Merge branch 't32853-ovh_cloud_provisioning' into 'master'

See merge request mediaserver/envsetup!25

Merge branch 't32853-ovh_cloud_provisioning' into 'master'
6d2184a9 · Stéphane Diemer · 2f5addd9 · 783a826d · 6d2184a9 · 6d2184a9
Commit 6d2184a9 authored 4 years ago by Stéphane Diemer
--- a/ansible/roles/haproxy/defaults/main.yml
+++ b/ansible/roles/haproxy/defaults/main.yml
@@ -38,6 +38,16 @@ hap_config_stats: |2
  stats uri /
  stats auth admin:password
-hap_config_listen: []
+hap_config_listen:
+  - name: pgsql-primary
+    content: |2
+        bind :54321
+        default-server inter 2s fall 3 rise 2 on-marked-down shutdown-sessions
+        option tcp-check
+        tcp-check expect string primary
+        maxconn 500
+        server {{ groups['postgres'][0] }} {{ hostvars[groups['postgres'][0]]['ansible_default_ipv4']['address'] }}:5432 maxconn 500 check port 8543
+        server {{ groups['postgres'][1] }} {{ hostvars[groups['postgres'][1]]['ansible_default_ipv4']['address'] }}:5432 maxconn 500 check port 8543 backup
+# hap_config_listen: []
 ...
--- a/ansible/roles/mediaserver/defaults/main.yml
+++ b/ansible/roles/mediaserver/defaults/main.yml
@@ -45,4 +45,7 @@ server_ferm_input_rules:
 server_ferm_output_rules: []
 server_ferm_global_settings:
+real_ip_from: "" # default for OVH is 10.108.0.0/14
 ...
--- a/ansible/roles/mediaserver/handlers/main.yml
+++ b/ansible/roles/mediaserver/handlers/main.yml
@@ -9,4 +9,14 @@
    name: nginx
    state: restarted
+- name: restart mediaserver
+  systemd:
+    name: mediaserver
+    state: restarted
+- name: restart systemd-sysusers
+  systemd:
+    name: systemd-sysusers
+    state: restarted
 ...
--- a/ansible/roles/mediaserver/meta/main.yml
+++ b/ansible/roles/mediaserver/meta/main.yml
@@ -5,8 +5,12 @@ dependencies:
  - role: nginx
  - when: "'celerity' in group_names"
    role: celerity
-  - when: "'postgres' in group_names"
+  # - when: "'postgres' in group_names and groups['postgres'] | length > 1"
-    role: postgres
+  #   role: postgres-ha
+  # - when: "'postgres' in group_names and groups['postgres'] | length == 1"
+  #   role: postgres
+  - when: "groups['postgres'] | length > 1"
+    role: haproxy
  - when: "'wowza' in group_names"
    role: wowza

