Tower HA pre-run
---
# vim: set ft=ansible sw=2 ts=2 et:
#
# Prepare for Tower HA install
#
#* Download offline bundle
#* Unarchive offline bundle on ALL hosts
#* do ./bundle_setup.sh on ALL hosts
#* do pre-dependency installs [yum install -y $(cat required_os_packages.txt)] on PRIMARY host
#
# On primary
# Put this gist in ansible-tower-setup-2.2.* directory
#
# get these:
# https://github.com/chrismeyersfsu/role-required_vars/archive/master.zip
# https://github.com/chrismeyersfsu/role-install_mongod
#
# cd to ansible-tower-setup-2.2.*/roles
# unzip master
# mv role-required_vars-master chrismeyersfsu.required_vars
# unzip updates_for_ha_support.zip
# mv role-install_mongod install_mongod
## cut off the iptables dependency
# head -n-2 install_mongod/meta/main.yml > xx && mv xx install_mongod/meta/main.yml
#
# run ./configure - DO NOT run setup.sh yet -- it is strongly recommended that you configure one primary
# and at least two secondary hosts. ** This play has been tested with two secondaries **
#
# run...
# ansible-playbook -i inventory hasetup.yml -e pw=(password_for_database_user) -e repl_pw=(password_for_database_replication) -e install_mongod_admin_password=(obvious) -e install_mongod_user_password=(also_obvious) -e bundled=True
#
# ...this should set up postgres and mongo across the three hosts.
#
# run setup.sh
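- hosts: all
  sudo: true
  vars:
    dbuser: awx
    dbname: awx
    dbpath: /var/lib/pgsql/9.4/data
  pre_tasks:
    # Refuse to run with missing credentials rather than creating accounts with
    # empty passwords further down.
    - name: Check for variables
      fail:
        msg: 'Must pass -e pw for DB user, repl_pw for replication user'
      when: (pw is not defined) or (repl_pw is not defined)
    # The install_mongod role params below default to '' and rely on -e to
    # override them; an omitted value would otherwise install mongod with an
    # empty admin/user password.
    - name: Check for mongod credentials
      fail:
        msg: 'Must pass non-empty -e install_mongod_admin_password and -e install_mongod_user_password'
      when: (install_mongod_admin_password | default('')) == '' or (install_mongod_user_password | default('')) == ''
    - name: Check for OS version
      fail:
        msg: 'Only tested on RHEL'
      when: ansible_os_family != 'RedHat'
    # Puts the whole host into SELinux permissive mode for the lifetime of the
    # install; this weakens the host's policy enforcement, so treat it as a
    # deliberate trade-off to revisit rather than a fix.
    - name: CBA with selinux
      selinux:
        state: permissive
        policy: targeted
    # Probe only: never reports a change, and a non-zero exit just means the
    # pgdg repo is not present yet.
    - name: Check for availability of postgresql94
      command: yum info postgresql94
      register: check
      ignore_errors: true
      changed_when: false
    # The repo RPM is fetched over plain HTTP with no checksum pinned in this
    # task, so the download is not integrity-protected by the playbook itself.
    # The URL is the rhel-6 repo RPM even though the initdb map in the primary
    # play handles major version 7 as well — confirm it is right for the
    # target OS before relying on it.
    - name: Install pgdg94 yum repo
      yum:
        name: http://yum.postgresql.org/9.4/redhat/rhel-6-x86_64/pgdg-redhat94-9.4-1.noarch.rpm
        state: present
      when: check|failed
    - name: Ensure packages are installed
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        - libselinux-python
        - postgresql94-server
        - python-psycopg2
  # https://github.com/phips/role-install_mongod/tree/updates_for_ha_support
  # README!! https://github.com/phips/role-install_mongod/blob/updates_for_ha_support/README.md
  roles:
    # Password params are placeholders; the real values come from -e on the
    # command line (see the header) and are checked for in pre_tasks.
    - role: install_mongod
      install_mongod_admin_username: admin
      install_mongod_admin_password: ''
      install_mongod_user_username: awx
      install_mongod_user_password: ''
      install_mongod_user_database: awx
      install_mongod_replset: tower
      install_mongod_keyfile: '/etc/pki/mongo/keyfile'
      tags: mongo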
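- hosts: primary
  sudo: true
  sudo_user: postgres
  vars:
    dbuser: awx
    dbname: awx
    dbpath: /var/lib/pgsql/9.4/data
    # Keyed by ansible_distribution_major_version; keys are quoted so YAML
    # keeps them as strings rather than integers.
    initdb:
      "6": /sbin/service postgresql-9.4 initdb
      "7": /usr/pgsql-9.4/bin/postgresql94-setup initdb
  tasks:
    - name: initdb
      command: "{{ initdb[ansible_distribution_major_version] }}"
      args:
        creates: "{{ dbpath }}/PG_VERSION"
      sudo: true
      sudo_user: root
    - name: Ensure pgsql is listening on IP
      lineinfile:
        dest: "{{ dbpath }}/postgresql.conf"
        regexp: ^listen_addresses
        line: "listen_addresses = '{{ ansible_default_ipv4.address }}'"
        state: present
      notify: restartdb
    # wal_level is a server-start setting like the others, so it notifies the
    # restart handler too (the original task did not).
    - name: Set wal_level
      lineinfile:
        dest: "{{ dbpath }}/postgresql.conf"
        regexp: ^wal_level
        line: "wal_level = 'hot_standby'"
        state: present
      notify: restartdb
    # 'samenet' grants the DB user access from the whole local subnet; replace
    # it with an explicit network prefix once the Tower hosts' network is known.
    # The regexp is built from dbname/dbuser instead of a hard-coded 'awx'.
    - name: Ensure dbuser has remote access to db
      lineinfile:
        dest: "{{ dbpath }}/pg_hba.conf"
        regexp: "^host\\s+{{ dbname }}\\s+{{ dbuser }}\\s"
        line: "host {{ dbname }} {{ dbuser }} samenet md5"
        state: present
      sudo: true
      sudo_user: postgres
      notify: restartdb
    - name: Ensure pgsql service is started
      service:
        name: postgresql-9.4
        state: started
        enabled: true
      sudo: true
      sudo_user: root
    # PostgreSQL md5 auth stores md5(password + username). The plaintext
    # password is handed to a shell here, so the argument is shell-quoted and
    # the task is no_log so the secret never reaches Ansible output or logs.
    # This will be much easier in 1.9 with the hash() filter.
    - name: Create encrypted password
      shell: echo -n {{ (pw ~ dbuser) | quote }} | /usr/bin/openssl dgst -md5
      register: towerpw
      changed_when: false
      no_log: true
    # The md5 string is the stored credential itself, so keep it out of logs.
    - name: Ensure DB user exists
      postgresql_user:
        name: "{{ dbuser }}"
        encrypted: true
        password: 'md5{{ towerpw.stdout | regex_replace(".+?\s","") }}'
      sudo: true
      sudo_user: postgres
      no_log: true
    - name: Ensure Tower DB exists
      postgresql_db:
        name: "{{ dbname }}"
        owner: "{{ dbuser }}"
      sudo: true
      sudo_user: postgres
    # Same scheme for the replication role; its username is the literal 'repl'.
    # This will be much easier in 1.9 with the hash() filter.
    - name: Create encrypted repl password
      shell: echo -n {{ (repl_pw ~ 'repl') | quote }} | /usr/bin/openssl dgst -md5
      register: replpw
      changed_when: false
      no_log: true
    - name: Ensure replication user exists
      postgresql_user:
        name: repl
        encrypted: true
        role_attr_flags: "LOGIN,REPLICATION"
        password: 'md5{{ replpw.stdout | regex_replace(".+?\s","") }}'
      no_log: true
    # The regexp is templated per standby address so a re-run updates the
    # existing pg_hba line instead of appending a duplicate; the original
    # pattern was never templated and could not match anything.
    - name: Ensure replication user can access from standby
      lineinfile:
        dest: "{{ dbpath }}/pg_hba.conf"
        regexp: "^host\\s+replication\\s+repl\\s+{{ hostvars[item]['ansible_default_ipv4']['address'] }}/32"
        line: "host replication repl {{ hostvars[item]['ansible_default_ipv4']['address'] }}/32 md5"
        state: present
      with_items: "{{ groups['secondary'] | default([]) }}"
      notify: restartdb
    # replication tuning stuff
    # http://www.olegdulin.com/2015/01/configuring-master-slave-replication-with-postgresql-93.html
    - name: Set max_wal_senders
      lineinfile:
        dest: "{{ dbpath }}/postgresql.conf"
        regexp: ^max_wal_senders
        line: "max_wal_senders = 5"
        state: present
      notify: restartdb
    # 16MB each
    - name: Set wal_keep_segments
      lineinfile:
        dest: "{{ dbpath }}/postgresql.conf"
        regexp: ^wal_keep_segments
        line: "wal_keep_segments = 100"
        state: present
      notify: restartdb
  handlers:
    - name: restartdb
      service:
        name: postgresql-9.4
        state: restarted
      sudo: true
      sudo_user: root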
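- hosts: secondary
  sudo: true
  sudo_user: postgres
  vars:
    dbpath: /var/lib/pgsql/9.4/data
  tasks:
    # ~/.pgpass lets pg_basebackup authenticate as repl without the password
    # appearing on its command line. ansible_env.HOME is whatever HOME the
    # fact-gathering session had — presumably the postgres home under
    # sudo_user: postgres; verify on the target.
    - name: (SSSSSH)
      copy:
        dest: "{{ ansible_env.HOME }}/.pgpass"
        content: "{{ hostvars[groups['primary'][0]]['ansible_default_ipv4']['address'] }}:5432:replication:repl:{{ repl_pw }}"
        mode: "0600"
      no_log: true
    # Only runs on an empty data directory (PG_VERSION absent).
    - name: Copy init DBs from master
      command: pg_basebackup -h {{ hostvars[groups['primary'][0]]['ansible_default_ipv4']['address'] }} -D {{ dbpath }} -U repl -X stream
      args:
        creates: "{{ dbpath }}/PG_VERSION"
    - name: Ensure pgsql is listening on IP
      lineinfile:
        dest: "{{ dbpath }}/postgresql.conf"
        regexp: ^listen_addresses
        line: "listen_addresses = '{{ ansible_default_ipv4.address }}'"
        state: present
    - name: Ensure pgsql service is started
      service:
        name: postgresql-9.4
        state: started
        enabled: true
      sudo: true
      sudo_user: root
    - name: Ensure pgsql is hot standby
      lineinfile:
        dest: "{{ dbpath }}/postgresql.conf"
        regexp: ^hot_standby
        line: "hot_standby = on"
        state: present
      notify: restartdb
    - name: Ensure streaming mode is set
      lineinfile:
        dest: "{{ dbpath }}/recovery.conf"
        create: true
        state: present
        regexp: ^standby_mode
        line: "standby_mode = 'on'"
        mode: "0600"
      notify: restartdb
    # primary_conninfo embeds the replication password, so this task is no_log
    # (the original was not, leaking repl_pw into the run output) and the file
    # stays 0600.
    - name: Ensure streaming conninfo present
      lineinfile:
        dest: "{{ dbpath }}/recovery.conf"
        create: true
        state: present
        regexp: ^primary_conninfo
        line: "primary_conninfo = 'host={{ hostvars[groups['primary'][0]]['ansible_default_ipv4']['address'] }} port=5432 user=repl password={{ repl_pw }}'"
        mode: "0600"
      no_log: true
      notify: restartdb
  handlers:
    - name: restartdb
      service:
        name: postgresql-9.4
        state: restarted
      sudo: true
      sudo_user: root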