jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-04-23 13:43:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update to 2022-09-20 13:00

Browse Source
This commit is contained in:
Daniel Berteaud 2022-09-20 13:00:08 +02:00
parent 66df749295
commit e6019f8e32
12 changed files with 50 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
roles/ampache/defaults/main.yml
View File

@ -3,10 +3,10 @@
ampache_id: "1" ampache_id: "1"
ampache_manage_upgrade: True ampache_manage_upgrade: True
ampache_version: '5.5.1' ampache_version: '5.5.2'
ampache_config_version: 62 ampache_config_version: 62
ampache_zip_url: https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all.zip ampache_zip_url: https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all.zip
ampache_zip_sha256: 3e37839058c263be990915759eecab9b5da3ec324638a7ff7d8094516f56a85c ampache_zip_sha256: 7cd9327bb8cb3015fd3a360645a720ab60ff7af2a0622cecb027543a1a8132b5
ampache_root_dir: /opt/ampache_{{ ampache_id }} ampache_root_dir: /opt/ampache_{{ ampache_id }}

2
roles/consul/tasks/conf.yml
View File

@ -8,7 +8,7 @@
cert_path: "{{ consul_conf.tls.defaults.cert_file }}" cert_path: "{{ consul_conf.tls.defaults.cert_file }}"
cert_key_path: "{{ consul_conf.tls.defaults.key_file }}" cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"
cert_key_group: "{{ consul_user }}" cert_key_group: "{{ consul_user }}"
cert_key_mode: 0640 cert_key_mode: 640
tags: consul tags: consul
- name: Check if CA exists - name: Check if CA exists

4
roles/documize/defaults/main.yml
View File

@ -1,11 +1,11 @@
--- ---
# Version of cocumize to deploy # Version of cocumize to deploy
documize_version: 5.2.2 documize_version: 5.3.0
# URL of the binary to install # URL of the binary to install
documize_bin_url: https://github.com/documize/community/releases/download/v{{ documize_version }}/documize-community-linux-amd64 documize_bin_url: https://github.com/documize/community/releases/download/v{{ documize_version }}/documize-community-linux-amd64
# Expected sha1 of the binary # Expected sha1 of the binary
documize_bin_sha256: 86d635d804853f10bbe190ba40253293b692869ad0efff707005ec6a08f23163 documize_bin_sha256: d12e55eab88b1920e230c86d115cff6d5d794c1cfa113a66eaa629719e1bb91e
# Should documize handle upgrades or only initial install ? # Should documize handle upgrades or only initial install ?
documize_manage_upgrade: True documize_manage_upgrade: True

6
roles/metabase/defaults/main.yml
View File

@ -1,15 +1,15 @@
--- ---
# Version to deploy # Version to deploy
metabase_version: 0.44.2 metabase_version: 0.44.3
# URL to fetch the jar # URL to fetch the jar
metabase_jar_url: https://downloads.metabase.com/v{{ metabase_version }}/metabase.jar metabase_jar_url: https://downloads.metabase.com/v{{ metabase_version }}/metabase.jar
# Expected sha256 of the jar # Expected sha256 of the jar
metabase_jar_sha256: 23471284af7fdbd9088cbb4f0c6972cacca9a1f155f408b80dbaade08c13480f metabase_jar_sha256: ef8fc6d12251bf2062208b02821f4b948345e8c4b952b08a9a77d328f2c8a6bd
# When building from source # When building from source
metabase_archive_url: https://github.com/metabase/metabase/archive/refs/tags/v{{ metabase_version }}.tar.gz metabase_archive_url: https://github.com/metabase/metabase/archive/refs/tags/v{{ metabase_version }}.tar.gz
# Expected sha256 of the archive # Expected sha256 of the archive
metabase_archive_sha256: bdbfff6f2a7bd0434b8a9885e10f5b0d5c52d0e1918a4b9d091c596b5e5d06ca metabase_archive_sha256: 98a51d1f3f5408a8da008745032790e0b32213fb9defa135211cbf44556f30c5
# Should ansible handle upgrades ? If set to false, only the initial install (and the config) will be handled # Should ansible handle upgrades ? If set to false, only the initial install (and the config) will be handled
metabase_manage_upgrade: True metabase_manage_upgrade: True

