From 5395377679a5bff682fa6273dd959949b1315008 Mon Sep 17 00:00:00 2001
From: Asara
Date: Mon, 20 Mar 2023 23:17:53 -0400
Subject: [PATCH] remove nomad policies, remove consul from servers
---
 ansible/group_vars/all/main.yml | 2 +-
 ansible/playbooks/site.yml | 2 +-
 ansible/roles/common/tasks/Debian.yml | 10 +++++++
 ansible/roles/k3s/tasks/server.yml | 30 ++++++++++-----------
 vault/policies/nomad-server.hcl | 30 ---------------------
 vault/policies/sudoscientist-go-backend.hcl | 3 ---
 vault/policies/wallabag.hcl | 3 ---
 vault/roles/nomad-cluster-role.json | 8 ------
 8 files changed, 27 insertions(+), 61 deletions(-)
 delete mode 100644 vault/policies/nomad-server.hcl
 delete mode 100644 vault/policies/sudoscientist-go-backend.hcl
 delete mode 100644 vault/policies/wallabag.hcl
 delete mode 100644 vault/roles/nomad-cluster-role.json
diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml
index 9eb4410..8597722 100644
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@@ -56,5 +56,5 @@ vault_ca_cert_payload: |
 -----END CERTIFICATE-----
 
 # lnd
-lnd_version: 0.15.4-beta
+lnd_version: 0.15.5-beta
 ...
diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
index 02551bc..0647491 100644
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@@ -2,7 +2,7 @@
 - import_playbook: common.yml
 - import_playbook: vault-server.yml
 - import_playbook: k3s.yml
-- import_playbook: docker-repo.yml
+ #- import_playbook: docker-repo.yml
 - import_playbook: lnd.yml
 - import_playbook: wekan.yml
 ...
diff --git a/ansible/roles/common/tasks/Debian.yml b/ansible/roles/common/tasks/Debian.yml
index a41e17f..73c5a31 100644
--- a/ansible/roles/common/tasks/Debian.yml
+++ b/ansible/roles/common/tasks/Debian.yml
@@ -1,4 +1,14 @@
 ---
+- name: remove consul
+ systemd:
+ name: consul
+ state: stopped
+ enabled: false
+
+ name: daemon-reload
+ systemd:
+ daemon_reload: true
+
 - name: apt update
 apt:
 update_cache: True
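Review bot: The new line in site.yml is a commented-out import with a stray leading space (` #- import_playbook: docker-repo.yml`), which is inconsistent with the other entries and reads like an accidental indent; either delete the line outright (history keeps it) or write it at column 0 as `#- import_playbook: docker-repo.yml`. Dropping the import only stops future runs from applying that playbook; whatever docker-repo.yml configured on already-provisioned hosts (presumably an apt source and its signing key, not visible here) stays in place until something removes it. A short comment stating why the playbook is disabled and whether hosts need cleanup would make the intent clear.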
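Review bot: The `remove consul` task in Debian.yml runs unconditionally from the common role, so on any Debian host that never had a consul unit the systemd module will fail (it reports "Could not find the requested service" when the unit is unknown) and abort the play; either guard it or make that case non-fatal, e.g. `register: consul_unit` and `failed_when: consul_unit is failed and 'Could not find the requested service' not in (consul_unit.msg | default(''))`. The task name says "remove" but it only stops and disables the unit; the package, binary and its configuration directory (which typically holds agent tokens and TLS material) remain on disk, so a follow-up `apt` removal and a `file: state: absent` for the config would finish the decommissioning. The same gap applies to the Vault side of this commit: deleting the policy and role files from the repo does not delete them in Vault or revoke tokens already issued under them, so that needs a separate step.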
diff --git a/ansible/roles/k3s/tasks/server.yml b/ansible/roles/k3s/tasks/server.yml
index 2a5c0ea..a22770c 100644
--- a/ansible/roles/k3s/tasks/server.yml
+++ b/ansible/roles/k3s/tasks/server.yml
@@ -1,19 +1,4 @@
 ---
-- name: template k3s server systemd
- template:
- src: templates/k3s.service.j2
- dest: /etc/systemd/system/k3s.service
- owner: root
- group: root
- mode: 0644
-
-- name: enable and start k3s
- systemd:
- daemon_reload: yes
- enabled: yes
- name: k3s
- state: started
-
 - name: get k3s token
 slurp:
 src: /var/lib/rancher/k3s/server/node-token
@@ -28,4 +13,19 @@
 state: link
 src: /usr/local/bin/k3s
 dest: /usr/local/bin/kubectl
+
+- name: template k3s server systemd
+ template:
+ src: templates/k3s.service.j2
+ dest: /etc/systemd/system/k3s.service
+ owner: root
+ group: root
+ mode: 0644
+
+- name: enable and start k3s
+ systemd:
+ daemon_reload: yes
+ enabled: yes
+ name: k3s
+ state: started
 ...
diff --git a/vault/policies/nomad-server.hcl b/vault/policies/nomad-server.hcl
deleted file mode 100644
index a4104b4..0000000
--- a/vault/policies/nomad-server.hcl
+++ /dev/null
@@ -1,30 +0,0 @@
-# Allow creating tokens under "nomad-cluster" role.
-path "auth/token/create/nomad-cluster" {
- capabilities = ["update"]
-}
-
-# Allow looking up "nomad-cluster" role.
-path "auth/token/roles/nomad-cluster" {
- capabilities = ["read"]
-}
-
-# Allow looking up incoming tokens to validate they have permissions to access
-# the tokens they are requesting.
-path "auth/token/lookup" {
- capabilities = ["update"]
-}
-
-# Allow revoking tokens that should no longer exist.
-path "auth/token/revoke-accessor" {
- capabilities = ["update"]
-}
-
-# Allow checking the capabilities of our own token.
-path "sys/capabilities-self" {
- capabilities = ["update"]
-}
-
-# Allow our own token to be renewed.
-path "auth/token/renew-self" {
- capabilities = ["update"]
-}
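Review bot: After this reorder in server.yml the `get k3s token` slurp of `/var/lib/rancher/k3s/server/node-token` (first hunk) runs before the unit is templated and started (second hunk), so on a freshly provisioned server the token file does not exist yet and the role fails at that task — unless something earlier in the play starts k3s, which is not visible here. Either restore the original order or put a `wait_for:` with `path: /var/lib/rancher/k3s/server/node-token` immediately before the slurp so the task blocks until the server has generated the token. If the new order is deliberate (for example to read an existing token before the unit is rewritten), a comment above the slurp saying so would stop the next reader from reverting it. The tasks between the two hunks (new lines 4–12) are outside the diff, and the commit message does not mention this change at all.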
diff --git a/vault/policies/sudoscientist-go-backend.hcl b/vault/policies/sudoscientist-go-backend.hcl
deleted file mode 100644
index a39cb66..0000000
--- a/vault/policies/sudoscientist-go-backend.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-path "kv/data/sudoscientist" {
- capabilities = ["read"]
-}
diff --git a/vault/policies/wallabag.hcl b/vault/policies/wallabag.hcl
deleted file mode 100644
index ad87e3e..0000000
--- a/vault/policies/wallabag.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-path "kv/data/wallabag" {
- capabilities = ["read"]
-}
diff --git a/vault/roles/nomad-cluster-role.json b/vault/roles/nomad-cluster-role.json
deleted file mode 100644
index 60557a5..0000000
--- a/vault/roles/nomad-cluster-role.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "disallowed_policies": "nomad-server,root",
- "token_explicit_max_ttl": 0,
- "name": "nomad-cluster",
- "orphan": true,
- "token_period": 259200,
- "renewable": true
-}