activemq.xml.erb
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:amq="http://activemq.apache.org/schema/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd
http://activemq.apache.org/camel/schema/spring http://activemq.apache.org/camel/schema/spring/camel-spring.xsd">
<!--
ActiveMQ broker configuration for MCollective, rendered by Puppet from this
ERB template. Every password referenced in this file (user passwords,
keystore and truststore passwords) ends up in clear text in the rendered
XML, so the file mode of the rendered activemq.xml matters as much as the
values themselves.

Note on ordering: the warning below says direct children of <broker> must be
alphabetical on ActiveMQ 5.4/5.5. This template places networkConnectors
after systemUsage, which is not alphabetical, so it relies on ActiveMQ 5.6.0
or later.
-->
<!--
Property placeholders: the credentials.properties location is commented
out, so nothing here is read from a separate properties file; all secrets
are interpolated inline by Puppet instead. Re-enabling this is one way to
get the hard-coded store passwords further down out of the template.
-->
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<!-- <property name="locations">
<value>file:${activemq.base}/conf/credentials.properties</value>
</property> -->
</bean>
<!--
For more information about what MCollective requires in this file,
see http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html
-->
<!--
WARNING: The elements that are direct children of <broker> MUST BE IN
ALPHABETICAL ORDER. This is fixed in ActiveMQ 5.6.0, but affects
previous versions back to 5.4.
https://issues.apache.org/jira/browse/AMQ-3570
-->
<!--
brokerName is the node's FQDN; the same value names the network connectors
below. persistent="false" means messages are not written to the store.
useJmx="true" registers the JMX MBeans, but the managementContext below sets
createConnector="false", so this file opens no remote JMX listener.
-->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="<%= @fqdn %>" useJmx="true" schedulePeriodForDestinationPurge="60000" persistent="false" networkConnectorStartAsync="true">
<!--
MCollective generally expects producer flow control to be turned off.
It will also generate a limitless number of single-use reply queues,
which should be garbage-collected after about five minutes to conserve
memory.
For more information, see:
http://activemq.apache.org/producer-flow-control.html
-->
<destinationPolicy>
<policyMap>
<policyEntries>
<!--
With producer flow control off, the pending-message limit of 0 plus the
oldest-message eviction strategy are what keeps slow topic consumers from
growing memory without bound; the systemUsage limits below are the backstop.
-->
<policyEntry topic=">" producerFlowControl="false" usePrefetchExtension="false">
<messageEvictionStrategy>
<oldestMessageEvictionStrategy/>
</messageEvictionStrategy>
<pendingMessageLimitStrategy>
<constantPendingMessageLimitStrategy limit="0"/>
</pendingMessageLimitStrategy>
</policyEntry>
<!--
Reply queues are collected after 300000 ms (5 minutes) of inactivity.
"inactiveTimoutBeforeGC" (sic, no "e") is how ActiveMQ itself spells this
attribute; do not correct it, the corrected spelling is not recognized.
-->
<policyEntry queue="*.reply.>" gcInactiveDestinations="true" inactiveTimoutBeforeGC="300000" />
</policyEntries>
</policyMap>
</destinationPolicy>
<!-- JMX stays in-process: no JMX connector or port is created by this file. -->
<managementContext>
<managementContext createConnector="false"/>
</managementContext>
<plugins>
<statisticsBrokerPlugin/>
<!--
This configures the users and groups used by this broker. Groups
are referenced below, in the write/read/admin attributes
of each authorizationEntry element.
-->
<!--
SECURITY: the "admin" account below has the hard-coded password "secret"
and is in the "admins" group, which the authorization map grants
read/write/admin on every queue and topic (">"). Both listeners require a
client certificate (needClientAuth=true), so the attacker must hold a cert
trusted by the truststore, but that presumably includes every MCollective
server and client; any of them can then log in with full broker rights.
Replace "secret" with a Puppet-managed value, or remove the account if
nothing uses it. The other two users take their passwords from template
variables; amq_password is also reused by the network connectors below, so
it is shared by every broker in the cluster.
-->
<simpleAuthenticationPlugin>
<users>
<authenticationUser username="<%= @plugin_activemq_pool_1_user %>" password="<%= @plugin_activemq_pool_1_password %>" groups="mcollective,everyone"/>
<authenticationUser username="amq" password="<%= @amq_password %>" groups="mcollective,everyone"/>
<authenticationUser username="admin" password="secret" groups="mcollective,admins,everyone"/>
</users>
</simpleAuthenticationPlugin>
<!--
Configure which users are allowed to read and write where. Permissions
are organized by group; groups are configured above, in the
authentication plugin.
With the rules below, both servers and admin users belong to group
mcollective, which can both issue and respond to commands. For an
example that splits permissions and doesn't allow servers to issue
commands, see:
http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#detailed-restrictions
-->
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<!--
Least privilege: only "admins" gets the catch-all ">" entries. The
"mcollective" group (the pool user and the cluster user "amq") is limited to
the mcollective.*, ca.* and per-owner / per-datacenter prefixes generated
below.
