From fae4e6b247c04eeccc6608ae1fc93ebc63404634 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sat, 27 Apr 2024 11:12:50 +0100
Subject: [PATCH 01/16] Blackhole unreachable Amazon IPv6 block on equinix machines
---
 roles/equinix-ams.rb | 5 ++++-
 roles/equinix-dub.rb | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/roles/equinix-ams.rb b/roles/equinix-ams.rb
index 7923e09d4..2ed34454d 100644
--- a/roles/equinix-ams.rb
+++ b/roles/equinix-ams.rb
@@ -21,7 +21,10 @@ default_attributes(
 },
 :inet6 => {
 :prefix => "64",
- :gateway => "2001:470:1:fa1::1"
+ :gateway => "2001:470:1:fa1::1",
+ :routes => {
+ "2600:9000::/28" => { :type => "unreachable" }
+ }
 }
 }
 }
diff --git a/roles/equinix-dub.rb b/roles/equinix-dub.rb
index e24d71a1f..0974d04c8 100644
--- a/roles/equinix-dub.rb
+++ b/roles/equinix-dub.rb
@@ -30,7 +30,10 @@ default_attributes(
 },
 :inet6 => {
 :prefix => "64",
- :gateway => "2001:470:1:b3b::1"
+ :gateway => "2001:470:1:b3b::1",
+ :routes => {
+ "2600:9000::/28" => { :type => "unreachable" }
+ }
 }
 }
 }
-- 
2.43.2
From e3ea52a50427f196e693043a957650f99d34dbae Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 30 Apr 2024 10:32:44 +0100
Subject: [PATCH 02/16] Revert "Blackhole unreachable Amazon IPv6 block on equinix machines"
This reverts commit fae4e6b247c04eeccc6608ae1fc93ebc63404634.
---
 roles/equinix-ams.rb | 5 +----
 roles/equinix-dub.rb | 5 +----
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/roles/equinix-ams.rb b/roles/equinix-ams.rb
index 2ed34454d..7923e09d4 100644
--- a/roles/equinix-ams.rb
+++ b/roles/equinix-ams.rb
@@ -21,10 +21,7 @@ default_attributes(
 },
 :inet6 => {
 :prefix => "64",
- :gateway => "2001:470:1:fa1::1",
- :routes => {
- "2600:9000::/28" => { :type => "unreachable" }
- }
+ :gateway => "2001:470:1:fa1::1"
 }
 }
 }
diff --git a/roles/equinix-dub.rb b/roles/equinix-dub.rb
index 0974d04c8..e24d71a1f 100644
--- a/roles/equinix-dub.rb
+++ b/roles/equinix-dub.rb
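Review bot: The added `:routes` entry records what is blackholed but not why, so a reader of roles/equinix-ams.rb has to go to git history to learn that 2600:9000::/28 is treated as unreachable from this site; a comment above the entry, `# 2600:9000::/28 (Amazon) is unreachable from this site — <reason / ticket>`, with the reference filled in, would keep the rationale next to the configuration. The identical entry added to roles/equinix-dub.rb later in this patch needs the same comment. The enclosing `default_attributes(` call starts outside the hunk.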
@@ -30,10 +30,7 @@ default_attributes(
 },
 :inet6 => {
 :prefix => "64",
- :gateway => "2001:470:1:b3b::1",
- :routes => {
- "2600:9000::/28" => { :type => "unreachable" }
- }
+ :gateway => "2001:470:1:b3b::1"
 }
 }
 }
-- 
2.43.2
From 25d07fd9899c0ba0e741a21eb9a590ea6073e163 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 1 May 2024 12:12:17 +0100
Subject: [PATCH 03/16] Update temperature and humidity alert levels for amsterdam
---
 cookbooks/prometheus/templates/default/alert_rules.yml.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cookbooks/prometheus/templates/default/alert_rules.yml.erb b/cookbooks/prometheus/templates/default/alert_rules.yml.erb
index 7afa799e8..a0cea5792 100644
--- a/cookbooks/prometheus/templates/default/alert_rules.yml.erb
+++ b/cookbooks/prometheus/templates/default/alert_rules.yml.erb
@@ -25,14 +25,14 @@ groups:
 annotations:
 current: "{{ $value | humanize }}kVA"
 - alert: site temperature
- expr: min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 < 18 or min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 > 26
+ expr: min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 < 15 or min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 > 32
 for: 6m
 labels:
 alertgroup: "amsterdam"
 annotations:
 temperature: "{{ $value | humanize }}C"
 - alert: site humidity
- expr: max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="amsterdam"}) / 100 < 0.25 or max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="amsterdam"}) / 100 > 0.65
+ expr: max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="amsterdam"}) / 100 < 0.08 or max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="amsterdam"}) / 100 > 0.8
 for: 6m
 labels:
 alertgroup: "amsterdam"
-- 
2.43.2
From 90348c618e78b0003d28015b2a538a912e806e05 Mon Sep 17 00:00:00 2001
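Review bot: The new limits in the two `expr:` lines (15–32 °C, 8–80 % relative humidity) are bare numbers with nothing in the file saying where they come from, which is what made the previous pair just as hard to justify; a YAML comment above each alert, such as `# thresholds set per <source / ticket>`, with the reference filled in, would make the next adjustment reviewable. The upper temperature bound moves from 26 to 32 °C, so it is worth stating in that comment whether this is now an equipment hard limit rather than a comfort band. The `groups:` list these alerts belong to starts outside the hunk.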
From: Grant Slater
Date: Wed, 1 May 2024 14:32:07 +0100
Subject: [PATCH 04/16] Add contrapunctus to dev
---
 .../accounts/files/default/contrapunctus/.ssh/authorized_keys | 2 ++
 roles/dev.rb | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 cookbooks/accounts/files/default/contrapunctus/.ssh/authorized_keys
diff --git a/cookbooks/accounts/files/default/contrapunctus/.ssh/authorized_keys b/cookbooks/accounts/files/default/contrapunctus/.ssh/authorized_keys
new file mode 100644
index 000000000..032adbfb6
--- /dev/null
+++ b/cookbooks/accounts/files/default/contrapunctus/.ssh/authorized_keys
@@ -0,0 +1,2 @@
+# DO NOT EDIT - This file is being maintained by Chef - use authorized_keys2 instead
+ssh-rsa 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 contrapunctus@disroot.org
diff --git a/roles/dev.rb b/roles/dev.rb
index 84d29716d..f85849e88 100644
--- a/roles/dev.rb
+++ b/roles/dev.rb
@@ -13,6 +13,7 @@ default_attributes(
 :bsupnik => { :status => :user },
 :chippy => { :status => :user },
 :cobra => { :status => :user },
+ :contrapunctus => { :status => :user },
 :csmale => { :status => :user },
 :dan => { :status => :user },
 :daveh => { :status => :user },
-- 
2.43.2
From 024e8c44bfca5167e53e82583748d1567d38c9b2 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Wed, 1 May 2024 14:33:37 +0100
Subject: [PATCH 05/16] blogs: fix lint issue
---
 cookbooks/blogs/recipes/default.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cookbooks/blogs/recipes/default.rb b/cookbooks/blogs/recipes/default.rb
index c3f238cc2..0fb2cc7aa 100644
--- a/cookbooks/blogs/recipes/default.rb
+++ b/cookbooks/blogs/recipes/default.rb
@@ -50,7 +50,7 @@ bundle_install "/srv/blogs.openstreetmap.org" do
 environment "BUNDLE_PATH" => "vendor/bundle"
 user "blogs"
 group "blogs"
- subscribes :run, "git[/srv/blogs.openstreetmap.org]", :immediate
+ subscribes :run, "git[/srv/blogs.openstreetmap.org]", :immediately
 end

 bundle_exec "/srv/blogs.openstreetmap.org" do
@@ -59,7 +59,7 @@ bundle_exec "/srv/blogs.openstreetmap.org" do
 environment "BUNDLE_PATH" => "vendor/bundle"
 user "blogs"
 group "blogs"
- subscribes :run, "git[/srv/blogs.openstreetmap.org]", :immediate
+ subscribes :run, "git[/srv/blogs.openstreetmap.org]", :immediately
 end

 ssl_certificate "blogs.openstreetmap.org" do
-- 
2.43.2
From 47c4d3fbeb213a3b07ca573a40a1c5ab79c82225 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Wed, 1 May 2024 18:06:15 +0100
Subject: [PATCH 06/16] Setup otrs::debian on naga
---
 roles/naga.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/roles/naga.rb b/roles/naga.rb
index b12795a97..0c1aba1e2 100644
--- a/roles/naga.rb
+++ b/roles/naga.rb
@@ -28,6 +28,14 @@ default_attributes(
 }
 }
 }
+ },
+ :otrs => {
+ :site => "test.otrs.openstreetmap.org",
+ :site_aliases => ["test.otrs.osm.org"],
+ :database_cluster => "16/main"
+ },
+ :postgresql => {
+ :versions => ["16"]
 }
 )

@@ -45,5 +53,6 @@ run_list(
 "recipe[stateofthemap::container]",
 "recipe[hot]",
 "recipe[ideditor]",
- "recipe[dmca]"
+ "recipe[dmca]",
+ "recipe[otrs::debian]"
 )
-- 
2.43.2
From 933ac16625c6642aceb1670e6a98f0a8f83f25d2 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Wed, 1 May 2024 18:19:23 +0100
Subject: [PATCH 07/16] otrs: allow writing of pid
---
 cookbooks/otrs/recipes/debian.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cookbooks/otrs/recipes/debian.rb b/cookbooks/otrs/recipes/debian.rb
index 35bdc148e..bed09a8b3 100644
--- a/cookbooks/otrs/recipes/debian.rb
+++ b/cookbooks/otrs/recipes/debian.rb
@@ -94,7 +94,7 @@ systemd_service "otrs" do
 private_tmp true
 protect_system "strict"
 protect_home true
- read_write_paths ["/var/lib/otrs", "/var/log/exim4", "/var/spool/exim4"]
+ read_write_paths ["/var/lib/otrs", "/run/otrs", "/var/log/exim4", "/var/spool/exim4"]
 end

 service "otrs" do
-- 
2.43.2
From 12c7fbd7b0aca8f8e304f0bfacc5f73d2f743cc8 Mon Sep 17 00:00:00 2001
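Review bot: Adding `/run/otrs` to `read_write_paths` only lifts the ProtectSystem=strict write restriction; it does not create the directory, and /run is a tmpfs that is empty after every boot, so unless something outside this hunk creates /run/otrs before the unit starts, the pid file write will fail again after a reboot. If the project's `systemd_service` resource exposes systemd's RuntimeDirectory= (typically as `runtime_directory "otrs"`), that is the more robust form: systemd creates the directory for the service user and removes it on stop, and the path then no longer needs listing in `read_write_paths`. The `systemd_service "otrs" do` block starts outside the hunk.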
From: Grant Slater
Date: Wed, 1 May 2024 20:03:58 +0100
Subject: [PATCH 08/16] naga: Set postgresql 16 port
---
 roles/naga.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/roles/naga.rb b/roles/naga.rb
index 0c1aba1e2..2586aaf4a 100644
--- a/roles/naga.rb
+++ b/roles/naga.rb
@@ -35,7 +35,12 @@ default_attributes(
 :database_cluster => "16/main"
 },
 :postgresql => {
- :versions => ["16"]
+ :versions => ["16"],
+ :settings => {
+ "16" => {
+ :port => 5433
+ }
+ }
 }
 )

-- 
2.43.2
From 7f9e279d341b99167f9163077ebd43d5e8923a1a Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Wed, 1 May 2024 20:05:12 +0100
Subject: [PATCH 09/16] otrs: use apt_preference for otrs backport priority
---
 cookbooks/otrs/recipes/debian.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/cookbooks/otrs/recipes/debian.rb b/cookbooks/otrs/recipes/debian.rb
index bed09a8b3..2d683b17e 100644
--- a/cookbooks/otrs/recipes/debian.rb
+++ b/cookbooks/otrs/recipes/debian.rb
@@ -62,10 +62,14 @@ template "/etc/dbconfig-common/otrs2.conf" do
 :database_password => database_password
 end

-apt_package "otrs2" do
- options "-t #{node[:lsb][:codename]}-backports"
+# Ensure the OTRS package in backports has a priority preference.
+apt_preference "otrs2" do
+ pin "release o=Debian Backports"
+ pin_priority "600"
 end

+apt_package "otrs2"
+
 # Ensure debconf is repopulated on a dbconfig change
 execute "dpkg-reconfigure-otrs2" do
 action :nothing
-- 
2.43.2
From f8a576aca1270f703f38c3257cf533390692de06 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Wed, 1 May 2024 21:09:22 +0100
Subject: [PATCH 10/16] Remove otrs test role from naga
---
 roles/naga.rb | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/roles/naga.rb b/roles/naga.rb
index 2586aaf4a..b12795a97 100644
--- a/roles/naga.rb
+++ b/roles/naga.rb
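Review bot: The new `pin "release o=Debian Backports"` matches on origin alone, so the otrs2 preference follows whatever suite Debian Backports publishes rather than the release-specific suite the removed `-t #{node[:lsb][:codename]}-backports` option targeted; pinning the suite as well, `pin "release o=Debian Backports,n=#{node[:lsb][:codename]}-backports"`, keeps the priority bound to the current release's backports across a distribution upgrade. Unlike the removed `options`, which only affected the install command, the preference also governs later upgrades of otrs2, which is presumably the intent but deserves a sentence in the comment above `apt_preference`. The `template "/etc/dbconfig-common/otrs2.conf" do` block at the top of the hunk starts outside it.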
@@ -28,19 +28,6 @@ default_attributes(
 }
 }
 }
- },
- :otrs => {
- :site => "test.otrs.openstreetmap.org",
- :site_aliases => ["test.otrs.osm.org"],
- :database_cluster => "16/main"
- },
- :postgresql => {
- :versions => ["16"],
- :settings => {
- "16" => {
- :port => 5433
- }
- }
 }
 )

@@ -58,6 +45,5 @@ run_list(
 "recipe[stateofthemap::container]",
 "recipe[hot]",
 "recipe[ideditor]",
- "recipe[dmca]",
- "recipe[otrs::debian]"
+ "recipe[dmca]"
 )
-- 
2.43.2
From 3434bb0e2b4875bf953bf39b9490407b8227b10a Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Wed, 1 May 2024 18:50:50 +0100
Subject: [PATCH 11/16] Upgrade chef to 18.4.12
---
 cookbooks/chef/attributes/default.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cookbooks/chef/attributes/default.rb b/cookbooks/chef/attributes/default.rb
index 185bc4ad6..d6284df52 100644
--- a/cookbooks/chef/attributes/default.rb
+++ b/cookbooks/chef/attributes/default.rb
@@ -2,4 +2,4 @@
 default[:chef][:server][:version] = "15.1.7"

 # Set the default client version
-default[:chef][:client][:version] = "18.4.2"
+default[:chef][:client][:version] = "18.4.12"
-- 
2.43.2
From 8b4cd15c411729f1b65da9fce29a247897f72d35 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Thu, 2 May 2024 09:49:49 +0100
Subject: [PATCH 12/16] web: add openstreetmap.com to certificate
---
 cookbooks/web/recipes/rails.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cookbooks/web/recipes/rails.rb b/cookbooks/web/recipes/rails.rb
index 1f3236caa..ee24dbd8d 100644
--- a/cookbooks/web/recipes/rails.rb
+++ b/cookbooks/web/recipes/rails.rb
@@ -31,11 +31,11 @@ web_passwords = data_bag_item("web", "passwords")
 db_passwords = data_bag_item("db", "passwords")

 ssl_certificate "www.openstreetmap.org" do
- domains ["www.openstreetmap.org", "www.osm.org",
+ domains ["www.openstreetmap.org", "www.osm.org", "www.openstreetmap.com",
 "api.openstreetmap.org", "api.osm.org",
 "maps.openstreetmap.org", "maps.osm.org",
 "mapz.openstreetmap.org", "mapz.osm.org",
- "openstreetmap.org", "osm.org"]
+ "openstreetmap.org", "osm.org", "openstreetmap.com"]
 notifies :reload, "service[apache2]"
 end

-- 
2.43.2
From e6efb80e3363ef7ee084f6aee004a0b7dbb7a0e4 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Fri, 3 May 2024 03:11:05 +0100
Subject: [PATCH 13/16] Add birthday20 wordpress dev site
---
 cookbooks/blog/recipes/birthday.rb | 59 +++++++++++++++++++
 .../default/backup-birthday20.cron.erb | 21 +++++++
 roles/birthday20.rb | 19 ++++++
 roles/fume.rb | 3 +-
 4 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 cookbooks/blog/recipes/birthday.rb
 create mode 100644 cookbooks/blog/templates/default/backup-birthday20.cron.erb
 create mode 100644 roles/birthday20.rb
diff --git a/cookbooks/blog/recipes/birthday.rb b/cookbooks/blog/recipes/birthday.rb
new file mode 100644
index 000000000..eac984ae0
--- /dev/null
+++ b/cookbooks/blog/recipes/birthday.rb
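Review bot: Only the bare and www forms of openstreetmap.com are added to the `domains` list, while the api, maps and mapz hostnames keep their .org and .osm.org forms only; if that asymmetry is deliberate, a short comment on the `domains` line (`# .com is only served for the www and apex names`) would stop someone "completing" the set later. Adding a SAN here only changes what the certificate covers — whether Apache actually answers for the .com names depends on the vhost's ServerAlias entries, which are outside this hunk, so it is worth confirming the certificate is not being issued for names the server never serves. The `ssl_certificate` block itself is fully inside the hunk.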
@@ -0,0 +1,59 @@
+#
+# Cookbook:: blog
+# Recipe:: birthday
+#
+# Copyright:: 2024, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "wordpress"
+
+passwords = data_bag_item("birthday20", "passwords")
+wp2fa_encrypt_keys = data_bag_item("birthday20", "wp2fa_encrypt_keys")
+
+directory "/srv/birthday20.openstreetmap.org" do
+ owner "wordpress"
+ group "wordpress"
+ mode "755"
+end
+
+wordpress_site "birthday20.openstreetmap.org" do
+ aliases ["birthday20.osm.org", "birthday20.openstreetmap.com",
+ "birthday20.openstreetmap.net", "birthday20.openstreetmaps.org"]
+ directory "/srv/birthday20.openstreetmap.org/wp"
+ database_name "osm-birthday20"
+ database_user "osm-birthday20-user"
+ database_password passwords["osm-birthday20-user"]
+ wp2fa_encrypt_key wp2fa_encrypt_keys["key"]
+ fpm_prometheus_port 11403
+end
+
+wordpress_plugin "birthday20.openstreetmap.org-shareadraft" do
+ action :delete
+ plugin "shareadraft"
+ site "birthday20.openstreetmap.org"
+end
+
+wordpress_plugin "birthday20.openstreetmap.org-public-post-preview" do
+ plugin "public-post-preview"
+ site "birthday20.openstreetmap.org"
+end
+
+template "/etc/cron.daily/birthday20-backup" do
+ source "backup-birthday20.cron.erb"
+ owner "root"
+ group "root"
+ mode "750"
+ variables :passwords => passwords
+end
diff --git a/cookbooks/blog/templates/default/backup-birthday20.cron.erb b/cookbooks/blog/templates/default/backup-birthday20.cron.erb
new file mode 100644
index 000000000..cef3d14ee
--- /dev/null
+++ b/cookbooks/blog/templates/default/backup-birthday20.cron.erb
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# DO NOT EDIT - This file is being maintained by Chef
+
+T=$(mktemp -d -t -p /var/tmp osm-birthday20.XXXXXXXXXX)
+D=$(date +%Y-%m-%d)
+B=osm-birthday20-$D.tar.gz
+
+mkdir $T/osm-birthday20-$D
+echo '[mysqldump]' > $T/mysqldump.opts
+echo 'user=osm-birthday20-user' >> $T/mysqldump.opts
+echo 'password=<%= @passwords["osm-birthday20-user"] %>' >> $T/mysqldump.opts
+mysqldump --defaults-file=$T/mysqldump.opts --opt --no-tablespaces osm-birthday20 > $T/osm-birthday20-$D/osm-birthday20.sql
+ln -s /srv/birthday20.openstreetmap.org $T/osm-birthday20-$D/www
+
+export RSYNC_RSH="ssh -ax"
+
+nice tar --create --dereference --directory=$T --warning=no-file-changed osm-birthday20-$D | nice gzip --rsyncable -9 > $T/$B
+nice rsync --preallocate --fuzzy $T/$B backup::backup
+
+rm -rf $T
diff --git a/roles/birthday20.rb b/roles/birthday20.rb
new file mode 100644
index 000000000..ea83dc13b
--- /dev/null
+++ b/roles/birthday20.rb
@@ -0,0 +1,19 @@
+name "birthday20"
+description "Role applied to birthday20 servers"
+
+default_attributes(
+ :accounts => {
+ :users => {
+ :mikel => { :status => :administrator },
+ :wordpress => {
+ :status => :role,
+ :members => [:mikel]
+ }
+ },
+ }
+)
+
+# FIXME: Disable while site under development
+run_list(
+ "recipe[blog::birthday20]"
+)
diff --git a/roles/fume.rb b/roles/fume.rb
index 5b4c5a670..6af2333b4 100644
--- a/roles/fume.rb
+++ b/roles/fume.rb
@@ -33,5 +33,6 @@ default_attributes(

 run_list(
 "role[equinix-dub]",
- "role[blog-staging]"
+ "role[blog-staging]",
+ "role[birthday20]"
 )
-- 
2.43.2
From b31e9fe802a5b8771a476e5800945bedc953a8ac Mon Sep 17 00:00:00 2001
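Review bot: The backup script in backup-birthday20.cron.erb never checks that `mktemp -d` succeeded and uses `$T` unquoted throughout, so if mktemp fails `T` is empty and `echo 'password=…' >> $T/mysqldump.opts` writes the database password to `/mysqldump.opts` under the root umask, i.e. world-readable, while the final `rm -rf $T` then removes nothing. Two lines close this: `set -e` directly after the shebang (or `T=$(mktemp -d -t -p /var/tmp osm-birthday20.XXXXXXXXXX) || exit 1`), and `umask 077` before the first `echo`, so the options file and the SQL dump are never group- or world-readable even though the temp directory itself is created 0700. Quoting the expansions (`"$T"`, `"$T/$B"`) is a cheaper habit than relying on the fixed mktemp prefix never containing whitespace.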
From: Grant Slater
Date: Fri, 3 May 2024 03:14:06 +0100
Subject: [PATCH 14/16] Fix role/recipe typo
---
 roles/birthday20.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/birthday20.rb b/roles/birthday20.rb
index ea83dc13b..959366360 100644
--- a/roles/birthday20.rb
+++ b/roles/birthday20.rb
@@ -15,5 +15,5 @@ default_attributes(

 # FIXME: Disable while site under development
 run_list(
- "recipe[blog::birthday20]"
+ "recipe[blog::birthday]"
 )
-- 
2.43.2
From fece7ed198752ba5b22de9d45a51694a65997a08 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Fri, 3 May 2024 03:18:29 +0100
Subject: [PATCH 15/16] Disable birthday recipe while under dev
---
 roles/birthday20.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/birthday20.rb b/roles/birthday20.rb
index 959366360..55132429e 100644
--- a/roles/birthday20.rb
+++ b/roles/birthday20.rb
@@ -14,6 +14,6 @@ default_attributes(
 )

 # FIXME: Disable while site under development
-run_list(
- "recipe[blog::birthday]"
-)
+# run_list(
+# "recipe[blog::birthday]"
+# )
-- 
2.43.2
From b5b2994a949dc3f1daec3ef20a449f8f4e3f8b8d Mon Sep 17 00:00:00 2001
From: Sarah Hoffmann
Date: Sat, 4 May 2024 10:48:47 +0200
Subject: [PATCH 16/16] nominatim: install secondary importance file
---
 cookbooks/nominatim/recipes/default.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index 2cf17d821..ab1c5aaa2 100644
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -314,6 +314,14 @@ template "#{project_directory}/.env" do
 :request_timeout => node[:nominatim][:api_request_timeout]
 end

+remote_file "#{project_directory}/secondary_importance.sql.gz" do
+ action :create_if_missing
+ source "https://nominatim.org/data/wikimedia-secondary-importance.sql.gz"
+ owner "nominatim"
+ group "nominatim"
+ mode "644"
+end
+
 remote_file "#{project_directory}/wikimedia-importance.sql.gz" do
 action :create_if_missing
 source "https://nominatim.org/data/wikimedia-importance.sql.gz"
-- 
2.43.2
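Review bot: The new `remote_file` downloads secondary_importance.sql.gz with no `checksum`, so the only integrity check on data that is presumably loaded into the database later is the TLS connection to nominatim.org, and `:create_if_missing` means a truncated or corrupted download is kept indefinitely. `remote_file` supports a `checksum` property; if the upstream file is versioned rather than regenerated in place, adding `checksum "<sha256 of the expected file>"` lets Chef verify what it fetched, and together with `:create_if_missing` it still avoids re-downloading a good copy. The existing wikimedia-importance.sql.gz resource below has the same gap, so the change applies to both. The `template "#{project_directory}/.env" do` block at the top of the hunk starts outside it.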