default[:chef][:server][:version] = "12.9.1-1"
# Set the default client version
-default[:chef][:client][:version] = "12.14.89-1"
+default[:chef][:client][:version] = "12.17.44"
# limitations under the License.
#
-chef_package = "chef_#{node[:chef][:client][:version]}_amd64.deb"
+chef_version = node[:chef][:client][:version]
+chef_package = "chef_#{chef_version}-1_amd64.deb"
directory "/var/cache/chef" do
owner "root"
end
remote_file "/var/cache/chef/#{chef_package}" do
- source "https://packages.chef.io/stable/ubuntu/12.04/#{chef_package}"
+ source "https://packages.chef.io/files/stable/chef/#{chef_version}/ubuntu/16.04/#{chef_package}"
owner "root"
group "root"
mode 0o644
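Review bot: The `remote_file` download carries no `checksum`, so the pinned version only selects which package is fetched and nothing verifies that the `.deb` written to `/var/cache/chef` is the expected artifact before `dpkg_package` installs it as root. Consider adding `checksum "<sha256 of the pinned chef_#{chef_version}-1_amd64.deb>"` next to `source`, with the value stored beside the version attribute so both are bumped together. The `remote_file` block's `end` lies outside the hunk.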
dpkg_package "chef" do
source "/var/cache/chef/#{chef_package}"
- version node[:chef][:client][:version]
+ version "#{chef_version}-1"
end
directory "/etc/chef" do
if failed? && !exception.is_a?(SystemExit)
subject = "Chef run failed on #{node.name}"
message = "#{run_status.formatted_exception}\n"
- elsif elapsed_time > 300
+ elsif elapsed_time > 600
subject = "Chef run took #{elapsed_time} on #{node.name}"
message = ""
end
package "clamav-daemon"
package "clamav-freshclam"
+package "clamav-unofficial-sigs"
+
+template "/etc/clamav-unofficial-sigs.conf.d/50-chef.conf" do
+ source "clamav-unofficial-sigs.conf.erb"
+ owner "root"
+ group "root"
+ mode 0o644
+end
service "clamav-daemon" do
action [:enable, :start]
--- /dev/null
+# DO NOT EDIT - This file is being maintained by Chef
+
+# Add Sanesecurity foxhole databases
+ss_dbs="
+ ${ss_dbs}
+ foxhole_all.cdb
+ foxhole_all.ndb
+ foxhole_filename.cdb
+ foxhole_generic.cdb
+ foxhole_js.cdb
+ foxhole_js.ndb
+"
+
+# Disable SecuriteInfo databases as the domain no longer exists
+si_dbs=""
+
+# Disable MalwarePatrol databases as they fail checksum validation
+mbl_dbs=""
fixed-address spike-03.oob.openstreetmap.org;
}
+host tiamat-22.oob.openstreetmap.org {
+ hardware ethernet 00:25:90:29:a8:01;
+ server-name "tiamat-22.oob.openstreetmap.org";
+ fixed-address tiamat-22.oob.openstreetmap.org;
+}
+
host thorn-01.oob.openstreetmap.org {
hardware ethernet 00:19:bb:35:87:94;
server-name "thorn-01.oob.openstreetmap.org";
--- /dev/null
+This is an automated response to your email, which was sent to an
+unattended address.
+
+If you are having technical problems with the forums then please
+contact support@openstreetmap.org for assistance.
+
+Thank you,
+
+OpenStreetMap Administrators
message = This message scored $spam_score SpamAssassin points.
<% end -%>
+ # Deny spammy messages with headers of the form:
+ # X-PHP-Originating-Script: <digits>:SendMail.class.php
+ # X-PHP-Originating-Script: <digits>:ExtendedMail.class.php
+ deny condition = ${if match {$h_X-PHP-Originating-Script:}{^[0-9]+:(Send|Extended)Mail\\.class\\.php\$}}
+ message = This message failed local spam checks.
+
# Accept the message.
accept
description "Installs and configures foundation services"
long_description IO.read(File.join(File.dirname(__FILE__), "README.md"))
version "1.0.0"
+depends "apache"
+depends "git"
depends "mediawiki"
--- /dev/null
+#
+# Cookbook Name:: foundation
+# Recipe:: owg
+#
+# Copyright 2016, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apache::ssl"
+include_recipe "git"
+
+package "ruby"
+package "ruby-dev"
+
+gem_package "bundler"
+
+git "/srv/operations.osmfoundation.org" do
+ action :sync
+ repository "git://github.com/openstreetmap/owg-website.git"
+ user "root"
+ group "root"
+ notifies :run, "execute[/srv/operations.osmfoundation.org/Gemfile]"
+end
+
+directory "/srv/operations.osmfoundation.org/_site" do
+ mode 0o755
+ owner "nobody"
+ group "nogroup"
+end
+
+execute "/srv/operations.osmfoundation.org/Gemfile" do
+ action :nothing
+ command "bundle install"
+ cwd "/srv/operations.osmfoundation.org"
+ user "root"
+ group "root"
+ notifies :run, "execute[/srv/operations.osmfoundation.org]"
+end
+
+execute "/srv/operations.osmfoundation.org" do
+ action :nothing
+ command "bundle exec jekyll build --trace --baseurl=https://operations.osmfoundation.org"
+ cwd "/srv/operations.osmfoundation.org"
+ user "nobody"
+ group "nogroup"
+end
+
+apache_site "operations.osmfoundation.org" do
+ template "apache.owg.erb"
+ directory "/srv/operations.osmfoundation.org/_site"
+end
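Review bot: The `git` resource at the top of the recipe syncs over `git://`, which is neither encrypted nor authenticated, and the checkout is then fed to `bundle install` running as root, so the integrity of that transport is what stands between the network and root code execution on the host. Use `repository "https://github.com/openstreetmap/owg-website.git"` and, if a moving branch is not required, pin a `revision` so the checkout is reproducible. The `bundle install` step also runs as root while the `jekyll build` step runs as `nobody`; running both as `nobody` with a vendored bundle path would shrink the blast radius, though that depends on where gems are expected to be installed.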
--- /dev/null
+# DO NOT EDIT - This file is being maintained by Chef
+
+<VirtualHost *:80>
+ ServerName <%= @name %>
+ ServerAdmin webmaster@openstreetmap.org
+
+ CustomLog /var/log/apache2/<%= @name %>-access.log combined
+ ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+ Redirect permanent / https://<%= @name %>/
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName <%= @name %>
+ ServerAdmin webmaster@openstreetmap.org
+
+ CustomLog /var/log/apache2/<%= @name %>-access.log combined
+ ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+ DocumentRoot <%= @directory %>
+
+ SSLEngine on
+</VirtualHost>
+
+<Directory <%= @directory %>>
+ Require all granted
+</Directory>
--- /dev/null
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml">
+ <head>
+ <meta http-equiv="content-type" content="text/html; charset=utf-8"/>
+ <title>gps.tile.openstreetmap.org</title>
+ <link rel="stylesheet" href="map.css" type="text/css" media="all" />
+ <link rel="stylesheet" href="//unpkg.com/leaflet@1.0.2/dist/leaflet.css" />
+ <script type="text/javascript" src="//unpkg.com/leaflet@1.0.2/dist/leaflet.js"></script>
+ <script src="//code.jquery.com/jquery-3.1.1.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
+ <script type="text/javascript" src="map.js"></script>
+ </head>
+ <body>
+ <div id="map"></div>
+ </body>
+</html>
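Review bot: The jQuery script tag carries an `integrity` hash, but the Leaflet stylesheet and script loaded from unpkg.com two lines above do not, so a substituted CDN response for those would be executed unchecked while jQuery is protected. Add `integrity="<hash of leaflet@1.0.2 dist file>" crossorigin="anonymous"` to both Leaflet tags (the pinned version keeps the hashes stable), or serve the two files locally next to `map.js`.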
--- /dev/null
+#map {
+ position: absolute;
+ top: 0px;
+ bottom: 0px;
+ left: 0px;
+ right: 0px;
+}
--- /dev/null
+$(document).ready(function () {
+ // Create a map
+ var map = L.map("map");
+
+ // Add GPS tile layer
+ L.tileLayer("//gps-{s}.tile.openstreetmap.org/gps-lines/tile/{z}/{x}/{y}.png", {
+ attribution: "© <a target=\"_parent\" href=\"http://www.openstreetmap.org\">OpenStreetMap</a> and contributors, under an <a target=\"_parent\" href=\"http://www.openstreetmap.org/copyright\">open license</a>",
+ maxZoom: 18
+ }).addTo(map);
+
+ // SHow the whole world
+ map.fitWorld();
+});
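Review bot: The comment before the last call has a typo, `// SHow the whole world`; change it to `// Show the whole world`. The attribution anchors point at `http://www.openstreetmap.org`; using `https://` would keep the links on the same scheme as the page when it is served over TLS.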
units << "0"
when "Supermicro"
case product
- when "H8DGU", "X9SCD", "X7DBU", "X7DW3", "X9DR7/E-(J)LN4F", "X9DR3-F", "X9DRW", "SYS-2028U-TN24R4T+"
+ when "H8DGU", "X9SCD", "X7DBU", "X7DW3", "X9DR7/E-(J)LN4F", "X9DR3-F", "X9DRW", "SYS-2028U-TN24R4T+", "Super Server"
units << "1"
else
units << "0"
end
end
+# Link Layer Discovery Protocol Daemon
+package "lldpd"
+service "lldpd" do
+ action [:start, :enable]
+ supports :status => true, :restart => true, :reload => true
+end
+
tools_packages = []
status_packages = {}
end
else
extension_repository = new_resource.repository || default_repository
- extension_reference = if new_resource.tag
+ extension_reference = if new_resource.reference
+ new_resource.reference
+ elsif new_resource.tag
"refs/tags/#{new_resource.tag}"
else
"REL#{extension_version}".tr(".", "_")
# MediaWiki Language Extension Bundle
# FIXME: should automatically resolve tag
- mw_lang_ext_bundle_tag = "2015.10"
+ mw_lang_ext_bundle_tag = "2016.10"
mediawiki_extension "Babel" do
site new_resource.name
template "mw-ext-Babel.inc.php.erb"
- tag mw_lang_ext_bundle_tag
+ # tag mw_lang_ext_bundle_tag
+ reference "740782459d34e756a932ea1ceddde432a1295197"
update_site false
end
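Review bot: `mw_lang_ext_bundle_tag` is still assigned (and bumped to `"2016.10"`) but its only visible use is now the commented-out `# tag mw_lang_ext_bundle_tag` line, leaving a dead assignment and commented-out code in the recipe. If no other `mediawiki_extension` in this file uses the variable, drop both the assignment and the commented line; otherwise replace the commented line with a comment explaining why Babel is pinned to commit `740782459d34e756a932ea1ceddde432a1295197` rather than the bundle tag. The `FIXME` above still talks about resolving a tag, which no longer describes this resource.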
attribute :version, :kind_of => String
attribute :repository, :kind_of => String
attribute :tag, :kind_of => String
+attribute :reference, :kind_of => String
attribute :update_site, :kind_of => [TrueClass, FalseClass], :default => true
def after_created
--- /dev/null
+#!/bin/bash
+
+RRD_DIR=/var/lib/munin/openstreetmap
+DIR=`mktemp -d`
+DUMP_DIR=/srv/munin.openstreetmap.org/dumps
+TARGET_TGZ=`date "+munin-data-%Y-%m-%d.tar.gz"`
+KEEP_OLD_COUNT=3
+
+function cleanup {
+ rm -rf "$DIR"
+}
+
+trap cleanup EXIT
+
+set -e
+
+cd "$RRD_DIR"
+for f in *.rrd; do
+ rrdtool dump "$f" "$DIR/${f}.xml"
+ touch -r "$f" "$DIR/${f}.xml"
+done
+
+cd "$DIR"
+find -name "*.xml" -print0 | tar zcf "dump.tar.gz" --null -T -
+
+# if we got here, then the file was created okay so we're okay to delete any
+# old files.
+find "${DUMP_DIR}" -name "munin-data-*.tar.gz" -print0 | \
+ sort -z -r | \
+ tail -z -n "+${KEEP_OLD_COUNT}" | \
+ xargs --null rm -f
+
+mv dump.tar.gz "${DUMP_DIR}/${TARGET_TGZ}"
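Review bot: The prune of old dumps runs before `mv dump.tar.gz "${DUMP_DIR}/${TARGET_TGZ}"`, so if the move fails (the archive is built under `mktemp -d`, so this may be a cross-filesystem copy into `/srv`) the old dumps are already gone and the comment "we're okay to delete any old files" no longer holds. Move first and prune afterwards; with `tail -z -n "+$((KEEP_OLD_COUNT + 1))"` the directory then ends up holding exactly `KEEP_OLD_COUNT` archives, the newly written one included, which matches what the current `+3` ordering produces today but without the window where fewer exist. `tail -z` needs a recent coreutils, which is presumably fine on these hosts.
```shell
# … unchanged: dump loop and tar creation …

# Only prune once the new archive is safely in place, so a failed move
# cannot leave fewer dumps than intended.
mv dump.tar.gz "${DUMP_DIR}/${TARGET_TGZ}"

# Keep the newest KEEP_OLD_COUNT archives (the one just written included).
find "${DUMP_DIR}" -name "munin-data-*.tar.gz" -print0 | \
  sort -z -r | \
  tail -z -n "+$((KEEP_OLD_COUNT + 1))" | \
  xargs --null rm -f
```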
node[:network][:interfaces].each do |ifname, ifattr|
if ifattr[:encapsulation] == "Ethernet" && ifattr[:state] == "up"
- if node[:hardware] && node[:hardware][:network][ifname][:device] =~ /^virtio/
+ if node[:hardware] &&
+ node[:hardware][:network] &&
+ node[:hardware][:network][ifname][:device] =~ /^virtio/
munin_plugin_conf "if_#{ifname}" do
template "if.erb"
variables :ifname => ifname
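Review bot: The added guard checks `node[:hardware][:network]` but still indexes `[ifname]` unconditionally, so an interface present in `node[:network][:interfaces]` but absent from the hardware data raises `NoMethodError` on `nil[:device]`. Extend the chain with one more clause, `node[:hardware][:network][ifname] &&`, before the `=~ /^virtio/` test. The surrounding `if` and `each` blocks end outside the hunk.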
frontends = search(:node, "recipes:web\\:\\:frontend").reject { |n| Time.now - Time.at(n[:ohai_time]) > expiry_time }.map { |n| n[:hostname] }.sort # ~FC010
backends = search(:node, "recipes:web\\:\\:backend").reject { |n| Time.now - Time.at(n[:ohai_time]) > expiry_time }.map { |n| n[:hostname] }.sort # ~FC010
tilecaches = search(:node, "roles:tilecache").reject { |n| Time.now - Time.at(n[:ohai_time]) > expiry_time }.sort_by { |n| n[:hostname] }.map do |n|
- { :name => n[:hostname], :interface => n.interfaces(:role => :external).first[:interface] }
+ { :name => n[:hostname], :interface => n.interfaces(:role => :external).first[:interface].tr(".", "_") }
end
renderers = search(:node, "roles:tile").reject { |n| Time.now - Time.at(n[:ohai_time]) > expiry_time }.sort_by { |n| n[:hostname] }.map do |n|
- { :name => n[:hostname], :interface => n.interfaces(:role => :external).first[:interface] }
+ { :name => n[:hostname], :interface => n.interfaces(:role => :external).first[:interface].tr(".", "_") }
end
geocoders = search(:node, "roles:nominatim").reject { |n| Time.now - Time.at(n[:ohai_time]) > expiry_time }.sort_by { |n| n[:hostname] }.map do |n|
- { :name => n[:hostname], :interface => n.interfaces(:role => :external).first[:interface] }
+ { :name => n[:hostname], :interface => n.interfaces(:role => :external).first[:interface].tr(".", "_") }
end
template "/etc/munin/munin.conf" do
files_owner "root"
files_group "root"
files_mode 0o644
- purge true
+end
+
+# directory to put dumped files in
+directory "/srv/munin.openstreetmap.org/dumps" do
+ owner "www-data"
+ group "www-data"
+ mode 0o755
end
apache_site "munin.openstreetmap.org" do
mode 0o755
end
+# simple shell script to dump RRD data to a file
+cookbook_file "/usr/local/bin/rrddump" do
+ source "rrddump.sh"
+ owner "root"
+ group "root"
+ mode 0o755
+end
+
+template "/etc/cron.d/rrddump" do
+ source "rrddump.cron.erb"
+ owner "root"
+ group "root"
+ mode 0o755
+end
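Review bot: The `/etc/cron.d/rrddump` template is installed with `mode 0o755`, but a cron.d fragment is data read by cron, not an executable; the `cookbook_file` above is a script and needs `0o755`, while the other config templates in this change use `0o644`. Change it to `mode 0o644`; the executable bit is harmless to cron but signals the wrong thing to the next reader.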
+
munin_plugin "munin_stats"
munin_plugin "munin_update"
munin_plugin "munin_rrdcached"
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/static/
+ RewriteCond %{REQUEST_URI} !^/dumps/
RewriteRule ^(/.*\.html)?$ /munin-cgi/munin-cgi-html/$1 [PT]
</VirtualHost>
Require all granted
</Directory>
+<Directory /srv/munin.openstreetmap.org/dumps>
+ Options +Indexes
+</Directory>
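Review bot: The new `<Directory /srv/munin.openstreetmap.org/dumps>` block enables `+Indexes` but, unlike the neighbouring `Directory` blocks, carries no `Require` directive, so whether the listing is reachable depends on whatever the enclosing configuration grants. If the listing is meant to be public, add `Require all granted` explicitly for consistency with the other blocks; if it is not, this is the place to restrict it.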
+
<Directory /etc/munin/static>
Require all granted
</Directory>
--- /dev/null
+MAILTO=zerebubuth@gmail.com
+# do the dump & cleanup in the early hours of the morning
+43 3 * * * www-data nice /usr/local/bin/rrddump
<% end -%>
iface <%= interface[:interface] %> <%= interface[:family] %> static
- address <%= interface[:address] %>
+<% if interface[:interface] =~ /\.\d+$/ -%>
+ vlan-raw-device <%= interface[:interface].split(".").first %>
+<% end -%>
+ address <%= interface[:address] %>
<% if interface[:family] == "inet" -%>
- netmask <%= interface[:netmask] %>
+ netmask <%= interface[:netmask] %>
<% elsif interface[:family] == "inet6" -%>
- netmask <%= interface[:prefix] %>
+ netmask <%= interface[:prefix] %>
<% end -%>
<% if interface[:hwaddress] -%>
hwaddress <%= interface[:hwaddress] %>
<% end -%>
<% if interface[:gateway] -%>
<% if interface[:network].include?(interface[:gateway]) or IPAddr.new("fe80::/64").include?(interface[:gateway]) -%>
- gateway <%= interface[:gateway] %>
- metric <%= interface[:metric] %>
+ gateway <%= interface[:gateway] %>
+ metric <%= interface[:metric] %>
<% else -%>
- post-up /sbin/ip -f <%= interface[:family] %> route add <%= interface[:gateway] %> dev <%= interface[:interface] %>
- post-up /sbin/ip -f <%= interface[:family] %> route add default metric <%= interface[:metric] %> via <%= interface[:gateway] %>
- pre-down /sbin/ip -f <%= interface[:family] %> route del default metric <%= interface[:metric] %> via <%= interface[:gateway] %>
- pre-down /sbin/ip -f <%= interface[:family] %> route del <%= interface[:gateway] %> dev <%= interface[:interface] %>
+ post-up /sbin/ip -f <%= interface[:family] %> route add <%= interface[:gateway] %> dev <%= interface[:interface] %>
+ post-up /sbin/ip -f <%= interface[:family] %> route add default metric <%= interface[:metric] %> via <%= interface[:gateway] %>
+ pre-down /sbin/ip -f <%= interface[:family] %> route del default metric <%= interface[:metric] %> via <%= interface[:gateway] %>
+ pre-down /sbin/ip -f <%= interface[:family] %> route del <%= interface[:gateway] %> dev <%= interface[:interface] %>
<% end -%>
<% end -%>
<% if interface[:mtu] -%>
- mtu <%= interface[:mtu] %>
+ mtu <%= interface[:mtu] %>
<% end -%>
<% if interface[:family] == "inet6" -%>
- autoconf 0
+ autoconf 0
<% end -%>
<% if interface[:bond] -%>
bond-mode <%= interface[:bond][:mode] || "active-backup" %>
aws:osm <%= @type %>
ds:osm <%= @type %>
uz:osm <%= @type %>
+ovh:osm <%= @type %>
+ffr:osm <%= @type %>
end
service "nginx" do
- action [:enable, :start]
+ action [:enable] # Do not start the service as config may be broken from failed chef run
supports :status => true, :restart => true, :reload => true
subscribes :restart, "template[/etc/nginx/nginx.conf]"
end
# DO NOT EDIT - This file is being maintained by Chef
user www-data;
-worker_processes <%= node['cpu']['total'] %>;
+worker_processes auto;
+worker_cpu_affinity auto;
worker_rlimit_nofile 65536;
error_log /var/log/nginx/error.log warn;
-default[:piwik][:version] = "2.17.1"
+default[:piwik][:version] = "3.0.1"
default[:piwik][:plugins] = %w(
Actions API BulkTracking Contents CoreAdminHome CoreConsole CoreHome
CorePluginsAdmin CoreUpdater CoreVisualizations CustomVariables
include_recipe "tools"
blocks = data_bag_item("tile", "blocks")
+web_passwords = data_bag_item("web", "passwords")
apache_module "alias"
apache_module "cgi"
package "python-cairo"
package "python-mapnik"
+package "python-setuptools"
+
+easy_install_package "pyotp"
package "fonts-noto-cjk"
package "fonts-noto-hinted"
owner "tile"
group "tile"
mode 0o755
- variables :blocks => blocks
+ variables :blocks => blocks, :totp_key => web_passwords["totp_key"]
end
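Review bot: This template now renders `web_passwords["totp_key"]` into the generated script, yet the file keeps `mode 0o755`, which leaves the shared TOTP secret readable by every local account on the tile server; the same key is installed elsewhere in this change with `0o750` and root ownership. Tighten the mode here (e.g. `mode 0o750` with `group` set to the account the web server runs as), or have the script read the key at request time from a separate file that is not world-readable. The `template` resource's opening line is outside the hunk, so the rendered path is not visible here.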
template "/srv/tile.openstreetmap.org/cgi-bin/debug" do
execute "#{style_directory}/project.mml" do
action :nothing
- command "carto project.mml > project.xml"
+ command "carto -a 3.0.0 project.mml > project.xml"
cwd style_directory
user "tile"
group "tile"
end
end
+postgresql_version = node[:tile][:database][:cluster].split("/").first
+
package "postgis"
+package "postgresql-#{postgresql_version}-postgis-2.3"
postgresql_user "jburgess" do
cluster node[:tile][:database][:cluster]
<% end -%>
# Setup logging
- CustomLog /var/log/apache2/access.log combined
+ LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
+ CustomLog /var/log/apache2/access.log combined_with_remoteip
ErrorLog /var/log/apache2/error.log
BufferedLogs on
import cairo
import cgi
+import Cookie
import mapnik
import os
+import pyotp
+import resource
import shutil
+import signal
import sys
import tempfile
-import resource
-import signal
# Limit maximum CPU time
# The Postscript output format can sometimes take hours
print "</body>"
print "</html>"
+# Create TOTP token validator
+totp = pyotp.TOTP('<%= @totp_key %>', interval = 3600)
+
# Parse CGI parameters
form = cgi.FieldStorage()
+# Import cookies
+cookies = Cookie.SimpleCookie(os.environ.get('HTTP_COOKIE'))
+
# Make sure we have a user agent
if not os.environ.has_key('HTTP_USER_AGENT'):
os.environ['HTTP_USER_AGENT'] = 'NONE'
+# Make sure we have a referer
+if not os.environ.has_key('HTTP_REFERER'):
+ os.environ['HTTP_REFERER'] = 'NONE'
+
+# Look for TOTP token
+if cookies.has_key('_osm_totp_token'):
+ token = cookies['_osm_totp_token'].value
+else:
+ token = None
+
# Get the load average
cputimes = [float(n) for n in open("/proc/stat").readline().rstrip().split()[1:-1]]
idletime = cputimes[3] / sum(cputimes)
# Process the request
-if idletime < 0.2:
+if not totp.verify(token, valid_window = 1):
+ # Abort if the request didn't have a valid TOTP token
+ output_error("Missing or invalid token")
+elif idletime < 0.2:
# Abort if the CPU idle time on the machine is too low
output_error("The server is too busy at the moment. Please wait a few minutes before trying again.", "503 Service Unavailable")
<% @blocks["user_agents"].each do |user_agent| -%>
# Block scraper
output_error("The server is too busy at the moment. Please wait a few minutes before trying again.", "503 Service Unavailable")
<% end -%>
+<% @blocks["referers"].each do |referer| -%>
+elif os.environ['HTTP_REFERER'] == '<%= referer %>':
+ # Block scraper
+ output_error("The server is too busy at the moment. Please wait a few minutes before trying again.", "503 Service Unavailable")
+<% end -%>
elif not form.has_key("bbox"):
# No bounding box specified
output_error("No bounding box specified")
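Review bot: `Cookie.SimpleCookie(os.environ.get('HTTP_COOKIE'))` raises `Cookie.CookieError` on a malformed cookie header, which here escapes as an uncaught exception rather than going through `output_error` like every other rejection path. Parse defensively so a bad header simply yields no token and lands in the "Missing or invalid token" branch: `cookies = Cookie.SimpleCookie()`, then `try: cookies.load(os.environ.get('HTTP_COOKIE', ''))` / `except Cookie.CookieError: pass  # malformed header == no token`. The `if`/`elif` chain continues outside the hunk.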
package "xz-utils"
package "openssl"
+# oathtool for QoS token
+package "oathtool"
+
tilecaches = search(:node, "roles:tilecache").sort_by { |n| n[:hostname] }
tilerenders = search(:node, "roles:tile").sort_by { |n| n[:hostname] }
+web_passwords = data_bag_item("web", "passwords")
+
tilecaches.each do |cache|
cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address|
firewall_rule "accept-squid" do
IPAddr.new(resolver).ipv6? ? "[#{resolver}]" : resolver
end
+template "/usr/local/bin/nginx_generate_tilecache_qos_map" do
+ source "nginx_generate_tilecache_qos_map.erb"
+ owner "root"
+ group "root"
+ mode 0o750
+ variables :totp_key => web_passwords["totp_key"]
+end
+
+template "/etc/cron.d/tilecache" do
+ source "cron.erb"
+ owner "root"
+ group "root"
+ mode 0o644
+end
+
+execute "execute_nginx_generate_tilecache_qos_map" do
+ command "/usr/local/bin/nginx_generate_tilecache_qos_map"
+ creates "/etc/nginx/conf.d/tile_qos_rates.map"
+ action :run
+end
+
nginx_site "tile-ssl" do
template "nginx_tile_ssl.conf.erb"
variables :certificate => certificate, :resolvers => resolvers, :caches => tilecaches
--- /dev/null
+# DO NOT EDIT - This file is being maintained by Chef
+
+0 * * * * root /usr/local/bin/nginx_generate_tilecache_qos_map
--- /dev/null
+#!/bin/bash
+# DO NOT EDIT - This file is being maintained by Chef
+set -e
+
+NUM_TOKENS=4 # current + 4
+VALID_TOKEN=3600 # in seconds
+
+SECONDS_AGO=$((${NUM_TOKENS} * ${VALID_TOKEN}))
+OLD_TIME=$(/bin/date -u "+%Y-%m-%dT %H:%M:%S %z" -d "${SECONDS_AGO} seconds ago")
+QOS_TOKENS=($(/usr/bin/oathtool --totp --now="${OLD_TIME}" --window=${NUM_TOKENS} --time-step-size=${VALID_TOKEN}s -b "<%= @totp_key %>"))
+
+# ${qos_tokens[4]/[-1] } = OSM.org exclusive / current
+# ${qos_tokens[3]/[-2] } = OSM.org exclusive / stale
+# ${qos_tokens[2]/[-3] } = tile.openstreetmap.org default
+# ${qos_tokens[1]/[-4] } = stale ~ 1 hour
+# ${qos_tokens[0]} = expired
+
+# Test if number of tokens returned by oathtool is expected number
+if [ "${#QOS_TOKENS[@]}" -ne "$((${NUM_TOKENS}+1))" ]; then
+ >&2 echo "ERROR: Unexpected number of tokens"
+ exit 1
+fi
+
+QOS_TOKEN_OSM=${QOS_TOKENS[-1]} # Cookie set by openstreetmap.org
+QOS_TOKEN_OSM_STALE=${QOS_TOKENS[-2]} # Cookie set by openstreetmap.org stale
+QOS_TOKEN_DEFAULT=${QOS_TOKENS[-3]} # Cookie presented by tile.openstreetmap.org to browsers
+QOS_TOKEN_STALE=${QOS_TOKENS[-4]} # Cookie which has become stale and will be replaced
+
+if [ -z "$QOS_TOKEN_OSM" -o -z "$QOS_TOKEN_DEFAULT" -o -z "$QOS_TOKEN_STALE" ]; then
+ >&2 echo "ERROR: Unexpected blank token"
+ exit 2
+fi
+
+cat <<EOF >/etc/nginx/conf.d/tile_qos_rates.map
+default 24576; # Default Rate (No QoS cookie)
+"${QOS_TOKEN_STALE}" 24576; # Stale
+"${QOS_TOKEN_DEFAULT}" 24576; # Default
+"${QOS_TOKEN_OSM_STALE}" 32768; # Exclusive Stale
+"${QOS_TOKEN_OSM}" 32768; # Exclusive
+EOF
+
+cat <<EOF >/etc/nginx/conf.d/tile_qos_cookies.map
+default 'qos_token=${QOS_TOKEN_DEFAULT}; Max-Age=${VALID_TOKEN}; Domain=openstreetmap.org; Path=/'; # Cookie Domain per RFC6265
+"${QOS_TOKEN_DEFAULT}" ''; # Do not Set-Cookie. # Default
+"${QOS_TOKEN_OSM_STALE}" ''; # Do not Set-Cookie. # Exclusive Stale
+"${QOS_TOKEN_OSM}" ''; # Do not Set-Cookie. # Exclusive
+EOF
+
+# Check config, reload config and fail safe
+/etc/init.d/nginx configtest 2>/dev/null && /bin/systemctl try-reload-or-restart nginx
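Review bot: The blank-token check on the `if [ -z ... ]` line covers `QOS_TOKEN_OSM`, `QOS_TOKEN_DEFAULT` and `QOS_TOKEN_STALE` but not `QOS_TOKEN_OSM_STALE`, which is still written as a key into both map files; add `-o -z "$QOS_TOKEN_OSM_STALE"` (or switch to `[[ ... || ... ]]`, since `-o` is obsolescent) so an empty value cannot produce an empty-string map key. The final line discards `configtest`'s stderr, so when validation fails the script exits non-zero from cron with no explanation; drop the `2>/dev/null` or print a message on the failing branch. The two map files are also overwritten in place before the configuration is validated, so a bad render is already on disk for the next reload; writing each to a temporary file and `mv`-ing it into place after `configtest` passes would keep the last-good maps intact.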
+# DO NOT EDIT - This file is being maintained by Chef
+
upstream tile_cache_backend {
server 127.0.0.1;
<% @caches.each do |cache| -%>
keepalive 32;
}
+# Rates table based on current cookie value
+map $cookie_qos_token $limit_rate_qos {
+ include /etc/nginx/conf.d/tile_qos_rates.map;
+}
+
+# Set-Cookie table based on current cookie value
+map $cookie_qos_token $cookie_qos_token_set {
+ include /etc/nginx/conf.d/tile_qos_cookies.map;
+}
+
+map $http_user_agent $approved_scraper {
+ default ''; # Not approved
+ '~^JOSM\/' 'JOSM';
+ '~^Mozilla\/5\.0\ QGIS\/' 'QGIS';
+}
+
+# Limit Cache-Control header to only approved User-Agents
+map $http_user_agent $limit_http_cache_control {
+ default ''; # Unset Header
+ '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header
+ '~^Mozilla\/5\.0\ ' $http_cache_control; # Pass Header
+}
+
+# Limit Pragma header to only approved User-Agents
+map $http_user_agent $limit_http_pragma {
+ default ''; # Unset Header
+ '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header
+ '~^Mozilla\/5\.0\ ' $http_pragma; # Pass Header
+}
+
server {
- listen 443 ssl http2 default_server;
+ listen 443 ssl fastopen=2048 http2 default_server;
server_name localhost;
proxy_buffers 8 64k;
ssl_stapling on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
resolver <%= @resolvers.join(" ") %>;
+ resolver_timeout 5s;
location / {
proxy_pass http://tile_cache_backend;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_http_version 1.1;
- proxy_set_header Connection "";
+ proxy_set_header Connection '';
+
+ proxy_connect_timeout 5s;
+
+ # Do not pass cookies to backends.
+ proxy_set_header Cookie '';
+ # Do not pass Accept-Encoding to backends.
+ proxy_set_header Accept-Encoding '';
+
+ # Do not allow setting cookies from backends due to caching.
+ proxy_ignore_headers Set-Cookie;
+ proxy_hide_header Set-Cookie;
+
+ # Set a QoS cookie if none presented (uses nginx Map)
+ add_header Set-Cookie $cookie_qos_token_set;
+
+ # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html
+ set $limit_rate $limit_rate_qos;
+
+ # Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map)
+ if ($approved_scraper) {
+ set $limit_rate 32768;
+ }
+
+ # Strip any ?query parameters from urls
+ set $args '';
- # Slow traffic slightly
- limit_rate 24576;
+ # Allow cache purging headers only from select User-Agents (uses nginx Map)
+ proxy_set_header Cache-Control $limit_http_cache_control;
+ proxy_set_header Pragma $limit_http_pragma;
}
}
acl osmtileScrapers browser ^MOBAC
acl osmtileScrapers browser ^JTileDownloader
acl osmtileScrapers browser ^Apache\-HttpClient
+acl osmtileScrapers browser ^Go-http-client\/
acl osmtileScrapers browser ^Opera\/10\.00
acl osmtileScrapers browser ^shipxy01
#acl osmtileScrapers browser ^OsmAnd #Victor + Email. Whitelist for 1 week
acl osmtileScrapers browser Firefox\/11\.0
acl osmtileScrapers browser Firefox\/12\.0
acl osmtileScrapers browser Firefox\/13\.0
-
+
acl is_fake_browser browser Firefox\/3\.0
acl is_fake_browser browser Firefox\/4\.0
acl is_fake_browser browser Firefox\/5\.0
line.gsub!(/^( *)#github_auth_secret:.*$/, "\\1github_auth_secret: \"#{params[:github_auth_secret]}\"")
end
+ if params[:wikipedia_auth_id]
+ line.gsub!(/^( *)#wikipedia_auth_id:.*$/, "\\1wikipedia_auth_id: \"#{params[:wikipedia_auth_id]}\"")
+ line.gsub!(/^( *)#wikipedia_auth_secret:.*$/, "\\1wikipedia_auth_secret: \"#{params[:wikipedia_auth_secret]}\"")
+ end
+
if params[:mapquest_key]
line.gsub!(/^( *)#mapquest_key:.*$/, "\\1mapquest_key: \"#{params[:mapquest_key]}\"")
end
line.gsub!(/^( *)#thunderforest_key:.*$/, "\\1thunderforest_key: \"#{params[:thunderforest_key]}\"")
end
+ if params[:totp_key]
+ line.gsub!(/^( *)#totp_key:.*$/, "\\1totp_key: \"#{params[:totp_key]}\"")
+ end
+
line.gsub!(/^( *)require_terms_seen:.*$/, "\\1require_terms_seen: true")
line.gsub!(/^( *)require_terms_agreed:.*$/, "\\1require_terms_agreed: true")
cwd "#{rails_directory}/lib/quad_tile"
user rails_user
group rails_group
- not_if { File.exist?("#{rails_directory}/lib/quad_tile/Makefile") && File.mtime("#{rails_directory}/lib/quad_tile/Makefile") >= File.mtime("#{rails_directory}/lib/quad_tile/extconf.rb") }
+ not_if do
+ File.exist?("#{rails_directory}/lib/quad_tile/quad_tile_so.so") &&
+ File.mtime("#{rails_directory}/lib/quad_tile/quad_tile_so.so") >= File.mtime("#{rails_directory}/lib/quad_tile/extconf.rb") &&
+ File.mtime("#{rails_directory}/lib/quad_tile/quad_tile_so.so") >= File.mtime("#{rails_directory}/lib/quad_tile/quad_tile.c") &&
+ File.mtime("#{rails_directory}/lib/quad_tile/quad_tile_so.so") >= File.mtime("#{rails_directory}/lib/quad_tile/quad_tile.h")
+ end
+ notifies :run, "execute[#{rails_directory}/lib/quad_tile/Makefile]"
end
execute "#{rails_directory}/lib/quad_tile/Makefile" do
+ action :nothing
command "make"
cwd "#{rails_directory}/lib/quad_tile"
user rails_user
group rails_group
- not_if do
- File.exist?("#{rails_directory}/lib/quad_tile/quad_tile_so.so") &&
- File.mtime("#{rails_directory}/lib/quad_tile/quad_tile_so.so") >= File.mtime("#{rails_directory}/lib/quad_tile/Makefile") &&
- File.mtime("#{rails_directory}/lib/quad_tile/quad_tile_so.so") >= File.mtime("#{rails_directory}/lib/quad_tile/quad_tile.c") &&
- File.mtime("#{rails_directory}/lib/quad_tile/quad_tile_so.so") >= File.mtime("#{rails_directory}/lib/quad_tile/quad_tile.h")
- end
notifies :run, "execute[#{rails_directory}]"
end
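Review bot: The new `not_if` block spells out `"#{rails_directory}/lib/quad_tile/quad_tile_so.so"` four times and each source path once; hoisting the shared-object path into a local, e.g. `quad_tile_so = "#{rails_directory}/lib/quad_tile/quad_tile_so.so"` above the resource and comparing `File.mtime(quad_tile_so)` against each source, would make the freshness rule readable at a glance. The logic itself reads correctly: the extconf step is skipped only when the built library is newer than all three sources, and the Makefile step now runs solely on notification. The first `execute` resource's opening line and `command` are outside the hunk.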
windowslive_auth_secret web_passwords["windowslive_auth_secret"]
github_auth_id "acf7da34edee99e35499"
github_auth_secret web_passwords["github_auth_secret"]
+ wikipedia_auth_id "e4fe0c2c5855d23ed7e1f1c0fa1f1c58"
+ wikipedia_auth_secret web_passwords["wikipedia_auth_secret"]
mapzen_valhalla_key web_passwords["mapzen_valhalla_key"]
thunderforest_key web_passwords["thunderforest_key"]
+ totp_key web_passwords["totp_key"]
end
package "libjson-xs-perl"
# Basic server configuration
#
ServerName <%= node[:fqdn] %>
- ServerAlias api.openstreetmap.org www.openstreetmap.org
+ ServerAlias api.openstreetmap.org www.openstreetmap.org 127.0.0.1
ServerAdmin webmaster@openstreetmap.org
<% if port == 443 -%>
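Review bot: Listing the bare loopback address as a `ServerAlias` is unusual enough that it needs a comment, or someone will later "clean it up"; presumably it lets local probes (a health check or a same-host proxy sending `Host: 127.0.0.1`) reach the site vhost, but the hunk does not say. Suggest `# 127.0.0.1 lets loopback requests with no hostname reach this vhost (local health checks)` above the line, adjusted to the real reason. Whether a `Host: 127.0.0.1` request actually lands here depends on this vhost being defined before any catch-all on the same port, which is outside this hunk.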
</VirtualHost>
<% end -%>
+<VirtualHost *:80>
+ ServerName openstreetmap.org.uk
+ ServerAlias www.openstreetmap.org.uk
+ ServerAlias openstreetmap.co.uk
+ ServerAlias www.openstreetmap.co.uk
+
+ RedirectPermanent /events.ics http://calendar.openstreetmap.org.uk/events.ics
+ RedirectPermanent / http://www.openstreetmap.org/
+</VirtualHost>
+
<VirtualHost *:80>
ServerName openstreetmap.org
- ServerAlias maps.openstreetmap.org mapz.openstreetmap.org
- ServerAlias openstreetmap.com www.openstreetmap.com
- ServerAlias maps.openstreetmap.com mapz.openstreetmap.com
- ServerAlias openstreetmap.net www.openstreetmap.net
- ServerAlias maps.openstreetmap.net mapz.openstreetmap.net
- ServerAlias openstreetmap.ca www.openstreetmap.ca
- ServerAlias maps.openstreetmap.ca mapz.openstreetmap.ca
- ServerAlias openstreetmap.eu www.openstreetmap.eu
- ServerAlias maps.openstreetmap.eu mapz.openstreetmap.eu
- ServerAlias openstreetmap.pro www.openstreetmap.pro
- ServerAlias maps.openstreetmap.pro mapz.openstreetmap.pro
- ServerAlias openstreetmaps.org www.openstreetmaps.org
- ServerAlias maps.openstreetmaps.org mapz.openstreetmaps.org
- ServerAlias osm.org www.osm.org
- ServerAlias maps.osm.org mapz.osm.org
- ServerAlias openmaps.org www.openmaps.org
- ServerAlias maps.openmaps.org mapz.openmaps.org
- ServerAlias openstreetmap.io www.openstreetmap.io
- ServerAlias maps.openstreetmap.io mapz.openstreetmap.io
- ServerAlias osm.io www.osm.io
- ServerAlias maps.osm.io mapz.osm.io
- ServerAlias openworldmap.org www.openworldmap.org
- ServerAlias maps.openworldmap.org mapz.openworldmap.org
- ServerAlias freeosm.org www.freeosm.org
- ServerAlias maps.freeosm.org mapz.freeosm.org
- ServerAlias open-maps.org www.open-maps.org
- ServerAlias maps.open-maps.org mapz.open-maps.org
- ServerAlias open-maps.com www.open-maps.com
- ServerAlias maps.open-maps.com mapz.open-maps.com
- ServerAlias osmbugs.org www.osmbugs.org
- ServerAlias maps.osmbugs.org mapz.osmbugs.org
-
- #Third Party Sites
- ServerAlias openstreetmap.pm www.openstreetmap.pm
+ ServerAlias *
RedirectPermanent / http://www.openstreetmap.org/
</VirtualHost>
<VirtualHost *:443>
ServerName openstreetmap.org
- ServerAlias maps.openstreetmap.org mapz.openstreetmap.org
+ ServerAlias *
SSLEngine on
RedirectPermanent / https://www.openstreetmap.org/
</VirtualHost>
-<VirtualHost *:80>
- ServerName openstreetmap.org.uk
- ServerAlias www.openstreetmap.org.uk
- ServerAlias openstreetmap.co.uk
- ServerAlias www.openstreetmap.co.uk
-
- RedirectPermanent /events.ics http://calendar.openstreetmap.org.uk/events.ics
- RedirectPermanent / http://www.openstreetmap.org/
-</VirtualHost>
-
<Directory <%= node[:web][:base_directory] %>/rails/public>
Require all granted
</Directory>
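Review bot: `ServerAlias *` turns the openstreetmap.org redirect vhosts on :80 and :443 into catch-alls, and Apache selects name-based vhosts by first match in configuration order, so any named vhost added after these blocks on the same address:port will never be selected; that is presumably why the openstreetmap.org.uk block was moved above them, but nothing in the template records the constraint. Suggest a comment on each catch-all vhost, e.g. `# Catch-all for unrecognised hostnames: keep this after every named vhost on this port`. Because the redirect target is fixed to www.openstreetmap.org the wildcard does not create an open redirect, but a request with an arbitrary Host header now gets this 301 instead of whichever vhost is first on the port, and the certificate the :443 catch-all presents for those stray names is configured outside this hunk and should be checked.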
+++ /dev/null
-name "ascalon"
-description "Master role applied to ascalon"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "eth0",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.18"
- },
- :external_ipv4 => {
- :interface => "eth1",
- :role => :external,
- :family => :inet,
- :address => "128.40.45.193"
- }
- }
- },
- :accounts => {
- :users => {
- :emacsen => { :status => :administrator }
- }
- }
-)
-
-run_list(
- "role[ucl-wolfson]",
- "role[hp-g5]",
- "role[roundup]"
-)
:gid => "osmbackup",
:transfer_logging => false,
:hosts_allow => [
- "128.40.168.0/24", # ucl external (wates)
- "128.40.45.192/27", # ucl external (wolfson)
+ "193.60.236.0/24", # ucl external
"146.179.159.160/27", # ic internal
"193.63.75.96/27", # ic external
"2001:630:12:500::/64", # ic external
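Review bot: The allow list widens from a /27 plus a /24 to the whole `193.60.236.0/24`; that matches the prefix of 24 the new `role[ucl]` networking settings use for the external address, but `hosts_allow` is a source-IP check only, so if the /24 is shared with other UCL tenants every one of them can reach this rsync module. If the OSM allocation is narrower than the full /24, tighten it; either way record the reasoning in the comment, e.g. `"193.60.236.0/24", # ucl external (whole OSM external range)`. The enclosing rsync module definition starts and ends outside the hunk.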
description "Master role applied to clifford"
default_attributes(
+ :exim => {
+ :rewrites => [
+ {
+ :pattern => "www-data@openstreetmap.org",
+ :replacement => "forum@noreply.openstreetmap.org",
+ :flags => "F"
+ }
+ ]
+ },
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "enp2s0f0",
+ :interface => "enp2s0f0.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.17"
},
:external_ipv4 => {
- :interface => "enp2s0f1",
+ :interface => "enp2s0f0.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.194"
+ :address => "193.60.236.11"
}
}
}
)
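Review bot: In Exim's rewrite flags upper-case `F` rewrites only the envelope sender (return path); the visible `From:` header is the lower-case `f` flag, so with `:flags => "F"` forum mail still shows `www-data@openstreetmap.org` as the sender while bounces go to the noreply address. If the intent is only to redirect bounces this is correct and deserves a comment such as `# envelope sender only: bounces go to noreply, From: header is untouched`; if the displayed sender should change as well, use `:flags => "Ff"`. The attribute block continues outside the hunk.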
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[hp-dl360-g6]",
"role[forum]"
)
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "eth0",
+ :interface => "eth0.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.11"
},
:external_ipv4 => {
- :interface => "eth1",
+ :interface => "eth0.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.195"
+ :address => "193.60.236.12"
}
}
},
)
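Review bot: Both the internal (10.0.0.11) and external (193.60.236.12) addresses now sit on tagged sub-interfaces of one NIC (`eth0.2801`, `eth0.2800`), which I read as 802.1Q VLAN interfaces, so the separation between the two networks now rests on the switch port passing only those two tags. The untagged parent `eth0` should not get an address or reach a native VLAN, and any firewall rules keyed on the old `eth0`/`eth1` names need the sub-interface names; both are configured outside this hunk. A one-line comment on the interfaces, e.g. `# VLAN 2801 = internal, 2800 = external, both tagged on eth0`, would spare the next reader the guess.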
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[hp-g5]"
)
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "eth0",
+ :interface => "eth0.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.14"
},
:external_ipv4 => {
- :interface => "eth1",
+ :interface => "eth0.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.196"
+ :address => "193.60.236.13"
}
}
}
)
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[tyan-s7010]",
"role[dev]"
)
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "eth0",
+ :interface => "eth0.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.9"
},
:external_ipv4 => {
- :interface => "eth1",
+ :interface => "eth0.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.197"
+ :address => "193.60.236.14"
}
}
}
)
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[hp-dl360-g6]",
"role[piwik]"
)
+++ /dev/null
-name "fafnir"
-description "Master role applied to fafnir"
-
-default_attributes(
- :db => {
- :cluster => "9.1/main"
- },
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "eth0",
- :role => :internal,
- :family => :inet,
- :address => "172.31.10.210",
- :hwaddress => "02:c1:c5:8b:5f:1d"
- },
- :external_ipv4 => {
- :role => :external,
- :family => :inet,
- :address => "52.50.86.69"
- }
- }
- },
- :openvpn => {
- :address => "10.0.16.4",
- :tunnels => {
- :aws2ic => {
- :port => "1194",
- :mode => "client",
- :peer => {
- :host => "ironbelly.openstreetmap.org",
- :port => "1195"
- }
- },
- :aws2bm => {
- :port => "1195",
- :mode => "client",
- :peer => {
- :host => "grisu.openstreetmap.org",
- :port => "1195"
- }
- }
- }
- },
- :postgresql => {
- :settings => {
- :defaults => {
- :shared_buffers => "64GB",
- :work_mem => "64MB",
- :maintenance_work_mem => "1GB",
- :effective_cache_size => "180GB"
- }
- }
- },
- :sysctl => {
- :postgres => {
- :comment => "Increase shared memory for postgres",
- :parameters => {
- "kernel.shmmax" => 66 * 1024 * 1024 * 1024,
- "kernel.shmall" => 66 * 1024 * 1024 * 1024 / 4096
- }
- }
- }
-)
-
-run_list(
- "role[aws]",
- "role[db-slave]",
- "recipe[openvpn]"
-)
--- /dev/null
+name "ffrl"
+description "Role applied to all servers at Freifunk Rheinland"
+
+default_attributes(
+ :hosted_by => "Freifunk Rheinland",
+ :location => "Berlin, Germany",
+ :networking => {
+ :nameservers => [
+ "8.8.8.8",
+ "8.8.4.4"
+ ],
+ :roles => {
+ :external => {
+ :zone => "ffr"
+ }
+ }
+ }
+)
+
+override_attributes(
+ :ntp => {
+ :servers => ["0.de.pool.ntp.org", "1.de.pool.ntp.org", "europe.pool.ntp.org"]
+ }
+)
+
+run_list(
+ "role[de]"
+)
:keepalive => false
},
:apt => {
- :sources => ["passenger"]
+ :sources => ["passenger", "brightbox-ruby-ng"]
},
:elasticsearch => {
:cluster => {
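Review bot: Adding `brightbox-ruby-ng` pulls Ruby and its dependencies from a third-party PPA, which extends the supply chain of everything on this host to that key holder; make sure the apt cookbook (outside this hunk) pins the repository's signing key explicitly rather than fetching it by ID from a keyserver, and consider apt pinning so the PPA can only supply the Ruby packages it is meant to. A short comment on the entry, e.g. `"brightbox-ruby-ng" # newer Ruby than the distribution ships`, would document why it is needed.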
"role[elasticsearch]",
"recipe[foundation::wiki]",
"recipe[foundation::board]",
- "recipe[foundation::dwg]"
+ "recipe[foundation::dwg]",
+ "recipe[foundation::owg]"
)
:interface => "eth1",
:role => :external,
:family => :inet,
- :address => "130.193.62.73",
- :prefix => "29",
- :gateway => "130.193.62.78"
+ :address => "5.45.248.21",
+ :prefix => "30",
+ :gateway => "5.45.248.22"
},
:external_ipv6 => {
:interface => "eth1",
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "em1",
+ :interface => "em1.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.19"
},
:external_ipv4 => {
- :interface => "em2",
+ :interface => "em1.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.199"
+ :address => "193.60.236.15"
}
}
}
)
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[hp-dl360-g6]",
"role[taginfo]"
)
:gid => "www-data",
:transfer_logging => false,
:hosts_allow => [
- "128.40.168.0/24", # ucl external (wates)
- "128.40.45.192/27", # ucl external (wolfson)
+ "193.60.236.0/24", # ucl external
"146.179.159.160/27", # ic internal
"193.63.75.96/27", # ic external
"2001:630:12:500::/64", # ic external
--- /dev/null
+name "kalessin"
+description "Master role applied to kalessin"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :external_ipv4 => {
+ :interface => "ens3",
+ :role => :external,
+ :family => :inet,
+ :address => "185.66.195.245",
+ :prefix => "28",
+ :gateway => "185.66.195.241"
+ },
+ :external_ipv6 => {
+ :interface => "ens3",
+ :role => :external,
+ :family => :inet6,
+ :address => "2a03:2260:2000:1::5",
+ :prefix => "64",
+ :gateway => "2a03:2260:2000:1::1"
+ }
+ }
+ },
+ :squid => {
+ :cache_mem => "12500 MB",
+ :cache_dir => "coss /store/squid/coss-01 128000 block-size=8192 max-size=262144 membufs=80"
+ },
+ :tilecache => {
+ :tile_parent => "germany.render.openstreetmap.org",
+ :tile_siblings => [
+ "konqi.openstreetmap.org",
+ "trogdor.openstreetmap.org",
+ "nepomuk.openstreetmap.org",
+ "ridgeback.openstreetmap.org",
+ "gorynych.openstreetmap.org",
+ "simurgh.openstreetmap.org"
+ ]
+ }
+)
+
+run_list(
+ "role[ffrl]",
+ "role[geodns]",
+ "role[tilecache]"
+)
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "eth0",
+ :interface => "eth0.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.13"
},
:external_ipv4 => {
- :interface => "eth1",
+ :interface => "eth0.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.201"
+ :address => "193.60.236.16"
}
}
}
)
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[hp-dl360-g6]",
"role[gps-tile]"
)
+++ /dev/null
-name "norbert"
-description "Master role applied to norbert"
-
-default_attributes(
- :accounts => {
- :users => {
- :yellowbkpk => { :status => :administrator },
- :pnorman => { :status => :user }
- }
- },
- :exim => {
- :aliases => {
- :root => "yellowbkpk"
- }
- },
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "eth0",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.5"
- },
- :external_ipv4 => {
- :interface => "eth1",
- :role => :external,
- :family => :inet,
- :address => "128.40.45.202"
- }
- }
- },
- :sysfs => {
- :hdd_tune => {
- :comment => "Tune the queue for improved performance",
- :parameters => {
- "block/cciss\!c0d0/queue/nr_requests" => "512",
- "block/cciss\!c0d1/queue/nr_requests" => "512",
- "block/cciss\!c0d0/queue/scheduler" => "noop",
- "block/cciss\!c0d1/queue/scheduler" => "noop",
- "block/sda/queue/nr_requests" => "512",
- "block/sda/queue/scheduler" => "deadline"
- }
- }
- }
-)
-
-run_list(
- "role[ucl-wolfson]",
- "role[hp-g5]"
-)
:inet => {
:prefix => "28",
:gateway => "140.211.167.97"
+ },
+ :inet6 => {
+ :prefix => "64",
+ :gateway => "2605:bc80:3010:700::1"
}
}
}
--- /dev/null
+name "ovh"
+description "Role applied to all servers at OVH"
+
+default_attributes(
+ :hosted_by => "OVH",
+ :location => "Roubaix, France",
+ :networking => {
+ :nameservers => [
+ "213.186.33.99"
+ ],
+ :roles => {
+ :external => {
+ :zone => "ovh"
+ }
+ }
+ }
+)
+
+override_attributes(
+ :ntp => {
+ :servers => ["0.fr.pool.ntp.org", "1.fr.pool.ntp.org", "europe.pool.ntp.org"]
+ }
+)
+
+run_list(
+ "role[fr]"
+)
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "em1",
+ :interface => "em1.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.20"
},
:external_ipv4 => {
- :interface => "em2",
+ :interface => "em1.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.204"
+ :address => "193.60.236.18"
}
}
},
)
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[nominatim]"
)
:networking => {
:interfaces => {
:external_ipv4 => {
- :interface => "eth0",
+ :interface => "eth0.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.205"
+ :address => "193.60.236.19"
},
:internal_ipv4 => {
- :interface => "eth1",
+ :interface => "eth0.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.3"
)
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[hp-dl360-g6]",
"role[gateway]",
"role[foundation]",
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "eth0",
+ :interface => "eth0.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.12"
},
:external_ipv4 => {
- :interface => "eth1",
+ :interface => "eth0.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.206"
+ :address => "193.60.236.20"
}
}
}
)
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[hp-g5]",
"role[yournavigation]"
)
--- /dev/null
+name "scorch"
+description "Master role applied to scorch"
+
+default_attributes(
+ :apt => {
+ :sources => ["postgresql"]
+ },
+ :devices => {
+ :ssd_system => {
+ :comment => "Tune scheduler for system disk",
+ :type => "block",
+ :bus => "scsi",
+ :serial => "3600605b009bbf5601fc3206407a43546",
+ :attrs => {
+ "queue/scheduler" => "noop",
+ "queue/nr_requests" => "256",
+ "queue/read_ahead_kb" => "2048"
+ }
+ },
+ :ssd_database => {
+ :comment => "Tune scheduler for database disk",
+ :type => "block",
+ :bus => "scsi",
+ :serial => "3600605b009bbf5601fd931c6dfac767f",
+ :attrs => {
+ "queue/scheduler" => "noop",
+ "queue/nr_requests" => "256",
+ "queue/read_ahead_kb" => "2048"
+ }
+ }
+ },
+ :networking => {
+ :interfaces => {
+ :external_ipv4 => {
+ :interface => "eth0",
+ :role => :external,
+ :family => :inet,
+ :address => "176.31.235.79",
+ :prefix => "24",
+ :gateway => "176.31.235.254"
+ },
+ :external_ipv6 => {
+ :interface => "eth0",
+ :role => :external,
+ :family => :inet6,
+ :address => "2001:41d0:2:fc4f::1",
+ :prefix => "64",
+ :gateway => "2001:41d0:2:fcff:ff:ff:ff:ff"
+ }
+ }
+ },
+ :postgresql => {
+ :versions => ["9.5"],
+ :settings => {
+ :defaults => {
+ :shared_buffers => "8GB",
+ :maintenance_work_mem => "7144MB",
+ :effective_cache_size => "16GB"
+ }
+ }
+ },
+ :sysctl => {
+ :postgres => {
+ :comment => "Increase shared memory for postgres",
+ :parameters => {
+ "kernel.shmmax" => 9 * 1024 * 1024 * 1024,
+ "kernel.shmall" => 9 * 1024 * 1024 * 1024 / 4096
+ }
+ }
+ },
+ :tile => {
+ :database => {
+ :cluster => "9.5/main"
+ },
+ :node_file => "/store/database/nodes",
+ :styles => {
+ :default => {
+ :tile_directories => [
+ { :name => "/store/tiles/default", :min_zoom => 0, :max_zoom => 19 }
+ ]
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ovh]",
+ "role[tile]"
+)
:role => :external,
:family => :inet,
:address => "140.211.167.104"
+ },
+ :external_ipv6 => {
+ :interface => "em1",
+ :role => :external,
+ :family => :inet6,
+ :address => "2605:bc80:3010:700::8cde:a768"
}
}
}
:role => :external,
:family => :inet,
:address => "140.211.167.105"
+ },
+ :external_ipv6 => {
+ :interface => "em1",
+ :role => :external,
+ :family => :inet6,
+ :address => "2605:bc80:3010:700::8cde:a769"
}
}
},
-name "idris"
-description "Master role applied to idris"
+name "tiamat-00"
+description "Master role applied to tiamat-00"
default_attributes(
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "eth0",
+ :interface => "enp1s0.2801",
:role => :internal,
:family => :inet,
- :address => "10.0.0.4"
+ :address => "10.0.0.40"
},
:external_ipv4 => {
- :interface => "eth1",
+ :interface => "enp1s0.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.200"
+ :address => "193.60.236.40"
}
}
}
)
run_list(
- "role[ucl-wolfson]",
- "role[hp-g5]"
+ "role[ucl]"
)
--- /dev/null
+name "tiamat-01"
+description "Master role applied to tiamat-01"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.41"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.41"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
--- /dev/null
+name "tiamat-02"
+description "Master role applied to tiamat-02"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.42"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.42"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
--- /dev/null
+name "tiamat-03"
+description "Master role applied to tiamat-03"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.43"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.43"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
--- /dev/null
+name "tiamat-10"
+description "Master role applied to tiamat-10"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.44"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.44"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
--- /dev/null
+name "tiamat-11"
+description "Master role applied to tiamat-11"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.45"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.45"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
--- /dev/null
+name "tiamat-12"
+description "Master role applied to tiamat-12"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.46"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.46"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
--- /dev/null
+name "tiamat-13"
+description "Master role applied to tiamat-13"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.47"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.47"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
--- /dev/null
+name "tiamat-20"
+description "Master role applied to tiamat-20"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.48"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.48"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
--- /dev/null
+name "tiamat-21"
+description "Master role applied to tiamat-21"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.49"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.49"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
--- /dev/null
+name "tiamat-22"
+description "Master role applied to tiamat-22"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.50"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.50"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
--- /dev/null
+name "tiamat-23"
+description "Master role applied to tiamat-23"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.51"
+ },
+ :external_ipv4 => {
+ :interface => "enp1s0.2800",
+ :role => :external,
+ :family => :inet,
+ :address => "193.60.236.51"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
:server_limit => 60,
:max_request_workers => 1200,
:threads_per_child => 20,
- :min_spare_threads => 30,
- :max_spare_threads => 540,
- :max_connections_per_child => 100000,
+ :min_spare_threads => 300,
+ :max_spare_threads => 1200,
+ :max_connections_per_child => 0,
:async_request_worker_factor => 4
}
},
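Review bot: `:max_connections_per_child => 0` disables worker recycling, and with `:max_spare_threads => 1200` equal to `:max_request_workers` Apache will never reap idle children either, so every worker process now lives until the next service restart; that removes the periodic cleanup that bounded any per-process leak in loaded modules. If this is deliberate to avoid fork churn, record it inline, e.g. `:max_connections_per_child => 0, # never recycle workers: leaks are no longer bounded, watch RSS`. The enclosing apache attribute block starts outside the hunk.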
:styles => {
:default => {
:repository => "git://github.com/gravitystorm/openstreetmap-carto.git",
- :revision => "v2.44.1",
+ :revision => "v3.0.1",
:max_zoom => 19
}
}
:apt => {
:sources => ["nginx"]
},
+ :munin => {
+ :plugins => {
+ :cpu => {
+ :user => { :warning => 200, :critical => 400 }
+ }
+ }
+ },
:sysctl => {
:network_conntrack_time_wait => {
:comment => "Only track completed connections for 30 seconds",
"net.netfilter.nf_conntrack_max" => "131072"
}
},
+ :kernel_tfo_listen_enable => {
+ :comment => "Enable TCP Fast Open for listening sockets",
+ :parameters => {
+ "net.ipv4.tcp_fastopen" => 3
+ }
+ },
:squid_swappiness => {
:comment => "Prefer not to swapout to free memory",
:parameters => {
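Review bot: `net.ipv4.tcp_fastopen = 3` enables TCP Fast Open for both outgoing connections (bit 1) and listening sockets (bit 2), so the comment "for listening sockets" understates it: the host will also put data in the SYN of its own outbound connections to tile parents and siblings. If only the server side is wanted set `"net.ipv4.tcp_fastopen" => 2`; otherwise change the comment to `"Enable TCP Fast Open for client and server sockets"`. nginx only uses server-side TFO when its `listen` directive carries `fastopen=N`, which is outside this hunk, and the default cookie-validated mode (no 0x200 bit) is the right one to keep.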
+++ /dev/null
-name "ucl-wates"
-description "Role applied to all servers at UCL which are in Wates House"
-
-default_attributes(
- :networking => {
- :roles => {
- :internal => {
- :inet => {
- :prefix => "20",
- :gateway => "10.0.0.3"
- }
- },
- :external => {
- :zone => "ucl",
- :inet => {
- :prefix => "24",
- :gateway => "128.40.168.126"
- }
- }
- }
- },
- :sysctl => {
- :sack => {
- :comment => "Disable SACK as the UCL firewall breaks it",
- :parameters => {
- "net.ipv4.tcp_sack" => "0"
- }
- }
- }
-)
-
-override_attributes(
- :networking => {
- :nameservers => ["10.0.0.3", "8.8.8.8", "8.8.4.4"],
- :search => ["ucl.openstreetmap.org", "openstreetmap.org"]
- }
-)
-
-run_list(
- "role[ucl]"
-)
+++ /dev/null
-name "ucl-wolfson"
-description "Role applied to all servers at UCL which are in Wolfson House"
-
-default_attributes(
- :networking => {
- :roles => {
- :internal => {
- :inet => {
- :prefix => "20",
- :gateway => "10.0.0.3"
- }
- },
- :external => {
- :zone => "ucl",
- :inet => {
- :prefix => "27",
- :gateway => "128.40.45.222"
- }
- }
- }
- }
-)
-
-override_attributes(
- :networking => {
- :nameservers => ["10.0.0.3", "8.8.8.8", "8.8.4.4"],
- :search => ["ucl.openstreetmap.org", "openstreetmap.org"]
- }
-)
-
-run_list(
- "role[ucl]"
-)
description "Role applied to all servers at UCL"
default_attributes(
- :bind => {
- :forwarders => ["144.82.100.1", "144.82.100.41"]
- },
- :location => "London, England"
+ :location => "Slough, England",
+ :networking => {
+ :roles => {
+ :internal => {
+ :inet => {
+ :prefix => "20",
+ :gateway => "10.0.0.3"
+ }
+ },
+ :external => {
+ :zone => "ucl",
+ :inet => {
+ :prefix => "24",
+ :gateway => "193.60.236.254"
+ }
+ }
+ }
+ }
)
override_attributes(
+ :networking => {
+ :nameservers => ["10.0.0.3", "8.8.8.8", "8.8.4.4"],
+ :search => ["ucl.openstreetmap.org", "openstreetmap.org"]
+ },
:ntp => {
:servers => ["ntp1.ucl.ac.uk", "ntp2.ucl.ac.uk"]
}
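Review bot: The resolver list puts the internal server `10.0.0.3` first with Google's public resolvers as fallback while `:search` expects `ucl.openstreetmap.org` short names to resolve; if 10.0.0.3 is slow or down, the libc resolver fails over to 8.8.8.8/8.8.4.4, which cannot answer for the internal zone, so hosts would see partial resolution and send internal lookups to an external resolver instead of failing visibly. If the internal zone matters, prefer a second internal resolver over a public one, or document the trade-off, e.g. `# public resolvers are last resort only: internal names will not resolve through them`. Where 10.0.0.3's own upstream is configured after the `:bind` forwarders were dropped is outside this hunk.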
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "eth0",
+ :interface => "eth0.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.6"
},
:external_ipv4 => {
- :interface => "eth1",
+ :interface => "eth0.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.207"
+ :address => "193.60.236.21"
}
}
}
)
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[hp-dl360-g6]",
"role[munin]"
)
}
},
:nameservers => [
- "161.53.2.66",
- "2001:b68:ff:1::2",
- "2001:b68:ff:2::2",
- "2001:4860:4860::8888"
+ "8.8.8.8",
+ "8.8.4.4",
+ "2001:4860:4860::8888",
+ "2001:4860:4860::8844"
]
},
:squid => {
},
:networking => {
:interfaces => {
+ :internal_ipv4 => {
+ :interface => "eth0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.15"
+ },
:external_ipv4 => {
- :interface => "eth1",
+ :interface => "eth0.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.208"
+ :address => "193.60.236.22"
}
}
},
)
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[tyan-s7010]",
"role[tile]"
)
:networking => {
:interfaces => {
:internal_ipv4 => {
- :interface => "eth0",
+ :interface => "eth1.2801",
:role => :internal,
:family => :inet,
:address => "10.0.0.8"
},
:external_ipv4 => {
- :interface => "eth1",
+ :interface => "eth1.2800",
:role => :external,
:family => :inet,
- :address => "128.40.45.209"
+ :address => "193.60.236.23"
}
}
},
)
run_list(
- "role[ucl-wolfson]",
+ "role[ucl]",
"role[owl]"
)