Update k3s role to allow for multiple clusters

Add teapot!
fix ordering to get unzip after trying to unzip
2022-11-23 00:43:04 -05:00 · 2022-11-23 00:06:38 -05:00 · 2022-11-23 00:06:29 -05:00 · 2022-11-23 00:06:13 -05:00 · 2022-11-05 22:14:29 -04:00 · 2022-11-05 22:11:23 -04:00
22 changed files with 74 additions and 44 deletions
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -13,8 +13,8 @@ poll_interval           = 15
 transport               = smart
 remote_port             = 22
 gathering               = smart
-stdout_callback         = skippy
-callback_whitelist      = timer
+stdout_callback         = default
+callbacks_enabled	= timer
 timeout                 = 10
 remote_user             = cfgmgmt
 private_key_file        = ~/personal/keys/cfgmgmt
@ -29,3 +29,6 @@ become_user             = root

 [diff]
 always                  = True
+
+[hashi_vault_collection]
+token_validate = True
--- a/ansible/group_vars/haproxy/main.yml
+++ b/ansible/group_vars/haproxy/main.yml
@ -1,4 +1,4 @@
 ---
 lego_email_address: amarpreet@minhas.io
-letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['account_id'] }}"
+letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:account_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 ...
--- a/ansible/group_vars/hardtack/main.yml
+++ b/ansible/group_vars/hardtack/main.yml
@ -5,3 +5,4 @@ nomad_arch: arm64
 docker_arch: arm64
 k3s_version: v1.24.1+k3s1
 k3s_role: 'client'
+k3s_server_hostname: hardtack1.minhas.io
--- a/ansible/group_vars/teapot/main.yml
+++ b/ansible/group_vars/teapot/main.yml
@ -0,0 +1,6 @@
+---
+hashi_arch: arm
+consul_arch: arm64
+k3s_version: v1.25.4+k3s1
+k3s_role: 'client'
+k3s_server_hostname: teapot01.minhas.io
--- a/ansible/host_vars/teapot01.minhas.io/main.yml
+++ b/ansible/host_vars/teapot01.minhas.io/main.yml
@ -0,0 +1,3 @@
+---
+k3s_role: server
+...
--- a/ansible/inventory.txt
+++ b/ansible/inventory.txt
@ -4,6 +4,7 @@ ranger.minhas.io
 redwingcherokee.minhas.io
 sedan.minhas.io
 fishbowl.minhas.io
+teapot[01:06].minhas.io

 [consul_server]
 sedan.minhas.io
@ -16,8 +17,12 @@ sedan.minhas.io
 [hardtack]
 hardtack[1:7].minhas.io

+[teapot]
+teapot[01:06].minhas.io
+
 [k3s]
 hardtack[1:7].minhas.io
+teapot[01:06].minhas.io

 [lnd]
 redwingcherokee.minhas.io
--- a/ansible/requirements.txt
+++ b/ansible/requirements.txt
@ -1,16 +1,22 @@
-ansible==2.9.12
-certifi==2020.6.20
-cffi==1.14.2
-chardet==3.0.4
-cryptography==3.0
-docker==4.3.1
-hvac==0.10.5
-idna==2.10
-Jinja2==2.11.2
-MarkupSafe==1.1.1
-pycparser==2.20
-PyYAML==5.3.1
-requests==2.24.0
-six==1.15.0
-urllib3==1.25.10
-websocket-client==0.57.0
+ansible==6.5.0
+ansible-core==2.13.5
+certifi==2022.9.24
+cffi==1.15.1
+chardet==5.0.0
+charset-normalizer==2.1.1
+cryptography==38.0.3
+docker==6.0.1
+hvac==1.0.2
+idna==3.4
+Jinja2==3.1.2
+MarkupSafe==2.1.1
+packaging==21.3
+pycparser==2.21
+pyhcl==0.4.4
+pyparsing==3.0.9
+PyYAML==6.0
+requests==2.28.1
+resolvelib==0.8.1
+six==1.16.0
+urllib3==1.26.12
+websocket-client==1.4.2
--- a/ansible/roles/common/tasks/Debian.yml
+++ b/ansible/roles/common/tasks/Debian.yml
@ -23,6 +23,7 @@
      - kitty-terminfo
      - make
      - ncdu
+      - neovim
      - netcat-openbsd
      - ntp
      - screen
@ -31,7 +32,6 @@
      - tmux
      - tree
      - unzip
-      - vim
    state: present

 - name: apt autoremove
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@ -1,4 +1,4 @@
 ---
- include: "{{ ansible_os_family }}_pki.yml"
- include: "{{ ansible_os_family }}.yml"
+- include_tasks: "{{ ansible_os_family }}.yml"
+- include_tasks: "{{ ansible_os_family }}_pki.yml"
 ...
--- a/ansible/roles/consul/tasks/main.yml
+++ b/ansible/roles/consul/tasks/main.yml
@ -1,3 +1,3 @@
 ---
- include: "{{ ansible_os_family }}.yml"
+- include_tasks: "{{ ansible_os_family }}.yml"
 ...
--- a/ansible/roles/consul/templates/consul.hcl.j2
+++ b/ansible/roles/consul/templates/consul.hcl.j2
@ -3,7 +3,7 @@ primary_datacenter  = "{{ main_dc_name }}"
 domain              = "{{ consul_domain }}"
 node_name           = "{{ inventory_hostname_short }}"

-encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
+encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"

 verify_incoming         = false
 verify_outgoing         = true
@ -32,6 +32,6 @@ acl {
  default_policy = "deny"
  enable_token_persistence = true
  tokens {
-    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
+    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
  }
 }
--- a/ansible/roles/consul_server/tasks/main.yml
+++ b/ansible/roles/consul_server/tasks/main.yml
@ -1,3 +1,3 @@
 ---
- include: "{{ ansible_os_family }}.yml"
+- include_tasks: "{{ ansible_os_family }}.yml"
 ...
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@ -6,7 +6,7 @@ server              = true
 bootstrap_expect    = 3
 ui                  = true

-encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
+encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"

 verify_outgoing         = true
 verify_server_hostname  = true
@ -49,6 +49,6 @@ acl {
  default_policy = "deny"
  enable_token_persistence = true
  tokens {
-    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
+    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
  }
 }
--- a/ansible/roles/k3s/tasks/main.yml
+++ b/ansible/roles/k3s/tasks/main.yml
@ -1,7 +1,7 @@
 ---
- include: get_k3s.yml
- include: server.yml
+- include_tasks: get_k3s.yml
+- include_tasks: server.yml
  when: k3s_role == "server"
- include: clients.yml
+- include_tasks: clients.yml
  when: k3s_role == "client"
 ...
--- a/ansible/roles/k3s/tasks/server.yml
+++ b/ansible/roles/k3s/tasks/server.yml
@ -22,4 +22,10 @@
 - name: set k3s token var
  set_fact:
    k3s_node_token: "{{ registered_k3s_node_token.content | b64decode | trim }}"
+
+- name: set kubectl symlink
+  file:
+    state: link
+    src: /usr/local/bin/k3s
+    dest: /usr/local/bin/kubectl
 ...
--- a/ansible/roles/k3s/templates/k3s.service.j2
+++ b/ansible/roles/k3s/templates/k3s.service.j2
@ -8,7 +8,7 @@ ExecReload=/bin/kill -HUP $MAINPID
 {% if k3s_role == 'server' %}
 ExecStart=/usr/local/bin/k3s server --write-kubeconfig-mode 644 --disable servicelb --disable traefik
 {% else %}
-ExecStart=/usr/local/bin/k3s agent --server https://hardtack1.minhas.io:6443 --token {{ hostvars['hardtack1.minhas.io'].k3s_node_token }}
+ExecStart=/usr/local/bin/k3s agent --server https://{{ k3s_server_hostname }}:6443 --token {{ hostvars[k3s_server_hostname].k3s_node_token }}
 {% endif %}
 KillMode=process
 KillSignal=SIGINT
--- a/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
+++ b/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
@ -1 +1 @@
-{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }}
+{{ lookup('hashi_vault', 'secret=kv/data/acme:private_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
--- a/ansible/roles/lego/templates/defaults
+++ b/ansible/roles/lego/templates/defaults
@ -1,5 +1,5 @@
-export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }}
-export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }}
-export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }}
-export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }}
-export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }}
+export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_user ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
+export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
+export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:access_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
+export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
+export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:hosted_zone_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@ -14,13 +14,13 @@ client {
 }

 consul {
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}"
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }

 vault {
  enabled           = true
  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
+  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
  address           = "https://vault.service.{{ consul_domain }}:8200"
  create_from_role  = "nomad-cluster"
  unwrap_token      = true
--- a/ansible/roles/nomad_server/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_server/templates/nomad.hcl.j2
@ -9,14 +9,14 @@ server {
 vault {
  enabled           = true
  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
+  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
  address           = "https://vault.service.{{ consul_domain }}:8200"
  create_from_role  = "nomad-cluster"
  unwrap_token      = true
 }

 consul {
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}"
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }

 tls {
--- a/ansible/roles/vault_server/templates/vault.hcl.j2
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@ -18,5 +18,5 @@ cluster_addr      = "https://{{ ansible_default_ipv4.address }}:8201"
 storage "consul" {
  address   = "localhost:8500"
  path      = "vault/"
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}"
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/vault:consul-acl ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }
--- a/docker/wallabag/Dockerfile
+++ b/docker/wallabag/Dockerfile
@ -1,4 +1,4 @@
-FROM wallabag/wallabag:2.5.1
+FROM wallabag/wallabag:2.5.2

 # add ca-certificates package
 RUN apk add --no-cache ca-certificates
Author	SHA1	Message	Date
Asara	d68fefe9a4	Update k3s role to allow for multiple clusters	2022-11-23 00:43:04 -05:00
Asara	6251f33740	Add teapot!	2022-11-23 00:06:38 -05:00
Asara	ff33da4818	fix ordering to get unzip after trying to unzip	2022-11-23 00:06:29 -05:00
Asara	bd87a2487f	upgrade wallabag	2022-11-23 00:06:13 -05:00
Asara	30cfa2aa1c	Woops	2022-11-05 22:14:29 -04:00
Asara	0c99c0b5b2	Update ansible	2022-11-05 22:11:23 -04:00