remove nomad policies, remove consul from servers

2023-03-20 23:17:53 -04:00 · 2023-03-20 23:17:53 -04:00 · 5395377679
commit 5395377679
parent 5cc64a7170
8 changed files with 27 additions and 61 deletions
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@ -56,5 +56,5 @@ vault_ca_cert_payload: |
  -----END CERTIFICATE-----
 # lnd
-lnd_version: 0.15.4-beta
+lnd_version: 0.15.5-beta
 ...
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@ -2,7 +2,7 @@
 - import_playbook: common.yml
 - import_playbook: vault-server.yml
 - import_playbook: k3s.yml
- import_playbook: docker-repo.yml
+  #- import_playbook: docker-repo.yml
 - import_playbook: lnd.yml
 - import_playbook: wekan.yml
 ...
--- a/ansible/roles/common/tasks/Debian.yml
+++ b/ansible/roles/common/tasks/Debian.yml
@ -1,4 +1,14 @@
 ---
 - name: remove consul
  systemd:
    name: consul
    state: stopped
    enabled: false
 - name: daemon-reload
  systemd:
    daemon_reload: true
 - name: apt update
  apt:
    update_cache: True
--- a/ansible/roles/k3s/tasks/server.yml
+++ b/ansible/roles/k3s/tasks/server.yml
@ -1,19 +1,4 @@
 ---
 - name: template k3s server systemd
  template:
    src: templates/k3s.service.j2
    dest: /etc/systemd/system/k3s.service
    owner: root
    group: root
    mode: 0644
 - name: enable and start k3s
  systemd:
    daemon_reload: yes
    enabled: yes
    name: k3s
    state: started
 - name: get k3s token
  slurp:
    src: /var/lib/rancher/k3s/server/node-token
@ -28,4 +13,19 @@
    state: link
    src: /usr/local/bin/k3s
    dest: /usr/local/bin/kubectl
 - name: template k3s server systemd
  template:
    src: templates/k3s.service.j2
    dest: /etc/systemd/system/k3s.service
    owner: root
    group: root
    mode: 0644
 - name: enable and start k3s
  systemd:
    daemon_reload: yes
    enabled: yes
    name: k3s
    state: started
 ...
--- a/vault/policies/nomad-server.hcl
+++ b/vault/policies/nomad-server.hcl
@ -1,30 +0,0 @@
 # Allow creating tokens under "nomad-cluster" role.
 path "auth/token/create/nomad-cluster" {
  capabilities = ["update"]
 }
 # Allow looking up "nomad-cluster" role.
 path "auth/token/roles/nomad-cluster" {
  capabilities = ["read"]
 }
 # Allow looking up incoming tokens to validate they have permissions to access
 # the tokens they are requesting.
 path "auth/token/lookup" {
  capabilities = ["update"]
 }
 # Allow revoking tokens that should no longer exist.
 path "auth/token/revoke-accessor" {
  capabilities = ["update"]
 }
 # Allow checking the capabilities of our own token.
 path "sys/capabilities-self" {
  capabilities = ["update"]
 }
 # Allow our own token to be renewed.
 path "auth/token/renew-self" {
  capabilities = ["update"]
 }
--- a/vault/policies/sudoscientist-go-backend.hcl
+++ b/vault/policies/sudoscientist-go-backend.hcl
@ -1,3 +0,0 @@
 path "kv/data/sudoscientist" {
  capabilities = ["read"]
 }
--- a/vault/policies/wallabag.hcl
+++ b/vault/policies/wallabag.hcl
@ -1,3 +0,0 @@
 path "kv/data/wallabag" {
  capabilities = ["read"]
 }
--- a/vault/roles/nomad-cluster-role.json
+++ b/vault/roles/nomad-cluster-role.json
@ -1,8 +0,0 @@
 {
  "disallowed_policies": "nomad-server,root",
  "token_explicit_max_ttl": 0,
  "name": "nomad-cluster",
  "orphan": true,
  "token_period": 259200,
  "renewable": true
 }