diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..285fc8c --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +* text eol=lf +*.zip -text diff --git a/.gitignore b/.gitignore index be6cd1e..d889b61 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,6 @@ .DS_Store vault.keys +*.log +*.retry +*.iml +.idea/ diff --git a/ansible.cfg b/ansible.cfg index 9c29427..1d384df 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,3 +1,5 @@ [defaults] roles_path = roles:/etc/ansible/roles -host_key_checking = false \ No newline at end of file +host_key_checking = false +log_path=ansible.log +timeout = 30 diff --git a/bootstrap.yml b/bootstrap.yml index 44b6c8d..7f3d2a2 100755 --- a/bootstrap.yml +++ b/bootstrap.yml @@ -7,19 +7,25 @@ hosts: - bramble roles: - - users + - ssh-key - shell tasks: - - name: stop all the default shit - command: "{{ item }}" + - name: update system + apt: + update_cache: yes + upgrade: dist + cache_valid_time: 86400 + - name: stop and disable services + service: + name: "{{item}}" + enabled: false + state: stopped with_items: - - apt-get update - - apt dist-upgrade -y - - systemctl stop avahi-daemon - - systemctl disable avahi-daemon - - systemctl disable avahi-daemon.socket - - systemctl stop bluetooth - - systemctl disable bluetooth - become: yes - become_user: root \ No newline at end of file + - avahi-daemon + - avahi-daemon.socket + - bluetooth + - name: set hostname + hostname: + name: "{{hostvars.hostname}}" + diff --git a/inventory.ini b/inventory.ini index 4a10124..d5cb303 100644 --- a/inventory.ini +++ b/inventory.ini 
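Review bot: `log_path=ansible.log` in the ansible.cfg hunk is written without the spaces around `=` that the neighbouring keys use; `log_path = ansible.log` keeps the file consistent. With a log path set, every task result that is not marked `no_log` is persisted on the controller, including registered values such as the checksum captured by `register: consul_sha256` in the install tasks; the `*.log` entry added to `.gitignore` keeps that file out of the repository, but it still sits on disk, so a comment noting that and a `no_log` on any task that handles tokens would be worth adding.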
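Review bot: `name: "{{hostvars.hostname}}"` in the `set hostname` task of bootstrap.yml looks up a host literally named `hostname` in `hostvars`, not the per-host `hostname=odin` variable set in inventory.ini; that inventory variable is already in scope, so `name: "{{ hostname }}"` is what the task needs. The new `update system` and `stop and disable services` tasks no longer carry the `become: yes` / `become_user: root` that the removed `command` task had; unless the play header above the hunk sets `become`, `apt`, `service` and `hostname` will fail as the `pi` user. `{{item}}` would also read better as `{{ item }}` to match the rest of the repository.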
@@ -1,19 +1,21 @@ [bramble] -192.168.10.26 -192.168.10.25 -192.168.10.27 -192.168.10.28 +192.168.0.18 hostname=odin +192.168.0.19 hostname=balder +192.168.0.20 hostname=loki +192.168.0.21 hostname=thor +; run the consul server(s) [consul] -192.168.10.26 -192.168.10.25 -192.168.10.27 +192.168.0.18 +192.168.0.19 +192.168.0.20 ; runs nomad leader, vault and statsd [baron] -192.168.10.26 +192.168.0.18 +; run consul and nomad clients [followers] -192.168.10.25 -192.168.10.27 -192.168.10.28 +192.168.0.19 +192.168.0.20 +192.168.0.21 diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml index 7502ec4..683983e 100644 --- a/roles/consul/defaults/main.yml +++ b/roles/consul/defaults/main.yml @@ -1,8 +1,21 @@ --- -consul_version: "0.7.1" -consul_checksum: "sha256:e7b6846fb338c31e238f9b70cc42bd35f7de804cc31d2d91fe23cbe5de948aae" -consul_install_path: /usr/local/consul -consul_dc: alpha +consul_version: "{{ lookup('env','CONSUL_VERSION') | default('0.9.0', true) }}" +consul_architecture_map: + # this first entry seems... redundant + #(but it's required for reasons) + amd64: amd64 + x86_64: amd64 + armv7l: arm + aarch64: arm64 +consul_architecture: "{{ consul_architecture_map[ansible_architecture] }}" +consul_os: "{{ ansible_system|lower }}" +consul_pkg: "consul_{{ consul_version }}_{{ consul_os }}_{{ consul_architecture }}.zip" +consul_zip_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_{{ consul_os }}_{{ consul_architecture }}.zip" +consul_checksum_file_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version}}_SHA256SUMS" +consul_install_path: /usr/local/bin +consul_owner: root +consul_group: root +consul_dc: dc1 consul_dns_domain: bramble.local consul_bind: "{{ ansible_default_ipv4.address }}" consul_client: "{{ ansible_default_ipv4.address }}" 
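Review bot: `consul_checksum_file_url` drops the space before the closing delimiter in `{{ consul_version}}`, unlike every other expression in the hunk; the same slip is in `nomad_checksum_file_url` and `vault_checksum_file_url`, and vault/defaults/main.yml additionally ends without a trailing newline. The two-line comment on `consul_architecture_map` says the `amd64: amd64` entry is required "for reasons"; presumably `ansible_architecture` already reports `amd64` on some hosts, so `# identity entry: ansible_architecture may already report amd64` would document it without the shrug. New keys such as `consul_ui_enabled: no` would be more portable as `true`/`false`, even though the older keys in this file use `yes`/`no`.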
@@ -10,7 +23,7 @@ consul_advertise: "{{ ansible_default_ipv4.address }}" consul_is_server: no consul_retry_join: "{% for host in groups['consul'] %}\"{{ host }}\"{% if not loop.last %}, {% endif %}{% endfor %}" consul_bootstrap_expect: 3 -consul_disable_remote_exec: "true" +consul_disable_remote_exec: "false" consul_do_acl: no consul_acl_master_token: "42baab74-b9e1-11e6-8370-c7a88ede55d0" @@ -25,3 +38,7 @@ consul_cert_file: consul.cert consul_key_file: consul.key consul_do_auth: no + +consul_ui_enabled: no + +consul_arch: arm diff --git a/roles/consul/files/consul-destroy-install.sh b/roles/consul/files/consul-destroy-install.sh index f82505b..98b02ad 100644 --- a/roles/consul/files/consul-destroy-install.sh +++ b/roles/consul/files/consul-destroy-install.sh @@ -1,9 +1,13 @@ #!/bin/bash -set -e +#set -e +sudo systemctl stop vault.service sudo systemctl stop consul.service && \ +sudo rm -rf /usr/local/bin/consul && \ sudo rm -rf /usr/local/consul && \ sudo rm -rf /var/lib/consul && \ -sudo rm -rf /etc/consul +sudo rm -rf /etc/consul && +exit 0 +exit 1 diff --git a/roles/consul/files/consul-wait-for-leader.sh b/roles/consul/files/consul-wait-for-leader.sh index 2b058ba..f76c0d8 100755 --- a/roles/consul/files/consul-wait-for-leader.sh +++ b/roles/consul/files/consul-wait-for-leader.sh @@ -8,7 +8,7 @@ while :; do fi if [ $SECONDS -gt $max_wait ]; then - echo "No Consul leader elected in 30 seconds" + echo "No Consul leader elected in $max_wait seconds" exit 1 fi diff --git a/roles/consul/files/consul.service b/roles/consul/files/consul.service index 39a7223..c2d3efe 100644 --- a/roles/consul/files/consul.service +++ b/roles/consul/files/consul.service @@ -7,7 +7,7 @@ Wants=network-online.target [Service] User=root Group=root -ExecStart=/usr/local/bin/consul agent -client 0.0.0.0 -config-dir=/etc/consul -data-dir=/var/lib/consul +ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul ExecReload=/bin/kill -HUP $MAINPID KillSignal=SIGTERM 
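Review bot: Flipping `consul_disable_remote_exec` from `"true"` to `"false"` turns on Consul's remote-exec feature, which lets anyone who can reach the agent's HTTP API run commands on the nodes; in this repository the agent runs as `User=root` (consul.service), `consul_do_acl` stays `no` a few lines below, and the template in this commit sets `client_addr` to `0.0.0.0`, so the API is reachable unauthenticated from the whole network. If `consul exec` is actually needed, gate it behind ACLs (`consul_do_acl: yes`) and keep the default at `"true"`, enabling it per play in site.yml; otherwise revert this line. The commit does not say why it was changed, so a comment above the key stating the intended use would help either way.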
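Review bot: `consul_arch: arm` added at the end of the defaults duplicates the `consul_architecture` value derived from `consul_architecture_map` earlier in the file, and nothing else in this diff references it; if no task or template outside the diff reads it, drop it, otherwise rename it so the distinction from `consul_architecture` is clear. Hard-coding `arm` also contradicts the purpose of the map, which was to stop assuming the Pi architecture.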
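Review bot: The new `sudo systemctl stop vault.service` line in consul-destroy-install.sh is not part of the `&&` chain and `set -e` is now commented out, so a failure to stop Vault is ignored and the script goes on to delete `/var/lib/consul` underneath a Vault that may still be using Consul for storage. Chain it like the other commands (`sudo systemctl stop vault.service && \`) or keep `set -e`. The trailing `exit 0` / `exit 1` pair only works because the final `&&` is left dangling at the end of the `rm -rf /etc/consul` line, which is easy to break on the next edit, so a comment such as `# the dangling && makes exit 0 conditional on the whole chain` is worth adding.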
diff --git a/roles/consul/handlers/main.yml b/roles/consul/handlers/main.yml index 63054e8..4472cd2 100644 --- a/roles/consul/handlers/main.yml +++ b/roles/consul/handlers/main.yml @@ -1,7 +1,4 @@ --- + - name: restart consul - become: yes - become_user: root - service: - name: consul - state: restarted + include: restart.yml diff --git a/roles/consul/tasks/configure.yml b/roles/consul/tasks/configure.yml new file mode 100644 index 0000000..f3e675c --- /dev/null +++ b/roles/consul/tasks/configure.yml 
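Review bot: The `restart consul` handler now includes restart.yml, but the task in that file is named `reload consul` and uses `state: reloaded`, which for this unit is `ExecReload=/bin/kill -HUP $MAINPID`; as far as I recall Consul applies only a subset of its configuration on SIGHUP, so changes to server.json (`server`, `bootstrap_expect`) or to `client_addr` notified from configure.yml may not take effect until something else restarts the agent. Either rename the handler to match what it does and document the limitation in restart.yml, or keep `state: restarted` for the cases the notifying tasks actually cover. The commented-out `stop vault` task in restart.yml should be removed or explained rather than left as dead YAML.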
@@ -0,0 +1,107 @@ +############################################################################### +################################ CONFIGURE #################################### +############################################################################### + +- block: + # - name: deploy tls files + # copy: + # src: "{{ item.src }}" + # dest: "{{ item.dest }}" + # with_items: + # - src: etc/consul/ssl/cacert.pem + # dest: /etc/consul/ssl/{{ consul_ca_file }} + # - src: etc/consul/ssl/certs/consul.cert.pem + # dest: /etc/consul/ssl/{{ consul_cert_file }} + # - src: etc/consul/ssl/private/consul.key.pem + # dest: /etc/consul/ssl/{{ consul_key_file }} + # when: consul_do_ssl + # notify: + # - restart consul + # tags: + # - consul + + - name: install consul scripts + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0755 + with_items: + - src: consul-wait-for-leader.sh + dest: /usr/local/bin + - src: consul-destroy-install.sh + dest: /usr/local/bin + tags: + - consul + + - name: configure for systemd + copy: + src: consul.service + dest: "{{ systemd_dir }}/consul.service" + mode: 644 + tags: + - consul + - name: reload systemd + systemd: + daemon_reload: yes + name: consul.service + state: restarted + tags: + - consul + + - name: Create config folder + file: + path: /etc/consul + state: directory + mode: 0755 + tags: + - consul + + - name: configure consul + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: u=rw,g=r,o=r + with_items: + - src: consul.json.j2 + dest: /etc/consul/consul.json + notify: + - restart consul + tags: + - consul + + - name: Generate server config + template: + src: server.json.j2 + dest: /etc/consul/server.json + mode: u=rw,g=r,o=r + when: consul_is_server + notify: + - restart consul + tags: + - consul + + - name: enable consul + service: + name: consul + enabled: yes + state: started + tags: + - consul + + become: yes + become_user: root + +- pause: + seconds: 3 + +- name: join cluster of consul-dcs + 
command: "/usr/local/bin/consul join {{ groups['consul'] | random }}" + run_once: yes + tags: + - consul + +- name: wait for leader + command: /usr/local/bin/consul-wait-for-leader.sh + register: leader_status + tags: + - consul diff --git a/roles/consul/tasks/install.yml b/roles/consul/tasks/install.yml new file mode 100644 index 0000000..7be64a7 --- /dev/null +++ b/roles/consul/tasks/install.yml 
@@ -0,0 +1,67 @@ +############################################################################### +################################# INSTALL ##################################### +############################################################################### +- name: Read package checksum file + local_action: stat path="{{ role_path }}/files/consul_{{ consul_version }}_SHA256SUMS" + become: no + run_once: true + register: consul_checksum + tags: + - installation + - consul + +- name: Download package checksum file + local_action: get_url url="{{ consul_checksum_file_url }}" dest="{{ role_path }}/files/consul_{{ consul_version }}_SHA256SUMS" + become: no + run_once: true + tags: + - installation + - consul + when: not consul_checksum.stat.exists | bool + +- name: Read package checksum + local_action: shell grep "{{ consul_pkg }}" "{{ role_path }}/files/consul_{{ consul_version }}_SHA256SUMS" | awk '{print $1}' + become: no + run_once: true + register: consul_sha256 + tags: + - installation + - consul + +- name: Check Consul package file + local_action: stat path="{{ role_path }}/files/{{ consul_pkg }}" + become: no + run_once: true + register: consul_package + tags: + - installation + - consul + +- name: Download Consul package + local_action: get_url url="{{ consul_zip_url }}" dest="{{ role_path }}/files/{{ consul_pkg }}" checksum="sha256:{{ consul_sha256.stdout }}" timeout="42" + become: no + run_once: true + tags: + - installation + - consul + when: not consul_package.stat.exists | bool + +- name: Install Consul + unarchive: + src: "{{ consul_pkg }}" + dest: "{{ consul_install_path }}" + owner: "{{ consul_owner }}" + group: "{{ consul_group }}" + become: yes + tags: + - installation + - consul + +- name: Cleanup + local_action: file path="{{ item }}" state="absent" + become: no + with_fileglob: "{{ role_path }}/files/consul" + run_once: true + tags: + - installation + - consul 
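Review bot: All of the download steps in install.yml are `run_once` with `register`, but `consul_pkg` is built from `ansible_architecture` of whichever host runs first, so in a play that mixes armv7l and amd64 hosts (the architecture map in defaults suggests that is intended) only one architecture's zip is downloaded and `unarchive` fails on the others; drop `run_once` on the package steps or loop over the distinct architectures in the play. The `Install Consul` task also lost the `stat`/`when: preexisting.stat.exists != true` guard that main.yml used to have, so the zip is re-extracted on every run; `creates: "{{ consul_install_path }}/consul"` on the `unarchive` task restores the skip. Downloaded zips land in `roles/consul/files/`, which `.gitignore` does not exclude, and `.gitattributes` now marks `*.zip -text`, so the binaries can be committed by accident unless ignored elsewhere. The SHA256SUMS file is fetched from the same origin as the package and is not checked against the publisher's signature, so the checksum protects against a truncated download but not a substituted one (nomad and vault install.yml share all of this).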
diff --git a/roles/consul/tasks/main.yml b/roles/consul/tasks/main.yml index 704cbe7..fdb17cf 100644 --- a/roles/consul/tasks/main.yml +++ b/roles/consul/tasks/main.yml 
@@ -1,161 +1,3 @@ --- -############################################################################### -################################# INSTALL ##################################### -############################################################################### -- stat: - path: "{{ consul_install_path }}/{{ consul_version }}/" - register: preexisting - tags: - - consul - -# - debug: var=preexisting - -- block: - - - name: download consul - get_url: - url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_arm.zip" - dest: /tmp/consul.zip - mode: 0777 - checksum: "{{ consul_checksum }}" - tags: - - consul - - - name: create the install paths - file: - path: "{{ item }}" - state: directory - mode: 0755 - with_items: - - "{{ consul_install_path }}/{{ consul_version }}" - - /usr/share/consul-ui - - /etc/consul - tags: - - consul - - - name: decompress archive - command: "unzip /tmp/consul.zip -d {{ consul_install_path }}/{{ consul_version }}/" - tags: - - consul - - - name: link the versioned consul to the local bin - file: - src: "{{ consul_install_path }}/{{ consul_version }}/consul" - dest: /usr/local/bin/consul - owner: root - group: root - state: link - tags: - - consul - - - name: get consul-ui - get_url: - url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_web_ui.zip" - dest: /tmp/consul_web_ui.zip - tags: - - consul - - - name: extract consul-ui - unarchive: - src: /tmp/consul_web_ui.zip - dest: /usr/share/consul-ui - copy: no - creates: /usr/share/consul-ui/index.html - tags: - - consul - - - name: remove the temp archives - file: - path: "{{ item }}" - state: absent - with_items: - - /tmp/consul.zip - - /tmp/consul_web_ui.zip - tags: - - consul - - become: true - become_user: root - when: preexisting.stat.exists != true - -############################################################################### -################################ CONFIGURE 
#################################### -############################################################################### - -- block: - # - name: deploy tls files - # copy: - # src: "{{ item.src }}" - # dest: "{{ item.dest }}" - # with_items: - # - src: etc/consul/ssl/cacert.pem - # dest: /etc/consul/ssl/{{ consul_ca_file }} - # - src: etc/consul/ssl/certs/consul.cert.pem - # dest: /etc/consul/ssl/{{ consul_cert_file }} - # - src: etc/consul/ssl/private/consul.key.pem - # dest: /etc/consul/ssl/{{ consul_key_file }} - # when: consul_do_ssl - # notify: - # - restart consul - # tags: - # - consul - - - name: install consul scripts - copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - mode: u=rwx,g=rx,o=rx - with_items: - - src: consul-wait-for-leader.sh - dest: /usr/local/bin - - src: consul-destroy-install.sh - dest: /usr/local/bin - tags: - - consul - - - name: configure for systemd - copy: - src: consul.service - dest: "{{ systemd_dir }}/consul.service" - mode: 644 - notify: - - reload systemd - tags: - - consul - - - name: configure consul - template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - mode: u=rw,g=r,o=r - with_items: - - src: consul.json.j2 - dest: /etc/consul/consul.json - tags: - - consul - - - name: enable consul - service: - name: consul - enabled: yes - state: started - tags: - - consul - - become: yes - become_user: root - -- pause: - seconds: 3 - -- name: join cluster of consul-dcs - command: "/usr/local/bin/consul join {{ groups['consul'] | random }}" - run_once: yes - tags: - - consul - -- name: wait for leader - command: /usr/local/bin/consul-wait-for-leader.sh - register: leader_status - tags: - - consul +- include: install.yml +- include: configure.yml diff --git a/roles/consul/tasks/restart.yml b/roles/consul/tasks/restart.yml new file mode 100644 index 0000000..29ed2e0 --- /dev/null +++ b/roles/consul/tasks/restart.yml 
@@ -0,0 +1,15 @@ +--- +#- name: stop vault +# become: yes +# become_user: root +# service: +# name: vault +# state: stopped +# +- name: reload consul + become: yes + become_user: root + service: + name: consul + enabled: yes + state: reloaded \ No newline at end of file diff --git a/roles/consul/templates/consul.json.j2 b/roles/consul/templates/consul.json.j2 index a81d58c..56c06f9 100644 --- a/roles/consul/templates/consul.json.j2 +++ b/roles/consul/templates/consul.json.j2 @@ -5,14 +5,14 @@ "node_name": "{{ ansible_hostname }}", "rejoin_after_leave": true, "domain": "{{ consul_dns_domain }}", + "client_addr": "0.0.0.0", "recursors" : [ "8.8.8.8" ], +{% if consul_ui_enabled %} + "ui": true, +{% endif %} {% if consul_bootstrap_expect > 1 %} "retry_join": [ {{ consul_retry_join }} ], {% endif %} -{% if consul_is_server %} - "server": true, - "bootstrap_expect": {{ consul_bootstrap_expect }}, -{% endif %} {% if consul_gossip_key is defined %} "encrypt": "{{ consul_gossip_key }}", {% endif %} @@ -23,7 +23,7 @@ "verify_incoming": true, "verify_outgoing": true, {% endif %} + "enable_syslog": true, "data_dir": "/var/lib/consul", - "ui_dir": "/usr/share/consul-ui", "disable_remote_exec": {{ consul_disable_remote_exec }} } diff --git a/roles/consul/templates/server.json.j2 b/roles/consul/templates/server.json.j2 new file mode 100644 index 0000000..815e976 --- /dev/null +++ b/roles/consul/templates/server.json.j2 @@ -0,0 +1,4 @@ +{ + "server": true, + "bootstrap_expect": {{ consul_bootstrap_expect }} +} diff --git a/roles/dnsmasq/handlers/main.yml b/roles/dnsmasq/handlers/main.yml index 7126cc3..b7bec43 100644 --- a/roles/dnsmasq/handlers/main.yml +++ b/roles/dnsmasq/handlers/main.yml @@ -1,6 +1,11 @@ --- - name: restart networkmanager - command: systemctl restart NetworkManager + service: + name: NetworkManager + state: restarted + - name: restart dnsmasq - command: systemctl restart dnsmasq + service: + name: dnsmasq + state: restarted 
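Review bot: `"client_addr": "0.0.0.0"` is now baked into consul.json.j2 rather than passed as `-client` on the unit's ExecStart, so there is no longer a per-host way to keep the HTTP/DNS API on loopback, and with `consul_do_acl: no` and remote exec enabled in the defaults the API is open to anything on the network. Make it a variable, e.g. `"client_addr": "{{ consul_client_addr | default('127.0.0.1') }}"`, and set `0.0.0.0` only where a consumer such as the dnsmasq role actually needs it. Moving `server`/`bootstrap_expect` into server.json.j2 is fine, but nothing removes a stale `/etc/consul/server.json` when a host is later taken out of the consul group, so a `file: state: absent` task guarded by `when: not consul_is_server` in configure.yml would keep the rendered config consistent.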
diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml index 55df3f6..5578ce4 100644 --- a/roles/dnsmasq/tasks/main.yml +++ b/roles/dnsmasq/tasks/main.yml @@ -85,6 +85,7 @@ - dnsmasq - name: update hosts file + become: yes template: src: etc/hosts.j2 dest: /etc/hosts diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml new file mode 100644 index 0000000..19d5fdb --- /dev/null +++ b/roles/docker/defaults/main.yml @@ -0,0 +1,2 @@ +--- +docker_user: pi diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml new file mode 100644 index 0000000..56386d6 --- /dev/null +++ b/roles/docker/tasks/main.yml @@ -0,0 +1,36 @@ +--- +- block: + - name: install docker + apt_key: + keyserver: hkp://p80.pool.sks-keyservers.net:80 + id: 58118E89F3A912897C070ADBF76221572C52609D + + - name: add deb repo + apt_repository: + repo: "deb https://apt.dockerproject.org/repo raspbian-jessie main" + filename: docker.list + state: present + when: ansible_architecture == 'armv7l' + + - name: add deb repo + apt_repository: + repo: "deb https://apt.dockerproject.org/repo debian-jessie main" + filename: docker.list + state: present + when: ansible_architecture == 'amd64' or ansible_architecture == 'x86_64' + + - name: apt update + apt: + update_cache: yes + - apt: + name: docker-engine + state: present + - name: add user mod + user: + name: "{{docker_user}}" + append: yes + groups: docker + become: yes + when: ansible_distribution == 'Debian' + tags: + docker diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml index 6df3e5f..96ce217 100644 --- a/roles/nomad/defaults/main.yml +++ b/roles/nomad/defaults/main.yml 
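Review bot: The first task in roles/docker/tasks/main.yml is named `install docker` but only imports the signing key, while the task that actually installs `docker-engine` has no name and both repository tasks are named `add deb repo`; give each a distinct name so `--list-tasks` and the log are readable. The key is fetched over plain HKP (`hkp://...:80`); `apt_key` checks the fetched key against the full fingerprint in `id`, which is what makes that acceptable, so a comment saying so would stop the next reader from "fixing" it. `apt.dockerproject.org` and the sks-keyservers pool are, as far as I know, legacy channels that may no longer be served, so confirming a current repository source is worth doing before this role is relied on.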
@@ -1,9 +1,24 @@ --- -nomad_version: "0.5.0" -nomad_checksum: "sha256:c85d3ddac0dbb9ed594eabada29daa2bf26619d24f304587c9d7e775c99ad6f6" -nomad_install_path: /usr/local/consul +nomad_version: "{{ lookup('env','NOMAD_VERSION') | default('0.5.6', true) }}" +nomad_architecture_map: + # this first entry seems... redundant + #(but it's required for reasons) + amd64: amd64 + x86_64: amd64 + armv7l: arm + aarch64: arm64 +nomad_architecture: "{{ nomad_architecture_map[ansible_architecture] }}" +nomad_os: "{{ ansible_system|lower }}" +nomad_pkg: "nomad_{{ nomad_version }}_{{ nomad_os }}_{{ nomad_architecture }}.zip" +nomad_zip_url: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_{{ nomad_os }}_{{ nomad_architecture }}.zip" +nomad_checksum_file_url: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version}}_SHA256SUMS" +nomad_install_path: /usr/local/bin +nomad_owner: root +nomad_group: root nomad_dc: dc1 nomad_is_server: no nomad_leader_group: baron nomad_bootstrap_expect: "{{ groups[nomad_leader_group] | length }}" nomad_retry_join: ' [{% for host in groups[nomad_leader_group] %}"{{ host }}"{% if not loop.last %}, {% endif %}{% endfor %}]' + +nomad_enable_syslog: yes diff --git a/roles/nomad/tasks/main.yml b/roles/nomad/tasks/main.yml index a0569fe..46c7d13 100644 --- a/roles/nomad/tasks/main.yml +++ b/roles/nomad/tasks/main.yml 
@@ -2,63 +2,65 @@ ############################################################################### ################################# INSTALL ##################################### ############################################################################### -- stat: - path: "{{ nomad_install_path }}/{{ nomad_version }}/" - register: preexisting +- name: Read package checksum file + local_action: stat path="{{ role_path }}/files/nomad_{{ nomad_version }}_SHA256SUMS" + become: no + run_once: true + register: nomad_checksum tags: + - installation - nomad -- block: - - - name: download nomad - get_url: - url: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_arm.zip" - dest: /tmp/nomad.zip - mode: 0777 - checksum: "{{ nomad_checksum }}" - tags: - - nomad - - - name: create the install paths - file: - path: "{{ item }}" - state: directory - mode: 0755 - with_items: - - "{{ nomad_install_path }}/{{ nomad_version }}" - - /var/lib/nomad - - /etc/nomad - tags: - - nomad +- name: Download package checksum file + local_action: get_url url="{{ nomad_checksum_file_url }}" dest="{{ role_path }}/files/nomad_{{ nomad_version }}_SHA256SUMS" + become: no + run_once: true + tags: + - installation + - nomad + when: not nomad_checksum.stat.exists | bool - - name: decompress archive - command: "unzip /tmp/nomad.zip -d {{ nomad_install_path }}/{{ nomad_version }}/" - tags: - - nomad +- name: Read package checksum + local_action: shell grep "{{ nomad_pkg }}" "{{ role_path }}/files/nomad_{{ nomad_version }}_SHA256SUMS" | awk '{print $1}' + become: no + run_once: true + register: nomad_sha256 + tags: + - installation + - nomad - - name: link the versioned nomad to the local bin - file: - src: "{{ nomad_install_path }}/{{ nomad_version }}/nomad" - dest: /usr/local/bin/nomad - owner: root - group: root - state: link - tags: - - nomad +- name: Check Nomad package file + local_action: stat path="{{ role_path }}/files/{{ nomad_pkg }}" + become: no + 
run_once: true + register: nomad_package + tags: + - installation + - nomad - - name: remove the temp archives - file: - path: "{{ item }}" - state: absent - with_items: - - /tmp/nomad.zip - tags: - - nomad +- name: Download Nomad package + local_action: get_url url="{{ nomad_zip_url }}" dest="{{ role_path }}/files/{{ nomad_pkg }}" checksum="sha256:{{ nomad_sha256.stdout }}" timeout="42" + become: no + run_once: true + tags: + - installation + - nomad + when: not nomad_package.stat.exists | bool - become: true - become_user: root - when: preexisting.stat.exists != true +- name: Unarchive Nomad package + unarchive: + src: "{{ nomad_pkg }}" + dest: "{{ nomad_install_path }}" + owner: "{{ nomad_owner }}" + group: "{{ nomad_group }}" + become: yes + tags: + - installation + - nomad +####################################################### +############# CONFIG ############################### +####################################################### - block: - name: setup nomad server config template: @@ -80,11 +82,15 @@ copy: src: nomad.service dest: "{{ systemd_dir }}/nomad.service" - notify: - - reload systemd tags: - nomad - + - name: reload systemd + systemd: + daemon_reload: yes + name: nomad.service + state: restarted + tags: + - nomad - name: enable nomad service: name: nomad diff --git a/roles/nomad/templates/client.conf.j2 b/roles/nomad/templates/client.conf.j2 index 11f7a48..c888d21 100644 --- a/roles/nomad/templates/client.conf.j2 +++ b/roles/nomad/templates/client.conf.j2 @@ -5,6 +5,9 @@ datacenter = "{{ nomad_dc }}" name = "{{ ansible_hostname }}.node" log_level = "DEBUG" enable_debug = true +{% if nomad_enable_syslog %} +enable_syslog = true +{% endif %} advertise { # We need to specify our host's IP because we can't diff --git a/roles/nomad/templates/server.conf.j2 b/roles/nomad/templates/server.conf.j2 index 8d434b1..09188e4 100644 --- a/roles/nomad/templates/server.conf.j2 +++ b/roles/nomad/templates/server.conf.j2 
@@ -5,6 +5,9 @@ datacenter = "{{ nomad_dc }}" name = "{{ ansible_hostname }}.node" log_level = "DEBUG" enable_debug = true +{% if nomad_enable_syslog %} +enable_syslog = true +{% endif %} advertise { # We need to specify our host's IP because we can't diff --git a/roles/shell/files/bash_aliases b/roles/shell/files/bash_aliases index afef9cf..a4ae34d 100644 --- a/roles/shell/files/bash_aliases +++ b/roles/shell/files/bash_aliases @@ -1,3 +1,4 @@ # add convenience aliases here -alias ll="ls -lahG" +alias ll="ls -lahG --color=auto" +alias la="ls -a --color=auto" diff --git a/roles/ssh-key/tasks/main.yml b/roles/ssh-key/tasks/main.yml new file mode 100644 index 0000000..b175b06 --- /dev/null +++ b/roles/ssh-key/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- name: Set authorized key took from file + vars: + local_home: "{{ lookup('env','HOME') }}" + authorized_key: + user: pi + state: present + key: "{{ lookup('file', '{{local_home}}/.ssh/id_rsa.pub') }}" diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml deleted file mode 100644 index 71af05b..0000000 --- a/roles/users/tasks/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: install publish ssh keys - authorized_key: user=pi key={{ item }} - with_items: - - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYI/SFJRu4Rg+2GABMnMaEmH+JvymSmXmd9DQ1mYwvQ9NWbmbGsBRrHKAIgiwen2Cv6UWGVjCbC3nclwgmVp+2BOSmhxyTvW2kypjcwJITH1KlywuQoPlvq3hYDa6efVofp0pFhjELWAiAqiJM4O5hh5YEPDOfCo/KeSvBeMBdXV0QN7mly0pFpIp3ZOMT6jFsRA0Aj7EAajpFMgXamgQqMnyxgWHihEqXGAbVyk0sbYENTQNYSgWph7SXB4L0i3hAKOB+rruwSXr+j9rcYbjI+Bedh1TI7qZK4x8gLXqMBjWOtj1l9NMT9S2Ldgiu0Hzyf8HiGs9CgMI3cXn3fx8R timothy" diff --git a/roles/utils/tasks/main.yml b/roles/utils/tasks/main.yml index bb0465f..8d7c2e2 100644 --- a/roles/utils/tasks/main.yml +++ b/roles/utils/tasks/main.yml @@ -7,12 +7,9 @@ tags: - utils -- apt: - name: htop +- name: Install tools + apt: + name: htop,dnsutils,telnet,vim update_cache: yes - with_items: - - htop - - dnsutils - - telnet tags: - utils 
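Review bot: `lookup('file', '{{local_home}}/.ssh/id_rsa.pub')` in roles/ssh-key/tasks/main.yml nests template delimiters inside a Jinja expression; Ansible may still expand them when templating lookup terms, but the robust form is `key: "{{ lookup('file', local_home ~ '/.ssh/id_rsa.pub') }}"`. The task name `Set authorized key took from file` should read `taken from file`, and `user: pi` is hard-coded here while roles/docker/defaults parameterises the same account as `docker_user`, so an `ssh_key_user` default would keep the two roles in step. Reading the controller's default `id_rsa.pub` also silently installs whatever key the operator happens to have; an `ssh_public_key_path` variable makes the choice explicit and reviewable.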
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml index e7627b1..e5daaca 100644 --- a/roles/vault/defaults/main.yml +++ b/roles/vault/defaults/main.yml @@ -1,5 +1,19 @@ --- -vault_version: "0.6.2" -vault_checksum: "sha256:efc36dcb2044cf4c80af9e71abd9fb4716db8944e7d102f913d17f922a527189" -vault_install_path: /usr/local/vault/ +vault_version: "{{ lookup('env','VAULT_VERSION') | default('0.7.3', true) }}" +vault_architecture_map: + # this first entry seems... redundant + #(but it's required for reasons) + amd64: amd64 + x86_64: amd64 + armv7l: arm + aarch64: arm64 +vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}" +vault_os: "{{ ansible_system|lower }}" +vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip" +vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip" +vault_checksum_file_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS" +vault_install_path: /usr/local/bin vault_datacenter: dc1 + +vault_owner: root +vault_group: root \ No newline at end of file diff --git a/roles/vault/tasks/config.yml b/roles/vault/tasks/config.yml new file mode 100644 index 0000000..ff385da --- /dev/null +++ b/roles/vault/tasks/config.yml 
@@ -0,0 +1,46 @@ +############################################################################### +################################ CONFIGURE #################################### +############################################################################### + +- block: + - name: configure vault for systemd + copy: + src: vault.service + dest: "{{ systemd_dir }}/vault.service" + mode: 644 + tags: + - vault + - name: reload systemd + systemd: + daemon_reload: yes + name: vault.service + state: restarted + tags: + - vault + - name: configure vault + template: + src: vault.config + dest: /etc/vault.config + mode: 600 + notify: restart vault + tags: + - vault + +# - name: register vault with consul +# template: +# src: vault-consul.json.j2 +# dest: /etc/consul/vault-consul.json +# mode: 0644 +# tags: +# - vault + + - name: enable vault + service: + name: vault + enabled: yes + state: started + tags: + - vault + + become: yes + become_user: root diff --git a/roles/vault/tasks/install.yml b/roles/vault/tasks/install.yml new file mode 100644 index 0000000..e7317c3 --- /dev/null +++ b/roles/vault/tasks/install.yml 
@@ -0,0 +1,58 @@ +############################################################################### +################################# INSTALL ##################################### +############################################################################### +- name: Read package checksum file + local_action: stat path="{{ role_path }}/files/vault_{{ vault_version }}_SHA256SUMS" + become: no + run_once: true + register: vault_checksum + tags: + - installation + - vault + +- name: Download package checksum file + local_action: get_url url="{{ vault_checksum_file_url }}" dest="{{ role_path }}/files/vault_{{ vault_version }}_SHA256SUMS" validate_certs=no + become: no + run_once: true + tags: + - installation + - vault + when: not vault_checksum.stat.exists | bool + +- name: Read package checksum + local_action: shell grep "{{ vault_pkg }}" "{{ role_path }}/files/vault_{{ vault_version }}_SHA256SUMS" | awk '{print $1}' + become: no + run_once: true + register: vault_sha256 + tags: + - installation + - vault + +- name: Check Vault package file + local_action: stat path="{{ role_path }}/files/{{ vault_pkg }}" + become: no + run_once: true + register: vault_package + tags: + - installation + - vault + +- name: Download Vault package + local_action: get_url url="{{ vault_zip_url }}" dest="{{ role_path }}/files/{{ vault_pkg }}" checksum="sha256:{{ vault_sha256.stdout }}" timeout="42" validate_certs=no + become: no + run_once: true + tags: + - installation + - vault + when: not vault_package.stat.exists | bool + +- name: Unarchive Vault package + unarchive: + src: "{{ vault_pkg }}" + dest: "{{ vault_install_path }}" + owner: "{{ vault_owner }}" + group: "{{ vault_group }}" + become: yes + tags: + - installation + - vault diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml index 6202771..8570db6 100644 --- a/roles/vault/tasks/main.yml +++ b/roles/vault/tasks/main.yml 
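Review bot: Both `get_url` calls in vault/tasks/install.yml pass `validate_certs=no`, which disables TLS verification for the SHA256SUMS file and for the package alike, so the `checksum="sha256:{{ vault_sha256.stdout }}"` check compares a download against a checksum obtained over the same unverified channel and guarantees nothing. The consul and nomad equivalents in this commit do not set it, so the flag looks like a workaround for a certificate problem on the controller; fix the CA bundle there and remove `validate_certs=no` from both lines. If it genuinely has to stay, the checksum should come from a file committed to the repository (or verified against the publisher's signature) instead.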
@@ -1,99 +1,3 @@ --- -############################################################################### -################################# INSTALL ##################################### -############################################################################### - -- stat: - path: "{{ vault_install_path }}/{{ vault_version }}" - register: preexisting - tags: - - vault - -# - debug: var=preexisting - -- block: - - - name: download vault - get_url: - url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_arm.zip" - dest: /tmp/vault.zip - mode: 0777 - checksum: "{{ vault_checksum }}" - tags: - - vault - - - name: create the install path - file: - path: "{{ vault_install_path }}/{{ vault_version }}/" - state: directory - mode: 0755 - tags: - - vault - - - name: decompress archive - command: "unzip /tmp/vault.zip -d {{ vault_install_path }}/{{ vault_version }}/" - tags: - - vault - - - name: remove the tempoary install archive - file: - path: /tmp/vault.zip - state: absent - tags: - - vault - - - name: link the versioned binary to the local bin - file: - src: "{{ vault_install_path }}/{{ vault_version }}/vault" - dest: /usr/local/bin/vault - owner: root - group: root - state: link - tags: - - vault - - become: true - become_user: root - when: preexisting.stat.exists != true - -############################################################################### -################################ CONFIGURE #################################### -############################################################################### - -- block: - - name: configure vault for systemd - copy: - src: vault.service - dest: "{{ systemd_dir }}/vault.service" - mode: 644 - notify: reload systemd - tags: - - vault - - - name: configure vault - copy: - src: vault.config - dest: /etc/vault.config - mode: 600 - notify: restart vault - tags: - - vault - - - name: register vault with consul - template: - src: vault-consul.json.j2 - dest: 
/etc/consul/vault-consul.json - mode: 0644 - tags: - - vault - - - name: enable vault - service: - name: vault - enabled: yes - state: started - tags: - - vault - - become: yes - become_user: root +- include: install.yml +- include: config.yml diff --git a/roles/vault/files/vault.config b/roles/vault/templates/vault.config similarity index 100% rename from roles/vault/files/vault.config rename to roles/vault/templates/vault.config diff --git a/site.yml b/site.yml index 11e66db..1d17bb8 100755 --- a/site.yml +++ b/site.yml @@ -1,4 +1,4 @@ -#!/usr/bin/env ansible-playbook -i inventory.ini --skip-tags=consul-servers,bootstrap,vault +#!/usr/bin/env ansible-playbook -i inventory.ini --skip-tags=bootstrap,vault --- - hosts: bramble gather_facts: true @@ -7,7 +7,9 @@ become_user: root roles: - utils - - { role: dnsmasq, consul_dns_domain: bramble.local } + - shell + - ssh-key + - { role: dnsmasq, consul_dns_domain: bramble.local, consul_dc: alpha } tags: - bramble - bootstrap @@ -17,7 +19,7 @@ gather_facts: true remote_user: pi roles: - - { role: consul, consul_is_server: yes } + - { role: consul, consul_is_server: yes, consul_dc: alpha, consul_bootstrap_expect: "{{ groups['consul'] | length }}", consul_ui_enabled: yes } tags: - consul - consul-servers @@ -43,7 +45,8 @@ gather_facts: true remote_user: pi roles: - - consul + - { role: docker } + - { role: consul, consul_dc: alpha } - { role: nomad, nomad_dc: alpha } tags: - followers
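Review bot: `consul_bootstrap_expect: "{{ groups['consul'] | length }}"` in the consul-servers play of site.yml is passed as a templated string, while the default is the integer `3` and consul.json.j2 compares it with `> 1`; Ansible usually converts a purely numeric template result back to an int, but if that conversion is off the comparison fails, so `{{ groups['consul'] | length | int }}` removes the doubt. `consul_dc: alpha` is now repeated on three role entries to override the new `dc1` default; a single `consul_dc` in group_vars (or keeping the default at `alpha`) avoids the plays drifting apart. The one-line role mapping is also well past any sensible line length and reads better as a block-style entry.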