diff options
author | Quentin <quentin@deuxfleurs.fr> | 2020-09-12 10:03:48 +0200 |
---|---|---|
committer | Quentin <quentin@deuxfleurs.fr> | 2020-09-12 10:03:48 +0200 |
commit | c4a6cf1534b864d3941c839d4a4dca7e505bd828 (patch) | |
tree | 3e866768cf39ae947def5b205f74fddfb435725d /os_config/roles | |
parent | 0550647b9348d1e36431400e0832b4340564c658 (diff) | |
download | infrastructure-c4a6cf1534b864d3941c839d4a4dca7e505bd828.tar.gz infrastructure-c4a6cf1534b864d3941c839d4a4dca7e505bd828.zip |
Rebase first step
Diffstat (limited to 'os_config/roles')
24 files changed, 404 insertions, 0 deletions
diff --git a/os_config/roles/common/tasks/main.yml b/os_config/roles/common/tasks/main.yml new file mode 100644 index 0000000..b4d00bb --- /dev/null +++ b/os_config/roles/common/tasks/main.yml @@ -0,0 +1,51 @@ +- name: "Check that host runs Debian buster/sid on armv7l or x86_64" + assert: + that: + - "ansible_architecture == 'aarch64' or ansible_architecture == 'armv7l' or ansible_architecture == 'x86_64'" + - "ansible_os_family == 'Debian'" + +- name: "Upgrade system" + apt: + upgrade: dist # Should we do a full uprade instead of a dist one? + update_cache: yes + cache_valid_time: 3600 + autoclean: yes + autoremove: yes + +- name: "Install base tools" + apt: + name: + - vim + - htop + - screen + - iptables + - iptables-persistent + - nftables + - iproute2 + - curl + - iputils-ping + - dnsutils + - bmon + - iftop + - iotop + - docker.io + - unzip + - tar + - tcpdump + - less + - parted + - btrfs-tools + - libnss-resolve + - net-tools + - strace + - sudo + state: present + +- name: "Passwordless sudo" + lineinfile: + path: /etc/sudoers + state: present + regexp: '^%sudo' + line: '%sudo ALL=(ALL) NOPASSWD: ALL' + validate: 'visudo -cf %s' + diff --git a/os_config/roles/consul/files/consul.service b/os_config/roles/consul/files/consul.service new file mode 100644 index 0000000..ffaa2a3 --- /dev/null +++ b/os_config/roles/consul/files/consul.service @@ -0,0 +1,10 @@ +[Unit] +Description=Consul +After=network-online.target +Wants=network-online.target + +[Service] +ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul + +[Install] +WantedBy=multi-user.target diff --git a/os_config/roles/consul/tasks/main.yml b/os_config/roles/consul/tasks/main.yml new file mode 100644 index 0000000..2b77080 --- /dev/null +++ b/os_config/roles/consul/tasks/main.yml @@ -0,0 +1,26 @@ +- name: "Set consul version" + set_fact: + consul_version: 1.8.0 + +- name: "Download and install Consul for x86_64" + unarchive: + src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" + dest: /usr/local/bin + remote_src: yes + when: + - "ansible_architecture == 'x86_64'" + +- name: "Create consul configuration directory" + file: path=/etc/consul/ state=directory + +- name: "Deploy consul configuration" + template: src=consul.json.j2 dest=/etc/consul/consul.json + +- name: "Deploy consul systemd service" + copy: src=consul.service dest=/etc/systemd/system/consul.service + +- name: "Enable consul systemd service at boot" + service: name=consul state=started enabled=yes daemon_reload=yes + +- name: "Deploy resolv.conf to use Consul" + template: src=resolv.conf.j2 dest=/etc/resolv.conf diff --git a/os_config/roles/consul/templates/consul.json.j2 b/os_config/roles/consul/templates/consul.json.j2 new file mode 100644 index 0000000..b6c86aa --- /dev/null +++ b/os_config/roles/consul/templates/consul.json.j2 @@ -0,0 +1,30 @@ +{ + "data_dir": "/var/lib/consul", + "bind_addr": "0.0.0.0", + "advertise_addr": "{{ public_ip }}", + "addresses": { + "dns": "0.0.0.0", + "http": "0.0.0.0" + }, + "retry_join": [ + {% for selected_host in groups['cluster_nodes']|reject("sameas", ansible_fqdn) %}{# @FIXME: Reject doesn't work #} + "{{ hostvars[selected_host]['private_ip'] }}" {{ "," if not loop.last else "" }} + {% endfor %} + ], + "bootstrap_expect": 3, + "server": true, + "ui": true, + "ports": { + "dns": 53 + }, + "recursors": [ + "{{ dns_server }}" + ], + "encrypt": "{{ consul_gossip_encrypt }}", + "domain": "2.cluster.deuxfleurs.fr", + "performance": { + "raft_multiplier": 10, + "rpc_hold_timeout": "30s", + "leave_drain_time": "30s" + } +} diff --git a/os_config/roles/consul/templates/resolv.conf.j2 b/os_config/roles/consul/templates/resolv.conf.j2 new file mode 100644 index 0000000..2404034 --- /dev/null +++ b/os_config/roles/consul/templates/resolv.conf.j2 @@ -0,0 +1,2 @@ +nameserver {{ private_ip }} +nameserver {{ dns_server }} diff --git a/os_config/roles/consul/vars/.gitignore b/os_config/roles/consul/vars/.gitignore new file mode 100644 index 0000000..ff5c0bd --- /dev/null +++ b/os_config/roles/consul/vars/.gitignore @@ -0,0 +1 @@ +main.yml diff --git a/os_config/roles/consul/vars/main.yml.sample b/os_config/roles/consul/vars/main.yml.sample new file mode 100644 index 0000000..9c44126 --- /dev/null +++ b/os_config/roles/consul/vars/main.yml.sample @@ -0,0 +1,2 @@ +--- +consul_gossip_encrypt: "<secret>" diff --git a/os_config/roles/network/files/rules.v6 b/os_config/roles/network/files/rules.v6 new file mode 100644 index 0000000..17ff71c --- /dev/null +++ b/os_config/roles/network/files/rules.v6 @@ -0,0 +1,12 @@ +# WARNING!! When rules.{v4,v6} are changed, the whole iptables configuration is reloaded. +# This creates issues with Docker, which injects its own configuration in iptables when it starts. +# In practice, most (all?) containers will break if rules.{v4,v6} are changed, +# and docker will have to be restared. + + +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT + diff --git a/os_config/roles/network/tasks/main.yml b/os_config/roles/network/tasks/main.yml new file mode 100644 index 0000000..1443e0c --- /dev/null +++ b/os_config/roles/network/tasks/main.yml @@ -0,0 +1,11 @@ +- name: "Deploy iptablesv4 configuration" + template: src=rules.v4.j2 dest=/etc/iptables/rules.v4 + +- name: "Deploy iptablesv6 configuration" + copy: src=rules.v6 dest=/etc/iptables/rules.v6 + +- name: "Activate IP forwarding" + sysctl: + name: net.ipv4.ip_forward + value: "1" + sysctl_set: yes diff --git a/os_config/roles/network/templates/rules.v4.j2 b/os_config/roles/network/templates/rules.v4.j2 new file mode 100644 index 0000000..a446139 --- /dev/null +++ b/os_config/roles/network/templates/rules.v4.j2 @@ -0,0 +1,36 @@ +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] + +# Administration +-A INPUT -p tcp --dport 22 -j ACCEPT + +# Cluster +-A INPUT -s 192.168.1.254 -j ACCEPT +-A INPUT -s 82.253.205.190 -j ACCEPT +{% for selected_host in groups['cluster_nodes'] %} +-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT +-A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT +{% endfor %} + +# Local +-A INPUT -i docker0 -j ACCEPT +-A INPUT -s 127.0.0.1/8 -j ACCEPT +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +COMMIT + +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT + +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT diff --git a/os_config/roles/nomad/files/nomad.service b/os_config/roles/nomad/files/nomad.service new file mode 100644 index 0000000..50116be --- /dev/null +++ b/os_config/roles/nomad/files/nomad.service @@ -0,0 +1,15 @@ +[Unit] +Description=Nomad +After=network-online.target +After=glusterd.service +After=consul.service +Wants=network-online.target +Wants=glusterd.service +Wants=consul.service + +[Service] +ExecStart=/usr/local/bin/nomad agent -config /etc/nomad + +[Install] +WantedBy=multi-user.target + diff --git a/os_config/roles/nomad/tasks/main.yml b/os_config/roles/nomad/tasks/main.yml new file mode 100644 index 0000000..7c73362 --- /dev/null +++ b/os_config/roles/nomad/tasks/main.yml @@ -0,0 +1,23 @@ +- name: "Set nomad version" + set_fact: + nomad_version: 0.12.0-beta2 + +- name: "Download and install Nomad for x86_64" + unarchive: + src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip" + dest: /usr/local/bin + remote_src: yes + when: + - "ansible_architecture == 'x86_64'" + +- name: "Create Nomad configuration directory" + file: path=/etc/nomad/ state=directory + +- name: "Deploy Nomad configuration" + template: src=nomad.hcl.j2 dest=/etc/nomad/nomad.hcl + +- name: "Deploy Nomad systemd service" + copy: src=nomad.service dest=/etc/systemd/system/nomad.service + +- name: "Enable Nomad systemd service at boot" + service: name=nomad state=started enabled=yes daemon_reload=yes diff --git a/os_config/roles/nomad/templates/nomad.hcl.j2 b/os_config/roles/nomad/templates/nomad.hcl.j2 new file mode 100644 index 0000000..b0be6a8 --- /dev/null +++ b/os_config/roles/nomad/templates/nomad.hcl.j2 @@ -0,0 +1,34 @@ +addresses { + http = "0.0.0.0" + rpc = "0.0.0.0" + serf = "0.0.0.0" +} + +advertise { + http = "{{ public_ip }}" + rpc = "{{ public_ip }}" + serf = "{{ public_ip }}" +} + +data_dir = "/var/lib/nomad" + +server { + enabled = true + bootstrap_expect = 3 +} + +consul { + address="127.0.0.1:8500" +} + +client { + enabled = true + #cpu_total_compute = 4000 + servers = ["127.0.0.1:4648"] + network_interface = "{{ interface }}" + options { + docker.privileged.enabled = "true" + docker.volumes.enabled = "true" + } +} + diff --git a/os_config/roles/storage/handlers/main.yml b/os_config/roles/storage/handlers/main.yml new file mode 100644 index 0000000..a395c93 --- /dev/null +++ b/os_config/roles/storage/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: umount gluster + shell: umount --force --lazy /mnt/glusterfs ; true diff --git a/os_config/roles/storage/tasks/main.yml b/os_config/roles/storage/tasks/main.yml new file mode 100644 index 0000000..a1f2d8f --- /dev/null +++ b/os_config/roles/storage/tasks/main.yml @@ -0,0 +1,72 @@ +- name: "Add GlusterFS Repo Key" + apt_key: + url: https://download.gluster.org/pub/gluster/glusterfs/5/rsa.pub + state: present + +- name: "Add GlusterFS official repository" + apt_repository: + repo: "deb [arch=amd64] https://download.gluster.org/pub/gluster/glusterfs/5/LATEST/Debian/buster/amd64/apt buster main" + state: present + filename: gluster + +- name: "Install GlusterFS" + apt: + name: + - glusterfs-server + - glusterfs-client + state: present + +- name: "Ensure Gluster Daemon started and enabled" + service: + name: glusterd + enabled: yes + state: started + +- name: "Create directory for GlusterFS