diff --git a/data/common/common.yaml b/data/common/common.yaml
index eaf87736..5a074f19 100644
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -1,3901 +1,3905 @@ --- ### See also public_keys.yaml for public key/cert fingerprint blocks ### dns::local_cache: true dns::nameservers: - 127.0.0.1 dns::search_domains: - internal.softwareheritage.org - softwareheritage.org dns::disable_local_zones: - '168.192.in-addr.arpa.' dns::forward_zones: 'internal.softwareheritage.org.': "%{alias('dns::local_nameservers')}" '100.168.192.in-addr.arpa.': "%{alias('dns::local_nameservers')}" '101.168.192.in-addr.arpa.': "%{alias('dns::local_nameservers')}" '200.168.192.in-addr.arpa.': "%{alias('dns::local_nameservers')}" 'internal.staging.swh.network.': "%{alias('dns::local_nameservers')}" 'internal.admin.swh.network.': "%{alias('dns::local_nameservers')}" '130.168.192.in-addr.arpa.': "%{alias('dns::local_nameservers')}" '50.168.192.in-addr.arpa.': "%{alias('dns::local_nameservers')}" # dns::forwarders per-subnet. No Default value # dns::local_nameservers per-subnet. No Default value # ntp::servers per-subnet. Default value: ntp::servers: - 0.debian.pool.ntp.org - 1.debian.pool.ntp.org - 2.debian.pool.ntp.org - 3.debian.pool.ntp.org sudo::configs: {} # smtp::relay_hostname is per-subnet. 
Default value: smtp::relay_hostname: 'pergamon.internal.softwareheritage.org' smtp::relayhost: "[%{lookup('smtp::relay_hostname')}]" smtp::mydestination: - "%{::fqdn}" smtp::mynetworks: - 127.0.0.0/8 - "[::ffff:127.0.0.0]/104" - "[::1]/128" smtp::relay_destinations: [] smtp::virtual_aliases: [] smtp::extra_aliases_files: [] smtp::mail_aliases: - user: anlambert aliases: - antoine.lambert33@gmail.com - user: ardumont aliases: - antoine.romain.dumont@gmail.com - user: aeviso aliases: - aeviso@softwareheritage.org - user: ddouard aliases: - david.douard@sdfa3.org - user: olasd aliases: - nicolas+swhinfra@dandrimont.eu - user: morane aliases: - morane.gg@gmail.com - user: postgres aliases: - root - user: rdicosmo aliases: - roberto@dicosmo.org - user: root aliases: - olasd - zack - ardumont - ddouard - vsellier - user: seirl aliases: - antoine.pietri1@gmail.com - user: swhstorage aliases: - root - user: swhworker aliases: - zack - olasd - ardumont - vsellier - user: swhdeposit aliases: - ardumont - vsellier - user: zack aliases: - zack@upsilon.cc - user: vlorentz aliases: - valentin.lorentz@inria.fr - user: haltode aliases: - haltode@gmail.com - user: danseraf aliases: - me@danieleserafini.eu - user: vsellier aliases: - vincent.sellier@gmail.com - user: tenma aliases: - nicolas.gattolin@softwareheritage.org - user: tg1999 aliases: - tushar.goel.dav@gmail.com - user: hakb aliases: - hakim.baaloudj@gmail.com - user: jayesh aliases: - jayesh.mail@gmail.com - user: zaboukha aliases: - zainab.ab.k7@gmail.com - user: bchauvet aliases: - bchauvet@softwareheritage.org networks::manage_interfaces: true networks::private_routes: vpn: network: 192.168.101.0/24 gateway: "%{alias('networks::private_gateway')}" enabled: true azure: network: 192.168.200.0/21 gateway: "%{alias('networks::private_gateway')}" enabled: true staging: network: 192.168.130.0/24 gateway: "%{alias('networks::private_gateway')}" enabled: false admin: network: 192.168.50.0/24 gateway: 
"%{alias('networks::private_gateway')}" enabled: false networks::private_network: 192.168.100.0/24 networks::private_gateway: 192.168.100.1 networks::public_swh_gateway: "%{alias('networks::staging_gateway')}" locales::default_locale: C.UTF-8 locales::installed_locales: - C.UTF-8 UTF-8 - en_US.UTF-8 UTF-8 - fr_FR.UTF-8 UTF-8 - it_IT.UTF-8 UTF-8 timezone: Etc/UTC packages: - acl - curl - dstat - etckeeper - fish - git - htop - iotop - ipython3 - molly-guard - moreutils - ncdu - netcat-openbsd - nfs-common - python3 - python3-yaml - ruby-filesystem - strace - tcpdump - tmux - vim - zsh - zstd packages::desktop: - autojump - chromium - emacs - ethtool - gnome - i3 - ii - libx11-dev - mosh - myrepos - net-tools - ruby-dev - rxvt-unicode-256color - screen - scrot - tree - vim-nox - weechat - weechat-scripts packages::devel: - arcanist - elpa-magit - git-email - gitg - gitk - ltrace - perl-doc packages::devel::debian: - devscripts - dpkg-dev - reprepro - sbuild packages::devel::python: - graphviz - make - python3-arrow - python3-azure-storage - python3-blinker - python3-celery - python3-cffi - python3-click - python3-dateutil - python3-dev - python3-dulwich - python3-flake8 - python3-flask - python3-flask-api - python3-flask-limiter - python3-flask-testing - python3-libcloud - python3-msgpack - python3-nose - python3-psycopg2 - python3-pygit2 - python3-requests - python3-retrying - python3-sphinx - python3-subvertpy - python3-vcversioner - python3-venv - python3-wheel packages::devel::broker: - rabbitmq-server packages::devel::postgres: - apgdiff - barman - check-postgres - libpq-dev - postgresql - postgresql-autodoc - postgresql-client - postgresql-contrib - postgresql-doc - postgresql-plpython3-11 users: root: uid: 0 full_name: shell: /bin/bash groups: [] authorized_keys: root@louvre: type: ssh-rsa key: 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDMLEWHlUQldlvZs5rg0y42lRNAfOhD+6pmO8a73DzpJWHTqvAlfteLpU78IPjSacB4dO5ish1E/1RX/HC+Bt8p2v4RBqbCnVLx2w+Hx4ahWu6qbeTVmTz+U++1SQrHnL08fSlhT0OekCw0lRZM2sQq21FZi6+vul97Ecikag4Xaw6Qfumylu94pM3t05uzTUlKk1+6VMCjhT8dlSe8VS8OirVQpE/OqYtTMAWtQaMXGHPCsqDdYRAKzkJ8GjH7ydZmX5VCRyqS0RvPKAlcJfLCs5HBtv0u5rbeGtiHhuzhj/j3YgS/6NJOC2mUfcetcDOMPLnhkKpnF0vUAzTsJ7aR root@banco: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIDcljv9eR52wJsu9yYan6/riIQw70lQuyz+Qt0XpGXMs zack: uid: 1000 full_name: Stefano Zacchiroli shell: /usr/bin/zsh groups: - adm - swhdev - swhstorage - swhscheduler - swhdeploy - sudo - gitorious - swhteam authorized_keys: zack-software-heritage: type: ssh-rsa key: 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 olasd: uid: 1001 full_name: Nicolas Dandrimont shell: /bin/bash groups: - adm - swhdev - swhstorage - swhscheduler - swhdeploy - sudo - gitorious - swhteam authorized_keys: nicolasd@darboux: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ1TCpfzrvxLhEMhxjbxqPDCwY0nazIr1cyIbhGD2bUdAbZqVMdNtr7MeDnlLIKrIPJWuvltauvLNkYU0iLc1jMntdBCBM3hgXjmTyDtc8XvXseeBp5tDqccYNR/cnDUuweNcL5tfeu5kzaAg3DFi5Dsncs5hQK5KQ8CPKWcacPjEk4ir9gdFrtKG1rZmg/wi7YbfxrJYWzb171hdV13gSgyXdsG5UAFsNyxsKSztulcLKxvbmDgYbzytr38FK2udRk7WuqPbtEAW1zV4yrBXBSB/uw8EAMi+wwvLTwyUcEl4u0CTlhREljUx8LhYrsQUCrBcmoPAmlnLCD5Q9XrGH mirzakhani-ed25519: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAID/qk9xQq6KpRbRjMVpMzPM7unmGnJp+i6oQ3a0NA65k ardumont: uid: 1003 full_name: Antoine R. 
Dumont shell: /usr/bin/zsh groups: - adm - swhdev - swhstorage - swhscheduler - swhdeploy - sudo - gitorious - swhteam authorized_keys: eniotna.t@gmail.com: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDZarzgHrzUYspvrgSI6fszrALo92BDys7QOkJgUfZa9t9m4g7dUANNtwBiqIbqijAQPmB1zKgG6QTZC5rJkRy6KqXCW/+Qeedw/FWIbuI7jOD5WxnglbEQgvPkkB8kf1xIF7icRfWcQmK2je/3sFd9yS4/+jftNMPPXkBCxYm74onMenyllA1akA8FLyujLu6MNA1D8iLLXvz6pBDTT4GZ5/bm3vSE6Go8Xbuyu4SCtYZSHaHC2lXZ6Hhi6dbli4d3OwkUWz+YhFGaEra5Fx45Iig4UCL6kXPkvL/oSc9KGerpT//Xj9qz1K7p/IrBS8+eA4X69bHYYV0UZKDADZSn ardumont@louvre: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQC0Xj8nwGWTb6VGFNIrlhVTLX6VFTlvpirjdgOTOz8riRxBTS9ra35g3cz8zfDl0iVyE455GXzxlm33w/uu3DX0jQOIzkcoEBRw+T33EK89lo6tCCd9xQrteWCTNR1ZBFloHSnYk2m7kw9kyrisziyAdULsCrXmMd3BH1oJyEpISA+sv/dtVpIOWdEQmkbLmdHl2uEdjBLjqb3BtAp2oJZMmppE5YjAx0Aa1+7uSnURf7NnwMx+0wTDMdfqn8z4wqI8eQny+B+bqLH9kY++52FfMVALuErGh5+75/vtd2xzRQamjKsBlTGjFFbMRagZiVNLDX2wtdudhNmnQDIKA+rH ardumont@yavin4: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIPsJCCMKJEXEEsHyoFOrydDmXxL8B4yhzrE8PcDVtCjr swhworker: uid: 1004 full_name: SWH Worker Acccount shell: /bin/bash groups: - swhdeploy - gitorious swhstorage: uid: 1005 full_name: SWH Storage Account shell: /bin/bash groups: - swhdeploy - swhstorage swhwebapp: uid: 1006 full_name: SWH Web App Account shell: /bin/bash groups: [] swhbackup: uid: 1007 full_name: SWH Backup Account shell: /bin/bash groups: [] rdicosmo: uid: 1008 full_name: Roberto Di Cosmo shell: /bin/bash groups: - swhteam authorized_keys: dicosmo@voyager: type: ssh-rsa key: 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 swhteamannex: uid: 1009 full_name: SWH Team Git Annex Account shell: /bin/bash groups: - swhteam authorized_keys: swhteamannex@louvre: type: ssh-rsa key: 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDL/Ef9kktq/QkJ0lohan8ObQ3o7hMf7EOQPjO+u7UhIMjBNufJnaftQRGIA6N1/wEsDvxxNNz75/oJECJHgZs2OOTJJPsKfYeybmSBocSa/sn6IKK7/b/qlwHJlSGWPGVgbtfP0KexlSAKAmKZuJyqjES5igTLV5w4wTjvUUen9QyefuUehnCX3MJhTpoyixp7icXE80aNMaCPwHZppKb/28sNlPX3MbSONGM45wSFRXNuj0mAAjrgojkhAqFNnI9oKNAt9mDcw1hV0n86VvrDhEbMCJP/z58ecn376BgyXQ8zNUPIr2g0SrSPUNjfxZHfJ0XYpF7624wOMOmZE3fsQzZh+FeMF0IFRPvcG34RaelV9dXiy+/q45oqwbMF464gFSbyt++4jpgqHdsARM4zR//jBhyLvFXR+GaKC3hFENno5W5Raff4XE5rzN/q9jVJBNfvfuEPWrapyM3A/ePeuK3SyNJwyIx+bOEQXsRdxEWKszTeJO2SLPWtCrKrC+G4/HktQSQOj5S9a+N6HoKD8E889eBEYoeZGPIuzMot4cuUlyPt3P99z4oRIaeC6XwUCvZCD2DaTAkQWQMsmOn+soaeZ1zBHbsCBbV0mBMRx7K4Vjs62vhSelryQAXW+cBgd6+f5XBjOnNhHQhsNsDfYP4Kmztn58faQV2TzGG5ow== swhscheduler: uid: 1010 full_name: SWH Scheduler Account shell: /bin/bash groups: - swhscheduler jbertran: uid: 2001 full_name: Jordi Bertran de Balanda shell: /bin/false groups: [] password: "!" qcampos: uid: 2002 full_name: Quentin Campos shell: /bin/false groups: [] password: "!" gitorious: uid: 5000 full_name: Gitorious System User shell: /bin/false groups: - gitorious fiendish: uid: 1011 full_name: Avi Kelman shell: /bin/false groups: [] password: "!" 
morane: uid: 1012 full_name: Morane Otilia Gruenpeter shell: /bin/bash groups: - swhdev - swhstorage - swhteam authorized_keys: morane.gg@gmail.com: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDm8kH1pP+4ENKmpkTCkL2ashxxnOFVndGrcvfX05lV1hOo2NdItpdoR9txIgFEs3d7v73mtH4nWciUyaK7FIByrtvsR2TIhdVgEcb0Xai8viV+sDMTndpiNlWNilbfxm0K70tgpG4BeSWRJy8cPxnCR9CWoB2Vo9Df7lDKz1LXDgfY4VLJd69ahf1DPFUDjpWIEQdPFX2ZyGUYM+0yPXIoyYW/qreDt1JkYZXXVbRAV8j44/TVgTRYJLgYb9ThW6WzlGM1S4uP7GQdAuROCcspqW3ahV/UmV4Z9SM6S34NN182KvM0Ve7uxAPQz+IdWOgZTK0pvd+hfjHKbLSTA6I3 seirl: uid: 1013 full_name: Antoine Pietri shell: /usr/bin/zsh groups: - swhdev - swhstorage - swhteam - swhdeploy authorized_keys: seirl: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAILiua8eEg+nU0XSbYPTgnOMftzvpbN+u7v5jDabeO/0E ssushant: uid: 1014 full_name: Sushant shell: /bin/false groups: [] password: "!" anlambert: uid: 1015 full_name: Antoine Lambert shell: /bin/bash groups: - swhdev - swhstorage - swhteam - swhdeploy - swhwebapp authorized_keys: antoine.lambert@inria.fr: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAACAQDLWPcZnSUszEedMa39dT3ZCHpRod3NTs6WT4OfMMRVahrhTtWYdSiNGy8U3kEQveTZvMrb9WLtLPB3K8o7Xrf8WCI8iTOl9eb9DVjE9XL+zS0ZAcEmoZ5YH8e3gEDoDm8ZrMxF+V5XSlvhNi6kbWzJdqhXu++bJHHqGrKUHeTCQCfpYYMrsnvhPjtxe+90BK7e+IGm1Ha8LZMCCmOtz0XggxD8d2mFBaP2p8v9xsM48KfwFvsRMb3TZIaO/+NcsRSTe7wfFAR1pb14pi5LZAHeb2tpWfVH2vQGaE7Rej+Ycf4UOeaRmFGpimw7u7fugvDvKfZ/vs7w7Qs2RtxNdqJf9JM+vvi78OQbloufot1Tz2r19aDbhM9nsCn+Uo3rNfkmD+UcSMKrRJCMEXVBbaY/bgzs7XoqCJ8ODE2U/dF3NtHBZr+CB52iilUtemXy+Xwqw4TSs/r9vW7/XueTdb0Yp/cUs5uLCqCwlMpGS5okorpdJextp5gRuN6EMlUo6PffRiz5T0CqKm1xJu0NeT0EaacAXoGTDQaS4pIQGglqWfAOmjej9dM8gxAF6rgrx70uJt6Hy18tvzdB5iwJ4F2LUjcZhFnrxjUDzhjPoDBiRtPNgEKrCc30OHsveqXwMPo3v/d3np1Vpkum0JEwmp83q92P5T2rbf+wiruxZhhtww== grouss: uid: 1016 full_name: Guillaume Rousseau shell: /bin/bash groups: - swhteam authorized_keys: guillaume.rousseau@univ-paris-diderot.fr: type: ssh-rsa key: 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Akcdxrod/MFcHg53dCf7iZY/ph9MR0tWU08pjMDfU04j1nAgmHmvumYbxBtFNnd0nu4A9YY4nT79273PCE3c6ba3zSGS9DBYhrASGDqHBECrgEREM3YPXpA2NI0FKEZ878Ic3CQlYaOmRoe/QkFpm2j8CMoG4VdKp0EcvV1RCTgWqJY1P4KC30CJUg+OdGRaaqHEoSskjstU5yjbZCC9M90Hz0xO+MsMl/xKdcDmvwbLDMtp/3SKDQeyN4Q7Uu/zZwoZ8FmgEU4Xp7nKN3yCiEB9rqMkP/lLY71hTPHn/GiZnPo4rWL13w3unuI3X0GDpqxPxjt0LZN4xQEGEn+1 ftigeot: uid: 1017 full_name: Francois Tigeot shell: /bin/false password: "!" groups: [] swhdeposit: uid: 1018 full_name: SWH Deposit App Account shell: /bin/bash groups: - swhscheduler swhvault: uid: 1019 full_name: SWH Vault Account shell: /bin/bash groups: - swhdeploy - swhstorage - swhvault ddouard: uid: 1020 full_name: David Douard shell: /bin/bash groups: - adm - sudo - swhdev - swhteam - swhscheduler authorized_keys: david.douard@sdfa3.org: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAACAQCoON7De2Bx03owpZfzbOyucZTmyQdm7F+LP4D4H9EyOFxtyMpjH2S9Ve/JvMoFIWGQQlXSkYzRv63Z0BzPLKD2NsYgomcjOLdw1Baxnv8VOH+Q01g4B3cabcP2LMVjerHt/KRkY3E6dnKLQGE5UiER/taQ7KazAwvu89nUd4BJsV43rJ3X3DtFEfH3lR4ZEIgFyPUkVemQAjBhueFmN3w8debOdr7t9cBpnYvYKzLQN+G/kQVFc+fgs+fFOtOv+Az9kTXChfLs5pKPBm+MuGxz4gS3fPiAjY9cN6vGzr7ZNkCRUSUjJ10Hlm7Gf2EN8f+k6iSR4CPeixDcZ+scbCg4dCORqTsliSQzUORIJED9fbUR6bBjF4rRwm5GvnXx5ZTToWDJu0PSHYOkomqffp30wqvAvs6gLb+bG1daYsOLp+wYru3q09J9zUAA8vNXoWYaERFxgwsmsf57t8+JevUuePJGUC45asHjQh/ON1H5PDXtULmeD1GKkjqyaS7SBNbpOWgQb21l3pwhLet3Mq3TJmxVqzGMDnYvQMUCkiPdZq2pDplzfpDpOKLaDg8q82rR5+/tAfB4P2Z9RCOqnMLRcQk9AluTyO1D472Mkp+v5VA4di0eTWZ0tuzwYJEft0OVo+QOVTslCGsyGiEUoOcHzkrdgsT5uQziyAfgTMSuiw== vlorentz: uid: 1021 full_name: Valentin Lorentz shell: /usr/bin/zsh groups: - swhdev - swhteam authorized_keys: vlorentz@pro-desktop: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAILsRMQjrrfUjX1ka9e6YlyMyDvTC+qk5a21Fp9yXYI7p vlorentz@perso-laptop: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIIjJoY4XBTTNsxLVF/sUKBI4WGR2AIiR9qfMdspnsRfJ vlorentz@pro-laptop: type: ssh-ed25519 key: 
AAAAC3NzaC1lZDI1NTE5AAAAIND42yBr8C/zKJiQx2I84yIlMNsS9IMTUkdb9GjYgFON haltode: uid: 1022 full_name: Thibault Allancon shell: /usr/bin/zsh groups: - swhdev - swhteam authorized_keys: haltode@gmail.com: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIORGwY56PpvgwMWqDei718PPriV6U7LL5JMPJWS7zTcg danseraf: uid: 1023 full_name: Daniel Serafini groups: - swhdev shell: /usr/bin/fish authorized_keys: me@danieleserafini.eu: type: ssh-rsa key: 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 aeviso: uid: 1024 full_name: Andres Ezequiel Viso groups: - swhdev - swhteam shell: /bin/bash authorized_keys: andres@powerage: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDRnVV1UimkTbAAb1FPxDPAqfyCVSrlB7a1Kq83ZKc6e7tTVmOKA55whZa3KwNBwgZGB8389ejCery+WDqSiRZsirup4UN/VZ5X3XJdnRVPPcpzVuWFivPKBMn6D4LMa9D7moMnV9JC5q9zwMNHZQ4qJbGlW44MzWOi0RnPVd28jsRkL0sMRvz+i3KXFGDNeaVPV0YLB4vS1bmEho/8Tu5NlY/Tzkter9qTNN7QNIAbnq8oQF/lLPFAytE0s61ZtoDcXfznJPXWkIljMCTQHlxeDci9DQWUgQc+A+7qWmqkb3lzDYKQrxRfZtl3hbnR3jrtSfTI+q0Nagh0O4FN2QUj aeviso@powerage: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQCX0CtuTAwQpOQl3qBGm7FAuzKlnSmSUOISKPV3F8ohbYbN682VKnruTPFRwkdy5sidg6I8jVrIeJJQ+WZVrTM6mdtpiLANB4r3sgQdml4l3sWAyNm3UD5wwhsNYlnVgVuzUihK7/ykr9vKYxY3rrAYcLVyLzkq9t7BPVAMHJZj6XBsKqzhATcQxVdVVA+7k7aTSnaNR29AiHEVYb8/1J61W59mNqrqrwcWXaGXgjb4rvzprWhooQd21/9v4rlgwZznFlK20GQUoHy+BVCbpQJznQtQeCvXfTpBYGZjo7DrljbDdafkrz9fa7NqJ3UwRzYITadM6NLDPzD7EIR9q2cf vsellier: uid: 1025 full_name: Vincent Sellier groups: - swhdev - swhteam - sudo shell: /usr/bin/zsh authorized_keys: vsellier@swh-vs1: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAII5oO0jj/IeV04osZ/iaKBZdnuqdziJD3x1VOhtK9tZY tenma: uid: 1026 full_name: Nicolas Gattolin groups: - swhdev - swhteam shell: /bin/false authorized_keys: tenma@swh-ng1: type: ssh-ed25519 key: disabled tg1999: uid: 1027 full_name: Tushar Goel groups: - swhdev - swhteam shell: /bin/false authorized_keys: tg@tg-Inspiron-15-7000-Gaming: type: ssh-ed25519 key: disabled hakb: uid: 1028 full_name: Hakim 
Baaloudj shell: /bin/false groups: - swhdev - swhteam authorized_keys: hbaaloud@po461-pro.paris.inria.fr: type: ssh-ed25519 key: disabled jayesh: uid: 1029 full_name: Jayesh Velayudhan shell: /bin/bash groups: - swhdev - swhteam authorized_keys: jayesh@jayesh: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQCyBrP2uhCnQcEbNHpH6tsP/yl80JGcxtgxJ8m3Gts0keA8JTA6J1qnn9HUmzbdLpoJjCyHMxfW/oBR7G3IGEyD93S2SShaGltNMpFOEq+iAbKR2Y3ZBy8Vvq/bwBneq0dBNs/ITawbYQVMahcbOzB2I3aq+rG149t5icZ/1DPswVc9ZBPigtiReywF3EJ7uBd6JQ6OLRDnwpKZf6LNlkHzIWD5yBRLTmMNEExLcFw6zdw86t5GfgFTlGkARhUh+iXEBhPeVZnCboB9GZVcKURfrV788QUbIFzzKFm6VQt/cVAJDMUQmx/kYjFaV1ejU3f0+k3SdtVbANfQCYUsL2f7 zaboukha: uid: 1030 full_name: Zeinab Abou Khalil shell: /bin/bash groups: - swhdev - swhteam authorized_keys: spirals@wifi-pro-83-138.paris.inria.fr: type: ssh-rsa key: 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 bchauvet: uid: 1031 full_name: Benoit Chauvet shell: /bin/bash groups: - swhdev - swhteam authorized_keys: ben@ben-deb: type: ssh-ed25519 key: AAAAC3NzaC1lZDI1NTE5AAAAIJKPlIonRqTCL3ptpakag49GrY0Aw7SXpyZG2UjEhW18 groups: adm: gid: 4 # assigned from base-files sudo: gid: 27 # assigned from base-files www-data: gid: 33 # assigned from base-files zack: gid: 1000 olasd: gid: 1001 ardumont: gid: 1003 ddouard: gid: 1020 swhworker: gid: 1004 swhdev: gid: 1002 swhstorage: gid: 1005 swhdeploy: gid: 1006 swhbackup: gid: 1007 swhwebapp: gid: 1008 swhteam: gid: 1009 swhscheduler: gid: 1010 gitorious: gid: 5000 swhdeposit: gid: 1018 swhvault: gid: 1019 vsellier: gid: 1025 tenma: gid: 1026 tg1999: gid: 1027 bchauvet: gid: 1031 gunicorn::statsd::host: 127.0.0.1:8125 munin::master::hostname: munin.internal.softwareheritage.org rabbitmq::monitoring::user: swhdev # following password key in private data # - rabbitmq::monitoring::password # - swh::deploy::worker::task_broker::password # - swh::deploy::scheduler::task_broker::password rabbitmq::server::users: - name: "%{hiera('rabbitmq::monitoring::user')}" is_admin: true 
password: "%{hiera('rabbitmq::monitoring::password')}" tags: [] - name: swhconsumer is_admin: false password: "%{hiera('swh::deploy::worker::task_broker::password')}" tags: [] - name: swhproducer is_admin: false password: "%{hiera('swh::deploy::scheduler::task_broker::password')}" tags: - management puppet::master::hostname: pergamon.internal.softwareheritage.org puppet::master::puppetdb: pergamon.internal.softwareheritage.org puppet::master::codedir: /etc/puppet/code puppetdb::master::config::terminus_package: puppet-terminus-puppetdb puppet::master::manage_puppetdb: false strict_transport_security::max_age: 15768000 php::version: '7.4' # Those variables get picked up by 'include ::php::fpm::daemon' php::fpm::daemon::log_owner: www-data php::fpm::daemon::log_group: adm php::fpm::daemon::log_dir_mode: '0750' # Those variables get picked up by 'include ::apache' apache::server_tokens: 'Prod' apache::server_signature: 'Off' apache::trace_enable: 'Off' apache::manage_group: false # Those variables get picked up by 'include ::apache::mod::passenger' apache::mod::passenger::passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini # Those variables need to be set manually in the SSL vhosts. 
apache::ssl_protocol: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 apache::ssl_honorcipherorder: 'On' apache::ssl_cipher: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 apache::hsts_header: "set Strict-Transport-Security \"max-age=%{hiera('strict_transport_security::max_age')}\"" # Those variables need to be set manually for all vhosts apache::http_port: 80 apache::https_port: 443 apache::log_formats: combined_with_duration: "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{literal('%')}{Referer}i\\\" \\\"%{literal('%')}{User-Agent}i\\\" %{literal('%')}{ms}T" # Hitch TLS proxy configuration hitch::frontend: "[*]:10443" hitch::proxy_support: false hitch::http2_support: false # Varnish configuration varnish::http_port: 10080 varnish::proxy_port: 6081 varnish::http2_support: false varnish::listen: - ":%{hiera('varnish::http_port')}" - "[::1]:%{hiera('varnish::proxy_port')},PROXY" varnish::backend_http_port: "%{hiera('apache::http_port')}" varnish::admin_listen: 127.0.0.1 varnish::admin_port: 6082 varnish::storage_type: malloc varnish::storage_size: 256m varnish::storage_file: /var/lib/varnish/varnish_storage.bin # varnish::secret in private-data swh::deploy::reverse_proxy::services: - deposit - webapp - objstorage letsencrypt::account_email: sysop+letsencrypt@softwareheritage.org letsencrypt::server: https://acme-v02.api.letsencrypt.org/directory letsencrypt::gandi_livedns_hook::config: gandi_api: https://dns.api.gandi.net/api/v5/ zones: softwareheritage.org: api_key: "%{alias('gandi::softwareheritage_org::api_key')}" sharing_id: "%{alias('gandi::softwareheritage_org::sharing_id')}" swh.network: api_key: "%{alias('gandi::softwareheritage_org::api_key')}" sharing_id: "%{alias('gandi::swh_network::sharing_id')}" letsencrypt::gandi_paas_hook::config: gandi_xmlrpc: https://rpc.gandi.net/xmlrpc/ zone_keys: 
softwareheritage.org: "%{alias('gandi::softwareheritage_org::xmlrpc_key')}" sentry::vhost::name: sentry.softwareheritage.org letsencrypt::certificates::exported_directory: "%{::puppet_vardir}/letsencrypt_exports" letsencrypt::certificates::directory: /etc/ssl/certs/letsencrypt letsencrypt::certificates: archive_production: domains: # Should match with keycloak::resources::realms.SoftwareHeritage.clients.swh-web.redirect_uris - archive.softwareheritage.org - base.softwareheritage.org - archive.internal.softwareheritage.org archive_staging: domains: # Should match with keycloak::resources::realms.SoftwareHeritageStaging.clients.swh-web.redirect_uris - webapp.staging.swh.network - webapp-rp.internal.staging.swh.network archive_webapp1: domains: - webapp1.internal.softwareheritage.org deposit_production: domains: - deposit.softwareheritage.org - deposit.internal.softwareheritage.org deposit_staging: domains: - deposit.staging.swh.network - deposit-rp.internal.staging.swh.network
+ graphql_staging:
+ domains:
+ - graphql.staging.swh.network
+ - graphql-rp.internal.staging.swh.network
hedgedoc: domains: - hedgedoc.softwareheritage.org objstorage_production: domains: - objstorage.softwareheritage.org - objstorage.internal.softwareheritage.org objstorage_staging: domains: - objstorage.staging.swh.network - objstorage-rp.internal.staging.swh.network stats_export: domains: - stats.export.softwareheritage.org - pergamon.softwareheritage.org jenkins: domains: - jenkins.softwareheritage.org "%{lookup('sentry::vhost::name')}": domains: - "%{lookup('sentry::vhost::name')}" storage1.internal.staging.swh.network: domains: - broker1.journal.staging.swh.network - journal1.internal.staging.swh.network keycloak: domains: - auth.softwareheritage.org kafka1.internal.softwareheritage.org: domains: - broker1.journal.softwareheritage.org - kafka1.internal.softwareheritage.org kafka2.internal.softwareheritage.org: domains: - broker2.journal.softwareheritage.org - 
kafka2.internal.softwareheritage.org kafka3.internal.softwareheritage.org: domains: - broker3.journal.softwareheritage.org - kafka3.internal.softwareheritage.org kafka4.internal.softwareheritage.org: domains: - broker4.journal.softwareheritage.org - kafka4.internal.softwareheritage.org kafka01.euwest.azure.internal.softwareheritage.org: domains: - kafka01.euwest.azure.internal.softwareheritage.org - kafka01.euwest.azure.softwareheritage.org kafka02.euwest.azure.internal.softwareheritage.org: domains: - kafka02.euwest.azure.internal.softwareheritage.org - kafka02.euwest.azure.softwareheritage.org kafka03.euwest.azure.internal.softwareheritage.org: domains: - kafka03.euwest.azure.internal.softwareheritage.org - kafka03.euwest.azure.softwareheritage.org kafka04.euwest.azure.internal.softwareheritage.org: domains: - kafka04.euwest.azure.internal.softwareheritage.org - kafka04.euwest.azure.softwareheritage.org kafka05.euwest.azure.internal.softwareheritage.org: domains: - kafka05.euwest.azure.internal.softwareheritage.org - kafka05.euwest.azure.softwareheritage.org kafka06.euwest.azure.internal.softwareheritage.org: domains: - kafka06.euwest.azure.internal.softwareheritage.org - kafka06.euwest.azure.softwareheritage.org annex.softwareheritage.org: domains: - annex.softwareheritage.org bitbucket-archive.softwareheritage.org: domains: - bitbucket-archive.softwareheritage.org debian.softwareheritage.org: domains: - debian.softwareheritage.org - debian.internal.softwareheritage.org docs.softwareheritage.org: domains: - docs.softwareheritage.org intranet.softwareheritage.org: domains: - intranet.softwareheritage.org wiki.softwareheritage.org: domains: - wiki.softwareheritage.org icinga.softwareheritage.org: domains: - icinga.softwareheritage.org - icinga.internal.softwareheritage.org wg.softwareheritage.org: domains: - wg.softwareheritage.org git.softwareheritage.org: domains: - git.softwareheritage.org forge.softwareheritage.org: domains: - forge.softwareheritage.org 
grafana.softwareheritage.org: domains: - grafana.softwareheritage.org www-dev: domains: - www-dev.softwareheritage.org deploy_hook: gandi_paas www: domains: - softwareheritage.org - www.softwareheritage.org deploy_hook: gandi_paas gandi-redirects: domains: - softwareheritage.org - sponsors.softwareheritage.org - sponsorship.softwareheritage.org - testimonials.softwareheritage.org deploy_hook: gandi_paas netbox: domains: - inventory.internal.admin.swh.network # legacy hostname, needed for the redirect inventory.internal.softwareheritage.org: domains: - inventory.internal.softwareheritage.org azure-billing.internal.admin.swh.network: domains: - azure-billing.internal.admin.swh.network maven-exporter.internal.staging.swh.network: domains: - maven-exporter.internal.staging.swh.network pergamon.softwareheritage.org: domains: - pergamon.softwareheritage.org - pergamon.internal.softwareheritage.org thanos.internal.admin.swh.network: domains: - thanos.internal.admin.swh.network bind::update_key: local-update bind::zones: internal.softwareheritage.org: domain: internal.softwareheritage.org 100.168.192.in-addr.arpa: domain: 100.168.192.in-addr.arpa 101.168.192.in-addr.arpa: domain: 101.168.192.in-addr.arpa internal.staging.swh.network: domain: internal.staging.swh.network internal.admin.swh.network: domain: internal.admin.swh.network 50.168.192.in-addr.arpa: domain: 50.168.192.in-addr.arpa 128.168.192.in-addr.arpa: domain: 128.168.192.in-addr.arpa 130.168.192.in-addr.arpa: domain: 130.168.192.in-addr.arpa 200.168.192.in-addr.arpa: domain: 200.168.192.in-addr.arpa 201.168.192.in-addr.arpa: domain: 201.168.192.in-addr.arpa 202.168.192.in-addr.arpa: domain: 202.168.192.in-addr.arpa 203.168.192.in-addr.arpa: domain: 203.168.192.in-addr.arpa 204.168.192.in-addr.arpa: domain: 204.168.192.in-addr.arpa 205.168.192.in-addr.arpa: domain: 205.168.192.in-addr.arpa 206.168.192.in-addr.arpa: domain: 206.168.192.in-addr.arpa 207.168.192.in-addr.arpa: domain: 207.168.192.in-addr.arpa # 
Defaults for secondary bind server bind::zones::type: slave bind::zones::masters: - 192.168.100.29 bind::zones::allow_transfers: - 192.168.100.0/24 - 192.168.101.0/24 - 192.168.200.22 bind::zones::default_data: zone_type: "%{alias('bind::zones::type')}" dynamic: true masters: "%{alias('bind::zones::masters')}" transfer_source: '' allow_updates: [] update_policies: '' allow_transfers: "%{alias('bind::zones::allow_transfers')}" dnssec: false key_directory: '' ns_notify: true also_notify: '' allow_notify: '' forwarders: '' forward: '' source: '' ns_records: - pergamon.internal.softwareheritage.org. - ns0.euwest.azure.internal.softwareheritage.org. bind::resource_records: archive/CNAME: type: CNAME record: archive.internal.softwareheritage.org data: moma.internal.softwareheritage.org. db/CNAME: type: CNAME record: db.internal.softwareheritage.org data: belvedere.internal.softwareheritage.org. debian/CNAME: type: CNAME record: debian.internal.softwareheritage.org data: pergamon.internal.softwareheritage.org. backup/CNAME: type: CNAME record: backup.internal.softwareheritage.org data: banco.internal.softwareheritage.org. icinga/CNAME: type: CNAME record: icinga.internal.softwareheritage.org data: pergamon.internal.softwareheritage.org. faitout/CNAME: type: CNAME record: faitout.internal.softwareheritage.org data: prado.internal.softwareheritage.org. graph/CNAME: type: CNAME record: graph.internal.softwareheritage.org data: granet.internal.softwareheritage.org. logstash/CNAME: type: CNAME record: logstash.internal.softwareheritage.org data: logstash0.internal.softwareheritage.org. kibana/CNAME: type: CNAME record: kibana.internal.softwareheritage.org data: banco.internal.softwareheritage.org. rabbitmq/CNAME: type: CNAME record: rabbitmq.internal.softwareheritage.org data: saatchi.internal.softwareheritage.org. inventory/CNAME: type: CNAME record: inventory.internal.softwareheritage.org data: bojimans.internal.admin.swh.network. 
inventory-admin/CNAME: type: CNAME record: inventory.internal.admin.swh.network data: bojimans.internal.admin.swh.network. glyptotek/A: # OPNSense firewall, not managed by puppet record: "%{alias('opnsense::hosts.glyptotek.fqdn')}" data: "%{alias('opnsense::hosts.glyptotek.ip')}" pushkin/A: # OPNSense firewall, not managed by puppet record: "%{alias('opnsense::hosts.pushkin.fqdn')}" data: "%{alias('opnsense::hosts.pushkin.ip')}" internalgw/A: # Firewal(s)l vip, not managed by puppet record: gw.internal.softwareheritage.org data: 192.168.100.1 staging-rp0/A: record: rp0.internal.staging.swh.network data: 192.168.130.20 staging-webapp/A: record: webapp.internal.staging.swh.network data: 192.168.130.30 staging-webapp-rp/CNAME: type: CNAME record: webapp-rp.internal.staging.swh.network data: rp0.internal.staging.swh.network. staging-deposit/A: record: deposit.internal.staging.swh.network data: 192.168.130.31 staging-deposit-rp/CNAME: type: CNAME record: deposit-rp.internal.staging.swh.network data: rp0.internal.staging.swh.network. journal1/CNAME: type: CNAME record: journal1.internal.staging.swh.network data: storage1.internal.staging.swh.network. admin-db1/CNAME: type: CNAME record: db1.internal.admin.swh.network data: dali.internal.admin.swh.network. azure-billing-report/CNAME: type: CNAME record: azure-billing.internal.admin.swh.network data: money.internal.admin.swh.network. maven-index-exporter/CNAME: type: CNAME record: maven-exporter.internal.staging.swh.network data: maven-exporter0.internal.staging.swh.network. 
# Non-puppet azure hosts pgmirror0.euwest.azure/A: record: pgmirror0.euwest.azure.internal.softwareheritage.org data: 192.168.200.51 rancher.euwest.azure/A: record: rancher.euwest.azure.internal.softwareheritage.org data: 192.168.200.19 # VPN hosts zack/A: record: zack.internal.softwareheritage.org data: 192.168.101.6 olasd/A: record: olasd.internal.softwareheritage.org data: 192.168.101.10 ardumont/A: record: ardumont.internal.softwareheritage.org data: 192.168.101.14 ardumont-desktop/A: record: ardumont-desktop.internal.softwareheritage.org data: 192.168.101.158 rdicosmo/A: record: rdicosmo.internal.softwareheritage.org data: 192.168.101.38 grand-palais/A: record: grand-palais.internal.softwareheritage.org data: 192.168.101.62 grandpalais/CNAME: type: CNAME record: grandpalais.internal.softwareheritage.org data: grand-palais.internal.softwareheritage.org. petit-palais/A: record: petit-palais.internal.softwareheritage.org data: 192.168.101.58 petitpalais/CNAME: type: CNAME record: petitpalais.internal.softwareheritage.org data: petit-palais.internal.softwareheritage.org. 
giverny/A: type: A record: giverny.internal.softwareheritage.org data: 192.168.101.118 ddouard-desktop/A: record: ddouard-desktop.internal.softwareheritage.org data: 192.168.101.162 vlorentz-desktop/A: record: vlorentz-desktop.internal.softwareheritage.org data: 192.168.101.166 oturtle-desktop/A: record: oturtle-desktop.internal.softwareheritage.org data: 192.168.101.222 bind::resource_records::default_data: type: A bind::clients: - 192.168.50.0/24 - 192.168.100.0/24 - 192.168.101.0/24 - 192.168.102.0/23 - 192.168.130.0/24 - 192.168.200.0/21 - 127.0.0.0/8 - '::1/128' bind::autogenerate: 192.168.100.0/24: .internal.softwareheritage.org 192.168.200.0/21: .internal.softwareheritage.org 192.168.130.0/24: .internal.staging.swh.network 192.168.50.0/24: .internal.admin.swh.network backups::legacy_storage: /srv/backups backups::enable: true backups::base: / backups::exclude: - dev - proc - run - srv/backups - srv/db-backups - srv/elasticsearch - srv/remote-backups - srv/softwareheritage/objects - srv/softwareheritage/postgres - srv/softwareheritage/scratch - srv/softwareheritage/scratch.2TB - srv/storage - sys - tmp - var/cache - var/lib/mysql - var/log/journal - var/run - var/tmp phabricator::basepath: /srv/phabricator phabricator::user: phabricator phabricator::group: phabricator phabricator::vcs_user: git phabricator::notification::client_host: 127.0.0.1 phabricator::notification::client_port: 22280 phabricator::notification::listen: "%{hiera('phabricator::notification::client_host')}:%{hiera('phabricator::notification::client_port')}" phabricator::mysql::database_prefix: phabricator phabricator::mysql::username: phabricator phabricator::mysql::readonly_usernames: [] # phabricator::mysql::readonly_password_seed in private data phabricator::mysql::conf::max_allowed_packet: 33554432 phabricator::mysql::conf::sql_mode: STRICT_ALL_TABLES phabricator::mysql::conf::ft_stopword_file: "%{hiera('phabricator::basepath')}/phabricator/resources/sql/stopwords.txt" 
phabricator::mysql::conf::ft_min_word_len: 3 phabricator::mysql::conf::ft_boolean_syntax: "' |-><()~*:\"\"&^'" phabricator::mysql::conf::innodb_buffer_pool_size: 4G phabricator::mysql::conf::innodb_file_per_table: TRUE phabricator::mysql::conf::innodb_flush_method: O_DIRECT phabricator::mysql::conf::innodb_log_file_size: 1G phabricator::mysql::conf::max_connections: 16384 phabricator::php::fpm_listen: 127.0.0.1:9001 phabricator::php::max_file_size: 128M phabricator::php::opcache_validate_timestamps: 0 # Must have a matching cert in letsencrypt::domains phabricator::vhost::name: forge.softwareheritage.org phabricator::vhost::docroot: "%{hiera('phabricator::basepath')}/phabricator/webroot" phabricator::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" phabricator::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" phabricator::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" phabricator::vhost::hsts_header: "%{hiera('apache::hsts_header')}" mediawiki::php::fpm_listen: 127.0.0.1:9002 mediawiki::vhosts: # Must have matching certificates in letsencrypt::certificates intranet.softwareheritage.org: swh_logo: /images/9/99/Swh-intranet-logo.png mysql: username: mw_intranet dbname: mediawiki_intranet aliases: [] site_name: Software Heritage Intranet wiki.softwareheritage.org: swh_logo: /images/b/b2/Swh-logo.png mysql: username: mw_public dbname: mediawiki_public aliases: [] site_name: Software Heritage Wiki mediawiki::vhost::docroot: /var/lib/mediawiki mediawiki::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" mediawiki::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" mediawiki::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" mediawiki::vhost::hsts_header: "%{hiera('apache::hsts_header')}" annex::basepath: /srv/softwareheritage/annex # Must have matching certificate in letsencrypt::certificates annex::vhost::name: annex.softwareheritage.org annex::vhost::docroot: "%{hiera('annex::basepath')}/webroot" 
annex::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" annex::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" annex::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" annex::vhost::hsts_header: "%{hiera('apache::hsts_header')}" docs::basepath: /srv/softwareheritage/docs # Must have matching certificate in letsencrypt::certificates docs::vhost::name: docs.softwareheritage.org docs::vhost::docroot: "%{hiera('docs::basepath')}/webroot" docs::vhost::docroot_owner: "jenkins-push-docs" docs::vhost::docroot_group: "www-data" docs::vhost::docroot_mode: "2755" docs::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" docs::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" docs::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" docs::vhost::hsts_header: "%{hiera('apache::hsts_header')}" # Must have matching certificate in letsencrypt::certificates bitbucket_archive::vhost::name: bitbucket-archive.softwareheritage.org bitbucket_archive::vhost::docroot: /srv/softwareheritage/bitbucket-archive/webroot bitbucket_archive::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" bitbucket_archive::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" bitbucket_archive::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" bitbucket_archive::vhost::hsts_header: "%{hiera('apache::hsts_header')}" ssh::port: 22 ssh::permitrootlogin: without-password swh::base_directory: /srv/softwareheritage swh::conf_directory: /etc/softwareheritage swh::log_directory: /var/log/softwareheritage swh::global_conf::file: "%{hiera('swh::conf_directory')}/global.ini" swh::apt_config::swh_repository::hostname: debian.softwareheritage.org swh::apt_config::swh_repository: "https://%{hiera('swh::apt_config::swh_repository::hostname')}/" swh::apt_config::enable_non_free: false swh::apt_config::backported_packages: stretch: # For swh.scheduler - python3-msgpack # T1609 - python3-urllib3 - python3-requests - python3-chardet - 
python3-idna buster: # More recent systemd for new features like OOMPolicy - libnss-myhostname - libnss-mymachines - libnss-resolve - libnss-systemd - libpam-systemd - libsystemd-dev - libsystemd0 - libudev-dev - libudev1 - libudev1-udeb - libzstd1 - systemd - systemd-container - systemd-coredump - systemd-journal-remote - systemd-sysv - systemd-tests - udev - udev-udeb # python3-msgpack 1.0 breaks the older versions of borgbackup - borgbackup # Needed for some swh packages - python3-typing-extensions debian_repository::basepath: "%{hiera('swh::base_directory')}/repository" debian_repository::owner: swhdebianrepo debian_repository::owner::homedir: /home/swhdebianrepo debian_repository::group: swhdev debian_repository::mode: "02775" debian_repository::ssh_authorized_keys: nicolasd@darboux: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ1TCpfzrvxLhEMhxjbxqPDCwY0nazIr1cyIbhGD2bUdAbZqVMdNtr7MeDnlLIKrIPJWuvltauvLNkYU0iLc1jMntdBCBM3hgXjmTyDtc8XvXseeBp5tDqccYNR/cnDUuweNcL5tfeu5kzaAg3DFi5Dsncs5hQK5KQ8CPKWcacPjEk4ir9gdFrtKG1rZmg/wi7YbfxrJYWzb171hdV13gSgyXdsG5UAFsNyxsKSztulcLKxvbmDgYbzytr38FK2udRk7WuqPbtEAW1zV4yrBXBSB/uw8EAMi+wwvLTwyUcEl4u0CTlhREljUx8LhYrsQUCrBcmoPAmlnLCD5Q9XrGH jenkins@thyssen: type: ssh-rsa key: AAAAB3NzaC1yc2EAAAADAQABAAABAQCrfYnl8v4QK1ClkPMHO4WiPqgLVoOGpOPFUvg3WehMo8xMQ9e/EeZddQn96mhHkbbC5HCWEVK1VwafpIeadaMHnypdGhpapncYPpoKItxmf1IwVtlt/h8OYai5pTMCgkuOHjhnQdO20Amr9WMkoRZ/K7v/GijIZ6svvgWiYKfDnu0s1ziFYIT5rEA5hL9SqNJTlKdy2H68/7mmTii9NpBsGWQYDOjcrwELNOI5EUgQSOzmeKxecPkABfh/dezp6jmrv/2x7bm7LT46d+rnVDqVRiUrLVnLhrZCmZDxXfbEmftTdAoK8U/wjLreanRxKOc7arYRyKu0RbAaejPejzgR debian_repository::gpg_keys: # olasd - 791F12396630DD71FD364375B8E5087766475AAF - 6F339C5E1725D5E379100F096F31F7545A885252 # zack - 4900707DDC5C07F2DECB02839C31503C6D866396 # ardumont - BF00203D741AC9D546A8BE0752E2E9840D10C3B8 # anlambert - 91FAF3F5CDE011E4FDF4CBF2D026E5C2F802586D # seirl - 225CD9E3FA9374BDF6E057042F8984858B1A9945 # vlorentz - 379043E3DF96D3237E6782AC0E082B40E4376B1E # ddouard - 
7DC7325EF1A6226AB6C3D7E32388A3BF6F0A6938 # jenkins-debian1 - 1F4BDC445E30C7066324D7B3D7D3329147AE3148 # vsellier - 89226003C15CBC8C65C189C33F13C434EADAD17D # Must have matching certificate in letsencrypt::certificates debian_repository::vhost::name: "%{hiera('swh::apt_config::swh_repository::hostname')}" debian_repository::vhost::aliases: - debian.internal.softwareheritage.org debian_repository::vhost::docroot: "%{hiera('debian_repository::basepath')}" debian_repository::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" debian_repository::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" debian_repository::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" debian_repository::vhost::hsts_header: "%{hiera('apache::hsts_header')}" swh::apt_config::debian_mirror::hostname: deb.debian.org swh::apt_config::debian_mirror: "http://%{hiera('swh::apt_config::debian_mirror::hostname')}/debian/" swh::apt_config::debian_security_mirror::hostname: "%{hiera('swh::apt_config::debian_mirror::hostname')}" swh::apt_config::debian_security_mirror: "http://%{hiera('swh::apt_config::debian_mirror::hostname')}/debian-security/" swh::apt_config::azure_repository::hostname: debian-archive.trafficmanager.net swh::apt_config::azure_repository: "http://%{hiera('swh::apt_config::azure_repository::hostname')}/debian-azure/" swh::apt_config::unattended_upgrades: true swh::apt_config::unattended_upgrades::origins: - "o=Debian,codename=${distro_codename}" # main Debian archive - "o=Debian,codename=${distro_codename}-updates" # stable-updates (ex-volatile) - "o=Debian,codename=${distro_codename},l=Debian-Security" # security updates (buster and below) - "o=Debian,codename=${distro_codename}-security,l=Debian-Security" # security updates (bullseye and later) - "o=debian icinga-stable,codename=icinga-${distro_codename}" # Icinga2 repository - "o=Debian Azure,codename=${distro_codename}" # Debian Azure - "o=Proxmox,codename=${distro_codename}" # Proxmox repository - 
"o=packages.sury.org" # PHP backports (tate) ##################################################################################################### # Remote service configurations # Default ports swh::remote_service::storage::port: 5002 swh::remote_service::objstorage::port: 5003 swh::remote_service::webapp::port: 5004 swh::remote_service::vault::port: 5005 swh::remote_service::deposit::port: 5006 swh::remote_service::indexer::port: 5007 swh::remote_service::scheduler::port: 5008 swh::remote_service::graph::port: 5009 swh::remote_service::search::port: 5010 swh::remote_service::counters::port: 5011 # Default backend services. Override in specific sites if needed. Configurations # are split between read-only (the default) and writable storages. In most cases # overrides should only happen for read-only services. swh::remote_service::objstorage::config: "%{alias('swh::remote_service::objstorage::config::azure_readonly_with_fallback')}" swh::remote_service::objstorage::config::writable: "%{alias('swh::remote_service::objstorage::config::saam')}" swh::remote_service::objstorage::config_as_dict: banco: "%{alias('swh::remote_service::objstorage::config::banco')}" saam: "%{alias('swh::remote_service::objstorage::config::saam')}" azure: "%{alias('swh::remote_service::objstorage::config::azure')}" swh::remote_service::storage::config: "%{alias('swh::remote_service::storage::config::saam')}" swh::remote_service::storage::config::writable: &swh_remote_service_storage_config_writable "%{alias('swh::remote_service::storage::config::saam')}" swh::remote_service::indexer::config: "%{alias('swh::remote_service::indexer::config::saam')}" swh::remote_service::indexer::config::writable: "%{alias('swh::remote_service::indexer::config::saam')}" swh::remote_service::scheduler::config: "%{alias('swh::remote_service::scheduler::config::saatchi')}" swh::remote_service::scheduler::config::writable: "%{alias('swh::remote_service::scheduler::config::saatchi')}" 
swh::remote_service::vault::config: "%{alias('swh::remote_service::vault::config::azure')}" swh::remote_service::vault::config::writable: "%{alias('swh::remote_service::vault::config::azure')}" # Pipeline storage with retry, filter, buffer and finally writable storage swh::deploy::worker::storage::pipeline: cls: pipeline steps: - cls: buffer min_batch_size: content: 1000 content_bytes: 52428800 # 50 MB directory: 1000 directory_entries: 12000 revision: 1000 revision_parents: 2000 revision_bytes: 52428800 release: 1000 release_bytes: 52428800 extid: 1000 - cls: filter - cls: retry - "%{alias('swh::remote_service::storage::config::writable')}" # Objstorage backend configurations swh::remote_service::objstorage::config::azure: cls: azure-prefixed accounts: "0": account_name: 0euwestswh api_secret_key: "%{hiera('swh::azure::credentials::0euwestswh')}" container_name: contents "1": account_name: 1euwestswh api_secret_key: "%{hiera('swh::azure::credentials::1euwestswh')}" container_name: contents "2": account_name: 2euwestswh api_secret_key: "%{hiera('swh::azure::credentials::2euwestswh')}" container_name: contents "3": account_name: 3euwestswh api_secret_key: "%{hiera('swh::azure::credentials::3euwestswh')}" container_name: contents "4": account_name: 4euwestswh api_secret_key: "%{hiera('swh::azure::credentials::4euwestswh')}" container_name: contents "5": account_name: 5euwestswh api_secret_key: "%{hiera('swh::azure::credentials::5euwestswh')}" container_name: contents "6": account_name: 6euwestswh api_secret_key: "%{hiera('swh::azure::credentials::6euwestswh')}" container_name: contents "7": account_name: 7euwestswh api_secret_key: "%{hiera('swh::azure::credentials::7euwestswh')}" container_name: contents "8": account_name: 8euwestswh api_secret_key: "%{hiera('swh::azure::credentials::8euwestswh')}" container_name: contents "9": account_name: 9euwestswh api_secret_key: "%{hiera('swh::azure::credentials::9euwestswh')}" container_name: contents "a": account_name: 
aeuwestswh api_secret_key: "%{hiera('swh::azure::credentials::aeuwestswh')}" container_name: contents "b": account_name: beuwestswh api_secret_key: "%{hiera('swh::azure::credentials::beuwestswh')}" container_name: contents "c": account_name: ceuwestswh api_secret_key: "%{hiera('swh::azure::credentials::ceuwestswh')}" container_name: contents "d": account_name: deuwestswh api_secret_key: "%{hiera('swh::azure::credentials::deuwestswh')}" container_name: contents "e": account_name: eeuwestswh api_secret_key: "%{hiera('swh::azure::credentials::eeuwestswh')}" container_name: contents "f": account_name: feuwestswh api_secret_key: "%{hiera('swh::azure::credentials::feuwestswh')}" container_name: contents swh::remote_service::objstorage::config::azure::readonly: cls: filtered storage_conf: "%{alias('swh::remote_service::objstorage::config::azure')}" filters_conf: - type: readonly swh::remote_service::objstorage::config::saam: cls: remote url: "http://saam.internal.softwareheritage.org:%{hiera('swh::remote_service::objstorage::port')}/" swh::remote_service::objstorage::config::saam::readonly: cls: filtered storage_conf: "%{alias('swh::remote_service::objstorage::config::saam')}" filters_conf: - type: readonly swh::remote_service::objstorage::config::banco: cls: remote url: "http://banco.internal.softwareheritage.org:%{hiera('swh::remote_service::objstorage::port')}/" swh::remote_service::objstorage::config::banco::readonly: cls: filtered storage_conf: "%{alias('swh::remote_service::objstorage::config::banco')}" filters_conf: - type: readonly swh::remote_service::objstorage::config::azure_readonly_with_fallback: &swh_azure_readonly_with_fallback cls: multiplexer objstorages: - "%{alias('swh::remote_service::objstorage::config::azure::readonly')}" - "%{alias('swh::remote_service::objstorage::config::banco::readonly')}" - "%{alias('swh::remote_service::objstorage::config::saam::readonly')}" swh::remote_service::objstorage::config::localhost: cls: remote url: 
"http://127.0.0.1:%{hiera('swh::remote_service::objstorage::port')}/" # Storage backend configurations swh::remote_service::storage::config::saam: cls: remote url: "http://saam.internal.softwareheritage.org:%{hiera('swh::remote_service::storage::port')}/" swh::remote_service::storage::config::azure: cls: remote url: "http://storage01.euwest.azure.internal.softwareheritage.org:%{hiera('swh::remote_service::storage::port')}/" swh::remote_service::storage::config::local_internal_network: cls: remote url: "http://%{lookup('swh::deploy::storage::backend::listen::host')}:%{lookup('swh::remote_service::storage::port')}/" swh::remote_service::search::config::empty: {} swh::remote_service::search::config::local_internal_network: cls: remote url: "http://%{lookup('swh::deploy::search::backend::listen::host')}:%{hiera('swh::remote_service::search::port')}/" swh::remote_service::search::config::search1: cls: remote url: "http://search1.internal.softwareheritage.org:%{hiera('swh::remote_service::search::port')}/" swh::remote_service::search::config: "%{alias('swh::remote_service::search::config::local_internal_network')}" # Indexer backend configurations swh::remote_service::indexer::config::saam: cls: remote url: "http://saam.internal.softwareheritage.org:%{hiera('swh::remote_service::indexer::port')}/" swh::remote_service::indexer::config::azure: cls: remote url: "http://storage01.euwest.azure.internal.softwareheritage.org:%{hiera('swh::remote_service::indexer::port')}/" # Scheduler backend configurations swh::remote_service::scheduler::config::saatchi: cls: remote url: "http://saatchi.internal.softwareheritage.org:%{hiera('swh::remote_service::scheduler::port')}/" # Vault backend configurations swh::remote_service::vault::config::azure: cls: remote url: "http://vangogh.euwest.azure.internal.softwareheritage.org:%{hiera('swh::remote_service::vault::port')}/" # Counters backend configurations swh::remote_service::counters::url: 
"http://counters1.internal.softwareheritage.org:%{hiera('swh::remote_service::counters::port')}/" swh::remote_service::counters::config: cls: remote url: "%{alias('swh::remote_service::counters::url')}" swh::remote_service::graph::config: url: "http://graph.internal.softwareheritage.org:%{hiera('swh::remote_service::graph::port')}/" # End remote service configurations ##################################################################################################### swh::deploy::db::pgbouncer::port: 5432 swh::deploy::db::main::port: 5433 swh::deploy::db::secondary::port: 5434 swh::deploy::db::indexer::port: 5435 swh::deploy::db::pgbouncer::user::login: postgres swh::deploy::db::pgbouncer::user::password: "%{alias('swh::deploy::db::postgres::password')}" pgbouncer::common::listen_addresses: - 127.0.0.1 - 127.0.1.1 - "%{alias('pgbouncer::listen_addr')}" pgbouncer::config_params: logfile: /var/log/postgresql/pgbouncer.log pidfile: /var/run/postgresql/pgbouncer.pid unix_socket_dir: /var/run/postgresql client_tls_sslmode: allow client_tls_ca_file: /etc/ssl/certs/ssl-cert-snakeoil.pem client_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key client_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem server_tls_sslmode: allow listen_port: "%{hiera('swh::deploy::db::pgbouncer::port')}" listen_addr: "%{alias('pgbouncer::common::listen_addresses')}" auth_type: "hba" auth_file: /etc/pgbouncer/userlist.txt auth_hba_file: "%{hiera('pgbouncer::auth_hba_file')}" admin_users: - "%{hiera('swh::deploy::db::pgbouncer::user::login')}" - olasd pool_mode: session ignore_startup_parameters: extra_float_digits server_reset_query: DISCARD ALL max_client_conn: 2000 default_pool_size: 2000 max_db_connections: 2000 max_user_connections: 2000 log_connections: 0 log_disconnections: 0 pgbouncer::user: postgres pgbouncer::group: postgres # swh::deploy::db::pgbouncer::user::password in private data pgbouncer::userlist: - user: "%{hiera('swh::deploy::db::pgbouncer::user::login')}" password: 
"%{hiera('swh::deploy::db::pgbouncer::user::password')}" pgbouncer::databases: [] swh::deploy::directory: "%{hiera('swh::conf_directory')}/deploy" swh::deploy::group: swhdeploy swh::deploy::public_key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWrJX/uUss/EYZaTp2EIsZgg3ZSH8JcNZV5gBdNZ7EHcQcqxYUCqmwv9Ss3xT8n9kIrH6iz/vquqf84XR+keoZK3bsp50tMOY8LJWpcl/JK2XD6ovoJrHPu+iAroLkE59RdTa1Vz+jF67Q2UuG9f0nKwL4rnkeWTyuK/zAbyHyYKFQntkkwMr5/YTU8sjl/4aNF/2Ww8hitdi2GORlCjav2bB0wyPBA2e8sMt8Hp9O4TIWg/RD6vPX+ZvuFaB/Lw/Hv21622QGTHoZiO92/8/W9/t24il6SU4z96ZGfXqdUZkpPYKBGwyIkZkS4dN6jb4CcRlyXTObphyu3dAlABRt swhworker@worker01' swh::deploy::storage::sentry_swh_package: swh.storage swh::deploy::storage::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::storage::sentry_dsn: "https://%{lookup('swh::deploy::storage::sentry_token')}@sentry.softwareheritage.org/3" swh::deploy::storage::conf_directory: "%{hiera('swh::conf_directory')}/storage" swh::deploy::storage::conf_file: "%{hiera('swh::deploy::storage::conf_directory')}/storage.yml" swh::deploy::storage::user: swhstorage swh::deploy::storage::group: swhstorage swh::deploy::storage::db::host: db.internal.softwareheritage.org swh::deploy::storage::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::storage::db::user: swhstorage swh::deploy::storage::db::dbname: softwareheritage swh::deploy::storage::directory: "%{hiera('swh::base_directory')}/objects" swh::deploy::storage::backend::listen::host: 127.0.0.1 swh::deploy::storage::backend::listen::port: "%{alias('swh::remote_service::storage::port')}" swh::deploy::storage::backend::workers: 4 swh::deploy::storage::backend::reload_mercy: 3600 swh::deploy::storage::backend::http_keepalive: 5 swh::deploy::storage::backend::http_timeout: 3600 swh::deploy::storage::backend::max_requests: 10000 swh::deploy::storage::backend::max_requests_jitter: 1000 swh::deploy::storage::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost 
- "::1" # This can be overriden per storage node swh::deploy::storage::config::local: cls: local db: "host=%{hiera('swh::deploy::storage::db::host')} port=%{hiera('swh::deploy::storage::db::port')} user=%{hiera('swh::deploy::storage::db::user')} dbname=%{hiera('swh::deploy::storage::db::dbname')} password=%{hiera('swh::deploy::storage::db::password')}" objstorage: "%{alias('swh::remote_service::objstorage::config')}" swh::deploy::storage::config: storage: "%{alias('swh::deploy::storage::config::local')}" swh::deploy::journal::writer::config: cls: kafka brokers: "%{alias('swh::deploy::journal::brokers')}" prefix: "%{alias('swh::deploy::journal::prefix')}" client_id: "swh.storage.journal_writer.%{::swh_hostname.short}" anonymize: true producer_config: message.max.bytes: 1000000000 swh::deploy::journal::backfill::config_file: "%{hiera('swh::deploy::journal::conf_directory')}/backfill.yml" swh::deploy::journal::backfill::user: swhstorage swh::deploy::journal::backfill::group: swhstorage swh::deploy::storage::db::config::read-only: "host=%{hiera('swh::deploy::storage::db::host')} port=%{hiera('swh::deploy::storage::db::port')} user=guest dbname=%{hiera('swh::deploy::storage::db::dbname')} password=guest" swh::deploy::storage::config::local-read-only: cls: local db: "%{alias('swh::deploy::storage::db::config::read-only')}" # objstorage is required but it's not used in that context objstorage: cls: memory swh::deploy::journal::backfill::config: storage: "%{alias('swh::deploy::storage::config::local-read-only')}" journal_writer: "%{alias('swh::deploy::journal::writer::config')}" swh::deploy::journal::backfill::config_logging_file: "%{hiera('swh::deploy::journal::conf_directory')}/backfill_logger.yml" swh::deploy::journal::backfill::config_logging: version: 1 handlers: console: class: logging.StreamHandler formatter: detail level: INFO stream: ext://sys.stdout formatters: detail: format: '%(asctime)s %(levelname)-8s %(name)-15s %(message)s' datefmt: '%Y-%m-%dT%H:%M:%S' 
loggers: swh: {} root: level: INFO handlers: - console swh::deploy::indexer::storage::sentry_swh_package: swh.indexer swh::deploy::indexer::storage::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::indexer::storage::sentry_dsn: "%{alias('swh::deploy::indexer::sentry_dsn')}" swh::deploy::indexer::storage::conf_file: "%{hiera('swh::deploy::storage::conf_directory')}/indexer.yml" swh::deploy::indexer::storage::user: swhstorage swh::deploy::indexer::storage::group: swhstorage swh::deploy::indexer::storage::db::host: belvedere.internal.softwareheritage.org swh::deploy::indexer::storage::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::indexer::storage::db::user: swhstorage swh::deploy::indexer::storage::db::dbname: softwareheritage-indexer swh::deploy::indexer::storage::backend::listen::host: 127.0.0.1 swh::deploy::indexer::storage::backend::listen::port: "%{alias('swh::remote_service::indexer::port')}" swh::deploy::indexer::storage::backend::workers: 4 swh::deploy::indexer::storage::backend::reload_mercy: 3600 swh::deploy::indexer::storage::backend::http_keepalive: 5 swh::deploy::indexer::storage::backend::http_timeout: 3600 swh::deploy::indexer::storage::backend::max_requests: 10000 swh::deploy::indexer::storage::backend::max_requests_jitter: 1000 swh::deploy::indexer::storage::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" swh::deploy::provenance::db::dbname: swh-provenance swh::deploy::provenance::db::user: swh-provenance swh::deploy::provenance::db::host: met.internal.softwareheritage.org swh::deploy::indexer::storage::config: indexer_storage: cls: local db: "host=%{hiera('swh::deploy::indexer::storage::db::host')} port=%{hiera('swh::deploy::indexer::storage::db::port')} user=%{hiera('swh::deploy::indexer::storage::db::user')} dbname=%{hiera('swh::deploy::indexer::storage::db::dbname')} password=%{hiera('swh::deploy::indexer::storage::db::password')}" 
journal_writer: "%{alias('swh::deploy::indexer::journal::writer::config')}" swh::deploy::indexer::journal::prefix: 'swh.journal.indexed' swh::deploy::indexer::brokers: "%{alias('swh::deploy::journal::brokers')}" swh::deploy::indexer::journal::writer::config: cls: kafka brokers: "%{alias('swh::deploy::indexer::brokers')}" prefix: "%{alias('swh::deploy::indexer::journal::prefix')}" client_id: "swh.idx_storage.journal_writer.%{::swh_hostname.short}" producer_config: message.max.bytes: 1000000000 swh::deploy::vault::cache: "%{hiera('swh::base_directory')}/vault_cache" # Default cache a pathslicing objstorage swh::deploy::vault::config::cache: cls: pathslicing root: "%{hiera('swh::deploy::vault::cache')}" slicing: "0:1/1:5" swh::deploy::vault::sentry_swh_package: swh.vault swh::deploy::vault::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::vault::sentry_dsn: "https://%{lookup('swh::deploy::vault::sentry_token')}@sentry.softwareheritage.org/11" swh::deploy::vault::conf_directory: "%{hiera('swh::conf_directory')}/vault" swh::deploy::vault::conf_file: "%{hiera('swh::deploy::vault::conf_directory')}/server.yml" swh::deploy::vault::user: swhvault swh::deploy::vault::group: swhvault swh::deploy::vault::db::host: db.internal.softwareheritage.org swh::deploy::vault::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::vault::db::user: swh-vault swh::deploy::vault::db::dbname: swh-vault swh::deploy::vault::backend::listen::host: 127.0.0.1 swh::deploy::vault::backend::listen::port: "%{alias('swh::remote_service::vault::port')}" swh::deploy::vault::backend::workers: 4 swh::deploy::vault::backend::reload_mercy: 3600 swh::deploy::vault::backend::http_keepalive: 5 swh::deploy::vault::backend::http_timeout: 3600 swh::deploy::vault::backend::max_requests: 10000 swh::deploy::vault::backend::max_requests_jitter: 1000 swh::deploy::vault::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" 
swh::deploy::vault::config: objstorage: "%{alias('swh::remote_service::objstorage::config')}" storage: cls: retry storage: "%{alias('swh::remote_service::storage::config')}" scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" cache: "%{alias('swh::deploy::vault::config::cache')}" vault: cls: local db: "host=%{hiera('swh::deploy::vault::db::host')} port=%{hiera('swh::deploy::vault::db::port')} user=%{hiera('swh::deploy::vault::db::user')} dbname=%{hiera('swh::deploy::vault::db::dbname')} password=%{hiera('swh::deploy::vault::db::password')}" swh::deploy::graph::user: swhworker swh::deploy::graph::group: swhworker swh::deploy::graph::backend::listen::host: 127.0.0.1 swh::deploy::graph::backend::listen::port: "%{alias('swh::remote_service::graph::port')}" swh::deploy::graph::sentry_swh_package: swh.graph swh::deploy::graph::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::graph::sentry_dsn: "https://%{lookup('swh::deploy::graph::sentry_token')}@sentry.softwareheritage.org/20" swh::deploy::journal::conf_directory: "%{hiera('swh::conf_directory')}/journal" swh::deploy::journal::brokers: - kafka1.internal.softwareheritage.org - kafka2.internal.softwareheritage.org - kafka3.internal.softwareheritage.org - kafka4.internal.softwareheritage.org swh::deploy::journal::prefix: swh.journal.objects swh::deploy::scrubber::db::user: swh-scrubber swh::deploy::scrubber::db::dbname: swh-scrubber swh::deploy::scrubber::db::host: db.internal.softwareheritage.org swh::deploy::scrubber::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::scrubber::sentry_swh_package: swh.scrubber swh::deploy::scrubber::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::scrubber::sentry_dsn: "https://%{lookup('swh::deploy::scrubber::sentry_token')}@sentry.softwareheritage.org/23" swh::deploy::scrubber::checker::postgres::conf_directory: "%{hiera('swh::conf_directory')}/scrubber" 
swh::deploy::scrubber::checker::postgres::conf_file: "%{hiera('swh::deploy::scrubber::checker::postgres::conf_directory')}/postgres.yml" swh::deploy::scrubber::checker::postgres::user: swhworker swh::deploy::scrubber::checker::postgres::group: swhdev swh::deploy::scrubber::checker::postgres::object_types: - directory - revision - release - snapshot swh::deploy::scrubber::checker::postgres::ranges: - 00000000000000000000:44444444444444444444 - 44444444444444444444:88888888888888888888 - 88888888888888888888:bbbbbbbbbbbbbbbbbbbb - bbbbbbbbbbbbbbbbbbbb:ffffffffffffffffffff # password entry in private-data swh::deploy::scrubber::db::config: "host=%{hiera('swh::deploy::scrubber::db::host')} port=%{hiera('swh::deploy::db::pgbouncer::port')} dbname=%{hiera('swh::deploy::scrubber::db::dbname')} user=%{hiera('swh::deploy::scrubber::db::user')} password=%{hiera('swh::deploy::scrubber::db::password')}" swh::deploy::scrubber::checker::postgres::config: scrubber_db: cls: postgresql db: "%{alias('swh::deploy::scrubber::db::config')}" storage: cls: postgresql db: "%{alias('swh::deploy::storage::db::config::read-only')}" objstorage: cls: noop swh::deploy::journal_simple_checker_producer::conf_file: "%{hiera('swh::deploy::journal::conf_directory')}/checker.yml" swh::deploy::journal_simple_checker_producer::user: swhstorage swh::deploy::journal_simple_checker_producer::group: swhstorage swh::deploy::journal_simple_checker_producer::config: brokers: "%{alias('swh::deploy::journal::brokers')}" temporary_prefix: swh.tmp_journal.new storage_dbconn: "host=%{hiera('swh::deploy::storage::db::host')} port=%{hiera('swh::deploy::storage::db::port')} user=%{hiera('swh::deploy::storage::db::user')} dbname=%{hiera('swh::deploy::storage::db::dbname')} password=%{hiera('swh::deploy::storage::db::password')}" object_types: - content - directory - revision - release - origin - origin_visit swh::deploy::objstorage::sentry_swh_package: swh.objstorage swh::deploy::objstorage::sentry_environment: 
"%{alias('swh::deploy::environment')}" swh::deploy::objstorage::sentry_dsn: "https://%{lookup('swh::deploy::objstorage::sentry_token')}@sentry.softwareheritage.org/4" swh::deploy::objstorage::conf_directory: "%{hiera('swh::conf_directory')}/objstorage" swh::deploy::objstorage::conf_file: "%{hiera('swh::deploy::objstorage::conf_directory')}/server.yml" swh::deploy::objstorage::user: "%{hiera('swh::deploy::storage::user')}" swh::deploy::objstorage::group: "%{hiera('swh::deploy::storage::group')}" swh::deploy::objstorage::directory: "%{hiera('swh::deploy::storage::directory')}" swh::deploy::objstorage::slicing: 0:2/2:4/4:6 swh::deploy::objstorage::config: objstorage: cls: pathslicing root: "%{hiera('swh::deploy::objstorage::directory')}" slicing: "%{hiera('swh::deploy::objstorage::slicing')}" client_max_size: 1073741824 # 1 GiB swh::deploy::objstorage::backend::listen::host: 127.0.0.1 swh::deploy::objstorage::backend::listen::port: "%{alias('swh::remote_service::objstorage::port')}" swh::deploy::objstorage::backend::workers: 4 swh::deploy::objstorage::backend::reload_mercy: 3600 swh::deploy::objstorage::backend::http_workers: 1 swh::deploy::objstorage::backend::http_keepalive: 5 swh::deploy::objstorage::backend::http_timeout: 3600 swh::deploy::objstorage::backend::max_requests: 0 swh::deploy::objstorage::backend::max_requests_jitter: 0 swh::deploy::objstorage::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" # read-only storage use basic auth # it returns a 401 Restricted return code without # any content swh::deploy::objstorage::icinga_check_string: '' swh::deploy::objstorage::reverse_proxy::backend_http_port: "%{lookup('swh::remote_service::objstorage::port')}" swh::deploy::objstorage::reverse_proxy::basic_auth: true swh::deploy::objstorage::reverse_proxy::basic_auth::users: - swh-prod - enea-prod swh::deploy::deposit::reverse_proxy::backend_http_port: "%{alias('varnish::backend_http_port')}" # aliases are 
pulled from letsencrypt::certificates[$swh::deploy::deposit::vhost::letsencrypt_cert] swh::deploy::deposit::vhost::letsencrypt_cert: deposit_production swh::deploy::deposit::url: https://deposit.softwareheritage.org swh::deploy::deposit::internal_url: "%{hiera('swh::deploy::deposit::url')}" swh::deploy::deposit::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" swh::deploy::deposit::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" swh::deploy::deposit::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" swh::deploy::deposit::vhost::access_log_format: combined_with_duration swh::deploy::deposit::locked_endpoints: - /1/private/[^/]+/[^/]+/[^/]+ - /1/private/deposits/ # e2e vault swh::deploy::vault::e2e::webapp: "%{alias('swh::deploy::webapp::url')}" # e2e save code now swh::deploy::savecodenow::e2e::activate: true # to be deactivated on secondaries webapps swh::deploy::savecodenow::e2e::origins: - name: parmap origin: https://github.com/rdicosmo/parmap type: git - name: panda origin: https://subversion.renater.fr/anonscm/svn/panda type: svn - name: hgview origin: https://foss.heptapod.net/mercurial/hgview type: hg swh::deploy::savecodenow::e2e::webapp: "%{alias('swh::deploy::webapp::url')}" # e2e checks on deposit swh::deploy::deposit::e2e::server: "%{hiera('swh::deploy::deposit::url')}/1" swh::deploy::deposit::e2e::user: swh swh::deploy::deposit::e2e::collection: swh swh::deploy::deposit::e2e::provider_url: https://www.softwareheritage.org swh::deploy::deposit::e2e::swh_web_url: "%{alias('swh::deploy::webapp::url')}" swh::deploy::deposit::e2e::poll_interval: 1 swh::deploy::deposit::e2e::archive: /usr/share/swh/icinga-plugins/data/deposit/jesuisgpl.tgz swh::deploy::deposit::e2e::metadata: /usr/share/swh/icinga-plugins/data/deposit/jesuisgpl.tgz.xml swh::deploy::deposit::sentry_swh_package: swh.deposit swh::deploy::deposit::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::deposit::sentry_dsn: 
"https://%{lookup('swh::deploy::deposit::sentry_token')}@sentry.softwareheritage.org/12" swh::deploy::deposit::config_directory: "%{hiera('swh::conf_directory')}/deposit" swh::deploy::deposit::config_file: "%{hiera('swh::deploy::deposit::config_directory')}/server.yml" swh::deploy::deposit::user: swhdeposit swh::deploy::deposit::group: swhdeposit swh::deploy::deposit::media_root_directory: /srv/storage/space/swh-deposit/uploads/ swh::deploy::deposit::db::host: db.internal.softwareheritage.org swh::deploy::deposit::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::deposit::db::dbname: softwareheritage-deposit swh::deploy::deposit::db::dbuser: swhstorage swh::config::keycloak::realm_name: SoftwareHeritage swh::deploy::deposit::config::keycloak: server_url: "https://%{hiera('keycloak::vhost::name')}/auth/" realm_name: "%{alias('swh::config::keycloak::realm_name')}" swh::deploy::deposit::config::authentication: authentication_provider: keycloak keycloak: "%{alias('swh::deploy::deposit::config::keycloak')}" cache_uri: "%{hiera('memcached::server::bind')}:%{hiera('memcached::server::port')}" # swh::deploy::deposit::db::password: in private data # swh::deploy::deposit::runtime_secret_key in private data swh::deploy::deposit::config: max_upload_size: 209715200 scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" # The backend server writes raw_extrinsic_metadata objects storage_metadata: "%{alias('swh::remote_service::storage::config::writable')}" # It only reads some information from this storage, but use the same config for consistency. 
storage: "%{alias('swh::remote_service::storage::config::writable')}" private: secret_key: "%{hiera('swh::deploy::deposit::runtime_secret_key')}" db: host: "%{hiera('swh::deploy::deposit::db::host')}" port: "%{hiera('swh::deploy::deposit::db::port')}" name: "%{hiera('swh::deploy::deposit::db::dbname')}" user: "%{hiera('swh::deploy::deposit::db::dbuser')}" password: "%{hiera('swh::deploy::deposit::db::password')}" media_root: "%{hiera('swh::deploy::deposit::media_root_directory')}" extraction_dir: /tmp/swh-deposit/archive/ swh_authority_url: "%{hiera('swh::deploy::deposit::url')}/" swh::deploy::worker::loader::max_content_size: 104857600 swh::deploy::worker::loader_deposit::config_file: "%{hiera('swh::conf_directory')}/loader_deposit.yml" swh::deploy::worker::loader_deposit::concurrency: 1 swh::deploy::worker::loader_deposit::private_tmp: true swh::deploy::worker::loader_deposit::loglevel: info # deposit_basic_auth_swhworker_{username|password} in private_data swh::deploy::worker::loader_deposit::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.deposit.tasks.LoadDeposit deposit: url: "%{alias('swh::deploy::webapp::deposit::private::url')}" auth: username: "%{hiera('deposit_basic_auth_swhworker_username')}" password: "%{hiera('deposit_basic_auth_swhworker_password')}" default_filename: archive.tar swh::deploy::checker_deposit::sentry_swh_package: swh.deposit.loader swh::deploy::checker_deposit::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::worker::checker_deposit::config_file: "%{hiera('swh::conf_directory')}/checker_deposit.yml" swh::deploy::worker::checker_deposit::concurrency: 1 swh::deploy::worker::checker_deposit::private_tmp: true swh::deploy::worker::checker_deposit::loglevel: info # deposit_basic_auth_swhworker_{username|password} in 
private_data swh::deploy::worker::checker_deposit::config: storage: "%{alias('swh::remote_service::storage::config::writable')}" extraction_dir: /tmp/swh.checker.deposit/ celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_modules: - swh.deposit.loader.tasks task_queues: - swh.deposit.loader.tasks.ChecksDepositTsk deposit: url: "%{hiera('swh::deploy::deposit::internal_url')}/1/private/" auth: username: "%{hiera('deposit_basic_auth_swhworker_username')}" password: "%{hiera('deposit_basic_auth_swhworker_password')}" swh::deploy::deposit::backend::listen::host: 127.0.0.1 swh::deploy::deposit::backend::listen::port: "%{alias('swh::remote_service::deposit::port')}" swh::deploy::deposit::backend::workers: 8 swh::deploy::deposit::backend::reload_mercy: 3600 swh::deploy::deposit::backend::http_keepalive: 5 swh::deploy::deposit::backend::http_timeout: 3600 swh::deploy::objstorage_log_checker::conf_directory: "%{hiera('swh::deploy::objstorage::conf_directory')}" swh::deploy::objstorage_log_checker::conf_file: "%{hiera('swh::deploy::objstorage_log_checker::conf_directory')}/log_checker.yml" swh::deploy::objstorage_log_checker::user: "%{hiera('swh::deploy::objstorage::user')}" swh::deploy::objstorage_log_checker::group: "%{hiera('swh::deploy::objstorage::group')}" swh::deploy::objstorage_log_checker:config: storage: cls: pathslicing root: "%{hiera('swh::deploy::objstorage::directory')}" slicing: "%{hiera('swh::deploy::objstorage::slicing')}" batch_size: 1000 log_tag: objstorage.checker.log swh::deploy::objstorage_repair_checker::conf_directory: "%{hiera('swh::deploy::objstorage::conf_directory')}" swh::deploy::objstorage_repair_checker::conf_file: "%{hiera('swh::deploy::objstorage_repair_checker::conf_directory')}/repair_checker.yml" swh::deploy::objstorage_repair_checker::user: "%{hiera('swh::deploy::objstorage::user')}" swh::deploy::objstorage_repair_checker::group: "%{hiera('swh::deploy::objstorage::group')}" 
swh::deploy::objstorage_repair_checker::config: storage: cls: pathslicing root: "%{hiera('swh::deploy::objstorage::directory')}" slicing: "%{hiera('swh::deploy::objstorage::slicing')}" batch_size: 1000 log_tag: objstorage.checker.repair backup_storages: "%{alias('swh::remote_service::objstorage::config_as_dict')}" swh::deploy::webapp::backported_packages: stretch: - python3-django - python-django-common buster: - python3-django - python3-typing-extensions swh::deploy::deposit::backported_packages: "%{alias('swh::deploy::webapp::backported_packages')}" swh::deploy::webapp::sentry_swh_package: swh.web swh::deploy::webapp::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::webapp::sentry_dsn: "https://%{lookup('swh::deploy::webapp::sentry_token')}@sentry.softwareheritage.org/13" swh::deploy::webapp::conf_directory: "%{hiera('swh::conf_directory')}/web" swh::deploy::webapp::conf_file: "%{hiera('swh::deploy::webapp::conf_directory')}/web.yml" swh::deploy::webapp::user: swhwebapp swh::deploy::webapp::group: swhwebapp swh::deploy::webapp::conf::log_dir: "%{hiera('swh::log_directory')}/webapp" swh::deploy::webapp::backend::listen::host: 127.0.0.1 swh::deploy::webapp::backend::listen::port: "%{alias('swh::remote_service::webapp::port')}" swh::deploy::webapp::backend::workers: 32 swh::deploy::webapp::backend::http_keepalive: 5 swh::deploy::webapp::backend::http_timeout: 3600 swh::deploy::webapp::backend::reload_mercy: 3600 swh::deploy::webapp::db::host: db.internal.softwareheritage.org swh::deploy::webapp::db::user: swh-web swh::deploy::webapp::db::name: swh-web swh::deploy::webapp::db::port: "%{alias('swh::deploy::db::secondary::port')}" # swh::deploy::webapp::db::password in private data swh::deploy::webapp::production_db: host: "%{alias('swh::deploy::webapp::db::host')}" port: "%{alias('swh::deploy::db::pgbouncer::port')}" name: "%{alias('swh::deploy::webapp::db::name')}" user: "%{alias('swh::deploy::webapp::db::user')}" password: 
"%{alias('swh::deploy::webapp::db::password')}" swh::deploy::webapp::icinga_check_string: 'archive' swh::deploy::webapp::reverse_proxy::backend_http_port: "%{alias('varnish::backend_http_port')}" swh::deploy::webapp::django_settings_module: swh.web.settings.production swh::deploy::webapp::timers_enabled: false # aliases are pulled from letsencrypt::certificates[$swh::deploy::webapp::vhost::letsencrypt_cert] swh::deploy::webapp::vhost::letsencrypt_cert: archive_production swh::deploy::webapp::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" swh::deploy::webapp::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" swh::deploy::webapp::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" swh::deploy::webapp::vhost::hsts_header: "%{hiera('apache::hsts_header')}" swh::deploy::webapp::vhost::access_log_format: combined_with_duration swh::deploy::webapp::inbound_email::production::domain: archive.softwareheritage.org swh::deploy::webapp::inbound_email::staging::domain: webapp.staging.swh.network swh::deploy::webapp::config::es_workers_index_url: http://esnode1.internal.softwareheritage.org:9200/swh_workers-* swh::deploy::webapp::deposit::private::url: "%{hiera('swh::deploy::deposit::internal_url')}/1/private/" swh::deploy::webapp::config::throttling: cache_uri: "%{hiera('memcached::server::bind')}:%{hiera('memcached::server::port')}" scopes: swh_api: limiter_rate: default: 120/h exempted_networks: - 127.0.0.0/8 - 192.168.100.0/23 - 128.93.166.14 - 131.107.174.0/24 # OpenAIRE - 213.135.60.145 - 213.135.60.146 # DINSIC - 37.187.137.47 # Antoine Eiche - 37.187.96.121 swh_api_origin_search: limiter_rate: default: 10/m swh_api_origin_visit_latest: # This endpoint gets called a lot (by default, up to 70 times # per origin search), so it deserves a much higher rate-limit # than the rest of the API. 
limiter_rate: default: 700/m swh_vault_cooking: limiter_rate: default: 120/h GET: 60/m exempted_networks: - 127.0.0.0/8 - 192.168.100.0/23 - 128.93.166.14 - 131.107.174.0/24 # OpenAIRE - 213.135.60.145 - 213.135.60.146 # Antoine Eiche - 37.187.96.121 swh_save_origin: limiter_rate: default: 120/h POST: 10/h exempted_networks: - 127.0.0.0/8 - 192.168.100.0/23 - 128.93.166.14 - 131.107.174.0/24 # OpenAIRE - 213.135.60.145 - 213.135.60.146 # Antoine Eiche - 37.187.96.121 swh_raw_object: limiter_rate: default: 120/h swh::deploy::webapp::config::keycloak: server_url: "https://%{hiera('keycloak::vhost::name')}/auth/" realm_name: "%{alias('swh::config::keycloak::realm_name')}" swh::deploy::webapp::metadata_search_backend: swh-search swh::deploy::webapp::history_counters_url: "%{lookup('swh::remote_service::counters::url')}counters_history/history.json" swh::deploy::webapp::counters_backend: swh-counters swh::deploy::webapp::instance_name: archive.softwareheritage.org swh::deploy::webapp::add_forge_now_email_address: "add-forge-now@%{lookup('swh::deploy::webapp::inbound_email::domain')}" # in private data: # deposit_basic_auth_swhworker_username # deposit_basic_auth_swhworker_password # webapp_give_public_key # webapp_give_token swh::deploy::webapp::config: search: "%{alias('swh::remote_service::search::config')}" search_config: metadata_backend: "%{alias('swh::deploy::webapp::metadata_search_backend')}" storage: "%{alias('swh::remote_service::storage::config')}" vault: "%{alias('swh::remote_service::vault::config::writable')}" indexer_storage: "%{alias('swh::remote_service::indexer::config')}" scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" counters: "%{alias('swh::remote_service::counters::config')}" counters_backend: "%{alias('swh::deploy::webapp::counters_backend')}" log_dir: "%{hiera('swh::deploy::webapp::conf::log_dir')}" secret_key: "%{hiera('swh::deploy::webapp::conf::secret_key')}" content_display_max_size: 5242880 # 5MB throttling: 
"%{alias('swh::deploy::webapp::config::throttling')}" production_db: "%{alias('swh::deploy::webapp::production_db')}" es_workers_index_url: "%{alias('swh::deploy::webapp::config::es_workers_index_url')}" deposit: private_api_url: "%{hiera('swh::deploy::webapp::deposit::private::url')}" private_api_user: "%{hiera('deposit_basic_auth_swhworker_username')}" private_api_password: "%{hiera('deposit_basic_auth_swhworker_password')}" client_config: sentry_dsn: "%{lookup('swh::deploy::webapp::sentry_dsn')}" keycloak: "%{alias('swh::deploy::webapp::config::keycloak')}" history_counters_url: "%{alias('swh::deploy::webapp::history_counters_url')}" instance_name: "%{alias('swh::deploy::webapp::instance_name')}" give: public_key: "%{hiera('webapp_give_public_key')}" token: "%{hiera('webapp_give_token')}" add_forge_now: email_address: "%{hiera('swh::deploy::webapp::add_forge_now_email_address')}" features: "%{alias('swh::deploy::webapp::config::features')}" swh::deploy::webapp::config::features: add_forge_now: true swh::deploy::webapp::locked_endpoints: - /api/1/content/[^/]+/symbol/ - /api/1/entity/ - /api/1/provenance/ swh::deploy::webapp::sync_mailmaps::db::service_name: "softwareheritage-sync-mailmaps" swh::deploy::webapp::sync_mailmaps::db::host: "%{hiera('swh::deploy::storage::db::host')}" swh::deploy::webapp::sync_mailmaps::db::port: "%{hiera('swh::deploy::db::pgbouncer::port')}" swh::deploy::webapp::sync_mailmaps::db::dbname: "%{hiera('swh::deploy::storage::db::dbname')}" swh::deploy::webapp::sync_mailmaps::db::user: swhmailmap # swh::deploy::webapp::sync_mailmaps::db::password in private data # regexp style end-to-end check for production instance # overwrite in staging for its dedicated snapshot check swh::deploy::webapp::snapshot_e2e: uri: '/browse/snapshot/baebc2109e4a2ec22a1129a3859647e191d04df4/branches/' regexp: - 
'buster/main/4.13.13-1.*buster/main/4.14.12-2.*buster/main/4.14.13-1.*buster/main/4.14.17-1.*buster/main/4.15.4-1.*buster/main/4.9.65-3.*experimental/main/4.10~rc6-1~exp2.*jessie-backports/main/3.16.39-1.*jessie-backports/main/4.7.8-1~bpo8\\+1.*jessie-backports/main/4.9.18-1~bpo8\\+1.*jessie-backports/main/4.9.65-3\\+deb9u1~bpo8\\+1.*jessie-backports/main/4.9.65-3\\+deb9u2~bpo8\\+1.*jessie-kfreebsd/main/3.16.7-ckt9-2.*jessie-proposed-updates/main/3.16.51-3.*jessie-proposed-updates/main/3.16.51-3\\+deb8u1.*jessie-updates/main/3.16.51-3.*jessie/main/3.16.43-1.*jessie/main/3.16.51-2.*jessie/main/3.16.7-ckt2-1.*jessie/main/3.16.7-ckt20-1\\+deb8u3' swh::deploy::webapp::icinga_checks: get: counters: uri: '/api/1/stat/counters/' string: '"content":' 'content end to end': uri: '/browse/content/4dfc4478b1d5f7388b298fdfc06802485bdeae0c/' string: 'PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2' post: content_known: uri: '/api/1/content/known/search/' post: 'q=8624bcdae55baeef00cd11d5dfcfa60f68710a02' string: '"found":true' regexp: 'directory end to end': uri: '/browse/directory/977fc4b98c0e85816348cebd3b12026407c368b6/' regexp: - 'Doc.*Grammar.*Include.*Lib.*Mac.*Misc.*Modules.*Objects.*PC.*PCbuild.*LICENSE.*README.rst' 'revision end to end': uri: '/browse/revision/f1b94134a4b879bc55c3dacdb496690c8ebdc03f/' regexp: - 'Allocate the output vlc pictures with dimensions padded,.*' - 'as requested by the decoder \\(for alignments\\).' 
'revision log end to end': uri: '/browse/revision/b9b0ecd1e2f9db10335383651f8317ed8cec8296/log/' regexp: - '/browse/revision/b9b0ecd1e2f9db10335383651f8317ed8cec8296/.*Roberto Di Cosmo.*Moved to github' 'release end to end': uri: '/browse/release/a9b7e3f1eada90250a6b2ab2ef3e0a846cb16831/' regexp: - 'Linux 4.9-rc8.*' - '/revision/3e5de27e940d00d8d504dfb96625fb654f641509/' 'snapshot end to end': "%{alias('swh::deploy::webapp::snapshot_e2e')}" # local configuration for the scheduler swh::deploy::scheduler::config::local: &swh_scheduler_local_config scheduler: cls: local db: "host=%{hiera('swh::deploy::scheduler::db::host')} port=%{hiera('swh::deploy::scheduler::db::port')} dbname=%{hiera('swh::deploy::scheduler::db::dbname')} user=%{hiera('swh::deploy::scheduler::db::user')} password=%{hiera('swh::deploy::scheduler::db::password')}" swh::deploy::scheduler::sentry_swh_package: swh.scheduler swh::deploy::scheduler::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::scheduler::sentry_dsn: "https://%{lookup('swh::deploy::scheduler::sentry_token')}@sentry.softwareheritage.org/7" swh::deploy::scheduler::conf_dir: "%{lookup('swh::conf_directory')}/scheduler" swh::deploy::scheduler::conf_file: "%{hiera('swh::deploy::scheduler::conf_dir')}/listener-runner.yml" swh::deploy::scheduler::user: swhscheduler swh::deploy::scheduler::group: swhscheduler swh::deploy::scheduler::db::host: db.internal.softwareheritage.org swh::deploy::scheduler::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" swh::deploy::scheduler::db::dbname: softwareheritage-scheduler swh::deploy::scheduler::db::user: swhscheduler # swh::deploy::scheduler::db::password in private data # swh::deploy::scheduler::task_broker::password in private data swh::deploy::scheduler::task_broker: "amqp://swhproducer:%{hiera('swh::deploy::scheduler::task_broker::password')}@rabbitmq:5672/%2f" swh::deploy::scheduler::services::log_level: INFO swh::deploy::scheduler::config: <<: 
*swh_scheduler_local_config celery: task_broker: "%{alias('swh::deploy::scheduler::task_broker')}" swh::deploy::scheduler::packages: - python3-swh.lister - python3-swh.loader.bzr - python3-swh.loader.git - python3-swh.loader.mercurial - python3-swh.loader.svn - python3-swh.loader.core - python3-swh.scheduler # subset limited to the save code now tasks for the runner priority swh::deploy::scheduler::swh-scheduler-runner-priority::config::task_types: - load-git - load-svn - load-archive-files - load-hg swh::deploy::scheduler::remote::sentry_swh_package: swh.scheduler swh::deploy::scheduler::remote::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::scheduler::remote::sentry_dsn: "%{alias('swh::deploy::scheduler::sentry_dsn')}" swh::deploy::scheduler::remote::conf_dir: "%{alias('swh::deploy::scheduler::conf_dir')}" swh::deploy::scheduler::remote::conf_file: "%{hiera('swh::deploy::scheduler::remote::conf_dir')}/backend.yml" swh::deploy::scheduler::remote::user: swhscheduler swh::deploy::scheduler::remote::group: swhscheduler swh::deploy::scheduler::remote::backend::listen::host: 127.0.0.1 swh::deploy::scheduler::remote::backend::listen::port: "%{alias('swh::remote_service::scheduler::port')}" swh::deploy::scheduler::remote::backend::workers: 16 swh::deploy::scheduler::remote::backend::reload_mercy: 3600 swh::deploy::scheduler::remote::backend::http_keepalive: 5 swh::deploy::scheduler::remote::backend::http_timeout: 3600 swh::deploy::scheduler::remote::backend::max_requests: 10000 swh::deploy::scheduler::remote::backend::max_requests_jitter: 1000 swh::deploy::scheduler::remote::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" swh::deploy::scheduler::remote::config: "%{alias('swh::deploy::scheduler::config::local')}" swh::elasticsearch::storage_nodes: - host: esnode2.internal.softwareheritage.org port: 9200 - host: esnode3.internal.softwareheritage.org port: 9200 - host: 
esnode1.internal.softwareheritage.org port: 9200 swh::elasticsearch::search_nodes: - host: search-esnode4.internal.softwareheritage.org port: 9200 - host: search-esnode5.internal.softwareheritage.org port: 9200 - host: search-esnode6.internal.softwareheritage.org port: 9200 swh::deploy::scheduler::journal_client::config_file: "%{lookup('swh::deploy::scheduler::conf_dir')}/journal-client.yml" swh::deploy::scheduler::journal_client::user: "%{alias('swh::deploy::scheduler::user')}" swh::deploy::scheduler::journal_client::group: "%{alias('swh::deploy::scheduler::group')}" swh::deploy::scheduler::journal_client::config: <<: *swh_scheduler_local_config journal: brokers: "%{alias('swh::deploy::journal::brokers')}" group_id: swh.scheduler.journal_client # Main lister configuration swh::deploy::worker::lister::db::user: swh-lister swh::deploy::worker::lister::db::name: swh-lister swh::deploy::worker::lister::db::host: db.internal.softwareheritage.org swh::deploy::worker::lister::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}" # swh::deploy::lister::db::password in private data # swh::deploy::worker::task_broker::password in private data swh::deploy::worker::task_broker: "amqp://swhconsumer:%{hiera('swh::deploy::worker::task_broker::password')}@rabbitmq:5672/%2f" swh::deploy::worker::instances: [] swh::deploy::loader_git::sentry_swh_package: swh.loader.git swh::deploy::loader_git::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::loader_git::sentry_dsn: "https://%{lookup('swh::deploy::loader_git::sentry_token')}@sentry.softwareheritage.org/8" swh::deploy::worker::loader_git::config_file: "%{hiera('swh::conf_directory')}/loader_git.yml" swh::deploy::worker::loader_git::concurrency: 1 swh::deploy::worker::loader_git::max_tasks_per_child: 100 swh::deploy::worker::loader_git::temp_file_cutoff: 536870912 # 512 * 1024 * 1024 swh::deploy::worker::loader_git::loglevel: info swh::deploy::worker::loader_git::load_metadata: true 
swh::deploy::worker::loader_git::extra_config: metadata_fetcher_credentials: "%{alias('swh::deploy::worker::lister::config::credentials')}" swh::deploy::loader_git::queues: - swh.loader.git.tasks.UpdateGitRepository # loader-git-disk - swh.loader.git.tasks.LoadDiskGitRepository - swh.loader.git.tasks.UncompressAndLoadDiskGitRepository swh::deploy::worker::loader_git::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" temp_file_cutoff: "%{alias('swh::deploy::worker::loader_git::temp_file_cutoff')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: "%{alias('swh::deploy::loader_git::queues')}" # high priority loader (save-code-now, ...) swh::deploy::worker::loader_high_priority::config_file: "%{hiera('swh::conf_directory')}/loader_high_priority.yml" swh::deploy::worker::loader_high_priority::queues: # git - save_code_now:swh.loader.git.tasks.UpdateGitRepository # mercurial - save_code_now:swh.loader.mercurial.tasks.LoadMercurial - save_code_now:swh.loader.mercurial.tasks.LoadArchiveMercurial # svn - save_code_now:swh.loader.svn.tasks.LoadSvnRepository - save_code_now:swh.loader.svn.tasks.MountAndLoadSvnRepository - save_code_now:swh.loader.svn.tasks.DumpMountAndLoadSvnRepository # archives - save_code_now:swh.loader.package.archive.tasks.LoadArchive swh::deploy::worker::loader_high_priority::concurrency: 1 swh::deploy::worker::loader_high_priority::max_tasks_per_child: 1 swh::deploy::worker::loader_high_priority::loglevel: info swh::deploy::worker::loader_high_priority::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_acks_late: true task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: "%{alias('swh::deploy::worker::loader_high_priority::queues')}" # One shot worker deactivated by default (e.g. 
first time ingestion on forge with # restrictive loading ingestion parallelism policies) swh::deploy::worker::loader_oneshot::config_file: "%{hiera('swh::conf_directory')}/loader_oneshot.yml" swh::deploy::worker::loader_oneshot::concurrency: 1 swh::deploy::worker::loader_oneshot::max_tasks_per_child: 100 swh::deploy::worker::loader_oneshot::loglevel: info swh::deploy::worker::loader_oneshot::task_queues: [] swh::deploy::worker::loader_oneshot::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: "%{alias('swh::deploy::worker::loader_oneshot::task_queues')}" # for all loader packages swh::deploy::loader_core::sentry_swh_package: swh.loader.core swh::deploy::loader_core::sentry_environment: "%{hiera('swh::deploy::environment')}" swh::deploy::loader_core::sentry_dsn: "https://%{lookup('swh::deploy::loader_core::sentry_token')}@sentry.softwareheritage.org/9" swh::deploy::worker::loader_debian::config_file: "%{hiera('swh::conf_directory')}/loader_debian.yml" swh::deploy::worker::loader_debian::private_tmp: true swh::deploy::worker::loader_debian::concurrency: 1 swh::deploy::worker::loader_debian::loglevel: info swh::deploy::worker::loader_debian::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.debian.tasks.LoadDebian swh::deploy::worker::loader_archive::config_file: "%{hiera('swh::conf_directory')}/loader_archive.yml" swh::deploy::worker::loader_archive::private_tmp: true swh::deploy::worker::loader_archive::concurrency: 1 swh::deploy::worker::loader_archive::loglevel: info swh::deploy::worker::loader_archive::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: 
"%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.archive.tasks.LoadArchive swh::deploy::loader_bzr::sentry_swh_package: swh.loader.bzr swh::deploy::loader_bzr::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::loader_bzr::sentry_dsn: "https://%{lookup('swh::deploy::loader_bzr::sentry_token')}@sentry.softwareheritage.org/22" swh::deploy::worker::loader_bzr::config_file: "%{hiera('swh::conf_directory')}/loader_bzr.yml" swh::deploy::worker::loader_bzr::concurrency: 1 swh::deploy::worker::loader_bzr::private_tmp: true swh::deploy::worker::loader_bzr::loglevel: info swh::deploy::worker::loader_bzr::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" clone_timeout_seconds: 7200 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.bzr.tasks.LoadBazaar swh::deploy::worker::loader_cran::config_file: "%{hiera('swh::conf_directory')}/loader_cran.yml" swh::deploy::worker::loader_cran::private_tmp: true swh::deploy::worker::loader_cran::concurrency: 1 swh::deploy::worker::loader_cran::loglevel: info swh::deploy::worker::loader_cran::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.cran.tasks.LoadCRAN swh::deploy::loader_cvs::sentry_swh_package: swh.loader.cvs swh::deploy::loader_cvs::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::loader_cvs::sentry_dsn: "https://%{lookup('swh::deploy::loader_cvs::sentry_token')}@sentry.softwareheritage.org/21" swh::deploy::worker::loader_cvs::config_file: "%{hiera('swh::conf_directory')}/loader_cvs.yml" swh::deploy::worker::loader_cvs::concurrency: 1 
swh::deploy::worker::loader_cvs::private_tmp: true swh::deploy::worker::loader_cvs::loglevel: info swh::deploy::worker::loader_cvs::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.cvs.tasks.LoadCvsRepository swh::deploy::worker::loader_nixguix::config_file: "%{hiera('swh::conf_directory')}/loader_nixguix.yml" swh::deploy::worker::loader_nixguix::private_tmp: true swh::deploy::worker::loader_nixguix::concurrency: 1 swh::deploy::worker::loader_nixguix::loglevel: info swh::deploy::worker::loader_nixguix::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.nixguix.tasks.LoadNixguix unsupported_file_extensions: - patch - iso - whl - gem - pom - msi - pod - png - rock - ttf - jar - c - el - rpm - diff swh::deploy::lister::db::local: cls: local db: "postgresql://%{hiera('swh::deploy::worker::lister::db::user')}:%{hiera('swh::deploy::lister::db::password')}@%{hiera('swh::deploy::worker::lister::db::host')}:%{hiera('swh::deploy::worker::lister::db::port')}/%{hiera('swh::deploy::worker::lister::db::name')}" swh::deploy::lister::queues: - swh.lister.bitbucket.tasks.IncrementalBitBucketLister - swh.lister.bitbucket.tasks.FullBitBucketRelister - swh.lister.cgit.tasks.CGitListerTask - swh.lister.cran.tasks.CRANListerTask - swh.lister.debian.tasks.DebianListerTask - swh.lister.gitea.tasks.IncrementalGiteaLister - swh.lister.gitea.tasks.RangeGiteaLister - swh.lister.gitea.tasks.FullGiteaRelister - swh.lister.gitlab.tasks.IncrementalGitLabLister - swh.lister.gitlab.tasks.RangeGitLabLister - swh.lister.gitlab.tasks.FullGitLabRelister - swh.lister.gnu.tasks.GNUListerTask - 
swh.lister.launchpad.tasks.FullLaunchpadLister - swh.lister.launchpad.tasks.IncrementalLaunchpadLister - swh.lister.opam.tasks.OpamListerTask - swh.lister.npm.tasks.NpmListerTask - swh.lister.phabricator.tasks.FullPhabricatorLister - swh.lister.pypi.tasks.PyPIListerTask - swh.lister.sourceforge.tasks.FullSourceForgeLister - swh.lister.sourceforge.tasks.IncrementalSourceForgeLister swh::deploy::lister::sentry_swh_package: swh.lister swh::deploy::lister::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::lister::sentry_dsn: "https://%{lookup('swh::deploy::lister::sentry_token')}@sentry.softwareheritage.org/6" swh::deploy::worker::lister::config_file: "%{hiera('swh::conf_directory')}/lister.yml" swh::deploy::worker::lister::concurrency: 5 swh::deploy::worker::lister::loglevel: warning swh::deploy::worker::lister::config: storage: "%{alias('swh::remote_service::storage::config::writable')}" scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" lister: "%{alias('swh::deploy::lister::db::local')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: "%{alias('swh::deploy::lister::queues')}" credentials: "%{alias('swh::deploy::worker::lister::config::credentials')}" swh::deploy::worker::loader_maven::config_file: "%{hiera('swh::conf_directory')}/loader_maven.yml" swh::deploy::worker::loader_maven::concurrency: 1 swh::deploy::worker::loader_maven::loglevel: info swh::deploy::worker::loader_maven::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.maven.tasks.LoadMaven swh::deploy::loader_mercurial::sentry_swh_package: swh.loader.mercurial swh::deploy::loader_mercurial::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::loader_mercurial::sentry_dsn: 
"https://%{lookup('swh::deploy::loader_mercurial::sentry_token')}@sentry.softwareheritage.org/10" swh::deploy::worker::loader_mercurial::config_file: "%{hiera('swh::conf_directory')}/loader_mercurial.yml" swh::deploy::worker::loader_mercurial::concurrency: 1 swh::deploy::worker::loader_mercurial::private_tmp: true swh::deploy::worker::loader_mercurial::loglevel: info swh::deploy::worker::loader_mercurial::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" clone_timeout_seconds: 7200 celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.mercurial.tasks.LoadMercurial - swh.loader.mercurial.tasks.LoadArchiveMercurial swh::deploy::worker::loader_opam::user: swhworker swh::deploy::worker::loader_opam::group: swhworker swh::deploy::worker::opam::root_directory: /tmp/opam/ # Keep opam.ocaml.org entry as the first one which is the default repository swh::deploy::worker::opam::default_instance::name: opam.ocaml.org swh::deploy::worker::opam::default_instance::url: https://opam.ocaml.org swh::deploy::worker::opam::instances: coq.inria.fr: https://coq.inria.fr/opam/released ocamlbench-repo: https://github.com/OCamlPro/ocamlbench-repo.git swh::deploy::worker::loader_opam::config_file: "%{hiera('swh::conf_directory')}/loader_opam.yml" swh::deploy::worker::loader_opam::concurrency: 1 swh::deploy::worker::loader_opam::private_tmp: false swh::deploy::worker::loader_opam::loglevel: info swh::deploy::worker::loader_opam::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.opam.tasks.LoadOpam swh::deploy::worker::loader_pypi::config_file: "%{hiera('swh::conf_directory')}/loader_pypi.yml" swh::deploy::worker::loader_pypi::concurrency: 1 
swh::deploy::worker::loader_pypi::private_tmp: true swh::deploy::worker::loader_pypi::loglevel: info swh::deploy::worker::loader_pypi::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.pypi.tasks.LoadPyPI swh::deploy::worker::loader_npm::config_file: "%{hiera('swh::conf_directory')}/loader_npm.yml" swh::deploy::worker::loader_npm::concurrency: 1 swh::deploy::worker::loader_npm::private_tmp: true swh::deploy::worker::loader_npm::loglevel: info swh::deploy::worker::loader_npm::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.package.npm.tasks.LoadNpm swh::deploy::loader_svn::sentry_swh_package: swh.loader.svn swh::deploy::loader_svn::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::loader_svn::sentry_dsn: "https://%{lookup('swh::deploy::loader_svn::sentry_token')}@sentry.softwareheritage.org/14" swh::deploy::worker::loader_svn::config_file: "%{hiera('swh::conf_directory')}/loader_svn.yml" swh::deploy::worker::loader_svn::concurrency: 1 # so the fallback clean up becomes more effective swh::deploy::worker::loader_svn::max_tasks_per_child: 1 swh::deploy::worker::loader_svn::private_tmp: true swh::deploy::worker::loader_svn::limit_no_file: 8192 swh::deploy::worker::loader_svn::loglevel: info # Contains a password: in private data swh::deploy::worker::loader_svn::config: storage: "%{alias('swh::deploy::worker::storage::pipeline')}" max_content_size: "%{alias('swh::deploy::worker::loader::max_content_size')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_queues: - swh.loader.svn.tasks.LoadSvnRepository - 
swh.loader.svn.tasks.MountAndLoadSvnRepository - swh.loader.svn.tasks.DumpMountAndLoadSvnRepository swh::deploy::base_indexer::config_directory: "%{hiera('swh::conf_directory')}/indexer" swh::deploy::indexer_journal_client::config_file: "journal_client.yml" swh::deploy::indexer_journal_client::user: swhworker swh::deploy::indexer_journal_client::group: swhworker swh::deploy::indexer_journal_client::config: journal: brokers: "%{alias('swh::deploy::journal::brokers')}" group_id: swh.indexer.journal_client prefix: "%{alias('swh::deploy::journal::prefix')}" scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" tools: name: swh-metadata-detector version: 0.0.2 configuration: {} # for all indexers swh::deploy::indexer::sentry_swh_package: swh.indexer swh::deploy::indexer::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::indexer::sentry_dsn: "https://%{lookup('swh::deploy::indexer::sentry_token')}@sentry.softwareheritage.org/5" swh::deploy::worker::indexer_content_mimetype::config_file: "%{hiera('swh::conf_directory')}/indexer_content_mimetype.yml" swh::deploy::worker::indexer_content_mimetype::concurrency: 1 swh::deploy::worker::indexer_content_mimetype::loglevel: info # Contains a password: in private data swh::deploy::worker::indexer_content_mimetype::config: scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" indexer_storage: "%{alias('swh::remote_service::indexer::config::writable')}" objstorage: "%{alias('swh::remote_service::objstorage::config')}" storage: "%{alias('swh::remote_service::storage::config')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_modules: - swh.indexer.tasks task_queues: - swh.indexer.tasks.ContentMimetypePartition tools: name: file version: 2:0.4.15-2 configuration: type: library debian-package: python3-magic write_batch_size: 1000 swh::deploy::worker::indexer_origin_intrinsic_metadata::config_file: 
"%{hiera('swh::conf_directory')}/indexer_origin_intrinsic_metadata.yml" swh::deploy::worker::indexer_origin_intrinsic_metadata::concurrency: 1 swh::deploy::worker::indexer_origin_intrinsic_metadata::loglevel: info # Contains a password: in private data swh::deploy::worker::indexer_origin_intrinsic_metadata::config: scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}" indexer_storage: "%{alias('swh::remote_service::indexer::config::writable')}" objstorage: "%{alias('swh::remote_service::objstorage::config')}" storage: "%{alias('swh::remote_service::storage::config')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_modules: - swh.indexer.tasks task_queues: - swh.indexer.tasks.OriginMetadata tools: name: swh-metadata-detector version: 0.0.2 configuration: {} swh::deploy::worker::indexer_rehash::config_file: "rehash.yml" swh::deploy::worker::indexer_rehash::concurrency: 5 swh::deploy::worker::indexer_rehash::loglevel: info # Contains a password: in private data swh::deploy::worker::indexer_rehash::config: storage: "%{alias('swh::remote_service::storage::config::writable')}" objstorage: "%{alias('swh::remote_service::objstorage::config')}" compute_checksums: - blake2s256 batch_size_retrieve_content: 10000 batch_size_update: 5000 swh::deploy::worker::indexer_fossology_license::config_file: "%{hiera('swh::conf_directory')}/indexer_fossology_license.yml" swh::deploy::worker::indexer_fossology_license::concurrency: 1 swh::deploy::worker::indexer_fossology_license::loglevel: info # Contains a password: in private data swh::deploy::worker::indexer_fossology_license::config: indexer_storage: "%{alias('swh::remote_service::indexer::config::writable')}" objstorage: "%{alias('swh::remote_service::objstorage::config')}" storage: "%{alias('swh::remote_service::storage::config')}" workdir: /tmp/swh/indexer.fossology.license/ tools: name: 'nomos' version: '3.1-1~bpo9~swh+1' configuration: command_line: "nomossa " celery: task_broker: 
"%{alias('swh::deploy::worker::task_broker')}" task_modules: - swh.indexer.tasks task_queues: - swh.indexer.tasks.ContentFossologyLicensePartition write_batch_size: 1000 swh::deploy::worker::vault_cooker::config_file: "%{hiera('swh::conf_directory')}/vault_cooker.yml" swh::deploy::worker::vault_cooker::concurrency: 20 swh::deploy::worker::vault_cooker::loglevel: info swh::deploy::worker::vault_cooker::conf_file: "%{hiera('swh::conf_directory')}/vault/cooker.yml" swh::deploy::worker::vault_cooker::config: storage: cls: retry storage: "%{alias('swh::remote_service::storage::config')}" vault: "%{alias('swh::remote_service::vault::config::writable')}" celery: task_broker: "%{alias('swh::deploy::worker::task_broker')}" task_modules: - swh.vault.cooking_tasks task_queues: - swh.vault.cooking_tasks.SWHCookingTask - swh.vault.cooking_tasks.SWHBatchCookingTask max_bundle_size: 1073741824 # 1GiB desktop::printers: MFP_C: uri: lpd://print.paris.inria.fr/MFP_C-pro description: Impression couleur location: Partout ppd: "%{hiera('desktop::printers::ppd_dir')}/MFP_Paris.ppd" ppd_options: ColorType: Color MFP: uri: lpd://print.paris.inria.fr/MFP-pro description: Impression Noir et Blanc location: Partout ppd: "%{hiera('desktop::printers::ppd_dir')}/MFP_Paris.ppd" ppd_options: ColorType: Mono desktop::printers::default: MFP desktop::printers::ppd_dir: /usr/share/ppd/softwareheritage desktop::printers::cups_usernames: ardumont: andumont morane: mgruenpe olasd: ndandrim seirl: apietri zack: zacchiro icinga2::role: agent icinga2::master::zonename: master icinga2::master::db::username: icinga2 # icinga2::master::db::password in private data icinga2::master::db::database: icinga2 icinga2::icingaweb2::db::username: icingaweb2 # icinga2::icingaweb2::db::password in private data icinga2::icingaweb2::db::database: icingaweb2 icinga2::icingaweb2::protected_customvars: - "*pw*" - "*pass*" - community - http_auth_pair # Must have matching certificate in letsencrypt::certificates 
icinga2::icingaweb2::vhost::name: icinga.softwareheritage.org icinga2::icingaweb2::vhost::aliases: - icinga.internal.softwareheritage.org icinga2::icingaweb2::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" icinga2::icingaweb2::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" icinga2::icingaweb2::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" icinga2::icingaweb2::vhost::hsts_header: "%{hiera('apache::hsts_header')}" icinga2::parent_zone: master icinga2::parent_endpoints: pergamon.softwareheritage.org: host: 192.168.100.29 icinga2::network: "%{lookup('internal_network')}" icinga2::features: - checker - mainlog icinga2::service_configuration: load: default: load_wload1: 30 load_wload5: 28 load_wload15: 26 load_cload1: 50 load_cload5: 45 load_cload15: 40 sql: load_wload1: 50 load_wload5: 40 load_wload15: 35 load_cload1: 70 load_cload5: 60 load_cload15: 50 high: load_wload1: 140 load_wload5: 120 load_wload15: 100 load_cload1: 240 load_cload5: 220 load_cload15: 200 hypervisor: load_wload1: 60 load_wload5: 50 load_wload15: 45 load_cload1: 120 load_cload5: 110 load_cload15: 100 icinga2::host::vars: os: Linux cores: "%{::processorcount}" virtual_machine: "%{::is_virtual}" distro: "%{::operatingsystem}" disks: 'disk /': disk_partitions: '/' icinga2::disk::excludes: - ^/srv/containers/ - ^/var/lib/docker/overlay2/ - ^/var/lib/docker/buildkit/ - ^/var/lib/docker/zfs/ - ^/var/lib/kubelet/ - ^/run/schroot/ - ^/run/k3s/ # directory traversal not allowed under postgresql directories - postgresql/.*/pg_wal - postgres/.*/pg_wal icinga2::apiusers: root: # password in private data permissions: - '*' icinga2::exported_checks::filename: "/etc/icinga2/zones.d/%{hiera('icinga2::parent_zone')}/exported-checks.conf" logstash_hosts: - logstash.internal.softwareheritage.org:5044 systemd_journal::logstash_hosts: "%{alias('logstash_hosts')}" filebeat::config: filebeat.config.inputs: enabled: true path: inputs.d/*.yml output: logstash: hosts: 
"%{alias('logstash_hosts')}" memcached::server::bind: 127.0.0.1 memcached::server::port: 11211 memcached::server::max_memory: '5%' mountpoints: {} ceph::release: luminous ceph::fsid: b3e34018-388e-499b-9579-d1c0d57e8c09 # needs to match the values of $::hostname on the ceph monitors ceph::mon_initial_members: - ceph-mon1 ceph::mon_host: - 192.168.100.170 ceph::keys: admin: secret: "%{hiera('ceph::secrets::admin')}" cap_mds: allow cap_mgr: allow * cap_mon: allow * cap_osd: allow * bootstrap-osd: secret: "%{hiera('ceph::secrets::bootstrap_osd')}" cap_mon: allow profile bootstrap-osd proxmox-rbd: secret: "%{hiera('ceph::secrets::proxmox_rbd')}" cap_mon: profile rbd cap_osd: profile rbd pool=rbd swh-contents: secret: "%{hiera('ceph::secrets::swh_contents')}" cap_mon: allow r cap_osd: allow r pool=swh_contents swh-contents-rw: secret: "%{hiera('ceph::secrets::swh_contents_rw')}" cap_mon: allow r cap_osd: allow rw pool=swh_contents swh-contents-test: secret: "%{hiera('ceph::secrets::swh_contents_test')}" cap_mon: allow r cap_osd: allow r pool=swh_contents_test swh-contents-test-rw: secret: "%{hiera('ceph::secrets::swh_contents_test_rw')}" cap_mon: allow r cap_osd: allow rw pool=swh_contents_test ceph::default_client_keyring: /etc/softwareheritage/ceph-keyring ceph::client_keyrings: '/etc/softwareheritage/ceph-keyring': owner: root group: swhdev mode: '0644' keys: - swh-contents - swh-contents-test nginx::package_name: nginx-light nginx::accept_mutex: 'off' nginx::names_hash_bucket_size: 128 nginx::names_hash_max_size: 1024 nginx::worker_processes: "%{::processorcount}" nginx::metrics_port: 9081 nginx::metrics_location: '/metrics' # prometheus::pve-exporter::password in credential prometheus::pve-exporter::user: pve_exporter@pve prometheus::server::defaults_config: web: enable_admin_api: true storage: tsdb: retention: '1y' min-block-duration: '2h' max-block-duration: '2h' prometheus::server::config::global: scrape_interval: 1m scrape_timeout: 45s external_labels: tenant: 
"%{lookup('thanos::tenant')}" replica: "%{lookup('thanos::replica')}" prometheus::server::config::static_scrape_configs: [] prometheus::server::listen_network: "%{lookup('internal_network')}" prometheus::server::listen_port: 9090 prometheus::server::certname: pergamon.softwareheritage.org swh::deploy::environment: production prometheus::static_labels: instance: "%{::swh_hostname.internal_fqdn}" environment: "%{lookup('swh::deploy::environment')}" prometheus::node::listen_network: "%{lookup('internal_network')}" prometheus::node::listen_port: 9100 prometheus::node::textfile_directory: /var/lib/prometheus/node-exporter prometheus::node::defaults_config: collector: diskstats: ignored_devices: "^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$" filesystem: ignored_mount_points: "^/(sys|proc|dev|run|srv/softwareheritage/objects/[0-9a-f][0-9a-f])($|/)" systemd: true logind: true loadavg: true ntp: true netstat: true textfile: directory: "%{lookup('prometheus::node::textfile_directory')}" prometheus::node::scripts::directory: /var/lib/prometheus/node-exporter-scripts prometheus::node::scripts: puppet-classes: mode: cron cron: user: root specification: minute: fqdn_rand apt: mode: cron cron: user: root specification: minute: fqdn_rand prometheus::statsd::exporter::version: 0.22.5 prometheus::statsd::exporter::archive_sha256sum: b04a25fe937a2e74dab097d589bd1f4da9e874d62b166c4e74d5d55b0f58eab6 prometheus::statsd::listen_network: "%{lookup('internal_network')}" prometheus::statsd::listen_port: 9102 prometheus::statsd::defaults_config: {} prometheus::statsd::statsd_listen_tcp: 127.0.0.1:8125 prometheus::statsd::statsd_listen_udp: 127.0.0.1:8125 prometheus::statsd::mapping: defaults: timer_type: histogram buckets: - .005 - .01 - .025 - .05 - .1 - .25 - .5 - .75 - 1 - 2 - 5 - 10 - 15 - 30 - 45 - 60 - 120 - 300 - 600 - 900 - 1800 - 2700 - 3600 - 7200 mappings: - match: "(.*_percent)" name: "${1}" match_type: regex observer_type: histogram histogram_options: buckets: - 0.0 - 
0.05 - 0.1 - 0.15 - 0.2 - 0.25 - 0.3 - 0.35 - 0.4 - 0.45 - 0.5 - 0.55 - 0.6 - 0.65 - 0.7 - 0.75 - 0.8 - 0.85 - 0.9 - 0.95 - 1. prometheus::sql::listen_network: "%{lookup('internal_network')}" prometheus::sql::listen_port: 9237 prometheus::sql::config_snippets: - activity - queries - replication - wal prometheus::jmx::version: 0.11.0 prometheus::kafka::listen_network: "%{lookup('internal_network')}" prometheus::kafka::listen_port: 7071 prometheus::kafka_consumer_group::listen_network: "%{lookup('internal_network')}" prometheus::kafka_consumer_group::base_port: 9208 prometheus::rabbitmq::listen_network: "%{lookup('internal_network')}" prometheus::rabbitmq::listen_port: 9419 # Include first, then skip prometheus::rabbitmq::include_vhost: .* prometheus::rabbitmq::skip_vhost: ^$ prometheus::rabbitmq::include_queues: .* prometheus::rabbitmq::skip_queues: ^(.*\.pidbox|amq\.gen.*|.*\.tasks\.ping)$ prometheus::rabbitmq::rabbit_capabilities: - bert - no_sort prometheus::rabbitmq::rabbit_exporters: - exchange - node - queue prometheus::rabbitmq::rabbit_timeout: 30 prometheus::rabbitmq::exclude_metrics: [] prometheus::nginx::listen_network: "%{lookup('internal_network')}" prometheus::nginx::listen_port: 9103 prometheus::varnish::listen_network: "%{lookup('internal_network')}" prometheus::varnish::listen_port: 9104 thanos::base::config_dir: "/etc/thanos" thanos::release::version: 0.26.0 thanos::release::digest: cf5ea95e19388736df83f0959bd036b8ad400af233d03ae6f90decc05161dccc thanos::release::digest_type: sha256 thanos::port::http: 19191 thanos::port::grpc: 19090 thanos::sidecar::port_http: "%{lookup('thanos::port::http')}" thanos::sidecar::port_grpc: "%{lookup('thanos::port::grpc')}" thanos::query::port_http: "%{lookup('thanos::port::http')}" thanos::query::config_filepath: "%{lookup('thanos::base::config_dir')}/query-sd.yaml" thanos::tenant: "%{::subnet}" thanos::replica: "0" thanos::objstore::azure_account: swhthanosmetrics # thanos::objstore::azure_account_key in credentials 
thanos::objstore::config: type: AZURE config: storage_account: "%{lookup('thanos::objstore::azure_account')}" storage_account_key: "%{lookup('thanos::objstore::azure_account_key')}" container: "metrics-%{lookup('thanos::tenant')}-%{lookup('thanos::replica')}" # Other puppet managed stores will be automatically dealt with thanos::query::non_puppet_managed::stores: - mmca-thanos.softwareheritage.org:443 thanos::gateway::services: historical: azure-storage-container: metrics-historical-data-0 port-http: 19193 port-grpc: 19093 mmca: azure-storage-container: metrics-mmca-0 port-http: 19194 port-grpc: 19094 grafana::db::database: grafana grafana::db::username: grafana # grafana::db::password in private-data grafana::backend::port: 3000 # Must have a matching certificate in letsencrypt::certificates grafana::vhost::name: grafana.softwareheritage.org grafana::config: app_mode: production server: root_url: "https://%{lookup('grafana::vhost::name')}/" http_port: "%{alias('grafana::backend::port')}" users: allow_sign_up: false auth.anonymous: enabled: true org_name: Software Heritage org_role: Viewer smtp: enabled: true skip_verify: true from_address: grafana@softwareheritage.org grafana::objects::organizations: - name: Software Heritage id: 1 grafana::objects::users: [] grafana::objects::datasources: - name: Prometheus (Pergamon) url: "http://pergamon.internal.softwareheritage.org:%{hiera('prometheus::server::listen_port')}" type: prometheus organization: 1 access_mode: proxy is_default: true java::distribution: jre jenkins::backend::url: http://thyssen.internal.softwareheritage.org:8080/ jenkins::vhost::name: jenkins.softwareheritage.org jenkins::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" jenkins::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" jenkins::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" jenkins::vhost::hsts_header: "%{hiera('apache::hsts_header')}" jenkins::agent::jar_url: 
"https://%{hiera('jenkins::vhost::name')}/jnlpJars/agent.jar" jenkins::agent::name: "%{::swh_hostname.internal_fqdn}" # jenkins::agent::jnlp::token in private_data weekly_report_bot::user: nobody weekly_report_bot::cron: minute: 0 hour: 12 weekday: fri monthly_report_bot::user: nobody monthly_report_bot::cron: minute: 0 hour: 0 monthday: 1 weekly_planning_bot::user: nobody weekly_planning_bot::cron: minute: 30 hour: 6 weekday: mon swh::postgres::service::users: - root - zack - ardumont swh::postgres::service::dbs: - alias: admin-swh name: "%{hiera('swh::deploy::storage::db::dbname')}" host: "%{hiera('swh::deploy::storage::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: "%{hiera('swh::deploy::storage::db::user')}" password: "%{hiera('swh::deploy::storage::db::password')}" - alias: admin-swh-deposit name: "%{hiera('swh::deploy::deposit::db::dbname')}" host: "%{hiera('swh::deploy::deposit::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: "%{hiera('swh::deploy::deposit::db::dbuser')}" password: "%{hiera('swh::deploy::deposit::db::password')}" - alias: admin-swh-scheduler name: "%{hiera('swh::deploy::scheduler::db::dbname')}" host: "%{hiera('swh::deploy::scheduler::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: "%{hiera('swh::deploy::scheduler::db::user')}" password: "%{hiera('swh::deploy::scheduler::db::password')}" - alias: admin-swh-vault name: "%{hiera('swh::deploy::vault::db::dbname')}" host: "%{hiera('swh::deploy::vault::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: "%{hiera('swh::deploy::vault::db::user')}" password: "%{hiera('swh::deploy::vault::db::password')}" - alias: admin-swh-lister name: "%{hiera('swh::deploy::worker::lister::db::name')}" host: "%{hiera('swh::deploy::worker::lister::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: "%{hiera('swh::deploy::worker::lister::db::name')}" password: 
"%{hiera('swh::deploy::lister::db::password')}" - alias: admin-swh-replica name: "%{hiera('swh::deploy::storage::db::dbname')}" host: somerset.internal.softwareheritage.org port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: "%{hiera('swh::deploy::db::pgbouncer::user::login')}" password: "%{hiera('swh::deploy::storage::db::password')}" - alias: admin-swh-indexer name: "%{hiera('swh::deploy::indexer::storage::db::dbname')}" host: "%{hiera('swh::deploy::indexer::storage::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: "%{hiera('swh::deploy::indexer::storage::db::user')}" password: "%{hiera('swh::deploy::indexer::storage::db::password')}" - alias: admin-swh-web name: "%{hiera('swh::deploy::webapp::db::name')}" host: "%{hiera('swh::deploy::webapp::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: "%{hiera('swh::deploy::webapp::db::user')}" password: "%{hiera('swh::deploy::webapp::db::password')}" - alias: swh name: "%{hiera('swh::deploy::storage::db::dbname')}" host: "%{hiera('swh::deploy::storage::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-deposit name: "%{hiera('swh::deploy::deposit::db::dbname')}" host: "%{hiera('swh::deploy::deposit::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-scheduler name: "%{hiera('swh::deploy::scheduler::db::dbname')}" host: "%{hiera('swh::deploy::scheduler::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-vault name: "%{hiera('swh::deploy::vault::db::dbname')}" host: "%{hiera('swh::deploy::vault::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-lister name: "%{hiera('swh::deploy::worker::lister::db::name')}" host: "%{hiera('swh::deploy::worker::lister::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-replica name: "%{hiera('swh::deploy::storage::db::dbname')}" host: 
somerset.internal.softwareheritage.org port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-indexer name: "%{hiera('swh::deploy::indexer::storage::db::dbname')}" host: "%{hiera('swh::deploy::indexer::storage::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest - alias: swh-web name: "%{hiera('swh::deploy::webapp::db::name')}" host: "%{hiera('swh::deploy::webapp::db::host')}" port: "%{hiera('swh::deploy::db::pgbouncer::port')}" user: guest elastic::elk_version: '7.15.2' elasticsearch::hosts: - http://esnode1.internal.softwareheritage.org:9200 - http://esnode2.internal.softwareheritage.org:9200 - http://esnode3.internal.softwareheritage.org:9200 elasticsearch::jvm_options: - "-Xms%{lookup('elasticsearch::jvm_options::heap_size')}" - "-Xmx%{lookup('elasticsearch::jvm_options::heap_size')}" elasticsearch::config::path::data: /srv/elasticsearch elasticsearch::config::path::logs: /var/log/elasticsearch elasticsearch::config::http::port: 9200 elasticsearch::config::prometheus::indices: false elasticsearch::config: cluster.name: "%{alias('elasticsearch::config::cluster::name')}" node.name: "%{::hostname}" discovery.seed_hosts: "%{alias('elasticsearch::config::discovery::seed_hosts')}" cluster.initial_master_nodes: "%{alias('elasticsearch::config::cluster::initial_master_nodes')}" path.data: "%{alias('elasticsearch::config::path::data')}" path.logs: "%{alias('elasticsearch::config::path::logs')}" http.port: "%{alias('elasticsearch::config::http::port')}" prometheus.indices: "%{alias('elasticsearch::config::prometheus::indices')}" indices.memory.index_buffer_size: 50% index.store.type: hybridfs logstash::listen_network: "%{lookup('internal_network')}" logstash::elasticsearch::hosts: "%{alias('elasticsearch::hosts')}" kibana::listen_network: "%{lookup('internal_network')}" kibana::server_name: "%{::swh_hostname.internal_fqdn}" kibana::config: server.name: "%{alias('kibana::server_name')}" elasticsearch.hosts: 
"%{alias('elasticsearch::hosts')}" kibana.index: .kibana # puppet-module-keycloak has some issues with Keycloak 11.x so we stick to 10.x # until then (https://github.com/treydock/puppet-module-keycloak/pull/154) keycloak::version: 10.0.2 keycloak::swh_theme::repo_url: https://forge.softwareheritage.org/source/swh-keycloak-theme.git keycloak::swh_theme::tag: v0.3.1 keycloak::vhost::name: auth.softwareheritage.org keycloak::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" keycloak::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" keycloak::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" keycloak::vhost::hsts_header: "%{hiera('apache::hsts_header')}" keycloak::backend::port: 8080 keycloak::backend::url: "http://kelvingrove.internal.softwareheritage.org:%{lookup('keycloak::backend::port')}/" keycloak::admin::user: keycloak-admin # keycloak::admin::password in private-data keycloak::postgres::host: db1.internal.admin.swh.network keycloak::postgres::port: 5432 keycloak::postgres::dbname: keycloak keycloak::postgres::user: keycloak # keycloak::postgres::password in private-data keycloak::resources::realms::common_settings: remember_me: true login_with_email_allowed: true internationalization_enabled: true supported_locales: - en account_theme: swh admin_theme: swh login_theme: swh smtp_server_host: localhost smtp_server_from: noreply@softwareheritage.org smtp_server_from_display_name: Software Heritage Authentication Service brute_force_protected: true # set OIDC refresh token expiration to one week (avoid relogin with credentials often) sso_session_idle_timeout: 604800 # set OIDC session max duration to one month sso_session_max_lifespan: 2592000 keycloak::resources::clients::common_settings: public_client: true login_theme: swh default_client_scopes: - profile - email - roles - web-origins optional_client_scopes: - microprofile-jwt - offline_access keycloak::resources::clients::swh_web:::roles: - swh.web.api.throttling_exempted - 
swh.web.api.graph - swh.vault.git_bare.ui - swh.web.api.save_origin - swh.web.admin.list_deposits - swh.web.mailmap - swh.web.search_ql - swh.web.add_forge_now.moderator - swh.web.admin.mailmap - swh.web.api.raw_object keycloak::resources::clients::swh_deposit::roles: - swh.deposit.api keycloak::resources::protocol_mappers::audience: resource_name: audience type: oidc-audience-mapper included_client_audience: __client_id__ keycloak::resources::protocol_mappers::groups: resource_name: groups type: oidc-group-membership-mapper claim_name: groups full_path: true keycloak::resources::realms: master: settings: display_name: master SoftwareHeritage: settings: display_name: Software Heritage registration_allowed: true reset_password_allowed: true verify_email: true roles: - offline_access - uma_authorization - swh.ambassador clients: swh-web: settings: redirect_uris: # Should match letsencrypt::certificates.archive_production.domains - https://archive.softwareheritage.org/* - https://base.softwareheritage.org/* - https://archive.internal.softwareheritage.org/* roles: "%{alias('keycloak::resources::clients::swh_web:::roles')}" protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" swh-deposit: settings: redirect_uris: # Should match letsencrypt::certificates.archive_staging.domains - https://deposit.softwareheritage.org/* - https://deposit.internal.softwareheritage.org/* roles: "%{alias('keycloak::resources::clients::swh_deposit::roles')}" protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" SoftwareHeritageStaging: settings: display_name: Software Heritage (Staging) registration_allowed: true reset_password_allowed: true verify_email: true roles: - offline_access - uma_authorization - swh.ambassador clients: swh-web: settings: redirect_uris: # Should match 
letsencrypt::certificates.archive_staging.domains - https://webapp.staging.swh.network/* - https://webapp.internal.staging.swh.network/* roles: "%{alias('keycloak::resources::clients::swh_web:::roles')}" protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" swh-deposit: settings: redirect_uris: # Should match letsencrypt::certificates.archive_staging.domains - https://deposit.staging.swh.network/* - https://deposit.internal.staging.swh.network/* roles: "%{alias('keycloak::resources::clients::swh_deposit::roles')}" protocol_mappers: - "%{alias('keycloak::resources::protocol_mappers::audience')}" - "%{alias('keycloak::resources::protocol_mappers::groups')}" borg::repository_user: borg borg::repository_group: borg borg::base_path: /srv/borg borg::repository_path: "%{lookup('borg::base_path')}/repositories" borg::repository_server: banco.internal.softwareheritage.org borg::encryption: repokey-blake2 swh::deploy::base_counters::config_directory: "%{hiera('swh::conf_directory')}/counters" swh::deploy::base_counters::user: swhstorage swh::deploy::base_counters::group: swhstorage swh::deploy::counters::conf_file: "%{hiera('swh::deploy::base_counters::config_directory')}/server.yml" swh::deploy::counters::sentry_swh_package: swh.counters swh::deploy::counters::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::counters::sentry_dsn: "https://%{lookup('swh::deploy::counters::sentry_token')}@sentry.softwareheritage.org/19" swh::deploy::counters::user: "%{alias('swh::deploy::base_counters::user')}" swh::deploy::counters::group: "%{alias('swh::deploy::base_counters::group')}" swh::deploy::counters::cache_directory: /srv/softwareheritage/counters swh::deploy::counters::refresh_cache::activate: true swh::deploy::counters::history_interval: 12h swh::deploy::counters::live_data_start: 1618415227 # last point of the historical file swh::deploy::counters::cache_static_file: 
static_history.json swh::deploy::counters::refresh_cache::cron: minute: 0 hour: "*/4" swh::deploy::counters::backend::listen::host: 0.0.0.0 swh::deploy::counters::backend::listen::port: "%{alias('swh::remote_service::counters::port')}" swh::deploy::counters::backend::workers: 2 swh::deploy::counters::backend::reload_mercy: 3600 swh::deploy::counters::backend::http_keepalive: 5 swh::deploy::counters::backend::http_timeout: 3600 swh::deploy::counters::backend::max_requests: 10000 swh::deploy::counters::backend::max_requests_jitter: 1000 swh::deploy::counters::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" swh::deploy::counters::config: counters: cls: redis host: localhost:6379 history: cls: prometheus prometheus_host: pergamon.internal.softwareheritage.org prometheus_port: 9090 live_data_start: "%{alias('swh::deploy::counters::live_data_start')}" cache_base_directory: "%{alias('swh::deploy::counters::cache_directory')}" interval: "%{alias('swh::deploy::counters::history_interval')}" labels: environment: "%{alias('swh::deploy::environment')}" swh::deploy::counters::journal_client::config_file: "%{lookup('swh::deploy::base_counters::config_directory')}/journal_client.yml" swh::deploy::counters::journal_client::config: counters: cls: remote url: http://localhost:5011 journal: brokers: "%{alias('swh::deploy::journal::brokers')}" group_id: swh.counters.journal_client prefix: swh.journal.objects object_types: - content - directory - origin - origin_visit - origin_visit_status - release - revision - skipped_content - snapshot message.max.bytes: 524288000 swh::deploy::base_search::config_directory: "%{hiera('swh::conf_directory')}/search" swh::deploy::base_search::user: swhstorage swh::deploy::base_search::group: swhstorage swh::deploy::search::sentry_swh_package: swh.search swh::deploy::search::sentry_environment: "%{alias('swh::deploy::environment')}" swh::deploy::search::sentry_dsn: 
"https://%{lookup('swh::deploy::search::sentry_token')}@sentry.softwareheritage.org/15" swh::deploy::search::conf_file: "%{hiera('swh::deploy::base_search::config_directory')}/server.yml" swh::deploy::search::user: "%{alias('swh::deploy::base_search::user')}" swh::deploy::search::group: "%{alias('swh::deploy::base_search::group')}" swh::deploy::search::index: origin-v0.11 swh::deploy::search::read_alias: origin-read swh::deploy::search::write_alias: origin-write swh::deploy::search::config: search: cls: elasticsearch hosts: "%{alias('swh::elasticsearch::search_nodes')}" indexes: origin: index: "%{alias('swh::deploy::search::index')}" read_alias: "%{alias('swh::deploy::search::read_alias')}" write_alias: "%{alias('swh::deploy::search::write_alias')}" swh::deploy::search::journal_client::service_types: - objects - indexed swh::deploy::search::journal_client::objects::config_file: "%{lookup('swh::deploy::base_search::config_directory')}/journal_client_objects.yml" swh::deploy::search::journal_client::objects::consumer_group: swh.search.journal_client-v0.11 swh::deploy::search::journal_client::objects::config: search: "%{alias('swh::remote_service::search::config')}" journal: brokers: "%{alias('swh::deploy::journal::brokers')}" group_id: "%{alias('swh::deploy::search::journal_client::objects::consumer_group')}" prefix: swh.journal.objects object_types: - origin - origin_visit_status storage: "%{alias('swh::remote_service::storage::config')}" swh::deploy::search::journal_client::indexed::config_file: "%{lookup('swh::deploy::base_search::config_directory')}/journal_client_indexed.yml" swh::deploy::search::journal_client::indexed::consumer_group: swh.search.journal_client.indexed-v0.11 swh::deploy::search::journal_client::indexed::config: search: "%{alias('swh::remote_service::search::config')}" journal: brokers: "%{alias('swh::deploy::journal::brokers')}" group_id: "%{alias('swh::deploy::search::journal_client::indexed::consumer_group')}" prefix: swh.journal.indexed 
object_types: - origin_intrinsic_metadata storage: "%{alias('swh::remote_service::storage::config')}" swh::deploy::search::backend::listen::host: "%{::fqdn}" swh::deploy::search::backend::listen::port: "%{alias('swh::remote_service::search::port')}" swh::deploy::search::backend::workers: 4 swh::deploy::search::backend::reload_mercy: 3600 swh::deploy::search::backend::http_keepalive: 5 swh::deploy::search::backend::http_timeout: 3600 swh::deploy::search::backend::max_requests: 10000 swh::deploy::search::backend::max_requests_jitter: 1000 swh::deploy::search::backend::server_names: - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" netbox::version: "3.1.2" netbox::user: netbox netbox::db::host: db1.internal.admin.swh.network netbox::db::port: 5432 netbox::db::database: netbox netbox::db::username: netbox # netbox::db::password: in private-data netbox::mail::host: "%{lookup('smtp::relay_hostname')}" netbox::mail::from: inventory@softwareheritage.org netbox::redis::host: localhost netbox::redis::port: 6379 # netbox::redis::password in private-data # netbox::redis_cache::password in private-data # netbox::secret_key in private-data netbox::admin::email: sysop+netbox@softwareheritage.org # netbox::admin::password in private-data # netbox::admin::api_token in private-data netbox::webhook_enabled: true netbox::gunicorn::binding: 127.0.0.1 netbox::gunicorn::port: 8001 netbox::data_directory: /var/lib/netbox netbox::allowed_hosts: - "*" - "localhost" netbox::vhost::letsencrypt_cert: inventory.internal.admin.swh.network netbox::vhost::name: inventory.internal.admin.swh.network netbox::backend::url: "http://localhost:%{hiera('netbox::gunicorn::port')}/" netbox::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" netbox::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" netbox::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" netbox::vhost::hsts_header: "%{hiera('apache::hsts_header')}" opnsense::hosts: pushkin: 
fqdn: pushkin.internal.softwareheritage.org ip: 192.168.100.2 glyptotek: fqdn: glyptotek.internal.softwareheritage.org ip: 192.168.100.3 opnsense::prometheus::port: 9100 opnsense::prometheus::metrics_path: /metrics prometheus::elasticsearch::exporter::version: "%{lookup('elastic::elk_version')}.0" nodejs::version: 14.x swh::provenance::db::shared_buffers: 32GB swh::postgresql::version: "11" swh::postgresql::max_connections: 100 postgresql::globals::version: "%{lookup('swh::postgresql::version')}" docker::compose::version: "1.29.2" sanoid::templates: pg_backup: frequent_period: 0 pre_snapshot_script: /usr/local/bin/start_pg_backup.sh post_snapshot_script: /usr/local/bin/stop_pg_backup.sh script_timeout: 60 monthly: 3 daily: 30 hourly: 0 frequently: 0 autoprune: yes pg_wal_backup: frequent_period: 0 monthly: 3 daily: 30 hourly: 0 frequently: 0 autoprune: yes backup: # from the default sanoid configuration autoprune: yes frequently: 0 hourly: 30 daily: 30 monthly: 3 yearly: 0 ### don't take new snapshots - snapshots on backup ### datasets are replicated in from source, not ### generated locally autosnap: no ### monitor hourlies and dailies, but don't warn or ### crit until they're over 48h old, since replication ### is typically daily only hourly_warn: 2880 hourly_crit: 3600 daily_warn: 48 daily_crit: 60 syncoid::configuration: {} syncoid::default_frequency: 5min # Must have matching certificate in letsencrypt::certificates azure_billing::vhost::name: azure-billing.internal.admin.swh.network azure_billing::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" azure_billing::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" azure_billing::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" azure_billing::vhost::hsts_header: "%{hiera('apache::hsts_header')}" maven_index_exporter::vhost::name: "%{lookup('swh::deploy::maven_index_exporter::url')}" maven_index_exporter::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" 
maven_index_exporter::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" maven_index_exporter::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" maven_index_exporter::vhost::hsts_header: "%{hiera('apache::hsts_header')}" maven_index_exporter::image::name: softwareheritage/maven-index-exporter maven_index_exporter::image::version: v0.3.0 maven_index_exporter::repositories: maven-central: https://repo1.maven.org/maven2/ clojars: http://clojars.org/repo/ sonatype: http://oss.sonatype.org/content/repositories/releases/ jboss: https://repository.jboss.org/maven2/ atlassian-public: https://maven.atlassian.com/public/ diff --git a/data/deployments/staging/common.yaml b/data/deployments/staging/common.yaml index 98c95afb..b55f27b0 100644 --- a/data/deployments/staging/common.yaml +++ b/data/deployments/staging/common.yaml 
@@ -1,374 +1,384 @@ --- swh::deploy::environment: staging dns::search_domains: - internal.staging.swh.network swh::deploy::storage::db::host: db1.internal.staging.swh.network swh::deploy::storage::db::user: swh swh::deploy::storage::db::dbname: swh swh::deploy::indexer::storage::db::host: db1.internal.staging.swh.network swh::deploy::indexer::storage::db::user: swh-indexer swh::deploy::indexer::storage::db::dbname: swh-indexer swh::deploy::scheduler::db::host: db1.internal.staging.swh.network swh::deploy::scheduler::db::dbname: swh-scheduler swh::deploy::scheduler::db::user: swh-scheduler swh::deploy::deposit::db::host: db1.internal.staging.swh.network swh::deploy::deposit::db::dbuser: swh-deposit swh::deploy::deposit::db::dbname: swh-deposit swh::deploy::vault::db::host: db1.internal.staging.swh.network swh::deploy::vault::db::user: swh-vault swh::deploy::vault::db::dbname: swh-vault swh::deploy::worker::lister::db::host: db1.internal.staging.swh.network swh::deploy::worker::lister::db::user: swh-lister swh::deploy::worker::lister::db::name: swh-lister swh::deploy::scrubber::db::host: db1.internal.staging.swh.network swh::deploy::webapp::db::host: db1.internal.staging.swh.network # swh::deploy::webapp::db::password in private data swh::deploy::webapp::inbound_email::domain: "%{lookup('swh::deploy::webapp::inbound_email::staging::domain')}" swh::deploy::worker::instances: - indexer_content_mimetype - indexer_fossology_license - indexer_origin_intrinsic_metadata - checker_deposit - loader_archive - loader_bzr - loader_cran - loader_debian - loader_deposit - loader_nixguix - loader_git - loader_mercurial - loader_npm - loader_pypi - loader_svn - vault_cooker - lister - loader_high_priority - loader_opam # only in staging - loader_cvs - loader_maven swh::deploy::lister::queues: - swh.lister.bitbucket.tasks.IncrementalBitBucketLister - swh.lister.bitbucket.tasks.FullBitBucketRelister - swh.lister.cgit.tasks.CGitListerTask - swh.lister.cran.tasks.CRANListerTask - 
swh.lister.debian.tasks.DebianListerTask - swh.lister.gitea.tasks.IncrementalGiteaLister - swh.lister.gitea.tasks.RangeGiteaLister - swh.lister.gitea.tasks.FullGiteaRelister - swh.lister.gitlab.tasks.IncrementalGitLabLister - swh.lister.gitlab.tasks.RangeGitLabLister - swh.lister.gitlab.tasks.FullGitLabRelister - swh.lister.gnu.tasks.GNUListerTask - swh.lister.launchpad.tasks.FullLaunchpadLister - swh.lister.launchpad.tasks.IncrementalLaunchpadLister - swh.lister.opam.tasks.OpamListerTask - swh.lister.npm.tasks.NpmListerTask - swh.lister.phabricator.tasks.FullPhabricatorLister - swh.lister.pypi.tasks.PyPIListerTask - swh.lister.sourceforge.tasks.FullSourceForgeLister - swh.lister.sourceforge.tasks.IncrementalSourceForgeLister # extra queues - swh.lister.maven.tasks.FullMavenLister - swh.lister.maven.tasks.IncrementalMavenLister #### Rabbitmq instance to use # swh::deploy::worker::task_broker::password in private data swh::deploy::worker::task_broker: "amqp://swhconsumer:%{hiera('swh::deploy::worker::task_broker::password')}@scheduler0.internal.staging.swh.network:5672/%2f" #### Storage/Indexer/Vault/Scheduler services to use in staging area swh::remote_service::storage0::url: "http://storage1.internal.staging.swh.network:%{hiera('swh::remote_service::storage::port')}/" swh::remote_service::storage::config::storage0: cls: remote url: "%{alias('swh::remote_service::storage0::url')}" swh::remote_service::storage::config: "%{alias('swh::remote_service::storage::config::storage0')}" swh::remote_service::storage::config::writable: &swh_remote_service_storage_config_writable "%{alias('swh::remote_service::storage::config::storage0')}" swh::remote_service::vault::config::vault0: cls: remote url: "http://vault.internal.staging.swh.network:%{hiera('swh::remote_service::vault::port')}/" swh::remote_service::vault::config: "%{alias('swh::remote_service::vault::config::vault0')}" swh::remote_service::vault::config::writable: 
"%{alias('swh::remote_service::vault::config::vault0')}" swh::remote_service::indexer::config::storage0: cls: remote url: "http://storage1.internal.staging.swh.network:%{hiera('swh::remote_service::indexer::port')}/" swh::remote_service::indexer::config: "%{alias('swh::remote_service::indexer::config::storage0')}" swh::remote_service::indexer::config::writable: "%{alias('swh::remote_service::indexer::config::storage0')}" swh::remote_service::scheduler::config::scheduler0: cls: remote url: "http://scheduler0.internal.staging.swh.network:%{hiera('swh::remote_service::scheduler::port')}/" swh::remote_service::scheduler::config: "%{alias('swh::remote_service::scheduler::config::scheduler0')}" swh::remote_service::scheduler::config::writable: "%{alias('swh::remote_service::scheduler::config::scheduler0')}" swh::remote_service::counters::url: "http://counters0.internal.staging.swh.network:%{hiera('swh::remote_service::counters::port')}/" swh::deploy::deposit::url: https://deposit.staging.swh.network swh::deploy::deposit::internal_url: "https://deposit-rp.internal.staging.swh.network" # do not save pack swh::deploy::worker::loader_git::save_data_path: "" swh::deploy::worker::loader_git::concurrency: 1 zookeeper::clusters: rocquencourt_staging: '2': storage1.internal.staging.swh.network kafka::broker::heap_opts: "-Xmx3G -Xms3G" swh::deploy::journal::brokers: - journal1.internal.staging.swh.network swh::deploy::deposit::vhost::letsencrypt_cert: deposit_staging swh::deploy::deposit::reverse_proxy::backend_http_host: deposit.internal.staging.swh.network swh::deploy::webapp::vhost::letsencrypt_cert: archive_staging swh::deploy::webapp::reverse_proxy::backend_http_host: webapp.internal.staging.swh.network +swh::deploy::graphql::vhost::letsencrypt_cert: graphql_staging +swh::deploy::graphql::reverse_proxy::basic_auth: true +swh::deploy::graphql::reverse_proxy::backend_http_host: graphql-worker0.internal.staging.swh.network +swh::deploy::graphql::reverse_proxy::backend_http_port: 
"80" + +# swh::deploy::graphql::reverse_proxy::basic_auth::swh-stg in private data +swh::deploy::graphql::reverse_proxy::basic_auth::users: + - swh-stg + swh::remote_service::objstorage::config::rw: cls: remote url: "http://storage1.internal.staging.swh.network:%{hiera('swh::remote_service::objstorage::port')}/" swh::remote_service::objstorage::config::ro: cls: filtered storage_conf: "%{alias('swh::remote_service::objstorage::config::rw')}" filters_conf: - type: readonly swh::deploy::objstorage::vhost::letsencrypt_cert: objstorage_staging swh::deploy::objstorage::reverse_proxy::backend_http_host: objstorage0.internal.staging.swh.network swh::deploy::objstorage::reverse_proxy::basic_auth::users: - swh-stg - enea-stg - snyk-stg-01 swh::deploy::objstorage::backend::public_server_name: objstorage.staging.swh.network objstorage.internal.staging.swh.network swh::remote_service::objstorage::config: "%{alias('swh::remote_service::objstorage::config::ro')}" swh::remote_service::objstorage::config::writable: "%{alias('swh::remote_service::objstorage::config::rw')}" swh::deploy::objstorage::backend::server_names: - "%{alias('swh::deploy::objstorage::backend::public_server_name')}" - "%{::swh_hostname.internal_fqdn}" - "%{::hostname}" - 127.0.0.1 - localhost - "::1" swh::deploy::reverse_proxy::services: - deposit - webapp - objstorage + - graphql swh::postgresql::version: '12' swh::postgresql::port: 5433 swh::postgresql::cluster_name: "%{lookup('swh::postgresql::version')}/main" swh::postgresql::datadir_base: "%{lookup('swh::base_directory')}/postgres" swh::postgresql::datadir: "%{lookup('swh::postgresql::datadir_base')}/%{lookup('swh::postgresql::cluster_name')}" swh::postgresql::listen_addresses: - 0.0.0.0 swh::postgresql::network_accesses: - 192.168.100.0/24 # Monitoring - 192.168.130.0/24 # Staging services swh::postgresql::shared_buffers: 32GB postgresql::server::config_entries: shared_buffers: "%{alias('swh::postgresql::shared_buffers')}" cluster_name: 
"%{alias('swh::postgresql::cluster_name')}" swh::dbs: storage: name: swh user: swh scheduler: name: swh-scheduler user: swh-scheduler vault: name: swh-vault user: swh-vault lister: name: swh-lister user: swh-lister deposit: name: swh-deposit user: swh-deposit indexer::storage: name: swh-indexer user: swh-indexer webapp: name: swh-web user: swh-web scrubber: name: swh-scrubber user: swh-scrubber mirror: name: swh-mirror user: swh-mirror password: "%{lookup('swh::deploy::mirror::db::password')}" pgbouncer::auth_hba_file: "/etc/postgresql/%{lookup('swh::postgresql::cluster_name')}/pg_hba.conf" pgbouncer::common::listen_addresses: - 0.0.0.0 pgbouncer::databases: - source_db: swh host: localhost auth_user: postgres port: 5433 alias: staging-swh - source_db: swh-scheduler host: localhost auth_user: postgres port: 5433 alias: staging-swh-scheduler - source_db: swh-vault host: localhost auth_user: postgres port: 5433 alias: staging-swh-vault - source_db: swh-lister host: localhost auth_user: postgres port: 5433 alias: staging-swh-lister - source_db: swh-deposit host: localhost auth_user: postgres port: 5433 alias: staging-swh-deposit - source_db: swh-indexer host: localhost auth_user: postgres port: 5433 alias: staging-swh-indexer - source_db: swh-web host: localhost auth_user: postgres port: 5433 alias: staging-swh-web - source_db: swh-mirror host: localhost auth_user: postgres port: 5433 alias: swh-mirror - source_db: swh-scrubber host: localhost auth_user: postgres port: 5433 alias: staging-swh-scrubber # open objstorage api swh::deploy::objstorage::backend::listen::host: 0.0.0.0 swh::deploy::objstorage::backend::workers: 16 swh::deploy::objstorage::directory: "%{hiera('swh::deploy::storage::directory')}" swh::deploy::objstorage::slicing: 0:1/1:5 # Deploy the storage server as a public resource swh::deploy::storage::backend::listen::host: 0.0.0.0 swh::deploy::storage::backend::workers: 4 swh::deploy::storage::backend::max_requests: 100 
swh::deploy::storage::backend::max_requests_jitter: 10 # Deploy the indexer storage server as a public resource swh::deploy::indexer::storage::backend::listen::host: 0.0.0.0 swh::deploy::indexer::storage::backend::workers: 4 nginx::worker_processes: 4 ## Reverse-proxy and frontend hitch::frontend: "[*]:443" hitch::proxy_support: true varnish::http_port: 80 apache::http_port: 9080 # Disable default vhost on port 80 apache::default_vhost: false # Elasticsearch elasticsearch::config::cluster::name: swh-search elasticsearch::config::discovery::seed_hosts: - search-esnode0.internal.staging.swh.network elasticsearch::config::cluster::initial_master_nodes: - search-esnode0 elasticsearch::jvm_options::heap_size: 16g elasticsearch::config::prometheus::indices: true swh::elasticsearch::search_nodes: - host: search-esnode0.internal.staging.swh.network port: 9200 swh::deploy::search::journal_client::service_types: - objects - indexed swh::deploy::search::journal_client::objects::consumer_group: swh.search.journal_client-v0.11 swh::deploy::search::journal_client::indexed::consumer_group: swh.search.journal_client.indexed-v0.11 swh::deploy::webapp::url: "https://webapp.staging.swh.network" swh::deploy::vault::e2e::storage: "%{alias('swh::remote_service::storage0::url')}" swh::config::keycloak::realm_name: SoftwareHeritageStaging # No historical file on staging swh::deploy::counters::cache_static_file: swh::deploy::counters::live_data_start: 1609462861 # 2021-01-01 swh::deploy::webapp::snapshot_e2e: uri: '/browse/snapshot/48dcf76ec1a3bd57ec117b1dace633691fdfd70d/branches/' regexp: - 'refs/tags/syslinux-3.20-pre2.*refs/tags/syslinux-3.20-pre3.*' swh::deploy::worker::loader_high_priority::queues: # bzr - save_code_now:swh.loader.bzr.tasks.LoadBazaar # cvs - save_code_now:swh.loader.cvs.tasks.LoadCvsRepository # git - save_code_now:swh.loader.git.tasks.UpdateGitRepository # mercurial - save_code_now:swh.loader.mercurial.tasks.LoadMercurial - 
save_code_now:swh.loader.mercurial.tasks.LoadArchiveMercurial # svn - save_code_now:swh.loader.svn.tasks.LoadSvnRepository - save_code_now:swh.loader.svn.tasks.MountAndLoadSvnRepository - save_code_now:swh.loader.svn.tasks.DumpMountAndLoadSvnRepository # archives - save_code_now:swh.loader.package.archive.tasks.LoadArchive swh::deploy::scheduler::swh-scheduler-runner-priority::config::task_types: - load-bzr - load-cvs - load-git - load-svn - load-archive-files - load-hg syncoid::public_keys::storage1: type: ssh-ed25519 key: "AAAAC3NzaC1lZDI1NTE5AAAAIB0y7dvB0cBluC+Dy+w51P6JCbB18whd/IekP5148XsS" syncoid::public_keys::db1: type: ssh-ed25519 key: "AAAAC3NzaC1lZDI1NTE5AAAAILRVodfvLudSiOdWOPDSoN5MIwZPbyZAyClfr/SQUK4w" swh::deploy::maven_index_exporter::url: maven-exporter.internal.staging.swh.network diff --git a/data/subnets/vagrant.yaml b/data/subnets/vagrant.yaml index 1bb58021..c57f559f 100644 --- a/data/subnets/vagrant.yaml +++ b/data/subnets/vagrant.yaml 
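Review bot: The added `swh::deploy::graphql::reverse_proxy::*` keys enforce basic auth at the reverse proxy only, while the backend `graphql-worker0.internal.staging.swh.network` is reached over plain HTTP on port "80". The credential check therefore protects the API only if the worker refuses connections from anything but the proxy, and this hunk shows no such restriction, so it should be confirmed in the worker's profile or firewall data. I would record the assumption next to the backend keys, e.g. `# basic auth is enforced at the reverse proxy only; the backend on port 80 must accept connections from the reverse proxy alone`. The user `swh-stg` is also listed under `swh::deploy::objstorage::reverse_proxy::basic_auth::users`; the private-data key named in the new comment is graphql-specific, so it is worth checking that its password is a separate secret and not a copy of the objstorage one.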
@@ -1,283 +1,289 @@ --- dns::local_nameservers: - 192.168.100.29 - 192.168.200.22 # forwarder for : # - swh network # - Inria network # - external network dns::forwarders: - 192.168.100.29 - 192.168.200.22 - 128.93.77.234 - 1.1.1.1 dns::forwarder_insecure: true bind::zones::masters: - 192.168.100.29 ntp::servers: - sesi-ntp1.inria.fr - sesi-ntp2.inria.fr networks::manage_interfaces: false internal_network: 10.168.128.0/16 puppet::master::codedir: /tmp/puppet networks::private_routes: {} smtp::relay_hostname: 'none' swh::postgresql::network_accesses: - 10.168.100.0/24 swh::deploy::worker::instances: - checker_deposit - lister - loader_archive - loader_cran - loader_debian - loader_deposit - loader_git - loader_mercurial - loader_nixguix - loader_opam - loader_npm - loader_pypi - loader_svn - loader_high_priority dns::forward_zones: { } netbox::mail::from: inventory+vagrant@softwareheritage.org netbox::admin::email: sysop+vagrant@softwareheritage.org kafka::cluster::public_network: 10.168.130.0/24 kafka::cluster::heap_ops: "-Xmx512m -Xms512m" puppet::master::manage_puppetdb: true puppetdb::listen_address: 0.0.0.0 swh::puppetdb::etcdir: /etc/puppetdb puppetdb::confdir: "%{lookup('swh::puppetdb::etcdir')}/conf.d" puppetdb::ssl_dir: "%{lookup('swh::puppetdb::etcdir')}/ssl" swh::puppetdb::ssl_key_path: "%{lookup('puppetdb::ssl_dir')}/key.pem" swh::puppetdb::ssl_key: "%{::puppet_vardir}/ssl/private_keys/pergamon.softwareheritage.org.pem" swh::puppetdb::ssl_cert: "%{::puppet_vardir}/ssl/certs/pergamon.softwareheritage.org.pem" swh::puppetdb::ssl_cert_path: "%{lookup('puppetdb::ssl_dir')}/cert.pem" swh::puppetdb::ssl_ca_cert: "%{::puppet_vardir}/ssl/ca/ca_crt.pem" swh::puppetdb::ssl_ca_cert_path: "%{lookup('puppetdb::ssl_dir')}/ca_crt.pem" puppet::autosign_entries: - '*.softwareheritage.org' - '*.staging.swh.network' - '*.admin.swh.network' static_hostnames: 10.168.50.10: host: bardo.internal.admin.swh.network 10.168.50.20: host: rp1.internal.admin.swh.network aliases: - 
hedgedoc.softwareheritage.org - grafana.softwareheritage.org - sentry.softwareheritage.org 10.168.50.30: host: grafana0.internal.admin.swh.network 10.168.50.50: host: dali.internal.admin.swh.network aliases: - db1.internal.admin.swh.network 10.168.50.70: host: riverside.internal.admin.swh.network 10.168.50.60: host: bojimans.internal.admin.swh.network aliases: - inventory.internal.admin.swh.network - inventory.internal.softwareheritage.org 10.168.50.90: host: thanos.internal.admin.swh.network 10.168.100.18: host: banco.internal.softwareheritage.org aliases: - backup.internal.softwareheritage.org - kibana.internal.softwareheritage.org 10.168.100.19: host: logstash0.internal.softwareheritage.org aliases: - logstash.internal.softwareheritage.org 10.168.100.29: host: pergamon.internal.softwareheritage.org aliases: - pergamon.softwareheritage.org - icinga.internal.softwareheritage.org - stats.export.softwareheritage 10.168.100.30: host: jenkins.softwareheritage.org 10.168.100.31: host: moma.internal.softwareheritage.org aliases: - archive.internal.softwareheritage.org - deposit.internal.softwareheritage.org - objstorage.softwareheritage.org - objstorage.internal.softwareheritage.org 10.168.100.32: host: beaubourg.internal.softwareheritage.org 10.168.100.34: host: hypervisor3.internal.softwareheritage.org 10.168.100.61: host: esnode1.internal.softwareheritage.org 10.168.100.62: host: esnode2.internal.softwareheritage.org 10.168.100.63: host: esnode3.internal.softwareheritage.org 10.168.100.71: host: webapp1.internal.softwareheritage.org 10.168.100.81: host: search-esnode1.internal.softwareheritage.org 10.168.100.82: host: search-esnode2.internal.softwareheritage.org 10.168.100.83: host: search-esnode3.internal.softwareheritage.org 10.168.100.85: host: search1.internal.softwareheritage.org 10.168.100.86: host: search-esnode4.internal.softwareheritage.org 10.168.100.87: host: search-esnode5.internal.softwareheritage.org 10.168.100.88: host: 
search-esnode6.internal.softwareheritage.org 10.168.100.95: host: counters1.internal.softwareheritage.org 10.168.100.101: host: uffizi.internal.softwareheritage.org 10.168.100.102: host: getty.internal.softwareheritage.org 10.168.100.103: host: somerset.internal.softwareheritage.org 10.168.100.104: host: saatchi.internal.softwareheritage.org aliases: - rabbitmq.internal.softwareheritage.org 10.168.100.105: host: thyssen.internal.softwareheritage.org 10.168.100.106: host: kelvingrove.internal.softwareheritage.org aliases: - auth.softwareheritage.org 10.168.100.108: host: branly.internal.softwareheritage.org 10.168.100.109: host: saam.internal.softwareheritage.org 10.168.100.110: host: met.internal.softwareheritage.org 10.168.100.131: host: zookeeper1.internal.softwareheritage.org 10.168.100.132: host: zookeeper2.internal.softwareheritage.org 10.168.100.133: host: zookeeper3.internal.softwareheritage.org 10.168.100.150: host: jenkins1-debian.internal.softwareheritage.org 10.168.100.170: host: pompidou.internal.softwareheritage.org 10.168.100.181: host: cassandra01.internal.softwareheritage.org 10.168.100.182: host: cassandra02.internal.softwareheritage.org 10.168.100.183: host: cassandra03.internal.softwareheritage.org 10.168.100.184: host: cassandra04.internal.softwareheritage.org 10.168.100.185: host: cassandra05.internal.softwareheritage.org 10.168.100.186: host: cassandra06.internal.softwareheritage.org 10.168.100.210: host: belvedere.internal.softwareheritage.org aliases: - db.internal.softwareheritage.org 10.168.100.201: host: kafka1.internal.softwareheritage.org aliases: - broker1.journal.softwareheritage.org 10.168.100.202: host: kafka2.internal.softwareheritage.org aliases: - broker2.journal.softwareheritage.org 10.168.100.203: host: kafka3.internal.softwareheritage.org aliases: - broker3.journal.softwareheritage.org 10.168.100.204: host: kafka4.internal.softwareheritage.org aliases: - broker4.journal.softwareheritage.org 10.168.130.11: host: 
db1.internal.staging.swh.network 10.168.130.20: host: rp1.internal.staging.swh.network aliases: - webapp.staging.swh.network - deposit.staging.swh.network - objstorage.staging.swh.network 10.168.130.30: host: webapp.internal.staging.swh.network 10.168.130.31: host: deposit.internal.staging.swh.network 10.168.130.41: host: storage1.internal.staging.swh.network aliases: - journal1.internal.staging.swh.network 10.168.130.50: host: scheduler0.internal.staging.swh.network 10.168.130.60: host: vault.internal.staging.swh.network 10.168.130.70: host: maven-exporter0.internal.staging.swh.network aliases: - maven-exporter.internal.staging.swh.network 10.168.130.80: host: search-esnode0.internal.staging.swh.network 10.168.130.90: host: search0.internal.staging.swh.network 10.168.130.95: host: counters0.internal.staging.swh.network 10.168.130.100: host: worker0.internal.staging.swh.network 10.168.130.101: host: worker1.internal.staging.swh.network 10.168.130.102: host: worker2.internal.staging.swh.network 10.168.130.103: host: worker3.internal.staging.swh.network 10.168.130.110: host: objstorage0.internal.staging.swh.network 10.168.130.120: host: scrubber0.internal.staging.swh.network 10.168.130.130: host: elastic-worker0.internal.staging.swh.network 10.168.130.131: host: elastic-worker1.internal.staging.swh.network 10.168.130.132: host: elastic-worker2.internal.staging.swh.network 10.168.130.133: host: elastic-worker3.internal.staging.swh.network 10.168.130.140: host: rancher-node-intern0.internal.staging.swh.network 10.168.130.141: host: rancher-node-intern1.internal.staging.swh.network 10.168.130.142: host: rancher-node-intern2.internal.staging.swh.network + 10.168.130.150: + host: graphql-worker0.internal.staging.swh.network + 10.168.130.151: + host: graphql-worker1.internal.staging.swh.network + 10.168.130.152: + host: graphql-worker2.internal.staging.swh.network 10.168.130.160: host: mirror-test.internal.staging.swh.network 10.168.200.22: host: 
ns0.euwest.azure.internal.softwareheritage.org thanos::objstore::config: # thanos sidecar will crash if the objstore is a badly configured azure bucket # (e.g. with redacted credentials) type: FILESYSTEM config: directory: "/var/tmp/thanos-objstore"