.rolling_old.strategy.action.type = Delete
appender.rolling_old.strategy.action.basepath = ${sys:es.logs.base_path}
appender.rolling_old.strategy.action.condition.type = IfFileName
appender.rolling_old.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-*
appender.rolling_old.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
appender.rolling_old.strategy.action.condition.nested_condition.exceeds = 2GB
################################################
rootLogger.level = info
rootLogger.appenderRef.console.ref = console
rootLogger.appenderRef.rolling.ref = rolling
rootLogger.appenderRef.rolling_old.ref = rolling_old
######## Deprecation JSON #######################
appender.deprecation_rolling.type = RollingFile
appender.deprecation_rolling.name = deprecation_rolling
appender.deprecation_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.json
appender.deprecation_rolling.layout.type = ESJsonLayout
appender.deprecation_rolling.layout.type_name = deprecation
appender.deprecation_rolling.layout.esmessagefields=x-opaque-id
appender.deprecation_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.json.gz
appender.deprecation_rolling.policies.type = Policies
appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.deprecation_rolling.policies.size.size = 1GB
appender.deprecation_rolling.strategy.type = DefaultRolloverStrategy
appender.deprecation_rolling.strategy.max = 4
#################################################
######## Deprecation - old style pattern #######
appender.deprecation_rolling_old.type = RollingFile
appender.deprecation_rolling_old.name = deprecation_rolling_old
appender.deprecation_rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log
appender.deprecation_rolling_old.layout.type = PatternLayout
appender.deprecation_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.deprecation_rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\
_deprecation-%i.log.gz
appender.deprecation_rolling_old.policies.type = Policies
appender.deprecation_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.deprecation_rolling_old.policies.size.size = 1GB
appender.deprecation_rolling_old.strategy.type = DefaultRolloverStrategy
appender.deprecation_rolling_old.strategy.max = 4
#################################################
logger.deprecation.name = org.elasticsearch.deprecation
logger.deprecation.level = warn
logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling
logger.deprecation.appenderRef.deprecation_rolling_old.ref = deprecation_rolling_old
logger.deprecation.additivity = false
######## Search slowlog JSON ####################
appender.index_search_slowlog_rolling.type = RollingFile
appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling
appender.index_search_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs\
.cluster_name}_index_search_slowlog.json
appender.index_search_slowlog_rolling.layout.type = ESJsonLayout
appender.index_search_slowlog_rolling.layout.type_name = index_search_slowlog
appender.index_search_slowlog_rolling.layout.esmessagefields=message,took,took_millis,total_hits,types,stats,search_type,total_shards,source,id
appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs\
.cluster_name}_index_search_slowlog-%i.json.gz
appender.index_search_slowlog_rolling.policies.type = Policies
appender.index_search_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.index_search_slowlog_rolling.policies.size.size = 1GB
appender.index_search_slowlog_rolling.strategy.type = DefaultRolloverStrategy
appender.index_search_slowlog_rolling.strategy.max = 4
#################################################
######## Search slowlog - old style pattern ####
appender.index_search_slowlog_rolling_old.type = RollingFile
appender.index_search_slowlog_rolling_old.name = index_search_slowlog_rolling_old
appender.index_search_slowlog_rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\
_index_search_slowlog.log
appender.index_search_slowlog_rolling_old.layout.type = PatternLayout
appender.index_search_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.index_search_slowlog_rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\
_index_search_slowlog-%i.log.gz
appender.index_search_slowlog_rolling_old.policies.type = Policies
appender.index_search_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.index_search_slowlog_rolling_old.policies.size.size = 1GB
appender.index_search_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy
appender.index_search_slowlog_rolling_old.strategy.max = 4
#################################################
logger.index_search_slowlog_rolling.name = index.search.slowlog
logger.index_search_slowlog_rolling.level = trace
logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref = index_search_slowlog_rolling
logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling_old.ref = index_search_slowlog_rolling_old
logger.index_search_slowlog_rolling.additivity = false
######## Indexing slowlog JSON ##################
appender.index_indexing_slowlog_rolling.type = RollingFile
appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling
appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\
_index_indexing_slowlog.json
appender.index_indexing_slowlog_rolling.layout.type = ESJsonLayout
appender.index_indexing_slowlog_rolling.layout.type_name = index_indexing_slowlog
appender.index_indexing_slowlog_rolling.layout.esmessagefields=message,took,took_millis,doc_type,id,routing,source
appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\
_index_indexing_slowlog-%i.json.gz
appender.index_indexing_slowlog_rolling.policies.type = Policies
appender.index_indexing_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.index_indexing_slowlog_rolling.policies.size.size = 1GB
appender.index_indexing_slowlog_rolling.strategy.type = DefaultRolloverStrategy
appender.index_indexing_slowlog_rolling.strategy.max = 4
#################################################
######## Indexing slowlog - old style pattern ##
appender.index_indexing_slowlog_rolling_old.type = RollingFile
appender.index_indexing_slowlog_rolling_old.name = index_indexing_slowlog_rolling_old
appender.index_indexing_slowlog_rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\
_index_indexing_slowlog.log
appender.index_indexing_slowlog_rolling_old.layout.type = PatternLayout
appender.index_indexing_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
appender.index_indexing_slowlog_rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\
_index_indexing_slowlog-%i.log.gz
appender.index_indexing_slowlog_rolling_old.policies.type = Policies
appender.index_indexing_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy
appender.index_indexing_slowlog_rolling_old.policies.size.size = 1GB
appender.index_indexing_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy
appender.index_indexing_slowlog_rolling_old.strategy.max = 4
#################################################
logger.index_indexing_slowlog.name = index.indexing.slowlog.index
logger.index_indexing_slowlog.level = trace
logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref = index_indexing_slowlog_rolling
logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling_old.ref = index_indexing_slowlog_rolling_old
logger.index_indexing_slowlog.additivity = false
appender.audit_rolling.type = RollingFile
appender.audit_rolling.name = audit_rolling
appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit.json
appender.audit_rolling.layout.type = PatternLayout
appender.audit_rolling.layout.pattern = {\
"type":"audit", \
"timestamp":"%d{yyyy-MM-dd'T'HH:mm:ss,SSSZ}"\
%varsNotEmpty{, "node.name":"%enc{%map{node.name}}{JSON}"}\
%varsNotEmpty{, "node.id":"%enc{%map{node.id}}{JSON}"}\
%varsNotEmpty{, "host.name":"%enc{%map{host.name}}{JSON}"}\
%varsNotEmpty{, "host.ip":"%enc{%map{host.ip}}{JSON}"}\
%varsNotEmpty{, "event.type":"%enc{%map{event.type}}{JSON}"}\
%varsNotEmpty{, "event.action":"%enc{%map{event.action}}{JSON}"}\
%varsNotEmpty{, "user.name":"%enc{%map{user.name}}{JSON}"}\
%varsNotEmpty{, "user.run_by.name":"%enc{%map{user.run_by.name}}{JSON}"}\
%varsNotEmpty{, "user.run_as.name":"%enc{%map{user.run_as.name}}{JSON}"}\
%varsNotEmpty{, "user.realm":"%enc{%map{user.realm}}{JSON}"}\
%varsNotEmpty{, "user.run_by.realm":"%enc{%map{user.run_by.realm}}{JSON}"}\
%varsNotEmpty{, "user.run_as.realm":"%enc{%map{user.run_as.realm}}{JSON}"}\
%varsNotEmpty{, "user.roles":%map{user.roles}}\
%varsNotEmpty{, "origin.type":"%enc{%map{origin.type}}{JSON}"}\
%varsNotEmpty{, "origin.address":"%enc{%map{origin.address}}{JSON}"}\
%varsNotEmpty{, "realm":"%enc{%map{realm}}{JSON}"}\
%varsNotEmpty{, "url.path":"%enc{%map{url.path}}{JSON}"}\
%varsNotEmpty{, "url.query":"%enc{%map{url.query}}{JSON}"}\
%varsNotEmpty{, "request.method":"%enc{%map{request.method}}{JSON}"}\
%varsNotEmpty{, "request.body":"%enc{%map{request.body}}{JSON}"}\
%varsNotEmpty{, "request.id":"%enc{%map{request.id}}{JSON}"}\
%varsNotEmpty{, "action":"%enc{%map{action}}{JSON}"}\
%varsNotEmpty{, "request.name":"%enc{%map{request.name}}{JSON}"}\
%varsNotEmpty{, "indices":%map{indices}}\
%varsNotEmpty{, "opaque_id":"%enc{%map{opaque_id}}{JSON}"}\
%varsNotEmpty{, "x_forwarded_for":"%enc{%map{x_forwarded_for}}{JSON}"}\
%varsNotEmpty{, "transport.profile":"%enc{%map{transport.profile}}{JSON}"}\
%varsNotEmpty{, "rule":"%enc{%map{rule}}{JSON}"}\
%varsNotEmpty{, "event.category":"%enc{%map{event.category}}{JSON}"}\
}%n
# "node.name" node name from the `elasticsearch.yml` settings
# "node.id" node id which should not change between cluster restarts
# "host.name" unresolved hostname of the local node
# "host.ip" the local bound ip (i.e. the ip listening for connections)
# "event.type" a received REST request is translated into one or more transport requests. This indicates which processing layer generated the event "rest" or "transport" (internal)
# "event.action" the name of the audited event, eg. "authentication_failed", "access_granted", "run_as_granted", etc.
# "user.name" the subject name as authenticated by a realm
# "user.run_by.name" the original authenticated subject name that is impersonating another one.
# "user.run_as.name" if this "event.action" is of a run_as type, this is the subject name to be impersonated as.
# "user.realm" the name of the realm that authenticated "user.name"
# "user.run_by.realm" the realm name of the impersonating subject ("user.run_by.name")
# "user.run_as.realm" if this "event.action" is of a run_as type, this is the realm name the impersonated user is looked up from
# "user.roles" the roles array of the user; these are the roles that are granting privileges
# "origin.type" it is "rest" if the event is originating (is in relation to) a REST request; possible other values are "transport" and "ip_filter"
# "origin.address" the remote address and port of the first network hop, i.e. a REST proxy or another cluster node
# "realm" name of a realm that has generated an "authentication_failed" or an "authentication_successful"; the subject is not yet authenticated
# "url.path" the URI component between the port and the query string; it is percent (URL) encoded
# "url.query" the URI component after the path and before the fragment; it is percent (URL) encoded
# "request.method" the method of the HTTP request, i.e. one of GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, TRACE, CONNECT
# "request.body" the content of the request body entity, JSON escaped
# "request.id" a synthentic identifier for the incoming request, this is unique per incoming request, and consistent across all audit events generated by that request
# "action" an action is the most granular operation that is authorized and this identifies it in a namespaced way (internal)
# "request.name" if the event is in connection to a transport message this is the name of the request class, similar to how rest requests are identified by the url path (internal)
# "indices" the array of indices that the "action" is acting upon
# "opaque_id" opaque value conveyed by the "X-Opaque-Id" request header
# "x_forwarded_for" the addresses from the "X-Forwarded-For" request header, as a verbatim string value (not an array)
# "transport.profile" name of the transport profile in case this is a "connection_granted" or "connection_denied" event
# "rule" name of the applied rulee if the "origin.type" is "ip_filter"
# "event.category" fixed value "elasticsearch-audit"
appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}.json
appender.audit_rolling.policies.type = Policies
appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.audit_rolling.policies.time.interval = 1
appender.audit_rolling.policies.time.modulate = true
logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false
logger.xmlsig.name = org.apache.xml.security.signature.XMLSignature
logger.xmlsig.level = error
logger.samlxml_decrypt.name = org.opensaml.xmlsec.encryption.support.Decrypter
logger.samlxml_decrypt.level = fatal
logger.saml2_decrypt.name = org.opensaml.saml.saml2.encryption.Decrypter
logger.saml2_decrypt.level = fatal

