diff --git a/ansible_galaxy-requirements.yml b/ansible_galaxy-requirements.yml
index 1c97b2a..7077654 100644
--- a/ansible_galaxy-requirements.yml
+++ b/ansible_galaxy-requirements.yml
@@ -6,3 +6,5 @@ collections:
 version: 9.0.0
 - name: ansible.utils
 version: 5.0.0
+ - name: moreati.jq
+ version: 0.2.1
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/provisioner/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/defaults/main.yml
new file mode 100644
index 0000000..131173b
--- /dev/null
+++ b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+provisioner_artifacts_dir: '{{ provisioner_artifacts_dir | default("/srv/ansible/artifacts", true) }}'
+provisioner_github_token: "{{ custom_github_token | default('') }}"
+provisioner_helm_binary_path: '{{ provisioner_helm_binary_path | default("/usr/local/bin/helm", true) }}'
+provisioner_helm_version: latest
+provisioner_k8s_states_dir: '{{ provisioner_k8s_states_dir | default("/srv/ansible/states", true) }}'
+provisioner_kubeconfig_repository: '{{ provisioner_kubeconfig_repository | default("/srv/ansible/kubeconfig", true) }}'
+provisioner_kubectl_binary_path: '{{ provisioner_kubectl_binary_path | default("/usr/local/bin/kubectl", true) }}'
+provisioner_kubectl_version: latest
+provisioner_k3sup_binary_path: '{{ provisioner_k3sup_binary_path | default("/usr/local/bin/k3sup") }}'
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/provisioner/handlers/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/handlers/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/handlers/main.yml
@@ -0,0 +1 @@
+---
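Review bot: Every path default in defaults/main.yml is written as a self-reference, e.g. `provisioner_artifacts_dir: '{{ provisioner_artifacts_dir | default("/srv/ansible/artifacts", true) }}'`; when the variable is overridden at any higher precedence the whole expression is replaced and never evaluated, and when it is not overridden Ansible resolves the template against itself, which in my experience raises a recursive-loop templating error instead of yielding the fallback. A plain literal carries the same intent without the indirection, `provisioner_artifacts_dir: /srv/ansible/artifacts`, and likewise for the helm, kubectl, k3sup, states and kubeconfig entries. The k3sup entry also differs from the others by omitting the `true` second argument to `default`, so an empty override would not fall back there; worth aligning or documenting. `provisioner_github_token` is the only value here that can carry a secret, and a comment such as `# GitHub token used for release downloads; keep it in vault` next to it would make the expected source explicit.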
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/provisioner/meta/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/meta/main.yml
new file mode 100644
index 0000000..b91e959
--- /dev/null
+++ b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ author: Florian L.
+ namespace: nullified
+ description: Install server related configuration and tooling
+ # issue_tracker_url: http://example.com/issue/tracker
+ license: MIT
+ min_ansible_version: 2.15
+
+ # https://galaxy.ansible.com/api/v1/platforms/
+ platforms:
+ - name: Debian
+ versions:
+ - bookworm
+
+ galaxy_tags:
+ - utils
+ - system
+
+dependencies: []
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/provisioner/tasks/load_facts.yml b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/tasks/load_facts.yml
new file mode 100644
index 0000000..159f2a1
--- /dev/null
+++ b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/tasks/load_facts.yml
@@ -0,0 +1,13 @@
+---
+- name: load provisioner facts
+ block:
+ - name: save current provisioner hostname
+ ansible.builtin.set_fact:
+ provisioner_hostname: '{{ lookup("pipe", "hostname") }}'
+ - name: retrieve provisioner inventory facts
+ ansible.builtin.set_fact:
+ provisioner_facts: '{{ dict(hostvars[provisioner_hostname]) | moreati.jq.jq(JSON_MATCH_QUERY) }}'
+ when: inventory_hostname == ansible_play_hosts_all[0]
+ run_once: true
+ vars:
+ JSON_MATCH_QUERY: 'to_entries | map(select(.key | match("^provisioner_.+")) | .key |= ltrimstr("provisioner_")) | from_entries'
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/provisioner/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/tasks/main.yml
new file mode 100644
index 0000000..333c5b7
--- /dev/null
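Review bot: `min_ansible_version: 2.15` in meta/main.yml is an unquoted float, and galaxy metadata expects this field as a string; a version such as 2.10 would be read as 2.1 by a YAML parser, so quote it as `min_ansible_version: "2.15"`. The commented-out `# issue_tracker_url: http://example.com/issue/tracker` placeholder from the role skeleton can be dropped or filled in. The description `Install server related configuration and tooling` does not say that this role prepares a provisioner host (helm, kubectl, OpenTofu, k3sup); a more specific sentence helps anyone browsing the collection.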
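Review bot: `provisioner_hostname: '{{ lookup("pipe", "hostname") }}'` in load_facts.yml takes the controller's OS hostname and uses it as the `hostvars` key on the next task, so the play fails with an undefined-variable error whenever the controller's hostname is not also an inventory hostname (an inventory alias, a different FQDN, or a run from a machine outside the inventory). Selecting the provisioner from the inventory avoids that coupling, e.g. `provisioner_hostname: '{{ groups["provisioner"][0] }}'`, together with a comment stating the assumption that exactly one provisioner exists. The jq filter copies every hostvar matching `^provisioner_.+` into `provisioner_facts` on all hosts, so any secret placed under that prefix in inventory would be replicated into every host's facts and into any fact cache; a comment on `JSON_MATCH_QUERY` saying that only non-sensitive settings may use the prefix would document that boundary. Lastly `when: inventory_hostname == ansible_play_hosts_all[0]` appears to duplicate what `run_once: true` already guarantees, so one of the two can go.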
+++ b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+# add https://github.com/databus23/helm-diff
+- name: set default facts
+ ansible.builtin.set_fact:
+ provisioner_playbook_user: '{{ lookup("env", "USER") }}'
+ changed_when: false
+
+- name: install helm
+ ansible.builtin.include_role:
+ name: nullified.infrastructure.helm
+ vars:
+ helm_binary_path: '{{ provisioner_helm_binary_path }}'
+ helm_install_version: '{{ provisioner_helm_version }}'
+
+- name: install kubectl
+ ansible.builtin.include_role:
+ name: nullified.infrastructure.kubectl
+ vars:
+ kubectl_binary_path: '{{ provisioner_kubectl_binary_path }}'
+ kubectl_install_version: '{{ provisioner_kubectl_version }}'
+
+- name: install OpenTofu
+ become: true
+ nullified.infrastructure.github_artifact:
+ github_token: '{{ provisioner_github_token }}'
+ asset_name: 'tofu_{version}_amd64.deb'
+ asset_type: release
+ creates: '{{ provisioner_tofu_binary_path }}' # path used by the .deb, no control over it
+ repository: opentofu/opentofu
+ force: true
+ cmds:
+ - 'dpkg -i {asset_dirname}/{asset_filename}'
+
+- name: retrieve k3sup on Ansible controller
+ become: true
+ nullified.infrastructure.github_artifact:
+ asset_name: k3sup
+ asset_type: release
+ repository: alexellis/k3sup
+ creates: '{{ provisioner_k3sup_binary_path }}'
+ force: true
+ cmds:
+ - "install --mode=755 {asset_dirname}/{asset_filename} {{ provisioner_k3sup_binary_path }}"
+
+- name: create storage directories
+ become: true
+ ansible.builtin.file:
+ path: '{{ item }}'
+ mode: '0700'
+ owner: '{{ provisioner_playbook_user }}'
+ group: '{{ provisioner_playbook_user }}'
+ state: directory
+ loop:
+ - '{{ provisioner_artifacts_dir }}'
+ - '{{ provisioner_k8s_states_dir }}'
+ - '{{ provisioner_kubeconfig_repository }}'
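Review bot: `github_token: '{{ provisioner_github_token }}'` on the install OpenTofu task passes a credential as a module argument with no `no_log: true` on the task, so unless `nullified.infrastructure.github_artifact` declares that option as no_log the token may be echoed in the task result at higher verbosity and end up in logs or callback output; add `no_log: true` to that task (the k3sup task passes no token and needs none). Both artifact tasks then run `dpkg -i` or `install --mode=755` as root on a file fetched from a GitHub release with `force: true`, and nothing visible here checks a digest or signature before that step; if the module does not verify one, say so in a comment or add the check. `provisioner_playbook_user: '{{ lookup("env", "USER") }}'` reads the controller's environment but becomes the owner of the `become: true` directories on the target, so a differently named user there makes the file task fail, and `changed_when: false` on a set_fact is a no-op that can be dropped. The task named `retrieve k3sup on Ansible controller` has no `delegate_to: localhost`, so it runs on the play's hosts like the others; either add the delegation or rename it.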
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/provisioner/tests/inventory b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/provisioner/vars/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/vars/main.yml
new file mode 100644
index 0000000..592812d
--- /dev/null
+++ b/collections/ansible_collections/nullified/infrastructure/roles/provisioner/vars/main.yml
@@ -0,0 +1,2 @@
+---
+provisioner_tofu_binary_path: /usr/bin/tofu # path used by the .deb, no control over it
diff --git a/inventory/group_vars/provisioner/vars.yml b/inventory/group_vars/provisioner/vars.yml
new file mode 100644
index 0000000..f9ae430
--- /dev/null
+++ b/inventory/group_vars/provisioner/vars.yml
@@ -0,0 +1,8 @@
+# Variables starting with 'provisioner_' in this file will be injected in all hosts configuration as 'ansible_facts.provisioner_facts.'
+provisioner_artifacts_dir: /srv/ansible/artifacts
+provisioner_helm_binary_path: /usr/local/bin/helm
+provisioner_k8s_states_dir: /srv/ansible/states
+provisioner_kubeconfig_repository: /srv/ansible/kubeconfig
+provisioner_kubectl_binary_path: /usr/local/bin/kubectl
+provisioner_k3sup_binary_path: /usr/local/bin/k3sup
+provisioner_tofu_binary_path: /usr/bin/tofu #do not change this, the path is decided by the .deb package
diff --git a/inventory/host_vars/unobtainium/vars.yml b/inventory/host_vars/unobtainium/vars.yml
index 3a6b272..2218aa7 100644
--- a/inventory/host_vars/unobtainium/vars.yml
+++ b/inventory/host_vars/unobtainium/vars.yml
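Review bot: `provisioner_tofu_binary_path: /usr/bin/tofu #do not change this, ...` in group_vars/provisioner/vars.yml has no space after `#`, which yamllint's comments rule flags; write it as `provisioner_tofu_binary_path: /usr/bin/tofu  # do not change this, the path is decided by the .deb package`. The same variable is also set in the role's vars/main.yml, and role vars appear to take precedence over group_vars inside the role, so this line seems to exist only to be picked up by the `provisioner_` match in load_facts.yml; a sentence saying so would keep the next person from deleting it as a duplicate. The header comment runs past 120 columns and the file lacks the `---` document start the other new YAML files use; splitting the first line into two `# ` lines fixes the former. The path values here repeat the fallbacks in defaults/main.yml exactly, so a note on which copy is authoritative is worth adding.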
@@ -1,6 +1,5 @@
 ansible_become_password: "{{ vault_root_pass }}"
 ansible_host: "{{ vault_ansible_host }}"
-ansible_connection: local
 # common role
 common_apt_packages:
@@ -21,6 +20,3 @@ common_sysctl_configuration:
 security_firewall_filter_policy_output: accept
 security_firewall_filter_policy_forward: accept
 security_firewall_mangle_policy_forward: accept
-
-# provisioner role
-terraform_binary_path: '/usr/bin/tofu'
diff --git a/inventory/host_vars/unsepttrium/unsepttrium/vars.yml b/inventory/host_vars/unsepttrium/unsepttrium/vars.yml
new file mode 100644
index 0000000..bacc2db
--- /dev/null
+++ b/inventory/host_vars/unsepttrium/unsepttrium/vars.yml
@@ -0,0 +1,21 @@
+ansible_become_password: "{{ vault_root_pass }}"
+ansible_host: "{{ vault_ansible_host }}"
+
+# common role
+common_apt_packages:
+ - pcscd
+ - pinentry-curses
+common_git_enabled: true
+common_git_username: "{{ vault_common_gitconfig_username }}"
+common_git_email: "{{ vault_common_gitconfig_email }}"
+common_git_force_sign: true
+common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}"
+common_install_fonts: true
+common_sysctl_configuration:
+ 'fs.inotify.max_user_watches': 1048576
+ 'vm.swappiness': 1
+
+# security role
+security_firewall_filter_policy_output: accept
+security_firewall_filter_policy_forward: accept
+security_firewall_mangle_policy_forward: accept
diff --git a/inventory/host_vars/unsepttrium/vars.yml b/inventory/host_vars/unsepttrium/vars.yml
new file mode 100644
index 0000000..bacc2db
--- /dev/null
+++ b/inventory/host_vars/unsepttrium/vars.yml
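Review bot: `inventory/host_vars/unsepttrium/unsepttrium/vars.yml` and `inventory/host_vars/unsepttrium/vars.yml` (the next file in this commit) are byte-identical (both carry index `bacc2db`), and the nested path looks like an accidental duplicate; as far as I recall the host_vars loader walks the host directory recursively, so the second copy silently merges over the first with identical values today and would become a confusing last-wins merge the moment they diverge. Keep one copy, preferably `inventory/host_vars/unsepttrium/vars.yml`. Both this host and unobtainium reference the same `vault_root_pass` name for `ansible_become_password`; if that variable lives in a shared vault rather than a per-host one, the two machines share a root password, which is worth confirming now that both are reached over SSH.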
@@ -0,0 +1,21 @@
+ansible_become_password: "{{ vault_root_pass }}"
+ansible_host: "{{ vault_ansible_host }}"
+
+# common role
+common_apt_packages:
+ - pcscd
+ - pinentry-curses
+common_git_enabled: true
+common_git_username: "{{ vault_common_gitconfig_username }}"
+common_git_email: "{{ vault_common_gitconfig_email }}"
+common_git_force_sign: true
+common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}"
+common_install_fonts: true
+common_sysctl_configuration:
+ 'fs.inotify.max_user_watches': 1048576
+ 'vm.swappiness': 1
+
+# security role
+security_firewall_filter_policy_output: accept
+security_firewall_filter_policy_forward: accept
+security_firewall_mangle_policy_forward: accept
diff --git a/playbooks/internal.yml b/playbooks/internal.yml
index c010663..67cfcbd 100644
--- a/playbooks/internal.yml
+++ b/playbooks/internal.yml
@@ -1,4 +1,21 @@
 ---
+- name: setup provisioners
+ hosts: internal:&provisioner
+ gather_facts: false
+ tasks:
+ - name: include provisioner role
+ include_role:
+ name: nullified.infrastructure.provisioner
+
+- name: load provisioner facts
+ hosts: internal
+ gather_facts: false
+ tasks:
+ - name: include provisioner role
+ include_role:
+ name: nullified.infrastructure.provisioner
+ tasks_from: load_facts.yml
+
 - name: setup internal infrastructure
 hosts: internal
 gather_facts: false
diff --git a/playbooks/provisioner.yml b/playbooks/provisioner.yml
new file mode 100644
index 0000000..5e8618d
--- /dev/null
+++ b/playbooks/provisioner.yml
@@ -0,0 +1,7 @@
+---
+- name: setup local provisioner
+ hosts: provisioner
+ tasks:
+ - name: include provisioner role
+ ansible.builtin.include_role:
+ name: nullified.infrastructure.provisioner
diff --git a/requirements.txt b/requirements.txt
index 3e641e7..d5b9057 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -13,3 +13,4 @@ pycurl==7.45.2
 pylint==2.17.5
 python-vagrant==1.0.0
 yamllint==1.32.0
+jq==1.7.0
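Review bot: Both new plays in playbooks/internal.yml call `include_role:` unqualified while playbooks/provisioner.yml and the role's own tasks use `ansible.builtin.include_role:`; ansible-lint's fqcn rule flags the short form, so change both lines to `ansible.builtin.include_role:`. The second play `load provisioner facts` includes the same role a second time with `tasks_from: load_facts.yml` against every `internal` host, which is not obvious from the play name; a comment such as `# copy the provisioner host's provisioner_* inventory vars into provisioner_facts on every internal host` above it would explain the double include. The first play's `hosts: internal:&provisioner` also encodes the expectation that the provisioner is itself an internal host, which deserves a one-line comment since the facts play depends on it.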