bricks" + file: path=/mnt/storage/glusterfs/brick1 recurse=yes state=directory + +- name: "Create GlusterFS volumes" + gluster_volume: + state: present + name: donnees + bricks: /mnt/storage/glusterfs/brick1/g1 + #rebalance: yes + redundancies: 1 + disperses: 3 + #replicas: 3 + force: yes + options: + client.event-threads: "8" + server.event-threads: "8" + performance.stat-prefetch: "on" + nfs.disable: "on" + features.cache-invalidation: "on" + performance.client-io-threads: "on" + config.transport: tcp + performance.quick-read: "on" + performance.io-cache: "on" + nfs.export-volumes: "off" + cluster.lookup-optimize: "on" + + cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['private_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}" + run_once: true + +- name: "Create mountpoint" + file: path=/mnt/glusterfs recurse=yes state=directory + +- name: "Flush handlers (umount glusterfs and restart ganesha)" + meta: flush_handlers + +- name: "Add fstab entry" + tags: gluster-fstab + mount: + path: /mnt/glusterfs + src: "{{ private_ip }}:/donnees" + fstype: glusterfs + opts: "defaults,_netdev,noauto,x-systemd.automount" + state: present + +- name: Mount everything + command: mount -a + args: + warn: no diff --git a/os_config/roles/users/files/alex-key1.pub b/os_config/roles/users/files/alex-key1.pub new file mode 100644 index 0000000..93514ab --- /dev/null +++ b/os_config/roles/users/files/alex-key1.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDdVbA9fEdqSr5UJ77NnoIqDTVp8ca5kHExhZYI4ecBExFJfonJllXMBN9KdC4ukxtY8Ug47PcMOfMaTBZQc+e+KpvDWpkBt15Xpem3RCxmMBES79sLL7LgtAdBXc5mNaCX8EOEVixWKdarjvxRyf6py6the51G5muaiMpoj5fae4ZpRGjhGTPefzc7y7zRWBUUZ8pYHW774BIaK6XT9gn3hyHV+Occjl/UODXvodktk55YtnuPi8adXTYEsHrVVz8AkFhx+cr0U/U8vtQnsTrZG+JmgQLqpXVs0RDw5bE1RefEbMuYNKxutYKUe3L+ZJtDe0M0MqOFI8a4F5TxP5 katchup@konata diff --git a/os_config/roles/users/files/alex-key2.pub b/os_config/roles/users/files/alex-key2.pub new file mode 100644 index 0000000..1eddcc8 --- /dev/null +++ b/os_config/roles/users/files/alex-key2.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJk4tAEhDkLeik9eEHIHMliyckM/gWr/k6fX/CSmayCM katchup@charlotte diff --git a/os_config/roles/users/files/florian-key1.pub b/os_config/roles/users/files/florian-key1.pub new file mode 100644 index 0000000..47b5593 --- /dev/null +++ b/os_config/roles/users/files/florian-key1.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/qOM2BYy3UFycDylioACWrnDwg69AoTNE6Ym9W4WI2R+FXd6A1DDG+NLW2orUfkARcJGYEXkzsd3wjDg0s+FS23QWTP+JTkZbdGzuMAcoNeJBtgsCq6m5Q2kvrQc5RscYBr/OZtx2PUfrGyRE3yiVCj38zOgRLRWY0Iqs97tlH74YP4BG3jQ/MI5zXEptWcXBO86FtISB3QyHPRg5OH0192094X/QcG18GKd2ORxC/ZcwK9GdEbJJHgkxJ0TbsQO3KfNTEFBCiynYpYViBsQZsrdBkw4sHHy5OKEahIexdpUg8EJhpyzLn6pvGSqua/mVxirJazgNgtvLlrUsAuNd4/HoWRSqzh51/4hQJ3BV4Yed/tX0rwlT/ZzIIzpGw+qJF3IVuxdvXIineNAEyjVfLVT6hADyQu52ziHSE0cVmUkWT0R7ZgPku0PRBuSeewJIm8uLM69GU/GeRt+mSNl6xOvtBrY/j6sRHcMROlgSHhJ6YnvmkiYXl0MyrH9YGc8= diff --git a/os_config/roles/users/files/florian-key2.pub b/os_config/roles/users/files/florian-key2.pub new file mode 100644 index 0000000..f9935b3 --- /dev/null +++ b/os_config/roles/users/files/florian-key2.