Update to 2022-07-21 01:00

2025-04-16 10:13:26 +02:00 · 2022-07-21 01:00:17 +02:00 · 2022-07-21 01:00:17 +02:00 · 0db06a7240
commit 0db06a7240
parent eca2f00fb1
32 changed files with 643 additions and 0 deletions
--- a/roles/consul/defaults/main.yml
+++ b/roles/consul/defaults/main.yml
@ -0,0 +1,85 @@
 ---
 # Version of consul to deploy
 consul_version: 1.12.3
 # URL from where the consul archive will be downloaded
 consul_archive_url: https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip
 # Expected sha256 of the archive
 consul_archive_sha256: 620a47cfba34bdf918b4c3238d22f6318b29403888cfd927c6006a4ac1b1c9f6
 # user account under which consul will run (will be created if needed)
 consul_user: consul
 # Root directory where consul will be installed
 consul_root_dir: /opt/consul
 # List of consul servers name or IP
 consul_servers: []
 # List of services exposed by consul, the ports they use, and the list of IP
 # for which the service is accessible at the firewall level (if iptables_manage == True)
 consul_services:
  dns:
    port: 8600
    src_ip: []
    proto: [tcp,udp]
  http_api:
    port: 8500
    src_ip: []
    proto: [tcp]
  https_api:
    port: 8501
    src_ip: []
    proto: [tcp]
  grpc_api:
    port: 8502
    src_ip: []
    proto: [tcp]
  lan_serf:
    port: 8301
    src_ip: []
    proto: [tcp,udp]
  wan_serf:
    port: 8302
    src_ip: []
    proto: [tcp_udp]
  server_rpc:
    port: 8300
    src_ip: []
    proto: [tcp]
  sidecar_proxy:
    port: '21000:21255'
    src_ip: []
    proto: [tcp]
 # Consul configuration (which will be converted to JSON)
 # The configuration is splited in a base conf and an extra conf, so you can override part of the config easily
 consul_base_conf:
  node_name: "{{ inventory_hostname }}"
  data_dir: "{{ consul_root_dir }}/data"
  client_addr: 0.0.0.0
  log_level: INFO
  bind_addr: 0.0.0.0
  advertise_addr: "{{ ansible_default_ipv4.address }}"
  retry_join: "{{ consul_servers }}"
  bootstrap_expect: "{{ consul_servers | length }}"
  server: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}"
  ui_config:
    enabled: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}"
  connect:
    enabled: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}"
 # For example
 # consul_extra_conf:
 #   datacenter: my-dc
 #   domain: dev.example.org
 #   encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I=
 #   ui_config:
 #     enabled: False
 consul_extra_conf: {}
 # Host conf is just another level of configuration override
 consul_host_conf: {}
 # Merge all the conf
 consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"
--- a/roles/consul/handlers/main.yml
+++ b/roles/consul/handlers/main.yml
@ -0,0 +1,8 @@
 ---
 - name: restart consul
  service: name=consul state=restarted
  when: consul_service_started is not defined or not consul_service_started.changed
 - name: reload consul
  service: name=consul state=reloaded
--- a/roles/consul/tasks/archive_post.yml
+++ b/roles/consul/tasks/archive_post.yml
@ -0,0 +1,15 @@
 ---
 - name: Compress previous version
  command: tar cf {{ consul_root_dir }}/archives/{{ consul_current_version }}.tar.zst --use-compress-program=zstd ./
  args:
    chdir: "{{ consul_root_dir }}/archives/{{ consul_current_version }}"
    warn: False
  environment:
    ZSTD_CLEVEL: 10
  tags: consul
 - name: Remove archive dir
  file: path={{ consul_root_dir }}/archives/{{ consul_current_version }} state=absent
  tags: consul
--- a/roles/consul/tasks/archive_pre.yml
+++ b/roles/consul/tasks/archive_pre.yml
