---
# Play 1: base system for the ch-prometheus host -- package repository,
# core configuration, sshd, zsh and CPU microcode. Runs before the
# payload play, which targets the same host.
- name: Basic Setup
  hosts: ch-prometheus
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd/base
    - role: core/zsh
    - role: core/cpu-microcode
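# Play 2: payload for the ch-prometheus host -- spreadspace repo, nginx,
# prometheus exporter, LUKS + ZFS storage (with sanoid snapshots), the
# chaos-at-home file server, libvirt VM hosting and the debian/openbsd
# installer roles, followed by a few host-specific scripts and units.
- name: Payload Setup
  hosts: ch-prometheus
  roles:
    - role: apt-repo/spreadspace
    - role: nginx/base
    - role: monitoring/prometheus/exporter
    - role: storage/luks/base
    - role: storage/zfs/base
    - role: storage/zfs/sanoid
    - role: chaos-at-home/fileserver
    - role: vm/host/base
    - role: vm/host/network
    - role: installer/debian/base
    - role: installer/openbsd/base
  tasks:
    # Opens every LUKS volume listed in `luks_devices`, then restarts the
    # ZFS units, re-mounts, and brings libvirtd and the NFS server back.
    # `set -e` stops the script at the first failing step. luksOpen is
    # called without a key file and therefore prompts for the passphrase,
    # so this is presumably run by hand after a reboot -- confirm.
    # Removing /run/libvirt/qemu/autostarted before the libvirtd restart
    # appears intended to make libvirtd re-run domain autostart.
    - name: install post-boot script
      copy:
        dest: /usr/local/bin/post-boot
        # Quoted so the YAML loader keeps the literal octal string instead
        # of parsing it as an integer.
        mode: "0755"
        content: |
          #!/bin/bash
          set -e
          {% for name, volume in luks_devices.items() %}
          echo -e "opening crypto volume: \033[1;37m{{ name }}\033[0m"
          cryptsetup luksOpen '{{ volume.device }}' '{{ name }}'
          {% endfor %}
          systemctl restart zfs-import-cache.service
          systemctl restart zfs-mount.service
          systemctl restart zfs-share.service
          systemctl restart zfs-zed.service
          mount -a
          sleep 2
          rm -f /run/libvirt/qemu/autostarted
          systemctl restart libvirtd.service
          systemctl restart nfs-kernel-server

    # Resolves the RAID member disks and every LUKS backing device whose
    # name does not contain 'crypto-nvme' to their kernel block device
    # names, then execs dstat with per-disk utilisation for those devices
    # and the primary network interface. The `-}}` after each append()
    # strips the expression's output and trailing newline from the script.
    - name: install dstat script
      copy:
        dest: /usr/local/bin/dstat.sh
        mode: "0755"
        content: |
          #!/bin/bash
          {% set disk_variables = [] %}
          {% for disk in install.disks.raid.members %}
          disk_primary{{ loop.index0 }}=$(basename $(realpath '{{ disk }}'))
          {{ disk_variables.append('$disk_primary'+(loop.index0| string)) -}}
          {% endfor %}
          {% for name,volume in luks_devices.items() %}
          {% if 'crypto-nvme' not in name %}
          disk_{{ name | replace('-', '_') }}=$(basename $(realpath '{{ volume.device }}'))
          {{ disk_variables.append('$disk_'+(name | replace('-', '_'))) -}}
          {% endif %}
          {% endfor %}
          exec dstat -cnd -N {{ network.primary.name }} -D "{{ disk_variables | join(',') }}" --disk-util --top-io --top-bio

    # One-shot rsync of /home from the legacy server into
    # /srv/storage/home, with --delete (mirror semantics).
    # NOTE(review): the ssh options pin SHA-1 based algorithms (MACs=hmac-sha1,
    # HostKeyAlgorithms=ssh-rsa, PubkeyAcceptedKeyTypes=ssh-rsa), presumably
    # because the legacy host offers nothing newer; they weaken the
    # transport and should go away with the legacy server. The host key is
    # not pinned here, so root's known_hosts must already contain it or the
    # non-interactive unit will fail to connect -- confirm.
    # The unit has no User= and therefore runs as root; the capability
    # lines only narrow root's bounding set, and ProtectSystem=strict is
    # punched through just for the destination tree via ReadWritePaths.
    - name: install systemd service to sync homes from prometheus-legcay
      copy:
        content: |
          [Unit]
          Description=sync homes from legacy server
          [Service]
          Type=oneshot
          ExecStart=rsync -v -a --delete -e 'ssh -i /root/.ssh/id_promtheus-legacy_rsa -o PubkeyAcceptedKeyTypes=ssh-rsa -o MACs=hmac-sha1 -o HostKeyAlgorithms=ssh-rsa' --exclude /sendfile-spool --exclude /.zfs/ root@192.168.28.250:/home/ /srv/storage/home/
          TimeoutStartSec=50m
          # systemd hardening-options
          AmbientCapabilities=CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
          CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
          LockPersonality=true
          MemoryDenyWriteExecute=true
          NoNewPrivileges=true
          PrivateTmp=true
          ProtectControlGroups=true
          ProtectKernelModules=true
          ProtectKernelTunables=true
          ProtectSystem=strict
          ReadWritePaths=/srv/storage/home
          RemoveIPC=true
          RestrictNamespaces=true
          RestrictRealtime=true
          RestrictAddressFamilies=AF_UNIX AF_INET
          SystemCallArchitectures=native
          [Install]
          WantedBy=multi-user.target
        dest: /etc/systemd/system/sync-homes-from-legacy.service

    # Hourly trigger for the sync service above (same unit base name, so
    # systemd pairs the timer with sync-homes-from-legacy.service).
    - name: install systemd timer to sync homes from prometheus-legcay
      copy:
        content: |
          [Unit]
          Description=sync homes from legacy server
          [Timer]
          OnCalendar=hourly
          [Install]
          WantedBy=timers.target
        dest: /etc/systemd/system/sync-homes-from-legacy.timer

    # Picks up the freshly written unit files and activates the timer.
    # Booleans written as true/false rather than yes/no so every YAML
    # loader reads them the same way.
    - name: make sure systemd timer to sync homes from prometheus-legcay is started and enabled
      systemd:
        daemon_reload: true
        name: sync-homes-from-legacy.timer
        state: started
        enabled: true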