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0OcDsEZdiizsz8UIgOIqOQilnHWq0sOxuu6idOqqLVYLPZEv8owdeC5oIgQj94BcKnRzpe8UHxN13GQdEWsqCim6Zn8G5x1HdZDBC83466x3i6KBkMP0dk+h47tENxKFXBPUbh/2sR8r/lZXEhzCCo7tpVuRZpCc/r8WPbAQpLgDO2D0dR7etwf3ndgObxQU0w7WbN+7NzmaHE+VQLu/pqH0op8jZyebfb26XhZ1JnNrDhp86KYbusagn6wUwp3vaJmK9UyEMi21E5HI0ri51+FP8kaTCUpgIRmgIkKFFWiup5I56K8cpgZHcJ4NY7G3jHJeI3KBlazVMyhDVJ5glI1mV0zgdr7BRGqhn70hjf5vbkzcHbRVaMaGzGENLpTFWnaONB/EbqRghWsiVpV75BYzvxSSM8Yrx8pwKUBtLWU+FjljwuumXNLigLIc/FTxdcLvZudn51+XdJXtCBrBI1H22Q7kYXz7Pi800CDLQ8rUWkW8upQ+zu5fSRH+Ptwc= diff --git a/os_config/roles/users/files/maximilien-key1.pub b/os_config/roles/users/files/maximilien-key1.pub new file mode 100644 index 0000000..963b1f9 --- /dev/null +++ b/os_config/roles/users/files/maximilien-key1.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5 diff --git a/os_config/roles/users/files/quentin-key1.pub b/os_config/roles/users/files/quentin-key1.pub new file mode 100644 index 0000000..f3667e0 --- /dev/null +++ b/os_config/roles/users/files/quentin-key1.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io diff --git a/os_config/roles/users/files/quentin-key2.pub b/os_config/roles/users/files/quentin-key2.pub new file mode 100644 index 0000000..c1b19fd --- /dev/null +++ b/os_config/roles/users/files/quentin-key2.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBu+KUebaWwlugMC5fGbNhHc6IaQDAC6+1vMc4Ww7nVU1rs2nwI7L5qcWxOwNdhFaorZQZy/fJuCWdFbF61RCKGayBWPLZHGPsfqDuggYNEi1Qil1kpeCECfDQNjyMTK058ZBBhOWNMHBjlLWXUlRJDkRBBECY0vo4jRv22SvSaPUCAnkdJ9rbAp/kqb497PTIb2r1l1/ew8YdhINAlpYQFQezZVfkZdTKxt22n0QCjhupqjfh3gfNnbBX0z/iO+RvAOWRIZsjPFLC+jXl+n7cnu2cq1nvST5eHiYfXXeIgIwmeENLKqp+2Twr7PIdv22PnJkh6iR5kx7eTRxkNZdN quentin@deuxfleurs.fr diff --git a/os_config/roles/users/tasks/main.yml b/os_config/roles/users/tasks/main.yml new file mode 100644 index 0000000..990a041 --- /dev/null +++ b/os_config/roles/users/tasks/main.yml @@ -0,0 +1,39 @@ +- name: Add users in the system + user: + name: "{{ item.username }}" + #groups: docker + shell: "{{ item.shell | default('/bin/bash') }}" + append: no + loop: "{{ active_users + | selectattr('is_admin', 'defined') + | rejectattr('is_admin') + | list + | union( active_users + | selectattr('is_admin', 'undefined') + | list )}}" + +- name: Set admin rights + user: + name: "{{ item.username }}" + groups: docker, sudo + shell: "{{ item.shell | default('/bin/bash') }}" + append: no + loop: "{{ active_users + | selectattr('is_admin', 'defined') + | selectattr('is_admin') + | list }}" + +# [V How SSH Key works] magic is done by subelements, understand the trick at: +# https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#subelements-filter +- name: Add SSH keys + authorized_key: + user: "{{ item.0.username }}" + state: present + key: "{{ lookup('file', item.1) }}" + loop: "{{ active_users | subelements('ssh_keys', skip_missing=True) }}" + +- name: Disable old users + user: + name: "{{ item }}" + state: absent + loop: "{{ disabled_users }}" diff --git a/os_config/roles/users/vars/main.yml b/os_config/roles/users/vars/main.yml new file mode 100644 index 0000000..5f4df4d --- /dev/null +++ b/os_config/roles/users/vars/main.yml @@ -0,0 +1,30 @@ +--- +active_users: + - username: 'quentin' + is_admin: true + ssh_keys: + - 'quentin-key1.pub' + - 'quentin-key2.pub' + + - username: 'alex' + is_admin: true + ssh_keys: + - 'alex-key1.pub' + - 'alex-key2.pub' + + - username: 'maximilien' + is_admin: true + ssh_keys: + - 'maximilien-key1.pub' + + - username: 'florian' + is_admin: false + ssh_keys: + - 'quentin-key1.pub' + #- 'florian-key1.pub' + #- 'florian-key2.pub' + +disabled_users: + - 'john.doe' + - 'erwan' + - 'valentin' |