Compare commits
6 commits
9c0b211db2
...
d68fefe9a4
Author | SHA1 | Date | |
---|---|---|---|
d68fefe9a4 | |||
6251f33740 | |||
ff33da4818 | |||
bd87a2487f | |||
30cfa2aa1c | |||
0c99c0b5b2 |
22 changed files with 74 additions and 44 deletions
|
@ -13,8 +13,8 @@ poll_interval = 15
|
||||||
transport = smart
|
transport = smart
|
||||||
remote_port = 22
|
remote_port = 22
|
||||||
gathering = smart
|
gathering = smart
|
||||||
stdout_callback = skippy
|
stdout_callback = default
|
||||||
callback_whitelist = timer
|
callbacks_enabled = timer
|
||||||
timeout = 10
|
timeout = 10
|
||||||
remote_user = cfgmgmt
|
remote_user = cfgmgmt
|
||||||
private_key_file = ~/personal/keys/cfgmgmt
|
private_key_file = ~/personal/keys/cfgmgmt
|
||||||
|
@ -29,3 +29,6 @@ become_user = root
|
||||||
|
|
||||||
[diff]
|
[diff]
|
||||||
always = True
|
always = True
|
||||||
|
|
||||||
|
[hashi_vault_collection]
|
||||||
|
token_validate = True
|
||||||
|
|
|
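Review bot: The new `[hashi_vault_collection]` section only carries `token_validate = True`, while every `hashi_vault` lookup across this compare (consul, nomad, vault, acme and lego templates) repeats `ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt` inline. The collection reads `ca_cert` (and `url`) from this same ini section as far as I know, so `ca_cert = /etc/pki/certs/MaskedName_Root_CA.crt` here would let the templates drop the per-call argument and remove the chance of one lookup silently falling back to the default trust store because the argument was mistyped or omitted. A one-line comment above the section stating why token validation is pinned on (the collection's default for it changed at some point) would also help, since the value is otherwise unexplained; `[diff]` and `always = True` above it are unchanged context.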
@ -1,4 +1,4 @@
|
||||||
---
|
---
|
||||||
lego_email_address: amarpreet@minhas.io
|
lego_email_address: amarpreet@minhas.io
|
||||||
letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['account_id'] }}"
|
letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:account_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||||
...
|
...
|
||||||
|
|
|
@ -5,3 +5,4 @@ nomad_arch: arm64
|
||||||
docker_arch: arm64
|
docker_arch: arm64
|
||||||
k3s_version: v1.24.1+k3s1
|
k3s_version: v1.24.1+k3s1
|
||||||
k3s_role: 'client'
|
k3s_role: 'client'
|
||||||
|
k3s_server_hostname: hardtack1.minhas.io
|
||||||
|
|
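--- a/ansible/group_vars/teapot/main.yml
+++ b/ansible/group_vars/teapot/main.yml
@@ -0,0 +1,6 @@
+---
+hashi_arch: arm
+consul_arch: arm64
+k3s_version: v1.25.4+k3s1
+k3s_role: 'client'
+k3s_server_hostname: teapot01.minhas.io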
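--- a/ansible/host_vars/teapot01.minhas.io/main.yml
+++ b/ansible/host_vars/teapot01.minhas.io/main.yml
@@ -0,0 +1,3 @@
+---
+k3s_role: server
+...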
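Review bot: `k3s_role: server` is written unquoted here while the teapot and hardtack group_vars in this compare write `k3s_role: 'client'`; both are plain YAML strings, so the `k3s_role == "server"` comparison in the k3s main.yml still matches, but the two spellings read as if they were different types. I would settle on one form across the new files, e.g. `k3s_role: 'server'`, and add a short comment noting that this host_vars value deliberately overrides the group default so the precedence is not mistaken for a leftover.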
|
@ -4,6 +4,7 @@ ranger.minhas.io
|
||||||
redwingcherokee.minhas.io
|
redwingcherokee.minhas.io
|
||||||
sedan.minhas.io
|
sedan.minhas.io
|
||||||
fishbowl.minhas.io
|
fishbowl.minhas.io
|
||||||
|
teapot[01:06].minhas.io
|
||||||
|
|
||||||
[consul_server]
|
[consul_server]
|
||||||
sedan.minhas.io
|
sedan.minhas.io
|
||||||
|
@ -16,8 +17,12 @@ sedan.minhas.io
|
||||||
[hardtack]
|
[hardtack]
|
||||||
hardtack[1:7].minhas.io
|
hardtack[1:7].minhas.io
|
||||||
|
|
||||||
|
[teapot]
|
||||||
|
teapot[01:06].minhas.io
|
||||||
|
|
||||||
[k3s]
|
[k3s]
|
||||||
hardtack[1:7].minhas.io
|
hardtack[1:7].minhas.io
|
||||||
|
teapot[01:06].minhas.io
|
||||||
|
|
||||||
[lnd]
|
[lnd]
|
||||||
redwingcherokee.minhas.io
|
redwingcherokee.minhas.io
|
||||||
|
|
|
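Review bot: `[k3s]` now holds hosts from what the group_vars in this compare describe as two separate clusters — hardtack nodes point at `hardtack1.minhas.io`, teapot nodes at `teapot01.minhas.io` — while the group name reads as a single cluster. A comment above the group, e.g. `# two clusters: hardtack (server hardtack1) and teapot (server teapot01)`, would make that explicit. It would also be worth noting there that, if the agent unit template reads the join token from the server's host facts as it appears to, the server host has to be part of the same run as its agents; the group whose header sits above `ranger.minhas.io` starts outside the first hunk.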
@ -1,16 +1,22 @@
|
||||||
ansible==2.9.12
|
ansible==6.5.0
|
||||||
certifi==2020.6.20
|
ansible-core==2.13.5
|
||||||
cffi==1.14.2
|
certifi==2022.9.24
|
||||||
chardet==3.0.4
|
cffi==1.15.1
|
||||||
cryptography==3.0
|
chardet==5.0.0
|
||||||
docker==4.3.1
|
charset-normalizer==2.1.1
|
||||||
hvac==0.10.5
|
cryptography==38.0.3
|
||||||
idna==2.10
|
docker==6.0.1
|
||||||
Jinja2==2.11.2
|
hvac==1.0.2
|
||||||
MarkupSafe==1.1.1
|
idna==3.4
|
||||||
pycparser==2.20
|
Jinja2==3.1.2
|
||||||
PyYAML==5.3.1
|
MarkupSafe==2.1.1
|
||||||
requests==2.24.0
|
packaging==21.3
|
||||||
six==1.15.0
|
pycparser==2.21
|
||||||
urllib3==1.25.10
|
pyhcl==0.4.4
|
||||||
websocket-client==0.57.0
|
pyparsing==3.0.9
|
||||||
|
PyYAML==6.0
|
||||||
|
requests==2.28.1
|
||||||
|
resolvelib==0.8.1
|
||||||
|
six==1.16.0
|
||||||
|
urllib3==1.26.12
|
||||||
|
websocket-client==1.4.2
|
||||||
|
|
|
@ -23,6 +23,7 @@
|
||||||
- kitty-terminfo
|
- kitty-terminfo
|
||||||
- make
|
- make
|
||||||
- ncdu
|
- ncdu
|
||||||
|
- neovim
|
||||||
- netcat-openbsd
|
- netcat-openbsd
|
||||||
- ntp
|
- ntp
|
||||||
- screen
|
- screen
|
||||||
|
@ -31,7 +32,6 @@
|
||||||
- tmux
|
- tmux
|
||||||
- tree
|
- tree
|
||||||
- unzip
|
- unzip
|
||||||
- vim
|
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: apt autoremove
|
- name: apt autoremove
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
---
|
---
|
||||||
- include: "{{ ansible_os_family }}_pki.yml"
|
- include_tasks: "{{ ansible_os_family }}.yml"
|
||||||
- include: "{{ ansible_os_family }}.yml"
|
- include_tasks: "{{ ansible_os_family }}_pki.yml"
|
||||||
...
|
...
|
||||||
|
|
|
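Review bot: The two includes swap order alongside the `include` → `include_tasks` conversion, so `{{ ansible_os_family }}.yml` now runs before `{{ ansible_os_family }}_pki.yml`, and nothing in the hunk says whether that is intentional. If the OS-family tasks talk to any service that presents a certificate from the internal CA (package mirrors, for instance), they now run before the CA bundle lands on the host. A comment such as `# PKI after base packages: <reason>` above the second include would record the intent, or the original order should be restored if the swap was accidental.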
@ -1,3 +1,3 @@
|
||||||
---
|
---
|
||||||
- include: "{{ ansible_os_family }}.yml"
|
- include_tasks: "{{ ansible_os_family }}.yml"
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,7 +3,7 @@ primary_datacenter = "{{ main_dc_name }}"
|
||||||
domain = "{{ consul_domain }}"
|
domain = "{{ consul_domain }}"
|
||||||
node_name = "{{ inventory_hostname_short }}"
|
node_name = "{{ inventory_hostname_short }}"
|
||||||
|
|
||||||
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
|
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||||
|
|
||||||
verify_incoming = false
|
verify_incoming = false
|
||||||
verify_outgoing = true
|
verify_outgoing = true
|
||||||
|
@ -32,6 +32,6 @@ acl {
|
||||||
default_policy = "deny"
|
default_policy = "deny"
|
||||||
enable_token_persistence = true
|
enable_token_persistence = true
|
||||||
tokens {
|
tokens {
|
||||||
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
|
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
---
|
---
|
||||||
- include: "{{ ansible_os_family }}.yml"
|
- include_tasks: "{{ ansible_os_family }}.yml"
|
||||||
...
|
...
|
||||||
|
|
|
@ -6,7 +6,7 @@ server = true
|
||||||
bootstrap_expect = 3
|
bootstrap_expect = 3
|
||||||
ui = true
|
ui = true
|
||||||
|
|
||||||
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
|
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||||
|
|
||||||
verify_outgoing = true
|
verify_outgoing = true
|
||||||
verify_server_hostname = true
|
verify_server_hostname = true
|
||||||
|
@ -49,6 +49,6 @@ acl {
|
||||||
default_policy = "deny"
|
default_policy = "deny"
|
||||||
enable_token_persistence = true
|
enable_token_persistence = true
|
||||||
tokens {
|
tokens {
|
||||||
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
|
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- include: get_k3s.yml
|
- include_tasks: get_k3s.yml
|
||||||
- include: server.yml
|
- include_tasks: server.yml
|
||||||
when: k3s_role == "server"
|
when: k3s_role == "server"
|
||||||
- include: clients.yml
|
- include_tasks: clients.yml
|
||||||
when: k3s_role == "client"
|
when: k3s_role == "client"
|
||||||
...
|
...
|
||||||
|
|
|
@ -22,4 +22,10 @@
|
||||||
- name: set k3s token var
|
- name: set k3s token var
|
||||||
set_fact:
|
set_fact:
|
||||||
k3s_node_token: "{{ registered_k3s_node_token.content | b64decode | trim }}"
|
k3s_node_token: "{{ registered_k3s_node_token.content | b64decode | trim }}"
|
||||||
|
|
||||||
|
- name: set kubectl symlink
|
||||||
|
file:
|
||||||
|
state: link
|
||||||
|
src: /usr/local/bin/k3s
|
||||||
|
dest: /usr/local/bin/kubectl
|
||||||
...
|
...
|
||||||
|
|
|
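Review bot: The new `set kubectl symlink` task fails when `/usr/local/bin/kubectl` already exists as a regular file, because the `file` module refuses to replace a file with a link unless `force: true` is set; if that refusal is the intended guard a comment should say so, otherwise add `force: true`. The task has no `when:`, which is correct only because this whole file is included under `k3s_role == "server"` in main.yml, and a one-line comment stating that would spare the next reader the lookup. The `set k3s token var` task above is unchanged context; the file's earlier tasks start outside the hunk.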
@ -8,7 +8,7 @@ ExecReload=/bin/kill -HUP $MAINPID
|
||||||
{% if k3s_role == 'server' %}
|
{% if k3s_role == 'server' %}
|
||||||
ExecStart=/usr/local/bin/k3s server --write-kubeconfig-mode 644 --disable servicelb --disable traefik
|
ExecStart=/usr/local/bin/k3s server --write-kubeconfig-mode 644 --disable servicelb --disable traefik
|
||||||
{% else %}
|
{% else %}
|
||||||
ExecStart=/usr/local/bin/k3s agent --server https://hardtack1.minhas.io:6443 --token {{ hostvars['hardtack1.minhas.io'].k3s_node_token }}
|
ExecStart=/usr/local/bin/k3s agent --server https://{{ k3s_server_hostname }}:6443 --token {{ hostvars[k3s_server_hostname].k3s_node_token }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
KillMode=process
|
KillMode=process
|
||||||
KillSignal=SIGINT
|
KillSignal=SIGINT
|
||||||
|
|
|
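Review bot: `hostvars[k3s_server_hostname].k3s_node_token` on the agent `ExecStart` line is only defined when the host named by `k3s_server_hostname` ran the `set k3s token var` task earlier in the same run, so a run limited to client hosts fails at template time with an undefined attribute rather than with a message that names the cause; a `pre_tasks` assert such as `that: hostvars[k3s_server_hostname].k3s_node_token is defined` with a `fail_msg` pointing at the limit would make that failure self-explanatory. Separately, the join token is still passed as a command-line argument, so it is readable in the rendered unit and in `/proc/<pid>/cmdline` by every local user on the node; k3s agent accepts `--token-file`, so writing the token to a root-only file (mode 0600, path of your choosing) and referencing that instead would keep it out of the process list. The `{% if %}` block is complete within the hunk, but the unit's `[Service]` section starts above it.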
@ -1 +1 @@
|
||||||
{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }}
|
{{ lookup('hashi_vault', 'secret=kv/data/acme:private_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }}
|
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_user ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||||
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }}
|
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||||
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }}
|
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:access_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||||
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }}
|
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||||
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }}
|
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:hosted_zone_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||||
|
|
|
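Review bot: All five `export` lines interpolate the secret unquoted, so a value containing whitespace or a shell metacharacter would be word-split or interpreted when the file is sourced; wrapping each lookup with the `quote` filter, e.g. `export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') | quote }}`, makes the rendered file safe for any value. Since the file carries long-lived DNS and cloud credentials in plaintext, the task that renders it (not visible here) should set `mode: '0600'` and an explicit owner; a comment at the top of the template naming that expectation would help whoever touches the task next.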
@ -14,13 +14,13 @@ client {
|
||||||
}
|
}
|
||||||
|
|
||||||
consul {
|
consul {
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}"
|
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||||
}
|
}
|
||||||
|
|
||||||
vault {
|
vault {
|
||||||
enabled = true
|
enabled = true
|
||||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
|
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||||
address = "https://vault.service.{{ consul_domain }}:8200"
|
address = "https://vault.service.{{ consul_domain }}:8200"
|
||||||
create_from_role = "nomad-cluster"
|
create_from_role = "nomad-cluster"
|
||||||
unwrap_token = true
|
unwrap_token = true
|
||||||
|
|
|
@ -9,14 +9,14 @@ server {
|
||||||
vault {
|
vault {
|
||||||
enabled = true
|
enabled = true
|
||||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
|
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||||
address = "https://vault.service.{{ consul_domain }}:8200"
|
address = "https://vault.service.{{ consul_domain }}:8200"
|
||||||
create_from_role = "nomad-cluster"
|
create_from_role = "nomad-cluster"
|
||||||
unwrap_token = true
|
unwrap_token = true
|
||||||
}
|
}
|
||||||
|
|
||||||
consul {
|
consul {
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}"
|
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||||
}
|
}
|
||||||
|
|
||||||
tls {
|
tls {
|
||||||
|
|
|
@ -18,5 +18,5 @@ cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
|
||||||
storage "consul" {
|
storage "consul" {
|
||||||
address = "localhost:8500"
|
address = "localhost:8500"
|
||||||
path = "vault/"
|
path = "vault/"
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}"
|
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:consul-acl ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
FROM wallabag/wallabag:2.5.1
|
FROM wallabag/wallabag:2.5.2
|
||||||
|
|
||||||
# add ca-certificates package
|
# add ca-certificates package
|
||||||
RUN apk add --no-cache ca-certificates
|
RUN apk add --no-cache ca-certificates
|
||||||
|
|