

8 commits

34 changed files with 750 additions and 79 deletions


@ -1,8 +1,60 @@
---
# main
main_dc_name: columbia
# consul
consul_dc: columbia
consul_version: 1.8.3
consul_domain: masked.name
# vault
vault_version: 1.5.2
vault_pki_policy: masked-dot-name
vault_ca_cert_name: MaskedName_Root_CA.pem
vault_ca_cert_payload: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
# nomad
nomad_version: 0.12.3
...
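Review bot: `consul_dc` and `main_dc_name` carry the same value, and the consul templates in this commit switch from `{{ consul_dc }}` to `{{ main_dc_name }}`, so `consul_dc` looks unused after this change; either drop it or add `# kept for <reason>` beside it so the duplication reads as deliberate. The `vault_ca_cert_payload` block scalar holds two concatenated certificates that the copy tasks install as a single trust file, which deserves a one-line comment such as `# CA chain: two certificates, installed as one file`.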


@ -9,6 +9,15 @@ fatman.minhas.io
ivyking.minhas.io
sedan.minhas.io
[docker_registry]
ivyking.minhas.io
[nomad_client]
sedan.minhas.io
[nomad_server]
ivyking.minhas.io
[vault_server]
ivyking.minhas.io
sedan.minhas.io


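--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,5 @@
+---
+- hosts: all
+roles:
+- role: common
+...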


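--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,5 @@
+---
+- hosts: docker_registry
+roles:
+- role: docker_registry
+...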


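--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,5 @@
+---
+- hosts: docker_registry:nomad_client
+roles:
+- role: docker
+...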


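--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,5 @@
+---
+- hosts: nomad_client
+roles:
+- role: nomad_client
+...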


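--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,5 @@
+---
+- hosts: nomad_server
+roles:
+- role: nomad_server
+...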


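--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,4 @@
+---
+- import_playbook: nomad-server.yml
+- import_playbook: nomad-client.yml
+...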


@ -1,9 +1,8 @@
---
- hosts: all
roles:
- role: common
- import_playbook: common.yml
- import_playbook: consul-server.yml
- import_playbook: vault-server.yml
- import_playbook: consul-client.yml
- import_playbook: nomad.yml
#- import_playbook: docker-registry.yml
...


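--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,100 @@
+---
+- name: ensure root cert exists
+copy:
+content: "{{ vault_ca_cert_payload }}"
+dest: "/usr/local/share/ca-certificates/{{ vault_ca_cert_name }}"
+mode: 0755
+owner: root
+group: root
+register: root_ca
+- name: update ca certs
+shell: update-ca-certificates
+args:
+executable: /bin/bash
+when: root_ca.changed
+- name: check vault version
+shell:
+cmd: "vault --version | head -1 | cut -d'v' -f2"
+args:
+executable: /bin/bash
+changed_when: False
+register: installed_vault_version
+check_mode: False
+- name: get vault
+unarchive:
+src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+dest: /usr/local/bin/
+mode: 0755
+owner: root
+group: root
+remote_src: True
+when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)
+- name: ensure pki cert directory
+file:
+path: /etc/pki/certs
+state: directory
+owner: root
+group: root
+mode: 0755
+- name: ensure main pki directory
+file:
+path: /etc/pki/keys
+state: directory
+owner: root
+group: root
+mode: 0600
+- name: ensure root cert exists for general use
+copy:
+content: "{{ vault_ca_cert_payload }}"
+dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
+mode: 0644
+owner: root
+group: root
+register: root_ca
+- name: check if server cert is expiring in the next 5 days
+shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
+args:
+executable: /bin/bash
+failed_when: False
+check_mode: False
+changed_when: False
+register: exp
+- name: get cert
+shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+args:
+executable: /bin/bash
+environment:
+VAULT_ADDR: http://ivyking.minhas.io:8200
+VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+VAULT_FORMAT: json
+register: cert_data
+when: exp.rc != 0
+- name: write cert data to server
+copy:
+content: "{{ item.content }}"
+dest: "/etc/pki/{{ item.path }}"
+mode: '{{ item.mode }}'
+owner: root
+group: root
+when: cert_data.changed
+loop:
+- {
+content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+path: "certs/{{ inventory_hostname_short }}.crt",
+mode: "0755"
+}
+- {
+content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+path: "keys/{{ inventory_hostname_short }}.key",
+mode: "0600"
+}
+...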
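Review bot: The `write cert data to server` task at the end of the hunk loops over an item whose `content` is the freshly issued private key, so the key is echoed in the task result and into any Ansible log unless the task carries `no_log: true`; the same loop appears in the FreeBSD twin of this file and in both consul-server task files of this commit. The loop list is templated before `when` is evaluated, so on a run where the existing cert is still valid and `get cert` is skipped, `(cert_data.stdout | from_json)` most likely fails on an undefined `stdout` instead of skipping; `(cert_data.stdout | default('{}') | from_json)` in both items, or a `set_fact` under the same `when`, avoids that. In the first task the CA is written to `/usr/local/share/ca-certificates/` under its `.pem` name, but `update-ca-certificates` only picks up files ending in `.crt` from that directory, so the root CA likely never enters the system trust store. The issuing credential read from `~/.vault-token` is placed in the remote process environment and, with `VAULT_ADDR: http://...`, both it and the returned private key cross the network in clear text; issuing from the controller via the `hashi_vault` lookup this repo already uses for secrets, against an https listener, keeps the token off the managed hosts.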


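--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,110 @@
+---
+- name: ensure root cert exists
+copy:
+content: "{{ vault_ca_cert_payload }}"
+dest: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
+mode: 0644
+owner: root
+group: staff
+register: root_ca
+- name: hash cert
+shell: "openssl x509 -noout -hash -in /etc/ssl/certs/{{ vault_ca_cert_name }}"
+when: root_ca.changed
+register: root_ca_hash
+failed_when: False
+args:
+executable: /usr/local/bin/bash
+- name: create hash symlink for cert
+file:
+state: link
+src: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
+dest: "/etc/ssl/certs/{{ root_ca_hash.stdout }}"
+when: root_ca_hash.changed
+- name: check vault version
+shell:
+cmd: "vault --version | head -1 | cut -d'v' -f2"
+args:
+executable: /usr/local/bin/bash
+changed_when: False
+failed_when: False
+register: installed_vault_version
+check_mode: False
+- name: get vault
+unarchive:
+src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_freebsd_amd64.zip"
+dest: /usr/local/bin/
+mode: 0755
+owner: root
+group: staff
+remote_src: True
+when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)
+- name: ensure pki cert directory
+file:
+path: /etc/pki/certs
+state: directory
+owner: root
+group: staff
+mode: 0755
+- name: ensure main pki directory
+file:
+path: /etc/pki/keys
+state: directory
+owner: root
+group: staff
+mode: 0700
+- name: ensure root cert exists for general use
+copy:
+content: "{{ vault_ca_cert_payload }}"
+dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
+mode: 0644
+owner: root
+group: staff
+register: root_ca
+- name: check if server cert is expiring in the next 5 days
+shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
+args:
+executable: /usr/local/bin/bash
+failed_when: False
+check_mode: False
+changed_when: False
+register: exp
+- name: get cert
+shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }}.name ttl=43200m"
+args:
+executable: /usr/local/bin/bash
+environment:
+VAULT_ADDR: http://ivyking.minhas.io:8200
+VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+VAULT_FORMAT: json
+register: cert_data
+when: exp.rc != 0
+- name: write cert data to server
+copy:
+content: "{{ item.content }}"
+dest: "/etc/pki/{{ item.path }}"
+mode: '{{ item.mode }}'
+owner: root
+group: staff
+when: cert_data.changed
+loop:
+- {
+content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+path: "certs/{{ inventory_hostname_short }}.crt",
+mode: "0755"
+}
+- {
+content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+path: "keys/{{ inventory_hostname_short }}.key",
+mode: "0600"
+}
+...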
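Review bot: The `create hash symlink for cert` task links the CA to `/etc/ssl/certs/{{ root_ca_hash.stdout }}`, but OpenSSL's subject-hash directory lookup expects the `<hash>.0` form, so the link as written is never found during verification; use `dest: "/etc/ssl/certs/{{ root_ca_hash.stdout }}.0"` (on recent FreeBSD releases `certctl rehash` is the supported way to register a local CA, worth checking against the target version). Because `hash cert` has `failed_when: False`, an openssl error leaves `stdout` empty and the symlink task then targets the directory itself; a guard such as `when: root_ca_hash.changed and (root_ca_hash.stdout | length > 0)` or dropping `failed_when` prevents that. `/etc/pki/keys` is created with `mode: 0700` here but `0600` in the Debian file, and the `common_name` here carries an extra `.name` suffix that neither the Debian file nor the consul tasks have — if that is not a masking artifact, the two OS variants issue certificates for different names.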


@ -1,3 +1,4 @@
---
- include: "{{ ansible_os_family }}_pki.yml"
- include: "{{ ansible_os_family }}.yml"
...
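Review bot: `include` for task files has been deprecated in favour of `import_tasks`/`include_tasks` for a long time and is removed in current ansible-core releases, so both lines will stop working on upgrade; since the file name is templated from `ansible_os_family`, the dynamic form is the one to use: `- include_tasks: "{{ ansible_os_family }}_pki.yml"` and `- include_tasks: "{{ ansible_os_family }}.yml"`. The order matters: the `_pki` file creates `/etc/pki/certs`, which the consul templates in this same commit point their `ca_file` at, so a short comment (`# pki first: later roles read the CA from /etc/pki/certs`) would protect it.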


@ -86,3 +86,4 @@
name: consul
state: started
enabled: True
...


@ -1,12 +1,12 @@
datacenter = "{{ consul_dc }}"
domain = "consul"
datacenter = "{{ main_dc_name }}"
domain = "{{ consul_domain }}"
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
verify_incoming = false
verify_outgoing = true
verify_server_hostname = true
ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
auto_encrypt {
tls = true


@ -12,3 +12,4 @@
service:
name: consul
state: restarted
...


@ -26,31 +26,47 @@
state: directory
owner: consul
group: consul
mode: 0744
mode: 0755
- name: ensure consul agent ca cert
- name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /etc/consul.d/certs/consul-server.pem"
args:
executable: /bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
args:
executable: /bin/bash
environment:
VAULT_ADDR: http://ivyking.minhas.io:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
- name: write cert data to server
copy:
src: files/consul-agent-ca.pem
dest: /etc/consul.d/certs/consul-agent-ca.pem
content: "{{ item.content }}"
dest: "/etc/consul.d/certs/{{ item.path }}"
mode: '{{ item.mode }}'
owner: consul
group: consul
mode: 0644
- name: ensure consul server cert
copy:
src: files/consul-server.pem
dest: /etc/consul.d/certs/consul-server.pem
owner: consul
group: consul
mode: 0600
- name: ensure consul server key
template:
src: templates/consul-server.key.j2
dest: /etc/consul.d/certs/consul-server.key
owner: consul
group: consul
mode: 0600
when: cert_data.changed
loop:
- {
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
path: "consul-server.pem",
mode: "0755"
}
- {
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "consul-server.key",
mode: "0600"
}
- name: ensure consul data dir
file:
@ -93,8 +109,8 @@
src: templates/consul.hcl.j2
dest: /etc/consul.d/consul.hcl
owner: root
group: root
mode: 0755
group: consul
mode: 0750
notify: restart_consul_debian
- name: ensure consul is started and enabled
@ -102,3 +118,4 @@
name: consul
state: started
enabled: True
...
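Review bot: The issued server certificate is written with `mode: "0755"` in the first loop item, which gives a PEM file the executable bit for no reason; `"0644"` (or `"0640"` with `owner: consul`) is the conventional mode, and the same value is used in the FreeBSD consul-server file and in both pki task files. `get cert` has no `changed_when`, so it reports changed whenever it runs and the write task keys off exactly that; a comment on it, `# always reports changed when run; "write cert data to server" relies on cert_data.changed`, would keep a later cleanup from adding `changed_when: False` and silently disabling the write.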


@ -26,31 +26,47 @@
state: directory
owner: consul
group: consul
mode: 0744
mode: 0755
- name: ensure consul agent ca cert
- name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /usr/local/etc/consul.d/certs/consul-server.pem"
args:
executable: /usr/local/bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
args:
executable: /usr/local/bin/bash
environment:
VAULT_ADDR: http://ivyking.minhas.io:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
- name: write cert data to server
copy:
src: files/consul-agent-ca.pem
dest: /usr/local/etc/consul.d/certs/consul-agent-ca.pem
content: "{{ item.content }}"
dest: "/usr/local/etc/consul.d/certs/{{ item.path }}"
mode: '{{ item.mode }}'
owner: consul
group: consul
mode: 0644
- name: ensure consul server cert
copy:
src: files/consul-server.pem
dest: /usr/local/etc/consul.d/certs/consul-server.pem
owner: consul
group: consul
mode: 0600
- name: ensure consul server key
template:
src: templates/consul-server.key.j2
dest: /usr/local/etc/consul.d/certs/consul-server.key
owner: consul
group: consul
mode: 0600
when: cert_data.changed
loop:
- {
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
path: "consul-server.pem",
mode: "0755"
}
- {
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "consul-server.key",
mode: "0600"
}
- name: ensure consul data dir
file:
@ -64,7 +80,7 @@
shell:
cmd: "consul --version | head -1 | cut -d'v' -f2"
args:
executable: /bin/bash
executable: /usr/local/bin/bash
changed_when: False
failed_when: False
register: installed_consul_version
@ -80,8 +96,8 @@
src: templates/consul.hcl.j2
dest: /usr/local/etc/consul.d/consul.hcl
owner: root
group: staff
mode: 0755
group: consul
mode: 0750
notify: restart_consul_fbsd
- name: enable and start consul
@ -89,3 +105,4 @@
name: consul
state: started
enabled: True
...


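--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1 +0,0 @@
-{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['consul-server-key'] }}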


@ -1,5 +1,5 @@
datacenter = "{{ consul_dc }}"
domain = "consul"
datacenter = "{{ main_dc_name }}"
domain = "{{ consul_domain }}"
server = true
bootstrap_expect = 3
ui = true
@ -9,7 +9,7 @@ encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['g
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
cert_file = "{{ consul_config_path }}/certs/consul-server.pem"
key_file = "{{ consul_config_path }}/certs/consul-server.key"


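--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,62 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----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=0YYh
+-----END PGP PUBLIC KEY BLOCK-----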


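--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,31 @@
+---
+- name: install docker dependencies
+apt:
+state: present
+name:
+- apt-transport-https
+- ca-certificates
+- curl
+- gnupg-agent
+- software-properties-common
+- name: add docker apt key
+apt_key:
+url: https://download.docker.com/linux/debian/gpg
+state: present
+id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+- name: add docker repo
+apt_repository:
+repo: deb [arch=amd64] https://download.docker.com/linux/debian buster stable
+state: present
+mode: 0600
+- name: install docker-ce
+apt:
+state: present
+name:
+- docker-ce
+- docker-ce-cli
+- containerd.io
+...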
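Review bot: `repo:` hardcodes `buster`, so every host this role touches is pinned to one release regardless of what it runs; `repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable` follows the managed host instead. The PGP key block added earlier in this commit is not referenced by any task here; if it is the Docker signing key, passing it to `apt_key` via `data: "{{ lookup('file', ...) }}"` rather than `url:` takes the network fetch out of the trust path, and the `id:` fingerprint check still applies either way. `apt-key` itself is deprecated on bullseye and later, so a `signed-by=` keyring in the `repo:` line is the forward-compatible form once the release is no longer fixed to buster.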


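--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,21 @@
+[Unit]
+Description=Nomad
+Documentation=https://nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+[Service]
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=infinity
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+StartLimitBurst=3
+StartLimitIntervalSec=10
+TasksMax=infinity
+[Install]
+WantedBy=multi-user.target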
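Review bot: The `[Service]` section has no `User=`/`Group=` line, so nomad runs as root even though the task file in this commit creates a `nomad` system user and chowns `/etc/nomad.d` and `/opt/nomad` to it. A client agent generally does need root for its task drivers, but for the server unit — the second, identical copy of this file later in the commit — `User=nomad` and `Group=nomad` would actually use the account the role creates. If running as root is intended on both, a comment at the top of the unit (`# runs as root: required by the client task drivers`) would stop the unused account from looking like an oversight.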


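--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,10 @@
+---
+- name: daemon_reload
+systemd:
+daemon_reload: True
+- name: restart_nomad
+systemd:
+name: nomad
+state: restarted
+...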


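--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,73 @@
+---
+- name: ensure nomad group
+group:
+name: nomad
+state: present
+system: True
+- name: ensure nomad user
+user:
+name: nomad
+state: present
+group: nomad
+system: True
+- name: ensure nomad config dir
+file:
+path: /etc/nomad.d/
+state: directory
+owner: nomad
+group: nomad
+mode: 0755
+- name: ensure nomad data dir
+file:
+path: /opt/nomad
+state: directory
+owner: nomad
+group: nomad
+mode: 0755
+- name: check nomad version
+shell:
+cmd: "nomad --version | head -1 | cut -d'v' -f2"
+args:
+executable: /bin/bash
+changed_when: False
+register: installed_nomad_version
+check_mode: False
+- name: get nomad
+unarchive:
+src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+dest: /usr/local/bin/
+mode: 0755
+owner: root
+group: root
+remote_src: True
+when: installed_nomad_version.stdout != nomad_version
+- name: copy nomad unit file
+copy:
+src: files/nomad.service
+dest: /etc/systemd/system/nomad.service
+mode: 0755
+owner: root
+group: root
+notify: daemon_reload
+- name: template nomad config
+template:
+src: templates/nomad.hcl.j2
+dest: /etc/nomad.d/nomad.hcl
+owner: root
+group: root
+mode: 0755
+notify: restart_nomad
+- name: ensure nomad is started and enabled
+systemd:
+name: nomad
+state: started
+enabled: True
+...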
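Review bot: `template nomad config` writes `/etc/nomad.d/nomad.hcl` with `owner: root`, `group: root`, `mode: 0755`, and the template added in this commit embeds the Consul ACL token, so the token is world-readable on the host; `group: nomad` with `mode: 0640` matches what this same commit does for `consul.hcl` and is the minimum change (the identical task file added later for the other nomad role has the same problem). `copy nomad unit file` likewise uses `mode: 0755` for a systemd unit, where `0644` is the norm. `check nomad version` has no `failed_when: False` like its vault counterpart; with a bash pipeline the task status is that of `cut`, so it happens to pass when nomad is absent, which is worth a comment: `# pipeline status is cut's, so a missing binary yields empty stdout rather than a failure`.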


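--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,10 @@
+datacenter = "{{ main_dc_name }}"
+data_dir = "/opt/nomad"
+client {
+enabled = true
+}
+consul {
+token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
+}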


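--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,21 @@
+[Unit]
+Description=Nomad
+Documentation=https://nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+[Service]
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=infinity
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+StartLimitBurst=3
+StartLimitIntervalSec=10
+TasksMax=infinity
+[Install]
+WantedBy=multi-user.target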


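--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,10 @@
+---
+- name: daemon_reload
+systemd:
+daemon_reload: True
+- name: restart_nomad
+systemd:
+name: nomad
+state: restarted
+...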


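--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,73 @@
+---
+- name: ensure nomad group
+group:
+name: nomad
+state: present
+system: True
+- name: ensure nomad user
+user:
+name: nomad
+state: present
+group: nomad
+system: True
+- name: ensure nomad config dir
+file:
+path: /etc/nomad.d/
+state: directory
+owner: nomad
+group: nomad
+mode: 0755
+- name: ensure nomad data dir
+file:
+path: /opt/nomad
+state: directory
+owner: nomad
+group: nomad
+mode: 0755
+- name: check nomad version
+shell:
+cmd: "nomad --version | head -1 | cut -d'v' -f2"
+args:
+executable: /bin/bash
+changed_when: False
+register: installed_nomad_version
+check_mode: False
+- name: get nomad
+unarchive:
+src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+dest: /usr/local/bin/
+mode: 0755
+owner: root
+group: root
+remote_src: True
+when: installed_nomad_version.stdout != nomad_version
+- name: copy nomad unit file
+copy:
+src: files/nomad.service
+dest: /etc/systemd/system/nomad.service
+mode: 0755
+owner: root
+group: root
+notify: daemon_reload
+- name: template nomad config
+template:
+src: templates/nomad.hcl.j2
+dest: /etc/nomad.d/nomad.hcl
+owner: root
+group: root
+mode: 0755
+notify: restart_nomad
+- name: ensure nomad is started and enabled
+systemd:
+name: nomad
+state: started
+enabled: True
+...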


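--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,11 @@
+datacenter = "{{ main_dc_name }}"
+data_dir = "/opt/nomad"
+server {
+enabled = true
+bootstrap_expect = 1
+}
+consul {
+token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
+}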


@ -25,7 +25,6 @@ Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity


@ -20,25 +20,6 @@
group: vault
mode: 0755
- name: check vault version
shell:
cmd: "vault --version | head -1 | cut -d'v' -f2"
args:
executable: /bin/bash
changed_when: False
register: installed_vault_version
check_mode: False
- name: get vault
unarchive:
src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
dest: /usr/local/bin/
mode: 0755
owner: root
group: root
remote_src: True
when: installed_vault_version.stdout != vault_version
- name: copy vault unit file
copy:
src: files/vault.service
@ -62,3 +43,4 @@
name: vault
state: started
enabled: True
...


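--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,15 @@
+agent_prefix "" {
+policy = "read"
+}
+node_prefix "" {
+policy = "read"
+}
+service_prefix "" {
+policy = "write"
+}
+key_prefix "" {
+policy = read
+}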
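Review bot: `policy = read` in the `key_prefix` block is unquoted while every other rule in the file uses `"read"`; HCL treats a bare word as an identifier rather than a string, so this policy fails to parse when loaded into Consul. Change it to `policy = "read"`.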


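--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,14 @@
+agent_prefix "" {
+policy = "read"
+}
+node_prefix "" {
+policy = "read"
+}
+service_prefix "" {
+policy = "write"
+}
+acl = "write"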


@ -1,3 +1,7 @@
path "kv/*" {
capabilities = ["list", "read"]
}
path "pki_int/issue/masked-dot-name" {
capabilities = [ "create", "read", "list", "update" ]
}
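Review bot: `vault write pki_int/issue/<role>` is served by the `update` capability (with `create` covering a first write on some backends), so `read` and `list` on that path are unused by the tasks in this commit and only widen the token; `capabilities = ["create", "update"]` is the least-privilege form. The role name is spelled out here while group_vars carry it as `vault_pki_policy`, so a comment `# must match vault_pki_policy in group_vars` would keep the two from drifting.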