From 2ab82fa5b20753291201afc64be76b0f919d8b1e Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Tue, 5 Jul 2022 16:40:58 +0200 Subject: prepare install config and playbooks for ele-(helene,dione,telesto) --- dan/ele-dione.yml | 20 ++++ dan/ele-helene.yml | 135 ++++++++++++++--------- dan/ele-telesto.yml | 115 +++++-------------- inventory/group_vars/elevate-festival/vars.yml | 13 ++- inventory/group_vars/k8s-emc/vars.yml | 6 +- inventory/group_vars/vmhost-ele-helene/vars.yml | 20 ++++ inventory/group_vars/vmhost-ele-telesto/vars.yml | 31 ------ inventory/host_vars/ele-dione.yml | 18 +-- inventory/host_vars/ele-helene.yml | 49 ++------ inventory/host_vars/ele-telesto.yml | 79 ++++++------- inventory/hosts.ini | 22 ++-- 11 files changed, 235 insertions(+), 273 deletions(-) create mode 100644 inventory/group_vars/vmhost-ele-helene/vars.yml delete mode 100644 inventory/group_vars/vmhost-ele-telesto/vars.yml diff --git a/dan/ele-dione.yml b/dan/ele-dione.yml index 45ad8b81..ca1516b5 100644 --- a/dan/ele-dione.yml +++ b/dan/ele-dione.yml @@ -13,6 +13,26 @@ - role: monitoring/prometheus/exporter - role: streaming/blackmagic/desktopvideo post_tasks: + ## this is needed for local rtmp proxy + # - name: install interface config for guest vlan + # copy: + # content: | + # auto {{ ansible_default_ipv4.interface }}.{{ network_zones.guest.vlan }} + # iface {{ ansible_default_ipv4.interface }}.{{ network_zones.guest.vlan }} inet static + # address {{ network_zones.guest.prefix | ipaddr(network_zones.guest.offsets[inventory_hostname]) | ipaddr('address/prefix') }} + # dest: "/etc/network/interfaces.d/{{ ansible_default_ipv4.interface }}.{{ network_zones.guest.vlan }}" + + # - name: prepare storage volume for recordings + # vars: + # storage_volume: + # vg: "{{ host_name }}" + # lv: recordings + # size: 200g + # fs: ext4 + # dest: /srv/recordings + # import_role: + # name: storage/lvm/volume + - name: install lm-sensors and i7z apt: name: 
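Review bot: The guest-vlan interface task and the recordings volume task arrive as commented-out YAML with no statement of why they are disabled on ele-dione or when they are meant to return, and the kept `## this is needed for local rtmp proxy` line now describes a task that does not run. The same pattern appears in the ele-helene.yml hunk (the sachet tasks) and the ele-telesto.yml hunk (the lm-sensors tasks) of this commit. A one-line comment above each block, e.g. `## TODO(<who>): disabled while <reason>; re-enable once <condition>`, would tell the next reader whether this is pending work or dead code; if it is dead, git history already holds it and the block can go. The play these post_tasks belong to starts before the hunk.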
diff --git a/dan/ele-helene.yml b/dan/ele-helene.yml index b65a3d34..b2635fc0 100644 --- a/dan/ele-helene.yml +++ b/dan/ele-helene.yml 
@@ -7,55 +7,88 @@ - role: core/sshd/base - role: core/zsh - role: core/cpu-microcode - - role: core/ntp - - role: core/admin-users - role: apt-repo/spreadspace - - role: monitoring/prometheus/exporter - - role: streaming/blackmagic/desktopvideo - post_tasks: - ## this is needed for local rtmp proxy - - name: install interface config for guest vlan - copy: - content: | - auto {{ ansible_default_ipv4.interface }}.{{ network_zones.guest.vlan }} - iface {{ ansible_default_ipv4.interface }}.{{ network_zones.guest.vlan }} inet static - address {{ network_zones.guest.prefix | ipaddr(network_zones.guest.offsets[inventory_hostname]) | ipaddr('address/prefix') }} - dest: "/etc/network/interfaces.d/{{ ansible_default_ipv4.interface }}.{{ network_zones.guest.vlan }}" - - - name: prepare storage volume for recordings - vars: - storage_volume: - vg: "{{ host_name }}" - lv: recordings - size: 200g - fs: ext4 - dest: /srv/recordings - import_role: - name: storage/lvm/volume - - - name: install lm-sensors and i7z - apt: - name: - - lm-sensors - - i7z - - - name: load modules for lm-sensors - vars: - sensors_modules: - - coretemp - block: - - name: load special modules for lm-sensors - loop: "{{ sensors_modules }}" - modprobe: - name: "{{ item }}" - state: present - - - name: make sure sensor modules are loaded on reboot - copy: - content: | - # Ansible managed - - {% for module in sensors_modules %} - {{ module }} - {% endfor %} - dest: /etc/modules-load.d/sensors.conf +# - role: monitoring/prometheus/exporter + - role: vm/host/base + - role: vm/host/network + - role: installer/debian/base +# - role: installer/openbsd/base + # post_tasks: + # - name: install smstools + # apt: + # name: smstools + # state: present + + # - name: add user for sachet + # user: + # name: sachet + # system: yes + # home: /nonexistent + # create_home: no + # groups: smsd + # append: yes + + # - name: create sachet config directory + # file: + # path: /etc/sachet + # state: directory + + # - name: install 
sachet config file + # copy: + # dest: /etc/sachet/config.yml + # content: | + # providers: + # smstools: + # outgoing_dir: /var/spool/sms/outgoing + + # receivers: + # - name: equinox + # provider: smstools + # to: + # - '+436644800222' + + # - name: install systemd service unit for sachet + # copy: + # dest: /etc/systemd/system/sachet.service + # content: | + # [Unit] + # Description=Sachet SMS Daemon for Prometheus Alertmanager + + # [Service] + # Restart=on-failure + # User=sachet + # ExecStart=/usr/local/bin/sachet -config /etc/sachet/config.yml + + # # systemd hardening-options + # AmbientCapabilities= + # CapabilityBoundingSet= + # DeviceAllow=/dev/null rw + # DevicePolicy=strict + # LimitMEMLOCK=0 + # LimitNOFILE=8192 + # LockPersonality=true + # MemoryDenyWriteExecute=true + # NoNewPrivileges=true + # PrivateDevices=true + # PrivateTmp=true + # PrivateUsers=true + # ProtectControlGroups=true + # ProtectHome=true + # ProtectKernelModules=true + # ProtectKernelTunables=true + # ProtectSystem=full + # ReadWritePaths=/var/spool/sms/outgoing + # RemoveIPC=true + # RestrictNamespaces=true + # RestrictRealtime=true + # SystemCallArchitectures=native + + # [Install] + # WantedBy=multi-user.target + + # ## TODO: + # ## - configure smstools + # ## - build sachet using this branch: https://github.com/spreadspace/sachet/tree/topic/add-smstools + # ## - copy binary to /usr/local/bin/sachet + # ## - $ systemctl daemon-reload + # ## - $ systemctl enable --now sachet diff --git a/dan/ele-telesto.yml b/dan/ele-telesto.yml index 41ae9151..2370fdc2 100644 --- a/dan/ele-telesto.yml +++ b/dan/ele-telesto.yml 
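Review bot: `# - role: monitoring/prometheus/exporter` switches the node exporter off on ele-helene, yet the hosts.ini hunk in this commit leaves ele-helene as the only uncommented host in `[promzone-elevate-festival]` and host_vars/ele-helene.yml still requests the `prometheus` apt component, so if the promzone groups drive the scrape targets (as the names suggest), ele-mon — now a guest on this very host — would presumably scrape a target with nothing listening. Either the role should stay enabled here or ele-helene should be commented out of the promzone group alongside the other two until the exporter is back. The sachet post_tasks are carried over as a roughly 80-line commented block whose identical text was just deleted from ele-telesto.yml; a short `## TODO: sachet/smstools moved here from ele-telesto, re-enable once <condition>` note is enough and git history keeps the body. The play header is outside the hunk.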
@@ -7,90 +7,35 @@ - role: core/sshd/base - role: core/zsh - role: core/cpu-microcode - - role: storage/zfs/pools + - role: core/ntp + - role: core/admin-users - role: apt-repo/spreadspace - - role: storage/zfs/sanoid - role: monitoring/prometheus/exporter - - role: vm/host/base - - role: vm/host/network - - role: installer/debian/base - - role: installer/openbsd/base - post_tasks: - - name: install smstools - apt: - name: smstools - state: present - - - name: add user for sachet - user: - name: sachet - system: yes - home: /nonexistent - create_home: no - groups: smsd - append: yes - - - name: create sachet config directory - file: - path: /etc/sachet - state: directory - - - name: install sachet config file - copy: - dest: /etc/sachet/config.yml - content: | - providers: - smstools: - outgoing_dir: /var/spool/sms/outgoing - - receivers: - - name: equinox - provider: smstools - to: - - '+436644800222' - - - name: install systemd service unit for sachet - copy: - dest: /etc/systemd/system/sachet.service - content: | - [Unit] - Description=Sachet SMS Daemon for Prometheus Alertmanager - - [Service] - Restart=on-failure - User=sachet - ExecStart=/usr/local/bin/sachet -config /etc/sachet/config.yml - - # systemd hardening-options - AmbientCapabilities= - CapabilityBoundingSet= - DeviceAllow=/dev/null rw - DevicePolicy=strict - LimitMEMLOCK=0 - LimitNOFILE=8192 - LockPersonality=true - MemoryDenyWriteExecute=true - NoNewPrivileges=true - PrivateDevices=true - PrivateTmp=true - PrivateUsers=true - ProtectControlGroups=true - ProtectHome=true - ProtectKernelModules=true - ProtectKernelTunables=true - ProtectSystem=full - ReadWritePaths=/var/spool/sms/outgoing - RemoveIPC=true - RestrictNamespaces=true - RestrictRealtime=true - SystemCallArchitectures=native - - [Install] - WantedBy=multi-user.target - - ## TODO: - ## - configure smstools - ## - build sachet using this branch: https://github.com/spreadspace/sachet/tree/topic/add-smstools - ## - copy binary to 
/usr/local/bin/sachet - ## - $ systemctl daemon-reload - ## - $ systemctl enable --now sachet + - role: streaming/blackmagic/desktopvideo +# post_tasks: +# - name: install lm-sensors and i7z +# apt: +# name: +# - lm-sensors +# - i7z +# +# - name: load modules for lm-sensors +# vars: +# sensors_modules: +# - coretemp +# block: +# - name: load special modules for lm-sensors +# loop: "{{ sensors_modules }}" +# modprobe: +# name: "{{ item }}" +# state: present +# +# - name: make sure sensor modules are loaded on reboot +# copy: +# content: | +# # Ansible managed +# +# {% for module in sensors_modules %} +# {{ module }} +# {% endfor %} +# dest: /etc/modules-load.d/sensors.conf diff --git a/inventory/group_vars/elevate-festival/vars.yml b/inventory/group_vars/elevate-festival/vars.yml index 6329deb9..9391f80c 100644 --- a/inventory/group_vars/elevate-festival/vars.yml +++ b/inventory/group_vars/elevate-festival/vars.yml @@ -12,9 +12,10 @@ network_zones: limit: 199 offsets: ele-media: 200 - ele-telesto: 201 + ele-helene: 201 ele-thetys: 202 ele-calypso: 203 + ele-dione: 204 ele-tsdatacop: 210 ele-hpws-maxi: 211 ele-mon: 220 @@ -62,7 +63,7 @@ network_zones: ele-hpws-mini1: 241 ele-minidan: 242 equinox-t450s: 250 - ele-helene: 253 + ele-dione: 253 ele-router: 254 wifi: ssid: "elevate Public" @@ -229,7 +230,7 @@ network_zones: - 217.29.144.66 offsets: ## citycom uses offset 1,2 and 3 - ele-helene: 4 # 85.237.28.196 + ele-telesto: 4 # 85.237.28.196 ele-dione: 5 # 85.237.28.197 ele-laptop: 7 # 85.237.28.199 @@ -264,6 +265,7 @@ network_zones: offsets: ## citycom uses offset 1,2 and 3 ele-router-leslie: 5 #4 # x.x.x.x+4 + ele-thetys: 6 #5 # x.x.x.x+5 cc_hmtsaal: description: "citycom upstream @ Heimatsaal (Fiber)" @@ -277,6 +279,7 @@ network_zones: offsets: ## citycom uses offset 1,2 and 3 ele-router-hmtsaal: 4 # x.x.x.x+4 + ele-telesto: 5 # x.x.x.x+5 funkfeuer: description: "funkfeuer access, subnet will be announced by olsr using HNA" 
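Review bot: `ele-thetys: 6 #5 # x.x.x.x+5` in the hunk holding ele-router-leslie (@@ -264) assigns offset 6 while both comments say 5, copying the `ele-router-leslie: 5 #4 # x.x.x.x+4` convention above it, so a reader cannot tell whether `#5` is a previous value, a 0-based index, or the address citycom actually handed out. A comment on that `offsets:` key stating the rule, e.g. `## offset N here means x.x.x.x+<rule> — the trailing comment is <meaning>`, would resolve it for both lines. Separately, ele-telesto now holds offsets in three zones at once — 4 in the 85.237.28.x zone (@@ -229), 5 in cc_hmtsaal (@@ -277) and 1 in murat_transfer (@@ -295 on the next line) — while host_vars/ele-telesto.yml in this commit only configures cc_hmtsaal; marking the unused allocations as reserved or dropping them keeps the address plan trustworthy.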
@@ -295,8 +298,8 @@ network_zones: description: "transfer network for upstream via mur.at" prefix: 172.31.255.240/28 offsets: - ele-dione: 1 - ele-helene: 2 + ele-telesto: 1 + ele-dione: 2 equinox-t450s: 10 ele-mon: 11 ele-router: 13 diff --git a/inventory/group_vars/k8s-emc/vars.yml b/inventory/group_vars/k8s-emc/vars.yml index be1c4818..14b5cd84 100644 --- a/inventory/group_vars/k8s-emc/vars.yml +++ b/inventory/group_vars/k8s-emc/vars.yml @@ -35,16 +35,16 @@ kubeguard: emc-06: 6 emc-00: 100 emc-dist0: 110 - ele-dione: 111 - ele-helene: 112 + ele-telesto: 111 + ele-dione: 112 emc-ctrl: 127 direct_net_zones: encoder: transfer_net: 172.18.191.0/24 node_interface: + ele-telesto: eno2 ele-dione: eno2 - ele-helene: eno2 kubernetes_overlay_node_ip: "{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ipaddr(1) | ipaddr('address') }}" diff --git a/inventory/group_vars/vmhost-ele-helene/vars.yml b/inventory/group_vars/vmhost-ele-helene/vars.yml new file mode 100644 index 00000000..45f6ca62 --- /dev/null +++ b/inventory/group_vars/vmhost-ele-helene/vars.yml @@ -0,0 +1,20 @@ +--- +__vmhost_bridge_interface_zones__: + eno2: "{{ network_zones | dict2items | rejectattr('value.vlan', 'undefined') | map(attribute='key') | difference(['lan']) }}" + +__vmhost_bridge_interface_zones_yaml__: | + {% for interface in (__vmhost_bridge_interface_zones__.keys() | sort) %} + {% for zone in __vmhost_bridge_interface_zones__[interface] %} + {{ zone }}: + interfaces: + - {{ interface }}.{{ network_zones[zone].vlan }} + {% endfor %} + {% endfor %} + lan: + interfaces: + - eno1 + +vm_host: + name: ele-helene + network: + bridges: "{{ __vmhost_bridge_interface_zones_yaml__ | from_yaml }}" diff --git a/inventory/group_vars/vmhost-ele-telesto/vars.yml b/inventory/group_vars/vmhost-ele-telesto/vars.yml deleted file mode 100644 index 688fa66f..00000000 --- a/inventory/group_vars/vmhost-ele-telesto/vars.yml +++ /dev/null 
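Review bot: `ele-dione: 111` becomes `ele-dione: 112` in `kubeguard.node_index`, and since `kubernetes_overlay_node_ip` (context at the end of the hunk) is derived from that index, this re-addresses ele-dione's pod range rather than only adding ele-telesto. If ele-dione is the same machine as before, keeping it at 111 and giving ele-telesto 112 avoids disturbing a running node; if the hostnames are being rotated between machines (the host_vars swaps elsewhere in this commit look that way), a comment on the mapping such as `## <date>: indexes reassigned because <reason>` would spare the next reader the same question. ele-dione's new `ntp_client` entry in host_vars looks up `node_index['ele-telesto']`, which is consistent with the mapping as written.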
@@ -1,31 +0,0 @@ ---- -__vmhost_bridge_interface_zones__: - eno1: "{{ network_zones | dict2items | rejectattr('value.vlan', 'undefined') | map(attribute='key') | difference(['lan']) }}" - -__vmhost_bridge_interface_zones_yaml__: | - {% for interface in (__vmhost_bridge_interface_zones__.keys() | sort) %} - {% for zone in __vmhost_bridge_interface_zones__[interface] %} - {{ zone }}: - interfaces: - - {{ interface }}.{{ network_zones[zone].vlan }} - {% endfor %} - {% endfor %} - lan: - interfaces: - - enp3s0 - -vm_host: - name: ele-telesto - network: - bridges: "{{ __vmhost_bridge_interface_zones_yaml__ | from_yaml }}" - zfs: - default: - pool: ssd - name: vm - properties: - compression: lz4 - storage: - pool: storage - name: vm - properties: - compression: lz4 diff --git a/inventory/host_vars/ele-dione.yml b/inventory/host_vars/ele-dione.yml index 59420d8d..643682e0 100644 --- a/inventory/host_vars/ele-dione.yml +++ b/inventory/host_vars/ele-dione.yml @@ -9,13 +9,12 @@ install: - "nomodeset" network: - nameservers: - - 1.1.1.1 + nameservers: "{{ network_zones.lan.dns }}" domain: "{{ host_domain }}" primary: &_network_primary_ name: eno1 - address: "{{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" - gateway: "{{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ipaddr('address') }}" + address: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" + gateway: "{{ network_zones.lan.gateway }}" interfaces: - *_network_primary_ 
@@ -52,18 +51,13 @@ kubelet_storage: ntp_variant: chrony ntp_client: - pools: - - name: at.pool.ntp.org - options: iburst + servers: + - name: "{{ kubeguard.direct_net_zones.encoder.transfer_net | ipaddr(kubeguard.node_index['ele-telesto']) | ipaddr('address') }}" + options: iburst minpoll 1 maxpoll 3 polltarget 30 ntp_hwtimestamp_interfaces: - name: "*" -ntp_server: - local: stratum 8 - allow: - - "{{ kubeguard.direct_net_zones.encoder.transfer_net }}" - blackmagic_desktopvideo_version: 12.2.2a6 blackmagic_desktopvideo_include_gui: yes diff --git a/inventory/host_vars/ele-helene.yml b/inventory/host_vars/ele-helene.yml index 2e4f8f6c..e70cf2df 100644 --- a/inventory/host_vars/ele-helene.yml +++ b/inventory/host_vars/ele-helene.yml @@ -1,5 +1,6 @@ --- -system_lvm_volume_size_root: 3G +install_interface: eno1 + install: efi: true disks: @@ -9,15 +10,16 @@ install: - "nomodeset" network: - nameservers: - - 1.1.1.1 + nameservers: "{{ network_zones.lan.dns }}" domain: "{{ host_domain }}" primary: &_network_primary_ - name: eno1 - address: "{{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" - gateway: "{{ network_zones.murat_transfer.prefix | ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ipaddr('address') }}" + name: br-lan + address: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" + gateway: "{{ network_zones.lan.gateway }}" interfaces: - *_network_primary_ + vlans: + eno2: "{{ __vmhost_bridge_interface_zones__['eno2'] | map('extract', network_zones) | map(attribute='vlan') | list }}" apt_repo_components: 
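Review bot: `ntp_client.servers` for ele-dione now names a single source, ele-telesto's encoder transfer-net address, while the `at.pool.ntp.org` pool and the local `ntp_server` stanza are dropped, so if ele-telesto is down or its clock drifts, chrony on ele-dione has no second source to compare against and will free-run or follow whatever it gets. This mirrors what host_vars/ele-helene.yml had before the commit, so it may be the intended tight coupling of the encoder pair (`minpoll 1 maxpoll 3 polltarget 30` points that way); if so, a comment on the list such as `## single source on purpose: the encoders must agree with each other` records it, otherwise keep the pool entry as a fallback.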
@@ -26,40 +28,13 @@ apt_repo_components: - non-free ## for microcode updates spreadspace_apt_repo_components: + - main - prometheus - - container - - -admin_users_host: - - equinox -containerd_storage: - type: lvm - vg: "{{ host_name }}" - lv: containerd - size: 15G - fs: ext4 - -kubelet_storage: +installer_storage: type: lvm vg: "{{ host_name }}" - lv: kubelet - size: 10G + lv: installer + size: 3G fs: ext4 - - -ntp_variant: chrony - -ntp_client: - servers: - - name: "{{ kubeguard.direct_net_zones.encoder.transfer_net | ipaddr(kubeguard.node_index['ele-dione']) | ipaddr('address') }}" - options: iburst minpoll 1 maxpoll 3 polltarget 30 - -ntp_hwtimestamp_interfaces: - - name: "*" - - - -blackmagic_desktopvideo_version: 12.2.2a6 -blackmagic_desktopvideo_include_gui: yes diff --git a/inventory/host_vars/ele-telesto.yml b/inventory/host_vars/ele-telesto.yml index 47f000f1..fa4675c7 100644 --- a/inventory/host_vars/ele-telesto.yml +++ b/inventory/host_vars/ele-telesto.yml 
@@ -1,62 +1,65 @@ --- -install_interface: enp3s0 - +system_lvm_volume_size_root: 3G install: - efi: yes + efi: true disks: - primary: /dev/disk/by-id/ata-? - system_lvm: - size: 15G + primary: /dev/disk/by-id/nvme-Samsung_SSD_970_PRO_512GB_S5JYNC0N310329Z network: - nameservers: "{{ network_zones.lan.dns }}" + nameservers: "{{ network_zones.cc_hmtsaal.dns }}" domain: "{{ host_domain }}" primary: &_network_primary_ - name: br-lan - address: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" - gateway: "{{ network_zones.lan.gateway }}" + name: eno1 + address: "{{ network_zones.cc_hmtsaal.prefix | ipaddr(network_zones.cc_hmtsaal.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" + gateway: "{{ network_zones.cc_hmtsaal.gateway }}" interfaces: - *_network_primary_ - vlans: - eno1: "{{ __vmhost_bridge_interface_zones__['eno1'] | map('extract', network_zones) | map(attribute='vlan') | list }}" apt_repo_components: - main - - contrib ## for zfs + - contrib - non-free ## for microcode updates spreadspace_apt_repo_components: - - main - prometheus + - container + + +admin_users_host: + - equinox -installer_storage: +containerd_storage: type: lvm vg: "{{ host_name }}" - lv: installer - size: 3G + lv: containerd + size: 15G fs: ext4 +kubelet_storage: + type: lvm + vg: "{{ host_name }}" + lv: kubelet + size: 10G + fs: ext4 + + +ntp_variant: chrony + +ntp_client: + pools: + - name: at.pool.ntp.org + options: iburst + +ntp_hwtimestamp_interfaces: + - name: "*" + +ntp_server: + local: stratum 8 + allow: + - "{{ kubeguard.direct_net_zones.encoder.transfer_net }}" + -zfs_arc_size: - min: 1GB - max: 4GB - -zfs_pools: - ssd: - mountpoint: /srv/ssd - create_vdevs: ata-? 
- storage: - mountpoint: /srv/storage - create_vdevs: mirror /dev/disk/by-id/ata-SAMSUNG_HD103UJ_S1PVJDWQ720808 /dev/disk/by-id/ata-SAMSUNG_HD103UJ_S1PVJDWQ720810 - -zfs_sanoid_modules: - nvme/vm: - use_template: production - recursive: yes - process_children_only: yes - storage/vm: - use_template: production - recursive: yes - process_children_only: yes +blackmagic_desktopvideo_version: 12.2.2a6 +blackmagic_desktopvideo_include_gui: yes diff --git a/inventory/hosts.ini b/inventory/hosts.ini index f87c2b18..7f4659a1 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini @@ -387,12 +387,12 @@ sk-tomnext [vmhost-sk-tomnext:children] vmhost-sk-tomnext-guests -[vmhost-ele-telesto-guests] +[vmhost-ele-helene-guests] ele-mon -[vmhost-ele-telesto] -ele-telesto -[vmhost-ele-telesto:children] -vmhost-ele-telesto-guests +[vmhost-ele-helene] +ele-helene +[vmhost-ele-helene:children] +vmhost-ele-helene-guests [kvmhosts] @@ -401,7 +401,7 @@ ch-prometheus ch-atlas sk-2019vm sk-tomnext -ele-telesto +ele-helene [kvmguests:children] vmhost-ch-phoebe-guests @@ -409,7 +409,7 @@ vmhost-ch-prometheus-guests vmhost-ch-atlas-guests vmhost-sk-2019vm-guests vmhost-sk-tomnext-guests -vmhost-ele-telesto-guests +vmhost-ele-helene-guests ## prometheus monitoring @@ -431,11 +431,11 @@ promzone-chaos-at-home-server [promzone-elevate-festival-server] ele-mon [promzone-elevate-festival] -ele-telesto -ele-dione ele-helene +#ele-dione +#ele-telesto #ele-router -#ele-tub +#ele-thetys [promzone-elevate-festival:children] ele-ap ele-ups @@ -547,8 +547,8 @@ standalone-kubelet ### Kubernetes Cluster: emc [k8s-emc-encoder] +ele-telesto ele-dione -ele-helene [k8s-emc-distribution:children] emc-dist -- cgit v1.2.3
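Review bot: ele-telesto's `primary` interface now sits in the `cc_hmtsaal` zone (a citycom upstream, presumably publicly routed given the 85.237.28.x addresses in the sibling zone of this commit), and dan/ele-telesto.yml applies `monitoring/prometheus/exporter` with no firewall-type role in its list, so it is worth confirming that the exporter role binds only to the lan/transfer address or that filtering exists upstream of eno1; the `ntp_server.allow` entry is already scoped to the encoder transfer net, which is the right shape. The `efi: yes` → `efi: true` change is a good normalization. A short comment above `network:` noting that this host is the one encoder on the upstream link (and why) would make the asymmetry with ele-dione, which uses the lan zone, deliberate rather than surprising.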