diff options
-rw-r--r-- | os/config/cluster_nodes.yml | 2 | ||||
-rw-r--r-- | os/config/hammerhead_inventory.yml | 17 | ||||
-rw-r--r-- | os/config/production.yml | 4 | ||||
-rw-r--r-- | os/config/roles/common/tasks/docker.yml | 75 | ||||
-rw-r--r-- | os/config/roles/common/tasks/hashicorp.yml | 24 | ||||
-rw-r--r-- | os/config/roles/common/tasks/main.yml | 78 | ||||
-rw-r--r-- | os/config/roles/consul/tasks/main.yml | 20 | ||||
-rw-r--r-- | os/config/roles/network/templates/rules.v4 | 4 | ||||
-rw-r--r-- | os/config/roles/network/templates/rules.v6 | 4 | ||||
-rw-r--r-- | os/config/roles/nomad/tasks/main.yml | 20 | ||||
-rw-r--r-- | os/config/roles/users/vars/main.yml | 1 |
11 files changed, 203 insertions, 46 deletions
diff --git a/os/config/cluster_nodes.yml b/os/config/cluster_nodes.yml index ea58630..0f22baf 100644 --- a/os/config/cluster_nodes.yml +++ b/os/config/cluster_nodes.yml @@ -1,6 +1,8 @@ --- - hosts: cluster_nodes + # "you can define how many hosts Ansible should manage at a single time + # using the serial keyword" serial: 1 roles: - role: common diff --git a/os/config/hammerhead_inventory.yml b/os/config/hammerhead_inventory.yml new file mode 100644 index 0000000..dd2117e --- /dev/null +++ b/os/config/hammerhead_inventory.yml @@ -0,0 +1,17 @@ +cluster_nodes: + hosts: + hammerhead: + ansible_host: ns3118584.ip-5-135-179.eu + ansible_port: 110 + ansible_user: root + ansible_ssh_private_key_file: /home/adrien/.ssh/hammerhead + ansible_become: true + ipv4: 5.135.179.11 + gatewayv4: 5.135.179.254 + ipv6: 2001:41d0:8:ba0b::1 + gatewayv6: fe80::264:40ff:fe3a:fac0 + interface: eno1 + dns_1: 213.186.33.99 + dns_2: 172.104.136.243 + ansible_python_interpreter: python3 + ssh_port: 110 diff --git a/os/config/production.yml b/os/config/production.yml index 8870b52..c0f6371 100644 --- a/os/config/production.yml +++ b/os/config/production.yml @@ -12,6 +12,7 @@ cluster_nodes: dns_1: 212.27.40.240 dns_2: 212.27.40.241 ansible_python_interpreter: python3 + ssh_port: 22 digitale: ansible_host: atuin.site.deuxfleurs.fr @@ -25,6 +26,7 @@ cluster_nodes: dns_1: 212.27.40.240 dns_2: 212.27.40.241 ansible_python_interpreter: python3 + ssh_port: 22 drosera: ansible_host: atuin.site.deuxfleurs.fr @@ -38,6 +40,7 @@ cluster_nodes: dns_1: 212.27.40.240 dns_2: 212.27.40.241 ansible_python_interpreter: python3 + ssh_port: 22 io: ansible_host: jupiter.site.deuxfleurs.fr @@ -51,3 +54,4 @@ cluster_nodes: dns_1: 109.0.66.20 dns_2: 109.0.66.10 ansible_python_interpreter: python3 + ssh_port: 22 diff --git a/os/config/roles/common/tasks/docker.yml b/os/config/roles/common/tasks/docker.yml new file mode 100644 index 0000000..a688f4b --- /dev/null +++ b/os/config/roles/common/tasks/docker.yml @@ -0,0 +1,75 @@ +# From the official Docker installation guide for Debian: +# https://docs.docker.com/engine/install/debian/ + +# Uninstall old Docker versions +# $ sudo apt-get remove docker docker-engine docker.io containerd runc +- name: "Remove old Docker versions" + ansible.builtin.apt: + state: absent + name: + - docker + - docker-engine + - docker.io + - containerd + - runc + +# Install dependencies +# > apt-transport-https ca-certificates curl gnupg lsb-release +- name: "Install Docker dependencies" + ansible.builtin.apt: + state: present + name: + - apt-transport-https + - ca-certificates + # - curl # Already installed in main.yml + - gnupg + - lsb-release + +# Dowload Docker's official GPG key +# $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg +- name: "Add Docker's official GPG key to apt" + ansible.builtin.apt_key: + id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 + url: https://download.docker.com/linux/debian/gpg + # Key destination path + keyring: /usr/share/keyrings/docker-archive-keyring.gpg + state: present + + +# Add