101 files changed, 1186 insertions, 654 deletions
@@ -1,6 +1,8 @@ -/log -/gpg/vault-keyring.gpg~ *.pyc *.retry .*.sw? +/log +/gpg/vault-keyring-*.gpg~ +/.galaxy /.cache/ +/artifacts/ diff --git a/README_vault.md b/README_vault.md deleted file mode 100644 index c930a1da..00000000 --- a/README_vault.md +++ /dev/null 
@@ -1,118 +0,0 @@ -Secrets and Vaults -================== - -All secrets are stored inside encrypted ansible vault files which live in -`host_vars`, `group_vars` or inside the `secrets` directory. -Access to the vault files is controlled via GPG keys. Anybody who uses this -ansible repository needs to have a GPG key. - - -Creating a GPG key ------------------- - -You can use the following command to generate a new GPG key: - -``` -# gpg2 --full-gen-key - - select "RSA and RSA" as kind (should be option: 1) - - set keysize to: 4096 - - set key expiration to: 2y - - set Real name and eMail address - - set a passphrase for the key (please use a strong passphrase!!!) -``` - -This command prints the fingerprint and other information about the newly -generated key. In the line starting with pub you can find the key ID. This -ID can be used to uniquely identify your key. Here is a sample output: - -``` -pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01] - Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678 -uid [ unknown] Firstname Lastname <lastname@example.com> -sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01] -``` - -The key ID is the hexadecimal number next to ```rsa4096/``` in the line -starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678``` - -In order to add your key to the list of keys which can read the ansible vault -you first need to export the public part of your key using the following -command: - -``` -# gpg2 --armor --export "<your key id>" > mykey.asc -``` - - - -Adding a key to the Vault -------------------------- - -Everybody who currently has access to the vault can add keys using the -following command: - -``` -# gpg/add-keys.sh mykey.asc -``` - -This will add the new key to the keyring stored inside the repository and -re-encrypt the secret to unlock the vault for all keys inside the keyring. 
- - - -Removing a key from the Vault ------------------------------ - -Everybody who currently has access to the vault can remove keys using the -following command: - -``` -# gpg/remove-keys.sh "<key-id>" -``` - -This will remove the key from the keyring stored inside the repository and -re-encrypt the secret to unlock the vault for all remaining keys inside the -keyring. - -You can find out the key ID using the command: - -``` -# gpg/list-keys.sh -``` - -Here is an example output: - -``` -pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01] - Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678 -uid [ unknown] Firstname Lastname <lastname@example.com> -sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01] -``` - -The key ID is the hexadecimal number next to ```rsa4096/``` in the line -starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678``` - - - -Working with Vault files ------------------------- - - * create new vault: - ``` - # ansible-vault create host_vars/foo/vault.yml - ``` - This will open up an editor which allows you to add variables. Once you - store and close the file the content is automatically encrypted. - - * edit a vault file: - ``` - # ansible-vault edit group_vars/foo/vault.yml - ``` - This will open up an editor which allows you to add/remove/change variables. - Once you store and close the file the content is automatically encrypted. - - * show the contents of a vault file: - ``` - # ansible-vault view secrets/foo.vault.yml - ``` - This will automatically decrypt the file and print it's contents. diff --git a/ansible.cfg b/ansible.cfg index f44889fd..4248b8ba 100644 --- a/ansible.cfg +++ b/ansible.cfg 
@@ -1,19 +1,27 @@ [defaults] -inventory = ./hosts.ini -roles_path = ./roles:../roles -remote_user = root +inventory = ./inventory/hosts.ini +roles_path = ./.galaxy:./roles +nocows = 1 + log_path = ./log remote_tmp = /tmp/.ansible/tmp -nocows=1 -vault_password_file = ./gpg/get-vault-pass.sh + +filter_plugins = ./filter_plugins gathering = smart fact_caching = jsonfile fact_caching_connection = ./.cache/facts fact_caching_timeout = 7200 +## this will be set by environment.sh +#vault_identity_list = spreadspace@gpg/get-vault-pass-spreadsprace +## only try keys with matching vault-ids +vault_id_match = True + var_compression_level = 9 +bin_ansible_callbacks = True + [ssh_connection] pipelining = True ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s diff --git a/apply-role.sh b/apply-role.sh index 3d39f345..708a8357 100755 --- a/apply-role.sh +++ b/apply-role.sh @@ -1,6 +1,6 @@ #!/bin/bash -if [ -z "$1" ] || [ -z "$2" ] ; then +if [ -z "$1" ] || [ -z "$2" ]; then echo "$0 <host(s)> <role>" exit 1 fi @@ -9,5 +9,10 @@ shift role="$1" shift -echo "######## applying the role '$role' to host(s) '$hosts' ########" -exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" $@ generic.yaml +cd "${BASH_SOURCE%/*}" +source common/utils.sh +ansible_variable__get env_group "$hosts" || exit 1 +vault_environment__set "$env_group" || exit 1 + +echo "######## applying the role '$role' to host(s) '$hosts' in environment '$env_group' ########" +exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" $@ "$env_group/generic.yaml" diff --git a/generic.yaml b/chaos-at-home/generic.yaml index d3b8de82..d3b8de82 100644 --- a/generic.yaml +++ b/chaos-at-home/generic.yaml diff --git a/chaos-at-home/vm-install.yml b/chaos-at-home/vm-install.yml new file mode 100644 index 00000000..b5d8bf2e --- /dev/null +++ b/chaos-at-home/vm-install.yml @@ -0,0 +1,2 @@ +--- +- import_playbook: ../common/vm-install.yml 
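Review bot: The commented example `#vault_identity_list = spreadspace@gpg/get-vault-pass-spreadsprace` misspells the environment; the password script added in this commit is `gpg/get-vault-pass-spreadspace`, so anyone copying the line into their own config points at a non-existent file. Suggest `#vault_identity_list = spreadspace@gpg/get-vault-pass-spreadspace`. `remote_user = root` is removed without a replacement in this file; if the intent is that the inventory now carries it, a one-line comment in the `[defaults]` section saying so would save the next reader a search.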
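Review bot: In the new `exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" $@ "$env_group/generic.yaml"` the pass-through arguments are still an unquoted `$@`, so any argument containing whitespace (a quoted `-e "key=value with spaces"`, for instance) is re-split before it reaches ansible-playbook; it should be `"$@"`, matching the quoting already used for `"$env_group/generic.yaml"` on the same line. The added `cd "${BASH_SOURCE%/*}"` is unchecked: if it fails, `source common/utils.sh` and the playbook path resolve against the caller's directory, so `cd "${BASH_SOURCE%/*}" || exit 1`. The script runs under plain `#!/bin/bash` with no `set -e`, so that explicit check is the only guard.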
diff --git a/common/utils.sh b/common/utils.sh
new file mode 100644
index 00000000..3e31c568
--- /dev/null
+++ b/common/utils.sh
@@ -0,0 +1,108 @@ +## this file contains several helper functions, please source it to make use of them + +print_error() { + echo -e "\033[1;31mERROR:\033[1;0m $1" +} + +print_success() { + echo -e "\033[1;32mSuccess:\033[1;0m $1" +} + +print_info() { + echo -e "\033[1;37mInfo:\033[1;0m $1" +} + +########################### +## varibales from ansible hosts + +ansible_variable__get() { + local _var_name="$1" + local _hosts="$2" + + local _result=$(env ANSIBLE_STDOUT_CALLBACK="json" ansible "$_hosts" -m debug -a "var=$_var_name" | \ + jq -r ".plays[].tasks[].hosts[].$_var_name" | sort | uniq) + if [ $? -ne 0 ] || [ -z "$_result" ]; then + print_error "failed to get value of variable '$_var_name' for host(s) '$_hosts'" + return 1 + fi + + local _num_results=$(echo "$_result" | wc -l) + if [ $_num_results -ne 1 ]; then + print_error "the vairable '$_var_name' is not unique for the given hosts '$_hosts', got values: $(echo $_result | xargs | sed 's/ /, /g')" + return 2 + fi + + eval "$_var_name"='$(echo "$_result")' + return 0 +} + + +########################### +## vault environment handling + +vault_environment__get() { + echo "${ANSIBLE_VAULT_IDENTITY_LIST}" | tr ',' '\n' | awk -F '@' '{ print($1) }' | sed '/^$/d' +} + +vault_environment__set() { + unset ANSIBLE_VAULT_IDENTITY_LIST + for e in "$@"; do + vault_environment__activate $e || return 1 + done +} + +vault_environment__activate() { + if [ -z "$1" ]; then + print_error "please specify an environment" + return 2 + fi + + if [ ! -f "gpg/get-vault-pass-$1" ]; then + print_error "failed to activate environment: '$1' .. 
could not find password file 'gpg/get-vault-pass-$1'" + return 1 + fi + + for e in $(vault_environment__get); do + if [ "$1" = "$e" ]; then + print_info "environment '$1' is already active" + return 0 # environment is already activated + fi + done + + if [ -z "${ANSIBLE_VAULT_IDENTITY_LIST}" ]; then + export ANSIBLE_VAULT_IDENTITY_LIST="$1@gpg/get-vault-pass-$1" + else + export ANSIBLE_VAULT_IDENTITY_LIST="${ANSIBLE_VAULT_IDENTITY_LIST},$1@gpg/get-vault-pass-$1" + fi + print_success "environment '$1' is now active" + return 0 +} + +vault_environment__deactivate() { + local new_list + + if [ -z "$1" ]; then + print_error "please specify an environment" + return 2 + fi + + new_list="" + for e in $(vault_environment__get); do + if [ "$1" != "$e" ]; then + if [ -z "$new_list" ]; then + new_list="$e@gpg/get-vault-pass-$e" + else + new_list="$new_list,$e@gpg/get-vault-pass-$e" + fi + fi + done + + if [ -z "$new_list" ]; then + unset ANSIBLE_VAULT_IDENTITY_LIST + else + export ANSIBLE_VAULT_IDENTITY_LIST="$new_list" + fi + + print_success "environment '$1' is now deactivated" + return 0 +} diff --git a/vm-install.yml b/common/vm-install.yml index e0685f9d..5cc2a1c3 100644 --- a/vm-install.yml +++ b/common/vm-install.yml @@ -1,16 +1,16 @@ --- - name: preperations and sanity checks - hosts: "{{ vmname }}" + hosts: "{{ hostname }}" gather_facts: no tasks: - name: setup variables set_fact: - vm_network_cooked: "{{ vm_network }}" - vm_install_cooked: "{{ vm_install }}" + network_cooked: "{{ network }}" + install_cooked: "{{ install }}" - name: create temporary host group for vm host add_host: - name: "{{ vm_install.host }}" - inventory_dir: "{{inventory_dir}}" + name: "{{ vm_host }}" + inventory_dir: "{{ inventory_dir }}" group: _vmhost_ # TODO: add some sanity checks @@ -20,7 +20,7 @@ - role: vm/install - name: wait for new vm to start up - hosts: "{{ vmname }}" + hosts: "{{ hostname }}" gather_facts: no tasks: ## TODO: find a better way to fetch host key of new VMs 
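Review bot: In `ansible_variable__get`, `local _result=$(env … | jq … | sort | uniq)` followed by `if [ $? -ne 0 ]` tests the exit status of `local`, which is always 0, so a failing `ansible` or `jq` is only caught indirectly when the output happens to be empty. Split declaration from assignment and make the pipeline fail-aware: `local _result` on one line, then `_result=$(set -o pipefail; env ANSIBLE_STDOUT_CALLBACK="json" ansible "$_hosts" -m debug -a "var=$_var_name" | jq -r ".plays[].tasks[].hosts[].$_var_name" | sort | uniq)`, after which the existing `$?` check works. The closing `eval "$_var_name"='$(echo "$_result")'` can be `printf -v "$_var_name" '%s' "$_result"`, which assigns the value without routing it through the shell parser. In `vault_environment__set` and `vault_environment__activate` the loop variable `e` is not declared `local`; because this file is meant to be sourced into an interactive shell it leaks into the user's session, and `vault_environment__activate $e` should be quoted like the rest of the file.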
@@ -35,10 +35,20 @@ set_fact: ansible_ssh_extra_args: "" -- import_playbook: "host_playbooks/{{ vmname }}.yml" +- name: Apply VM configuration roles + hosts: "{{ hostname }}" + pre_tasks: + - name: make sure to update cached facts + setup: + roles: + - role: vm/grub + - role: vm/network + - role: vm/guest + +- import_playbook: "../{{ hostenv }}/{{ hostname }}.yml" - name: reboot and wait for VM come back - hosts: "{{ vmname }}" + hosts: "{{ hostname }}" gather_facts: no roles: - role: reboot-and-wait diff --git a/dan/generic.yaml b/dan/generic.yaml new file mode 100644 index 00000000..d3b8de82 --- /dev/null +++ b/dan/generic.yaml @@ -0,0 +1,5 @@ +--- +- name: "Apply role {{ myrole }} to hosts: {{ myhosts }}" + hosts: "{{ myhosts }}" + roles: + - role: "{{ myrole }}" diff --git a/host_playbooks/sk2013.yml b/dan/sk2013.yml index 5caa6603..5caa6603 100644 --- a/host_playbooks/sk2013.yml +++ b/dan/sk2013.yml diff --git a/host_playbooks/sk2016.yml b/dan/sk2016.yml index ef3d7c43..ef3d7c43 100644 --- a/host_playbooks/sk2016.yml +++ b/dan/sk2016.yml diff --git a/dan/vm-install.yml b/dan/vm-install.yml new file mode 100644 index 00000000..b5d8bf2e --- /dev/null +++ b/dan/vm-install.yml @@ -0,0 +1,2 @@ +--- +- import_playbook: ../common/vm-install.yml diff --git a/environment.sh b/environment.sh new file mode 100644 index 00000000..7d99979a --- /dev/null +++ b/environment.sh @@ -0,0 +1,20 @@ +## +## must be sourced in your interactive shell session before using vault files +## scripts should source common/utils and call the functions directly +## + +source common/utils.sh + +op="$1" +if [ -n "$op" ]; then + shift +fi + +case $op in + activate|deactivate|set|get) + "vault_environment__$op" "$@" + ;; + *) + print_error "unknown operation: '$op'" + ;; +esac diff --git a/gpg/add-key.sh b/gpg/add-key.sh index 98e29174..82970a91 100755 --- a/gpg/add-key.sh +++ b/gpg/add-key.sh 
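Review bot: `source common/utils.sh` here, and the `gpg/get-vault-pass-$1` lookup inside `vault_environment__activate` that it enables, are both relative to the caller's working directory, but the header comment does not say so; sourced from any other directory the `source` fails and the later `print_error` call hits an undefined function. Since the file is sourced, an early `return` is available: `[ -f common/utils.sh ] || { echo "environment.sh must be sourced from the repository root" >&2; return 1; }` before the `source` line, plus a sentence in the header comment. The `*)` arm also fires when no operation is given at all, yielding `unknown operation: ''`; listing the four valid operations in that message would make the failure self-explanatory.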
@@ -1,21 +1,28 @@ #!/bin/bash if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ <keyfile> ]" + exit 1 +fi +NAME="$1" +shift + +if [ -z "$1" ]; then echo "no keyfile specified, reading from stdin ..." fi -"${BASH_SOURCE%/*}/gpg2.sh" --import $@ +"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --import "$@" if [ $? -ne 0 ]; then - echo -e "\nERROR: import key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg." + echo -e "\nERROR: importing key(s) failed. Please revert any changes of the file gpg/vault-keyring-$NAME.gpg." exit 1 fi echo "" -"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh" +"${BASH_SOURCE%/*}/get-vault-pass-$NAME" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME" if [ $? -ne 0 ]; then echo -e "\nERROR: reencrypting vault password file failed!" - echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!" + echo " You might want to revert any changes on gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg!!" exit 1 fi echo "Successfully reencrypted vault password file!" -echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg." +echo " Don't forget to commit the changes in gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg." diff --git a/gpg/create-environment.sh b/gpg/create-environment.sh new file mode 100755 index 00000000..7ee5827b --- /dev/null +++ b/gpg/create-environment.sh 
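Review bot: The `if [ $? -ne 0 ]` after `"${BASH_SOURCE%/*}/get-vault-pass-$NAME" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME"` reflects only `set-vault-pass.sh`; if the decryption side fails, whatever reached the pipe is encrypted as the new `vault-pass-$NAME.gpg` and the script still prints "Successfully reencrypted". Capture the current secret first and stop on failure: `pass=$("${BASH_SOURCE%/*}/get-vault-pass-$NAME") || exit 1` followed by `printf '%s\n' "$pass" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME"`. Note that `gpg/get-vault-pass.sh` in this same commit exits 0 with a placeholder string when `gpg2 --decrypt` fails, so an exit-status check alone does not fully protect this path. `gpg/remove-keys.sh` contains the identical pipeline and check.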
@@ -0,0 +1,40 @@ +#!/bin/bash + +if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ <keyfile> ]" + exit 1 +fi +NAME="$1" +shift + +if [ -e "${BASH_SOURCE%/*}/get-vault-pass-$NAME" ]; then + echo "environment '$NAME' already exists." + exit 0 +fi + + +if [ -z "$1" ]; then + echo "no keyfile specified, reading from stdin ..." +fi + +"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --import "$@" +if [ $? -ne 0 ]; then + echo -e "\nERROR: importing key(s) failed." + exit 1 +fi + + +### enable this as soon https://github.com/ansible/ansible/issues/18319 has landed +#ln -s get-vault-pass- "${BASH_SOURCE%/*}/get-vault-pass-$NAME" +cp "${BASH_SOURCE%/*}/get-vault-pass-" "${BASH_SOURCE%/*}/get-vault-pass-$NAME" + +echo "" +echo "Please type in passphrase:" +"${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME" +if [ $? -ne 0 ]; then + echo -e "\nERROR: creating vault password file failed!" + exit 1 +fi +echo "" +echo "Successfully created vault password file!" +echo " Don't forget to commit gpg/get-vault-pass-$NAME, gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg." diff --git a/gpg/get-vault-pass- b/gpg/get-vault-pass- new file mode 100755 index 00000000..37f60413 --- /dev/null +++ b/gpg/get-vault-pass- @@ -0,0 +1,2 @@ +#!/bin/bash +exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}" diff --git a/gpg/get-vault-pass-chaos-at-home b/gpg/get-vault-pass-chaos-at-home new file mode 100755 index 00000000..37f60413 --- /dev/null +++ b/gpg/get-vault-pass-chaos-at-home @@ -0,0 +1,2 @@ +#!/bin/bash +exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}" diff --git a/gpg/get-vault-pass-dan b/gpg/get-vault-pass-dan new file mode 100755 index 00000000..37f60413 --- /dev/null +++ b/gpg/get-vault-pass-dan @@ -0,0 +1,2 @@ +#!/bin/bash +exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}" diff --git a/gpg/get-vault-pass-spreadspace b/gpg/get-vault-pass-spreadspace new file mode 100755 index 00000000..37f60413 --- /dev/null 
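Review bot: `"${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME"` after `echo "Please type in passphrase:"` lets `gpg2 --encrypt` read the new vault passphrase straight from the terminal, so it is echoed in clear text on screen and the user has to know to terminate input with EOF. Reading it with `read -rs -p "Please type in passphrase: " pass` and then `printf '%s\n' "$pass" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME"` avoids both. `NAME` is spliced into several paths (`get-vault-pass-$NAME`, `vault-keyring-$NAME.gpg`, `vault-pass-$NAME.gpg`) without any check; a guard such as `[[ "$NAME" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid environment name '$NAME'"; exit 1; }` right after the `shift` keeps a typo like `../foo` from creating files outside `gpg/`.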
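Review bot: Both `"${BASH_SOURCE%/*}/get-vault-pass.sh"` and `"${BASH_SOURCE##*/get-vault-pass-}"` assume the script was invoked with a directory component; run as `bash get-vault-pass-dan` from inside `gpg/`, the first expansion yields the script name itself and the second leaves the full name untouched, so neither the exec path nor the environment is right. Since the wrapper is always meant to be reached by path (`gpg/get-vault-pass-<env>` in `ansible.cfg`, `"${BASH_SOURCE%/*}/get-vault-pass-$NAME"` in the gpg scripts), a one-line comment stating that convention would suffice: `# invoked as gpg/get-vault-pass-<env>; the suffix selects vault-pass-<env>.gpg`. The same two lines are duplicated verbatim in `get-vault-pass-chaos-at-home`, `get-vault-pass-dan` and `get-vault-pass-spreadspace`, which the comment in `create-environment.sh` already flags as a stop-gap for symlinks.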
+++ b/gpg/get-vault-pass-spreadspace @@ -0,0 +1,2 @@ +#!/bin/bash +exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}" diff --git a/gpg/get-vault-pass.sh b/gpg/get-vault-pass.sh index 202c94f7..6cf2ff9a 100755 --- a/gpg/get-vault-pass.sh +++ b/gpg/get-vault-pass.sh @@ -1,2 +1,20 @@ #!/bin/bash -gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null +if [ -z "$1" ]; then + echo "Usage: $0 <environment>" + exit 1 +fi +NAME="$1" +shift + +gpg2 --decrypt --batch --no-tty --quiet < "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg" + +# Ansible up to including 2.6 seems to have a bug which ignores the setting of 'vault_id_match = True' +# in ansible.cfg (or the equivalent environment variable). +# +# To make it possible to use ansible-vault view as a textconv filter for git, we need to support +# the case that some people do not have access to all vaults. So let's return an invalid +# secret, and pretend success. +if [ $? -ne 0 ]; then + echo This is my secret. There are many others like it, but this one is mine. My secret is my best friend. It is my life. I must master it as I must master my life. Without me, my secret is useless. Without my secret, I am useless. Please do not quote from movies when searching for a passphrase. + exit 0 +fi diff --git a/gpg/gpg2.sh b/gpg/gpg2.sh index 27435ab5..2c0f2157 100755 --- a/gpg/gpg2.sh +++ b/gpg/gpg2.sh @@ -1,2 +1,10 @@ #!/bin/bash -exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring.gpg" --secret-keyring /dev/null --no-options --no-default-keyring --trust-model always $@ + +if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ .. additional parameters passwd on to gpg2 .. ]" + exit 1 +fi +NAME="$1" +shift + +exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring-$NAME.gpg" --secret-keyring /dev/null --no-default-keyring --trust-model always "$@" diff --git a/gpg/list-keys.sh b/gpg/list-keys.sh index 4b010495..4166fa59 100755 --- a/gpg/list-keys.sh +++ b/gpg/list-keys.sh 
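Review bot: The new fallback `echo This is my secret. … ` followed by `exit 0` turns a failed `gpg2 --decrypt` into a successful run with a placeholder secret, and nothing is written to stderr, so a caller cannot tell it apart from a real decryption. For the git textconv use case that is the stated intent, but `gpg/add-key.sh` and `gpg/remove-keys.sh` pipe this script's stdout into `set-vault-pass.sh`, so a missing key or a stalled agent would re-encrypt the placeholder as the environment's vault password and the resulting commit would lock everyone out. At minimum make it visible: `echo "WARNING: could not decrypt vault-pass-$NAME.gpg, returning a placeholder" >&2` before the `echo`, and consider making the pretend-success behaviour opt-in (an environment variable set only by the git textconv configuration) so interactive and scripted callers get the real non-zero status. The comment pins the workaround to "Ansible up to including 2.6"; a TODO to drop it once `vault_id_match` is honoured would keep it from outliving the bug.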
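Review bot: The rewritten `exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring-$NAME.gpg" --secret-keyring /dev/null --no-default-keyring --trust-model always "$@"` drops `--no-options`, so the user's `~/.gnupg/gpg.conf` now applies to every keyring operation routed through this wrapper (`add-key.sh`, `list-keys.sh`, `remove-keys.sh` and `set-vault-pass.sh` all go via it); if that is deliberate, a comment above the line saying why would stop someone from re-adding the flag. In the usage text, `passwd on to gpg2` should read `passed on to gpg2`; `gpg/list-keys.sh` carries the same typo.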
@@ -1,2 +1,10 @@ #!/bin/bash -exec "${BASH_SOURCE%/*}/gpg2.sh" --list-keys $@ + +if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ .. additional parameters passwd on to gpg2 .. ]" + exit 1 +fi +NAME="$1" +shift + +exec "${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --list-keys "$@" diff --git a/gpg/remove-keys.sh b/gpg/remove-keys.sh index 80ae1573..d5fd93c3 100755 --- a/gpg/remove-keys.sh +++ b/gpg/remove-keys.sh @@ -1,9 +1,16 @@ #!/bin/bash if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ <key-id> [ <key-id> [ .. ] ] ]" + exit 1 +fi +NAME="$1" +shift + +if [ -z "$1" ]; then echo "Please specify at least one key ID!" echo "" - echo "You can find out the key ID using the command: gpg/list-keys.sh" + echo "You can find out the key ID using the command: ${0%/*}/list-keys.sh $NAME" echo "" echo " Here is an example output:" echo "" @@ -18,18 +25,18 @@ if [ -z "$1" ]; then exit 1 fi -"${BASH_SOURCE%/*}/gpg2.sh" --delete-keys $@ +"${BASH_SOURCE%/*}/gpg2.sh" $NAME --delete-keys $@ if [ $? -ne 0 ]; then - echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg." + echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring-$NAME.gpg." exit 1 fi echo "" -"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh" +"${BASH_SOURCE%/*}/get-vault-pass-$NAME" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME" if [ $? -ne 0 ]; then echo -e "\nERROR: reencrypting vault password file failed!" - echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!" + echo " You might want to revert any changes on gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg!!" exit 1 fi echo "Successfully reencrypted vault password file!" -echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg." +echo " Don't forget to commit the changes in gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg." 
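Review bot: `"${BASH_SOURCE%/*}/gpg2.sh" $NAME --delete-keys $@` leaves `$NAME` and `$@` unquoted while `add-key.sh` in the same commit quotes both (`"$NAME" --import "$@"`); write it as `"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --delete-keys "$@"` so key IDs are not re-split and an empty `NAME` cannot shift the arguments into gpg2.sh's usage check. The `if [ $? -ne 0 ]` after the `get-vault-pass-$NAME | set-vault-pass.sh "$NAME"` pipeline checks only the encryption side, the same pattern as in `add-key.sh`, so a failed decryption is re-encrypted as the new password file without an error.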
diff --git a/gpg/set-vault-pass.sh b/gpg/set-vault-pass.sh index 1fb3426c..64191a37 100755 --- a/gpg/set-vault-pass.sh +++ b/gpg/set-vault-pass.sh @@ -1,6 +1,13 @@ #!/bin/bash -keyids=$("${BASH_SOURCE%/*}/gpg2.sh" --list-keys --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}') +if [ -z "$1" ]; then + echo "Usage: $0 <environment>" + exit 1 +fi +NAME="$1" +shift + +keyids=$("${BASH_SOURCE%/*}/list-keys.sh" "$NAME" --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}') if [ -z "$keyids" ]; then echo "ERROR: no keys to encrypt to, is the keyring empty?" exit 1 @@ -12,9 +19,9 @@ for keyid in $keyids; do done -"${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" $receipients +"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --yes --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" $receipients if [ $? -ne 0 ]; then - rm -f "${BASH_SOURCE%/*}/vault-pass.gpg.$$" + rm -f "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" exit 1 fi -mv "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${BASH_SOURCE%/*}/vault-pass.gpg" +mv "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg" diff --git a/gpg/vault-keyring-chaos-at-home.gpg b/gpg/vault-keyring-chaos-at-home.gpg Binary files differnew file mode 100644 index 00000000..864ce7d3 --- /dev/null +++ b/gpg/vault-keyring-chaos-at-home.gpg diff --git a/gpg/vault-keyring-dan.gpg b/gpg/vault-keyring-dan.gpg Binary files differnew file mode 100644 index 00000000..161d61bc --- /dev/null +++ b/gpg/vault-keyring-dan.gpg diff --git a/gpg/vault-keyring.gpg b/gpg/vault-keyring-spreadspace.gpg Binary files differindex 8d2e0443..8d2e0443 100644 --- a/gpg/vault-keyring.gpg +++ b/gpg/vault-keyring-spreadspace.gpg diff --git a/gpg/vault-pass-chaos-at-home.gpg b/gpg/vault-pass-chaos-at-home.gpg new file mode 100644 index 00000000..b69478a6 --- /dev/null +++ b/gpg/vault-pass-chaos-at-home.gpg 
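Review bot: Nothing between the usage check and `"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --yes --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" $receipients` verifies that stdin actually carried a passphrase, so an empty or failed upstream (`add-key.sh` and `remove-keys.sh` pipe `get-vault-pass-$NAME` into this script) yields a valid PGP message wrapping an empty secret, which the final `mv` then installs as `vault-pass-$NAME.gpg`. Reading stdin first and refusing an empty value closes that: `pass=$(cat)`, `[ -n "$pass" ] || { echo "ERROR: no passphrase on stdin" >&2; exit 1; }`, then `printf '%s\n' "$pass" | "${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --yes --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" $receipients`. The `2>/dev/null` on the `list-keys.sh` call discards gpg's own diagnostics, so a missing keyring or mistyped `NAME` surfaces only as "no keys to encrypt to, is the keyring empty?"; dropping the redirect, or a comment explaining why it is there, would help the next person debugging that message. The `for keyid in $keyids` loop that builds `$receipients` starts outside this hunk.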
@@ -0,0 +1,19 @@ +-----BEGIN PGP MESSAGE----- + +hQIMA+Qd5U24qffPAQ//XhC91fRTgM2g8c9sPYLVakqUrr0ErQNWCUvKCRQxV3TA +sxgKWdIpuam4mW7HkE96BHGB+qLd//lrq+LM3jCZFUHgGal1XyWgHwAoHNC0y8Cg +5LKdVyGhDeeh8dSAs9pYouyfwUx3UTG9sFFcm5Nl7KFXP38VHA9ZyerUmC0g7t7F +l5mQmtK+Nc+ZBrZ5+Yr79U/f1VeKaNX2qkDbBrQmO+VubZ4covr4S1amG34ymvlr +2mLf+9wV8sGiOikZTzdDyCtO+32BpjuYvfoZnFRpTdCeKa0niFyrzvqFn6C0No9H +zhIY/SDdfauzLIIvj6WODOW0H6ILVGJ0Eq9KGACTAka+98uhIunHB4MKpOBC01x9 +LLCiISodqIfQuuOHVz4jJqHAwq+MGm0vmoWOfqiNDnOnRCC2kJnMP9K/wynPmXdm +eLSfOz9/8sOqW0MLL5Ugz0sZr9+5rdISlSf2/oa4ssJb3uUQwlSGkG+2MwD0dEMT +wowZBJOrGhGtKxzLRzSsErkng/j/arW3NU9Rai9RIzfyUFjDND5SqnTBdWp+AZqc +YGAeQ1hBTPQzYppx9qgF51p0rGzBmoB9/wC3Td0HavJaswtiwUL4/BATenoMzkG4 +KnB81ZFpkFW1Ze3XilFtmKXXqWpj7dURQ54D4moIwV2dk6dSCKmRumJVREKa5NvS +vAHID0sr7R7BF4z/IrdElmrXa1HExsPAIkPLeyUeU8fkvToSJ009avz6f68hkWEp +vR4hzN6Fe14HU4m9NP8Gn7HJsBnym8d93E8KVKcyEdCb9La1FfFHWm2Ado85Vll0 +EN/GMVhrD2sbX4Dz7+TCklx7n+hzZahankBgP4/1ZyTrrUyQvYNuczXPanckmrCV +DQaYuh+RY1C4bRgQZy47nQzCsYqZpxyn6jH2LvWZWyN9xDuj6vPefphfawqv +=MPgO +-----END PGP MESSAGE----- diff --git a/gpg/vault-pass-dan.gpg b/gpg/vault-pass-dan.gpg new file mode 100644 index 00000000..382a0e3a --- /dev/null +++ b/gpg/vault-pass-dan.gpg 
@@ -0,0 +1,19 @@ +-----BEGIN PGP MESSAGE----- + +hQIMA+Qd5U24qffPARAAh/hpOPDkQFckrlbmwFYiKtMyzJcHVOeSckFAsGYh0BFa +MzcbLqdRPGDwZL9yIruc/6ubQv1zqq8MZcvRW7BZkkCzBk5h2BcJ76iMgWfcwte6 +Jc2pmog36GihU9t41BJFtxm6mazEN4JTW3SC6i1boMPEJBOEcSIu8SBAFNGm0nCq +GL0j9Rw/T/EiMtmjY6c9nMTSnhOtcedpWeBsMPtYoWAo8/ea1kaGHCON+UGs6/4D +QUhI/ate8RA0vAD6NFkZE9C+uwU22/cyT7pZZTA11ohF32aF4vyVgMf9UY0+MYy0 ++msJZps2KRmECcVZiFGQZ2/OwU4tnYq53jUwL1erzADeFAco4vKtc7yVffN/pIn8 +aQ48kaKe9WT064fe92zWJfWF285fyEB8we72j6AmwA5RxIViVvl/2xdCdYNN6yv+ +kqYmdCEBdMHhcDz73K2mCGeqlkB8+DVpeHwtn+TT5J1IeFkCiK2LD2PtpyqV7BTn +dExQaKtUCbF3+jiPTv6N5ChMbY5ql2roN2zzHgoGVNREGaTxJXnkroJpxaelf4Q3 +ahnNE+/3G16TNCpzYXBNWh9wIHh+6mFhwqKxPy40goW4TMXqSs9+n1MCQhu8GCTH +8CsW6tK98vBgzbhoWLyyNVa40hdltw4+D0YdRle+YFqHaiXJcf2/FjaLoz+jSXvS +uwHQGVypRlmepR7lAKTTVCEjBrJ3lnW7LcBsHEKTr1gX+UleiPri5e029BRLcJDR +PJE4PBi7fp4tAUgSiN6D+mVF0+eXz2px+NVPAeavveMY/oTl8GsPQc/hYtjW9CnM +nhadEDPSmkaLMkCjR6XApprZtuoPyHPSTFIKGTe4bSU1Ezbpd9XNfXcU2Gz55JEk +rAvuyAfHqyXB1zzyA3UTPvRDAw0TN72wbMPEg2v5TE8TFB2Q3XoDuZYsN/A= +=fg/w +-----END PGP MESSAGE----- diff --git a/gpg/vault-pass.gpg b/gpg/vault-pass-spreadspace.gpg index 20130b37..20130b37 100644 --- a/gpg/vault-pass.gpg +++ b/gpg/vault-pass-spreadspace.gpg diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml deleted file mode 100644 index 65417f03..00000000 --- a/group_vars/all/vars.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -equinox_user: - name: equinox - # password: "{{ vault_equinox_password }}" - shell: /bin/zsh - - -ssh_keys: - equinox: - chaos: ssh-rsa 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 equinox@chaos-at-home.org - ele: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwjCMiwyz7f0b1b6S5RjGbYXjd+hkTVsNzZ9xIkqqvdF8zCU6qZTqkhem13m6E1aPjALl0iyrmpb8N2pmASD7axUaTMTDd2tktkB3LULBbQCCApMnw5viZc9fm9dLBdbdiYyRtNrpk/b39V+9uViAbRtATBrYS5vV/14gT42WxPhpFiCz6A5JsKpmbBafS9vfexnqLTvKBtYLt+zhuS9eFovMHM5k7Qq4mRdKe+wdMBDeRls2z2G/ZjPrfHAkw2WctFUdSY+YAVzLB0SddVWnbOSZ19tsnzskyHpDD49LWb7wYl0OJ9fhxO02lnxW5Vdpwwwx8I7FVH83fDTQpzfSdr8tMY3F9rvCmi4noiTGDE2AAWqh73unKuydvBomNYX8HbuiJO9eTgwUIRAqsl8vHNU5rA10YF5r2SUqofrBNfINUH8x0NhpLGzNPIlazndaPY1no+XeQRQtgSU1bdDQzmySyyn5g9mlMSTU+jHfzyoK7yqlKE0W/R2ZTOEwr6+uRdFqn+mWmB0Mr20YavjVretseVs1AkmqaVClEO1juwb/CWI//Nd4uboD9zdZwkHmCjLlOmC+GkGrnLValaqQDh8iR8aKiVbaQVffl3ph1pD3BCn79KJy56YySLTbaI4lFDUHherkTdvgyMVmZJZMROzwuX7i4bi04TZ/GKTfDrw== equinox@elevate.at - ff: ssh-rsa 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 equinox@ffgraz.net - mur: ssh-rsa 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 equinox@mur.at - r3: ssh-rsa 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 equinox@realraum.at - spread: ssh-rsa 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 equinox@spreadspace.org diff --git a/group_vars/elevate/vars.yml b/group_vars/elevate/vars.yml deleted file mode 100644 index 1808db88..00000000 --- a/group_vars/elevate/vars.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -sshserver_root_keys: "{{ [ ssh_keys.equinox.ele ] | join('\n') }}" - -acmetool_account_email: equinox@elevate.at diff --git a/group_vars/skillz/vars.yml b/group_vars/skillz/vars.yml deleted file mode 100644 index 4d8f679d..00000000 --- a/group_vars/skillz/vars.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -sshserver_root_keys: "{{ [ ssh_keys.equinox.ele ] | join('\n') }}" 
diff --git a/group_vars/spreadspace/vars.yml b/group_vars/spreadspace/vars.yml deleted file mode 100644 index 30011725..00000000 --- a/group_vars/spreadspace/vars.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -sshserver_root_keys: "{{ [ ssh_keys.equinox.spread ] | join('\n') }}" - -acmetool_account_email: equinox@spreadspace.org diff --git a/group_vars/spreadspace/vault.yml b/group_vars/spreadspace/vault.yml deleted file mode 100644 index 625cf08f..00000000 --- a/group_vars/spreadspace/vault.yml +++ /dev/null @@ -1,10 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -32323866383432633535336666356561623133626164346637376531333330313938363639303763 -6665643638373736653863366537336432333662396638660a336564616431313330623065643733 -66326231663364303432623839363638303565646438373333653837633235373961656633366333 -6330393836653433610a386633343737646663313764356538653664336539366630313837323739 -38363165373462386230356338396662653634316534343738643438343132616132333238623333 -30313339653537643066343262373339336363333030353538326466653833313638356639316237 -39313632373831613161306535656133363266353133343865373561346266306538363935303538 -30313164356361613265613763616364316330663735653662643937666166316562633339363037 -3733 diff --git a/host_playbooks/elesearch.yml b/host_playbooks/elesearch.yml deleted file mode 100644 index 15fca1a7..00000000 --- a/host_playbooks/elesearch.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Basic Setup - hosts: elesearch - roles: - - role: sshserver - - role: vm/grub - - role: vm/network - - role: base - - role: zsh diff --git a/host_vars/elesearch.yml b/host_vars/elesearch.yml deleted file mode 100644 index 0e235000..00000000 --- a/host_vars/elesearch.yml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -vm_install_host: sk2013 - -vm_install: - host: "{{ vm_install_host }}" - mem: 1024 - numcpu: 4 - disks: - primary: vda - virtio: - vda: - vg: storage - lv: "{{ inventory_hostname }}" - size: 50g - interfaces: - - bridge: "{{ hostvars[vm_install_host].vm_host.network.interface }}" - name: primary0 - autostart: True - -vm_network: - nameservers: "{{ hostvars[vm_install_host].vm_host.network.nameservers }}" - domain: elevate.at - systemd_link: - interfaces: "{{ vm_install.interfaces }}" - primary: - interface: primary0 - ip: "{{ (hostvars[vm_install_host].vm_host.network.ip+'/'+hostvars[vm_install_host].vm_host.network.mask) | ipaddr(hostvars[vm_install_host].vm_host.network.indices[inventory_hostname]) | ipaddr('address') }}" - mask: "{{ hostvars[vm_install_host].vm_host.network.mask }}" - gateway: "{{ hostvars[vm_install_host].vm_host.network.gateway | default(hostvars[vm_install_host].vm_host.network.ip) }}" diff --git a/host_vars/emc-master.yml b/host_vars/emc-master.yml deleted file mode 100644 index 95b3062a..00000000 --- a/host_vars/emc-master.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -vm_install_host: sk2013 - -vm_install: - host: "{{ vm_install_host }}" - mem: 1024 - numcpu: 2 - disks: - primary: vda - virtio: - vda: - vg: storage - lv: "{{ inventory_hostname }}" - size: 42g - interfaces: - - bridge: "{{ hostvars[vm_install_host].vm_host.network.interface }}" - name: primary0 - autostart: True - -vm_network: - nameservers: "{{ hostvars[vm_install_host].vm_host.network.nameservers }}" - domain: spreadspace.org - systemd_link: - interfaces: "{{ vm_install.interfaces }}" - primary: - interface: primary0 - ip: "{{ (hostvars[vm_install_host].vm_host.network.ip+'/'+hostvars[vm_install_host].vm_host.network.mask) | ipaddr(hostvars[vm_install_host].vm_host.network.indices[inventory_hostname]) | ipaddr('address') }}" - mask: "{{ hostvars[vm_install_host].vm_host.network.mask }}" - gateway: "{{ hostvars[vm_install_host].vm_host.network.gateway | default(hostvars[vm_install_host].vm_host.network.ip) }}" - -docker_lvm: - vg: "{{ inventory_hostname }}" - lv: docker - size: 10G - fs: ext4 - -kubelet_lvm: - vg: "{{ inventory_hostname }}" - lv: kubelet - size: 10G - fs: ext4 diff --git a/host_vars/emc-stats.yml b/host_vars/emc-stats.yml deleted file mode 100644 index 89352b4f..00000000 --- a/host_vars/emc-stats.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -vm_install_host: sk2016 - -vm_install: - host: "{{ vm_install_host }}" - mem: 8192 - numcpu: 6 - disks: - primary: vda - virtio: - vda: - vg: storage - lv: "{{ inventory_hostname }}" - size: 42g - vdb: - vg: storage - lv: "{{ inventory_hostname }}-data" - size: 100g - interfaces: - - bridge: "{{ hostvars[vm_install_host].vm_host.network.interface }}" - name: primary0 - autostart: True - -vm_network: - nameservers: "{{ hostvars[vm_install_host].vm_host.network.nameservers }}" - domain: spreadspace.org - systemd_link: - interfaces: "{{ vm_install.interfaces }}" - primary: - interface: primary0 - ip: "{{ (hostvars[vm_install_host].vm_host.network.ip+'/'+hostvars[vm_install_host].vm_host.network.mask) | ipaddr(hostvars[vm_install_host].vm_host.network.indices[inventory_hostname]) | ipaddr('address') }}" - mask: "{{ hostvars[vm_install_host].vm_host.network.mask }}" - gateway: "{{ hostvars[vm_install_host].vm_host.network.gateway | default(hostvars[vm_install_host].vm_host.network.ip) }}" - -docker_lvm: - vg: "{{ inventory_hostname }}" - lv: docker - size: 15G - fs: ext4 - -kubelet_lvm: - vg: "{{ inventory_hostname }}" - lv: kubelet - size: 10G - fs: ext4 - -emc_stats_lvm: - pvs: /dev/vdb - vg: "{{ inventory_hostname }}-data" - lv: stats - size: 50G - fs: ext4 diff --git a/hosts.ini b/hosts.ini deleted file mode 100644 index 28fb4e4e..00000000 --- a/hosts.ini +++ /dev/null 
@@ -1,94 +0,0 @@ -[chaos-at-home] -prometheus -web -mail -stats -auth -atlas -pan -keyserver -mimas - -[spreadspace] -ssbuild -calypso -telesto -thetys -dione -helene -emc-test - - -[skillz] -sk2013 -sk2016 -sktorrent - - -[emc-xx] -#emc-0[0:6] -emc-00 - -[elevate] -elewolke -elestream -elemedia -elesearch -emc-stats -emc-master - -[elevate:children] -emc-xx - - -[kvmhosts] -prometheus -atlas -sk2013 -sk2016 - -[hetzner] -sk2013 -sk2016 -emc-stats -emc-master -mimas -sktorrent -elewolke -elestream -elesearch - -[hetzner:children] -emc-xx - - -[scaleway-kernel] -# emc-test - -[scaleway] -emc-test - -[scaleway:children] -scaleway-kernel - - -### kubernetes cluster: emc - -[k8s-emc-encoder] -#dione -#helene - -[k8s-emc-streamer:children] -emc-xx - -[k8s-emc-master] -emc-master - -[k8s-emc-stats] -emc-stats - -[k8s-emc:children] -k8s-emc-master -k8s-emc-encoder -k8s-emc-streamer -k8s-emc-stats diff --git a/inventory/group_vars/all/main.yml b/inventory/group_vars/all/main.yml new file mode 100644 index 00000000..4bb6c76c --- /dev/null +++ b/inventory/group_vars/all/main.yml 
@@ -0,0 +1,21 @@ +--- +ssh_keys_root: "{{ ssh_keys.equinox[env_group] }}" + +equinox_user: + name: equinox + # password: "{{ vault_equinox_password }}" + shell: /bin/zsh + + +ssh_keys: + equinox: + chaos-at-home: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDL8afqxWieebpxezBuLj2CIx/iAuTY9ziJt8JCJE0qYh+B2wXe9e+sPaKwz5yyS0X0MoEPHbYuVytxGQfGhdVR57gWWTYq5MBBFEqmu5MexAFKlNxad4TNQQwhs7rnI+lptKJO+rqeG/vaQBgao+61ZVwRR5Zr1zsXEoo5m4VB8VPo3TW0nSb97LdMyUmb1TaqDKJ5hrtrV6YcokXzE8FwHMK15oJsuJC7YUReijol3hGsRVw1H5S1zu4uDz7G32dPVxoLOPgupnf0SxnXdNVfNU50MHHSK68HzBXz4/rE1YLacRPloOhO7xegkWd5KGa09opEbUGzGu/lSXgHuAJpPgloy14cehDhLJ7F7SbXK4QBBtVgV+1CYXG2eJsRHIdkWiTWLuG+QZ4oEFLjQBjWpUYsEiDt9FEtSVCtKH2vBk26ps5yIoSCtYq6POvg9miGgcpQA6HHwh5ekVUaKRGWuMdAIvjvQSlCsFjYkxD1NpCgU1RhyWWTI3xTSKzTxcXiCWWZoBDJVoW46EpSvySsOpxL/hLxJwMR8ouc6cPRZZl3m51824Rv3LdEXNBmn3vnojzIvrOed3sxpD0+7+tbA4J1uTbAxtkOMhK94WXKiUAOD7e5bJYdzajvDD2T9tkj/Mqdo8z3iR2/yjkGMEAeWWVOQEh7QhQS7OFEAKK4fw== equinox@chaos-at-home.org + dan: + - ssh-rsa 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 equinox@elevate.at + spreadspace: + - ssh-rsa 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 equinox@spreadspace.org + funkfeuer: + - ssh-rsa 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 equinox@ffgraz.net + mur.at: + - ssh-rsa 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 equinox@mur.at diff --git a/inventory/group_vars/elevate/main.yml b/inventory/group_vars/elevate/main.yml new file mode 100644 index 00000000..58103d1a --- /dev/null +++ b/inventory/group_vars/elevate/main.yml @@ -0,0 +1,2 @@ +--- +acmetool_account_email: equinox@elevate.at diff --git a/group_vars/hetzner/vars.yml b/inventory/group_vars/hetzner/main.yml index 2e5c8b4a..2e5c8b4a 100644 --- a/group_vars/hetzner/vars.yml +++ b/inventory/group_vars/hetzner/main.yml diff --git a/group_vars/k8s-emc/vars.yml b/inventory/group_vars/k8s-emc/main.yml index 6b1344ae..6b1344ae 100644 --- a/group_vars/k8s-emc/vars.yml +++ b/inventory/group_vars/k8s-emc/main.yml 
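Review bot: `ssh_keys_root` deserves a comment that it is the complete root key set, because the sshserver role in this commit installs it with `exclusive: yes` and the preseed role bakes it into the installer initramfs: any key not listed under `ssh_keys.equinox[env_group]` is removed from root's authorized_keys on the next run. Suggested comment above the line: `# complete root key set per environment; sshserver applies it with exclusive: yes, so removing a key here revokes it on every host of that env_group`. The `funkfeuer` and `mur.at` entries match no `env_group` value set in inventory/hosts.ini (only chaos-at-home, spreadspace and dan are assigned), so this lookup never selects them; if they are consumed elsewhere, a comment naming the consumer would help.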
diff --git a/inventory/group_vars/kvmhosts/main.yml b/inventory/group_vars/kvmhosts/main.yml new file mode 100644 index 00000000..7ae104b1 --- /dev/null +++ b/inventory/group_vars/kvmhosts/main.yml @@ -0,0 +1,3 @@ +--- +preseed_path: /srv/preseed +debian_installer_path: /srv/installer diff --git a/inventory/group_vars/spreadspace/main.yml b/inventory/group_vars/spreadspace/main.yml new file mode 100644 index 00000000..4da60636 --- /dev/null +++ b/inventory/group_vars/spreadspace/main.yml @@ -0,0 +1,6 @@ +--- +acmetool_account_email: equinox@spreadspace.org + +blackmagic_desktopvideo_apt: + username: "streaming" + password: "{{ vault_spreadspace.blackmagic_desktopvideo_apt_password }}" diff --git a/host_vars/calypso.yml b/inventory/host_vars/calypso.yml index ff853586..ff853586 100644 --- a/host_vars/calypso.yml +++ b/inventory/host_vars/calypso.yml diff --git a/host_vars/dione.yml b/inventory/host_vars/dione.yml index 75b289c2..75b289c2 100644 --- a/host_vars/dione.yml +++ b/inventory/host_vars/dione.yml diff --git a/inventory/host_vars/emc-master.yml b/inventory/host_vars/emc-master.yml new file mode 100644 index 00000000..2a2de27f --- /dev/null +++ b/inventory/host_vars/emc-master.yml 
@@ -0,0 +1,41 @@ +--- +vm_host: sk2013 + +install: + host: "{{ vm_host }}" + mem: 1024 + numcpu: 2 + disks: + primary: vda + virtio: + vda: + vg: storage + lv: "{{ inventory_hostname }}" + size: 42g + interfaces: + - bridge: "{{ hostvars[vm_host].vm_host.network.interface }}" + name: primary0 + autostart: True + +network: + nameservers: "{{ hostvars[vm_host].vm_host.network.nameservers }}" + domain: spreadspace.org + systemd_link: + interfaces: "{{ install.interfaces }}" + primary: + interface: primary0 + ip: "{{ (hostvars[vm_host].vm_host.network.ip+'/'+hostvars[vm_host].vm_host.network.mask) | ipaddr(hostvars[vm_host].vm_host.network.indices[inventory_hostname]) | ipaddr('address') }}" + mask: "{{ hostvars[vm_host].vm_host.network.mask }}" + gateway: "{{ hostvars[vm_host].vm_host.network.gateway | default(hostvars[vm_host].vm_host.network.ip) }}" + +docker_lvm: + vg: "{{ inventory_hostname }}" + lv: docker + size: 10G + fs: ext4 + +kubelet_lvm: + vg: "{{ inventory_hostname }}" + lv: kubelet + size: 10G + fs: ext4 diff --git a/inventory/host_vars/emc-stats.yml b/inventory/host_vars/emc-stats.yml new file mode 100644 index 00000000..0bd53559 --- /dev/null +++ b/inventory/host_vars/emc-stats.yml 
@@ -0,0 +1,52 @@ +--- +vm_host: sk2016 + +install: + host: "{{ vm_host }}" + mem: 8192 + numcpu: 6 + disks: + primary: vda + virtio: + vda: + vg: storage + lv: "{{ inventory_hostname }}" + size: 42g + vdb: + vg: storage + lv: "{{ inventory_hostname }}-data" + size: 100g + interfaces: + - bridge: "{{ hostvars[vm_host].vm_host.network.interface }}" + name: primary0 + autostart: True + +network: + nameservers: "{{ hostvars[vm_host].vm_host.network.nameservers }}" + domain: spreadspace.org + systemd_link: + interfaces: "{{ install.interfaces }}" + primary: + interface: primary0 + ip: "{{ (hostvars[vm_host].vm_host.network.ip+'/'+hostvars[vm_host].vm_host.network.mask) | ipaddr(hostvars[vm_host].vm_host.network.indices[inventory_hostname]) | ipaddr('address') }}" + mask: "{{ hostvars[vm_host].vm_host.network.mask }}" + gateway: "{{ hostvars[vm_host].vm_host.network.gateway | default(hostvars[vm_host].vm_host.network.ip) }}" + +docker_lvm: + vg: "{{ inventory_hostname }}" + lv: docker + size: 15G + fs: ext4 + +kubelet_lvm: + vg: "{{ inventory_hostname }}" + lv: kubelet + size: 10G + fs: ext4 + +emc_stats_lvm: + pvs: /dev/vdb + vg: "{{ inventory_hostname }}-data" + lv: stats + size: 50G + fs: ext4 diff --git a/inventory/host_vars/emc-test.yml b/inventory/host_vars/emc-test.yml new file mode 100644 index 00000000..9b556df0 --- /dev/null +++ b/inventory/host_vars/emc-test.yml 
@@ -0,0 +1,29 @@ +--- +vm_host: sk2016 + +install: + host: "{{ vm_host }}" + mem: 1024 + numcpu: 2 + disks: + primary: vda + virtio: + vda: + vg: storage + lv: "{{ inventory_hostname }}" + size: 10g + interfaces: + - bridge: "{{ hostvars[vm_host].vm_host.network.interface }}" + name: primary0 + autostart: True + +network: + nameservers: "{{ hostvars[vm_host].vm_host.network.nameservers }}" + domain: spreadspace.org + systemd_link: + interfaces: "{{ install.interfaces }}" + primary: + interface: primary0 + ip: "{{ (hostvars[vm_host].vm_host.network.ip+'/'+hostvars[vm_host].vm_host.network.mask) | ipaddr(hostvars[vm_host].vm_host.network.indices[inventory_hostname]) | ipaddr('address') }}" + mask: "{{ hostvars[vm_host].vm_host.network.mask }}" + gateway: "{{ hostvars[vm_host].vm_host.network.gateway | default(hostvars[vm_host].vm_host.network.ip) }}" diff --git a/host_vars/helene.yml b/inventory/host_vars/helene.yml index b40fb069..b40fb069 100644 --- a/host_vars/helene.yml +++ b/inventory/host_vars/helene.yml diff --git a/host_vars/sk2013.yml b/inventory/host_vars/sk2013.yml index 920748c1..c1bf2728 100644 --- a/host_vars/sk2013.yml +++ b/inventory/host_vars/sk2013.yml @@ -7,19 +7,6 @@ sshserver_allowusers_host: vm_host: installer: net_if: virbr - preseed_path: /srv/preseed - path: /srv/installer - distros: - - distro: debian - codename: stretch - arch: - - amd64 - - i386 - - distro: ubuntu - codename: xenial - arch: - - amd64 - - i386 network: interface: virbr ip: 192.168.160.254 @@ -30,4 +17,3 @@ vm_host: - 213.133.99.99 indices: emc-master: 141 - elesearch: 142 diff --git a/host_vars/sk2016.yml b/inventory/host_vars/sk2016.yml index 872223db..73e59d75 100644 --- a/host_vars/sk2016.yml +++ b/inventory/host_vars/sk2016.yml 
@@ -7,19 +7,6 @@ sshserver_allowusers_host: vm_host: installer: net_if: virbr - preseed_path: /srv/preseed - path: /srv/installer - distros: - - distro: debian - codename: stretch - arch: - - amd64 - - i386 - - distro: ubuntu - codename: xenial - arch: - - amd64 - - i386 network: interface: virbr ip: 192.168.216.254 @@ -30,3 +17,4 @@ vm_host: - 213.133.99.99 indices: emc-stats: 200 + emc-test: 201 diff --git a/host_vars/telesto.yml b/inventory/host_vars/telesto.yml index ff853586..ff853586 100644 --- a/host_vars/telesto.yml +++ b/inventory/host_vars/telesto.yml diff --git a/host_vars/thetys.yml b/inventory/host_vars/thetys.yml index ff853586..ff853586 100644 --- a/host_vars/thetys.yml +++ b/inventory/host_vars/thetys.yml diff --git a/inventory/hosts.ini b/inventory/hosts.ini new file mode 100644 index 00000000..0e83ecda --- /dev/null +++ b/inventory/hosts.ini 
@@ -0,0 +1,124 @@ +[all:vars] +host_name={{ inventory_hostname }} +#ansible_host={{ host_name }}.{{ host_domain }} +ansible_user=root +ansible_port=22000 + + +############################### +# environment: chaos-at-home + +[chaos-at-home:vars] +host_domain=chaos-at-home.org +env_group=chaos-at-home +ansible_host={{ host_name }}.{{ host_domain }} + +[chaos-at-home] +#prometheus +atlas +keyserver + + +############################### +# environment: spreadspace + +[spreadspace:vars] +host_domain=spreadspace.org +env_group=spreadspace +ansible_host={{ host_name }}.{{ host_domain }} + +[spreadspace] +build +calypso +telesto +thetys +dione +helene + + +[emc:vars] +host_domain=spreadspace.org +env_group=spreadspace + +[emc] +emc-stats +emc-master +emc-test + +[emc:children] +emc-xx + +[emc-xx] +#emc-0[0:6] +emc-00 + + +############################### +# environment: dan + +[skillz:vars] +host_domain=skillz.biz +env_group=dan + +[skillz] +sk2013 host_name=2013 +sk2016 host_name=2016 + + +[elevate:vars] +host_domain=elevate.at +env_group=dan + +[elevate] +elemedia host_name=media + + +############################### +# host categories + +[kvmhosts] +#prometheus +atlas +sk2013 +sk2016 + +[hetzner] +sk2013 +sk2016 +emc-stats +emc-master + +[hetzner:children] +emc-xx + + +[scaleway-kernel] +# emc-test + +[scaleway] +emc-test + +[scaleway:children] +scaleway-kernel + + +### kubernetes cluster: emc + +[k8s-emc-encoder] +#dione +#helene + +[k8s-emc-streamer:children] +emc-xx + +[k8s-emc-master] +emc-master + +[k8s-emc-stats] +emc-stats + +[k8s-emc:children] +k8s-emc-master +k8s-emc-encoder +k8s-emc-streamer +k8s-emc-stats diff --git a/roles/blackmagic-desktopvideo/defaults/main.yml b/roles/blackmagic-desktopvideo/defaults/main.yml new file mode 100644 index 00000000..8dde7e4d --- /dev/null +++ b/roles/blackmagic-desktopvideo/defaults/main.yml @@ -0,0 +1,4 @@ +--- +blackmagic_desktopvideo_apt: + username: "change-me" +# password: "secret" 
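Review bot: `emc-test` is placed in `[scaleway]` and not in `[hetzner]`, yet its new host_vars (inventory/host_vars/emc-test.yml) set `vm_host: sk2016` and sk2016's `indices` gain `emc-test: 201` in the same commit; one of the two looks stale, and if the VM now lives on sk2016 the `[hetzner]` membership is what should follow. Separately, `ansible_host` is commented out in `[all:vars]` and only the chaos-at-home and spreadspace groups set it, so hosts in `[skillz]`, `[elevate]` and `[emc]` are contacted by their bare inventory name (`sk2013`, `elemedia`, `emc-stats`) rather than `{{ host_name }}.{{ host_domain }}`; presumably that resolves via ssh config, but a one-line comment on those `:vars` sections would make it explicit.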
diff --git a/roles/blackmagic-desktopvideo/tasks/main.yml b/roles/blackmagic-desktopvideo/tasks/main.yml index 632f36ea..5283b628 100644 --- a/roles/blackmagic-desktopvideo/tasks/main.yml +++ b/roles/blackmagic-desktopvideo/tasks/main.yml @@ -11,7 +11,7 @@ - name: add repository entry apt_repository: - repo: deb https://{{ vault_build_spreadspace_blackmagic.username }}:{{ vault_build_spreadspace_blackmagic.password }}@build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic + repo: "deb https://{{ blackmagic_desktopvideo_apt.username }}:{{ blackmagic_desktopvideo_apt.password }}@build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic" state: present filename: blackmagic mode: 0600 diff --git a/roles/debian-installer/defaults/main.yml b/roles/debian-installer/defaults/main.yml new file mode 100644 index 00000000..94e8d6c2 --- /dev/null +++ b/roles/debian-installer/defaults/main.yml @@ -0,0 +1,18 @@ +distros: + - distro: debian + codename: stretch + arch: + - amd64 + - i386 + + - distro: ubuntu + codename: bionic + arch: + - amd64 + - i386 + +debian_installer_force_download: no + +debian_installer_url: + debian: "https://debian.ffgraz.net/debian" + ubuntu: "https://debian.ffgraz.net/ubuntu" diff --git a/roles/debian-installer/tasks/main.yml b/roles/debian-installer/tasks/main.yml new file mode 100644 index 00000000..eb32f6aa --- /dev/null +++ b/roles/debian-installer/tasks/main.yml 
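Review bot: The `apt_repository` line embeds `blackmagic_desktopvideo_apt.password` in the repo URL, and Ansible prints module arguments in failure output and at `-v`, so the vaulted secret can land in logs and CI output; add `no_log: true` to this task. The sources file itself is already `mode: 0600`, which is right for the on-disk copy. Where the targets' apt version supports `/etc/apt/auth.conf.d/`, keeping the credentials there and a plain URL in the sources list would keep the password out of the sources file entirely.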
@@ -0,0 +1,27 @@ +- name: prepare directories for installer images + with_subelements: + - "{{ distros }}" + - arch + file: + name: "{{ debian_installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}" + state: directory + +- name: download installer kernel images + with_subelements: + - "{{ distros }}" + - arch + get_url: + url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/images/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/linux" + dest: "{{ debian_installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/linux" + mode: 0644 + force: "{{ debian_installer_force_download }}" + +- name: download installer initrd.gz + with_subelements: + - "{{ distros }}" + - arch + get_url: + url: "{{ debian_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/images/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/initrd.gz" + dest: "{{ debian_installer_path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/initrd.gz" + mode: 0644 + force: "{{ debian_installer_force_download }}" diff --git a/roles/preseed/defaults/main.yml b/roles/preseed/defaults/main.yml new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/roles/preseed/defaults/main.yml diff --git a/roles/preseed/tasks/main.yml b/roles/preseed/tasks/main.yml new file mode 100644 index 00000000..7406154c --- /dev/null +++ b/roles/preseed/tasks/main.yml 
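Review bot: Both `get_url` tasks fetch the netboot kernel and `initrd.gz` that every VM and USB install boots from with no integrity check: there is no `checksum:` parameter, and `https` authenticates the mirror, not the image. Debian and Ubuntu publish a `SHA256SUMS` next to these files under `.../current/images/`, so either pin `checksum: "sha256:<expected-hash>"` (placeholder) per distro/arch or point `checksum:` at that file, after checking how get_url picks the entry, since it lists several `linux` images. A checksum also fixes the refresh problem: with the default `debian_installer_force_download: no`, a new `current/` release on the mirror is never re-downloaded, whereas a checksum mismatch triggers a fetch.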
@@ -0,0 +1,25 @@ +- name: Copy initramfs into position + copy: + remote_src: yes + src: "{{ debian_installer_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[hostname].install_cooked.arch | default('amd64') }}/initrd.gz" + dest: "{{ preseed_tmpdir }}/initrd.preseed.gz" + +- name: Generate preseed file + template: + src: "preseed_{{ install_distro }}-{{ install_codename }}.cfg.j2" + dest: "{{ preseed_tmpdir }}/preseed.cfg" + +- name: Generate authorized_keys file + authorized_key: + user: root + manage_dir: no + path: "{{ preseed_tmpdir }}/authorized_keys" + key: "{{ ssh_keys_root | join('\n') }}" + +- name: Inject files into initramfs + shell: cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz' + args: + chdir: "{{ preseed_tmpdir }}" + stdin: | + preseed.cfg + authorized_keys diff --git a/roles/vm/install/templates/preseed_debian-stretch.cfg.j2 b/roles/preseed/templates/preseed_debian-stretch.cfg.j2 index 8e221671..36d221a1 100644 --- a/roles/vm/install/templates/preseed_debian-stretch.cfg.j2 +++ b/roles/preseed/templates/preseed_debian-stretch.cfg.j2 
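Review bot: The `Inject files into initramfs` pipeline `cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz'` reports only gzip's exit status, so a cpio failure (a missing `authorized_keys`, for instance) yields a truncated initramfs that Ansible treats as success; run it as `shell: set -o pipefail; cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz'` with `executable: /bin/bash` under the existing `args`. The `Generate authorized_keys file` task would also benefit from a comment that `manage_dir: no` is deliberate because the file is written into `preseed_tmpdir`, not root's home directory.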
@@ -4,20 +4,24 @@ d-i debian-installer/language string en d-i debian-installer/country string AT -d-i debian-installer/locale string de_AT.UTF-8 -d-i keyboard-configuration/xkb-keymap select de - - -#d-i netcfg/choose_interface select enp1s1 -#d-i netcfg/disable_autoconfig boolean false -#d-i netcfg/get_ipaddress string {{ hostvars[vmname].vm_network_cooked.primary.ip }} -#d-i netcfg/get_netmask string {{ hostvars[vmname].vm_network_cooked.primary.mask }} -#d-i netcfg/get_gateway string {{ hostvars[vmname].vm_network_cooked.primary.gateway }} -#d-i netcfg/get_nameservers string {{ hostvars[vmname].vm_network_cooked.nameservers | join(' ') }} -#d-i netcfg/confirm_static boolean true - -d-i netcfg/get_hostname string {{ vmname }} -d-i netcfg/get_domain string {{ hostvars[vmname].vm_network_cooked.domain }} +d-i debian-installer/locale string en_US.UTF-8 +d-i keyboard-configuration/xkb-keymap select us + +d-i hw-detect/load_firmware boolean false + +d-i netcfg/disable_dhcp boolean true +d-i netcfg/choose_interface select {{ install_interface | default(hostvars[hostname].network_cooked.primary.interface) }} +d-i netcfg/disable_autoconfig boolean false +d-i netcfg/get_ipaddress string {{ hostvars[hostname].network_cooked.primary.ip }} +d-i netcfg/get_netmask string {{ hostvars[hostname].network_cooked.primary.mask }} +d-i netcfg/get_gateway string {{ hostvars[hostname].network_cooked.primary.gateway }} +d-i netcfg/get_nameservers string {{ hostvars[hostname].network_cooked.nameservers | join(' ') }} +d-i netcfg/confirm_static boolean true + +d-i netcfg/hostname string {{ hostname }} +d-i netcfg/get_hostname string {{ hostname }} +d-i netcfg/domain string {{ hostvars[hostname].network_cooked.domain }} +d-i netcfg/get_domain string {{ hostvars[hostname].network_cooked.domain }} d-i netcfg/wireless_wep string 
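Review bot: `netcfg/choose_interface` now falls back to `hostvars[hostname].network_cooked.primary.interface`, which in the new host_vars is the systemd.link name `primary0`; if `network_cooked` carries that through unchanged, the installer environment, which runs before the link file exists, will not find an interface by that name and `install_interface` becomes mandatory in practice. A comment above the line stating which of the two is expected (`# install_interface: kernel name seen by d-i; primary.interface is the post-install systemd.link name`) would prevent the confusion. The same construct appears in the ubuntu-xenial and ubuntu-bionic templates of this commit.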
@@ -37,8 +41,12 @@ d-i time/zone string Europe/Vienna d-i clock-setup/ntp boolean false -d-i partman-auto/disk string /dev/{{ hostvars[vmname].vm_install_cooked.disks.primary }} +d-i partman-auto/disk string /dev/{{ hostvars[hostname].install_cooked.disks.primary }} d-i partman-auto/method string lvm +d-i partman-auto/purge_lvm_from_device boolean true +d-i partman-auto-lvm/new_vg_name string {{ hostname }} +d-i partman-auto-lvm/guided_size string max + d-i partman-lvm/device_remove_lvm boolean true d-i partman-md/device_remove_md boolean true @@ -49,22 +57,22 @@ d-i partman-auto/expert_recipe string \ boot-root :: \ 1000 10000 -1 ext4 \ $defaultignore{ } $primary{ } $bootable{ } \ - method{ lvm } vg_name{ {{ vmname }} } \ + method{ lvm } vg_name{ {{ hostname }} } \ . \ 2048 10000 2560 ext4 \ - $lvmok{ } in_vg{ {{ vmname }} } \ + $lvmok{ } in_vg{ {{ hostname }} } \ method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } \ mountpoint{ / } \ . \ 1024 11000 1280 ext4 \ - $lvmok{ } in_vg{ {{ vmname }} } \ + $lvmok{ } in_vg{ {{ hostname }} } \ method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } \ mountpoint{ /var } \ . \ 768 10000 768 ext4 \ - $lvmok{ } in_vg{ {{ vmname }} } \ + $lvmok{ } in_vg{ {{ hostname }} } \ method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } \ mountpoint{ /var/log } \ @@ -72,7 +80,7 @@ d-i partman-auto/expert_recipe string \ options/noexec{ noexec } \ . \ 16 20000 -1 ext4 \ - $lvmok{ } in_vg{ {{ vmname }} } \ + $lvmok{ } in_vg{ {{ hostname }} } \ method( keep } lv_name{ dummy } \ . 
@@ -92,7 +100,7 @@ d-i pkgsel/include string openssh-server python d-i pkgsel/upgrade select safe-upgrade popularity-contest popularity-contest/participate boolean false -d-i grub-installer/choose_bootdev string /dev/{{ hostvars[vmname].vm_install_cooked.disks.primary }} +d-i grub-installer/choose_bootdev string /dev/{{ hostvars[hostname].install_cooked.disks.primary }} d-i grub-installer/only_debian boolean true d-i grub-installer/with_other_os boolean false @@ -100,6 +108,12 @@ d-i finish-install/reboot_in_progress note d-i preseed/late_command string \ - lvremove -f {{ vmname }}/dummy; \ + lvremove -f {{ hostname }}/dummy; \ in-target bash -c "apt-get update -q && apt-get full-upgrade -y -q"; \ - in-target bash -c "passwd -d root; passwd -l root; umask 077; mkdir -p /root/.ssh/; echo -e '{{ sshserver_root_keys }}' > /root/.ssh/authorized_keys" + in-target bash -c "passwd -d root && passwd -l root"; \ + in-target bash -c "sed -e 's/^allow-hotplug/auto/' -i /etc/network/interfaces"; \ + mkdir -p -m 0700 /target/root/.ssh; \ + cp /authorized_keys /target/root/.ssh/; \ +{% if hostvars[hostname].ansible_port is defined %} + in-target bash -c "sed -e 's/^\(\s*#*\s*Port.*\)/Port {{ hostvars[hostname].ansible_port }}/' -i /etc/ssh/sshd_config" +{% endif %} diff --git a/roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2 b/roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2 new file mode 100644 index 00000000..8c7093aa --- /dev/null +++ b/roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2 
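Review bot: `cp /authorized_keys /target/root/.ssh/` keeps whatever mode the file had inside the initramfs, and sshd's default StrictModes refuses an authorized_keys that is group- or world-writable, so the first login could fail if the controller created the file more permissively; add `chmod 0600 /target/root/.ssh/authorized_keys; \` after the cp line. When `ansible_port` is undefined the string ends on the cp line's trailing `\` with nothing following, which seems harmless but reads oddly; ending the `{% if %}` branch with the separator instead of the line before it avoids the dangling continuation. The same late_command block is repeated in the ubuntu-xenial and ubuntu-bionic templates.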
@@ -0,0 +1,126 @@ +######################################################################### +# spreadspace preseed file for Ubuntu bionic based VMs +######################################################################### + +d-i debian-installer/language string en +d-i debian-installer/country string AT +d-i debian-installer/locale string en_US.UTF-8 +d-i localechooser/preferred-locale string en_US.UTF-8 +d-i localechooser/supported-locales multiselect de_DE.UTF-8, de_AT.UTF-8 +d-i console-setup/ask_detect boolean false +d-i keyboard-configuration/xkb-keymap select us +d-i keyboard-configuration/layoutcode string us + +d-i hw-detect/load_firmware boolean false + +d-i netcfg/disable_dhcp boolean true +d-i netcfg/choose_interface select {{ install_interface | default(hostvars[hostname].network_cooked.primary.interface) }} +d-i netcfg/disable_autoconfig boolean false +d-i netcfg/get_ipaddress string {{ hostvars[hostname].network_cooked.primary.ip }} +d-i netcfg/get_netmask string {{ hostvars[hostname].network_cooked.primary.mask }} +d-i netcfg/get_gateway string {{ hostvars[hostname].network_cooked.primary.gateway }} +d-i netcfg/get_nameservers string {{ hostvars[hostname].network_cooked.nameservers | join(' ') }} +d-i netcfg/confirm_static boolean true + +d-i netcfg/hostname string {{ hostname }} +d-i netcfg/get_hostname string {{ hostname }} +d-i netcfg/domain string {{ hostvars[hostname].network_cooked.domain }} +d-i netcfg/get_domain string {{ hostvars[hostname].network_cooked.domain }} +d-i netcfg/wireless_wep string + + +d-i mirror/country string manual +d-i mirror/http/hostname string archive.ubuntu.com +d-i mirror/http/directory string /ubuntu +d-i mirror/http/proxy string + + +d-i passwd/make-user boolean false +d-i passwd/root-login boolean true +d-i passwd/root-password password this-very-very-secure-password-will-be-removed-by-latecommand +d-i passwd/root-password-again password this-very-very-secure-password-will-be-removed-by-latecommand + + +d-i 
clock-setup/utc boolean true +d-i time/zone string Europe/Vienna +d-i clock-setup/ntp boolean false + + +d-i partman-auto/disk string /dev/{{ hostvars[hostname].install_cooked.disks.primary }} +d-i partman-auto/method string lvm +d-i partman-auto/purge_lvm_from_device boolean true +d-i partman-auto-lvm/new_vg_name string {{ hostname }} +d-i partman-auto-lvm/guided_size string max + +d-i partman-lvm/device_remove_lvm boolean true +d-i partman-md/device_remove_md boolean true + +d-i partman-lvm/confirm boolean true +d-i partman-lvm/confirm_nooverwrite boolean true + +d-i partman-auto/expert_recipe string \ + boot-root :: \ + 1000 10000 -1 ext4 \ + $defaultignore{ } $primary{ } $bootable{ } \ + method{ lvm } vg_name{ {{ hostname }} } \ + . \ + 2048 10000 2560 ext4 \ + $lvmok{ } in_vg{ {{ hostname }} } \ + method{ format } format{ } \ + use_filesystem{ } filesystem{ ext4 } \ + mountpoint{ / } \ + . \ + 1024 11000 1280 ext4 \ + $lvmok{ } in_vg{ {{ hostname }} } \ + method{ format } format{ } \ + use_filesystem{ } filesystem{ ext4 } \ + mountpoint{ /var } \ + . \ + 768 10000 768 ext4 \ + $lvmok{ } in_vg{ {{ hostname }} } \ + method{ format } format{ } \ + use_filesystem{ } filesystem{ ext4 } \ + mountpoint{ /var/log } \ + options/nodev{ nodev } options/noatime{ noatime } \ + options/noexec{ noexec } \ + . \ + 16 20000 -1 ext4 \ + $lvmok{ } in_vg{ {{ hostname }} } \ + method( keep } lv_name{ dummy } \ + . 
+ +d-i partman-auto-lvm/no_boot boolean true +d-i partman-basicfilesystems/no_swap true +d-i partman-partitioning/confirm_write_new_label boolean true +d-i partman/choose_partition select finish +d-i partman/confirm boolean true +d-i partman/confirm_nooverwrite boolean true + + +d-i base-installer/install-recommends boolean false +d-i apt-setup/security_host string archive.ubuntu.com + +tasksel tasksel/first multiselect +d-i pkgsel/include string openssh-server python +d-i pkgsel/upgrade select safe-upgrade +popularity-contest popularity-contest/participate boolean false +d-i pkgsel/update-policy select none + +d-i grub-installer/choose_bootdev string /dev/{{ hostvars[hostname].install_cooked.disks.primary }} +d-i grub-installer/only_debian boolean true +d-i grub-installer/with_other_os boolean false + +d-i finish-install/reboot_in_progress note + + +d-i preseed/late_command string \ + lvremove -f {{ hostname }}/dummy; \ + in-target bash -c "swapoff -a; sed -e '/^\/swapfile/d' -i /etc/fstab; rm -f /swapfile"; \ + in-target bash -c "apt-get update -q && apt-get full-upgrade -y -q"; \ + in-target bash -c "passwd -d root && passwd -l root"; \ + in-target bash -c "sed -e 's/^allow-hotplug/auto/' -i /etc/network/interfaces"; \ + mkdir -p -m 0700 /target/root/.ssh; \ + cp /authorized_keys /target/root/.ssh/; \ +{% if hostvars[hostname].ansible_port is defined %} + in-target bash -c "sed -e 's/^\(\s*#*\s*Port.*\)/Port {{ hostvars[hostname].ansible_port }}/' -i /etc/ssh/sshd_config" +{% endif %} diff --git a/roles/vm/install/templates/preseed_ubuntu-xenial.cfg.j2 b/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2 index dc53fd36..1be16ff8 100644 --- a/roles/vm/install/templates/preseed_ubuntu-xenial.cfg.j2 +++ b/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2 
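Review bot: `passwd/root-password` is a fixed clear-text value committed to the repository and baked into the initramfs that usb-install copies to `artifacts_dir`, and it is only cleared once `preseed/late_command` runs, so an install that stops after the user-setup stage leaves a box with a publicly known root password. Generating it per run is a two-line change: `{% set install_root_pw = lookup('password', '/dev/null length=32') %}` at the top and `{{ install_root_pw }}` in both `root-password` lines. `method( keep }` in the last recipe entry looks like a typo for `method{ keep }` (the stretch and xenial templates carry the same text); if partman accepts it today, fixing it is still cheaper than finding out later that the dummy LV is not created. `pkgsel/update-policy select none` switches off automatic updates on the installed system; a comment saying whether another role takes that over would help.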
@@ -11,17 +11,21 @@ d-i console-setup/ask_detect boolean false d-i keyboard-configuration/xkb-keymap select us d-i keyboard-configuration/layoutcode string us - -#d-i netcfg/choose_interface select enp1s1 -#d-i netcfg/disable_autoconfig boolean false -#d-i netcfg/get_ipaddress string {{ hostvars[vmname].vm_network_cooked.primary.ip }} -#d-i netcfg/get_netmask string {{ hostvars[vmname].vm_network_cooked.primary.mask }} -#d-i netcfg/get_gateway string {{ hostvars[vmname].vm_network_cooked.primary.gateway }} -#d-i netcfg/get_nameservers string {{ hostvars[vmname].vm_network_cooked.nameservers | join(' ') }} -#d-i netcfg/confirm_static boolean true - -d-i netcfg/get_hostname string {{ vmname }} -d-i netcfg/get_domain string {{ hostvars[vmname].vm_network_cooked.domain }} +d-i hw-detect/load_firmware boolean false + +d-i netcfg/disable_dhcp boolean true +d-i netcfg/choose_interface select {{ install_interface | default(hostvars[hostname].network_cooked.primary.interface) }} +d-i netcfg/disable_autoconfig boolean false +d-i netcfg/get_ipaddress string {{ hostvars[hostname].network_cooked.primary.ip }} +d-i netcfg/get_netmask string {{ hostvars[hostname].network_cooked.primary.mask }} +d-i netcfg/get_gateway string {{ hostvars[hostname].network_cooked.primary.gateway }} +d-i netcfg/get_nameservers string {{ hostvars[hostname].network_cooked.nameservers | join(' ') }} +d-i netcfg/confirm_static boolean true + +d-i netcfg/hostname string {{ hostname }} +d-i netcfg/get_hostname string {{ hostname }} +d-i netcfg/domain string {{ hostvars[hostname].network_cooked.domain }} +d-i netcfg/get_domain string {{ hostvars[hostname].network_cooked.domain }} d-i netcfg/wireless_wep string 
@@ -42,13 +46,15 @@ d-i time/zone string Europe/Vienna d-i clock-setup/ntp boolean false -d-i partman-auto/disk string /dev/{{ hostvars[vmname].vm_install_cooked.disks.primary }} +d-i partman-auto/disk string /dev/{{ hostvars[hostname].install_cooked.disks.primary }} d-i partman-auto/method string lvm d-i partman-auto/purge_lvm_from_device boolean true -d-i partman-auto-lvm/new_vg_name string {{ vmname }} +d-i partman-auto-lvm/new_vg_name string {{ hostname }} d-i partman-auto-lvm/guided_size string max d-i partman-lvm/device_remove_lvm boolean true +d-i partman-md/device_remove_md boolean true + d-i partman-lvm/confirm boolean true d-i partman-lvm/confirm_nooverwrite boolean true @@ -56,22 +62,22 @@ d-i partman-auto/expert_recipe string \ boot-root :: \ 1000 10000 -1 ext4 \ $defaultignore{ } $primary{ } $bootable{ } \ - method{ lvm } vg_name{ {{ vmname }} } \ + method{ lvm } vg_name{ {{ hostname }} } \ . \ 2048 10000 2560 ext4 \ - $lvmok{ } in_vg{ {{ vmname }} } \ + $lvmok{ } in_vg{ {{ hostname }} } \ method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } \ mountpoint{ / } \ . \ 1024 11000 1280 ext4 \ - $lvmok{ } in_vg{ {{ vmname }} } \ + $lvmok{ } in_vg{ {{ hostname }} } \ method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } \ mountpoint{ /var } \ . \ 768 10000 768 ext4 \ - $lvmok{ } in_vg{ {{ vmname }} } \ + $lvmok{ } in_vg{ {{ hostname }} } \ method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } \ mountpoint{ /var/log } \ @@ -79,7 +85,7 @@ d-i partman-auto/expert_recipe string \ options/noexec{ noexec } \ . \ 16 20000 -1 ext4 \ - $lvmok{ } in_vg{ {{ vmname }} } \ + $lvmok{ } in_vg{ {{ hostname }} } \ method( keep } lv_name{ dummy } \ . 
@@ -100,7 +106,7 @@ d-i pkgsel/upgrade select safe-upgrade popularity-contest popularity-contest/participate boolean false d-i pkgsel/update-policy select none -d-i grub-installer/choose_bootdev string /dev/{{ hostvars[vmname].vm_install_cooked.disks.primary }} +d-i grub-installer/choose_bootdev string /dev/{{ hostvars[hostname].install_cooked.disks.primary }} d-i grub-installer/only_debian boolean true d-i grub-installer/with_other_os boolean false @@ -108,6 +114,12 @@ d-i finish-install/reboot_in_progress note d-i preseed/late_command string \ - lvremove -f {{ vmname }}/dummy; \ + lvremove -f {{ hostname }}/dummy; \ in-target bash -c "apt-get update -q && apt-get full-upgrade -y -q"; \ - in-target bash -c "passwd -d root; passwd -l root; umask 077; mkdir -p /root/.ssh/; echo -e '{{ sshserver_root_keys }}' > /root/.ssh/authorized_keys" + in-target bash -c "passwd -d root && passwd -l root"; \ + in-target bash -c "sed -e 's/^allow-hotplug/auto/' -i /etc/network/interfaces"; \ + mkdir -p -m 0700 /target/root/.ssh; \ + cp /authorized_keys /target/root/.ssh/; \ +{% if hostvars[hostname].ansible_port is defined %} + in-target bash -c "sed -e 's/^\(\s*#*\s*Port.*\)/Port {{ hostvars[hostname].ansible_port }}/' -i /etc/ssh/sshd_config" +{% endif %} diff --git a/roles/sshserver/tasks/main.yml b/roles/sshserver/tasks/main.yml index 6d6cc59c..cd4c5043 100644 --- a/roles/sshserver/tasks/main.yml +++ b/roles/sshserver/tasks/main.yml @@ -29,7 +29,7 @@ - name: install ssh keys for root authorized_key: user: root - key: "{{ sshserver_root_keys }}" + key: "{{ ssh_keys_root | join('\n') }}" exclusive: yes - name: delete root password diff --git a/roles/usb-install/meta/main.yml b/roles/usb-install/meta/main.yml new file mode 100644 index 00000000..bca7f83d --- /dev/null +++ b/roles/usb-install/meta/main.yml 
@@ -0,0 +1,6 @@ +dependencies: + - role: debian-installer + distros: + - distro: "{{ install_distro }}" + codename: "{{ install_codename }}" + arch: [ "{{ install.arch | default('amd64') }}" ] diff --git a/roles/usb-install/tasks/main.yml b/roles/usb-install/tasks/main.yml new file mode 100644 index 00000000..1523aedc --- /dev/null +++ b/roles/usb-install/tasks/main.yml @@ -0,0 +1,22 @@ +--- +- block: + - name: Create temporary workdir + command: mktemp -d + register: tmpdir + + - import_role: + name: preseed + vars: + preseed_tmpdir: "{{ tmpdir.stdout }}" + + - name: Copy the preseed initramfs to the artifacts directory + copy: + src: "{{ tmpdir.stdout }}/initrd.preseed.gz" + dest: "{{ artifacts_dir }}/" + + + always: + - name: Cleanup temporary workdir + file: + path: "{{ tmpdir.stdout }}" + state: absent diff --git a/roles/vm/grub/tasks/main.yml b/roles/vm/grub/tasks/main.yml index f751243a..eb868d38 100644 --- a/roles/vm/grub/tasks/main.yml +++ b/roles/vm/grub/tasks/main.yml @@ -1,16 +1,15 @@ --- - name: enable serial console in grub and for kernel - with_items: - - regexp: '^GRUB_TIMEOUT=' - line: 'GRUB_TIMEOUT=2' - - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="console=ttyS0,115200n8"' - - regexp: '^GRUB_TERMINAL=' - line: 'GRUB_TERMINAL=serial' - - regexp: '^GRUB_SERIAL_COMMAND=' - line: 'GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"' + with_dict: + GRUB_TIMEOUT: 2 + GRUB_CMDLINE_LINUX: '"console=ttyS0,115200n8"' + GRUB_TERMINAL: serial + GRUB_SERIAL_COMMAND: >- + "serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1" lineinfile: dest: /etc/default/grub - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + regexp: "^{{ item.key }}=" + line: "{{ item.key }}={{ item.value }}" notify: update grub + loop_control: + label: "{{ item.key }}" diff --git a/roles/vm/guest/defaults/main.yml b/roles/vm/guest/defaults/main.yml new file mode 100644 index 00000000..b4deefa0 --- /dev/null 
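Review bot: `Copy the preseed initramfs to the artifacts directory` has no `remote_src: yes`, so its `src` is read on the controller, while the preceding `mktemp -d` and the preseed role's `copy` (`remote_src: yes`) operate on the managed host; this only lines up when the play targets localhost, which is worth stating in a header comment (`# expects to run on localhost: temp dir, installer tree and artifacts_dir are all controller-side`) or enforcing with `delegate_to: localhost`. In meta/main.yml the installer is fetched for `install.arch | default('amd64')` whereas the preseed role reads `hostvars[hostname].install_cooked.arch`; if `install_cooked` is derived from `install` elsewhere this is fine, otherwise the two can diverge. `artifacts_dir` is not defined anywhere visible in this commit; a `| mandatory` like the one on `debian_installer_path` would turn a missing value into a clear error.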
+++ b/roles/vm/guest/defaults/main.yml @@ -0,0 +1,3 @@ +rngd_config: + HRNGDEVICE: /dev/hwrng + RNGDOPTIONS: '"-s 256 -W 80%"' diff --git a/roles/vm/guest/handlers/main.yml b/roles/vm/guest/handlers/main.yml new file mode 100644 index 00000000..5b57f3bc --- /dev/null +++ b/roles/vm/guest/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart rngd + service: + name: rng-tools + state: restarted diff --git a/roles/vm/guest/tasks/main.yml b/roles/vm/guest/tasks/main.yml new file mode 100644 index 00000000..4830d051 --- /dev/null +++ b/roles/vm/guest/tasks/main.yml @@ -0,0 +1,37 @@ +- name: Install rngd + apt: + name: rng-tools + state: present + +- name: Configure rngd [1/2] + lineinfile: + path: /etc/default/rng-tools + line: '{{ item.key }}={{ item.value }}' + regexp: '^#?{{ item.key }}=' + with_dict: '{{ rngd_config }}' + loop_control: + label: "{{ item.key }}" + notify: restart rngd + +- name: Configure rngd [2/2] + lineinfile: + path: /etc/default/rng-tools + regexp: '^{{ item.key }}=(?!{{ item.value }})' + state: absent + with_dict: '{{ rngd_config }}' + loop_control: + label: "{{ item.key }}" + notify: restart rngd + +- name: Provide a root shell on the VM console [1/2] + file: + path: /etc/systemd/system/serial-getty@ttyS0.service.d/ + state: directory + +- name: Provide a root shell on the VM console [2/2] + copy: + dest: /etc/systemd/system/serial-getty@ttyS0.service.d/autologon.conf + content: | + [Service] + ExecStart= + ExecStart=-/sbin/agetty --keep-baud 115200,38400,9600 --noclear --autologin root --login-pause --host {{ vm_host }} %I $TERM diff --git a/roles/vm/host/defaults/main.yml b/roles/vm/host/defaults/main.yml deleted file mode 100644 index 0e3cddf1..00000000 --- a/roles/vm/host/defaults/main.yml +++ /dev/null 
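Review bot: `Configure rngd [2/2]` interpolates `item.value` into the `regexp` negative lookahead unescaped; the current values (`/dev/hwrng`, `"-s 256 -W 80%"`) happen to contain no regex metacharacters, but any future option with `.`, `+` or `(` would match the wrong lines or break the expression, so use `regexp: '^{{ item.key }}=(?!{{ item.value | regex_escape }})'`. The serial-getty drop-in gives an unauthenticated root shell to anyone who can open the guest's console on the VM host; that is a deliberate trust decision (host root already controls the guest), but a comment on the task saying so would stop a later reviewer from treating it as a misconfiguration.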
@@ -1,7 +0,0 @@ ---- -vm_host_force_download_installer: False -vm_host_installer_url: - # debian: "{{ debian_mirror.packages | default('http://deb.debian.org/debian') }}" - # ubuntu: "{{ ubuntu_mirror | default('http://archive.ubuntu.com/ubuntu') }}" - debian: "http://deb.debian.org/debian" - ubuntu: "http://archive.ubuntu.com/ubuntu" diff --git a/roles/vm/host/handlers/main.yml b/roles/vm/host/handlers/main.yml index 158f4dcd..6541dd80 100644 --- a/roles/vm/host/handlers/main.yml +++ b/roles/vm/host/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: restart inetd +- name: restart haveged service: - name: openbsd-inetd + name: haveged state: restarted diff --git a/roles/vm/host/meta/main.yml b/roles/vm/host/meta/main.yml new file mode 100644 index 00000000..40f6fcb3 --- /dev/null +++ b/roles/vm/host/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: debian-installer diff --git a/roles/vm/host/tasks/main.yml b/roles/vm/host/tasks/main.yml index 248f855c..010fdce4 100644 --- a/roles/vm/host/tasks/main.yml +++ b/roles/vm/host/tasks/main.yml 
@@ -1,53 +1,25 @@ --- -- name: install tftpd and python-libvirt +- name: install dependencies apt: name: - - atftpd - - openbsd-inetd - qemu-kvm - - libvirt-bin + - # configuration package, pulls in libvirt-clients and libvirt-daemon + libvirt-daemon-system - python-libvirt + - haveged state: present -- name: configure tftpd via inetd +- name: configure haveged lineinfile: - regexp: "^#?({{ vm_host.network.ip }}:)?tftp" - line: "{{ vm_host.network.ip }}:tftp dgram udp4 wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd --tftpd-timeout 300 --retry-timeout 5 --maxthread 10 --verbose=5 {{ vm_host.installer.preseed_path }}" - path: /etc/inetd.conf - notify: restart inetd + regexp: "^#?DAEMON_ARGS" + line: 'DAEMON_ARGS="-w 3072"' + path: /etc/default/haveged + notify: restart haveged - name: make sure installer directories exists with_items: - - "{{ vm_host.installer.path }}" - - "{{ vm_host.installer.preseed_path }}" + - "{{ debian_installer_path }}" + - "{{ preseed_path }}" file: name: "{{ item }}" state: directory - -- name: prepare directories for installer images - with_subelements: - - "{{ vm_host.installer.distros }}" - - arch - file: - name: "{{ vm_host.installer.path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}" - state: directory - -- name: download installer kernel images - with_subelements: - - "{{ vm_host.installer.distros }}" - - arch - get_url: - url: "{{ vm_host_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/images/netboot/{{ item.0.distro }}-installer/{{ item.1 }}/linux" - dest: "{{ vm_host.installer.path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/linux" - mode: 0644 - force: "{{ vm_host_force_download_installer }}" - -- name: download installer initrd.gz - with_subelements: - - "{{ vm_host.installer.distros }}" - - arch - get_url: - url: "{{ vm_host_installer_url[item.0.distro] }}/dists/{{ item.0.codename }}/main/installer-{{ item.1 }}/current/images/netboot/{{ item.0.distro 
}}-installer/{{ item.1 }}/initrd.gz" - dest: "{{ vm_host.installer.path }}/{{ item.0.distro }}-{{ item.0.codename }}/{{ item.1 }}/initrd.gz" - mode: 0644 - force: "{{ vm_host_force_download_installer }}" diff --git a/roles/vm/install/meta/main.yml b/roles/vm/install/meta/main.yml new file mode 100644 index 00000000..d5f95204 --- /dev/null +++ b/roles/vm/install/meta/main.yml @@ -0,0 +1,7 @@ +--- +dependencies: + - role: debian-installer + distros: + - distro: "{{ install_distro }}" + codename: "{{ install_codename }}" + arch: [ "{{ hostvars[hostname].install_cooked.arch | default('amd64') }}" ] diff --git a/roles/vm/install/tasks/main.yml b/roles/vm/install/tasks/main.yml index c4220434..973f44d1 100644 --- a/roles/vm/install/tasks/main.yml +++ b/roles/vm/install/tasks/main.yml @@ -1,11 +1,6 @@ --- -- name: generate preseed file - template: - src: "preseed_{{ vmdistro }}-{{ vmdistcodename }}.cfg.j2" - dest: "{{ vm_host.installer.preseed_path }}/vm-{{ vmname }}-{{ vmdistro }}-{{ vmdistcodename }}.cfg" - - name: create disks for vm - with_dict: "{{ hostvars[vmname].vm_install_cooked.disks.virtio | default({}) | combine(hostvars[vmname].vm_install_cooked.disks.scsi | default({})) }}" + with_dict: "{{ hostvars[hostname].install_cooked.disks.virtio | default({}) | combine(hostvars[hostname].install_cooked.disks.scsi | default({})) }}" lvol: vg: "{{ item.value.vg }}" lv: "{{ item.value.lv }}" 
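Review bot: In roles/vm/host/tasks/main.yml the package list spells the comment as `- # configuration package, pulls in libvirt-clients and libvirt-daemon` with `libvirt-daemon-system` on the following line; YAML parses that as one item, but it reads like an empty entry and is easy to break the next time the list is edited, so put the comment on its own line above `- libvirt-daemon-system`. The `DAEMON_ARGS="-w 3072"` line has no explanation of the write-wakeup threshold; a one-line note such as `# keep the host pool topped up, the guest domains attach a virtio-rng backed by /dev/random` would help whoever tunes it later.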
@@ -13,84 +8,107 @@ - name: check if vm already exists virt: - name: "{{ vmname }}" + name: "{{ hostname }}" command: info register: vmhost_info -- name: destroy exisiting vm - virt: - name: "{{ vmname }}" - state: destroyed - when: vmname in vmhost_info - -- name: wait for vm to be destroyed - wait_for_virt: - name: "{{ vmname }}" - states: shutdown,crashed - timeout: 5 - when: vmname in vmhost_info - -- name: undefining exisiting vm - virt: - name: "{{ vmname }}" - command: undefine - when: vmname in vmhost_info - -- name: enable installer in VM config - set_fact: - run_installer: True - -- name: define new installer vm - virt: - name: "{{ vmname }}" - command: define - xml: "{{ lookup('template', 'libvirt-domain.xml.j2') }}" - -- name: start vm - virt: - name: "{{ vmname }}" - state: running - -- name: wait for installer to start - wait_for_virt: - name: "{{ vmname }}" - states: running - timeout: 10 - -- debug: - msg: "you can check on the status of the installer running this command 'virsh console {{ vmname }}' on host {{ inventory_hostname }}." 
- -- name: wait for installer to finish or crash - wait_for_virt: - name: "{{ vmname }}" - states: shutdown,crashed - timeout: 1200 - register: installer_result - failed_when: installer_result.failed or installer_result.state == "crashed" - -- name: undefining installer vm - virt: - name: "{{ vmname }}" - command: undefine - -- name: disable installer in VM config - set_fact: - run_installer: False +- block: + - name: destroy exisiting vm + virt: + name: "{{ hostname }}" + state: destroyed + + - name: wait for vm to be destroyed + wait_for_virt: + name: "{{ hostname }}" + states: shutdown,crashed + timeout: 5 + + - name: undefining exisiting vm + virt: + name: "{{ hostname }}" + command: undefine + + when: hostname in vmhost_info + +- block: + - name: create a temporary workdir + command: mktemp -d + register: tmpdir + + - import_role: + name: preseed + vars: + ssh_keys_root: "{{ hostvars[hostname].ssh_keys_root }}" + install_interface: enp1s1 + preseed_tmpdir: "{{ tmpdir.stdout }}" + + - name: Make preseed workdir readable by qemu + acl: + path: "{{ tmpdir.stdout }}" + state: present + entity: libvirt-qemu + etype: user + permissions: rx + + - name: define new installer vm + virt: + name: "{{ hostname }}" + command: define + xml: "{{ lookup('template', 'libvirt-domain.xml.j2') }}" + vars: + run_installer: yes + preseed_tmpdir: "{{ tmpdir.stdout }}" + + - name: start vm + virt: + name: "{{ hostname }}" + state: running + + - name: wait for installer to start + wait_for_virt: + name: "{{ hostname }}" + states: running + timeout: 10 + + - debug: + msg: "you can check on the status of the installer running this command 'virsh console {{ hostname }}' on host {{ inventory_hostname }}." 
+ + - name: wait for installer to finish or crash + wait_for_virt: + name: "{{ hostname }}" + states: shutdown,crashed + timeout: 900 + register: installer_result + failed_when: installer_result.failed or installer_result.state == "crashed" + + - name: undefining installer vm + virt: + name: "{{ hostname }}" + command: undefine + + always: + - name: cleanup temporary workdir + file: + path: "{{ tmpdir.stdout }}" + state: absent - name: define new production vm virt: - name: "{{ vmname }}" + name: "{{ hostname }}" command: define xml: "{{ lookup('template', 'libvirt-domain.xml.j2') }}" + vars: + run_installer: no - name: start vm virt: - name: "{{ vmname }}" + name: "{{ hostname }}" state: running - name: mark vm as autostarted virt: - name: "{{ vmname }}" - autostart: "{{ hostvars[vmname].vm_install_cooked.autostart }}" + name: "{{ hostname }}" + autostart: "{{ hostvars[hostname].install_cooked.autostart }}" command: info ## virt module needs either command or state - when: hostvars[vmname].vm_install_cooked.autostart is defined + when: hostvars[hostname].install_cooked.autostart is defined diff --git a/roles/vm/install/templates/libvirt-domain.xml.j2 b/roles/vm/install/templates/libvirt-domain.xml.j2 index 2bf4b57b..f3bdeae1 100644 --- a/roles/vm/install/templates/libvirt-domain.xml.j2 +++ b/roles/vm/install/templates/libvirt-domain.xml.j2 
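Review bot: The `acl` task in roles/vm/install/tasks/main.yml grants `libvirt-qemu` `rx` on the mktemp directory, which is the minimal grant for a 0700 directory, but qemu presumably also has to read the initrd inside it and nothing here sets that file's mode; the preseed role is invoked with `ssh_keys_root`, so the file likely embeds credentials and its permissions should be pinned (owner-only plus an ACL for `libvirt-qemu`) rather than left to the umask. If "wait for installer to finish or crash" fails, `always` removes the workdir while the installer domain, whose definition still points at `{{ preseed_tmpdir }}/initrd.preseed.gz`, stays defined because "undefining installer vm" is skipped; if that is meant as a debugging aid, say so in a comment, otherwise move the undefine into `always` guarded by the domain's existence. The import also hard-codes `install_interface: enp1s1` while the domain template derives the guest NICs from `install_cooked.interfaces`; a comment on why the first interface is assumed to be enp1s1 would help.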
@@ -1,14 +1,14 @@ <domain type='kvm'> - <name>{{ vmname }}</name> - <memory>{{ hostvars[vmname].vm_install_cooked.mem * 1024 }}</memory> - <currentMemory>{{ hostvars[vmname].vm_install_cooked.mem * 1024 }}</currentMemory> - <vcpu>{{ hostvars[vmname].vm_install_cooked.numcpu }}</vcpu> + <name>{{ hostname }}</name> + <memory>{{ hostvars[hostname].install_cooked.mem * 1024 }}</memory> + <currentMemory>{{ hostvars[hostname].install_cooked.mem * 1024 }}</currentMemory> + <vcpu>{{ hostvars[hostname].install_cooked.numcpu }}</vcpu> <os> <type arch='x86_64' machine='pc-0.12'>hvm</type> {% if run_installer %} - <kernel>{{ vm_host.installer.path }}/{{ vmdistro }}-{{ vmdistcodename }}/{{ hostvars[vmname].vm_install_cooked.arch | default('amd64') }}/linux</kernel> - <initrd>{{ vm_host.installer.path }}/{{ vmdistro }}-{{ vmdistcodename }}/{{ hostvars[vmname].vm_install_cooked.arch | default('amd64') }}/initrd.gz</initrd> - <cmdline>console=ttyS0,115200n8 auto=true interface=auto url=tftp://{{ hostvars[inventory_hostname]['ansible_' + (vm_host.installer.net_if | replace('-', '_'))].ipv4.address }}/vm-{{ vmname }}-{{ vmdistro }}-{{ vmdistcodename }}.cfg netcfg/choose_interface=enp1s1 netcfg/disable_autoconfig=true netcfg/get_ipaddress={{ hostvars[vmname].vm_network_cooked.primary.ip }} netcfg/get_netmask={{ hostvars[vmname].vm_network_cooked.primary.mask }} netcfg/get_gateway={{ hostvars[vmname].vm_network_cooked.primary.gateway }} netcfg/get_nameservers="{{ hostvars[vmname].vm_network_cooked.nameservers | join(' ') }}" netcfg/confirm_static=true netcfg/get_hostname={{ vmname }} netcfg/get_domain={{ hostvars[vmname].vm_network_cooked.domain }}</cmdline> + <kernel>{{ debian_installer_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[hostname].install_cooked.arch | default('amd64') }}/linux</kernel> + <initrd>{{ preseed_tmpdir }}/initrd.preseed.gz</initrd> + <cmdline>console=ttyS0,115200n8</cmdline> {% endif %} <boot dev='hd'/> </os> 
@@ -28,9 +28,15 @@ {% endif %} <devices> <emulator>/usr/bin/kvm</emulator> + <!-- Provide a virtualized RNG to the guest --> + <rng model='virtio'> + <!-- Allow consuming up to 10kb/s, measured over 2s --> + <rate period="2000" bytes="20480"/> + <backend model='random'>/dev/random</backend> + </rng> -{% if 'virtio' in hostvars[vmname].vm_install_cooked.disks %} -{% for device, lv in hostvars[vmname].vm_install_cooked.disks.virtio.items() %} +{% if 'virtio' in hostvars[hostname].install_cooked.disks %} +{% for device, lv in hostvars[hostname].install_cooked.disks.virtio.items() %} <disk type='block' device='disk'> <driver name='qemu' type='raw' cache='none' discard='unmap'/> <source dev='/dev/mapper/{{ lv.vg | replace('-', '--') }}-{{ lv.lv | replace('-', '--') }}'/> @@ -39,9 +45,9 @@ {% endfor %} {% endif %} -{% if 'scsi' in hostvars[vmname].vm_install_cooked.disks %} +{% if 'scsi' in hostvars[hostname].install_cooked.disks %} <controller type='scsi' index='0' model='virtio-scsi'/> -{% for device, lv in hostvars[vmname].vm_install_cooked.disks.scsi.items() %} +{% for device, lv in hostvars[hostname].install_cooked.disks.scsi.items() %} <disk type='block' device='disk'> <driver name='qemu' type='raw' cache='none' discard='unmap'/> <source dev='/dev/mapper/{{ lv.vg | replace('-', '--') }}-{{ lv.lv | replace('-', '--') }}'/> @@ -50,8 +56,8 @@ {% endfor %} {% endif %} -{% if hostvars[vmname].vm_install_cooked.interfaces %} -{% for if in hostvars[vmname].vm_install_cooked.interfaces %} +{% if hostvars[hostname].install_cooked.interfaces %} +{% for if in hostvars[hostname].install_cooked.interfaces %} <interface type='bridge'> <source bridge='{{ if.bridge }}'/> <model type='virtio'/> diff --git a/roles/vm/network/tasks/main.yml b/roles/vm/network/tasks/main.yml index 3d51fff2..9bef36ed 100644 --- a/roles/vm/network/tasks/main.yml +++ b/roles/vm/network/tasks/main.yml 
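Review bot: The comment `<!-- Allow consuming up to 10kb/s, measured over 2s -->` is ambiguous about units; `bytes="20480"` per `period="2000"` ms is 10 KiB/s, and the comment should also say what the cap is for, e.g. `<!-- Cap guest reads at 10 KiB/s (20480 bytes per 2000 ms) so one guest cannot drain the host's /dev/random -->`. With `<backend model='random'>/dev/random</backend>` every guest draws from the same host pool that the new haveged configuration in roles/vm/host keeps topped up; a short note on that coupling next to the `<rng>` element would keep the two changes from drifting apart.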
@@ -9,7 +9,7 @@ state: absent - name: install systemd network link units - with_items: "{{ vm_network.systemd_link.interfaces }}" + with_items: "{{ network.systemd_link.interfaces }}" loop_control: index_var: interface_index template: @@ -17,13 +17,28 @@ dest: "/etc/systemd/network/{{ '%02d' | format(interface_index + 11) }}-{{ item.name }}.link" notify: rebuild initramfs - when: vm_network.systemd_link is defined + when: network.systemd_link is defined - name: install basic interface config template: src: interfaces.j2 dest: /etc/network/interfaces mode: 0644 + when: ansible_distribution == "Debian" or (ansible_distribution == "Ubuntu" and (ansible_distribution_major_version | int) < 18) + +- block: + - name: remove default netplan config + file: + path: /etc/netplan/01-netcfg.yaml + state: absent + + - name: install basic netplan config + template: + src: netplan.yaml.j2 + dest: "/etc/netplan/01-{{ network.primary.interface }}.yaml" + mode: 0644 + + when: ansible_distribution == "Ubuntu" and (ansible_distribution_major_version | int) >= 18 - name: remove resolvconf package apt: diff --git a/roles/vm/network/templates/interfaces.j2 b/roles/vm/network/templates/interfaces.j2 index 542e18d6..829a3e7d 100644 --- a/roles/vm/network/templates/interfaces.j2 +++ b/roles/vm/network/templates/interfaces.j2 @@ -8,10 +8,10 @@ auto lo iface lo inet loopback # The primary network interface -auto {{ vm_network.primary.interface }} -iface {{ vm_network.primary.interface }} inet static - address {{ vm_network.primary.ip }} - netmask {{ vm_network.primary.mask }} - gateway {{ vm_network.primary.gateway }} +auto {{ network.primary.interface }} +iface {{ network.primary.interface }} inet static + address {{ network.primary.ip }} + netmask {{ network.primary.mask }} + gateway {{ network.primary.gateway }} pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf 
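Review bot: In the netplan block of roles/vm/network/tasks/main.yml only `/etc/netplan/01-netcfg.yaml` is removed before `01-{{ network.primary.interface }}.yaml` is written; Ubuntu images that ship other generator files would likely keep them and merge their DHCP settings with the static ones, so either remove everything in `/etc/netplan/` except the managed file or document which base image this assumes. Neither the template nor the block notifies a handler, so the static configuration is only picked up at the next `netplan apply` or reboot; if that is intentional for the install flow, a comment saying so would help. The distribution check is spelled out twice with opposite comparisons; a single `set_fact` (for example `use_netplan: ...`) consumed by both `when` clauses would keep the split from drifting.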
diff --git a/roles/vm/network/templates/netplan.yaml.j2 b/roles/vm/network/templates/netplan.yaml.j2 new file mode 100644 index 00000000..0d78ab46 --- /dev/null +++ b/roles/vm/network/templates/netplan.yaml.j2 @@ -0,0 +1,10 @@ +# This file describes the network interfaces available on your system +# For more information, see netplan(5). +network: + version: 2 + renderer: networkd + ethernets: + {{ network.primary.interface }}: + addresses: [ {{ (network.primary.ip + '/' + network.primary.mask) | ipaddr('address/prefix') }} ] + gateway4: {{ network.primary.gateway }} + accept-ra: false diff --git a/roles/vm/network/templates/resolv.conf.j2 b/roles/vm/network/templates/resolv.conf.j2 index 86d4201e..a32ec181 100644 --- a/roles/vm/network/templates/resolv.conf.j2 +++ b/roles/vm/network/templates/resolv.conf.j2 @@ -1,4 +1,4 @@ -{% for nsrv in vm_network.nameservers %} +{% for nsrv in network.nameservers %} nameserver {{ nsrv }} {% endfor %} -search {{ vm_network.domain }} +search {{ network.domain }} diff --git a/run-host-playbook.sh b/run-host-playbook.sh new file mode 100755 index 00000000..e3b54f22 --- /dev/null +++ b/run-host-playbook.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +if [ -z "$1" ]; then + echo "$0 <host>" + exit 1 +fi +host="$1" +shift + +cd "${BASH_SOURCE%/*}" +source common/utils.sh +ansible_variable__get env_group "$host" || exit 1 +vault_environment__set "$env_group" || exit 1 + +echo "######## running host playbook for host '$host' in environment '$env_group' ########" +exec ansible-playbook $@ "$env_group/$host.yml" diff --git a/playbooks/emc-acme.yml b/spreadspace/acme-emc.yml index 41fff42b..41fff42b 100644 --- a/playbooks/emc-acme.yml +++ b/spreadspace/acme-emc.yml diff --git a/host_playbooks/calypso.yml b/spreadspace/calypso.yml index cd6a9ac0..cd6a9ac0 100644 --- a/host_playbooks/calypso.yml +++ b/spreadspace/calypso.yml diff --git a/host_playbooks/dione.yml b/spreadspace/dione.yml index 70b6a077..70b6a077 100644 --- a/host_playbooks/dione.yml 
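Review bot: `exec ansible-playbook $@ "$env_group/$host.yml"` in run-host-playbook.sh leaves `$@` unquoted, so any pass-through argument containing whitespace (for example `-e "a=b c"`) is split before it reaches ansible-playbook; use `"$@"`. `cd "${BASH_SOURCE%/*}"` is unchecked, so a failed cd would `source common/utils.sh` relative to the caller's directory; write `cd "${BASH_SOURCE%/*}" || exit 1`, and send the usage line to stderr with `echo "$0 <host>" >&2`. The same unquoted `$@` and unchecked `cd` appear in the hunk starting `@@ -4,9 +4,13 @@` (its file header is outside this view) and in vm-install.sh.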
+++ b/spreadspace/dione.yml diff --git a/host_playbooks/emc-master.yml b/spreadspace/emc-master.yml index 9709409e..b12e8004 100644 --- a/host_playbooks/emc-master.yml +++ b/spreadspace/emc-master.yml @@ -4,6 +4,4 @@ roles: - role: base - role: sshserver - - role: vm/grub -# - role: vm/network - role: zsh diff --git a/host_playbooks/emc-stats.yml b/spreadspace/emc-stats.yml index d11b5b15..767b58aa 100644 --- a/host_playbooks/emc-stats.yml +++ b/spreadspace/emc-stats.yml @@ -4,7 +4,5 @@ roles: - role: base - role: sshserver - - role: vm/grub -# - role: vm/network - role: zsh - role: emc-stats diff --git a/host_playbooks/emc-test.yml b/spreadspace/emc-test.yml index e3c6c997..a8805fc7 100644 --- a/host_playbooks/emc-test.yml +++ b/spreadspace/emc-test.yml @@ -2,9 +2,6 @@ - name: Basic Setup hosts: emc-test roles: - - role: scaleway-slim - role: base - role: sshserver - role: zsh - - role: admin-user - - role: wireguard diff --git a/host_playbooks/emc-xx.yml b/spreadspace/emc-xx.yml index e2005178..e2005178 100644 --- a/host_playbooks/emc-xx.yml +++ b/spreadspace/emc-xx.yml diff --git a/spreadspace/generic.yaml b/spreadspace/generic.yaml new file mode 100644 index 00000000..d3b8de82 --- /dev/null +++ b/spreadspace/generic.yaml @@ -0,0 +1,5 @@ +--- +- name: "Apply role {{ myrole }} to hosts: {{ myhosts }}" + hosts: "{{ myhosts }}" + roles: + - role: "{{ myrole }}" diff --git a/spreadspace/group_vars/spreadspace.yml b/spreadspace/group_vars/spreadspace.yml new file mode 100644 index 00000000..c34fdc8d --- /dev/null +++ b/spreadspace/group_vars/spreadspace.yml 
@@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.2;AES256;spreadspace +31313137643137373839333838343730353634616138643463333262373737356639396539643233 +3839663334323736343239373961353164646565653562390a383831383638383434623863333337 +34366232356438386563643165303735663737373566363038653061323765303466376135303565 +6331623630653931660a626235376639376231633735656333333764643064393834363134663936 +63393563323334373231643237353362653839326235336538363730356364643566303566316665 +64396539333132353131326664323866313161386232393536643733386231643737363962666531 +65336366336435633933666436616261303265326232386639333562323032393832633037636266 +36356262346132663165653530363239316438653637326330636537356234646535376365396538 +6231 diff --git a/host_playbooks/helene.yml b/spreadspace/helene.yml index d3619d9d..d3619d9d 100644 --- a/host_playbooks/helene.yml +++ b/spreadspace/helene.yml diff --git a/playbooks/k8s-emc.yml b/spreadspace/k8s-emc.yml index b6f09808..b6f09808 100644 --- a/playbooks/k8s-emc.yml +++ b/spreadspace/k8s-emc.yml diff --git a/host_playbooks/telesto.yml b/spreadspace/telesto.yml index 11b45596..11b45596 100644 --- a/host_playbooks/telesto.yml +++ b/spreadspace/telesto.yml diff --git a/host_playbooks/thetys.yml b/spreadspace/thetys.yml index fffeb769..fffeb769 100644 --- a/host_playbooks/thetys.yml +++ b/spreadspace/thetys.yml diff --git a/spreadspace/vm-install.yml b/spreadspace/vm-install.yml new file mode 100644 index 00000000..b5d8bf2e --- /dev/null +++ b/spreadspace/vm-install.yml @@ -0,0 +1,2 @@ +--- +- import_playbook: ../common/vm-install.yml 
@@ -4,9 +4,13 @@ if [ -z "$1" ]; then
   echo "$0 <host(s)>"
   exit 1
 fi
-
-host="$1"
+hosts="$1"
 shift
 
-echo "######## upgrading host(s) '$host' ########"
-exec ansible-playbook -e "myname=$host" -e "myrole=upgrade" $@ generic.yaml
+cd "${BASH_SOURCE%/*}"
+source common/utils.sh
+ansible_variable__get env_group "$hosts" || exit 1
+vault_environment__set "$env_group" || exit 1
+
+echo "######## upgrading host(s) '$hosts' in environment '$env_group' ########"
+exec ansible-playbook -e "myhosts=$hosts" -e "myrole=upgrade" $@ "$env_group/generic.yaml"
diff --git a/vm-install.sh b/vm-install.sh
index 0cc0be48..e8893efa 100755
--- a/vm-install.sh
+++ b/vm-install.sh
@@ -1,10 +1,9 @@
 #!/bin/bash
 
 if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
-  echo "$0 <vm> <distro> <codename>"
+  echo "$0 <hostname> <distro> <codename>"
   exit 1
 fi
-
 name=$1
 shift
 distro=$1
@@ -12,7 +11,12 @@ shift
 codename=$1
 shift
 
-echo "installing vm: $name with $distro/$codename"
+cd "${BASH_SOURCE%/*}"
+source common/utils.sh
+ansible_variable__get env_group "$name" || exit 1
+vault_environment__set "$env_group" || exit 1
+
+echo "installing vm: $name with $distro/$codename in environment '$env_group'"
 echo ""
 echo "########## clearing old ssh host keys #########"
 
@@ -20,4 +24,4 @@ echo "########## clearing old ssh host keys #########"
 
 echo ""
 echo "######## running the install playbook ########"
-exec ansible-playbook -e "vmname=$name" -e "vmdistro=$distro" -e "vmdistcodename=$codename" $@ vm-install.yml
+exec ansible-playbook -e "hostname=$name" -e "install_distro=$distro" -e "install_codename=$codename" -e "hostenv=$env_group" $@ "$env_group/vm-install.yml" |
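Review bot: `-e "hostname=$name"` in the last vm-install.sh hunk passes the operator's first argument through Ansible's key=value extra-vars parser, which splits on whitespace, so a value like `foo install_distro=bar` would silently set additional variables rather than fail; validate the name once after the argument check, e.g. `[[ "$name" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid hostname: $name" >&2; exit 1; }`. `ansible_variable__get env_group "$name"` may already reject unknown hosts before this line is reached; if so, a comment naming it as the validation step would make that contract explicit.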