diff --git a/data/common/cassandra.yaml b/data/common/cassandra.yaml new file mode 100644 index 00000000..1a5e5e26 --- /dev/null +++ b/data/common/cassandra.yaml @@ -0,0 +1,1182 @@ +cassandra::release: 311x +cassandra::cluster: azure + +cassandra::exporter::version: "0.9.10" +cassandra::exporter::listen_network: "%{lookup('internal_network')}" +cassandra::exporter::listen_port: 9500 + +cassandra::listen_network: "%{lookup('internal_network')}" + +cassandra::baseline_settings: + # NOTE: + # See http://wiki.apache.org/cassandra/StorageConfiguration for + # full explanations of configuration directives + # /NOTE + + # This defines the number of tokens randomly assigned to this node on the ring + # The more tokens, relative to other nodes, the larger the proportion of data + # that this node will store. You probably want all nodes to have the same number + # of tokens assuming they have equal hardware capability. + # + # If you leave this unspecified, Cassandra will use the default of 1 token for legacy compatibility, + # and will use the initial_token as described below. + # + # Specifying initial_token will override this setting on the node's initial start, + # on subsequent starts, this setting will apply even if initial token is set. + # + # If you already have a cluster with 1 token per node, and wish to migrate to + # multiple tokens per node, see http://wiki.apache.org/cassandra/Operations + num_tokens: 256 + + # Triggers automatic allocation of num_tokens tokens for this node. The allocation + # algorithm attempts to choose tokens in a way that optimizes replicated load over + # the nodes in the datacenter for the replication strategy used by the specified + # keyspace. + # + # The load assigned to each node will be close to proportional to its number of + # vnodes. + # + # Only supported with the Murmur3Partitioner. + # allocate_tokens_for_keyspace: KEYSPACE + + # initial_token allows you to specify tokens manually. While you can use it with + # vnodes (num_tokens > 1, above) -- in which case you should provide a + # comma-separated list -- it's primarily used when adding nodes to legacy clusters + # that do not have vnodes enabled. + # initial_token: + + # See http://wiki.apache.org/cassandra/HintedHandoff + # May either be "true" or "false" to enable globally + hinted_handoff_enabled: true + + # When hinted_handoff_enabled is true, a black list of data centers that will not + # perform hinted handoff + # hinted_handoff_disabled_datacenters: + # - DC1 + # - DC2 + + # this defines the maximum amount of time a dead host will have hints + # generated. After it has been dead this long, new hints for it will not be + # created until it has been seen alive and gone down again. + max_hint_window_in_ms: 10800000 # 3 hours + + # Maximum throttle in KBs per second, per delivery thread. This will be + # reduced proportionally to the number of nodes in the cluster. (If there + # are two nodes in the cluster, each delivery thread will use the maximum + # rate; if there are three, each will throttle to half of the maximum, + # since we expect two nodes to be delivering hints simultaneously.) + hinted_handoff_throttle_in_kb: 1024 + + # Number of threads with which to deliver hints; + # Consider increasing this number when you have multi-dc deployments, since + # cross-dc handoff tends to be slower + max_hints_delivery_threads: 2 + + # How often hints should be flushed from the internal buffers to disk. + # Will *not* trigger fsync. 
+ hints_flush_period_in_ms: 10000 + + # Maximum size for a single hints file, in megabytes. + max_hints_file_size_in_mb: 128 + + # Compression to apply to the hint files. If omitted, hints files + # will be written uncompressed. LZ4, Snappy, and Deflate compressors + # are supported. + #hints_compression: + # - class_name: LZ4Compressor + # parameters: + # - + + # Maximum throttle in KBs per second, total. This will be + # reduced proportionally to the number of nodes in the cluster. + batchlog_replay_throttle_in_kb: 1024 + + # Authentication backend, implementing IAuthenticator; used to identify users + # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator, + # PasswordAuthenticator}. + # + # - AllowAllAuthenticator performs no checks - set it to disable authentication. + # - PasswordAuthenticator relies on username/password pairs to authenticate + # users. It keeps usernames and hashed passwords in system_auth.roles table. + # Please increase system_auth keyspace replication factor if you use this authenticator. + # If using PasswordAuthenticator, CassandraRoleManager must also be used (see below) + authenticator: AllowAllAuthenticator + + # Authorization backend, implementing IAuthorizer; used to limit access/provide permissions + # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer, + # CassandraAuthorizer}. + # + # - AllowAllAuthorizer allows any action to any user - set it to disable authorization. + # - CassandraAuthorizer stores permissions in system_auth.role_permissions table. Please + # increase system_auth keyspace replication factor if you use this authorizer. + authorizer: AllowAllAuthorizer + + # Part of the Authentication & Authorization backend, implementing IRoleManager; used + # to maintain grants and memberships between roles. + # Out of the box, Cassandra provides org.apache.cassandra.auth.CassandraRoleManager, + # which stores role information in the system_auth keyspace. Most functions of the + # IRoleManager require an authenticated login, so unless the configured IAuthenticator + # actually implements authentication, most of this functionality will be unavailable. + # + # - CassandraRoleManager stores role data in the system_auth keyspace. Please + # increase system_auth keyspace replication factor if you use this role manager. + role_manager: CassandraRoleManager + + # Validity period for roles cache (fetching granted roles can be an expensive + # operation depending on the role manager, CassandraRoleManager is one example) + # Granted roles are cached for authenticated sessions in AuthenticatedUser and + # after the period specified here, become eligible for (async) reload. + # Defaults to 2000, set to 0 to disable caching entirely. + # Will be disabled automatically for AllowAllAuthenticator. + roles_validity_in_ms: 2000 + + # Refresh interval for roles cache (if enabled). + # After this interval, cache entries become eligible for refresh. Upon next + # access, an async reload is scheduled and the old value returned until it + # completes. If roles_validity_in_ms is non-zero, then this must be + # also. + # Defaults to the same value as roles_validity_in_ms. + # roles_update_interval_in_ms: 2000 + + # Validity period for permissions cache (fetching permissions can be an + # expensive operation depending on the authorizer, CassandraAuthorizer is + # one example). Defaults to 2000, set to 0 to disable. + # Will be disabled automatically for AllowAllAuthorizer. 
+ permissions_validity_in_ms: 2000 + + # Refresh interval for permissions cache (if enabled). + # After this interval, cache entries become eligible for refresh. Upon next + # access, an async reload is scheduled and the old value returned until it + # completes. If permissions_validity_in_ms is non-zero, then this must be + # also. + # Defaults to the same value as permissions_validity_in_ms. + # permissions_update_interval_in_ms: 2000 + + # Validity period for credentials cache. This cache is tightly coupled to + # the provided PasswordAuthenticator implementation of IAuthenticator. If + # another IAuthenticator implementation is configured, this cache will not + # be automatically used and so the following settings will have no effect. + # Please note, credentials are cached in their encrypted form, so while + # activating this cache may reduce the number of queries made to the + # underlying table, it may not bring a significant reduction in the + # latency of individual authentication attempts. + # Defaults to 2000, set to 0 to disable credentials caching. + credentials_validity_in_ms: 2000 + + # Refresh interval for credentials cache (if enabled). + # After this interval, cache entries become eligible for refresh. Upon next + # access, an async reload is scheduled and the old value returned until it + # completes. If credentials_validity_in_ms is non-zero, then this must be + # also. + # Defaults to the same value as credentials_validity_in_ms. + # credentials_update_interval_in_ms: 2000 + + # The partitioner is responsible for distributing groups of rows (by + # partition key) across nodes in the cluster. You should leave this + # alone for new clusters. The partitioner can NOT be changed without + # reloading all data, so when upgrading you should set this to the + # same partitioner you were already using. + # + # Besides Murmur3Partitioner, partitioners included for backwards + # compatibility include RandomPartitioner, ByteOrderedPartitioner, and + # OrderPreservingPartitioner. + # + partitioner: org.apache.cassandra.dht.Murmur3Partitioner + + # Enable / disable CDC functionality on a per-node basis. This modifies the logic used + # for write path allocation rejection (standard: never reject. cdc: reject Mutation + # containing a CDC-enabled table if at space limit in cdc_raw_directory). + cdc_enabled: false + + # Policy for data disk failures: + # + # die + # shut down gossip and client transports and kill the JVM for any fs errors or + # single-sstable errors, so the node can be replaced. + # + # stop_paranoid + # shut down gossip and client transports even for single-sstable errors, + # kill the JVM for errors during startup. + # + # stop + # shut down gossip and client transports, leaving the node effectively dead, but + # can still be inspected via JMX, kill the JVM for errors during startup. + # + # best_effort + # stop using the failed disk and respond to requests based on + # remaining available sstables. This means you WILL see obsolete + # data at CL.ONE! + # + # ignore + # ignore fatal errors and let requests fail, as in pre-1.2 Cassandra + disk_failure_policy: stop + + # Policy for commit disk failures: + # + # die + # shut down gossip and Thrift and kill the JVM, so the node can be replaced. + # + # stop + # shut down gossip and Thrift, leaving the node effectively dead, but + # can still be inspected via JMX. 
+ # + # stop_commit + # shutdown the commit log, letting writes collect but + # continuing to service reads, as in pre-2.0.5 Cassandra + # + # ignore + # ignore fatal errors and let the batches fail + commit_failure_policy: stop + + # Maximum size of the native protocol prepared statement cache + # + # Valid values are either "auto" (omitting the value) or a value greater 0. + # + # Note that specifying a too large value will result in long running GCs and possbily + # out-of-memory errors. Keep the value at a small fraction of the heap. + # + # If you constantly see "prepared statements discarded in the last minute because + # cache limit reached" messages, the first step is to investigate the root cause + # of these messages and check whether prepared statements are used correctly - + # i.e. use bind markers for variable parts. + # + # Do only change the default value, if you really have more prepared statements than + # fit in the cache. In most cases it is not neccessary to change this value. + # Constantly re-preparing statements is a performance penalty. + # + # Default value ("auto") is 1/256th of the heap or 10MB, whichever is greater + #prepared_statements_cache_size_mb: + + # Maximum size of the Thrift prepared statement cache + # + # If you do not use Thrift at all, it is safe to leave this value at "auto". + # + # See description of 'prepared_statements_cache_size_mb' above for more information. + # + # Default value ("auto") is 1/256th of the heap or 10MB, whichever is greater + #thrift_prepared_statements_cache_size_mb: + + # Maximum size of the key cache in memory. + # + # Each key cache hit saves 1 seek and each row cache hit saves 2 seeks at the + # minimum, sometimes more. The key cache is fairly tiny for the amount of + # time it saves, so it's worthwhile to use it at large numbers. + # The row cache saves even more time, but must contain the entire row, + # so it is extremely space-intensive. It's best to only use the + # row cache if you have hot rows or static rows. + # + # NOTE: if you reduce the size, you may not get you hottest keys loaded on startup. + # + # Default value is empty to make it "auto" (min(5% of Heap (in MB), 100MB)). Set to 0 to disable key cache. + #key_cache_size_in_mb: + + # Duration in seconds after which Cassandra should + # save the key cache. Caches are saved to saved_caches_directory as + # specified in this configuration file. + # + # Saved caches greatly improve cold-start speeds, and is relatively cheap in + # terms of I/O for the key cache. Row cache saving is much more expensive and + # has limited use. + # + # Default is 14400 or 4 hours. + key_cache_save_period: 14400 + + # Number of keys from the key cache to save + # Disabled by default, meaning all keys are going to be saved + # key_cache_keys_to_save: 100 + + # Row cache implementation class name. Available implementations: + # + # org.apache.cassandra.cache.OHCProvider + # Fully off-heap row cache implementation (default). + # + # org.apache.cassandra.cache.SerializingCacheProvider + # This is the row cache implementation availabile + # in previous releases of Cassandra. + # row_cache_class_name: org.apache.cassandra.cache.OHCProvider + + # Maximum size of the row cache in memory. + # Please note that OHC cache implementation requires some additional off-heap memory to manage + # the map structures and some in-flight memory during operations before/after cache entries can be + # accounted against the cache capacity. This overhead is usually small compared to the whole capacity. 
+ # Do not specify more memory that the system can afford in the worst usual situation and leave some + # headroom for OS block level cache. Do never allow your system to swap. + # + # Default value is 0, to disable row caching. + row_cache_size_in_mb: 0 + + # Duration in seconds after which Cassandra should save the row cache. + # Caches are saved to saved_caches_directory as specified in this configuration file. + # + # Saved caches greatly improve cold-start speeds, and is relatively cheap in + # terms of I/O for the key cache. Row cache saving is much more expensive and + # has limited use. + # + # Default is 0 to disable saving the row cache. + row_cache_save_period: 0 + + # Number of keys from the row cache to save. + # Specify 0 (which is the default), meaning all keys are going to be saved + # row_cache_keys_to_save: 100 + + # Maximum size of the counter cache in memory. + # + # Counter cache helps to reduce counter locks' contention for hot counter cells. + # In case of RF = 1 a counter cache hit will cause Cassandra to skip the read before + # write entirely. With RF > 1 a counter cache hit will still help to reduce the duration + # of the lock hold, helping with hot counter cell updates, but will not allow skipping + # the read entirely. Only the local (clock, count) tuple of a counter cell is kept + # in memory, not the whole counter, so it's relatively cheap. + # + # NOTE: if you reduce the size, you may not get you hottest keys loaded on startup. + # + # Default value is empty to make it "auto" (min(2.5% of Heap (in MB), 50MB)). Set to 0 to disable counter cache. + # NOTE: if you perform counter deletes and rely on low gcgs, you should disable the counter cache. + #counter_cache_size_in_mb: + + # Duration in seconds after which Cassandra should + # save the counter cache (keys only). Caches are saved to saved_caches_directory as + # specified in this configuration file. + # + # Default is 7200 or 2 hours. + counter_cache_save_period: 7200 + + # Number of keys from the counter cache to save + # Disabled by default, meaning all keys are going to be saved + # counter_cache_keys_to_save: 100 + + # commitlog_sync may be either "periodic" or "batch." + # + # When in batch mode, Cassandra won't ack writes until the commit log + # has been fsynced to disk. It will wait + # commitlog_sync_batch_window_in_ms milliseconds between fsyncs. + # This window should be kept short because the writer threads will + # be unable to do extra work while waiting. (You may need to increase + # concurrent_writes for the same reason.) + # + # commitlog_sync: batch + # commitlog_sync_batch_window_in_ms: 2 + # + # the other option is "periodic" where writes may be acked immediately + # and the CommitLog is simply synced every commitlog_sync_period_in_ms + # milliseconds. + commitlog_sync: periodic + commitlog_sync_period_in_ms: 10000 + + # The size of the individual commitlog file segments. A commitlog + # segment may be archived, deleted, or recycled once all the data + # in it (potentially from each columnfamily in the system) has been + # flushed to sstables. + # + # The default size is 32, which is almost always fine, but if you are + # archiving commitlog segments (see commitlog_archiving.properties), + # then you probably want a finer granularity of archiving; 8 or 16 MB + # is reasonable. + # Max mutation size is also configurable via max_mutation_size_in_kb setting in + # cassandra.yaml. The default is half the size commitlog_segment_size_in_mb * 1024. 
+ # This should be positive and less than 2048. + # + # NOTE: If max_mutation_size_in_kb is set explicitly then commitlog_segment_size_in_mb must + # be set to at least twice the size of max_mutation_size_in_kb / 1024 + # + commitlog_segment_size_in_mb: 32 + + # Compression to apply to the commit log. If omitted, the commit log + # will be written uncompressed. LZ4, Snappy, and Deflate compressors + # are supported. + # commitlog_compression: + # - class_name: LZ4Compressor + # parameters: + # - + + # For workloads with more data than can fit in memory, Cassandra's + # bottleneck will be reads that need to fetch data from + # disk. "concurrent_reads" should be set to (16 * number_of_drives) in + # order to allow the operations to enqueue low enough in the stack + # that the OS and drives can reorder them. Same applies to + # "concurrent_counter_writes", since counter writes read the current + # values before incrementing and writing them back. + # + # On the other hand, since writes are almost never IO bound, the ideal + # number of "concurrent_writes" is dependent on the number of cores in + # your system; (8 * number_of_cores) is a good rule of thumb. + concurrent_reads: 64 + concurrent_writes: 96 + concurrent_counter_writes: 64 + + # For materialized view writes, as there is a read involved, so this should + # be limited by the less of concurrent reads or concurrent writes. + concurrent_materialized_view_writes: 32 + + # Maximum memory to use for sstable chunk cache and buffer pooling. + # 32MB of this are reserved for pooling buffers, the rest is used as an + # cache that holds uncompressed sstable chunks. + # Defaults to the smaller of 1/4 of heap or 512MB. This pool is allocated off-heap, + # so is in addition to the memory allocated for heap. The cache also has on-heap + # overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size + # if the default 64k chunk size is used). + # Memory is only allocated when needed. + # file_cache_size_in_mb: 512 + + # Flag indicating whether to allocate on or off heap when the sstable buffer + # pool is exhausted, that is when it has exceeded the maximum memory + # file_cache_size_in_mb, beyond which it will not cache buffers but allocate on request. + + # buffer_pool_use_heap_if_exhausted: true + + # The strategy for optimizing disk read + # Possible values are: + # ssd (for solid state disks, the default) + # spinning (for spinning disks) + # disk_optimization_strategy: ssd + + # Total permitted memory to use for memtables. Cassandra will stop + # accepting writes when the limit is exceeded until a flush completes, + # and will trigger a flush based on memtable_cleanup_threshold + # If omitted, Cassandra will set both to 1/4 the size of the heap. + # memtable_heap_space_in_mb: 2048 + # memtable_offheap_space_in_mb: 2048 + + # memtable_cleanup_threshold is deprecated. The default calculation + # is the only reasonable choice. See the comments on memtable_flush_writers + # for more information. + # + # Ratio of occupied non-flushing memtable size to total permitted size + # that will trigger a flush of the largest memtable. Larger mct will + # mean larger flushes and hence less compaction, but also less concurrent + # flush activity which can make it difficult to keep your disks fed + # under heavy write load. + # + # memtable_cleanup_threshold defaults to 1 / (memtable_flush_writers + 1) + # memtable_cleanup_threshold: 0.11 + + # Specify the way Cassandra allocates and manages memtable memory. 
+ # Options are: + # + # heap_buffers + # on heap nio buffers + # + # offheap_buffers + # off heap (direct) nio buffers + # + # offheap_objects + # off heap objects + memtable_allocation_type: heap_buffers + + # Total space to use for commit logs on disk. + # + # If space gets above this value, Cassandra will flush every dirty CF + # in the oldest segment and remove it. So a small total commitlog space + # will tend to cause more flush activity on less-active columnfamilies. + # + # The default value is the smaller of 8192, and 1/4 of the total space + # of the commitlog volume. + # + # commitlog_total_space_in_mb: 8192 + + # This sets the number of memtable flush writer threads per disk + # as well as the total number of memtables that can be flushed concurrently. + # These are generally a combination of compute and IO bound. + # + # Memtable flushing is more CPU efficient than memtable ingest and a single thread + # can keep up with the ingest rate of a whole server on a single fast disk + # until it temporarily becomes IO bound under contention typically with compaction. + # At that point you need multiple flush threads. At some point in the future + # it may become CPU bound all the time. + # + # You can tell if flushing is falling behind using the MemtablePool.BlockedOnAllocation + # metric which should be 0, but will be non-zero if threads are blocked waiting on flushing + # to free memory. + # + # memtable_flush_writers defaults to two for a single data directory. + # This means that two memtables can be flushed concurrently to the single data directory. + # If you have multiple data directories the default is one memtable flushing at a time + # but the flush will use a thread per data directory so you will get two or more writers. + # + # Two is generally enough to flush on a fast disk [array] mounted as a single data directory. + # Adding more flush writers will result in smaller more frequent flushes that introduce more + # compaction overhead. + # + # There is a direct tradeoff between number of memtables that can be flushed concurrently + # and flush size and frequency. More is not better you just need enough flush writers + # to never stall waiting for flushing to free memory. + # + #memtable_flush_writers: 2 + + # Total space to use for change-data-capture logs on disk. + # + # If space gets above this value, Cassandra will throw WriteTimeoutException + # on Mutations including tables with CDC enabled. A CDCCompactor is responsible + # for parsing the raw CDC logs and deleting them when parsing is completed. + # + # The default value is the min of 4096 mb and 1/8th of the total space + # of the drive where cdc_raw_directory resides. + # cdc_total_space_in_mb: 4096 + + # When we hit our cdc_raw limit and the CDCCompactor is either running behind + # or experiencing backpressure, we check at the following interval to see if any + # new space for cdc-tracked tables has been made available. Default to 250ms + # cdc_free_space_check_interval_ms: 250 + + # A fixed memory pool size in MB for for SSTable index summaries. If left + # empty, this will default to 5% of the heap size. If the memory usage of + # all index summaries exceeds this limit, SSTables with low read rates will + # shrink their index summaries in order to meet this limit. However, this + # is a best-effort process. In extreme conditions Cassandra may need to use + # more than this amount of memory. + #index_summary_capacity_in_mb: + + # How frequently index summaries should be resampled. 
This is done + # periodically to redistribute memory from the fixed-size pool to sstables + # proportional their recent read rates. Setting to -1 will disable this + # process, leaving existing index summaries at their current sampling level. + index_summary_resize_interval_in_minutes: 60 + + # Whether to, when doing sequential writing, fsync() at intervals in + # order to force the operating system to flush the dirty + # buffers. Enable this to avoid sudden dirty buffer flushing from + # impacting read latencies. Almost always a good idea on SSDs; not + # necessarily on platters. + trickle_fsync: true + trickle_fsync_interval_in_kb: 10240 + + # TCP port, for commands and data + # For security reasons, you should not expose this port to the internet. Firewall it if needed. + storage_port: 7000 + + # SSL port, for encrypted communication. Unused unless enabled in + # encryption_options + # For security reasons, you should not expose this port to the internet. Firewall it if needed. + ssl_storage_port: 7001 + + # Set listen_address OR listen_interface, not both. Interfaces must correspond + # to a single address, IP aliasing is not supported. + # listen_interface: eth0 + + # If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address + # you can specify which should be chosen using listen_interface_prefer_ipv6. If false the first ipv4 + # address will be used. If true the first ipv6 address will be used. Defaults to false preferring + # ipv4. If there is only one address it will be selected regardless of ipv4/ipv6. + # listen_interface_prefer_ipv6: false + + # Address to broadcast to other Cassandra nodes + # Leaving this blank will set it to the same value as listen_address + # broadcast_address: 1.2.3.4 + + # When using multiple physical network interfaces, set this + # to true to listen on broadcast_address in addition to + # the listen_address, allowing nodes to communicate in both + # interfaces. + # Ignore this property if the network configuration automatically + # routes between the public and private networks such as EC2. + # listen_on_broadcast_address: false + + # Internode authentication backend, implementing IInternodeAuthenticator; + # used to allow/disallow connections from peer nodes. + # internode_authenticator: org.apache.cassandra.auth.AllowAllInternodeAuthenticator + + # Whether to start the native transport server. + # Please note that the address on which the native transport is bound is the + # same as the rpc_address. The port however is different and specified below. + start_native_transport: true + # port for the CQL native transport to listen for clients on + # For security reasons, you should not expose this port to the internet. Firewall it if needed. + native_transport_port: 9042 + # Enabling native transport encryption in client_encryption_options allows you to either use + # encryption for the standard port or to use a dedicated, additional port along with the unencrypted + # standard native_transport_port. + # Enabling client encryption and keeping native_transport_port_ssl disabled will use encryption + # for native_transport_port. Setting native_transport_port_ssl to a different value + # from native_transport_port will use encryption for native_transport_port_ssl while + # keeping native_transport_port unencrypted. + # native_transport_port_ssl: 9142 + # The maximum threads for handling requests when the native transport is used. 
+ # This is similar to rpc_max_threads though the default differs slightly (and + # there is no native_transport_min_threads, idle threads will always be stopped + # after 30 seconds). + # native_transport_max_threads: 128 + # + # The maximum size of allowed frame. Frame (requests) larger than this will + # be rejected as invalid. The default is 256MB. If you're changing this parameter, + # you may want to adjust max_value_size_in_mb accordingly. This should be positive and less than 2048. + # native_transport_max_frame_size_in_mb: 256 + + # The maximum number of concurrent client connections. + # The default is -1, which means unlimited. + # native_transport_max_concurrent_connections: -1 + + # The maximum number of concurrent client connections per source ip. + # The default is -1, which means unlimited. + # native_transport_max_concurrent_connections_per_ip: -1 + + # Whether to start the thrift rpc server. + start_rpc: false + + # Set rpc_address OR rpc_interface, not both. Interfaces must correspond + # to a single address, IP aliasing is not supported. + # rpc_interface: eth1 + + # If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address + # you can specify which should be chosen using rpc_interface_prefer_ipv6. If false the first ipv4 + # address will be used. If true the first ipv6 address will be used. Defaults to false preferring + # ipv4. If there is only one address it will be selected regardless of ipv4/ipv6. + # rpc_interface_prefer_ipv6: false + + # port for Thrift to listen for clients on + rpc_port: 9160 + + # RPC address to broadcast to drivers and other Cassandra nodes. This cannot + # be set to 0.0.0.0. If left blank, this will be set to the value of + # rpc_address. If rpc_address is set to 0.0.0.0, broadcast_rpc_address must + # be set. + # broadcast_rpc_address: 1.2.3.4 + + # enable or disable keepalive on rpc/native connections + rpc_keepalive: true + + # Cassandra provides two out-of-the-box options for the RPC Server: + # + # sync + # One thread per thrift connection. For a very large number of clients, memory + # will be your limiting factor. On a 64 bit JVM, 180KB is the minimum stack size + # per thread, and that will correspond to your use of virtual memory (but physical memory + # may be limited depending on use of stack space). + # + # hsha + # Stands for "half synchronous, half asynchronous." All thrift clients are handled + # asynchronously using a small number of threads that does not vary with the amount + # of thrift clients (and thus scales well to many clients). The rpc requests are still + # synchronous (one thread per active request). If hsha is selected then it is essential + # that rpc_max_threads is changed from the default value of unlimited. + # + # The default is sync because on Windows hsha is about 30% slower. On Linux, + # sync/hsha performance is about the same, with hsha of course using less memory. + # + # Alternatively, can provide your own RPC server by providing the fully-qualified class name + # of an o.a.c.t.TServerFactory that can create an instance of it. + rpc_server_type: sync + + # Uncomment rpc_min|max_thread to set request pool size limits. + # + # Regardless of your choice of RPC server (see above), the number of maximum requests in the + # RPC thread pool dictates how many concurrent requests are possible (but if you are using the sync + # RPC server, it also dictates the number of clients that can be connected at all). 
+ # + # The default is unlimited and thus provides no protection against clients overwhelming the server. You are + # encouraged to set a maximum that makes sense for you in production, but do keep in mind that + # rpc_max_threads represents the maximum number of client requests this server may execute concurrently. + # + # rpc_min_threads: 16 + # rpc_max_threads: 2048 + + # uncomment to set socket buffer sizes on rpc connections + # rpc_send_buff_size_in_bytes: + # rpc_recv_buff_size_in_bytes: + + # Uncomment to set socket buffer size for internode communication + # Note that when setting this, the buffer size is limited by net.core.wmem_max + # and when not setting it it is defined by net.ipv4.tcp_wmem + # See also: + # /proc/sys/net/core/wmem_max + # /proc/sys/net/core/rmem_max + # /proc/sys/net/ipv4/tcp_wmem + # /proc/sys/net/ipv4/tcp_wmem + # and 'man tcp' + # internode_send_buff_size_in_bytes: + + # Uncomment to set socket buffer size for internode communication + # Note that when setting this, the buffer size is limited by net.core.wmem_max + # and when not setting it it is defined by net.ipv4.tcp_wmem + # internode_recv_buff_size_in_bytes: + + # Frame size for thrift (maximum message length). + thrift_framed_transport_size_in_mb: 15 + + # Set to true to have Cassandra create a hard link to each sstable + # flushed or streamed locally in a backups/ subdirectory of the + # keyspace data. Removing these links is the operator's + # responsibility. + incremental_backups: false + + # Whether or not to take a snapshot before each compaction. Be + # careful using this option, since Cassandra won't clean up the + # snapshots for you. Mostly useful if you're paranoid when there + # is a data format change. + snapshot_before_compaction: false + + # Whether or not a snapshot is taken of the data before keyspace truncation + # or dropping of column families. The STRONGLY advised default of true + # should be used to provide data safety. If you set this flag to false, you will + # lose data on truncation or drop. + auto_snapshot: true + + # Granularity of the collation index of rows within a partition. + # Increase if your rows are large, or if you have a very large + # number of rows per partition. The competing goals are these: + # + # - a smaller granularity means more index entries are generated + # and looking up rows withing the partition by collation column + # is faster + # - but, Cassandra will keep the collation index in memory for hot + # rows (as part of the key cache), so a larger granularity means + # you can cache more hot rows + column_index_size_in_kb: 64 + + # Per sstable indexed key cache entries (the collation index in memory + # mentioned above) exceeding this size will not be held on heap. + # This means that only partition information is held on heap and the + # index entries are read from disk. + # + # Note that this size refers to the size of the + # serialized index information and not the size of the partition. + column_index_cache_size_in_kb: 2 + + # Number of simultaneous compactions to allow, NOT including + # validation "compactions" for anti-entropy repair. Simultaneous + # compactions can help preserve read performance in a mixed read/write + # workload, by mitigating the tendency of small sstables to accumulate + # during a single long running compactions. The default is usually + # fine and if you experience problems with compaction running too + # slowly or too fast, you should look at + # compaction_throughput_mb_per_sec first. 
+ # + # concurrent_compactors defaults to the smaller of (number of disks, + # number of cores), with a minimum of 2 and a maximum of 8. + # + # If your data directories are backed by SSD, you should increase this + # to the number of cores. + #concurrent_compactors: 1 + + # Throttles compaction to the given total throughput across the entire + # system. The faster you insert data, the faster you need to compact in + # order to keep the sstable count down, but in general, setting this to + # 16 to 32 times the rate you are inserting data is more than sufficient. + # Setting this to 0 disables throttling. Note that this account for all types + # of compaction, including validation compaction. + compaction_throughput_mb_per_sec: 16 + + # When compacting, the replacement sstable(s) can be opened before they + # are completely written, and used in place of the prior sstables for + # any range that has been written. This helps to smoothly transfer reads + # between the sstables, reducing page cache churn and keeping hot rows hot + sstable_preemptive_open_interval_in_mb: 50 + + # Throttles all outbound streaming file transfers on this node to the + # given total throughput in Mbps. This is necessary because Cassandra does + # mostly sequential IO when streaming data during bootstrap or repair, which + # can lead to saturating the network connection and degrading rpc performance. + # When unset, the default is 200 Mbps or 25 MB/s. + # stream_throughput_outbound_megabits_per_sec: 200 + + # Throttles all streaming file transfer between the datacenters, + # this setting allows users to throttle inter dc stream throughput in addition + # to throttling all network stream traffic as configured with + # stream_throughput_outbound_megabits_per_sec + # When unset, the default is 200 Mbps or 25 MB/s + # inter_dc_stream_throughput_outbound_megabits_per_sec: 200 + + # How long the coordinator should wait for read operations to complete + read_request_timeout_in_ms: 5000 + # How long the coordinator should wait for seq or index scans to complete + range_request_timeout_in_ms: 10000 + # How long the coordinator should wait for writes to complete + write_request_timeout_in_ms: 2000 + # How long the coordinator should wait for counter writes to complete + counter_write_request_timeout_in_ms: 5000 + # How long a coordinator should continue to retry a CAS operation + # that contends with other proposals for the same row + cas_contention_timeout_in_ms: 1000 + # How long the coordinator should wait for truncates to complete + # (This can be much longer, because unless auto_snapshot is disabled + # we need to flush first so we can snapshot before removing the data.) + truncate_request_timeout_in_ms: 60000 + # The default timeout for other, miscellaneous operations + request_timeout_in_ms: 10000 + + # How long before a node logs slow queries. Select queries that take longer than + # this timeout to execute, will generate an aggregated log message, so that slow queries + # can be identified. Set this value to zero to disable slow query logging. + slow_query_log_timeout_in_ms: 500 + + # Enable operation timeout information exchange between nodes to accurately + # measure request timeouts. If disabled, replicas will assume that requests + # were forwarded to them instantly by the coordinator, which means that + # under overload conditions we will waste that much extra time processing + # already-timed-out requests. 
+ # + # Warning: before enabling this property make sure to ntp is installed + # and the times are synchronized between the nodes. + cross_node_timeout: false + + # Set keep-alive period for streaming + # This node will send a keep-alive message periodically with this period. + # If the node does not receive a keep-alive message from the peer for + # 2 keep-alive cycles the stream session times out and fail + # Default value is 300s (5 minutes), which means stalled stream + # times out in 10 minutes by default + # streaming_keep_alive_period_in_secs: 300 + + # phi value that must be reached for a host to be marked down. + # most users should never need to adjust this. + # phi_convict_threshold: 8 + + # endpoint_snitch -- Set this to a class that implements + # IEndpointSnitch. The snitch has two functions: + # + # - it teaches Cassandra enough about your network topology to route + # requests efficiently + # - it allows Cassandra to spread replicas around your cluster to avoid + # correlated failures. It does this by grouping machines into + # "datacenters" and "racks." Cassandra will do its best not to have + # more than one replica on the same "rack" (which may not actually + # be a physical location) + # + # CASSANDRA WILL NOT ALLOW YOU TO SWITCH TO AN INCOMPATIBLE SNITCH + # ONCE DATA IS INSERTED INTO THE CLUSTER. This would cause data loss. + # This means that if you start with the default SimpleSnitch, which + # locates every node on "rack1" in "datacenter1", your only options + # if you need to add another datacenter are GossipingPropertyFileSnitch + # (and the older PFS). From there, if you want to migrate to an + # incompatible snitch like Ec2Snitch you can do it by adding new nodes + # under Ec2Snitch (which will locate them in a new "datacenter") and + # decommissioning the old ones. + # + # Out of the box, Cassandra provides: + # + # SimpleSnitch: + # Treats Strategy order as proximity. This can improve cache + # locality when disabling read repair. Only appropriate for + # single-datacenter deployments. + # + # GossipingPropertyFileSnitch + # This should be your go-to snitch for production use. The rack + # and datacenter for the local node are defined in + # cassandra-rackdc.properties and propagated to other nodes via + # gossip. If cassandra-topology.properties exists, it is used as a + # fallback, allowing migration from the PropertyFileSnitch. + # + # PropertyFileSnitch: + # Proximity is determined by rack and data center, which are + # explicitly configured in cassandra-topology.properties. + # + # Ec2Snitch: + # Appropriate for EC2 deployments in a single Region. Loads Region + # and Availability Zone information from the EC2 API. The Region is + # treated as the datacenter, and the Availability Zone as the rack. + # Only private IPs are used, so this will not work across multiple + # Regions. + # + # Ec2MultiRegionSnitch: + # Uses public IPs as broadcast_address to allow cross-region + # connectivity. (Thus, you should set seed addresses to the public + # IP as well.) You will need to open the storage_port or + # ssl_storage_port on the public IP firewall. (For intra-Region + # traffic, Cassandra will switch to the private IP after + # establishing a connection.) + # + # RackInferringSnitch: + # Proximity is determined by rack and data center, which are + # assumed to correspond to the 3rd and 2nd octet of each node's IP + # address, respectively. 
Unless this happens to match your + # deployment conventions, this is best used as an example of + # writing a custom Snitch class and is provided in that spirit. + # + # You can use a custom Snitch by setting this to the full class name + # of the snitch, which will be assumed to be on your classpath. + endpoint_snitch: SimpleSnitch + + # controls how often to perform the more expensive part of host score + # calculation + dynamic_snitch_update_interval_in_ms: 100 + # controls how often to reset all host scores, allowing a bad host to + # possibly recover + dynamic_snitch_reset_interval_in_ms: 600000 + # if set greater than zero and read_repair_chance is < 1.0, this will allow + # 'pinning' of replicas to hosts in order to increase cache capacity. + # The badness threshold will control how much worse the pinned host has to be + # before the dynamic snitch will prefer other replicas over it. This is + # expressed as a double which represents a percentage. Thus, a value of + # 0.2 means Cassandra would continue to prefer the static snitch values + # until the pinned host was 20% worse than the fastest. + dynamic_snitch_badness_threshold: 0.1 + + # request_scheduler -- Set this to a class that implements + # RequestScheduler, which will schedule incoming client requests + # according to the specific policy. This is useful for multi-tenancy + # with a single Cassandra cluster. + # NOTE: This is specifically for requests from the client and does + # not affect inter node communication. + # org.apache.cassandra.scheduler.NoScheduler - No scheduling takes place + # org.apache.cassandra.scheduler.RoundRobinScheduler - Round robin of + # client requests to a node with a separate queue for each + # request_scheduler_id. The scheduler is further customized by + # request_scheduler_options as described below. + request_scheduler: org.apache.cassandra.scheduler.NoScheduler + + # Scheduler Options vary based on the type of scheduler + # + # NoScheduler + # Has no options + # + # RoundRobin + # throttle_limit + # The throttle_limit is the number of in-flight + # requests per client. Requests beyond + # that limit are queued up until + # running requests can complete. + # The value of 80 here is twice the number of + # concurrent_reads + concurrent_writes. + # default_weight + # default_weight is optional and allows for + # overriding the default which is 1. + # weights + # Weights are optional and will default to 1 or the + # overridden default_weight. The weight translates into how + # many requests are handled during each turn of the + # RoundRobin, based on the scheduler id. + # + # request_scheduler_options: + # throttle_limit: 80 + # default_weight: 5 + # weights: + # Keyspace1: 1 + # Keyspace2: 5 + + # request_scheduler_id -- An identifier based on which to perform + # the request scheduling. Currently the only valid option is keyspace. + # request_scheduler_id: keyspace + + # Enable or disable inter-node encryption + # JVM defaults for supported SSL socket protocols and cipher suites can + # be replaced using custom encryption options. This is not recommended + # unless you have policies in place that dictate certain settings, or + # need to disable vulnerable ciphers or protocols in case the JVM cannot + # be updated. 
+ # FIPS compliant settings can be configured at JVM level and should not + # involve changing encryption settings here: + # https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html + # *NOTE* No custom encryption options are enabled at the moment + # The available internode options are : all, none, dc, rack + # + # If set to dc cassandra will encrypt the traffic between the DCs + # If set to rack cassandra will encrypt the traffic between the racks + # + # The passwords used in these options must match the passwords used when generating + # the keystore and truststore. For instructions on generating these files, see: + # http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore + # + server_encryption_options: + internode_encryption: none + keystore: conf/.keystore + keystore_password: cassandra + truststore: conf/.truststore + truststore_password: cassandra + # More advanced defaults below: + # protocol: TLS + # algorithm: SunX509 + # store_type: JKS + # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + # require_client_auth: false + # require_endpoint_verification: false + + # enable or disable client/server encryption. + client_encryption_options: + enabled: false + # If enabled and optional is set to true encrypted and unencrypted connections are handled. + optional: false + keystore: conf/.keystore + keystore_password: cassandra + # require_client_auth: false + # Set trustore and truststore_password if require_client_auth is true + # truststore: conf/.truststore + # truststore_password: cassandra + # More advanced defaults below: + # protocol: TLS + # algorithm: SunX509 + # store_type: JKS + # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + + # internode_compression controls whether traffic between nodes is + # compressed. + # Can be: + # + # all + # all traffic is compressed + # + # dc + # traffic between different datacenters is compressed + # + # none + # nothing is compressed. + internode_compression: dc + + # Enable or disable tcp_nodelay for inter-dc communication. + # Disabling it will result in larger (but fewer) network packets being sent, + # reducing overhead from the TCP protocol itself, at the cost of increasing + # latency if you block for cross-datacenter responses. + inter_dc_tcp_nodelay: false + + # TTL for different trace types used during logging of the repair process. + tracetype_query_ttl: 86400 + tracetype_repair_ttl: 604800 + + # By default, Cassandra logs GC Pauses greater than 200 ms at INFO level + # This threshold can be adjusted to minimize logging if necessary + # gc_log_threshold_in_ms: 200 + + # If unset, all GC Pauses greater than gc_log_threshold_in_ms will log at + # INFO level + # UDFs (user defined functions) are disabled by default. + # As of Cassandra 3.0 there is a sandbox in place that should prevent execution of evil code. + enable_user_defined_functions: true + + # Enables scripted UDFs (JavaScript UDFs). + # Java UDFs are always enabled, if enable_user_defined_functions is true. + # Enable this option to be able to use UDFs with "language javascript" or any custom JSR-223 provider. 
+ # This option has no effect, if enable_user_defined_functions is false. + enable_scripted_user_defined_functions: false + + # Enables materialized view creation on this node. + # Materialized views are considered experimental and are not recommended for production use. + enable_materialized_views: true + + # The default Windows kernel timer and scheduling resolution is 15.6ms for power conservation. + # Lowering this value on Windows can provide much tighter latency and better throughput, however + # some virtualized environments may see a negative performance impact from changing this setting + # below their system default. The sysinternals 'clockres' tool can confirm your system's default + # setting. + windows_timer_interval: 1 + + + # Enables encrypting data at-rest (on disk). Different key providers can be plugged in, but the default reads from + # a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by + # the "key_alias" is the only key that will be used for encrypt opertaions; previously used keys + # can still (and should!) be in the keystore and will be used on decrypt operations + # (to handle the case of key rotation). + # + # It is strongly recommended to download and install Java Cryptography Extension (JCE) + # Unlimited Strength Jurisdiction Policy Files for your version of the JDK. + # (current link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) + # + # Currently, only the following file types are supported for transparent data encryption, although + # more are coming in future cassandra releases: commitlog, hints + transparent_data_encryption_options: + enabled: false + chunk_length_kb: 64 + cipher: AES/CBC/PKCS5Padding + key_alias: testing:1 + # CBC IV length for AES needs to be 16 bytes (which is also the default size) + # iv_length: 16 + key_provider: + - class_name: org.apache.cassandra.security.JKSKeyProvider + parameters: + - keystore: conf/.keystore + keystore_password: cassandra + store_type: JCEKS + key_password: cassandra + + + ##################### + # SAFETY THRESHOLDS # + ##################### + + # When executing a scan, within or across a partition, we need to keep the + # tombstones seen in memory so we can return them to the coordinator, which + # will use them to make sure other replicas also know about the deleted rows. + # With workloads that generate a lot of tombstones, this can cause performance + # problems and even exaust the server heap. + # (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets) + # Adjust the thresholds here if you understand the dangers and want to + # scan more tombstones anyway. These thresholds may also be adjusted at runtime + # using the StorageService mbean. + tombstone_warn_threshold: 1000 + tombstone_failure_threshold: 100000 + + # Log WARN on any multiple-partition batch size exceeding this value. 5kb per batch by default. + # Caution should be taken on increasing the size of this threshold as it can lead to node instability. + batch_size_warn_threshold_in_kb: 5 + + # Fail any multiple-partition batch exceeding this value. 50kb (10x warn threshold) by default. 
+ batch_size_fail_threshold_in_kb: 50 + + # Log WARN on any batches not of type LOGGED than span across more partitions than this limit + unlogged_batch_across_partitions_warn_threshold: 10 + + # Log a warning when compacting partitions larger than this value + compaction_large_partition_warning_threshold_mb: 100 + + # GC Pauses greater than gc_warn_threshold_in_ms will be logged at WARN level + # Adjust the threshold based on your application throughput requirement + # By default, Cassandra logs GC Pauses greater than 200 ms at INFO level + gc_warn_threshold_in_ms: 1000 + + # Maximum size of any value in SSTables. Safety measure to detect SSTable corruption + # early. Any value size larger than this threshold will result into marking an SSTable + # as corrupted. This should be positive and less than 2048. + # max_value_size_in_mb: 256 + + # Back-pressure settings # + # If enabled, the coordinator will apply the back-pressure strategy specified below to each mutation + # sent to replicas, with the aim of reducing pressure on overloaded replicas. + back_pressure_enabled: false + # The back-pressure strategy applied. + # The default implementation, RateBasedBackPressure, takes three arguments: + # high ratio, factor, and flow type, and uses the ratio between incoming mutation responses and outgoing mutation requests. + # If below high ratio, outgoing mutations are rate limited according to the incoming rate decreased by the given factor; + # if above high ratio, the rate limiting is increased by the given factor; + # such factor is usually best configured between 1 and 10, use larger values for a faster recovery + # at the expense of potentially more dropped mutations; + # the rate limiting is applied according to the flow type: if FAST, it's rate limited at the speed of the fastest replica, + # if SLOW at the speed of the slowest one. + # New strategies can be added. Implementors need to implement org.apache.cassandra.net.BackpressureStrategy and + # provide a public constructor accepting a Map. + back_pressure_strategy: + - class_name: org.apache.cassandra.net.RateBasedBackPressure + parameters: + - high_ratio: 0.90 + factor: 5 + flow: FAST + + # Coalescing Strategies # + # Coalescing multiples messages turns out to significantly boost message processing throughput (think doubling or more). + # On bare metal, the floor for packet processing throughput is high enough that many applications won't notice, but in + # virtualized environments, the point at which an application can be bound by network packet processing can be + # surprisingly low compared to the throughput of task processing that is possible inside a VM. It's not that bare metal + # doesn't benefit from coalescing messages, it's that the number of packets a bare metal network interface can process + # is sufficient for many applications such that no load starvation is experienced even without coalescing. + # There are other benefits to coalescing network messages that are harder to isolate with a simple metric like messages + # per second. By coalescing multiple tasks together, a network thread can process multiple messages for the cost of one + # trip to read from a socket, and all the task submission work can be done at the same time reducing context switching + # and increasing cache friendliness of network message processing. + # See CASSANDRA-8692 for details. + + # Strategy to use for coalescing messages in OutboundTcpConnection. + # Can be fixed, movingaverage, timehorizon, disabled (default). 
+ # You can also specify a subclass of CoalescingStrategies.CoalescingStrategy by name. + # otc_coalescing_strategy: DISABLED + + # How many microseconds to wait for coalescing. For fixed strategy this is the amount of time after the first + # message is received before it will be sent with any accompanying messages. For moving average this is the + # maximum amount of time that will be waited as well as the interval at which messages must arrive on average + # for coalescing to be enabled. + # otc_coalescing_window_us: 200 + + # Do not try to coalesce messages if we already got that many messages. This should be more than 2 and less than 128. + # otc_coalescing_enough_coalesced_messages: 8 + + # How many milliseconds to wait between two expiration runs on the backlog (queue) of the OutboundTcpConnection. + # Expiration is done if messages are piling up in the backlog. Droppable messages are expired to free the memory + # taken by expired messages. The interval should be between 0 and 1000, and in most installations the default value + # will be appropriate. A smaller value could potentially expire messages slightly sooner at the expense of more CPU + # time and queue contention while iterating the backlog of messages. + # An interval of 0 disables any wait time, which is the behavior of former Cassandra versions. + # + # otc_backlog_expiration_interval_ms: 200 + +cassandra::clusters: + azure: + cluster_name: SWH on Azure + seed_provider: + - class_name: org.apache.cassandra.locator.SimpleSeedProvider + parameters: + - seeds: 192.168.200.27 # cassandra01.euwest.azure.internal.softwareheritage.org diff --git a/data/common/common.yaml b/data/common/common.yaml index 5d561681..c60f4772 100644 --- a/data/common/common.yaml +++ b/data/common/common.yaml @@ -1,4418 +1,3235 @@ --- ### See also public_keys.yaml for public key/cert fingerprint blocks ### dns::local_cache: true dns::nameservers: - 127.0.0.1 dns::search_domains: - internal.softwareheritage.org - softwareheritage.org dns::disable_local_zones: - '168.192.in-addr.arpa.' dns::forward_zones: 'internal.softwareheritage.org.': "%{alias('dns::local_nameservers')}" '100.168.192.in-addr.arpa.': "%{alias('dns::local_nameservers')}" '101.168.192.in-addr.arpa.': "%{alias('dns::local_nameservers')}" '200.168.192.in-addr.arpa.': "%{alias('dns::local_nameservers')}" 'internal.staging.swh.network.': "%{alias('dns::local_nameservers')}" 'internal.admin.swh.network.': "%{alias('dns::local_nameservers')}" '130.168.192.in-addr.arpa.': "%{alias('dns::local_nameservers')}" '50.168.192.in-addr.arpa.': "%{alias('dns::local_nameservers')}" # dns::forwarders per-subnet. No Default value # dns::local_nameservers per-subnet. No Default value # ntp::servers per-subnet. Default value: ntp::servers: - 0.debian.pool.ntp.org - 1.debian.pool.ntp.org - 2.debian.pool.ntp.org - 3.debian.pool.ntp.org sudo::configs: {} # smtp::relay_hostname is per-subnet. 
Default value: smtp::relay_hostname: 'pergamon.internal.softwareheritage.org' smtp::relayhost: "[%{lookup('smtp::relay_hostname')}]" smtp::mydestination: - "%{::fqdn}" smtp::mynetworks: - 127.0.0.0/8 - "[::ffff:127.0.0.0]/104" - "[::1]/128" smtp::relay_destinations: [] smtp::virtual_aliases: [] smtp::mail_aliases: - user: anlambert aliases: - antoine.lambert33@gmail.com - user: ardumont aliases: - antoine.romain.dumont@gmail.com - user: aeviso aliases: - aeviso@softwareheritage.org - user: ddouard aliases: - david.douard@sdfa3.org - user: olasd aliases: - nicolas+swhinfra@dandrimont.eu - user: morane aliases: - morane.gg@gmail.com - user: postgres aliases: - root - user: rdicosmo aliases: - roberto@dicosmo.org - user: root aliases: - olasd - zack - ardumont - ddouard - vsellier - user: seirl aliases: - antoine.pietri1@gmail.com - user: swhstorage aliases: - root - user: swhworker aliases: - zack - olasd - ardumont - vsellier - user: swhdeposit aliases: - ardumont - vsellier - user: zack aliases: - zack@upsilon.cc - user: vlorentz aliases: - valentin.lorentz@inria.fr - user: haltode aliases: - haltode@gmail.com - user: danseraf aliases: - me@danieleserafini.eu - user: vsellier aliases: - vincent.sellier@gmail.com - user: tenma aliases: - nicolas.gattolin@softwareheritage.org - user: tg1999 aliases: - tushar.goel.dav@gmail.com networks::manage_interfaces: true networks::private_routes: vpn: network: 192.168.101.0/24 gateway: "%{alias('networks::private_gateway')}" enabled: true azure: network: 192.168.200.0/21 gateway: "%{alias('networks::private_gateway')}" enabled: true staging_legacy: network: 192.168.128.0/24 gateway: "%{alias('networks::staging_legacy_gateway')}" enabled: false staging: network: 192.168.130.0/24 gateway: "%{alias('networks::staging_gateway')}" enabled: false admin: network: 192.168.50.0/24 gateway: "%{alias('networks::admin_gateway')}" enabled: false public_swh_network: network: 128.93.166.0/26 gateway: "%{alias('networks::public_swh_gateway')}" enabled: false networks::private_network: 192.168.100.0/24 networks::private_gateway: 192.168.100.1 networks::staging_legacy_gateway: 192.168.100.125 networks::staging_gateway: 192.168.100.130 networks::admin_gateway: 192.168.100.130 networks::public_swh_gateway: "%{alias('networks::staging_gateway')}" locales::default_locale: C.UTF-8 locales::installed_locales: - C.UTF-8 UTF-8 - en_US.UTF-8 UTF-8 - fr_FR.UTF-8 UTF-8 - it_IT.UTF-8 UTF-8 timezone: Etc/UTC packages: - acl - curl - dstat - etckeeper - fish - git - htop - iotop - ipython3 - molly-guard - moreutils - ncdu - netcat-openbsd - nfs-common - python3 - python3-yaml - ruby-filesystem - strace - tcpdump - tmux - vim - zsh - zstd packages::desktop: - autojump - chromium - curl - emacs - ethtool - gnome - i3 - ii - libx11-dev - mosh - myrepos - net-tools - ruby-dev - rxvt-unicode-256color - screen - scrot - tcpdump - tree - vim-nox - weechat - weechat-scripts packages::devel: - arcanist - elpa-magit - git-email - gitg - gitk - ltrace - perl-doc packages::devel::debian: - devscripts - dpkg-dev - reprepro - sbuild packages::devel::python: - graphviz - make - python3-arrow - python3-azure-storage - python3-blinker - python3-celery - python3-cffi - python3-click - python3-dateutil - python3-dev - python3-dulwich - python3-flake8 - python3-flask - python3-flask-api - python3-flask-limiter - python3-flask-testing - python3-libcloud - python3-msgpack - python3-nose - python3-psycopg2 - python3-pygit2 - python3-requests - python3-retrying - python3-sphinx - python3-subvertpy - 
python3-vcversioner - python3-venv - python3-wheel packages::devel::broker: - rabbitmq-server packages::devel::postgres: - apgdiff - barman - check-postgres - libpq-dev - postgresql - postgresql-autodoc - postgresql-client - postgresql-contrib - postgresql-doc - postgresql-plpython3-11 users: root: uid: 0 full_name: shell: /bin/bash groups: [] authorized_keys: root@louvre: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDMLEWHlUQldlvZs5rg0y42lRNAfOhD+6pmO8a73DzpJWHTqvAlfteLpU78IPjSacB4dO5ish1E/1RX/HC+Bt8p2v4RBqbCnVLx2w+Hx4ahWu6qbeTVmTz+U++1SQrHnL08fSlhT0OekCw0lRZM2sQq21FZi6+vul97Ecikag4Xaw6Qfumylu94pM3t05uzTUlKk1+6VMCjhT8dlSe8VS8OirVQpE/OqYtTMAWtQaMXGHPCsqDdYRAKzkJ8GjH7ydZmX5VCRyqS0RvPKAlcJfLCs5HBtv0u5rbeGtiHhuzhj/j3YgS/6NJOC2mUfcetcDOMPLnhkKpnF0vUAzTsJ7aR root@banco: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIDcljv9eR52wJsu9yYan6/riIQw70lQuyz+Qt0XpGXMs zack: uid: 1000 full_name: Stefano Zacchiroli shell: /usr/bin/zsh groups: - adm - swhdev - swhstorage - swhscheduler - swhdeploy - sudo - gitorious - swhteam authorized_keys: zack-software-heritage: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAACAQDU0O8tkUqtQCelLEatOGfGpx1sIwHPSMA+7OdXoZjZG5pT9Sfgf3ITsNgo1iYWge5bpH/TKhhvf20B05fa8cCEE5ULaD+xdV9eTIvBEaCiP36HH33WNl/UV8T8klTG2sqBXUgLMJuinfGkuRJ977ndm7mjNwzl3Ghf6JwKfpHrvob4GLc0hm54yzcnNEzQZLcdxmOCWdwTINKnL+W/DDM8NR3vNF6T5+xaiLJzsS0IGcTubklugD3m05qbswS/uACWys3FzRM8tttw/0wCRrC9SCSKoDLonab5y3Ld6vCj1k12J2RAHSqJYwVCm70JRPWZcmU67Udi6kbqkJMftp04K0pplu8V7RLPrpwLyH4sPx7Kkhslvxqj0rerLPOkoDkqneFgxNoMcxN5ayod7fBJAq5jQUmGozeTtgPLKybnxRDhsYpkEH9paZroQ3CqDsA0dptOpedVpcQUSbiLMaYd8kgCPkVIdKANnTGGXDcTfWv21IvFx6sKm1kld2Me3ExVMq7JFcmXutF/IQom9F4vj/xd/7Lt4KmqZKyiAq4n5iaPIRUbZvmwd2D6umOHpMGlqKwtsiWRUYnAVvhRfuSZmgrGgliYiYr+vU2xeWe+XXQhP9vt3eItmdSp/8/+a2lqaIE9slE75hEI2n8in7DeSn6QhFDbyUKwZz5OwK7QVw== olasd: uid: 1001 full_name: Nicolas Dandrimont shell: /bin/bash groups: - adm - swhdev - swhstorage - swhscheduler - swhdeploy - sudo - gitorious - swhteam authorized_keys: nicolasd@darboux: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ1TCpfzrvxLhEMhxjbxqPDCwY0nazIr1cyIbhGD2bUdAbZqVMdNtr7MeDnlLIKrIPJWuvltauvLNkYU0iLc1jMntdBCBM3hgXjmTyDtc8XvXseeBp5tDqccYNR/cnDUuweNcL5tfeu5kzaAg3DFi5Dsncs5hQK5KQ8CPKWcacPjEk4ir9gdFrtKG1rZmg/wi7YbfxrJYWzb171hdV13gSgyXdsG5UAFsNyxsKSztulcLKxvbmDgYbzytr38FK2udRk7WuqPbtEAW1zV4yrBXBSB/uw8EAMi+wwvLTwyUcEl4u0CTlhREljUx8LhYrsQUCrBcmoPAmlnLCD5Q9XrGH mirzakhani-ed25519: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAID/qk9xQq6KpRbRjMVpMzPM7unmGnJp+i6oQ3a0NA65k ardumont: uid: 1003 full_name: Antoine R. 
Dumont shell: /usr/bin/zsh groups: - adm - swhdev - swhstorage - swhscheduler - swhdeploy - sudo - gitorious - swhteam authorized_keys: eniotna.t@gmail.com: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDZarzgHrzUYspvrgSI6fszrALo92BDys7QOkJgUfZa9t9m4g7dUANNtwBiqIbqijAQPmB1zKgG6QTZC5rJkRy6KqXCW/+Qeedw/FWIbuI7jOD5WxnglbEQgvPkkB8kf1xIF7icRfWcQmK2je/3sFd9yS4/+jftNMPPXkBCxYm74onMenyllA1akA8FLyujLu6MNA1D8iLLXvz6pBDTT4GZ5/bm3vSE6Go8Xbuyu4SCtYZSHaHC2lXZ6Hhi6dbli4d3OwkUWz+YhFGaEra5Fx45Iig4UCL6kXPkvL/oSc9KGerpT//Xj9qz1K7p/IrBS8+eA4X69bHYYV0UZKDADZSn ardumont@louvre: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQC0Xj8nwGWTb6VGFNIrlhVTLX6VFTlvpirjdgOTOz8riRxBTS9ra35g3cz8zfDl0iVyE455GXzxlm33w/uu3DX0jQOIzkcoEBRw+T33EK89lo6tCCd9xQrteWCTNR1ZBFloHSnYk2m7kw9kyrisziyAdULsCrXmMd3BH1oJyEpISA+sv/dtVpIOWdEQmkbLmdHl2uEdjBLjqb3BtAp2oJZMmppE5YjAx0Aa1+7uSnURf7NnwMx+0wTDMdfqn8z4wqI8eQny+B+bqLH9kY++52FfMVALuErGh5+75/vtd2xzRQamjKsBlTGjFFbMRagZiVNLDX2wtdudhNmnQDIKA+rH ardumont@yavin4: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIPsJCCMKJEXEEsHyoFOrydDmXxL8B4yhzrE8PcDVtCjr swhworker: uid: 1004 full_name: SWH Worker Acccount shell: /bin/bash groups: - swhdeploy - gitorious swhstorage: uid: 1005 full_name: SWH Storage Account shell: /bin/bash groups: - swhdeploy - swhstorage swhwebapp: uid: 1006 full_name: SWH Web App Account shell: /bin/bash groups: [] swhbackup: uid: 1007 full_name: SWH Backup Account shell: /bin/bash groups: [] rdicosmo: uid: 1008 full_name: Roberto Di Cosmo shell: /bin/bash groups: - swhteam authorized_keys: dicosmo@voyager: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAACAQC5aS/3Cps2Ru9EW+nIF9Z9o6/xq1thwtCgpIjSPgcrm2BVisj6xbD5OOapS3U6BpLKjWZG8sMGBCsJJ3S1cP0s2I+xHFToqCcbfOxIe/tq/UgTtxGJ0+TfUKNoD+QJjIKnjyC+HVEQm5bSm8mJv0vptj4On8yNopytSGuLcFHHnMB2t+IOkHnTW7n3emhh3SZKAcpI1h7WvPqsqBobMFDMeqvGeHaH2AM2OSoUi7AY+MmcVL0Je6QtJqpz60QI5dvaM4AsobC12AZSJKXnuqQTY6nJy4r9jPRK8RUqo5PuAAsNtlxf5xA4s1LrDR5PxBDpYz47Pq2LHtI9Hgf/SFB3IqZeBKqquMI1xThRBwP307/vOtTiwJr4ZKcpOH+SbU7Tnde4n8siM719QZM8VITtrbwm/VBiEwvhGC/23npX4S55W7Et/l9gmeP3Q+lSw50vBuQhBSn7BzedPM1CqbTN/zqM8TCDUtPVIo+6b2s5ao/Vcq9vBXm5bP0xZeNsqsCl05zpCShudKpT6AlMGAaRTd6NUHHsf4D1JjNx3v42R3vQr6OgHELVMGECuyPs3zWHOS/P6AdD0yJTSOMaklRh2HGN8uj0+aQ7RhnrkYqRfhN+6UkrTANuxdb44AGdLmBAKIYglVrAJe+DEji/LzJdZ22baAWg4ar/WikpFJtxkw== swhteamannex: uid: 1009 full_name: SWH Team Git Annex Account shell: /bin/bash groups: - swhteam authorized_keys: swhteamannex@louvre: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAACAQDL/Ef9kktq/QkJ0lohan8ObQ3o7hMf7EOQPjO+u7UhIMjBNufJnaftQRGIA6N1/wEsDvxxNNz75/oJECJHgZs2OOTJJPsKfYeybmSBocSa/sn6IKK7/b/qlwHJlSGWPGVgbtfP0KexlSAKAmKZuJyqjES5igTLV5w4wTjvUUen9QyefuUehnCX3MJhTpoyixp7icXE80aNMaCPwHZppKb/28sNlPX3MbSONGM45wSFRXNuj0mAAjrgojkhAqFNnI9oKNAt9mDcw1hV0n86VvrDhEbMCJP/z58ecn376BgyXQ8zNUPIr2g0SrSPUNjfxZHfJ0XYpF7624wOMOmZE3fsQzZh+FeMF0IFRPvcG34RaelV9dXiy+/q45oqwbMF464gFSbyt++4jpgqHdsARM4zR//jBhyLvFXR+GaKC3hFENno5W5Raff4XE5rzN/q9jVJBNfvfuEPWrapyM3A/ePeuK3SyNJwyIx+bOEQXsRdxEWKszTeJO2SLPWtCrKrC+G4/HktQSQOj5S9a+N6HoKD8E889eBEYoeZGPIuzMot4cuUlyPt3P99z4oRIaeC6XwUCvZCD2DaTAkQWQMsmOn+soaeZ1zBHbsCBbV0mBMRx7K4Vjs62vhSelryQAXW+cBgd6+f5XBjOnNhHQhsNsDfYP4Kmztn58faQV2TzGG5ow== swhscheduler: uid: 1010 full_name: SWH Scheduler Account shell: /bin/bash groups: - swhscheduler jbertran: uid: 2001 full_name: Jordi Bertran de Balanda shell: /bin/false groups: [] password: "!" qcampos: uid: 2002 full_name: Quentin Campos shell: /bin/false groups: [] password: "!" 
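# Illustrative sketch only, not part of the deployed data: a further entry in the
# 'users' hash is assumed to take the same shape as the accounts above (uid, full_name,
# shell, groups, optional authorized_keys). The name, uid and key below are placeholders,
# not a real account or key.
#  jdoe:
#    uid: 1028            # placeholder; pick an unused uid in practice
#    full_name: Jane Doe
#    shell: /bin/bash
#    groups:
#      - swhdev
#    authorized_keys:
#      jdoe@laptop:
#        type: ssh-ed25519
#        key: AAAA...placeholder...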
gitorious: uid: 5000 full_name: Gitorious System User shell: /bin/false groups: - gitorious fiendish: uid: 1011 full_name: Avi Kelman shell: /bin/false groups: [] password: "!" morane: uid: 1012 full_name: Morane Otilia Gruenpeter shell: /bin/bash groups: - swhdev - swhstorage - swhteam authorized_keys: morane.gg@gmail.com: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDm8kH1pP+4ENKmpkTCkL2ashxxnOFVndGrcvfX05lV1hOo2NdItpdoR9txIgFEs3d7v73mtH4nWciUyaK7FIByrtvsR2TIhdVgEcb0Xai8viV+sDMTndpiNlWNilbfxm0K70tgpG4BeSWRJy8cPxnCR9CWoB2Vo9Df7lDKz1LXDgfY4VLJd69ahf1DPFUDjpWIEQdPFX2ZyGUYM+0yPXIoyYW/qreDt1JkYZXXVbRAV8j44/TVgTRYJLgYb9ThW6WzlGM1S4uP7GQdAuROCcspqW3ahV/UmV4Z9SM6S34NN182KvM0Ve7uxAPQz+IdWOgZTK0pvd+hfjHKbLSTA6I3 seirl: uid: 1013 full_name: Antoine Pietri shell: /usr/bin/zsh groups: - swhdev - swhstorage - swhteam - swhdeploy authorized_keys: seirl: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAILiua8eEg+nU0XSbYPTgnOMftzvpbN+u7v5jDabeO/0E ssushant: uid: 1014 full_name: Sushant shell: /bin/false groups: [] password: "!" anlambert: uid: 1015 full_name: Antoine Lambert shell: /bin/bash groups: - swhdev - swhstorage - swhteam - swhdeploy - swhwebapp authorized_keys: antoine.lambert@inria.fr: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAACAQDLWPcZnSUszEedMa39dT3ZCHpRod3NTs6WT4OfMMRVahrhTtWYdSiNGy8U3kEQveTZvMrb9WLtLPB3K8o7Xrf8WCI8iTOl9eb9DVjE9XL+zS0ZAcEmoZ5YH8e3gEDoDm8ZrMxF+V5XSlvhNi6kbWzJdqhXu++bJHHqGrKUHeTCQCfpYYMrsnvhPjtxe+90BK7e+IGm1Ha8LZMCCmOtz0XggxD8d2mFBaP2p8v9xsM48KfwFvsRMb3TZIaO/+NcsRSTe7wfFAR1pb14pi5LZAHeb2tpWfVH2vQGaE7Rej+Ycf4UOeaRmFGpimw7u7fugvDvKfZ/vs7w7Qs2RtxNdqJf9JM+vvi78OQbloufot1Tz2r19aDbhM9nsCn+Uo3rNfkmD+UcSMKrRJCMEXVBbaY/bgzs7XoqCJ8ODE2U/dF3NtHBZr+CB52iilUtemXy+Xwqw4TSs/r9vW7/XueTdb0Yp/cUs5uLCqCwlMpGS5okorpdJextp5gRuN6EMlUo6PffRiz5T0CqKm1xJu0NeT0EaacAXoGTDQaS4pIQGglqWfAOmjej9dM8gxAF6rgrx70uJt6Hy18tvzdB5iwJ4F2LUjcZhFnrxjUDzhjPoDBiRtPNgEKrCc30OHsveqXwMPo3v/d3np1Vpkum0JEwmp83q92P5T2rbf+wiruxZhhtww== grouss: uid: 1016 full_name: Guillaume Rousseau shell: /bin/bash groups: - swhteam authorized_keys: guillaume.rousseau@univ-paris-diderot.fr: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Akcdxrod/MFcHg53dCf7iZY/ph9MR0tWU08pjMDfU04j1nAgmHmvumYbxBtFNnd0nu4A9YY4nT79273PCE3c6ba3zSGS9DBYhrASGDqHBECrgEREM3YPXpA2NI0FKEZ878Ic3CQlYaOmRoe/QkFpm2j8CMoG4VdKp0EcvV1RCTgWqJY1P4KC30CJUg+OdGRaaqHEoSskjstU5yjbZCC9M90Hz0xO+MsMl/xKdcDmvwbLDMtp/3SKDQeyN4Q7Uu/zZwoZ8FmgEU4Xp7nKN3yCiEB9rqMkP/lLY71hTPHn/GiZnPo4rWL13w3unuI3X0GDpqxPxjt0LZN4xQEGEn+1 ftigeot: uid: 1017 full_name: Francois Tigeot shell: /bin/false password: "!" 
groups: [] swhdeposit: uid: 1018 full_name: SWH Deposit App Account shell: /bin/bash groups: - swhscheduler swhvault: uid: 1019 full_name: SWH Vault Account shell: /bin/bash groups: - swhdeploy - swhstorage - swhvault ddouard: uid: 1020 full_name: David Douard shell: /bin/bash groups: - adm - sudo - swhdev - swhteam - swhscheduler authorized_keys: david.douard@sdfa3.org: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAACAQCoON7De2Bx03owpZfzbOyucZTmyQdm7F+LP4D4H9EyOFxtyMpjH2S9Ve/JvMoFIWGQQlXSkYzRv63Z0BzPLKD2NsYgomcjOLdw1Baxnv8VOH+Q01g4B3cabcP2LMVjerHt/KRkY3E6dnKLQGE5UiER/taQ7KazAwvu89nUd4BJsV43rJ3X3DtFEfH3lR4ZEIgFyPUkVemQAjBhueFmN3w8debOdr7t9cBpnYvYKzLQN+G/kQVFc+fgs+fFOtOv+Az9kTXChfLs5pKPBm+MuGxz4gS3fPiAjY9cN6vGzr7ZNkCRUSUjJ10Hlm7Gf2EN8f+k6iSR4CPeixDcZ+scbCg4dCORqTsliSQzUORIJED9fbUR6bBjF4rRwm5GvnXx5ZTToWDJu0PSHYOkomqffp30wqvAvs6gLb+bG1daYsOLp+wYru3q09J9zUAA8vNXoWYaERFxgwsmsf57t8+JevUuePJGUC45asHjQh/ON1H5PDXtULmeD1GKkjqyaS7SBNbpOWgQb21l3pwhLet3Mq3TJmxVqzGMDnYvQMUCkiPdZq2pDplzfpDpOKLaDg8q82rR5+/tAfB4P2Z9RCOqnMLRcQk9AluTyO1D472Mkp+v5VA4di0eTWZ0tuzwYJEft0OVo+QOVTslCGsyGiEUoOcHzkrdgsT5uQziyAfgTMSuiw== vlorentz: uid: 1021 full_name: Valentin Lorentz shell: /usr/bin/zsh groups: - swhdev - swhteam authorized_keys: vlorentz@pro-desktop: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAILsRMQjrrfUjX1ka9e6YlyMyDvTC+qk5a21Fp9yXYI7p vlorentz@perso-laptop: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIIjJoY4XBTTNsxLVF/sUKBI4WGR2AIiR9qfMdspnsRfJ vlorentz@pro-laptop: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIND42yBr8C/zKJiQx2I84yIlMNsS9IMTUkdb9GjYgFON haltode: uid: 1022 full_name: Thibault Allancon shell: /usr/bin/zsh groups: - swhdev - swhteam authorized_keys: haltode@gmail.com: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIORGwY56PpvgwMWqDei718PPriV6U7LL5JMPJWS7zTcg danseraf: uid: 1023 full_name: Daniel Serafini groups: - swhdev shell: /usr/bin/fish authorized_keys: me@danieleserafini.eu: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABgQDsQ1QxD/xHOOhCAarH9o3oAfT7YCwxXCAVaazxC1ZMygWZUE95oMu6D2Wib5Q4GBKD35ddclY/l5GsYB5uXbl1UxAFUPe4COqTEt+7deMSWakv46ceb5oHxOkMAF4w400FV1Pi1usk2TpArarOPuxN7yKu54sBACI5HEezn3KOvxPYt/DUAt+XdrfLsiZPyzjOYYezocCV+O1PkivhC99cXHtlwTBRntWTjlyUt9p46U6Uf2G9u88v4v2KopH0sQG7nAYNXN7W14pB925fnDYDHFYUoKDCBbJiQMMKKlQxJZLSfh/KX6kX7OIXOiMclIfmBYAUwDHU3MevdczAIj8JWspUVyRf32B1jnD+H8UnDTCwApCFytcvzDuoYCgiUVk4bDpJOHeb8V4dh6UZt0DFa4iiLsVIX8MjcqaI5TmmvaYgjGPSTLlUsasUJnVqCweQNTiZPhDiqrs258aQvSGf634k10lxmhAAB0xAGVO6Zj1mBjqS+XDJiLzf4mWwm4M= aeviso: uid: 1024 full_name: Andres Ezequiel Viso groups: - swhdev - swhteam shell: /bin/bash authorized_keys: andres@powerage: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDRnVV1UimkTbAAb1FPxDPAqfyCVSrlB7a1Kq83ZKc6e7tTVmOKA55whZa3KwNBwgZGB8389ejCery+WDqSiRZsirup4UN/VZ5X3XJdnRVPPcpzVuWFivPKBMn6D4LMa9D7moMnV9JC5q9zwMNHZQ4qJbGlW44MzWOi0RnPVd28jsRkL0sMRvz+i3KXFGDNeaVPV0YLB4vS1bmEho/8Tu5NlY/Tzkter9qTNN7QNIAbnq8oQF/lLPFAytE0s61ZtoDcXfznJPXWkIljMCTQHlxeDci9DQWUgQc+A+7qWmqkb3lzDYKQrxRfZtl3hbnR3jrtSfTI+q0Nagh0O4FN2QUj vsellier: uid: 1025 full_name: Vincent Sellier groups: - swhdev - swhteam - sudo shell: /usr/bin/zsh authorized_keys: vsellier@swh-vs1: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAII5oO0jj/IeV04osZ/iaKBZdnuqdziJD3x1VOhtK9tZY tenma: uid: 1026 full_name: Nicolas Gattolin groups: - swhdev - swhteam shell: /bin/bash authorized_keys: tenma@swh-ng1: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIFZ2Ny1YDntm3yHa7yTG+HsZr+HUIMHAi/k/MS6hoKzY tg1999: uid: 1027 full_name: Tushar Goel groups: - swhdev - swhteam shell: /bin/bash authorized_keys: 
tg@tg-Inspiron-15-7000-Gaming: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIFWGdBi6sAzfrphRg6h8fwD+W6HaZMIv9OUCXJjc0R9c groups: adm: gid: 4 # assigned from base-files sudo: gid: 27 # assigned from base-files www-data: gid: 33 # assigned from base-files zack: gid: 1000 olasd: gid: 1001 ardumont: gid: 1003 ddouard: gid: 1020 swhworker: gid: 1004 swhdev: gid: 1002 swhstorage: gid: 1005 swhdeploy: gid: 1006 swhbackup: gid: 1007 swhwebapp: gid: 1008 swhteam: gid: 1009 swhscheduler: gid: 1010 gitorious: gid: 5000 swhdeposit: gid: 1018 swhvault: gid: 1019 vsellier: gid: 1025 tenma: gid: 1026 tg1999: gid: 1027 gunicorn::statsd::host: 127.0.0.1:8125 munin::master::hostname: munin.internal.softwareheritage.org rabbitmq::monitoring::user: swhdev # following password key in private data # - rabbitmq::monitoring::password # - swh::deploy::worker::task_broker::password # - swh::deploy::scheduler::task_broker::password rabbitmq::server::users: - name: "%{hiera('rabbitmq::monitoring::user')}" is_admin: true password: "%{hiera('rabbitmq::monitoring::password')}" tags: [] - name: swhconsumer is_admin: false password: "%{hiera('swh::deploy::worker::task_broker::password')}" tags: [] - name: swhproducer is_admin: false password: "%{hiera('swh::deploy::scheduler::task_broker::password')}" tags: - management puppet::master::hostname: pergamon.internal.softwareheritage.org puppet::master::puppetdb: pergamon.internal.softwareheritage.org puppetdb::master::config::terminus_package: puppet-terminus-puppetdb strict_transport_security::max_age: 15768000 php::version: '7.4' # Those variables get picked up by 'include ::php::fpm::daemon' php::fpm::daemon::log_owner: www-data php::fpm::daemon::log_group: adm php::fpm::daemon::log_dir_mode: '0750' # Those variables get picked up by 'include ::apache' apache::server_tokens: 'Prod' apache::server_signature: 'Off' apache::trace_enable: 'Off' apache::manage_group: false # Those variables get picked up by 'include ::apache::mod::passenger' apache::mod::passenger::passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini # Those variables need to be set manually in the SSL vhosts. 
apache::ssl_protocol: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 apache::ssl_honorcipherorder: 'On' apache::ssl_cipher: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 apache::hsts_header: "set Strict-Transport-Security \"max-age=%{hiera('strict_transport_security::max_age')}\"" # Those variables need to be set manually for all vhosts apache::http_port: 80 apache::https_port: 443 apache::log_formats: combined_with_duration: "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{literal('%')}{Referer}i\\\" \\\"%{literal('%')}{User-Agent}i\\\" %{literal('%')}{ms}T" # Hitch TLS proxy configuration hitch::frontend: "[*]:10443" hitch::proxy_support: false hitch::http2_support: false # Varnish configuration varnish::http_port: 10080 varnish::proxy_port: 6081 varnish::http2_support: false varnish::listen: - ":%{hiera('varnish::http_port')}" - "[::1]:%{hiera('varnish::proxy_port')},PROXY" varnish::backend_http_port: "%{hiera('apache::http_port')}" varnish::admin_listen: 127.0.0.1 varnish::admin_port: 6082 varnish::storage_type: malloc varnish::storage_size: 256m varnish::storage_file: /var/lib/varnish/varnish_storage.bin # varnish::secret in private-data swh::deploy::reverse_proxy::services: - deposit - webapp letsencrypt::account_email: sysop+letsencrypt@softwareheritage.org letsencrypt::server: https://acme-v02.api.letsencrypt.org/directory letsencrypt::gandi_livedns_hook::config: gandi_api: https://dns.api.gandi.net/api/v5/ zones: softwareheritage.org: api_key: "%{alias('gandi::softwareheritage_org::api_key')}" sharing_id: "%{alias('gandi::softwareheritage_org::sharing_id')}" swh.network: api_key: "%{alias('gandi::softwareheritage_org::api_key')}" sharing_id: "%{alias('gandi::swh_network::sharing_id')}" letsencrypt::gandi_paas_hook::config: gandi_xmlrpc: https://rpc.gandi.net/xmlrpc/ zone_keys: softwareheritage.org: "%{alias('gandi::softwareheritage_org::xmlrpc_key')}" letsencrypt::certificates::exported_directory: "%{::puppet_vardir}/letsencrypt_exports" letsencrypt::certificates::directory: /etc/ssl/certs/letsencrypt letsencrypt::certificates: archive_production: domains: # Should match with keycloak::resources::realms.SoftwareHeritage.clients.swh-web.redirect_uris - archive.softwareheritage.org - base.softwareheritage.org - archive.internal.softwareheritage.org archive_staging: domains: # Should match with keycloak::resources::realms.SoftwareHeritageStaging.clients.swh-web.redirect_uris - webapp.staging.swh.network - webapp-rp.internal.staging.swh.network archive_webapp1: domains: - webapp1.internal.softwareheritage.org deposit_production: domains: - deposit.softwareheritage.org - deposit.internal.softwareheritage.org deposit_staging: domains: - deposit.staging.swh.network - deposit-rp.internal.staging.swh.network hedgedoc: domains: - hedgedoc.softwareheritage.org journal0.internal.staging.swh.network: domains: - broker0.journal.staging.swh.network - journal0.internal.staging.swh.network objstorage_staging: domains: - objstorage.staging.swh.network - objstorage-rp.internal.staging.swh.network stats_export: domains: - stats.export.softwareheritage.org - pergamon.softwareheritage.org jenkins: domains: - jenkins.softwareheritage.org sentry: domains: - sentry.softwareheritage.org keycloak: domains: - auth.softwareheritage.org kafka1.internal.softwareheritage.org: domains: - broker1.journal.softwareheritage.org - 
kafka1.internal.softwareheritage.org kafka2.internal.softwareheritage.org: domains: - broker2.journal.softwareheritage.org - kafka2.internal.softwareheritage.org kafka3.internal.softwareheritage.org: domains: - broker3.journal.softwareheritage.org - kafka3.internal.softwareheritage.org kafka4.internal.softwareheritage.org: domains: - broker4.journal.softwareheritage.org - kafka4.internal.softwareheritage.org kafka01.euwest.azure.internal.softwareheritage.org: domains: - kafka01.euwest.azure.internal.softwareheritage.org - kafka01.euwest.azure.softwareheritage.org kafka02.euwest.azure.internal.softwareheritage.org: domains: - kafka02.euwest.azure.internal.softwareheritage.org - kafka02.euwest.azure.softwareheritage.org kafka03.euwest.azure.internal.softwareheritage.org: domains: - kafka03.euwest.azure.internal.softwareheritage.org - kafka03.euwest.azure.softwareheritage.org kafka04.euwest.azure.internal.softwareheritage.org: domains: - kafka04.euwest.azure.internal.softwareheritage.org - kafka04.euwest.azure.softwareheritage.org kafka05.euwest.azure.internal.softwareheritage.org: domains: - kafka05.euwest.azure.internal.softwareheritage.org - kafka05.euwest.azure.softwareheritage.org kafka06.euwest.azure.internal.softwareheritage.org: domains: - kafka06.euwest.azure.internal.softwareheritage.org - kafka06.euwest.azure.softwareheritage.org annex.softwareheritage.org: domains: - annex.softwareheritage.org bitbucket-archive.softwareheritage.org: domains: - bitbucket-archive.softwareheritage.org debian.softwareheritage.org: domains: - debian.softwareheritage.org - debian.internal.softwareheritage.org docs.softwareheritage.org: domains: - docs.softwareheritage.org intranet.softwareheritage.org: domains: - intranet.softwareheritage.org wiki.softwareheritage.org: domains: - wiki.softwareheritage.org icinga.softwareheritage.org: domains: - icinga.softwareheritage.org - icinga.internal.softwareheritage.org wg.softwareheritage.org: domains: - wg.softwareheritage.org git.softwareheritage.org: domains: - git.softwareheritage.org forge.softwareheritage.org: domains: - forge.softwareheritage.org grafana.softwareheritage.org: domains: - grafana.softwareheritage.org www-dev: domains: - www-dev.softwareheritage.org deploy_hook: gandi_paas www: domains: - softwareheritage.org - www.softwareheritage.org deploy_hook: gandi_paas gandi-redirects: domains: - softwareheritage.org - sponsors.softwareheritage.org - sponsorship.softwareheritage.org - testimonials.softwareheritage.org deploy_hook: gandi_paas netbox: domains: - inventory.internal.softwareheritage.org netbox-vagrant: domains: - inventory-vagrant.internal.softwareheritage.org bind::update_key: local-update bind::zones: internal.softwareheritage.org: domain: internal.softwareheritage.org 100.168.192.in-addr.arpa: domain: 100.168.192.in-addr.arpa 101.168.192.in-addr.arpa: domain: 101.168.192.in-addr.arpa internal.staging.swh.network: domain: internal.staging.swh.network internal.admin.swh.network: domain: internal.admin.swh.network 50.168.192.in-addr.arpa: domain: 50.168.192.in-addr.arpa 128.168.192.in-addr.arpa: domain: 128.168.192.in-addr.arpa 130.168.192.in-addr.arpa: domain: 130.168.192.in-addr.arpa 200.168.192.in-addr.arpa: domain: 200.168.192.in-addr.arpa 201.168.192.in-addr.arpa: domain: 201.168.192.in-addr.arpa 202.168.192.in-addr.arpa: domain: 202.168.192.in-addr.arpa 203.168.192.in-addr.arpa: domain: 203.168.192.in-addr.arpa 204.168.192.in-addr.arpa: domain: 204.168.192.in-addr.arpa 205.168.192.in-addr.arpa: domain: 205.168.192.in-addr.arpa 
206.168.192.in-addr.arpa: domain: 206.168.192.in-addr.arpa 207.168.192.in-addr.arpa: domain: 207.168.192.in-addr.arpa # Defaults for secondary bind server bind::zones::type: slave bind::zones::masters: - 192.168.100.29 bind::zones::allow_transfers: - 192.168.100.0/24 - 192.168.101.0/24 - 192.168.200.22 bind::zones::default_data: zone_type: "%{alias('bind::zones::type')}" dynamic: true masters: "%{alias('bind::zones::masters')}" transfer_source: '' allow_updates: [] update_policies: '' allow_transfers: "%{alias('bind::zones::allow_transfers')}" dnssec: false key_directory: '' ns_notify: true also_notify: '' allow_notify: '' forwarders: '' forward: '' source: '' ns_records: - pergamon.internal.softwareheritage.org. - ns0.euwest.azure.internal.softwareheritage.org. bind::resource_records: archive/CNAME: type: CNAME record: archive.internal.softwareheritage.org data: moma.internal.softwareheritage.org. db/CNAME: type: CNAME record: db.internal.softwareheritage.org data: belvedere.internal.softwareheritage.org. debian/CNAME: type: CNAME record: debian.internal.softwareheritage.org data: pergamon.internal.softwareheritage.org. backup/CNAME: type: CNAME record: backup.internal.softwareheritage.org data: banco.internal.softwareheritage.org. icinga/CNAME: type: CNAME record: icinga.internal.softwareheritage.org data: pergamon.internal.softwareheritage.org. faitout/CNAME: type: CNAME record: faitout.internal.softwareheritage.org data: prado.internal.softwareheritage.org. graph/CNAME: type: CNAME record: graph.internal.softwareheritage.org data: granet.internal.softwareheritage.org. logstash/CNAME: type: CNAME record: logstash.internal.softwareheritage.org data: logstash0.internal.softwareheritage.org. kibana/CNAME: type: CNAME record: kibana.internal.softwareheritage.org data: banco.internal.softwareheritage.org. rabbitmq/CNAME: type: CNAME record: rabbitmq.internal.softwareheritage.org data: saatchi.internal.softwareheritage.org. inventory/CNAME: type: CNAME record: inventory.internal.softwareheritage.org data: bojimans.internal.softwareheritage.org. staging-gateway/A: # Cannot autogenerate due to limitations in $::swh_hostname fact record: staging-gateway.internal.softwareheritage.org data: 192.168.100.125 glyptotek/A: # OPNSense firewall, not managed by puppet record: "%{alias('opnsense::hosts.glyptotek.fqdn')}" data: "%{alias('opnsense::hosts.glyptotek.ip')}" pushkin/A: # OPNSense firewall, not managed by puppet record: "%{alias('opnsense::hosts.pushkin.fqdn')}" data: "%{alias('opnsense::hosts.pushkin.ip')}" internalgw/A: # Firewal(s)l vip, not managed by puppet record: gw.internal.softwareheritage.org data: 192.168.100.130 staging-rp0/A: record: rp0.internal.staging.swh.network data: 192.168.130.20 staging-webapp/A: record: webapp.internal.staging.swh.network data: 192.168.130.30 staging-webapp-rp/CNAME: type: CNAME record: webapp-rp.internal.staging.swh.network data: rp0.internal.staging.swh.network. staging-deposit/A: record: deposit.internal.staging.swh.network data: 192.168.130.31 staging-deposit-rp/CNAME: type: CNAME record: deposit-rp.internal.staging.swh.network data: rp0.internal.staging.swh.network. 
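# Illustrative sketch only, not an applied record: further entries under
# bind::resource_records are assumed to follow the pattern above -- the record type
# defaults to A through bind::resource_records::default_data (defined just below),
# while CNAME entries set it explicitly. The host name and address are placeholders.
#  example-host/A:
#    record: example-host.internal.softwareheritage.org
#    data: 192.168.100.250
#  example-alias/CNAME:
#    type: CNAME
#    record: example-alias.internal.softwareheritage.org
#    data: example-host.internal.softwareheritage.org.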
# Non-puppet azure hosts pgmirror0.euwest.azure/A: record: pgmirror0.euwest.azure.internal.softwareheritage.org data: 192.168.200.51 # VPN hosts zack/A: record: zack.internal.softwareheritage.org data: 192.168.101.6 olasd/A: record: olasd.internal.softwareheritage.org data: 192.168.101.10 ardumont/A: record: ardumont.internal.softwareheritage.org data: 192.168.101.14 ardumont-desktop/A: record: ardumont-desktop.internal.softwareheritage.org data: 192.168.101.158 rdicosmo/A: record: rdicosmo.internal.softwareheritage.org data: 192.168.101.38 grand-palais/A: record: grand-palais.internal.softwareheritage.org data: 192.168.101.62 grandpalais/CNAME: type: CNAME record: grandpalais.internal.softwareheritage.org data: grand-palais.internal.softwareheritage.org. giverny/A: type: A record: giverny.internal.softwareheritage.org data: 192.168.101.118 orangeriedev/A: type: A record: orangeriedev.internal.softwareheritage.org data: 192.168.101.130 orangerie/A: type: A record: orangerie.internal.softwareheritage.org data: 192.168.101.142 ddouard-desktop/A: record: ddouard-desktop.internal.softwareheritage.org data: 192.168.101.162 vlorentz-desktop/A: record: vlorentz-desktop.internal.softwareheritage.org data: 192.168.101.166 oturtle-desktop/A: record: oturtle-desktop.internal.softwareheritage.org data: 192.168.101.222 bind::resource_records::default_data: type: A bind::clients: - 192.168.50.0/24 - 192.168.100.0/24 - 192.168.101.0/24 - 192.168.130.0/24 - 192.168.200.0/21 - 127.0.0.0/8 - '::1/128' bind::autogenerate: 192.168.100.0/24: .internal.softwareheritage.org 192.168.200.0/21: .internal.softwareheritage.org 192.168.130.0/24: .internal.staging.swh.network 192.168.50.0/24: .internal.admin.swh.network backups::legacy_storage: /srv/backups backups::enable: true backups::base: / backups::exclude: - dev - proc - run - srv/backups - srv/db-backups - srv/elasticsearch - srv/remote-backups - srv/softwareheritage/objects - srv/softwareheritage/postgres - srv/softwareheritage/scratch - srv/softwareheritage/scratch.2TB - srv/storage - sys - tmp - var/cache - var/lib/mysql - var/log/journal - var/run - var/tmp phabricator::basepath: /srv/phabricator phabricator::user: phabricator phabricator::group: phabricator phabricator::vcs_user: git phabricator::notification::client_host: 127.0.0.1 phabricator::notification::client_port: 22280 phabricator::notification::listen: "%{hiera('phabricator::notification::client_host')}:%{hiera('phabricator::notification::client_port')}" phabricator::mysql::database_prefix: phabricator phabricator::mysql::username: phabricator phabricator::mysql::readonly_usernames: [] # phabricator::mysql::readonly_password_seed in private data phabricator::mysql::conf::max_allowed_packet: 33554432 phabricator::mysql::conf::sql_mode: STRICT_ALL_TABLES phabricator::mysql::conf::ft_stopword_file: "%{hiera('phabricator::basepath')}/phabricator/resources/sql/stopwords.txt" phabricator::mysql::conf::ft_min_word_len: 3 phabricator::mysql::conf::ft_boolean_syntax: "' |-><()~*:\"\"&^'" phabricator::mysql::conf::innodb_buffer_pool_size: 4G phabricator::mysql::conf::innodb_file_per_table: TRUE phabricator::mysql::conf::innodb_flush_method: O_DIRECT phabricator::mysql::conf::innodb_log_file_size: 1G phabricator::mysql::conf::max_connections: 16384 phabricator::php::fpm_listen: 127.0.0.1:9001 phabricator::php::max_file_size: 128M phabricator::php::opcache_validate_timestamps: 0 # Must have a matching cert in letsencrypt::domains phabricator::vhost::name: forge.softwareheritage.org 
phabricator::vhost::docroot: "%{hiera('phabricator::basepath')}/phabricator/webroot" phabricator::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" phabricator::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" phabricator::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" phabricator::vhost::hsts_header: "%{hiera('apache::hsts_header')}" mediawiki::php::fpm_listen: 127.0.0.1:9002 mediawiki::vhosts: # Must have matching certificates in letsencrypt::certificates intranet.softwareheritage.org: swh_logo: /images/9/99/Swh-intranet-logo.png mysql: username: mw_intranet dbname: mediawiki_intranet aliases: [] site_name: Software Heritage Intranet wiki.softwareheritage.org: swh_logo: /images/b/b2/Swh-logo.png mysql: username: mw_public dbname: mediawiki_public aliases: [] site_name: Software Heritage Wiki mediawiki::vhost::docroot: /var/lib/mediawiki mediawiki::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" mediawiki::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" mediawiki::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" mediawiki::vhost::hsts_header: "%{hiera('apache::hsts_header')}" annex::basepath: /srv/softwareheritage/annex # Must have matching certificate in letsencrypt::certificates annex::vhost::name: annex.softwareheritage.org annex::vhost::docroot: "%{hiera('annex::basepath')}/webroot" annex::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" annex::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" annex::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" annex::vhost::hsts_header: "%{hiera('apache::hsts_header')}" docs::basepath: /srv/softwareheritage/docs # Must have matching certificate in letsencrypt::certificates docs::vhost::name: docs.softwareheritage.org docs::vhost::docroot: "%{hiera('docs::basepath')}/webroot" docs::vhost::docroot_owner: "jenkins-push-docs" docs::vhost::docroot_group: "www-data" docs::vhost::docroot_mode: "2755" docs::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" docs::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" docs::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" docs::vhost::hsts_header: "%{hiera('apache::hsts_header')}" # Must have matching certificate in letsencrypt::certificates bitbucket_archive::vhost::name: bitbucket-archive.softwareheritage.org bitbucket_archive::vhost::docroot: /srv/softwareheritage/bitbucket-archive/webroot bitbucket_archive::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" bitbucket_archive::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" bitbucket_archive::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" bitbucket_archive::vhost::hsts_header: "%{hiera('apache::hsts_header')}" ssh::port: 22 ssh::permitrootlogin: without-password swh::base_directory: /srv/softwareheritage swh::conf_directory: /etc/softwareheritage swh::log_directory: /var/log/softwareheritage swh::global_conf::file: "%{hiera('swh::conf_directory')}/global.ini" swh::apt_config::swh_repository::hostname: debian.softwareheritage.org swh::apt_config::swh_repository: "https://%{hiera('swh::apt_config::swh_repository::hostname')}/" swh::apt_config::enable_non_free: false swh::apt_config::backported_packages: stretch: # For swh.scheduler - python3-msgpack # T1609 - python3-urllib3 - python3-requests - python3-chardet - python3-idna buster: # More recent systemd for new features like OOMPolicy - libnss-myhostname - libnss-mymachines - libnss-resolve - libnss-systemd - libpam-systemd - libsystemd-dev - 
libsystemd0 - libudev-dev - libudev1 - libudev1-udeb - libzstd1 - systemd - systemd-container - systemd-coredump - systemd-journal-remote - systemd-sysv - systemd-tests - udev - udev-udeb # python3-msgpack 1.0 breaks the older versions of borgbackup - borgbackup # Needed for some swh packages - python3-typing-extensions debian_repository::basepath: "%{hiera('swh::base_directory')}/repository" debian_repository::owner: swhdebianrepo debian_repository::owner::homedir: /home/swhdebianrepo debian_repository::group: swhdev debian_repository::mode: "02775" debian_repository::ssh_authorized_keys: nicolasd@darboux: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ1TCpfzrvxLhEMhxjbxqPDCwY0nazIr1cyIbhGD2bUdAbZqVMdNtr7MeDnlLIKrIPJWuvltauvLNkYU0iLc1jMntdBCBM3hgXjmTyDtc8XvXseeBp5tDqccYNR/cnDUuweNcL5tfeu5kzaAg3DFi5Dsncs5hQK5KQ8CPKWcacPjEk4ir9gdFrtKG1rZmg/wi7YbfxrJYWzb171hdV13gSgyXdsG5UAFsNyxsKSztulcLKxvbmDgYbzytr38FK2udRk7WuqPbtEAW1zV4yrBXBSB/uw8EAMi+wwvLTwyUcEl4u0CTlhREljUx8LhYrsQUCrBcmoPAmlnLCD5Q9XrGH jenkins@thyssen: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQCrfYnl8v4QK1ClkPMHO4WiPqgLVoOGpOPFUvg3WehMo8xMQ9e/EeZddQn96mhHkbbC5HCWEVK1VwafpIeadaMHnypdGhpapncYPpoKItxmf1IwVtlt/h8OYai5pTMCgkuOHjhnQdO20Amr9WMkoRZ/K7v/GijIZ6svvgWiYKfDnu0s1ziFYIT5rEA5hL9SqNJTlKdy2H68/7mmTii9NpBsGWQYDOjcrwELNOI5EUgQSOzmeKxecPkABfh/dezp6jmrv/2x7bm7LT46d+rnVDqVRiUrLVnLhrZCmZDxXfbEmftTdAoK8U/wjLreanRxKOc7arYRyKu0RbAaejPejzgR debian_repository::gpg_keys: # olasd - 791F12396630DD71FD364375B8E5087766475AAF # zack - 4900707DDC5C07F2DECB02839C31503C6D866396 # ardumont - BF00203D741AC9D546A8BE0752E2E9840D10C3B8 # anlambert - 91FAF3F5CDE011E4FDF4CBF2D026E5C2F802586D # seirl - 225CD9E3FA9374BDF6E057042F8984858B1A9945 # vlorentz - 379043E3DF96D3237E6782AC0E082B40E4376B1E # ddouard - 7DC7325EF1A6226AB6C3D7E32388A3BF6F0A6938 # jenkins-debian1 - 1F4BDC445E30C7066324D7B3D7D3329147AE3148 # vsellier - 89226003C15CBC8C65C189C33F13C434EADAD17D # Must have matching certificate in letsencrypt::certificates debian_repository::vhost::name: "%{hiera('swh::apt_config::swh_repository::hostname')}" debian_repository::vhost::aliases: - debian.internal.softwareheritage.org debian_repository::vhost::docroot: "%{hiera('debian_repository::basepath')}" debian_repository::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" debian_repository::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" debian_repository::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" debian_repository::vhost::hsts_header: "%{hiera('apache::hsts_header')}" swh::apt_config::debian_mirror::hostname: deb.debian.org swh::apt_config::debian_mirror: "http://%{hiera('swh::apt_config::debian_mirror::hostname')}/debian/" swh::apt_config::debian_security_mirror::hostname: "%{hiera('swh::apt_config::debian_mirror::hostname')}" swh::apt_config::debian_security_mirror: "http://%{hiera('swh::apt_config::debian_mirror::hostname')}/debian-security/" swh::apt_config::azure_repository::hostname: debian-archive.trafficmanager.net swh::apt_config::azure_repository: "http://%{hiera('swh::apt_config::azure_repository::hostname')}/debian-azure/" swh::apt_config::unattended_upgrades: true swh::apt_config::unattended_upgraes::origins: - "o=Debian,n=%{::lsbdistcodename}" # main Debian archive - "o=Debian,n=%{::lsbdistcodename}-updates" # stable-updates (ex-volatile) - "o=Debian,n=%{::lsbdistcodename},l=Debian-Security" # security updates - "o=debian icinga-%{::lsbdistcodename},n=icinga-%{::lsbdistcodename}" # Icinga2 repository - "o=Debian Azure,n=%{::lsbdistcodename}" # Debian 
Azure - "o=Proxmox,n=%{::lsbdistcodename}" # Proxmox repository - "o=packages.sury.org" # PHP backports (tate) ##################################################################################################### # Remote service configurations # Default ports swh::remote_service::storage::port: 5002 swh::remote_service::objstorage::port: 5003 swh::remote_service::webapp::port: 5004 swh::remote_service::vault::port: 5005 swh::remote_service::deposit::port: 5006 swh::remote_service::indexer::port: 5007 swh::remote_service::scheduler::port: 5008 swh::remote_service::search::port: 5010 # Default backend services. Override in specific sites if needed. Configurations # are split between read-only (the default) and writable storages. In most cases # overrides should only happen for read-only services. swh::remote_service::objstorage::config: "%{alias('swh::remote_service::objstorage::config::azure_readonly_with_fallback')}" swh::remote_service::objstorage::config::writable: "%{alias('swh::remote_service::objstorage::config::saam')}" swh::remote_service::objstorage::config_as_dict: banco: "%{alias('swh::remote_service::objstorage::config::banco')}" saam: "%{alias('swh::remote_service::objstorage::config::saam')}" azure: "%{alias('swh::remote_service::objstorage::config::azure')}" swh::remote_service::storage::config: "%{alias('swh::remote_service::storage::config::saam')}" swh::remote_service::storage::config::writable: &swh_remote_service_storage_config_writable "%{alias('swh::remote_service::storage::config::saam')}" swh::remote_service::indexer::config: "%{alias('swh::remote_service::indexer::config::saam')}" swh::remote_service::indexer::config::writable: "%{alias('swh::remote_service::indexer::config::saam')}" swh::remote_service::scheduler::config: "%{alias('swh::remote_service::scheduler::config::saatchi')}" swh::remote_service::scheduler::config::writable: "%{alias('swh::remote_service::scheduler::config::saatchi')}" swh::remote_service::vault::config: "%{alias('swh::remote_service::vault::config::azure')}" swh::remote_service::vault::config::writable: "%{alias('swh::remote_service::vault::config::azure')}" # Pipeline storage with retry, filter, buffer and finally writable storage swh::deploy::worker::storage::pipeline: cls: pipeline steps: - cls: retry - cls: buffer min_batch_size: content: 1000 content_bytes: 52428800 # 50 MB directory: 1000 revision: 1000 release: 1000 - cls: filter - "%{alias('swh::remote_service::storage::config::writable')}" # Objstorage backend configurations swh::remote_service::objstorage::config::azure: cls: azure-prefixed args: accounts: "0": account_name: 0euwestswh api_secret_key: "%{hiera('swh::azure::credentials::0euwestswh')}" container_name: contents "1": account_name: 1euwestswh api_secret_key: "%{hiera('swh::azure::credentials::1euwestswh')}" container_name: contents "2": account_name: 2euwestswh api_secret_key: "%{hiera('swh::azure::credentials::2euwestswh')}" container_name: contents "3": account_name: 3euwestswh api_secret_key: "%{hiera('swh::azure::credentials::3euwestswh')}" container_name: contents "4": account_name: 4euwestswh api_secret_key: "%{hiera('swh::azure::credentials::4euwestswh')}" container_name: contents "5": account_name: 5euwestswh api_secret_key: "%{hiera('swh::azure::credentials::5euwestswh')}" container_name: contents "6": account_name: 6euwestswh api_secret_key: "%{hiera('swh::azure::credentials::6euwestswh')}" container_name: contents "7": account_name: 7euwestswh api_secret_key: 
"%{hiera('swh::azure::credentials::7euwestswh')}" container_name: contents "8": account_name: 8euwestswh api_secret_key: "%{hiera('swh::azure::credentials::8euwestswh')}" container_name: contents "9": account_name: 9euwestswh api_secret_key: "%{hiera('swh::azure::credentials::9euwestswh')}" container_name: contents "a": account_name: aeuwestswh api_secret_key: "%{hiera('swh::azure::credentials::aeuwestswh')}" container_name: contents "b": account_name: beuwestswh api_secret_key: "%{hiera('swh::azure::credentials::beuwestswh')}" container_name: contents "c": account_name: ceuwestswh api_secret_key: "%{hiera('swh::azure::credentials::ceuwestswh')}" container_name: contents "d": account_name: deuwestswh api_secret_key: "%{hiera('swh::azure::credentials::deuwestswh')}" container_name: contents "e": account_name: eeuwestswh api_secret_key: "%{hiera('swh::azure::credentials::eeuwestswh')}" container_name: contents "f": account_name: feuwestswh api_secret_key: "%{hiera('swh::azure::credentials::feuwestswh')}" container_name: contents swh::remote_service::objstorage::config::azure::readonly: cls: filtered args: storage_conf: "%{alias('swh::remote_service::objstorage::config::azure')}" filters_conf: - type: readonly swh::remote_service::objstorage::config::saam: cls: remote args: url: "http://saam.internal.softwareheritage.org:%{hiera('swh::remote_service::objstorage::port')}/" swh::remote_service::objstorage::config::saam::readonly: cls: filtered args: storage_conf: "%{alias('swh::remote_service::objstorage::config::saam')}" filters_conf: - type: readonly swh::remote_service::objstorage::config::banco: cls: remote args: url: "http://banco.internal.softwareheritage.org:%{hiera('swh::remote_service::objstorage::port')}/" swh::remote_service::objstorage::config::banco::readonly: cls: filtered args: storage_conf: "%{alias('swh::remote_service::objstorage::config::banco')}" filters_conf: - type: readonly swh::remote_service::objstorage::config::azure_readonly_with_fallback: &swh_azure_readonly_with_fallback cls: multiplexer args: objstorages: - "%{alias('swh::remote_service::objstorage::config::azure::readonly')}" - "%{alias('swh::remote_service::objstorage::config::banco::readonly')}" - "%{alias('swh::remote_service::objstorage::config::saam::readonly')}" swh::remote_service::objstorage::config::localhost: cls: remote args: url: "http://127.0.0.1:%{hiera('swh::remote_service::objstorage::port')}/" # Storage backend configurations swh::remote_service::storage::config::saam: cls: remote args: url: "http://saam.internal.softwareheritage.org:%{hiera('swh::remote_service::storage::port')}/" swh::remote_service::storage::config::azure: cls: remote args: url: "http://storage01.euwest.azure.internal.softwareheritage.org:%{hiera('swh::remote_service::storage::port')}/" swh::remote_service::storage::config::localhost: cls: remote args: url: "http://localhost:%{hiera('swh::remote_service::storage::port')}/" swh::remote_service::search::config::empty: {} swh::remote_service::search::config::storage0: cls: remote url: "http://storage01.euwest.azure.internal.softwareheritage.org:%{hiera('swh::remote_service::search::port')}/" swh::remote_service::search::config::localhost: cls: remote url: "http://localhost:%{hiera('swh::remote_service::search::port')}/" swh::remote_service::search::config::search1: cls: remote url: "http://search1.internal.softwareheritage.org:%{hiera('swh::remote_service::search::port')}/" swh::remote_service::search::config: "%{alias('swh::remote_service::search::config::empty')}" # Indexer 
backend configurations swh::remote_service::indexer::config::saam: cls: remote url: "http://saam.internal.softwareheritage.org:%{hiera('swh::remote_service::indexer::port')}/" swh::remote_service::indexer::config::azure: cls: remote url: "http://storage01.euwest.azure.internal.softwareheritage.org:%{hiera('swh::remote_service::indexer::port')}/" # Scheduler backend configurations swh::remote_service::scheduler::config::saatchi: cls: remote url: "http://saatchi.internal.softwareheritage.org:%{hiera('swh::remote_service::scheduler::port')}/" # Vault backend configurations swh::remote_service::vault::config::azure: cls: remote url: "http://vangogh.euwest.azure.internal.softwareheritage.org:%{hiera('swh::remote_service::vault::port')}/" # End remote service configurations ##################################################################################################### swh::deploy::db::pgbouncer::port: 5432 swh::deploy::db::main::port: 5433 swh::deploy::db::secondary::port: 5434 swh::deploy::db::indexer::port: 5435 swh::deploy::db::pgbouncer::user::login: postgres swh::deploy::db::pgbouncer::user::password: "%{alias('swh::deploy::db::postgres::password')}" pgbouncer::common::listen_addresses: - 127.0.0.1 - 127.0.1.1 - "%{alias('pgbouncer::listen_addr')}" pgbouncer::config_params: logfile: /var/log/postgresql/pgbouncer.log pidfile: /var/run/postgresql/pgbouncer.pid unix_socket_dir: /var/run/postgresql client_tls_sslmode: allow client_tls_ca_file: /etc/ssl/certs/ssl-cert-snakeoil.pem client_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key client_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem server_tls_sslmode: allow listen_port: "%{hiera('swh::deploy::db::pgbouncer::port')}" listen_addr: "%{alias('pgbouncer::common::listen_addresses')}" auth_type: "hba" auth_file: /etc/pgbouncer/userlist.txt auth_hba_file: "%{hiera('pgbouncer::auth_hba_file')}" admin_users: - "%{hiera('swh::deploy::db::pgbouncer::user::login')}" - olasd pool_mode: session ignore_startup_parameters: extra_float_digits server_reset_query: DISCARD ALL max_client_conn: 2000 default_pool_size: 2000 max_db_connections: 2000 max_user_connections: 2000 log_connections: 0 log_disconnections: 0 pgbouncer::user: postgres pgbouncer::group: postgres # swh::deploy::db::pgbouncer::user::password in private data pgbouncer::userlist: - user: "%{hiera('swh::deploy::db::pgbouncer::user::login')}" password: "%{hiera('swh::deploy::db::pgbouncer::user::password')}" pgbouncer::databases: [] swh::deploy::directory: "%{hiera('swh::conf_directory')}/deploy" swh::deploy::group: swhdeploy swh::deploy::public_key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWrJX/uUss/EYZaTp2EIsZgg3ZSH8JcNZV5gBdNZ7EHcQcqxYUCqmwv9Ss3xT8n9kIrH6iz/vquqf84XR+keoZK3bsp50tMOY8LJWpcl/JK2XD6ovoJrHPu+iAroLkE59RdTa1Vz+jF67Q2UuG9f0nKwL4rnkeWTyuK/zAbyHyYKFQntkkwMr5/YTU8sjl/4aNF/2Ww8hitdi2GORlCjav2bB0wyPBA2e8sMt8Hp9O4TIWg/RD6vPX+ZvuFaB/Lw/Hv21622QGTHoZiO92/8/W9/t24il6SU4z96ZGfXqdUZkpPYKBGwyIkZkS4dN6jb4CcRlyXTObphyu3dAlABRt swhworker@worker01' swh::deploy::storage::sentry_swh_package: swh.storage swh::deploy::storage::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::storage::sentry_dsn: "https://%{lookup('swh::deploy::storage::sentry_token')}@sentry.softwareheritage.org/3" swh::deploy::storage::conf_directory: "%{hiera('swh::conf_directory')}/storage" swh::deploy::storage::conf_file: "%{hiera('swh::deploy::storage::conf_directory')}/storage.yml" swh::deploy::storage::user: swhstorage swh::deploy::storage::group: swhstorage swh::deploy::storage::db::host: 
db.internal.softwareheritage.org swh::deploy::storage::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::storage::db::user: swhstorage swh::deploy::storage::db::dbname: softwareheritage swh::deploy::storage::directory: "%{hiera('swh::base_directory')}/objects" swh::deploy::storage::backend::listen::host: 127.0.0.1 swh::deploy::storage::backend::listen::port: "%{alias('swh::remote_service::storage::port')}" swh::deploy::storage::backend::workers: 4 swh::deploy::storage::backend::reload_mercy: 3600 swh::deploy::storage::backend::http_keepalive: 5 swh::deploy::storage::backend::http_timeout: 3600 swh::deploy::storage::backend::max_requests: 10000 swh::deploy::storage::backend::max_requests_jitter: 1000 swh::deploy::storage::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" # This can be overriden per storage node swh::deploy::storage::config::local: cls: local args: db: "host=%{hiera('swh::deploy::storage::db::host')} port=%{hiera('swh::deploy::storage::db::port')} user=%{hiera('swh::deploy::storage::db::user')} dbname=%{hiera('swh::deploy::storage::db::dbname')} password=%{hiera('swh::deploy::storage::db::password')}" objstorage: "%{alias('swh::remote_service::objstorage::config')}" swh::deploy::storage::config: storage: "%{alias('swh::deploy::storage::config::local')}" swh::deploy::journal::writer::config: cls: kafka args: brokers: "%{alias('swh::deploy::journal::brokers')}" prefix: "%{alias('swh::deploy::journal::prefix')}" client_id: "swh.storage.journal_writer.%{::swh_hostname.short}" anonymize: true producer_config: message.max.bytes: 1000000000 swh::deploy::journal::backfill::config_file: "%{hiera('swh::deploy::journal::conf_directory')}/backfill.yml" swh::deploy::journal::backfill::user: swhstorage swh::deploy::journal::backfill::group: swhstorage swh::deploy::journal::backfill::config: storage: "%{alias('swh::deploy::storage::config::local')}" journal_writer: "%{alias('swh::deploy::journal::writer::config')}" swh::deploy::indexer::storage::sentry_swh_package: swh.indexer swh::deploy::indexer::storage::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::indexer::storage::sentry_dsn: "%{alias('swh::deploy::indexer::sentry_dsn')}" swh::deploy::indexer::storage::conf_file: "%{hiera('swh::deploy::storage::conf_directory')}/indexer.yml" swh::deploy::indexer::storage::user: swhstorage swh::deploy::indexer::storage::group: swhstorage swh::deploy::indexer::storage::db::host: belvedere.internal.softwareheritage.org swh::deploy::indexer::storage::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::indexer::storage::db::user: swhstorage swh::deploy::indexer::storage::db::dbname: softwareheritage-indexer swh::deploy::indexer::storage::backend::listen::host: 127.0.0.1 swh::deploy::indexer::storage::backend::listen::port: "%{alias('swh::remote_service::indexer::port')}" swh::deploy::indexer::storage::backend::workers: 4 swh::deploy::indexer::storage::backend::reload_mercy: 3600 swh::deploy::indexer::storage::backend::http_keepalive: 5 swh::deploy::indexer::storage::backend::http_timeout: 3600 swh::deploy::indexer::storage::backend::max_requests: 10000 swh::deploy::indexer::storage::backend::max_requests_jitter: 1000 swh::deploy::indexer::storage::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" swh::deploy::indexer::storage::config: indexer_storage: cls: local db: "host=%{hiera('swh::deploy::indexer::storage::db::host')} 
port=%{hiera('swh::deploy::indexer::storage::db::port')} user=%{hiera('swh::deploy::indexer::storage::db::user')} dbname=%{hiera('swh::deploy::indexer::storage::db::dbname')} password=%{hiera('swh::deploy::indexer::storage::db::password')}" swh::deploy::indexer::journal::prefix: 'swh.journal.indexed' swh::deploy::indexer::brokers: "%{alias('swh::deploy::journal::brokers')}" swh::deploy::indexer::journal::writer::config: cls: kafka brokers: "%{alias('swh::deploy::indexer::brokers')}" prefix: "%{alias('swh::deploy::indexer::journal::prefix')}" client_id: "swh.idx_storage.journal_writer.%{::swh_hostname.short}" producer_config: message.max.bytes: 1000000000 swh::deploy::vault::cache: "%{hiera('swh::base_directory')}/vault_cache" # Default cache (orangerie/orangeriedev) is a pathslicing objstorage swh::deploy::vault::config::cache: cls: pathslicing root: "%{hiera('swh::deploy::vault::cache')}" slicing: "0:1/1:5" swh::deploy::vault::sentry_swh_package: swh.vault swh::deploy::vault::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::vault::sentry_dsn: "https://%{lookup('swh::deploy::vault::sentry_token')}@sentry.softwareheritage.org/11" swh::deploy::vault::conf_directory: "%{hiera('swh::conf_directory')}/vault" swh::deploy::vault::conf_file: "%{hiera('swh::deploy::vault::conf_directory')}/server.yml" swh::deploy::vault::user: swhvault swh::deploy::vault::group: swhvault swh::deploy::vault::db::host: db.internal.softwareheritage.org swh::deploy::vault::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::vault::db::user: swh-vault swh::deploy::vault::db::dbname: swh-vault swh::deploy::vault::backend::listen::host: 127.0.0.1 swh::deploy::vault::backend::listen::port: "%{alias('swh::remote_service::vault::port')}" swh::deploy::vault::backend::workers: 4 swh::deploy::vault::backend::reload_mercy: 3600 swh::deploy::vault::backend::http_keepalive: 5 swh::deploy::vault::backend::http_timeout: 3600 swh::deploy::vault::backend::max_requests: 10000 swh::deploy::vault::backend::max_requests_jitter: 1000 swh::deploy::vault::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" swh::deploy::vault::config: storage: cls: retry storage: "%{alias('swh::remote_service::storage::config')}" scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" cache: "%{alias('swh::deploy::vault::config::cache')}" vault: cls: local db: "host=%{hiera('swh::deploy::vault::db::host')} port=%{hiera('swh::deploy::vault::db::port')} user=%{hiera('swh::deploy::vault::db::user')} dbname=%{hiera('swh::deploy::vault::db::dbname')} password=%{hiera('swh::deploy::vault::db::password')}" swh::deploy::journal::conf_directory: "%{hiera('swh::conf_directory')}/journal" swh::deploy::journal::brokers: - kafka1.internal.softwareheritage.org - kafka2.internal.softwareheritage.org - kafka3.internal.softwareheritage.org - kafka4.internal.softwareheritage.org swh::deploy::journal::prefix: swh.journal.objects swh::deploy::journal_simple_checker_producer::conf_file: "%{hiera('swh::deploy::journal::conf_directory')}/checker.yml" swh::deploy::journal_simple_checker_producer::user: swhstorage swh::deploy::journal_simple_checker_producer::group: swhstorage swh::deploy::journal_simple_checker_producer::config: brokers: "%{alias('swh::deploy::journal::brokers')}" temporary_prefix: swh.tmp_journal.new storage_dbconn: "host=%{hiera('swh::deploy::storage::db::host')} port=%{hiera('swh::deploy::storage::db::port')} 
user=%{hiera('swh::deploy::storage::db::user')} dbname=%{hiera('swh::deploy::storage::db::dbname')} password=%{hiera('swh::deploy::storage::db::password')}" object_types: - content - directory - revision - release - origin - origin_visit swh::deploy::objstorage::sentry_swh_package: swh.objstorage swh::deploy::objstorage::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::objstorage::sentry_dsn: "https://%{lookup('swh::deploy::objstorage::sentry_token')}@sentry.softwareheritage.org/4" swh::deploy::objstorage::conf_directory: "%{hiera('swh::conf_directory')}/objstorage" swh::deploy::objstorage::conf_file: "%{hiera('swh::deploy::objstorage::conf_directory')}/server.yml" swh::deploy::objstorage::user: "%{hiera('swh::deploy::storage::user')}" swh::deploy::objstorage::group: "%{hiera('swh::deploy::storage::group')}" swh::deploy::objstorage::directory: "%{hiera('swh::deploy::storage::directory')}" swh::deploy::objstorage::slicing: 0:2/2:4/4:6 swh::deploy::objstorage::config: objstorage: cls: pathslicing args: root: "%{hiera('swh::deploy::objstorage::directory')}" slicing: "%{hiera('swh::deploy::objstorage::slicing')}" client_max_size: 1073741824 # 1 GiB swh::deploy::objstorage::backend::listen::host: 127.0.0.1 swh::deploy::objstorage::backend::listen::port: "%{alias('swh::remote_service::objstorage::port')}" swh::deploy::objstorage::backend::workers: 4 swh::deploy::objstorage::backend::reload_mercy: 3600 swh::deploy::objstorage::backend::http_workers: 1 swh::deploy::objstorage::backend::http_keepalive: 5 swh::deploy::objstorage::backend::http_timeout: 3600 swh::deploy::objstorage::backend::max_requests: 0 swh::deploy::objstorage::backend::max_requests_jitter: 0 swh::deploy::objstorage::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" swh::deploy::deposit::reverse_proxy::backend_http_port: "%{alias('varnish::backend_http_port')}" # aliases are pulled from letsencrypt::certificates[$swh::deploy::deposit::vhost::letsencrypt_cert] swh::deploy::deposit::vhost::letsencrypt_cert: deposit_production swh::deploy::deposit::url: https://deposit.softwareheritage.org swh::deploy::deposit::internal_url: "%{hiera('swh::deploy::deposit::url')}" swh::deploy::deposit::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" swh::deploy::deposit::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" swh::deploy::deposit::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" swh::deploy::deposit::vhost::access_log_format: combined_with_duration swh::deploy::deposit::locked_endpoints: - /1/private/[^/]+/[^/]+/[^/]+ - /1/private/deposits/ # e2e checks on deposit swh::deploy::deposit::e2e::server: "%{hiera('swh::deploy::deposit::url')}/1" swh::deploy::deposit::e2e::user: swh swh::deploy::deposit::e2e::collection: swh swh::deploy::deposit::e2e::poll_interval: 1 swh::deploy::deposit::e2e:archive: /usr/share/swh/icinga-plugins/data/deposit/jesuisgpl.tgz swh::deploy::deposit::e2e:metadata: /usr/share/swh/icinga-plugins/data/deposit/jesuisgpl.tgz.xml # e2e checks on vault swh::deploy::vault::e2e::storage: "http://saam.internal.softwareheritage.org:%{hiera('swh::remote_service::storage::port')}" swh::deploy::vault::e2e::webapp: "https://archive.softwareheritage.org" swh::deploy::deposit::sentry_swh_package: swh.deposit swh::deploy::deposit::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::deposit::sentry_dsn: "https://%{lookup('swh::deploy::deposit::sentry_token')}@sentry.softwareheritage.org/12" 
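# Illustrative sketch only, not an applied setting: the sentry_dsn values above all
# follow the same pattern -- a per-component token kept in private data, interpolated
# into a DSN for the matching project on sentry.softwareheritage.org. A hypothetical
# component 'foo' (the token name and project id 42 are assumptions) would be wired up as:
#  swh::deploy::foo::sentry_swh_package: swh.foo
#  swh::deploy::foo::sentry_environment: "%{alias('swh::deploy::environment')}"
#  swh::deploy::foo::sentry_dsn: "https://%{lookup('swh::deploy::foo::sentry_token')}@sentry.softwareheritage.org/42"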
swh::deploy::deposit::config_directory: "%{hiera('swh::conf_directory')}/deposit" swh::deploy::deposit::config_file: "%{hiera('swh::deploy::deposit::config_directory')}/server.yml" swh::deploy::deposit::user: swhdeposit swh::deploy::deposit::group: swhdeposit swh::deploy::deposit::media_root_directory: /srv/storage/space/swh-deposit/uploads/ swh::deploy::deposit::db::host: db.internal.softwareheritage.org swh::deploy::deposit::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::deposit::db::dbname: softwareheritage-deposit swh::deploy::deposit::db::dbuser: swhstorage # swh::deploy::deposit::db::password: in private data # swh::deploy::deposit::runtime_secret_key in private data swh::deploy::deposit::config: max_upload_size: 209715200 scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" storage_metadata: "%{alias('swh::remote_service::storage::config')}" storage: "%{alias('swh::remote_service::storage::config')}" private: secret_key: "%{hiera('swh::deploy::deposit::runtime_secret_key')}" db: host: "%{hiera('swh::deploy::deposit::db::host')}" port: "%{hiera('swh::deploy::deposit::db::port')}" name: "%{hiera('swh::deploy::deposit::db::dbname')}" user: "%{hiera('swh::deploy::deposit::db::dbuser')}" password: "%{hiera('swh::deploy::deposit::db::password')}" media_root: "%{hiera('swh::deploy::deposit::media_root_directory')}" extraction_dir: /tmp/swh-deposit/archive/ swh::deploy::worker::loader_deposit::config_file: "%{hiera('swh::conf_directory')}/loader_deposit.yml" swh::deploy::worker::loader_deposit::concurrency: 1 swh::deploy::worker::loader_deposit::private_tmp: true swh::deploy::worker::loader_deposit::loglevel: info # deposit_basic_auth_swhworker_{username|password} in private_data swh::deploy::worker::loader_deposit::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 104857600 extraction_dir: /tmp/swh.loader.deposit/ celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.deposit.tasks.LoadDeposit deposit: url: "%{alias('swh::deploy::webapp::deposit::private::url')}" auth: username: "%{hiera('deposit_basic_auth_swhworker_username')}" password: "%{hiera('deposit_basic_auth_swhworker_password')}" swh::deploy::checker_deposit::sentry_swh_package: swh.deposit.loader swh::deploy::checker_deposit::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::worker::checker_deposit::config_file: "%{hiera('swh::conf_directory')}/checker_deposit.yml" swh::deploy::worker::checker_deposit::concurrency: 1 swh::deploy::worker::checker_deposit::private_tmp: true swh::deploy::worker::checker_deposit::loglevel: info # deposit_basic_auth_swhworker_{username|password} in private_data swh::deploy::worker::checker_deposit::config: storage: "%{alias('swh::remote_service::storage::config::writable')}" extraction_dir: /tmp/swh.checker.deposit/ celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_modules: - swh.deposit.loader.tasks task_queues: - swh.deposit.loader.tasks.ChecksDepositTsk deposit: url: "%{hiera('swh::deploy::deposit::internal_url')}/1/private/" auth: username: "%{hiera('deposit_basic_auth_swhworker_username')}" password: "%{hiera('deposit_basic_auth_swhworker_password')}" swh::deploy::deposit::backend::listen::host: 127.0.0.1 swh::deploy::deposit::backend::listen::port: "%{alias('swh::remote_service::deposit::port')}" swh::deploy::deposit::backend::workers: 8 swh::deploy::deposit::backend::reload_mercy: 3600 
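The loader_deposit and checker_deposit workers above reach the private deposit API with HTTP basic auth credentials kept in private data. A minimal sketch of how a client could consume such a rendered configuration; the /etc/softwareheritage path is an assumption (swh::conf_directory is defined elsewhere in this hierarchy) and the real swh loader code differs:

import yaml
import requests

# Assumed rendered location of swh::deploy::worker::loader_deposit::config_file.
with open("/etc/softwareheritage/loader_deposit.yml") as f:
    cfg = yaml.safe_load(f)

session = requests.Session()
session.auth = (
    cfg["deposit"]["auth"]["username"],
    cfg["deposit"]["auth"]["password"],
)
# Any request against the private deposit API then carries basic auth credentials.
response = session.get(cfg["deposit"]["url"])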
swh::deploy::deposit::backend::http_keepalive: 5
swh::deploy::deposit::backend::http_timeout: 3600

swh::deploy::objstorage_log_checker::conf_directory: "%{hiera('swh::deploy::objstorage::conf_directory')}"
swh::deploy::objstorage_log_checker::conf_file: "%{hiera('swh::deploy::objstorage_log_checker::conf_directory')}/log_checker.yml"
swh::deploy::objstorage_log_checker::user: "%{hiera('swh::deploy::objstorage::user')}"
swh::deploy::objstorage_log_checker::group: "%{hiera('swh::deploy::objstorage::group')}"
swh::deploy::objstorage_log_checker::config:
  storage:
    cls: pathslicing
    args:
      root: "%{hiera('swh::deploy::objstorage::directory')}"
      slicing: "%{hiera('swh::deploy::objstorage::slicing')}"
  batch_size: 1000
  log_tag: objstorage.checker.log

swh::deploy::objstorage_repair_checker::conf_directory: "%{hiera('swh::deploy::objstorage::conf_directory')}"
swh::deploy::objstorage_repair_checker::conf_file: "%{hiera('swh::deploy::objstorage_repair_checker::conf_directory')}/repair_checker.yml"
swh::deploy::objstorage_repair_checker::user: "%{hiera('swh::deploy::objstorage::user')}"
swh::deploy::objstorage_repair_checker::group: "%{hiera('swh::deploy::objstorage::group')}"
swh::deploy::objstorage_repair_checker::config:
  storage:
    cls: pathslicing
    args:
      root: "%{hiera('swh::deploy::objstorage::directory')}"
      slicing: "%{hiera('swh::deploy::objstorage::slicing')}"
  batch_size: 1000
  log_tag: objstorage.checker.repair
  backup_storages: "%{alias('swh::remote_service::objstorage::config_as_dict')}"

swh::deploy::webapp::backported_packages:
  stretch:
    - python3-django
    - python-django-common
  buster:
    - python3-django
    - python3-typing-extensions
swh::deploy::deposit::backported_packages: "%{alias('swh::deploy::webapp::backported_packages')}"

swh::deploy::webapp::sentry_swh_package: swh.web
swh::deploy::webapp::sentry_environment: "%{alias('swh::deploy::environment')}"
swh::deploy::webapp::sentry_dsn: "https://%{lookup('swh::deploy::webapp::sentry_token')}@sentry.softwareheritage.org/13"

swh::deploy::webapp::conf_directory: "%{hiera('swh::conf_directory')}/web"
swh::deploy::webapp::conf_file: "%{hiera('swh::deploy::webapp::conf_directory')}/web.yml"
swh::deploy::webapp::user: swhwebapp
swh::deploy::webapp::group: swhwebapp
swh::deploy::webapp::conf::log_dir: "%{hiera('swh::log_directory')}/webapp"
swh::deploy::webapp::backend::listen::host: 127.0.0.1
swh::deploy::webapp::backend::listen::port: "%{alias('swh::remote_service::webapp::port')}"
swh::deploy::webapp::backend::workers: 32
swh::deploy::webapp::backend::http_keepalive: 5
swh::deploy::webapp::backend::http_timeout: 3600
swh::deploy::webapp::backend::reload_mercy: 3600
swh::deploy::webapp::reverse_proxy::backend_http_port: "%{alias('varnish::backend_http_port')}"
# aliases are pulled from letsencrypt::certificates[$swh::deploy::webapp::vhost::letsencrypt_cert]
swh::deploy::webapp::vhost::letsencrypt_cert: archive_production
swh::deploy::webapp::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}"
swh::deploy::webapp::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}"
swh::deploy::webapp::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}"
swh::deploy::webapp::vhost::hsts_header: "%{hiera('apache::hsts_header')}"
swh::deploy::webapp::vhost::access_log_format: combined_with_duration
swh::deploy::webapp::config::es_workers_index_url: http://esnode1.internal.softwareheritage.org:9200/swh_workers-*
swh::deploy::webapp::production_db_dir: /var/lib/swh
swh::deploy::webapp::production_db:
"%{hiera('swh::deploy::webapp::production_db_dir')}/web.sqlite3" swh::deploy::webapp::deposit::private::url: "%{hiera('swh::deploy::deposit::internal_url')}/1/private/" swh::deploy::webapp::config::throttling: cache_uri: "%{hiera('memcached::server::bind')}:%{hiera('memcached::server::port')}" scopes: swh_api: limiter_rate: default: 120/h exempted_networks: - 127.0.0.0/8 - 192.168.100.0/23 - 128.93.193.29 - 131.107.174.0/24 # OpenAIRE - 213.135.60.145 - 213.135.60.146 # DINSIC - 37.187.137.47 # Antoine Eiche - 37.187.96.121 swh_api_origin_search: limiter_rate: default: 10/m swh_api_origin_visit_latest: # This endpoint gets called a lot (by default, up to 70 times # per origin search), so it deserves a much higher rate-limit # than the rest of the API. limiter_rate: default: 700/m swh_vault_cooking: limiter_rate: default: 120/h GET: 60/m exempted_networks: - 127.0.0.0/8 - 192.168.100.0/23 - 128.93.193.29 - 131.107.174.0/24 # OpenAIRE - 213.135.60.145 - 213.135.60.146 # Antoine Eiche - 37.187.96.121 swh_save_origin: limiter_rate: default: 120/h POST: 10/h exempted_networks: - 127.0.0.0/8 - 192.168.100.0/23 - 128.93.193.29 - 131.107.174.0/24 # OpenAIRE - 213.135.60.145 - 213.135.60.146 # Antoine Eiche - 37.187.96.121 swh::deploy::webapp::config::keycloak: server_url: "https://%{hiera('keycloak::vhost::name')}/auth/" realm_name: SoftwareHeritage # in private data: # deposit_basic_auth_swhworker_username # deposit_basic_auth_swhworker_password swh::deploy::webapp::config: search: "%{alias('swh::remote_service::search::config')}" storage: "%{alias('swh::remote_service::storage::config')}" vault: "%{alias('swh::remote_service::vault::config::writable')}" indexer_storage: "%{alias('swh::remote_service::indexer::config')}" scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" log_dir: "%{hiera('swh::deploy::webapp::conf::log_dir')}" secret_key: "%{hiera('swh::deploy::webapp::conf::secret_key')}" content_display_max_size: 1048576 throttling: "%{alias('swh::deploy::webapp::config::throttling')}" production_db: "%{hiera('swh::deploy::webapp::production_db')}" es_workers_index_url: "%{alias('swh::deploy::webapp::config::es_workers_index_url')}" deposit: private_api_url: "%{hiera('swh::deploy::webapp::deposit::private::url')}" private_api_user: "%{hiera('deposit_basic_auth_swhworker_username')}" private_api_password: "%{hiera('deposit_basic_auth_swhworker_password')}" client_config: sentry_dsn: "%{lookup('swh::deploy::webapp::sentry_dsn')}" keycloak: "%{alias('swh::deploy::webapp::config::keycloak')}" swh::deploy::webapp::locked_endpoints: - /api/1/content/[^/]+/symbol/ - /api/1/entity/ - /api/1/provenance/ # local configuration for the scheduler swh::deploy::scheduler::config::local: &swh_scheduler_local_config scheduler: cls: local db: "host=%{hiera('swh::deploy::scheduler::db::host')} port=%{hiera('swh::deploy::scheduler::db::port')} dbname=%{hiera('swh::deploy::scheduler::db::dbname')} user=%{hiera('swh::deploy::scheduler::db::user')} password=%{hiera('swh::deploy::scheduler::db::password')}" swh::deploy::scheduler::sentry_swh_package: swh.scheduler swh::deploy::scheduler::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::scheduler::sentry_dsn: "https://%{lookup('swh::deploy::scheduler::sentry_token')}@sentry.softwareheritage.org/7" swh::deploy::scheduler::conf_dir: "%{lookup('swh::conf_directory')}/scheduler" swh::deploy::scheduler::conf_file: "%{hiera('swh::deploy::scheduler::conf_dir')}/listener-runner.yml" swh::deploy::scheduler::user: swhscheduler 
swh::deploy::scheduler::group: swhscheduler swh::deploy::scheduler::db::host: db.internal.softwareheritage.org swh::deploy::scheduler::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::scheduler::db::dbname: softwareheritage-scheduler swh::deploy::scheduler::db::user: swhscheduler # swh::deploy::scheduler::db::password in private data # swh::deploy::scheduler::task_broker::password in private data swh::deploy::scheduler::task_broker: "amqp://swhproducer:%{hiera('swh::deploy::scheduler::task_broker::password')}@rabbitmq:5672/%2f" swh::deploy::scheduler::listener::log_level: INFO swh::deploy::scheduler::runner::log_level: INFO swh::deploy::scheduler::config: <<: *swh_scheduler_local_config celery: task_broker: "%{alias('swh::deploy::scheduler::task_broker')}" swh::deploy::scheduler::packages: - python3-swh.scheduler swh::deploy::scheduler::remote::sentry_swh_package: swh.scheduler swh::deploy::scheduler::remote::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::scheduler::remote::sentry_dsn: "%{alias('swh::deploy::scheduler::sentry_dsn')}" swh::deploy::scheduler::remote::conf_dir: "%{alias('swh::deploy::scheduler::conf_dir')}" swh::deploy::scheduler::remote::conf_file: "%{hiera('swh::deploy::scheduler::remote::conf_dir')}/backend.yml" swh::deploy::scheduler::remote::user: swhscheduler swh::deploy::scheduler::remote::group: swhscheduler swh::deploy::scheduler::remote::backend::listen::host: 127.0.0.1 swh::deploy::scheduler::remote::backend::listen::port: "%{alias('swh::remote_service::scheduler::port')}" swh::deploy::scheduler::remote::backend::workers: 16 swh::deploy::scheduler::remote::backend::reload_mercy: 3600 swh::deploy::scheduler::remote::backend::http_keepalive: 5 swh::deploy::scheduler::remote::backend::http_timeout: 3600 swh::deploy::scheduler::remote::backend::max_requests: 10000 swh::deploy::scheduler::remote::backend::max_requests_jitter: 1000 swh::deploy::scheduler::remote::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" swh::deploy::scheduler::remote::config: "%{alias('swh::deploy::scheduler::config::local')}" swh::elasticsearch::nodes: - host: esnode2.internal.softwareheritage.org port: 9200 - host: esnode3.internal.softwareheritage.org port: 9200 - host: esnode1.internal.softwareheritage.org port: 9200 swh::deploy::scheduler::archive::conf_file: "%{lookup('swh::deploy::scheduler::conf_dir')}/elastic.yml" swh::deploy::scheduler::archive::user: "%{hiera('swh::deploy::scheduler::user')}" swh::deploy::scheduler::archive::config: scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" elasticsearch: cls: local args: index_name_prefix: swh-tasks storage_nodes: "%{alias('swh::elasticsearch::nodes')}" client_options: sniff_on_start: false sniff_on_connection_fail: true http_compress: false sniffer_timeout: 60 swh::deploy::scheduler::journal_client::config_file: "%{lookup('swh::deploy::scheduler::conf_dir')}/journal-client.yml" swh::deploy::scheduler::journal_client::user: "%{alias('swh::deploy::scheduler::user')}" swh::deploy::scheduler::journal_client::group: "%{alias('swh::deploy::scheduler::group')}" swh::deploy::scheduler::journal_client::config: <<: *swh_scheduler_local_config journal: brokers: "%{alias('swh::deploy::journal::brokers')}" group_id: swh.scheduler.journal_client # Main lister configuration swh::deploy::worker::lister::db::user: swh-lister swh::deploy::worker::lister::db::name: swh-lister swh::deploy::worker::lister::db::host: 
db.internal.softwareheritage.org swh::deploy::worker::lister::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" # swh::deploy::lister::db::password in private data # swh::deploy::worker::task_broker::password in private data swh::deploy::worker::task_broker: "amqp://swhconsumer:%{hiera('swh::deploy::worker::task_broker::password')}@rabbitmq:5672/%2f" swh::deploy::worker::instances: - loader_debian - loader_git - lister swh::deploy::loader_git::sentry_swh_package: swh.loader.git swh::deploy::loader_git::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::loader_git::sentry_dsn: "https://%{lookup('swh::deploy::loader_git::sentry_token')}@sentry.softwareheritage.org/8" swh::deploy::worker::loader_git::config_file: "%{hiera('swh::conf_directory')}/loader_git.yml" swh::deploy::worker::loader_git::concurrency: 1 swh::deploy::worker::loader_git::max_tasks_per_child: 100 swh::deploy::worker::loader_git::loglevel: info swh::deploy::worker::loader_git::save_data_path: /srv/storage/space/data/sharded_packfiles swh::deploy::worker::loader_git::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 104857600 save_data: false save_data_path: "%{alias('swh::deploy::worker::loader_git::save_data_path')}" directory_packet_size: 100 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.git.tasks.UpdateGitRepository # loader-git-disk - swh.loader.git.tasks.LoadDiskGitRepository - swh.loader.git.tasks.UncompressAndLoadDiskGitRepository # for all loader packages swh::deploy::loader_core::sentry_swh_package: swh.loader.core swh::deploy::loader_core::sentry_environment: "%{hiera('swh::deploy::environment')}" swh::deploy::loader_core::sentry_dsn: "https://%{lookup('swh::deploy::loader_core::sentry_token')}@sentry.softwareheritage.org/9" swh::deploy::worker::loader_debian::config_file: "%{hiera('swh::conf_directory')}/loader_debian.yml" swh::deploy::worker::loader_debian::private_tmp: true swh::deploy::worker::loader_debian::concurrency: 1 swh::deploy::worker::loader_debian::loglevel: info swh::deploy::worker::loader_debian::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 104857600 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.debian.tasks.LoadDebian swh::deploy::worker::loader_archive::config_file: "%{hiera('swh::conf_directory')}/loader_archive.yml" swh::deploy::worker::loader_archive::private_tmp: true swh::deploy::worker::loader_archive::concurrency: 1 swh::deploy::worker::loader_archive::loglevel: info swh::deploy::worker::loader_archive::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 104857600 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.archive.tasks.LoadArchive swh::deploy::worker::loader_cran::config_file: "%{hiera('swh::conf_directory')}/loader_cran.yml" swh::deploy::worker::loader_cran::private_tmp: true swh::deploy::worker::loader_cran::concurrency: 1 swh::deploy::worker::loader_cran::loglevel: info swh::deploy::worker::loader_cran::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 104857600 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.cran.tasks.LoadCRAN swh::deploy::worker::loader_nixguix::config_file: "%{hiera('swh::conf_directory')}/loader_nixguix.yml" swh::deploy::worker::loader_nixguix::private_tmp: true 
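Each worker configuration above boils down to a Celery broker URL plus a list of task queues. A generic Celery illustration of how those two settings are consumed; this is not SWH's actual worker entry point (which also registers the swh task modules), and the config path is assumed from the config_file key above:

import yaml
from celery import Celery

# Assumed rendered location of swh::deploy::worker::loader_git::config_file.
with open("/etc/softwareheritage/loader_git.yml") as f:
    cfg = yaml.safe_load(f)

app = Celery(broker=cfg["celery"]["task_broker"])
# Start a worker consuming exactly the queues listed under celery.task_queues
# (blocks; shown only to illustrate how broker and queues are wired together).
app.worker_main(["worker", "-Q", ",".join(cfg["celery"]["task_queues"]), "--loglevel", "info"])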
swh::deploy::worker::loader_nixguix::concurrency: 1 swh::deploy::worker::loader_nixguix::loglevel: info swh::deploy::worker::loader_nixguix::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 104857600 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.nixguix.tasks.LoadNixguix unsupported_file_extensions: - patch - iso - whl - gem - pom - msi - pod - png - rock - ttf - jar - c - el - rpm - diff swh::deploy::lister::db::local: cls: local args: db: "postgresql://%{hiera('swh::deploy::worker::lister::db::user')}:%{hiera('swh::deploy::lister::db::password')}@%{hiera('swh::deploy::worker::lister::db::host')}:%{hiera('swh::deploy::worker::lister::db::port')}/%{hiera('swh::deploy::worker::lister::db::name')}" swh::deploy::lister::sentry_swh_package: swh.lister swh::deploy::lister::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::lister::sentry_dsn: "https://%{lookup('swh::deploy::lister::sentry_token')}@sentry.softwareheritage.org/6" swh::deploy::worker::lister::config_file: "%{hiera('swh::conf_directory')}/lister.yml" swh::deploy::worker::lister::concurrency: 5 swh::deploy::worker::lister::loglevel: warning swh::deploy::worker::lister::config: storage: "%{alias('swh::remote_service::storage::config::writable')}" scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" lister: "%{alias('swh::deploy::lister::db::local')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.lister.bitbucket.tasks.IncrementalBitBucketLister - swh.lister.bitbucket.tasks.FullBitBucketRelister - swh.lister.cgit.tasks.CGitListerTask - swh.lister.cran.tasks.CRANListerTask - swh.lister.debian.tasks.DebianListerTask - swh.lister.gitea.tasks.IncrementalGiteaLister - swh.lister.gitea.tasks.RangeGiteaLister - swh.lister.gitea.tasks.FullGiteaRelister - swh.lister.gitlab.tasks.IncrementalGitLabLister - swh.lister.gitlab.tasks.RangeGitLabLister - swh.lister.gitlab.tasks.FullGitLabRelister - swh.lister.gnu.tasks.GNUListerTask - swh.lister.launchpad.tasks.FullLaunchpadLister - swh.lister.launchpad.tasks.IncrementalLaunchpadLister - swh.lister.npm.tasks.NpmListerTask - swh.lister.phabricator.tasks.FullPhabricatorLister - swh.lister.pypi.tasks.PyPIListerTask credentials: "%{alias('swh::deploy::worker::lister::config::credentials')}" swh::deploy::loader_mercurial::sentry_swh_package: swh.loader.mercurial swh::deploy::loader_mercurial::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::loader_mercurial::sentry_dsn: "https://%{lookup('swh::deploy::loader_mercurial::sentry_token')}@sentry.softwareheritage.org/10" swh::deploy::worker::loader_mercurial::config_file: "%{hiera('swh::conf_directory')}/loader_mercurial.yml" swh::deploy::worker::loader_mercurial::concurrency: 1 swh::deploy::worker::loader_mercurial::private_tmp: true swh::deploy::worker::loader_mercurial::loglevel: info swh::deploy::worker::loader_mercurial::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 104857600 reduce_effort: False clone_timeout_seconds: 7200 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.mercurial.tasks.LoadMercurial - swh.loader.mercurial.tasks.LoadArchiveMercurial swh::deploy::worker::loader_pypi::config_file: "%{hiera('swh::conf_directory')}/loader_pypi.yml" swh::deploy::worker::loader_pypi::concurrency: 1 swh::deploy::worker::loader_pypi::private_tmp: true 
swh::deploy::worker::loader_pypi::loglevel: info swh::deploy::worker::loader_pypi::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 104857600 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.pypi.tasks.LoadPyPI swh::deploy::worker::loader_npm::config_file: "%{hiera('swh::conf_directory')}/loader_npm.yml" swh::deploy::worker::loader_npm::concurrency: 1 swh::deploy::worker::loader_npm::private_tmp: true swh::deploy::worker::loader_npm::loglevel: info swh::deploy::worker::loader_npm::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 104857600 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.npm.tasks.LoadNpm swh::deploy::loader_svn::sentry_swh_package: swh.loader.svn swh::deploy::loader_svn::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::loader_svn::sentry_dsn: "https://%{lookup('swh::deploy::loader_svn::sentry_token')}@sentry.softwareheritage.org/14" swh::deploy::worker::loader_svn::config_file: "%{hiera('swh::conf_directory')}/loader_svn.yml" swh::deploy::worker::loader_svn::concurrency: 1 swh::deploy::worker::loader_svn::private_tmp: true swh::deploy::worker::loader_svn::limit_no_file: 8192 swh::deploy::worker::loader_svn::loglevel: info # Contains a password: in private data swh::deploy::worker::loader_svn::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 104857600 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.svn.tasks.LoadSvnRepository - swh.loader.svn.tasks.MountAndLoadSvnRepository - swh.loader.svn.tasks.DumpMountAndLoadSvnRepository swh::deploy::base_indexer::config_directory: "%{hiera('swh::conf_directory')}/indexer" swh::deploy::indexer_journal_client::config_file: "journal_client.yml" swh::deploy::indexer_journal_client::user: swhstorage swh::deploy::indexer_journal_client::group: swhstorage swh::deploy::indexer_journal_client::config: journal: brokers: "%{alias('swh::deploy::journal::brokers')}" group_id: swh.indexer.journal_client prefix: "%{alias('swh::deploy::journal::prefix')}" scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" # for all indexers swh::deploy::indexer::sentry_swh_package: swh.indexer swh::deploy::indexer::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::indexer::sentry_dsn: "https://%{lookup('swh::deploy::indexer::sentry_token')}@sentry.softwareheritage.org/5" swh::deploy::worker::indexer_content_mimetype::config_file: "%{hiera('swh::conf_directory')}/indexer_content_mimetype.yml" swh::deploy::worker::indexer_content_mimetype::concurrency: 1 swh::deploy::worker::indexer_content_mimetype::loglevel: info # Contains a password: in private data swh::deploy::worker::indexer_content_mimetype::config: scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" indexer_storage: "%{alias('swh::remote_service::indexer::config::writable')}" objstorage: "%{alias('swh::remote_service::objstorage::config')}" storage: "%{alias('swh::remote_service::storage::config')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_modules: - swh.indexer.tasks task_queues: - swh.indexer.tasks.ContentMimetypePartition tools: name: file version: 2:0.4.15-2 configuration: type: library debian-package: python3-magic write_batch_size: 1000 swh::deploy::worker::indexer_origin_intrinsic_metadata::config_file: 
"%{hiera('swh::conf_directory')}/indexer_origin_intrinsic_metadata.yml" swh::deploy::worker::indexer_origin_intrinsic_metadata::concurrency: 1 swh::deploy::worker::indexer_origin_intrinsic_metadata::loglevel: info # Contains a password: in private data swh::deploy::worker::indexer_origin_intrinsic_metadata::config: scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" indexer_storage: "%{alias('swh::remote_service::indexer::config::writable')}" objstorage: "%{alias('swh::remote_service::objstorage::config')}" storage: "%{alias('swh::remote_service::storage::config')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_modules: - swh.indexer.tasks task_queues: - swh.indexer.tasks.OriginMetadata tools: name: swh-metadata-detector version: 0.0.2 configuration: {} swh::deploy::worker::indexer_rehash::config_file: "rehash.yml" swh::deploy::worker::indexer_rehash::concurrency: 5 swh::deploy::worker::indexer_rehash::loglevel: info # Contains a password: in private data swh::deploy::worker::indexer_rehash::config: storage: "%{alias('swh::remote_service::storage::config::writable')}" objstorage: "%{alias('swh::remote_service::objstorage::config')}" compute_checksums: - blake2s256 batch_size_retrieve_content: 10000 batch_size_update: 5000 swh::deploy::worker::indexer_fossology_license::config_file: "%{hiera('swh::conf_directory')}/indexer_fossology_license.yml" swh::deploy::worker::indexer_fossology_license::concurrency: 1 swh::deploy::worker::indexer_fossology_license::loglevel: info # Contains a password: in private data swh::deploy::worker::indexer_fossology_license::config: indexer_storage: "%{alias('swh::remote_service::indexer::config::writable')}" objstorage: "%{alias('swh::remote_service::objstorage::config')}" storage: "%{alias('swh::remote_service::storage::config')}" workdir: /tmp/swh/indexer.fossology.license/ tools: name: 'nomos' version: '3.1-1~bpo9~swh+1' configuration: command_line: "nomossa " celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_modules: - swh.indexer.tasks task_queues: - swh.indexer.tasks.ContentFossologyLicensePartition write_batch_size: 1000 swh::deploy::vault_cooker::sentry_swh_package: swh.vault swh::deploy::vault_cooker::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::worker::vault_cooker::config_file: "%{hiera('swh::conf_directory')}/vault_cooker.yml" swh::deploy::worker::vault_cooker::concurrency: 20 swh::deploy::worker::vault_cooker::loglevel: info swh::deploy::worker::vault_cooker::conf_file: "%{hiera('swh::conf_directory')}/vault/cooker.yml" swh::deploy::worker::vault_cooker::config: storage: cls: retry storage: "%{alias('swh::remote_service::storage::config')}" vault: "%{alias('swh::remote_service::vault::config::writable')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_modules: - swh.vault.cooking_tasks task_queues: - swh.vault.cooking_tasks.SWHCookingTask - swh.vault.cooking_tasks.SWHBatchCookingTask max_bundle_size: 1073741824 # 1GiB desktop::printers: MFP_C: uri: lpd://print.paris.inria.fr/MFP_C-pro description: Impression couleur location: Partout ppd: "%{hiera('desktop::printers::ppd_dir')}/MFP_Paris.ppd" ppd_options: ColorType: Color MFP: uri: lpd://print.paris.inria.fr/MFP-pro description: Impression Noir et Blanc location: Partout ppd: "%{hiera('desktop::printers::ppd_dir')}/MFP_Paris.ppd" ppd_options: ColorType: Mono desktop::printers::default: MFP desktop::printers::ppd_dir: /usr/share/ppd/softwareheritage 
desktop::printers::cups_usernames: ardumont: andumont morane: mgruenpe olasd: ndandrim seirl: apietri zack: zacchiro # Real exported files from munin stats_export::export_path: "/var/www/stats.export.softwareheritage.org" stats_export::export_file: "%{hiera('stats_export::export_path')}/history_counters.json" # Exposed through the following host's apache venv stats_export::vhost::name: stats.export.softwareheritage.org stats_export::vhost::docroot: "/var/www/%{hiera('stats_export::vhost::name')}" stats_export::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" stats_export::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" stats_export::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" stats_export::vhost::hsts_header: "%{hiera('apache::hsts_header')}" icinga2::role: agent icinga2::master::zonename: master icinga2::master::db::username: icinga2 # icinga2::master::db::password in private data icinga2::master::db::database: icinga2 icinga2::icingaweb2::db::username: icingaweb2 # icinga2::icingaweb2::db::password in private data icinga2::icingaweb2::db::database: icingaweb2 icinga2::icingaweb2::protected_customvars: - "*pw*" - "*pass*" - community - http_auth_pair # Must have matching certificate in letsencrypt::certificates icinga2::icingaweb2::vhost::name: icinga.softwareheritage.org icinga2::icingaweb2::vhost::aliases: - icinga.internal.softwareheritage.org icinga2::icingaweb2::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" icinga2::icingaweb2::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" icinga2::icingaweb2::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" icinga2::icingaweb2::vhost::hsts_header: "%{hiera('apache::hsts_header')}" icinga2::parent_zone: master icinga2::parent_endpoints: pergamon.softwareheritage.org: host: 192.168.100.29 icinga2::network: "%{lookup('internal_network')}" icinga2::features: - checker - mainlog icinga2::service_configuration: load: default: load_wload1: 30 load_wload5: 28 load_wload15: 26 load_cload1: 50 load_cload5: 45 load_cload15: 40 sql: load_wload1: 50 load_wload5: 40 load_wload15: 35 load_cload1: 70 load_cload5: 60 load_cload15: 50 high: load_wload1: 140 load_wload5: 120 load_wload15: 100 load_cload1: 240 load_cload5: 220 load_cload15: 200 icinga2::host::vars: os: Linux cores: "%{::processorcount}" virtual_machine: "%{::is_virtual}" distro: "%{::operatingsystem}" disks: 'disk /': disk_partitions: '/' icinga2::disk::excludes: - ^/srv/containers/ - ^/var/lib/docker/overlay2/ - ^/var/lib/docker/buildkit/ - ^/run/schroot/ icinga2::apiusers: root: # password in private data permissions: - '*' icinga2::exported_checks::filename: "/etc/icinga2/zones.d/%{hiera('icinga2::parent_zone')}/exported-checks.conf" logstash_hosts: - logstash.internal.softwareheritage.org:5044 systemd_journal::logstash_hosts: "%{alias('logstash_hosts')}" filebeat::config: filebeat.config.inputs: enabled: true path: inputs.d/*.yml output: logstash: hosts: "%{alias('logstash_hosts')}" memcached::server::bind: 127.0.0.1 memcached::server::port: 11211 memcached::server::max_memory: '5%' mountpoints: /srv/storage/space: device: saam:/srv/storage/space fstype: nfs options: - rw - soft - intr - rsize=8192 - wsize=8192 - noauto - x-systemd.automount - x-systemd.device-timeout=10 /srv/softwareheritage/objects: device: saam:/srv/softwareheritage/objects fstype: nfs options: - rw - soft - intr - rsize=8192 - wsize=8192 - noauto - x-systemd.automount - x-systemd.device-timeout=10 ceph::release: luminous ceph::fsid: 
b3e34018-388e-499b-9579-d1c0d57e8c09 # needs to match the values of $::hostname on the ceph monitors ceph::mon_initial_members: - ceph-mon1 ceph::mon_host: - 192.168.100.170 ceph::keys: admin: secret: "%{hiera('ceph::secrets::admin')}" cap_mds: allow cap_mgr: allow * cap_mon: allow * cap_osd: allow * bootstrap-osd: secret: "%{hiera('ceph::secrets::bootstrap_osd')}" cap_mon: allow profile bootstrap-osd proxmox-rbd: secret: "%{hiera('ceph::secrets::proxmox_rbd')}" cap_mon: profile rbd cap_osd: profile rbd pool=rbd swh-contents: secret: "%{hiera('ceph::secrets::swh_contents')}" cap_mon: allow r cap_osd: allow r pool=swh_contents swh-contents-rw: secret: "%{hiera('ceph::secrets::swh_contents_rw')}" cap_mon: allow r cap_osd: allow rw pool=swh_contents swh-contents-test: secret: "%{hiera('ceph::secrets::swh_contents_test')}" cap_mon: allow r cap_osd: allow r pool=swh_contents_test swh-contents-test-rw: secret: "%{hiera('ceph::secrets::swh_contents_test_rw')}" cap_mon: allow r cap_osd: allow rw pool=swh_contents_test ceph::default_client_keyring: /etc/softwareheritage/ceph-keyring ceph::client_keyrings: '/etc/softwareheritage/ceph-keyring': owner: root group: swhdev mode: '0644' keys: - swh-contents - swh-contents-test swh::deploy::objstorage::ceph::keyring: "%{alias('ceph::default_client_keyring')}" swh::deploy::objstorage::ceph::pool_name: swh_contents swh::deploy::objstorage::ceph::rados_id: swh-contents swh::deploy::objstorage::ceph::config: cls: rados args: pool_name: "%{alias('swh::deploy::objstorage::ceph::pool_name')}" rados_id: "%{alias('swh::deploy::objstorage::ceph::rados_id')}" ceph_config: keyring: "%{alias('swh::deploy::objstorage::ceph::keyring')}" nginx::package_name: nginx-light nginx::accept_mutex: 'off' nginx::names_hash_bucket_size: 128 nginx::names_hash_max_size: 1024 nginx::worker_processes: "%{::processorcount}" prometheus::server::defaults_config: web: enable_admin_api: true storage: tsdb: retention: '1y' prometheus::server::config::global: scrape_interval: 1m scrape_timeout: 45s prometheus::server::listen_network: "%{lookup('internal_network')}" prometheus::server::listen_port: 9090 prometheus::server::certname: pergamon.softwareheritage.org swh::deploy::environment: production prometheus::static_labels: instance: "%{::swh_hostname.internal_fqdn}" environment: "%{lookup('swh::deploy::environment')}" prometheus::node::listen_network: "%{lookup('internal_network')}" prometheus::node::listen_port: 9100 prometheus::node::textfile_directory: /var/lib/prometheus/node-exporter prometheus::node::defaults_config: collector: diskstats: ignored_devices: "^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$" filesystem: ignored_mount_points: "^/(sys|proc|dev|run|srv/softwareheritage/objects/[0-9a-f][0-9a-f])($|/)" systemd: true logind: true loadavg: true ntp: true netstat: true netdev: ignored_devices: "^lo$" textfile: directory: "%{lookup('prometheus::node::textfile_directory')}" prometheus::node::scripts::directory: /var/lib/prometheus/node-exporter-scripts prometheus::node::scripts: puppet-classes: mode: cron cron: user: root specification: minute: fqdn_rand apt: mode: cron cron: user: root specification: minute: fqdn_rand prometheus::statsd::listen_network: "%{lookup('internal_network')}" prometheus::statsd::listen_port: 9102 prometheus::statsd::defaults_config: {} prometheus::statsd::statsd_listen_tcp: 127.0.0.1:8125 prometheus::statsd::statsd_listen_udp: 127.0.0.1:8125 prometheus::statsd::mapping: defaults: timer_type: histogram buckets: - .005 - .01 - .025 - .05 - .1 - .25 - .5 
- .75 - 1 - 2 - 5 - 10 - 15 - 30 - 45 - 60 - 120 - 300 - 600 - 900 - 1800 - 2700 - 3600 - 7200 prometheus::sql::listen_network: "%{lookup('internal_network')}" prometheus::sql::listen_port: 9237 prometheus::sql::config_snippets: - activity - queries - replication - wal prometheus::jmx::version: 0.11.0 prometheus::kafka::listen_network: "%{lookup('internal_network')}" prometheus::kafka::listen_port: 7071 prometheus::kafka_consumer_group::listen_network: "%{lookup('internal_network')}" prometheus::kafka_consumer_group::base_port: 9208 prometheus::rabbitmq::listen_network: "%{lookup('internal_network')}" prometheus::rabbitmq::listen_port: 9419 # Include first, then skip prometheus::rabbitmq::include_vhost: .* prometheus::rabbitmq::skip_vhost: ^$ prometheus::rabbitmq::include_queues: .* prometheus::rabbitmq::skip_queues: ^(.*\.pidbox|amq\.gen.*|.*\.tasks\.ping)$ prometheus::rabbitmq::rabbit_capabilities: - bert - no_sort prometheus::rabbitmq::rabbit_exporters: - exchange - node - queue prometheus::rabbitmq::rabbit_timeout: 30 prometheus::rabbitmq::exclude_metrics: [] grafana::db::database: grafana grafana::db::username: grafana # grafana::db::password in private-data grafana::backend::port: 3000 # Must have a matching certificate in letsencrypt::certificates grafana::vhost::name: grafana.softwareheritage.org grafana::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" grafana::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" grafana::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" grafana::vhost::hsts_header: "%{hiera('apache::hsts_header')}" grafana::config: app_mode: production server: root_url: "https://%{lookup('grafana::vhost::name')}/" http_port: "%{alias('grafana::backend::port')}" users: allow_sign_up: false auth.anonymous: enabled: true org_name: Software Heritage org_role: Viewer smtp: enabled: true skip_verify: true from_address: grafana@softwareheritage.org grafana::objects::organizations: - name: Software Heritage id: 1 grafana::objects::users: [] grafana::objects::datasources: - name: Prometheus (Pergamon) url: "http://pergamon.internal.softwareheritage.org:%{hiera('prometheus::server::listen_port')}" type: prometheus organization: 1 access_mode: proxy is_default: true java::distribution: jre jenkins::backend::url: http://thyssen.internal.softwareheritage.org:8080/ jenkins::vhost::name: jenkins.softwareheritage.org jenkins::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" jenkins::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" jenkins::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" jenkins::vhost::hsts_header: "%{hiera('apache::hsts_header')}" jenkins::agent::jar_url: "https://%{hiera('jenkins::vhost::name')}/jnlpJars/agent.jar" jenkins::agent::name: "%{::swh_hostname.internal_fqdn}" # jenkins::agent::jnlp::token in private_data weekly_report_bot::user: nobody weekly_report_bot::cron: minute: 0 hour: 12 weekday: fri swh::postgres::service::users: - root - zack - ardumont swh::postgres::service::dbs: - alias: admin-swh name: "%{hiera('swh::deploy::storage::db::dbname')}" host: "%{hiera('swh::deploy::storage::db::host')}" user: "%{hiera('swh::deploy::storage::db::user')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" passwd: "%{hiera('swh::deploy::storage::db::password')}" - alias: admin-swh-deposit name: "%{hiera('swh::deploy::deposit::db::dbname')}" host: "%{hiera('swh::deploy::deposit::db::host')}" user: "%{hiera('swh::deploy::deposit::db::dbuser')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" 
passwd: "%{hiera('swh::deploy::deposit::db::password')}" - alias: admin-swh-scheduler name: "%{hiera('swh::deploy::scheduler::db::dbname')}" host: "%{hiera('swh::deploy::scheduler::db::host')}" user: "%{hiera('swh::deploy::scheduler::db::user')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" passwd: "%{hiera('swh::deploy::scheduler::db::password')}" - alias: admin-swh-vault name: "%{hiera('swh::deploy::vault::db::dbname')}" host: "%{hiera('swh::deploy::vault::db::host')}" user: "%{hiera('swh::deploy::vault::db::user')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" passwd: "%{hiera('swh::deploy::vault::db::password')}" - alias: admin-swh-lister name: "%{hiera('swh::deploy::worker::lister::db::name')}" host: "%{hiera('swh::deploy::worker::lister::db::host')}" user: "%{hiera('swh::deploy::worker::lister::db::name')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" passwd: "%{hiera('swh::deploy::lister::db::password')}" - alias: admin-swh-replica name: "%{hiera('swh::deploy::storage::db::dbname')}" host: somerset.internal.softwareheritage.org user: "%{hiera('swh::deploy::db::pgbouncer::user::login')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" passwd: "%{hiera('swh::deploy::storage::db::password')}" - alias: admin-swh-indexer name: "%{hiera('swh::deploy::indexer::storage::db::dbname')}" host: "%{hiera('swh::deploy::indexer::storage::db::host')}" user: "%{hiera('swh::deploy::indexer::storage::db::user')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" passwd: "%{hiera('swh::deploy::indexer::storage::db::password')}" - alias: swh name: "%{hiera('swh::deploy::storage::db::dbname')}" host: "%{hiera('swh::deploy::storage::db::host')}" user: "%{hiera('swh::deploy::storage::db::user')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-deposit name: "%{hiera('swh::deploy::deposit::db::dbname')}" host: "%{hiera('swh::deploy::deposit::db::host')}" user: "%{hiera('swh::deploy::deposit::db::dbuser')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-scheduler name: "%{hiera('swh::deploy::scheduler::db::dbname')}" host: "%{hiera('swh::deploy::scheduler::db::host')}" user: "%{hiera('swh::deploy::scheduler::db::user')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-vault name: "%{hiera('swh::deploy::vault::db::dbname')}" host: "%{hiera('swh::deploy::vault::db::host')}" user: "%{hiera('swh::deploy::vault::db::user')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-lister name: "%{hiera('swh::deploy::worker::lister::db::name')}" host: "%{hiera('swh::deploy::worker::lister::db::host')}" user: "%{hiera('swh::deploy::worker::lister::db::name')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-replica name: "%{hiera('swh::deploy::storage::db::dbname')}" host: somerset.internal.softwareheritage.org user: "%{hiera('swh::deploy::db::pgbouncer::user::login')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-indexer name: "%{hiera('swh::deploy::indexer::storage::db::dbname')}" host: "%{hiera('swh::deploy::indexer::storage::db::host')}" user: "%{hiera('swh::deploy::indexer::storage::db::user')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest elastic::elk_version: '7.8.0' elasticsearch::hosts: - http://esnode1.internal.softwareheritage.org:9200 - http://esnode2.internal.softwareheritage.org:9200 - http://esnode3.internal.softwareheritage.org:9200 elasticsearch::jvm_options: - 
"-Xms%{lookup('elasticsearch::jvm_options::heap_size')}" - "-Xmx%{lookup('elasticsearch::jvm_options::heap_size')}" elasticsearch::config::path::data: /srv/elasticsearch elasticsearch::config::path::logs: /var/log/elasticsearch elasticsearch::config::http::port: 9200 elasticsearch::config::prometheus::indices: false elasticsearch::config: cluster.name: "%{alias('elasticsearch::config::cluster::name')}" node.name: "%{::hostname}" discovery.seed_hosts: "%{alias('elasticsearch::config::discovery::seed_hosts')}" cluster.initial_master_nodes: "%{alias('elasticsearch::config::cluster::initial_master_nodes')}" path.data: "%{alias('elasticsearch::config::path::data')}" path.logs: "%{alias('elasticsearch::config::path::logs')}" http.port: "%{alias('elasticsearch::config::http::port')}" prometheus.indices: "%{alias('elasticsearch::config::prometheus::indices')}" logstash::listen_network: "%{lookup('internal_network')}" logstash::elasticsearch::hosts: "%{alias('elasticsearch::hosts')}" kibana::listen_network: "%{lookup('internal_network')}" kibana::server_name: "%{::swh_hostname.internal_fqdn}" kibana::config: server.name: "%{alias('kibana::server_name')}" elasticsearch.hosts: "%{alias('elasticsearch::hosts')}" kibana.index: .kibana # puppet-module-keycloak has some issues with Keycloak 11.x so we stick to 10.x # until then (https://github.com/treydock/puppet-module-keycloak/pull/154) keycloak::version: 10.0.2 keycloak::swh_theme::repo_url: https://forge.softwareheritage.org/source/swh-keycloak-theme.git keycloak::swh_theme::tag: v0.3.1 keycloak::vhost::name: auth.softwareheritage.org keycloak::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" keycloak::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" keycloak::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" keycloak::vhost::hsts_header: "%{hiera('apache::hsts_header')}" keycloak::backend::port: 8080 keycloak::backend::url: "http://kelvingrove.internal.softwareheritage.org:%{lookup('keycloak::backend::port')}/" keycloak::admin::user: keycloak-admin # keycloak::admin::password in private-data keycloak::postgres::host: db.internal.softwareheritage.org keycloak::postgres::port: 5432 keycloak::postgres::dbname: keycloak keycloak::postgres::user: keycloak # keycloak::postgres::password in private-data keycloak::resources::realms::common_settings: remember_me: true login_with_email_allowed: true internationalization_enabled: true supported_locales: - en account_theme: swh admin_theme: swh login_theme: swh smtp_server_host: localhost smtp_server_from: noreply@softwareheritage.org smtp_server_from_display_name: Software Heritage Authentication Service brute_force_protected: true keycloak::resources::clients::common_settings: public_client: true login_theme: swh default_client_scopes: - profile - email - roles - web-origins optional_client_scopes: - microprofile-jwt - offline_access keycloak::resources::clients::swh_web:::roles: - swh.web.api.throttling_exempted - swh.web.api.graph keycloak::resources::protocol_mappers::audience: resource_name: audience type: oidc-audience-mapper included_client_audience: __client_id__ keycloak::resources::protocol_mappers::groups: resource_name: groups type: oidc-group-membership-mapper claim_name: groups full_path: true keycloak::resources::flows::direct_grant_no_otp: name: direct_grant_no_otp description: Direct grant flow without conditional OTP executions: direct-grant-validate-username: requirement: REQUIRED direct-grant-validate-password: requirement: REQUIRED 
keycloak::resources::realms: master: settings: display_name: master SoftwareHeritage: settings: display_name: Software Heritage registration_allowed: true reset_password_allowed: true verify_email: true flows: - "%{alias('keycloak::resources::flows::direct_grant_no_otp')}" clients: swh-web: settings: redirect_uris: # Should match letsencrypt::certificates.archive_production.domains - https://archive.softwareheritage.org/* - https://base.softwareheritage.org/* - https://archive.internal.softwareheritage.org/* roles: "%{alias('keycloak::resources::clients::swh_web:::roles')}" direct_grant_flow: direct_grant_no_otp-SoftwareHeritage protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" SoftwareHeritageStaging: settings: display_name: Software Heritage (Staging) registration_allowed: true reset_password_allowed: true verify_email: true flows: - "%{alias('keycloak::resources::flows::direct_grant_no_otp')}" clients: swh-web: settings: redirect_uris: # Should match letsencrypt::certificates.archive_staging.domains - https://webapp.staging.swh.network/* - https://webapp.internal.staging.swh.network/* roles: "%{alias('keycloak::resources::clients::swh_web:::roles')}" direct_grant_flow: direct_grant_no_otp-SoftwareHeritageStaging protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" -cassandra::release: 311x -cassandra::cluster: azure - -cassandra::exporter::version: "0.9.10" -cassandra::exporter::listen_network: "%{lookup('internal_network')}" -cassandra::exporter::listen_port: 9500 - -cassandra::listen_network: "%{lookup('internal_network')}" - -cassandra::baseline_settings: - # NOTE: - # See http://wiki.apache.org/cassandra/StorageConfiguration for - # full explanations of configuration directives - # /NOTE - - # This defines the number of tokens randomly assigned to this node on the ring - # The more tokens, relative to other nodes, the larger the proportion of data - # that this node will store. You probably want all nodes to have the same number - # of tokens assuming they have equal hardware capability. - # - # If you leave this unspecified, Cassandra will use the default of 1 token for legacy compatibility, - # and will use the initial_token as described below. - # - # Specifying initial_token will override this setting on the node's initial start, - # on subsequent starts, this setting will apply even if initial token is set. - # - # If you already have a cluster with 1 token per node, and wish to migrate to - # multiple tokens per node, see http://wiki.apache.org/cassandra/Operations - num_tokens: 256 - - # Triggers automatic allocation of num_tokens tokens for this node. The allocation - # algorithm attempts to choose tokens in a way that optimizes replicated load over - # the nodes in the datacenter for the replication strategy used by the specified - # keyspace. - # - # The load assigned to each node will be close to proportional to its number of - # vnodes. - # - # Only supported with the Murmur3Partitioner. - # allocate_tokens_for_keyspace: KEYSPACE - - # initial_token allows you to specify tokens manually. While you can use it with - # vnodes (num_tokens > 1, above) -- in which case you should provide a - # comma-separated list -- it's primarily used when adding nodes to legacy clusters - # that do not have vnodes enabled. 
- # initial_token: - - # See http://wiki.apache.org/cassandra/HintedHandoff - # May either be "true" or "false" to enable globally - hinted_handoff_enabled: true - - # When hinted_handoff_enabled is true, a black list of data centers that will not - # perform hinted handoff - # hinted_handoff_disabled_datacenters: - # - DC1 - # - DC2 - - # this defines the maximum amount of time a dead host will have hints - # generated. After it has been dead this long, new hints for it will not be - # created until it has been seen alive and gone down again. - max_hint_window_in_ms: 10800000 # 3 hours - - # Maximum throttle in KBs per second, per delivery thread. This will be - # reduced proportionally to the number of nodes in the cluster. (If there - # are two nodes in the cluster, each delivery thread will use the maximum - # rate; if there are three, each will throttle to half of the maximum, - # since we expect two nodes to be delivering hints simultaneously.) - hinted_handoff_throttle_in_kb: 1024 - - # Number of threads with which to deliver hints; - # Consider increasing this number when you have multi-dc deployments, since - # cross-dc handoff tends to be slower - max_hints_delivery_threads: 2 - - # How often hints should be flushed from the internal buffers to disk. - # Will *not* trigger fsync. - hints_flush_period_in_ms: 10000 - - # Maximum size for a single hints file, in megabytes. - max_hints_file_size_in_mb: 128 - - # Compression to apply to the hint files. If omitted, hints files - # will be written uncompressed. LZ4, Snappy, and Deflate compressors - # are supported. - #hints_compression: - # - class_name: LZ4Compressor - # parameters: - # - - - # Maximum throttle in KBs per second, total. This will be - # reduced proportionally to the number of nodes in the cluster. - batchlog_replay_throttle_in_kb: 1024 - - # Authentication backend, implementing IAuthenticator; used to identify users - # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator, - # PasswordAuthenticator}. - # - # - AllowAllAuthenticator performs no checks - set it to disable authentication. - # - PasswordAuthenticator relies on username/password pairs to authenticate - # users. It keeps usernames and hashed passwords in system_auth.roles table. - # Please increase system_auth keyspace replication factor if you use this authenticator. - # If using PasswordAuthenticator, CassandraRoleManager must also be used (see below) - authenticator: AllowAllAuthenticator - - # Authorization backend, implementing IAuthorizer; used to limit access/provide permissions - # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer, - # CassandraAuthorizer}. - # - # - AllowAllAuthorizer allows any action to any user - set it to disable authorization. - # - CassandraAuthorizer stores permissions in system_auth.role_permissions table. Please - # increase system_auth keyspace replication factor if you use this authorizer. - authorizer: AllowAllAuthorizer - - # Part of the Authentication & Authorization backend, implementing IRoleManager; used - # to maintain grants and memberships between roles. - # Out of the box, Cassandra provides org.apache.cassandra.auth.CassandraRoleManager, - # which stores role information in the system_auth keyspace. Most functions of the - # IRoleManager require an authenticated login, so unless the configured IAuthenticator - # actually implements authentication, most of this functionality will be unavailable. 
- # - # - CassandraRoleManager stores role data in the system_auth keyspace. Please - # increase system_auth keyspace replication factor if you use this role manager. - role_manager: CassandraRoleManager - - # Validity period for roles cache (fetching granted roles can be an expensive - # operation depending on the role manager, CassandraRoleManager is one example) - # Granted roles are cached for authenticated sessions in AuthenticatedUser and - # after the period specified here, become eligible for (async) reload. - # Defaults to 2000, set to 0 to disable caching entirely. - # Will be disabled automatically for AllowAllAuthenticator. - roles_validity_in_ms: 2000 - - # Refresh interval for roles cache (if enabled). - # After this interval, cache entries become eligible for refresh. Upon next - # access, an async reload is scheduled and the old value returned until it - # completes. If roles_validity_in_ms is non-zero, then this must be - # also. - # Defaults to the same value as roles_validity_in_ms. - # roles_update_interval_in_ms: 2000 - - # Validity period for permissions cache (fetching permissions can be an - # expensive operation depending on the authorizer, CassandraAuthorizer is - # one example). Defaults to 2000, set to 0 to disable. - # Will be disabled automatically for AllowAllAuthorizer. - permissions_validity_in_ms: 2000 - - # Refresh interval for permissions cache (if enabled). - # After this interval, cache entries become eligible for refresh. Upon next - # access, an async reload is scheduled and the old value returned until it - # completes. If permissions_validity_in_ms is non-zero, then this must be - # also. - # Defaults to the same value as permissions_validity_in_ms. - # permissions_update_interval_in_ms: 2000 - - # Validity period for credentials cache. This cache is tightly coupled to - # the provided PasswordAuthenticator implementation of IAuthenticator. If - # another IAuthenticator implementation is configured, this cache will not - # be automatically used and so the following settings will have no effect. - # Please note, credentials are cached in their encrypted form, so while - # activating this cache may reduce the number of queries made to the - # underlying table, it may not bring a significant reduction in the - # latency of individual authentication attempts. - # Defaults to 2000, set to 0 to disable credentials caching. - credentials_validity_in_ms: 2000 - - # Refresh interval for credentials cache (if enabled). - # After this interval, cache entries become eligible for refresh. Upon next - # access, an async reload is scheduled and the old value returned until it - # completes. If credentials_validity_in_ms is non-zero, then this must be - # also. - # Defaults to the same value as credentials_validity_in_ms. - # credentials_update_interval_in_ms: 2000 - - # The partitioner is responsible for distributing groups of rows (by - # partition key) across nodes in the cluster. You should leave this - # alone for new clusters. The partitioner can NOT be changed without - # reloading all data, so when upgrading you should set this to the - # same partitioner you were already using. - # - # Besides Murmur3Partitioner, partitioners included for backwards - # compatibility include RandomPartitioner, ByteOrderedPartitioner, and - # OrderPreservingPartitioner. - # - partitioner: org.apache.cassandra.dht.Murmur3Partitioner - - # Enable / disable CDC functionality on a per-node basis. 
This modifies the logic used - # for write path allocation rejection (standard: never reject. cdc: reject Mutation - # containing a CDC-enabled table if at space limit in cdc_raw_directory). - cdc_enabled: false - - # Policy for data disk failures: - # - # die - # shut down gossip and client transports and kill the JVM for any fs errors or - # single-sstable errors, so the node can be replaced. - # - # stop_paranoid - # shut down gossip and client transports even for single-sstable errors, - # kill the JVM for errors during startup. - # - # stop - # shut down gossip and client transports, leaving the node effectively dead, but - # can still be inspected via JMX, kill the JVM for errors during startup. - # - # best_effort - # stop using the failed disk and respond to requests based on - # remaining available sstables. This means you WILL see obsolete - # data at CL.ONE! - # - # ignore - # ignore fatal errors and let requests fail, as in pre-1.2 Cassandra - disk_failure_policy: stop - - # Policy for commit disk failures: - # - # die - # shut down gossip and Thrift and kill the JVM, so the node can be replaced. - # - # stop - # shut down gossip and Thrift, leaving the node effectively dead, but - # can still be inspected via JMX. - # - # stop_commit - # shutdown the commit log, letting writes collect but - # continuing to service reads, as in pre-2.0.5 Cassandra - # - # ignore - # ignore fatal errors and let the batches fail - commit_failure_policy: stop - - # Maximum size of the native protocol prepared statement cache - # - # Valid values are either "auto" (omitting the value) or a value greater 0. - # - # Note that specifying a too large value will result in long running GCs and possbily - # out-of-memory errors. Keep the value at a small fraction of the heap. - # - # If you constantly see "prepared statements discarded in the last minute because - # cache limit reached" messages, the first step is to investigate the root cause - # of these messages and check whether prepared statements are used correctly - - # i.e. use bind markers for variable parts. - # - # Do only change the default value, if you really have more prepared statements than - # fit in the cache. In most cases it is not neccessary to change this value. - # Constantly re-preparing statements is a performance penalty. - # - # Default value ("auto") is 1/256th of the heap or 10MB, whichever is greater - #prepared_statements_cache_size_mb: - - # Maximum size of the Thrift prepared statement cache - # - # If you do not use Thrift at all, it is safe to leave this value at "auto". - # - # See description of 'prepared_statements_cache_size_mb' above for more information. - # - # Default value ("auto") is 1/256th of the heap or 10MB, whichever is greater - #thrift_prepared_statements_cache_size_mb: - - # Maximum size of the key cache in memory. - # - # Each key cache hit saves 1 seek and each row cache hit saves 2 seeks at the - # minimum, sometimes more. The key cache is fairly tiny for the amount of - # time it saves, so it's worthwhile to use it at large numbers. - # The row cache saves even more time, but must contain the entire row, - # so it is extremely space-intensive. It's best to only use the - # row cache if you have hot rows or static rows. - # - # NOTE: if you reduce the size, you may not get you hottest keys loaded on startup. - # - # Default value is empty to make it "auto" (min(5% of Heap (in MB), 100MB)). Set to 0 to disable key cache. 
- #key_cache_size_in_mb: - - # Duration in seconds after which Cassandra should - # save the key cache. Caches are saved to saved_caches_directory as - # specified in this configuration file. - # - # Saved caches greatly improve cold-start speeds, and is relatively cheap in - # terms of I/O for the key cache. Row cache saving is much more expensive and - # has limited use. - # - # Default is 14400 or 4 hours. - key_cache_save_period: 14400 - - # Number of keys from the key cache to save - # Disabled by default, meaning all keys are going to be saved - # key_cache_keys_to_save: 100 - - # Row cache implementation class name. Available implementations: - # - # org.apache.cassandra.cache.OHCProvider - # Fully off-heap row cache implementation (default). - # - # org.apache.cassandra.cache.SerializingCacheProvider - # This is the row cache implementation availabile - # in previous releases of Cassandra. - # row_cache_class_name: org.apache.cassandra.cache.OHCProvider - - # Maximum size of the row cache in memory. - # Please note that OHC cache implementation requires some additional off-heap memory to manage - # the map structures and some in-flight memory during operations before/after cache entries can be - # accounted against the cache capacity. This overhead is usually small compared to the whole capacity. - # Do not specify more memory that the system can afford in the worst usual situation and leave some - # headroom for OS block level cache. Do never allow your system to swap. - # - # Default value is 0, to disable row caching. - row_cache_size_in_mb: 0 - - # Duration in seconds after which Cassandra should save the row cache. - # Caches are saved to saved_caches_directory as specified in this configuration file. - # - # Saved caches greatly improve cold-start speeds, and is relatively cheap in - # terms of I/O for the key cache. Row cache saving is much more expensive and - # has limited use. - # - # Default is 0 to disable saving the row cache. - row_cache_save_period: 0 - - # Number of keys from the row cache to save. - # Specify 0 (which is the default), meaning all keys are going to be saved - # row_cache_keys_to_save: 100 - - # Maximum size of the counter cache in memory. - # - # Counter cache helps to reduce counter locks' contention for hot counter cells. - # In case of RF = 1 a counter cache hit will cause Cassandra to skip the read before - # write entirely. With RF > 1 a counter cache hit will still help to reduce the duration - # of the lock hold, helping with hot counter cell updates, but will not allow skipping - # the read entirely. Only the local (clock, count) tuple of a counter cell is kept - # in memory, not the whole counter, so it's relatively cheap. - # - # NOTE: if you reduce the size, you may not get you hottest keys loaded on startup. - # - # Default value is empty to make it "auto" (min(2.5% of Heap (in MB), 50MB)). Set to 0 to disable counter cache. - # NOTE: if you perform counter deletes and rely on low gcgs, you should disable the counter cache. - #counter_cache_size_in_mb: - - # Duration in seconds after which Cassandra should - # save the counter cache (keys only). Caches are saved to saved_caches_directory as - # specified in this configuration file. - # - # Default is 7200 or 2 hours. - counter_cache_save_period: 7200 - - # Number of keys from the counter cache to save - # Disabled by default, meaning all keys are going to be saved - # counter_cache_keys_to_save: 100 - - # commitlog_sync may be either "periodic" or "batch." 
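  # Illustrative sketch, not enabled here: a small off-heap row cache for
  # workloads with hot, mostly-static rows, using the keys documented above.
  # The sizes are assumptions and must leave off-heap headroom on the node.
  # row_cache_class_name: org.apache.cassandra.cache.OHCProvider
  # row_cache_size_in_mb: 256
  # row_cache_save_period: 14400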
- # - # When in batch mode, Cassandra won't ack writes until the commit log - # has been fsynced to disk. It will wait - # commitlog_sync_batch_window_in_ms milliseconds between fsyncs. - # This window should be kept short because the writer threads will - # be unable to do extra work while waiting. (You may need to increase - # concurrent_writes for the same reason.) - # - # commitlog_sync: batch - # commitlog_sync_batch_window_in_ms: 2 - # - # the other option is "periodic" where writes may be acked immediately - # and the CommitLog is simply synced every commitlog_sync_period_in_ms - # milliseconds. - commitlog_sync: periodic - commitlog_sync_period_in_ms: 10000 - - # The size of the individual commitlog file segments. A commitlog - # segment may be archived, deleted, or recycled once all the data - # in it (potentially from each columnfamily in the system) has been - # flushed to sstables. - # - # The default size is 32, which is almost always fine, but if you are - # archiving commitlog segments (see commitlog_archiving.properties), - # then you probably want a finer granularity of archiving; 8 or 16 MB - # is reasonable. - # Max mutation size is also configurable via max_mutation_size_in_kb setting in - # cassandra.yaml. The default is half the size commitlog_segment_size_in_mb * 1024. - # This should be positive and less than 2048. - # - # NOTE: If max_mutation_size_in_kb is set explicitly then commitlog_segment_size_in_mb must - # be set to at least twice the size of max_mutation_size_in_kb / 1024 - # - commitlog_segment_size_in_mb: 32 - - # Compression to apply to the commit log. If omitted, the commit log - # will be written uncompressed. LZ4, Snappy, and Deflate compressors - # are supported. - # commitlog_compression: - # - class_name: LZ4Compressor - # parameters: - # - - - # For workloads with more data than can fit in memory, Cassandra's - # bottleneck will be reads that need to fetch data from - # disk. "concurrent_reads" should be set to (16 * number_of_drives) in - # order to allow the operations to enqueue low enough in the stack - # that the OS and drives can reorder them. Same applies to - # "concurrent_counter_writes", since counter writes read the current - # values before incrementing and writing them back. - # - # On the other hand, since writes are almost never IO bound, the ideal - # number of "concurrent_writes" is dependent on the number of cores in - # your system; (8 * number_of_cores) is a good rule of thumb. - concurrent_reads: 64 - concurrent_writes: 96 - concurrent_counter_writes: 64 - - # For materialized view writes, as there is a read involved, so this should - # be limited by the less of concurrent reads or concurrent writes. - concurrent_materialized_view_writes: 32 - - # Maximum memory to use for sstable chunk cache and buffer pooling. - # 32MB of this are reserved for pooling buffers, the rest is used as an - # cache that holds uncompressed sstable chunks. - # Defaults to the smaller of 1/4 of heap or 512MB. This pool is allocated off-heap, - # so is in addition to the memory allocated for heap. The cache also has on-heap - # overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size - # if the default 64k chunk size is used). - # Memory is only allocated when needed. 
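  # Illustrative alternative, not used by this cluster: fsync-before-ack commit
  # log behaviour with LZ4-compressed segments, combining the commented
  # examples above (commitlog_sync_period_in_ms would then be dropped).
  # commitlog_sync: batch
  # commitlog_sync_batch_window_in_ms: 2
  # commitlog_compression:
  #   - class_name: LZ4Compressor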
- # file_cache_size_in_mb: 512 - - # Flag indicating whether to allocate on or off heap when the sstable buffer - # pool is exhausted, that is when it has exceeded the maximum memory - # file_cache_size_in_mb, beyond which it will not cache buffers but allocate on request. - - # buffer_pool_use_heap_if_exhausted: true - - # The strategy for optimizing disk read - # Possible values are: - # ssd (for solid state disks, the default) - # spinning (for spinning disks) - # disk_optimization_strategy: ssd - - # Total permitted memory to use for memtables. Cassandra will stop - # accepting writes when the limit is exceeded until a flush completes, - # and will trigger a flush based on memtable_cleanup_threshold - # If omitted, Cassandra will set both to 1/4 the size of the heap. - # memtable_heap_space_in_mb: 2048 - # memtable_offheap_space_in_mb: 2048 - - # memtable_cleanup_threshold is deprecated. The default calculation - # is the only reasonable choice. See the comments on memtable_flush_writers - # for more information. - # - # Ratio of occupied non-flushing memtable size to total permitted size - # that will trigger a flush of the largest memtable. Larger mct will - # mean larger flushes and hence less compaction, but also less concurrent - # flush activity which can make it difficult to keep your disks fed - # under heavy write load. - # - # memtable_cleanup_threshold defaults to 1 / (memtable_flush_writers + 1) - # memtable_cleanup_threshold: 0.11 - - # Specify the way Cassandra allocates and manages memtable memory. - # Options are: - # - # heap_buffers - # on heap nio buffers - # - # offheap_buffers - # off heap (direct) nio buffers - # - # offheap_objects - # off heap objects - memtable_allocation_type: heap_buffers - - # Total space to use for commit logs on disk. - # - # If space gets above this value, Cassandra will flush every dirty CF - # in the oldest segment and remove it. So a small total commitlog space - # will tend to cause more flush activity on less-active columnfamilies. - # - # The default value is the smaller of 8192, and 1/4 of the total space - # of the commitlog volume. - # - # commitlog_total_space_in_mb: 8192 - - # This sets the number of memtable flush writer threads per disk - # as well as the total number of memtables that can be flushed concurrently. - # These are generally a combination of compute and IO bound. - # - # Memtable flushing is more CPU efficient than memtable ingest and a single thread - # can keep up with the ingest rate of a whole server on a single fast disk - # until it temporarily becomes IO bound under contention typically with compaction. - # At that point you need multiple flush threads. At some point in the future - # it may become CPU bound all the time. - # - # You can tell if flushing is falling behind using the MemtablePool.BlockedOnAllocation - # metric which should be 0, but will be non-zero if threads are blocked waiting on flushing - # to free memory. - # - # memtable_flush_writers defaults to two for a single data directory. - # This means that two memtables can be flushed concurrently to the single data directory. - # If you have multiple data directories the default is one memtable flushing at a time - # but the flush will use a thread per data directory so you will get two or more writers. - # - # Two is generally enough to flush on a fast disk [array] mounted as a single data directory. - # Adding more flush writers will result in smaller more frequent flushes that introduce more - # compaction overhead. 
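  # Illustrative sketch for a write-heavy node with spare RAM (assumed sizing,
  # not applied here): give memtables an explicit budget and move cell data
  # off heap, as described above.
  # memtable_heap_space_in_mb: 2048
  # memtable_offheap_space_in_mb: 4096
  # memtable_allocation_type: offheap_objects
  # commitlog_total_space_in_mb: 8192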
- # - # There is a direct tradeoff between number of memtables that can be flushed concurrently - # and flush size and frequency. More is not better you just need enough flush writers - # to never stall waiting for flushing to free memory. - # - #memtable_flush_writers: 2 - - # Total space to use for change-data-capture logs on disk. - # - # If space gets above this value, Cassandra will throw WriteTimeoutException - # on Mutations including tables with CDC enabled. A CDCCompactor is responsible - # for parsing the raw CDC logs and deleting them when parsing is completed. - # - # The default value is the min of 4096 mb and 1/8th of the total space - # of the drive where cdc_raw_directory resides. - # cdc_total_space_in_mb: 4096 - - # When we hit our cdc_raw limit and the CDCCompactor is either running behind - # or experiencing backpressure, we check at the following interval to see if any - # new space for cdc-tracked tables has been made available. Default to 250ms - # cdc_free_space_check_interval_ms: 250 - - # A fixed memory pool size in MB for for SSTable index summaries. If left - # empty, this will default to 5% of the heap size. If the memory usage of - # all index summaries exceeds this limit, SSTables with low read rates will - # shrink their index summaries in order to meet this limit. However, this - # is a best-effort process. In extreme conditions Cassandra may need to use - # more than this amount of memory. - #index_summary_capacity_in_mb: - - # How frequently index summaries should be resampled. This is done - # periodically to redistribute memory from the fixed-size pool to sstables - # proportional their recent read rates. Setting to -1 will disable this - # process, leaving existing index summaries at their current sampling level. - index_summary_resize_interval_in_minutes: 60 - - # Whether to, when doing sequential writing, fsync() at intervals in - # order to force the operating system to flush the dirty - # buffers. Enable this to avoid sudden dirty buffer flushing from - # impacting read latencies. Almost always a good idea on SSDs; not - # necessarily on platters. - trickle_fsync: true - trickle_fsync_interval_in_kb: 10240 - - # TCP port, for commands and data - # For security reasons, you should not expose this port to the internet. Firewall it if needed. - storage_port: 7000 - - # SSL port, for encrypted communication. Unused unless enabled in - # encryption_options - # For security reasons, you should not expose this port to the internet. Firewall it if needed. - ssl_storage_port: 7001 - - # Set listen_address OR listen_interface, not both. Interfaces must correspond - # to a single address, IP aliasing is not supported. - # listen_interface: eth0 - - # If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address - # you can specify which should be chosen using listen_interface_prefer_ipv6. If false the first ipv4 - # address will be used. If true the first ipv6 address will be used. Defaults to false preferring - # ipv4. If there is only one address it will be selected regardless of ipv4/ipv6. - # listen_interface_prefer_ipv6: false - - # Address to broadcast to other Cassandra nodes - # Leaving this blank will set it to the same value as listen_address - # broadcast_address: 1.2.3.4 - - # When using multiple physical network interfaces, set this - # to true to listen on broadcast_address in addition to - # the listen_address, allowing nodes to communicate in both - # interfaces. 
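  # Illustrative sketch, not part of this change: binding internode traffic to
  # a dedicated interface and advertising a routable address, per the options
  # documented above. The interface name and address are placeholders.
  # listen_interface: eth1
  # listen_interface_prefer_ipv6: false
  # broadcast_address: 10.0.0.12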
- # Ignore this property if the network configuration automatically - # routes between the public and private networks such as EC2. - # listen_on_broadcast_address: false - - # Internode authentication backend, implementing IInternodeAuthenticator; - # used to allow/disallow connections from peer nodes. - # internode_authenticator: org.apache.cassandra.auth.AllowAllInternodeAuthenticator - - # Whether to start the native transport server. - # Please note that the address on which the native transport is bound is the - # same as the rpc_address. The port however is different and specified below. - start_native_transport: true - # port for the CQL native transport to listen for clients on - # For security reasons, you should not expose this port to the internet. Firewall it if needed. - native_transport_port: 9042 - # Enabling native transport encryption in client_encryption_options allows you to either use - # encryption for the standard port or to use a dedicated, additional port along with the unencrypted - # standard native_transport_port. - # Enabling client encryption and keeping native_transport_port_ssl disabled will use encryption - # for native_transport_port. Setting native_transport_port_ssl to a different value - # from native_transport_port will use encryption for native_transport_port_ssl while - # keeping native_transport_port unencrypted. - # native_transport_port_ssl: 9142 - # The maximum threads for handling requests when the native transport is used. - # This is similar to rpc_max_threads though the default differs slightly (and - # there is no native_transport_min_threads, idle threads will always be stopped - # after 30 seconds). - # native_transport_max_threads: 128 - # - # The maximum size of allowed frame. Frame (requests) larger than this will - # be rejected as invalid. The default is 256MB. If you're changing this parameter, - # you may want to adjust max_value_size_in_mb accordingly. This should be positive and less than 2048. - # native_transport_max_frame_size_in_mb: 256 - - # The maximum number of concurrent client connections. - # The default is -1, which means unlimited. - # native_transport_max_concurrent_connections: -1 - - # The maximum number of concurrent client connections per source ip. - # The default is -1, which means unlimited. - # native_transport_max_concurrent_connections_per_ip: -1 - - # Whether to start the thrift rpc server. - start_rpc: false - - # Set rpc_address OR rpc_interface, not both. Interfaces must correspond - # to a single address, IP aliasing is not supported. - # rpc_interface: eth1 - - # If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address - # you can specify which should be chosen using rpc_interface_prefer_ipv6. If false the first ipv4 - # address will be used. If true the first ipv6 address will be used. Defaults to false preferring - # ipv4. If there is only one address it will be selected regardless of ipv4/ipv6. - # rpc_interface_prefer_ipv6: false - - # port for Thrift to listen for clients on - rpc_port: 9160 - - # RPC address to broadcast to drivers and other Cassandra nodes. This cannot - # be set to 0.0.0.0. If left blank, this will be set to the value of - # rpc_address. If rpc_address is set to 0.0.0.0, broadcast_rpc_address must - # be set. 
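  # Illustrative sketch, not enabled here: serving TLS clients on a dedicated
  # port (this also requires client_encryption_options to be enabled) while
  # keeping the standard port in clear text, plus per-node connection limits.
  # The numbers are assumptions.
  # native_transport_port_ssl: 9142
  # native_transport_max_threads: 128
  # native_transport_max_concurrent_connections: 1000
  # native_transport_max_concurrent_connections_per_ip: 50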
- # broadcast_rpc_address: 1.2.3.4 - - # enable or disable keepalive on rpc/native connections - rpc_keepalive: true - - # Cassandra provides two out-of-the-box options for the RPC Server: - # - # sync - # One thread per thrift connection. For a very large number of clients, memory - # will be your limiting factor. On a 64 bit JVM, 180KB is the minimum stack size - # per thread, and that will correspond to your use of virtual memory (but physical memory - # may be limited depending on use of stack space). - # - # hsha - # Stands for "half synchronous, half asynchronous." All thrift clients are handled - # asynchronously using a small number of threads that does not vary with the amount - # of thrift clients (and thus scales well to many clients). The rpc requests are still - # synchronous (one thread per active request). If hsha is selected then it is essential - # that rpc_max_threads is changed from the default value of unlimited. - # - # The default is sync because on Windows hsha is about 30% slower. On Linux, - # sync/hsha performance is about the same, with hsha of course using less memory. - # - # Alternatively, can provide your own RPC server by providing the fully-qualified class name - # of an o.a.c.t.TServerFactory that can create an instance of it. - rpc_server_type: sync - - # Uncomment rpc_min|max_thread to set request pool size limits. - # - # Regardless of your choice of RPC server (see above), the number of maximum requests in the - # RPC thread pool dictates how many concurrent requests are possible (but if you are using the sync - # RPC server, it also dictates the number of clients that can be connected at all). - # - # The default is unlimited and thus provides no protection against clients overwhelming the server. You are - # encouraged to set a maximum that makes sense for you in production, but do keep in mind that - # rpc_max_threads represents the maximum number of client requests this server may execute concurrently. - # - # rpc_min_threads: 16 - # rpc_max_threads: 2048 - - # uncomment to set socket buffer sizes on rpc connections - # rpc_send_buff_size_in_bytes: - # rpc_recv_buff_size_in_bytes: - - # Uncomment to set socket buffer size for internode communication - # Note that when setting this, the buffer size is limited by net.core.wmem_max - # and when not setting it it is defined by net.ipv4.tcp_wmem - # See also: - # /proc/sys/net/core/wmem_max - # /proc/sys/net/core/rmem_max - # /proc/sys/net/ipv4/tcp_wmem - # /proc/sys/net/ipv4/tcp_wmem - # and 'man tcp' - # internode_send_buff_size_in_bytes: - - # Uncomment to set socket buffer size for internode communication - # Note that when setting this, the buffer size is limited by net.core.wmem_max - # and when not setting it it is defined by net.ipv4.tcp_wmem - # internode_recv_buff_size_in_bytes: - - # Frame size for thrift (maximum message length). - thrift_framed_transport_size_in_mb: 15 - - # Set to true to have Cassandra create a hard link to each sstable - # flushed or streamed locally in a backups/ subdirectory of the - # keyspace data. Removing these links is the operator's - # responsibility. - incremental_backups: false - - # Whether or not to take a snapshot before each compaction. Be - # careful using this option, since Cassandra won't clean up the - # snapshots for you. Mostly useful if you're paranoid when there - # is a data format change. - snapshot_before_compaction: false - - # Whether or not a snapshot is taken of the data before keyspace truncation - # or dropping of column families. 
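  # Illustrative sketch, only relevant if start_rpc were ever flipped to true:
  # the hsha server must be paired with a bounded thread pool, as stressed
  # above. The bounds are assumptions.
  # rpc_server_type: hsha
  # rpc_min_threads: 16
  # rpc_max_threads: 2048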
The STRONGLY advised default of true - # should be used to provide data safety. If you set this flag to false, you will - # lose data on truncation or drop. - auto_snapshot: true - - # Granularity of the collation index of rows within a partition. - # Increase if your rows are large, or if you have a very large - # number of rows per partition. The competing goals are these: - # - # - a smaller granularity means more index entries are generated - # and looking up rows withing the partition by collation column - # is faster - # - but, Cassandra will keep the collation index in memory for hot - # rows (as part of the key cache), so a larger granularity means - # you can cache more hot rows - column_index_size_in_kb: 64 - - # Per sstable indexed key cache entries (the collation index in memory - # mentioned above) exceeding this size will not be held on heap. - # This means that only partition information is held on heap and the - # index entries are read from disk. - # - # Note that this size refers to the size of the - # serialized index information and not the size of the partition. - column_index_cache_size_in_kb: 2 - - # Number of simultaneous compactions to allow, NOT including - # validation "compactions" for anti-entropy repair. Simultaneous - # compactions can help preserve read performance in a mixed read/write - # workload, by mitigating the tendency of small sstables to accumulate - # during a single long running compactions. The default is usually - # fine and if you experience problems with compaction running too - # slowly or too fast, you should look at - # compaction_throughput_mb_per_sec first. - # - # concurrent_compactors defaults to the smaller of (number of disks, - # number of cores), with a minimum of 2 and a maximum of 8. - # - # If your data directories are backed by SSD, you should increase this - # to the number of cores. - #concurrent_compactors: 1 - - # Throttles compaction to the given total throughput across the entire - # system. The faster you insert data, the faster you need to compact in - # order to keep the sstable count down, but in general, setting this to - # 16 to 32 times the rate you are inserting data is more than sufficient. - # Setting this to 0 disables throttling. Note that this account for all types - # of compaction, including validation compaction. - compaction_throughput_mb_per_sec: 16 - - # When compacting, the replacement sstable(s) can be opened before they - # are completely written, and used in place of the prior sstables for - # any range that has been written. This helps to smoothly transfer reads - # between the sstables, reducing page cache churn and keeping hot rows hot - sstable_preemptive_open_interval_in_mb: 50 - - # Throttles all outbound streaming file transfers on this node to the - # given total throughput in Mbps. This is necessary because Cassandra does - # mostly sequential IO when streaming data during bootstrap or repair, which - # can lead to saturating the network connection and degrading rpc performance. - # When unset, the default is 200 Mbps or 25 MB/s. 
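  # Illustrative sketch for SSD-backed data directories (assumed hardware, not
  # applied here): more compactors and a higher throughput cap, following the
  # guidance above.
  # concurrent_compactors: 8
  # compaction_throughput_mb_per_sec: 64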
- # stream_throughput_outbound_megabits_per_sec: 200 - - # Throttles all streaming file transfer between the datacenters, - # this setting allows users to throttle inter dc stream throughput in addition - # to throttling all network stream traffic as configured with - # stream_throughput_outbound_megabits_per_sec - # When unset, the default is 200 Mbps or 25 MB/s - # inter_dc_stream_throughput_outbound_megabits_per_sec: 200 - - # How long the coordinator should wait for read operations to complete - read_request_timeout_in_ms: 5000 - # How long the coordinator should wait for seq or index scans to complete - range_request_timeout_in_ms: 10000 - # How long the coordinator should wait for writes to complete - write_request_timeout_in_ms: 2000 - # How long the coordinator should wait for counter writes to complete - counter_write_request_timeout_in_ms: 5000 - # How long a coordinator should continue to retry a CAS operation - # that contends with other proposals for the same row - cas_contention_timeout_in_ms: 1000 - # How long the coordinator should wait for truncates to complete - # (This can be much longer, because unless auto_snapshot is disabled - # we need to flush first so we can snapshot before removing the data.) - truncate_request_timeout_in_ms: 60000 - # The default timeout for other, miscellaneous operations - request_timeout_in_ms: 10000 - - # How long before a node logs slow queries. Select queries that take longer than - # this timeout to execute, will generate an aggregated log message, so that slow queries - # can be identified. Set this value to zero to disable slow query logging. - slow_query_log_timeout_in_ms: 500 - - # Enable operation timeout information exchange between nodes to accurately - # measure request timeouts. If disabled, replicas will assume that requests - # were forwarded to them instantly by the coordinator, which means that - # under overload conditions we will waste that much extra time processing - # already-timed-out requests. - # - # Warning: before enabling this property make sure to ntp is installed - # and the times are synchronized between the nodes. - cross_node_timeout: false - - # Set keep-alive period for streaming - # This node will send a keep-alive message periodically with this period. - # If the node does not receive a keep-alive message from the peer for - # 2 keep-alive cycles the stream session times out and fail - # Default value is 300s (5 minutes), which means stalled stream - # times out in 10 minutes by default - # streaming_keep_alive_period_in_secs: 300 - - # phi value that must be reached for a host to be marked down. - # most users should never need to adjust this. - # phi_convict_threshold: 8 - - # endpoint_snitch -- Set this to a class that implements - # IEndpointSnitch. The snitch has two functions: - # - # - it teaches Cassandra enough about your network topology to route - # requests efficiently - # - it allows Cassandra to spread replicas around your cluster to avoid - # correlated failures. It does this by grouping machines into - # "datacenters" and "racks." Cassandra will do its best not to have - # more than one replica on the same "rack" (which may not actually - # be a physical location) - # - # CASSANDRA WILL NOT ALLOW YOU TO SWITCH TO AN INCOMPATIBLE SNITCH - # ONCE DATA IS INSERTED INTO THE CLUSTER. This would cause data loss. 
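  # Illustrative sketch, not part of this change: tighter coordinator timeouts
  # and a lower slow-query threshold for a latency-sensitive workload, using
  # the keys documented above. The values are assumptions.
  # read_request_timeout_in_ms: 2000
  # write_request_timeout_in_ms: 1000
  # slow_query_log_timeout_in_ms: 200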
- # This means that if you start with the default SimpleSnitch, which - # locates every node on "rack1" in "datacenter1", your only options - # if you need to add another datacenter are GossipingPropertyFileSnitch - # (and the older PFS). From there, if you want to migrate to an - # incompatible snitch like Ec2Snitch you can do it by adding new nodes - # under Ec2Snitch (which will locate them in a new "datacenter") and - # decommissioning the old ones. - # - # Out of the box, Cassandra provides: - # - # SimpleSnitch: - # Treats Strategy order as proximity. This can improve cache - # locality when disabling read repair. Only appropriate for - # single-datacenter deployments. - # - # GossipingPropertyFileSnitch - # This should be your go-to snitch for production use. The rack - # and datacenter for the local node are defined in - # cassandra-rackdc.properties and propagated to other nodes via - # gossip. If cassandra-topology.properties exists, it is used as a - # fallback, allowing migration from the PropertyFileSnitch. - # - # PropertyFileSnitch: - # Proximity is determined by rack and data center, which are - # explicitly configured in cassandra-topology.properties. - # - # Ec2Snitch: - # Appropriate for EC2 deployments in a single Region. Loads Region - # and Availability Zone information from the EC2 API. The Region is - # treated as the datacenter, and the Availability Zone as the rack. - # Only private IPs are used, so this will not work across multiple - # Regions. - # - # Ec2MultiRegionSnitch: - # Uses public IPs as broadcast_address to allow cross-region - # connectivity. (Thus, you should set seed addresses to the public - # IP as well.) You will need to open the storage_port or - # ssl_storage_port on the public IP firewall. (For intra-Region - # traffic, Cassandra will switch to the private IP after - # establishing a connection.) - # - # RackInferringSnitch: - # Proximity is determined by rack and data center, which are - # assumed to correspond to the 3rd and 2nd octet of each node's IP - # address, respectively. Unless this happens to match your - # deployment conventions, this is best used as an example of - # writing a custom Snitch class and is provided in that spirit. - # - # You can use a custom Snitch by setting this to the full class name - # of the snitch, which will be assumed to be on your classpath. - endpoint_snitch: SimpleSnitch - - # controls how often to perform the more expensive part of host score - # calculation - dynamic_snitch_update_interval_in_ms: 100 - # controls how often to reset all host scores, allowing a bad host to - # possibly recover - dynamic_snitch_reset_interval_in_ms: 600000 - # if set greater than zero and read_repair_chance is < 1.0, this will allow - # 'pinning' of replicas to hosts in order to increase cache capacity. - # The badness threshold will control how much worse the pinned host has to be - # before the dynamic snitch will prefer other replicas over it. This is - # expressed as a double which represents a percentage. Thus, a value of - # 0.2 means Cassandra would continue to prefer the static snitch values - # until the pinned host was 20% worse than the fastest. - dynamic_snitch_badness_threshold: 0.1 - - # request_scheduler -- Set this to a class that implements - # RequestScheduler, which will schedule incoming client requests - # according to the specific policy. This is useful for multi-tenancy - # with a single Cassandra cluster. 
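  # Illustrative sketch, not used here (this hierarchy keeps SimpleSnitch): a
  # multi-datacenter deployment would normally switch to
  # GossipingPropertyFileSnitch and declare each node's dc/rack in
  # cassandra-rackdc.properties, keeping the dynamic snitch defaults above.
  # endpoint_snitch: GossipingPropertyFileSnitch
  # dynamic_snitch_badness_threshold: 0.1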
- # NOTE: This is specifically for requests from the client and does - # not affect inter node communication. - # org.apache.cassandra.scheduler.NoScheduler - No scheduling takes place - # org.apache.cassandra.scheduler.RoundRobinScheduler - Round robin of - # client requests to a node with a separate queue for each - # request_scheduler_id. The scheduler is further customized by - # request_scheduler_options as described below. - request_scheduler: org.apache.cassandra.scheduler.NoScheduler - - # Scheduler Options vary based on the type of scheduler - # - # NoScheduler - # Has no options - # - # RoundRobin - # throttle_limit - # The throttle_limit is the number of in-flight - # requests per client. Requests beyond - # that limit are queued up until - # running requests can complete. - # The value of 80 here is twice the number of - # concurrent_reads + concurrent_writes. - # default_weight - # default_weight is optional and allows for - # overriding the default which is 1. - # weights - # Weights are optional and will default to 1 or the - # overridden default_weight. The weight translates into how - # many requests are handled during each turn of the - # RoundRobin, based on the scheduler id. - # - # request_scheduler_options: - # throttle_limit: 80 - # default_weight: 5 - # weights: - # Keyspace1: 1 - # Keyspace2: 5 - - # request_scheduler_id -- An identifier based on which to perform - # the request scheduling. Currently the only valid option is keyspace. - # request_scheduler_id: keyspace - - # Enable or disable inter-node encryption - # JVM defaults for supported SSL socket protocols and cipher suites can - # be replaced using custom encryption options. This is not recommended - # unless you have policies in place that dictate certain settings, or - # need to disable vulnerable ciphers or protocols in case the JVM cannot - # be updated. - # FIPS compliant settings can be configured at JVM level and should not - # involve changing encryption settings here: - # https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html - # *NOTE* No custom encryption options are enabled at the moment - # The available internode options are : all, none, dc, rack - # - # If set to dc cassandra will encrypt the traffic between the DCs - # If set to rack cassandra will encrypt the traffic between the racks - # - # The passwords used in these options must match the passwords used when generating - # the keystore and truststore. For instructions on generating these files, see: - # http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore - # - server_encryption_options: - internode_encryption: none - keystore: conf/.keystore - keystore_password: cassandra - truststore: conf/.truststore - truststore_password: cassandra - # More advanced defaults below: - # protocol: TLS - # algorithm: SunX509 - # store_type: JKS - # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] - # require_client_auth: false - # require_endpoint_verification: false - - # enable or disable client/server encryption. - client_encryption_options: - enabled: false - # If enabled and optional is set to true encrypted and unencrypted connections are handled. 
- optional: false - keystore: conf/.keystore - keystore_password: cassandra - # require_client_auth: false - # Set trustore and truststore_password if require_client_auth is true - # truststore: conf/.truststore - # truststore_password: cassandra - # More advanced defaults below: - # protocol: TLS - # algorithm: SunX509 - # store_type: JKS - # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] - - # internode_compression controls whether traffic between nodes is - # compressed. - # Can be: - # - # all - # all traffic is compressed - # - # dc - # traffic between different datacenters is compressed - # - # none - # nothing is compressed. - internode_compression: dc - - # Enable or disable tcp_nodelay for inter-dc communication. - # Disabling it will result in larger (but fewer) network packets being sent, - # reducing overhead from the TCP protocol itself, at the cost of increasing - # latency if you block for cross-datacenter responses. - inter_dc_tcp_nodelay: false - - # TTL for different trace types used during logging of the repair process. - tracetype_query_ttl: 86400 - tracetype_repair_ttl: 604800 - - # By default, Cassandra logs GC Pauses greater than 200 ms at INFO level - # This threshold can be adjusted to minimize logging if necessary - # gc_log_threshold_in_ms: 200 - - # If unset, all GC Pauses greater than gc_log_threshold_in_ms will log at - # INFO level - # UDFs (user defined functions) are disabled by default. - # As of Cassandra 3.0 there is a sandbox in place that should prevent execution of evil code. - enable_user_defined_functions: true - - # Enables scripted UDFs (JavaScript UDFs). - # Java UDFs are always enabled, if enable_user_defined_functions is true. - # Enable this option to be able to use UDFs with "language javascript" or any custom JSR-223 provider. - # This option has no effect, if enable_user_defined_functions is false. - enable_scripted_user_defined_functions: false - - # Enables materialized view creation on this node. - # Materialized views are considered experimental and are not recommended for production use. - enable_materialized_views: true - - # The default Windows kernel timer and scheduling resolution is 15.6ms for power conservation. - # Lowering this value on Windows can provide much tighter latency and better throughput, however - # some virtualized environments may see a negative performance impact from changing this setting - # below their system default. The sysinternals 'clockres' tool can confirm your system's default - # setting. - windows_timer_interval: 1 - - - # Enables encrypting data at-rest (on disk). Different key providers can be plugged in, but the default reads from - # a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by - # the "key_alias" is the only key that will be used for encrypt opertaions; previously used keys - # can still (and should!) be in the keystore and will be used on decrypt operations - # (to handle the case of key rotation). - # - # It is strongly recommended to download and install Java Cryptography Extension (JCE) - # Unlimited Strength Jurisdiction Policy Files for your version of the JDK. 
  # (current link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)
  #
  # Currently, only the following file types are supported for transparent data encryption, although
  # more are coming in future cassandra releases: commitlog, hints
  transparent_data_encryption_options:
    enabled: false
    chunk_length_kb: 64
    cipher: AES/CBC/PKCS5Padding
    key_alias: testing:1
    # CBC IV length for AES needs to be 16 bytes (which is also the default size)
    # iv_length: 16
    key_provider:
      - class_name: org.apache.cassandra.security.JKSKeyProvider
        parameters:
          - keystore: conf/.keystore
            keystore_password: cassandra
            store_type: JCEKS
            key_password: cassandra


  #####################
  # SAFETY THRESHOLDS #
  #####################

  # When executing a scan, within or across a partition, we need to keep the
  # tombstones seen in memory so we can return them to the coordinator, which
  # will use them to make sure other replicas also know about the deleted rows.
  # With workloads that generate a lot of tombstones, this can cause performance
  # problems and even exhaust the server heap.
  # (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets)
  # Adjust the thresholds here if you understand the dangers and want to
  # scan more tombstones anyway. These thresholds may also be adjusted at runtime
  # using the StorageService mbean.
  tombstone_warn_threshold: 1000
  tombstone_failure_threshold: 100000

  # Log WARN on any multiple-partition batch size exceeding this value. 5kb per batch by default.
  # Caution should be taken on increasing the size of this threshold as it can lead to node instability.
  batch_size_warn_threshold_in_kb: 5

  # Fail any multiple-partition batch exceeding this value. 50kb (10x warn threshold) by default.
  batch_size_fail_threshold_in_kb: 50

  # Log WARN on any batches not of type LOGGED that span across more partitions than this limit
  unlogged_batch_across_partitions_warn_threshold: 10

  # Log a warning when compacting partitions larger than this value
  compaction_large_partition_warning_threshold_mb: 100

  # GC Pauses greater than gc_warn_threshold_in_ms will be logged at WARN level
  # Adjust the threshold based on your application throughput requirement
  # By default, Cassandra logs GC Pauses greater than 200 ms at INFO level
  gc_warn_threshold_in_ms: 1000

  # Maximum size of any value in SSTables. Safety measure to detect SSTable corruption
  # early. Any value size larger than this threshold will result in marking an SSTable
  # as corrupted. This should be positive and less than 2048.
  # max_value_size_in_mb: 256

  # Back-pressure settings #
  # If enabled, the coordinator will apply the back-pressure strategy specified below to each mutation
  # sent to replicas, with the aim of reducing pressure on overloaded replicas.
  back_pressure_enabled: false
  # The back-pressure strategy applied.
  # The default implementation, RateBasedBackPressure, takes three arguments:
  # high ratio, factor, and flow type, and uses the ratio between incoming mutation responses and outgoing mutation requests.
- # If below high ratio, outgoing mutations are rate limited according to the incoming rate decreased by the given factor; - # if above high ratio, the rate limiting is increased by the given factor; - # such factor is usually best configured between 1 and 10, use larger values for a faster recovery - # at the expense of potentially more dropped mutations; - # the rate limiting is applied according to the flow type: if FAST, it's rate limited at the speed of the fastest replica, - # if SLOW at the speed of the slowest one. - # New strategies can be added. Implementors need to implement org.apache.cassandra.net.BackpressureStrategy and - # provide a public constructor accepting a Map. - back_pressure_strategy: - - class_name: org.apache.cassandra.net.RateBasedBackPressure - parameters: - - high_ratio: 0.90 - factor: 5 - flow: FAST - - # Coalescing Strategies # - # Coalescing multiples messages turns out to significantly boost message processing throughput (think doubling or more). - # On bare metal, the floor for packet processing throughput is high enough that many applications won't notice, but in - # virtualized environments, the point at which an application can be bound by network packet processing can be - # surprisingly low compared to the throughput of task processing that is possible inside a VM. It's not that bare metal - # doesn't benefit from coalescing messages, it's that the number of packets a bare metal network interface can process - # is sufficient for many applications such that no load starvation is experienced even without coalescing. - # There are other benefits to coalescing network messages that are harder to isolate with a simple metric like messages - # per second. By coalescing multiple tasks together, a network thread can process multiple messages for the cost of one - # trip to read from a socket, and all the task submission work can be done at the same time reducing context switching - # and increasing cache friendliness of network message processing. - # See CASSANDRA-8692 for details. - - # Strategy to use for coalescing messages in OutboundTcpConnection. - # Can be fixed, movingaverage, timehorizon, disabled (default). - # You can also specify a subclass of CoalescingStrategies.CoalescingStrategy by name. - # otc_coalescing_strategy: DISABLED - - # How many microseconds to wait for coalescing. For fixed strategy this is the amount of time after the first - # message is received before it will be sent with any accompanying messages. For moving average this is the - # maximum amount of time that will be waited as well as the interval at which messages must arrive on average - # for coalescing to be enabled. - # otc_coalescing_window_us: 200 - - # Do not try to coalesce messages if we already got that many messages. This should be more than 2 and less than 128. - # otc_coalescing_enough_coalesced_messages: 8 - - # How many milliseconds to wait between two expiration runs on the backlog (queue) of the OutboundTcpConnection. - # Expiration is done if messages are piling up in the backlog. Droppable messages are expired to free the memory - # taken by expired messages. The interval should be between 0 and 1000, and in most installations the default value - # will be appropriate. A smaller value could potentially expire messages slightly sooner at the expense of more CPU - # time and queue contention while iterating the backlog of messages. - # An interval of 0 disables any wait time, which is the behavior of former Cassandra versions. 
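  # Illustrative sketch, not enabled here: rate-based back-pressure together
  # with message coalescing for a virtualised, network-bound cluster, based on
  # the options described above. The window value is an assumption.
  # back_pressure_enabled: true
  # otc_coalescing_strategy: movingaverage
  # otc_coalescing_window_us: 200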
  #
  # otc_backlog_expiration_interval_ms: 200

cassandra::clusters:
  azure:
    cluster_name: SWH on Azure
    seed_provider:
      - class_name: org.apache.cassandra.locator.SimpleSeedProvider
        parameters:
          - seeds: 192.168.200.27  # cassandra01.euwest.azure.internal.softwareheritage.org

borg::repository_user: borg
borg::repository_group: borg
borg::base_path: /srv/borg
borg::repository_path: "%{lookup('borg::base_path')}/repositories"
borg::repository_server: banco.internal.softwareheritage.org
borg::encryption: repokey-blake2

swh::deploy::base_search::config_directory: "%{hiera('swh::conf_directory')}/search"
swh::deploy::base_search::user: swhstorage
swh::deploy::base_search::group: swhstorage

swh::deploy::search::sentry_swh_package: swh.search
swh::deploy::search::sentry_environment: "%{alias('swh::deploy::environment')}"
swh::deploy::search::sentry_dsn: "https://%{lookup('swh::deploy::search::sentry_token')}@sentry.softwareheritage.org/15"

swh::deploy::search::conf_file: "%{hiera('swh::deploy::base_search::config_directory')}/server.yml"
swh::deploy::search::user: "%{alias('swh::deploy::base_search::user')}"
swh::deploy::search::group: "%{alias('swh::deploy::base_search::group')}"
swh::deploy::search::config:
  search:
    cls: elasticsearch
    args:
      hosts: "%{alias('swh::elasticsearch::nodes')}"

swh::deploy::search::journal_client::service_types:
  - objects
  # - indexed # Waiting for T2876 resolution

swh::deploy::search::journal_client::objects::config_file: "%{lookup('swh::deploy::base_search::config_directory')}/journal_client_objects.yml"
swh::deploy::search::journal_client::objects::config:
  search:
    cls: elasticsearch
    hosts: "%{alias('swh::elasticsearch::nodes')}"
  journal:
    brokers: "%{alias('swh::deploy::journal::brokers')}"
    group_id: swh.search.journal_client
    prefix: swh.journal.objects
    object_types:
      - origin
      - origin_visit
      - origin_visit_status

swh::deploy::search::journal_client::indexed::config_file: "%{lookup('swh::deploy::base_search::config_directory')}/journal_client_indexed.yml"
swh::deploy::search::journal_client::indexed::config:
  search:
    cls: elasticsearch
    hosts: "%{alias('swh::elasticsearch::nodes')}"
  journal:
    brokers: "%{alias('swh::deploy::journal::brokers')}"
    group_id: swh.search.journal_client
    prefix: swh.journal.indexed
    object_types:
      - origin_intrinsic_metadata

swh::deploy::search::backend::listen::host: 127.0.0.1
swh::deploy::search::backend::listen::port: "%{alias('swh::remote_service::search::port')}"
swh::deploy::search::backend::workers: 4
swh::deploy::search::backend::reload_mercy: 3600
swh::deploy::search::backend::http_keepalive: 5
swh::deploy::search::backend::http_timeout: 3600
swh::deploy::search::backend::max_requests: 10000
swh::deploy::search::backend::max_requests_jitter: 1000
swh::deploy::search::backend::server_names:
  - "%{::swh_hostname.internal_fqdn}"
  - "%{::hostname}"
  - 127.0.0.1
  - localhost
  - "::1"

netbox::version: 2.9.3
netbox::user: netbox
netbox::db::host: localhost
netbox::db::port: 5432
netbox::db::database: netbox
netbox::db::username: netbox
# netbox::db::password: in private-data
netbox::mail::host: "%{lookup('smtp::relay_hostname')}"
netbox::mail::from: inventory@softwareheritage.org
netbox::redis::host: localhost
netbox::redis::port: 6379
# netbox::redis::password in private-data
# netbox::redis_cache::password in private-data
# netbox::secret_key in private-data
netbox::admin::email: sysop+netbox@softwareheritage.org
# netbox::admin::password in private-data
# netbox::admin::api_token in private-data
netbox::webhook_enabled: true
netbox::gunicorn::binding: 127.0.0.1
netbox::gunicorn::port: 8001
netbox::data_directory: /var/lib/netbox
netbox::allowed_hosts:
  - "*"
  - "localhost"
netbox::vhost::letsencrypt_cert: netbox
netbox::vhost::name: inventory.internal.softwareheritage.org
netbox::backend::url: "http://localhost:%{hiera('netbox::gunicorn::port')}/"
netbox::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}"
netbox::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}"
netbox::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}"
netbox::vhost::hsts_header: "%{hiera('apache::hsts_header')}"

opnsense::hosts:
  pushkin:
    fqdn: pushkin.internal.softwareheritage.org
    ip: 192.168.100.129
  glyptotek:
    fqdn: glyptotek.internal.softwareheritage.org
    ip: 192.168.100.128

opnsense::prometheus::port: 9100
opnsense::prometheus::metrics_path: /metrics

prometheus::elasticsearch::exporter::version: "%{lookup('elastic::elk_version')}.0"
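# Illustrative sketch, not part of this change: a further firewall would be
# declared by adding an entry to opnsense::hosts alongside the two above. The
# host key, fqdn and ip below are placeholders.
# opnsense::hosts:
#   example-fw:
#     fqdn: example-fw.internal.softwareheritage.org
#     ip: 192.168.100.130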