--- a/ansible/roles/mediaserver/tasks/main.yml
+++ b/ansible/roles/mediaserver/tasks/main.yml
@@ -10,16 +10,19 @@
  register: root_ssh_pubkey
  slurp:
    path: /root/.ssh/id_ed25519.pub
+  tags: always
 - name: register ssh public key as an ansible fact
  set_fact:
    pubkey: "{{ root_ssh_pubkey['content'] | b64decode }}"
+  tags: always
 - name: share ssh public key between cluster members
  loop: "{{ groups['mediaserver'] }}"
  authorized_key:
    user: root
    key: "{{ hostvars[item]['pubkey'] }}"
+  tags: always
 - name: resolve domain name to localhost
  when: not in_docker
@@ -30,19 +33,32 @@
    line: '127.0.1.1 {{ item.ms_server_name }}'
    backup: true
- name: synchronize configuration
+# - name: synchronize configuration
-  when: groups['mediaserver'] | length > 1
+#   when: groups['mediaserver'] | length > 1
-  loop:
+#   loop:
-    - /etc/passwd
+#     - /etc/passwd
-    - /etc/shadow
+#     - /etc/shadow
-    - /etc/group
+#     - /etc/group
-  synchronize:
+#   synchronize:
-    src: "{{ item }}"
+#     src: "{{ item }}"
-    dest: "{{ item }}"
+#     dest: "{{ item }}"
-    mode: push
+#     mode: push
-    copy_links: yes
+#     copy_links: yes
-    set_remote_user: no
+#     set_remote_user: no
-  delegate_to: "{{ groups['mediaserver'][0] }}"
+#   delegate_to: "{{ groups['mediaserver'][0] }}"
+#   tags: always
+- name: create celerity-config
+  notify: restart celerity-server
+  template:
+    src: celerity-config.py.j2
+    dest: /etc/celerity/config.py
+    mode: 0644
+    owner: root
+    group: root
+  when:
+    - inventory_hostname not in groups['celerity']
+  changed_when: "'molecule-idempotence-notest' not in ansible_skip_tags"
 - name: create instances
  when: inventory_hostname == groups['mediaserver'][0]
@@ -74,6 +90,55 @@
    cmd: msinstaller.py {{ item.name }} --no-input
    creates: /etc/nginx/sites-available/mediaserver-{{ item.name }}.conf
+- name: synchronize configuration between servers
+  ignore_errors: yes
+  when:
+    - groups['mediaserver'] | length > 1
+    - inventory_hostname != groups['mediaserver'][0]
+  loop:
+    - /etc/mediaserver
+    - /etc/nginx
+    - /etc/celerity
+    - /etc/sysusers.d
+    - /var/www
+  synchronize:
+    src: "{{ item }}"
+    dest: "{{ item }}"
+    mode: push
+    copy_links: yes
+    delete: yes
+    recursive: yes
+    set_remote_user: no
+    existing_only: yes
+  notify:
+    - restart mediaserver
+    - restart nginx
+    - restart systemd-sysusers
+  delegate_to: "{{ groups['mediaserver'][0] }}"
+  tags: mediaserver-synchronize
+- name: synchronize letsencrypt configuration between servers
+  ignore_errors: yes
+  when:
+    - groups['mediaserver'] | length > 1
+    - inventory_hostname != groups['mediaserver'][0]
+    - letsencrypt_enabled | d(false)
+  loop:
+    - /etc/letsencrypt
+  synchronize:
+    src: "{{ item }}"
+    dest: "{{ item }}"
+    mode: push
+    copy_links: yes
+    delete: yes
+    recursive: yes
+    set_remote_user: no
+    existing_only: yes
+  notify:
+    - restart nginx
+  delegate_to: "{{ groups['mediaserver'][0] }}"
+  tags: mediaserver-synchronize
 - name: configure email sender address
  notify: mscontroller restart
  lineinfile:
@@ -110,6 +175,14 @@
      touch /etc/mediaserver/.{{ item.ms_server_name }}.reset_service_resources.log ;
    creates: /etc/mediaserver/.{{ item.ms_server_name }}.reset_service_resources.log
+- name: add realip configuration for LoadBalancer in HA configuration
+  notify: restart nginx
+  when:
+    - groups['mediaserver'] | length > 1
+  template:
+    src: realip.conf.j2
+    dest: /etc/nginx/conf.d/realip.conf
 # Set RTMP password and URL in lives config json
 # https://stackoverflow.com/questions/50796341/add-a-new-key-value-to-a-json-file-using-ansible
@@ -118,8 +191,8 @@
    msg: "Please define the Wowza URL/IP (server_wowza_url variable) in your inventory for the \"mediaserver\" group"
  when:
    - server_wowza_url == "127.0.0.1"
-    - '"wowza" not in group_names'
    - groups['wowza']|d('') | length > 0
+    - groups['mediaserver'] | length > 1
 - name: ensure lives configuration exists
  copy:
@@ -148,7 +221,6 @@
 - name: set RTMP url in lives configuration
  when:
    - server_wowza_url | d(false)
-    - '"wowza" not in group_names'
  vars:
    rtmp_publish_url_line:
      RTMP_PUBLISH_URL: "rtmp://{{ server_wowza_url }}/%(rtmp_app)s/_definst_?doPublish=%(rtmp_pwd)s/%(stream_id)s"
@@ -163,7 +235,6 @@
 - name: 'Replace nginx conf to join wowza servers'
  when:
    - server_wowza_url | d(false)
-    - '"wowza" not in group_names'
  notify: restart nginx
  replace:
    path: /etc/nginx/conf.d/mediaserver-streaming.conf

