-rw-r--r--os/config/cluster_nodes.yml2
-rw-r--r--os/config/hammerhead_inventory.yml17
-rw-r--r--os/config/production.yml4
-rw-r--r--os/config/roles/common/tasks/docker.yml75
-rw-r--r--os/config/roles/common/tasks/hashicorp.yml24
-rw-r--r--os/config/roles/common/tasks/main.yml78
-rw-r--r--os/config/roles/consul/tasks/main.yml20
-rw-r--r--os/config/roles/network/templates/rules.v44
-rw-r--r--os/config/roles/network/templates/rules.v64
-rw-r--r--os/config/roles/nomad/tasks/main.yml20
-rw-r--r--os/config/roles/users/vars/main.yml1
11 files changed, 203 insertions, 46 deletions
diff --git a/os/config/cluster_nodes.yml b/os/config/cluster_nodes.yml
index ea58630..0f22baf 100644
--- a/os/config/cluster_nodes.yml
+++ b/os/config/cluster_nodes.yml
@@ -1,6 +1,8 @@
---
- hosts: cluster_nodes
+ # "you can define how many hosts Ansible should manage at a single time
+ # using the serial keyword"
serial: 1
roles:
- role: common
diff --git a/os/config/hammerhead_inventory.yml b/os/config/hammerhead_inventory.yml
new file mode 100644
index 0000000..dd2117e
--- /dev/null
+++ b/os/config/hammerhead_inventory.yml
@@ -0,0 +1,17 @@
+cluster_nodes:
+ hosts:
+ hammerhead:
+ ansible_host: ns3118584.ip-5-135-179.eu
+ ansible_port: 110
+ ansible_user: root
+ ansible_ssh_private_key_file: /home/adrien/.ssh/hammerhead
+ ansible_become: true
+ ipv4: 5.135.179.11
+ gatewayv4: 5.135.179.254
+ ipv6: 2001:41d0:8:ba0b::1
+ gatewayv6: fe80::264:40ff:fe3a:fac0
+ interface: eno1
+ dns_1: 213.186.33.99
+ dns_2: 172.104.136.243
+ ansible_python_interpreter: python3
+ ssh_port: 110
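Review bot: `ansible_ssh_private_key_file: /home/adrien/.ssh/hammerhead` hardcodes one operator's home directory into a shared inventory, so any other admin or CI runner either fails or silently falls back to a different key; use `~/.ssh/hammerhead` or leave the key to each operator's `ssh_config`/`ansible.cfg`. `ansible_user: root` combined with `ansible_become: true` logs in directly as root over the exposed port (become is then a no-op), which forces sshd to keep `PermitRootLogin` enabled; if the hosts in production.yml connect as an unprivileged user and escalate, this node should match (their user is not visible in this diff). `ssh_port: 110` duplicates `ansible_port: 110`; deriving one from the other, `ssh_port: "{{ ansible_port }}"`, keeps the firewall template and the connection port from drifting apart.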
diff --git a/os/config/production.yml b/os/config/production.yml
index 8870b52..c0f6371 100644
--- a/os/config/production.yml
+++ b/os/config/production.yml
@@ -12,6 +12,7 @@ cluster_nodes:
dns_1: 212.27.40.240
dns_2: 212.27.40.241
ansible_python_interpreter: python3
+ ssh_port: 22
digitale:
ansible_host: atuin.site.deuxfleurs.fr
@@ -25,6 +26,7 @@ cluster_nodes:
dns_1: 212.27.40.240
dns_2: 212.27.40.241
ansible_python_interpreter: python3
+ ssh_port: 22
drosera:
ansible_host: atuin.site.deuxfleurs.fr
@@ -38,6 +40,7 @@ cluster_nodes:
dns_1: 212.27.40.240
dns_2: 212.27.40.241
ansible_python_interpreter: python3
+ ssh_port: 22
io:
ansible_host: jupiter.site.deuxfleurs.fr
@@ -51,3 +54,4 @@ cluster_nodes:
dns_1: 109.0.66.20
dns_2: 109.0.66.10
ansible_python_interpreter: python3
+ ssh_port: 22
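Review bot: `ssh_port: 22` is pasted verbatim into all four hosts; a value identical across the group belongs in a group-level variable (`cluster_nodes: vars: ssh_port: 22` in this inventory, or `group_vars/cluster_nodes.yml`) with per-host overrides only where they differ, so a future port change is one edit instead of four. The firewall templates in this commit now render `--dport {{ ssh_port }}`, so with Ansible's default error-on-undefined a host that forgets the variable fails the template task; a group default makes that impossible. Where `ansible_port` is also set (the new hammerhead inventory carries both), tie the two together rather than maintaining them by hand.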
diff --git a/os/config/roles/common/tasks/docker.yml b/os/config/roles/common/tasks/docker.yml
new file mode 100644
index 0000000..a688f4b
--- /dev/null
+++ b/os/config/roles/common/tasks/docker.yml
@@ -0,0 +1,75 @@
+# From the official Docker installation guide for Debian:
+# https://docs.docker.com/engine/install/debian/
+
+# Uninstall old Docker versions
+# $ sudo apt-get remove docker docker-engine docker.io containerd runc
+- name: "Remove old Docker versions"
+ ansible.builtin.apt:
+ state: absent
+ name:
+ - docker
+ - docker-engine
+ - docker.io
+ - containerd
+ - runc
+
+# Install dependencies
+# > apt-transport-https ca-certificates curl gnupg lsb-release
+- name: "Install Docker dependencies"
+ ansible.builtin.apt:
+ state: present
+ name:
+ - apt-transport-https
+ - ca-certificates
+ # - curl # Already installed in main.yml
+ - gnupg
+ - lsb-release
+
+# Dowload Docker's official GPG key
+# $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+- name: "Add Docker's official GPG key to apt"
+ ansible.builtin.apt_key:
+ id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+ url: https://download.docker.com/linux/debian/gpg
+ # Key destination path
+ keyring: /usr/share/keyrings/docker-archive-keyring.gpg
+ state: present
+
+
+# Add Docker's repository to apt
+# $ echo \
+# "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
+# $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+- name: "Add Docker's repository to APT sources list"
+ ansible.builtin.apt_repository:
+ repo: "deb [arch={{ architecture_map[ansible_architecture] }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+ state: present
+ vars:
+ architecture_map:
+ "x86_64": "amd64"
+ "aarch64": "arm64"
+ "aarch": "arm64"
+ "armhf": "armhf"
+ "armv7l": "armhf"
+
+# Install Docker engine
+# $ sudo apt-get update
+# $ sudo apt-get install docker-ce docker-ce-cli containerd.io
+- name: "Install Docker engine"
+ ansible.builtin.apt:
+ state: present
+ update_cache: yes
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+
+# Install docker-compose
+# $ sudo curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+- name: "Install Docker Compose"
+ ansible.builtin.get_url:
+ url: "https://github.com/docker/compose/releases/download/{{ compose_version }}/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
+ dest: /usr/local/bin/docker-compose
+ mode: "0755"
+ vars:
+ compose_version: 1.28.5 \ No newline at end of file
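Review bot: The Compose binary fetched by `get_url` at the end of the hunk is not integrity-checked — unlike the apt packages above, which are verified against the pinned key `9DC858229FC7DD38854AE2D88D81803C0EBFCD88`, this is an unsigned blob installed `0755` into `/usr/local/bin` and later executed as root on every node. Add a `checksum:` to the task, `checksum: "sha256:<digest of the 1.28.5 asset>"` (or `"sha256:<url of the release's .sha256 file>"` if you prefer to follow the published checksum file), so a tampered or truncated download fails rather than being installed. Minor: quote `compose_version: "1.28.5"` — a three-part version is a string today, but a value like `1.30` would be parsed as the float `1.3` and silently produce a wrong URL; likewise prefer `update_cache: true` over `yes`.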
diff --git a/os/config/roles/common/tasks/hashicorp.yml b/os/config/roles/common/tasks/hashicorp.yml
new file mode 100644
index 0000000..9cf647b
--- /dev/null
+++ b/os/config/roles/common/tasks/hashicorp.yml
@@ -0,0 +1,24 @@
+- name: "Add Hashicorps's official GPG key to apt"
+ ansible.builtin.apt_key:
+ url: https://apt.releases.hashicorp.com/gpg
+ state: present
+
+- name: "Add Hashicorp's repository to APT sources list"
+ ansible.builtin.apt_repository:
+ repo: "deb [arch={{ architecture_map[ansible_architecture] }}] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
+ state: present
+ vars:
+ architecture_map:
+ "x86_64": "amd64"
+ "aarch64": "arm64"
+ "aarch": "arm64"
+ "armhf": "armhf"
+ "armv7l": "armhf"
+
+- name: "Install Nomad & Consul"
+ ansible.builtin.apt:
+ state: present
+ update_cache: yes
+ name:
+ - nomad
+ - consul \ No newline at end of file
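Review bot: `apt_key` here takes only `url:` with no `id:` and no `keyring:`, so whatever key the download returns is installed into the global trusted keyring and from then on signs every apt source on the host, not just HashiCorp's; the Docker task in this same commit pins the fingerprint and uses a dedicated keyring referenced by `signed-by=`, and this task should do the same. Give it `id:` set to the fingerprint HashiCorp publishes for its apt key, `keyring: /usr/share/keyrings/hashicorp-archive-keyring.gpg`, and add `signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg` to the `repo:` line. The install task also replaces the previously pinned `consul 1.9.1` / `nomad 1.0.2` (removed in the consul and nomad hunks) with unpinned `state: present`, so each new node gets whatever is current while existing nodes keep theirs; for a cluster whose agents must agree on a version, pin with `name: "nomad={{ nomad_version }}"` or at least record why the pin was dropped.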
diff --git a/os/config/roles/common/tasks/main.yml b/os/config/roles/common/tasks/main.yml
index 3898c8f..37cad52 100644
--- a/os/config/roles/common/tasks/main.yml
+++ b/os/config/roles/common/tasks/main.yml
@@ -15,39 +15,73 @@
- name: "Install base tools"
apt:
name:
- - vim
- - htop
- - screen
- - iptables
- - iptables-persistent
- - nftables
- - iproute2
+ # Essentials
- curl
- - iputils-ping
- - dnsutils
+ - less
+ - sudo
+ - tar
+ - unzip
+ # User tooling
+ - screen
+ - vim
+ # Monitoring
- bmon
+ - htop
- iftop
- iotop
- - docker.io
- - unzip
- - tar
- - tcpdump
- - less
- - parted
- - btrfs-tools
- - libnss-resolve
- - net-tools
+ - iputils-ping
+ - pciutils
- strace
- - sudo
+ - tcpdump
+ # Networking
+ - dnsutils # now called bind9-dnsutils
- ethtool
- - pciutils
+ - iproute2 # advanced net-tools
+ - iptables # legacy firewall (still used by diplonat)
+ - iptables-persistent
+ - net-tools # basic network tools
+ - nftables # iptables' successor (will replace it eventually)
+ # Optional / Dispensable
+ #- docker.io # Adrien n'approuve pas (il faut utiliser le repo Docker)
+ - parted
+ #- btrfs-tools
+ #- libnss-resolve # provides DNS/LLMNR utilities via systemd-resolved
state: present
+# Install Docker if need be
+
+- name: Check if Docker is installed
+ command: 'which docker'
+ args:
+ warn: no
+ register: docker_exists
+ changed_when: docker_exists.rc != 0
+ ignore_errors: true
+
+- name: "Install Docker"
+ include_tasks: docker.yml
+ when: docker_exists.rc != 0
+
+# Install Nomad & Consul if need be
+
+- name: Check if Nomad is installed
+ command: 'which nomad'
+ args:
+ warn: no
+ register: nomad_exists
+ changed_when: nomad_exists.rc != 0
+ ignore_errors: true
+
+- name: "Install Nomad & Consul"
+ include_tasks: hashicorp.yml
+ when: nomad_exists.rc != 0
+
+
+
- name: "Passwordless sudo"
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
- validate: 'visudo -cf %s'
-
+ validate: 'visudo -cf %s' \ No newline at end of file
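Review bot: The `which docker` guard in front of `Install Docker` means docker.yml never runs on a node that already has any `docker` binary on PATH — which includes every node provisioned by the previous version of this role, since it installed Debian's `docker.io` (now commented out in the package list); those nodes keep the distro package and never get the Docker repository, its key or docker-ce, while freshly provisioned nodes get a different engine. Every task in docker.yml and hashicorp.yml is already idempotent (`state: present`/`absent`), so the guards buy nothing but this skew; drop both `which` checks and `include_tasks` the two files unconditionally. If a probe is kept, make it read-only: `changed_when: false` and `failed_when: false` rather than `changed_when: docker_exists.rc != 0` with `ignore_errors: true`, which reports a change on a query and prints a red failure on every fresh host. The `Passwordless sudo` task is unchanged apart from its trailing newline, but note the file now ends without one.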
diff --git a/os/config/roles/consul/tasks/main.yml b/os/config/roles/consul/tasks/main.yml
index 340d4d7..da6f6f1 100644
--- a/os/config/roles/consul/tasks/main.yml
+++ b/os/config/roles/consul/tasks/main.yml
@@ -1,14 +1,14 @@
-- name: "Set consul version"
- set_fact:
- consul_version: 1.9.1
+# - name: "Set consul version"
+# set_fact:
+# consul_version: 1.9.1
-- name: "Download and install Consul for x86_64"
- unarchive:
- src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
- dest: /usr/local/bin
- remote_src: yes
- when:
- - "ansible_architecture == 'x86_64'"
+# - name: "Download and install Consul for x86_64"
+# unarchive:
+# src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
+# dest: /usr/local/bin
+# remote_src: yes
+# when:
+# - "ansible_architecture == 'x86_64'"
- name: "Create consul configuration directory"
file: path=/etc/consul/ state=directory
diff --git a/os/config/roles/network/templates/rules.v4 b/os/config/roles/network/templates/rules.v4
index a5f138b..8ccaed7 100644
--- a/os/config/roles/network/templates/rules.v4
+++ b/os/config/roles/network/templates/rules.v4
@@ -7,10 +7,10 @@
-A INPUT -p icmp -j ACCEPT
# Administration
--A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
# Diplonat needs everything open to communicate with IGD with the router
--A INPUT -s 192.168.1.254 -j ACCEPT
+-A INPUT -s {{ gatewayv4 }} -j ACCEPT
# Cluster
{% for selected_host in groups['cluster_nodes'] %}
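Review bot: `-A INPUT -s {{ gatewayv4 }} -j ACCEPT` accepts every packet claiming the gateway as source on every port, and with the new hammerhead inventory that gateway is the hosting provider's router `5.135.179.254`, not a home box running IGD — the comment's justification (Diplonat talking UPnP/IGD to the router) does not apply there, so the rule only widens the attack surface to anything at, or spoofing, that address. Gate it on the hosts that actually need it, e.g. wrap the rule in `{% if diplonat_igd | default(false) %} … {% endif %}` with the flag set only on the home-network hosts, or narrow it to the IGD ports instead of all traffic. Also, the template now opens `{{ ssh_port }}` but nothing in this commit changes sshd's `Port`; if the sshd configuration is not driven by the same variable, hammerhead (`ssh_port: 110`) is locked out the moment these rules load — confirm the sshd role consumes `ssh_port`.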
diff --git a/os/config/roles/network/templates/rules.v6 b/os/config/roles/network/templates/rules.v6
index e2b94ea..6977f02 100644
--- a/os/config/roles/network/templates/rules.v6
+++ b/os/config/roles/network/templates/rules.v6
@@ -13,7 +13,7 @@
-A INPUT -p ipv6-icmp -j ACCEPT
# Administration
--A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
# Cluster
{% for selected_host in groups['cluster_nodes'] %}
@@ -36,6 +36,8 @@
-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
# ADRN@Gandi
-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
+# ADRN@Kimsufi
+-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/64 -j DEUXFLEURS-TRUSTED-PORT
# Quentin@Rennes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Source address is not trusted
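Review bot: `2001:41d0:8:ba0b::1/64` is a host address written with a /64 mask; ip6tables applies the mask and trusts the entire `2001:41d0:8:ba0b::/64`, which the line as written leaves ambiguous, and every other single-host entry in this chain (e.g. ADRN@Gandi) uses `/128`. If only hammerhead itself should be trusted, write `-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/128 -j DEUXFLEURS-TRUSTED-PORT`; if the whole prefix is intended, write the network address `2001:41d0:8:ba0b::/64` and say so in the comment, because trusting a provider-allocated /64 trusts every address the provider may route within it.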
diff --git a/os/config/roles/nomad/tasks/main.yml b/os/config/roles/nomad/tasks/main.yml
index 1ddedbe..080a75f 100644
--- a/os/config/roles/nomad/tasks/main.yml
+++ b/os/config/roles/nomad/tasks/main.yml
@@ -1,14 +1,14 @@
-- name: "Set nomad version"
- set_fact:
- nomad_version: 1.0.2
+# - name: "Set nomad version"
+# set_fact:
+# nomad_version: 1.0.2
-- name: "Download and install Nomad for x86_64"
- unarchive:
- src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
- dest: /usr/local/bin
- remote_src: yes
- when:
- - "ansible_architecture == 'x86_64'"
+# - name: "Download and install Nomad for x86_64"
+# unarchive:
+# src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+# dest: /usr/local/bin
+# remote_src: yes
+# when:
+# - "ansible_architecture == 'x86_64'"
- name: "Create Nomad configuration directory"
file: path=/etc/nomad/ state=directory
diff --git a/os/config/roles/users/vars/main.yml b/os/config/roles/users/vars/main.yml
index ca2dc0a..c4ca875 100644
--- a/os/config/roles/users/vars/main.yml
+++ b/os/config/roles/users/vars/main.yml
@@ -10,7 +10,6 @@ active_users:
is_admin: true
ssh_keys:
- 'alex-key1.pub'
- #- 'alex-key2.pub'
- 'alex-key3.pub'
- username: 'maximilien'