diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml
index 129d00c..dd0bae4 100644
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@@ -1,5 +1,6 @@
 ---
 # consul
+consul_dc: columbia
 consul_version: 1.8.3
 # vault
diff --git a/ansible/host_vars/fatman.minhas.io/main.yml b/ansible/host_vars/fatman.minhas.io/main.yml
index ff399e3..be8da94 100644
--- a/ansible/host_vars/fatman.minhas.io/main.yml
+++ b/ansible/host_vars/fatman.minhas.io/main.yml
@@ -1,4 +1,3 @@
 ---
-consul_dc: columbia
 consul_config_path: /usr/local/etc/consul.d
 ...
diff --git a/ansible/host_vars/ivyking.minhas.io/main.yml b/ansible/host_vars/ivyking.minhas.io/main.yml
deleted file mode 100644
index c310f7a..0000000
--- a/ansible/host_vars/ivyking.minhas.io/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-consul_dc: columbia
-...
diff --git a/ansible/host_vars/sedan.minhas.io/main.yml b/ansible/host_vars/sedan.minhas.io/main.yml
deleted file mode 100644
index c310f7a..0000000
--- a/ansible/host_vars/sedan.minhas.io/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-consul_dc: columbia
-...
diff --git a/ansible/inventory.txt b/ansible/inventory.txt
index ed90648..7eeb3ab 100644
--- a/ansible/inventory.txt
+++ b/ansible/inventory.txt
@@ -1,3 +1,9 @@
+[all]
+fatman.minhas.io
+ivyking.minhas.io
+ranger.minhas.io
+sedan.minhas.io
+
 [consul_server]
 fatman.minhas.io
 ivyking.minhas.io
diff --git a/ansible/playbooks/consul-client.yml b/ansible/playbooks/consul-client.yml
new file mode 100644
index 0000000..9bddc2f
--- /dev/null
+++ b/ansible/playbooks/consul-client.yml
@@ -0,0 +1,7 @@
+---
+- hosts: all
+  roles:
+    - { role: consul,
+        when: '"consul_server" not in group_names'
+      }
+...
diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
index a66a226..fa39ff8 100644
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
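Review bot: The role entry in consul-client.yml is a flow mapping split across three lines, which is hard to read and easy to break on the next edit; the same entry in block style is `- role: consul` followed by `  when: '"consul_server" not in group_names'`. Because the play targets `hosts: all` and excludes the servers only through the per-host `when`, every server still gathers facts and evaluates the role on each run, which is acceptable for an inventory this size but deserves a comment such as `# client agents: every inventory host that is not in consul_server` above the play.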
@@ -5,4 +5,5 @@
 - import_playbook: consul-server.yml
 - import_playbook: vault-server.yml
+- import_playbook: consul-client.yml
 ...
diff --git a/ansible/roles/consul/defaults/main.yml b/ansible/roles/consul/defaults/main.yml
new file mode 100644
index 0000000..f5f06b0
--- /dev/null
+++ b/ansible/roles/consul/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+consul_config_path: /etc/consul.d
+...
diff --git a/ansible/roles/consul/files/consul-agent-ca.pem b/ansible/roles/consul/files/consul-agent-ca.pem
new file mode 100644
index 0000000..f22fc45
--- /dev/null
+++ b/ansible/roles/consul/files/consul-agent-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCApGgAwIBAgIQME5Go459u5LlhDqirL54aTAKBggqhkjOPQQDAjCBuDEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
+NjQyMDkzNzU2Nzk2MDMyOTY4MTA4MDI5ODk2NTUzNjQ4OTI3NzcwHhcNMjAwODI3
+MTYxOTE4WhcNMjUwODI2MTYxOTE4WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
+AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
+IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
+MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgNjQyMDkzNzU2Nzk2MDMyOTY4MTA4
+MDI5ODk2NTUzNjQ4OTI3NzcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASUDPnD
+lfeWaTrJHZ9JzovcEXTGh2VKOaq4a1GceAqYNg1Jj2A6+6Je9Nm5+tvVn939ZS0z
+NQGjuL3vdxJN96sYo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
+/zApBgNVHQ4EIgQg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwKwYD
+VR0jBCQwIoAg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwCgYIKoZI
+zj0EAwIDRwAwRAIgGj3Z1yyMTcdsZiFu89Si0E9ueX2CAAztWabhbvzMOl4CIHIv
+DhH1LG5/DHuJCQA4MAKLiDzt1/XQoS1FJiguyorb
+-----END CERTIFICATE-----
diff --git a/ansible/roles/consul/files/consul.service b/ansible/roles/consul/files/consul.service
new file mode 100644
index 0000000..71b78f8
--- /dev/null
+++ b/ansible/roles/consul/files/consul.service
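Review bot: A CA certificate is public material and fine to commit, but nothing in the role records when this one stops being valid; decoding the validity field in the DER appears to give a window from 2020-08-27 to 2025-08-26, and the subject looks like the default emitted by `consul tls ca create`, so this is a five-year CA with no rotation plan alongside it. A note in the role's README or defaults, e.g. `# consul-agent-ca.pem: cluster CA (check the expiry with openssl x509 -noout -enddate); rotate together with the server certificates`, would at least make the deadline visible. Since only the CA is committed here, the matching CA private key is presumably kept elsewhere; saying where (Vault, an offline machine) in the same note would help the next operator.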
@@ -0,0 +1,15 @@
+[Unit]
+Description=Consul Service Discovery Agent
+After=network-online.target
+
+[Service]
+Type=simple
+Restart=on-failure
+User=consul
+Group=consul
+RestartSec=3
+StateDirectory=consul
+ExecStart=/usr/local/bin/consul agent -config-dir /etc/consul.d/
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible/roles/consul/handlers/main.yml b/ansible/roles/consul/handlers/main.yml
new file mode 100644
index 0000000..0c9cfcd
--- /dev/null
+++ b/ansible/roles/consul/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: daemon_reload
+  systemd:
+    daemon_reload: True
+
+- name: restart_consul_debian
+  systemd:
+    name: consul
+    state: restarted
+
+- name: restart_consul_fbsd
+  service:
+    name: consul
+    state: restarted
diff --git a/ansible/roles/consul/tasks/Debian.yml b/ansible/roles/consul/tasks/Debian.yml
new file mode 100644
index 0000000..7111a25
--- /dev/null
+++ b/ansible/roles/consul/tasks/Debian.yml
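Review bot: `After=network-online.target` on its own only orders the unit; it does not pull the target in, so on a host where nothing else wants it the agent can start before the network is up and the first join attempt fails — add `Wants=network-online.target` beside the `After=` line. `StateDirectory=consul` makes systemd create and own `/var/lib/consul`, yet the rendered config points `data_dir` at `/opt/consul`, which Debian.yml creates separately, so one of the two is dead weight and they should be aligned. As this unit runs a network-facing agent under a dedicated user, the cheap hardening lines `NoNewPrivileges=true`, `ProtectSystem=full` and `PrivateTmp=true` would fit here without touching the paths the agent uses.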
@@ -0,0 +1,88 @@
+---
+- name: ensure consul group
+  group:
+    name: consul
+    state: present
+    system: True
+
+- name: ensure consul user
+  user:
+    name: consul
+    state: present
+    group: consul
+    system: True
+
+- name: ensure consul config dir
+  file:
+    path: /etc/consul.d/
+    state: directory
+    owner: consul
+    group: consul
+    mode: 0755
+
+- name: ensure consul config dir
+  file:
+    path: /etc/consul.d/certs/
+    state: directory
+    owner: consul
+    group: consul
+    mode: 0744
+
+- name: ensure consul agent ca cert
+  copy:
+    src: files/consul-agent-ca.pem
+    dest: /etc/consul.d/certs/consul-agent-ca.pem
+    owner: consul
+    group: consul
+    mode: 0644
+
+- name: ensure consul data dir
+  file:
+    path: /opt/consul
+    state: directory
+    owner: consul
+    group: consul
+    mode: 0755
+
+- name: check consul version
+  shell:
+    cmd: "consul --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_consul_version
+  check_mode: False
+
+- name: get consul
+  unarchive:
+    src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: installed_consul_version.stdout != consul_version
+
+- name: copy consul unit file
+  copy:
+    src: files/consul.service
+    dest: /etc/systemd/system/consul.service
+    mode: 0755
+    owner: root
+    group: root
+  notify: daemon_reload
+
+- name: template consul config
+  template:
+    src: templates/consul.hcl.j2
+    dest: /etc/consul.d/consul.hcl
+    owner: root
+    group: root
+    mode: 0755
+  notify: restart_consul_debian
+
+- name: ensure consul is started and enabled
+  systemd:
+    name: consul
+    state: started
+    enabled: True
diff --git a/ansible/roles/consul/tasks/main.yml b/ansible/roles/consul/tasks/main.yml
new file mode 100644
index 0000000..8ebc556
--- /dev/null
+++ b/ansible/roles/consul/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- include: "{{ ansible_os_family }}.yml"
+...
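Review bot: The rendered `/etc/consul.d/consul.hcl` carries the gossip key and the ACL token pulled from Vault, but the `template consul config` task writes it with `owner: root` and `mode: 0755`, i.e. readable by every local account; since the unit runs the agent as `consul`, the file should be `owner: root`, `group: consul`, `mode: "0640"`, and the unit file two tasks earlier needs only `"0644"` (quoting the octal modes also avoids the YAML 1.1 integer conversion that ansible-lint warns about). The `get consul` task unpacks the release zip straight from the network with no checksum, so a tampered or truncated download is installed silently; fetching with `get_url` and its `checksum:` option against the SHA256SUMS HashiCorp publishes per release, then unarchiving the local file, closes that gap. Two tasks share the name `ensure consul config dir`, which makes `--start-at-task` and the log output ambiguous; the second should be `ensure consul certs dir`. The task paths hard-code `/etc/consul.d/` while the template reads `{{ consul_config_path }}`, so a host that overrides the variable (fatman.minhas.io does) would get the CA copied where the config does not look; using the variable in `path`/`dest` keeps the two in step.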
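Review bot: `- include:` is the bare include form that Ansible deprecated in 2.4 and has since removed from newer ansible-core releases, so main.yml will stop parsing on an upgrade; because the file name depends on the gathered fact `ansible_os_family`, the dynamic replacement is the right one: `- include_tasks: "{{ ansible_os_family }}.yml"` (`import_tasks` is resolved at parse time, before facts exist). A comment above it such as `# dispatch to the per-OS-family task list; only Debian.yml ships in this commit` would tell the reader why the `restart_consul_fbsd` handler has no caller yet.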
diff --git a/ansible/roles/consul/templates/consul-client.key.j2 b/ansible/roles/consul/templates/consul-client.key.j2
new file mode 100644
index 0000000..a9adc62
--- /dev/null
+++ b/ansible/roles/consul/templates/consul-client.key.j2
@@ -0,0 +1 @@
+{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['consul-client-key'] }}
diff --git a/ansible/roles/consul/templates/consul.hcl.j2 b/ansible/roles/consul/templates/consul.hcl.j2
new file mode 100644
index 0000000..5899d6d
--- /dev/null
+++ b/ansible/roles/consul/templates/consul.hcl.j2
@@ -0,0 +1,33 @@
+datacenter = "{{ consul_dc }}"
+domain = "consul"
+
+encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
+
+verify_incoming = false
+verify_outgoing = true
+verify_server_hostname = true
+ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
+
+auto_encrypt {
+  tls = true
+}
+
+bind_addr = "{{ ansible_default_ipv4.address }}"
+start_join = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"]
+
+data_dir = "/opt/consul"
+log_level = "INFO"
+raft_protocol = 3
+
+addresses {
+  http = "0.0.0.0"
+}
+
+acl {
+  enabled = true
+  default_policy = "deny"
+  enable_token_persistence = true
+  tokens {
+    agent = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
+  }
+}
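Review bot: The `acl.tokens.agent` value on every client is the Vault entry named `server-acl-token`, so each non-server host holds the servers' own credential and a compromised client inherits server-level ACL rights; a client agent only needs `node` write on its own node (plus whatever it registers), so a separate client-scoped Vault entry should be referenced here, e.g. `agent = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['<client-token-key>'] }}"` with the key name chosen when it is added to Vault. The HTTP API is bound to `0.0.0.0` as plain HTTP, so any token presented to it crosses the network unencrypted; unless remote API access is required, `http = "127.0.0.1"` is the safer default, and remote use belongs on the `https` listener with the same CA. `start_join` makes the agent exit if no server answers at start-up, which combines badly with the weak network ordering in the unit file; `retry_join` with the same list keeps retrying and is the form the Consul documentation recommends. A header comment naming the secrets this template embeds, e.g. `# renders the gossip key and the agent ACL token: install with mode 0640, group consul`, would tell the next reader why the file must not be world-readable.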