---
# CloudFlare Origin certificates
#
# Cloudflare-issued origin certificates are only trusted by the Cloudflare
# edge, so the 443 listener in nginx_sites below is only meaningful behind the
# Cloudflare proxy (presumably Full / Full (strict) SSL mode); a client that
# reaches the origin directly will see an untrusted certificate.
# Certificate and private key are pulled from Bitwarden at deploy time, so
# nothing secret is committed in this file.
origin_certs:
  - domain: 'status.im'
    crt: '{{lookup("bitwarden", "Cloudflare/status.im", file="origin.crt")}}'
    key: '{{lookup("bitwarden", "Cloudflare/status.im", file="origin.key")}}'
    default: true

# Syncing can use a lot of memory
#
# NOTE(review): Elastic recommends disabling swap (or enabling
# bootstrap.memory_lock) on hosts that run Elasticsearch, and the JVM heap
# below is sized as a fixed share of RAM — confirm the ES container locks its
# memory, or that this swap file is only intended for the sync workload.
swap_file_path: '/main.swap'
swap_file_size_mb: 2048

# ElasticSearch Cluster
#
# Master-eligible node list built from every host in the play. Each entry is
# {name, addr, port}, with addr taken from the host's WireGuard VPN IP, so
# node-to-node transport on es_node_port is expected to stay inside the VPN.
es_master_nodes: |
  {{ ansible_play_hosts
     | map('extract', hostvars)
     | list
     | json_query(
       '[].{
         name: hostname,
         addr: ansible_local.wireguard.vpn_ip,
         port: to_string(es_node_port)
       }') }}
es_cluster_name: 'nimbus-logs-search'
es_cont_name: 'elasticsearch'
# NOTE(review): 7.14.2 predates the Log4Shell (CVE-2021-44228) fixes Elastic
# shipped in 7.16.1+. Per Elastic's advisory, 7.x on the bundled JDK is not
# exposed to remote code execution thanks to the Java Security Manager, but
# can still leak data through JNDI/DNS lookups triggered by logged input.
# Upgrade the image, or at minimum run with
# ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true until then.
# Also note that 7.x ships with X-Pack security disabled by default; unless the
# container is configured otherwise (not visible here), access control to the
# API/transport ports rests entirely on the VPN chain and ipsets in
# open_ports_list.
es_image: 'elasticsearch:7.14.2'
es_api_port: 9200
es_node_port: 9300
# Since Logstash stores 1 index per day this is fine.
# See: https://www.elastic.co/blog/how-many-shards-should-i-have-in-my-elasticsearch-cluster
es_number_of_shards: 3
# Since Nimbus logs are low-value we don't need replicas.
es_number_of_replicas: 0

# JVM memory settings
#
# Share of total RAM handed to the JVM heap. This was raised to 80% after the
# parent circuit breaker started rejecting requests with
# "[parent] Data too large" (see git history).
# NOTE(review): Elastic's guidance is to keep the heap at <= 50% of RAM (the
# rest is needed for the filesystem cache) and below the ~31 GB compressed-oops
# threshold; an 80% share on a 40+ GB host exceeds both. If the breaker trips
# again, adding nodes or reducing retained data is the safer fix.
es_jvm_mem_ratio: 0.8
es_jvm_mem: '{{ (ansible_memtotal_mb * es_jvm_mem_ratio) | round(0, "floor") }}'
# Min and max heap are set to the same value, as Elastic recommends.
es_jvm_min_heap: '{{ es_jvm_mem | int }}m'
es_jvm_max_heap: '{{ es_jvm_mem | int }}m'

# ElasticSearch HQ
#
# The HQ "load balancer" container is pointed at the ES container itself.
# es_hq_cont_name / es_hq_cont_port, referenced by the oauth section below,
# are not set in this file and presumably come from role defaults.
es_hq_lb_cont_name: '{{ es_cont_name }}'

# oauth access
#
# OAuth proxy container fronting Elasticsearch HQ. nginx terminates TLS for
# oauth_domain and forwards to the proxy on 127.0.0.1:oauth_local_port (see
# nginx_sites); the proxy then talks to the HQ container.
oauth_domain: 'nimbus-es.infra.status.im'
oauth_cont_name: '{{ es_hq_cont_name }}-oauth'
oauth_upstream_cont: '{{ es_hq_cont_name }}'
oauth_upstream_port: '{{ es_hq_cont_port }}'
oauth_public_port: 443
oauth_local_port: 8090
# All secrets are resolved from Bitwarden at deploy time; none are committed.
# NOTE(review): the cookie secret comes from a generic "cookie-secret" item,
# while the client id/secret are scoped to nimbus/elastic-hq. If that item is
# shared with other oauth proxies, compromising any one of them would allow
# forging session cookies for all of them (presumably this is the cookie
# signing/encryption key) — confirm it is per-service, and rotate it if not.
oauth_cookie_secret: '{{ lookup("bitwarden", "cookie-secret", field="secret") }}'
oauth_id: '{{ lookup("bitwarden", "nimbus/elastic-hq/oauth", field="client-id") }}'
oauth_secret: '{{ lookup("bitwarden", "nimbus/elastic-hq/oauth", field="secret") }}'

# Open Ports
#
# Entries without an explicit chain land in the default chain ('VPN'), i.e.
# they are reachable only over the WireGuard VPN and only from the named ipset.
# 80/443 go to the SERVICES chain and are presumably exposed more widely, so
# that Cloudflare can reach the nginx proxy defined below.
open_ports_default_comment: 'ElasticSearch'
open_ports_default_chain: 'VPN'
open_ports_list:
  - { port: 80, protocol: 'tcp', chain: 'SERVICES' }
  - { port: 443, protocol: 'tcp', chain: 'SERVICES' }
  # ES REST API, judging by the ipset names: log shippers, dashboards and the
  # HQ log aggregator. With X-Pack security at the 7.x default (disabled),
  # these ipsets are the only control between those hosts and an
  # unauthenticated API — keep them tight.
  - { port: '{{ es_api_port }}', ipset: 'logs.nimbus' }
  - { port: '{{ es_api_port }}', ipset: 'dash.nimbus' }
  - { port: '{{ es_api_port }}', ipset: 'log-aggr.hq' }
  # ES transport (node-to-node) port.
  - { port: '{{ es_node_port }}', ipset: 'logs.nimbus' }
  - { port: '{{ es_node_port }}', ipset: 'dash.nimbus' }
  # Metrics scrape port; es_metrics_cont_port is defined outside this file
  # (role default, presumably).
  - { port: '{{ es_metrics_cont_port }}', ipset: 'metrics.hq' }

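# Proxy for ES HQ
#
# nginx terminates TLS with the Cloudflare origin certificate and hands
# requests to the oauth proxy on localhost, which in turn fronts ES HQ.
nginx_sites:
  # Plain HTTP: redirect everything to HTTPS. This must be the only server
  # listening on 80 for this name so the redirect is deterministic.
  elasticsearch_hq_http:
    - listen 80
    - server_name {{ oauth_domain }}
    - return 302 https://$server_name$request_uri
  # HTTPS only. An additional 'listen 80' here would conflict with
  # elasticsearch_hq_http (same server_name on the same port: nginx keeps
  # whichever server comes first and logs a "conflicting server name"
  # warning), and if this server won, oauth session cookies would be proxied
  # over plaintext, bypassing the redirect above.
  elasticsearch_hq_https:
    - listen 443 ssl
    - server_name {{ oauth_domain }}
    - ssl_certificate /certs/status.im/origin.crt
    - ssl_certificate_key /certs/status.im/origin.key
    # Forward the client address and scheme so the oauth proxy can log real
    # client IPs and (if configured to honour X-Forwarded-Proto) build https://
    # redirect URLs rather than trusting the plaintext localhost hop. Behind
    # Cloudflare $remote_addr is the edge IP; use CF-Connecting-IP / the
    # realip module if the true client address is needed.
    - location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:{{ oauth_local_port }}/;
      }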