14
db/elasticsearch-7.x/files/original/etc/role_mapping.yml Normal file
View File

@@ -0,0 +1,14 @@
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names
#roleA: this is an elasticsearch role
# - groupA-DN this is a group distinguished name
# - groupB-DN
# - user1-DN this is the full user distinguished name
#power_user:
# - "cn=admins,dc=example,dc=com"
#user:
# - "cn=users,dc=example,dc=com"
# - "cn=admins,dc=example,dc=com"
# - "cn=John Doe,cn=other users,dc=example,dc=com"

3
db/elasticsearch-7.x/files/original/etc/roles.yml Normal file
View File

@@ -0,0 +1,3 @@
# The default roles file is empty as the preferred method of defining roles is
# through the API/UI. File based roles are useful in error scenarios when the
# API based roles may not be available.

0
db/elasticsearch-7.x/files/original/etc/users Normal file
View File

0
db/elasticsearch-7.x/files/original/etc/users_roles Normal file
View File

21
db/elasticsearch-7.x/tasks/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
# Add Elasticsearch GPG Key
- name: Addding Elasticsearch sources GPG key
apt_key: url='https://artifacts.elastic.co/GPG-KEY-elasticsearch' state=present
# Add Elasticsearch repositories for Debian 8
- name: Adding Elasticsearch sources
apt_repository: repo='deb https://artifacts.elastic.co/packages/7.x/apt stable main' state=present
# Install Elasticsearch
- name: Installing Elasticsearch
apt:
update_cache: yes
state: present
name:
- elasticsearch
# Enable service in systemd (debian does not start this daemon by default, which is not the norm)
- name: Enabling elasticsearch.service systemd unit
systemd: name=elasticsearch enabled=yes state=started

1
db/mariadb-10.3/files/originals/conf.d/mysql.cnf Normal file
View File

@@ -0,0 +1 @@
[mysql]

4
db/mariadb-10.3/files/originals/conf.d/mysqldump.cnf Normal file
View File

@@ -0,0 +1,4 @@
[mysqldump]
quick
quote-names
max_allowed_packet = 16M

43
db/mariadb-10.3/files/originals/debian-start Executable file
View File

@@ -0,0 +1,43 @@
#!/bin/bash
#
# This script is executed by "/etc/init.d/mysql" on every (re)start.
#
# Changes to this file will be preserved when updating the Debian package.
#
# NOTE: This file is read only by the traditional SysV init script, not systemd.
#
source /usr/share/mysql/debian-start.inc.sh
if [ -f /etc/default/mysql ]; then
. /etc/default/mysql
fi
MYSQL="/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf"
MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
# Don't run full mysql_upgrade on every server restart, use --version-check to do it only once
MYUPGRADE="/usr/bin/mysql_upgrade --defaults-extra-file=/etc/mysql/debian.cnf --version-check"
MYCHECK="/usr/bin/mysqlcheck --defaults-file=/etc/mysql/debian.cnf"
MYCHECK_SUBJECT="WARNING: mysqlcheck has found corrupt tables"
MYCHECK_PARAMS="--all-databases --fast --silent"
MYCHECK_RCPT="${MYCHECK_RCPT:-root}"
## Checking for corrupt, not cleanly closed (only for MyISAM and Aria engines) and upgrade needing tables.
# The following commands should be run when the server is up but in background
# where they do not block the server start and in one shell instance so that
# they run sequentially. They are supposed not to echo anything to stdout.
# If you want to disable the check for crashed tables comment
# "check_for_crashed_tables" out.
# (There may be no output to stdout inside the background process!)
# Need to ignore SIGHUP, as otherwise a SIGHUP can sometimes abort the upgrade
# process in the middle.
trap "" SIGHUP
(
upgrade_system_tables_if_necessary;
check_root_accounts;
check_for_crashed_tables;
) >&2 &
exit 0

23
db/mariadb-10.3/files/originals/mariadb.cnf Normal file
View File

@@ -0,0 +1,23 @@
# The MariaDB configuration file
#
# The MariaDB/MySQL tools read configuration files in the following order:
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
# 4. "~/.my.cnf" to set user-specific options.
#
# If the same option is defined multiple times, the last one will apply.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# This group is read both both by the client and the server
# use it for options that affect everything
#
[client-server]
# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/

25
db/mariadb-10.3/files/originals/mariadb.conf.d/50-client.cnf Normal file
View File

@@ -0,0 +1,25 @@
#
# This group is read by the client library
# Use it for options that affect all clients, but not the server
#
[client]
# Default is Latin1, if you need UTF-8 set this (also in server section)
default-character-set = utf8mb4
# socket location
socket = /var/run/mysqld/mysqld.sock
# Example of client certificate usage
# ssl-cert=/etc/mysql/client-cert.pem
# ssl-key=/etc/mysql/client-key.pem
#
# Allow only TLS encrypted connections
# ssl-verify-server-cert=on
# This group is *never* read by mysql client library, though this
# /etc/mysql/mariadb.cnf.d/client.cnf file is not read by Oracle MySQL
# client anyway.
# If you use the same .cnf file for MySQL and MariaDB,
# use it for MariaDB-only client options
[client-mariadb]

