From 1bf68612f7c745c63436ebd61905c0b939b454da Mon Sep 17 00:00:00 2001 From: Alexander Buntakov Date: Sat, 7 Mar 2020 14:54:40 +0300 Subject: [PATCH] add move roles --- docker.deployment.prepare/tasks/main.yml | 29 +++ docker.traefik/defaults/main.yml | 6 + docker.traefik/tasks/main.yml | 52 ++++++ docker.traefik/templates/traefik.toml.j2 | 167 ++++++++++++++++++ .../defaults/main.yml | 3 + .../tasks/main.yml | 32 ++++ .../templates/docker-compose.yml.j2 | 24 +++ .../defaults/main.yml | 3 + monitoring.blackbox-exporter/tasks/main.yml | 31 ++++ .../templates/blackbox.yml.j2 | 8 + .../templates/docker-compose.yml.j2 | 18 ++ monitoring.filebeat/defaults/main.yml | 5 + monitoring.filebeat/tasks/main.yml | 39 ++++ .../templates/docker-compose.yml.j2 | 17 ++ monitoring.filebeat/templates/filebeat.yml.j2 | 23 +++ monitoring.grafana/defaults/main.yml | 16 ++ monitoring.grafana/tasks/main.yml | 33 ++++ .../templates/docker-compose.yml.j2 | 30 ++++ monitoring.grafana/templates/ldap.toml.j2 | 28 +++ monitoring.node-exporter/defaults/main.yml | 3 + .../files/node_exporter.service | 11 ++ monitoring.node-exporter/tasks/main.yml | 74 ++++++++ .../templates/node_exporter | 1 + .../defaults/main.yml | 3 + monitoring.prometheus.prepare/tasks/main.yml | 57 ++++++ .../templates/docker-compose.yml.j2 | 25 +++ repository.nexus/defaults/main.yml | 9 + repository.nexus/tasks/main.yml | 32 ++++ .../templates/docker-compose.yml.j2 | 29 +++ system.dependencies/tasks/main.yml | 46 +++++ system.deploy-user/tasks/main.yml | 30 ++++ .../templates/docker-config.json.j2 | 10 ++ system.docker/.gitignore | 3 + system.docker/LICENSE | 20 +++ system.docker/README.md | 89 ++++++++++ system.docker/defaults/main.yml | 29 +++ system.docker/handlers/main.yml | 3 + system.docker/tasks/docker-1809-shim.yml | 16 ++ system.docker/tasks/docker-compose.yml | 20 +++ system.docker/tasks/docker-users.yml | 7 + system.docker/tasks/main.yml | 31 ++++ system.docker/tasks/setup-Debian.yml | 38 ++++ system.docker/tasks/setup-RedHat.yml | 35 ++++ system.docker/templates/override.conf.j2 | 3 + system.vpn.client/defaults/main.yml | 0 system.vpn.client/tasks/main.yml | 79 +++++++++ system.vpn.client/templates/ipsec.conf.j2 | 32 ++++ system.vpn.client/templates/ipsec.secrets.j2 | 1 + .../templates/options.l2tpd.client.j2 | 5 + system.vpn.client/templates/route10.j2 | 3 + system.vpn.client/templates/xl2tpd.conf.j2 | 10 ++ 51 files changed, 1318 insertions(+) create mode 100644 docker.deployment.prepare/tasks/main.yml create mode 100644 docker.traefik/defaults/main.yml create mode 100644 docker.traefik/tasks/main.yml create mode 100644 docker.traefik/templates/traefik.toml.j2 create mode 100644 monitoring.alertmanager.prepare/defaults/main.yml create mode 100644 monitoring.alertmanager.prepare/tasks/main.yml create mode 100644 monitoring.alertmanager.prepare/templates/docker-compose.yml.j2 create mode 100644 monitoring.blackbox-exporter/defaults/main.yml create mode 100644 monitoring.blackbox-exporter/tasks/main.yml create mode 100644 monitoring.blackbox-exporter/templates/blackbox.yml.j2 create mode 100644 monitoring.blackbox-exporter/templates/docker-compose.yml.j2 create mode 100644 monitoring.filebeat/defaults/main.yml create mode 100644 monitoring.filebeat/tasks/main.yml create mode 100644 monitoring.filebeat/templates/docker-compose.yml.j2 create mode 100644 monitoring.filebeat/templates/filebeat.yml.j2 create mode 100644 monitoring.grafana/defaults/main.yml create mode 100644 monitoring.grafana/tasks/main.yml create mode 100644 monitoring.grafana/templates/docker-compose.yml.j2 create mode 100644 monitoring.grafana/templates/ldap.toml.j2 create mode 100644 monitoring.node-exporter/defaults/main.yml create mode 100644 monitoring.node-exporter/files/node_exporter.service create mode 100644 monitoring.node-exporter/tasks/main.yml create mode 100644 monitoring.node-exporter/templates/node_exporter create mode 100644 monitoring.prometheus.prepare/defaults/main.yml create mode 100644 monitoring.prometheus.prepare/tasks/main.yml create mode 100644 monitoring.prometheus.prepare/templates/docker-compose.yml.j2 create mode 100644 repository.nexus/defaults/main.yml create mode 100644 repository.nexus/tasks/main.yml create mode 100644 repository.nexus/templates/docker-compose.yml.j2 create mode 100644 system.dependencies/tasks/main.yml create mode 100644 system.deploy-user/tasks/main.yml create mode 100644 system.deploy-user/templates/docker-config.json.j2 create mode 100644 system.docker/.gitignore create mode 100644 system.docker/LICENSE create mode 100644 system.docker/README.md create mode 100644 system.docker/defaults/main.yml create mode 100644 system.docker/handlers/main.yml create mode 100644 system.docker/tasks/docker-1809-shim.yml create mode 100644 system.docker/tasks/docker-compose.yml create mode 100644 system.docker/tasks/docker-users.yml create mode 100644 system.docker/tasks/main.yml create mode 100644 system.docker/tasks/setup-Debian.yml create mode 100644 system.docker/tasks/setup-RedHat.yml create mode 100644 system.docker/templates/override.conf.j2 create mode 100644 system.vpn.client/defaults/main.yml create mode 100644 system.vpn.client/tasks/main.yml create mode 100644 system.vpn.client/templates/ipsec.conf.j2 create mode 100644 system.vpn.client/templates/ipsec.secrets.j2 create mode 100644 system.vpn.client/templates/options.l2tpd.client.j2 create mode 100644 system.vpn.client/templates/route10.j2 create mode 100644 system.vpn.client/templates/xl2tpd.conf.j2 diff --git a/docker.deployment.prepare/tasks/main.yml b/docker.deployment.prepare/tasks/main.yml new file mode 100644 index 0000000..45f720e --- /dev/null +++ b/docker.deployment.prepare/tasks/main.yml @@ -0,0 +1,29 @@ +--- +- name: DOCKER.DEPLOYMENT.PREPARE | Set facts + set_fact: + docker_deployment__deploy_path: "{{ system__deploy_user_home }}/{{ deployment_name }}" + docker_deployment__volume_path: "{{ system__volume_directory }}/{{ deployment_name }}" + docker_deployment__deploy_user_name: "{{ system__deploy_user_name }}" + tags: + - prepare + +- name: DOCKER.DEPLOYMENT.PREPARE | Create deployment directory + file: + path: "{{ docker_deployment__deploy_path }}" + state: directory + mode: 0755 + owner: "{{ deployment_user | default(system__deploy_user_name) }}" + become: yes + become_user: "{{ docker_deployment__deploy_user_name }}" + tags: + - prepare + +- name: DOCKER.DEPLOYMENT.PREPARE | Create volume directory + file: + path: "{{ docker_deployment__volume_path }}" + state: directory + mode: 0755 + owner: "{{ volume_user | default(docker_deployment__deploy_user_name) }}" + become: yes + tags: + - prepare diff --git a/docker.traefik/defaults/main.yml b/docker.traefik/defaults/main.yml new file mode 100644 index 0000000..6899974 --- /dev/null +++ b/docker.traefik/defaults/main.yml @@ -0,0 +1,6 @@ +--- +traefik__image_name: traefik +traefik__image_tag: v1.7.20 + +traefik__image: "{{ traefik__image_name }}:{{ traefik__image_tag }}" +traefik__letsencrypt_email: hi@touchin.ru diff --git a/docker.traefik/tasks/main.yml b/docker.traefik/tasks/main.yml new file mode 100644 index 0000000..d30963e --- /dev/null +++ b/docker.traefik/tasks/main.yml @@ -0,0 +1,52 @@ +--- +- name: DOCKER.TRAEFIK | Prepare deployment + include_role: + name: docker.deployment.prepare + public: "yes" + vars: + deployment_name: traefik + tags: + - traefik + +- name: DOCKER.TRAEFIK | Copy traefik config + template: + src: traefik.toml.j2 + dest: "{{ docker_deployment__deploy_path }}/traefik.toml" + mode: 0644 + +- name: DOCKER.TRAEFIK | Ensure ACME exists + copy: + content: "" + dest: "{{ docker_deployment__deploy_path }}/acme.json" + force: no + owner: root + mode: 0600 + tags: + - traefik + - files + +- name: DOCKER.TRAEFIK | Create Traefik network + docker_network: + name: "{{ docker__traefik_network }}" + tags: + - traefik + - network + +- name: DOCKER.TRAEFIK | Run deployment + docker_container: + name: traefik + image: "{{ traefik__image }}" + command: "--api --docker" + restart_policy: unless-stopped + networks: + - name: "{{ docker__traefik_network }}" + ports: + - 80:80 + - 443:443 + - 127.0.0.1:5000:8080 + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + - "{{ docker_deployment__deploy_path }}/traefik.toml:/traefik.toml" + - "{{ docker_deployment__deploy_path }}/acme.json:/acme.json" + tags: + - traefik diff --git a/docker.traefik/templates/traefik.toml.j2 b/docker.traefik/templates/traefik.toml.j2 new file mode 100644 index 0000000..ac5120f --- /dev/null +++ b/docker.traefik/templates/traefik.toml.j2 @@ -0,0 +1,167 @@ +################################################################ +# Global configuration +################################################################ + +# Enable debug mode +# +# Optional +# Default: false +# +# debug = true + +# Log level +# +# Optional +# Default: "ERROR" +# +logLevel = "INFO" + +# Entrypoints to be used by frontends that do not specify any entrypoint. +# Each frontend can specify its own entrypoints. +# +# Optional +# Default: ["http"] +# +defaultEntryPoints = ["http"] + +################################################################ +# Entrypoints configuration +################################################################ + +# Entrypoints definition +# +# Optional +# Default: +[entryPoints] + [entryPoints.http] + address = ":80" + [entryPoints.https] + address = ":443" + [entryPoints.https.tls] + +[retry] + +################################################################ +# Traefik logs configuration +################################################################ + +# Traefik logs +# Enabled by default and log to stdout +# +# Optional +# +# [traefikLog] + +# Sets the filepath for the traefik log. If not specified, stdout will be used. +# Intermediate directories are created if necessary. +# +# Optional +# Default: os.Stdout +# +# filePath = "log/traefik.log" + +# Format is either "json" or "common". +# +# Optional +# Default: "common" +# +# format = "common" + +################################################################ +# Access logs configuration +################################################################ + +# Enable access logs +# By default it will write to stdout and produce logs in the textual +# Common Log Format (CLF), extended with additional fields. +# +# Optional +# +# [accessLog] + +# Sets the file path for the access log. If not specified, stdout will be used. +# Intermediate directories are created if necessary. +# +# Optional +# Default: os.Stdout +# +# filePath = "/path/to/log/log.txt" + +# Format is either "json" or "common". +# +# Optional +# Default: "common" +# +# format = "common" + +################################################################ +# API and dashboard configuration +################################################################ + +# Enable API and dashboard +[api] + + # Name of the related entry point + # + # Optional + # Default: "traefik" + # + # entryPoint = "traefik" + + # Enabled Dashboard + # + # Optional + # Default: true + # + # dashboard = false + +################################################################ +# Ping configuration +################################################################ + +# Enable ping +[ping] + + # Name of the related entry point + # + # Optional + # Default: "traefik" + # + # entryPoint = "traefik" + +################################################################ +# Docker configuration backend +################################################################ + +# Enable Docker configuration backend +[docker] + +# Docker server endpoint. Can be a tcp or a unix socket endpoint. +# +# Required +# Default: "unix:///var/run/docker.sock" +# +# endpoint = "tcp://10.10.10.10:2375" + +# Default domain used. +# Can be overridden by setting the "traefik.domain" label on a container. +# +# Optional +# Default: "" +# +watch = true + +# Expose containers by default in traefik +# +# Optional +# Default: true +# +exposedByDefault = false + +[acme] +email = "{{ traefik__letsencrypt_email }}" +storage = "acme.json" +entryPoint = "https" +OnHostRule = true + [acme.httpChallenge] + entryPoint = "http" diff --git a/monitoring.alertmanager.prepare/defaults/main.yml b/monitoring.alertmanager.prepare/defaults/main.yml new file mode 100644 index 0000000..7d3c295 --- /dev/null +++ b/monitoring.alertmanager.prepare/defaults/main.yml @@ -0,0 +1,3 @@ +alertmanager__image_name: "prom/alertmanager" +alertmanager__image_tag: "v0.20.0" +alertmanager__image: "{{ alertmanager__image_name }}:{{ alertmanager__image_tag }}" diff --git a/monitoring.alertmanager.prepare/tasks/main.yml b/monitoring.alertmanager.prepare/tasks/main.yml new file mode 100644 index 0000000..7e2f00a --- /dev/null +++ b/monitoring.alertmanager.prepare/tasks/main.yml @@ -0,0 +1,32 @@ +--- +- name: MONITORING.ALERTMANAGER | Prepare deployment + import_role: + name: docker.deployment.prepare + vars: + deployment_name: alertmanager + tags: + - alertmanager + +- name: MONITORING.ALERTMANAGER | Copy templates + template: + src: templates/{{ item }}.j2 + dest: "{{ docker_deployment__deploy_path }}/{{ item }}" + with_items: + - docker-compose.yml + become_user: "{{ docker_deployment__deploy_user_name }}" + become: yes + tags: + - files + - alertmanager + +- name: MONITORING.ALERTMANAGER | Create mount placeholders + file: + path: "{{ docker_deployment__deploy_path }}/{{ item }}" + state: touch + mode: 0755 + owner: "{{ deployment_user | default(system__deploy_user_name) }}" + loop: + - "alertmanager.yml" + tags: + - files + - alertmanager diff --git a/monitoring.alertmanager.prepare/templates/docker-compose.yml.j2 b/monitoring.alertmanager.prepare/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..b9285a4 --- /dev/null +++ b/monitoring.alertmanager.prepare/templates/docker-compose.yml.j2 @@ -0,0 +1,24 @@ +version: "3.7" + +services: + alertmanager: + container_name: alertmanager + image: "{{ alertmanager__image }}" + user: root + volumes: + - ./alertmanager.yml:/etc/alertmanager.yml:ro + restart: unless-stopped + networks: + - "{{ docker__prometheus_network }}" + ports: + - "{{ alertmanager__port }}:9093" + logging: + driver: json-file + options: + max-file: "1" + max-size: "50m" + command: --config.file=/etc/alertmanager.yml --log.level=debug + +networks: + {{ docker__prometheus_network }}: + external: true diff --git a/monitoring.blackbox-exporter/defaults/main.yml b/monitoring.blackbox-exporter/defaults/main.yml new file mode 100644 index 0000000..fcd0023 --- /dev/null +++ b/monitoring.blackbox-exporter/defaults/main.yml @@ -0,0 +1,3 @@ +blackbox__image_name: "prom/blackbox-exporter" +blackbox__image_tag: "v0.16.0" +blackbox__image: "{{ blackbox__image_name }}:{{ blackbox__image_tag }}" diff --git a/monitoring.blackbox-exporter/tasks/main.yml b/monitoring.blackbox-exporter/tasks/main.yml new file mode 100644 index 0000000..acfaa48 --- /dev/null +++ b/monitoring.blackbox-exporter/tasks/main.yml @@ -0,0 +1,31 @@ +--- +- name: MONITORING.BLACKBOX | Prepare deployment + import_role: + name: docker.deployment.prepare + vars: + deployment_name: blackbox + tags: + - blackbox-exporter + +- name: MONITORING.BLACKBOX | Copy templates + template: + src: templates/{{ item }}.j2 + dest: "{{ docker_deployment__deploy_path }}/{{ item }}" + with_items: + - blackbox.yml + - docker-compose.yml + become_user: "{{ docker_deployment__deploy_user_name }}" + become: yes + tags: + - files + - blackbox-exporter + +- name: MONITORING.BLACKBOX | Run deployment + docker_service: + restarted: "yes" + project_src: "{{ docker_deployment__deploy_path }}" + become: yes + become_user: "{{ docker_deployment__deploy_user_name }}" + tags: + - run + - blackbox-exporter diff --git a/monitoring.blackbox-exporter/templates/blackbox.yml.j2 b/monitoring.blackbox-exporter/templates/blackbox.yml.j2 new file mode 100644 index 0000000..d909fa6 --- /dev/null +++ b/monitoring.blackbox-exporter/templates/blackbox.yml.j2 @@ -0,0 +1,8 @@ +modules: + icmp: + prober: icmp + timeout: 5s + http: + prober: http + timeout: 5s + http: {} diff --git a/monitoring.blackbox-exporter/templates/docker-compose.yml.j2 b/monitoring.blackbox-exporter/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..ad7fc92 --- /dev/null +++ b/monitoring.blackbox-exporter/templates/docker-compose.yml.j2 @@ -0,0 +1,18 @@ +version: "3.7" + +services: + blackbox-exporter: + container_name: blackbox-exporter + image: "{{ blackbox__image }}" + user: root + volumes: + - ./blackbox.yml:/etc/blackbox.yml:ro + restart: unless-stopped + ports: + - "{{ blackbox_exporter__port }}:9115" + logging: + driver: json-file + options: + max-file: "1" + max-size: "50m" + command: --config.file=/etc/blackbox.yml diff --git a/monitoring.filebeat/defaults/main.yml b/monitoring.filebeat/defaults/main.yml new file mode 100644 index 0000000..7ae354b --- /dev/null +++ b/monitoring.filebeat/defaults/main.yml @@ -0,0 +1,5 @@ +filebeat__image_name: "docker.elastic.co/beats/filebeat" +filebeat__image_tag: "7.5.2" +filebeat__image: "{{ filebeat__image_name }}:{{ filebeat__image_tag }}" + +filebeat__config_user: 0 diff --git a/monitoring.filebeat/tasks/main.yml b/monitoring.filebeat/tasks/main.yml new file mode 100644 index 0000000..b39a623 --- /dev/null +++ b/monitoring.filebeat/tasks/main.yml @@ -0,0 +1,39 @@ +--- +- name: MONITORING.FILEBEAT | Prepare deployment + import_role: + name: docker.deployment.prepare + vars: + deployment_name: filebeat + tags: + - filebeat + +- name: MONITORING.FILEBEAT | Copy templates + template: + src: templates/{{ item }}.j2 + dest: "{{ docker_deployment__deploy_path }}/{{ item }}" + with_items: + - filebeat.yml + - docker-compose.yml + become_user: "{{ docker_deployment__deploy_user_name }}" + become: yes + tags: + - files + - filebeat + +- name: MONITORING.FILEBEAT | Set config ownership + file: + path: "{{ docker_deployment__deploy_path }}/filebeat.yml" + owner: "{{ filebeat__config_user }}" + tags: + - files + - filebeat + +- name: MONITORING.FILEBEAT | Run deployment + docker_service: + restarted: "yes" + project_src: "{{ docker_deployment__deploy_path }}" + become: yes + become_user: "{{ docker_deployment__deploy_user_name }}" + tags: + - run + - filebeat diff --git a/monitoring.filebeat/templates/docker-compose.yml.j2 b/monitoring.filebeat/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..40e92fe --- /dev/null +++ b/monitoring.filebeat/templates/docker-compose.yml.j2 @@ -0,0 +1,17 @@ +version: "3.7" + +services: + filebeat: + container_name: filebeat + image: "{{ filebeat__image }}" + user: root + volumes: + - /var/lib/docker:/var/lib/docker:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + - ./filebeat.yml:/usr/share/filebeat/filebeat.yml:ro + restart: unless-stopped + logging: + driver: json-file + options: + max-file: "1" + max-size: "50m" diff --git a/monitoring.filebeat/templates/filebeat.yml.j2 b/monitoring.filebeat/templates/filebeat.yml.j2 new file mode 100644 index 0000000..49fd575 --- /dev/null +++ b/monitoring.filebeat/templates/filebeat.yml.j2 @@ -0,0 +1,23 @@ +monitoring.enabled: false +output.file.enabled: false + +filebeat.inputs: + - type: container + paths: + - "/var/lib/docker/containers/*/*.log" + processors: + - add_docker_metadata: + host: "unix:///var/run/docker.sock" + labels.dedot: true + - drop_event: + when: + equals: + container.name: "filebeat" + - drop_event: + when: + not: + equals: + container.labels.log_consumed-by: "filebeat" + +output.logstash: + hosts: {{ filebeat.logstash.hosts | to_json }} diff --git a/monitoring.grafana/defaults/main.yml b/monitoring.grafana/defaults/main.yml new file mode 100644 index 0000000..5ec163b --- /dev/null +++ b/monitoring.grafana/defaults/main.yml @@ -0,0 +1,16 @@ +# grafana__server_root: "http://10.0.8.1:7001" +grafana__user_id: 104 + +grafana__image_name: "grafana/grafana" +grafana__image_tag: "6.6.0-ubuntu" +grafana__image: "{{ grafana__image_name }}:{{ grafana__image_tag }}" + +grafana__enable_ldap_auth: "true" + +grafana__default_labels: + "traefik.enable": "true" + "traefik.port": "3000" + "traefik.backend": "grafana" + "traefik.docker.network": "{{ docker__traefik_network }}" + "traefik.frontend.rule": "Host:{{ grafana.domain }}" + "traefik.frontend.entryPoints": "http" diff --git a/monitoring.grafana/tasks/main.yml b/monitoring.grafana/tasks/main.yml new file mode 100644 index 0000000..a989b5a --- /dev/null +++ b/monitoring.grafana/tasks/main.yml @@ -0,0 +1,33 @@ +--- +- name: MONITORING.GRAFANA | Prepare deployment + include_role: + name: docker.deployment.prepare + public: "yes" + vars: + deployment_name: grafana + volume_user: "{{ grafana__user_id }}" + tags: + - grafana + +- name: MONITORING.GRAFANA | Copy templates + template: + src: templates/{{ item }}.j2 + dest: "{{ docker_deployment__deploy_path }}/{{ item }}" + with_items: + - ldap.toml + - docker-compose.yml + become_user: "{{ docker_deployment__deploy_user_name }}" + become: yes + tags: + - files + - grafana + +- name: MONITORING.GRAFANA | Run deployment + docker_service: + restarted: "yes" + project_src: "{{ docker_deployment__deploy_path }}" + become: yes + become_user: "{{ docker_deployment__deploy_user_name }}" + tags: + - run + - grafana diff --git a/monitoring.grafana/templates/docker-compose.yml.j2 b/monitoring.grafana/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..040aa1e --- /dev/null +++ b/monitoring.grafana/templates/docker-compose.yml.j2 @@ -0,0 +1,30 @@ +version: "3.7" + +services: + grafana: + container_name: grafana + image: "{{ grafana__image }}" + user: "{{ grafana__user_id }}" + environment: + GF_SERVER_DOMAIN: "{{ grafana.domain }}" + GF_SERVER_ROOT_URL: "http://{{ grafana.domain }}" + GF_AUTH_LDAP_ENABLED: "{{ grafana__enable_ldap_auth }}" + volumes: + - "{{ docker_deployment__volume_path }}:/var/lib/grafana" + - "./ldap.toml:/etc/grafana/ldap.toml" + labels: {{ grafana__default_labels | combine(grafana.docker.labels | default({})) | to_json }} + networks: {{ grafana.docker.networks | default([]) | to_json }} + restart: unless-stopped + logging: + driver: json-file + options: + max-file: "1" + max-size: "50m" + +{% if grafana.docker.networks is defined %} +networks: + {% for network in grafana.docker.networks %} +{{ network | indent(width=2) }}: + external: true + {% endfor %} +{% endif %} diff --git a/monitoring.grafana/templates/ldap.toml.j2 b/monitoring.grafana/templates/ldap.toml.j2 new file mode 100644 index 0000000..09477f9 --- /dev/null +++ b/monitoring.grafana/templates/ldap.toml.j2 @@ -0,0 +1,28 @@ +[[servers]] +host = "{{ ldap__host }}" +port = {{ ldap__port }} + +bind_dn = "{{ ldap__binddn }}" +bind_password = "{{ ldap__bindpw }}" + +search_filter = "(&(uid=%s)(memberOf={{ ldap__groups.services }}))" +search_base_dns = ["{{ ldap__users_dn }}"] + +[[servers.group_mappings]] +group_dn="{{ grafana.access_groups.admin }}" +org_role = "Admin" + +[[servers.group_mappings]] +group_dn="{{ grafana.access_groups.editor }}" +org_role = "Editor" + +[[servers.group_mappings]] +group_dn="{{ grafana.access_groups.viewer }}" +org_role = "Viewer" + +[servers.attributes] +name = "givenName" +surname = "sn" +username = "uid" +member_of = "memberOf" +email = "mail" diff --git a/monitoring.node-exporter/defaults/main.yml b/monitoring.node-exporter/defaults/main.yml new file mode 100644 index 0000000..7b77aa8 --- /dev/null +++ b/monitoring.node-exporter/defaults/main.yml @@ -0,0 +1,3 @@ +node_exporter__version: 0.18.1 +node_exporter__dir: "{{ system__vendor_deploy_path }}/node-exporter" +node_exporter__url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter__version }}/node_exporter-{{ node_exporter__version }}.linux-amd64.tar.gz" diff --git a/monitoring.node-exporter/files/node_exporter.service b/monitoring.node-exporter/files/node_exporter.service new file mode 100644 index 0000000..0e5483b --- /dev/null +++ b/monitoring.node-exporter/files/node_exporter.service @@ -0,0 +1,11 @@ +[Unit] +Description=Node Exporter +After = network-online.target + +[Service] +User=node-exporter +EnvironmentFile=/etc/sysconfig/node_exporter +ExecStart=/usr/sbin/node_exporter $OPTIONS + +[Install] +WantedBy=multi-user.target diff --git a/monitoring.node-exporter/tasks/main.yml b/monitoring.node-exporter/tasks/main.yml