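# === Class role::mediawiki
#
# Sets up a MediaWiki application server: the memcached proxy
# (mcrouter or nutcracker), the mediawiki class itself, the HTTP/HTTPS
# firewall holes and a handful of kernel tunables for a busy FastCGI host.
#
# === Parameters
#
# [*strict_firewall*]
#   When true, ports 80 and 443 only accept traffic from the Cloudflare
#   ranges kept in the private firewall files plus the addresses of the
#   other infrastructure roles known to PuppetDB. When false (the default)
#   both ports are reachable from any source.
#
# [*use_mcrouter*]
#   Selects role::mediawiki::mcrouter instead of role::mediawiki::nutcracker.
class role::mediawiki (
  Boolean $strict_firewall = lookup('role::mediawiki::use_strict_firewall', {'default_value' => false}),
  Boolean $use_mcrouter = lookup('role::mediawiki::use_mcrouter', {'default_value' => false})
) {
  # doesn't install on bookworm
  # include prometheus::exporter::cadvisor
  if $use_mcrouter {
    include role::mediawiki::mcrouter
  } else {
    include role::mediawiki::nutcracker
  }

  include mediawiki

  if $strict_firewall {
    # One address per line. Blank lines and CRLF endings yield empty
    # elements here; they are filtered out below so they never reach ferm.
    $cloudflare_ipv4 = split(file('/etc/puppetlabs/puppet/private/files/firewall/cloudflare_ipv4'), /[\r\n]/)
    $cloudflare_ipv6 = split(file('/etc/puppetlabs/puppet/private/files/firewall/cloudflare_ipv6'), /[\r\n]/)

    # Addresses of the other roles that must reach MediaWiki directly.
    # Each node contributes a small list of addresses rather than a
    # pre-joined string, so a missing ip6 fact becomes an undef element
    # (dropped below) instead of an empty token inside the srange.
    # NOTE(review): these values are facts the nodes report about
    # themselves through PuppetDB; any host that can alter its own facts
    # can insert an address into this allow-list. Confirm that trust
    # boundary is intended.
    $infra_addresses = query_facts('Class[Role::Mediawiki] or Class[Role::Varnish] or Class[Role::Icinga2] or Class[Role::Prometheus] or Class[Role::Bastion]', ['networking'])
      .map |$certname, $node_facts| {
        $networking = $node_facts['networking']
        $interfaces = $networking['interfaces']
        if $interfaces['he-ipv6'] {
          [$networking['ip'], $interfaces['he-ipv6']['ip6']]
        } elsif $interfaces['ens19'] and $interfaces['ens18'] {
          [$interfaces['ens19']['ip'], $interfaces['ens18']['ip'], $interfaces['ens18']['ip6']]
        } elsif $interfaces['ens18'] {
          [$interfaces['ens18']['ip'], $interfaces['ens18']['ip6']]
        } else {
          [$networking['ip'], $networking['ip6']]
        }
      }

    # The Cloudflare ranges previously bypassed unique/sort because the
    # method chain bound only to query_facts(); combine first so the whole
    # allow-list is deduplicated and emitted in a stable order.
    $all_sources = $cloudflare_ipv4 + $cloudflare_ipv6 + $infra_addresses
    $allowed_sources = $all_sources
      .flatten()
      .filter |$address| { $address =~ String[1] }
      .unique()
      .sort()

    $srange = "(${join($allowed_sources, ' ')})"
  } else {
    # An undef attribute value makes ferm::service use its own default,
    # i.e. no source restriction, which is what the non-strict mode wants.
    $srange = undef
  }

  ferm::service { 'http':
    proto   => 'tcp',
    port    => '80',
    srange  => $srange,
    notrack => true,
  }

  ferm::service { 'https':
    proto   => 'tcp',
    port    => '443',
    srange  => $srange,
    notrack => true,
  }

  # Temporarily set vm.swappiness to 1 to handle
  # sudden cases where there's a spike in memory usage.
  # This is when all ram is used for a minute and need to use swap.
  sysctl::parameters { 'vm_swappiness':
    values => {
      'vm.swappiness' => 1,
    },
  }

  # Using fastcgi we need more local ports
  sysctl::parameters { 'raise_port_range':
    values   => { 'net.ipv4.ip_local_port_range' => '22500 65535', },
    priority => 90,
  }

  # Allow sockets in TIME_WAIT state to be re-used.
  # This helps prevent exhaustion of ephemeral port or conntrack sessions.
  # See <http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html>
  sysctl::parameters { 'tcp_tw_reuse':
    values => { 'net.ipv4.tcp_tw_reuse' => 1 },
  }

  system::role { 'mediawiki':
    description => 'MediaWiki server',
  }
}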