Docker's repository to apt +# $ echo \ +# "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \ +# $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null +- name: "Add Docker's repository to APT sources list" + ansible.builtin.apt_repository: + repo: "deb [arch={{ architecture_map[ansible_architecture] }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" + state: present + vars: + architecture_map: + "x86_64": "amd64" + "aarch64": "arm64" + "aarch": "arm64" + "armhf": "armhf" + "armv7l": "armhf" + +# Install Docker engine +# $ sudo apt-get update +# $ sudo apt-get install docker-ce docker-ce-cli containerd.io +- name: "Install Docker engine" + ansible.builtin.apt: + state: present + update_cache: yes + name: + - docker-ce + - docker-ce-cli + - containerd.io + +# Install docker-compose +# $ sudo curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose +- name: "Install Docker Compose" + ansible.builtin.get_url: + url: "https://github.com/docker/compose/releases/download/{{ compose_version }}/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}" + dest: /usr/local/bin/docker-compose + mode: "0755" + vars: + compose_version: 1.28.5
\ No newline at end of file diff --git a/os/config/roles/common/tasks/hashicorp.yml b/os/config/roles/common/tasks/hashicorp.yml new file mode 100644 index 0000000..9cf647b --- /dev/null +++ b/os/config/roles/common/tasks/hashicorp.yml @@ -0,0 +1,24 @@ +- name: "Add Hashicorps's official GPG key to apt" + ansible.builtin.apt_key: + url: https://apt.releases.hashicorp.com/gpg + state: present + +- name: "Add Hashicorp's repository to APT sources list" + ansible.builtin.apt_repository: + repo: "deb [arch={{ architecture_map[ansible_architecture] }}] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main" + state: present + vars: + architecture_map: + "x86_64": "amd64" + "aarch64": "arm64" + "aarch": "arm64" + "armhf": "armhf" + "armv7l": "armhf" + +- name: "Install Nomad & Consul" + ansible.builtin.apt: + state: present + update_cache: yes + name: + - nomad + - consul
\ No newline at end of file diff --git a/os/config/roles/common/tasks/main.yml b/os/config/roles/common/tasks/main.yml index 3898c8f..37cad52 100644 --- a/os/config/roles/common/tasks/main.yml +++ b/os/config/roles/common/tasks/main.yml @@ -15,39 +15,73 @@ - name: "Install base tools" apt: name: - - vim - - htop - - screen - - iptables - - iptables-persistent - - nftables - - iproute2 + # Essentials - curl - - iputils-ping - - dnsutils + - less + - sudo + - tar + - unzip + # User tooling + - screen + - vim + # Monitoring - bmon + - htop - iftop - iotop - - docker.io - - unzip - - tar - - tcpdump - - less - - parted - - btrfs-tools - - libnss-resolve - - net-tools + - iputils-ping + - pciutils - strace - - sudo + - tcpdump + # Networking + - dnsutils # now called bind9-dnsutils - ethtool - - pciutils + - iproute2 # advanced net-tools + - iptables # legacy firewall (still used by diplonat) + - iptables-persistent + - net-tools # basic network tools + - nftables # iptables' successor (will replace it eventually) + # Optional / Dispensable + #- docker.io # Adrien n'approuve pas (il faut utiliser le repo Docker) + - parted + #- btrfs-tools + #- libnss-resolve # provides DNS/LLMNR utilities via systemd-resolved state: present +# Install Docker if need be + +- name: Check if Docker is installed + command: 'which docker' + args: + warn: no + register: docker_exists + changed_when: docker_exists.rc != 0 + ignore_errors: true + +- name: "Install Docker" + include_tasks: docker.yml + when: docker_exists.rc != 0 + +# Install Nomad & Consul if need be + +- name: Check if Nomad is installed + command: 'which nomad' + args: + warn: no + register: nomad_exists + changed_when: nomad_exists.rc != 0 + ignore_errors: true + +- name: "Install Nomad & Consul" + include_tasks: hashicorp.yml + when: nomad_exists.rc != 0 + + + - name: "Passwordless sudo" lineinfile: path: /etc/sudoers state: present regexp: '^%sudo' line: '%sudo ALL=(ALL) NOPASSWD: ALL' - validate: 'visudo -cf %s' - + validate: 'visudo -cf %s'
