remove nomad policies, remove consul from servers

2023-03-20 23:17:53 -04:00 · 2023-03-20 23:17:53 -04:00 · 5395377679
commit 5395377679
parent 5cc64a7170
8 changed files with 27 additions and 61 deletions
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@ -56,5 +56,5 @@ vault_ca_cert_payload: |
  -----END CERTIFICATE-----

 # lnd
-lnd_version: 0.15.4-beta
+lnd_version: 0.15.5-beta
 ...
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@ -2,7 +2,7 @@
 - import_playbook: common.yml
 - import_playbook: vault-server.yml
 - import_playbook: k3s.yml
- import_playbook: docker-repo.yml
+  #- import_playbook: docker-repo.yml
 - import_playbook: lnd.yml
 - import_playbook: wekan.yml
 ...
--- a/ansible/roles/common/tasks/Debian.yml
+++ b/ansible/roles/common/tasks/Debian.yml
@ -1,4 +1,14 @@
 ---
+- name: remove consul
+  systemd:
+    name: consul
+    state: stopped
+    enabled: false
+
+- name: daemon-reload
+  systemd:
+    daemon_reload: true
+
 - name: apt update
  apt:
    update_cache: True
--- a/ansible/roles/k3s/tasks/server.yml
+++ b/ansible/roles/k3s/tasks/server.yml
@ -1,19 +1,4 @@
 ---
- name: template k3s server systemd
-  template:
-    src: templates/k3s.service.j2
-    dest: /etc/systemd/system/k3s.service
-    owner: root
-    group: root
-    mode: 0644
-
- name: enable and start k3s
-  systemd:
-    daemon_reload: yes
-    enabled: yes
-    name: k3s
-    state: started
-
 - name: get k3s token
  slurp:
    src: /var/lib/rancher/k3s/server/node-token
@ -28,4 +13,19 @@
    state: link
    src: /usr/local/bin/k3s
    dest: /usr/local/bin/kubectl
+
+- name: template k3s server systemd
+  template:
+    src: templates/k3s.service.j2
+    dest: /etc/systemd/system/k3s.service
+    owner: root
+    group: root
+    mode: 0644
+
+- name: enable and start k3s
+  systemd:
+    daemon_reload: yes
+    enabled: yes
+    name: k3s
+    state: started
 ...
--- a/vault/policies/nomad-server.hcl
+++ b/vault/policies/nomad-server.hcl
@ -1,30 +0,0 @@
-# Allow creating tokens under "nomad-cluster" role.
-path "auth/token/create/nomad-cluster" {
-  capabilities = ["update"]
-}
-
-# Allow looking up "nomad-cluster" role.
-path "auth/token/roles/nomad-cluster" {
-  capabilities = ["read"]
-}
-
-# Allow looking up incoming tokens to validate they have permissions to access
-# the tokens they are requesting.
-path "auth/token/lookup" {
-  capabilities = ["update"]
-}
-
-# Allow revoking tokens that should no longer exist.
-path "auth/token/revoke-accessor" {
-  capabilities = ["update"]
-}
-
-# Allow checking the capabilities of our own token.
-path "sys/capabilities-self" {
-  capabilities = ["update"]
-}
-
-# Allow our own token to be renewed.
-path "auth/token/renew-self" {
-  capabilities = ["update"]
-}
--- a/vault/policies/sudoscientist-go-backend.hcl
+++ b/vault/policies/sudoscientist-go-backend.hcl
@ -1,3 +0,0 @@
-path "kv/data/sudoscientist" {
-  capabilities = ["read"]
-}
--- a/vault/policies/wallabag.hcl
+++ b/vault/policies/wallabag.hcl
@ -1,3 +0,0 @@
-path "kv/data/wallabag" {
-  capabilities = ["read"]
-}
--- a/vault/roles/nomad-cluster-role.json
+++ b/vault/roles/nomad-cluster-role.json
@ -1,8 +0,0 @@
-{
-  "disallowed_policies": "nomad-server,root",
-  "token_explicit_max_ttl": 0,
-  "name": "nomad-cluster",
-  "orphan": true,
-  "token_period": 259200,
-  "renewable": true
-}