Diffstat (limited to 'ansible')
21 files changed, 319 insertions, 14 deletions
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 6f2b86b..014f5a6 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -7,6 +7,7 @@ stdout_callback = debug vault_password_file = ./.vault-password roles_path = roles:thirdparty retry_files_enabled = False +vars_plugins_enabled = community.sops.sops [ssh_connection] pipelining = True diff --git a/ansible/group_vars/all/bird.yml b/ansible/group_vars/all/bird.yml new file mode 100644 index 0000000..dce5afa --- /dev/null +++ b/ansible/group_vars/all/bird.yml @@ -0,0 +1,3 @@ +# which version of bird is used, 0-padded with 3 digits +# 2.15 => 2015 +birdv: 0 diff --git a/ansible/group_vars/all/ipam.yml b/ansible/group_vars/all/ipam.yml index c182329..4caa80d 100644 --- a/ansible/group_vars/all/ipam.yml +++ b/ansible/group_vars/all/ipam.yml 
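Review bot: `vars_plugins_enabled = community.sops.sops` replaces the default accept list instead of extending it, and in current Ansible the `host_group_vars` plugin (the one that loads group_vars/ and host_vars/) is itself on that list and must be enabled, so as written this line would stop `ipam6` and the host_vars files added in this same commit from being loaded at all. The community.sops documentation gives the setting as `vars_plugins_enabled = host_group_vars,community.sops.sops`; use that form. If this was verified to work against the installed Ansible release, a one-line comment above it saying which release would save the next reader the same check.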
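Review bot: `birdv: 0` in the new group_vars/all/bird.yml does not fit the encoding the two comment lines above it describe (major followed by the 3-digit-padded minor, 2.15 => 2015), so a reader cannot tell whether 0 means "bird 0.0", "no bird installed" or "unknown", nor what a consumer comparing against it should do. Add a line such as `# 0 = not set; hosts running bird override this in host_vars` and, if some role derives the value from the installed package, say where. The consumer of `birdv` is not part of this diff, so its expected use is inferred.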
@@ -1,10 +1,60 @@ +# Netmasks for prefixes: +# 48: ffff:ffff:ffff:0000:: +# 52: ffff:ffff:ffff:f000:: +# 56: ffff:ffff:ffff:ff00:: +# 60: ffff:ffff:ffff:fff0:: +# 64: ffff:ffff:ffff:ffff:: ipam6: networks: - - bitraf-dn42: - range: "fdb1:4242:3538:::/48" - - tnet-dn42: - range: "fdb1:4242:3538:a000::/52" - - conflatorio-dn42: - range: "fdb1:4242:3538:a001::/64" - hosts: - - conflatorio-ix: "fdb1:4242:3538:a001::ffff" + bitraf_dn42: + range: "fdb1:4242:3538::/48" + tnet_dn42: + range: "fdb1:4242:3538:2000::/52" + unused_2001: + range: "fdb1:4242:3538:2001::/64" + node1_dn42: + range: "fdb1:4242:3538:2002::/64" + hosts: + node1: "fdb1:4242:3538:2002::ffff" + node2_dn42: + range: "fdb1:4242:3538:2003::/64" + hosts: + node2: "fdb1:4242:3538:2003::ffff" + knot_dn42: + range: "fdb1:4242:3538:2004::/64" + hosts: + knot: "fdb1:4242:3538:2004::ffff" + coregonus_dn42: + range: "fdb1:4242:3538:2005::/64" + hosts: + coregonus: "fdb1:4242:3538:2005::ffff" + coregonus_docker: + range: "fdb1:4242:3538:2005:df01:676a:ec28:0a00/120" + kv24_dn42: + range: "fdb1:4242:3538:2006::/64" + hosts: + kv24ix: "fdb1:4242:3538:2006::ffff" + hash_dn42: + range: "fdb1:4242:3538:2007::/64" + hosts: + hash: "fdb1:4242:3538:2007::ffff" + hash_docker_dn42: + range: "fdb1:4242:3538:2007:1001::/112" + lhn2_dn42: + range: "fdb1:4242:3538:2008::/64" + hosts: + lhn2pi: "fdb1:4242:3538:2008::ffff" + conflatorio: "fdb1:4242:3538:2008:8042:32ff:fe0c:7161" + danneri: "fdb1:4242:3538:2008:9422:d355:95b7:f170" + + k8s: + range: "fdb1:4242:3538:3000::/52" + danneri_cluster: + range: "fdb1:4242:3538:3009::/112" + danneri_service: + range: "fdb1:4242:3538:300a::/100" + danneri_service2: + range: "fdb1:4242:3538:300a::/112" + + dn42: + range: "fd00::/8" diff --git a/ansible/host_vars/danneri/systemd-networkd.yml b/ansible/host_vars/danneri/systemd-networkd.yml new file mode 100644 index 0000000..023e276 --- /dev/null +++ b/ansible/host_vars/danneri/systemd-networkd.yml 
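Review bot: `danneri_service2` (`fdb1:4242:3538:300a::/112`) lies inside `danneri_service` (`fdb1:4242:3538:300a::/100`), and nothing in the data or in the generators added by this commit (ipam-generate-tf.yml only checks that each range parses) flags nested or duplicated ranges, so the relationship is invisible in the generated Terraform. The tf generator already emits a `description` attribute when a network carries one, so record the intent there, e.g. `description: "sub-range of danneri_service"`, or drop the entry if one of the two is stale. The same applies to `coregonus_docker` and `hash_docker_dn42`, which sit inside their hosts' /64s and are presumably intentional. The `unused_2001` placeholder suggests the /64s under `tnet_dn42` are meant to be allocated sequentially; a one-line comment above `networks:` stating that rule would keep future entries consistent.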
@@ -0,0 +1,2 @@ +systemd_networkd__files: + - danneri/systemd-networkd/enp1s0.network diff --git a/ansible/host_vars/lhn2pi/all.yml b/ansible/host_vars/lhn2pi/all.yml new file mode 100644 index 0000000..447906a --- /dev/null +++ b/ansible/host_vars/lhn2pi/all.yml @@ -0,0 +1,2 @@ +systemd_networkd__files: + - lhn2pi/systemd/network/10-eth0.network diff --git a/ansible/inventory b/ansible/inventory index 9b89ace..845580f 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -46,6 +46,8 @@ all: kv24ix: coregonus: ansible_host: 192.168.10.190 + danneri: + ansible_host: 192.168.100.103 node1: ansible_host: 9859f51e-1e3e-4c05-a826-b7fbe18d91be.pub.instances.scw.cloud @@ -178,6 +180,7 @@ all: akili: astyanax: conflatorio: + coregonus: hash: knot: kv24ix: @@ -191,6 +194,7 @@ all: akili: astyanax: conflatorio: + coregonus: hash: knot: lhn2pi: diff --git a/ansible/plays/danneri.yml b/ansible/plays/danneri.yml new file mode 100644 index 0000000..88d6412 --- /dev/null +++ b/ansible/plays/danneri.yml @@ -0,0 +1,23 @@ +- hosts: + - danneri + tasks: + - import_role: + name: systemd-networkd + + - meta: flush_handlers + + - become: yes + apt: + name: + - etckeeper + - import_role: + name: timezone + + - become: yes + copy: + dest: /etc/rancher/k3s/config.yaml + content: | + tls-san: + - "{{ ipam6.networks.lhn2_dn42.hosts.danneri }}" + - "2a06:2240:f00d:b500:9422:d355:95b7:f170" + diff --git a/ansible/plays/host-hash.yml b/ansible/plays/host-hash.yml new file mode 100644 index 0000000..62b781f --- /dev/null +++ b/ansible/plays/host-hash.yml @@ -0,0 +1,10 @@ +- hosts: hash + tasks: + - become: yes + copy: + dest: /etc/docker/daemon.json + content: | + { + "ipv6": true, + "fixed-cidr-v6": "{{ ipam6.networks.hash_docker_dn42.range }}" + } diff --git a/ansible/plays/host-lhn2pi.yml b/ansible/plays/host-lhn2pi.yml new file mode 100644 index 0000000..551c3dd --- /dev/null +++ b/ansible/plays/host-lhn2pi.yml 
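Review bot: The `copy` task in plays/danneri.yml writes /etc/rancher/k3s/config.yaml, but nothing ensures the parent directory exists (`copy` does not create it, so the play fails on a fresh host) and nothing restarts k3s afterwards, so a changed `tls-san` list is not applied until the next reboot or a manual restart. The file is also written with the default mode; k3s config files can carry tokens, so pin `mode: "0600"`. The second tls-san entry is a hard-coded public address while the first is taken from `ipam6`; if the public prefix is known to the inventory, source it the same way so the two cannot drift. Suggested shape below, assuming the standard `k3s.service` unit name.

```yaml
    - become: true
      file:
        path: /etc/rancher/k3s
        state: directory
        mode: "0755"

    - become: true
      copy:
        dest: /etc/rancher/k3s/config.yaml
        mode: "0600"
        # … unchanged: content with the tls-san list …
      notify: restart k3s

  handlers:
    - name: restart k3s
      become: true
      systemd:
        name: k3s
        state: restarted
```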
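Review bot: plays/host-hash.yml replaces /etc/docker/daemon.json wholesale and has no handler, so any settings already in that file on `hash` are lost and the new `fixed-cidr-v6` is not applied until dockerd is restarted. Add `notify: restart docker` on the copy task with a handler that runs `systemd: name: docker, state: restarted`; `fixed-cidr-v6` is not among the options dockerd re-reads on SIGHUP as far as the documented reload list goes, so a HUP-based reload would not suffice. Consider `mode: "0644"` on the file, and if other daemon.json keys are expected to exist on the host, build the file from a template or merge with `combine` rather than overwriting it.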
@@ -0,0 +1,6 @@ +- hosts: + - lhn2pi + roles: + - systemd-networkd + - prometheus-bird-exporter + - prometheus-node-exporter diff --git a/ansible/plays/ipam-generate-dns.yml b/ansible/plays/ipam-generate-dns.yml new file mode 100644 index 0000000..d29b3e8 --- /dev/null +++ b/ansible/plays/ipam-generate-dns.yml @@ -0,0 +1,32 @@ +- hosts: localhost + gather_facts: no + connection: local + tasks: + - set_fact: + content: | + {% set hosts = [] %} + {% for nw_name, network in ipam6.networks.items() %} + {% for host, address in (network.hosts|default({})).items() %} + {{- hosts.append({'name': host, 'address': address}) -}} + {% endfor %} + {% endfor %} + # Generated from ansible data + {% for h in hosts|sort(attribute='name') %} + + resource "linode_domain_record" "dn42-{{ h.name }}" { + domain_id = linode_domain.root.id + name = "{{ h.name }}.dn42" + record_type = "AAAA" + target = "{{ h.address|ansible.utils.ipv6('address') }}" + } + {% endfor %} + - debug: + msg: "{{ content }}" + when: false + - name: Generating ../../terraform/dns/dn42.tf + register: tf + copy: + dest: ../../terraform/dns/dn42.tf + content: "{{ content }}" + - shell: terraform fmt ../../terraform/ipam6/ipam6.tf + when: "tf.changed" diff --git a/ansible/plays/ipam-generate-tf.yml b/ansible/plays/ipam-generate-tf.yml new file mode 100644 index 0000000..e43a559 --- /dev/null +++ b/ansible/plays/ipam-generate-tf.yml 
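Review bot: The last task in plays/ipam-generate-dns.yml formats the wrong file: the play writes `../../terraform/dns/dn42.tf` but then runs `terraform fmt ../../terraform/ipam6/ipam6.tf`, a leftover from the tf generator, so the DNS file is never formatted and the `tf.changed` condition guards an unrelated file. Change it to `- command: terraform fmt ../../terraform/dns/dn42.tf` (`command` suffices; no shell features are used). The `debug` task with `when: false` is dead code and can be dropped or given `verbosity: 1` instead. The host list is built with `hosts.append(...)` inside a `set_fact` template, which works but relies on side-effecting Jinja; iterating `ipam6.networks | dict2items` with a nested loop would read more plainly.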
@@ -0,0 +1,53 @@ +- hosts: localhost + gather_facts: no + connection: local + collections: + - ansible.utils + tasks: + - name: Generate terraform/ipam6/ipam6.tf + register: tf + copy: + dest: ../../terraform/ipam6/ipam6.tf + content: | + output "networks" { + value = { + {% for name, network in ipam6.networks.items() %} + {% if not (network.range | ansible.utils.ipv6) %} + Invalid network: {{ network.range }} + {% endif %} + {{ name }} = { + {% if network.description|default("") %} + description = "{{ network.description }}" + {% endif %} + range = "{{ network.range }}" + address = "{{ network.range|ipaddr("network") }}" + prefix = "{{ network.range|ipaddr("prefix") }}" + {% set hosts = network.hosts|default({}) %} + hosts = { + {% for name, addr in hosts.items() %} + {{ name }} = { + address: "{{ addr|ipaddr("address") }}" + prefix: "{{ addr|ipaddr("prefix") }}" + } + {% endfor %} + } + } + {% endfor %} + } + } + + output "hosts" { + value = { + {% for name, network in ipam6.networks.items() %} + {% set hosts = network.hosts|default({}) %} + {% for name, addr in hosts.items() %} + {{ name }} = { + address: "{{ addr|ipaddr("address") }}" + prefix: "{{ addr|ipaddr("prefix") }}" + } + {% endfor %} + {% endfor %} + } + } + - shell: terraform fmt ../../terraform/ipam6/ipam6.tf + when: "tf.changed" diff --git a/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network b/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network new file mode 100644 index 0000000..b38116c --- /dev/null +++ b/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network @@ -0,0 +1,8 @@ +[Match] +Name=enp1s0 + +[Network] +DHCP=ipv4 + +[IPv6AcceptRA] +Token=static:{{ ipam6.networks.lhn2_dn42.hosts.danneri }} diff --git a/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network b/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network new file mode 100644 index 0000000..853556d --- /dev/null +++ b/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network 
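Review bot: The validity check in plays/ipam-generate-tf.yml (`{% if not (network.range | ansible.utils.ipv6) %} Invalid network: ... {% endif %}`) writes that text into ipam6.tf instead of failing the play, so a bad range yields an unparsable Terraform file that `terraform fmt` then rejects, and the error surfaces far from its cause. Validate before generating, as below, and drop the in-template branch. Inside the generated objects the network level uses `=` while the host entries use `address:`/`prefix:`; HCL accepts both, but pick one. `ipaddr` is used unqualified while the validity check uses `ansible.utils.ipv6`; the `collections:` keyword does not reliably cover filters, so `ansible.utils.ipaddr` is the safer spelling. The inner `for name, addr` reuses the outer loop's `name`; renaming it to `host` avoids the shadowing.

```yaml
  tasks:
    - name: Validate ipam6 ranges before generating
      fail:
        msg: "Invalid network {{ item.key }}: {{ item.value.range }}"
      loop: "{{ ipam6.networks | dict2items }}"
      when: not (item.value.range | ansible.utils.ipv6)

    # … unchanged: Generate terraform/ipam6/ipam6.tf task, with the
    # "{% if not (...) %} Invalid network ... {% endif %}" lines removed …
```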
@@ -0,0 +1,11 @@ +[Match] +Name=eth0 + +[Network] +DHCP=ipv4 +Address={{ ipam6.networks.lhn2_dn42.hosts.lhn2pi }} +# IPv6Forwarding=yes # needs newer systemd + +# Disables the automatic activation of DHCPv6 from RA packets +[IPv6AcceptRA] +DHCPv6Client=no diff --git a/ansible/prometheus/deploy-config.yml b/ansible/prometheus/deploy-config.yml new file mode 100644 index 0000000..472d05c --- /dev/null +++ b/ansible/prometheus/deploy-config.yml @@ -0,0 +1,19 @@ +- hosts: + - conflatorio + tasks: + - become: yes + file: + path: /etc/docker-service/prometheus + state: directory + owner: root + group: root + + - become: yes + notify: reload prometheus + copy: + dest: /etc/docker-service/prometheus/prometheus.yml + src: "{{ inventory_hostname }}/prometheus.yml" + + handlers: + - name: reload prometheus + shell: docker kill --signal HUP prometheus diff --git a/ansible/prometheus/files/conflatorio/prometheus.yml b/ansible/prometheus/files/conflatorio/prometheus.yml new file mode 100644 index 0000000..9fc1316 --- /dev/null +++ b/ansible/prometheus/files/conflatorio/prometheus.yml @@ -0,0 +1,25 @@ +global: + scrape_interval: 15s + evaluation_interval: 15s + +rule_files: + # - "first.rules" + # - "second.rules" + +scrape_configs: + - job_name: prometheus + static_configs: + - targets: ['localhost:9090'] + + - job_name: node + static_configs: + - targets: + - "knot.vpn.trygvis.io:9100" + - "hash.vpn.trygvis.io:9323" + - "conflatorio.vpn.trygvis.io:9100" + + - job_name: bird + static_configs: + - targets: + - "knot.vpn.trygvis.io:9324" + - "conflatorio.vpn.trygvis.io:9324" diff --git a/ansible/roles/prometheus-bird-exporter/handlers/main.yml b/ansible/roles/prometheus-bird-exporter/handlers/main.yml new file mode 100644 index 0000000..f4f9381 --- /dev/null +++ b/ansible/roles/prometheus-bird-exporter/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart + become: yes + systemd: + name: prometheus-bird-exporter + state: restarted 
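Review bot: `Address={{ ipam6.networks.lhn2_dn42.hosts.lhn2pi }}` in the lhn2pi .network template carries no prefix length, so the on-link subnet networkd assigns comes from its own default rather than from the /64 the ipam data defines for `lhn2_dn42`, and that default has not been the same across networkd versions. State it explicitly, e.g. `Address={{ ipam6.networks.lhn2_dn42.hosts.lhn2pi }}/{{ ipam6.networks.lhn2_dn42.range | ansible.utils.ipaddr('prefix') }}`. The commented `# IPv6Forwarding=yes # needs newer systemd` leaves forwarding unconfigured on a host this commit gives a bird exporter; if forwarding is set via sysctl elsewhere, name that file in the comment so the two are not maintained blind.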
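Review bot: The `bird` job in prometheus/files/conflatorio/prometheus.yml does not scrape lhn2pi, although plays/host-lhn2pi.yml in this same commit installs prometheus-bird-exporter there; add `- "lhn2pi.vpn.trygvis.io:9324"` if the host is reachable under that VPN name (inferred from the other targets). Under the `node` job, `hash.vpn.trygvis.io:9323` uses a different port from the other two targets (9100); 9323 is conventionally the Docker daemon metrics endpoint, so either the port is a typo or the target belongs in its own job. `rule_files:` is left as a bare key, which parses as null; write `rule_files: []` so the intent is explicit.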
diff --git a/ansible/roles/prometheus-bird-exporter/tasks/main.yml b/ansible/roles/prometheus-bird-exporter/tasks/main.yml new file mode 100644 index 0000000..6d8b999 --- /dev/null +++ b/ansible/roles/prometheus-bird-exporter/tasks/main.yml @@ -0,0 +1,18 @@ +- become: yes + package: + name: "{{ items }}" + state: present + vars: + items: + - prometheus-bird-exporter +- name: /etc/default/prometheus-bird-exporter + become: yes + copy: + dest: /etc/default/prometheus-bird-exporter + content: | + # Set the command-line arguments to pass to the server. + # Due to shell escaping, to pass backslashes for regexes, you need to double + # them (\\d for \d). If running under systemd, you need to double them again + # (\\\\d to mean \d), and escape newlines too. + ARGS="-bird.v2 -format.new" + notify: restart diff --git a/ansible/roles/prometheus-node-exporter/handlers/main.yml b/ansible/roles/prometheus-node-exporter/handlers/main.yml new file mode 100644 index 0000000..f4f9381 --- /dev/null +++ b/ansible/roles/prometheus-node-exporter/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart + become: yes + systemd: + name: prometheus-bird-exporter + state: restarted diff --git a/ansible/roles/prometheus-node-exporter/tasks/main.yml b/ansible/roles/prometheus-node-exporter/tasks/main.yml new file mode 100644 index 0000000..e7c6d18 --- /dev/null +++ b/ansible/roles/prometheus-node-exporter/tasks/main.yml @@ -0,0 +1,18 @@ +- become: yes + package: + name: "{{ items }}" + state: present + vars: + items: + - prometheus-node-exporter +- name: /etc/default/prometheus-node-exporter + become: yes + copy: + dest: /etc/default/prometheus-node-exporter + content: | + # Set the command-line arguments to pass to the server. + # Due to shell escaping, to pass backslashes for regexes, you need to double + # them (\\d for \d). If running under systemd, you need to double them again + # (\\\\d to mean \d), and escape newlines too. + ARGS="" + notify: restart 
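Review bot: The `restart` handler in roles/prometheus-node-exporter/handlers/main.yml restarts `prometheus-bird-exporter`, so a changed /etc/default/prometheus-node-exporter never restarts node_exporter and the bird exporter is bounced instead; change it to `name: prometheus-node-exporter`. Both new roles name their handler `restart` and plays/host-lhn2pi.yml applies both in one play; whether the role-scoped handler is picked ahead of the same-named one from the other role depends on the Ansible version (older strategies take the last one loaded), so prefer `name: restart prometheus-node-exporter` and the bird counterpart, with matching `notify:` lines. The two handler files are byte-identical, which is what let the copy-paste slip through.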
diff --git a/ansible/roles/systemd-networkd/handlers/main.yml b/ansible/roles/systemd-networkd/handlers/main.yml index 9656da4..c9b2603 100644 --- a/ansible/roles/systemd-networkd/handlers/main.yml +++ b/ansible/roles/systemd-networkd/handlers/main.yml @@ -1,4 +1,5 @@ -- name: restart +- name: reload + become: yes systemd: name: systemd-networkd - state: restarted + state: reloaded diff --git a/ansible/roles/systemd-networkd/tasks/main.yml b/ansible/roles/systemd-networkd/tasks/main.yml index 13c167b..aed4168 100644 --- a/ansible/roles/systemd-networkd/tasks/main.yml +++ b/ansible/roles/systemd-networkd/tasks/main.yml @@ -1,9 +1,18 @@ -- systemd: +- become: yes + systemd: name: systemd-networkd state: started enabled: yes -- loop: "{{ systemd_networkd__files | default([]) }}" - copy: +- name: mkdir /etc/systemd/network + become: yes + file: + path: "/etc/systemd/network" + state: directory + owner: systemd-network + group: systemd-network +- become: yes + loop: "{{ systemd_networkd__files | default([]) }}" + template: src: "{{ item }}" dest: "/etc/systemd/network/{{ item | basename }}" - notify: restart + notify: reload |
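Review bot: `state: reloaded` on systemd-networkd relies on the unit's ExecReload (`networkctl reload`), which exists in systemd 244 and later; the `# needs newer systemd` remark in the lhn2pi template added by this commit suggests at least one managed host runs an older release, where the reload fails instead of applying the change. Confirm the systemd version on each host that uses this role, or keep `state: restarted` for the older ones. The rename from `restart` to `reload` is referenced consistently by the tasks hunk below.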
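Review bot: The new `mkdir /etc/systemd/network` task in roles/systemd-networkd/tasks/main.yml hands ownership of the directory to the `systemd-network` service account, the unprivileged user networkd drops to; the packaged directory is root-owned, networkd only needs read access, and giving the service user write access to its own configuration lets a compromise of that process persist new network config. Use `owner: root`, `group: root`, `mode: "0755"`. The `template` task sets no `mode` either; the current .network files hold only addresses, but if a .netdev with key material is ever added to `systemd_networkd__files`, set `mode: "0640"` with `group: systemd-network` on that file. Prefer `become: true` over `become: yes` on the three added lines.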