From 005a027fcb6e4c9a4d90da27963617b6463aa7f2 Mon Sep 17 00:00:00 2001 From: LUXEY Adrien Date: Tue, 23 Mar 2021 16:57:10 +0100 Subject: [PATCH] WIP: improving Ansible config while I install my HammerHead --- os/config/production.yml | 4 +++ os/config/roles/common/tasks/main.yml | 33 ++++++++++++++++++++-- os/config/roles/consul/tasks/main.yml | 20 ++++++------- os/config/roles/network/templates/rules.v4 | 4 +-- os/config/roles/network/templates/rules.v6 | 4 ++- os/config/roles/nomad/tasks/main.yml | 20 ++++++------- os/config/roles/users/vars/main.yml | 1 - 7 files changed, 60 insertions(+), 26 deletions(-) diff --git a/os/config/production.yml b/os/config/production.yml index 8870b52..c0f6371 100644 --- a/os/config/production.yml +++ b/os/config/production.yml @@ -12,6 +12,7 @@ cluster_nodes: dns_1: 212.27.40.240 dns_2: 212.27.40.241 ansible_python_interpreter: python3 + ssh_port: 22 digitale: ansible_host: atuin.site.deuxfleurs.fr @@ -25,6 +26,7 @@ cluster_nodes: dns_1: 212.27.40.240 dns_2: 212.27.40.241 ansible_python_interpreter: python3 + ssh_port: 22 drosera: ansible_host: atuin.site.deuxfleurs.fr @@ -38,6 +40,7 @@ cluster_nodes: dns_1: 212.27.40.240 dns_2: 212.27.40.241 ansible_python_interpreter: python3 + ssh_port: 22 io: ansible_host: jupiter.site.deuxfleurs.fr @@ -51,3 +54,4 @@ cluster_nodes: dns_1: 109.0.66.20 dns_2: 109.0.66.10 ansible_python_interpreter: python3 + ssh_port: 22 diff --git a/os/config/roles/common/tasks/main.yml b/os/config/roles/common/tasks/main.yml index f31b2c3..3baeb01 100644 --- a/os/config/roles/common/tasks/main.yml +++ b/os/config/roles/common/tasks/main.yml @@ -46,11 +46,40 @@ #- libnss-resolve # provides DNS/LLMNR utilities via systemd-resolved state: present +# Install Docker if need be + +- name: Check if Docker is installed + command: 'which docker' + args: + warn: no + register: docker_exists + changed_when: docker_exists.rc != 0 + ignore_errors: true + +- name: "Install Docker" + include_tasks: docker.yml + when: docker_exists.rc != 0 + +# Install Nomad & Consul if need be + +- name: Check if Nomad is installed + command: 'which nomad' + args: + warn: no + register: nomad_exists + changed_when: nomad_exists.rc != 0 + ignore_errors: true + +- name: "Install Nomad & Consul" + include_tasks: hashicorp.yml + when: nomad_exists.rc != 0 + + + - name: "Passwordless sudo" lineinfile: path: /etc/sudoers state: present regexp: '^%sudo' line: '%sudo ALL=(ALL) NOPASSWD: ALL' - validate: 'visudo -cf %s' - + validate: 'visudo -cf %s' \ No newline at end of file diff --git a/os/config/roles/consul/tasks/main.yml b/os/config/roles/consul/tasks/main.yml index 340d4d7..da6f6f1 100644 --- a/os/config/roles/consul/tasks/main.yml +++ b/os/config/roles/consul/tasks/main.yml @@ -1,14 +1,14 @@ -- name: "Set consul version" - set_fact: - consul_version: 1.9.1 +# - name: "Set consul version" +# set_fact: +# consul_version: 1.9.1 -- name: "Download and install Consul for x86_64" - unarchive: - src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" - dest: /usr/local/bin - remote_src: yes - when: - - "ansible_architecture == 'x86_64'" +# - name: "Download and install Consul for x86_64" +# unarchive: +# src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" +# dest: /usr/local/bin +# remote_src: yes +# when: +# - "ansible_architecture == 'x86_64'" - name: "Create consul configuration directory" file: path=/etc/consul/ state=directory diff --git a/os/config/roles/network/templates/rules.v4 b/os/config/roles/network/templates/rules.v4 index a5f138b..83f5348 100644 --- a/os/config/roles/network/templates/rules.v4 +++ b/os/config/roles/network/templates/rules.v4 @@ -7,10 +7,10 @@ -A INPUT -p icmp -j ACCEPT # Administration --A INPUT -p tcp --dport 22 -j ACCEPT +-A INPUT -p tcp --dport {{ hostvars[selected_host]['ssh_port'] }} -j ACCEPT # Diplonat needs everything open to communicate with IGD with the router --A INPUT -s 192.168.1.254 -j ACCEPT +-A INPUT -s {{ hostvars[selected_host]['gatewayv4'] }} -j ACCEPT # Cluster {% for selected_host in groups['cluster_nodes'] %} diff --git a/os/config/roles/network/templates/rules.v6 b/os/config/roles/network/templates/rules.v6 index e2b94ea..eace08e 100644 --- a/os/config/roles/network/templates/rules.v6 +++ b/os/config/roles/network/templates/rules.v6 @@ -13,7 +13,7 @@ -A INPUT -p ipv6-icmp -j ACCEPT # Administration --A INPUT -p tcp --dport 22 -j ACCEPT +-A INPUT -p tcp --dport {{ hostvars[selected_host]['ssh_port'] }} -j ACCEPT # Cluster {% for selected_host in groups['cluster_nodes'] %} @@ -36,6 +36,8 @@ -A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT # ADRN@Gandi -A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT +# ADRN@Kimsufi +-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/64 -j DEUXFLEURS-TRUSTED-PORT # Quentin@Rennes -A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT # Source address is not trusted diff --git a/os/config/roles/nomad/tasks/main.yml b/os/config/roles/nomad/tasks/main.yml index 1ddedbe..080a75f 100644 --- a/os/config/roles/nomad/tasks/main.yml +++ b/os/config/roles/nomad/tasks/main.yml @@ -1,14 +1,14 @@ -- name: "Set nomad version" - set_fact: - nomad_version: 1.0.2 +# - name: "Set nomad version" +# set_fact: +# nomad_version: 1.0.2 -- name: "Download and install Nomad for x86_64" - unarchive: - src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip" - dest: /usr/local/bin - remote_src: yes - when: - - "ansible_architecture == 'x86_64'" +# - name: "Download and install Nomad for x86_64" +# unarchive: +# src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip" +# dest: /usr/local/bin +# remote_src: yes +# when: +# - "ansible_architecture == 'x86_64'" - name: "Create Nomad configuration directory" file: path=/etc/nomad/ state=directory diff --git a/os/config/roles/users/vars/main.yml b/os/config/roles/users/vars/main.yml index ca2dc0a..c4ca875 100644 --- a/os/config/roles/users/vars/main.yml +++ b/os/config/roles/users/vars/main.yml @@ -10,7 +10,6 @@ active_users: is_admin: true ssh_keys: - 'alex-key1.pub' - #- 'alex-key2.pub' - 'alex-key3.pub' - username: 'maximilien'