24
db/mariadb-10.3/files/originals/mariadb.conf.d/50-mysql-clients.cnf Normal file
View File

@@ -0,0 +1,24 @@
#
# These groups are read by MariaDB command-line tools
# Use it for options that affect only one utility
#
[mysql]
# Default is Latin1, if you need UTF-8 set this (also in server section)
default-character-set = utf8mb4
[mysql_upgrade]
[mysqladmin]
[mysqlbinlog]
[mysqlcheck]
[mysqldump]
[mysqlimport]
[mysqlshow]
[mysqlslap]

30
db/mariadb-10.3/files/originals/mariadb.conf.d/50-mysqld_safe.cnf Normal file
View File

@@ -0,0 +1,30 @@
# NOTE: This file is read only by the traditional SysV init script, not systemd.
# MariaDB systemd does _not_ utilize mysqld_safe nor read this file.
#
# For similar behaviour, systemd users should create the following file:
# /etc/systemd/system/mariadb.service.d/migrated-from-my.cnf-settings.conf
#
# To achieve the same result as the default 50-mysqld_safe.cnf, please create
# /etc/systemd/system/mariadb.service.d/migrated-from-my.cnf-settings.conf
# with the following contents:
#
# [Service]
# User=mysql
# StandardOutput=syslog
# StandardError=syslog
# SyslogFacility=daemon
# SyslogLevel=err
# SyslogIdentifier=mysqld
#
# For more information, please read https://mariadb.com/kb/en/mariadb/systemd/
#
[mysqld_safe]
# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# especially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
socket = /var/run/mysqld/mysqld.sock
nice = 0
skip_log_error
syslog

133
db/mariadb-10.3/files/originals/mariadb.conf.d/50-server.cnf Normal file
View File

@@ -0,0 +1,133 @@
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql
# this is read by the standalone daemon and embedded servers
[server]
# this is only for the mysqld standalone daemon
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /run/mysqld/mysqld.pid
socket = /run/mysqld/mysqld.sock
#port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
#skip-external-locking
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
#
# * Fine Tuning
#
#key_buffer_size = 16M
#max_allowed_packet = 16M
#thread_stack = 192K
#thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
#myisam_recover_options = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
#query_cache_limit = 1M
query_cache_size = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file = /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_rate_limit = 1000
#log_slow_verbosity = query_plan
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
#max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = exclude_database_name
#
# * Security Features
#
# Read the manual, too, if you want chroot!
#chroot = /var/lib/mysql/
#
# For generating SSL certificates you can use for example the GUI tool "tinyca".
#
#ssl-ca = /etc/mysql/cacert.pem
#ssl-cert = /etc/mysql/server-cert.pem
#ssl-key = /etc/mysql/server-key.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
#ssl-cipher = TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
#ssl = on
#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
#
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
#
# * Unix socket authentication plugin is built-in since 10.0.22-6
#
# Needed so the root database user can authenticate without a password but
# only when running as the unix root user.
#
# Also available for other users if required.
# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
# this is only for embedded server
[embedded]
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# This group is only read by MariaDB-10.3 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-10.3]

1
db/mariadb-10.3/files/originals/my.cnf Symbolic link
View File

@@ -0,0 +1 @@
./mariadb.cnf

23
db/mariadb-10.3/files/originals/my.cnf.fallback Normal file
View File

@@ -0,0 +1,23 @@
#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
!includedir /etc/mysql/conf.d/

12
db/postgresql-10/tasks/install-debian.yml
View File

@@ -9,13 +9,23 @@
# Add PostgreSQL repositories for Debian 9
- name: Adding PostgreSQL sources for Debian 9 Jessie
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' state=present
when: ansible_distribution == "Debian" and ansible_distribution_major_version == "9"
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
# Add PostgreSQL repositories for Debian 10
- name: Adding PostgreSQL sources for Debian 10 Jessie
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main' state=present
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
# Add PostgreSQL repositories for Ubuntu 16.04
- name: Adding PostgreSQL sources for Ubuntu 16.04
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main' state=present
when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04"
# Add PostgreSQL repositories for Ubuntu 19.04
- name: Adding PostgreSQL sources for Ubuntu 18.04
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main' state=present
when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "18.04"
# Install PostgreSQL 10
- name: Installing PostgreSQL 10
apt:

4
db/postgresql-10/tasks/main.yml
View File

@@ -1,6 +1,4 @@
---
# postgresql-10
# Install PostgreSQL 10 - Debian and Ubuntu
# Install PostgreSQL 10 - Debian All Versions
- include_tasks: install-debian.yml
when: ansible_os_family == "Debian"

36
db/postgresql-11/tasks/install-debian.yml Normal file
View File

@@ -0,0 +1,36 @@
---
# We use the official PostgreSQL repositories which contains many versions of PostgreSQL
# Most of these versions will be newer than comes stock with debian
# Add GPG keys
- name: Addding PostgreSQL sources GPG key
apt_key: url='https://www.postgresql.org/media/keys/ACCC4CF8.asc' state=present
# Add PostgreSQL repositories for Debian 9
- name: Adding PostgreSQL sources for Debian 9 Jessie
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' state=present
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
# Add PostgreSQL repositories for Debian 10
- name: Adding PostgreSQL sources for Debian 10 Jessie
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main' state=present
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
# Add PostgreSQL repositories for Ubuntu 16.04
- name: Adding PostgreSQL sources for Ubuntu 16.04
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main' state=present
when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04"
# Add PostgreSQL repositories for Ubuntu 19.04
- name: Adding PostgreSQL sources for Ubuntu 18.04
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main' state=present
when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "18.04"
# Install PostgreSQL 11
- name: Installing PostgreSQL 11
apt:
update_cache: yes
state: present
name:
- postgresql-11
- python-psycopg2 # Required for ansible postgres manipulation

4
db/postgresql-11/tasks/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
# Install PostgreSQL 11 - Debian All Versions
- include_tasks: install-debian.yml
when: ansible_os_family == "Debian"

7
db/postgresql-12/files/originals/etc/environment Normal file
View File

@@ -0,0 +1,7 @@
# environment variables for postgres processes
# This file has the same syntax as postgresql.conf:
# VARIABLE = simple_value
# VARIABLE2 = 'any value!'
# I. e. you need to enclose any value which does not only consist of letters,
# numbers, and '-', '_', '.' in single quotes. Shell commands are not
# evaluated.

5
db/postgresql-12/files/originals/etc/pg_ctl.conf Normal file
View File

@@ -0,0 +1,5 @@
# Automatic pg_ctl configuration
# This configuration file contains cluster specific options to be passed to
# pg_ctl(1).
pg_ctl_options = ''

99
db/postgresql-12/files/originals/etc/pg_hba.conf Normal file
View File

@@ -0,0 +1,99 @@
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
# Note that "password" sends passwords in clear text; "md5" or
# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the server receives a
# SIGHUP signal. If you edit the file on a running system, you have to
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
# or execute "SELECT pg_reload_conf()".
#
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5

42
db/postgresql-12/files/originals/etc/pg_ident.conf Normal file
View File

@@ -0,0 +1,42 @@
# PostgreSQL User Name Maps
# =========================
#
# Refer to the PostgreSQL documentation, chapter "Client
# Authentication" for a complete description. A short synopsis
# follows.
#
# This file controls PostgreSQL user name mapping. It maps external
# user names to their corresponding PostgreSQL user names. Records
# are of the form:
#
# MAPNAME SYSTEM-USERNAME PG-USERNAME
#
# (The uppercase quantities must be replaced by actual values.)
#
# MAPNAME is the (otherwise freely chosen) map name that was used in
# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the
# client. PG-USERNAME is the requested PostgreSQL user name. The
# existence of a record specifies that SYSTEM-USERNAME may connect as
# PG-USERNAME.
#
# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
# regular expression. Optionally this can contain a capture (a
# parenthesized subexpression). The substring matching the capture
# will be substituted for \1 (backslash-one) if present in
# PG-USERNAME.
#
# Multiple maps may be specified in this file and used by pg_hba.conf.
#
# No map names are defined in the default configuration. If all
# system user names and PostgreSQL user names are the same, you don't
# need anything in this file.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect. You can
# use "pg_ctl reload" to do that.
# Put your actual configuration here
# ----------------------------------
# MAPNAME SYSTEM-USERNAME PG-USERNAME