@ -0,0 +1,10 @@
 ---
 - name: Create the archive dir
  file: path={{ consul_root_dir }}/archives/{{ consul_current_version }} state=directory
  tags: consul
 - name: Backup previous version
  copy: src={{ consul_root_dir }}/bin/consul dest={{ consul_root_dir }}/archives/{{ consul_current_version }}/ remote_src=True
  tags: consul
--- a/roles/consul/tasks/cleanup.yml
+++ b/roles/consul/tasks/cleanup.yml
@ -0,0 +1,8 @@
 ---
 - name: Remove tmp and obsolete files
  file: path={{ item }} state=absent
  loop:
    - "{{ consul_root_dir }}/tmp/consul_{{ consul_version }}_linux_amd64.zip"
    - "{{ consul_root_dir }}/tmp/consul"
  tags: consul
--- a/roles/consul/tasks/conf.yml
+++ b/roles/consul/tasks/conf.yml
@ -0,0 +1,6 @@
 ---
 - name: Deploy consul configuration
  template: src=consul.json.j2 dest={{ consul_root_dir }}/etc/consul.json owner=root group={{ consul_user }} mode=640
  notify: reload consul
  tags: consul
--- a/roles/consul/tasks/directories.yml
+++ b/roles/consul/tasks/directories.yml
@ -0,0 +1,31 @@
 ---
 - name: Create needed directories
  file: path={{ consul_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
  loop:
    - dir: archives
      owner: root
      group: root
      mode: 700
    - dir: backup
      owner: root
      group: root
      mode: 700
    - dir: meta
      owner: root
      group: root
      mode: 700
    - dir: bin
    - dir: tmp
      owner: "{{ consul_user }}"
      group: "{{ consul_user }}"
      mode: 700
    - dir: data
      owner: "{{ consul_user }}"
      group: "{{ consul_user }}"
      mode: 700
    - dir: etc
      owner: root
      group: "{{ consul_user }}"
      mode: 750
  tags: consul
--- a/roles/consul/tasks/facts.yml
+++ b/roles/consul/tasks/facts.yml
@ -0,0 +1,12 @@
 ---
 - name: Detect installed version
  block:
    - import_tasks: ../includes/webapps_set_install_mode.yml
      vars:
        - root_dir: "{{ consul_root_dir }}"
        - version: "{{ consul_version }}"
    - set_fact: consul_install_mode={{ install_mode | default('none') }}
    - set_fact: consul_current_version={{ current_version | default('') }}
  tags: consul
--- a/roles/consul/tasks/install.yml
+++ b/roles/consul/tasks/install.yml
@ -0,0 +1,55 @@
 ---
 - name: Install needed tools
  package:
    name:
      - tar
      - zstd
      - unzip
  tags: consul
 - when: consul_install_mode != 'none'
  block:
    - name: Download consul
      get_url:
        url: "{{ consul_archive_url }}"
        dest: "{{ consul_root_dir }}/tmp"
        checksum: sha256:{{ consul_archive_sha256 }}
    - name: Extract the archive
      unarchive:
        src: "{{ consul_root_dir }}/tmp/consul_{{ consul_version }}_linux_amd64.zip"
        dest: "{{ consul_root_dir }}/tmp"
        remote_src: True
    - name: Install consul binary
      copy:
        src: "{{ consul_root_dir }}/tmp/consul"
        dest: "{{ consul_root_dir }}/bin/consul"
        remote_src: True
        mode: 755
    - name: Link in /usr/local/bin
      file: src={{ consul_root_dir }}/bin/consul dest=/usr/local/bin/consul state=link force=True
  tags: consul
 - name: Install bash completion support
  copy:
    content: |
      complete -C {{ consul_root_dir }}/bin/consul consul
    dest: /etc/bash_completion.d/consul
    mode: 755
  tags: consul
 - name: Deploy systemd service unit
  template: src=consul.service.j2 dest=/etc/systemd/system/consul.service
  register: consul_unit
  notify: restart consul
  tags: consul
 - name: Reload systemd
  systemd: daemon_reload=True
