From 6b15ecc3a65a66d5af071cc488737ac9a5f9def2 Mon Sep 17 00:00:00 2001
From: NaeiKinDus
Date: Mon, 29 Jul 2024 00:00:00 +0000
Subject: [PATCH] feat(k3s): add possibility to provide a custom backend; moved opentofu states to postgresql on actinium

---
 .../roles/k3s/tasks/opentofu.yml | 21 ++++++++++
 inventory/host_vars/actinium/vars.yml | 40 +++++++++++++++++--
 playbooks/internal.yml | 1 +
 3 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml b/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml
index 299b47a..3f8c6ee 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml
@@ -5,6 +5,7 @@ ansible.builtin.set_fact: k3s_tf_safe_item_name: "{{ item.name | regex_replace('[^\\w]', '') }}" k3s_tf_project_git_path: "{{ provisioner_facts.artifacts_dir }}/{{ item.name | regex_replace('[^\\w]', '') }}.git" + changed_when: false - name: check pre-existing TF state file ansible.builtin.file:
@@ -12,6 +13,7 @@ register: tfstate_file_info changed_when: false failed_when: false + when: item.get("backend_override", false) is falsy - name: fetch git repository ansible.builtin.git:
@@ -33,6 +35,15 @@ dest: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/terraform.tfstate' force: true mode: '0600' + when: item.get("backend_override", false) is falsy + + - name: dump custom backend override + ansible.builtin.copy: + content: '{{ item.backend_override }}' + dest: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/backend_override.tf' + mode: '0600' + when: item.get("backend_override", false) is truthy + changed_when: false - name: deploy k8s resources community.general.terraform:
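Review bot: The `changed_when: false` added to the set_fact task changes nothing visible, since set_fact tasks already report ok rather than changed, while the duplication this commit really introduces — the `item.get("backend_override", false) is falsy` / `is truthy` test repeated on six later tasks — is left unaddressed. This set_fact already computes the per-item facts, so derive the flag once here, `k3s_tf_custom_backend: "{{ item.backend_override is defined and item.backend_override is truthy }}"`, and let the other tasks use `when: k3s_tf_custom_backend` or `when: not k3s_tf_custom_backend`. The task list is part of a loop whose head is outside this hunk.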
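Review bot: Skipping the `terraform.tfstate` restore whenever `backend_override` is set means an item that previously ran on the local backend is never migrated: the first run with `backend "pg" {}` starts from an empty remote state, so OpenTofu will plan to create every resource again (presumably failing on the already-existing k8s objects), and the local copy under `k8s_states_dir` is silently orphaned. If the existing item was migrated by hand — the commit title suggests so — say that next to the new `dump custom backend override` task, e.g. `# NOTE: switching an existing item to a custom backend is a one-off manual 'tofu init -migrate-state'; this role never migrates local state`. Otherwise add a guard that fails with a clear message when `{{ provisioner_facts.k8s_states_dir }}/{{ k3s_tf_safe_item_name }}.tfstate` still exists for an item that now sets `backend_override`. The surrounding tasks belong to a loop that starts before this hunk.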
@@ -40,6 +51,14 @@ project_path: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}' provider_upgrade: true force_init: true + environment: '{{ item.get("backend_env", {}) }}' + + - name: cleanup override file + ansible.builtin.file: + path: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/backend_override.tf' + state: absent + when: item.get("backend_override", false) is truthy + changed_when: false - name: backup source state file ansible.builtin.copy:
@@ -47,6 +66,7 @@ dest: '{{ provisioner_facts.k8s_states_dir }}/{{ k3s_tf_safe_item_name }}.tfstate.previous' force: true mode: '0600' + when: item.get("backend_override", false) is falsy - name: update source tfstate file ansible.builtin.copy:
@@ -54,3 +74,4 @@ dest: '{{ provisioner_facts.k8s_states_dir }}/{{ k3s_tf_safe_item_name }}.tfstate' force: true mode: '0600' + when: item.get("backend_override", false) is falsy
diff --git a/inventory/host_vars/actinium/vars.yml b/inventory/host_vars/actinium/vars.yml
index 902ac88..840bcc1 100644
--- a/inventory/host_vars/actinium/vars.yml
+++ b/inventory/host_vars/actinium/vars.yml
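Review bot: `environment: '{{ item.get("backend_env", {}) }}'` exports the backend credentials — `PGPASSWORD` in the actinium inventory of this same commit — as process environment of the terraform task, which has no `no_log`: the `-vvv` EXEC trace can show the remote command with that environment prefix, and the value sits in `/proc/<pid>/environ` of the tofu/terraform process and every provider it spawns for the duration of the apply. The libpq-native alternative is a password file: write a `.pgpass` next to `backend_override.tf` with `mode: '0600'` (and `no_log: true` on that copy task), put only `PGPASSFILE` plus host/db/user in `backend_env`, and delete it in the cleanup task; `no_log: true` on the terraform task itself is the blunt fallback but hides apply errors. Separately, the new `cleanup override file` task only runs when the terraform task succeeds, so a failed apply leaves `backend_override.tf` (and any password file) in the checkout; wrap the deploy task in a `block:` and move the cleanup under `always:`. These tasks are part of a loop whose head is outside this hunk.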
@@ -16,23 +16,46 @@ mariadb_server_custom_sql: "{{ vault_mariadb_server_custom_sql }}" mariadb_server_bind_addresses: "{{ vault_mariadb_server_bind_addresses }}" postgresql_server_run_custom_sql: true -postgresql_nft_allowed_ingress_list: ['127.0.0.1/32', '10.42.0.0/16'] +postgresql_nft_allowed_ingress_list: '{{ vault_postgresql_nft_allowed_ingress_list }}' postgresql_server_custom_sql: "{{ vault_postgresql_server_custom_sql }}" postgresql_server_bind_addresses: "{{ vault_postgresql_server_bind_addresses }}" postgresql_server_databases_list: - name: '{{ vault_invidious_pg_dbname }}' + - name: '{{ vault_opentofu_pg_dbname }}' postgresql_server_accounts_list: - name: '{{ vault_invidious_pg_user }}' - db: '{{ vault_invidious_pg_dbname }}' password: '{{ vault_invidious_pg_password }}' + - name: '{{ vault_opentofu_pg_user }}' + password: '{{ vault_opentofu_pg_password }}' postgresql_server_hba_conf_list: - address: '10.42.0.0/16' databases: - - invidious + - '{{ vault_invidious_pg_dbname }}' contype: hostssl method: scram-sha-256 users: - - invidious + - '{{ vault_invidious_pg_user }}' + - address: '{{ vault_provider_geopoiesis }}/32' + databases: + - '{{ vault_opentofu_pg_dbname }}' + contype: hostssl + method: scram-sha-256 + users: + - '{{ vault_opentofu_pg_user }}' + - address: '{{ vault_provider_unobtainium }}/32' + databases: + - '{{ vault_opentofu_pg_dbname }}' + contype: hostssl + method: scram-sha-256 + users: + - '{{ vault_opentofu_pg_user }}' + - address: '{{ vault_provider_unsepttrium }}/32' + databases: + - '{{ vault_opentofu_pg_dbname }}' + contype: hostssl + method: scram-sha-256 + users: + - '{{ vault_opentofu_pg_user }}' k3s_cluster_helm_customizations: - name: routing-invidious 
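Review bot: The new `{{ vault_opentofu_pg_user }}` account carries only a password, yet the `pg` backend creates its own `terraform_remote_state` schema on first init, which needs `CREATE` on `{{ vault_opentofu_pg_dbname }}` (or ownership of the database); nothing in this hunk grants that, so it presumably lives in `vault_postgresql_server_custom_sql` and deserves a comment on the account entry, e.g. `# pg backend creates schema terraform_remote_state: needs CREATE on the database (granted via custom SQL)`. The three `hostssl` + `scram-sha-256` entries scoped to one user, one database and one `/32` each are the right shape for a state store, but they only take effect if the same three provider addresses are also in the now-vaulted `postgresql_nft_allowed_ingress_list`, which cannot be checked from here; a comment naming that coupling would help the next editor. The three identical HBA blocks could also be one anchored mapping or a loop in the role, but that is cosmetic.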
@@ -115,6 +138,15 @@ k3s_cluster_additional_tf_resources: git_revision: 0.0.8 terraform_dir: 'terraform' tfvars_content: '{{ vault_invoice_ninja_tfvars }}' + backend_override: |- + terraform { + backend "pg" {} + } + backend_env: + PGHOST: '{{ vault_ansible_host }}' + PGDATABASE: '{{ vault_opentofu_pg_dbname }}' + PGUSER: '{{ vault_opentofu_pg_user }}' + PGPASSWORD: '{{ vault_opentofu_pg_password }}' hc_vault_server_tls_cert_data: '{{ vault_hc_vault_server_tls_cert_data }}' hc_vault_server_tls_key_data: '{{ vault_hc_vault_server_tls_key_data }}'
diff --git a/playbooks/internal.yml b/playbooks/internal.yml
index 3e0e324..1f4e7df 100644
--- a/playbooks/internal.yml
+++ b/playbooks/internal.yml
@@ -105,6 +105,7 @@ tags: [gaming] tags: [gaming] +# WARNING: OpenTofu states depend on setting up the postgresql database first - name: install K3S hosts: internal:&k3s tasks:
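Review bot: `backend_env` sets `PGHOST`/`PGDATABASE`/`PGUSER`/`PGPASSWORD` but no `PGSSLMODE`, so libpq uses its default `prefer`: the connection will be encrypted (the server-side `hostssl` rules force it) but the server certificate is never verified, and the state — which holds the rendered tfvars secrets and every resource attribute — is sent to whatever answers on `{{ vault_ansible_host }}`. Add `PGSSLMODE: verify-full` and `PGSSLROOTCERT: '<path on the provider host to the CA that signed actinium's PostgreSQL certificate>'` to `backend_env`; `verify-ca` is the minimum if the hostname does not match the certificate. The vaulted `PGPASSWORD` is fine as inventory data, but it ends up as process environment of the terraform task, which is a weaker place for a secret than a `PGPASSFILE` written with `mode: '0600'`.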