750
db/postgresql-12/files/originals/etc/postgresql.conf Normal file
View File

@@ -0,0 +1,750 @@
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
data_directory = '/var/lib/postgresql/12/main' # use data in another directory
# (change requires restart)
hba_file = '/etc/postgresql/12/main/pg_hba.conf' # host-based authentication file
# (change requires restart)
ident_file = '/etc/postgresql/12/main/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
external_pid_file = '/var/run/postgresql/12-main.pid' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
#listen_addresses = 'localhost' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
port = 5432 # (change requires restart)
max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP settings -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
ssl = on
#ssl_ca_file = ''
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
#ssl_crl_file = ''
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
shared_buffers = 128MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
#shared_memory_type = mmap # the default is the first option
# supported by the operating system:
# mmap
# sysv
# windows
# (change requires restart)
dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 512kB # measured in pages, 0 disables
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_init_zero = on # zero-fill new WAL files
#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
max_wal_size = 1GB
min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 256kB # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
# - Archive Recovery -
# These are only used in recovery mode.
#restore_command = '' # command to use to restore an archived logfile segment
# placeholders: %p = path of file to restore
# %f = file name only
# e.g. 'cp /mnt/server/archivedir/%f %p'
# (change requires restart)
#archive_cleanup_command = '' # command to execute at every restartpoint
#recovery_end_command = '' # command to execute at completion of recovery
# - Recovery Target -
# Set these only when performing a targeted recovery.
#recovery_target = '' # 'immediate' to end recovery as soon as a
# consistent state is reached
# (change requires restart)
#recovery_target_name = '' # the named restore point to which recovery will proceed
# (change requires restart)
#recovery_target_time = '' # the time stamp up to which recovery will proceed
# (change requires restart)
#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
# (change requires restart)
#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
# (change requires restart)
#recovery_target_inclusive = on # Specifies whether to stop:
# just after the specified recovery target (on)
# just before the recovery target (off)
# (change requires restart)
#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
# (change requires restart)
#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
# (change requires restart)
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#primary_conninfo = '' # connection string to sending server
# (change requires restart)
#primary_slot_name = '' # replication slot on sending server
# (change requires restart)
#promote_trigger_file = '' # file name whose presence ends recovery
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = on # allow JIT compilation
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements
# are logged regardless of their duration. 1.0 logs all
# statements from all transactions, 0.0 never logs.
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
log_line_prefix = '%m [%p] %q%u@%d ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
log_timezone = 'US/Central'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
cluster_name = '12/main' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
stats_temp_directory = '/var/run/postgresql/12-main.pg_stat_tmp'
# - Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#default_table_access_method = 'heap'
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
timezone = 'US/Central'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
# selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
lc_messages = 'en_US.UTF-8' # locale for system error message
# strings
lc_monetary = 'en_US.UTF-8' # locale for monetary formatting
lc_numeric = 'en_US.UTF-8' # locale for number formatting
lc_time = 'en_US.UTF-8' # locale for time formatting
# default configuration for text search
default_text_search_config = 'pg_catalog.english'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
include_dir = 'conf.d' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

8
db/postgresql-12/files/originals/etc/start.conf Normal file
View File

@@ -0,0 +1,8 @@
# Automatic startup configuration
# auto: automatically start the cluster
# manual: manual startup with pg_ctlcluster/postgresql@.service only
# disabled: refuse to start cluster
# See pg_createcluster(1) for details. When running from systemd,
# invoke 'systemctl daemon-reload' after editing this file.
auto

30
db/postgresql-12/tasks/configure-linux.yml Normal file
View File

@@ -0,0 +1,30 @@
---
# Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory=2
# https://www.postgresql.org/docs/12/kernel-resources.html#LINUX-MEMORY-OVERCOMMIT
# View with sysctl -a |grep overcommit
- name: Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory=2
sysctl:
name: vm.overcommit_memory
value: '2'
reload: yes
state: present
# PostgreSQL docs recommend tweaking vm.nr_hugepages by using some math like so
# head -1 /var/lib/postgresql/12/main/postmaster.pid
# Gave me 14299 (this is the current process ID, can also us ps aux|grep postgres)
# pmap 14299 | awk '/rw-s/ && /zero/ {print $2}'
# Substiture your process ID of course
# This gave me 145608K on a fresh install of postgres
# grep ^Hugepagesize /proc/meminfo
# This gave me 2048KB
# Now take 145608 / 2048 = 71.09
# Now set sysctl -w vm.nr_hugepages=71
# I however did not do this just yet. Will wait once Postgres is actually used
# before tweaking this type of setting
# - NO, not yet name: Tweak vm.nr_hugepages according to some precalculated math
# sysctl:
# name: vm.nr_hugepages
# value: 2048
# reload: yes
# state: present

36
db/postgresql-12/tasks/install-debian.yml Normal file
View File

@@ -0,0 +1,36 @@
---
# We use the official PostgreSQL repositories which contains many versions of PostgreSQL
# Most of these versions will be newer than comes stock with debian
# Add GPG keys
- name: Addding PostgreSQL sources GPG key
apt_key: url='https://www.postgresql.org/media/keys/ACCC4CF8.asc' state=present
# Add PostgreSQL repositories for Debian 9
- name: Adding PostgreSQL sources for Debian 9 Jessie
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' state=present
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
# Add PostgreSQL repositories for Debian 10
- name: Adding PostgreSQL sources for Debian 10 Jessie
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main' state=present
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
# Add PostgreSQL repositories for Ubuntu 16.04
- name: Adding PostgreSQL sources for Ubuntu 16.04
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main' state=present
when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04"
# Add PostgreSQL repositories for Ubuntu 19.04
- name: Adding PostgreSQL sources for Ubuntu 18.04
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main' state=present
when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "18.04"
# Install PostgreSQL 12
- name: Installing PostgreSQL 12
apt:
update_cache: yes
state: present
name:
- postgresql-12
- python-psycopg2 # Required for ansible postgres manipulation

8
db/postgresql-12/tasks/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
# Configure Linux (agnostic)
- include_tasks: configure-linux.yml
# Install PostgreSQL 11 - Debian All Versions
- include_tasks: install-debian.yml
when: ansible_os_family == "Debian"

30
db/postgresql-9.6/tasks/configure-linux.yml Normal file
View File

@@ -0,0 +1,30 @@
---
# Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory=2
# https://www.postgresql.org/docs/12/kernel-resources.html#LINUX-MEMORY-OVERCOMMIT
# View with sysctl -a |grep overcommit
- name: Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory=2
sysctl:
name: vm.overcommit_memory
value: '2'
reload: yes
state: present
# PostgreSQL docs recommend tweaking vm.nr_hugepages by using some math like so
# head -1 /var/lib/postgresql/12/main/postmaster.pid
# Gave me 14299 (this is the current process ID, can also us ps aux|grep postgres)
# pmap 14299 | awk '/rw-s/ && /zero/ {print $2}'
# Substiture your process ID of course
# This gave me 145608K on a fresh install of postgres
# grep ^Hugepagesize /proc/meminfo
# This gave me 2048KB
# Now take 145608 / 2048 = 71.09
# Now set sysctl -w vm.nr_hugepages=71
# I however did not do this just yet. Will wait once Postgres is actually used
# before tweaking this type of setting
# - NO, not yet name: Tweak vm.nr_hugepages according to some precalculated math
# sysctl:
# name: vm.nr_hugepages
# value: 2048
# reload: yes
# state: present

17
db/postgresql-9.6/tasks/install-debian.yml
View File

@@ -11,7 +11,22 @@
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' state=present
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
# Install PostgreSQL 10
# Add PostgreSQL repositories for Debian 10
- name: Adding PostgreSQL sources for Debian 10 Jessie
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main' state=present
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
# Add PostgreSQL repositories for Ubuntu 16.04
- name: Adding PostgreSQL sources for Ubuntu 16.04
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main' state=present
when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04"
# Add PostgreSQL repositories for Ubuntu 19.04
- name: Adding PostgreSQL sources for Ubuntu 18.04
apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main' state=present
when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "18.04"
# Install PostgreSQL 9.6
- name: Installing PostgreSQL 9.6
apt:
update_cache: yes

4
db/postgresql-9.6/tasks/main.yml
View File

@@ -1,6 +1,8 @@
---
# postgresql-9.6
# Configure Linux (agnostic)
- include_tasks: configure-linux.yml
# Install PostgreSQL 9.6 - Debian All Versions
- include_tasks: install-debian.yml
when: ansible_os_family == "Debian"

6
db/redis/tasks/main.yml
View File

@@ -10,7 +10,7 @@
- name: Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory = 1
sysctl:
name: vm.overcommit_memory
value: 1
value: '1'
reload: yes
state: present
notify: restart redis # Only runs if file changed!
@@ -19,7 +19,7 @@
- name: Setting /etc/sysctl.conf vm.swappiness = 0
sysctl:
name: vm.swappiness
value: 0
value: '0'
reload: yes
state: present
notify: restart redis # Only runs if file changed!
@@ -34,7 +34,7 @@
dest: "/etc/systemd/system/disable-thp.service"
owner: root
group: root
mode: 0644 # -rw-r--r--
mode: '0644' # -rw-r--r--
notify:
- disable thp
- restart redis # Only runs if file changed!

