

No commits in common. "d68fefe9a4b4a145bf02b69a9674a8a48f14400a" and "9c0b211db2d262cf59cd18b5e4c0d7331245a51f" have entirely different histories.

22 changed files with 44 additions and 74 deletions


@ -13,8 +13,8 @@ poll_interval = 15
transport = smart transport = smart
remote_port = 22 remote_port = 22
gathering = smart gathering = smart
stdout_callback = default stdout_callback = skippy
callbacks_enabled = timer callback_whitelist = timer
timeout = 10 timeout = 10
remote_user = cfgmgmt remote_user = cfgmgmt
private_key_file = ~/personal/keys/cfgmgmt private_key_file = ~/personal/keys/cfgmgmt
@ -29,6 +29,3 @@ become_user = root
[diff] [diff]
always = True always = True
[hashi_vault_collection]
token_validate = True
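Review bot: Dropping `token_validate = True` from `[hashi_vault_collection]` leaves token validation to the collection's default, which the collection has documented as moving to `false`; once it is off, a bad or expired Vault token is only noticed when the first secret read fails with a less specific error, so keep the explicit setting: `[hashi_vault_collection]` / `token_validate = True`. The rename to `callback_whitelist` matches the `ansible==2.9.12` pin in the requirements hunk, but that key is `callbacks_enabled` in later core releases, so the two files have to move together. The section's remaining lines (the `-29,6` hunk lists six on the old side) are not all visible here.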


@ -1,4 +1,4 @@
--- ---
lego_email_address: amarpreet@minhas.io lego_email_address: amarpreet@minhas.io
letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:account_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['account_id'] }}"
... ...
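Review bot: The new lookup form fetches the whole `kv/data/acme:data` map into the template and then indexes `['account_id']`, so every field of that secret — including the private key that the acme template further down reads from the same path — is pulled into Ansible's variable context for a line that needs one value, and a templating error or a `-vvv` run can print the entire map instead of a single field. The same pattern is introduced in the consul client/server templates, the acme private key template, the lego env exports, both nomad templates and the vault storage stanza below. If the pinned 2.9 lookup cannot resolve a KV v2 field directly and the dict form is unavoidable, say so once where the pattern is introduced, e.g. `# hashi_vault returns the full KV v2 data map; only account_id is used here`, so nobody later "simplifies" it into a debug print of the dict.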


@ -5,4 +5,3 @@ nomad_arch: arm64
docker_arch: arm64 docker_arch: arm64
k3s_version: v1.24.1+k3s1 k3s_version: v1.24.1+k3s1
k3s_role: 'client' k3s_role: 'client'
k3s_server_hostname: hardtack1.minhas.io


@ -1,6 +0,0 @@
---
hashi_arch: arm
consul_arch: arm64
k3s_version: v1.25.4+k3s1
k3s_role: 'client'
k3s_server_hostname: teapot01.minhas.io


@ -1,3 +0,0 @@
---
k3s_role: server
...


@ -4,7 +4,6 @@ ranger.minhas.io
redwingcherokee.minhas.io redwingcherokee.minhas.io
sedan.minhas.io sedan.minhas.io
fishbowl.minhas.io fishbowl.minhas.io
teapot[01:06].minhas.io
[consul_server] [consul_server]
sedan.minhas.io sedan.minhas.io
@ -17,12 +16,8 @@ sedan.minhas.io
[hardtack] [hardtack]
hardtack[1:7].minhas.io hardtack[1:7].minhas.io
[teapot]
teapot[01:06].minhas.io
[k3s] [k3s]
hardtack[1:7].minhas.io hardtack[1:7].minhas.io
teapot[01:06].minhas.io
[lnd] [lnd]
redwingcherokee.minhas.io redwingcherokee.minhas.io


@ -1,22 +1,16 @@
ansible==6.5.0 ansible==2.9.12
ansible-core==2.13.5 certifi==2020.6.20
certifi==2022.9.24 cffi==1.14.2
cffi==1.15.1 chardet==3.0.4
chardet==5.0.0 cryptography==3.0
charset-normalizer==2.1.1 docker==4.3.1
cryptography==38.0.3 hvac==0.10.5
docker==6.0.1 idna==2.10
hvac==1.0.2 Jinja2==2.11.2
idna==3.4 MarkupSafe==1.1.1
Jinja2==3.1.2 pycparser==2.20
MarkupSafe==2.1.1 PyYAML==5.3.1
packaging==21.3 requests==2.24.0
pycparser==2.21 six==1.15.0
pyhcl==0.4.4 urllib3==1.25.10
pyparsing==3.0.9 websocket-client==0.57.0
PyYAML==6.0
requests==2.28.1
resolvelib==0.8.1
six==1.16.0
urllib3==1.26.12
websocket-client==1.4.2
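Review bot: The new side pins a 2020-era toolchain — `ansible==2.9.12`, `cryptography==3.0`, `urllib3==1.25.10`, `Jinja2==2.11.2`, `PyYAML==5.3.1`, `requests==2.24.0` — all of which have since received security releases, and ansible 2.9 itself is end-of-life, so this is a downgrade into known-fixed issues rather than a neutral pin change. If the older control node is required for compatibility with the hosts, record why in a comment at the top of the file, e.g. `# pinned to ansible 2.9 for <reason>; review against current advisories before reuse`, and plan the path back to a supported core. Otherwise the left-side pins (`ansible==6.5.0` with `ansible-core==2.13.5`) are the ones to keep.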


@ -23,7 +23,6 @@
- kitty-terminfo - kitty-terminfo
- make - make
- ncdu - ncdu
- neovim
- netcat-openbsd - netcat-openbsd
- ntp - ntp
- screen - screen
@ -32,6 +31,7 @@
- tmux - tmux
- tree - tree
- unzip - unzip
- vim
state: present state: present
- name: apt autoremove - name: apt autoremove


@ -1,4 +1,4 @@
--- ---
- include_tasks: "{{ ansible_os_family }}.yml" - include: "{{ ansible_os_family }}_pki.yml"
- include_tasks: "{{ ansible_os_family }}_pki.yml" - include: "{{ ansible_os_family }}.yml"
... ...
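Review bot: Replacing `include_tasks` with `include` steps back onto an action that has been deprecated since Ansible 2.4 and is removed in recent core releases; `include_tasks` already exists in the 2.9 line pinned by the requirements file, so the downgrade is unnecessary even on the old control node, and the same swap appears in the other three `tasks/main.yml` hunks below. Keep `- include_tasks: "{{ ansible_os_family }}_pki.yml"` and `- include_tasks: "{{ ansible_os_family }}.yml"` in the new order if the PKI-first ordering is the intent; a one-line comment such as `# install the CA before anything that talks to Vault` would make that ordering deliberate rather than incidental.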


@ -1,3 +1,3 @@
--- ---
- include_tasks: "{{ ansible_os_family }}.yml" - include: "{{ ansible_os_family }}.yml"
... ...


@ -3,7 +3,7 @@ primary_datacenter = "{{ main_dc_name }}"
domain = "{{ consul_domain }}" domain = "{{ consul_domain }}"
node_name = "{{ inventory_hostname_short }}" node_name = "{{ inventory_hostname_short }}"
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
verify_incoming = false verify_incoming = false
verify_outgoing = true verify_outgoing = true
@ -32,6 +32,6 @@ acl {
default_policy = "deny" default_policy = "deny"
enable_token_persistence = true enable_token_persistence = true
tokens { tokens {
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
} }
} }


@ -1,3 +1,3 @@
--- ---
- include_tasks: "{{ ansible_os_family }}.yml" - include: "{{ ansible_os_family }}.yml"
... ...


@ -6,7 +6,7 @@ server = true
bootstrap_expect = 3 bootstrap_expect = 3
ui = true ui = true
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
verify_outgoing = true verify_outgoing = true
verify_server_hostname = true verify_server_hostname = true
@ -49,6 +49,6 @@ acl {
default_policy = "deny" default_policy = "deny"
enable_token_persistence = true enable_token_persistence = true
tokens { tokens {
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
} }
} }


@ -1,7 +1,7 @@
--- ---
- include_tasks: get_k3s.yml - include: get_k3s.yml
- include_tasks: server.yml - include: server.yml
when: k3s_role == "server" when: k3s_role == "server"
- include_tasks: clients.yml - include: clients.yml
when: k3s_role == "client" when: k3s_role == "client"
... ...


@ -22,10 +22,4 @@
- name: set k3s token var - name: set k3s token var
set_fact: set_fact:
k3s_node_token: "{{ registered_k3s_node_token.content | b64decode | trim }}" k3s_node_token: "{{ registered_k3s_node_token.content | b64decode | trim }}"
- name: set kubectl symlink
file:
state: link
src: /usr/local/bin/k3s
dest: /usr/local/bin/kubectl
... ...


@ -8,7 +8,7 @@ ExecReload=/bin/kill -HUP $MAINPID
{% if k3s_role == 'server' %} {% if k3s_role == 'server' %}
ExecStart=/usr/local/bin/k3s server --write-kubeconfig-mode 644 --disable servicelb --disable traefik ExecStart=/usr/local/bin/k3s server --write-kubeconfig-mode 644 --disable servicelb --disable traefik
{% else %} {% else %}
ExecStart=/usr/local/bin/k3s agent --server https://{{ k3s_server_hostname }}:6443 --token {{ hostvars[k3s_server_hostname].k3s_node_token }} ExecStart=/usr/local/bin/k3s agent --server https://hardtack1.minhas.io:6443 --token {{ hostvars['hardtack1.minhas.io'].k3s_node_token }}
{% endif %} {% endif %}
KillMode=process KillMode=process
KillSignal=SIGINT KillSignal=SIGINT
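Review bot: The agent `ExecStart` on the new side hard-codes `hardtack1.minhas.io` twice where the left side read `k3s_server_hostname`, and the matching group var is deleted in the earlier `group_vars` hunk, so moving the control plane now means editing this template and the hostvars key together. Separately, the join token is interpolated into the unit's command line; unit files are world-readable and the full command is visible in `systemctl show` and the process list to any local user, so the token should reach k3s through a root-only file rather than an argument, e.g. `ExecStart=/usr/local/bin/k3s agent --server https://{{ k3s_server_hostname }}:6443 --token-file /path/to/root-only/token-file` with that file written at mode 0600 by the play. The token-on-the-command-line issue predates this change, but this hunk is where the line is rewritten.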


@ -1 +1 @@
{{ lookup('hashi_vault', 'secret=kv/data/acme:private_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }} {{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }}


@ -1,5 +1,5 @@
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_user ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }} export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }}
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }} export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }}
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:access_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }} export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }}
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }} export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }}
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:hosted_zone_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }} export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }}
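Review bot: Each export line now performs its own Vault read of the full `kv/data/namecheap:data` or `kv/data/aws:data` map, so rendering this five-line file issues five reads for two secrets and leaves five entries in the Vault audit log where two would do. Fetching each map once with a `{% set %}` and indexing the cached value keeps the behaviour identical while halving the traffic and making it obvious which fields are actually used. Because every value here is a credential, the task that renders this template should also set a restrictive `mode` on the destination; that task is outside this hunk, so confirm it rather than assume it.
```jinja
{% set namecheap = lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') %}
{% set aws = lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') %}
export NAMECHEAP_API_USER={{ namecheap['api_user'] }}
export NAMECHEAP_API_KEY={{ namecheap['api_key'] }}
export AWS_ACCESS_KEY_ID={{ aws['access_key'] }}
export AWS_SECRET_ACCESS_KEY={{ aws['secret_key'] }}
export AWS_HOSTED_ZONE_ID={{ aws['hosted_zone_id'] }}
```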


@ -14,13 +14,13 @@ client {
} }
consul { consul {
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}"
} }
vault { vault {
enabled = true enabled = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}" ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
address = "https://vault.service.{{ consul_domain }}:8200" address = "https://vault.service.{{ consul_domain }}:8200"
create_from_role = "nomad-cluster" create_from_role = "nomad-cluster"
unwrap_token = true unwrap_token = true


@ -9,14 +9,14 @@ server {
vault { vault {
enabled = true enabled = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}" ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
address = "https://vault.service.{{ consul_domain }}:8200" address = "https://vault.service.{{ consul_domain }}:8200"
create_from_role = "nomad-cluster" create_from_role = "nomad-cluster"
unwrap_token = true unwrap_token = true
} }
consul { consul {
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}"
} }
tls { tls {


@ -18,5 +18,5 @@ cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
storage "consul" { storage "consul" {
address = "localhost:8500" address = "localhost:8500"
path = "vault/" path = "vault/"
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:consul-acl ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}"
} }


@ -1,4 +1,4 @@
FROM wallabag/wallabag:2.5.2 FROM wallabag/wallabag:2.5.1
# add ca-certificates package # add ca-certificates package
RUN apk add --no-cache ca-certificates RUN apk add --no-cache ca-certificates