Merge pull request 'Config Ansible mise à jour à l'occasion de l'install de HammerHead' (#37) from adrien/infrastructure:main into feature/upgrade-ansible

Reviewed-on: Deuxfleurs/infrastructure#37
Quentin 2021-04-09 11:19:38 +02:00
commit f4c8ba8ebd
13 changed files with 184 additions and 54 deletions


@ -1,6 +1,8 @@
--- ---
- hosts: cluster_nodes - hosts: cluster_nodes
# "you can define how many hosts Ansible should manage at a single time
# using the serial keyword"
serial: 1 serial: 1
roles: roles:
- role: common - role: common


@ -0,0 +1,17 @@
cluster_nodes:
hosts:
hammerhead:
ansible_host: ns3118584.ip-5-135-179.eu
ansible_port: 110
ansible_user: root
ansible_ssh_private_key_file: /home/adrien/.ssh/hammerhead
ansible_become: true
ipv4: 5.135.179.11
gatewayv4: 5.135.179.254
ipv6: 2001:41d0:8:ba0b::1
gatewayv6: fe80::264:40ff:fe3a:fac0
interface: eno1
dns_1: 213.186.33.99
dns_2: 172.104.136.243
ansible_python_interpreter: python3
ssh_port: 110
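Review bot: `ansible_ssh_private_key_file: /home/adrien/.ssh/hammerhead` hard-codes one operator's home directory into the shared inventory, so anyone else running the playbook against hammerhead fails before the first connection; keep the key location out of the inventory (an `IdentityFile` entry for this host in the operator's ssh_config, or `--private-key` on the command line) or at least write it as `~/.ssh/hammerhead`. `ansible_port: 110` and `ssh_port: 110` carry the same value twice, and the iptables templates in this change open only `{{ ssh_port }}`, so if the two ever drift the firewall locks Ansible out; `ssh_port: "{{ ansible_port }}"` keeps them tied. `ansible_become: true` does nothing while `ansible_user: root`; if it is meant as preparation for a non-root operator account, a comment saying so would help the next reader.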


@ -12,6 +12,7 @@ cluster_nodes:
dns_1: 212.27.40.240 dns_1: 212.27.40.240
dns_2: 212.27.40.241 dns_2: 212.27.40.241
ansible_python_interpreter: python3 ansible_python_interpreter: python3
ssh_port: 22
digitale: digitale:
ansible_host: atuin.site.deuxfleurs.fr ansible_host: atuin.site.deuxfleurs.fr
@ -25,6 +26,7 @@ cluster_nodes:
dns_1: 212.27.40.240 dns_1: 212.27.40.240
dns_2: 212.27.40.241 dns_2: 212.27.40.241
ansible_python_interpreter: python3 ansible_python_interpreter: python3
ssh_port: 22
drosera: drosera:
ansible_host: atuin.site.deuxfleurs.fr ansible_host: atuin.site.deuxfleurs.fr
@ -38,6 +40,7 @@ cluster_nodes:
dns_1: 212.27.40.240 dns_1: 212.27.40.240
dns_2: 212.27.40.241 dns_2: 212.27.40.241
ansible_python_interpreter: python3 ansible_python_interpreter: python3
ssh_port: 22
io: io:
ansible_host: jupiter.site.deuxfleurs.fr ansible_host: jupiter.site.deuxfleurs.fr
@ -51,3 +54,4 @@ cluster_nodes:
dns_1: 109.0.66.20 dns_1: 109.0.66.20
dns_2: 109.0.66.10 dns_2: 109.0.66.10
ansible_python_interpreter: python3 ansible_python_interpreter: python3
ssh_port: 22
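Review bot: `ssh_port: 22` is repeated verbatim on every host in this section (the four hunks each add one such line), which invites the same drift as in the hammerhead entry: the firewall templates open `{{ ssh_port }}` while Ansible connects on `ansible_port`. Defining it once under `cluster_nodes: vars:` as `ssh_port: "{{ ansible_port | default(22) }}"` lets hosts with a non-default port set only `ansible_port`. Only the tail of each host entry is visible here, so whether a group-level `vars:` block already exists cannot be confirmed from the hunks.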


@ -0,0 +1,75 @@
# From the official Docker installation guide for Debian:
# https://docs.docker.com/engine/install/debian/
# Uninstall old Docker versions
# $ sudo apt-get remove docker docker-engine docker.io containerd runc
- name: "Remove old Docker versions"
ansible.builtin.apt:
state: absent
name:
- docker
- docker-engine
- docker.io
- containerd
- runc
# Install dependencies
# > apt-transport-https ca-certificates curl gnupg lsb-release
- name: "Install Docker dependencies"
ansible.builtin.apt:
state: present
name:
- apt-transport-https
- ca-certificates
# - curl # Already installed in main.yml
- gnupg
- lsb-release
# Dowload Docker's official GPG key
# $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
- name: "Add Docker's official GPG key to apt"
ansible.builtin.apt_key:
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
url: https://download.docker.com/linux/debian/gpg
# Key destination path
keyring: /usr/share/keyrings/docker-archive-keyring.gpg
state: present
# Add Docker's repository to apt
# $ echo \
# "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
# $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
- name: "Add Docker's repository to APT sources list"
ansible.builtin.apt_repository:
repo: "deb [arch={{ architecture_map[ansible_architecture] }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
state: present
vars:
architecture_map:
"x86_64": "amd64"
"aarch64": "arm64"
"aarch": "arm64"
"armhf": "armhf"
"armv7l": "armhf"
# Install Docker engine
# $ sudo apt-get update
# $ sudo apt-get install docker-ce docker-ce-cli containerd.io
- name: "Install Docker engine"
ansible.builtin.apt:
state: present
update_cache: yes
name:
- docker-ce
- docker-ce-cli
- containerd.io
# Install docker-compose
# $ sudo curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: "Install Docker Compose"
ansible.builtin.get_url:
url: "https://github.com/docker/compose/releases/download/{{ compose_version }}/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
dest: /usr/local/bin/docker-compose
mode: "0755"
vars:
compose_version: 1.28.5
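Review bot: The `get_url` task at the end of the hunk writes an executable to `/usr/local/bin/docker-compose` with no `checksum:`, so the installed binary is whatever the download returned and the task cannot detect a truncated or substituted file; the module accepts a pinned digest such as `checksum: "sha256:<PINNED_DIGEST_FOR_compose_version>"` (placeholder — take the value from the release's published checksum), which also makes re-runs skip the download when the file already matches. `update_cache: yes` in the 'Install Docker engine' task is the YAML 1.1 boolean spelling; `update_cache: true` is what yamllint's truthy rule expects, and the same applies to `update_cache: yes` in hashicorp.yml and `warn: no` in main.yml. The comment above the Docker Compose task quotes 1.28.5 in a URL, so it goes stale the moment `compose_version` changes; pointing the comment at the variable instead (`# version is taken from compose_version below`) keeps the two in step.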


@ -0,0 +1,24 @@
- name: "Add Hashicorps's official GPG key to apt"
ansible.builtin.apt_key:
url: https://apt.releases.hashicorp.com/gpg
state: present
- name: "Add Hashicorp's repository to APT sources list"
ansible.builtin.apt_repository:
repo: "deb [arch={{ architecture_map[ansible_architecture] }}] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
state: present
vars:
architecture_map:
"x86_64": "amd64"
"aarch64": "arm64"
"aarch": "arm64"
"armhf": "armhf"
"armv7l": "armhf"
- name: "Install Nomad & Consul"
ansible.builtin.apt:
state: present
update_cache: yes
name:
- nomad
- consul
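Review bot: The `apt_key` task at the top of the hunk imports the HashiCorp key with `url:` only — no `id:` to pin the fingerprint and no `keyring:` — so the key lands in the global apt trusted keyring and becomes valid for every configured repository, whereas the Docker task in the same change pins `id:` and scopes the key with `keyring:` plus `signed-by=`. Add `id: "<HASHICORP_APT_KEY_FINGERPRINT>"` (placeholder; copy the fingerprint from HashiCorp's published key) and `keyring: /usr/share/keyrings/hashicorp-archive-keyring.gpg` (constructed name, matching the Docker task's layout) to the key task, and `signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg` inside the `[arch=...]` options of the `repo:` line. The install task asks for `nomad` and `consul` with `state: present` and no version, while the lines this change removes from the consul and nomad roles pinned 1.9.1 and 1.0.2; nodes provisioned at different times will now get different versions and a re-run never upgrades an already-installed package, so either pin with `- "nomad={{ nomad_version }}"` (and likewise for consul) or document that the versions are intentionally floating.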


@ -15,39 +15,73 @@
- name: "Install base tools" - name: "Install base tools"
apt: apt:
name: name:
- vim # Essentials
- htop
- screen
- iptables
- iptables-persistent
- nftables
- iproute2
- curl - curl
- iputils-ping - less
- dnsutils - sudo
- tar
- unzip
# User tooling
- screen
- vim
# Monitoring
- bmon - bmon
- htop
- iftop - iftop
- iotop - iotop
- docker.io - iputils-ping
- unzip
- tar
- tcpdump
- less
- parted
- btrfs-tools
- libnss-resolve
- net-tools
- strace
- sudo
- ethtool
- pciutils - pciutils
- strace
- tcpdump
# Networking
- dnsutils # now called bind9-dnsutils (still valid)
- ethtool
- iproute2 # advanced net-tools
- iptables # legacy firewall (still used by diplonat)
- iptables-persistent
- net-tools # basic network tools
- nftables # iptables' successor (will replace it eventually)
# Optional / Dispensable
#- docker.io # Adrien n'approuve pas (il faut utiliser le repo Docker)
- parted
#- btrfs-tools
#- libnss-resolve # provides DNS/LLMNR utilities via systemd-resolved
state: present state: present
# Install Docker if need be
- name: Check if Docker is installed
command: 'which docker'
args:
warn: no
register: docker_exists
changed_when: docker_exists.rc != 0
ignore_errors: true
- name: "Install Docker"
include_tasks: docker.yml
when: docker_exists.rc != 0
# Install Nomad & Consul if need be
- name: Check if Nomad is installed
command: 'which nomad'
args:
warn: no
register: nomad_exists
changed_when: nomad_exists.rc != 0
ignore_errors: true
- name: "Install Nomad & Consul"
include_tasks: hashicorp.yml
when: nomad_exists.rc != 0
# Cool stuff
- name: "Passwordless sudo" - name: "Passwordless sudo"
lineinfile: lineinfile:
path: /etc/sudoers path: /etc/sudoers
state: present state: present
regexp: '^%sudo' regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL' line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s' validate: 'visudo -cf %s'
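Review bot: The `when: docker_exists.rc != 0` guard on the 'Install Docker' include defeats the migration this change is making: on a node that already has docker from the `docker.io` package this role used to install (now commented out in the package list above), `which docker` succeeds, so docker.yml — which removes `docker.io` and installs `docker-ce` from Docker's repository — never runs there, and the same holds for `nomad_exists` on nodes where nomad was previously unarchived into /usr/local/bin. The apt, apt_key and apt_repository tasks in the included files are idempotent, so the `which` probes can simply go: `- name: "Install Docker"` / `include_tasks: docker.yml` with no `when:`, and likewise for hashicorp.yml. If a guard is still wanted, `failed_when: false` on the probe avoids the red 'ignoring' output that `ignore_errors: true` leaves in every run, and `warn: no` should be spelled `warn: false`. The task list continues beyond both ends of this hunk.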


@ -1,15 +1,3 @@
- name: "Set consul version"
set_fact:
consul_version: 1.9.1
- name: "Download and install Consul for x86_64"
unarchive:
src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
dest: /usr/local/bin
remote_src: yes
when:
- "ansible_architecture == 'x86_64'"
- name: "Create consul configuration directory" - name: "Create consul configuration directory"
file: path=/etc/consul/ state=directory file: path=/etc/consul/ state=directory


@ -1 +0,0 @@
main.yml


@ -1,2 +0,0 @@
---
consul_gossip_encrypt: "<secret>"


@ -7,10 +7,10 @@
-A INPUT -p icmp -j ACCEPT -A INPUT -p icmp -j ACCEPT
# Administration # Administration
-A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
# Diplonat needs everything open to communicate with IGD with the router # Diplonat needs everything open to communicate with IGD with the router
-A INPUT -s 192.168.1.254 -j ACCEPT -A INPUT -s {{ gatewayv4 }} -j ACCEPT
# Cluster # Cluster
{% for selected_host in groups['cluster_nodes'] %} {% for selected_host in groups['cluster_nodes'] %}
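Review bot: `-A INPUT -s {{ gatewayv4 }} -j ACCEPT` accepts every protocol and port from the gateway address on every cluster node, including hammerhead, whose `gatewayv4` in the new inventory is a hosting provider's router rather than a home router exposing IGD; the comment above the rule says it exists only for Diplonat's IGD exchange. Gating the rule on a per-host flag, e.g. `{% if diplonat_igd | default(false) %}` … `{% endif %}` (constructed variable name — none is defined in this change), or restricting it to the ports Diplonat actually needs, keeps the blanket allow off nodes where it serves no purpose. Nothing visible in this change reconfigures sshd to listen on `{{ ssh_port }}`, so the value must already match the port sshd uses on each host before the rules are persisted, or the SSH allow rule targets the wrong port; that presumably holds for hammerhead (`ansible_port` is also 110), but a comment on the `ssh_port` variable stating that expectation would prevent a lockout later.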


@ -13,7 +13,7 @@
-A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT
# Administration # Administration
-A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
# Cluster # Cluster
{% for selected_host in groups['cluster_nodes'] %} {% for selected_host in groups['cluster_nodes'] %}
@ -36,6 +36,8 @@
-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT -A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
# ADRN@Gandi # ADRN@Gandi
-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT -A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
# ADRN@Kimsufi
-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/64 -j DEUXFLEURS-TRUSTED-PORT
# Quentin@Rennes # Quentin@Rennes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT -A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Source address is not trusted # Source address is not trusted
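Review bot: The new `ADRN@Kimsufi` rule writes the source as `2001:41d0:8:ba0b::1/64`, a host address with a /64 mask: iptables applies the mask, so it trusts the whole `2001:41d0:8:ba0b::/64` prefix rather than the single address the `::1` suggests, and it reads differently from the `/128` host entry for ADRN@Gandi just above it. Write whichever is intended explicitly — `-s 2001:41d0:8:ba0b::1/128` for the host, or `-s 2001:41d0:8:ba0b::/64` for the prefix. The address is also hammerhead's `ipv6` in the new inventory, and the `cluster_nodes` loop in the first hunk of this file presumably already covers cluster members (its body is outside the hunk), so the comment should say why this node is additionally trusted as an administrator source.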


@ -1,15 +1,3 @@
- name: "Set nomad version"
set_fact:
nomad_version: 1.0.2
- name: "Download and install Nomad for x86_64"
unarchive:
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
dest: /usr/local/bin
remote_src: yes
when:
- "ansible_architecture == 'x86_64'"
- name: "Create Nomad configuration directory" - name: "Create Nomad configuration directory"
file: path=/etc/nomad/ state=directory file: path=/etc/nomad/ state=directory


@ -10,7 +10,6 @@ active_users:
is_admin: true is_admin: true
ssh_keys: ssh_keys:
- 'alex-key1.pub' - 'alex-key1.pub'
#- 'alex-key2.pub'
- 'alex-key3.pub' - 'alex-key3.pub'
- username: 'maximilien' - username: 'maximilien'