23
functions/user.yml
View File

@@ -17,11 +17,19 @@
changed_when: false
register: user_home
# Notice both group and user is {{id}}, so they are the same!
# Create group by same ID as user
- name: Creating group {{ user }}
group:
name: '{{ user }}'
gid: '{{ id }}'
when: gid is undefined
# Create group by options gid
- name: Creating group {{ user }}
group:
name: '{{ user }}'
gid: '{{ gid }}'
when: gid is defined
- name: Creating user {{ user }}
user:
@@ -53,6 +61,12 @@
line: '{{ user }} ALL=(ALL) NOPASSWD:ALL'
when: '"sudo" in group'
# Create users ~/.ssh directory
- name: Creating {{ user }} ~/.ssh directory
file:
path: '{{ "~" + user | expanduser }}/.ssh'
state: directory
# Authorize users SSH keys
# NOTE, when: ssh_authorize|bool == true
# IS working, BUT even if ssh_authorize = false the
@@ -66,13 +80,6 @@
- 'keys/{{ user }}.key.pub'
when: ssh_authorize|default(true)|bool
# Create users ~/.ssh directory
- name: Creating {{ user }} ~/.ssh directory
file:
path: '{{ "~" + user | expanduser }}/.ssh'
state: directory
when: ssh_keys|default(false)|bool
# Create users public key
- name: Copying {{ user }} SSH public key
copy:

2
server/tasks/agnostic/main.yml
View File

@@ -57,7 +57,7 @@
limit_item: nofile
value: '65535'
# Enable Memory Overcommit /etc/sysctl.conf vm.overcommit_memory = 1
# Increase max_user_watches
# View with sysctl -a |grep max_user_watches (default on debian is 8192)
- name: Increase fs.inotify.max_user_watches in /etc/sysctl.conf
sysctl:

13
server/tasks/main.yml
View File

@@ -1,12 +1,13 @@
---
# Any server (OS agnostic)
# ------------------------------------------------------------------------------
- name: Configure any server (OS agnostic)
include_tasks: agnostic/main.yml
# Debian server
# Run first to install base software required for agnostic/main.yml
# ------------------------------------------------------------------------------
- name: Configure debian/ubuntu server
include_tasks: debian/main.yml
when: ansible_os_family == "Debian"
# Any server (OS agnostic)
# ------------------------------------------------------------------------------
- name: Configure any server (OS agnostic)
include_tasks: agnostic/main.yml

7
system/supervisor/tasks/main.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: Installing supervisor
apt:
update_cache: yes
state: present
name:
- supervisor

27
virt/opennebula-5.10-controller/tasks/main.yml
View File

@@ -31,6 +31,33 @@
# NOTE: OpenNebula daemons do NOT start after install, contrary to how most other debian packages behave.
# This is good as we want to set passwords and other configurations before we start OpenNebula for the first time.
# Set permissions on /var/lib/one folder
- name: Ensuring permissions on /var/lib/one directory
file:
path: /var/lib/one
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Create /var/lib/one/.ssh folder
- name: Creating /var/lib/one/.ssh directory
file:
path: /var/lib/one/.ssh
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Create /var/log/one folder or the daemon will not start
- name: Creating /var/log/one directory
file:
path: /var/log/one
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Copy ssh client config for oneadmin user
- name: Copying oneadmin SSH client config
copy:

0
virt/opennebula-5.10-kvm-node/files/libvirtd.conf → virt/opennebula-5.10-kvm-node/files/libvirtd-debian10.conf
View File

469
virt/opennebula-5.10-kvm-node/files/libvirtd-debian9.conf Normal file
View File

