

No commits in common. "d0e4450645df97a411642fe253256d7bcb92334f" and "ab41f3ffc005e0a8d6e37153354946fa1c7b14ca" have entirely different histories.

10 changed files with 13 additions and 65 deletions


@ -3,20 +3,14 @@ version: '3'
includes: includes:
setup: ./tasks/setup_{{OS}}.yml setup: ./tasks/setup_{{OS}}.yml
test: ./tasks/tests.yml test: ./tasks/tests.yml
utils:
taskfile: ./tasks/utils.yml
flatten: true
env: env:
DOCKER_REPOSITORY: pouncetech/molecule DOCKER_REPOSITORY: pouncetech/molecule
ANSIBLE_VAULT_PASSWORD_FILE: '{{.ROOT_DIR}}/scripts/pass_get_vault_id.sh'
vars: vars:
PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh' PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh'
MOLECULE_DIR: '{{.ROOT_DIR}}/ansible_collections/nullified/infrastructure/extensions' MOLECULE_DIR: '{{.ROOT_DIR}}/collections/ansible_collections/nullified/infrastructure/extensions'
COLLECTIONS_DIR: '{{.ROOT_DIR}}/ansible_collections' COLLECTIONS_DIR: '{{.ROOT_DIR}}/collections/ansible_collections'
ANSIBLE_PASS_PATH: ansible/vault-id
ANSIBLE_PASS_LENGTH: 50
tasks: tasks:
setup: setup:
@ -26,7 +20,6 @@ tasks:
- task: 'setup:venv' - task: 'setup:venv'
- task: 'setup:ansible' - task: 'setup:ansible'
- task: 'setup:galaxy' - task: 'setup:galaxy'
- task: 'vault:init'
docker:build: docker:build:
desc: build docker images locally. desc: build docker images locally.
@ -40,7 +33,6 @@ tasks:
DOCKERFILE: '{{.ITEM}}' DOCKERFILE: '{{.ITEM}}'
DOCKER_CONTEXT: images DOCKER_CONTEXT: images
IMAGE_TAG: '{{.ITEM | splitList "/" | last | replace "Dockerfile-" ""}}' IMAGE_TAG: '{{.ITEM | splitList "/" | last | replace "Dockerfile-" ""}}'
docker:build:image: docker:build:image:
internal: true internal: true
sources: sources:
@ -50,6 +42,13 @@ tasks:
status: status:
- docker image ls --format '{{"{{"}} .Tag {{"}}"}}' | grep -E '^{{.IMAGE_TAG}}$' - docker image ls --format '{{"{{"}} .Tag {{"}}"}}' | grep -E '^{{.IMAGE_TAG}}$'
docker:push:
desc: push locally built images
cmds:
- 'echo docker push $DOCKER_REPOSITORY:$IMAGE_TAG'
env:
IMAGE_TAG:
nosey: nosey:
desc: start noseyparker to ensure no secrets or passwords are committed desc: start noseyparker to ensure no secrets or passwords are committed
cmds: cmds:
@ -70,13 +69,12 @@ tasks:
vars: vars:
VIRSH_CONNECT: '{{.VIRSH_CONNECT | default "qemu:///system"}}' VIRSH_CONNECT: '{{.VIRSH_CONNECT | default "qemu:///system"}}'
cmds: cmds:
- ./scripts/reset_virtd.sh - ./scripts/purge_virsh.sh
- task: 'molecule' - task: 'molecule'
vars: vars:
CLI_ARGS: 'destroy' CLI_ARGS: 'destroy'
- sudo systemctl restart nftables.service - sudo systemctl restart nftables.service
- sudo systemctl restart libvirtd.service # reset libvirtd related nft rules - sudo systemctl restart libvirtd.service
- sudo systemctl restart docker.service # reset docker related nft rules
ansible:new:role:*: ansible:new:role:*:
desc: create a new role for the specified collection desc: create a new role for the specified collection
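Review bot: `IMAGE_TAG:` under `env` in the new docker:push task (L51) is a bare empty value, which YAML parses as null, so the push target on L49 expands to `$DOCKER_REPOSITORY:` with no tag and an unset tag produces a malformed image reference instead of an error. Add a guard such as `preconditions: - sh: test -n "$IMAGE_TAG"` (assuming the task env is visible to preconditions) or give the key an explicit value, so the task fails fast; as written the cmd is also only `echo docker push …`, so if that is a deliberate dry run the desc should say so. Separately, the last hunk now calls `./scripts/purge_virsh.sh` while a 12-line virsh destroy/undefine script is deleted elsewhere in this compare (its filename is not shown); confirm the referenced script exists on the target branch.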


@ -116,7 +116,7 @@
asset_type: release asset_type: release
creates: /usr/local/bin/yq creates: /usr/local/bin/yq
cmds: cmds:
- install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/yq - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin
- name: '[apt] install custom packages' - name: '[apt] install custom packages'
become: true become: true
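Review bot: The new `install` destination on L75 is the directory `/usr/local/bin`, so the binary is installed under its downloaded name `{asset_filename}`; unless that asset is literally named `yq`, nothing lands at `/usr/local/bin/yq`, the `creates: /usr/local/bin/yq` guard on L73 never matches, and the task re-downloads and re-installs on every run. If the rename was unintended, keep `- install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/yq`; if it was intended, change `creates` to the path that is actually produced. The `{asset_dirname}`/`{asset_filename}` placeholders appear to be substituted by logic outside this hunk, so the real filename cannot be confirmed from here.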


@ -3,7 +3,7 @@ table inet filter {
chain input { chain input {
# operators access # operators access
{%+ if k3s_nft_operators4 %}ip saddr { {{ k3s_nft_operators4 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%} {%+ if k3s_nft_operators4 %}ip saddr { {{ k3s_nft_operators4 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
{%+ if k3s_nft_operators6 %}ip6 saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%} {%+ if k3s_nft_operators6 %}ip saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
# required only for HA with embedded etcd # required only for HA with embedded etcd
{%+ if k3s_nft_servers4 %}ip saddr { {{ k3s_nft_servers4 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%} {%+ if k3s_nft_servers4 %}ip saddr { {{ k3s_nft_servers4 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%}
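Review bot: On the new side of L85 the IPv6 operator rule now matches `ip saddr` against the `k3s_nft_operators6` list; IPv6 addresses are not valid in an IPv4 `ip saddr` set, so when that list is non-empty the rendered ruleset fails to load, and operator access over IPv6 to port 6443 is never granted either way. The old side's `ip6` form was correct; restore `{%+ if k3s_nft_operators6 %}ip6 saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}`. The surrounding `chain input` block starts and ends outside the hunk.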


@ -166,7 +166,6 @@
loop: loop:
- { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" } - { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
- { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" } - { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config" }
- { src: "../templates/.config/picom.conf", dest: "{{ ansible_facts['getent_passwd'][workstation_user_account][4] }}/.config"}
- name: '[authenticator] find if binary is already installed' - name: '[authenticator] find if binary is already installed'
ansible.builtin.file: ansible.builtin.file:


@ -15,8 +15,6 @@ common_install_fonts: true
security_sysctl_configuration: security_sysctl_configuration:
'fs.inotify.max_user_watches': 1048576 'fs.inotify.max_user_watches': 1048576
'vm.swappiness': 1 'vm.swappiness': 1
'vm.max_map_count': 524288
'vm.min_free_kbytes': 1048576
workstation_setup_xorg_enabled: true workstation_setup_xorg_enabled: true
# security role # security role
security_firewall_filter_policy_output: accept security_firewall_filter_policy_output: accept


@ -1,6 +0,0 @@
#!/usr/bin/env bash
PASSWORD_STORE_BIN=${PASSWORD_STORE_BIN:-"pass"}
ANSIBLE_PASS_PATH=${ANSIBLE_PASS_PATH:-"ansible/vault-id"}
$PASSWORD_STORE_BIN show "${ANSIBLE_PASS_PATH}"


@ -1,12 +0,0 @@
#!/usr/bin/env bash
VIRSH_CONNECT="${VIRSH_CONNECT:=qemu:///system}"
VIRSH_VOL_POOL="${VIRSH_VOL_POOL:=default}"
for domain in $(virsh -c "${VIRSH_CONNECT}" list --name --all); do
virsh -c "${VIRSH_CONNECT}" destroy "${domain}" || true
virsh -c "${VIRSH_CONNECT}" undefine "${domain}" || true
done
for volume in $(virsh -c "${VIRSH_CONNECT}" vol-list --pool "${VIRSH_VOL_POOL}" | tail -n +3 | sed -E 's/^\s*([^\s]+)\s+.*$/\1/'); do
virsh -c "${VIRSH_CONNECT}" vol-delete --pool "${VIRSH_VOL_POOL}" "${volume}" || true
done


@ -11,7 +11,6 @@ tasks:
build-essential \ build-essential \
coreutils \ coreutils \
curl \ curl \
pass \
libcurl4-openssl-dev \ libcurl4-openssl-dev \
libtool \ libtool \
python3-virtualenv \ python3-virtualenv \


@ -1,27 +0,0 @@
version: '3'
tasks:
encrypt:
desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
vars:
VAULT_FILES:
sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
cmds:
- for: { var: VAULT_FILES }
cmd: '{{.PYTHON_WRAPPER}} ansible-vault encrypt {{.ITEM | replace "\n" " " }} || true'
decrypt:
desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
vars:
VAULT_FILES:
sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
cmds:
- for: { var: VAULT_FILES }
cmd: '{{.PYTHON_WRAPPER}} ansible-vault decrypt {{.ITEM | replace "\n" " " }} || true'
vault:init:
desc: Create a vault id file in your home directory for encrypting/decrypting vault files
cmds:
- 'pass generate {{.ANSIBLE_PASS_PATH}} {{.ANSIBLE_PASS_LENGTH}} > /dev/null'
status:
- 'pass show {{.ANSIBLE_PASS_PATH}} &> /dev/null '