21
roles/nomad/tasks/conf.yml
View File

@ -133,7 +133,7 @@
- name: Set ACL on the TLS dir - name: Set ACL on the TLS dir
shell: | shell: |
setfacl -R -b -k {{ nomad_root_dir }}/tls setfacl -R -k -b {{ nomad_root_dir }}/tls
{% if nomad_admin_groups | length > 0 %} {% if nomad_admin_groups | length > 0 %}
setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
setfacl -m {% for group in nomad_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls setfacl -m {% for group in nomad_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
@ -153,3 +153,22 @@
when: nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl when: nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl
tags: nomad tags: nomad
- name: Ensure the bridge module is loaded
modprobe: name=bridge state=present
when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
tags: nomad
- name: Set sysctl
sysctl:
name: "{{ item.key }}"
value: "{{ item.val }}"
sysctl_file: /etc/sysctl.d/nomad.conf
state: "{{ (nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers) | ternary('present', 'absent') }}"
loop:
- key: net.bridge.bridge-nf-call-arptables
val: 1
- key: net.bridge.bridge-nf-call-ip6tables
val: 1
- key: net.bridge.bridge-nf-call-iptables
val: 1
tags: nomad

2
roles/nomad/templates/consul-template.hcl.j2
View File

@ -31,7 +31,7 @@ template {
{% if nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl %} {% if nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl %}
template { template {
source = "{{ nomad_root_dir }}/consul-template/consul_bundle.pem.tpl" source = "{{ nomad_root_dir }}/consul-template/consul_bundle.pem.tpl"
destination = "{{ nomad_root_dir }}/tlc/consul_bundle.pem" destination = "{{ nomad_root_dir }}/tls/consul_bundle.pem"
left_delimiter = "[[" left_delimiter = "[["
right_delimiter = "]]" right_delimiter = "]]"
perms = 0640 perms = 0640

4
roles/sftpgo/defaults/main.yml
View File

@ -1,11 +1,11 @@
--- ---
# Version to deploy # Version to deploy
sftpgo_version: 2.3.4 sftpgo_version: 2.3.5
# URL of the archive # URL of the archive
sftpgo_archive_url: https://github.com/drakkan/sftpgo/releases/download/v{{ sftpgo_version }}/sftpgo_v{{ sftpgo_version }}_linux_x86_64.tar.xz sftpgo_archive_url: https://github.com/drakkan/sftpgo/releases/download/v{{ sftpgo_version }}/sftpgo_v{{ sftpgo_version }}_linux_x86_64.tar.xz
# Expected sha1 of the archive # Expected sha1 of the archive
sftpgo_archive_sha256: b18ed2ce34ebff4eeadc4c7025a3e870f9a5635a321a946325c1865dd6fa038a sftpgo_archive_sha256: 6d80910fcf70d6f1fbcf1ef87a37ada3a7dbdd2b522736eb6e9248eeadbd19ad
# Should ansible handle upgrades ? If False, only initial install will be done # Should ansible handle upgrades ? If False, only initial install will be done
sftpgo_manage_upgrade: True sftpgo_manage_upgrade: True

8
roles/vault/tasks/conf.yml
View File

@ -19,6 +19,10 @@
notify: restart vault notify: restart vault
tags: vault tags: vault
- name: Ensure correct permission on vault private key
file: path={{ vault_root_dir }}/tls/vault.key mode=640 owner=root group={{ vault_user }}
tags: vault
- name: Setup logrotate - name: Setup logrotate
template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
tags: vault tags: vault
@ -30,8 +34,8 @@
template: src=consul-template.hcl.j2 dest={{ vault_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root template: src=consul-template.hcl.j2 dest={{ vault_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
notify: restart consul-template-vault notify: restart consul-template-vault
- name: Deploy Nomad certificate bundle template for consul-template - name: Deploy Nomad certificate bundle template
template: src=nomad_client_bundle.json.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.json.tpl template: src=nomad_client_bundle.pem.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl
notify: restart consul-template-vault notify: restart consul-template-vault
- name: Deploy the update cert hook - name: Deploy the update cert hook