@@ -0,0 +1,469 @@
# Master libvirt daemon configuration file
#
# For further information consult http://libvirt.org/format.html
#
# NOTE: the tests/daemon-conf regression test script requires
# that each "PARAMETER = VALUE" line in this file have the parameter
# name just after a leading "#".
#################################################################
#
# Network connectivity controls
#
# Flag listening for secure TLS connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# It is necessary to setup a CA and issue server certificates before
# using this capability.
#
# This is enabled by default, uncomment this to disable it
#listen_tls = 0
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# Using the TCP socket requires SASL authentication by default. Only
# SASL mechanisms which support data encryption are allowed. This is
# DIGEST_MD5 and GSSAPI (Kerberos5)
#
# This is disabled by default, uncomment this to enable it.
#listen_tcp = 1
# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
#tls_port = "16514"
# Override the port for accepting insecure TCP connections
# This can be a port number, or service name
#
#tcp_port = "16509"
# Override the default configuration which binds to all network
# interfaces. This can be a numeric IPv4/6 address, or hostname
#
# If the libvirtd service is started in parallel with network
# startup (e.g. with systemd), binding to addresses other than
# the wildcards (0.0.0.0/::) might not be available yet.
#
#listen_addr = "192.168.0.1"
# Flag toggling mDNS advertizement of the libvirt service.
#
# Alternatively can disable for all services on a host by
# stopping the Avahi daemon
#
# This is disabled by default, uncomment this to enable it
#mdns_adv = 1
# Override the default mDNS advertizement name. This must be
# unique on the immediate broadcast network.
#
# The default is "Virtualization Host HOSTNAME", where HOSTNAME
# is substituted for the short hostname of the machine (without domain)
#
#mdns_name = "Virtualization Host Joe Demo"
#################################################################
#
# UNIX socket access controls
#
# Set the UNIX domain socket group ownership. This can be used to
# allow a 'trusted' set of users access to management capabilities
# without becoming root.
#
# This is restricted to 'root' by default.
#unix_sock_group = "libvirt"
# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
# Default allows any user. If setting group ownership, you may want to
# restrict this too.
#unix_sock_ro_perms = "0777"
# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
# Default allows only root. If PolicyKit is enabled on the socket,
# the default will change to allow everyone (eg, 0777)
#
# If not using PolicyKit and setting group ownership for access
# control, then you may want to relax this too.
#unix_sock_rw_perms = "0770"
# Set the UNIX socket permissions for the admin interface socket.
#
# Default allows only owner (root), do not change it unless you are
# sure to whom you are exposing the access to.
#unix_sock_admin_perms = "0700"
# Set the name of the directory in which sockets will be found/created.
#unix_sock_dir = "/var/run/libvirt"
#################################################################
#
# Authentication.
#
# - none: do not perform auth checks. If you can connect to the
# socket you are allowed. This is suitable if there are
# restrictions on connecting to the socket (eg, UNIX
# socket permissions), or if there is a lower layer in
# the network providing auth (eg, TLS/x509 certificates)
#
# - sasl: use SASL infrastructure. The actual auth scheme is then
# controlled from /etc/sasl2/libvirt.conf. For the TCP
# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
# For non-TCP or TLS sockets, any scheme is allowed.
#
# - polkit: use PolicyKit to authenticate. This is only suitable
# for use on the UNIX sockets. The default policy will
# require a user to supply their own password to gain
# full read/write access (aka sudo like), while anyone
# is allowed read/only access.
#
# Set an authentication scheme for UNIX read-only sockets
# By default socket permissions allow anyone to connect
#
# To restrict monitoring of domains you may wish to enable
# an authentication mechanism here
auth_unix_ro = "none"
# Set an authentication scheme for UNIX read-write sockets
# By default socket permissions only allow root. If PolicyKit
# support was compiled into libvirt, the default will be to
# use 'polkit' auth.
#
# If the unix_sock_rw_perms are changed you may wish to enable
# an authentication mechanism here
auth_unix_rw = "none"
# Change the authentication scheme for TCP sockets.
#
# If you don't enable SASL, then all TCP traffic is cleartext.
# Don't do this outside of a dev/test scenario. For real world
# use, always enable SASL and use the GSSAPI or DIGEST-MD5
# mechanism in /etc/sasl2/libvirt.conf
#auth_tcp = "sasl"
# Change the authentication scheme for TLS sockets.
#
# TLS sockets already have encryption provided by the TLS
# layer, and limited authentication is done by certificates
#
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"
# Change the API access control scheme
#
# By default an authenticated user is allowed access
# to all APIs. Access drivers can place restrictions
# on this. By default the 'nop' driver is enabled,
# meaning no access control checks are done once a
# client has authenticated with libvirtd
#
#access_drivers = [ "polkit" ]
#################################################################
#
# TLS x509 certificate configuration
#
# Override the default server key file path
#
#key_file = "/etc/pki/libvirt/private/serverkey.pem"
# Override the default server certificate file path
#
#cert_file = "/etc/pki/libvirt/servercert.pem"
# Override the default CA certificate path
#
#ca_file = "/etc/pki/CA/cacert.pem"
# Specify a certificate revocation list.
#
# Defaults to not using a CRL, uncomment to enable it
#crl_file = "/etc/pki/CA/crl.pem"
#################################################################
#
# Authorization controls
#
# Flag to disable verification of our own server certificates
#
# When libvirtd starts it performs some sanity checks against
# its own certificates.
#
# Default is to always run sanity checks. Uncommenting this
# will disable sanity checks which is not a good idea
#tls_no_sanity_certificate = 1
# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
#tls_no_verify_certificate = 1
# A whitelist of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
#
# See the POSIX fnmatch function for the format of the wildcards.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no DN's are checked
#tls_allowed_dn_list = ["DN1", "DN2"]
# A whitelist of allowed SASL usernames. The format for username
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#
# This list may contain wildcards such as
#
# "*@EXAMPLE.COM"
#
# See the POSIX fnmatch function for the format of the wildcards.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no Username's are checked
#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
# Override the compile time default TLS priority string. The
# default is usually "NORMAL" unless overridden at build time.
# Only set this is it is desired for libvirt to deviate from
# the global default settings.
#
#tls_priority="NORMAL"
#################################################################
#
# Processing controls
#
# The maximum number of concurrent client connections to allow
# over all sockets combined.
#max_clients = 5000
# The maximum length of queue of connections waiting to be
# accepted by the daemon. Note, that some protocols supporting
# retransmission may obey this so that a later reattempt at
# connection succeeds.
#max_queued_clients = 1000
# The maximum length of queue of accepted but not yet
# authenticated clients. The default value is 20. Set this to
# zero to turn this feature off.
#max_anonymous_clients = 20
# The minimum limit sets the number of workers to start up
# initially. If the number of active clients exceeds this,
# then more threads are spawned, up to max_workers limit.
# Typically you'd want max_workers to equal maximum number
# of clients allowed
#min_workers = 5
#max_workers = 20
# The number of priority workers. If all workers from above
# pool are stuck, some calls marked as high priority
# (notably domainDestroy) can be executed in this pool.
#prio_workers = 5
# Total global limit on concurrent RPC calls. Should be
# at least as large as max_workers. Beyond this, RPC requests
# will be read into memory and queued. This directly impacts
# memory usage, currently each request requires 256 KB of
# memory. So by default up to 5 MB of memory is used
#
# XXX this isn't actually enforced yet, only the per-client
# limit is used so far
#max_requests = 20
# Limit on concurrent requests from a single client
# connection. To avoid one client monopolizing the server
# this should be a small fraction of the global max_requests
# and max_workers parameter
#max_client_requests = 5
# Same processing controls, but this time for the admin interface.
# For description of each option, be so kind to scroll few lines
# upwards.
#admin_min_workers = 1
#admin_max_workers = 5
#admin_max_clients = 5
#admin_max_queued_clients = 5
#admin_max_client_requests = 5
#################################################################
#
# Logging controls
#
# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
# basically 1 will log everything possible
# Note: Journald may employ rate limiting of the messages logged
# and thus lock up the libvirt daemon. To use the debug level with
# journald you have to specify it explicitly in 'log_outputs', otherwise
# only information level messages will be logged.
#log_level = 3
# Logging filters:
# A filter allows to select a different logging level for a given category
# of logs
# The format for a filter is one of:
# x:name
# x:+name
# where name is a string which is matched against the category
# given in the VIR_LOG_INIT() at the top of each libvirt source
# file, e.g., "remote", "qemu", or "util.json" (the name in the
# filter can be a substring of the full category name, in order
# to match multiple similar categories), the optional "+" prefix
# tells libvirt to log stack trace for each message matching
# name, and x is the minimal level where matching messages should
# be logged:
# 1: DEBUG
# 2: INFO
# 3: WARNING
# 4: ERROR
#
# Multiple filters can be defined in a single @filters, they just need to be
# separated by spaces.
#
# e.g. to only get warning or errors from the remote layer and only errors
# from the event layer:
#log_filters="3:remote 4:event"
# Logging outputs:
# An output is one of the places to save logging information
# The format for an output can be:
# x:stderr
# output goes to stderr
# x:syslog:name
# use syslog for the output and use the given name as the ident
# x:file:file_path
# output to a file, with the given filepath
# x:journald
# output to journald logging system
# In all case the x prefix is the minimal level, acting as a filter
# 1: DEBUG
# 2: INFO
# 3: WARNING
# 4: ERROR
#
# Multiple outputs can be defined, they just need to be separated by spaces.
# e.g. to log all warnings and errors to syslog under the libvirtd ident:
#log_outputs="3:syslog:libvirtd"
#
# Log debug buffer size:
#
# This configuration option is no longer used, since the global
# log buffer functionality has been removed. Please configure
# suitable log_outputs/log_filters settings to obtain logs.
#log_buffer_size = 64
##################################################################
#
# Auditing
#
# This setting allows usage of the auditing subsystem to be altered:
#
# audit_level == 0 -> disable all auditing
# audit_level == 1 -> enable auditing, only if enabled on host (default)
# audit_level == 2 -> enable auditing, and exit if disabled on host
#
#audit_level = 2
#
# If set to 1, then audit messages will also be sent
# via libvirt logging infrastructure. Defaults to 0
#
#audit_logging = 1
###################################################################
# UUID of the host:
# Host UUID is read from one of the sources specified in host_uuid_source.
#
# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
# - 'machine-id': fetch the UUID from /etc/machine-id
#
# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
# a valid UUID a temporary UUID will be generated.
#
# Another option is to specify host UUID in host_uuid.
#
# Keep the format of the example UUID below. UUID must not have all digits
# be the same.
# NB This default all-zeros UUID will not work. Replace
# it with the output of the 'uuidgen' command and then
# uncomment this entry
#host_uuid = "00000000-0000-0000-0000-000000000000"
#host_uuid_source = "smbios"
###################################################################
# Keepalive protocol:
# This allows libvirtd to detect broken client connections or even
# dead clients. A keepalive message is sent to a client after
# keepalive_interval seconds of inactivity to check if the client is
# still responding; keepalive_count is a maximum number of keepalive
# messages that are allowed to be sent to the client without getting
# any response before the connection is considered broken. In other
# words, the connection is automatically closed approximately after
# keepalive_interval * (keepalive_count + 1) seconds since the last
# message received from the client. If keepalive_interval is set to
# -1, libvirtd will never send keepalive requests; however clients
# can still send them and the daemon will send responses. When
# keepalive_count is set to 0, connections will be automatically
# closed after keepalive_interval seconds of inactivity without
# sending any keepalive messages.
#
#keepalive_interval = 5
#keepalive_count = 5
#
# These configuration options are no longer used. There is no way to
# restrict such clients from connecting since they first need to
# connect in order to ask for keepalive.
#
#keepalive_required = 1
#admin_keepalive_required = 1
# Keepalive settings for the admin interface
#admin_keepalive_interval = 5
#admin_keepalive_count = 5

0
virt/opennebula-5.10-kvm-node/files/original/libvirtd.conf → virt/opennebula-5.10-kvm-node/files/original/libvirtd-debian10.conf
View File

469
virt/opennebula-5.10-kvm-node/files/original/libvirtd-debian9.conf Normal file
View File

