---
# Basic Setup: baseline for the ch-prometheus host (apt repositories, core
# system, sshd, zsh, CPU microcode). Runs before the payload play below.
- name: Basic Setup
  hosts: ch-prometheus
  roles:
  - role: apt-repo/base
  - role: core/base
  - role: core/sshd/base
  - role: core/zsh
  - role: core/cpu-microcode

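# Payload Setup: application roles for ch-prometheus plus host-specific helper
# scripts and systemd units (targets the same host group as the Basic Setup play).
- name: Payload Setup
  hosts: ch-prometheus
  roles:
  - role: apt-repo/spreadspace
  - role: nginx/base
  - role: monitoring/prometheus/exporter
  - role: storage/luks/base
  - role: storage/zfs/base
  - role: storage/zfs/sanoid
  - role: chaos-at-home/fileserver
  - role: vm/host/base
  - role: vm/host/network
  - role: installer/debian/base
  - role: installer/openbsd/base
  tasks:
  # post-boot: opens every LUKS volume listed in `luks_devices` (cryptsetup will
  # prompt for each passphrase), then restarts the ZFS units, mounts everything
  # from fstab and restarts libvirtd and the NFS server so guests and exports
  # come up on the now-unlocked storage. `copy: content:` is templated, so the
  # Jinja loop below is expanded at deploy time.
  - name: install post-boot script
    copy:
      dest: /usr/local/bin/post-boot
      # Quoted so every YAML loader hands Ansible the string "0755" instead of
      # an integer (YAML 1.1 octal vs 1.2 decimal; yamllint octal-values).
      mode: "0755"
      content: |
        #!/bin/bash
        set -e

        {% for name, volume in luks_devices.items() %}
        echo -e "opening crypto volume: \033[1;37m{{ name }}\033[0m"
        cryptsetup luksOpen '{{ volume.device }}' '{{ name }}'
        {% endfor %}

        systemctl restart zfs-import-cache.service
        systemctl restart zfs-mount.service
        systemctl restart zfs-share.service
        systemctl restart zfs-zed.service
        mount -a

        sleep 2
        rm -f /run/libvirt/qemu/autostarted
        systemctl restart libvirtd.service
        systemctl restart nfs-kernel-server

  # dstat.sh: resolves the RAID member devices from `install.disks.raid.members`
  # and the non-nvme LUKS backing devices from `luks_devices` to their kernel
  # block-device names and hands them to dstat via -D, together with the
  # primary network interface. The Jinja `disk_variables` list only collects the
  # shell variable names that are emitted into the final exec line.
  - name: install dstat script
    copy:
      dest: /usr/local/bin/dstat.sh
      # Quoted for the same loader-portability reason as above.
      mode: "0755"
      content: |
        #!/bin/bash
        {% set disk_variables = [] %}
        {% for disk in install.disks.raid.members %}
        disk_primary{{ loop.index0 }}=$(basename $(realpath '{{ disk }}'))
        {{ disk_variables.append('$disk_primary'+(loop.index0| string)) -}}
        {% endfor %}
        {% for name,volume in luks_devices.items() %}
        {%   if 'crypto-nvme' not in name %}
        disk_{{ name | replace('-', '_') }}=$(basename $(realpath '{{ volume.device }}'))
        {{ disk_variables.append('$disk_'+(name | replace('-', '_'))) -}}
        {%   endif %}
        {% endfor %}
        exec dstat -cnd -N {{ network.primary.name }} -D "{{ disk_variables | join(',') }}"  --disk-util --top-io --top-bio

  # One-shot rsync of /home from the legacy server (192.168.28.250) into
  # /srv/storage/home, run as root but confined by the systemd options below:
  # CapabilityBoundingSet keeps the process to the three capabilities rsync -a
  # needs to restore ownership and permissions, ProtectSystem=strict plus
  # ReadWritePaths limits writes to the destination tree.
  # NOTE(review): the ssh options pin SHA-1 based algorithms (ssh-rsa host and
  # user keys, hmac-sha1 MAC), presumably because the legacy peer supports
  # nothing newer; they weaken the transport and should be dropped together
  # with this unit once that host is retired.
  # NOTE(review): `--delete` with a remote source mirrors deletions as well, so
  # the legacy host can remove data under /srv/storage/home; the sanoid
  # snapshots from storage/zfs/sanoid are presumably the rollback path — confirm.
  # NOTE(review): rsync -a preserves mode bits including set-uid/set-gid and
  # RestrictSUIDSGID= is not set; confirm the destination is mounted nosuid or
  # that this is intended.
  # NOTE(review): ExecStart= uses a bare `rsync`, which relies on systemd's
  # $PATH lookup (available since v239); an absolute path is the conservative
  # form — confirm against the target's systemd version.
  - name: install systemd service to sync homes from prometheus-legacy
    copy:
      content: |
        [Unit]
        Description=sync homes from legacy server

        [Service]
        Type=oneshot
        ExecStart=rsync -v -a --delete -e 'ssh -i /root/.ssh/id_promtheus-legacy_rsa -o PubkeyAcceptedKeyTypes=ssh-rsa -o MACs=hmac-sha1 -o HostKeyAlgorithms=ssh-rsa' --exclude /sendfile-spool --exclude /.zfs/ root@192.168.28.250:/home/ /srv/storage/home/
        TimeoutStartSec=50m

        # systemd hardening-options
        AmbientCapabilities=CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
        CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
        LockPersonality=true
        MemoryDenyWriteExecute=true
        NoNewPrivileges=true
        PrivateTmp=true
        ProtectControlGroups=true
        ProtectKernelModules=true
        ProtectKernelTunables=true
        ProtectSystem=strict
        ReadWritePaths=/srv/storage/home
        RemoveIPC=true
        RestrictNamespaces=true
        RestrictRealtime=true
        RestrictAddressFamilies=AF_UNIX AF_INET
        SystemCallArchitectures=native

        [Install]
        WantedBy=multi-user.target
      dest: /etc/systemd/system/sync-homes-from-legacy.service

  # Hourly trigger for the service above (same unit base name, so the timer
  # activates sync-homes-from-legacy.service). TimeoutStartSec=50m in the
  # service keeps one run from overlapping the next hourly activation.
  - name: install systemd timer to sync homes from prometheus-legacy
    copy:
      content: |
        [Unit]
        Description=sync homes from legacy server

        [Timer]
        OnCalendar=hourly

        [Install]
        WantedBy=timers.target
      dest: /etc/systemd/system/sync-homes-from-legacy.timer

  # daemon_reload picks up the freshly copied unit files before the timer is
  # enabled and started. Canonical booleans (true/false) instead of yes/no,
  # which YAML 1.2 loaders read as plain strings (yamllint truthy).
  - name: make sure systemd timer to sync homes from prometheus-legacy is started and enabled
    systemd:
      daemon_reload: true
      name: sync-homes-from-legacy.timer
      state: started
      enabled: true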