Diffstat (limited to 'terraform/ansible/roles')
-rw-r--r--terraform/ansible/roles/apt-repos/defaults/main.yml1
-rw-r--r--terraform/ansible/roles/apt-repos/handlers/main.yml3
-rw-r--r--terraform/ansible/roles/apt-repos/tasks/main.yml10
-rw-r--r--terraform/ansible/roles/apt-repos/tasks/repo.yml28
-rw-r--r--terraform/ansible/roles/k3s/defaults/main.yml1
-rw-r--r--terraform/ansible/roles/k3s/handlers/main.yml4
-rw-r--r--terraform/ansible/roles/k3s/tasks/main.yml39
-rw-r--r--terraform/ansible/roles/k3s/templates/k3s.service.j221
-rw-r--r--terraform/ansible/roles/k3s/vars/k3s_releases.yml21
-rw-r--r--terraform/ansible/roles/lusers/defaults/main.yml1
-rw-r--r--terraform/ansible/roles/lusers/tasks/main.yml45
-rw-r--r--terraform/ansible/roles/packages/defaults/main.yml3
-rw-r--r--terraform/ansible/roles/packages/handlers/main.yml5
-rw-r--r--terraform/ansible/roles/packages/tasks/main.yml54
-rw-r--r--terraform/ansible/roles/superusers/tasks/adjust-group.yml21
-rw-r--r--terraform/ansible/roles/superusers/tasks/main.yml31
16 files changed, 288 insertions, 0 deletions
diff --git a/terraform/ansible/roles/apt-repos/defaults/main.yml b/terraform/ansible/roles/apt-repos/defaults/main.yml
new file mode 100644
index 0000000..80975f0
--- /dev/null
+++ b/terraform/ansible/roles/apt-repos/defaults/main.yml
@@ -0,0 +1 @@
+apt_repos:
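Review bot: `apt_repos:` with no value is YAML null, not an empty mapping, so a host that does not override it hands `null` to the `with_dict` loop in tasks/main.yml, and the `default('[]')` there does not rescue it because the Jinja `default` filter only fires on undefined variables unless its second argument is true. Declare the empty default explicitly: `apt_repos: {}`. The name also lacks the double-underscore prefix the other roles use for their variables (`k3s__version`, `packages__enable_backports`); worth settling on one convention while the roles are new.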
diff --git a/terraform/ansible/roles/apt-repos/handlers/main.yml b/terraform/ansible/roles/apt-repos/handlers/main.yml
new file mode 100644
index 0000000..2401293
--- /dev/null
+++ b/terraform/ansible/roles/apt-repos/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: apt update
+ apt:
+ update_cache: true
diff --git a/terraform/ansible/roles/apt-repos/tasks/main.yml b/terraform/ansible/roles/apt-repos/tasks/main.yml
new file mode 100644
index 0000000..de51cb3
--- /dev/null
+++ b/terraform/ansible/roles/apt-repos/tasks/main.yml
@@ -0,0 +1,10 @@
+- apt:
+ name:
+ - apt-transport-https
+ install_recommends: no
+
+- with_dict: "{{ apt_repos|default('[]') }}"
+ include_tasks: repo.yml
+ vars:
+ state: "{{ item.value.state | default('present') }}"
+
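Review bot: `apt_repos|default('[]')` on the `with_dict` line yields the string `'[]'` when the variable is undefined, and `with_dict` rejects a string, so the fallback can never work; it also does not apply when the variable is present but null, which is what defaults/main.yml currently sets. Use a real empty mapping and let the filter cover null too: `with_dict: "{{ apt_repos | default({}, true) }}"`. The first task installs `apt-transport-https` without refreshing the package lists, which fails on a freshly provisioned image whose lists are empty or stale; `update_cache: true` (or `cache_valid_time: 3600`) on that task avoids it. Both tasks would also benefit from a `name:` so play output identifies them.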
diff --git a/terraform/ansible/roles/apt-repos/tasks/repo.yml b/terraform/ansible/roles/apt-repos/tasks/repo.yml
new file mode 100644
index 0000000..135aeac
--- /dev/null
+++ b/terraform/ansible/roles/apt-repos/tasks/repo.yml
@@ -0,0 +1,28 @@
+- name: "apt-key add {{ item.key }} (key url)"
+ apt_key:
+ id: "{{ item.value.key_id }}"
+ url: "{{ item.value.key_url }}"
+ state: "{{ state }}"
+ when: item.value.key_url is defined and item.value.key_id is defined
+
+- name: "apt-key add {{ item.key }} (keyserver)"
+ apt_key:
+ id: "{{ item.value.key_id }}"
+ keyserver: "{{ item.value.keyserver }}"
+ state: "{{ state }}"
+ when: item.value.keyserver is defined and item.value.key_id is defined
+
+- name: "add repo {{ item.key }}"
+ when: item.value.url is defined and state == "present"
+ copy:
+ dest: "/etc/apt/sources.list.d/{{ item.key }}.list"
+ content: |
+ deb {{ item.value.url }} {{ item.value.distro }} {{ item.value.sections }}
+ notify: apt update
+
+- name: "remove repo {{ item.key }}"
+ when: state == "absent"
+ file:
+ path: "/etc/apt/sources.list.d/{{ item.key }}.list"
+ state: absent
+ notify: apt update
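Review bot: The key imported by the two `apt_key` tasks lands in apt's global trusted keyring, so a third-party vendor key added here can sign any repository on the host, including the Debian suites written by the `packages` role; the `deb` line in the `add repo` task carries no `[signed-by=...]` option to scope it. apt 1.1 and later (stretch, but not stock jessie, which the packages role still targets) honours per-source keyrings, so pass `keyring: "/usr/share/keyrings/{{ item.key }}.gpg"` to both `apt_key` tasks and write the source as `deb [signed-by=/usr/share/keyrings/{{ item.key }}.gpg] {{ item.value.url }} {{ item.value.distro }} {{ item.value.sections }}`. The `keyserver` path is plain HKP unless the configured server is an `hkps://` URL; since `id` is required alongside it, a short comment stating that the fingerprint is the trust anchor and that `key_url`/`keyserver` should be https/hkps would set expectations for whoever fills in `apt_repos`. `item.value.distro` and `item.value.sections` are used without a default, so an entry missing either renders a broken `deb` line instead of failing the task.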
diff --git a/terraform/ansible/roles/k3s/defaults/main.yml b/terraform/ansible/roles/k3s/defaults/main.yml
new file mode 100644
index 0000000..9731038
--- /dev/null
+++ b/terraform/ansible/roles/k3s/defaults/main.yml
@@ -0,0 +1 @@
+k3s__version: 0.7.0
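Review bot: The default is declared as `k3s__version`, but tasks/main.yml indexes the release table with `k3s_version` (single underscore), so this file never takes effect and the role fails with an undefined variable unless the inventory happens to set `k3s_version`. Rename one side so they agree, e.g. `k3s__version: "0.7.0"` here and `k3s__releases[k3s__version]` in the tasks. Quoting the version also guards against a future value YAML would read as a float (`"0.7"`).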
diff --git a/terraform/ansible/roles/k3s/handlers/main.yml b/terraform/ansible/roles/k3s/handlers/main.yml
new file mode 100644
index 0000000..206b14e
--- /dev/null
+++ b/terraform/ansible/roles/k3s/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: systemctl restart k3s
+ systemd:
+ unit: k3s
+ state: restarted
diff --git a/terraform/ansible/roles/k3s/tasks/main.yml b/terraform/ansible/roles/k3s/tasks/main.yml
new file mode 100644
index 0000000..0b7797a
--- /dev/null
+++ b/terraform/ansible/roles/k3s/tasks/main.yml
@@ -0,0 +1,39 @@
+- include_vars:
+ file: k3s_releases.yml
+
+- get_url:
+ url: "{{ k3s__releases[k3s_version][item].url }}"
+ dest: /usr/local/bin/k3s
+ checksum: "sha256:{{ k3s__releases[k3s_version][item].checksum }}"
+ mode: ugo=rx
+
+ with_items:
+ - k3s
+ notify: systemctl restart k3s
+
+- template:
+ src: "k3s.service.j2"
+ dest: "/etc/systemd/system/k3s.service"
+ notify: systemctl restart k3s
+
+- systemd:
+ unit: k3s
+ daemon_reload: yes
+ enabled: yes
+
+- meta: flush_handlers
+
+- when: k3s_role == 'master'
+ block:
+ - name: Wait for node-token
+ wait_for:
+ path: /var/lib/rancher/k3s/server/node-token
+
+ - name: Read node-token from master
+ slurp:
+ src: /var/lib/rancher/k3s/server/node-token
+ register: node_token
+
+ - name: Store Master node-token
+ set_fact:
+ node_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}"
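Review bot: The `slurp`/`set_fact` pair that reads `/var/lib/rancher/k3s/server/node-token` has no `no_log: true`, so the cluster join token is printed with `-v` and lands in any Ansible log file or callback output; mark both tasks `no_log: true`. The `k3s__releases[k3s_version]` lookup in `get_url` uses a different name from the `k3s__version` default, which raises an undefined-variable error unless `k3s_version` is set elsewhere in the inventory. Pinning the binary to a SHA-256 via `checksum:` is the right call; adding `owner: root` and `group: root` alongside `mode: ugo=rx` would make the intended ownership of `/usr/local/bin/k3s` explicit rather than inherited from the connection user.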
diff --git a/terraform/ansible/roles/k3s/templates/k3s.service.j2 b/terraform/ansible/roles/k3s/templates/k3s.service.j2
new file mode 100644
index 0000000..b1c5c54
--- /dev/null
+++ b/terraform/ansible/roles/k3s/templates/k3s.service.j2
@@ -0,0 +1,21 @@
+[Unit]
+After=network.target
+
+[Service]
+{% if k3s_role == 'master' %}
+ExecStartPre=-/sbin/modprobe br_netfilter
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/local/bin/k3s server
+{% else %}
+# TODO: this should use private_ip
+ExecStart=/usr/local/bin/k3s agent --server https://{{ hostvars['k8s-master']['ansible_host'] }}:6443 --token {{ hostvars['k8s-master']['node_token'] }}
+{% endif %}
+KillMode=process
+Delegate=yes
+LimitNOFILE=infinity
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+
+[Install]
+WantedBy=multi-user.target
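Review bot: The agent `ExecStart` line passes the join token as `--token ...` on the command line, so it is readable by every local user through `ps` and `/proc/*/cmdline` and through `systemctl show k3s`, and it is also baked into `/etc/systemd/system/k3s.service`, which the `template` task writes with a default world-readable mode. Keep the token out of argv: write it with a separate `copy` task (`mode: "0600"`, `no_log: true`) to a root-only file and reference that instead, e.g. `ExecStart=/usr/local/bin/k3s agent --server https://{{ hostvars['k8s-master']['ansible_host'] }}:6443 --token-file /etc/rancher/k3s/token` if the pinned 0.7.0 build accepts `--token-file`, otherwise `K3S_TOKEN` via an `EnvironmentFile=` with the same permissions. The `# TODO: this should use private_ip` comment means the agent currently joins over whatever `ansible_host` resolves to, which for cloud hosts is often the public address; that deserves tracking rather than an inline TODO. `After=network.target` does not wait for a usable address — `After=network-online.target` with `Wants=network-online.target` is the usual pairing for a unit that dials out at start.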
diff --git a/terraform/ansible/roles/k3s/vars/k3s_releases.yml b/terraform/ansible/roles/k3s/vars/k3s_releases.yml
new file mode 100644
index 0000000..52f599d
--- /dev/null
+++ b/terraform/ansible/roles/k3s/vars/k3s_releases.yml
@@ -0,0 +1,21 @@
+k3s__releases:
+ "0.6.0":
+ "hyperkube":
+ url: "https://github.com/rancher/k3s/releases/download/v0.6.0/hyperkube"
+ checksum: "7bb86be92335ebe5fc653d90b28575b7cb0f036b26a1c468ea7bc9d5eb2c302c"
+ "k3s":
+ url: "https://github.com/rancher/k3s/releases/download/v0.6.0/k3s"
+ checksum: "d1ffefe9fa8de45236c9394b5622c8e67319acda5b70ee8a83496325eeb27359"
+ "k3s-airgap-images-amd64.tar":
+ url: "https://github.com/rancher/k3s/releases/download/v0.6.0/k3s-airgap-images-amd64.tar"
+ checksum: "0ea5c7763d6f58294778ffa2fe4167f76f9cf2be0b6e3d15f9fda177838baa0b"
+ "0.7.0":
+ "hyperkube":
+ url: "https://github.com/rancher/k3s/releases/download/v0.7.0/hyperkube"
+ checksum: "96a07f3dfc1e53d8e12964936687ab70831ac5a15de49ed1c4126758acbe1e4b"
+ "k3s":
+ url: "https://github.com/rancher/k3s/releases/download/v0.7.0/k3s"
+ checksum: "b838785f81f4a8c7e4564769c4deae391439d6782170f6a03bee742dd39c4d3c"
+ "k3s-airgap-images-amd64.tar":
+ url: "https://github.com/rancher/k3s/releases/download/v0.7.0/k3s-airgap-images-amd64.tar"
+ checksum: "219f3bc8c9747a317362c948efb10b750233fcd751cb793fcb78d5b7b1449008"
diff --git a/terraform/ansible/roles/lusers/defaults/main.yml b/terraform/ansible/roles/lusers/defaults/main.yml
new file mode 100644
index 0000000..61602c5
--- /dev/null
+++ b/terraform/ansible/roles/lusers/defaults/main.yml
@@ -0,0 +1 @@
+lusers_authorized_keys_exclusive: no
diff --git a/terraform/ansible/roles/lusers/tasks/main.yml b/terraform/ansible/roles/lusers/tasks/main.yml
new file mode 100644
index 0000000..cb10845
--- /dev/null
+++ b/terraform/ansible/roles/lusers/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- become: yes
+ tags: lusers
+ vars:
+ usernames: "{{ users|dict2items|map(attribute='key')|list }}"
+ block:
+ - name: adduser
+ with_items: "{{ lusers }}"
+ user:
+ name: "{{ item }}"
+ shell: /bin/bash
+
+ - name: getent passwd
+ getent:
+ database: passwd
+
+ - name: disable user
+ with_items: "{{ usernames }}"
+ when: (item not in lusers) and (item in getent_passwd)
+ user:
+ name: "{{ item }}"
+ shell: /usr/sbin/nologin
+
+ - name: mkdir ~/.ssh
+ when: lusers_authorized_keys_exclusive
+ with_items: "{{ lusers }}"
+ file:
+ path: "~{{ item }}/.ssh"
+ state: directory
+ owner: "{{ item }}"
+ mode: 0700
+
+ - name: authorized_keys, exclusively managed by Ansible
+ copy:
+ dest: "/home/{{ item }}/.ssh/authorized_keys"
+ content: "{{ users[item].authorized_keys }}"
+ when: lusers_authorized_keys_exclusive
+ with_items: "{{ lusers }}"
+
+ - name: authorized_keys, shared management with Ansible
+ authorized_key:
+ user: "{{ item }}"
+ key: "{{ users[item].authorized_keys }}"
+ with_items: "{{ lusers }}"
+ when: not lusers_authorized_keys_exclusive
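Review bot: The `disable user` task only swaps the shell to `/usr/sbin/nologin`; the account's `authorized_keys` stay in place and the account is neither locked nor expired, so its key still authenticates and a session that requests no shell (`ssh -N -L ...`) keeps working as a port-forwarding foothold. Expire the account or remove the key in the same step, e.g. add `expires: 1` to that `user:` call, or pair it with `file: path=/home/{{ item }}/.ssh/authorized_keys state=absent`. The exclusive `copy` of `authorized_keys` sets no `owner`/`mode`, so the file is created root-owned with the default mode; set `owner: "{{ item }}"` and `mode: "0600"` to match the 0700 directory created just above it. The two tasks also disagree on how they locate the home directory (`~{{ item }}` vs `/home/{{ item }}`); use one form.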
diff --git a/terraform/ansible/roles/packages/defaults/main.yml b/terraform/ansible/roles/packages/defaults/main.yml
new file mode 100644
index 0000000..5c17ccd
--- /dev/null
+++ b/terraform/ansible/roles/packages/defaults/main.yml
@@ -0,0 +1,3 @@
+packages__enable_backports: no
+packages_packages:
+packages__version: "{{ ansible_distribution_release }}"
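Review bot: `packages_packages:` with no value is null, and the `install debian packages` task then calls `apt` with `name: null`, which the module rejects, so a host that relies on this default fails rather than installing nothing. Declare it as an empty list: `packages_packages: []`. The key also breaks the `packages__` prefix used by its two neighbours; `packages__packages` would be consistent, with the old name accepted as an alias if inventories already set it. `no` is read as a boolean here, which is the intent, but `false` is the unambiguous spelling.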
diff --git a/terraform/ansible/roles/packages/handlers/main.yml b/terraform/ansible/roles/packages/handlers/main.yml
new file mode 100644
index 0000000..0298ff9
--- /dev/null
+++ b/terraform/ansible/roles/packages/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: update apt cache
+ become: yes
+ apt:
+ update_cache: yes
diff --git a/terraform/ansible/roles/packages/tasks/main.yml b/terraform/ansible/roles/packages/tasks/main.yml
new file mode 100644
index 0000000..a6b990a
--- /dev/null
+++ b/terraform/ansible/roles/packages/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+- name: configure debian repositories
+ notify: update apt cache
+ copy:
+ dest: /etc/apt/sources.list
+ content: "{{ versions[packages__version] }}"
+ vars:
+ versions:
+ stretch: |
+ deb http://ftp.no.debian.org/debian/ stretch main contrib non-free
+ deb-src http://ftp.no.debian.org/debian/ stretch main contrib non-free
+
+ deb http://security.debian.org/debian-security stretch/updates main contrib non-free
+ deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free
+
+ deb http://ftp.no.debian.org/debian/ stretch-updates main contrib non-free
+ deb-src http://ftp.no.debian.org/debian/ stretch-updates main contrib non-free
+
+ {{ '' if packages__enable_backports else '#' }}deb http://ftp.no.debian.org/debian/ stretch-backports main contrib non-free
+ {{ '' if packages__enable_backports else '#' }}deb-src http://ftp.no.debian.org/debian/ stretch-backports main contrib non-free
+ jessie: |
+ deb http://ftp.no.debian.org/debian/ jessie main contrib non-free
+ deb-src http://ftp.no.debian.org/debian/ jessie main contrib non-free
+
+ deb http://security.debian.org/debian-security jessie/updates main contrib non-free
+ deb-src http://security.debian.org/debian-security jessie/updates main contrib non-free
+
+ deb http://ftp.no.debian.org/debian/ jessie-updates main contrib non-free
+ deb-src http://ftp.no.debian.org/debian/ jessie-updates main contrib non-free
+
+ {{ '' if packages__enable_backports else '#' }}deb http://ftp.no.debian.org/debian/ jessie-backports main contrib non-free
+ {{ '' if packages__enable_backports else '#' }}deb-src http://ftp.no.debian.org/debian/ jessie-backports main contrib non-free
+ unstable: |
+ deb http://ftp.no.debian.org/debian/ unstable main contrib non-free
+ deb-src http://ftp.no.debian.org/debian/ unstable main contrib non-free
+ sid: |
+ deb http://ftp.no.debian.org/debian/ sid main contrib non-free
+ deb-src http://ftp.no.debian.org/debian/ sid main contrib non-free
+
+- name: Enable backports repository by default
+ when: packages__enable_backports
+ copy:
+ dest: /etc/apt/preferences.d/bitraf-packages
+ content: |
+ Package: *
+ Pin: release a=stretch-backports
+ Pin-Priority: 500
+
+- meta: flush_handlers
+
+- name: install debian packages
+ apt:
+ name: "{{ packages_packages }}"
+ install_recommends: no
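Review bot: The backports pin written by `Enable backports repository by default` hard-codes `a=stretch-backports` while the sources list is chosen by `packages__version`, so with `packages__version: jessie` the pin matches nothing and backports are enabled but never preferred. Use `Pin: release a={{ packages__version }}-backports` and skip the task for `unstable`/`sid`, which have no backports suite. Priority 500 puts backports on equal footing with stable, so every package with a newer backport is pulled from it on the next upgrade; Debian's own default for backports is 100, so that policy choice deserves a comment in the task. All mirrors are plain `http://` — apt's signature checks still protect integrity, but the package list is visible on the wire, and `apt-transport-https` (installed by the apt-repos role) makes switching the `deb` lines to `https://` straightforward where the mirror supports it.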
diff --git a/terraform/ansible/roles/superusers/tasks/adjust-group.yml b/terraform/ansible/roles/superusers/tasks/adjust-group.yml
new file mode 100644
index 0000000..32666ad
--- /dev/null
+++ b/terraform/ansible/roles/superusers/tasks/adjust-group.yml
@@ -0,0 +1,21 @@
+- vars:
+ members: "{{ getent_group[group][2].split(',') if group in getent_group else [] }}"
+ to_add: "{{ usernames | intersect(superusers) | difference(members) }}"
+ to_remove: "{{ members | difference(superusers) }}"
+ tags: superusers
+ block:
+ - debug: var=group
+ - debug: var=to_add
+ - debug: var=to_remove
+
+ - name: gpasswd --add
+ with_items: "{{ to_add }}"
+ when: (item|length) > 0
+ become: yes
+ shell: "gpasswd --add {{ item }} {{ group }}"
+
+ - name: gpasswd --delete
+ with_items: "{{ to_remove }}"
+ when: (item|length) > 0
+ become: yes
+ shell: "gpasswd --delete {{ item }} {{ group }}"
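Review bot: Both `gpasswd` tasks build a root shell command by interpolating `item` and `group`; `to_remove` is derived from the managed host's own `/etc/group` via `getent_group`, so a name planted there is evaluated by `/bin/sh` under `become`. Use `command:` instead of `shell:` and quote the arguments: `command: gpasswd --delete {{ item | quote }} {{ group | quote }}` (and the same for `--add`). The three `debug` tasks print on every run and could be dropped or given `verbosity: 1`. The `(item|length) > 0` guard exists because `''.split(',')` yields `['']` for a group with no members — a one-line comment saying so would spare the next reader the puzzle.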
diff --git a/terraform/ansible/roles/superusers/tasks/main.yml b/terraform/ansible/roles/superusers/tasks/main.yml
new file mode 100644
index 0000000..70623a0
--- /dev/null
+++ b/terraform/ansible/roles/superusers/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+- tags: superusers
+ block:
+ - name: getent passwd
+ getent:
+ database: passwd
+
+ - name: getent group
+ getent:
+ database: group
+
+# NOTE: Accounts are added by the luser module.
+- tags: superusers
+ vars:
+ usernames: "{{ users|dict2items|map(attribute='key')|list }}"
+ unix_groups:
+ - sudo
+ - systemd-journal
+ with_items: "{{ unix_groups }}"
+ loop_control:
+ loop_var: group
+ include_tasks: adjust-group.yml
+
+- name: "Allow 'sudo' group to have passwordless sudo"
+ tags: superusers
+ become: yes
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^%sudo'
+ line: '%sudo ALL=(ALL) NOPASSWD: ALL'
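Review bot: The `lineinfile` edit of `/etc/sudoers` has no `validate:`, so a malformed line (or a future change to `line:`) leaves sudoers unparsable and locks every admin out of root until someone has console access; add `validate: '/usr/sbin/visudo -cf %s'` to the task. The line grants `NOPASSWD: ALL` to the whole `sudo` group, replacing Debian's default `%sudo ALL=(ALL:ALL) ALL`, so any compromised key of a listed user is immediate root with no second check — if that is the intended trade-off for key-only hosts, state it in a comment and keep group membership tightly managed by adjust-group.yml. `regexp: '^%sudo'` would also match a `%sudo-admins`-style line; `'^%sudo\s'` is the precise anchor.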