From 67f5d1008eef96f13dbf8910092155b7aa1bcee4 Mon Sep 17 00:00:00 2001 
From: Trygve Laugstøl Date: Tue, 23 Jul 2019 13:17:56 +0200 Subject: o Merging in Terraform setup. --- terraform/ansible/Makefile | 9 ++ terraform/ansible/all.yml | 35 +++++ terraform/ansible/ansible.cfg | 12 ++ terraform/ansible/dashboard-adminuser.yaml | 21 +++ terraform/ansible/group_vars/all/apt-repos.yml | 8 + terraform/ansible/group_vars/all/k3s.yml | 1 + terraform/ansible/group_vars/all/packages.yml | 5 + terraform/ansible/group_vars/all/users.yml | 17 +++ terraform/ansible/inventory | 9 ++ terraform/ansible/k3s-refresh-releases | 33 +++++ terraform/ansible/kubernetes-dashboard.yaml | 162 +++++++++++++++++++++ terraform/ansible/ping.yml | 4 + terraform/ansible/requirements.txt | 1 + .../ansible/roles/apt-repos/defaults/main.yml | 1 + .../ansible/roles/apt-repos/handlers/main.yml | 3 + terraform/ansible/roles/apt-repos/tasks/main.yml | 10 ++ terraform/ansible/roles/apt-repos/tasks/repo.yml | 28 ++++ terraform/ansible/roles/k3s/defaults/main.yml | 1 + terraform/ansible/roles/k3s/handlers/main.yml | 4 + terraform/ansible/roles/k3s/tasks/main.yml | 39 +++++ .../ansible/roles/k3s/templates/k3s.service.j2 | 21 +++ terraform/ansible/roles/k3s/vars/k3s_releases.yml | 21 +++ terraform/ansible/roles/lusers/defaults/main.yml | 1 + terraform/ansible/roles/lusers/tasks/main.yml | 45 ++++++ terraform/ansible/roles/packages/defaults/main.yml | 3 + terraform/ansible/roles/packages/handlers/main.yml | 5 + terraform/ansible/roles/packages/tasks/main.yml | 54 +++++++ .../roles/superusers/tasks/adjust-group.yml | 21 +++ terraform/ansible/roles/superusers/tasks/main.yml | 31 ++++ 29 files changed, 605 insertions(+) create mode 100644 terraform/ansible/Makefile create mode 100644 terraform/ansible/all.yml create mode 100644 terraform/ansible/ansible.cfg create mode 100644 terraform/ansible/dashboard-adminuser.yaml create mode 100644 terraform/ansible/group_vars/all/apt-repos.yml create mode 100644 terraform/ansible/group_vars/all/k3s.yml create mode 100644 
terraform/ansible/group_vars/all/packages.yml create mode 100644 terraform/ansible/group_vars/all/users.yml create mode 100755 terraform/ansible/inventory create mode 100755 terraform/ansible/k3s-refresh-releases create mode 100644 terraform/ansible/kubernetes-dashboard.yaml create mode 100644 terraform/ansible/ping.yml create mode 100644 terraform/ansible/requirements.txt create mode 100644 terraform/ansible/roles/apt-repos/defaults/main.yml create mode 100644 terraform/ansible/roles/apt-repos/handlers/main.yml create mode 100644 terraform/ansible/roles/apt-repos/tasks/main.yml create mode 100644 terraform/ansible/roles/apt-repos/tasks/repo.yml create mode 100644 terraform/ansible/roles/k3s/defaults/main.yml create mode 100644 terraform/ansible/roles/k3s/handlers/main.yml create mode 100644 terraform/ansible/roles/k3s/tasks/main.yml create mode 100644 terraform/ansible/roles/k3s/templates/k3s.service.j2 create mode 100644 terraform/ansible/roles/k3s/vars/k3s_releases.yml create mode 100644 terraform/ansible/roles/lusers/defaults/main.yml create mode 100644 terraform/ansible/roles/lusers/tasks/main.yml create mode 100644 terraform/ansible/roles/packages/defaults/main.yml create mode 100644 terraform/ansible/roles/packages/handlers/main.yml create mode 100644 terraform/ansible/roles/packages/tasks/main.yml create mode 100644 terraform/ansible/roles/superusers/tasks/adjust-group.yml create mode 100644 terraform/ansible/roles/superusers/tasks/main.yml (limited to 'terraform/ansible') diff --git a/terraform/ansible/Makefile b/terraform/ansible/Makefile new file mode 100644 index 0000000..99574dc --- /dev/null +++ b/terraform/ansible/Makefile @@ -0,0 +1,9 @@ +all: pip-install + +env: + virtualenv -p python3 env + +pip-install: env/.pip-install.cookie +env/.pip-install.cookie: requirements.txt | env + env/bin/pip install -r $< + @touch "$@" diff --git a/terraform/ansible/all.yml b/terraform/ansible/all.yml new file mode 100644 index 0000000..8ba47b7 --- /dev/null 
+++ b/terraform/ansible/all.yml @@ -0,0 +1,35 @@ +- hosts: + - all + roles: + - role: packages + tags: packages + become: yes + - role: lusers + tags: lusers + become: yes + - role: superusers + tags: superusers + become: yes + - role: apt-repos + tags: apt-repos + become: yes + +- hosts: + k8s-master + tags: k3s, k8s + roles: + - role: k3s + tags: k3s + become: yes + vars: + k3s_role: master + +- hosts: + k8s-nodes + tags: k3s, k8s + roles: + - role: k3s + tags: k3s + become: yes + vars: + k3s_role: node diff --git a/terraform/ansible/ansible.cfg b/terraform/ansible/ansible.cfg new file mode 100644 index 0000000..c04b015 --- /dev/null +++ b/terraform/ansible/ansible.cfg @@ -0,0 +1,12 @@ +[defaults] +become_method = sudo +inventory = ./inventory +stdout_callback = debug +#vault_password_file = vault-password +retry_files_save_path = .retry + +#https://stackoverflow.com/questions/32297456/how-to-ignore-ansible-ssh-authenticity-checking +host_key_checking = False + +strategy_plugins = env/lib/python3.7/site-packages/ansible_mitogen/plugins/strategy +strategy = mitogen_linear diff --git a/terraform/ansible/dashboard-adminuser.yaml b/terraform/ansible/dashboard-adminuser.yaml new file mode 100644 index 0000000..30e8122 --- /dev/null +++ b/terraform/ansible/dashboard-adminuser.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: admin-user + namespace: kube-system + + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: admin-user +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: admin-user + namespace: kube-system diff --git a/terraform/ansible/group_vars/all/apt-repos.yml b/terraform/ansible/group_vars/all/apt-repos.yml new file mode 100644 index 0000000..4f47512 --- /dev/null +++ b/terraform/ansible/group_vars/all/apt-repos.yml 
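Review bot: `host_key_checking = False` turns off SSH host-key verification for every play, so anyone positioned between the operator and the public addresses in the inventory can impersonate a node and relay the whole privileged (become/sudo) session. Because Terraform provisions these hosts, the better fix is to record their host keys rather than disable the check: drop the line and seed `~/.ssh/known_hosts`, or a committed file selected with `ssh_args = -o UserKnownHostsFile=./known_hosts` under `[ssh_connection]`, from the provider's console or a one-time out-of-band scan. Separately, `stdout_callback = debug` prints complete task results, so any task in this setup that registers a secret (the k3s node-token slurp in this patch) leaks it to the terminal and CI logs unless that task sets `no_log: true`.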
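Review bot: Binding the `admin-user` ServiceAccount to `cluster-admin` creates a permanent, unscoped credential: on this Kubernetes generation the account's token is auto-provisioned as a Secret in kube-system, and that bearer token is what gets pasted into the dashboard login, so anyone who can read the Secret or hijack a dashboard session owns the cluster. If the dashboard is only needed for looking at workloads, bind a narrower ClusterRole (`name: view` in the roleRef) instead, and keep the dashboard Service ClusterIP-only as the vendored manifest has it so it stays reachable only through `kubectl proxy`/port-forward. If full cluster-admin is intentional, a one-line comment above the binding saying so (`# intentionally cluster-admin: single-operator lab cluster`) tells the next reader it is not an oversight.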
@@ -0,0 +1,8 @@ +apt_repos: + kubernetes: + state: present + url: http://apt.kubernetes.io/ + distro: "kubernetes-{{ ansible_distribution_release }}" + sections: main + key_id: 54A647F9048D5688D7DA2ABE6A030B21BA07F4FB + keyserver: hkp://keyserver.ubuntu.com:80 diff --git a/terraform/ansible/group_vars/all/k3s.yml b/terraform/ansible/group_vars/all/k3s.yml new file mode 100644 index 0000000..2efb8dc --- /dev/null +++ b/terraform/ansible/group_vars/all/k3s.yml @@ -0,0 +1 @@ +k3s_version: 0.7.0 diff --git a/terraform/ansible/group_vars/all/packages.yml b/terraform/ansible/group_vars/all/packages.yml new file mode 100644 index 0000000..9e97fd6 --- /dev/null +++ b/terraform/ansible/group_vars/all/packages.yml @@ -0,0 +1,5 @@ +packages__packages_all: + - git + - etckeeper + +packages_packages: "{{ packages__packages_all }}" diff --git a/terraform/ansible/group_vars/all/users.yml b/terraform/ansible/group_vars/all/users.yml new file mode 100644 index 0000000..6cec1e3 --- /dev/null +++ b/terraform/ansible/group_vars/all/users.yml @@ -0,0 +1,17 @@ +users: + trygvis: + authorized_keys: | + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX+sVfRvl0+KxsDlbIutyB/Es3exTwNfDVHwi9orwz3 trygvis@birgitte + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAzB6JB/hZ87M6ozsd7lgKxgOacEOZZRxa4ucs11lqq trygvis@conflatorio + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/Xrsk69KhaXdHPcbBoCbqlQ2DXmx77OnkLAk22ui5m trygvis@malabaricus + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPKXVnzqo+JTVNrt3p0LGeH59DPMc9WkVMXO3wpAyTH6 trygvis@akili + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3UZyrbXX7WMHqcZCRspkoSIfB6egrbOxXPf1zyZkAw trygvis@arius-v4 + + authorized_keys_absent: + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpWssvnarp8O/oN86VDlLxUHAYHSKbdhXpe1s0hWkX5 trygvis@fuckaduck + +lusers: + - trygvis + +superusers: + - trygvis diff --git a/terraform/ansible/inventory b/terraform/ansible/inventory new file mode 100755 index 0000000..9c92aff --- /dev/null +++ b/terraform/ansible/inventory 
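Review bot: The Kubernetes repository is configured over plain HTTP (`url: http://apt.kubernetes.io/`) and its signing key is fetched over unauthenticated HKP on port 80, even though the apt-repos role installs `apt-transport-https` that this entry then never uses. Apt's signature check still protects package contents, but the plaintext channel reveals which packages each node installs and leaves the pinned fingerprint as the only thing standing between a spoofed keyserver and the trust store. Use `url: https://apt.kubernetes.io/` and supply the key through the role's `key_url` option from an HTTPS source instead of `keyserver`; the 40-hex `key_id` is already the full fingerprint, so keep it as the pin in either case.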
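Review bot: `authorized_keys_absent` lists a key to revoke (`trygvis@fuckaduck`), but nothing in the lusers role reads that field — its tasks only consume `users[item].authorized_keys` — so with the default `lusers_authorized_keys_exclusive: no` the old key remains valid on every host after this run. Either add a task in the lusers role that loops over `users[item].authorized_keys_absent | default([])` with `authorized_key` and `state: absent`, or document that revocation only happens in exclusive mode. A comment on the field, `# keys to remove from the account; must be honoured by the lusers role`, would make the intended contract visible.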
@@ -0,0 +1,9 @@ +k8s-master ansible_host=51.158.110.170 +k8s-node0 ansible_host=51.15.201.150 +k8s-node1 ansible_host=163.172.174.68 +k8s-node2 ansible_host=51.158.96.79 + +[k8s-nodes] +k8s-node0 +k8s-node1 +k8s-node2 diff --git a/terraform/ansible/k3s-refresh-releases b/terraform/ansible/k3s-refresh-releases new file mode 100755 index 0000000..ba8f7d6 --- /dev/null +++ b/terraform/ansible/k3s-refresh-releases @@ -0,0 +1,33 @@ +#!/bin/bash + +set -ueo pipefail +set -x + +#curl https://api.github.com/repos/rancher/k3s/releases > releases.json + +#function search { +# file=$1; shift +# checksum=$1; shift +# prog='.[]| {tag_name, assets:(.assets|.[]|{name,url:.browser_download_url} | select(.name==$file or .name==$checksum )) }' +# prog="$prog |[.tag_name,.assets.name,.assets.url]" +# cat releases.json |jq -r --arg file $file --arg checksum $checksum "$prog|@sh" +#} +# +#search k3s sha256sum-amd64.txt | while read file file_url checksum checksum_url + +function dl() { + v=$1; shift + echo " \"$v\":" + curl -s -L https://github.com/rancher/k3s/releases/download/v$v/sha256sum-amd64.txt | while read checksum file + do + url="https://github.com/rancher/k3s/releases/download/v$v/$file" + echo " \"$file\":" + echo " url: \"$url\"" + echo " checksum: \"$checksum\"" + done +} + +releases=ansible/roles/k3s/vars/k3s_releases.yml +echo "k3s__releases:" > $releases +dl 0.6.0 >> $releases +dl 0.7.0 >> $releases diff --git a/terraform/ansible/kubernetes-dashboard.yaml b/terraform/ansible/kubernetes-dashboard.yaml new file mode 100644 index 0000000..ee6977b --- /dev/null +++ b/terraform/ansible/kubernetes-dashboard.yaml 
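Review bot: Every host is addressed only by its public IP, and the k3s role joins agents to `hostvars['k8s-master']['ansible_host']`, so the master's API/supervisor port 6443 has to be reachable from the internet for the cluster to form at all. If the provider gives these instances a private network, carry it in the inventory (e.g. `k8s-master ansible_host=51.158.110.170 private_ip=<addr>`) so the join can use it, and restrict 6443 on the public interface with the provider's firewall. The agent-side `--server` template already carries a `TODO: this should use private_ip`, so this is the missing half of that change.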
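Review bot: `curl -s -L` without `--fail` exits 0 on an HTTP error, so a 404 for a mistyped version streams GitHub's HTML error page into the `while read checksum file` loop and writes bogus url/checksum pairs into `k3s_releases.yml`; `set -e` and `pipefail` cannot catch that. Use `curl -fsSL` and bail out if the loop consumed no lines, so a failed fetch aborts the regeneration instead of silently corrupting the pin file. Note that the checksum file comes from the same GitHub release as the binaries, so it verifies download integrity, not authenticity — the actual trust anchor is whoever reviews the regenerated file before committing it; a comment saying so at the top of the script would be useful. The output path `ansible/roles/k3s/vars/k3s_releases.yml` is relative to `terraform/`, one level above where the script lives, which also deserves a comment or a `cd "$(dirname "$0")/.."`.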
@@ -0,0 +1,162 @@ +# Copyright 2017 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ------------------- Dashboard Secret ------------------- # + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-certs + namespace: kube-system +type: Opaque + +--- +# ------------------- Dashboard Service Account ------------------- # + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system + +--- +# ------------------- Dashboard Role & Role Binding ------------------- # + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kubernetes-dashboard-minimal + namespace: kube-system +rules: + # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] + # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. +- apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. 
+- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + # Allow Dashboard to get metrics from heapster. +- apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster"] + verbs: ["proxy"] +- apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:"] + verbs: ["get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubernetes-dashboard-minimal + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-dashboard-minimal +subjects: +- kind: ServiceAccount + name: kubernetes-dashboard + namespace: kube-system + +--- +# ------------------- Dashboard Deployment ------------------- # + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: kubernetes-dashboard + template: + metadata: + labels: + k8s-app: kubernetes-dashboard + spec: + containers: + - name: kubernetes-dashboard + image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + # Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. 
+ # - --apiserver-host=http://my-address:port + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumes: + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} + serviceAccountName: kubernetes-dashboard + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + +--- +# ------------------- Dashboard Service ------------------- # + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard diff --git a/terraform/ansible/ping.yml b/terraform/ansible/ping.yml new file mode 100644 index 0000000..c6ade2b --- /dev/null +++ b/terraform/ansible/ping.yml @@ -0,0 +1,4 @@ +- hosts: + - all + tasks: + - debug: msg=Hello diff --git a/terraform/ansible/requirements.txt b/terraform/ansible/requirements.txt new file mode 100644 index 0000000..5eed6b2 --- /dev/null +++ b/terraform/ansible/requirements.txt @@ -0,0 +1 @@ +mitogen==0.2.3 diff --git a/terraform/ansible/roles/apt-repos/defaults/main.yml b/terraform/ansible/roles/apt-repos/defaults/main.yml new file mode 100644 index 0000000..80975f0 --- /dev/null +++ b/terraform/ansible/roles/apt-repos/defaults/main.yml @@ -0,0 +1 @@ +apt_repos: diff --git a/terraform/ansible/roles/apt-repos/handlers/main.yml b/terraform/ansible/roles/apt-repos/handlers/main.yml new file mode 100644 index 0000000..2401293 --- /dev/null +++ b/terraform/ansible/roles/apt-repos/handlers/main.yml @@ -0,0 +1,3 @@ +- name: apt update + apt: + update_cache: true 
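Review bot: Only `mitogen==0.2.3` is pinned; Ansible itself is absent from this file even though the Makefile builds a dedicated virtualenv and `ansible.cfg` hard-codes the mitogen plugin path inside it, so whichever `ansible` happens to be first on PATH is paired with this mitogen and the two are never pinned against each other. Add a pinned `ansible==<version>` line, and consider installing with `--require-hashes` and `--hash=sha256:...` entries so the virtualenv build is reproducible and tamper-evident.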
diff --git a/terraform/ansible/roles/apt-repos/tasks/main.yml b/terraform/ansible/roles/apt-repos/tasks/main.yml new file mode 100644 index 0000000..de51cb3 --- /dev/null +++ b/terraform/ansible/roles/apt-repos/tasks/main.yml @@ -0,0 +1,10 @@ +- apt: + name: + - apt-transport-https + install_recommends: no + +- with_dict: "{{ apt_repos|default('[]') }}" + include_tasks: repo.yml + vars: + state: "{{ item.value.state | default('present') }}" + diff --git a/terraform/ansible/roles/apt-repos/tasks/repo.yml b/terraform/ansible/roles/apt-repos/tasks/repo.yml new file mode 100644 index 0000000..135aeac --- /dev/null +++ b/terraform/ansible/roles/apt-repos/tasks/repo.yml @@ -0,0 +1,28 @@ +- name: "apt-key add {{ item.key }} (key url)" + apt_key: + id: "{{ item.value.key_id }}" + url: "{{ item.value.key_url }}" + state: "{{ state }}" + when: item.value.key_url is defined and item.value.key_id is defined + +- name: "apt-key add {{ item.key }} (keyserver)" + apt_key: + id: "{{ item.value.key_id }}" + keyserver: "{{ item.value.keyserver }}" + state: "{{ state }}" + when: item.value.keyserver is defined and item.value.key_id is defined + +- name: "add repo {{ item.key }}" + when: item.value.url is defined and state == "present" + copy: + dest: "/etc/apt/sources.list.d/{{ item.key }}.list" + content: | + deb {{ item.value.url }} {{ item.value.distro }} {{ item.value.sections }} + notify: apt update + +- name: "remove repo {{ item.key }}" + when: state == "absent" + file: + path: "/etc/apt/sources.list.d/{{ item.key }}.list" + state: absent + notify: apt update diff --git a/terraform/ansible/roles/k3s/defaults/main.yml b/terraform/ansible/roles/k3s/defaults/main.yml new file mode 100644 index 0000000..9731038 --- /dev/null +++ b/terraform/ansible/roles/k3s/defaults/main.yml @@ -0,0 +1 @@ +k3s__version: 0.7.0 diff --git a/terraform/ansible/roles/k3s/handlers/main.yml b/terraform/ansible/roles/k3s/handlers/main.yml new file mode 100644 index 0000000..206b14e --- /dev/null 
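Review bot: The loop `with_dict: "{{ apt_repos|default('[]') }}"` does not cope with the role's own default — `defaults/main.yml` sets `apt_repos:` to null, and `default()` only substitutes for undefined variables — so on any host that does not define `apt_repos` in group_vars the task fails with a with_dict type error instead of doing nothing (and the fallback `'[]'` is a string, not a dict, anyway). Set the default to an empty mapping (`apt_repos: {}`) and write the loop as `with_dict: "{{ apt_repos | default({}, true) }}"` so both null and undefined mean "no repositories". The `apt` task also has no `name`; `name: install apt-transport-https` keeps play output readable.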
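Review bot: The `deb` line written to `/etc/apt/sources.list.d/{{ item.key }}.list` carries no `[signed-by=...]`, and `apt_key` imports into apt's global trusted keyring, so a third-party key added here is trusted for every repository on the host, not just the one it was fetched for. Download the key to its own keyring (`/usr/share/keyrings/{{ item.key }}.gpg`) and emit `deb [signed-by=/usr/share/keyrings/{{ item.key }}.gpg] {{ item.value.url }} {{ item.value.distro }} {{ item.value.sections }}`; this scopes the trust and removes the dependency on `apt-key`, which later apt releases deprecate. The `copy` task also sets no `mode`; `mode: '0644'` makes the sources file's permissions explicit instead of umask-dependent.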
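Review bot: The default is named `k3s__version` (double underscore) but every consumer reads `k3s_version` — `tasks/main.yml` indexes `k3s__releases[k3s_version]` and `group_vars/all/k3s.yml` sets `k3s_version` — so this default is dead, and the role fails with an undefined variable if the group_vars file is ever dropped. Rename it to `k3s_version: "0.7.0"` (quoted: version strings are safer as strings), or switch the tasks to the double-underscore name, and use one convention throughout the role.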
+++ b/terraform/ansible/roles/k3s/handlers/main.yml @@ -0,0 +1,4 @@ +- name: systemctl restart k3s + systemd: + unit: k3s + state: restarted diff --git a/terraform/ansible/roles/k3s/tasks/main.yml b/terraform/ansible/roles/k3s/tasks/main.yml new file mode 100644 index 0000000..0b7797a --- /dev/null +++ b/terraform/ansible/roles/k3s/tasks/main.yml @@ -0,0 +1,39 @@ +- include_vars: + file: k3s_releases.yml + +- get_url: + url: "{{ k3s__releases[k3s_version][item].url }}" + dest: /usr/local/bin/k3s + checksum: "sha256:{{ k3s__releases[k3s_version][item].checksum }}" + mode: ugo=rx + + with_items: + - k3s + notify: systemctl restart k3s + +- template: + src: "k3s.service.j2" + dest: "/etc/systemd/system/k3s.service" + notify: systemctl restart k3s + +- systemd: + unit: k3s + daemon_reload: yes + enabled: yes + +- meta: flush_handlers + +- when: k3s_role == 'master' + block: + - name: Wait for node-token + wait_for: + path: /var/lib/rancher/k3s/server/node-token + + - name: Read node-token from master + slurp: + src: /var/lib/rancher/k3s/server/node-token + register: node_token + + - name: Store Master node-token + set_fact: + node_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" diff --git a/terraform/ansible/roles/k3s/templates/k3s.service.j2 b/terraform/ansible/roles/k3s/templates/k3s.service.j2 new file mode 100644 index 0000000..b1c5c54 --- /dev/null +++ b/terraform/ansible/roles/k3s/templates/k3s.service.j2 
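Review bot: The node-token read by `slurp` and stored by `set_fact` is the cluster join secret, and with `stdout_callback = debug` in `ansible.cfg` the full base64 result of that task is printed to the operator's terminal and any CI log. Add `no_log: true` to both the `Read node-token from master` and `Store Master node-token` tasks. The `systemd` task enables the unit but never sets `state: started`, and the handler only fires when the binary or unit file changes, so a k3s service that is stopped on an otherwise unchanged host is never brought back up — add `state: started`. The `get_url` task also lacks a `name`; `name: install k3s binary` would help the play output.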
@@ -0,0 +1,21 @@ +[Unit] +After=network.target + +[Service] +{% if k3s_role == 'master' %} +ExecStartPre=-/sbin/modprobe br_netfilter +ExecStartPre=-/sbin/modprobe overlay +ExecStart=/usr/local/bin/k3s server +{% else %} +# TODO: this should use private_ip +ExecStart=/usr/local/bin/k3s agent --server https://{{ hostvars['k8s-master']['ansible_host'] }}:6443 --token {{ hostvars['k8s-master']['node_token'] }} +{% endif %} +KillMode=process +Delegate=yes +LimitNOFILE=infinity +LimitNPROC=infinity +LimitCORE=infinity +TasksMax=infinity + +[Install] +WantedBy=multi-user.target diff --git a/terraform/ansible/roles/k3s/vars/k3s_releases.yml b/terraform/ansible/roles/k3s/vars/k3s_releases.yml new file mode 100644 index 0000000..52f599d --- /dev/null +++ b/terraform/ansible/roles/k3s/vars/k3s_releases.yml @@ -0,0 +1,21 @@ +k3s__releases: + "0.6.0": + "hyperkube": + url: "https://github.com/rancher/k3s/releases/download/v0.6.0/hyperkube" + checksum: "7bb86be92335ebe5fc653d90b28575b7cb0f036b26a1c468ea7bc9d5eb2c302c" + "k3s": + url: "https://github.com/rancher/k3s/releases/download/v0.6.0/k3s" + checksum: "d1ffefe9fa8de45236c9394b5622c8e67319acda5b70ee8a83496325eeb27359" + "k3s-airgap-images-amd64.tar": + url: "https://github.com/rancher/k3s/releases/download/v0.6.0/k3s-airgap-images-amd64.tar" + checksum: "0ea5c7763d6f58294778ffa2fe4167f76f9cf2be0b6e3d15f9fda177838baa0b" + "0.7.0": + "hyperkube": + url: "https://github.com/rancher/k3s/releases/download/v0.7.0/hyperkube" + checksum: "96a07f3dfc1e53d8e12964936687ab70831ac5a15de49ed1c4126758acbe1e4b" + "k3s": + url: "https://github.com/rancher/k3s/releases/download/v0.7.0/k3s" + checksum: "b838785f81f4a8c7e4564769c4deae391439d6782170f6a03bee742dd39c4d3c" + "k3s-airgap-images-amd64.tar": + url: "https://github.com/rancher/k3s/releases/download/v0.7.0/k3s-airgap-images-amd64.tar" + checksum: "219f3bc8c9747a317362c948efb10b750233fcd751cb793fcb78d5b7b1449008" 
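Review bot: On agent nodes the join token is rendered into `ExecStart=... --token {{ hostvars['k8s-master']['node_token'] }}`, so it is visible to every local user via `ps` and `/proc/*/cmdline`, and the unit file itself is written by the `template` task without a `mode`, which under the usual umask leaves it world-readable too. Write the token to a root-only file and pass it by reference instead — k3s agent accepts `--token-file` / `K3S_TOKEN_FILE` in current releases; confirm it exists in 0.7.0 — or at minimum move it into an `EnvironmentFile=` installed with `mode: '0600'`. The template also assumes the master play ran in the same invocation, since `node_token` is a runtime fact; running with `--limit k8s-nodes` fails with an undefined variable, which is worth a comment at the top of the agent branch (`{# requires the k8s-master play to have run in this invocation #}`). `After=network.target` without `Wants=network-online.target` and with no `Restart=` also differs from the unit k3s ships, so a restart policy for the agent is worth considering.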
diff --git a/terraform/ansible/roles/lusers/defaults/main.yml b/terraform/ansible/roles/lusers/defaults/main.yml new file mode 100644 index 0000000..61602c5 --- /dev/null +++ b/terraform/ansible/roles/lusers/defaults/main.yml @@ -0,0 +1 @@ +lusers_authorized_keys_exclusive: no diff --git a/terraform/ansible/roles/lusers/tasks/main.yml b/terraform/ansible/roles/lusers/tasks/main.yml new file mode 100644 index 0000000..cb10845 --- /dev/null +++ b/terraform/ansible/roles/lusers/tasks/main.yml @@ -0,0 +1,45 @@ +--- +- become: yes + tags: lusers + vars: + usernames: "{{ users|dict2items|map(attribute='key')|list }}" + block: + - name: adduser + with_items: "{{ lusers }}" + user: + name: "{{ item }}" + shell: /bin/bash + + - name: getent passwd + getent: + database: passwd + + - name: disable user + with_items: "{{ usernames }}" + when: (item not in lusers) and (item in getent_passwd) + user: + name: "{{ item }}" + shell: /usr/sbin/nologin + + - name: mkdir ~/.ssh + when: lusers_authorized_keys_exclusive + with_items: "{{ lusers }}" + file: + path: "~{{ item }}/.ssh" + state: directory + owner: "{{ item }}" + mode: 0700 + + - name: authorized_keys, exclusively managed by Ansible + copy: + dest: "/home/{{ item }}/.ssh/authorized_keys" + content: "{{ users[item].authorized_keys }}" + when: lusers_authorized_keys_exclusive + with_items: "{{ lusers }}" + + - name: authorized_keys, shared management with Ansible + authorized_key: + user: "{{ item }}" + key: "{{ users[item].authorized_keys }}" + with_items: "{{ lusers }}" + when: not lusers_authorized_keys_exclusive diff --git a/terraform/ansible/roles/packages/defaults/main.yml b/terraform/ansible/roles/packages/defaults/main.yml new file mode 100644 index 0000000..5c17ccd --- /dev/null +++ b/terraform/ansible/roles/packages/defaults/main.yml @@ -0,0 +1,3 @@ +packages__enable_backports: no +packages_packages: +packages__version: "{{ ansible_distribution_release }}" 
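Review bot: Key revocation is not implemented here: `users.*.authorized_keys_absent` is never read, and in the default non-exclusive mode (`lusers_authorized_keys_exclusive: no`) `authorized_key` only adds keys, so a key listed for removal stays accepted on every host. Add a task that loops over the absent list with `state: absent`, as below. In exclusive mode the `copy` task writes `authorized_keys` as root with the default umask and no `owner`; set `owner: "{{ item }}"` and `mode: '0600'` so the file satisfies sshd's StrictModes and ownership checks. The `disable user` task only swaps the shell to `nologin`, which still lets the account authenticate (for example for port forwarding with `ssh -N`), so presumably it should also lock the password and drop the keys — confirm the intent.

```yaml
- name: authorized_keys, remove revoked keys
  authorized_key:
    user: "{{ item }}"
    key: "{{ users[item].authorized_keys_absent | default([]) | join('\n') }}"
    state: absent
  with_items: "{{ lusers }}"
  when: (users[item].authorized_keys_absent | default([])) | length > 0
```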
diff --git a/terraform/ansible/roles/packages/handlers/main.yml b/terraform/ansible/roles/packages/handlers/main.yml new file mode 100644 index 0000000..0298ff9 --- /dev/null +++ b/terraform/ansible/roles/packages/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: update apt cache + become: yes + apt: + update_cache: yes diff --git a/terraform/ansible/roles/packages/tasks/main.yml b/terraform/ansible/roles/packages/tasks/main.yml new file mode 100644 index 0000000..a6b990a --- /dev/null +++ b/terraform/ansible/roles/packages/tasks/main.yml 
@@ -0,0 +1,54 @@ +--- +- name: configure debian repositories + notify: update apt cache + copy: + dest: /etc/apt/sources.list + content: "{{ versions[packages__version] }}" + vars: + versions: + stretch: | + deb http://ftp.no.debian.org/debian/ stretch main contrib non-free + deb-src http://ftp.no.debian.org/debian/ stretch main contrib non-free + + deb http://security.debian.org/debian-security stretch/updates main contrib non-free + deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free + + deb http://ftp.no.debian.org/debian/ stretch-updates main contrib non-free + deb-src http://ftp.no.debian.org/debian/ stretch-updates main contrib non-free + + {{ '' if packages__enable_backports else '#' }}deb http://ftp.no.debian.org/debian/ stretch-backports main contrib non-free + {{ '' if packages__enable_backports else '#' }}deb-src http://ftp.no.debian.org/debian/ stretch-backports main contrib non-free + jessie: | + deb http://ftp.no.debian.org/debian/ jessie main contrib non-free + deb-src http://ftp.no.debian.org/debian/ jessie main contrib non-free + + deb http://security.debian.org/debian-security jessie/updates main contrib non-free + deb-src http://security.debian.org/debian-security jessie/updates main contrib non-free + + deb http://ftp.no.debian.org/debian/ jessie-updates main contrib non-free + deb-src http://ftp.no.debian.org/debian/ jessie-updates main contrib non-free + + {{ '' if packages__enable_backports else '#' }}deb http://ftp.no.debian.org/debian/ jessie-backports main contrib non-free + {{ '' if packages__enable_backports else '#' }}deb-src http://ftp.no.debian.org/debian/ jessie-backports main contrib non-free + unstable: | + deb http://ftp.no.debian.org/debian/ unstable main contrib non-free + deb-src http://ftp.no.debian.org/debian/ unstable main contrib non-free + sid: | + deb http://ftp.no.debian.org/debian/ sid main contrib non-free + deb-src http://ftp.no.debian.org/debian/ sid main contrib non-free + +- 
name: Enable backports repository by default + when: packages__enable_backports + copy: + dest: /etc/apt/preferences.d/bitraf-packages + content: | + Package: * + Pin: release a=stretch-backports + Pin-Priority: 500 + +- meta: flush_handlers + +- name: install debian packages + apt: + name: "{{ packages_packages }}" + install_recommends: no diff --git a/terraform/ansible/roles/superusers/tasks/adjust-group.yml b/terraform/ansible/roles/superusers/tasks/adjust-group.yml new file mode 100644 index 0000000..32666ad --- /dev/null +++ b/terraform/ansible/roles/superusers/tasks/adjust-group.yml @@ -0,0 +1,21 @@ +- vars: + members: "{{ getent_group[group][2].split(',') if group in getent_group else [] }}" + to_add: "{{ usernames | intersect(superusers) | difference(members) }}" + to_remove: "{{ members | difference(superusers) }}" + tags: superusers + block: + - debug: var=group + - debug: var=to_add + - debug: var=to_remove + + - name: gpasswd --add + with_items: "{{ to_add }}" + when: (item|length) > 0 + become: yes + shell: "gpasswd --add {{ item }} {{ group }}" + + - name: gpasswd --delete + with_items: "{{ to_remove }}" + when: (item|length) > 0 + become: yes + shell: "gpasswd --delete {{ item }} {{ group }}" diff --git a/terraform/ansible/roles/superusers/tasks/main.yml b/terraform/ansible/roles/superusers/tasks/main.yml new file mode 100644 index 0000000..70623a0 --- /dev/null +++ b/terraform/ansible/roles/superusers/tasks/main.yml 
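Review bot: The backports preference hard-codes `Pin: release a=stretch-backports` while the sources are selected by `packages__version`, so on a jessie host with `packages__enable_backports` on, the backports suite is enabled in sources.list but the pin applies to nothing. Since the task is `copy` with `content`, it is templated, so `Pin: release a={{ packages__version }}-backports` fixes it. As far as I know `jessie-updates` and `jessie-backports` were retired from the main Debian mirrors in 2019, so the jessie block will make `apt update` fail — verify before keeping those lines. Both `copy` tasks also lack a `mode`; `mode: '0644'` makes the apt configuration's permissions explicit.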
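Review bot: `shell: "gpasswd --add {{ item }} {{ group }}"` and its `--delete` twin pass values through a shell although no shell feature is used; the `to_remove` list in particular is derived from `getent group` on the managed host, i.e. from remote data, so use `command: "gpasswd --delete {{ item }} {{ group }}"` (or the `user` module with `groups` and `append`) so that a name containing metacharacters can only ever be an argument. The removal branch strips every current member of `sudo` and `systemd-journal` who is not in `superusers`, which presumably includes provider-created accounts or the Ansible login user if it is not listed — a comment stating that blast radius is intended, or a protected-members allowlist, would make it deliberate. The three `debug` tasks print on every run; `verbosity: 1` keeps normal output quiet.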
@@ -0,0 +1,31 @@ +--- +- tags: superusers + block: + - name: getent passwd + getent: + database: passwd + + - name: getent group + getent: + database: group + +# NOTE: Accounts are added by the luser module. +- tags: superusers + vars: + usernames: "{{ users|dict2items|map(attribute='key')|list }}" + unix_groups: + - sudo + - systemd-journal + with_items: "{{ unix_groups }}" + loop_control: + loop_var: group + include_tasks: adjust-group.yml + +- name: "Allow 'sudo' group to have passwordless sudo" + tags: superusers + become: yes + lineinfile: + dest: /etc/sudoers + state: present + regexp: '^%sudo' + line: '%sudo ALL=(ALL) NOPASSWD: ALL' -- cgit v1.2.3
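Review bot: The `lineinfile` edit of `/etc/sudoers` has no `validate:`, so a templating slip or an unexpected existing `%sudo` line would leave a syntactically broken sudoers and lock everyone out of root on every host in one run. Add `validate: '/usr/sbin/visudo -cf %s'` to the task, or better write the rule to `/etc/sudoers.d/superusers` with `mode: '0440'` and the same validate so the distribution's sudoers stays untouched. Granting `NOPASSWD: ALL` to the whole `sudo` group makes an SSH key the only thing between a stolen key and root — defensible for a single-admin lab, but record that decision in a comment next to the task.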