author | Quentin <quentin@dufour.io> | 2020-07-05 20:37:19 +0200 |
---|---|---|
committer | Quentin <quentin@dufour.io> | 2020-07-05 20:37:19 +0200 |
commit | 09878271f2a207ffb33c1f293dd26ee97cc6fff2 (patch) | |
tree | ee8d82b8640deed41acf13ab5cce94045ebc3081 /ansible/roles | |
parent | f427bcf5645d92604be3994496bf44bd93f5c7e3 (diff) | |
parent | faf39bbb282542efa237c39f4371918589508254 (diff) | |
Merge pull request 'Network configuration' (#1) from network_config into master
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/deuxfleurs.fr/pulls/1
Diffstat (limited to 'ansible/roles')
-rw-r--r-- | ansible/roles/common/tasks/main.yml | 6 | ||||
-rw-r--r-- | ansible/roles/consul/handlers/main.yml | 4 | ||||
-rw-r--r-- | ansible/roles/consul/tasks/main.yml | 31 | ||||
-rw-r--r-- | ansible/roles/consul/templates/consul.json.j2 | 3 | ||||
-rw-r--r-- | ansible/roles/consul/templates/resolv.conf.j2 | 2 | ||||
-rw-r--r-- | ansible/roles/network/files/nsswitch.conf | 3 | ||||
-rw-r--r-- | ansible/roles/network/files/systemd-resolve-no-listen.conf | 2 | ||||
-rw-r--r-- | ansible/roles/network/handlers/main.yml | 12 | ||||
-rw-r--r-- | ansible/roles/network/tasks/main.yml | 37 | ||||
-rw-r--r-- | ansible/roles/network/templates/nomad-interface.j2 | 8 | ||||
-rw-r--r-- | ansible/roles/nomad/handlers/main.yml | 5 | ||||
-rw-r--r-- | ansible/roles/nomad/tasks/main.yml | 28 | ||||
-rw-r--r-- | ansible/roles/nomad/templates/nomad.hcl.j2 | 4 |
13 files changed, 30 insertions, 115 deletions
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index b4d00bb..0b15790 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -12,6 +12,12 @@
 autoclean: yes
 autoremove: yes
 
+- name: "Remove base tools"
+ apt:
+ name:
+ - systemd-resolved
+ state: absent
+
 - name: "Install base tools"
 apt:
 name:
diff --git a/ansible/roles/consul/handlers/main.yml b/ansible/roles/consul/handlers/main.yml
deleted file mode 100644
index e8cd4a4..0000000
--- a/ansible/roles/consul/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-
-- name: restart consul
- service: name=consul state=restarted
diff --git a/ansible/roles/consul/tasks/main.yml b/ansible/roles/consul/tasks/main.yml
index bb1d9ef..2b77080 100644
--- a/ansible/roles/consul/tasks/main.yml
+++ b/ansible/roles/consul/tasks/main.yml
@@ -1,16 +1,6 @@
 - name: "Set consul version"
 set_fact:
- consul_version: 1.7.4
-
-- name: "Download and install Consul for armv7l"
- unarchive:
- src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_arm.zip"
- dest: /usr/local/bin
- remote_src: yes
- when:
- - "ansible_architecture == 'armv7l'"
- notify:
- - restart consul
+ consul_version: 1.8.0
 
 - name: "Download and install Consul for x86_64"
 unarchive:
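Review bot: The new task is named "Remove base tools" but it removes one package, systemd-resolved, so the copy-pasted name hides what the common role now does to name resolution; rename it, e.g. `- name: "Remove systemd-resolved"`. On Debian releases where resolved ships inside the `systemd` package (buster and bullseye, as far as I know) there is no `systemd-resolved` package and `state: absent` is a silent no-op, which leaves the real disabling to the `systemd:` task in the network role; a one-line comment stating which of the two is expected to take effect would help the next reader. Where the package does exist, it is removed here before the consul role writes the replacement resolv.conf, so the later downloads from releases.hashicorp.com depend on whatever /etc/resolv.conf is left behind — worth checking against the role order, which this page does not show.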
@@ -19,31 +9,18 @@
 remote_src: yes
 when:
 - "ansible_architecture == 'x86_64'"
- notify:
- - restart consul
-
-- name: "Download and install Consul for arm64"
- unarchive:
- src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_arm64.zip"
- dest: /usr/local/bin
- remote_src: yes
- when:
- - "ansible_architecture == 'aarch64'"
- notify:
- - restart consul
 
 - name: "Create consul configuration directory"
 file: path=/etc/consul/ state=directory
 
 - name: "Deploy consul configuration"
 template: src=consul.json.j2 dest=/etc/consul/consul.json
- notify:
- - restart consul
 
 - name: "Deploy consul systemd service"
 copy: src=consul.service dest=/etc/systemd/system/consul.service
- notify:
- - restart consul
 
 - name: "Enable consul systemd service at boot"
 service: name=consul state=started enabled=yes daemon_reload=yes
+
+- name: "Deploy resolv.conf to use Consul"
+ template: src=resolv.conf.j2 dest=/etc/resolv.conf
diff --git a/ansible/roles/consul/templates/consul.json.j2 b/ansible/roles/consul/templates/consul.json.j2
index d1bd2d8..b6c86aa 100644
--- a/ansible/roles/consul/templates/consul.json.j2
+++ b/ansible/roles/consul/templates/consul.json.j2
@@ -17,6 +17,9 @@
 "ports": {
 "dns": 53
 },
+ "recursors": [
+ "{{ dns_server }}"
+ ],
 "encrypt": "{{ consul_gossip_encrypt }}",
 "domain": "2.cluster.deuxfleurs.fr",
 "performance": {
diff --git a/ansible/roles/consul/templates/resolv.conf.j2 b/ansible/roles/consul/templates/resolv.conf.j2
new file mode 100644
index 0000000..2404034
--- /dev/null
+++ b/ansible/roles/consul/templates/resolv.conf.j2
@@ -0,0 +1,2 @@
+nameserver {{ private_ip }}
+nameserver {{ dns_server }}
diff --git a/ansible/roles/network/files/nsswitch.conf b/ansible/roles/network/files/nsswitch.conf
index f4c3149..a84e024 100644
--- a/ansible/roles/network/files/nsswitch.conf
+++ b/ansible/roles/network/files/nsswitch.conf
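Review bot: With the `restart consul` handler deleted and every `notify:` dropped, a change to consul.json.j2 or to the systemd unit is written to disk but never reaches the running agent: `service: name=consul state=started enabled=yes daemon_reload=yes` only starts a stopped service and re-reads unit files, it does not restart a running one. Register the template/copy results and restart on change, e.g. `register: consul_config` on the "Deploy consul configuration" task and a `service: name=consul state=restarted` task with `when: consul_config.changed`, or keep a handler. The same applies to ansible/roles/nomad/tasks/main.yml further down, where `restart nomad` and its `notify:` entries are removed in the same way; there the missing restart also means the new `client.options` block in nomad.hcl.j2 is not picked up on already-running clients.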
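Review bot: `recursors` turns the Consul DNS listener on port 53 (the `"dns": 53` context line) into a forwarding resolver for every name outside the cluster domain; whether that listener is reachable from off-host depends on `client_addr`/`addresses.dns`, which are not in this hunk. If it is bound to anything other than loopback or the private interface, each node becomes an open recursive resolver, so rules.v4.j2 should restrict 53/udp and 53/tcp to the cluster's own addresses. A Jinja comment in the template, `{# non-cluster names are forwarded to dns_server; keep port 53 firewalled to the private network #}`, would record the intent next to the setting.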
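Review bot: The second `nameserver {{ dns_server }}` line is only consulted when the first resolver times out, and in exactly that case (Consul down) the stub resolver sends the cluster's own names (`*.2.cluster.deuxfleurs.fr`, per the `domain` setting in consul.json.j2) to the upstream recursor, which exposes internal service names and still answers NXDOMAIN; for public names the new `recursors` entry already forwards through Consul, so the line buys little when Consul is up. If the fallback is deliberate, say so in the template, `# fallback for public names only, used when the local consul agent is down`; otherwise keep Consul as the single nameserver. In either case an `options timeout:1 attempts:2` line is worth adding — with the default 5 s per try, every lookup hangs for seconds whenever the first server is unreachable.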
@@ -9,8 +9,7 @@ group: files systemd shadow: files gshadow: files -#hosts: files dns -hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname +hosts: files dns networks: files protocols: db files
diff --git a/ansible/roles/network/files/systemd-resolve-no-listen.conf b/ansible/roles/network/files/systemd-resolve-no-listen.conf
deleted file mode 100644
index 6e95967..0000000
--- a/ansible/roles/network/files/systemd-resolve-no-listen.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Resolve]
-DNSStubListener=no
diff --git a/ansible/roles/network/handlers/main.yml b/ansible/roles/network/handlers/main.yml
deleted file mode 100644
index 3454894..0000000
--- a/ansible/roles/network/handlers/main.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: reload iptables
- shell: iptables-restore < /etc/iptables/rules.v4 && systemctl restart docker && ifdown nomad1 || true && ifup nomad1 || true
-
-- name: reload ip6tables
- shell: ip6tables-restore < /etc/iptables/rules.v6
-
-- name: reload nomad interface
- shell: ifdown nomad1 || true ; ifup nomad1
-
-- name: reload systemd-resolved
- service: name=systemd-resolved state=restarted
diff --git a/ansible/roles/network/tasks/main.yml b/ansible/roles/network/tasks/main.yml
index 7f95b0f..2087765 100644
--- a/ansible/roles/network/tasks/main.yml
+++ b/ansible/roles/network/tasks/main.yml
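Review bot: `hosts: files dns` drops `myhostname` together with `resolve`, so once resolved is gone the machine's own hostname resolves only if /etc/hosts carries it; nothing in this role writes /etc/hosts, and an unresolvable hostname is a common cause of slow sudo and of daemons that fail to bind by name. Unless /etc/hosts is managed elsewhere, keep the nss module: `hosts: files dns myhostname`. Only the lines around `hosts:` are in the hunk; the rest of the file is unchanged.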
@@ -1,42 +1,23 @@
-- name: "Add dummy interface to handle Nomad NAT restriction nomad#2770"
- template: src=nomad-interface.j2 dest=/etc/network/interfaces.d/nomad.cfg
- when: public_ip != private_ip
- notify:
- - reload nomad interface
-
 - name: "Deploy iptablesv4 configuration"
 template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
- notify:
- - reload iptables
 
 - name: "Deploy iptablesv6 configuration"
 copy: src=rules.v6 dest=/etc/iptables/rules.v6
- notify:
- - reload ip6tables
 
 - name: "Activate IP forwarding"
 sysctl:
 name: net.ipv4.ip_forward
- value: 1
+ value: "1"
 sysctl_set: yes
 
-- name: "Create systemd-resolved override directory"
- file: path=/etc/systemd/resolved.conf.d/ state=directory
-
-- name: "Prevent systemd-resolved from listening on port 53 (DNS)"
- copy: src=systemd-resolve-no-listen.conf dest=/etc/systemd/resolved.conf.d/systemd-resolve-no-listen.conf
- notify: reload systemd-resolved
+# These two lines are used to undo previous config, remove them once it is done
+- name: "Update nsswitch.conf to not use systemd-resolved"
+ copy: src=nsswitch.conf dest=/etc/nsswitch.conf
 
-- name: "Use systemd-resolved as a source for /etc/resolv.conf"
- file:
- src: "/run/systemd/resolve/resolv.conf"
- dest: "/etc/resolv.conf"
- state: link
- force: yes
- notify: reload systemd-resolved
+- name: "Disable systemd-resolved"
+ systemd:
+ name: systemd-resolved
+ state: stopped
+ enabled: false
 
-- name: "Update nsswitch.conf to use systemd-resolved"
- copy: src=nsswitch.conf dest=/etc/nsswitch.conf
 
-- name: "Flush handlers"
- meta: flush_handlers
diff --git a/ansible/roles/network/templates/nomad-interface.j2 b/ansible/roles/network/templates/nomad-interface.j2
deleted file mode 100644
index 74e9cd4..0000000
--- a/ansible/roles/network/templates/nomad-interface.j2
+++ /dev/null
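Review bot: With `notify: reload iptables` / `reload ip6tables` removed and the handlers file deleted in the same commit, nothing in this role applies rules.v4 and rules.v6 any more: the files land in /etc/iptables but the running firewall keeps its previous state until something outside this hunk (a reboot with netfilter-persistent, say) loads them, so a hardening change can sit unapplied indefinitely. Re-add an apply path, e.g. `register: iptables_v4` on the template task and a `shell: iptables-restore < /etc/iptables/rules.v4` task guarded by `when: iptables_v4.changed`, and the same for v6. Two smaller things: the new comment says "These two lines" but labels two tasks, so `# These two tasks undo the earlier systemd-resolved setup; drop them once every host has converged` reads better, and the `systemd:` task can fail with a missing-unit error on a host where the common role really did remove the systemd-resolved package — guard it with a check for the unit's presence so the two roles agree.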
@@ -1,8 +0,0 @@
-auto nomad1
-iface nomad1 inet manual
- pre-up /sbin/ip link add nomad1 type dummy
- up /sbin/ip addr add {{ public_ip }} dev nomad1
- up /sbin/iptables -t nat -A PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
- down /sbin/iptables -t nat -D PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
- post-down /sbin/ip link del nomad1
-
diff --git a/ansible/roles/nomad/handlers/main.yml b/ansible/roles/nomad/handlers/main.yml
deleted file mode 100644
index 0274673..0000000
--- a/ansible/roles/nomad/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- name: restart nomad
- service: name=nomad state=restarted
-
diff --git a/ansible/roles/nomad/tasks/main.yml b/ansible/roles/nomad/tasks/main.yml
index 0b7b65c..7c73362 100644
--- a/ansible/roles/nomad/tasks/main.yml
+++ b/ansible/roles/nomad/tasks/main.yml
@@ -1,16 +1,6 @@
 - name: "Set nomad version"
 set_fact:
- nomad_version: 0.11.3
-
-- name: "Download and install Nomad for armv7l"
- unarchive:
- src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_arm.zip"
- dest: /usr/local/bin
- remote_src: yes
- when:
- - "ansible_architecture == 'armv7l'"
- notify:
- - restart nomad
+ nomad_version: 0.12.0-beta2
 
 - name: "Download and install Nomad for x86_64"
 unarchive:
@@ -19,31 +9,15 @@
 remote_src: yes
 when:
 - "ansible_architecture == 'x86_64'"
- notify:
- - restart nomad
-
-- name: "Download and install Nomad for arm64"
- unarchive:
- src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_arm64.zip"
- dest: /usr/local/bin
- remote_src: yes
- when:
- - "ansible_architecture == 'aarch64'"
- notify:
- - restart nomad
 
 - name: "Create Nomad configuration directory"
 file: path=/etc/nomad/ state=directory
 
 - name: "Deploy Nomad configuration"
 template: src=nomad.hcl.j2 dest=/etc/nomad/nomad.hcl
- notify:
- - restart nomad
 
 - name: "Deploy Nomad systemd service"
 copy: src=nomad.service dest=/etc/systemd/system/nomad.service
- notify:
- - restart nomad
 
 - name: "Enable Nomad systemd service at boot"
 service: name=nomad state=started enabled=yes daemon_reload=yes
diff --git a/ansible/roles/nomad/templates/nomad.hcl.j2 b/ansible/roles/nomad/templates/nomad.hcl.j2
index 8107410..b0be6a8 100644
--- a/ansible/roles/nomad/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad/templates/nomad.hcl.j2
@@ -26,5 +26,9 @@ client { #cpu_total_compute = 4000 servers = ["127.0.0.1:4648"] network_interface = "{{ interface }}" + options { + docker.privileged.enabled = "true" + docker.volumes.enabled = "true" + } } |
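Review bot: `docker.privileged.enabled = "true"` and `docker.volumes.enabled = "true"` are driver-wide switches: anyone who can submit a job to this cluster can now run a privileged container or bind-mount any host path, which amounts to root on every client, and as far as I know the open-source Nomad of this era cannot narrow these per job or per namespace, so the only remaining gate is who can reach the API and whether ACLs are enforced — no `acl` block is visible in this hunk. If both options are required, record the trade-off next to them, e.g. `# privileged + host volumes are enabled cluster-wide: job submission rights equal host root; keep the Nomad API ACL-gated and firewalled`, and confirm in rules.v4.j2 that the HTTP API and the `servers` address on the context line are not reachable from outside the cluster. The enclosing `client {` block starts before this hunk.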