Config Ansible mise à jour à l'occasion de l'install de HammerHead #37
11 changed files with 204 additions and 47 deletions
|
@ -1,6 +1,8 @@
|
|||
---
|
||||
|
||||
- hosts: cluster_nodes
|
||||
# "you can define how many hosts Ansible should manage at a single time
|
||||
# using the serial keyword"
|
||||
serial: 1
|
||||
roles:
|
||||
- role: common
|
||||
|
|
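--- a/os/config/hammerhead_inventory.yml
+++ b/os/config/hammerhead_inventory.yml
@@ -0,0 +1,17 @@
+cluster_nodes:
+hosts:
+hammerhead:
+ansible_host: ns3118584.ip-5-135-179.eu
+ansible_port: 110
+ansible_user: root
+ansible_ssh_private_key_file: /home/adrien/.ssh/hammerhead
+ansible_become: true
+ipv4: 5.135.179.11
+gatewayv4: 5.135.179.254
+ipv6: 2001:41d0:8:ba0b::1
+gatewayv6: fe80::264:40ff:fe3a:fac0
+interface: eno1
+dns_1: 213.186.33.99
+dns_2: 172.104.136.243
+ansible_python_interpreter: python3
+ssh_port: 110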
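Review bot: `ansible_ssh_private_key_file: /home/adrien/.ssh/hammerhead` bakes one operator's home directory into a shared inventory, so anyone else running the playbook fails at connection time; keep the key path out of the inventory and let `~/.ssh/config` (or `--private-key`) supply it, or at least make it home-relative (`~/.ssh/hammerhead`). The SSH port is declared twice, `ansible_port: 110` for the connection and `ssh_port: 110` for the firewall templates, and nothing ties them together, so a later edit to one of them silently locks the host out or leaves the wrong port open; derive one from the other, e.g. `ansible_port: "{{ ssh_port }}"`. `ansible_become: true` is a no-op next to `ansible_user: root` and reads as if an unprivileged login were intended; either drop it or actually log in as a sudo user, which the `Passwordless sudo` task in main.yml already makes possible.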
|
@ -12,6 +12,7 @@ cluster_nodes:
|
|||
dns_1: 212.27.40.240
|
||||
dns_2: 212.27.40.241
|
||||
ansible_python_interpreter: python3
|
||||
ssh_port: 22
|
||||
|
||||
digitale:
|
||||
ansible_host: atuin.site.deuxfleurs.fr
|
||||
|
@ -25,6 +26,7 @@ cluster_nodes:
|
|||
dns_1: 212.27.40.240
|
||||
dns_2: 212.27.40.241
|
||||
ansible_python_interpreter: python3
|
||||
ssh_port: 22
|
||||
|
||||
drosera:
|
||||
ansible_host: atuin.site.deuxfleurs.fr
|
||||
|
@ -38,6 +40,7 @@ cluster_nodes:
|
|||
dns_1: 212.27.40.240
|
||||
dns_2: 212.27.40.241
|
||||
ansible_python_interpreter: python3
|
||||
ssh_port: 22
|
||||
|
||||
io:
|
||||
ansible_host: jupiter.site.deuxfleurs.fr
|
||||
|
@ -51,3 +54,4 @@ cluster_nodes:
|
|||
dns_1: 109.0.66.20
|
||||
dns_2: 109.0.66.10
|
||||
ansible_python_interpreter: python3
|
||||
ssh_port: 22
|
||||
|
|
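--- a/os/config/roles/common/tasks/docker.yml
+++ b/os/config/roles/common/tasks/docker.yml
@@ -0,0 +1,75 @@
+# From the official Docker installation guide for Debian:
+# https://docs.docker.com/engine/install/debian/
+
+# Uninstall old Docker versions
+# $ sudo apt-get remove docker docker-engine docker.io containerd runc
+- name: "Remove old Docker versions"
+ansible.builtin.apt:
+state: absent
+name:
+- docker
+- docker-engine
+- docker.io
+- containerd
+- runc
+
+# Install dependencies
+# > apt-transport-https ca-certificates curl gnupg lsb-release
+- name: "Install Docker dependencies"
+ansible.builtin.apt:
+state: present
+name:
+- apt-transport-https
+- ca-certificates
+# - curl # Already installed in main.yml
+- gnupg
+- lsb-release
+
+# Dowload Docker's official GPG key
+# $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+- name: "Add Docker's official GPG key to apt"
+ansible.builtin.apt_key:
+id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+url: https://download.docker.com/linux/debian/gpg
+# Key destination path
+keyring: /usr/share/keyrings/docker-archive-keyring.gpg
+state: present
+
+
+# Add Docker's repository to apt
+# $ echo \
+# "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
+# $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+- name: "Add Docker's repository to APT sources list"
+ansible.builtin.apt_repository:
+repo: "deb [arch={{ architecture_map[ansible_architecture] }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+state: present
+vars:
+architecture_map:
+"x86_64": "amd64"
+"aarch64": "arm64"
+"aarch": "arm64"
+"armhf": "armhf"
+"armv7l": "armhf"
+
+# Install Docker engine
+# $ sudo apt-get update
+# $ sudo apt-get install docker-ce docker-ce-cli containerd.io
+- name: "Install Docker engine"
+ansible.builtin.apt:
+state: present
+update_cache: yes
+name:
+- docker-ce
+- docker-ce-cli
+- containerd.io
+
+# Install docker-compose
+# $ sudo curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+- name: "Install Docker Compose"
+ansible.builtin.get_url:
+url: "https://github.com/docker/compose/releases/download/{{ compose_version }}/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
+dest: /usr/local/bin/docker-compose
+mode: "0755"
+vars:
+compose_version: 1.28.5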
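Review bot: `Install Docker Compose` downloads an executable from GitHub with `get_url` and marks it `0755` with no integrity check, while the apt tasks just above pin the repository key by fingerprint; add `checksum: "sha256:<EXPECTED_DIGEST>"` (placeholder, take the digest of the release you pin) so a tampered or truncated download fails the task instead of landing in `/usr/local/bin`. Two smaller points in the same file: `update_cache: yes` is a YAML 1.1 truthy spelling, write `update_cache: true`, and `compose_version` should be quoted (`"1.28.5"`) so a future two-component value is not parsed as a float. The `architecture_map` dictionary is repeated verbatim in hashicorp.yml; hoisting it into the role's vars keeps the two copies from drifting.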
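--- a/os/config/roles/common/tasks/hashicorp.yml
+++ b/os/config/roles/common/tasks/hashicorp.yml
@@ -0,0 +1,24 @@
+- name: "Add Hashicorps's official GPG key to apt"
+ansible.builtin.apt_key:
+url: https://apt.releases.hashicorp.com/gpg
+state: present
+
+- name: "Add Hashicorp's repository to APT sources list"
+ansible.builtin.apt_repository:
+repo: "deb [arch={{ architecture_map[ansible_architecture] }}] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
+state: present
+vars:
+architecture_map:
+"x86_64": "amd64"
+"aarch64": "arm64"
+"aarch": "arm64"
+"armhf": "armhf"
+"armv7l": "armhf"
+
+- name: "Install Nomad & Consul"
+ansible.builtin.apt:
+state: present
+update_cache: yes
+name:
+- nomad
+- consul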
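Review bot: The HashiCorp `apt_key` task has no `id:` and no `keyring:`, so the key fetched over HTTPS is accepted whatever its fingerprint and is dropped into the legacy global trusted keyring, where it can sign any repository on the host; docker.yml in the same commit does this correctly with `id`, `keyring` and `signed-by=`, so the two files should match. Pin the fingerprint (a placeholder below, to be filled from HashiCorp's published key), write the key to a dedicated keyring and reference it from the repo line as sketched here. The package names `nomad` and `consul` are unpinned, which, combined with `serial: 1` and `update_cache: yes`, lets two nodes of the same cluster end up on different versions depending on when they were provisioned; the old `set_fact` versions being commented out in nomad.yml/consul.yml suggests a `nomad_version`/`consul_version` variable still has a home here.
```yaml
- name: "Add Hashicorps's official GPG key to apt"
  ansible.builtin.apt_key:
    id: <HASHICORP_APT_KEY_FINGERPRINT>   # placeholder: pin as docker.yml does
    url: https://apt.releases.hashicorp.com/gpg
    keyring: /usr/share/keyrings/hashicorp-archive-keyring.gpg
    state: present

- name: "Add Hashicorp's repository to APT sources list"
  ansible.builtin.apt_repository:
    repo: "deb [arch={{ architecture_map[ansible_architecture] }} signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
    state: present
    # … unchanged: vars.architecture_map …
```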
@ -15,34 +15,69 @@
|
|||
- name: "Install base tools"
|
||||
apt:
|
||||
name:
|
||||
- vim
|
||||
- htop
|
||||
- screen
|
||||
- iptables
|
||||
- iptables-persistent
|
||||
- nftables
|
||||
- iproute2
|
||||
# Essentials
|
||||
- curl
|
||||
- iputils-ping
|
||||
- dnsutils
|
||||
- less
|
||||
- sudo
|
||||
- tar
|
||||
- unzip
|
||||
# User tooling
|
||||
- screen
|
||||
- vim
|
||||
# Monitoring
|
||||
- bmon
|
||||
- htop
|
||||
- iftop
|
||||
- iotop
|
||||
- docker.io
|
||||
- unzip
|
||||
- tar
|
||||
- tcpdump
|
||||
- less
|
||||
- parted
|
||||
- btrfs-tools
|
||||
- libnss-resolve
|
||||
- net-tools
|
||||
- strace
|
||||
- sudo
|
||||
- ethtool
|
||||
- iputils-ping
|
||||
- pciutils
|
||||
- strace
|
||||
- tcpdump
|
||||
# Networking
|
||||
- dnsutils # now called bind9-dnsutils
|
||||
- ethtool
|
||||
- iproute2 # advanced net-tools
|
||||
- iptables # legacy firewall (still used by diplonat)
|
||||
- iptables-persistent
|
||||
- net-tools # basic network tools
|
||||
- nftables # iptables' successor (will replace it eventually)
|
||||
# Optional / Dispensable
|
||||
#- docker.io # Adrien n'approuve pas (il faut utiliser le repo Docker)
|
||||
- parted
|
||||
#- btrfs-tools
|
||||
#- libnss-resolve # provides DNS/LLMNR utilities via systemd-resolved
|
||||
state: present
|
||||
|
||||
# Install Docker if need be
|
||||
|
||||
- name: Check if Docker is installed
|
||||
command: 'which docker'
|
||||
args:
|
||||
warn: no
|
||||
register: docker_exists
|
||||
changed_when: docker_exists.rc != 0
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Install Docker"
|
||||
include_tasks: docker.yml
|
||||
when: docker_exists.rc != 0
|
||||
|
||||
# Install Nomad & Consul if need be
|
||||
|
||||
- name: Check if Nomad is installed
|
||||
command: 'which nomad'
|
||||
args:
|
||||
warn: no
|
||||
register: nomad_exists
|
||||
changed_when: nomad_exists.rc != 0
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Install Nomad & Consul"
|
||||
include_tasks: hashicorp.yml
|
||||
when: nomad_exists.rc != 0
|
||||
|
||||
|
||||
|
||||
- name: "Passwordless sudo"
|
||||
lineinfile:
|
||||
path: /etc/sudoers
|
||||
|
@ -50,4 +85,3 @@
|
|||
regexp: '^%sudo'
|
||||
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
|
||||
validate: 'visudo -cf %s'
|
||||
|
||||
|
|
|
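Review bot: The `which docker` probe at `- name: Check if Docker is installed` turns docker.yml into a one-shot: any node that already has a `docker` binary, which includes every existing node since this same hunk drops `docker.io` from the base-tools list without purging it, never runs "Remove old Docker versions" and never gets the official repository, pinned key or Compose, and the `which nomad` gate does the same for hashicorp.yml. Everything in those two files is declarative (`apt`/`apt_key`/`apt_repository`/`get_url` with `state`), so the gate buys no idempotence; replace each check/include pair with an unconditional `- ansible.builtin.import_tasks: docker.yml` (same for hashicorp.yml). If the probe is kept anyway, `ignore_errors: true` prints a red failure on every fresh host and `args: warn: no` is, as far as I recall, a deprecated option on recent ansible-core; `failed_when: false` without `warn` is the cleaner form. The task list continues outside the hunk in both directions.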
@ -1,14 +1,14 @@
|
|||
- name: "Set consul version"
|
||||
set_fact:
|
||||
consul_version: 1.9.1
|
||||
# - name: "Set consul version"
|
||||
# set_fact:
|
||||
# consul_version: 1.9.1
|
||||
|
||||
- name: "Download and install Consul for x86_64"
|
||||
unarchive:
|
||||
src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
|
||||
dest: /usr/local/bin
|
||||
remote_src: yes
|
||||
when:
|
||||
- "ansible_architecture == 'x86_64'"
|
||||
# - name: "Download and install Consul for x86_64"
|
||||
# unarchive:
|
||||
# src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
|
||||
# dest: /usr/local/bin
|
||||
# remote_src: yes
|
||||
# when:
|
||||
# - "ansible_architecture == 'x86_64'"
|
||||
|
||||
- name: "Create consul configuration directory"
|
||||
file: path=/etc/consul/ state=directory
|
||||
|
|
|
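Review bot: The `set_fact` and `unarchive` tasks are left in place as commented-out blocks (`# - name: "Set consul version"` …) instead of being deleted, and the nomad hunk further down does the same with `# - name: "Set nomad version"`. Git history already keeps the old installer, so the commented copy only adds noise, and with the facts gone nothing visible in the role records which Consul/Nomad version the cluster expects. Remove the commented blocks and keep the version as data, e.g. `consul_version: "1.9.1"` in the role's defaults, consumed by the apt task in hashicorp.yml. The rest of the task list lies outside the hunk.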
@ -7,10 +7,10 @@
|
|||
-A INPUT -p icmp -j ACCEPT
|
||||
|
||||
# Administration
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
|
||||
|
||||
# Diplonat needs everything open to communicate with IGD with the router
|
||||
-A INPUT -s 192.168.1.254 -j ACCEPT
|
||||
-A INPUT -s {{ gatewayv4 }} -j ACCEPT
|
||||
|
||||
# Cluster
|
||||
{% for selected_host in groups['cluster_nodes'] %}
|
||||
|
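Review bot: `-A INPUT -s {{ gatewayv4 }} -j ACCEPT` accepts every port from whatever address the inventory names as the IPv4 gateway; for the new host that is `5.135.179.254`, a provider-side datacenter gateway that runs no IGD service, so the comment's justification ("Diplonat needs everything open … with the router") does not apply there and the rule only widens the attack surface of that node to anything arriving with that source. The old hard-coded `192.168.1.254` could never match on a hosted machine, so this is a behavioral change on the new node, not just a parameterisation. Make the rule opt-in per host, e.g. wrap it in `{% if diplonat_router | default(false) %}` … `{% endif %}` (variable name constructed here, to be set only on hosts behind a home router), or keep the gateway rule but restrict it to the protocols Diplonat actually uses. The template continues outside the hunk.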
|
|
@ -13,7 +13,7 @@
|
|||
-A INPUT -p ipv6-icmp -j ACCEPT
|
||||
|
||||
# Administration
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
|
||||
|
||||
# Cluster
|
||||
{% for selected_host in groups['cluster_nodes'] %}
|
||||
|
@ -36,6 +36,8 @@
|
|||
-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
|
||||
# ADRN@Gandi
|
||||
-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
|
||||
# ADRN@Kimsufi
|
||||
-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/64 -j DEUXFLEURS-TRUSTED-PORT
|
||||
# Quentin@Rennes
|
||||
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
|
||||
# Source address is not trusted
|
||||
|
|
|
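Review bot: `-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/64` pairs a host address (the new node's own `ipv6` from the inventory) with a /64 mask; ip6tables applies the mask, so the rule trusts the whole `2001:41d0:8:ba0b::/64` block, not the one machine the `::1` suggests. If only the node is meant, write `/128` as the Gandi entry just above does; if the whole prefix is meant, write `2001:41d0:8:ba0b::0/64` like the Rennes entry so the intent is unambiguous, and confirm with the provider that this /64 is allocated to this server alone, since a shared prefix would admit other tenants into the trusted set. The chain definition continues outside the hunk.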
@ -1,14 +1,14 @@
|
|||
- name: "Set nomad version"
|
||||
set_fact:
|
||||
nomad_version: 1.0.2
|
||||
# - name: "Set nomad version"
|
||||
# set_fact:
|
||||
# nomad_version: 1.0.2
|
||||
|
||||
- name: "Download and install Nomad for x86_64"
|
||||
unarchive:
|
||||
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
|
||||
dest: /usr/local/bin
|
||||
remote_src: yes
|
||||
when:
|
||||
- "ansible_architecture == 'x86_64'"
|
||||
# - name: "Download and install Nomad for x86_64"
|
||||
# unarchive:
|
||||
# src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
|
||||
# dest: /usr/local/bin
|
||||
# remote_src: yes
|
||||
# when:
|
||||
# - "ansible_architecture == 'x86_64'"
|
||||
|
||||
- name: "Create Nomad configuration directory"
|
||||
file: path=/etc/nomad/ state=directory
|
||||
|
|
|
@ -10,7 +10,6 @@ active_users:
|
|||
is_admin: true
|
||||
ssh_keys:
|
||||
- 'alex-key1.pub'
|
||||
#- 'alex-key2.pub'
|
||||
- 'alex-key3.pub'
|
||||
|
||||
- username: 'maximilien'
|
||||
|
|