Compare commits
6 commits
9c0b211db2
...
d68fefe9a4
Author | SHA1 | Date | |
---|---|---|---|
d68fefe9a4 | |||
6251f33740 | |||
ff33da4818 | |||
bd87a2487f | |||
30cfa2aa1c | |||
0c99c0b5b2 |
22 changed files with 74 additions and 44 deletions
|
@ -13,8 +13,8 @@ poll_interval = 15
|
|||
transport = smart
|
||||
remote_port = 22
|
||||
gathering = smart
|
||||
stdout_callback = skippy
|
||||
callback_whitelist = timer
|
||||
stdout_callback = default
|
||||
callbacks_enabled = timer
|
||||
timeout = 10
|
||||
remote_user = cfgmgmt
|
||||
private_key_file = ~/personal/keys/cfgmgmt
|
||||
|
@ -29,3 +29,6 @@ become_user = root
|
|||
|
||||
[diff]
|
||||
always = True
|
||||
|
||||
[hashi_vault_collection]
|
||||
token_validate = True
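Review bot: `[diff] always = True` in the second hunk turns on before/after output for every task that supports diff, which includes the `template` tasks in this same change set that render Vault lookups (consul/nomad/vault tokens, the AWS and Namecheap keys, the ACME private key); their plaintext will be written to stdout and to whatever captures the playbook logs. Unless those tasks already carry `no_log: true` or `diff: false`, prefer keeping diff opt-in via `ansible-playbook --diff`, or add `diff: false` to the secret-bearing template tasks before enabling this globally. Separately, every lookup in the other files repeats `ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt`; the new `[hashi_vault_collection]` section accepts `ca_cert = /etc/pki/certs/MaskedName_Root_CA.crt`, which would let the per-lookup argument be dropped.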
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
---
|
||||
lego_email_address: amarpreet@minhas.io
|
||||
letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['account_id'] }}"
|
||||
letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:account_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||
...
|
||||
|
|
|
@ -5,3 +5,4 @@ nomad_arch: arm64
|
|||
docker_arch: arm64
|
||||
k3s_version: v1.24.1+k3s1
|
||||
k3s_role: 'client'
|
||||
k3s_server_hostname: hardtack1.minhas.io
|
||||
|
|
6
ansible/group_vars/teapot/main.yml
Normal file
6
ansible/group_vars/teapot/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
hashi_arch: arm
|
||||
consul_arch: arm64
|
||||
k3s_version: v1.25.4+k3s1
|
||||
k3s_role: 'client'
|
||||
k3s_server_hostname: teapot01.minhas.io
|
3
ansible/host_vars/teapot01.minhas.io/main.yml
Normal file
3
ansible/host_vars/teapot01.minhas.io/main.yml
Normal file
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
k3s_role: server
|
||||
...
|
|
@ -4,6 +4,7 @@ ranger.minhas.io
|
|||
redwingcherokee.minhas.io
|
||||
sedan.minhas.io
|
||||
fishbowl.minhas.io
|
||||
teapot[01:06].minhas.io
|
||||
|
||||
[consul_server]
|
||||
sedan.minhas.io
|
||||
|
@ -16,8 +17,12 @@ sedan.minhas.io
|
|||
[hardtack]
|
||||
hardtack[1:7].minhas.io
|
||||
|
||||
[teapot]
|
||||
teapot[01:06].minhas.io
|
||||
|
||||
[k3s]
|
||||
hardtack[1:7].minhas.io
|
||||
teapot[01:06].minhas.io
|
||||
|
||||
[lnd]
|
||||
redwingcherokee.minhas.io
|
||||
|
|
|
@ -1,16 +1,22 @@
|
|||
ansible==2.9.12
|
||||
certifi==2020.6.20
|
||||
cffi==1.14.2
|
||||
chardet==3.0.4
|
||||
cryptography==3.0
|
||||
docker==4.3.1
|
||||
hvac==0.10.5
|
||||
idna==2.10
|
||||
Jinja2==2.11.2
|
||||
MarkupSafe==1.1.1
|
||||
pycparser==2.20
|
||||
PyYAML==5.3.1
|
||||
requests==2.24.0
|
||||
six==1.15.0
|
||||
urllib3==1.25.10
|
||||
websocket-client==0.57.0
|
||||
ansible==6.5.0
|
||||
ansible-core==2.13.5
|
||||
certifi==2022.9.24
|
||||
cffi==1.15.1
|
||||
chardet==5.0.0
|
||||
charset-normalizer==2.1.1
|
||||
cryptography==38.0.3
|
||||
docker==6.0.1
|
||||
hvac==1.0.2
|
||||
idna==3.4
|
||||
Jinja2==3.1.2
|
||||
MarkupSafe==2.1.1
|
||||
packaging==21.3
|
||||
pycparser==2.21
|
||||
pyhcl==0.4.4
|
||||
pyparsing==3.0.9
|
||||
PyYAML==6.0
|
||||
requests==2.28.1
|
||||
resolvelib==0.8.1
|
||||
six==1.16.0
|
||||
urllib3==1.26.12
|
||||
websocket-client==1.4.2
|
||||
|
|
|
@ -23,6 +23,7 @@
|
|||
- kitty-terminfo
|
||||
- make
|
||||
- ncdu
|
||||
- neovim
|
||||
- netcat-openbsd
|
||||
- ntp
|
||||
- screen
|
||||
|
@ -31,7 +32,6 @@
|
|||
- tmux
|
||||
- tree
|
||||
- unzip
|
||||
- vim
|
||||
state: present
|
||||
|
||||
- name: apt autoremove
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
---
|
||||
- include: "{{ ansible_os_family }}_pki.yml"
|
||||
- include: "{{ ansible_os_family }}.yml"
|
||||
- include_tasks: "{{ ansible_os_family }}.yml"
|
||||
- include_tasks: "{{ ansible_os_family }}_pki.yml"
|
||||
...
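Review bot: As far as the rendered old/new order shows, the rewrite also reverses the include order: the old file ran `{{ ansible_os_family }}_pki.yml` before `{{ ansible_os_family }}.yml`, while the new lines run the OS tasks first and the PKI tasks second. If the OS-specific tasks depend on the CA certificate the PKI tasks install (the `ca_cert=/etc/pki/certs/...` path used by every Vault lookup suggests they may), the first new line should be `- include_tasks: "{{ ansible_os_family }}_pki.yml"`; if the reorder is deliberate, a one-line comment stating why would keep the next reader from "fixing" it. The same `include` → `include_tasks` conversion in the two other single-include main.yml files and in the k3s main.yml is straightforward and needs no further comment.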
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
---
|
||||
- include: "{{ ansible_os_family }}.yml"
|
||||
- include_tasks: "{{ ansible_os_family }}.yml"
|
||||
...
|
||||
|
|
|
@ -3,7 +3,7 @@ primary_datacenter = "{{ main_dc_name }}"
|
|||
domain = "{{ consul_domain }}"
|
||||
node_name = "{{ inventory_hostname_short }}"
|
||||
|
||||
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
|
||||
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||
|
||||
verify_incoming = false
|
||||
verify_outgoing = true
|
||||
|
@ -32,6 +32,6 @@ acl {
|
|||
default_policy = "deny"
|
||||
enable_token_persistence = true
|
||||
tokens {
|
||||
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
|
||||
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
---
|
||||
- include: "{{ ansible_os_family }}.yml"
|
||||
- include_tasks: "{{ ansible_os_family }}.yml"
|
||||
...
|
||||
|
|
|
@ -6,7 +6,7 @@ server = true
|
|||
bootstrap_expect = 3
|
||||
ui = true
|
||||
|
||||
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
|
||||
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||
|
||||
verify_outgoing = true
|
||||
verify_server_hostname = true
|
||||
|
@ -49,6 +49,6 @@ acl {
|
|||
default_policy = "deny"
|
||||
enable_token_persistence = true
|
||||
tokens {
|
||||
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
|
||||
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- include: get_k3s.yml
|
||||
- include: server.yml
|
||||
- include_tasks: get_k3s.yml
|
||||
- include_tasks: server.yml
|
||||
when: k3s_role == "server"
|
||||
- include: clients.yml
|
||||
- include_tasks: clients.yml
|
||||
when: k3s_role == "client"
|
||||
...
|
||||
|
|
|
@ -22,4 +22,10 @@
|
|||
- name: set k3s token var
|
||||
set_fact:
|
||||
k3s_node_token: "{{ registered_k3s_node_token.content | b64decode | trim }}"
|
||||
|
||||
- name: set kubectl symlink
|
||||
file:
|
||||
state: link
|
||||
src: /usr/local/bin/k3s
|
||||
dest: /usr/local/bin/kubectl
|
||||
...
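Review bot: The new `set kubectl symlink` task fails on a host where `/usr/local/bin/kubectl` already exists as a regular file (a previously installed kubectl), because `file` with `state: link` only replaces an existing regular file when `force: true` is set; add `force: true` if overwriting is acceptable, otherwise note in the task name that a pre-existing binary blocks the link. The `set k3s token var` task above it (context in this hunk) stores the cluster join token in `k3s_node_token`; that task, and the `register` task that feeds it from outside the hunk, are candidates for `no_log: true` so the token does not appear in verbose output.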
|
||||
|
|
|
@ -8,7 +8,7 @@ ExecReload=/bin/kill -HUP $MAINPID
|
|||
{% if k3s_role == 'server' %}
|
||||
ExecStart=/usr/local/bin/k3s server --write-kubeconfig-mode 644 --disable servicelb --disable traefik
|
||||
{% else %}
|
||||
ExecStart=/usr/local/bin/k3s agent --server https://hardtack1.minhas.io:6443 --token {{ hostvars['hardtack1.minhas.io'].k3s_node_token }}
|
||||
ExecStart=/usr/local/bin/k3s agent --server https://{{ k3s_server_hostname }}:6443 --token {{ hostvars[k3s_server_hostname].k3s_node_token }}
|
||||
{% endif %}
|
||||
KillMode=process
|
||||
KillSignal=SIGINT
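Review bot: The agent `ExecStart` line now interpolates the join token from `hostvars[k3s_server_hostname].k3s_node_token` directly into the unit file, where it is readable via `systemctl cat`/`systemctl show` and visible in the process command line; k3s accepts `--token-file` (or `K3S_TOKEN_FILE` in an `EnvironmentFile=` with mode 0600), which keeps the credential out of the unit text. Also, `hostvars[k3s_server_hostname].k3s_node_token` is only defined when the server host ran the `set k3s token var` task in the same run (or the fact was cached), so a run limited to agent hosts will fail this template with an undefined variable; a guard or an explicit dependency on the server play would make that requirement visible. The `{% if k3s_role == 'server' %}` block begins inside the hunk but the unit's `[Service]` header is above it.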
|
||||
|
|
|
@ -1 +1 @@
|
|||
{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }}
|
||||
{{ lookup('hashi_vault', 'secret=kv/data/acme:private_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }}
|
||||
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }}
|
||||
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }}
|
||||
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }}
|
||||
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }}
|
||||
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_user ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:access_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:hosted_zone_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
|
||||
|
|
|
@ -14,13 +14,13 @@ client {
|
|||
}
|
||||
|
||||
consul {
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}"
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||
}
|
||||
|
||||
vault {
|
||||
enabled = true
|
||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||
address = "https://vault.service.{{ consul_domain }}:8200"
|
||||
create_from_role = "nomad-cluster"
|
||||
unwrap_token = true
|
||||
|
|
|
@ -9,14 +9,14 @@ server {
|
|||
vault {
|
||||
enabled = true
|
||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||
address = "https://vault.service.{{ consul_domain }}:8200"
|
||||
create_from_role = "nomad-cluster"
|
||||
unwrap_token = true
|
||||
}
|
||||
|
||||
consul {
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}"
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||
}
|
||||
|
||||
tls {
|
||||
|
|
|
@ -18,5 +18,5 @@ cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
|
|||
storage "consul" {
|
||||
address = "localhost:8500"
|
||||
path = "vault/"
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}"
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:consul-acl ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
FROM wallabag/wallabag:2.5.1
|
||||
FROM wallabag/wallabag:2.5.2
|
||||
|
||||
# add ca-certificates package
|
||||
RUN apk add --no-cache ca-certificates
|
||||
|
|