Diffstat (limited to 'chaos-at-home')
-rw-r--r-- | chaos-at-home/ch-prometheus.yml | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/chaos-at-home/ch-prometheus.yml b/chaos-at-home/ch-prometheus.yml
index a736a331..c632a905 100644
--- a/chaos-at-home/ch-prometheus.yml
+++ b/chaos-at-home/ch-prometheus.yml
@@ -7,6 +7,10 @@
 - role: core/sshd/base
 - role: core/zsh
 - role: core/cpu-microcode
+
+- name: Payload Setup
+ hosts: ch-prometheus
+ roles:
 - role: apt-repo/spreadspace
 - role: nginx/base
 - role: monitoring/prometheus/exporter
@@ -61,3 +65,56 @@
 {% endif %}
 {% endfor %}
 exec dstat -cnd -N {{ network.primary.name }} -D "{{ disk_variables | join(',') }}" --disk-util --top-io --top-bio
+
+ - name: install systemd service to sync homes from prometheus-legcay
+ copy:
+ content: |
+ [Unit]
+ Description=sync homes from legacy server
+
+ [Service]
+ Type=oneshot
+ ExecStart=rsync -v -a --delete -e 'ssh -i /root/.ssh/id_promtheus-legacy_rsa -o PubkeyAcceptedKeyTypes=ssh-rsa -o MACs=hmac-sha1 -o HostKeyAlgorithms=ssh-rsa' --exclude /sendfile-spool --exclude /.zfs/ root@192.168.28.250:/home/ /srv/storage/home/
+ TimeoutStartSec=50m
+
+ # systemd hardening-options
+ AmbientCapabilities=CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
+ CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
+ LockPersonality=true
+ MemoryDenyWriteExecute=true
+ NoNewPrivileges=true
+ PrivateTmp=true
+ ProtectControlGroups=true
+ ProtectKernelModules=true
+ ProtectKernelTunables=true
+ ProtectSystem=strict
+ ReadWritePaths=/srv/storage/home
+ RemoveIPC=true
+ RestrictNamespaces=true
+ RestrictRealtime=true
+ RestrictAddressFamilies=AF_UNIX AF_INET
+ SystemCallArchitectures=native
+
+ [Install]
+ WantedBy=multi-user.target
+ dest: /etc/systemd/system/sync-homes-from-legacy.service
+
+ - name: install systemd timer to sync homes from prometheus-legcay
+ copy:
+ content: |
+ [Unit]
+ Description=sync homes from legacy server
+
+ [Timer]
+ OnCalendar=hourly
+
+ [Install]
+ WantedBy=timers.target
+ dest: /etc/systemd/system/sync-homes-from-legacy.timer
+
+ - name: make sure systemd timer to sync homes from prometheus-legcay is started and enabled
+ systemd:
+ daemon_reload: yes
+ name: sync-homes-from-legacy.timer
+ state: started
+ enabled: yes |
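Review bot: The ssh options on the ExecStart line pin SHA-1-based algorithms (`MACs=hmac-sha1`, `HostKeyAlgorithms=ssh-rsa`, `PubkeyAcceptedKeyTypes=ssh-rsa`) with nothing recording why, so a comment in the unit directly above that line such as `# legacy-server compatibility only: SHA-1 MAC/signature algorithms, scoped to this single host` would keep the choice from being copied to other units. The unit also relies on state this hunk does not create — the key at /root/.ssh/id_promtheus-legacy_rsa and a known_hosts entry for 192.168.28.250, without which the non-interactive ssh fails host-key verification (the right failure mode; do not work around it with StrictHostKeyChecking=no) — unless those are provisioned in a part of the play outside this hunk. Separately, `rsync --delete` into /srv/storage/home/ will mirror an empty or unmounted source directory by deleting the local copies, so a bound like `--max-delete=<N>` on that line would cap the blast radius of a bad run. Minor: the three task names spell "legcay", and `daemon_reload: yes` / `enabled: yes` would be `daemon_reload: true` / `enabled: true` under yamllint's truthy rule. The enclosing task list starts outside the hunk.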