@@ -0,0 +1,469 @@
# Master libvirt daemon configuration file
#
# For further information consult http://libvirt.org/format.html
#
# NOTE: the tests/daemon-conf regression test script requires
# that each "PARAMETER = VALUE" line in this file have the parameter
# name just after a leading "#".
#################################################################
#
# Network connectivity controls
#
# Flag listening for secure TLS connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# It is necessary to setup a CA and issue server certificates before
# using this capability.
#
# This is enabled by default, uncomment this to disable it
#listen_tls = 0
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# Using the TCP socket requires SASL authentication by default. Only
# SASL mechanisms which support data encryption are allowed. This is
# DIGEST_MD5 and GSSAPI (Kerberos5)
#
# This is disabled by default, uncomment this to enable it.
#listen_tcp = 1
# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
#tls_port = "16514"
# Override the port for accepting insecure TCP connections
# This can be a port number, or service name
#
#tcp_port = "16509"
# Override the default configuration which binds to all network
# interfaces. This can be a numeric IPv4/6 address, or hostname
#
# If the libvirtd service is started in parallel with network
# startup (e.g. with systemd), binding to addresses other than
# the wildcards (0.0.0.0/::) might not be available yet.
#
#listen_addr = "192.168.0.1"
# Flag toggling mDNS advertizement of the libvirt service.
#
# Alternatively can disable for all services on a host by
# stopping the Avahi daemon
#
# This is disabled by default, uncomment this to enable it
#mdns_adv = 1
# Override the default mDNS advertizement name. This must be
# unique on the immediate broadcast network.
#
# The default is "Virtualization Host HOSTNAME", where HOSTNAME
# is substituted for the short hostname of the machine (without domain)
#
#mdns_name = "Virtualization Host Joe Demo"
#################################################################
#
# UNIX socket access controls
#
# Set the UNIX domain socket group ownership. This can be used to
# allow a 'trusted' set of users access to management capabilities
# without becoming root.
#
# This is restricted to 'root' by default.
#unix_sock_group = "libvirt"
# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
# Default allows any user. If setting group ownership, you may want to
# restrict this too.
#unix_sock_ro_perms = "0777"
# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
# Default allows only root. If PolicyKit is enabled on the socket,
# the default will change to allow everyone (eg, 0777)
#
# If not using PolicyKit and setting group ownership for access
# control, then you may want to relax this too.
#unix_sock_rw_perms = "0770"
# Set the UNIX socket permissions for the admin interface socket.
#
# Default allows only owner (root), do not change it unless you are
# sure to whom you are exposing the access to.
#unix_sock_admin_perms = "0700"
# Set the name of the directory in which sockets will be found/created.
#unix_sock_dir = "/var/run/libvirt"
#################################################################
#
# Authentication.
#
# - none: do not perform auth checks. If you can connect to the
# socket you are allowed. This is suitable if there are
# restrictions on connecting to the socket (eg, UNIX
# socket permissions), or if there is a lower layer in
# the network providing auth (eg, TLS/x509 certificates)
#
# - sasl: use SASL infrastructure. The actual auth scheme is then
# controlled from /etc/sasl2/libvirt.conf. For the TCP
# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
# For non-TCP or TLS sockets, any scheme is allowed.
#
# - polkit: use PolicyKit to authenticate. This is only suitable
# for use on the UNIX sockets. The default policy will
# require a user to supply their own password to gain
# full read/write access (aka sudo like), while anyone
# is allowed read/only access.
#
# Set an authentication scheme for UNIX read-only sockets
# By default socket permissions allow anyone to connect
#
# To restrict monitoring of domains you may wish to enable
# an authentication mechanism here
#auth_unix_ro = "none"
# Set an authentication scheme for UNIX read-write sockets
# By default socket permissions only allow root. If PolicyKit
# support was compiled into libvirt, the default will be to
# use 'polkit' auth.
#
# If the unix_sock_rw_perms are changed you may wish to enable
# an authentication mechanism here
#auth_unix_rw = "none"
# Change the authentication scheme for TCP sockets.
#
# If you don't enable SASL, then all TCP traffic is cleartext.
# Don't do this outside of a dev/test scenario. For real world
# use, always enable SASL and use the GSSAPI or DIGEST-MD5
# mechanism in /etc/sasl2/libvirt.conf
#auth_tcp = "sasl"
# Change the authentication scheme for TLS sockets.
#
# TLS sockets already have encryption provided by the TLS
# layer, and limited authentication is done by certificates
#
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"
# Change the API access control scheme
#
# By default an authenticated user is allowed access
# to all APIs. Access drivers can place restrictions
# on this. By default the 'nop' driver is enabled,
# meaning no access control checks are done once a
# client has authenticated with libvirtd
#
#access_drivers = [ "polkit" ]
#################################################################
#
# TLS x509 certificate configuration
#
# Override the default server key file path
#
#key_file = "/etc/pki/libvirt/private/serverkey.pem"
# Override the default server certificate file path
#
#cert_file = "/etc/pki/libvirt/servercert.pem"
# Override the default CA certificate path
#
#ca_file = "/etc/pki/CA/cacert.pem"
# Specify a certificate revocation list.
#
# Defaults to not using a CRL, uncomment to enable it
#crl_file = "/etc/pki/CA/crl.pem"
#################################################################
#
# Authorization controls
#
# Flag to disable verification of our own server certificates
#
# When libvirtd starts it performs some sanity checks against
# its own certificates.
#
# Default is to always run sanity checks. Uncommenting this
# will disable sanity checks which is not a good idea
#tls_no_sanity_certificate = 1
# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
#tls_no_verify_certificate = 1
# A whitelist of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
#
# See the POSIX fnmatch function for the format of the wildcards.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no DN's are checked
#tls_allowed_dn_list = ["DN1", "DN2"]
# A whitelist of allowed SASL usernames. The format for username
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#
# This list may contain wildcards such as
#
# "*@EXAMPLE.COM"
#
# See the POSIX fnmatch function for the format of the wildcards.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no Username's are checked
#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
# Override the compile time default TLS priority string. The
# default is usually "NORMAL" unless overridden at build time.
# Only set this is it is desired for libvirt to deviate from
# the global default settings.
#
#tls_priority="NORMAL"
#################################################################
#
# Processing controls
#
# The maximum number of concurrent client connections to allow
# over all sockets combined.
#max_clients = 5000
# The maximum length of queue of connections waiting to be
# accepted by the daemon. Note, that some protocols supporting
# retransmission may obey this so that a later reattempt at
# connection succeeds.
#max_queued_clients = 1000
# The maximum length of queue of accepted but not yet
# authenticated clients. The default value is 20. Set this to
# zero to turn this feature off.
#max_anonymous_clients = 20
# The minimum limit sets the number of workers to start up
# initially. If the number of active clients exceeds this,
# then more threads are spawned, up to max_workers limit.
# Typically you'd want max_workers to equal maximum number
# of clients allowed
#min_workers = 5
#max_workers = 20
# The number of priority workers. If all workers from above
# pool are stuck, some calls marked as high priority
# (notably domainDestroy) can be executed in this pool.
#prio_workers = 5
# Total global limit on concurrent RPC calls. Should be
# at least as large as max_workers. Beyond this, RPC requests
# will be read into memory and queued. This directly impacts
# memory usage, currently each request requires 256 KB of
# memory. So by default up to 5 MB of memory is used
#
# XXX this isn't actually enforced yet, only the per-client
# limit is used so far
#max_requests = 20
# Limit on concurrent requests from a single client
# connection. To avoid one client monopolizing the server
# this should be a small fraction of the global max_requests
# and max_workers parameter
#max_client_requests = 5
# Same processing controls, but this time for the admin interface.
# For description of each option, be so kind to scroll few lines
# upwards.
#admin_min_workers = 1
#admin_max_workers = 5
#admin_max_clients = 5
#admin_max_queued_clients = 5
#admin_max_client_requests = 5
#################################################################
#
# Logging controls
#
# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
# basically 1 will log everything possible
# Note: Journald may employ rate limiting of the messages logged
# and thus lock up the libvirt daemon. To use the debug level with
# journald you have to specify it explicitly in 'log_outputs', otherwise
# only information level messages will be logged.
#log_level = 3
# Logging filters:
# A filter allows to select a different logging level for a given category
# of logs
# The format for a filter is one of:
# x:name
# x:+name
# where name is a string which is matched against the category
# given in the VIR_LOG_INIT() at the top of each libvirt source
# file, e.g., "remote", "qemu", or "util.json" (the name in the
# filter can be a substring of the full category name, in order
# to match multiple similar categories), the optional "+" prefix
# tells libvirt to log stack trace for each message matching
# name, and x is the minimal level where matching messages should
# be logged:
# 1: DEBUG
# 2: INFO
# 3: WARNING
# 4: ERROR
#
# Multiple filters can be defined in a single @filters, they just need to be
# separated by spaces.
#
# e.g. to only get warning or errors from the remote layer and only errors
# from the event layer:
#log_filters="3:remote 4:event"
# Logging outputs:
# An output is one of the places to save logging information
# The format for an output can be:
# x:stderr
# output goes to stderr
# x:syslog:name
# use syslog for the output and use the given name as the ident
# x:file:file_path
# output to a file, with the given filepath
# x:journald
# output to journald logging system
# In all case the x prefix is the minimal level, acting as a filter
# 1: DEBUG
# 2: INFO
# 3: WARNING
# 4: ERROR
#
# Multiple outputs can be defined, they just need to be separated by spaces.
# e.g. to log all warnings and errors to syslog under the libvirtd ident:
#log_outputs="3:syslog:libvirtd"
#
# Log debug buffer size:
#
# This configuration option is no longer used, since the global
# log buffer functionality has been removed. Please configure
# suitable log_outputs/log_filters settings to obtain logs.
#log_buffer_size = 64
##################################################################
#
# Auditing
#
# This setting allows usage of the auditing subsystem to be altered:
#
# audit_level == 0 -> disable all auditing
# audit_level == 1 -> enable auditing, only if enabled on host (default)
# audit_level == 2 -> enable auditing, and exit if disabled on host
#
#audit_level = 2
#
# If set to 1, then audit messages will also be sent
# via libvirt logging infrastructure. Defaults to 0
#
#audit_logging = 1
###################################################################
# UUID of the host:
# Host UUID is read from one of the sources specified in host_uuid_source.
#
# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
# - 'machine-id': fetch the UUID from /etc/machine-id
#
# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
# a valid UUID a temporary UUID will be generated.
#
# Another option is to specify host UUID in host_uuid.
#
# Keep the format of the example UUID below. UUID must not have all digits
# be the same.
# NB This default all-zeros UUID will not work. Replace
# it with the output of the 'uuidgen' command and then
# uncomment this entry
#host_uuid = "00000000-0000-0000-0000-000000000000"
#host_uuid_source = "smbios"
###################################################################
# Keepalive protocol:
# This allows libvirtd to detect broken client connections or even
# dead clients. A keepalive message is sent to a client after
# keepalive_interval seconds of inactivity to check if the client is
# still responding; keepalive_count is a maximum number of keepalive
# messages that are allowed to be sent to the client without getting
# any response before the connection is considered broken. In other
# words, the connection is automatically closed approximately after
# keepalive_interval * (keepalive_count + 1) seconds since the last
# message received from the client. If keepalive_interval is set to
# -1, libvirtd will never send keepalive requests; however clients
# can still send them and the daemon will send responses. When
# keepalive_count is set to 0, connections will be automatically
# closed after keepalive_interval seconds of inactivity without
# sending any keepalive messages.
#
#keepalive_interval = 5
#keepalive_count = 5
#
# These configuration options are no longer used. There is no way to
# restrict such clients from connecting since they first need to
# connect in order to ask for keepalive.
#
#keepalive_required = 1
#admin_keepalive_required = 1
# Keepalive settings for the admin interface
#admin_keepalive_interval = 5
#admin_keepalive_count = 5