  when: consul_unit.changed
  tags: consul
--- a/roles/consul/tasks/iptables.yml
+++ b/roles/consul/tasks/iptables.yml
@ -0,0 +1,15 @@
 ---
 - name: Handle consul ports in the firewall
  iptables_raw:
    name: consul_port_{{ item }}
    state: "{{ (('tcp' in consul_services[item].proto or 'udp' in consul_services[item].proto) and consul_services[item].src_ip | length > 0) | ternary('present', 'absent') }}"
    rules: |
      {% if 'tcp' in consul_services[item].proto %}
      -A INPUT -m state --state NEW -p tcp --dport {{ consul_services[item].port }} -j ACCEPT
      {% endif %}
      {% if 'udp' in consul_services[item].proto %}
      -A INPUT -m state --state NEW -p udp --dport {{ consul_services[item].port }} -j ACCEPT
      {% endif %}
  loop: "{{ consul_services.keys() | list }}"
  tags: firewall,consul
--- a/roles/consul/tasks/main.yml
+++ b/roles/consul/tasks/main.yml
@ -0,0 +1,38 @@
 ---
 - include_tasks: user.yml
  tags: always
 - include_tasks: directories.yml
  tags: always
 - include_tasks: facts.yml
  tags: always
 - include_tasks: archive_pre.yml
  when: consul_install_mode | default('none') == 'upgrade'
  tags: always
 - include_tasks: install.yml
  tags: always
 - include_tasks: conf.yml
  tags: always
 - include_tasks: iptables.yml
  when: iptables_manage | default(True)
  tags: always
 - include_tasks: services.yml
  tags: always
 - include_tasks: write_version.yml
  tags: always
 - include_tasks: archive_post.yml
  when: consul_install_mode | default('none') == 'upgrade'
  tags: always
 - include_tasks: cleanup.yml
  tags: always
--- a/roles/consul/tasks/services.yml
+++ b/roles/consul/tasks/services.yml
@ -0,0 +1,6 @@
 ---
 - name: Start and enable consul service
  service: name=consul state=started enabled=True
  register: consul_service_started
  tags: consul
--- a/roles/consul/tasks/user.yml
+++ b/roles/consul/tasks/user.yml
@ -0,0 +1,9 @@
 ---
 - name: Create consul user
  user:
    name: "{{ consul_user }}"
    home: "{{ consul_root_dir }}"
    system: True
    shell: /sbin/nologin
  tags: consul
--- a/roles/consul/tasks/write_version.yml
+++ b/roles/consul/tasks/write_version.yml
@ -0,0 +1,5 @@
 ---
 - name: Write installed version
  copy: content={{ consul_version }} dest={{ consul_root_dir }}/meta/ansible_version
  tags: consul
--- a/roles/consul/templates/consul.json.j2
+++ b/roles/consul/templates/consul.json.j2
@ -0,0 +1 @@
 {{ consul_conf | to_nice_json(indent=2) }}
--- a/roles/consul/templates/consul.service.j2
+++ b/roles/consul/templates/consul.service.j2
@ -0,0 +1,20 @@
 [Unit]
 Description="HashiCorp Consul - A service mesh solution"
 Documentation=https://www.consul.io/
 Requires=network-online.target
 After=network-online.target
 ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.json
 [Service]
 EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env
 User={{ consul_user }}
 Group={{ consul_user }}
 ExecStart={{ consul_root_dir }}/bin/consul agent -config-dir={{ consul_root_dir }}/etc/
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process
 KillSignal=SIGTERM
 Restart=on-failure
 LimitNOFILE=65536
 [Install]
 WantedBy=multi-user.target
--- a/roles/nomad/defaults/main.yml
+++ b/roles/nomad/defaults/main.yml
@ -0,0 +1,69 @@
 ---
 # Version of Nomad to install
 nomad_version: 1.3.2
 # URL of the archive
 nomad_archive_url: https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip
 # Expected sha256 of the archive
 nomad_archive_sha256: fc6b3800935c621633d98148ea30737ab8ac1f698020f45b28b07ac61fbf4a96
