default[:chef][:server][:version] = "12.13.0-1"
# Set the default client version
-default[:chef][:client][:version] = "12.19.36"
+default[:chef][:client][:version] = "12.20.3"
description "Chef client"
after "network.target"
exec_start "/usr/bin/chef-client -i 1800 -s 20"
- success_exit_status 3
restart "on-failure"
end
else
service "chef-client" do
action [:enable, :start]
+ if node[:lsb][:release].to_f >= 15.10
+ restart_command "systemctl kill --signal=TERM chef-client.service"
+ end
supports :status => true, :restart => true, :reload => true
subscribes :restart, "dpkg_package[chef]"
subscribes :restart, "template[/etc/init/chef-client.conf]"
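Review bot: The `restart_command` added on line 15 only sends SIGTERM to the unit and never starts it again, so the `subscribes :restart` notifications below now rely on systemd re-launching chef-client under its `Restart=` policy; the unit template in the other hunk uses `on-failure`, which only fires if chef-client exits non-zero on TERM, and this hunk gives no hint that it does. If that behaviour is relied upon, say so next to the command, e.g. `# chef-client exits non-zero on TERM, so Restart=on-failure relaunches it once the current run ends`; otherwise the default `systemctl restart` is the safer choice. The `service` block's closing `end` is outside the hunk.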
# Disable scatter-gather offload for HP NC362i network controllers
SUBSYSTEM=="net", ACTION=="add", ATTRS{vendor}=="0x8086", ATTRS{device}=="0x10c9", ATTRS{subsystem_vendor}=="0x103c", ATTRS{subsystem_device}=="0x323f", RUN+="/sbin/ethtool -K $name gso off tso off sg off gro off"
+
+# Workaround unreliable Western Digital WD RE3/RE4 disks (ATA only)
+# Set sufficent Linux subsystem timeout
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1002FBYS-02A6B0", ATTR{device/timeout}="90"
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1003FBYX-01Y7B0", ATTR{device/timeout}="90"
+# Disable Disk Write Cache, Set AAM and Power Management correctly
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1002FBYS-02A6B0", RUN+="/sbin/hdparm -q -W0 -q -M254 $env{DEVNAME}"
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1003FBYX-01Y7B0", RUN+="/sbin/hdparm -q -W0 -q -M254 -q -B254 $env{DEVNAME}"
+
+# Set Disks TLED / SCT Error Recovery Control
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1002FBYS-02A6B0", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,70,70 $env{DEVNAME}"
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1003FBYX-01Y7B0", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,70,70 $env{DEVNAME}"
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD5000AAKS-00A7B0", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,70,70 $env{DEVNAME}"
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD2000FYYZ-01UL1B2", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,70,70 $env{DEVNAME}"
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="TOSHIBA_DT01ACA300", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,70,70 $env{DEVNAME}"
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="ST31000340NS", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,100,100 $env{DEVNAME}"
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="HGST_HTS725050A7E630", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,100,100 $env{DEVNAME}"
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="HGST_HTE721010A9E630", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,100,100 $env{DEVNAME}"
fixed-address draco.oob.openstreetmap.org;
}
+host eddie.oob.openstreetmap.org {
+ hardware ethernet 0c:c4:7a:d5:8c:c0;
+ server-name "eddie.oob.openstreetmap.org";
+ fixed-address eddie.oob.openstreetmap.org;
+}
+
host errol.oob.openstreetmap.org {
hardware ethernet 00:e0:81:c0:8d:01;
server-name "errol.oob.openstreetmap.org";
fixed-address spike-03.oob.openstreetmap.org;
}
+host tiamat-00.oob.openstreetmap.org {
+ hardware ethernet 00:25:90:1a:76:01;
+ server-name "tiamat-00.oob.openstreetmap.org";
+ fixed-address tiamat-00.oob.openstreetmap.org;
+}
+
+host tiamat-01.oob.openstreetmap.org {
+ hardware ethernet 00:25:90:1a:75:78;
+ server-name "tiamat-01.oob.openstreetmap.org";
+ fixed-address tiamat-01.oob.openstreetmap.org;
+}
+
+host tiamat-02.oob.openstreetmap.org {
+ hardware ethernet 00:25:90:1f:10:e3;
+ server-name "tiamat-02.oob.openstreetmap.org";
+ fixed-address tiamat-02.oob.openstreetmap.org;
+}
+
+host tiamat-03.oob.openstreetmap.org {
+ hardware ethernet 00:25:90:1a:75:74;
+ server-name "tiamat-03.oob.openstreetmap.org";
+ fixed-address tiamat-03.oob.openstreetmap.org;
+}
+
+host tiamat-11.oob.openstreetmap.org {
+ hardware ethernet 00:25:90:2c:cd:68;
+ server-name "tiamat-11.oob.openstreetmap.org";
+ fixed-address tiamat-11.oob.openstreetmap.org;
+}
+
+host tiamat-12.oob.openstreetmap.org {
+ hardware ethernet 00:25:90:1f:0a:9c;
+ server-name "tiamat-12.oob.openstreetmap.org";
+ fixed-address tiamat-12.oob.openstreetmap.org;
+}
+
+host tiamat-13.oob.openstreetmap.org {
+ hardware ethernet 00:25:90:1f:17:ed;
+ server-name "tiamat-13.oob.openstreetmap.org";
+ fixed-address tiamat-13.oob.openstreetmap.org;
+}
+
+host tiamat-21.oob.openstreetmap.org {
+ hardware ethernet 00:25:90:29:a8:d7;
+ server-name "tiamat-21.oob.openstreetmap.org";
+ fixed-address tiamat-21.oob.openstreetmap.org;
+}
+
host tiamat-22.oob.openstreetmap.org {
hardware ethernet 00:25:90:29:a8:01;
server-name "tiamat-22.oob.openstreetmap.org";
fixed-address tiamat-22.oob.openstreetmap.org;
}
+host tiamat-23.oob.openstreetmap.org {
+ hardware ethernet 00:25:90:29:a7:ff;
+ server-name "tiamat-23.oob.openstreetmap.org";
+ fixed-address tiamat-23.oob.openstreetmap.org;
+}
+
host thorn-01.oob.openstreetmap.org {
hardware ethernet 00:19:bb:35:87:94;
server-name "thorn-01.oob.openstreetmap.org";
<% end -%>
# Deny spammy messages with headers of the form:
- # X-PHP-Originating-Script: <digits>:SendMail.php
- # X-PHP-Originating-Script: <digits>:SendMail.class.php
- # X-PHP-Originating-Script: <digits>:ExtendedMail.php
- # X-PHP-Originating-Script: <digits>:ExtendedMail.class.php
- deny condition = ${if match {$h_X-PHP-Originating-Script:}{^[0-9]+:(Send|Extended)[Mm]ail(\\.class)?\\.php\$}}
+ # X-PHP-Originating-Script: <digits>:<name>.php
+ # X-PHP-Originating-Script: <digits>:<name>.class.php
+ deny condition = ${if match {$h_X-PHP-Originating-Script:}{^[0-9]+:[A-Za-z]+(\\.class)?\\.php\$}}
+ !hosts = +relay_from_hosts
message = This message failed local spam checks.
# Accept the message.
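Review bot: The widened pattern on line 124 uses `[A-Za-z]+`, which only matches letters before `.php`, so a script named `send_mail.php`, `Mail2.php` or `my-mailer.php` is not caught even though the comment on lines 122-123 promises `<name>.php`; if any PHP-originated script is meant, use `[A-Za-z0-9_-]+` or simply `[^:]+`. The condition also now rejects every PHP-originated message not coming from `+relay_from_hosts`, a much broader deny than the two script names it replaces, which is worth stating in the comment, e.g. `# Any PHP-originated message from a host outside relay_from_hosts is rejected as spam`. The enclosing ACL begins and ends outside the hunk.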
apache_module "proxy_fcgi"
apache_module "proxy_http"
apache_module "headers"
+apache_module "reqtimeout"
service "php7.0-fpm" do
action [:enable, :start]
end.flatten
fail2ban_filter "nominatim" do
- failregex '^<HOST> - - \[\] "[^"]+" (400|429) '
+ failregex '^<HOST> - - \[\] "[^"]+" (408|429) '
end
fail2ban_jail "nominatim" do
# Remove Proxy request header to mitigate https://httpoxy.org/
RequestHeader unset Proxy early
+ RequestReadTimeout header=15-30,MinRate=500 body=15-30,MinRate=500
+
CustomLog /var/log/apache2/nominatim.openstreetmap.org-access.log combined
ErrorLog /var/log/apache2/nominatim.openstreetmap.org-error.log
LD_PRELOAD=/opt/flush/flush.so
* * * * * planet /usr/local/bin/osmosis -q --replicate-apidb authFile=/etc/replication/auth.conf validateSchemaVersion=false --write-replication workingDirectory=/store/planet/replication/minute
-2 * * * * planet /home/bretth/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour
-5 * * * * planet /home/bretth/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day
+5 * * * * planet /home/bretth/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour
+10 * * * * planet /home/bretth/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day
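Review bot: The re-timed hourly and daily jobs on lines 150-151 still run `/home/bretth/bin/osmosis` as the `planet` user, while the minute job on line 147 runs the managed `/usr/local/bin/osmosis`; executing a binary out of a personal home directory means whoever controls that account, or anything able to write under that path, gets code execution as `planet` every hour, and that copy sits outside whatever manages `/usr/local/bin`. Unless a different osmosis build is deliberately required there, point both lines at the managed binary, e.g. `5 * * * * planet /usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour`, or add a comment explaining why the home-directory copy is needed.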
)
run_list(
- "role[inxza]",
- "role[tilecache]"
+ "role[inxza]"
)
--- /dev/null
+name "eddie"
+description "Master role applied to eddie"
+
+default_attributes(
+ :apt => {
+ :sources => ["postgresql"]
+ },
+ :db => {
+ :cluster => "9.5/main"
+ },
+ :networking => {
+ :interfaces => {
+ :internal_ipv4 => {
+ :interface => "enp1s0f0.2801",
+ :role => :internal,
+ :family => :inet,
+ :address => "10.0.0.10"
+ }
+ }
+ },
+ :postgresql => {
+ :settings => {
+ :defaults => {
+ :shared_buffers => "64GB",
+ :work_mem => "64MB",
+ :maintenance_work_mem => "1GB",
+ :effective_cache_size => "180GB",
+ :effective_io_concurrency => "256"
+ }
+ }
+ },
+ :sysctl => {
+ :postgres => {
+ :comment => "Increase shared memory for postgres",
+ :parameters => {
+ "kernel.shmmax" => 66 * 1024 * 1024 * 1024,
+ "kernel.shmall" => 66 * 1024 * 1024 * 1024 / 4096
+ }
+ }
+ },
+ :sysfs => {
+ :md_tune => {
+ :comment => "Enable request merging for NVMe devices",
+ :parameters => {
+ "block/nvme0n1/queue/nomerges" => "1",
+ "block/nvme1n1/queue/nomerges" => "1",
+ "block/nvme2n1/queue/nomerges" => "1",
+ "block/nvme3n1/queue/nomerges" => "1",
+ "block/nvme4n1/queue/nomerges" => "1",
+ "block/nvme5n1/queue/nomerges" => "1",
+ "block/nvme6n1/queue/nomerges" => "1"
+ }
+ }
+ }
+)
+
+run_list(
+ "role[ucl]"
+)
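Review bot: The `md_tune` comment on line 201 says `Enable request merging for NVMe devices`, but `nomerges` is set to `"1"` on lines 203-209, and a non-zero `nomerges` turns request merging off (1 keeps only the simple one-hit merge, 2 disables it entirely), so the comment and the value contradict each other. If disabling merges is the intent, change the comment to `:comment => "Disable request merging for NVMe devices"`; if merging was actually wanted, the values should be `"0"`. The key name `md_tune` also reads as a copy from an md-raid role; a name such as `nvme_tune` would match what the block does.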
}
},
:git => {
- :allowed_nodes => "*:*",
+ :allowed_nodes => "fqdn:*",
:user => "chefrepo",
:group => "chefrepo",
:backup => "chef-git"
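Review bot: The new `:allowed_nodes => "fqdn:*"` on line 222 is still a search that matches every registered node that has an `fqdn` attribute, which in practice is the same set as the previous `*:*`, so if the change was meant to narrow which nodes are granted access to the chefrepo git it does not do so; if it was made for a search-syntax reason instead, that is not visible here. A one-line comment stating the intent, e.g. `# every node with an fqdn may access the repo; tighten to a role search to restrict`, or a narrower query such as `role:chef-*`, would make this reviewable. The enclosing attribute hash begins and ends outside the hunk.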
:maintenance_work_mem => "10GB",
:random_page_cost => "1.5",
:effective_cache_size => "60GB",
- :fsync => "off"
+ :fsync => "on"
}
}
},
:address => "193.60.236.40"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:address => "193.60.236.41"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:address => "193.60.236.42"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:address => "193.60.236.44"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:address => "193.60.236.45"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:address => "193.60.236.46"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:address => "193.60.236.47"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:address => "193.60.236.48"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:address => "193.60.236.49"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:address => "193.60.236.50"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:address => "193.60.236.51"
}
}
+ },
+ :hardware => {
+ :watchdog => "w83627hf_wdt"
}
)
:apt => {
:sources => ["nginx"]
},
- :munin => {
- :plugins => {
- :cpu => {
- :user => { :warning => 200, :critical => 400 }
- }
- }
- },
:sysctl => {
:network_conntrack_time_wait => {
:comment => "Only track completed connections for 30 seconds",