Compare commits


10 commits

11 changed files with 141 additions and 54 deletions


@ -1,6 +1,8 @@
---
- hosts: cluster_nodes
# "you can define how many hosts Ansible should manage at a single time
# using the serial keyword"
serial: 1
roles:
- role: common
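Review bot: The comment above `serial: 1` quotes the Ansible manual rather than saying why this play needs it, which is the part a maintainer touching this file later will want. Since the play targets `cluster_nodes` and the `common` role performs a full system upgrade, something like `# Roll through cluster_nodes one host at a time so a broken upgrade does not take the whole cluster down at once` documents the intent. If the expectation is also that one failed host should stop the play from reaching the others, state that in the comment once you have confirmed the batch-failure behaviour of the Ansible version in use.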


@ -12,6 +12,7 @@ cluster_nodes:
dns_1: 212.27.40.240
dns_2: 212.27.40.241
ansible_python_interpreter: python3
ssh_port: 22
digitale:
ansible_host: atuin.site.deuxfleurs.fr
@ -25,6 +26,7 @@ cluster_nodes:
dns_1: 212.27.40.240
dns_2: 212.27.40.241
ansible_python_interpreter: python3
ssh_port: 22
drosera:
ansible_host: atuin.site.deuxfleurs.fr
@ -38,6 +40,7 @@ cluster_nodes:
dns_1: 212.27.40.240
dns_2: 212.27.40.241
ansible_python_interpreter: python3
ssh_port: 22
io:
ansible_host: jupiter.site.deuxfleurs.fr
@ -51,3 +54,19 @@ cluster_nodes:
dns_1: 109.0.66.20
dns_2: 109.0.66.10
ansible_python_interpreter: python3
ssh_port: 22
hammerhead:
ansible_host: ns3118584.ip-5-135-179.eu
ansible_port: 110
ansible_become: true
ipv4: 5.135.179.11
gatewayv4: 5.135.179.254
ipv6: 2001:41d0:8:ba0b::1
gatewayv6: fe80::264:40ff:fe3a:fac0
interface: eno1
dns_1: 213.186.33.99
dns_2: 172.104.136.243
ansible_python_interpreter: python3
ssh_port: 110
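Review bot: `ssh_port` is now maintained by hand next to `ansible_port` (hammerhead sets both to 110, the other hosts get `ssh_port: 22` and rely on the default connection port), and the two are not tied together. Because the iptables templates in this same compare open `--dport {{ ssh_port }}`, a host whose values drift ends up with a firewall that accepts a port Ansible does not connect on, locking further runs out. Deriving one from the other once at group level, e.g. `ssh_port: "{{ ansible_port | default(22) }}"`, removes that failure mode and the per-host repetition.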


@ -0,0 +1,75 @@
# From the official Docker installation guide for Debian:
# https://docs.docker.com/engine/install/debian/
# Uninstall old Docker versions
# $ sudo apt-get remove docker docker-engine docker.io containerd runc
- name: "Remove old Docker versions"
ansible.builtin.apt:
state: absent
name:
- docker
- docker-engine
- docker.io
- containerd
- runc
# Install dependencies
# > apt-transport-https ca-certificates curl gnupg lsb-release
- name: "Install Docker dependencies"
ansible.builtin.apt:
state: present
name:
- apt-transport-https
- ca-certificates
# - curl # Already installed in main.yml
- gnupg
- lsb-release
# Dowload Docker's official GPG key
# $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
- name: "Add Docker's official GPG key to apt"
ansible.builtin.apt_key:
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
url: https://download.docker.com/linux/debian/gpg
# Key destination path
keyring: /usr/share/keyrings/docker-archive-keyring.gpg
state: present
# Add Docker's repository to apt
# $ echo \
# "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
# $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
- name: "Add Docker's repository to APT sources list"
ansible.builtin.apt_repository:
repo: "deb [arch={{ architecture_map[ansible_architecture] }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
state: present
vars:
architecture_map:
"x86_64": "amd64"
"aarch64": "arm64"
"aarch": "arm64"
"armhf": "armhf"
"armv7l": "armhf"
# Install Docker engine
# $ sudo apt-get update
# $ sudo apt-get install docker-ce docker-ce-cli containerd.io
- name: "Install Docker engine"
ansible.builtin.apt:
state: present
update_cache: yes
name:
- docker-ce
- docker-ce-cli
- containerd.io
# Install docker-compose
# $ sudo curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: "Install Docker Compose"
ansible.builtin.get_url:
url: "https://github.com/docker/compose/releases/download/{{ compose_version }}/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
dest: /usr/local/bin/docker-compose
mode: "0755"
vars:
compose_version: 1.28.5
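Review bot: The "Install Docker Compose" task drops a binary into `/usr/local/bin` with mode 0755 but verifies nothing about what was downloaded; `get_url` supports `checksum`, so pinning the release, e.g. `checksum: "sha256:<sha256-of-docker-compose-{{ compose_version }}>"` (value taken from the release's checksum file), means a tampered or truncated download fails the task instead of becoming an executable on every node. The apt key step is in better shape since `id` pins the key fingerprint. Two smaller points in the same file: quote `compose_version: "1.28.5"` so a future bump such as `2.10` is not parsed as the float 2.1 before it reaches the URL, and write `update_cache: true` rather than `yes` to match the `true`/`false` form already used elsewhere in this compare.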


@ -6,7 +6,7 @@
- name: "Upgrade system"
apt:
upgrade: dist # Should we do a full uprade instead of a dist one?
upgrade: full
update_cache: yes
cache_valid_time: 3600
autoclean: yes
@ -15,34 +15,52 @@
- name: "Install base tools"
apt:
name:
- vim
- htop
- screen
- iptables
- iptables-persistent
- nftables
- iproute2
# Essentials
- curl
- iputils-ping
- dnsutils
- less
- sudo
- tar
- unzip
# User tooling
- screen
- vim
# Monitoring
- bmon
- htop
- iftop
- iotop
- docker.io
- unzip
- tar
- tcpdump
- less
- parted
- btrfs-tools
- libnss-resolve
- net-tools
- strace
- sudo
- ethtool
- iputils-ping
- pciutils
- strace
- tcpdump
# Networking
- bind9-dnsutils
- ethtool
- iproute2 # advanced net-tools
- iptables # legacy firewall (still used by diplonat)
- iptables-persistent
- net-tools # basic network tools
- nftables # iptables' successor (will replace it eventually)
# Filesystems / Disk Utils
- parted
state: present
# Install Docker if need be
- name: Check if Docker is installed
command: 'which docker'
args:
warn: no
register: docker_exists
changed_when: docker_exists.rc != 0
ignore_errors: true
- name: "Install Docker"
include_tasks: docker.yml
when: docker_exists.rc != 0
# Cool stuff
- name: "Passwordless sudo"
lineinfile:
path: /etc/sudoers
@ -50,4 +68,3 @@
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
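Review bot: In the second hunk, gating `include_tasks: docker.yml` on `which docker` failing means hosts that already have the distribution `docker.io` package (which the old "Install base tools" list installed) will never run docker.yml, so the "Remove old Docker versions" task and the switch to `docker-ce` from Docker's repository silently do not happen on exactly the hosts that need them. Since every task in docker.yml is an idempotent `state: present`/`absent` step, the check task can be dropped and the include made unconditional: `- name: "Install Docker"` / `  include_tasks: docker.yml`. If the check is kept, it should not be reported as a change or a failure: `changed_when: false` and `failed_when: false` instead of `changed_when: docker_exists.rc != 0` and `ignore_errors: true`; also, the `args: warn: no` option has been removed in recent ansible-core releases, so it is worth confirming it still parses on the controller version used here. The task list continues outside this hunk.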


@ -1,15 +1,3 @@
- name: "Set consul version"
set_fact:
consul_version: 1.9.1
- name: "Download and install Consul for x86_64"
unarchive:
src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
dest: /usr/local/bin
remote_src: yes
when:
- "ansible_architecture == 'x86_64'"
- name: "Create consul configuration directory"
file: path=/etc/consul/ state=directory


@ -1 +0,0 @@
main.yml


@ -1,2 +0,0 @@
---
consul_gossip_encrypt: "<secret>"


@ -7,10 +7,10 @@
-A INPUT -p icmp -j ACCEPT
# Administration
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
# Diplonat needs everything open to communicate with IGD with the router
-A INPUT -s 192.168.1.254 -j ACCEPT
-A INPUT -s {{ gatewayv4 }} -j ACCEPT
# Cluster
{% for selected_host in groups['cluster_nodes'] %}
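Review bot: `-A INPUT -s {{ gatewayv4 }} -j ACCEPT` now renders on every host, but the comment above it explains the rule as a home-router/IGD requirement for Diplonat, and the inventory in this compare gives hammerhead a provider-side gateway (`gatewayv4: 5.135.179.254`), not a home router. On such a host the rule accepts all inbound traffic from the upstream router's address for no functional reason, which is the opposite of the least-privilege shape the rest of the template (per-host, per-port rules) follows. Guard the rule so it only renders for hosts that actually sit behind an IGD-capable router, for example with a per-host boolean in the inventory checked by a `{% if ... %}` around the rule, and say so in the comment; the template continues outside this hunk.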


@ -13,7 +13,7 @@
-A INPUT -p ipv6-icmp -j ACCEPT
# Administration
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport {{ ssh_port }} -j ACCEPT
# Cluster
{% for selected_host in groups['cluster_nodes'] %}
@ -36,6 +36,8 @@
-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
# ADRN@Gandi
-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
# ADRN@Kimsufi
-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:8:ba0b::1/64 -j DEUXFLEURS-TRUSTED-PORT
# Quentin@Rennes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Erwan@Rennes
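Review bot: The new `ADRN@Kimsufi` entry trusts `2001:41d0:8:ba0b::1/64`, i.e. the whole `2001:41d0:8:ba0b::/64`, whereas the neighbouring single-host `ADRN@Gandi` entry uses `/128`. The address is hammerhead's own `ipv6` from the inventory in this compare, so unless that entire /64 is allocated exclusively to this server — which I cannot tell from here — the rule also admits other hosts in the provider's block to the trusted-port chain; if the intent is to trust the one host, use `/128` as the Gandi line does and note in the comment whether the /64 is dedicated. The trusted-net list continues outside this hunk.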


@ -1,15 +1,3 @@
- name: "Set nomad version"
set_fact:
nomad_version: 1.0.2
- name: "Download and install Nomad for x86_64"
unarchive:
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
dest: /usr/local/bin
remote_src: yes
when:
- "ansible_architecture == 'x86_64'"
- name: "Create Nomad configuration directory"
file: path=/etc/nomad/ state=directory


@ -10,7 +10,6 @@ active_users:
is_admin: true
ssh_keys:
- 'alex-key1.pub'
#- 'alex-key2.pub'
- 'alex-key3.pub'
- username: 'maximilien'