
casa 08/04/23

pulitux 2 jaren geleden
bovenliggende
commit
73b19854f2
98 gewijzigde bestanden met toevoegingen van 3093 en 0 verwijderingen
  1. 0 0
      compreview-sharing/ansible.cfg
  2. 63 0
      compreview-sharing/initiator.yml
  3. 8 0
      compreview-sharing/inventory
  4. 22 0
      compreview-sharing/nfs_client.yml
  5. 52 0
      compreview-sharing/nfs_server.yml
  6. 18 0
      compreview-sharing/printer-accept.yml
  7. 40 0
      compreview-sharing/printer-create.yml
  8. 19 0
      compreview-sharing/printer-reject.yml
  9. 49 0
      compreview-sharing/smb_client.yml
  10. 100 0
      compreview-sharing/smb_server.yml
  11. 12 0
      compreview-sharing/smb_vars.yml
  12. 56 0
      compreview-sharing/solution/initiator.yml
  13. 34 0
      compreview-sharing/solution/initiator_cleanup.yml
  14. 20 0
      compreview-sharing/solution/nfs_client.yml
  15. 48 0
      compreview-sharing/solution/nfs_server.yml
  16. 17 0
      compreview-sharing/solution/printer-accept.yml
  17. 39 0
      compreview-sharing/solution/printer-create.yml
  18. 17 0
      compreview-sharing/solution/printer-reject.yml
  19. 9 0
      compreview-sharing/solution/smb.conf.j2
  20. 41 0
      compreview-sharing/solution/smb_client.yml
  21. 78 0
      compreview-sharing/solution/smb_server.yml
  22. 40 0
      compreview-sharing/solution/target.yml
  23. 40 0
      compreview-sharing/target.yml
  24. 0 0
      compreview-sharing/templates/initiatorname.iscsi.j2
  25. 37 0
      compreview-sharing/templates/smb.conf.j2
  26. 9 0
      cr-network/ansible.cfg
  27. 79 0
      cr-network/config-bind.yml
  28. 56 0
      cr-network/config-dhcp.yml
  29. 8 0
      cr-network/config-network.yml
  30. 39 0
      cr-network/config-unbound.yml
  31. 30 0
      cr-network/files/bind/named.conf
  32. 17 0
      cr-network/files/bind/named.pvt.conf
  33. 15 0
      cr-network/files/dhcp/dhcpd.conf
  34. 15 0
      cr-network/files/dhcp/dhcpd6.conf
  35. 148 0
      cr-network/files/unbound/unbound.conf
  36. 13 0
      cr-network/files/zones/192.168.62.zone
  37. 13 0
      cr-network/files/zones/fc62.5265.6448.6174.zone
  38. 15 0
      cr-network/files/zones/pvt.example.com.zone
  39. 28 0
      cr-network/host_vars/servera.lab.example.com
  40. 28 0
      cr-network/host_vars/serverb.lab.example.com
  41. 11 0
      cr-network/host_vars/serverc.lab.example.com
  42. 14 0
      cr-network/inventory
  43. 9 0
      cr-services/ansible.cfg
  44. 23 0
      cr-services/cacert.pem
  45. 47 0
      cr-services/deploy_content.yml
  46. 56 0
      cr-services/deploy_haproxy.yml
  47. 13 0
      cr-services/deploy_smtp.yml
  48. 55 0
      cr-services/deploy_varnish.yml
  49. 23 0
      cr-services/files/cacert.pem
  50. 40 0
      cr-services/files/default.vcl
  51. 23 0
      cr-services/files/example-ca.crt
  52. 90 0
      cr-services/files/haproxy.cfg
  53. 105 0
      cr-services/files/mariadb/legacy-database.sql
  54. 3 0
      cr-services/files/mariadb/my.cnf
  55. 82 0
      cr-services/files/servera.lab.example.com.crt
  56. 28 0
      cr-services/files/servera.lab.example.com.key
  57. 82 0
      cr-services/files/serverc.lab.example.com.crt
  58. 28 0
      cr-services/files/serverc.lab.example.com.key
  59. 24 0
      cr-services/inventory
  60. 43 0
      cr-services/nginx.yml
  61. 11 0
      cr-services/site.yml
  62. 15 0
      cr-services/templates/nginx.conf.j2
  63. 9 0
      cr-services/templates/sample-index.html.j2
  64. 3 0
      iscsi-automation.03-06-09_15_49/ansible.cfg
  65. 0 0
      iscsi-automation.03-06-09_15_49/cleanup.yml
  66. 0 0
      iscsi-automation.03-06-09_15_49/inventory
  67. 0 0
      iscsi-automation.03-06-09_15_49/playbook.yml
  68. 0 0
      iscsi-automation.03-06-09_15_49/solution/playbook.yml
  69. 1 0
      iscsi-automation.03-06-09_15_49/templates/initiatorname.iscsi.j2
  70. 0 0
      iscsi-automation.03-06-09_15_49/unmount.yml
  71. 3 0
      optimizeweb-automation/ansible.cfg
  72. 23 0
      optimizeweb-automation/cacert.pem
  73. 33 0
      optimizeweb-automation/deploy_apache.yml
  74. 57 0
      optimizeweb-automation/deploy_haproxy.yml
  75. 47 0
      optimizeweb-automation/deploy_varnish.yml
  76. 11 0
      optimizeweb-automation/deploy_webcontent.yml
  77. 72 0
      optimizeweb-automation/files/haproxy.cfg
  78. 3 0
      optimizeweb-automation/files/port.conf
  79. 82 0
      optimizeweb-automation/files/servera.lab.example.com.crt
  80. 28 0
      optimizeweb-automation/files/servera.lab.example.com.key
  81. 6 0
      optimizeweb-automation/inventory
  82. 1 0
      optimizeweb-automation/new_web_content/serverc.lab.example.com/index.html
  83. 1 0
      optimizeweb-automation/new_web_content/serverd.lab.example.com/index.html
  84. 18 0
      optimizeweb-automation/reset_webcontent.yml
  85. 7 0
      optimizeweb-automation/run_curl_in_a_loop.sh
  86. 12 0
      optimizeweb-automation/site.yml
  87. 44 0
      optimizeweb-automation/solution/update_webcontent.yml
  88. 44 0
      optimizeweb-automation/update_webcontent.yml
  89. 3 0
      optimizeweb-review/ansible.cfg
  90. 23 0
      optimizeweb-review/cacert.pem
  91. 56 0
      optimizeweb-review/deploy_haproxy.yml
  92. 55 0
      optimizeweb-review/deploy_varnish.yml
  93. 40 0
      optimizeweb-review/files/default.vcl
  94. 90 0
      optimizeweb-review/files/haproxy.cfg
  95. 82 0
      optimizeweb-review/files/servera.lab.example.com.crt
  96. 28 0
      optimizeweb-review/files/servera.lab.example.com.key
  97. 8 0
      optimizeweb-review/inventory
  98. 6 0
      optimizeweb-review/site.yml

+ 0 - 0
iscsi-automation.03-06-09:15:49/ansible.cfg → compreview-sharing/ansible.cfg


+ 63 - 0
compreview-sharing/initiator.yml

@@ -0,0 +1,63 @@
+---
+- name: Ensure /data_prod is mounted from serverc iSCSI target
+  hosts: initiators
+  become: true
+
+  tasks:
+    - name: the iSCSI initiator software is installed
+      yum:
+        name: #FIXME: install the required package
+        state: present
+
+    - name: the IQN is set for the initiator
+      copy:
+        #FIXME: set the initiator IQN to iqn.2014-06.com.example:servera
+        dest: #FIXME#
+        content: "#FIXME#=iqn.2014-06.com.example:{{ ansible_facts['hostname'] }}\n"
+        mode: '644'
+        owner: root
+        group: root
+      notify: restart iscsid
+
+    # Forces the handler to run so that the iscsid service is restarted
+    # and is aware of the new initiator IQN
+    - meta: flush_handlers
+
+    - name: the iSCSI target is discovered and available
+      open_iscsi:
+        #FIXME: discover and log into the target.
+        #       Target IQN: iqn.2014-06.com.example:rack1
+        #       Portal: 172.25.250.12 (port 3260)
+        portal: #FIXME#
+        port: #FIXME#
+        target: #FIXME#
+        discover: yes
+        login: yes
+      register: target
+
+    - name: display the discovered devices
+      debug:
+        msg: The new device is {{ target['devicenodes'][0] }}
+
+    - name: the new device is formatted and mounted under /data_prod
+      include_role:
+        name: rhel-system-roles.storage
+      vars:
+        #FIXME: mount target['devicenodes'][0] into /data_prod
+        #       If the device is not yet formatted in ext4, format it.
+        #       Use the proper mount option for an iSCSI disk.
+        storage_volumes:
+          - name: devdata
+            state: present
+            type: disk
+            disks:
+              - "{{ target['devicenodes'][0] }}"
+            mount_point: #FIXME#
+            fs_type: #FIXME#
+            mount_options: #FIXME#
+
+  handlers:
+    - name: restart iscsid
+      service:
+        name: iscsid
+        state: restarted
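Review bot: The storage role receives `target['devicenodes'][0]` as the disk to format and mount, with no check on what the iSCSI login returned; the same applies to compreview-sharing/solution/initiator.yml. If the list is empty the play fails on the index, and if the target exposes more than one LUN the first entry may not be the intended device. An `assert` task before the role with `that: target['devicenodes'] | length == 1` would make the precondition explicit before anything is formatted.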

+ 8 - 0
compreview-sharing/inventory

@@ -0,0 +1,8 @@
+[servers]
+serverc.lab.example.com
+
+[clients]
+servera.lab.example.com
+
+[initiators]
+servera.lab.example.com

+ 22 - 0
compreview-sharing/nfs_client.yml

@@ -0,0 +1,22 @@
+---
+- name: Access an NFS share
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    shared_dir: /srv/operators
+    mount_point: /operators_data
+
+  tasks:
+    - name: the package for NFS client is installed
+      yum:
+        name: #FIXME: install the required package for an NFS client
+        state: present
+
+    - name: the NFS share is mounted and in /etc/fstab
+      mount:
+        #FIXME: persistently mount {{ shared_dir }} from serverc.lab.example.com
+        #       into the {{ mount_point }} directory
+        path: #FIXME#
+        src: #FIXME#
+        state: mounted
+        fstype: #FIXME#

+ 52 - 0
compreview-sharing/nfs_server.yml

@@ -0,0 +1,52 @@
+---
+- name: Share a directory with NFS
+  hosts: serverc.lab.example.com
+  become: true
+  vars:
+    shared_dir: /srv/operators
+
+  tasks:
+    - name: the package for NFS server is installed
+      yum:
+        name: #FIXME: install the required package for an NFS server
+        state: present
+
+    - name: the directory exists
+      file:
+        path: "{{ shared_dir }}"
+        owner: root
+        group: operators
+        mode: '2770'
+        state: directory
+
+    - name: the directory is shared
+      copy:
+        #FIXME: declare the {{ shared_dir }} directory as an NFS share.
+        #       Only servera.lab.example.com must be able to access the share.
+        #       servera has read/write access to the share.
+        #       The root user on servera must have no access to the share.
+        content: "{{ shared_dir }} #FIXME#(#FIXME#)\n"
+        dest: /etc/exports.d/share.exports
+        owner: root
+        group: root
+        mode: '0644'
+      notify: reload exports
+
+    - name: NFS is started and enabled
+      service:
+        name: #FIXME: the NFS server service must be started and enabled
+        state: started
+        enabled: yes
+
+    - name: the firewall is opened for NFS
+      firewalld:
+        service: #FIXME: configure the firewall to allow NFS traffic
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload exports
+      service:
+        name: #FIXME: the NFS server service must be reloaded
+        state: reloaded

+ 18 - 0
compreview-sharing/printer-accept.yml

@@ -0,0 +1,18 @@
+---
+- name: Accept print jobs
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    queue_name: "office-printer"
+
+  tasks:
+    - name: check if print queue already exists
+      command: lpstat -p "{{ queue_name }}"
+      register: cmdout
+      ignore_errors: true
+      changed_when: false
+
+    - name: print jobs are accepted
+      #FIXME: accept jobs for the {{ queue_name}} queue
+      command: #FIXME#
+      when: cmdout.rc == 0
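Review bot: `ignore_errors: true` on the `lpstat -p` probe treats every non-zero exit as "the queue does not exist". If the probe fails for another reason (presumably also when the CUPS scheduler is unreachable), the accept task is skipped and the play still ends without a failure. The same probe is repeated in printer-create.yml, printer-reject.yml and the solution/ copies. `failed_when: false` would keep ignored failures out of the output, and a closing `assert` on `cmdout.rc == 0` would stop this play from reporting success when it did not change the queue state.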

+ 40 - 0
compreview-sharing/printer-create.yml

@@ -0,0 +1,40 @@
+---
+- name: Install CUPS and create a print queue
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    queue_name: "office-printer"
+    device_uri: "ipp://serverc.lab.example.com:631/printers/rht-printer"
+
+  tasks:
+    - name: the package for creating print queues is installed
+      yum:
+        name: #FIXME#
+        state: present
+
+    - name: the printing service is running and enabled
+      service:
+        name: #FIXME#
+        state: started
+        enabled: yes
+
+    - name: check if print queue already exists
+      command: lpstat -p "{{ queue_name }}"
+      register: cmdout
+      ignore_errors: true
+      changed_when: false
+
+    - name: the print queue exists
+      #FIXME: declare the {{ queue_name}} queue with {{ device_uri }} for the
+      #       IPP Everywhere printer. Enable the printer.
+      command: #FIXME#
+      when: cmdout.rc != 0
+
+    - name: check default printer
+      command: lpstat -d
+      register: curr_dest
+      changed_when: false
+
+    - name: the new print queue is the default queue
+      command: #FIXME: define the {{ queue_name }} queue as the default printer
+      when: curr_dest['stdout'] | regex_replace('^(.*):.') != queue_name

+ 19 - 0
compreview-sharing/printer-reject.yml

@@ -0,0 +1,19 @@
+---
+- name: Reject print jobs
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    queue_name: "office-printer"
+
+  tasks:
+    - name: check if print queue already exists
+      command: lpstat -p "{{ queue_name }}"
+      register: cmdout
+      ignore_errors: true
+      changed_when: false
+
+    - name: print jobs are rejected
+      #FIXME: reject jobs for the {{ queue_name}} queue with the
+      #       message: Printer on Fire
+      command: #FIXME#
+      when: cmdout.rc == 0

+ 49 - 0
compreview-sharing/smb_client.yml

@@ -0,0 +1,49 @@
+---
+- name: Access an SMB share
+  hosts: servera.lab.example.com
+  become: true
+  vars_files:
+   - smb_vars.yml
+
+  tasks:
+    - name: the package to mount SMB shares is installed
+      yum:
+        name: #FIXME: install the required package to mount SMB shares
+        state: present
+
+    - name: the Linux group for Samba users exists
+      group:
+        name: "{{ allowed_group }}"
+
+    - name: the Linux user for Samba exists
+      user:
+        name: "{{ samba_user }}"
+        password: "{{ samba_user_password | password_hash('sha512', 'secretsalt') }}"
+        groups:
+          - "{{ allowed_group }}"
+
+    - name: the credential file exists
+      copy:
+        #FIXME: create the /etc/samba/creds.txt credential file for the
+        #       multiuser mount option.
+        #       Use the sambamount user account with redhat for
+        #       the password.
+        content: "#FIXME#={{ samba_usermount }}\n                  #FIXME#={{ samba_passmount }}\n"
+        dest: #FIXME#
+        owner: root
+        group: root
+        mode: '0600'
+      no_log: true
+
+    - name: the SMB share is mounted
+      mount:
+        #FIXME: persistently mount the managerdata SMB share from
+        #       serverc.lab.example.com into the /managers_reports
+        #       directory.
+        #       Use the credential file, the multiuser option, and activate
+        #       traffic encryption.
+        path: #FIXME#
+        src: #FIXME#
+        opts: #FIXME#
+        state: mounted
+        fstype: #FIXME#
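Review bot: `password_hash('sha512', 'secretsalt')` in the user task uses one hard-coded salt for every account and host, so identical passwords give identical hashes in /etc/shadow and the salt is public in the repository. The same line appears in smb_server.yml and in both solution/ playbooks. If the fixed salt is there only for idempotence, a per-host value keeps that property: `password_hash('sha512', 65534 | random(seed=inventory_hostname) | string)`. The user task also lacks the `no_log: true` that the credential-file task below it already sets.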

+ 100 - 0
compreview-sharing/smb_server.yml

@@ -0,0 +1,100 @@
+---
+- name: Share a directory with SMB
+  hosts: serverc.lab.example.com
+  become: true
+  vars_files:
+    - smb_vars.yml
+
+  tasks:
+    - name: the package for a Samba server is installed
+      yum:
+        name: #FIXME: install the required package for a Samba server
+        state: present
+
+    - name: the Linux group for Samba users exists
+      group:
+        name: "{{ allowed_group }}"
+
+    - name: the Linux user for Samba exists
+      user:
+        name: "{{ samba_user }}"
+        password: "{{ samba_user_password | password_hash('sha512', 'secretsalt') }}"
+        groups:
+          - "{{ allowed_group }}"
+
+    - name: the Linux user is in Samba database
+      command: smbpasswd -s -a {{ samba_user }}
+      args:
+        stdin: "{{ samba_user_password }}\n{{ samba_user_password }}"
+
+    - name: the Linux user for Samba mount exists
+      user:
+        name: "{{ samba_usermount }}"
+        shell: /sbin/nologin
+        create_home: no
+        system: yes
+
+    - name: the Samba user for Samba mount exists
+      command: smbpasswd -s -a {{ samba_usermount }}
+      args:
+        stdin: "{{ samba_passmount }}\n{{ samba_passmount }}"
+
+    - name: the directory exists
+      file:
+        #FIXME: create the /srv/managers directory as follows:
+        #             Directory ownership: sambamount
+        #       Directory group ownership: managers
+        #                    Owner access: read
+        #                    Group access: read/write
+        #              Other users access: none
+        #       All contents created in the directory must automatically
+        #       belong to the managers group.
+        #       Set the correct SELinux context type.
+        path: #FIXME#
+        owner: #FIXME#
+        group: #FIXME#
+        mode: #FIXME#
+        state: directory
+        setype: #FIXME#
+
+
+    - name: the directory is shared
+      template:
+        #FIXME: edit templates/smb.conf.j2 to declare the /srv/managers
+        #       directory as an SMB share as follows:
+        #                          Work group: MANAGERGROUP
+        #        SMB minimum protocol version: 3
+        #                  Traffic encryption: Always required
+        #                          Share name: managerdata
+        #                   Access allowed to: sambamount and the
+        #                                      members of the managers group
+        #                   Read/write access: Members of the managers group
+        #       For your convenience, the default Samba configuration file is
+        #       available under the templates/ directory but must be updated
+        #       according to the preceding requirements.
+        src: templates/smb.conf.j2
+        dest: /etc/samba/smb.conf
+        owner: root
+        group: root
+        mode: '0644'
+        setype: samba_etc_t
+      notify: reload smb
+
+    - name: the SMB service is started and enabled
+      service:
+        name: #FIXME: the service must be started and enabled
+        state: started
+        enabled: yes
+
+    - name: the firewall is opened for SMB
+      firewalld:
+        service: #FIXME: configure the firewall to allow SMB traffic
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload smb
+      service:
+        name: #FIXME: the service must be reloaded
+        state: reloaded
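Review bot: Both `smbpasswd -s -a` tasks pass the account password through `stdin` without `no_log: true`, so the rendered module arguments, password included, can appear in verbose output and callback logs. solution/smb_server.yml has the same two tasks. Adding `no_log: true` to each would close that. They also report "changed" on every run because nothing checks whether the Samba account already exists, so an existence check or an explicit `changed_when` would make the play idempotent.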

+ 12 - 0
compreview-sharing/smb_vars.yml

@@ -0,0 +1,12 @@
+---
+shared_dir: /srv/managers
+share_name: managerdata
+mount_point: /managers_reports
+
+# User account for mounting the share
+samba_usermount: sambamount
+samba_passmount: redhat
+
+allowed_group: managers
+samba_user: manager1
+samba_user_password: redhat
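Review bot: `samba_passmount` and `samba_user_password` are committed in clear text. Even for a lab, encrypting this file with `ansible-vault` and loading it through `vars_files`, as the playbooks already do, avoids teaching the habit of keeping secrets in version control. Quoting the two values (`samba_passmount: 'redhat'`) would also stop a later all-digit or boolean-looking password from being retyped by the YAML parser.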

+ 56 - 0
compreview-sharing/solution/initiator.yml

@@ -0,0 +1,56 @@
+---
+- name: Ensure /data_prod is mounted from serverc iSCSI target
+  hosts: initiators
+  become: true
+
+  tasks:
+    - name: the iSCSI initiator software is installed
+      yum:
+        name: iscsi-initiator-utils
+        state: present
+
+    - name: the IQN is set for the initiator
+      copy:
+        dest: /etc/iscsi/initiatorname.iscsi
+        content: "InitiatorName=iqn.2014-06.com.example:{{ ansible_facts['hostname'] }}\n"
+        mode: '644'
+        owner: root
+        group: root
+      notify: restart iscsid
+
+    # Forces the handler to run so that the iscsid service is restarted
+    # and is aware of the new initiator IQN
+    - meta: flush_handlers
+
+    - name: the iSCSI target is discovered and available
+      open_iscsi:
+        portal: 172.25.250.12
+        port: '3260'
+        target: iqn.2014-06.com.example:rack1
+        discover: yes
+        login: yes
+      register: target
+
+    - name: display the discovered devices
+      debug:
+        msg: The new device is {{ target['devicenodes'][0] }}
+
+    - name: the new device is formatted and mounted under /data_prod
+      include_role:
+        name: rhel-system-roles.storage
+      vars:
+        storage_volumes:
+          - name: devdata
+            state: present
+            type: disk
+            disks:
+              - "{{ target['devicenodes'][0] }}"
+            mount_point: /data_prod
+            fs_type: ext4
+            mount_options: '_netdev'
+
+  handlers:
+    - name: restart iscsid
+      service:
+        name: iscsid
+        state: restarted

+ 34 - 0
compreview-sharing/solution/initiator_cleanup.yml

@@ -0,0 +1,34 @@
+---
+- name: Ensure /data_prod is not mounted
+  hosts: initiators
+  become: true
+
+  tasks:
+    - name: the /data_prod file system is unmounted
+      mount:
+        path: /data_prod
+        state: absent
+
+    - name: the iSCSI target is disconnected
+      open_iscsi:
+        portal: 172.25.250.12
+        port: '3260'
+        target: iqn.2014-06.com.example:rack1
+        discover: no
+        login: no
+        auto_node_startup: no
+      ignore_errors: yes
+
+    - name: the iscsi-initiator-utils package is not installed
+      yum:
+        name: iscsi-initiator-utils
+        state: absent
+
+    - name: the iSCSI configuration files are not present
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /etc/iscsi
+        - /var/lib/iscsi
+        - /var/lock/iscsi

+ 20 - 0
compreview-sharing/solution/nfs_client.yml

@@ -0,0 +1,20 @@
+---
+- name: Access an NFS share
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    shared_dir: /srv/operators
+    mount_point: /operators_data
+
+  tasks:
+    - name: the package for NFS client is installed
+      yum:
+        name: nfs-utils
+        state: present
+
+    - name: the NFS share is mounted and in /etc/fstab
+      mount:
+        path: "{{ mount_point }}"
+        src: serverc.lab.example.com:{{ shared_dir }}
+        state: mounted
+        fstype: nfs

+ 48 - 0
compreview-sharing/solution/nfs_server.yml

@@ -0,0 +1,48 @@
+---
+- name: Share a directory with NFS
+  hosts: serverc.lab.example.com
+  become: true
+  vars:
+    shared_dir: /srv/operators
+
+  tasks:
+    - name: the package for NFS server is installed
+      yum:
+        name: nfs-utils
+        state: present
+
+    - name: the directory exists
+      file:
+        path: "{{ shared_dir }}"
+        owner: root
+        group: operators
+        mode: '2770'
+        state: directory
+
+    - name: the directory is shared
+      copy:
+        content: "{{ shared_dir }} servera.lab.example.com(rw)\n"
+        dest: /etc/exports.d/share.exports
+        owner: root
+        group: root
+        mode: '0644'
+      notify: reload exports
+
+    - name: NFS is started and enabled
+      service:
+        name: nfs-server
+        state: started
+        enabled: yes
+
+    - name: the firewall is opened for NFS
+      firewalld:
+        service: nfs
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload exports
+      service:
+        name: nfs-server
+        state: reloaded
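Review bot: The export line `servera.lab.example.com(rw)` meets the exercise requirement that root on servera has no access only through the implicit `root_squash` default. Writing it out as `content: "{{ shared_dir }} servera.lab.example.com(rw,root_squash)\n"` documents the intent and keeps it visible to anyone who later edits the options. The directory task sets `group: operators`, but nothing in this play creates that group, so it presumably has to exist on serverc beforehand.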

+ 17 - 0
compreview-sharing/solution/printer-accept.yml

@@ -0,0 +1,17 @@
+---
+- name: Accept print jobs
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    queue_name: "office-printer"
+
+  tasks:
+    - name: check if print queue already exists
+      command: lpstat -p "{{ queue_name }}"
+      register: cmdout
+      ignore_errors: true
+      changed_when: false
+
+    - name: print jobs are accepted
+      command: cupsaccept "{{ queue_name }}"
+      when: cmdout.rc == 0

+ 39 - 0
compreview-sharing/solution/printer-create.yml

@@ -0,0 +1,39 @@
+---
+- name: Install CUPS and create a print queue
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    queue_name: "office-printer"
+    device_uri: "ipp://serverc.lab.example.com:631/printers/rht-printer"
+
+  tasks:
+    - name: the package for creating print queues is installed
+      yum:
+        name: cups
+        state: present
+
+    - name: the printing service is running and enabled
+      service:
+        name: cups
+        state: started
+        enabled: yes
+
+    - name: check if print queue already exists
+      command: lpstat -p "{{ queue_name }}"
+      register: cmdout
+      ignore_errors: true
+      changed_when: false
+
+    - name: the print queue exists
+      command: lpadmin -p "{{ queue_name }}" -v "{{ device_uri }}"
+                       -m everywhere -E
+      when: cmdout.rc != 0
+
+    - name: check default printer
+      command: lpstat -d
+      register: curr_dest
+      changed_when: false
+
+    - name: the new print queue is the default queue
+      command: lpadmin -d "{{ queue_name }}"
+      when: curr_dest['stdout'] | regex_replace('^(.*):.') != queue_name

+ 17 - 0
compreview-sharing/solution/printer-reject.yml

@@ -0,0 +1,17 @@
+---
+- name: Reject print jobs
+  hosts: servera.lab.example.com
+  become: true
+  vars:
+    queue_name: "office-printer"
+
+  tasks:
+    - name: check if print queue already exists
+      command: lpstat -p "{{ queue_name }}"
+      register: cmdout
+      ignore_errors: true
+      changed_when: false
+
+    - name: print jobs are rejected
+      command: cupsreject -r "Printer on Fire" "{{ queue_name }}"
+      when: cmdout.rc == 0

+ 9 - 0
compreview-sharing/solution/smb.conf.j2

@@ -0,0 +1,9 @@
+[global]
+        workgroup = MANAGERGROUP
+        server min protocol = SMB3
+        smb encrypt = required
+
+[{{ share_name }}]
+        path = {{ shared_dir }}
+        valid users = {{ samba_usermount }}, @{{ allowed_group }}
+        write list = @{{ allowed_group }}

+ 41 - 0
compreview-sharing/solution/smb_client.yml

@@ -0,0 +1,41 @@
+---
+- name: Access an SMB share
+  hosts: servera.lab.example.com
+  become: true
+  vars_files:
+   - smb_vars.yml
+
+  tasks:
+    - name: the package to mount SMB shares is installed
+      yum:
+        name: cifs-utils
+        state: present
+
+    - name: the Linux group for Samba users exists
+      group:
+        name: "{{ allowed_group }}"
+
+    - name: the Linux user for Samba exists
+      user:
+        name: "{{ samba_user }}"
+        password: "{{ samba_user_password | password_hash('sha512', 'secretsalt') }}"
+        groups:
+          - "{{ allowed_group }}"
+
+    - name: the credential file exists
+      copy:
+        content: "username={{ samba_usermount }}\n\
+                  password={{ samba_passmount }}\n"
+        dest: /etc/samba/creds.txt
+        owner: root
+        group: root
+        mode: '0600'
+      no_log: true
+
+    - name: the SMB share is mounted
+      mount:
+        path: "{{ mount_point }}"
+        src: "//serverc.lab.example.com/{{ share_name }}"
+        opts: "credentials=/etc/samba/creds.txt,multiuser,seal"
+        state: mounted
+        fstype: cifs

+ 78 - 0
compreview-sharing/solution/smb_server.yml

@@ -0,0 +1,78 @@
+---
+- name: Share a directory with SMB
+  hosts: serverc.lab.example.com
+  become: true
+  vars_files:
+    - smb_vars.yml
+
+  tasks:
+    - name: the package for a Samba server is installed
+      yum:
+        name: samba
+        state: present
+
+    - name: the Linux group for Samba users exists
+      group:
+        name: "{{ allowed_group }}"
+
+    - name: the Linux user for Samba exists
+      user:
+        name: "{{ samba_user }}"
+        password: "{{ samba_user_password | password_hash('sha512', 'secretsalt') }}"
+        groups:
+          - "{{ allowed_group }}"
+
+    - name: the Linux user is in Samba database
+      command: smbpasswd -s -a {{ samba_user }}
+      args:
+        stdin: "{{ samba_user_password }}\n{{ samba_user_password }}"
+
+    - name: the Linux user for Samba mount exists
+      user:
+        name: "{{ samba_usermount }}"
+        shell: /sbin/nologin
+        create_home: no
+        system: yes
+
+    - name: the Samba user for Samba mount exists
+      command: smbpasswd -s -a {{ samba_usermount }}
+      args:
+        stdin: "{{ samba_passmount }}\n{{ samba_passmount }}"
+
+    - name: the directory exists
+      file:
+        path: "{{ shared_dir }}"
+        owner: "{{ samba_usermount }}"
+        group: "{{ allowed_group }}"
+        mode: '2570'
+        state: directory
+        setype: samba_share_t
+
+    - name: the directory is shared
+      template:
+        src: templates/smb.conf.j2
+        dest: /etc/samba/smb.conf
+        owner: root
+        group: root
+        mode: '0644'
+        setype: samba_etc_t
+      notify: reload smb
+
+    - name: the SMB service is started and enabled
+      service:
+        name: smb
+        state: started
+        enabled: yes
+
+    - name: the firewall is opened for SMB
+      firewalld:
+        service: samba
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload smb
+      service:
+        name: smb
+        state: reloaded

+ 40 - 0
compreview-sharing/solution/target.yml

@@ -0,0 +1,40 @@
+---
+- name: Ensure the iSCSI target is prepared
+  hosts: serverc.lab.example.com
+  become: true
+
+  tasks:
+    - name: the target command line tool is installed
+      yum:
+        name: targetcli
+        state: present
+
+    - name: the target service is started and enabled
+      service:
+        name: target
+        state: started
+        enabled: yes
+
+    - name: the firewall is opened for iSCSI
+      firewalld:
+        service: iscsi-target
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+    - name: check if the target already exists
+      command: targetcli ls /iscsi/iqn.2014-06.com.example:rack1
+      register: cmdout
+      ignore_errors: true
+      changed_when: false
+
+    - name: the iSCSI target is prepared
+      shell: |
+        targetcli /backstores/block create rack1.disk1 /dev/vdb1
+        targetcli /iscsi create iqn.2014-06.com.example:rack1
+        targetcli /iscsi/iqn.2014-06.com.example:rack1/tpg1/acls create iqn.2014-06.com.example:servera
+        targetcli /iscsi/iqn.2014-06.com.example:rack1/tpg1/luns create /backstores/block/rack1.disk1
+        targetcli /iscsi/iqn.2014-06.com.example:rack1/tpg1/portals delete 0.0.0.0 3260
+        targetcli /iscsi/iqn.2014-06.com.example:rack1/tpg1/portals create 172.25.250.12 3260
+        targetcli saveconfig
+      when: cmdout.rc != 0
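Review bot: The multi-line `shell` block runs seven `targetcli` commands without `set -e`, so the task result reflects only the final `targetcli saveconfig`. A failure in the ACL, LUN or portal step leaves a half-built target that still gets saved, and the next run skips the block because `targetcli ls` then succeeds. Starting the script with `set -e` makes the first failing command fail the task. The ACL also admits the initiator by IQN alone, a value the initiator sets itself, and no CHAP credentials are configured in this hunk, so access control appears to rest on network placement. compreview-sharing/target.yml carries the same block.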

+ 40 - 0
compreview-sharing/target.yml

@@ -0,0 +1,40 @@
+---
+- name: Ensure the iSCSI target is prepared
+  hosts: serverc.lab.example.com
+  become: true
+
+  tasks:
+    - name: the target command line tool is installed
+      yum:
+        name: #FIXME: install the required package
+        state: present
+
+    - name: the target service is started and enabled
+      service:
+        name: #FIXME: start and enable the service
+        state: started
+        enabled: yes
+
+    - name: the firewall is opened for iSCSI
+      firewalld:
+        service: #FIXME: enable the firewalld service for an iSCSI target
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+    - name: check if the target already exists
+      command: targetcli ls /iscsi/iqn.2014-06.com.example:rack1
+      register: cmdout
+      ignore_errors: true
+      changed_when: false
+
+    - name: the iSCSI target is prepared
+      shell: |
+        targetcli /backstores/block create rack1.disk1 /dev/vdb1
+        targetcli /iscsi create iqn.2014-06.com.example:rack1
+        targetcli /iscsi/iqn.2014-06.com.example:rack1/tpg1/acls create iqn.2014-06.com.example:servera
+        targetcli /iscsi/iqn.2014-06.com.example:rack1/tpg1/luns create /backstores/block/rack1.disk1
+        targetcli /iscsi/iqn.2014-06.com.example:rack1/tpg1/portals delete 0.0.0.0 3260
+        targetcli /iscsi/iqn.2014-06.com.example:rack1/tpg1/portals create 172.25.250.12 3260
+        targetcli saveconfig
+      when: cmdout.rc != 0

+ 0 - 0
iscsi-automation.03-06-09:15:49/templates/initiatorname.iscsi.j2 → compreview-sharing/templates/initiatorname.iscsi.j2


+ 37 - 0
compreview-sharing/templates/smb.conf.j2

@@ -0,0 +1,37 @@
+# See smb.conf.example for a more detailed config file or
+# read the smb.conf manpage.
+# Run 'testparm' to verify the config is correct after
+# you modified it.
+
+[global]
+        workgroup = SAMBA
+        security = user
+
+        passdb backend = tdbsam
+
+        printing = cups
+        printcap name = cups
+        load printers = yes
+        cups options = raw
+
+[homes]
+        comment = Home Directories
+        valid users = %S, %D%w%S
+        browseable = No
+        read only = No
+        inherit acls = Yes
+
+[printers]
+        comment = All Printers
+        path = /var/tmp
+        printable = Yes
+        create mask = 0600
+        browseable = No
+
+[print$]
+        comment = Printer Drivers
+        path = /var/lib/samba/drivers
+        write list = @printadmin root
+        force group = @printadmin
+        create mask = 0664
+        directory mask = 0775

+ 9 - 0
cr-network/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+inventory=./inventory
+remote_user=devops
+
+[privilege_escalation]
+become = False
+become_method = sudo
+become_user = root
+become_ask_pass = False

+ 79 - 0
cr-network/config-bind.yml

@@ -0,0 +1,79 @@
+---
+- name: Configure master nameserver
+  hosts:
+# become: yes
+
+  tasks:
+    - name: Install BIND9
+      yum:
+        name:
+        state:
+
+    - name: Copy master config file
+      copy:
+        src:
+        dest:
+        owner:
+        group:
+        mode:
+      notify:
+        - reload_named
+
+    - name: Copy forward zone file to master
+      copy:
+        src:
+        dest:
+        owner:
+        group:
+        mode:
+      notify:
+        - reload_named
+
+    - name: Copy IPv4 reverse zone file to master
+      copy:
+        src:
+        dest:
+        owner:
+        group:
+        mode:
+      notify:
+        - reload_named
+
+    - name: Copy IPv6 reverse zone file to master
+      copy:
+        src:
+        dest:
+        owner:
+        group:
+        mode:
+      notify:
+        - reload_named
+
+    - name: Copy backend config file (for zones)
+      copy:
+        src:
+        dest:
+        owner:
+        group:
+        mode:
+      notify:
+        - reload_named
+
+    - name: Allow dns service on firewall
+      firewalld:
+        service:
+        state:
+        immediate:
+        permanent:
+
+    - name: Ensure named is running and enabled
+      service:
+        name:
+        state:
+        enabled:
+
+  handlers:
+    - name: reload_named
+      service:
+        name:
+        state:
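Review bot: The five `copy` tasks leave `owner`, `group` and `mode` blank, and a bare `mode:` is YAML null, so nothing here pins the permissions of named.conf or the zone files. When the blanks are filled in, write the mode as a quoted string, for example `owner: root`, `group: named`, `mode: '0640'`, so the value does not depend on how the YAML parser reads a leading zero. The named.conf copy would also benefit from `validate: 'named-checkconf %s'`, so a file that does not parse never reaches the `reload_named` handler. With `become` commented out on the play and `become = False` in cr-network/ansible.cfg, the yum, copy and firewalld tasks will presumably fail for the `devops` user until escalation is enabled.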

+ 56 - 0
cr-network/config-dhcp.yml

@@ -0,0 +1,56 @@
+---
+
+- name: Deploy a DHCPv4 and DHCPv6 server
+  hosts:
+# become: true
+
+  roles:
+    -
+
+  tasks:
+    - name: install the dhcp-server package
+      yum:
+        name:
+        state:
+
+    - name: deploy the DHCPv4 configuration file
+      copy:
+        src:
+        dest:
+      notify: reload dhcpd
+
+    - name: deploy the DHCPv6 configuration file
+      copy:
+        src:
+        dest:
+      notify: reload dhcpd6
+
+    - name: start and enable the dhcpd and dhcpd6 services
+      service:
+        name: "{{ item }}"
+        state:
+        enabled:
+      loop:
+        -
+        -
+
+    - name: open the dhcp and dhcpv6 firewall services
+      firewalld:
+        service: "{{ item }}"
+        state:
+        immediate:
+        permanent:
+      loop:
+        -
+        -
+
+  handlers:
+    - name: reload dhcpd
+      service:
+        name:
+        state: restarted
+
+    - name: reload dhcpd6
+      service:
+        name:
+        state: restarted
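Review bot: Neither DHCP `copy` task sets `owner`, `group` or `mode`, nor checks the file before the handler restarts the daemon. Adding `owner: root`, `group: root`, `mode: '0644'` makes the result independent of the control node's file permissions. A `validate: 'dhcpd -t -cf %s'` on the v4 task (`dhcpd -6 -t -cf %s` on the v6 one) keeps a broken config from taking the service down. The handlers are named `reload dhcpd` and `reload dhcpd6` but use `state: restarted`; renaming them to `restart …` would match what they do.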

+ 8 - 0
cr-network/config-network.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Configure network interface
+  hosts:
+  become: true
+
+  roles:
+    -

+ 39 - 0
cr-network/config-unbound.yml

@@ -0,0 +1,39 @@
+---
+- name: Install cache only nameserver
+  hosts:
+# become: yes
+
+  tasks:
+    - name: Install cache only nameserver
+      yum:
+        name:
+        state:
+
+    - name: Create configuration file on caching server host
+      copy:
+        src:
+        dest:
+        owner: root
+        group: root
+        mode: 0644
+      notify:
+        - restart_unbound
+
+    - name: Allow dns service on firewall
+      firewalld:
+        service:
+        state:
+        immediate:
+        permanent:
+
+    - name: Ensure unbound is running and enabled
+      service:
+        name:
+        state:
+        enabled:
+
+  handlers:
+    - name: restart_unbound
+      service:
+        name:
+        state: restarted
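Review bot: `mode: 0644` in the configuration-file task is unquoted, so it reaches Ansible as a number whose value depends on the YAML parser's octal handling. Writing `mode: '0644'` removes that dependency and matches the quoted `mode: '700'` used in cr-services/deploy_haproxy.yml. The same task could carry `validate: 'unbound-checkconf %s'`, so a syntax error is caught before `restart_unbound` runs. As in config-bind.yml, `become` is commented out while ansible.cfg sets `become = False`, so the privileged tasks will presumably fail until it is enabled.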

+ 30 - 0
cr-network/files/bind/named.conf

@@ -0,0 +1,30 @@
+options {
+	listen-on port 53	{ 127.0.0.1; };
+	listen-on-v6 port 53	{ ::1; };
+	directory	"/var/named";
+	dump-file	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	allow-query	{ localhost; };
+
+	recursion yes;
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+
+	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+	include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+	channel default_debug {
+		file "data/named.run";
+		severity dynamic;
+	};
+};
+
+# include "";
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+
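Review bot: `recursion yes;` is only harmless here because `listen-on`, `listen-on-v6` and `allow-query` are still restricted to loopback. config-bind.yml deploys this file to the master nameserver, so once those three are opened to the lab network the server would answer recursive queries for any client that can reach it. For an authoritative-only role set `recursion no;`, or keep recursion and add `allow-recursion { localhost; };`. The `# include "";` placeholder is presumably meant for named.pvt.conf; an absolute path there keeps it consistent with the two `include` lines below it.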

+ 17 - 0
cr-network/files/bind/named.pvt.conf

@@ -0,0 +1,17 @@
+zone "" IN {
+	type ;
+	file ;
+	forwarders {};
+};
+
+zone ".in-addr.arpa" IN {
+	type ;
+	file ;
+	forwarders {};
+};
+
+zone "4.7.1.6.8.4.4.6.5.6.2.5.2.6.C.F.ip6.arpa" IN {
+	type ;
+	file ;
+	forwarders {};
+};
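Review bot: None of the three zone blocks says who may transfer the zone, and on BIND releases where `allow-transfer` defaults to any host the whole private zone can be listed by anyone who can query the server. When `type` is filled in as a primary, add `allow-transfer { none; };` (or the address of the secondary, if one exists) to each zone or once in `options`. The empty `forwarders {};` is the right choice for locally served zones, and a one-line comment saying it disables forwarding for the zone would help the next reader.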

+ 15 - 0
cr-network/files/dhcp/dhcpd.conf

@@ -0,0 +1,15 @@
+authoritative;
+
+subnet 192.168.62.0 netmask 255.255.255.0 {
+  range ;
+  option broadcast-address ;
+  option domain-name-servers ;
+  option domain-search ;
+  default-lease-time 600;
+  max-lease-time 7200;
+}
+
+# host serverc {
+#   hardware ethernet ;
+#   fixed-address ;
+# }

+ 15 - 0
cr-network/files/dhcp/dhcpd6.conf

@@ -0,0 +1,15 @@
+authoritative;
+
+subnet6 fc62:5265:6448:6174::/64 {
+  range6 ;
+  option dhcp6.name-servers ;
+  option dhcp6.domain-search ;
+  default-lease-time 600;
+  max-lease-time 7200;
+}
+
+host serverc {
+  host-identifier option
+    dhcp6.client-id ;
+  fixed-address6 ;
+}

+ 148 - 0
cr-network/files/unbound/unbound.conf

@@ -0,0 +1,148 @@
+server:
+
+	verbosity: 1
+	statistics-interval: 0
+	statistics-cumulative: no
+	extended-statistics: yes
+
+	num-threads: 4
+
+	# Listen only on loopback and pvt.example.com IPv4/IPv6 interfaces.
+	# The default is to listen to localhost (127.0.0.1 and ::1).
+	# The listen interfaces are not changed on reload, only on restart.
+
+	interface: 127.0.0.1
+	interface: ::1
+	interface:
+	interface:
+
+	interface-automatic: no
+
+	outgoing-port-permit: 32768-60999
+	outgoing-port-avoid: 0-32767
+	so-reuseport: yes
+	ip-transparent: yes
+
+	max-udp-size: 3072
+
+	# Control which clients are allowed to make (recursive) queries
+	# to this server. Specify classless netblocks with /size and action.
+	# By default everything is refused, except for localhost.
+
+	access-control: 127.0.0.0/8 allow
+	access-control: ::1 allow
+	access-control:
+	access-control:
+
+	chroot: ""
+	username: "unbound"
+	directory: "/etc/unbound"
+	log-time-ascii: yes
+	pidfile: "/var/run/unbound/unbound.pid"
+
+	harden-glue: yes
+	harden-dnssec-stripped: yes
+	harden-below-nxdomain: yes
+	harden-referral-path: yes
+	qname-minimisation: yes
+	aggressive-nsec: yes
+	unwanted-reply-threshold: 10000000
+
+	prefetch: yes
+	prefetch-key: yes
+	rrset-roundrobin: yes
+	minimal-responses: yes
+
+	module-config: "ipsecmod validator iterator"
+
+	trust-anchor-signaling: yes
+	root-key-sentinel: yes
+	trusted-keys-file: /etc/unbound/keys.d/*.key
+	auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+	# Ignore chain of trust. Domain is treated as insecure.
+
+	domain-insecure:
+	domain-insecure:
+	domain-insecure: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa"
+
+	val-clean-additional: yes
+	val-permissive-mode: no
+	serve-expired: yes
+	val-log-level: 1
+
+	# By default, for a number of zones a small default 'nothing here'
+	# reply is built-in.  Query traffic is thus blocked.  If you
+	# wish to serve such zone you can unblock them by uncommenting one
+	# of the nodefault statements below.
+	# You may also have to use domain-insecure: zone to make DNSSEC work,
+	# unless you have your own trust anchors for this zone.
+	# local-zone: "localhost." nodefault
+	# local-zone: "127.in-addr.arpa." nodefault
+	# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+
+	local-zone:
+	local-zone:
+	local-zone: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa" nodefault
+
+	include: /etc/unbound/local.d/*.conf
+
+	ipsecmod-enabled: no
+	ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
+
+python:
+
+remote-control:
+	control-enable: yes
+	server-key-file: "/etc/unbound/unbound_server.key"
+	server-cert-file: "/etc/unbound/unbound_server.pem"
+	control-key-file: "/etc/unbound/unbound_control.key"
+	control-cert-file: "/etc/unbound/unbound_control.pem"
+
+# Stub and Forward zones
+include: /etc/unbound/conf.d/*.conf
+
+# Stub zones.
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
+# the list is treated as priming hints (default is no).
+# Consider adding domain-insecure: name and local-zone: name nodefault
+# to the server: section if the stub is a locally served zone.
+
+stub-zone:
+	name: ""
+	stub-addr:
+	stub-addr:
+
+stub-zone:
+	name: ""
+	stub-addr:
+	stub-addr:
+
+stub-zone:
+	name: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa"
+	stub-addr: 192.168.62.10
+	stub-addr: fc62:5265:6448:6174::a
+
+# Forward zones
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of servers. These servers have to handle
+# recursion to other nameservers. List zero or more nameservers by hostname
+# or by ipaddress. Use an entry with name "." to forward all queries.
+
+forward-zone:
+	name: ""
+	forward-addr:
+
+auth-zone:
+	name: "."
+	for-downstream: no
+	for-upstream: yes
+	fallback-enabled: yes
+	master: b.root-servers.net
+	master: c.root-servers.net
+	master: e.root-servers.net
+	master: f.root-servers.net
+	master: g.root-servers.net
+	master: k.root-servers.net
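Review bot: The two blank `access-control:` lines decide who may recurse through this resolver, so fill them with the lab prefixes only, e.g. `access-control: 192.168.62.0/24 allow` and `access-control: fc62:5265:6448:6174::/64 allow` (the subnets used by the dhcpd files in this commit). Anything wider turns the host into an open resolver once the extra `interface:` lines are set. `chroot: ""` disables the chroot and `control-enable: yes` keeps the remote-control channel on, so the four key and certificate files under /etc/unbound should stay readable only by root and the unbound user. Each `domain-insecure:` entry switches DNSSEC validation off for that name; keep the list to the private forward and reverse zones.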

+ 13 - 0
cr-network/files/zones/192.168.62.zone

@@ -0,0 +1,13 @@
+$TTL 300
+
+@	IN SOA	servera.pvt.example.com. dnslab.example.com. (
+				2020062000	; serial
+				1H		; refresh
+				5M		; retry
+				1W		; expire
+				1M )		; minimum
+
+; owner		TTL	CL  type	RDATA
+		600	IN  NS		servera.pvt.example.com.
+
+10			IN  PTR		FIXME.pvt.example.com.

+ 13 - 0
cr-network/files/zones/fc62.5265.6448.6174.zone

@@ -0,0 +1,13 @@
+$TTL 300
+
+@	IN SOA	servera.pvt.example.com. dnslab.example.com. (
+				2020062000	; serial
+				1H		; refresh
+				5M		; retry
+				1W		; expire
+				1M )		; minimum
+
+; owner		TTL	CL  type	RDATA
+		600	IN  NS		servera.pvt.example.com.
+
+A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN PTR FIXME.pvt.example.com.

+ 15 - 0
cr-network/files/zones/pvt.example.com.zone

@@ -0,0 +1,15 @@
+$TTL 300
+
+@	IN SOA	servera.pvt.example.com. dnslab.example.com. (
+				2020062000	; serial
+				1H		; refresh
+				5M		; retry
+				1W		; expire
+				1M )		; minimum
+
+; owner		TTL	CL  type	RDATA
+		600	IN  NS		servera
+
+servera			IN  A		FIXME
+
+servera			IN  AAAA	fc62:5265:6448:6174::a

+ 28 - 0
cr-network/host_vars/servera.lab.example.com

@@ -0,0 +1,28 @@
+---
+network_connections:
+
+  # Create the team profile
+  - name:
+    state: up
+    type: team
+    interface_name:
+    ip:
+      dhcp4:
+      auto6:
+      address:
+        -
+        -
+
+  # Attach an ethernet port to the team
+  - name:
+    state: up
+    type: ethernet
+    interface_name:
+    master:
+
+  # Attach an ethernet port to the team
+  - name:
+    state: up
+    type: ethernet
+    interface_name:
+    master:

+ 28 - 0
cr-network/host_vars/serverb.lab.example.com

@@ -0,0 +1,28 @@
+---
+network_connections:
+
+  # Create the team profile
+  - name:
+    state: up
+    type: team
+    interface_name:
+    ip:
+      dhcp4: no
+      auto6: no
+      address:
+        -
+        -
+
+  # Attach an ethernet port to the team
+  - name:
+    state: up
+    type: ethernet
+    interface_name:
+    master:
+
+  # Attach an ethernet port to the team
+  - name:
+    state: up
+    type: ethernet
+    interface_name:
+    master:

+ 11 - 0
cr-network/host_vars/serverc.lab.example.com

@@ -0,0 +1,11 @@
+---
+network_connections:
+
+  # Create the ethernet connection
+  - name:
+    type: ethernet
+    interface_name:
+    state: up
+    ip:
+      dhcp4:
+      auto6:

+ 14 - 0
cr-network/inventory

@@ -0,0 +1,14 @@
+[control_node]
+workstation.lab.example.com
+
+[master_dns]
+servera.lab.example.com
+
+[caching_dns]
+serverb.lab.example.com
+
+[servers]
+servera.lab.example.com
+serverb.lab.example.com
+serverc.lab.example.com
+serverd.lab.example.com

+ 9 - 0
cr-services/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+inventory=inventory
+remote_user=devops
+
+[privilege_escalation]
+become=False
+become_method=sudo
+become_user=root
+become_ask_pass=False

+ 23 - 0
cr-services/cacert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 47 - 0
cr-services/deploy_content.yml

@@ -0,0 +1,47 @@
+- name: Create the document root for each web site
+  file:
+    path: ""
+    state:
+    owner:
+    mode: ''
+  loop: "{{ web_hosts }}"
+
+- name: Deploy the default index.html
+  template:
+    src: "sample-index.html.j2"
+    dest: ""
+  loop: "{{ web_hosts }}"
+
+- name: Assign the SELinux policy for the document roots
+  sefcontext:
+    target: '/srv/www(/.*)?'
+    setype:
+    state: present
+
+- name: Change the SELinux file contexts
+  file:
+    path:
+    state: directory
+    recurse: yes
+    follow: no
+    setype:
+
+- name: Install the TLS certs of the virtual hosts
+  copy:
+    src: "{{ item }}.crt"
+    dest: "/etc/pki/tls/certs"
+  loop: "{{ web_hosts }}"
+
+- name: Install the TLS private keys of the virtual hosts
+  copy:
+    src: "{{ item }}.key"
+    dest: "/etc/pki/tls/private"
+    mode: ''
+    owner:
+    group:
+  loop: "{{ web_hosts }}"
+
+- name: Install the example.com CA cert
+  copy:
+    src: "{{ cacert_file }}"
+    dest: "/etc/pki/tls/certs/{{ cacert_file }}"
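Review bot: The "Install the TLS private keys" task is where permissions matter most, and it currently has `mode: ''` with `owner:` and `group:` blank. Fill these in as `mode: '0600'`, `owner: root`, `group: root`, quoted so the mode is passed as a string; an empty-string mode is not a usable default. The certificate and CA tasks set no mode at all; `mode: '0644'` there makes the outcome independent of the source file's permissions. The `file` and `template` tasks with `path: ""` and `dest: ""` presumably need `{{ item }}`-based paths under /srv/www to match the `sefcontext` target.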

+ 56 - 0
cr-services/deploy_haproxy.yml

@@ -0,0 +1,56 @@
+---
+- name: Ensure HAProxy is deployed
+  hosts: servera.lab.example.com
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: the haproxy package is installed
+      yum:
+        name: haproxy
+        state: present
+
+    - name: the /etc/pki/haproxy directory exists
+      file:
+        path: /etc/pki/haproxy
+        state: directory
+        owner: root
+        mode: '700'
+
+    - name: the SSL file for HTTPS termination is deployed
+      copy:
+        # You need to create that file from the
+        # servera.lab.example.com.{crt,key} files under the
+        # files/ directory
+        src: files/haproxy.pem
+        dest: /etc/pki/haproxy/haproxy.pem
+      notify: restart haproxy
+
+    - name: the HAProxy configuration file is deployed
+      copy:
+        # You need to complete that configuration file
+        src: files/haproxy.cfg
+        dest: /etc/haproxy/haproxy.cfg
+      notify: restart haproxy
+
+    - name: the haproxy service is started and enabled
+      service:
+        name: haproxy
+        state: started
+        enabled: yes
+
+    - name: the http and https firewall services are opened
+      firewalld:
+        service: "{{ item }}"
+        state: enabled
+        immediate: yes
+        permanent: yes
+      loop:
+        - http
+        - https
+
+  handlers:
+    - name: restart haproxy
+      service:
+        name: haproxy
+        state: restarted
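Review bot: The task that deploys `/etc/pki/haproxy/haproxy.pem` copies a file containing the private key (the comment says it is built from the `.crt` and `.key`) without setting its mode or owner. The `0700` parent directory limits access today, but the file itself should carry `owner: root`, `group: root`, `mode: '0600'` so it stays protected if it is moved or the directory mode changes. The play also mixes `yes` and `true` for booleans (`enabled: yes`, `become: true`); using `true`/`false` throughout avoids YAML 1.1 truthy surprises.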

+ 13 - 0
cr-services/deploy_smtp.yml

@@ -0,0 +1,13 @@
+---
+- name: Configure Null Client Email Service
+  become: true
+  hosts:
+
+  vars:
+    postfix_conf:
+      relayhost:
+      inet_interfaces:
+      ...
+
+  roles:
+    - linux-system-roles....

+ 55 - 0
cr-services/deploy_varnish.yml

@@ -0,0 +1,55 @@
+---
+- name: Ensure Varnish is deployed
+  hosts: serverb.lab.example.com
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: the varnish package is installed
+      yum:
+        name: varnish
+        state: present
+
+    - name: the systemd drop-in directory exists
+      file:
+        path: /etc/systemd/system/varnish.service.d
+        state: directory
+
+    - name: the varnish systemd service configuration file is deployed
+      copy:
+        # You need to create that configuration file
+        src: files/port.conf
+        dest: /etc/systemd/system/varnish.service.d/port.conf
+      notify:
+        - reload systemd
+        - restart varnish
+
+    - name: the Varnish configuration file is deployed
+      copy:
+        # You need to complete that configuration file
+        src: files/default.vcl
+        dest: /etc/varnish/default.vcl
+      notify: restart varnish
+
+    - name: the varnish service is started and enabled
+      service:
+        name: varnish
+        state: started
+        enabled: yes
+
+    - name: the port 9000 is opened in the firewall
+      firewalld:
+        port: 9000/tcp
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload systemd
+      systemd:
+        daemon_reload: yes
+
+    - name: restart varnish
+      service:
+        name: varnish
+        state: restarted
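Review bot: The firewalld task opens `9000/tcp` with no `zone` or source restriction, so the cache port is reachable from every host the default zone admits. If Varnish is meant to sit behind the HAProxy instance on servera (an inference from deploy_haproxy.yml, not shown in this file), limit the port to that host with a rich rule or a dedicated zone instead. The drop-in directory and the two `copy` tasks set no `owner` or `mode`; `owner: root`, `group: root`, `mode: '0644'` on the files keeps a unit override from being writable by anyone but root.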

+ 23 - 0
cr-services/files/cacert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 40 - 0
cr-services/files/default.vcl

@@ -0,0 +1,40 @@
+#
+# This is an example VCL file for Varnish.
+#
+# It does not do anything by default, delegating control to the
+# builtin VCL. The builtin VCL is called when there is no explicit
+# return statement.
+#
+# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
+# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.
+
+# Marker to tell the VCL compiler that this VCL has been adapted to the
+# new 4.0 format.
+vcl 4.0;
+
+# Default backend definition. Set this to point to your content server.
+backend default {
+    .host = "127.0.0.1";
+    .port = "8080";
+}
+
+sub vcl_recv {
+    # Happens before we check if we have this in cache already.
+    #
+    # Typically you clean up the request here, removing cookies you don't need,
+    # rewriting the request, etc.
+}
+
+sub vcl_backend_response {
+    # Happens after we have read the response headers from the backend.
+    #
+    # Here you clean the response headers, removing silly Set-Cookie headers
+    # and other mistakes your backend does.
+}
+
+sub vcl_deliver {
+    # Happens when we have all the pieces we need, and are about to send the
+    # response to the client.
+    #
+    # You can do accounting or modifying the final object here.
+}

+ 23 - 0
cr-services/files/example-ca.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2TCCAsGgAwIBAgIUOKjPjzHifOZxjYsUUt/UGyCSNfkwDQYJKoZIhvcNAQEL
+BQAwfDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYD
+VQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1FeGFtcGxlLCBJbmMuMSowKAYDVQQDDCFl
+eGFtcGxlLmNvbSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjMwMzA3MDgwNzM0
+WhcNMjQwMzA2MDgwNzM0WjB8MQswCQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGgg
+Q2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVpZ2gxFjAUBgNVBAoMDUV4YW1wbGUsIElu
+Yy4xKjAoBgNVBAMMIWV4YW1wbGUuY29tIENlcnRpZmljYXRlIEF1dGhvcml0eTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANxQNgc7WXCbPg+ZTthtkPZH
+o20poCBSD6wkWANVMSgi1dNLNJx+X/N+rpC1hjDmQzqTJT1FYiYNhE9teHkg6kkL
+DNbWdWITxL9kYAliaxi+48pWj4ONZIE7x9ymgG50DbVc1fCGAvUCFx+Cfebkroxa
+PVSqG8frg6Vl3sLgruv4gCt7ZJAZKJA2dJ/XbFkZ2YxhD5Uusqxy0qA5mcLHcvDU
+g5seVnDY0S6sR+fvcawm5Rb1hEXeSbxPpKiwOTULN0a1p8SMbuXyhZSRjspR1Tsi
+lPEwnNykM8gk3VhbZTw6zSNEJOjtqcHf+5AQacuUQQgCq8ZVnC0jxJcUabWC6S8C
+AwEAAaNTMFEwHQYDVR0OBBYEFFYHbid6fperMhKwuZi787Y86JGZMB8GA1UdIwQY
+MBaAFFYHbid6fperMhKwuZi787Y86JGZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBABXKHdRy5ZMjQSRKLnRAJq7dTzP+d2f6RHkmpx6aW0mZktNE
+h9PByXI6sYHUJCCWpdLMHu1AXQnHWwPHJCqww+0xoaVZA9cRo7gyWB0T2m3YxpOk
+2ayoC9qTOr5+KWMBxVckxcOWmUv0lxzslD6KOQeGDgmaPJPsruOSoBaeqoY/7FpW
+6xvp/qIzXqsU31oHuDMPnw95+vm3XqcYukgxPTnXkNmUilR+Tw/R37uBzaQxqRqQ
+F0IlX/CrXbCVIp0rMebW1537ZnRVWIm3NWpjlssJulkbD4QiXFoTwHh3uyQG/GaN
+ha4UBNh9vP4nD2eNtWSu/TgKzsgeCtwJlSzNkLE=
+-----END CERTIFICATE-----

+ 90 - 0
cr-services/files/haproxy.cfg

@@ -0,0 +1,90 @@
+#---------------------------------------------------------------------
+# Example configuration for a possible web application.  See the
+# full configuration options online.
+#
+#   https://www.haproxy.org/download/1.8/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+    # to have these messages end up in /var/log/haproxy.log you will
+    # need to:
+    #
+    # 1) configure syslog to accept network log events.  This is done
+    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
+    #    /etc/sysconfig/syslog
+    #
+    # 2) configure local2 events to go to the /var/log/haproxy.log
+    #   file. A line like the following can be added to
+    #   /etc/sysconfig/syslog
+    #
+    #    local2.*                       /var/log/haproxy.log
+    #
+    log         127.0.0.1 local2
+
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    daemon
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats
+
+    # utilize system-wide crypto-policies
+    ssl-default-bind-ciphers PROFILE=SYSTEM
+    ssl-default-server-ciphers PROFILE=SYSTEM
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000
+
+#---------------------------------------------------------------------
+# main frontend which proxys to the backends
+#---------------------------------------------------------------------
+frontend main
+    bind *:5000
+    acl url_static       path_beg       -i /static /images /javascript /stylesheets
+    acl url_static       path_end       -i .jpg .gif .png .css .js
+
+    use_backend static          if url_static
+    default_backend             app
+
+#---------------------------------------------------------------------
+# static backend for serving up images, stylesheets and such
+#---------------------------------------------------------------------
+backend static
+    balance     roundrobin
+    server      static 127.0.0.1:4331 check
+
+#---------------------------------------------------------------------
+# round robin balancing between the various backends
+#---------------------------------------------------------------------
+backend app
+    balance     roundrobin
+    server  app1 127.0.0.1:5001 check
+    server  app2 127.0.0.1:5002 check
+    server  app3 127.0.0.1:5003 check
+    server  app4 127.0.0.1:5004 check

+ 105 - 0
cr-services/files/mariadb/legacy-database.sql

@@ -0,0 +1,105 @@
+-- MySQL dump 10.14  Distrib 5.5.35-MariaDB, for Linux (x86_64)
+--
+-- Host: localhost    Database: inventory
+-- ------------------------------------------------------
+-- Server version	5.5.35-MariaDB
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+--
+-- Table structure for table `category`
+--
+
+DROP TABLE IF EXISTS `category`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `category` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` varchar(100) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `category`
+--
+
+LOCK TABLES `category` WRITE;
+/*!40000 ALTER TABLE `category` DISABLE KEYS */;
+INSERT INTO `category` VALUES (1,'Networking'),(2,'Servers'),(3,'Ssd');
+/*!40000 ALTER TABLE `category` ENABLE KEYS */;
+UNLOCK TABLES;
+
+--
+-- Table structure for table `manufacturer`
+--
+
+DROP TABLE IF EXISTS `manufacturer`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `manufacturer` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` varchar(100) NOT NULL,
+  `seller` varchar(100) DEFAULT NULL,
+  `phone_number` varchar(17) DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `manufacturer`
+--
+
+LOCK TABLES `manufacturer` WRITE;
+/*!40000 ALTER TABLE `manufacturer` DISABLE KEYS */;
+INSERT INTO `manufacturer` VALUES (1,'SanDisk','John Miller','+1 (941) 329-8855'),(2,'Kingston','Mike Taylor','+1 (341) 375-9999'),(3,'Asus','Wilson Jackson','+1 (432) 367-8899'),(4,'Sony','Allen Scott','+1 (876) 213-4439');
+/*!40000 ALTER TABLE `manufacturer` ENABLE KEYS */;
+UNLOCK TABLES;
+
+--
+-- Table structure for table `product`
+--
+
+DROP TABLE IF EXISTS `product`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `product` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` varchar(100) NOT NULL,
+  `price` double NOT NULL,
+  `stock` int(11) NOT NULL,
+  `id_category` int(11) NOT NULL,
+  `id_manufacturer` int(11) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `product`
+--
+
+LOCK TABLES `product` WRITE;
+/*!40000 ALTER TABLE `product` DISABLE KEYS */;
+INSERT INTO `product` VALUES (1,'ThinkServer TS140',539.88,20,2,4),(2,'ThinkServer RD630',2379.14,20,2,4),(3,'RT-AC68U',219.99,10,1,3),(4,'X110 64GB',73.84,100,3,1);
+/*!40000 ALTER TABLE `product` ENABLE KEYS */;
+UNLOCK TABLES;
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+-- Dump completed on 2014-06-02 11:41:13

+ 3 - 0
cr-services/files/mariadb/my.cnf

@@ -0,0 +1,3 @@
+[client]
+user=root
+password=redhat
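Review bot: This file commits the MariaDB root password in clear text, and `redhat` is a well-known default that password-guessing lists include. Keep the value out of the repository: store it in an ansible-vault encrypted variable and render my.cnf from a template, or vault-encrypt the file itself, which `copy` decrypts on deployment. Wherever it lands on the managed host it should be `mode: '0600'` and owned by the account that uses it. Outside a disposable lab, treat the password as exposed from the moment this commit is pushed and change it.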

+ 82 - 0
cr-services/files/servera.lab.example.com.crt

@@ -0,0 +1,82 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 12 (0xc)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=example.com Certificate Authority
+        Validity
+            Not Before: Mar  8 12:35:25 2023 GMT
+            Not After : Sep  4 12:35:25 2023 GMT
+        Subject: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=servera.lab.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d1:36:63:91:c1:e7:17:09:1b:79:e3:69:62:bd:
+                    0f:40:3e:93:61:7b:08:86:9d:1b:6c:ef:30:83:69:
+                    aa:56:e7:c1:c0:54:7b:c2:c2:dd:53:eb:24:0f:13:
+                    24:d5:9c:93:32:7e:78:a5:8d:47:9e:b2:ae:c2:b2:
+                    98:af:6a:d5:3f:c7:25:8e:f8:5b:e9:27:8d:46:a7:
+                    ee:f5:51:81:a6:39:bf:3d:d6:18:27:cd:d8:94:64:
+                    54:32:d9:38:03:ab:55:55:c6:28:08:f5:82:55:00:
+                    d8:97:e1:8a:f2:6c:5e:85:eb:3e:87:40:87:c1:35:
+                    11:a6:0b:c4:c4:24:88:7d:94:0e:d4:13:84:88:66:
+                    08:3b:5b:be:59:f2:ec:b2:31:27:44:56:bf:fe:79:
+                    02:28:8c:3b:00:6a:eb:fd:37:ed:77:a7:c5:5d:27:
+                    f1:3b:3c:98:df:33:dc:4c:98:09:93:33:2b:b9:33:
+                    7b:aa:65:6e:72:7b:ad:5b:de:e4:be:ec:9c:4e:8d:
+                    3d:6b:6a:4e:0d:8f:38:cf:ce:c3:ee:ed:29:01:5d:
+                    b2:e5:ed:2e:57:e5:8c:55:02:b1:93:d1:a3:66:8f:
+                    ba:37:9c:40:71:14:4d:7b:94:d3:64:d6:6c:df:06:
+                    10:4c:d7:1a:2d:f2:92:48:74:da:f4:be:60:eb:f2:
+                    ad:61
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                59:46:4E:BE:3C:01:E5:4D:A9:AF:3B:4C:23:01:9F:B5:18:AC:5C:8D
+            X509v3 Authority Key Identifier: 
+                keyid:56:07:6E:27:7A:7E:97:AB:32:12:B0:B9:98:BB:F3:B6:3C:E8:91:99
+
+    Signature Algorithm: sha256WithRSAEncryption
+         b6:b1:c9:60:a5:2b:a8:fe:2e:6d:94:3d:a0:67:98:4c:e2:92:
+         a5:2a:b3:87:0f:de:9b:d1:d7:5c:5b:a8:b5:14:1e:f3:55:80:
+         ed:6d:64:e1:03:ba:d7:58:01:43:32:b5:95:43:7c:24:03:cf:
+         ba:8d:c7:07:3c:0a:f5:8f:34:67:ab:2f:6d:08:e8:2b:2d:c6:
+         52:c2:a1:81:af:35:bd:d1:c3:a6:1c:fa:9f:5f:d8:32:88:00:
+         bc:93:8c:e3:b0:f6:14:4e:57:f0:9c:13:f2:e1:53:f7:c2:0a:
+         33:00:14:2f:14:18:ba:f8:cb:3d:f6:fa:23:d7:49:0c:ca:c6:
+         3c:40:e2:81:01:ad:e7:ab:a0:08:30:df:22:71:c9:5c:82:4c:
+         67:1f:ac:b6:d5:1f:2e:f2:0e:27:7b:62:6b:82:24:7b:54:41:
+         36:b3:77:6c:c5:31:eb:cf:5b:e4:ec:70:dc:d9:24:0f:5b:20:
+         fd:ac:52:1e:6e:6e:99:d2:55:ba:3b:7a:5f:af:82:4c:b1:56:
+         33:a0:5e:c3:9e:b0:f4:a1:03:18:bb:a1:36:4b:4f:96:88:40:
+         4b:87:d7:1c:c7:b4:17:01:d3:1f:a9:58:91:8a:93:23:4d:25:
+         35:83:fb:a6:8c:78:c8:fc:79:91:99:37:cf:f5:51:15:b7:79:
+         88:34:39:10
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 28 - 0
cr-services/files/servera.lab.example.com.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
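Review bot: An unencrypted PEM private key for servera.lab.example.com is committed here, so everyone with read access to the repository or its history can impersonate that host for as long as the matching certificate is trusted. Store the key vault-encrypted (`ansible-vault encrypt` on the file; the `copy` module decrypts it at deploy time) or generate it on the target and commit only the certificate. Deleting the file in a later commit does not remove it from history, so outside a throwaway lab the key should be considered compromised and the certificate reissued.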

+ 82 - 0
cr-services/files/serverc.lab.example.com.crt

@@ -0,0 +1,82 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 11 (0xb)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=example.com Certificate Authority
+        Validity
+            Not Before: Mar  8 12:35:19 2023 GMT
+            Not After : Sep  4 12:35:19 2023 GMT
+        Subject: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=serverc.lab.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:b0:cc:61:e1:6c:fb:2f:9e:87:32:8f:37:1b:aa:
+                    0f:17:75:45:de:b9:eb:12:4d:ff:09:b4:55:a9:b8:
+                    b9:53:a9:c1:3e:91:58:10:b9:21:22:e6:05:92:3b:
+                    70:79:0d:01:d1:4c:1c:3e:01:50:1b:f5:9c:17:f0:
+                    02:ee:7d:af:1b:cd:55:94:92:18:ae:d1:85:b0:b9:
+                    e5:bb:c6:d4:b5:64:17:90:30:e8:37:a6:3c:3f:3a:
+                    83:fa:40:bb:00:f3:4a:98:86:fc:c2:00:f8:c8:44:
+                    f3:3d:85:67:40:59:aa:c8:01:eb:9d:c6:3d:0d:40:
+                    7d:18:69:d6:bc:85:11:64:60:dd:7f:18:13:d1:17:
+                    65:40:86:0f:19:7f:7b:ba:78:f3:04:93:c7:77:00:
+                    c0:88:7c:95:43:5e:d9:18:1c:02:bc:25:e5:c8:ef:
+                    a7:79:cf:20:86:3c:5f:13:d6:bd:0f:80:cb:69:1b:
+                    b1:1a:93:a7:5b:4f:e8:b3:2c:9b:b5:1f:e6:93:f2:
+                    a0:ef:6d:22:15:af:e6:ad:b2:a6:c6:1a:fc:e8:97:
+                    ce:ad:4b:2f:54:44:95:d3:59:3d:82:8c:a6:ca:c6:
+                    bd:e5:e8:3d:bf:16:7f:00:d0:e7:35:67:f3:59:30:
+                    df:01:8b:ce:23:3e:c8:cc:42:6e:90:27:6e:80:98:
+                    94:dd
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                11:2C:E5:85:24:AB:80:F5:BD:F6:1D:09:B1:46:AC:C6:D9:AE:5C:80
+            X509v3 Authority Key Identifier: 
+                keyid:56:07:6E:27:7A:7E:97:AB:32:12:B0:B9:98:BB:F3:B6:3C:E8:91:99
+
+    Signature Algorithm: sha256WithRSAEncryption
+         bf:d3:c8:14:b0:ac:db:49:2b:b1:c1:b4:29:e1:8c:7d:5c:6f:
+         a8:7a:9c:2c:26:98:4c:ab:fd:28:f7:23:de:e2:9e:b0:f8:45:
+         4e:a4:7a:e8:8b:6e:8a:b2:a2:c5:3a:0b:cc:9c:5c:b8:98:46:
+         95:44:7f:7e:7d:df:ca:06:b1:bf:a0:76:0e:66:b7:a5:72:d4:
+         df:3e:54:1a:06:5a:7a:3a:07:85:73:62:52:e4:2b:7b:ba:b6:
+         06:09:43:11:8e:50:65:e6:09:cf:36:fb:ab:ce:de:88:82:87:
+         8f:d1:3d:5e:7c:ac:a7:bb:e2:6b:04:29:0f:5e:cc:7b:9f:a7:
+         67:c7:0e:11:c5:27:24:aa:3f:95:08:d8:b9:32:17:8a:51:c6:
+         0f:a6:95:aa:b5:5e:5f:b3:43:a4:92:17:b6:c4:8a:99:a1:bd:
+         fe:4d:00:8f:9c:3d:98:8a:2c:35:1b:21:98:34:be:07:89:fa:
+         39:70:4f:7f:b4:5c:d2:47:1d:37:2c:c1:89:98:7a:0d:f3:6f:
+         97:bc:aa:03:88:cb:c3:2b:76:97:46:19:a7:69:93:58:03:89:
+         50:7c:8d:77:6a:1c:92:18:3c:c6:e8:5c:03:8c:40:bb:58:66:
+         f7:80:af:06:61:ee:a6:0f:6a:35:7c:d0:a7:63:57:03:ab:ca:
+         47:03:50:0b
+-----BEGIN CERTIFICATE-----
+MIID5DCCAsygAwIBAgIBCzANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzEX
+MBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVpZ2gxFjAUBgNV
+BAoMDUV4YW1wbGUsIEluYy4xKjAoBgNVBAMMIWV4YW1wbGUuY29tIENlcnRpZmlj
+YXRlIEF1dGhvcml0eTAeFw0yMzAzMDgxMjM1MTlaFw0yMzA5MDQxMjM1MTlaMHIx
+CzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBwwH
+UmFsZWlnaDEWMBQGA1UECgwNRXhhbXBsZSwgSW5jLjEgMB4GA1UEAwwXc2VydmVy
+Yy5sYWIuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCwzGHhbPsvnocyjzcbqg8XdUXeuesSTf8JtFWpuLlTqcE+kVgQuSEi5gWSO3B5
+DQHRTBw+AVAb9ZwX8ALufa8bzVWUkhiu0YWwueW7xtS1ZBeQMOg3pjw/OoP6QLsA
+80qYhvzCAPjIRPM9hWdAWarIAeudxj0NQH0Yada8hRFkYN1/GBPRF2VAhg8Zf3u6
+ePMEk8d3AMCIfJVDXtkYHAK8JeXI76d5zyCGPF8T1r0PgMtpG7Eak6dbT+izLJu1
+H+aT8qDvbSIVr+atsqbGGvzol86tSy9URJXTWT2CjKbKxr3l6D2/Fn8A0Oc1Z/NZ
+MN8Bi84jPsjMQm6QJ26AmJTdAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4
+QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQR
+LOWFJKuA9b32HQmxRqzG2a5cgDAfBgNVHSMEGDAWgBRWB24nen6XqzISsLmYu/O2
+POiRmTANBgkqhkiG9w0BAQsFAAOCAQEAv9PIFLCs20krscG0KeGMfVxvqHqcLCaY
+TKv9KPcj3uKesPhFTqR66ItuirKixToLzJxcuJhGlUR/fn3fygaxv6B2Dma3pXLU
+3z5UGgZaejoHhXNiUuQre7q2BglDEY5QZeYJzzb7q87eiIKHj9E9Xnysp7viawQp
+D17Me5+nZ8cOEcUnJKo/lQjYuTIXilHGD6aVqrVeX7NDpJIXtsSKmaG9/k0Aj5w9
+mIosNRshmDS+B4n6OXBPf7Rc0kcdNyzBiZh6DfNvl7yqA4jLwyt2l0YZp2mTWAOJ
+UHyNd2ockhg8xuhcA4xAu1hm94CvBmHupg9qNXzQp2NXA6vKRwNQCw==
+-----END CERTIFICATE-----
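Review bot: This certificate has no Subject Alternative Name; the extensions listed are only Basic Constraints, Netscape Comment, Subject Key Identifier and Authority Key Identifier. Clients that no longer fall back to the Common Name will reject it for serverc.lab.example.com. Reissue it with `subjectAltName = DNS:serverc.lab.example.com` in the extension section of the signing configuration. The validity window ends on Sep 4 2023 and nothing visible in the commit renews the file, so a dated reminder or a renewal task is worth adding. `optimizeweb-automation/files/servera.lab.example.com.crt` shows the same extension set.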

+ 28 - 0
cr-services/files/serverc.lab.example.com.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----

+ 24 - 0
cr-services/inventory

@@ -0,0 +1,24 @@
+[control_node]
+workstation.lab.example.com
+
+[db_servers]
+serverd.lab.example.com
+
+[db_clients]
+serverc.lab.example.com
+
+[web_servers]
+serverc.lab.example.com
+
+[lb_servers]
+servera.lab.example.com
+
+[cache_servers]
+serverb.lab.example.com
+
+[email_servers]
+servera.lab.example.com
+serverb.lab.example.com
+serverc.lab.example.com
+serverd.lab.example.com
+

+ 43 - 0
cr-services/nginx.yml

@@ -0,0 +1,43 @@
+---
+- name: Deploy Nginx Web Server
+  hosts:
+  become: true
+
+  vars:
+    web_hosts:
+      - ""
+    web_ports:
+      -
+      -
+    nginx_packages:
+      - '@nginx:1.16'
+    cacert_file: "example-ca.crt"
+
+  tasks:
+    - name: Install latest Nginx software
+      yum:
+        name: ""
+        state:
+
+    - name: Deploy web content
+      import_tasks: deploy_content.yml
+
+    - name: Define the Nginx server block
+      template:
+        src: ""
+        dest: ""
+      loop: "{{ web_hosts }}"
+
+    - name: Open the web services firewall ports
+      firewalld:
+        service: ""
+        permanent:
+        immediate:
+        state:
+      loop: "{{ web_ports }}"
+
+    - name: Start and enable the Nginx service
+      service:
+        name:
+        state:
+        enabled:
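Review bot: Nothing in this play reloads Nginx after the `Define the Nginx server block` task changes a file, so an edited server block, including a changed certificate or key path, stays inactive until someone restarts the service by hand. Add `notify: restart nginx` to that task and a matching `handlers:` entry, as `optimizeweb-automation/deploy_apache.yml` does for httpd. The bare `hosts:`, `state:`, `permanent:` and `-` entries all parse as null; if they are exercise blanks, a trailing `# FIXME` comment on each makes that explicit and keeps a linter from reading them as mistakes.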

+ 11 - 0
cr-services/site.yml

@@ -0,0 +1,11 @@
+---
+- name: Deploy Web Server
+  import_playbook: nginx.yml
+
+- name: Deploy HAProxy
+  import_playbook: deploy_haproxy.yml
+
+- name: Deploy Varnish
+  import_playbook: deploy_varnish.yml
+
+

+ 15 - 0
cr-services/templates/nginx.conf.j2

@@ -0,0 +1,15 @@
+server {
+    listen 80 ;
+    server_name {{ item }};
+    return 301 https://$host$request_uri;
+}
+server {
+    listen 443 ssl;
+    server_name {{ item }};
+    ssl_certificate /etc/pki/tls/certs/{{ item }}.crt;
+    ssl_certificate_key /etc/pki/tls/private/{{ item }}.key;
+    location / {
+        root /srv/www/{{ item }};
+        index index.html index.htm;
+    }
+}
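Review bot: The port-80 redirect `return 301 https://$host$request_uri;` builds its target from the request's Host header, so if this block ever answers as the default server for port 80, the redirect points wherever the client's header says. The template already knows the name, so `return 301 https://{{ item }}$request_uri;` keeps the redirect on the configured virtual host. The 443 block sets no `ssl_protocols` or `ssl_ciphers`; that is fine only if the main nginx.conf or the system crypto policy supplies them, which is not visible from this file.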

+ 9 - 0
cr-services/templates/sample-index.html.j2

@@ -0,0 +1,9 @@
+<html>
+  <head>
+    <title>Welcome to {{ item }} !</title>
+  </head>
+  <body>
+    <h1>Success! The {{ item }} virtual host is working!</h1>
+    <p>This site is hosted on {{ ansible_facts['fqdn'] }}.</p>
+  </body>
+</html>

+ 3 - 0
iscsi-automation.03-06-09_15_49/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory=inventory
+remote_user=devops

+ 0 - 0
iscsi-automation.03-06-09:15:49/cleanup.yml → iscsi-automation.03-06-09_15_49/cleanup.yml


+ 0 - 0
iscsi-automation.03-06-09:15:49/inventory → iscsi-automation.03-06-09_15_49/inventory


+ 0 - 0
iscsi-automation.03-06-09:15:49/playbook.yml → iscsi-automation.03-06-09_15_49/playbook.yml


+ 0 - 0
iscsi-automation.03-06-09:15:49/solution/playbook.yml → iscsi-automation.03-06-09_15_49/solution/playbook.yml


+ 1 - 0
iscsi-automation.03-06-09_15_49/templates/initiatorname.iscsi.j2

@@ -0,0 +1 @@
+InitiatorName=iqn.2014-06.com.example:{{ ansible_facts['hostname'] }}

+ 0 - 0
iscsi-automation.03-06-09:15:49/unmount.yml → iscsi-automation.03-06-09_15_49/unmount.yml


+ 3 - 0
optimizeweb-automation/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory=inventory
+remote_user=devops

+ 23 - 0
optimizeweb-automation/cacert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 33 - 0
optimizeweb-automation/deploy_apache.yml

@@ -0,0 +1,33 @@
+---
+# Deploy the Apache HTTP Server and configure it to listen on port 8080.
+# The service can only be accessed from localhost.
+- name: Ensure Apache HTTP Server is deployed
+  hosts: web_servers
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: the httpd package is installed
+      yum:
+        name: httpd
+        state: present
+
+    - name: httpd is configured to listen on port 8080
+      lineinfile:
+        path: /etc/httpd/conf/httpd.conf
+        regexp: '^Listen '
+        insertafter: '^#Listen '
+        line: Listen 8080
+      notify: restart httpd
+
+    - name: the httpd service is started and enabled
+      service:
+        name: httpd
+        state: started
+        enabled: yes
+
+  handlers:
+    - name: restart httpd
+      service:
+        name: httpd
+        state: restarted
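Review bot: The header comment says the service can only be accessed from localhost, but `line: Listen 8080` binds every interface, so that restriction holds only while the host firewall keeps 8080 closed. No task in this play enforces that. If localhost-only is the intent, use `line: Listen 127.0.0.1:8080`. As a style point, `enabled: yes` reads more predictably as `enabled: true`, matching `become: true` above.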

+ 57 - 0
optimizeweb-automation/deploy_haproxy.yml

@@ -0,0 +1,57 @@
+---
+- name: Ensure HAProxy is deployed
+  hosts: servera.lab.example.com
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: the haproxy package is installed
+      yum:
+        name: haproxy
+        state: present
+
+    - name: the /etc/pki/haproxy directory exists
+      file:
+        path: /etc/pki/haproxy
+        state: directory
+        owner: root
+        mode: '700'
+
+    - name: the SSL file for HTTPS termination is deployed
+      assemble:
+        src: files
+        remote_src: false
+        regexp: "^servera\\.lab\\.example\\.com\\.(crt|key)$"
+        dest: /etc/pki/haproxy/haproxy.pem
+      notify: restart haproxy
+
+    - name: the HAProxy configuration file is deployed
+      copy:
+        src: files/haproxy.cfg
+        dest: /etc/haproxy/haproxy.cfg
+      notify: restart haproxy
+
+    - name: SELinux allows HAProxy to connect to remote port 6081
+      seboolean:
+        name: haproxy_connect_any
+        state: true
+        persistent: true
+
+    - name: the haproxy service is started and enabled
+      service:
+        name: haproxy
+        state: started
+        enabled: yes
+
+    - name: the https firewall service is opened
+      firewalld:
+        service: https
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: restart haproxy
+      service:
+        name: haproxy
+        state: restarted
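Review bot: The `assemble` task writes `/etc/pki/haproxy/haproxy.pem`, which contains the private key, without `owner` or `mode`, so its protection rests on the parent directory's `700` alone. Add `owner: root` and `mode: '0600'` to that task; the `copy` of `files/haproxy.pem` in `optimizeweb-review/deploy_haproxy.yml` has the same gap. Separately, `haproxy_connect_any` lets HAProxy connect to any port while the task name says only 6081 is needed; a port label for 6081 may be a narrower grant, to be confirmed against the SELinux policy in use.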

+ 47 - 0
optimizeweb-automation/deploy_varnish.yml

@@ -0,0 +1,47 @@
+---
+- name: Ensure Varnish is deployed
+  hosts: web_servers
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: the varnish package is installed
+      yum:
+        name: varnish
+        state: present
+
+    - name: the systemd drop-in directory exists
+      file:
+        path: /etc/systemd/system/varnish.service.d
+        state: directory
+
+    - name: the varnish systemd service configuration file is deployed
+      copy:
+        src: files/port.conf
+        dest: /etc/systemd/system/varnish.service.d/port.conf
+      notify:
+        - reload systemd
+        - restart varnish
+
+    - name: the varnish service is started and enabled
+      service:
+        name: varnish
+        state: started
+        enabled: yes
+
+    - name: the port 6081 is opened in the firewall
+      firewalld:
+        port: 6081/tcp
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload systemd
+      systemd:
+        daemon_reload: yes
+
+    - name: restart varnish
+      service:
+        name: varnish
+        state: restarted
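Review bot: The `firewalld` task opens 6081/tcp to every source, and `files/port.conf` in this commit makes that listener a PROXY-protocol endpoint, which takes the client address from the PROXY header. Any host that can reach the port can therefore present an arbitrary client address to Varnish and to whatever logs or access rules sit behind it. Restrict the port to the load balancer, for example `rich_rule: 'rule family="ipv4" source address="<LB_ADDRESS>" port port="6081" protocol="tcp" accept'` in place of `port: 6081/tcp` (`<LB_ADDRESS>` is a placeholder for servera's address). `optimizeweb-review/deploy_varnish.yml` opens 9000/tcp the same way.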

+ 11 - 0
optimizeweb-automation/deploy_webcontent.yml

@@ -0,0 +1,11 @@
+---
+- name: Ensure the web content is deployed
+  hosts: web_servers
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: the web content is deployed
+      copy:
+        content: "This is {{ inventory_hostname }}\n"
+        dest: /var/www/html/index.html

+ 72 - 0
optimizeweb-automation/files/haproxy.cfg

@@ -0,0 +1,72 @@
+#---------------------------------------------------------------------
+# Example configuration for a possible web application.  See the
+# full configuration options online.
+#
+#   https://www.haproxy.org/download/1.8/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+    # to have these messages end up in /var/log/haproxy.log you will
+    # need to:
+    #
+    # 1) configure syslog to accept network log events.  This is done
+    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
+    #    /etc/sysconfig/syslog
+    #
+    # 2) configure local2 events to go to the /var/log/haproxy.log
+    #   file. A line like the following can be added to
+    #   /etc/sysconfig/syslog
+    #
+    #    local2.*                       /var/log/haproxy.log
+    #
+    log         127.0.0.1 local2
+
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    daemon
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats level admin
+
+    # utilize system-wide crypto-policies
+    ssl-default-bind-ciphers PROFILE=SYSTEM
+    ssl-default-server-ciphers PROFILE=SYSTEM
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+#    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000
+
+frontend http-proxy
+    bind *:443 ssl crt /etc/pki/haproxy/haproxy.pem
+    http-request add-header X-Forwarded-Proto https
+    default_backend classroom-web-farm
+
+backend classroom-web-farm
+    balance roundrobin
+    server serverc.lab.example.com 172.25.250.12:6081 send-proxy-v2 check inter 5s
+    server serverd.lab.example.com 172.25.250.13:6081 send-proxy-v2 check inter 5s
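Review bot: `stats socket /var/lib/haproxy/stats level admin` creates an admin-level control socket without stating its permissions, so who can drive it depends on the process umask and the directory mode, neither of which is visible here. The playbooks reach it as root through `become`, so `stats socket /var/lib/haproxy/stats mode 600 level admin` states the intent. In the frontend, `http-request add-header X-Forwarded-Proto https` appends to whatever the client sent; `http-request set-header X-Forwarded-Proto https` replaces it, so the backend sees only the proxy's value.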

+ 3 - 0
optimizeweb-automation/files/port.conf

@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/varnishd -a :80 -a :6081,PROXY -f /etc/varnish/default.vcl -s malloc,256m

+ 82 - 0
optimizeweb-automation/files/servera.lab.example.com.crt

@@ -0,0 +1,82 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 10 (0xa)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=example.com Certificate Authority
+        Validity
+            Not Before: Mar  8 12:29:02 2023 GMT
+            Not After : Sep  4 12:29:02 2023 GMT
+        Subject: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=servera.lab.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:dd:77:f0:95:be:a6:21:34:d9:0a:cc:97:7f:b3:
+                    83:92:cb:83:e0:dd:74:50:be:35:96:6b:53:61:da:
+                    a0:9b:53:f3:74:35:ff:02:8a:69:ac:63:62:8e:3f:
+                    32:69:53:40:cb:4e:d0:9d:b0:37:97:a3:56:dd:ed:
+                    fd:ae:a1:bc:6f:37:92:7d:5c:0b:f6:b6:76:09:b3:
+                    f3:88:70:5e:6c:39:67:cf:15:f2:7c:a7:64:32:fa:
+                    74:ea:67:b8:76:41:c8:7b:55:d2:c9:42:b3:cd:5f:
+                    c9:fd:95:05:9a:b1:21:21:2f:2f:b4:57:ad:67:f5:
+                    d8:d8:c6:b7:08:71:d4:81:ce:b7:03:71:b9:89:99:
+                    26:f8:04:3d:15:31:fb:4a:c6:6a:c9:27:c3:12:2a:
+                    8a:97:00:41:7a:f1:3b:11:e4:66:86:af:d7:c1:f7:
+                    18:d6:9e:2c:aa:dc:c8:c7:19:c7:5d:f5:24:fd:67:
+                    63:f7:17:ee:68:e9:78:05:42:92:55:09:1c:e5:4f:
+                    c8:97:17:b2:82:a2:0a:42:ba:e3:d6:5c:07:f4:68:
+                    fb:d5:d6:c1:08:a0:fc:31:f6:95:99:f0:2d:a5:35:
+                    9a:67:d4:ce:02:63:9b:1b:e3:fb:95:7e:bc:78:ed:
+                    3e:99:67:65:d5:a4:b0:43:6a:41:87:a4:64:51:19:
+                    6b:53
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                47:42:57:ED:98:BA:9B:14:1C:03:0C:77:35:AA:E0:35:B9:B2:A2:7E
+            X509v3 Authority Key Identifier: 
+                keyid:56:07:6E:27:7A:7E:97:AB:32:12:B0:B9:98:BB:F3:B6:3C:E8:91:99
+
+    Signature Algorithm: sha256WithRSAEncryption
+         10:74:6b:4d:c8:af:b1:0f:e8:28:de:9e:93:2a:5e:e3:ec:6f:
+         2b:1d:37:42:71:ca:3a:3a:ce:0a:e6:9b:cb:31:8b:db:ff:07:
+         39:20:c1:2d:0d:b9:48:c7:5b:8e:a7:a3:f4:e5:26:0f:49:00:
+         a4:93:e8:c3:b3:ac:7c:e4:4d:6d:3d:8c:20:f6:7a:86:4e:c3:
+         f1:e0:f0:0c:21:32:bf:95:01:b6:26:91:f2:b0:dd:f2:f6:0c:
+         fc:e9:28:32:8f:10:b1:c6:47:f3:65:a8:f4:aa:50:a3:11:6c:
+         5d:ea:d8:aa:fc:f2:60:79:f9:ca:94:5f:df:b5:ee:fb:23:24:
+         92:39:f5:45:f7:d5:ba:7d:fc:72:a4:6c:82:d0:8d:bf:1e:33:
+         0c:92:1b:59:c3:c7:62:41:b2:11:df:99:1b:39:c3:0f:1d:8e:
+         89:11:fc:ea:40:dc:aa:12:32:b7:f4:e5:d5:90:a1:6e:ec:fb:
+         dd:c3:fa:2c:c2:08:dd:7d:94:c3:ec:89:9f:64:90:8c:35:25:
+         36:e1:ca:bb:af:ff:fc:62:f2:a4:7b:26:d3:f9:4e:94:2d:24:
+         ed:d7:ff:22:87:c1:7c:ab:d7:c8:b3:2d:d3:2c:db:96:e1:9d:
+         a7:1c:f6:bf:95:b8:b3:08:41:db:18:0c:5d:f7:e9:76:9b:f1:
+         dc:14:e9:0b
+-----BEGIN CERTIFICATE-----
+MIID5DCCAsygAwIBAgIBCjANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzEX
+MBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVpZ2gxFjAUBgNV
+BAoMDUV4YW1wbGUsIEluYy4xKjAoBgNVBAMMIWV4YW1wbGUuY29tIENlcnRpZmlj
+YXRlIEF1dGhvcml0eTAeFw0yMzAzMDgxMjI5MDJaFw0yMzA5MDQxMjI5MDJaMHIx
+CzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBwwH
+UmFsZWlnaDEWMBQGA1UECgwNRXhhbXBsZSwgSW5jLjEgMB4GA1UEAwwXc2VydmVy
+YS5sYWIuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDdd/CVvqYhNNkKzJd/s4OSy4Pg3XRQvjWWa1Nh2qCbU/N0Nf8CimmsY2KOPzJp
+U0DLTtCdsDeXo1bd7f2uobxvN5J9XAv2tnYJs/OIcF5sOWfPFfJ8p2Qy+nTqZ7h2
+Qch7VdLJQrPNX8n9lQWasSEhLy+0V61n9djYxrcIcdSBzrcDcbmJmSb4BD0VMftK
+xmrJJ8MSKoqXAEF68TsR5GaGr9fB9xjWniyq3MjHGcdd9ST9Z2P3F+5o6XgFQpJV
+CRzlT8iXF7KCogpCuuPWXAf0aPvV1sEIoPwx9pWZ8C2lNZpn1M4CY5sb4/uVfrx4
+7T6ZZ2XVpLBDakGHpGRRGWtTAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4
+QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRH
+QlftmLqbFBwDDHc1quA1ubKifjAfBgNVHSMEGDAWgBRWB24nen6XqzISsLmYu/O2
+POiRmTANBgkqhkiG9w0BAQsFAAOCAQEAEHRrTcivsQ/oKN6ekype4+xvKx03QnHK
+OjrOCuabyzGL2/8HOSDBLQ25SMdbjqej9OUmD0kApJPow7OsfORNbT2MIPZ6hk7D
+8eDwDCEyv5UBtiaR8rDd8vYM/OkoMo8QscZH82Wo9KpQoxFsXerYqvzyYHn5ypRf
+37Xu+yMkkjn1RffVun38cqRsgtCNvx4zDJIbWcPHYkGyEd+ZGznDDx2OiRH86kDc
+qhIyt/Tl1ZChbuz73cP6LMII3X2Uw+yJn2SQjDUlNuHKu6///GLypHsm0/lOlC0k
+7df/IofBfKvXyLMt0yzbluGdpxz2v5W4swhB2xgMXffpdpvx3BTpCw==
+-----END CERTIFICATE-----

+ 28 - 0
optimizeweb-automation/files/servera.lab.example.com.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----

+ 6 - 0
optimizeweb-automation/inventory

@@ -0,0 +1,6 @@
+[lb_servers]
+servera.lab.example.com
+
+[web_servers]
+serverc.lab.example.com
+serverd.lab.example.com

+ 1 - 0
optimizeweb-automation/new_web_content/serverc.lab.example.com/index.html

@@ -0,0 +1 @@
+This is serverc.lab.example.com version 2

+ 1 - 0
optimizeweb-automation/new_web_content/serverd.lab.example.com/index.html

@@ -0,0 +1 @@
+This is serverd.lab.example.com version 2

+ 18 - 0
optimizeweb-automation/reset_webcontent.yml

@@ -0,0 +1,18 @@
+---
+- name: Ensure the web content is reverted to its original version
+  hosts: web_servers
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: the original web content is deployed
+      copy:
+        content: "This is {{ inventory_hostname }}\n"
+        dest: /var/www/html/index.html
+      notify: Varnish Cache is clean
+
+  handlers:
+    - name: Varnish Cache is clean
+      service:
+        name: varnish
+        state: restarted

+ 7 - 0
optimizeweb-automation/run_curl_in_a_loop.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+while :
+do
+  curl --cacert ~/optimizeweb-automation/cacert.pem https://servera.lab.example.com/
+  sleep 1
+done

+ 12 - 0
optimizeweb-automation/site.yml

@@ -0,0 +1,12 @@
+---
+- name: Deploy HAProxy
+  import_playbook: deploy_haproxy.yml
+
+- name: Deploy Varnish
+  import_playbook: deploy_varnish.yml
+
+- name: Deploy Web Server
+  import_playbook: deploy_apache.yml
+
+- name: Deploy Web Content
+  import_playbook: deploy_webcontent.yml

+ 44 - 0
optimizeweb-automation/solution/update_webcontent.yml

@@ -0,0 +1,44 @@
+---
+- name: Ensure new web content is deployed
+  hosts: web_servers
+  gather_facts: false
+  become: true
+  serial: 1
+
+  tasks:
+    - name: the web server is removed from service during the update
+      haproxy:
+        socket: /var/lib/haproxy/stats
+        state: disabled
+        backend: classroom-web-farm
+        host: "{{ inventory_hostname }}"
+      delegate_to: servera.lab.example.com
+
+    - name: the new content is deployed
+      synchronize:
+        src: "new_web_content/{{ inventory_hostname }}/"
+        dest: /var/www/html
+        delete: true
+      notify: Varnish Cache is clean
+
+  post_tasks:
+    - name: Smoke Test - Ensure HTTP 200 OK
+      uri:
+        url: "http://localhost"
+        status_code: 200
+
+    # If the test fails, servers are not re-enabled
+    # in the load balancers, and the update process halts.
+    - name: the healthy web server is enabled in HAProxy
+      haproxy:
+        socket: /var/lib/haproxy/stats
+        state: enabled
+        backend: classroom-web-farm
+        host: "{{ inventory_hostname }}"
+      delegate_to: servera.lab.example.com
+
+  handlers:
+    - name: Varnish Cache is clean
+      service:
+        name: varnish
+        state: restarted
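Review bot: Both `haproxy` tasks return as soon as the command is sent and, with the module defaults, do not fail when the named server is missing from the backend. A mismatch between `inventory_hostname` and the `server` names in haproxy.cfg would let the content sync run against a host that is still taking traffic. Add `wait: true` and `fail_on_not_found: true` to the disable and enable tasks so the play proceeds only once HAProxy reports the state change. The smoke test checks only the status code on `http://localhost`; asserting on the new content would confirm the update itself landed. `optimizeweb-automation/update_webcontent.yml` is the same play with the socket and backend left blank and needs the same two options.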

+ 44 - 0
optimizeweb-automation/update_webcontent.yml

@@ -0,0 +1,44 @@
+---
+- name: Ensure new web content is deployed
+  hosts: web_servers
+  gather_facts: false
+  become: true
+  serial: 1
+
+  tasks:
+    - name: the web server is removed from service during the update
+      haproxy:
+        socket: ## FIXME ##
+        state: disabled
+        backend: ## FIXME ##
+        host: "{{ inventory_hostname }}"
+      delegate_to: servera.lab.example.com
+
+    - name: the new content is deployed
+      synchronize:
+        src: "new_web_content/{{ inventory_hostname }}/"
+        dest: /var/www/html
+        delete: true
+      notify: Varnish Cache is clean
+
+  post_tasks:
+    - name: Smoke Test - Ensure HTTP 200 OK
+      uri:
+        url: "http://localhost"
+        status_code: 200
+
+    # If the test fails, servers are not re-enabled
+    # in the load balancers, and the update process halts.
+    - name: the healthy web server is enabled in HAProxy
+      haproxy:
+        socket: ## FIXME ##
+        state: enabled
+        backend: ## FIXME ##
+        host: "{{ inventory_hostname }}"
+      delegate_to: servera.lab.example.com
+
+  handlers:
+    - name: Varnish Cache is clean
+      service:
+        name: varnish
+        state: restarted

+ 3 - 0
optimizeweb-review/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory=inventory
+remote_user=devops

+ 23 - 0
optimizeweb-review/cacert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 56 - 0
optimizeweb-review/deploy_haproxy.yml

@@ -0,0 +1,56 @@
+---
+- name: Ensure HAProxy is deployed
+  hosts: servera.lab.example.com
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: the haproxy package is installed
+      yum:
+        name: haproxy
+        state: present
+
+    - name: the /etc/pki/haproxy directory exists
+      file:
+        path: /etc/pki/haproxy
+        state: directory
+        owner: root
+        mode: '700'
+
+    - name: the SSL file for HTTPS termination is deployed
+      copy:
+        # You need to create that file from the
+        # servera.lab.example.com.{crt,key} files under the
+        # files/ directory
+        src: files/haproxy.pem
+        dest: /etc/pki/haproxy/haproxy.pem
+      notify: restart haproxy
+
+    - name: the HAProxy configuration file is deployed
+      copy:
+        # You need to complete that configuration file
+        src: files/haproxy.cfg
+        dest: /etc/haproxy/haproxy.cfg
+      notify: restart haproxy
+
+    - name: the haproxy service is started and enabled
+      service:
+        name: haproxy
+        state: started
+        enabled: yes
+
+    - name: the http and https firewall services are opened
+      firewalld:
+        service: "{{ item }}"
+        state: enabled
+        immediate: yes
+        permanent: yes
+      loop:
+        - http
+        - https
+
+  handlers:
+    - name: restart haproxy
+      service:
+        name: haproxy
+        state: restarted

+ 55 - 0
optimizeweb-review/deploy_varnish.yml

@@ -0,0 +1,55 @@
+---
+- name: Ensure Varnish is deployed
+  hosts: serverb.lab.example.com
+  gather_facts: false
+  become: true
+
+  tasks:
+    - name: the varnish package is installed
+      yum:
+        name: varnish
+        state: present
+
+    - name: the systemd drop-in directory exists
+      file:
+        path: /etc/systemd/system/varnish.service.d
+        state: directory
+
+    - name: the varnish systemd service configuration file is deployed
+      copy:
+        # You need to create that configuration file
+        src: files/port.conf
+        dest: /etc/systemd/system/varnish.service.d/port.conf
+      notify:
+        - reload systemd
+        - restart varnish
+
+    - name: the Varnish configuration file is deployed
+      copy:
+        # You need to complete that configuration file
+        src: files/default.vcl
+        dest: /etc/varnish/default.vcl
+      notify: restart varnish
+
+    - name: the varnish service is started and enabled
+      service:
+        name: varnish
+        state: started
+        enabled: yes
+
+    - name: the port 9000 is opened in the firewall
+      firewalld:
+        port: 9000/tcp
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+  handlers:
+    - name: reload systemd
+      systemd:
+        daemon_reload: yes
+
+    - name: restart varnish
+      service:
+        name: varnish
+        state: restarted

+ 40 - 0
optimizeweb-review/files/default.vcl

@@ -0,0 +1,40 @@
+#
+# This is an example VCL file for Varnish.
+#
+# It does not do anything by default, delegating control to the
+# builtin VCL. The builtin VCL is called when there is no explicit
+# return statement.
+#
+# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
+# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.
+
+# Marker to tell the VCL compiler that this VCL has been adapted to the
+# new 4.0 format.
+vcl 4.0;
+
+# Default backend definition. Set this to point to your content server.
+backend default {
+    .host = "127.0.0.1";
+    .port = "8080";
+}
+
+sub vcl_recv {
+    # Happens before we check if we have this in cache already.
+    #
+    # Typically you clean up the request here, removing cookies you don't need,
+    # rewriting the request, etc.
+}
+
+sub vcl_backend_response {
+    # Happens after we have read the response headers from the backend.
+    #
+    # Here you clean the response headers, removing silly Set-Cookie headers
+    # and other mistakes your backend does.
+}
+
+sub vcl_deliver {
+    # Happens when we have all the pieces we need, and are about to send the
+    # response to the client.
+    #
+    # You can do accounting or modifying the final object here.
+}

+ 90 - 0
optimizeweb-review/files/haproxy.cfg

@@ -0,0 +1,90 @@
+#---------------------------------------------------------------------
+# Example configuration for a possible web application.  See the
+# full configuration options online.
+#
+#   https://www.haproxy.org/download/1.8/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+    # to have these messages end up in /var/log/haproxy.log you will
+    # need to:
+    #
+    # 1) configure syslog to accept network log events.  This is done
+    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
+    #    /etc/sysconfig/syslog
+    #
+    # 2) configure local2 events to go to the /var/log/haproxy.log
+    #   file. A line like the following can be added to
+    #   /etc/sysconfig/syslog
+    #
+    #    local2.*                       /var/log/haproxy.log
+    #
+    log         127.0.0.1 local2
+
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    daemon
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats
+
+    # utilize system-wide crypto-policies
+    ssl-default-bind-ciphers PROFILE=SYSTEM
+    ssl-default-server-ciphers PROFILE=SYSTEM
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000
+
+#---------------------------------------------------------------------
+# main frontend which proxys to the backends
+#---------------------------------------------------------------------
+frontend main
+    bind *:5000
+    acl url_static       path_beg       -i /static /images /javascript /stylesheets
+    acl url_static       path_end       -i .jpg .gif .png .css .js
+
+    use_backend static          if url_static
+    default_backend             app
+
+#---------------------------------------------------------------------
+# static backend for serving up images, stylesheets and such
+#---------------------------------------------------------------------
+backend static
+    balance     roundrobin
+    server      static 127.0.0.1:4331 check
+
+#---------------------------------------------------------------------
+# round robin balancing between the various backends
+#---------------------------------------------------------------------
+backend app
+    balance     roundrobin
+    server  app1 127.0.0.1:5001 check
+    server  app2 127.0.0.1:5002 check
+    server  app3 127.0.0.1:5003 check
+    server  app4 127.0.0.1:5004 check

+ 82 - 0
optimizeweb-review/files/servera.lab.example.com.crt

@@ -0,0 +1,82 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 13 (0xd)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=example.com Certificate Authority
+        Validity
+            Not Before: Mar  8 12:44:09 2023 GMT
+            Not After : Sep  4 12:44:09 2023 GMT
+        Subject: C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=servera.lab.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d0:1c:d5:18:3c:52:a2:8d:48:a5:84:42:ce:d7:
+                    ae:c3:94:ff:87:a6:06:c6:f4:fa:80:25:53:30:c7:
+                    10:4e:08:9b:ca:05:f0:c0:5b:18:d4:62:b9:ae:bb:
+                    f1:64:3a:29:5e:70:82:0d:a9:3d:95:47:38:2b:74:
+                    4a:ff:35:fb:2c:8c:53:74:11:f9:52:19:17:00:a1:
+                    7e:b3:8b:80:b2:d1:6a:be:9b:3f:ae:66:d8:96:05:
+                    b7:89:ad:b0:e8:4c:82:d8:f5:e3:58:11:60:c9:53:
+                    77:a7:b9:a7:e3:3b:dc:9d:88:16:d3:55:37:8f:85:
+                    34:53:e3:19:8f:9d:a0:d6:17:b9:64:e9:7f:57:88:
+                    00:ce:ed:5b:84:bb:de:ac:62:3c:18:f0:40:66:1a:
+                    41:c8:f2:48:c9:bc:5f:5c:03:91:99:98:01:78:5b:
+                    99:48:89:4b:f7:8f:e9:aa:03:46:e8:1d:a5:ea:33:
+                    c2:1f:ba:15:91:38:b8:83:61:19:bf:51:b4:98:ca:
+                    08:ee:1a:0c:51:56:9b:eb:8d:66:e1:af:b2:e7:66:
+                    99:c9:55:18:53:2b:ba:16:91:29:64:37:7f:2a:89:
+                    0c:00:96:a3:75:2b:0c:a1:81:4c:a9:30:74:97:d1:
+                    21:e0:99:3f:67:52:0b:8e:50:9b:4b:51:9b:32:3e:
+                    e1:c7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                E4:7D:63:FC:76:6E:E4:A0:3E:E9:A7:E0:49:45:4B:55:9D:C0:26:99
+            X509v3 Authority Key Identifier: 
+                keyid:56:07:6E:27:7A:7E:97:AB:32:12:B0:B9:98:BB:F3:B6:3C:E8:91:99
+
+    Signature Algorithm: sha256WithRSAEncryption
+         6e:a0:7e:88:65:67:c7:e2:2a:3a:a1:e2:07:f6:4e:53:98:51:
+         95:ca:e7:52:69:e9:97:0b:07:e0:ef:49:b3:f2:e0:4c:15:8d:
+         54:43:b3:65:40:17:1e:82:c7:d8:5e:84:47:fa:84:77:e2:05:
+         5b:d9:a3:d1:b8:7d:d4:99:7b:f4:35:ef:b1:13:3e:68:2c:ec:
+         76:bf:33:3b:6f:d5:a1:66:ad:fd:02:d2:db:3e:1b:27:0d:56:
+         fe:b5:2b:5f:64:3d:5f:17:20:75:38:45:70:70:fa:da:11:3f:
+         44:7f:4d:fa:8c:96:69:17:be:17:3d:9b:82:a5:1b:26:26:2b:
+         be:c6:06:ba:68:85:f3:d0:9f:e1:c8:29:f1:90:7d:1f:1a:10:
+         1a:6a:f2:31:8e:64:70:52:e0:d5:23:f5:99:b5:76:3f:84:d8:
+         87:06:9c:0f:0e:7a:b5:52:68:5c:0f:74:8d:12:39:0a:83:66:
+         88:50:d9:8c:78:f3:26:35:9a:20:93:55:c1:66:bf:e6:df:c0:
+         ef:c9:12:66:b0:25:a7:34:e5:0c:1b:0d:70:ef:7e:07:eb:24:
+         5d:e4:eb:2c:55:7a:db:2d:82:46:54:94:e9:38:20:fa:28:1e:
+         98:83:66:54:3a:4b:43:79:d8:4d:2b:93:0b:46:83:9a:8d:3e:
+         5a:8d:e2:81
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
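Review bot: The extension list in this certificate (Basic Constraints, Netscape Comment, Subject Key Identifier, Authority Key Identifier) contains no `X509v3 Subject Alternative Name`, so the host name is carried only in `CN=servera.lab.example.com`. Browsers and several TLS libraries no longer match on the CN and will reject such a certificate even when the issuing CA is trusted. It is also valid only until `Sep  4 12:44:09 2023 GMT`, and nothing visible in this section renews or replaces it. Reissue it with a `DNS:servera.lab.example.com` SAN entry, and have the deployment check the expiry date before installing the file.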

+ 28 - 0
optimizeweb-review/files/servera.lab.example.com.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
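Review bot: This file commits an unencrypted private key to the repository: the header is `-----BEGIN PRIVATE KEY-----`, not `ENCRYPTED PRIVATE KEY`. Anyone with read access to the repository or a clone of it keeps a usable copy, and it stays in history even if a later commit deletes it. Judging by the file name, it pairs with the servera.lab.example.com certificate added in the previous section. Store it encrypted with `ansible-vault encrypt optimizeweb-review/files/servera.lab.example.com.key` (the copy module decrypts vaulted source files at deploy time) or generate it on the target host, and install it with `mode: '0600'`. If the key is used anywhere beyond a disposable lab, treat it as exposed and reissue the key pair.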

+ 8 - 0
optimizeweb-review/inventory

@@ -0,0 +1,8 @@
+[lb_servers]
+servera.lab.example.com
+
+[cache_servers]
+serverb.lab.example.com
+
+[web_servers]
+serverc.lab.example.com

+ 6 - 0
optimizeweb-review/site.yml

@@ -0,0 +1,6 @@
+---
+- name: Deploy HAProxy
+  import_playbook: deploy_haproxy.yml
+
+- name: Deploy Varnish
+  import_playbook: deploy_varnish.yml