-->
<authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
<authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
<authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
<authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
<authorizationEntry topic="ca.>" write="mcollective" read="mcollective" admin="mcollective" />
<authorizationEntry queue="ca.>" write="mcollective" read="mcollective" admin="mcollective" />
<!--
Generate one topic and one queue entry per distinct "owner" and
"datacenter" value found in the qf data. The values are interpolated into
the destination pattern unescaped: a value containing XML-special
characters breaks the document, and one containing the ActiveMQ wildcard
characters "*" or ">" widens the grant (a bare ">" would give the
mcollective group everything). This assumes the values are plain
identifiers from trusted Puppet data; TODO confirm where qf comes from.
-->
<%
# Collect the distinct owner/datacenter names as hash keys (hash used as a set).
list = {}
@qf.values.each do |h|
if h['owner']
owner = h['owner']
list[owner] = 1
end
if h['datacenter']
datacenter = h['datacenter']
list[datacenter] = 1
end
end
-%>
<% list.keys.sort.each do |item| -%>
<authorizationEntry topic="<%= item %>.>" write="mcollective" read="mcollective" admin="mcollective" />
<authorizationEntry queue="<%= item %>.>" write="mcollective" read="mcollective" admin="mcollective" />
<% end -%>
<!--
The advisory topics are part of ActiveMQ, and all users need access to them.
The "everyone" group is not special; you need to ensure every user is a member.
-->
<authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
<!--
SECURITY: the keystore and truststore passwords are hard-coded as "puppet",
and the store paths are bare file names (resolved by ActiveMQ relative to
its own directory; confirm against the deployment). The truststore is what
decides which client certificates the needClientAuth listeners below accept,
so it must contain only the intended CA. Consider moving these passwords
to the credentials.properties mechanism commented out at the top of the
file, or to template variables like the user passwords.
-->
<sslContext>
<sslContext
keyStore="keystore.jks" keyStorePassword="puppet"
trustStore="truststore.jks" trustStorePassword="puppet"
/>
</sslContext>
<!--
The systemUsage controls the maximum amount of space the broker will
use for messages. For more information, see:
http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#memory-and-temp-usage-for-messages-systemusage
-->
<!--
The 6 gb memory limit is presumably sized to the JVM heap this broker runs
with; confirm it is below the configured heap. The name="foo" on storeUsage
has no effect on the limit.
-->
<systemUsage>
<systemUsage>
<memoryUsage>
<memoryUsage limit="6 gb"/>
</memoryUsage>
<storeUsage>
<storeUsage limit="2 gb" name="foo"/>
</storeUsage>
<tempUsage>
<tempUsage limit="2 gb"/>
</tempUsage>
</systemUsage>
</systemUsage>
<!--
Broker network: one duplex topic connector and one duplex queue connector
per partner in clusterwith, over OpenWire TLS to port 61617 (the
openwire+nio+ssl listener below). That listener requires a client
certificate, so this broker's keystore must hold a certificate the partner's
truststore accepts. Both connectors authenticate as the "amq" user with the
shared amq_password; "amq" is in the "mcollective" group rather than
"admins", so the remote side restricts the link to the mcollective/ca/owner
destinations. The topic connector excludes all queues and the queue
connector excludes all topics, so each destination type crosses exactly
one link.
-->
<networkConnectors>
<% @clusterwith.each do |partner| -%>
<networkConnector
name="<%= @fqdn %>-<%= partner %>-topics"
uri="static:(ssl://<%= partner %>:61617)?useExponentialBackOff=false&amp;initialReconnectDelay=60000&amp;jms.prefetchPolicy.all=0"
userName="amq"
password="<%= @amq_password %>"
duplex="true"
decreaseNetworkConsumerPriority="true"
networkTTL="2"
dynamicOnly="true">
<excludedDestinations>
<queue physicalName=">" />
</excludedDestinations>
</networkConnector>
<networkConnector
name="<%= @fqdn %>-<%= partner %>-queues"
uri="static:(ssl://<%= partner %>:61617)?useExponentialBackOff=false&amp;initialReconnectDelay=60000&amp;jms.prefetchPolicy.all=0"
userName="amq"
password="<%= @amq_password %>"
duplex="true"
decreaseNetworkConsumerPriority="true"
networkTTL="2"
dynamicOnly="true"
conduitSubscriptions="false">
<excludedDestinations>
<topic physicalName=">" />
</excludedDestinations>
</networkConnector>
<% end -%>
</networkConnectors>
<!--
The transport connectors allow ActiveMQ to listen for connections over
a given protocol. MCollective uses Stomp, and other ActiveMQ brokers
use OpenWire. You'll need different URLs depending on whether you are
using TLS. For more information, see:
http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#transport-connectors
-->
<!--
Both listeners bind all interfaces (0.0.0.0) and require a client
certificate (needClientAuth=true); no plain-text connector is defined,
which is the intended state. enabledProtocols still allows TLSv1 and
TLSv1.1, both deprecated: once every MCollective client and partner broker
is confirmed to speak TLSv1.2, drop the older two from both URIs. Cipher
suites are not pinned here, so they fall back to the JVM defaults.
-->
<transportConnectors>
<transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.hbGracePeriodMultiplier=5"/>
<transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:61617?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
</transportConnectors>
</broker>
</beans>