\ No newline at end of file diff --git a/os/config/roles/consul/tasks/main.yml b/os/config/roles/consul/tasks/main.yml index 340d4d7..da6f6f1 100644 --- a/os/config/roles/consul/tasks/main.yml +++ b/os/config/roles/consul/tasks/main.yml @@ -1,14 +1,14 @@ -- name: "Set consul version" - set_fact: - consul_version: 1.9.1 +# - name: "Set consul version" +# set_fact: +# consul_version: 1.9.1 -- name: "Download and install Consul for x86_64" - unarchive: - src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" - dest: /usr/local/bin - remote_src: yes - when: - - "ansible_architecture == 'x86_64'" +# - name: "Download and install Consul for x86_64" +# unarchive: +# src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" +# dest: /usr/local/bin +# remote_src: yes +# when: +# - "ansible_architecture == 'x86_64'" - name: "Create consul configuration directory" file: path=/etc/consul/ state=directory diff --git a/os/config/roles/network/templates/rules.v4 b/os/config/roles/network/templates/rules.v4 index a5f138b..8ccaed7 100644 --- a/os/config/roles/network/templates/rules.v4 +++ b/os/config/roles/network/templates/rules.v4 @@ -7,10 +7,10 @@ -A INPUT -p icmp -j ACCEPT # Administration --A INPUT -p tcp --dport 22 -j ACCEPT +-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT # Diplonat needs everything open to communicate with IGD with the router --A INPUT -s 192.168.1.254 -j ACCEPT +-A INPUT -s {{ gatewayv4 }} -j ACCEPT # Cluster {% for selected_host in groups['cluster_nodes'] %} diff --git a/os/config/roles/network/templates/rules.v6 b/os/config/roles/network/templates/rules.v6 index e2b94ea..6977f02 100644 --- a/os/config/roles/network/templates/rules.v6 +++ b/os/config/roles/network/templates/rules.v6 @@ -13,7 +13,7 @@ -A INPUT -p ipv6-icmp -j ACCEPT # Administration --A INPUT -p tcp --dport 22 -j ACCEPT +-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT # Cluster {% for selected_host in groups['cluster_nodes'] %} @@ -36,6 +36,8 @@ -A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT # ADRN@Gandi -A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT +# ADRN@Kimsufi +-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/64 -j DEUXFLEURS-TRUSTED-PORT # Quentin@Rennes -A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT # Source address is not trusted diff --git a/os/config/roles/nomad/tasks/main.yml b/os/config/roles/nomad/tasks/main.yml index 1ddedbe..080a75f 100644 --- a/os/config/roles/nomad/tasks/main.yml +++ b/os/config/roles/nomad/tasks/main.yml @@ -1,14 +1,14 @@ -- name: "Set nomad version" - set_fact: - nomad_version: 1.0.2 +# - name: "Set nomad version" +# set_fact: +# nomad_version: 1.0.2 -- name: "Download and install Nomad for x86_64" - unarchive: - src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip" - dest: /usr/local/bin - remote_src: yes - when: - - "ansible_architecture == 'x86_64'" +# - name: "Download and install Nomad for x86_64" +# unarchive: +# src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip" +# dest: /usr/local/bin +# remote_src: yes +# when: +# - "ansible_architecture == 'x86_64'" - name: "Create Nomad configuration directory" file: path=/etc/nomad/ state=directory diff --git a/os/config/roles/users/vars/main.yml b/os/config/roles/users/vars/main.yml index ca2dc0a..c4ca875 100644 --- a/os/config/roles/users/vars/main.yml +++ b/os/config/roles/users/vars/main.yml @@ -10,7 +10,6 @@ active_users: is_admin: true ssh_keys: - 'alex-key1.pub' - #- 'alex-key2.pub' - 'alex-key3.pub' - username: 'maximilien' |