 # Root dir where Nomad will be installed
 nomad_root_dir: /opt/nomad
 # user under which nomad will run.
 # Servers can run under an unprivileged user, while clients should run as root (or with equivalent privileges)
 nomad_user: "{{ nomad_conf.client.enabled | ternary('root', 'nomad') }}"
 # List of nomad servers (not clients)
 nomad_servers: []
 # Ports used by Nomad, the protocols, and the list of IP/CIDR for which the ports will be opened in the firewall
 nomad_services:
  http_api:
    port: 4646
    proto: [tcp]
    src_ip: []
  rpc:
    port: 4647
    proto: [tcp]
    src_ip: []
  serf:
    port: 4648
    proto: [tcp,udp]
    src_ip: []
 # Nomad configuration (which will be converted to JSON)
 # The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily
 nomad_base_conf:
  name: "{{ inventory_hostname }}"
  data_dir: "{{ nomad_root_dir }}/data"
  log_level: INFO
  bind_addr: 0.0.0.0
  client:
    enabled: "{{ (inventory_hostname in nomad_servers) | ternary(False, True) }}"
    servers: "{{ (inventory_hostname in nomad_servers) | ternary([], nomad_servers) }}"
  server:
    enabled: "{{ (inventory_hostname in nomad_servers) | ternary(True, False) }}"
    server_join:
      retry_join: "{{ (inventory_hostname in nomad_servers) | ternary(nomad_servers, []) }}"
    bootstrap_expect: "{{ nomad_servers | length }}"
  ports:
    http: "{{ nomad_services.http_api.port }}"
    rpc: "{{ nomad_services.rpc.port }}"
    serf: "{{ nomad_services.serf.port }}"
 # For example
 # nomad_extra_conf:
 #   datacenter: my-dc
 #   server:
 #     encrypt: umizzu2vi9VaYwdRiOjDXgZIjV8AJ2AV+prqaAhElz0=
 #   ui_config:
 #     enabled: True
 #
 nomad_extra_conf: {}
 # Host conf is just another level of configuration override
 nomad_host_conf: {}
 # Merge all the conf
 nomad_conf: "{{ nomad_base_conf | combine(nomad_extra_conf, recursive=True) | combine(nomad_host_conf, recursive=True) }}"
--- a/roles/nomad/handlers/main.yml
+++ b/roles/nomad/handlers/main.yml
@ -0,0 +1,8 @@
 ---
 - name: restart nomad
  service: name=nomad state=restarted
  when: nomad_service_started is not defined or not nomad_service_started.changed
 - name: reload nomad
  service: name=nomad state=reloaded
--- a/roles/nomad/tasks/archive_post.yml
+++ b/roles/nomad/tasks/archive_post.yml
@ -0,0 +1,15 @@
 ---
 - name: Compress previous version
  command: tar cf {{ nomad_root_dir }}/archives/{{ nomad_current_version }}.tar.zst --use-compress-program=zstd ./
  args:
    chdir: "{{ nomad_root_dir }}/archives/{{ nomad_current_version }}"
    warn: False
  environment:
    ZSTD_CLEVEL: 10
  tags: nomad
 - name: Remove archive dir
  file: path={{ nomad_root_dir }}/archives/{{ nomad_current_version }} state=absent
  tags: nomad
--- a/roles/nomad/tasks/archive_pre.yml
+++ b/roles/nomad/tasks/archive_pre.yml
@ -0,0 +1,10 @@
 ---
 - name: Create the archive dir
  file: path={{ nomad_root_dir }}/archives/{{ nomad_current_version }} state=directory
  tags: nomad
 - name: Backup previous version
  copy: src={{ nomad_root_dir }}/bin/nomad dest={{ nomad_root_dir }}/archives/{{ nomad_current_version }}/ remote_src=True
  tags: nomad
--- a/roles/nomad/tasks/cleanup.yml
+++ b/roles/nomad/tasks/cleanup.yml