43
virt/opennebula-5.10-kvm-node/tasks/main.yml
View File

@@ -19,15 +19,54 @@
name: opennebula-node
notify: restart libvirtd
# Copy /etc/libvirt/libvirt.conf to bypass polkit socker permissions
# Copy /etc/libvirt/libvirt.conf to bypass polkit socket permissions
- name: Copying libvirtd.conf
copy:
src: 'files/libvirtd.conf'
src: 'libvirtd-debian10.conf'
dest: '/etc/libvirt/libvirtd.conf'
owner: 'root'
group: 'root'
mode: 0644
notify: restart libvirtd
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
# Copy /etc/libvirt/libvirt.conf to bypass polkit socker permissions
- name: Copying libvirtd.conf
copy:
src: 'libvirtd-debian9.conf'
dest: '/etc/libvirt/libvirtd.conf'
owner: 'root'
group: 'root'
mode: 0644
notify: restart libvirtd
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
# Set permissions on /var/lib/one folder
- name: Ensuring permissions on /var/lib/one directory
file:
path: /var/lib/one
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Create /var/lib/one/.ssh folder
- name: Creating /var/lib/one/.ssh directory
file:
path: /var/lib/one/.ssh
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Create /var/log/one folder or the daemon will not start
- name: Creating /var/log/one directory
file:
path: /var/log/one
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Copy ssh client config for oneadmin user
- name: Copying oneadmin SSH client config

3
virt/opennebula-5.8-controller/files/ssh.config Normal file
View File

@@ -0,0 +1,3 @@
# So ansible does not have to add each hypervisor node to known_hosts
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null

36
virt/opennebula-5.8-controller/tasks/main.yml
View File

@@ -25,3 +25,39 @@
# NOTE: OpenNebula daemons do NOT start after install, contrary to how most other debian packages behave.
# This is good as we want to set passwords and other configurations before we start OpenNebula for the first time.
# Set permissions on /var/lib/one folder
- name: Ensuring permissions on /var/lib/one directory
file:
path: /var/lib/one
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Create /var/lib/one/.ssh folder
- name: Creating /var/lib/one/.ssh directory
file:
path: /var/lib/one/.ssh
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Create /var/log/one folder or the daemon will not start
- name: Creating /var/log/one directory
file:
path: /var/log/one
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Copy ssh client config for oneadmin user
- name: Copying oneadmin SSH client config
copy:
src: 'files/ssh.config'
dest: '/var/lib/one/.ssh/config'
owner: 'oneadmin'
group: 'oneadmin'
mode: 0644

3
virt/opennebula-5.8-kvm-node/files/ssh.config Normal file
View File

@@ -0,0 +1,3 @@
# So ansible does not have to add each hypervisor node to known_hosts
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null

41
virt/opennebula-5.8-kvm-node/tasks/main.yml
View File

@@ -7,6 +7,11 @@
apt_repository: repo='deb https://downloads.opennebula.org/repo/5.8/Debian/9 stable opennebula' state=present
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
# NO, OpenNebula 5.8 never had a debian 10 repo, does not work with debian 10
# - name: Adding Debian 10 OpenNebula repository
# apt_repository: repo='deb https://downloads.opennebula.org/repo/5.8/Debian/10 stable opennebula' state=present
# when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
# Install OpenNebula
- name: Installing OpenNebula controller applications
apt:
@@ -14,3 +19,39 @@
state: present
name: opennebula-node
notify: restart libvirtd
# Set permissions on /var/lib/one folder
- name: Ensuring permissions on /var/lib/one directory
file:
path: /var/lib/one
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Create /var/lib/one/.ssh folder
- name: Creating /var/lib/one/.ssh directory
file:
path: /var/lib/one/.ssh
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Create /var/log/one folder or the daemon will not start
- name: Creating /var/log/one directory
file:
path: /var/log/one
state: directory
owner: oneadmin
group: oneadmin
mode: '0755'
# Copy ssh client config for oneadmin user
- name: Copying oneadmin SSH client config
copy:
src: 'files/ssh.config'
dest: '/var/lib/one/.ssh/config'
owner: 'oneadmin'
group: 'oneadmin'
mode: 0644

6
web/haproxy/handlers/main.yml
View File

@@ -1,9 +1,9 @@
---
- name: restart haproxy
service: name=haproxy state=restarted
service: name=haproxy enabled=yes state=restarted
- name: reload haproxy
service: name=haproxy state=reloaded
service: name=haproxy enabled=yes state=reloaded
- name: restart rsyslog
service: name=rsyslog state=restarted
service: name=rsyslog enabled=yes state=restarted

1070
web/kong-2.0.3/files/original/kong.conf.default Normal file
View File

File diff suppressed because it is too large Load Diff

13
web/kong-2.0.3/files/original/kong.logrotate Normal file
View File

@@ -0,0 +1,13 @@
/usr/local/kong/logs/*.log {
rotate 14
daily
missingok
compress
notifempty
sharedscripts
postrotate
if [ -f /usr/local/kong/pids/nginx.pid ]; then
kill -USR1 `cat /usr/local/kong/pids/nginx.pid`
fi
endscript
}

17
web/kong-2.0.3/tasks/main.yml Normal file
View File

@@ -0,0 +1,17 @@
---
# Add GPG keys
- name: Addding Kong sources GPG key
apt_key: url='https://bintray.com/user/downloadSubjectPublicKey?username=bintray' state=present
# Add Kong repositories for Debian 10
- name: Adding Kong sources for Debian 10 Jessie
apt_repository: repo='deb https://kong.bintray.com/kong-deb buster main' state=present
when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
# Install Kong
- name: Installing Kong
apt:
update_cache: yes
state: present
name:
- kong=2.0.3