new file mode 100644 index 0000000..4699666 --- /dev/null +++ b/monitoring.node-exporter/tasks/main.yml @@ -0,0 +1,74 @@ +--- +- name: MONITORING.NODE-EXPORTER | Create user + user: + name: "node-exporter" + shell: /sbin/nologin + tags: + - system + - node-exporter + +- name: MONITORING.NODE-EXPORTER | Ensure node-exporter folder exists + file: + path: "{{ node_exporter__dir }}" + state: directory + tags: + - prepare + - node-exporter + +- name: MONITORING.NODE-EXPORTER | Get Node Exporter + unarchive: + src: "{{ node_exporter__url }}" + dest: "{{ node_exporter__dir }}" + remote_src: yes + extra_opts: ['--strip-components=1', '--show-stored-names'] + tags: + - files + - node-exporter + +- name: MONITORING.NODE-EXPORTER | Install Node Exporter + copy: + src: "{{ node_exporter__dir }}/node_exporter" + dest: "/usr/sbin" + remote_src: yes + mode: 755 + tags: + - files + - node-exporter + +- name: MONITORING.NODE-EXPORTER | Ensure sysconfig folder exists + file: + path: "/etc/sysconfig" + state: directory + tags: + - prepare + - node-exporter + +- name: MONITORING.NODE-EXPORTER | Copy systemctl service + copy: + src: "files/node_exporter.service" + dest: "/etc/systemd/system/node_exporter.service" + mode: 755 + tags: + - files + - service + - node-exporter + +- name: MONITORING.NODE-EXPORTER | Copy systemctl config + template: + src: "templates/node_exporter" + dest: "/etc/sysconfig/node_exporter" + mode: 755 + tags: + - files + - service + - node-exporter + +- name: MONITORING.NODE-EXPORTER | Enable and Run Node Exporter Service + systemd: + name: node_exporter + daemon_reload: yes + enabled: true + state: restarted + tags: + - service + - node-exporter diff --git a/monitoring.node-exporter/templates/node_exporter b/monitoring.node-exporter/templates/node_exporter new file mode 100644 index 0000000..f2e36ad --- /dev/null +++ b/monitoring.node-exporter/templates/node_exporter @@ -0,0 +1 @@ +OPTIONS="--web.listen-address={{ system__internal_listen_address }}:9100" diff --git a/monitoring.prometheus.prepare/defaults/main.yml b/monitoring.prometheus.prepare/defaults/main.yml new file mode 100644 index 0000000..00f79c3 --- /dev/null +++ b/monitoring.prometheus.prepare/defaults/main.yml @@ -0,0 +1,3 @@ +prometheus__image_name: "prom/prometheus" +prometheus__image_tag: "v2.15.2" +prometheus__image: "{{ prometheus__image_name }}:{{ prometheus__image_tag }}" diff --git a/monitoring.prometheus.prepare/tasks/main.yml b/monitoring.prometheus.prepare/tasks/main.yml new file mode 100644 index 0000000..fd7d887 --- /dev/null +++ b/monitoring.prometheus.prepare/tasks/main.yml @@ -0,0 +1,57 @@ +--- +- name: MONITORING.PROMETHEUS | Prepare deployment + include_role: + name: docker.deployment.prepare + public: "yes" + vars: + deployment_name: prometheus + tags: + - prometheus + +- name: MONITORING.PROMETHEUS | Create mount directories + file: + path: "{{ docker_deployment__deploy_path }}/{{ item }}" + state: directory + mode: 0755 + owner: "{{ deployment_user | default(system__deploy_user_name) }}" + loop: + - "alert-rules" + become_user: "{{ docker_deployment__deploy_user_name }}" + become: yes + tags: + - files + - prometheus + +- name: MONITORING.PROMETHEUS | Create mount placeholders + file: + path: "{{ docker_deployment__deploy_path }}/{{ item }}" + state: touch + mode: 0755 + owner: "{{ deployment_user | default(system__deploy_user_name) }}" + loop: + - "prometheus.yml" + become_user: "{{ docker_deployment__deploy_user_name }}" + become: yes + tags: + - files + - prometheus + +- name: MONITORING.PROMETHEUS | Copy templates + template: + src: templates/{{ item }}.j2 + dest: "{{ docker_deployment__deploy_path }}/{{ item }}" + with_items: + - docker-compose.yml + become_user: "{{ docker_deployment__deploy_user_name }}" + become: yes + tags: + - files + - prometheus + +- name: MONITORING.PROMETHEUS | Create Prometheus Docker network + docker_network: + name: "{{ docker__prometheus_network }}" + tags: + - docker + - network + - prometheus diff --git a/monitoring.prometheus.prepare/templates/docker-compose.yml.j2 b/monitoring.prometheus.prepare/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..ef6b078 --- /dev/null +++ b/monitoring.prometheus.prepare/templates/docker-compose.yml.j2 @@ -0,0 +1,25 @@ +version: "3.7" + +services: + prometheus: + container_name: prometheus + image: "{{ prometheus__image }}" + networks: + - "{{ docker__prometheus_network }}" + volumes: + - "{{ docker_deployment__deploy_path }}/alert-rules:/etc/prometheus/alert-rules:ro" + - "{{ docker_deployment__deploy_path }}/prometheus.yml:/etc/prometheus/prometheus.yml:ro" + restart: unless-stopped + ports: + - "{{ prometheus__port }}:9090" + logging: + driver: "json-file" + options: + max-file: "1" + max-size: "50m" + command: + - --config.file=/etc/prometheus/prometheus.yml + +networks: + {{ docker__prometheus_network }}: + external: true diff --git a/repository.nexus/defaults/main.yml b/repository.nexus/defaults/main.yml new file mode 100644 index 0000000..cfbc76b --- /dev/null +++ b/repository.nexus/defaults/main.yml @@ -0,0 +1,9 @@ +nexus__image_name: "sonatype/nexus3" +nexus__image_tag: "3.21.1" +nexus__image: "{{ nexus__image_name }}:{{ nexus__image_tag }}" +nexus__container_name: "nexus" + +nexus__ui_port: "8081" +nexus__registry_port: "8082" + +nexus__volume_user: "200" diff --git a/repository.nexus/tasks/main.yml b/repository.nexus/tasks/main.yml new file mode 100644 index 0000000..6cd1428 --- /dev/null +++ b/repository.nexus/tasks/main.yml @@ -0,0 +1,32 @@ +--- +- name: DOCKER.NEXUS | Prepare deployment + include_role: + name: docker.deployment.prepare + public: "yes" + vars: + deployment_name: nexus + volume_user: "{{ nexus__volume_user }}" + tags: + - nexus + +- name: DOCKER.NEXUS | Copy templates + template: + src: templates/{{ item }}.j2 + dest: "{{ docker_deployment__deploy_path }}/{{ item }}" + with_items: + - docker-compose.yml + become_user: "{{ docker_deployment__deploy_user_name }}" + become: yes + tags: + - files + - nexus + +- name: DOCKER.NEXUS | Run deployment + docker_service: + restarted: "yes" + project_src: "{{ docker_deployment__deploy_path }}" + become: yes + become_user: "{{ docker_deployment__deploy_user_name }}" + tags: + - run + - nexus diff --git a/repository.nexus/templates/docker-compose.yml.j2 b/repository.nexus/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..4b7347c --- /dev/null +++ b/repository.nexus/templates/docker-compose.yml.j2 @@ -0,0 +1,29 @@ +version: "3" +services: + nexus3: + container_name: "{{ nexus__container_name }}" + image: "{{ nexus__image }}" + volumes: + - "{{ docker_deployment__volume_path }}:/nexus-data" + restart: unless-stopped + networks: + - "{{ docker__traefik_network }}" + labels: + "traefik.enable": "true" + "traefik.docker.network": "{{ docker__traefik_network }}" + # ui labels + "traefik.ui.backend": "{{ nexus__container_name }}-ui" + "traefik.ui.port": "{{ nexus__ui_port }}" + "traefik.ui.frontend.rule": "Host:{{ domains.nexus.ui }}" + "traefik.ui.frontend.entryPoints": "http" + # registry labels + "traefik.registry.backend": "{{ nexus__container_name }}-registry" + "traefik.registry.port": "{{ nexus__registry_port }}" + "traefik.registry.frontend.rule": "Host:{{ domains.nexus.registry }}" + "traefik.registry.frontend.entryPoints": "http,https" + "traefik.registry.frontend.redirect.permanent": "true" + "traefik.registry.frontend.headers.SSLRedirect": "true" + +networks: + {{ docker__traefik_network }}: + external: true diff --git a/system.dependencies/tasks/main.yml b/system.dependencies/tasks/main.yml new file mode 100644 index 0000000..0c16544 --- /dev/null +++ b/system.dependencies/tasks/main.yml @@ -0,0 +1,46 @@ +--- +- name: SYSTEM.DEPENDENCIES | Install common dependencies + apt: + name: + - python3-pip + - nmap + - htop + - curl + - vim + - expect + - unzip + - bash-completion + become: yes + tags: + - dependencies + +- name: SYSTEM.DEPENDENCIES | Install Java dependencies + apt: + name: + - openjdk-8-jdk + when: java is defined and java|bool + tags: + - java + - dependencies + +- name: SYSTEM.DEPENDENCIES | Install MySQL dependencies + apt: + name: + - mysql-client + - python3-mysqldb + become: yes + when: mysql is defined and mysql|bool + tags: + - mysql + - dependencies + +- name: SYSTEM.DEPENDENCIES | Install Ansible Docker dependencies + pip: + name: + - docker + - docker-compose + executable: pip3 + when: docker is defined and docker|bool + tags: + - docker + - dependencies diff --git a/system.deploy-user/tasks/main.yml b/system.deploy-user/tasks/main.yml new file mode 100644 index 0000000..60f0393 --- /dev/null +++ b/system.deploy-user/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: SYSTEM.DEPLOY-USER | Create user + user: + name: "{{ system__deploy_user_name }}" + shell: /bin/bash + home: "{{ system__deploy_user_home }}" + createhome: yes + tags: + - system + - deploy-user + +- name: SYSTEM.DEPLOY-USER | Ensure Docker dir exists + file: + path: "{{ system__deploy_user_home }}/.docker" + state: directory + owner: "{{ system__deploy_user_name }}" + mode: 0755 + when: docker is defined + tags: + - docker + - prepare + +- name: SYSTEM.DEPLOY-USER | Copy Docker credentials + template: + src: "templates/docker-config.json.j2" + dest: "{{ system__deploy_user_home }}/.docker/config.json" + when: docker is defined + tags: + - files + - docker diff --git a/system.deploy-user/templates/docker-config.json.j2 b/system.deploy-user/templates/docker-config.json.j2 new file mode 100644 index 0000000..d10a375 --- /dev/null +++ b/system.deploy-user/templates/docker-config.json.j2 @@ -0,0 +1,10 @@ +{ + "auths": { + "dhub.touchin.ru": { + "auth": "{{ docker__touchin_registry_auth_token }}" + } + }, + "HttpHeaders": { + "User-Agent": "Docker-Client/18.05.0-ce (linux)" + } +} diff --git a/system.docker/.gitignore b/system.docker/.gitignore new file mode 100644 index 0000000..f56f5b5 --- /dev/null +++ b/system.docker/.gitignore @@ -0,0 +1,3 @@ +*.retry +*/__pycache__ +*.pyc diff --git a/system.docker/LICENSE b/system.docker/LICENSE new file mode 100644 index 0000000..4275cf3 --- /dev/null +++ b/system.docker/LICENSE @@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2017 Jeff Geerling + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/system.docker/README.md b/system.docker/README.md new file mode 100644 index 0000000..9a49840 --- /dev/null +++ b/system.docker/README.md @@ -0,0 +1,89 @@ +# Ansible Role: Docker + +[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-docker.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-docker) + +An Ansible Role that installs [Docker](https://www.docker.com) on Linux. + +## Requirements + +None. + +## Role Variables + +Available variables are listed below, along with default values (see `defaults/main.yml`): + + # Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition). + docker_edition: 'ce' + docker_package: "docker-{{ docker_edition }}" + docker_package_state: present + +The `docker_edition` should be either `ce` (Community Edition) or `ee` (Enterprise Edition). You can also specify a specific version of Docker to install using the distribution-specific format: Red Hat/CentOS: `docker-{{ docker_edition }}-`; Debian/Ubuntu: `docker-{{ docker_edition }}=`. + +You can control whether the package is installed, uninstalled, or at the latest version by setting `docker_package_state` to `present`, `absent`, or `latest`, respectively. Note that the Docker daemon will be automatically restarted if the Docker package is updated. This is a side effect of flushing all handlers (running any of the handlers that have been notified by this and any other role up to this point in the play). + + docker_service_state: started + docker_service_enabled: true + docker_restart_handler_state: restarted + +Variables to control the state of the `docker` service, and whether it should start on boot. If you're installing Docker inside a Docker container without systemd or sysvinit, you should set these to `stopped` and set the enabled variable to `no`. + + docker_install_compose: true + docker_compose_version: "1.22.0" + docker_compose_path: /usr/local/bin/docker-compose + +Docker Compose installation options. + + docker_apt_release_channel: stable + docker_apt_arch: amd64 + docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" + docker_apt_ignore_key_error: True + +(Used only for Debian/Ubuntu.) You can switch the channel to `edge` if you want to use the Edge release. + + docker_yum_repo_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo + docker_yum_repo_enable_edge: 0 + docker_yum_repo_enable_test: 0 + +(Used only for RedHat/CentOS.) You can enable the Edge or Test repo by setting the respective vars to `1`. + + docker_users: + - user1 + - user2 + +A list of system users to be added to the `docker` group (so they can use Docker on the server). + +## Use with Ansible (and `docker` Python library) + +Many users of this role wish to also use Ansible to then _build_ Docker images and manage Docker containers on the server where Docker is installed. In this case, you can easily add in the `docker` Python library using the `geerlingguy.pip` role: + +```yaml +- hosts: all + + vars: + pip_install_packages: + - name: docker + + roles: + - geerlingguy.pip + - geerlingguy.docker +``` + +## Dependencies + +None. + +## Example Playbook + +```yaml +- hosts: all + roles: + - geerlingguy.docker +``` + +## License + +MIT / BSD + +## Author Information + +This role was created in 2017 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). diff --git a/system.docker/defaults/main.yml b/system.docker/defaults/main.yml new file mode 100644 index 0000000..2bcb620 --- /dev/null +++ b/system.docker/defaults/main.yml @@ -0,0 +1,29 @@ +--- +# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition). +docker_edition: 'ce' +docker_package: "docker-{{ docker_edition }}" +docker_package_state: present + +# Service options. +docker_service_state: started +docker_service_enabled: true +docker_restart_handler_state: restarted + +# Docker Compose options. +docker_install_compose: true +docker_compose_version: "1.22.0" +docker_compose_path: /usr/local/bin/docker-compose + +# Used only for Debian/Ubuntu. Switch 'stable' to 'edge' if needed. +docker_apt_release_channel: stable +docker_apt_arch: amd64 +docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" +docker_apt_ignore_key_error: true + +# Used only for RedHat/CentOS/Fedora. +docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo +docker_yum_repo_enable_edge: 0 +docker_yum_repo_enable_test: 0 + +# A list of users who will be added to the docker group. +docker_users: [] diff --git a/system.docker/handlers/main.yml b/system.docker/handlers/main.yml new file mode 100644 index 0000000..7847bc1 --- /dev/null +++ b/system.docker/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart docker + service: "name=docker state={{ docker_restart_handler_state }}" diff --git a/system.docker/tasks/docker-1809-shim.yml b/system.docker/tasks/docker-1809-shim.yml new file mode 100644 index 0000000..286254b --- /dev/null +++ b/system.docker/tasks/docker-1809-shim.yml @@ -0,0 +1,16 @@ +--- +- name: Ensure containerd service dir exists. + file: + path: /etc/systemd/system/containerd.service.d + state: directory + +- name: Add shim to ensure Docker can start in all environments. + template: + src: override.conf.j2 + dest: /etc/systemd/system/containerd.service.d/override.conf + register: override_template + +- name: Reload systemd daemon if template is changed. + systemd: + daemon_reload: true + when: override_template is changed diff --git a/system.docker/tasks/docker-compose.yml b/system.docker/tasks/docker-compose.yml new file mode 100644 index 0000000..92cf4f2 --- /dev/null +++ b/system.docker/tasks/docker-compose.yml @@ -0,0 +1,20 @@ +--- +- name: Check current docker-compose version. + command: docker-compose --version + register: docker_compose_current_version + changed_when: false + failed_when: false + +- name: Delete existing docker-compose version if it's different. + file: + path: "{{ docker_compose_path }}" + state: absent + when: > + docker_compose_current_version.stdout is defined + and docker_compose_version not in docker_compose_current_version.stdout + +- name: Install Docker Compose (if configured). + get_url: + url: https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-Linux-x86_64 + dest: "{{ docker_compose_path }}" + mode: 0755 diff --git a/system.docker/tasks/docker-users.yml b/system.docker/tasks/docker-users.yml new file mode 100644 index 0000000..b3b6e0f --- /dev/null +++ b/system.docker/tasks/docker-users.yml @@ -0,0 +1,7 @@ +--- +- name: Ensure docker users are added to the docker group. + user: + name: "{{ item }}" + groups: docker + append: true + with_items: "{{ docker_users }}" diff --git a/system.docker/tasks/main.yml b/system.docker/tasks/main.yml new file mode 100644 index 0000000..f248279 --- /dev/null +++ b/system.docker/tasks/main.yml @@ -0,0 +1,31 @@ +--- +- include_tasks: setup-RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: setup-Debian.yml + when: ansible_os_family == 'Debian' + +- name: Install Docker. + package: + name: "{{ docker_package }}" + state: "{{ docker_package_state }}" + notify: restart docker + +# TODO: Remove this shim once 18.09.1 or later is released. +- import_tasks: docker-1809-shim.yml + when: ansible_service_mgr == 'systemd' + +- name: Ensure Docker is started and enabled at boot. + service: + name: docker + state: "{{ docker_service_state }}" + enabled: "{{ docker_service_enabled }}" + +- name: Ensure handlers are notified now to avoid firewall conflicts. + meta: flush_handlers + +- include_tasks: docker-compose.yml + when: docker_install_compose + +- include_tasks: docker-users.yml + when: docker_users diff --git a/system.docker/tasks/setup-Debian.yml b/system.docker/tasks/setup-Debian.yml new file mode 100644 index 0000000..23a49ae --- /dev/null +++ b/system.docker/tasks/setup-Debian.yml @@ -0,0 +1,38 @@ +--- +- name: Ensure old versions of Docker are not installed. + package: + name: + - docker + - docker-engine + state: absent + +- name: Ensure dependencies are