From 472384d4039d10dcfe1567b07f64ca6b1f8b744d Mon Sep 17 00:00:00 2001
From: LUXEY Adrien
Date: Sun, 14 Mar 2021 15:49:08 +0100
Subject: [PATCH 1/5] =?UTF-8?q?premier=20tri=20des=20outils=20de=20base=20?= =?UTF-8?q?=C3=A0=20installer=20via=20apt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 os/config/cluster_nodes.yml | 2 ++
 os/config/roles/common/tasks/main.yml | 47 +++++++++++++++------------
 2 files changed, 28 insertions(+), 21 deletions(-)
diff --git a/os/config/cluster_nodes.yml b/os/config/cluster_nodes.yml
index ea58630..0f22baf 100644
--- a/os/config/cluster_nodes.yml
+++ b/os/config/cluster_nodes.yml
@@ -1,6 +1,8 @@
 ---
 - hosts: cluster_nodes
+ # "you can define how many hosts Ansible should manage at a single time
+ # using the serial keyword"
 serial: 1
 roles:
 - role: common
diff --git a/os/config/roles/common/tasks/main.yml b/os/config/roles/common/tasks/main.yml
index b4d00bb..f31b2c3 100644
--- a/os/config/roles/common/tasks/main.yml
+++ b/os/config/roles/common/tasks/main.yml
@@ -15,30 +15,35 @@
 - name: "Install base tools"
 apt:
 name:
- - vim
- - htop
- - screen
- - iptables
- - iptables-persistent
- - nftables
- - iproute2
+ # Essentials
 - curl
- - iputils-ping
- - dnsutils
- - bmon
- - iftop
- - iotop
- - docker.io
- - unzip
- - tar
- - tcpdump
 - less
- - parted
- - btrfs-tools
- - libnss-resolve
- - net-tools
- - strace
 - sudo
+ - tar
+ - unzip
+ # User tooling
+ - screen
+ - vim
+ # Monitoring
+ - bmon
+ - htop
+ - iftop
+ - iputils-ping
+ - iotop
+ - strace
+ - tcpdump
+ # Networking
+ - iproute2 # advanced net-tools
+ - iptables # legacy firewall (still used by diplonat)
+ - iptables-persistent
+ - net-tools # basic network tools
+ - nftables # iptables' successor (will replace it eventually)
+ - dnsutils # now called bind9-dnsutils
+ # Optional / Dispensable
+ #- docker.io # Adrien n'approuve pas (il faut utiliser le repo Docker)
+ - parted
+ #- btrfs-tools
+ #- libnss-resolve # provides DNS/LLMNR utilities via systemd-resolved
 state: present
 - name: "Passwordless sudo"
From 005a027fcb6e4c9a4d90da27963617b6463aa7f2 Mon Sep 17 00:00:00 2001
From: LUXEY Adrien
Date: Tue, 23 Mar 2021 16:57:10 +0100
Subject: [PATCH 2/5] WIP: improving Ansible config while I install my HammerHead
---
 os/config/production.yml | 4 +++
 os/config/roles/common/tasks/main.yml | 33 ++++++++++++++++++++--
 os/config/roles/consul/tasks/main.yml | 20 ++++++-------
 os/config/roles/network/templates/rules.v4 | 4 +--
 os/config/roles/network/templates/rules.v6 | 4 ++-
 os/config/roles/nomad/tasks/main.yml | 20 ++++++-------
 os/config/roles/users/vars/main.yml | 1 -
 7 files changed, 60 insertions(+), 26 deletions(-)
diff --git a/os/config/production.yml b/os/config/production.yml
index 8870b52..c0f6371 100644
--- a/os/config/production.yml
+++ b/os/config/production.yml
@@ -12,6 +12,7 @@ cluster_nodes:
 dns_1: 212.27.40.240
 dns_2: 212.27.40.241
 ansible_python_interpreter: python3
+ ssh_port: 22
 digitale:
 ansible_host: atuin.site.deuxfleurs.fr
@@ -25,6 +26,7 @@ cluster_nodes:
 dns_1: 212.27.40.240
 dns_2: 212.27.40.241
 ansible_python_interpreter: python3
+ ssh_port: 22
 drosera:
 ansible_host: atuin.site.deuxfleurs.fr
@@ -38,6 +40,7 @@ cluster_nodes:
 dns_1: 212.27.40.240
 dns_2: 212.27.40.241
 ansible_python_interpreter: python3
+ ssh_port: 22
 io:
 ansible_host: jupiter.site.deuxfleurs.fr
@@ -51,3 +54,4 @@ cluster_nodes:
 dns_1: 109.0.66.20
 dns_2: 109.0.66.10
 ansible_python_interpreter: python3
+ ssh_port: 22
diff --git a/os/config/roles/common/tasks/main.yml b/os/config/roles/common/tasks/main.yml
index f31b2c3..3baeb01 100644
--- a/os/config/roles/common/tasks/main.yml
+++ b/os/config/roles/common/tasks/main.yml
@@ -46,11 +46,40 @@
 #- libnss-resolve # provides DNS/LLMNR utilities via systemd-resolved
 state: present
+# Install Docker if need be
+
+- name: Check if Docker is installed
+ command: 'which docker'
+ args:
+ warn: no
+ register: docker_exists
+ changed_when: docker_exists.rc != 0
+ ignore_errors: true
+
+- name: "Install Docker"
+ include_tasks: docker.yml
+ when: docker_exists.rc != 0
+
+# Install Nomad & Consul if need be
+
+- name: Check if Nomad is installed
+ command: 'which nomad'
+ args:
+ warn: no
+ register: nomad_exists
+ changed_when: nomad_exists.rc != 0
+ ignore_errors: true
+
+- name: "Install Nomad & Consul"
+ include_tasks: hashicorp.yml
+ when: nomad_exists.rc != 0
+
+
+
 - name: "Passwordless sudo"
 lineinfile:
 path: /etc/sudoers
 state: present
 regexp: '^%sudo'
 line: '%sudo ALL=(ALL) NOPASSWD: ALL'
- validate: 'visudo -cf %s'
-
+ validate: 'visudo -cf %s'
\ No newline at end of file
diff --git a/os/config/roles/consul/tasks/main.yml b/os/config/roles/consul/tasks/main.yml
index 340d4d7..da6f6f1 100644
--- a/os/config/roles/consul/tasks/main.yml
+++ b/os/config/roles/consul/tasks/main.yml
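Review bot: The `which docker` probe that gates `include_tasks: docker.yml` is satisfied by any `docker` binary, including the Debian `docker.io` package that patch 1 removed from the base tools list, so on a host provisioned before this change the official-repo install and the "Remove old Docker versions" task in docker.yml would never run; a probe specific to the wanted package, e.g. `command: 'dpkg-query -W docker-ce'`, gates it correctly (inferred from the visible lines, worth confirming on an existing node). `ignore_errors: true` still records the probe as failed in the play summary and hides unrelated errors, while `changed_when: docker_exists.rc != 0` makes a read-only check report a change; `failed_when: false` and `changed_when: false` state the intent, and the same applies to the `which nomad` probe below it. `warn: no` would be `warn: false` under yamllint's truthy rule, and the rewritten `validate: 'visudo -cf %s'` line drops the file's final newline, as the `\ No newline at end of file` marker shows.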
@@ -1,14 +1,14 @@
-- name: "Set consul version"
- set_fact:
- consul_version: 1.9.1
+# - name: "Set consul version"
+# set_fact:
+# consul_version: 1.9.1
-- name: "Download and install Consul for x86_64"
- unarchive:
- src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
- dest: /usr/local/bin
- remote_src: yes
- when:
- - "ansible_architecture == 'x86_64'"
+# - name: "Download and install Consul for x86_64"
+# unarchive:
+# src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
+# dest: /usr/local/bin
+# remote_src: yes
+# when:
+# - "ansible_architecture == 'x86_64'"
 - name: "Create consul configuration directory"
 file: path=/etc/consul/ state=directory
diff --git a/os/config/roles/network/templates/rules.v4 b/os/config/roles/network/templates/rules.v4
index a5f138b..83f5348 100644
--- a/os/config/roles/network/templates/rules.v4
+++ b/os/config/roles/network/templates/rules.v4
@@ -7,10 +7,10 @@
 -A INPUT -p icmp -j ACCEPT
 # Administration
--A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport {{ hostvars[selected_host]['ssh_port'] }} -j ACCEPT
 # Diplonat needs everything open to communicate with IGD with the router
--A INPUT -s 192.168.1.254 -j ACCEPT
+-A INPUT -s {{ hostvars[selected_host]['gatewayv4'] }} -j ACCEPT
 # Cluster
 {% for selected_host in groups['cluster_nodes'] %}
diff --git a/os/config/roles/network/templates/rules.v6 b/os/config/roles/network/templates/rules.v6
index e2b94ea..eace08e 100644
--- a/os/config/roles/network/templates/rules.v6
+++ b/os/config/roles/network/templates/rules.v6
@@ -13,7 +13,7 @@
 -A INPUT -p ipv6-icmp -j ACCEPT
 # Administration
--A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport {{ hostvars[selected_host]['ssh_port'] }} -j ACCEPT
 # Cluster
 {% for selected_host in groups['cluster_nodes'] %}
@@ -36,6 +36,8 @@
 -A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
 # ADRN@Gandi
 -A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
+# ADRN@Kimsufi
+-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/64 -j DEUXFLEURS-TRUSTED-PORT
 # Quentin@Rennes
 -A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
 # Source address is not trusted
diff --git a/os/config/roles/nomad/tasks/main.yml b/os/config/roles/nomad/tasks/main.yml
index 1ddedbe..080a75f 100644
--- a/os/config/roles/nomad/tasks/main.yml
+++ b/os/config/roles/nomad/tasks/main.yml
@@ -1,14 +1,14 @@
-- name: "Set nomad version"
- set_fact:
- nomad_version: 1.0.2
+# - name: "Set nomad version"
+# set_fact:
+# nomad_version: 1.0.2
-- name: "Download and install Nomad for x86_64"
- unarchive:
- src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
- dest: /usr/local/bin
- remote_src: yes
- when:
- - "ansible_architecture == 'x86_64'"
+# - name: "Download and install Nomad for x86_64"
+# unarchive:
+# src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+# dest: /usr/local/bin
+# remote_src: yes
+# when:
+# - "ansible_architecture == 'x86_64'"
 - name: "Create Nomad configuration directory"
 file: path=/etc/nomad/ state=directory
diff --git a/os/config/roles/users/vars/main.yml b/os/config/roles/users/vars/main.yml
index ca2dc0a..c4ca875 100644
--- a/os/config/roles/users/vars/main.yml
+++ b/os/config/roles/users/vars/main.yml
@@ -10,7 +10,6 @@ active_users:
 is_admin: true
 ssh_keys:
 - 'alex-key1.pub'
- #- 'alex-key2.pub'
 - 'alex-key3.pub'
 - username: 'maximilien'
From 7852eef5a6d0eefc5914f178549f6845857a5c49 Mon Sep 17 00:00:00 2001
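Review bot: The new trusted-net entry `2001:41d0:8:ba0b::1/64` has host bits set inside a /64 prefix; ip6tables masks them when the rules are loaded, so the rule trusts the whole /64, not the single address that `::1` suggests. The neighbouring entries write either the prefix form (`::0/64`) or `/128` for one host, so this line should do the same: `-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::/64 -j DEUXFLEURS-TRUSTED-PORT` if the whole prefix is meant, or `/128` if only that host is. Since the same address is declared as the hammerhead node's own `ipv6` in the inventory added by patch 3, it is worth confirming that the entire provider-assigned /64 is intended to count as an administrator network.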
From: LUXEY Adrien
Date: Tue, 23 Mar 2021 17:00:27 +0100
Subject: [PATCH 3/5] WIP: improving Ansible config while I install my HammerHead - added files...
---
 os/config/hammerhead_inventory.yml | 17 +++++
 os/config/roles/common/tasks/docker.yml | 75 ++++++++++++++++++++++
 os/config/roles/common/tasks/hashicorp.yml | 24 +++++++
 3 files changed, 116 insertions(+)
 create mode 100644 os/config/hammerhead_inventory.yml
 create mode 100644 os/config/roles/common/tasks/docker.yml
 create mode 100644 os/config/roles/common/tasks/hashicorp.yml
diff --git a/os/config/hammerhead_inventory.yml b/os/config/hammerhead_inventory.yml
new file mode 100644
index 0000000..dd2117e
--- /dev/null
+++ b/os/config/hammerhead_inventory.yml
@@ -0,0 +1,17 @@
+cluster_nodes:
+ hosts:
+ hammerhead:
+ ansible_host: ns3118584.ip-5-135-179.eu
+ ansible_port: 110
+ ansible_user: root
+ ansible_ssh_private_key_file: /home/adrien/.ssh/hammerhead
+ ansible_become: true
+ ipv4: 5.135.179.11
+ gatewayv4: 5.135.179.254
+ ipv6: 2001:41d0:8:ba0b::1
+ gatewayv6: fe80::264:40ff:fe3a:fac0
+ interface: eno1
+ dns_1: 213.186.33.99
+ dns_2: 172.104.136.243
+ ansible_python_interpreter: python3
+ ssh_port: 110
diff --git a/os/config/roles/common/tasks/docker.yml b/os/config/roles/common/tasks/docker.yml
new file mode 100644
index 0000000..a688f4b
--- /dev/null
+++ b/os/config/roles/common/tasks/docker.yml
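Review bot: `ssh_port: 110` duplicates `ansible_port: 110` a few lines above it, and the two can drift: `ssh_port` is what the rules.v4/rules.v6 templates open in the INPUT chain, while `ansible_port` is what Ansible actually connects to, so editing one without the other could lock the controller out the next time the persisted rules are loaded. Deriving one from the other, `ssh_port: "{{ ansible_port }}"`, keeps the firewall rule and the connection port in step. The file also lacks the `---` document start that cluster_nodes.yml on this page uses.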
@@ -0,0 +1,75 @@
+# From the official Docker installation guide for Debian:
+# https://docs.docker.com/engine/install/debian/
+
+# Uninstall old Docker versions
+# $ sudo apt-get remove docker docker-engine docker.io containerd runc
+- name: "Remove old Docker versions"
+ ansible.builtin.apt:
+ state: absent
+ name:
+ - docker
+ - docker-engine
+ - docker.io
+ - containerd
+ - runc
+
+# Install dependencies
+# > apt-transport-https ca-certificates curl gnupg lsb-release
+- name: "Install Docker dependencies"
+ ansible.builtin.apt:
+ state: present
+ name:
+ - apt-transport-https
+ - ca-certificates
+ # - curl # Already installed in main.yml
+ - gnupg
+ - lsb-release
+
+# Dowload Docker's official GPG key
+# $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+- name: "Add Docker's official GPG key to apt"
+ ansible.builtin.apt_key:
+ id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+ url: https://download.docker.com/linux/debian/gpg
+ # Key destination path
+ keyring: /usr/share/keyrings/docker-archive-keyring.gpg
+ state: present
+
+
+# Add Docker's repository to apt
+# $ echo \
+# "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
+# $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+- name: "Add Docker's repository to APT sources list"
+ ansible.builtin.apt_repository:
+ repo: "deb [arch={{ architecture_map[ansible_architecture] }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+ state: present
+ vars:
+ architecture_map:
+ "x86_64": "amd64"
+ "aarch64": "arm64"
+ "aarch": "arm64"
+ "armhf": "armhf"
+ "armv7l": "armhf"
+
+# Install Docker engine
+# $ sudo apt-get update
+# $ sudo apt-get install docker-ce docker-ce-cli containerd.io
+- name: "Install Docker engine"
+ ansible.builtin.apt:
+ state: 
present
+ update_cache: yes
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+
+# Install docker-compose
+# $ sudo curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+- name: "Install Docker Compose"
+ ansible.builtin.get_url:
+ url: "https://github.com/docker/compose/releases/download/{{ compose_version }}/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
+ dest: /usr/local/bin/docker-compose
+ mode: "0755"
+ vars:
+ compose_version: 1.28.5
\ No newline at end of file
diff --git a/os/config/roles/common/tasks/hashicorp.yml b/os/config/roles/common/tasks/hashicorp.yml
new file mode 100644
index 0000000..9cf647b
--- /dev/null
+++ b/os/config/roles/common/tasks/hashicorp.yml
@@ -0,0 +1,24 @@
+- name: "Add Hashicorps's official GPG key to apt"
+ ansible.builtin.apt_key:
+ url: https://apt.releases.hashicorp.com/gpg
+ state: present
+
+- name: "Add Hashicorp's repository to APT sources list"
+ ansible.builtin.apt_repository:
+ repo: "deb [arch={{ architecture_map[ansible_architecture] }}] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
+ state: present
+ vars:
+ architecture_map:
+ "x86_64": "amd64"
+ "aarch64": "arm64"
+ "aarch": "arm64"
+ "armhf": "armhf"
+ "armv7l": "armhf"
+
+- name: "Install Nomad & Consul"
+ ansible.builtin.apt:
+ state: present
+ update_cache: yes
+ name:
+ - nomad
+ - consul
\ No newline at end of file
From 7277927ea31ea66f1a3b186423ba59fac2d30d0f Mon Sep 17 00:00:00 2001
From: LUXEY Adrien
Date: Tue, 23 Mar 2021 17:05:56 +0100
Subject: [PATCH 4/5] WIP: Ansible config updated, everything passed alright
---
 os/config/roles/network/templates/rules.v4 | 4 ++--
 os/config/roles/network/templates/rules.v6 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/os/config/roles/network/templates/rules.v4 b/os/config/roles/network/templates/rules.v4
index 83f5348..8ccaed7 100644
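Review bot: The "Install Docker Compose" task drops an executable into `/usr/local/bin` with `mode: "0755"` and no `checksum:`, so a tampered or truncated download would be installed and later run as root with no integrity check at all; `ansible.builtin.get_url` takes `checksum: "sha256:<COMPOSE_1_28_5_SHA256_PLACEHOLDER>"` (value to be taken from the upstream release when pinning), which also makes the task idempotent against the file's content rather than just its presence. By contrast the `apt_key` and `apt_repository` tasks above it pin the Docker key `id:` and scope it with a dedicated `keyring:` and `signed-by=`, so this is the one unverified artifact in the file. `update_cache: yes` in "Install Docker engine", and the same key in hashicorp.yml, would be `update_cache: true` under yamllint's truthy rule, and the file ends without a final newline.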
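Review bot: The `apt_key` task trusts whatever `https://apt.releases.hashicorp.com/gpg` serves at run time with no `id:` and no `keyring:`, and the repo line carries no `signed-by=`, so the key lands in the host-wide apt trust store and can authenticate any repository, unlike docker.yml in the same commit which pins the fingerprint and scopes the key to one repository. Mirroring that pattern means `id: <HASHICORP_KEY_FINGERPRINT_PLACEHOLDER>`, `keyring: /usr/share/keyrings/hashicorp-archive-keyring.gpg`, and `repo: "deb [arch={{ architecture_map[ansible_architecture] }} signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"`. The `architecture_map` mapping is duplicated verbatim from docker.yml and could live once in the role's vars so the two cannot diverge; the task name `Hashicorps's` has a stray `s`.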
--- a/os/config/roles/network/templates/rules.v4
+++ b/os/config/roles/network/templates/rules.v4
@@ -7,10 +7,10 @@
 -A INPUT -p icmp -j ACCEPT
 # Administration
--A INPUT -p tcp --dport {{ hostvars[selected_host]['ssh_port'] }} -j ACCEPT
+-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
 # Diplonat needs everything open to communicate with IGD with the router
--A INPUT -s {{ hostvars[selected_host]['gatewayv4'] }} -j ACCEPT
+-A INPUT -s {{ gatewayv4 }} -j ACCEPT
 # Cluster
 {% for selected_host in groups['cluster_nodes'] %}
diff --git a/os/config/roles/network/templates/rules.v6 b/os/config/roles/network/templates/rules.v6
index eace08e..6977f02 100644
--- a/os/config/roles/network/templates/rules.v6
+++ b/os/config/roles/network/templates/rules.v6
@@ -13,7 +13,7 @@
 -A INPUT -p ipv6-icmp -j ACCEPT
 # Administration
--A INPUT -p tcp --dport {{ hostvars[selected_host]['ssh_port'] }} -j ACCEPT
+-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
 # Cluster
 {% for selected_host in groups['cluster_nodes'] %}
From 89b87407818c78852b2c99b4300053e34e255fa5 Mon Sep 17 00:00:00 2001
From: LUXEY Adrien
Date: Tue, 23 Mar 2021 17:12:13 +0100
Subject: [PATCH 5/5] Ansible config cleanup
---
 os/config/roles/common/tasks/main.yml | 4 ++--
 os/config/roles/consul/tasks/main.yml | 12 ------------
 os/config/roles/consul/vars/.gitignore | 1 -
 os/config/roles/consul/vars/main.yml.sample | 2 --
 os/config/roles/nomad/tasks/main.yml | 12 ------------
 5 files changed, 2 insertions(+), 29 deletions(-)
 delete mode 100644 os/config/roles/consul/vars/.gitignore
 delete mode 100644 os/config/roles/consul/vars/main.yml.sample
diff --git a/os/config/roles/common/tasks/main.yml b/os/config/roles/common/tasks/main.yml
index 37cad52..b332414 100644
--- a/os/config/roles/common/tasks/main.yml
+++ b/os/config/roles/common/tasks/main.yml
@@ -34,7 +34,7 @@
 - strace
 - tcpdump
 # Networking
- - dnsutils # now called bind9-dnsutils
+ - dnsutils # now called bind9-dnsutils (still valid)
 - ethtool
 - iproute2 # advanced net-tools
 - iptables # legacy firewall (still used by diplonat)
@@ -76,7 +76,7 @@
 include_tasks: hashicorp.yml
 when: nomad_exists.rc != 0
-
+# Cool stuff
 - name: "Passwordless sudo"
 lineinfile:
diff --git a/os/config/roles/consul/tasks/main.yml b/os/config/roles/consul/tasks/main.yml
index da6f6f1..bdbf295 100644
--- a/os/config/roles/consul/tasks/main.yml
+++ b/os/config/roles/consul/tasks/main.yml
@@ -1,15 +1,3 @@
-# - name: "Set consul version"
-# set_fact:
-# consul_version: 1.9.1
-
-# - name: "Download and install Consul for x86_64"
-# unarchive:
-# src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
-# dest: /usr/local/bin
-# remote_src: yes
-# when:
-# - "ansible_architecture == 'x86_64'"
-
 - name: "Create consul configuration directory"
 file: path=/etc/consul/ state=directory
diff --git a/os/config/roles/consul/vars/.gitignore b/os/config/roles/consul/vars/.gitignore
deleted file mode 100644
index ff5c0bd..0000000
--- a/os/config/roles/consul/vars/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-main.yml
diff --git a/os/config/roles/consul/vars/main.yml.sample b/os/config/roles/consul/vars/main.yml.sample
deleted file mode 100644
index 9c44126..0000000
--- a/os/config/roles/consul/vars/main.yml.sample
+++ /dev/null
@@ -1,2 +0,0 @@
----
-consul_gossip_encrypt: ""
diff --git a/os/config/roles/nomad/tasks/main.yml b/os/config/roles/nomad/tasks/main.yml
index 080a75f..c4f2876 100644
--- a/os/config/roles/nomad/tasks/main.yml
+++ b/os/config/roles/nomad/tasks/main.yml
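Review bot: Deleting `os/config/roles/consul/vars/.gitignore` removes the `main.yml` exclusion that kept the real consul vars file, the one `main.yml.sample` shows as holding `consul_gossip_encrypt`, out of version control; after this commit a populated `roles/consul/vars/main.yml` sitting in a working tree would be picked up by the next `git add`. If the gossip key is now supplied another way, the commit message should say so; otherwise the `.gitignore` should stay (or the exclusion move to a top-level `.gitignore`) even though the sample file is gone. This is inferred from the two deletion hunks alone; how the role currently receives `consul_gossip_encrypt` is not visible on this page.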
@@ -1,15 +1,3 @@
-# - name: "Set nomad version"
-# set_fact:
-# nomad_version: 1.0.2
-
-# - name: "Download and install Nomad for x86_64"
-# unarchive:
-# src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
-# dest: /usr/local/bin
-# remote_src: yes
-# when:
-# - "ansible_architecture == 'x86_64'"
-
 - name: "Create Nomad configuration directory"
 file: path=/etc/nomad/ state=directory