@ -0,0 +1,8 @@
 ---
 - name: Remove tmp and obsolete files
  file: path={{ item }} state=absent
  loop:
    - "{{ nomad_root_dir }}/tmp/nomad_{{ nomad_version }}_linux_amd64.zip"
    - "{{ nomad_root_dir }}/tmp/nomad"
  tags: nomad
--- a/roles/nomad/tasks/conf.yml
+++ b/roles/nomad/tasks/conf.yml
@ -0,0 +1,6 @@
 ---
 - name: Deploy nomad configuration
  template: src=nomad.json.j2 dest={{ nomad_root_dir }}/etc/nomad.json owner=root group={{ nomad_user }} mode=640
  notify: restart nomad
  tags: nomad
--- a/roles/nomad/tasks/directories.yml
+++ b/roles/nomad/tasks/directories.yml
@ -0,0 +1,37 @@
 ---
 - name: Create needed directories
  file: path={{ nomad_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} recurse={{ item.recurse | default(omit) }}
  loop:
    - dir: /
      owner: root
      group: root
      mode: 755
    - dir: archives
      owner: root
      group: root
      mode: 700
    - dir: backup
      owner: root
      group: root
      mode: 700
    - dir: meta
      owner: root
      group: root
      mode: 700
    - dir: bin
    - dir: tmp
      owner: "{{ nomad_user }}"
      group: "{{ nomad_user }}"
      mode: u=rwX,g=-,o=-
      recurse: True
    - dir: data
      owner: "{{ nomad_user }}"
      group: "{{ nomad_user }}"
      mode: u=rwX,g=-,o=-
      recurse: True
    - dir: etc
      owner: root
      group: "{{ nomad_user }}"
      mode: 750
  tags: nomad
--- a/roles/nomad/tasks/facts.yml
+++ b/roles/nomad/tasks/facts.yml
@ -0,0 +1,12 @@
 ---
 - name: Detect installed version
  block:
    - import_tasks: ../includes/webapps_set_install_mode.yml
      vars:
        - root_dir: "{{ nomad_root_dir }}"
        - version: "{{ nomad_version }}"
    - set_fact: nomad_install_mode={{ install_mode | default('none') }}
    - set_fact: nomad_current_version={{ current_version | default('') }}
  tags: nomad
--- a/roles/nomad/tasks/install.yml
+++ b/roles/nomad/tasks/install.yml
@ -0,0 +1,55 @@
 ---
 - name: Install needed tools
  package:
    name:
      - tar
      - zstd
      - unzip
  tags: nomad
 - when: nomad_install_mode != 'none'
  block:
    - name: Download nomad
      get_url:
        url: "{{ nomad_archive_url }}"
        dest: "{{ nomad_root_dir }}/tmp"
        checksum: sha256:{{ nomad_archive_sha256 }}
    - name: Extract the archive
      unarchive:
        src: "{{ nomad_root_dir }}/tmp/nomad_{{ nomad_version }}_linux_amd64.zip"
        dest: "{{ nomad_root_dir }}/tmp"
        remote_src: True
    - name: Install nomad binary
      copy:
        src: "{{ nomad_root_dir }}/tmp/nomad"
        dest: "{{ nomad_root_dir }}/bin/nomad"
        remote_src: True
        mode: 755
    - name: Link in /usr/local/bin
      file: src={{ nomad_root_dir }}/bin/nomad dest=/usr/local/bin/nomad state=link force=True
  tags: nomad
 - name: Install bash completion support
  copy:
    content: |
      complete -C {{ nomad_root_dir }}/bin/nomad nomad
    dest: /etc/bash_completion.d/nomad
    mode: 755
  tags: nomad
 - name: Deploy systemd service unit
  template: src=nomad.service.j2 dest=/etc/systemd/system/nomad.service
  register: nomad_unit
  notify: restart nomad
  tags: nomad
 - name: Reload systemd