--- a/ansible/roles/mediaserver/templates/celerity-config.py.j2
+++ b/ansible/roles/mediaserver/templates/celerity-config.py.j2
@@ -2,11 +2,9 @@
 # -*- coding: utf-8 -*-
 SIGNING_KEY = '{{ server_celerity_signing_key }}'
-SERVER_URL = 'https://{{ server_hostname }}:6200'
+SERVER_URL = 'https://{{ hostvars[groups['celerity'][0]]['ansible_default_ipv4']['address'] }}:6200'
+# QUEUES_PER_WORKER  = 2
-# WORKERS_COUNT = 2
 # MediaServer interactions
 MEDIASERVERS = {
-    '{{ server_id }}': {'url': 'https://{{ server_hostname }}', 'api_key': '{{ server_api_key }}'},
 }
--- a/ansible/roles/mediaserver/templates/realip.conf.j2
+++ b/ansible/roles/mediaserver/templates/realip.conf.j2
+# {{ ansible_managed }}
+set_real_ip_from {{ real_ip_from }}; # IP/network of the reverse proxy
+real_ip_header X-Forwarded-For;
--- a/ansible/roles/mediaworker/templates/celerity-config.py.j2
+++ b/ansible/roles/mediaworker/templates/celerity-config.py.j2
@@ -4,7 +4,7 @@
 SIGNING_KEY = '{{ worker_celerity_signing_key }}'
 SERVER_URL = 'https://{{ worker_celerity_server }}:6200'
-WORKERS_COUNT = {{ worker_workers_count }}
+QUEUES_PER_WORKER = {{ worker_workers_count }}
 # MediaServer interactions
 MEDIASERVERS = {

--- a/ansible/roles/netcapture/meta/main.yml
+++ b/ansible/roles/netcapture/meta/main.yml
@@ -2,5 +2,6 @@
 dependencies:
  - role: base
+  - role: docker
 ...
--- a/ansible/roles/netcapture/tasks/main.yml
+++ b/ansible/roles/netcapture/tasks/main.yml
 ---
- name: requirements install
-  apt:
-    force_apt_get: true
-    install_recommends: false
-    name:
-      - apt-transport-https
-      - ca-certificates
-      - curl
-      - gnupg-agent
-      - lsb-release
-      - software-properties-common
- name: docker repo key
-  apt_key:
-    url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
-    state: present
- name: docker repo
-  apt_repository:
-    repo: deb [arch=amd64] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release | lower }} stable
-    state: present
-    filename: docker-ce
- name: docker install
-  apt:
-    force_apt_get: true
-    install_recommends: false
-    name: docker-ce
- name: docker service
-  systemd:
-    name: docker
-    enabled: true
-    state: started
 - name: netcapture install
  apt:
    force_apt_get: true

--- a/ansible/roles/sysconfig/defaults/main.yml
+++ b/ansible/roles/sysconfig/defaults/main.yml
@@ -38,6 +38,8 @@ sysconfig_packages:
  - sudo
  - unattended-upgrades
  - vim
+  - man
+  - git-man
 sysconfig_firewall_enabled: true
 sysconfig_ferm_rules_filename: sysutils

--- a/ansible/roles/wowza/tasks/main.yml
+++ b/ansible/roles/wowza/tasks/main.yml
@@ -6,6 +6,12 @@
    name: base
  when: '"mediaserver" not in group_names'
+- name: force directory creation
+  file:
+    path: /usr/share/man/man1
+    force: true
+    state: directory
 - name: install wowza requirements
  apt:
    force_apt_get: true