Diffstat (limited to 'ansible')
25 files changed, 284 insertions, 60 deletions
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 6f2b86b..2190846 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -7,6 +7,7 @@ stdout_callback = debug vault_password_file = ./.vault-password roles_path = roles:thirdparty retry_files_enabled = False +vars_plugins_enabled = host_group_vars,community.sops.sops [ssh_connection] pipelining = True diff --git a/ansible/group_vars/all/ipam.yml b/ansible/group_vars/all/ipam.yml index 6c61600..54fc444 100644 --- a/ansible/group_vars/all/ipam.yml +++ b/ansible/group_vars/all/ipam.yml 
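Review bot: Enabling `community.sops.sops` here adds a second secret-handling path next to `vault_password_file`, but nothing in the diff says what the controller now needs or pins the collection, so the line deserves a comment such as `# community.sops.sops: decrypts sops-encrypted vars files under group_vars/host_vars at vars-load time; needs the sops binary and a matching age/PGP key on every controller`. If the repository has no `requirements.yml` (none is visible in this change), add one with a version constraint on `community.sops` so a fresh checkout installs a known release rather than whatever Galaxy serves that day. Also confirm `./.vault-password` is covered by `.gitignore`; that file is not part of this change, so this is only a reminder.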
@@ -4,44 +4,94 @@ # 56: ffff:ffff:ffff:ff00:: # 60: ffff:ffff:ffff:fff0:: # 64: ffff:ffff:ffff:ffff:: +# 80: ffff:ffff:ffff:ffff:ffff: ipam6: networks: bitraf_dn42: - range: "fdb1:4242:3538:::/48" + range: "fdb1:4242:3538::/48" tnet_dn42: range: "fdb1:4242:3538:2000::/52" - conflatorio_dn42: - description: Internal network on host + unused_2001: range: "fdb1:4242:3538:2001::/64" - hosts: - conflatorio-ix: "fdb1:4242:3538:2001::ffff/64" - conflatorio_docker: - range: "fdb1:4242:3538:2001:1001::/112" node1_dn42: range: "fdb1:4242:3538:2002::/64" + hosts: + node1: "fdb1:4242:3538:2002::ffff" node2_dn42: range: "fdb1:4242:3538:2003::/64" + hosts: + node2: "fdb1:4242:3538:2003::ffff" knot_dn42: range: "fdb1:4242:3538:2004::/64" hosts: - knot: "fdb1:4242:3538:2004::ffff/64" + knot: "fdb1:4242:3538:2004::ffff" coregonus_dn42: range: "fdb1:4242:3538:2005::/64" hosts: - coregonus-ix: "fdb1:4242:3538:2005::ffff/64" - danneri: "fdb1:4242:3538:2005:9422:d355:95b7:f170" + coregonus: "fdb1:4242:3538:2005::ffff" coregonus_docker: range: "fdb1:4242:3538:2005:df01:676a:ec28:0a00/120" kv24_dn42: range: "fdb1:4242:3538:2006::/64" hosts: - kv24ix: "fdb1:4242:3538:2006::ffff/64" - conflatorio_dn42_2: + kv24ix: "fdb1:4242:3538:2006::ffff" + hash_dn42: + range: "fdb1:4242:3538:2007::/64" + hosts: + hash: "fdb1:4242:3538:2007::ffff" + hash_docker_dn42: range: "fdb1:4242:3538:2007:1001::/112" lhn2_dn42: range: "fdb1:4242:3538:2008::/64" hosts: - lhn2pi: "fdb1:4242:3538:2008::ffff/64" + lhn2pi: "fdb1:4242:3538:2008::ffff" + conflatorio: "fdb1:4242:3538:2008:8042:32ff:fe0c:7161" + danneri: "fdb1:4242:3538:2008:9422:d355:95b7:f170" + unifi: "fdb1:4242:3538:2008:5054:ff:fe4d:96c" + + k8s: + range: "fdb1:4242:3538:3000::/52" + danneri_cluster: + range: "fdb1:4242:3538:3009::/112" + danneri_service: + range: "fdb1:4242:3538:300a::/100" + danneri_service2: + range: "fdb1:4242:3538:300a::/112" dn42: range: "fd00::/8" + +routers: + knot: + as: 4242423538 + peers: + hash: + routedbits_lon1: + as: 
4242420207 + hash: + as: 4242423538 + peers: + knot: + lhn2: + as: 4242423538 + peers: + knot: + node1: + as: 4242423538 + peers: + knot: + hash: + node2: + as: 4242423538 + peers: + knot: + hash: + kv24: + as: 4242423538 + peers: + knot: + danneri: + as: 4242423538 + peers: + knot: + hash: diff --git a/ansible/host_vars/danneri/systemd-networkd.yml b/ansible/host_vars/danneri/systemd-networkd.yml index 842a42e..023e276 100644 --- a/ansible/host_vars/danneri/systemd-networkd.yml +++ b/ansible/host_vars/danneri/systemd-networkd.yml @@ -1,3 +1,2 @@ systemd_networkd__files: - - systemd_networkd/enp1s0.netdev - - systemd_networkd/enp1s0.network + - danneri/systemd-networkd/enp1s0.network diff --git a/ansible/host_vars/unifi/systemd-networkd.yml b/ansible/host_vars/unifi/systemd-networkd.yml new file mode 100644 index 0000000..4ee9ee6 --- /dev/null +++ b/ansible/host_vars/unifi/systemd-networkd.yml @@ -0,0 +1,2 @@ +systemd_networkd__files: + - unifi/systemd-networkd/enp1s0.network diff --git a/ansible/inventory b/ansible/inventory index a21cbc9..91e463e 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -29,8 +29,6 @@ all: ansible_python_interpreter: /usr/bin/python3 nextcloud: ansible_host: 192.168.10.201 - unifi: - ansible_host: 192.168.10.202 babypi: ansible_host: 192.168.10.159 # astyanax: @@ -46,6 +44,10 @@ all: kv24ix: coregonus: ansible_host: 192.168.10.190 + danneri: + ansible_host: danneri.dn42.trygvis.io + unifi: + ansible_host: unifi.dn42.trygvis.io node1: ansible_host: 9859f51e-1e3e-4c05-a826-b7fbe18d91be.pub.instances.scw.cloud @@ -83,7 +85,6 @@ all: malabaricus: nextcloud: numquam: - unifi: lxc_hosts: hosts: arius: @@ -100,7 +101,6 @@ all: debian_stretch: hosts: malabaricus: - unifi: vars: packages__version: stretch diff --git a/ansible/plays/danneri.yml b/ansible/plays/danneri.yml index 47872c0..6b4265a 100644 --- a/ansible/plays/danneri.yml +++ b/ansible/plays/danneri.yml 
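Review bot: `danneri_service` (`fdb1:4242:3538:300a::/100`) and `danneri_service2` (`fdb1:4242:3538:300a::/112`) overlap, and the generator plays added in this change only check that each `range` parses as IPv6, not that networks are disjoint, so this passes silently. Either drop `danneri_service2` or put a comment on it saying it is deliberately carved out of `danneri_service` and which consumer uses which. Separately, the `peers:` entries under `routers` (`knot:`, `hash:` with no value) load as `null`; that is fine for a key-presence check, but any template that dereferences the value (e.g. `peer.as`) will fail on `None`, so consider `peers: {knot: {}, hash: {}}` or a comment stating the values are intentionally empty. The `unused_2001` placeholder would also benefit from a one-line note saying `2001::/64` is reserved and why.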
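Review bot: `unifi` moves from `ansible_host: 192.168.10.202` to `unifi.dn42.trygvis.io` (and `danneri` to `danneri.dn42.trygvis.io`), so SSH to both now depends on a public DNS name resolving to a dn42 ULA address and on the dn42 path being up, and the existing known_hosts entry keyed by the old IP no longer applies. With host-key checking left enabled (nothing in the visible ansible.cfg lines disables it) the first run will ask to trust the key under the new name, which is a blind trust-on-first-use; copy the known fingerprint to the new name first, or point `ansible_host` at the address this change already records, e.g. `ansible_host: "{{ ipam6.networks.lhn2_dn42.hosts.unifi }}"` (inventory connection vars are templated late, so group_vars should resolve — worth a quick check). A comment naming the DNS source, e.g. `# resolves via terraform/dns/dn42.tf, generated from ipam6 by plays/ipam-generate-dns.yml`, would make the dependency visible when DNS is down.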
@@ -1,3 +1,27 @@ - hosts: - danneri - roles: systemd-networkd + tasks: + - import_role: + name: systemd-networkd + + - meta: flush_handlers + + - become: yes + apt: + name: + - etckeeper + - import_role: + name: timezone + + - become: yes + tags: k3s + copy: + dest: /etc/rancher/k3s/config.yaml + content: | + tls-san: + - "danneri.dn42.trygvis.io" + - "{{ ipam6.networks.lhn2_dn42.hosts.danneri }}" + - "2a06:2240:f00d:b500:9422:d355:95b7:f170" + cluster-cidr: "{{ ipam6.networks.danneri_cluster.range }}" + service-cidr: "{{ ipam6.networks.danneri_service.range }}" + diff --git a/ansible/plays/host-hash.yml b/ansible/plays/host-hash.yml new file mode 100644 index 0000000..62b781f --- /dev/null +++ b/ansible/plays/host-hash.yml @@ -0,0 +1,10 @@ +- hosts: hash + tasks: + - become: yes + copy: + dest: /etc/docker/daemon.json + content: | + { + "ipv6": true, + "fixed-cidr-v6": "{{ ipam6.networks.hash_docker_dn42.range }}" + } diff --git a/ansible/plays/host-lhn2pi.yml b/ansible/plays/host-lhn2pi.yml new file mode 100644 index 0000000..551c3dd --- /dev/null +++ b/ansible/plays/host-lhn2pi.yml @@ -0,0 +1,6 @@ +- hosts: + - lhn2pi + roles: + - systemd-networkd + - prometheus-bird-exporter + - prometheus-node-exporter diff --git a/ansible/plays/host-unifi.yml b/ansible/plays/host-unifi.yml new file mode 100644 index 0000000..41fb292 --- /dev/null +++ b/ansible/plays/host-unifi.yml @@ -0,0 +1,18 @@ +- hosts: + - unifi + tasks: + - become: yes + apt: + name: + - etckeeper + + - import_role: + name: timezone + + - import_role: + name: systemd-networkd + + - become: yes + apt: + name: + - docker.io diff --git a/ansible/plays/ipam-generate-dns.yml b/ansible/plays/ipam-generate-dns.yml new file mode 100644 index 0000000..d29b3e8 --- /dev/null +++ b/ansible/plays/ipam-generate-dns.yml 
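Review bot: The `copy` to `/etc/rancher/k3s/config.yaml` has no task creating `/etc/rancher/k3s` first; `copy` does not create parent directories, so on a host where k3s is not yet installed (nothing in this play installs it) the task fails on the missing destination directory, and there is no `notify` to restart k3s when the file changes. Independently, `service-cidr` is set to `danneri_service`, a `/100`; kube-apiserver rejects an IPv6 service range larger than `/108`, so this value will not bring up an apiserver — the `/112` `danneri_service2` defined in the same change looks like the intended one. The `/112` `cluster-cidr` will likewise need `node-cidr-mask-size-ipv6` lowered below the controller-manager default of 64 via `kube-controller-manager-arg`, otherwise node CIDR allocation fails (verify against the k3s version in use). The hard-coded third `tls-san` (`2a06:2240:f00d:b500:…`) is not in ipam6 and deserves a comment saying which interface/prefix it belongs to.
```yaml
    - become: yes
      tags: k3s
      file:
        path: /etc/rancher/k3s
        state: directory
        mode: "0755"

    - become: yes
      tags: k3s
      copy:
        dest: /etc/rancher/k3s/config.yaml
        mode: "0644"
        content: |
          # … unchanged: tls-san / cluster-cidr / service-cidr …
```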
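Review bot: The generated `/etc/docker/daemon.json` turns on IPv6 with a routable dn42 prefix (`fixed-cidr-v6` from `hash_docker_dn42`) but does not set `"ip6tables": true`; without it Docker manages only IPv4 iptables, so every container port is reachable over IPv6 from anywhere the `/112` is routed regardless of `-p` mappings, and there is no NAT to hide behind as there is for IPv4. Add `"ip6tables": true,` (older engines also need `"experimental": true` for it — check the installed version) or document in a comment that the host firewall is expected to filter the container prefix. The task also overwrites any existing daemon.json wholesale and has no handler to restart dockerd, so the change only takes effect on the next manual restart; a `notify` to a docker restart handler would close that gap.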
@@ -0,0 +1,32 @@ +- hosts: localhost + gather_facts: no + connection: local + tasks: + - set_fact: + content: | + {% set hosts = [] %} + {% for nw_name, network in ipam6.networks.items() %} + {% for host, address in (network.hosts|default({})).items() %} + {{- hosts.append({'name': host, 'address': address}) -}} + {% endfor %} + {% endfor %} + # Generated from ansible data + {% for h in hosts|sort(attribute='name') %} + + resource "linode_domain_record" "dn42-{{ h.name }}" { + domain_id = linode_domain.root.id + name = "{{ h.name }}.dn42" + record_type = "AAAA" + target = "{{ h.address|ansible.utils.ipv6('address') }}" + } + {% endfor %} + - debug: + msg: "{{ content }}" + when: false + - name: Generating ../../terraform/dns/dn42.tf + register: tf + copy: + dest: ../../terraform/dns/dn42.tf + content: "{{ content }}" + - shell: terraform fmt ../../terraform/ipam6/ipam6.tf + when: "tf.changed" diff --git a/ansible/plays/ipam-generate-tf.yml b/ansible/plays/ipam-generate-tf.yml new file mode 100644 index 0000000..209b8ab --- /dev/null +++ b/ansible/plays/ipam-generate-tf.yml 
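Review bot: The final task writes `../../terraform/dns/dn42.tf` but then runs `terraform fmt ../../terraform/ipam6/ipam6.tf`, so the file this play generates is never formatted while the `when: "tf.changed"` guard keys off the wrong file; it should be `- command: terraform fmt ../../terraform/dns/dn42.tf`, and `command` rather than `shell` since no shell features are used. The `debug` task guarded by `when: false` is dead code and can go. Host names from `ipam6` are interpolated straight into a Terraform resource label and a DNS name, which is acceptable for repo-controlled data, but a header comment like `# host names must be valid DNS labels; no validation is done here` makes that assumption explicit.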
@@ -0,0 +1,53 @@ +- hosts: localhost + gather_facts: no + connection: local + collections: + - ansible.utils + tasks: + - name: Generate terraform/ipam6/ipam6.tf + register: tf + copy: + dest: ../../terraform/ipam6/ipam6.tf + content: | + output "networks" { + value = { + {% for name, network in ipam6.networks.items() %} + {% if not (network.range | ansible.utils.ipv6) %} + Invalid network: {{ network.range }} + {% endif %} + {{ name }} = { + {% if network.description|default("") %} + description = "{{ network.description }}" + {% endif %} + range = "{{ network.range }}" + address = "{{ network.range|ansible.utils.ipaddr("network") }}" + prefix = "{{ network.range|ansible.utils.ipaddr("prefix") }}" + {% set hosts = network.hosts|default({}) %} + hosts = { + {% for name, addr in hosts.items() %} + {{ name }} = { + address: "{{ addr|ansible.utils.ipaddr("address") }}" + prefix: "{{ addr|ansible.utils.ipaddr("prefix") }}" + } + {% endfor %} + } + } + {% endfor %} + } + } + + output "hosts" { + value = { + {% for name, network in ipam6.networks.items() %} + {% set hosts = network.hosts|default({}) %} + {% for name, addr in hosts.items() %} + {{ name }} = { + address: "{{ addr|ansible.utils.ipaddr("address") }}" + prefix: "{{ addr|ansible.utils.ipaddr("prefix") }}" + } + {% endfor %} + {% endfor %} + } + } + - shell: terraform fmt ../../terraform/ipam6/ipam6.tf + when: "tf.changed" diff --git a/ansible/plays/lhn2pi.yml b/ansible/plays/lhn2pi.yml deleted file mode 100644 index 614b926..0000000 --- a/ansible/plays/lhn2pi.yml +++ /dev/null @@ -1,4 +0,0 @@ -- hosts: - - lhn2pi - roles: - - systemd-networkd diff --git a/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network b/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network index a4c84ee..b38116c 100644 --- a/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network +++ b/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network 
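Review bot: The `{% if not (network.range | ansible.utils.ipv6) %}Invalid network: …{% endif %}` branch writes the error text into `ipam6.tf` and lets the play succeed, so a bad range (like the `:::/48` this same change fixes) yields a broken Terraform file instead of a failed run; validate with an `assert` task before the `copy` and drop the inline branch. The `hosts` output also flattens host names across all networks, so a host listed under two networks (as `danneri` was before this change) silently overrides the earlier entry — worth a `# last network wins on duplicate host names` comment, or an assert that names are unique. The inner `for name, addr` loop reuses the outer loop's `name`; Jinja scopes it to the inner loop, but renaming it to `host_name` avoids the double-take.
```yaml
  tasks:
    - name: Validate ipam6 network ranges before generating anything
      assert:
        that: item.value.range | ansible.utils.ipv6
        fail_msg: "Invalid IPv6 range for network {{ item.key }}: {{ item.value.range }}"
      loop: "{{ ipam6.networks | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    # … unchanged: Generate terraform/ipam6/ipam6.tf (with the inline 'Invalid network' branch removed) …
```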
@@ -5,4 +5,4 @@ Name=enp1s0 DHCP=ipv4 [IPv6AcceptRA] -Token=static:{{ ipam6.networks.coregonus_dn42.hosts.danneri }} +Token=static:{{ ipam6.networks.lhn2_dn42.hosts.danneri }} diff --git a/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network b/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network index f17b3f9..853556d 100644 --- a/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network +++ b/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network @@ -5,3 +5,7 @@ Name=eth0 DHCP=ipv4 Address={{ ipam6.networks.lhn2_dn42.hosts.lhn2pi }} # IPv6Forwarding=yes # needs newer systemd + +# Disables the automatic activation of DHCPv6 from RA packets +[IPv6AcceptRA] +DHCPv6Client=no diff --git a/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network b/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network new file mode 100644 index 0000000..251bf45 --- /dev/null +++ b/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network @@ -0,0 +1,8 @@ +[Match] +Name=enp1s0 + +[Network] +DHCP=ipv4 + +[IPv6AcceptRA] +Token=static:{{ ipam6.networks.lhn2_dn42.hosts.unifi }} diff --git a/ansible/roles/prometheus-bird-exporter/handlers/main.yml b/ansible/roles/prometheus-bird-exporter/handlers/main.yml new file mode 100644 index 0000000..f4f9381 --- /dev/null +++ b/ansible/roles/prometheus-bird-exporter/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart + become: yes + systemd: + name: prometheus-bird-exporter + state: restarted diff --git a/ansible/roles/prometheus-bird-exporter/tasks/main.yml b/ansible/roles/prometheus-bird-exporter/tasks/main.yml new file mode 100644 index 0000000..6d8b999 --- /dev/null +++ b/ansible/roles/prometheus-bird-exporter/tasks/main.yml 
@@ -0,0 +1,18 @@ +- become: yes + package: + name: "{{ items }}" + state: present + vars: + items: + - prometheus-bird-exporter +- name: /etc/default/prometheus-bird-exporter + become: yes + copy: + dest: /etc/default/prometheus-bird-exporter + content: | + # Set the command-line arguments to pass to the server. + # Due to shell escaping, to pass backslashes for regexes, you need to double + # them (\\d for \d). If running under systemd, you need to double them again + # (\\\\d to mean \d), and escape newlines too. + ARGS="-bird.v2 -format.new" + notify: restart diff --git a/ansible/roles/prometheus-node-exporter/handlers/main.yml b/ansible/roles/prometheus-node-exporter/handlers/main.yml new file mode 100644 index 0000000..f4f9381 --- /dev/null +++ b/ansible/roles/prometheus-node-exporter/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart + become: yes + systemd: + name: prometheus-bird-exporter + state: restarted diff --git a/ansible/roles/prometheus-node-exporter/tasks/main.yml b/ansible/roles/prometheus-node-exporter/tasks/main.yml new file mode 100644 index 0000000..e7c6d18 --- /dev/null +++ b/ansible/roles/prometheus-node-exporter/tasks/main.yml @@ -0,0 +1,18 @@ +- become: yes + package: + name: "{{ items }}" + state: present + vars: + items: + - prometheus-node-exporter +- name: /etc/default/prometheus-node-exporter + become: yes + copy: + dest: /etc/default/prometheus-node-exporter + content: | + # Set the command-line arguments to pass to the server. + # Due to shell escaping, to pass backslashes for regexes, you need to double + # them (\\d for \d). If running under systemd, you need to double them again + # (\\\\d to mean \d), and escape newlines too. + ARGS="" + notify: restart diff --git a/ansible/roles/superusers/tasks/main.yml b/ansible/roles/superusers/tasks/main.yml index c1f5a47..12672ec 100644 --- a/ansible/roles/superusers/tasks/main.yml +++ b/ansible/roles/superusers/tasks/main.yml 
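Review bot: `/etc/default/prometheus-bird-exporter` sets `ARGS="-bird.v2 -format.new"` with no listen address, so the exporter binds its default port on every interface, including the dn42 ULA address these routers now carry, and exposes BGP/route metrics to anyone on the overlay without authentication. If scraping happens over one interface or a local proxy, add `-web.listen-address=` with that address to `ARGS` (the same applies to `ARGS=""` in the node-exporter role added alongside, whose flag is `--web.listen-address`); otherwise state in a comment that host firewalling is relied on. Whether the exporter's user can read the bird control socket is not established by this role; a one-line comment on that assumption would save the next person a permissions hunt.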
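Review bot: The `restart` handler in `prometheus-node-exporter/handlers/main.yml` restarts `prometheus-bird-exporter`, not `prometheus-node-exporter` (the file is a byte-identical copy of the bird-exporter handler, same blob `f4f9381`), so a change to `/etc/default/prometheus-node-exporter` never reaches the node exporter and instead bounces the bird exporter. Change it to `name: prometheus-node-exporter`.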
@@ -16,7 +16,7 @@ unix_groups: - sudo - systemd-journal - with_items: "{{ unix_groups }}" + with_items: "{{ unix_groups + (['docker'] if 'docker' in getent_group else []) }}" loop_control: loop_var: group include_tasks: adjust-group.yml diff --git a/ansible/roles/systemd-networkd/handlers/main.yml b/ansible/roles/systemd-networkd/handlers/main.yml index 5050e02..c9b2603 100644 --- a/ansible/roles/systemd-networkd/handlers/main.yml +++ b/ansible/roles/systemd-networkd/handlers/main.yml @@ -1,5 +1,5 @@ -- become: yes - name: reload +- name: reload + become: yes systemd: name: systemd-networkd state: reloaded diff --git a/ansible/roles/systemd-networkd/tasks/main.yml b/ansible/roles/systemd-networkd/tasks/main.yml index 0e8856b..aed4168 100644 --- a/ansible/roles/systemd-networkd/tasks/main.yml +++ b/ansible/roles/systemd-networkd/tasks/main.yml @@ -3,6 +3,13 @@ name: systemd-networkd state: started enabled: yes +- name: mkdir /etc/systemd/network + become: yes + file: + path: "/etc/systemd/network" + state: directory + owner: systemd-network + group: systemd-network - become: yes loop: "{{ systemd_networkd__files | default([]) }}" template: diff --git a/ansible/roles/unifi/handlers/main.yml b/ansible/roles/unifi/handlers/main.yml deleted file mode 100644 index ce78323..0000000 --- a/ansible/roles/unifi/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: update apt cache - apt: - update_cache: yes diff --git a/ansible/roles/unifi/tasks/main.yml b/ansible/roles/unifi/tasks/main.yml deleted file mode 100644 index 11c4c00..0000000 --- a/ansible/roles/unifi/tasks/main.yml +++ /dev/null 
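Review bot: Appending `docker` to `unix_groups` whenever `getent_group` has it makes every superuser root-equivalent without going through sudo on any docker host (docker group membership allows `docker run -v /:/host --privileged`), and it happens silently wherever the group exists. Since these users already get `sudo` per the context lines that is not new privilege, but it does bypass sudo logging and policy, so add a comment making the trade-off explicit, e.g. `# docker group is root-equivalent; acceptable only because superusers already hold sudo`. `getent_group` presumably comes from a `getent` task earlier in this file (outside the hunk); if that task is conditional, this expression is undefined on hosts where it did not run.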
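Review bot: The new `mkdir /etc/systemd/network` task chowns the directory to `systemd-network:systemd-network`, handing the unprivileged networkd service account write access to its own configuration directory; the distribution ships it as `root:root 0755`, and the files are written by the following task under `become`, so networkd needs only read access. A compromise of `systemd-networkd` (which upstream runs as that user) could then persist arbitrary `.network`/`.netdev` files across reboots. Use `owner: root`, `group: root`, `mode: "0755"` instead, and let the template task set a per-file mode if anything sensitive ends up in a unit.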
@@ -1,23 +0,0 @@ ---- -- name: Ubiquiti APT key - notify: update apt cache - apt_key: - id: 06E85760C0A52C50 - keyserver: keyserver.ubuntu.com - -- name: Ubiquiti APT repository - notify: update apt cache - copy: - dest: /etc/apt/sources.list.d/unifi.list - content: 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' - -- meta: flush_handlers - -- name: packages - apt: - name: "{{ items }}" - install_recommends: no - vars: - items: - - openjdk-8-jre - - unifi diff --git a/ansible/unifi.yml b/ansible/unifi.yml deleted file mode 100644 index d417a2a..0000000 --- a/ansible/unifi.yml +++ /dev/null @@ -1,6 +0,0 @@ -- hosts: - - unifi - roles: - - role: unifi - tags: unifi - become: yes |