Update ansible

This commit is contained in:
Amarpreet Minhas 2022-11-05 22:11:23 -04:00
parent 9c0b211db2
commit 0c99c0b5b2
16 changed files with 112 additions and 41 deletions


@ -13,8 +13,8 @@ poll_interval = 15
transport = smart transport = smart
remote_port = 22 remote_port = 22
gathering = smart gathering = smart
stdout_callback = skippy stdout_callback = default
callback_whitelist = timer callbacks_enabled = timer
timeout = 10 timeout = 10
remote_user = cfgmgmt remote_user = cfgmgmt
private_key_file = ~/personal/keys/cfgmgmt private_key_file = ~/personal/keys/cfgmgmt
@ -29,3 +29,6 @@ become_user = root
[diff] [diff]
always = True always = True
[hashi_vault_collection]
token_validate = True
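Review bot: The new `[hashi_vault_collection]` section only sets `token_validate`, while every lookup touched by this commit still repeats `ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt` inline; the community.hashi_vault lookup also reads `ca_cert` (and `url`, `validate_certs`) from this same ini section, so adding `ca_cert = /etc/pki/certs/MaskedName_Root_CA.crt` here would let the templates shrink to `lookup('hashi_vault', 'secret=kv/data/consul:gossip')` and keep the trust anchor in one place. `token_validate = True` makes each lookup call `auth/token/lookup-self` before using the token, so the controller's Vault token must carry that capability (the default policy grants it); a one-line comment above the key saying so would help. Separately, `always = True` under `[diff]` just above means the tasks that template the Vault-sourced keys and tokens added in this commit will echo those values in diff output unless each such task sets `diff: false` or `no_log: true`.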


@ -1,4 +1,4 @@
--- ---
lego_email_address: amarpreet@minhas.io lego_email_address: amarpreet@minhas.io
letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['account_id'] }}" letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:account_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
... ...


@ -1,16 +1,22 @@
ansible==2.9.12 ansible==6.5.0
certifi==2020.6.20 ansible-core==2.13.5
cffi==1.14.2 certifi==2022.9.24
chardet==3.0.4 cffi==1.15.1
cryptography==3.0 chardet==5.0.0
docker==4.3.1 charset-normalizer==2.1.1
hvac==0.10.5 cryptography==38.0.3
idna==2.10 docker==6.0.1
Jinja2==2.11.2 hvac==1.0.2
MarkupSafe==1.1.1 idna==3.4
pycparser==2.20 Jinja2==3.1.2
PyYAML==5.3.1 MarkupSafe==2.1.1
requests==2.24.0 packaging==21.3
six==1.15.0 pycparser==2.21
urllib3==1.25.10 pyhcl==0.4.4
websocket-client==0.57.0 pyparsing==3.0.9
PyYAML==6.0
requests==2.28.1
resolvelib==0.8.1
six==1.16.0
urllib3==1.26.12
websocket-client==1.4.2


@ -1,4 +1,4 @@
--- ---
- include: "{{ ansible_os_family }}_pki.yml" - include_tasks: "{{ ansible_os_family }}_pki.yml"
- include: "{{ ansible_os_family }}.yml" - include_tasks: "{{ ansible_os_family }}.yml"
... ...
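Review bot: Both `include_tasks` entries build the file name from `ansible_os_family`, a gathered fact, which is exactly why the dynamic form is needed here (`import_tasks` resolves its path at parse time, before facts exist); a one-line comment such as `# dynamic include: file name depends on gathered facts, import_tasks cannot do this` would stop the next reader from "fixing" it back. Because the value is reported by the managed host, a compromised host can steer which task file gets loaded; a guard like `when: ansible_os_family in supported_os_families`, with `supported_os_families` a role var listing the families you actually ship files for, limits that to the intended set. The same two points apply to the other role `main.yml` files changed in this commit.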


@ -1,3 +1,3 @@
--- ---
- include: "{{ ansible_os_family }}.yml" - include_tasks: "{{ ansible_os_family }}.yml"
... ...


@ -3,7 +3,7 @@ primary_datacenter = "{{ main_dc_name }}"
domain = "{{ consul_domain }}" domain = "{{ consul_domain }}"
node_name = "{{ inventory_hostname_short }}" node_name = "{{ inventory_hostname_short }}"
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}" encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
verify_incoming = false verify_incoming = false
verify_outgoing = true verify_outgoing = true
@ -32,6 +32,6 @@ acl {
default_policy = "deny" default_policy = "deny"
enable_token_persistence = true enable_token_persistence = true
tokens { tokens {
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}" default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
} }
} }
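Review bot: The `tokens { default = ... }` line in the second hunk fills the agent's default token from `kv/data/consul:server-acl-token`, so every agent rendered from this template gets the same token the server config uses, whereas the Nomad templates in this commit already split `consul-acl-client` from `consul-acl-server`. This appears to be the client agent template (the first hunk shows `verify_incoming = false` and no `server = true`), so a node-scoped token would be the least-privilege choice: store a separate field and render `default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:client-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"`. Note also that `enable_token_persistence = true` writes whatever token lands here to the agent's data directory, which is one more reason to keep it narrowly scoped.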


@ -1,3 +1,3 @@
--- ---
- include: "{{ ansible_os_family }}.yml" - include_tasks: "{{ ansible_os_family }}.yml"
... ...


@ -6,7 +6,7 @@ server = true
bootstrap_expect = 3 bootstrap_expect = 3
ui = true ui = true
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}" encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
verify_outgoing = true verify_outgoing = true
verify_server_hostname = true verify_server_hostname = true
@ -49,6 +49,6 @@ acl {
default_policy = "deny" default_policy = "deny"
enable_token_persistence = true enable_token_persistence = true
tokens { tokens {
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}" default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
} }
} }


@ -1,7 +1,7 @@
--- ---
- include: get_k3s.yml - include_tasks: get_k3s.yml
- include: server.yml - include_tasks: server.yml
when: k3s_role == "server" when: k3s_role == "server"
- include: clients.yml - include_tasks: clients.yml
when: k3s_role == "client" when: k3s_role == "client"
... ...


@ -1 +1 @@
{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }} {{ lookup('hashi_vault', 'secret=kv/data/acme:private_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
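Review bot: The rendered file is the ACME account private key and nothing else, so the task that writes this template needs `mode: "0600"`, `no_log: true` and `diff: false`; with `always = True` under `[diff]` in this commit's ansible.cfg the key material is otherwise printed to the controller's output whenever the file changes. That task is not part of this commit, so this is a request to confirm rather than a defect visible here. A leading `{# ACME account private key from Vault; written with mode 0600, never diffed #}` comment in the template would document the expectation at the point of use (Jinja comments are stripped from the rendered file).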


@ -1,5 +1,5 @@
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }} export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_user ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }} export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }} export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:access_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }} export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }} export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:hosted_zone_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
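Review bot: All five `export` lines interpolate the Vault value unquoted, so any secret containing whitespace, `$`, `;`, `&` or a quote character is split or interpreted by the shell when this file is sourced, and the key ends up truncated or executed rather than exported. Piping each lookup through Ansible's `quote` filter produces shell-safe quoting regardless of content, e.g. `export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') | quote }}`, applied to the other four lines the same way. As with the other secret-bearing templates in this commit, the task that writes this file should use `mode: "0600"` and `no_log: true`, which cannot be verified from the hunk.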


@ -14,13 +14,13 @@ client {
} }
consul { consul {
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}" token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
} }
vault { vault {
enabled = true enabled = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}" ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}" token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
address = "https://vault.service.{{ consul_domain }}:8200" address = "https://vault.service.{{ consul_domain }}:8200"
create_from_role = "nomad-cluster" create_from_role = "nomad-cluster"
unwrap_token = true unwrap_token = true
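Review bot: This hunk sits under `client {` per the hunk header, yet the `vault` stanza still renders `token` from `kv/data/nomad:vault-token` together with `create_from_role`, the same values the server template in this commit uses. As far as I recall from Nomad's `vault` stanza documentation, the parent `token` and `create_from_role` are used only by servers to derive task tokens, and clients receive derived tokens from the servers; if that holds for the Nomad version deployed here, dropping `token` and `create_from_role` from the client template stops the server-level Vault token from being distributed to every client node. If clients genuinely need the token in this setup, a comment above the stanza stating why would save the next reviewer the same question.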


@ -9,14 +9,14 @@ server {
vault { vault {
enabled = true enabled = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}" ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}" token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
address = "https://vault.service.{{ consul_domain }}:8200" address = "https://vault.service.{{ consul_domain }}:8200"
create_from_role = "nomad-cluster" create_from_role = "nomad-cluster"
unwrap_token = true unwrap_token = true
} }
consul { consul {
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}" token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
} }
tls { tls {
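Review bot: `unwrap_token = true` in the `vault` stanza declares that the value rendered into `token` from `kv/data/nomad:vault-token` is a response-wrapping token, but a wrapping token is single-use and this template renders the same KV value on every server (the consul server config in this commit has `bootstrap_expect = 3`). If the stored value really is a wrapping token, only the first server to start can unwrap it and the others fail Vault integration; if it is a plain periodic token, unwrapping fails everywhere. Either store a plain token and set `unwrap_token = false`, or generate a fresh wrapped token per node at render time rather than reading one from KV; a comment above the line recording which kind of token is expected would make the contract explicit.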


@ -18,5 +18,5 @@ cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
storage "consul" { storage "consul" {
address = "localhost:8500" address = "localhost:8500"
path = "vault/" path = "vault/"
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}" token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:consul-acl ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
} }
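Review bot: The Consul storage `token` for Vault's own server configuration is now fetched with a `hashi_vault` lookup, so rendering this file requires a reachable, unsealed Vault; if every Vault node is down or needs re-rendering after a storage problem, the play cannot produce the config that Vault needs to come back. That circular dependency is worth a comment above the `storage` block, e.g. `# NOTE: this token is read from Vault itself; keep an out-of-band copy for cold-start recovery`, and a documented break-glass path (a vaulted Ansible variable or an explicitly provided extra-var) that the template falls back to. The token still lands in plaintext in the rendered file, so the usual `mode: "0600"` / `no_log` expectations on the template task apply.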


@ -0,0 +1,19 @@
FROM golang:alpine
RUN apk add --no-cache ca-certificates git && \
go install -tags 'postgres' github.com/golang-migrate/migrate/v4/cmd/migrate@latest && \
mkdir -p ${GOPATH}/src/git.minhas.io/asara && \
cd ${GOPATH}/src/git.minhas.io/asara && \
git clone https://git.minhas.io/asara/sudoscientist-go-backend && \
cd ${GOPATH}/src/git.minhas.io/asara/sudoscientist-go-backend && \
go mod init && go get && go build -o /go/bin/sudoscientist-go-backend main.go && \
mv /go/bin/* /usr/local/bin/ && \
rm -rf /go/src && \
apk del git
# Copy masked.name root cert
COPY files/MaskedName_Root_CA.crt /usr/local/share/ca-certificates/MaskedName_Root_CA.crt
# update ca certs
RUN update-ca-certificates 2>/dev/null
CMD ["/usr/local/bin/sudoscientist-go-backend"]
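Review bot: Nothing in this build is pinned: `FROM golang:alpine` floats with the toolchain, `migrate@latest` resolves to whatever is current, and `git clone https://git.minhas.io/asara/sudoscientist-go-backend` builds the tip of the default branch, so two builds of the same Dockerfile can yield different binaries and there is no fixed point to audit or roll back to. Pin the base image to a version or digest, give `go install` an explicit `@vX.Y.Z`, and add `git checkout <tag-or-commit>` after the clone (or `--branch <tag> --depth 1`). The container also runs as root; adding `RUN adduser -D -H app` during the build and `USER app` before `CMD` costs nothing since the binary only needs the CA bundle that `update-ca-certificates` installs system-wide. Finally, `2>/dev/null` on `update-ca-certificates` hides any failure to install the root CA, which would surface later as opaque TLS errors against Vault or Consul.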


@ -0,0 +1,43 @@
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIUYp8xo5t2lJFP3SiD1fJirgGUQJ0wDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyMzEyWhcNMzAw
ODI3MTkyMzQyWjAWMRQwEgYDVQQDEwttYXNrZWQubmFtZTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMI7oR+KHvvznfnaAXDMO5qpSTCAYCyfjFEohYJf
lOcnLONXb3f6sP5d1eltL+UTq0RVU5UP0aNW7hqDTa41MRw0JCDtB68yKdYq2hZf
97gA+lj3MEJU6RTAKLrg75GRh/AbNEIgwvPuHKW6hMbtwOyM9DFU//W3xpusalXy
RMFzAHfSDj9ci+UygUt9HINWd/SmMGG/8PghaRhfE44wRFMqYezeliIt2JIs43BV
7HqG0Oev9WPeXmiaZUYKQetHiQqR14Mxiv1IGzCmwwN+9b4tZtZTa58oM5dPXfbb
lrELQE5OsPaNtMtER3MgxovDN3VSCGH/O/GyaEWVanY5UF8CAwEAAaN7MHkwDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBY8jW3fDVUp
URt1prhmDMjkVikgMB8GA1UdIwQYMBaAFBY8jW3fDVUpURt1prhmDMjkVikgMBYG
A1UdEQQPMA2CC21hc2tlZC5uYW1lMA0GCSqGSIb3DQEBCwUAA4IBAQAWQz4d3QzE
W8NGA16ZPamlVubOLB5DtZz2qrSrn3DeObLIDShInV3qtRlDx9HYJLTCA75Ket0J
NTsyMcTy2txd4I8hgdF30XJeEciN9wZ0mKEeP/YKDwe8V2XwWq4XYkDechlWHpZo
PfWcoLprKwVUI4HzaqkNmwcmMUI4xAsC+SLe1mrebseKm49oOwdQs/oPVLK+0nEp
RvD0aOvohILIa/2ZtKczvhB/L3fo5pg9Ex/0JDBdDHIedMabD3qn8Idse+P5Dfwa
Ju2Ctyb+n1TTPxRDMxs2cFbA5irr+2ARJd8jtGS+1fyxogjOWS1RR523F+qIS3su
KibGel+gFPpq
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----