  systemd: daemon_reload=True
  when: nomad_unit.changed
  tags: nomad
--- a/roles/nomad/tasks/iptables.yml
+++ b/roles/nomad/tasks/iptables.yml
@ -0,0 +1,15 @@
 ---
 - name: Handle nomad ports in the firewall
  iptables_raw:
    name: nomad_port_{{ item }}
    state: "{{ (('tcp' in nomad_services[item].proto or 'udp' in nomad_services[item].proto) and nomad_services[item].src_ip | length > 0) | ternary('present', 'absent') }}"
    rules: |
      {% if 'tcp' in nomad_services[item].proto %}
      -A INPUT -m state --state NEW -p tcp --dport {{ nomad_services[item].port }} -j ACCEPT
      {% endif %}
      {% if 'udp' in nomad_services[item].proto %}
      -A INPUT -m state --state NEW -p udp --dport {{ nomad_services[item].port }} -j ACCEPT
      {% endif %}
  loop: "{{ nomad_services.keys() | list }}"
  tags: firewall,nomad
--- a/roles/nomad/tasks/main.yml
+++ b/roles/nomad/tasks/main.yml
@ -0,0 +1,39 @@
 ---
 - include_tasks: user.yml
  when: nomad_user != 'root'
  tags: always
 - include_tasks: directories.yml
  tags: always
 - include_tasks: facts.yml
  tags: always
 - include_tasks: archive_pre.yml
  when: nomad_install_mode | default('none') == 'upgrade'
  tags: always
 - include_tasks: install.yml
  tags: always
 - include_tasks: conf.yml
  tags: always
 - include_tasks: iptables.yml
  when: iptables_manage | default(True)
  tags: always
 - include_tasks: services.yml
  tags: always
 - include_tasks: write_version.yml
  tags: always
 - include_tasks: archive_post.yml
  when: nomad_install_mode | default('none') == 'upgrade'
  tags: always
 - include_tasks: cleanup.yml
  tags: always
--- a/roles/nomad/tasks/services.yml
+++ b/roles/nomad/tasks/services.yml
@ -0,0 +1,6 @@
 ---
 - name: Start and enable nomad service
  service: name=nomad state=started enabled=True
  register: nomad_service_started
  tags: nomad
--- a/roles/nomad/tasks/user.yml
+++ b/roles/nomad/tasks/user.yml
@ -0,0 +1,9 @@
 ---
 - name: Create nomad user
  user:
    name: "{{ nomad_user }}"
    home: "{{ nomad_root_dir }}"
    system: True
    shell: /sbin/nologin
  tags: nomad
--- a/roles/nomad/tasks/write_version.yml
+++ b/roles/nomad/tasks/write_version.yml
@ -0,0 +1,5 @@
 ---
 - name: Write installed version
  copy: content={{ nomad_version }} dest={{ nomad_root_dir }}/meta/ansible_version
  tags: nomad
--- a/roles/nomad/templates/nomad.json.j2
+++ b/roles/nomad/templates/nomad.json.j2
@ -0,0 +1 @@
 {{ nomad_conf | to_nice_json(indent=2) }}
--- a/roles/nomad/templates/nomad.service.j2
+++ b/roles/nomad/templates/nomad.service.j2
@ -0,0 +1,24 @@
 [Unit]
 Description=Nomad
 Documentation=https://nomadproject.io/docs/
 Wants=network-online.target
 After=network-online.target
 ConditionFileNotEmpty={{ nomad_root_dir }}/etc/nomad.json
 [Service]
 EnvironmentFile=-{{ nomad_root_dir }}/etc/nomad.env
 User={{ nomad_user }}
 Group={{ nomad_user }}
 ExecStart={{ nomad_root_dir }}/bin/nomad agent -config={{ nomad_root_dir }}/etc/
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process
 KillSignal=SIGINT
 Restart=on-failure
 LimitNOFILE=65536
 LimitNPROC=infinity
 RestartSec=2
 TasksMax=infinity
 OOMScoreAdjust=-1000
 [Install]
 WantedBy=multi-user.target