installed. + apt: + name: + - apt-transport-https + - ca-certificates + state: present + +- name: Add Docker apt key. + apt_key: + url: https://download.docker.com/linux/ubuntu/gpg + id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 + state: present + register: add_repository_key + ignore_errors: "{{ docker_apt_ignore_key_error }}" + +- name: Ensure curl is present (on older systems without SNI). + package: name=curl state=present + when: add_repository_key is failed + +- name: Add Docker apt key (alternative for older systems without SNI). + shell: "curl -sSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -" + args: + warn: false + when: add_repository_key is failed + +- name: Add Docker repository. + apt_repository: + repo: "{{ docker_apt_repository }}" + state: present + update_cache: true diff --git a/system.docker/tasks/setup-RedHat.yml b/system.docker/tasks/setup-RedHat.yml new file mode 100644 index 0000000..0cd1a50 --- /dev/null +++ b/system.docker/tasks/setup-RedHat.yml @@ -0,0 +1,35 @@ +--- +- name: Ensure old versions of Docker are not installed. + package: + name: + - docker + - docker-common + - docker-engine + state: absent + +- name: Add Docker GPG key. + rpm_key: + key: https://download.docker.com/linux/centos/gpg + state: present + +- name: Add Docker repository. + get_url: + url: "{{ docker_yum_repo_url }}" + dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' + owner: root + group: root + mode: 0644 + +- name: Configure Docker Edge repo. + ini_file: + dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' + section: 'docker-{{ docker_edition }}-edge' + option: enabled + value: '{{ docker_yum_repo_enable_edge }}' + +- name: Configure Docker Test repo. + ini_file: + dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' + section: 'docker-{{ docker_edition }}-test' + option: enabled + value: '{{ docker_yum_repo_enable_test }}' diff --git a/system.docker/templates/override.conf.j2 b/system.docker/templates/override.conf.j2 new file mode 100644 index 0000000..adab53c --- /dev/null +++ b/system.docker/templates/override.conf.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} +[Service] +ExecStartPre= diff --git a/system.vpn.client/defaults/main.yml b/system.vpn.client/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/system.vpn.client/tasks/main.yml b/system.vpn.client/tasks/main.yml new file mode 100644 index 0000000..805ac84 --- /dev/null +++ b/system.vpn.client/tasks/main.yml @@ -0,0 +1,79 @@ +--- +- name: SYSTEM.VPN-CLIENT | Install dependencies + apt: + name: + - xl2tpd + - strongswan + - strongswan-starter + - strongswan-charon + tags: + - dependencies + - sys + - vpn + +- name: SYSTEM.VPN-CLIENT | Install xl2tpd configuration + template: + src: "{{ item }}.j2" + dest: "{{ vpn__xl2tpd_config_dir }}/{{ item }}" + with_items: + - xl2tpd.conf + tags: + - files + - vpn + +- name: SYSTEM.VPN-CLIENT | Install pppd configuration + template: + src: "{{ item }}.j2" + dest: "{{ vpn__pppd_config_dir }}/{{ item }}" + with_items: + - options.l2tpd.client + tags: + - files + - vpn + +- name: SYSTEM.VPN-CLIENT | Install pppd up script(s) + template: + src: "{{ item }}.j2" + dest: "{{ vpn__pppd_up_script_dir }}/{{ item }}" + mode: 0751 + with_items: + - route10 + tags: + - files + - vpn + +- name: SYSTEM.VPN-CLIENT | Install strongswan configuration + template: + src: "{{ item }}.j2" + dest: "{{ vpn__strongswan_config_dir }}/{{ item }}" + owner: root + group: root + mode: 0600 + with_items: + - ipsec.conf + - ipsec.secrets + tags: + - files + - vpn + +- name: SYSTEM.VPN-CLIENT | Enable and restart strongswan unit(s) + systemd: + unit: "{{ item }}" + enabled: true + state: restarted + with_items: + - strongswan.service + tags: + - vpn + - service + +- name: SYSTEM.VPN-CLIENT | Enable and restart common systemd unit(s) + systemd: + unit: "{{ item }}" + enabled: true + state: restarted + with_items: + - xl2tpd.service + tags: + - vpn + - service diff --git a/system.vpn.client/templates/ipsec.conf.j2 b/system.vpn.client/templates/ipsec.conf.j2 new file mode 100644 index 0000000..c589397 --- /dev/null +++ b/system.vpn.client/templates/ipsec.conf.j2 @@ -0,0 +1,32 @@ +# ipsec.conf - strongSwan IPsec configuration file + +# basic configuration + +config setup + # strictcrlpolicy=yes + # uniqueids = no + +# Add connections here. + +# Sample VPN connections + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + authby=secret + ike=aes256-sha1-modp1024 + esp=aes256-sha1 + +conn {{ vpn__connection_id }} + keyexchange=ikev1 + left=%defaultroute + auto=route + authby=secret + type=transport + leftprotoport=17/1701 + rightprotoport=17/1701 + right={{ vpn__public_host }} + keyingtries=%forever diff --git a/system.vpn.client/templates/ipsec.secrets.j2 b/system.vpn.client/templates/ipsec.secrets.j2 new file mode 100644 index 0000000..1670983 --- /dev/null +++ b/system.vpn.client/templates/ipsec.secrets.j2 @@ -0,0 +1 @@ +: PSK "{{ vpn__psk }}" diff --git a/system.vpn.client/templates/options.l2tpd.client.j2 b/system.vpn.client/templates/options.l2tpd.client.j2 new file mode 100644 index 0000000..96cbee0 --- /dev/null +++ b/system.vpn.client/templates/options.l2tpd.client.j2 @@ -0,0 +1,5 @@ +debug +noauth +usepeerdns +name {{ vpn__username}} +password {{ vpn__password }} diff --git a/system.vpn.client/templates/route10.j2 b/system.vpn.client/templates/route10.j2 new file mode 100644 index 0000000..3c8bd3a --- /dev/null +++ b/system.vpn.client/templates/route10.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/env sh + +ip route add {{ vpn__subnet }} via {{ vpn__ppp_ip }} diff --git a/system.vpn.client/templates/xl2tpd.conf.j2 b/system.vpn.client/templates/xl2tpd.conf.j2 new file mode 100644 index 0000000..a3990b4 --- /dev/null +++ b/system.vpn.client/templates/xl2tpd.conf.j2 @@ -0,0 +1,10 @@ +[lac {{ vpn__connection_id }}] +lns = {{ vpn__public_host }} +ppp debug = yes +require chap = yes +pppoptfile = {{ vpn__pppd_config_dir }}/options.l2tpd.client +length bit = yes +redial=yes +redial timeout=2 +max redials=100000000 +autodial=yes