Config Ansible mise à jour à l'occasion de l'install de HammerHead #37
11 changed files with 204 additions and 47 deletions
|
@ -1,6 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- hosts: cluster_nodes
|
- hosts: cluster_nodes
|
||||||
|
# "you can define how many hosts Ansible should manage at a single time
|
||||||
|
# using the serial keyword"
|
||||||
serial: 1
|
serial: 1
|
||||||
roles:
|
roles:
|
||||||
- role: common
|
- role: common
|
||||||
|
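Review bot: The comment added above `serial: 1` quotes the Ansible documentation but never says why this play wants one host per batch, which is the thing a reader of the playbook needs. Suggest replacing the two quoted lines with a reason, e.g. `# One host per batch: a broken change stops after the first node instead of reaching the whole cluster at once`. The play's role list continues below the hunk.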
|
17
os/config/hammerhead_inventory.yml
Normal file
17
os/config/hammerhead_inventory.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
cluster_nodes:
|
||||||
|
hosts:
|
||||||
|
hammerhead:
|
||||||
|
ansible_host: ns3118584.ip-5-135-179.eu
|
||||||
|
ansible_port: 110
|
||||||
|
ansible_user: root
|
||||||
|
ansible_ssh_private_key_file: /home/adrien/.ssh/hammerhead
|
||||||
|
ansible_become: true
|
||||||
|
ipv4: 5.135.179.11
|
||||||
|
gatewayv4: 5.135.179.254
|
||||||
|
ipv6: 2001:41d0:8:ba0b::1
|
||||||
|
gatewayv6: fe80::264:40ff:fe3a:fac0
|
||||||
|
interface: eno1
|
||||||
|
dns_1: 213.186.33.99
|
||||||
|
dns_2: 172.104.136.243
|
||||||
|
ansible_python_interpreter: python3
|
||||||
|
ssh_port: 110
|
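Review bot: `ansible_ssh_private_key_file: /home/adrien/.ssh/hammerhead` hard-codes one operator's home directory into a shared inventory, so anyone else running this playbook has to edit the file or override the variable; the key path belongs in that operator's `~/.ssh/config` or an `--private-key` / ansible.cfg setting, not in version control. The SSH port is also written twice (`ansible_port: 110` and `ssh_port: 110`) with nothing keeping them in step, while the iptables templates in this same change open `{{ ssh_port }}`; `ansible_port: "{{ ssh_port }}"` derives one from the other. `ansible_become: true` is a no-op when `ansible_user` is already `root`, so it is either redundant or a sign that a non-root deploy user was intended; worth deciding which.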
|
@ -12,6 +12,7 @@ cluster_nodes:
|
||||||
dns_1: 212.27.40.240
|
dns_1: 212.27.40.240
|
||||||
dns_2: 212.27.40.241
|
dns_2: 212.27.40.241
|
||||||
ansible_python_interpreter: python3
|
ansible_python_interpreter: python3
|
||||||
|
ssh_port: 22
|
||||||
|
|
||||||
digitale:
|
digitale:
|
||||||
ansible_host: atuin.site.deuxfleurs.fr
|
ansible_host: atuin.site.deuxfleurs.fr
|
||||||
|
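Review bot: `ssh_port: 22` is added host by host in all four hunks of this file (this one and the three below it), always with the same value, and any host that misses it will make the firewall templates fail on an undefined `{{ ssh_port }}`. A group-level default under `cluster_nodes` (a `vars:` mapping holding `ssh_port: 22`) with a per-host override only where it differs, as the new hammerhead entry does with 110, keeps the value in one place. Each hunk shows only the tail of a host entry; the rest of the entries is outside the diff.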
@ -25,6 +26,7 @@ cluster_nodes:
|
||||||
dns_1: 212.27.40.240
|
dns_1: 212.27.40.240
|
||||||
dns_2: 212.27.40.241
|
dns_2: 212.27.40.241
|
||||||
ansible_python_interpreter: python3
|
ansible_python_interpreter: python3
|
||||||
|
ssh_port: 22
|
||||||
|
|
||||||
drosera:
|
drosera:
|
||||||
ansible_host: atuin.site.deuxfleurs.fr
|
ansible_host: atuin.site.deuxfleurs.fr
|
||||||
|
@ -38,6 +40,7 @@ cluster_nodes:
|
||||||
dns_1: 212.27.40.240
|
dns_1: 212.27.40.240
|
||||||
dns_2: 212.27.40.241
|
dns_2: 212.27.40.241
|
||||||
ansible_python_interpreter: python3
|
ansible_python_interpreter: python3
|
||||||
|
ssh_port: 22
|
||||||
|
|
||||||
io:
|
io:
|
||||||
ansible_host: jupiter.site.deuxfleurs.fr
|
ansible_host: jupiter.site.deuxfleurs.fr
|
||||||
|
@ -51,3 +54,4 @@ cluster_nodes:
|
||||||
dns_1: 109.0.66.20
|
dns_1: 109.0.66.20
|
||||||
dns_2: 109.0.66.10
|
dns_2: 109.0.66.10
|
||||||
ansible_python_interpreter: python3
|
ansible_python_interpreter: python3
|
||||||
|
ssh_port: 22
|
||||||
|
|
75
os/config/roles/common/tasks/docker.yml
Normal file
75
os/config/roles/common/tasks/docker.yml
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
# From the official Docker installation guide for Debian:
|
||||||
|
# https://docs.docker.com/engine/install/debian/
|
||||||
|
|
||||||
|
# Uninstall old Docker versions
|
||||||
|
# $ sudo apt-get remove docker docker-engine docker.io containerd runc
|
||||||
|
- name: "Remove old Docker versions"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
state: absent
|
||||||
|
name:
|
||||||
|
- docker
|
||||||
|
- docker-engine
|
||||||
|
- docker.io
|
||||||
|
- containerd
|
||||||
|
- runc
|
||||||
|
|
||||||
|
# Install dependencies
|
||||||
|
# > apt-transport-https ca-certificates curl gnupg lsb-release
|
||||||
|
- name: "Install Docker dependencies"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
state: present
|
||||||
|
name:
|
||||||
|
- apt-transport-https
|
||||||
|
- ca-certificates
|
||||||
|
# - curl # Already installed in main.yml
|
||||||
|
- gnupg
|
||||||
|
- lsb-release
|
||||||
|
|
||||||
|
# Dowload Docker's official GPG key
|
||||||
|
# $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
|
||||||
|
- name: "Add Docker's official GPG key to apt"
|
||||||
|
ansible.builtin.apt_key:
|
||||||
|
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
|
||||||
|
url: https://download.docker.com/linux/debian/gpg
|
||||||
|
# Key destination path
|
||||||
|
keyring: /usr/share/keyrings/docker-archive-keyring.gpg
|
||||||
|
state: present
|
||||||
|
|
||||||
|
|
||||||
|
# Add Docker's repository to apt
|
||||||
|
# $ echo \
|
||||||
|
# "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
|
||||||
|
# $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||||
|
- name: "Add Docker's repository to APT sources list"
|
||||||
|
ansible.builtin.apt_repository:
|
||||||
|
repo: "deb [arch={{ architecture_map[ansible_architecture] }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
|
||||||
|
state: present
|
||||||
|
vars:
|
||||||
|
architecture_map:
|
||||||
|
"x86_64": "amd64"
|
||||||
|
"aarch64": "arm64"
|
||||||
|
"aarch": "arm64"
|
||||||
|
"armhf": "armhf"
|
||||||
|
"armv7l": "armhf"
|
||||||
|
|
||||||
|
# Install Docker engine
|
||||||
|
# $ sudo apt-get update
|
||||||
|
# $ sudo apt-get install docker-ce docker-ce-cli containerd.io
|
||||||
|
- name: "Install Docker engine"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
state: present
|
||||||
|
update_cache: yes
|
||||||
|
name:
|
||||||
|
- docker-ce
|
||||||
|
- docker-ce-cli
|
||||||
|
- containerd.io
|
||||||
|
|
||||||
|
# Install docker-compose
|
||||||
|
# $ sudo curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
|
||||||
|
- name: "Install Docker Compose"
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: "https://github.com/docker/compose/releases/download/{{ compose_version }}/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
|
||||||
|
dest: /usr/local/bin/docker-compose
|
||||||
|
mode: "0755"
|
||||||
|
vars:
|
||||||
|
compose_version: 1.28.5
|
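Review bot: `Install Docker Compose` fetches an executable from GitHub with `get_url` and places it in `/usr/local/bin` with mode 0755 without verifying what was downloaded; the Docker packages above are at least covered by the pinned apt key, the compose binary is not checked at all. `get_url` accepts a `checksum` argument, so adding `checksum: "sha256:<COMPOSE_1_28_5_SHA256>"` (placeholder, take the digest from the release assets) next to `dest:` pins the binary to the version named in `compose_version`. Two smaller points: `update_cache: yes` should be `update_cache: true` to match the booleans used elsewhere in this change (`ansible_become: true`), and the `architecture_map` table is copied verbatim into hashicorp.yml in the same commit, so it belongs in the role's vars rather than in two task files.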
24
os/config/roles/common/tasks/hashicorp.yml
Normal file
24
os/config/roles/common/tasks/hashicorp.yml
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
- name: "Add Hashicorps's official GPG key to apt"
|
||||||
|
ansible.builtin.apt_key:
|
||||||
|
url: https://apt.releases.hashicorp.com/gpg
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: "Add Hashicorp's repository to APT sources list"
|
||||||
|
ansible.builtin.apt_repository:
|
||||||
|
repo: "deb [arch={{ architecture_map[ansible_architecture] }}] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
|
||||||
|
state: present
|
||||||
|
vars:
|
||||||
|
architecture_map:
|
||||||
|
"x86_64": "amd64"
|
||||||
|
"aarch64": "arm64"
|
||||||
|
"aarch": "arm64"
|
||||||
|
"armhf": "armhf"
|
||||||
|
"armv7l": "armhf"
|
||||||
|
|
||||||
|
- name: "Install Nomad & Consul"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
state: present
|
||||||
|
update_cache: yes
|
||||||
|
name:
|
||||||
|
- nomad
|
||||||
|
- consul
|
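Review bot: `Add Hashicorps's official GPG key to apt` adds the key by URL only, with no `id:` and no `keyring:`, so the key is neither pinned to an expected fingerprint nor scoped to the HashiCorp repository; docker.yml in this same commit does both, and the `repo:` line here also lacks the `signed-by=` that docker.yml carries, which means any key in the global apt keyring can sign this repository and this key can sign any repository. Mirror docker.yml: `id: <HASHICORP_KEY_FINGERPRINT>` (placeholder, take it from HashiCorp's published fingerprint), `keyring: /usr/share/keyrings/hashicorp-archive-keyring.gpg` (constructed name, any path under `/usr/share/keyrings` works), and `signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg` inside the `[arch=...]` brackets of `repo:`. `update_cache: yes` should be `true`, as noted for docker.yml.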
|
@ -15,34 +15,69 @@
|
||||||
- name: "Install base tools"
|
- name: "Install base tools"
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- vim
|
# Essentials
|
||||||
- htop
|
|
||||||
- screen
|
|
||||||
- iptables
|
|
||||||
- iptables-persistent
|
|
||||||
- nftables
|
|
||||||
- iproute2
|
|
||||||
- curl
|
- curl
|
||||||
- iputils-ping
|
- less
|
||||||
- dnsutils
|
- sudo
|
||||||
|
- tar
|
||||||
|
- unzip
|
||||||
|
# User tooling
|
||||||
|
- screen
|
||||||
|
- vim
|
||||||
|
# Monitoring
|
||||||
- bmon
|
- bmon
|
||||||
|
- htop
|
||||||
- iftop
|
- iftop
|
||||||
- iotop
|
- iotop
|
||||||
- docker.io
|
- iputils-ping
|
||||||
- unzip
|
|
||||||
- tar
|
|
||||||
- tcpdump
|
|
||||||
- less
|
|
||||||
- parted
|
|
||||||
- btrfs-tools
|
|
||||||
- libnss-resolve
|
|
||||||
- net-tools
|
|
||||||
- strace
|
|
||||||
- sudo
|
|
||||||
- ethtool
|
|
||||||
- pciutils
|
- pciutils
|
||||||
|
- strace
|
||||||
|
- tcpdump
|
||||||
|
# Networking
|
||||||
|
- dnsutils # now called bind9-dnsutils
|
||||||
|
- ethtool
|
||||||
|
- iproute2 # advanced net-tools
|
||||||
|
- iptables # legacy firewall (still used by diplonat)
|
||||||
|
- iptables-persistent
|
||||||
|
- net-tools # basic network tools
|
||||||
|
- nftables # iptables' successor (will replace it eventually)
|
||||||
|
# Optional / Dispensable
|
||||||
|
#- docker.io # Adrien n'approuve pas (il faut utiliser le repo Docker)
|
||||||
|
- parted
|
||||||
|
#- btrfs-tools
|
||||||
|
#- libnss-resolve # provides DNS/LLMNR utilities via systemd-resolved
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
# Install Docker if need be
|
||||||
|
|
||||||
|
- name: Check if Docker is installed
|
||||||
|
command: 'which docker'
|
||||||
|
args:
|
||||||
|
warn: no
|
||||||
|
register: docker_exists
|
||||||
|
changed_when: docker_exists.rc != 0
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: "Install Docker"
|
||||||
|
include_tasks: docker.yml
|
||||||
|
when: docker_exists.rc != 0
|
||||||
|
|
||||||
|
# Install Nomad & Consul if need be
|
||||||
|
|
||||||
|
- name: Check if Nomad is installed
|
||||||
|
command: 'which nomad'
|
||||||
|
args:
|
||||||
|
warn: no
|
||||||
|
register: nomad_exists
|
||||||
|
changed_when: nomad_exists.rc != 0
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: "Install Nomad & Consul"
|
||||||
|
include_tasks: hashicorp.yml
|
||||||
|
when: nomad_exists.rc != 0
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- name: "Passwordless sudo"
|
- name: "Passwordless sudo"
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/sudoers
|
path: /etc/sudoers
|
||||||
|
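Review bot: The `Check if Docker is installed` gate in this hunk defeats the new docker.yml on every node this role has already configured: the old package list installed `docker.io` (the removed `- docker.io` line above), dropping it from the list does not uninstall it, so `which docker` succeeds and docker.yml, including its `Remove old Docker versions` task, never runs on those hosts. The apt tasks in docker.yml and hashicorp.yml are idempotent on their own, so both `which` probes can be dropped and the two `include_tasks` run unconditionally; the Nomad gate further down has the same shape. If a probe is kept, `failed_when: false` plus `changed_when: false` is the usual form for a read-only check (`ignore_errors: true` still prints the task as failed, and `changed_when: docker_exists.rc != 0` reports a change the task did not make), and `args: warn: no` relies on a command-module option that recent ansible-core releases have removed, so the task will fail outright there. The `Passwordless sudo` task that starts at the end of this hunk continues in the next one.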
@ -50,4 +85,3 @@
|
||||||
regexp: '^%sudo'
|
regexp: '^%sudo'
|
||||||
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
|
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
|
||||||
validate: 'visudo -cf %s'
|
validate: 'visudo -cf %s'
|
||||||
|
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
- name: "Set consul version"
|
# - name: "Set consul version"
|
||||||
set_fact:
|
# set_fact:
|
||||||
consul_version: 1.9.1
|
# consul_version: 1.9.1
|
||||||
|
|
||||||
- name: "Download and install Consul for x86_64"
|
# - name: "Download and install Consul for x86_64"
|
||||||
unarchive:
|
# unarchive:
|
||||||
src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
|
# src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
|
||||||
dest: /usr/local/bin
|
# dest: /usr/local/bin
|
||||||
remote_src: yes
|
# remote_src: yes
|
||||||
when:
|
# when:
|
||||||
- "ansible_architecture == 'x86_64'"
|
# - "ansible_architecture == 'x86_64'"
|
||||||
|
|
||||||
- name: "Create consul configuration directory"
|
- name: "Create consul configuration directory"
|
||||||
file: path=/etc/consul/ state=directory
|
file: path=/etc/consul/ state=directory
|
||||||
|
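Review bot: The download tasks at the top of this hunk are commented out rather than deleted, and the same is done to the equivalent block in nomad.yml further down, so both files now open with dead YAML and a stale pinned version (`consul_version: 1.9.1`, `nomad_version: 1.0.2`) that no longer reflects what the apt repository installs. Delete the commented block in both files, git history keeps it, and leave a single line such as `# Binaries come from the HashiCorp apt repository, see os/config/roles/common/tasks/hashicorp.yml`.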
|
|
@ -7,10 +7,10 @@
|
||||||
-A INPUT -p icmp -j ACCEPT
|
-A INPUT -p icmp -j ACCEPT
|
||||||
|
|
||||||
# Administration
|
# Administration
|
||||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
|
||||||
|
|
||||||
# Diplonat needs everything open to communicate with IGD with the router
|
# Diplonat needs everything open to communicate with IGD with the router
|
||||||
-A INPUT -s 192.168.1.254 -j ACCEPT
|
-A INPUT -s {{ gatewayv4 }} -j ACCEPT
|
||||||
|
|
||||||
# Cluster
|
# Cluster
|
||||||
{% for selected_host in groups['cluster_nodes'] %}
|
{% for selected_host in groups['cluster_nodes'] %}
|
||||||
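Review bot: `-A INPUT -s {{ gatewayv4 }} -j ACCEPT` turns a rule written for a home router (the old literal `192.168.1.254`, kept open for Diplonat's IGD traffic per the comment above it) into a blanket accept from whatever each host lists as its gateway, and for hammerhead that is `5.135.179.254`, the provider's router on a public /24, which is unlikely to speak IGD; the rule then only adds unconditional trust in an address outside the operator's control. Gate it on the hosts that actually run Diplonat against a LAN router, e.g. wrap it in `{% if diplonat_gateway is defined %}` … `{% endif %}` (constructed variable name) and set that variable only on the home-hosted nodes, keeping `gatewayv4` for network configuration alone. The `# Cluster` loop that follows is outside the hunk.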
|
|
|
@ -13,7 +13,7 @@
|
||||||
-A INPUT -p ipv6-icmp -j ACCEPT
|
-A INPUT -p ipv6-icmp -j ACCEPT
|
||||||
|
|
||||||
# Administration
|
# Administration
|
||||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
|
||||||
|
|
||||||
# Cluster
|
# Cluster
|
||||||
{% for selected_host in groups['cluster_nodes'] %}
|
{% for selected_host in groups['cluster_nodes'] %}
|
||||||
|
@ -36,6 +36,8 @@
|
||||||
-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
|
-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
|
||||||
# ADRN@Gandi
|
# ADRN@Gandi
|
||||||
-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
|
-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
|
||||||
|
# ADRN@Kimsufi
|
||||||
|
-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/64 -j DEUXFLEURS-TRUSTED-PORT
|
||||||
# Quentin@Rennes
|
# Quentin@Rennes
|
||||||
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
|
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
|
||||||
# Source address is not trusted
|
# Source address is not trusted
|
||||||
|
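Review bot: The new `# ADRN@Kimsufi` entry trusts `2001:41d0:8:ba0b::1/64`, a host address with a /64 mask; ip6tables applies the /64, and that address is hammerhead's own (`ipv6: 2001:41d0:8:ba0b::1` in the new inventory), so the whole prefix, not just the host, lands in `DEUXFLEURS-TRUSTED-NET`. If the /64 is dedicated to that server, write it as `2001:41d0:8:ba0b::/64` so the intent is visible; if it is shared, use `/128`. Since hammerhead is also a member of `cluster_nodes`, it is presumably already covered by the `# Cluster` loop over `groups['cluster_nodes']` shown in the first hunk of this file, in which case this hard-coded entry duplicates inventory data; the loop body is outside the hunk so I cannot confirm that.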
|
|
@ -1,14 +1,14 @@
|
||||||
- name: "Set nomad version"
|
# - name: "Set nomad version"
|
||||||
set_fact:
|
# set_fact:
|
||||||
nomad_version: 1.0.2
|
# nomad_version: 1.0.2
|
||||||
|
|
||||||
- name: "Download and install Nomad for x86_64"
|
# - name: "Download and install Nomad for x86_64"
|
||||||
unarchive:
|
# unarchive:
|
||||||
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
|
# src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
|
||||||
dest: /usr/local/bin
|
# dest: /usr/local/bin
|
||||||
remote_src: yes
|
# remote_src: yes
|
||||||
when:
|
# when:
|
||||||
- "ansible_architecture == 'x86_64'"
|
# - "ansible_architecture == 'x86_64'"
|
||||||
|
|
||||||
- name: "Create Nomad configuration directory"
|
- name: "Create Nomad configuration directory"
|
||||||
file: path=/etc/nomad/ state=directory
|
file: path=/etc/nomad/ state=directory
|
||||||
|
|
|
@ -10,7 +10,6 @@ active_users:
|
||||||
is_admin: true
|
is_admin: true
|
||||||
ssh_keys:
|
ssh_keys:
|
||||||
- 'alex-key1.pub'
|
- 'alex-key1.pub'
|
||||||
#- 'alex-key2.pub'
|
|
||||||
- 'alex-key3.pub'
|
- 'alex-key3.pub'
|
||||||
|
|
||||||
- username: 'maximilien'
|
- username: 'maximilien'
|
||||||
|
|