4
roles/vault/templates/consul-template.hcl.j2
View File

@ -6,10 +6,10 @@ vault {
{% if vault_secrets.nomad.enabled %} {% if vault_secrets.nomad.enabled %}
template { template {
source = "{{ vault_root_dir }}/consul-template/nomad_client_bundle.json.tpl" source = "{{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl"
left_delimiter = "[[" left_delimiter = "[["
right_delimiter = "]]" right_delimiter = "]]"
destination = "{{ vault_root_dir }}/tmp/nomad_client_bundle.json" destination = "{{ vault_root_dir }}/tls/nomad_client_bundle.pem"
perms = 0600 perms = 0600
exec { exec {
command = "{{ vault_root_dir }}/bin/update_nomad_cert {{ vault_secrets.nomad.token }} {{ vault_secrets.vault_token }}" command = "{{ vault_root_dir }}/bin/update_nomad_cert {{ vault_secrets.nomad.token }} {{ vault_secrets.vault_token }}"

3
roles/vault/templates/nomad_client_bundle.json.tpl.j2
View File

@ -1,3 +0,0 @@
[[ with secret "{{ vault_secrets.nomad.pki.path }}/issue/{{ vault_secrets.nomad.pki.role }}" "ttl={{ vault_secrets.nomad.pki.ttl }}" "common_name={{ vault_secrets.nomad.pki.cn }}" ]]
[[ .Data | toJSONPretty ]]
[[ end ]]

8
roles/vault/templates/nomad_client_bundle.pem.tpl.j2 Normal file
View File

@ -0,0 +1,8 @@
[[ with pkiCert "{{ vault_secrets.nomad.pki.path }}/issue/{{ vault_secrets.nomad.pki.role }}" "ttl={{ vault_secrets.nomad.pki.ttl }}" "common_name={{ vault_secrets.nomad.pki.cn }}" ]]
[[ .CA ]]
[[ .Cert ]]
[[ .Key ]]
[[ .CA | writeToFile "{{ vault_root_dir }}/tls/nomad_ca.crt" "root" "root" "0644" ]]
[[ .Cert | writeToFile "{{ vault_root_dir }}/tls/nomad_client.crt" "root" "root" "0644" ]]
[[ .Key | writeToFile "{{ vault_root_dir }}/tls/nomad_client.key" "root" "root" "0600" ]]
[[ end ]]

10
roles/vault/templates/update_nomad_cert.j2
View File

@ -5,7 +5,6 @@ set -eo pipefail
NOMAD_TOKEN=$1 NOMAD_TOKEN=$1
VAULT_TOKEN=$2 VAULT_TOKEN=$2
NOMAD_CERT_BUNDLE={{ vault_root_dir }}/tmp/nomad_client_bundle.json
VAULT_ADDR={{ vault_conf.api_addr }} VAULT_ADDR={{ vault_conf.api_addr }}
if [ "$(vault status -format=json| jq .is_self)" != "true" ]; then if [ "$(vault status -format=json| jq .is_self)" != "true" ]; then
@ -20,10 +19,7 @@ else
vault write {{ vault_secrets.nomad.secret.path }}/config/access \ vault write {{ vault_secrets.nomad.secret.path }}/config/access \
address="{{ vault_secrets.nomad.address }}" \ address="{{ vault_secrets.nomad.address }}" \
token="$NOMAD_TOKEN" \ token="$NOMAD_TOKEN" \
ca_cert="$(cat $NOMAD_CERT_BUNDLE | jq -r .issuing_ca)" \ ca_cert="$(cat {{ vault_root_dir }}/tls/nomad_ca.crt)" \
client_cert="$(cat $NOMAD_CERT_BUNDLE | jq -r .certificate)" \ client_cert="$(cat {{ vault_root_dir }}/tls/nomad_client.crt)" \
client_key="$(cat $NOMAD_CERT_BUNDLE | jq -r .private_key)" client_key="$(cat {{ vault_root_dir }}/tls/nomad_client.key)"
fi fi
echo Removing Nomad client certificate from the filesystem
rm -f $NOMAD_CERT_BUNDLE