Added Cloudflare DNS, HAProxy LB
parent
41f67af217
commit
2646d735f7
|
@ -0,0 +1,10 @@
|
|||
# Playbook Application Install
|
||||
---
|
||||
- name: Haproxy Control LB
|
||||
hosts:
|
||||
- control_lb_nodes
|
||||
roles:
|
||||
- role: haproxy_control_lb
|
||||
tags:
|
||||
- haproxy
|
||||
- haproxy_control_lb
|
|
@ -1,6 +1,5 @@
|
|||
---
|
||||
# Playbook Services Install
|
||||
|
||||
---
|
||||
- name: Install services on K8S
|
||||
become: false
|
||||
gather_facts: false
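Review bot: Two document-start markers are visible in this hunk (`---` at L44 and again at L52 after the `# Playbook Services Install` comment); which of them survives on the new side cannot be read from the rendered page, but if both do, the file becomes a two-document stream whose first document is empty, and Ansible's YAML loader expects a single document per playbook file. The other playbooks in this commit put the comment before a single `---` (L11–L14, L67–L70), so the intended new side is probably `# Playbook Services Install` followed by one `---`. Worth confirming by running the playbook once after the change.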
|
|
@ -0,0 +1,28 @@
|
|||
# Playbook OS Install
|
||||
---
|
||||
- name: Cloudflare DNS
|
||||
become: false
|
||||
gather_facts: false
|
||||
hosts:
|
||||
- debian
|
||||
roles:
|
||||
- role: cloudflare_dns
|
||||
tags:
|
||||
- cloudflare_dns
|
||||
- dns
|
||||
|
||||
- name: Debian
|
||||
hosts:
|
||||
- debian
|
||||
roles:
|
||||
- role: debian
|
||||
tags:
|
||||
- debian
|
||||
|
||||
- name: Ubuntu
|
||||
hosts:
|
||||
- ubuntu
|
||||
roles:
|
||||
- role: ubuntu
|
||||
tags:
|
||||
- ubuntu
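Review bot: The `Cloudflare DNS` play (L73–L100) targets only `hosts: [debian]`, while the `Ubuntu` play further down (L128–L146) shows that `ubuntu` hosts are also managed by this playbook, so those hosts never get an A record from the `cloudflare_dns` role. If that asymmetry is intended, a one-line comment above the play saying so would save the next reader a search; otherwise the fix is to list both groups under `hosts:` (`- debian` / `- ubuntu`). The role's own `when:` on `inventory_hostname` (L273) would still filter out hosts outside the zone.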
|
17
playbook.yml
17
playbook.yml
|
@ -4,7 +4,20 @@
|
|||
tags:
|
||||
- talos
|
||||
|
||||
- name: Include playbook services
|
||||
ansible.builtin.import_playbook: services.yml
|
||||
- name: Include playbook k8s_services
|
||||
ansible.builtin.import_playbook: k8s_services.yml
|
||||
tags:
|
||||
- k8s_services
|
||||
- services
|
||||
|
||||
- name: Include playbook os
|
||||
ansible.builtin.import_playbook: os.yml
|
||||
tags:
|
||||
- os
|
||||
- loadbalancer
|
||||
|
||||
- name: Include playbook applications
|
||||
ansible.builtin.import_playbook: applications.yml
|
||||
tags:
|
||||
- applications
|
||||
- loadbalancer
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
#!/usr/bin/env -S python3 -m pip install --upgrade --requirement
|
||||
ansible
|
||||
ansible-lint
|
||||
dnspython
|
||||
netaddr
|
||||
kubernetes
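Review bot: None of the five requirements in this file is version-pinned, and the shebang on L225 runs `pip install --upgrade`, so every invocation pulls whatever is newest on the index at that moment, which makes the controller environment non-reproducible and lets an unexpected release (or a compromised one) into the toolchain without review. Pin each package with `==` (e.g. `ansible==<PINNED_VERSION>`, a placeholder to be filled from the tested environment) and consider `--require-hashes` with per-package hashes so the resolver cannot substitute a different artifact. A comment stating how the pins are refreshed (`pip-compile` or a manual bump) would complete the file.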
|
|
@ -0,0 +1,5 @@
|
|||
#!/usr/bin/env -S ansible-galaxy install --force --role-file
|
||||
---
|
||||
collections:
|
||||
- name: community.crypto
|
||||
- name: community.general
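Review bot: The collection list here omits `ansible.utils`, which the new-side Talos machine-config template uses (`ansible.utils.ipaddr` on L2229), so a controller bootstrapped only from this file fails to render that template unless the `ansible` community package from requirements.txt is relied on to ship the collection implicitly — in which case the two requirement files overlap and `ansible-galaxy install --force` (L246) will overwrite the bundled copies. Add `- name: ansible.utils` next to the other two, and give each entry a `version:` (`version: "<PINNED_VERSION>"`, placeholder) so galaxy installs are reproducible in the same way pip pins would be.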
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
- name: Create an A record at Cloudflare
|
||||
delegate_to: localhost
|
||||
when: inventory_hostname is match('.*\.k8s\.snel\.com')
|
||||
community.general.cloudflare_dns:
|
||||
zone: snel.com
|
||||
record: "{{ inventory_hostname | regex_replace('\\.snel\\.com$', '') }}"
|
||||
type: A
|
||||
value: "{{ ansible_host }}"
|
||||
api_token: "{{ cloudflare_token }}"
|
||||
register: record
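Review bot: The `when:` on L273 uses the `match` test, which anchors only at the start of the string, and the pattern `.*\.k8s\.snel\.com` has no trailing `$`, so any inventory hostname that merely starts with a name in the zone (for example one with an extra suffix) would also get a record; write `when: inventory_hostname is match('.*\.k8s\.snel\.com$')`. Separately, the task sets no `solo:`, so if `ansible_host` ever changes for a node the module's default behaviour is to add a second A record next to the stale one rather than replace it; `solo: true` under `community.general.cloudflare_dns:` keeps exactly one record per name/type. The registered `record` result is not used in this hunk; if it is not consumed elsewhere, drop the `register:`.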
|
|
@ -1,2 +1,6 @@
|
|||
---
|
||||
- name: Import Talos handlers
|
||||
ansible.builtin.import_tasks: handlers/talos.yml
|
||||
|
||||
- name: Import Restart handlers
|
||||
ansible.builtin.import_tasks: handlers/restart.yml
|
||||
|
|
|
@ -0,0 +1,66 @@
|
|||
---
|
||||
- name: Restart Systemd-Journald
|
||||
ansible.builtin.systemd:
|
||||
name: systemd-journald.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart Apache2
|
||||
ansible.builtin.systemd:
|
||||
name: apache2.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart MySQL
|
||||
ansible.builtin.systemd:
|
||||
name: mysql.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart Containerd
|
||||
ansible.builtin.systemd:
|
||||
name: containerd.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart SSH
|
||||
ansible.builtin.systemd:
|
||||
name: ssh.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart Postfix
|
||||
ansible.builtin.systemd:
|
||||
name: postfix.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart haproxy
|
||||
ansible.builtin.systemd:
|
||||
name: haproxy.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart PHP-FPM
|
||||
ansible.builtin.systemd:
|
||||
name: php{{ php_version }}-fpm.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart New Relic Infra
|
||||
ansible.builtin.systemd:
|
||||
name: newrelic-infra.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart networking
|
||||
ansible.builtin.systemd:
|
||||
name: networking.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart systemd-networkd
|
||||
ansible.builtin.systemd:
|
||||
name: systemd-networkd.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
|
@ -66,4 +66,4 @@
|
|||
|
||||
- name: Set fact with server info from DCI Manager
|
||||
ansible.builtin.set_fact:
|
||||
dci_server_info: "{{ _dci_server.content | from_json | community.general.json_query('list[?@.ip[?@.name==`' ~ ansible_remote ~ '`]]') | first }}"
|
||||
dci_server_info: "{{ _dci_server.content | from_json | community.general.json_query('list[?@.ip[?@.name==`' ~ ansible_host ~ '`]]') | first }}"
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
ansible.builtin.wait_for:
|
||||
delay: 10
|
||||
state: stopped
|
||||
host: "{{ ansible_remote }}"
|
||||
host: "{{ ansible_host }}"
|
||||
port: 50000
|
||||
timeout: 300
|
||||
|
||||
|
@ -39,6 +39,6 @@
|
|||
become: false
|
||||
ansible.builtin.wait_for:
|
||||
delay: 10
|
||||
host: "{{ ansible_remote }}"
|
||||
host: "{{ ansible_host }}"
|
||||
port: 50000
|
||||
timeout: 1200
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
have_mail: true
|
||||
have_firewall: true
|
||||
timezone: Europe/Brussels
|
|
@ -0,0 +1,10 @@
|
|||
root soft nofile 1024000
|
||||
root hard nofile 1024000
|
||||
root soft core 0
|
||||
root hard core 0
|
||||
* soft nofile 1024000
|
||||
* hard nofile 1024000
|
||||
* soft core 0
|
||||
* hard core 0
|
||||
mysql soft memlock unlimited
|
||||
mysql hard memlock unlimited
|
|
@ -0,0 +1,4 @@
|
|||
[Journal]
|
||||
Storage=persistent
|
||||
SystemMaxFiles=10000
|
||||
RuntimeMaxFiles=10000
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
IFS=$'\n'
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get --assume-yes -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' "$@"
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
dependencies:
|
||||
- role: common
|
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
- name: "Create Ansible remote_tmp ~/.ansible/tmp"
|
||||
ansible.builtin.file:
|
||||
path: ~/.ansible/tmp
|
||||
state: directory
|
||||
mode: u=rwx,go=
|
||||
|
||||
- name: Stop & Disable unwanted services
|
||||
ansible.builtin.include_tasks: shared/tasks/disable_service.yml
|
||||
loop:
|
||||
- motd-news
|
||||
loop_control:
|
||||
loop_var: __disable_service_name
|
||||
|
||||
- name: Kill unattended-upgrades
|
||||
ansible.builtin.command:
|
||||
cmd: pkill -f unattended-upgrade
|
||||
register: _pkill_unattended_upgrade
|
||||
failed_when: _pkill_unattended_upgrade.rc not in [0, 1]
|
||||
changed_when: false
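Review bot: The loop item `- motd-news` on L710 has no unit suffix, but `shared/tasks/disable_service.yml` states on L2629 that `__disable_service_name` must carry `.service` or `.timer` and matches it with `\s<name>\s` against `systemctl list-units` output (L2679), where units are printed with their suffix, so this call never matches and silently disables nothing; the `bloatware.yml` section at L813 spells it `motd-news.service`, which is the form to use here (and on Ubuntu the unit in question is usually the `.timer`). The `pkill -f unattended-upgrade` task (L727) matches the pattern against whole command lines, so it can hit unrelated processes, and terminating an upgrade mid-dpkg can leave the package database needing repair; stopping the unit and then relying on the existing `wait_apt.yml` include is the gentler sequence. This task file does not appear among the imports in the Debian `main.yml` section (L1101–L1272), so unless it is included from a file outside this page it is currently dead.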
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: Check if APT cache exists
|
||||
ansible.builtin.find:
|
||||
paths: /var/lib/apt/lists/
|
||||
patterns: "*_{{ ansible_distribution_release }}_InRelease"
|
||||
register: _pkgcache
|
||||
|
||||
- name: Update repositories cache
|
||||
when: _pkgcache.matched == 0
|
||||
ansible.builtin.apt:
|
||||
update_cache: true
|
||||
|
||||
- name: Wait for APT Lock
|
||||
ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
|
||||
|
||||
- name: Install APT Transport HTTPS
|
||||
ansible.builtin.apt:
|
||||
name: apt-transport-https
|
||||
state: present
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
|
||||
- name: Stop & Disable unwanted services
|
||||
ansible.builtin.include_tasks: shared/tasks/disable_service.yml
|
||||
loop:
|
||||
- motd-news.service
|
||||
loop_control:
|
||||
loop_var: __disable_service_name
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- name: Set timezone
|
||||
community.general.timezone:
|
||||
name: "{{ timezone }}"
|
|
@ -0,0 +1,32 @@
|
|||
---
|
||||
- name: Wait for APT Lock
|
||||
ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
|
||||
|
||||
- name: Install packages required for Firewall
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- ufw
|
||||
install_recommends: false
|
||||
|
||||
- name: Get IP of Ansible controller
|
||||
ansible.builtin.set_fact:
|
||||
_ssh_client_ip: "{{ ansible_env.SSH_CLIENT.split(' ')[0] }}"
|
||||
|
||||
- name: Allow access to tcp port 22
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
name: OpenSSH
|
||||
src: "{{ item }}"
|
||||
loop: "{{ ip_whitelist + [_ssh_client_ip] }}"
|
||||
|
||||
- name: Delete default SSH rule
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: "22"
|
||||
proto: tcp
|
||||
delete: true
|
||||
|
||||
- name: Enable UFW, deny by default
|
||||
community.general.ufw:
|
||||
state: enabled
|
||||
default: deny
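Review bot: The `Allow access to tcp port 22` task (L879–L894) appends the current controller address from `SSH_CLIENT` to the allow list on every run but nothing ever removes it, so after runs from different controllers (or from a NAT whose egress address changed) the host accumulates permanent SSH allow rules for addresses that were only ever transient. Tagging the rule with the module's `comment:` parameter (for example `comment: ansible-controller`) makes those entries identifiable so a later task can prune them, and a comment above the task should state that the controller IP is captured from the live session. The fact lookup on L874 assumes `ansible_env.SSH_CLIENT` is present, which holds for a direct root login but not necessarily after a privilege escalation that resets the environment — worth a `when: ansible_env.SSH_CLIENT is defined` guard or an explicit assert. `ip_whitelist` has no default in the `defaults` section at L585–L597, so a host without it fails the loop with an undefined-variable error.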
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: Create limits.conf
|
||||
ansible.builtin.copy:
|
||||
src: security/limits.conf
|
||||
dest: /etc/security/limits.conf
|
||||
mode: u=rw,go=r
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
- name: Add SSH config on ansible host
|
||||
delegate_to: localhost
|
||||
ansible.builtin.copy:
|
||||
dest: ~/.ssh/config.d/{{ inventory_hostname }}.conf
|
||||
content: |
|
||||
Host {{ inventory_hostname }} {{ inventory_hostname.split(".")[0] }}
|
||||
Hostname {{ ansible_ssh_hostname | default(inventory_hostname) }}
|
||||
Port 22
|
||||
User root
|
||||
ForwardAgent yes
|
||||
mode: u=rw,go=r
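Review bot: `ForwardAgent yes` on L985 is written into every generated host entry, which makes the controller's SSH agent available to root on each managed host for the whole of every session; unless a task on that host actually needs the agent, `ForwardAgent no` (or omitting the line) is the safer default, and the reason for enabling it should be stated in a comment if it stays. `ansible.builtin.copy` does not create missing parent directories, so the task fails on a controller where `~/.ssh/config.d` does not yet exist; a preceding `ansible.builtin.file` task with `state: directory` and `mode: u=rwx,go=` fixes that. Since the task is delegated to localhost from a play that may run with privilege escalation, confirm that `~` resolves to the intended controller user's home.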
|
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
- name: Wait for APT Lock
|
||||
ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
|
||||
|
||||
- name: Install packages required for Postfix
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- postfix
|
||||
- libsasl2-modules
|
||||
- mailutils
|
||||
install_recommends: false
|
||||
|
||||
- name: Postfix config
|
||||
ansible.builtin.template:
|
||||
src: postfix/main.cf.j2
|
||||
dest: /etc/postfix/main.cf
|
||||
mode: u=rw,g=r,o=
|
||||
notify: Restart Postfix
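Review bot: `mode: u=rw,g=r,o=` on L1040 removes world read from `/etc/postfix/main.cf` without setting a group, and unprivileged callers of the local `sendmail` command read `main.cf` directly, so local mail from non-root services is likely to fail with a permission error; the file is normally world-readable. The reason for tightening it is visible in the template section at L1593: `smtp_sasl_password_maps = static:{{ smtp_relay_user }}:{{ smtp_relay_password }}` embeds the relay credential in `main.cf` itself. The standard arrangement keeps `main.cf` readable and moves the secret into a separate root-only map, which also lets the task carry `no_log: true` so the password does not reach the Ansible output.
```yaml
- name: Postfix SASL credentials
  ansible.builtin.copy:
    dest: /etc/postfix/sasl_passwd
    content: "{{ smtp_relay_host }}:{{ smtp_relay_port }} {{ smtp_relay_user }}:{{ smtp_relay_password }}\n"
    mode: u=rw,go=
  no_log: true
  register: _sasl_passwd

- name: Build Postfix SASL map
  ansible.builtin.command:
    cmd: postmap /etc/postfix/sasl_passwd
  when: _sasl_passwd is changed
  notify: Restart Postfix

# … unchanged: "Postfix config" task, with mode changed to u=rw,go=r …
# … in postfix/main.cf.j2: smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd …
```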
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
- name: Wait for APT Lock
|
||||
ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
|
||||
|
||||
- name: Install packages required for Mail
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- ssmtp
|
||||
- mailutils
|
||||
install_recommends: false
|
||||
|
||||
- name: Ssmtp config
|
||||
ansible.builtin.template:
|
||||
src: ssmtp/ssmtp.conf.j2
|
||||
dest: /etc/ssmtp/ssmtp.conf
|
||||
mode: u=rw,g=r,o=
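Review bot: This `mail_ssmtp.yml` section is not referenced by the Debian `main.yml` section on this page, whose mail import (L1192–L1201) points at `mail_postfix.yml` only, so unless it is included from somewhere outside the commit it is dead code shipped with a credential-bearing template. If it is kept, the ssmtp.conf task on L1083–L1092 writes `AuthPass` (L1626 in the template) with `o=` but no `group:`, so the file ends up root-owned and root-group; the ssmtp binary normally runs with the `mail` group to read its configuration, which suggests `group: mail` is needed for non-root senders — confirm against the package's own permissions on a target host. A short comment at the top saying whether this file is an alternative to, or superseded by, the Postfix tasks would settle the question for the next reader.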
|
|
@ -0,0 +1,62 @@
|
|||
---
|
||||
- name: Import local-ssh tasks
|
||||
ansible.builtin.import_tasks:
|
||||
file: local-ssh.yml
|
||||
tags:
|
||||
- local
|
||||
- local-ssh
|
||||
- ssh
|
||||
|
||||
- name: Import Debian apt tasks
|
||||
ansible.builtin.import_tasks:
|
||||
file: apt.yml
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Import Debian bloatware tasks
|
||||
ansible.builtin.import_tasks:
|
||||
file: bloatware.yml
|
||||
tags:
|
||||
- bloatware
|
||||
|
||||
- name: Import ssh tasks
|
||||
ansible.builtin.import_tasks:
|
||||
file: ssh.yml
|
||||
tags:
|
||||
- ssh
|
||||
|
||||
- name: Import environment tasks
|
||||
ansible.builtin.import_tasks:
|
||||
file: environment.yml
|
||||
tags:
|
||||
- environment
|
||||
|
||||
- name: Import mail tasks
|
||||
when: have_mail
|
||||
ansible.builtin.import_tasks:
|
||||
file: mail_postfix.yml
|
||||
tags:
|
||||
- mail
|
||||
|
||||
- name: Import sysadmin-tools tasks
|
||||
ansible.builtin.import_tasks:
|
||||
file: sysadmin-tools.yml
|
||||
|
||||
- name: Import firewall tasks
|
||||
when: have_firewall
|
||||
ansible.builtin.import_tasks:
|
||||
file: firewall.yml
|
||||
tags:
|
||||
- firewall
|
||||
|
||||
- name: Import limits tasks
|
||||
ansible.builtin.import_tasks:
|
||||
file: limits.yml
|
||||
tags:
|
||||
- limits
|
||||
|
||||
- name: Import systemd tasks
|
||||
ansible.builtin.import_tasks:
|
||||
file: systemd.yml
|
||||
tags:
|
||||
- systemd
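Review bot: The `Import sysadmin-tools tasks` entry (L1212–L1218) is the only import in this file without a `tags:` list, so a run restricted with `--tags` skips it while every sibling can be selected individually; adding `tags: [sysadmin-tools]` keeps the file consistent. The `ssh` tag is attached to both the `local-ssh` import (L1119) and the `ssh` import (L1170), which is fine if deliberate but deserves a comment, since `--tags ssh` then also rewrites the controller's SSH config.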
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
- name: Configure SSH UseDNS=no
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: "^#?UseDNS "
|
||||
line: UseDNS no
|
||||
notify: Restart SSH
|
||||
|
||||
- name: Configure SSH GSSAPIAuthentication=no
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: "^#?GSSAPIAuthentication "
|
||||
line: GSSAPIAuthentication no
|
||||
notify: Restart SSH
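Review bot: Both `lineinfile` tasks edit `/etc/ssh/sshd_config` and notify `Restart SSH` without a `validate:`, so a typo in a future edit would take sshd down on the restart and lock the controller out; add `validate: /usr/sbin/sshd -t -f %s` to each task so the daemon checks the candidate file before it is written. When the regexp does not match, `lineinfile` appends at the end of the file, and sshd uses the first value it sees for a keyword, so on distributions whose `sshd_config` begins with an `Include` of a drop-in directory a conflicting drop-in would win over the appended line — worth a comment, or writing these settings to a drop-in of their own.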
|
|
@ -0,0 +1,73 @@
|
|||
---
|
||||
- name: Wait for APT Lock
|
||||
ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
|
||||
|
||||
- name: Install system administrator tools
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- bash
|
||||
- mlocate
|
||||
- joe
|
||||
- nano
|
||||
- sudo
|
||||
- telnet
|
||||
- ncdu
|
||||
- screen
|
||||
- git
|
||||
- curl
|
||||
- python3-pip
|
||||
- apt-dater-host
|
||||
- net-tools
|
||||
install_recommends: false
|
||||
|
||||
- name: Stat mlocate
|
||||
ansible.builtin.stat:
|
||||
path: /var/lib/mlocate/mlocate.db
|
||||
register: _mlocate
|
||||
|
||||
- name: Stat plocate
|
||||
ansible.builtin.stat:
|
||||
path: /var/lib/plocate/plocate.db
|
||||
register: _plocate
|
||||
|
||||
- name: Run updatedb
|
||||
when: not _mlocate.stat.exists and not _plocate.stat.exists
|
||||
ansible.builtin.command:
|
||||
cmd: updatedb
|
||||
changed_when: true
|
||||
|
||||
- name: Profile.d
|
||||
ansible.builtin.template:
|
||||
src: profile.d/100-ansible.sh.j2
|
||||
dest: /etc/profile.d/100-ansible.sh
|
||||
mode: u=rwx,go=rx
|
||||
|
||||
- name: Profile.d
|
||||
ansible.builtin.template:
|
||||
src: profile.d/100-ansible.sh.j2
|
||||
dest: /etc/profile.d/100-ansible.sh
|
||||
mode: u=rwx,go=rx
|
||||
|
||||
- name: Disable wordwrap in the Joe editor
|
||||
ansible.builtin.replace:
|
||||
path: /etc/joe/ftyperc
|
||||
regexp: '^(-wordwrap)$'
|
||||
replace: ' \1'
|
||||
|
||||
- name: Directory /usr/local/bin
|
||||
ansible.builtin.file:
|
||||
path: /usr/local/bin
|
||||
state: directory
|
||||
mode: u=rwX,go=rX
|
||||
|
||||
- name: Create apt-get-noninteractive script
|
||||
ansible.builtin.copy:
|
||||
src: usr/local/bin/apt-get-noninteractive
|
||||
dest: /usr/local/bin/apt-get-noninteractive
|
||||
mode: u=rwx,go=
|
||||
|
||||
- name: Configure Apt-Dater to use APT wrapper
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/apt-dater-host.conf
|
||||
regexp: "^\\$DPKGTOOL="
|
||||
line: '$DPKGTOOL="/usr/local/bin/apt-get-noninteractive";'
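Review bot: The `Profile.d` task appears twice with identical content (L1431–L1443 and L1448–L1460); the second copy is a no-op on every run and should be deleted. The `apt-get-noninteractive` script is installed with `mode: u=rwx,go=` (L1511) and then configured as the tool apt-dater-host invokes (L1528); if apt-dater's SSH user on these hosts is not root, that mode prevents it from executing the wrapper — confirm which account apt-dater-host runs as before leaving `go=`.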
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
- name: "Directory for Journald config"
|
||||
ansible.builtin.file:
|
||||
path: /etc/systemd/journald.conf.d
|
||||
state: directory
|
||||
mode: u=rw,go=r
|
||||
|
||||
- name: "Config for persistent Journald logging"
|
||||
ansible.builtin.copy:
|
||||
dest: /etc/systemd/journald.conf.d/persistent.conf
|
||||
src: systemd/journald.conf.d/persistent.conf
|
||||
mode: u=rw,go=r
|
||||
notify: Restart Systemd-Journald
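Review bot: `mode: u=rw,go=r` on L1549 is applied to a directory, which leaves it without the execute (search) bit, so it is not traversable by any non-root process; the other directory tasks in this commit use `u=rwX,go=rX` (L1494, L1693). Change the line to `mode: u=rwx,go=rx` so the drop-in directory is normal `0755`. The `persistent.conf` copy below it is a file, so its `u=rw,go=r` is correct.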
|
|
@ -0,0 +1,8 @@
|
|||
inet_interfaces = loopback-only
|
||||
mydestination =
|
||||
myhostname = {{ inventory_hostname }}
|
||||
myorigin = $mydomain
|
||||
relayhost = {{ smtp_relay_host }}:{{ smtp_relay_port }}
|
||||
smtp_sasl_auth_enable = yes
|
||||
smtp_sasl_password_maps = static:{{ smtp_relay_user }}:{{ smtp_relay_password }}
|
||||
smtp_sasl_security_options = noanonymous
|
|
@ -0,0 +1 @@
|
|||
export HISTTIMEFORMAT="%Y-%m-%d %T "
|
|
@ -0,0 +1,8 @@
|
|||
Root={{ sysadmin_email }}
|
||||
Hostname={{ inventory_hostname }}
|
||||
FromLineOverride=no
|
||||
Mailhub={{ smtp_relay_host }}:{{ smtp_relay_port }}
|
||||
UseSTARTTLS=yes
|
||||
AuthUser={{ smtp_relay_user }}
|
||||
AuthPass={{ smtp_relay_password }}
|
||||
AuthMethod={{ smtp_relay_auth_method | default('cram-md5') }}
|
|
@ -0,0 +1 @@
|
|||
CONFIG=/etc/haproxy
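Review bot: `CONFIG=/etc/haproxy` points haproxy's `-f` at a directory, which loads every `*.cfg` in it in sorted order, and nothing in this file or in the haproxy tasks section (L1650–L1752) records that the design depends on `haproxy.cfg` sorting before `haproxy_control_lb.cfg` so that `global` and `defaults` are read first, nor that any stray `*.cfg` dropped into the directory will be loaded as well. Add `# -f on a directory: every *.cfg in /etc/haproxy is loaded in sort order; haproxy.cfg (global/defaults) must sort first` above the line. The tasks section only sets `enabled: true` on the unit (L1741–L1750); whether the service is running after a fresh install then depends on the package's post-install behaviour, which is not visible here — `state: started` would make it explicit.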
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
dependencies:
|
||||
- role: common
|
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
- name: Wait for APT Lock
|
||||
ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
|
||||
|
||||
- name: Install haproxy
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- haproxy
|
||||
install_recommends: false
|
||||
|
||||
- name: Directory /etc/sysconfig
|
||||
ansible.builtin.file:
|
||||
path: /etc/sysconfig
|
||||
state: directory
|
||||
mode: u=rwX,go=rX
|
||||
|
||||
- name: Haproxy service environment file
|
||||
ansible.builtin.copy:
|
||||
src: haproxy.env
|
||||
dest: /etc/sysconfig/haproxy
|
||||
mode: u=rwX,go=rX
|
||||
notify: Restart haproxy
|
||||
|
||||
- name: Haproxy base config
|
||||
ansible.builtin.template:
|
||||
src: haproxy.cfg.j2
|
||||
dest: /etc/haproxy/haproxy.cfg
|
||||
mode: u=rw,g=r,o=
|
||||
group: haproxy
|
||||
notify: Restart haproxy
|
||||
|
||||
- name: Enable haproxy service
|
||||
ansible.builtin.systemd:
|
||||
name: haproxy.service
|
||||
enabled: true
|
|
@ -0,0 +1,36 @@
|
|||
global
|
||||
log /dev/log local0
|
||||
log /dev/log local1 debug
|
||||
chroot /var/lib/haproxy
|
||||
# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||
# stats timeout 30s
|
||||
user haproxy
|
||||
group haproxy
|
||||
daemon
|
||||
# Default SSL material locations
|
||||
ca-base /etc/ssl/certs
|
||||
crt-base /etc/ssl/private
|
||||
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode http
|
||||
option httplog
|
||||
option dontlognull
|
||||
timeout connect 5000
|
||||
timeout client 50000
|
||||
timeout server 50000
|
||||
errorfile 400 /etc/haproxy/errors/400.http
|
||||
errorfile 403 /etc/haproxy/errors/403.http
|
||||
errorfile 408 /etc/haproxy/errors/408.http
|
||||
errorfile 500 /etc/haproxy/errors/500.http
|
||||
errorfile 502 /etc/haproxy/errors/502.http
|
||||
errorfile 503 /etc/haproxy/errors/503.http
|
||||
errorfile 504 /etc/haproxy/errors/504.http
|
||||
|
||||
backend bk_no_match
|
||||
mode http
|
||||
http-request deny deny_status 403
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
dependencies:
|
||||
- role: common
|
||||
- role: haproxy
|
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
|
||||
- name: Get IP of Ansible controller
|
||||
ansible.builtin.set_fact:
|
||||
_ssh_client_ip: "{{ ansible_env.SSH_CLIENT.split(' ')[0] }}"
|
||||
|
||||
- name: Allow access from whitelist to tcp port 50000
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: "50000"
|
||||
src: "{{ item }}"
|
||||
loop: "{{ ip_whitelist + [_ssh_client_ip] }}"
|
||||
|
||||
- name: Allow access from nodes to tcp port 50001
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: "50001"
|
||||
src: "{{ hostvars[talos_node].ansible_host }}"
|
||||
loop: "{{ groups['customer_' + customer] }}"
|
||||
loop_control:
|
||||
loop_var: talos_node
|
||||
|
||||
- name: Allow public access to tcp port 6443
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: "6443"
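Review bot: All three ufw rules in this file give a `port:` but no `proto:`, so each allows both TCP and UDP on that port although the task names say "tcp port"; add `proto: tcp` to each `community.general.ufw:` block to match the intent and the TCP-only frontends in the HAProxy template (L2001–L2135). The `Allow public access to tcp port 6443` rule (L1942–L1951) opens the Kubernetes API to every source while the Talos API on 50000 is limited to the whitelist; if that exposure is deliberate, a comment stating why should accompany the rule, otherwise the same `src:` loop as the 50000 rule applies. The `Get IP of Ansible controller` task (L1885–L1891) duplicates the one in the common firewall file (L868–L874); a shared task or a variable set once in `common` would keep the two from drifting.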
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
- name: Import firewall tasks
|
||||
ansible.builtin.import_tasks:
|
||||
file: firewall.yml
|
||||
tags:
|
||||
- firewall
|
||||
|
||||
- name: Haproxy LB config
|
||||
ansible.builtin.template:
|
||||
src: haproxy_control_lb.cfg.j2
|
||||
dest: /etc/haproxy/haproxy_control_lb.cfg
|
||||
mode: u=rw,g=r,o=
|
||||
group: haproxy
|
||||
notify: Restart haproxy
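Review bot: The `Haproxy LB config` template task (L1977–L1995) has no `validate:`, so a rendering error (for example an empty backend when a group is missing) is only discovered when the `Restart haproxy` handler fails and the load balancer in front of the Talos and Kubernetes APIs stays down. Add `validate: haproxy -c -f /etc/haproxy/haproxy.cfg -f %s` so the candidate file is checked together with the base config before it replaces the live one. The same applies to the base-config task at L1718–L1736, where `validate: haproxy -c -f %s` suffices.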
|
|
@ -0,0 +1,48 @@
|
|||
frontend tcp_talosapi
|
||||
mode tcp
|
||||
option tcplog
|
||||
bind :50000
|
||||
default_backend bk_talosapi
|
||||
|
||||
backend bk_talosapi
|
||||
mode tcp
|
||||
balance leastconn
|
||||
{% for talos_node in groups['customer_'+customer] %}
|
||||
{% if talos_node in groups['talos_control_nodes'] %}
|
||||
server {{ talos_node }} {{ hostvars[talos_node].ansible_host }}:50000 check
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
####
|
||||
|
||||
frontend tcp_talostrustd
|
||||
mode tcp
|
||||
option tcplog
|
||||
bind :50001
|
||||
default_backend bk_talostrustd
|
||||
|
||||
backend bk_talostrustd
|
||||
mode tcp
|
||||
balance leastconn
|
||||
{% for talos_node in groups['customer_'+customer] %}
|
||||
{% if talos_node in groups['talos_control_nodes'] %}
|
||||
server {{ talos_node }} {{ hostvars[talos_node].ansible_host }}:50001 check
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
####
|
||||
|
||||
frontend tcp_kubeapi
|
||||
mode tcp
|
||||
option tcplog
|
||||
bind :6443
|
||||
default_backend bk_kubeapi
|
||||
|
||||
backend bk_kubeapi
|
||||
mode tcp
|
||||
balance leastconn
|
||||
{% for talos_node in groups['customer_'+customer] %}
|
||||
{% if talos_node in groups['talos_control_nodes'] %}
|
||||
server {{ talos_node }} {{ hostvars[talos_node].ansible_host }}:6443 check
|
||||
{% endif %}
|
||||
{% endfor %}
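Review bot: The three frontend/backend pairs (L2001–L2039, L2049–L2087, L2097–L2135) are copies of one another differing only in the port and the backend name, so any future change to the health check or balance algorithm has to be made three times and a partial edit would silently leave one service behaving differently. A single outer loop over the (port, name) pairs produces the same rendered config and keeps the template to one definition; the inner membership test can also move into the loop header. The `####` separators are dropped in the rewrite but can be emitted inside the outer loop if they are wanted.
```jinja
{% for port, svc in [(50000, 'talosapi'), (50001, 'talostrustd'), (6443, 'kubeapi')] %}
frontend tcp_{{ svc }}
    mode tcp
    option tcplog
    bind :{{ port }}
    default_backend bk_{{ svc }}

backend bk_{{ svc }}
    mode tcp
    balance leastconn
{% for talos_node in groups['customer_'+customer] if talos_node in groups['talos_control_nodes'] %}
    server {{ talos_node }} {{ hostvars[talos_node].ansible_host }}:{{ port }} check
{% endfor %}

{% endfor %}
```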
|
|
@ -19,8 +19,8 @@
|
|||
cmd: >-
|
||||
talosctl apply-config
|
||||
--file '{{ talos_node_config_file }}'
|
||||
--nodes '{{ ansible_remote }}'
|
||||
--endpoints '{{ ansible_remote }}'
|
||||
--nodes '{{ ansible_host }}'
|
||||
--endpoints '{{ ansible_host }}'
|
||||
--mode auto
|
||||
{% if talos_machine_status.spec.stage == 'maintenance' %} --insecure{% endif %}
|
||||
changed_when: true
|
||||
|
@ -31,7 +31,7 @@
|
|||
delegate_to: "{{ talosctl_host }}"
|
||||
become: false
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ ansible_remote }}"
|
||||
host: "{{ ansible_host }}"
|
||||
port: 50000
|
||||
delay: 5
|
||||
timeout: 600
|
||||
|
|
|
@ -9,10 +9,10 @@
|
|||
interfaces:
|
||||
- interface: "{{ network_interface }}"
|
||||
addresses:
|
||||
- "{{ ansible_remote }}/{{ network_cidr_prefix }}"
|
||||
- "{{ ansible_host }}/{{ network_cidr_prefix }}"
|
||||
routes:
|
||||
- network: 0.0.0.0/0
|
||||
gateway: "{{ (ansible_remote ~ '/' ~ network_cidr_prefix) | ansible.utils.ipaddr('1') | ansible.utils.ipaddr('address') }}"
|
||||
gateway: "{{ (ansible_host ~ '/' ~ network_cidr_prefix) | ansible.utils.ipaddr('1') | ansible.utils.ipaddr('address') }}"
|
||||
install:
|
||||
disk: "{{ talos_disk }}"
|
||||
kubelet:
|
||||
|
|
|
@ -11,8 +11,8 @@
|
|||
cmd: >-
|
||||
talosctl reboot
|
||||
--wait=true
|
||||
--endpoints '{{ ansible_remote }}'
|
||||
--nodes '{{ ansible_remote }}'
|
||||
--endpoints '{{ ansible_host }}'
|
||||
--nodes '{{ ansible_host }}'
|
||||
{% if talos_machine_status.spec.stage == 'maintenance' %} --insecure{% endif %}
|
||||
changed_when: true
|
||||
environment:
|
||||
|
@ -23,5 +23,5 @@
|
|||
become: false
|
||||
throttle: 1
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ ansible_remote }}"
|
||||
host: "{{ ansible_host }}"
|
||||
port: 50000
|
||||
|
|
|
@ -14,8 +14,8 @@
|
|||
--graceful=false
|
||||
--wait=true
|
||||
--reboot
|
||||
--endpoints '{{ ansible_remote }}'
|
||||
--nodes '{{ ansible_remote }}'
|
||||
--endpoints '{{ ansible_host }}'
|
||||
--nodes '{{ ansible_host }}'
|
||||
changed_when: true
|
||||
environment:
|
||||
TALOSCONFIG: "{{ talosconfig }}"
|
||||
|
@ -24,5 +24,5 @@
|
|||
delegate_to: "{{ talosctl_host }}"
|
||||
become: false
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ ansible_remote }}"
|
||||
host: "{{ ansible_host }}"
|
||||
port: 50000
|
||||
|
|
|
@ -7,7 +7,8 @@
|
|||
talosctl upgrade
|
||||
--image="ghcr.io/siderolabs/installer:{{ talos_version }}"
|
||||
--endpoints='{{ talos_control_lb_hostname }}'
|
||||
--nodes='{{ ansible_remote }}'
|
||||
--preserve
|
||||
--nodes='{{ ansible_host }}'
|
||||
--timeout='30m'
|
||||
--wait=true
|
||||
changed_when: true
|
||||
|
@ -19,7 +20,7 @@
|
|||
throttle: 1
|
||||
become: false
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ ansible_remote }}"
|
||||
host: "{{ ansible_host }}"
|
||||
port: 50000
|
||||
delay: 5
|
||||
timeout: 300
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
throttle: 1
|
||||
become: false
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ ansible_remote }}"
|
||||
host: "{{ ansible_host }}"
|
||||
port: 50000
|
||||
delay: 5
|
||||
timeout: 300
|
||||
|
|
|
@ -4,5 +4,5 @@
|
|||
delegate_to: "{{ talosctl_host }}"
|
||||
become: false
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ ansible_remote }}"
|
||||
host: "{{ ansible_host }}"
|
||||
port: 50000
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: Restart unattended-upgrades
|
||||
ansible.builtin.systemd:
|
||||
name: unattended-upgrades.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
- name: Wait for APT Lock
|
||||
ansible.builtin.include_tasks: shared/tasks/wait_apt.yml
|
||||
|
||||
- name: Install packages required for auto update
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- unattended-upgrades
|
||||
- update-notifier-common
|
||||
install_recommends: false
|
||||
|
||||
- name: Configure unattended-upgrades email
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||
regexp: "^(//)?\\s*Unattended-Upgrade::Mail "
|
||||
line: Unattended-Upgrade::Mail "sysadmin@deovereo.com";
|
||||
notify: Restart unattended-upgrades
|
||||
|
||||
- name: Configure unattended-upgrades email on error
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||
regexp: "^(//)?\\s*Unattended-Upgrade::MailReport "
|
||||
line: Unattended-Upgrade::MailReport "only-on-error";
|
||||
notify: Restart unattended-upgrades
|
||||
|
||||
- name: Configure unattended-upgrades reboot
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||
regexp: "^(//)?\\s*Unattended-Upgrade::Automatic-Reboot "
|
||||
line: Unattended-Upgrade::Automatic-Reboot "true";
|
||||
notify: Restart unattended-upgrades
|
||||
|
||||
- name: Configure unattended-upgrades reboot
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||
regexp: "^(//)?\\s*Unattended-Upgrade::Automatic-Reboot-WithUsers "
|
||||
line: Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
|
||||
notify: Restart unattended-upgrades
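Review bot: The notification address is hard-coded as `sysadmin@deovereo.com` on L2542, while the rest of the commit reads it from a variable (`Root={{ sysadmin_email }}` in the ssmtp template, L1608); write `line: Unattended-Upgrade::Mail "{{ sysadmin_email }}";` so the two cannot diverge. The last two tasks share the name `Configure unattended-upgrades reboot` (L2570 and L2590) although the second sets `Automatic-Reboot-WithUsers`; rename it `Configure unattended-upgrades reboot with users` so play output distinguishes them. `Automatic-Reboot "true"` (L2582) with no `Automatic-Reboot-Time` means a reboot can happen at whatever time the upgrade run lands, which deserves a comment if intended.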
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- name: Import Ubuntu apt
|
||||
ansible.builtin.import_tasks:
|
||||
file: apt.yml
|
|
@ -0,0 +1,60 @@
|
|||
---
|
||||
# Requires var: __disable_service_name => name with '.service' or '.timer'
|
||||
|
||||
- name: disable_service | Check var __disable_service_name
|
||||
ansible.builtin.assert:
|
||||
that: __disable_service_name is defined and __disable_service_name != ''
|
||||
quiet: true
|
||||
|
||||
# - name: Update service facts
|
||||
# ansible.builtin.service_facts:
|
||||
|
||||
- name: disable_service | List loaded units
|
||||
ansible.builtin.command:
|
||||
cmd: systemctl list-units --state=loaded,masked --plain # noqa command-instead-of-module
|
||||
register: _list_units
|
||||
check_mode: false
|
||||
changed_when: false
|
||||
|
||||
- name: disable_service | When service exists
|
||||
when: _list_units.stdout is regex( '\s' + (__disable_service_name | regex_escape()) + '\s')
|
||||
block:
|
||||
- name: Stop and disable {{ __disable_service_name }}
|
||||
ansible.builtin.systemd:
|
||||
name: "{{ __disable_service_name }}"
|
||||
state: stopped
|
||||
enabled: false
|
||||
|
||||
- name: disable_service | List fa-iled services
|
||||
ansible.builtin.command:
|
||||
cmd: systemctl list-units --failed --plain # noqa command-instead-of-module
|
||||
register: _systemctl_list_failed
|
||||
changed_when: false
|
||||
|
||||
- name: disable_service | Reset-fa-iled service {{ __disable_service_name }}
|
||||
when: _systemctl_list_failed.stdout is regex('\s' + (__disable_service_name) + '\s')
|
||||
ansible.builtin.command:
|
||||
cmd: systemctl reset-failed '{{ __disable_service_name }}' # noqa command-instead-of-module
|
||||
changed_when: true
|
||||
|
||||
- name: disable_service | Find target paths
|
||||
ansible.builtin.find:
|
||||
paths: /etc/systemd/system
|
||||
patterns: "*.wants"
|
||||
file_type: directory
|
||||
register: _target_wants_paths
|
||||
|
||||
- name: disable_service | Find target unit files
|
||||
ansible.builtin.find:
|
||||
paths: "{{ _target_wants_paths.files | map(attribute='path') | list }}"
|
||||
file_type: link
|
||||
patterns: "{{ __disable_service_name }}"
|
||||
register: _remove_list
|
||||
|
||||
- name: disable_service | Remove target unit files
|
||||
ansible.builtin.file:
|
||||
path: "{{ _remove_file }}"
|
||||
state: absent
|
||||
loop: "{{ _remove_list.files | map(attribute='path') | list }}"
|
||||
loop_control:
|
||||
loop_var: _remove_file
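Review bot: The `Reset-fa-iled` condition on L2722 interpolates `__disable_service_name` into a regex without the `regex_escape()` that the existing-unit check on L2679 applies, so the `.` in a name such as `motd-news.service` matches any character; change it to `when: _systemctl_list_failed.stdout is regex('\s' + (__disable_service_name | regex_escape()) + '\s')`. The spelling `fa-iled` in the two task names (L2702, L2719) looks deliberate, presumably to keep a log scanner from flagging the word, but a one-line comment saying so would stop the next reader from "fixing" it. The requirement stated on L2629 (name must include `.service` or `.timer`) is enforced only as non-empty by the assert on L2640; extending it to `__disable_service_name is match('.*\.(service|timer)$')` would catch callers like the one at L710 that pass a bare name.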
|
|
@ -9,8 +9,8 @@
|
|||
ansible.builtin.command:
|
||||
cmd: >-
|
||||
talosctl get machinestatus
|
||||
--endpoints '{{ ansible_remote }}'
|
||||
--nodes '{{ ansible_remote }}'
|
||||
--endpoints '{{ ansible_host }}'
|
||||
--nodes '{{ ansible_host }}'
|
||||
--output json
|
||||
register: _machine_status_cmd
|
||||
failed_when: _machine_status_cmd.rc not in [0, 1]
|
||||
|
@ -25,8 +25,8 @@
|
|||
ansible.builtin.command:
|
||||
cmd: >-
|
||||
talosctl get machinestatus
|
||||
--endpoints '{{ ansible_remote }}'
|
||||
--nodes '{{ ansible_remote }}'
|
||||
--endpoints '{{ ansible_host }}'
|
||||
--nodes '{{ ansible_host }}'
|
||||
--output json
|
||||
--insecure
|
||||
register: _machine_status_cmd_insec
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- name: Wait for automatic system updates
|
||||
ansible.builtin.raw: systemd-run --property="After=apt-daily.service apt-daily-upgrade.service unattended-upgrades.service cloud-final.service" --wait /bin/true
|
||||
changed_when: false
|